Add ansible playbook to automate service provider setup #10
@ -1,3 +1,6 @@
target_host: ""
target_host: ""
gpg_key_id: ""
gpg_key_id: ""
vault_passphrase: ""
vault_passphrase: ""
org_id: ""
location_id: ""
dns_domain: ""
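--- /dev/null
+++ b/service-provider-setup/templates/control-firewalld.yml.j2
@@ -0,0 +1,16 @@
+---
+firewalld_add:
+- name: public
+interfaces:
+- enp9s0
+services:
+- http
+- https
+ports:
+- 6443/tcp
+
+- name: trusted
+sources:
+- 10.42.0.0/16
+- 10.43.0.0/16
+- "{{ cluster_control_ip }}"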
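Review bot: `6443/tcp` is opened in the `public` zone, which is bound to `enp9s0`; if that is the host's external interface, the Kubernetes API server (6443 is the k3s default API port) is reachable from any source address rather than only from the `trusted` sources listed below it. Unless kubectl or agent access from arbitrary networks is intended, move `- 6443/tcp` under the `trusted` zone or put it in a zone restricted by `sources:`, and leave a comment saying why it is public if it must stay. The interface names are also hard-coded here (`enp9s0`) and in daemon-firewalld.yml.j2 (`ens3`), so a host whose NIC is named differently ends up with no public zone at all; a per-host variable such as `public_interface` with these as defaults would be safer. The `10.42.0.0/16` and `10.43.0.0/16` sources look like the k3s default cluster and service CIDRs, which is worth stating in a comment so they are updated together if the CIDRs are ever changed.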
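--- /dev/null
+++ b/service-provider-setup/templates/daemon-firewalld.yml.j2
@@ -0,0 +1,16 @@
+---
+firewalld_add:
+- name: public
+interfaces:
+- ens3
+services:
+- http
+- https
+ports:
+- 26657/tcp
+- 26656/tcp
+- 1317/tcp
+
+- name: trusted
+sources:
+- "{{ cluster_control_ip }}"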
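Review bot: `26657/tcp` and `1317/tcp` are opened in the `public` zone on `ens3` next to the `26656/tcp` peer port; if these are the daemon's RPC and REST endpoints they are typically unauthenticated, and usually only the peer port needs to be reachable from arbitrary addresses. If RPC and REST are consumed only by the cluster-control host, which is already in the `trusted` zone via `{{ cluster_control_ip }}`, or through the nginx sites in nginx.yml.j2, drop them from `public` so the `trusted` zone is the only path in. If they must stay public, a comment naming the clients that need them would help the next reader judge the exposure.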
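--- /dev/null
+++ b/service-provider-setup/templates/hosts.j2
@@ -0,0 +1,12 @@
+[all]
+{{ org_id }}-daemon ansible_host={{ cluster_control_ip }}
+{{ org_id }}-{{ country_id }}-cluster-control ansible_host={{ cluster_control_ip }}
+
+[so]
+{{ org_id }}-daemon
+
+[{{ org_id }}-{{ country_id }}]
+{{ org_id }}-{{ country_id }}-cluster-control k8s_node_type=bootstrap k8s_pod_limit=1024 k8s_external_ip={{ cluster_control_ip }}
+
+[k8s:children]
+{{ org_id }}-{{ country_id }}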
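Review bot: `{{ country_id }}` is used four times in this inventory (and in k8s.yml.j2 for `k8s_cluster_url`), but the variables hunk at the top of this change adds `location_id`, not `country_id`; unless `country_id` is defined somewhere not shown here, rendering this template fails on an undefined variable, so one of the two names should be changed to match the other. Separately, both `{{ org_id }}-daemon` and the cluster-control host get `ansible_host={{ cluster_control_ip }}`; the two firewalld templates bind different interfaces (`ens3` vs `enp9s0`), which suggests the daemon is a separate machine that should point at its own address, e.g. `{{ org_id }}-daemon ansible_host={{ daemon_ip }}` with a new variable. If both services really do run on one host, a comment saying so would settle the question.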
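--- /dev/null
+++ b/service-provider-setup/templates/k8s.yml.j2
@@ -0,0 +1,55 @@
+---
+# default context is used for stack orchestrator deployments, for testing a custom context name can be usefull
+#k8s_cluster_name: "{{ org_id }}-{{ country_id }}-cluster"
+k8s_cluster_name: default
+k8s_cluster_url: "{{ org_id }}-{{ country_id }}-cluster-control.{{ dns_domain }}.com"
+k8s_taint_servers: false
+
+k8s_acme_email: "{{ support_email }}"
+
+# k3s bundles traefik as the default ingress controller, we will disable it and use nginx instead
+k8s_disable:
+- traefik
+
+# secrets can be stored in a file or as a template, the template secrets gets dynamically base64 encoded while file based secrets must be encoded by hand
+k8s_secrets:
+- name: digitalocean-dns
+type: file
+source: secret-digitalocean-dns.yaml
+
+k8s_manifests:
+# ingress controller, replaces traefik which is explicitly disabled
+- name: ingress-nginx
+type: url
+source: https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.10.1/deploy/static/provider/cloud/deploy.yaml
+
+# cert-manager, required for letsencrypt
+- name: cert-manager
+type: url
+source: https://github.com/cert-manager/cert-manager/releases/download/v1.15.1/cert-manager.yaml
+
+# issuer for basic http certs
+- name: letsencrypt-prod
+type: template
+source: shared/clusterissuer-acme.yaml
+server: https://acme-v02.api.letsencrypt.org/directory
+solvers:
+- type: http
+ingress: nginx
+
+# issuer for wildcard dns certs
+- name: letsencrypt-prod-wild
+type: template
+source: shared/clusterissuer-acme.yaml
+server: https://acme-v02.api.letsencrypt.org/directory
+solvers:
+- type: dns
+provider: digitalocean
+tokenref: tokenSecretRef
+secret_name: digitalocean-dns
+secret_key: access-token
+
+# initiate wildcard cert
+- name: "pwa.{{ dns_domain }}.com"
+type: file
+source: "wildcard-pwa-{{ dns_domain }}.yaml"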
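Review bot: `source: secret-digitalocean-dns.yaml` under `k8s_secrets` is a `type: file` secret that, going by the `letsencrypt-prod-wild` solver below (`secret_name: digitalocean-dns`, `secret_key: access-token`), must carry the DigitalOcean API token; that file is not part of this change and nothing here shows it being kept out of the repository or vault-encrypted, so it should either be produced from a vaulted variable as a `type: template` secret or be documented as a file the operator creates and vaults before running the play. The two `type: url` manifests (`ingress-nginx` at controller-v1.10.1 and cert-manager at v1.15.1) are fetched from GitHub at deploy time and applied to the cluster on the strength of a tag name alone; tags can be moved, so vendoring the manifests into the repository or recording a checksum the role verifies would make the deploy reproducible and auditable. `k8s_acme_email: "{{ support_email }}"` also references a variable that does not appear in the variables hunk of this change; confirm it is defined or add it next to `dns_domain`.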
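--- /dev/null
+++ b/service-provider-setup/templates/nginx.yml.j2
@@ -0,0 +1,21 @@
+---
+nginx_packages_intall: false
+nginx_server_name_hash: 64
+nginx_proxy_read_timeout: 1200
+nginx_proxy_send_timeout: 1200
+nginx_proxy_connection_timeout: 75
+
+nginx_sites:
+- name: "{{ org_id }}-console"
+url: "{{ org_id }}-console.{{ dns_domain }}.com"
+upstream: http://localhost:8080
+template: basic-proxy
+ssl: true
+
+- name: "{{ org_id }}-daemon"
+url: "{{ org_id }}-daemon.{{ dns_domain }}.com"
+upstream: http://localhost:9473
+configs:
+- rewrite "^/deployer(/.*)? https://webapp-deployer.pwa.{{domain}}.com" permanent
+template: websocket-proxy
+ssl: true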
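Review bot: The `configs:` entry for the daemon site puts the regex and the replacement inside one quoted string, `rewrite "^/deployer(/.*)? https://webapp-deployer.pwa.{{domain}}.com" permanent`, so nginx reads the whole quoted text as the regex and `permanent` as the replacement; it also uses `{{domain}}` while every other template in this change uses `dns_domain`, so the render fails or produces the wrong host unless `domain` is defined elsewhere. The directive should read `- rewrite ^/deployer(/.*)? https://webapp-deployer.pwa.{{ dns_domain }}.com permanent` (append `$1` to the target if the captured path is meant to be carried over), assuming the role adds the trailing `;` as it does for the other config lines. The key `nginx_packages_intall` also looks misspelled; if the role's variable is `nginx_packages_install`, this `false` is silently ignored and the packages get installed after all.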
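--- /dev/null
+++ b/service-provider-setup/templates/wildcard-pwa-example.yml.j2
@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+name: "pwa.{{ dns_domain }}.com"
+namespace: default
+spec:
+secretName: "pwa.{{ dns_domain }}.com"
+issuerRef:
+name: letsencrypt-prod-wild
+kind: ClusterIssuer
+group: cert-manager.io
+commonName: "*.pwa.{{ dns_domain }}.com"
+dnsNames:
+- "pwa.{{ dns_domain }}.com"
+- "*.pwa.{{ dns_domain }}.com"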
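Review bot: This manifest contains Jinja expressions (`{{ dns_domain }}`) but k8s.yml.j2 references it as `type: file` with `source: "wildcard-pwa-{{ dns_domain }}.yaml"`, while the file added here is named `wildcard-pwa-example.yml.j2`; unless the role renders `.j2` sources and maps the `.yaml` name onto them, the lookup misses this file or, if a `file` source is copied verbatim, the placeholders reach the cluster unrendered and the Certificate is created for a literal `{{ dns_domain }}` host. Either name the file exactly as k8s.yml.j2 asks for it and change that entry to `type: template`, or point the k8s.yml.j2 entry at `source: wildcard-pwa-example.yml.j2` with `type: template`; I cannot see the role's resolution rules from here, so confirm against it. The `example` in the filename reads as a stand-in for a real `dns_domain` value, which deserves a one-line comment at the top of this file.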