Add ansible playbook to automate service provider setup #10

Merged
nabarun merged 31 commits from deep-stack/testnet-ops:ag-sp-setup into main 2024-10-01 12:17:11 +00:00
7 changed files with 138 additions and 0 deletions
Showing only changes of commit 7d826a1322 - Show all commits


@ -1,3 +1,6 @@
target_host: ""
gpg_key_id: ""
vault_passphrase: ""
org_id: ""
location_id: ""
dns_domain: ""
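Review bot: `vault_passphrase: ""` in this hunk is a placeholder for the secret that unlocks every vault-encrypted value the playbook uses, yet it sits in the same plain vars file as non-secret settings such as `org_id` and `dns_domain`; if operators are expected to fill this file in, the passphrase ends up in the working tree next to checked-in configuration. Supplying it through `--vault-password-file` or an environment lookup and keeping only the non-secret keys here avoids that. The rendered hunk does not show which three of the six lines are new, so this may predate the commit.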


@ -0,0 +1,16 @@
---
firewalld_add:
- name: public
interfaces:
- enp9s0
services:
- http
- https
ports:
- 6443/tcp
- name: trusted
sources:
- 10.42.0.0/16
- 10.43.0.0/16
- "{{ cluster_control_ip }}"
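Review bot: `6443/tcp` is opened in the `public` zone on `enp9s0` alongside http/https, which, given the k3s settings elsewhere in this PR, looks like the Kubernetes API server being reachable from any source on that interface rather than only from the `trusted` zone. If remote API access from arbitrary addresses is not intended, moving the port under a source-restricted zone or a rich rule would narrow it; at minimum the entry deserves a comment such as `# 6443/tcp: k3s API server; reachable from any source on this interface`. The `10.42.0.0/16` and `10.43.0.0/16` sources match the k3s default pod and service CIDRs and will silently fall out of sync if the cluster CIDRs are ever changed, so a comment naming that dependency would help too.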


@ -0,0 +1,16 @@
---
firewalld_add:
- name: public
interfaces:
- ens3
services:
- http
- https
ports:
- 26657/tcp
- 26656/tcp
- 1317/tcp
- name: trusted
sources:
- "{{ cluster_control_ip }}"
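Review bot: The three ports on the `public` zone (`26657/tcp`, `26656/tcp`, `1317/tcp`) carry no comment saying what they serve, unlike the k8s vars file later in this PR where every manifest entry is annotated. They match the Cosmos SDK defaults for Tendermint RPC, P2P and the REST API respectively, but a reader of the firewall config should not have to guess; one comment per entry, e.g. `# 26657/tcp: tendermint rpc`, `# 26656/tcp: p2p`, `# 1317/tcp: rest api` (adjusted if the daemon is configured differently), would settle it. If the RPC and REST ports are only consumed by the nginx proxy on the same host, they could be left out of the public zone entirely.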


@ -0,0 +1,12 @@
[all]
{{ org_id }}-daemon ansible_host={{ cluster_control_ip }}
{{ org_id }}-{{ country_id }}-cluster-control ansible_host={{ cluster_control_ip }}
[so]
{{ org_id }}-daemon
[{{ org_id }}-{{ country_id }}]
{{ org_id }}-{{ country_id }}-cluster-control k8s_node_type=bootstrap k8s_pod_limit=1024 k8s_external_ip={{ cluster_control_ip }}
[k8s:children]
{{ org_id }}-{{ country_id }}
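Review bot: This inventory template reads `country_id` on its third, fifth, sixth and ninth lines, while the vars file in this same commit defines `location_id` and nothing named `country_id`; unless `country_id` is set somewhere outside this diff the template will most likely fail to render. The same mismatch appears in the k8s vars file (`k8s_cluster_url` and the commented-out `k8s_cluster_name`). `cluster_control_ip` is likewise absent from the vars file, and both the daemon host and the cluster-control host resolve to it, which is fine only if they are intentionally the same machine. Either rename the vars key or the template references so they agree.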


@ -0,0 +1,55 @@
---
# default context is used for stack orchestrator deployments, for testing a custom context name can be usefull
#k8s_cluster_name: "{{ org_id }}-{{ country_id }}-cluster"
k8s_cluster_name: default
k8s_cluster_url: "{{ org_id }}-{{ country_id }}-cluster-control.{{ dns_domain }}.com"
k8s_taint_servers: false
k8s_acme_email: "{{ support_email }}"
# k3s bundles traefik as the default ingress controller, we will disable it and use nginx instead
k8s_disable:
- traefik
# secrets can be stored in a file or as a template, the template secrets gets dynamically base64 encoded while file based secrets must be encoded by hand
k8s_secrets:
- name: digitalocean-dns
type: file
source: secret-digitalocean-dns.yaml
k8s_manifests:
# ingress controller, replaces traefik which is explicitly disabled
- name: ingress-nginx
type: url
source: https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.10.1/deploy/static/provider/cloud/deploy.yaml
# cert-manager, required for letsencrypt
- name: cert-manager
type: url
source: https://github.com/cert-manager/cert-manager/releases/download/v1.15.1/cert-manager.yaml
# issuer for basic http certs
- name: letsencrypt-prod
type: template
source: shared/clusterissuer-acme.yaml
server: https://acme-v02.api.letsencrypt.org/directory
solvers:
- type: http
ingress: nginx
# issuer for wildcard dns certs
- name: letsencrypt-prod-wild
type: template
source: shared/clusterissuer-acme.yaml
server: https://acme-v02.api.letsencrypt.org/directory
solvers:
- type: dns
provider: digitalocean
tokenref: tokenSecretRef
secret_name: digitalocean-dns
secret_key: access-token
# initiate wildcard cert
- name: "pwa.{{ dns_domain }}.com"
type: file
source: "wildcard-pwa-{{ dns_domain }}.yaml"
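Review bot: `k8s_secrets` registers `secret-digitalocean-dns.yaml` as `type: file`, and the comment above it says file-based secrets are only base64-encoded by hand; base64 is not encryption, so that file holds the DigitalOcean API token in recoverable form wherever it is stored. The file itself is not in this diff, so I cannot tell whether it is vault-encrypted; if it is not, encrypting it with ansible-vault (the playbook already carries a `vault_passphrase`) or switching it to a `template` fed from a vaulted variable would keep the token out of the repo. Two smaller points: the comment on the second line reads `usefull`, and the two manifests fetched by URL are version-pinned but not checksum-pinned, so a moved tag upstream would be applied unnoticed.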


@ -0,0 +1,21 @@
---
nginx_packages_intall: false
nginx_server_name_hash: 64
nginx_proxy_read_timeout: 1200
nginx_proxy_send_timeout: 1200
nginx_proxy_connection_timeout: 75
nginx_sites:
- name: "{{ org_id }}-console"
url: "{{ org_id }}-console.{{ dns_domain }}.com"
upstream: http://localhost:8080
template: basic-proxy
ssl: true
- name: "{{ org_id }}-daemon"
url: "{{ org_id }}-daemon.{{ dns_domain }}.com"
upstream: http://localhost:9473
configs:
- rewrite "^/deployer(/.*)? https://webapp-deployer.pwa.{{domain}}.com" permanent
template: websocket-proxy
ssl: true
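Review bot: The `configs` entry for `{{ org_id }}-daemon` references `{{domain}}`, which is not defined in this PR's vars file (every other template uses `dns_domain`), so unless `domain` is set elsewhere the rewrite target will not render. The same line wraps the regex and the replacement in one pair of double quotes, which, assuming the role writes the line verbatim, hands nginx a single regex argument containing a space and `permanent` as the replacement, and the `(/.*)?` capture is never reused; if the intent is to redirect `/deployer/...` to the deployer host with the path preserved, the line should be `- rewrite "^/deployer(/.*)?$" "https://webapp-deployer.pwa.{{ dns_domain }}.com$1" permanent`. Separately, `nginx_packages_intall` looks misspelled; if the role's variable is `nginx_packages_install`, this key is silently ignored and the role default applies.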


@ -0,0 +1,15 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: "pwa.{{ dns_domain }}.com"
namespace: default
spec:
secretName: "pwa.{{ dns_domain }}.com"
issuerRef:
name: letsencrypt-prod-wild
kind: ClusterIssuer
group: cert-manager.io
commonName: "*.pwa.{{ dns_domain }}.com"
dnsNames:
- "pwa.{{ dns_domain }}.com"
- "*.pwa.{{ dns_domain }}.com"
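Review bot: This manifest contains Jinja expressions (`{{ dns_domain }}`), but the k8s vars file in this PR registers it as `type: file` (`wildcard-pwa-{{ dns_domain }}.yaml`), and the comment there distinguishes `file` entries, taken as-is, from `template` entries; if the role does not template `file` entries, the literal `{{ dns_domain }}` text would reach the API server and be rejected as an invalid name. Worth confirming against the role, or switching the entry to `type: template`. Note also that the resulting TLS secret is created in `default`, so any Ingress for the `*.pwa` hosts that references this `secretName` must live in that same namespace.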