diff --git a/ansible-5/playbooks/kube-cluster-update.yaml b/ansible-5/playbooks/kube-cluster-update.yaml new file mode 100644 index 0000000..50a0129 --- /dev/null +++ b/ansible-5/playbooks/kube-cluster-update.yaml @@ -0,0 +1,10 @@ +--- +- name: ping + hosts: kube + gather_facts: true + + roles: + - role: k3s + become: true + vars: + k3s_upgrade: true \ No newline at end of file diff --git a/ansible-5/roles/k3s/defaults/main.yml b/ansible-5/roles/k3s/defaults/main.yml new file mode 100644 index 0000000..33ecaed --- /dev/null +++ b/ansible-5/roles/k3s/defaults/main.yml @@ -0,0 +1,6 @@ +--- +# default values for prod.k3s +# https://github.com/rancher/system-agent-installer-k3s/releases?page=1 +kube_context: home +k3s_version: "v1.33.3" + diff --git a/ansible-5/roles/k3s/tasks/install.yml b/ansible-5/roles/k3s/tasks/install.yml index 06935b7..e88ee8f 100644 --- a/ansible-5/roles/k3s/tasks/install.yml +++ b/ansible-5/roles/k3s/tasks/install.yml @@ -1,4 +1,5 @@ --- + # install k3s - name: Install required packages apt: @@ -20,7 +21,7 @@ async: 300 poll: 10 ansible.builtin.shell: - cmd: sh -s -- + cmd: INSTALL_K3S_VERSION={{k3s_version}}+k3s1 sh -s -- stdin: "{{ k3s_installer.content }}" #- name: Setup bash completion diff --git a/ansible-5/roles/k3s/tasks/main.yml b/ansible-5/roles/k3s/tasks/main.yml index 15856a1..7fb3356 100644 --- a/ansible-5/roles/k3s/tasks/main.yml +++ b/ansible-5/roles/k3s/tasks/main.yml @@ -9,6 +9,9 @@ - include_tasks: install.yml when: not k3s_service.stat.exists +- include_tasks: install.yml + when: k3s_upgrade == true + - name: Start service k3s, if not started ansible.builtin.service: name: k3s diff --git a/ansible-5/roles/prod.k3s/defaults/main.yml b/ansible-5/roles/prod.k3s/defaults/main.yml index 01081d2..50ce291 100644 --- a/ansible-5/roles/prod.k3s/defaults/main.yml +++ b/ansible-5/roles/prod.k3s/defaults/main.yml 
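Review bot: The play is named `ping` but it applies the k3s role with `k3s_upgrade: true` to every host in `kube` in parallel, so the name misleads anyone scanning `--list-tasks` output and, with no `serial`, the installer re-runs and restarts k3s on all nodes at the same time. Rename it to what it does, `- name: Upgrade k3s on kube nodes`, and add `serial: 1` so nodes are rolled one at a time and the control plane stays reachable during the upgrade. Whether the inventory separates server nodes from agents is not visible here; if it does, a second play per group would keep servers ahead of agents.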
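Review bot: The header comment says `default values for prod.k3s` but this file is `roles/k3s/defaults/main.yml`, and it does not say that `install.yml` appends `+k3s1` to `k3s_version`, so a reader who sets the full tag `v1.33.3+k3s1` gets a doubled suffix. Suggested header: `# defaults for the k3s role; k3s_version is the upstream tag WITHOUT the +k3s1 suffix, install.yml appends it`. The role's `tasks/main.yml` also reads `k3s_upgrade`, so this file is the place for `k3s_upgrade: false` so the variable always exists.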
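Review bot: `k3s_version` is spliced straight into the shell command line (`cmd: INSTALL_K3S_VERSION={{k3s_version}}+k3s1 sh -s --`), so a value carrying shell metacharacters from inventory, group_vars or `-e` is interpreted by `sh` before the installer even starts. Pass it through the task keyword instead and keep the command fixed: `environment: { INSTALL_K3S_VERSION: "{{ k3s_version }}+k3s1" }` with `cmd: sh -s --`; that also removes the reliance on the remote shell accepting a `VAR=value cmd` prefix. Pinning the version is an improvement over the previous unpinned line, which presumably tracked the installer's default channel. The task's header and the earlier fetch that fills `k3s_installer` lie outside this hunk, so whether the script's origin is verified (HTTPS, `validate_certs`) cannot be judged here.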
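Review bot: `when: k3s_upgrade == true` references a variable the role's new defaults file does not define, so any play that does not pass `k3s_upgrade` (the normal install path) fails this include with an undefined-variable error unless the variable is set somewhere not shown in this diff. Use `when: k3s_upgrade | default(false) | bool`, which also copes with the string `true` that `-e k3s_upgrade=true` produces. As written, a fresh host run with `k3s_upgrade: true` also executes `install.yml` twice, once per include; folding both conditions into the existing include, `when: not k3s_service.stat.exists or (k3s_upgrade | default(false) | bool)`, runs it once.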
@@ -112,3 +112,8 @@ apps: enabled: false namespace: backstage state: present + + metallb: + enabled: true + namespace: metallb-system + state: absent \ No newline at end of file diff --git a/ansible-5/roles/prod.k3s/files/gitea/values.yaml b/ansible-5/roles/prod.k3s/files/gitea/values.yaml index ae32772..fd583d6 100644 --- a/ansible-5/roles/prod.k3s/files/gitea/values.yaml +++ b/ansible-5/roles/prod.k3s/files/gitea/values.yaml @@ -42,17 +42,25 @@ redis-cluster: enabled: true service: - ssh: - port: 10022 + http: type: ClusterIP -# clusterIP: + port: 3000 + clusterIP: + ssh: + port: 30022 + nodePort: 30022 + type: LoadBalancer + clusterIP: +# externalTrafficPolicy: Local +# hostPort: 10022 + gitea: config: APP_NAME: "Gitea: With a cup of tea, for 2." server: ROOT_URL: https://git.xai-corp.net - SSH_PORT: 10022 + SSH_PORT: 30022 START_SSH_SERVER: true database: HOST: mysql:3306 diff --git a/ansible-5/roles/prod.k3s/files/metallb/values.yaml b/ansible-5/roles/prod.k3s/files/metallb/values.yaml new file mode 100644 index 0000000..32a6f24 --- /dev/null +++ b/ansible-5/roles/prod.k3s/files/metallb/values.yaml 
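Review bot: `metallb` is added with `enabled: true` together with `state: absent`, so every run of the prod.k3s role executes `deployments/metallb.yaml` and asks Helm to uninstall the release rather than install it. If MetalLB is not meant to be deployed yet, `enabled: false` is the switch that skips the task file entirely; if this is a deliberate teardown of an earlier install, a comment such as `# state: absent removes the release; set present once the address pool is configured` would stop the next reader from treating it as a typo. The other `apps` entries are cut off above this hunk, so I cannot tell whether another app already uses the enabled/absent combination on purpose.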
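Review bot: The SSH service becomes `type: LoadBalancer` with a pinned `nodePort: 30022` while `externalTrafficPolicy: Local` stays commented out, so under the default Cluster policy Gitea's SSH server sees the SNAT'd node address instead of the real client IP, which blinds its access log and any source-based rate limiting or blocking. Enable `externalTrafficPolicy: Local` (MetalLB's L2 mode supports it, with the trade-off that only nodes running a Gitea pod answer for the address) so the source address survives. Pinning `nodePort: 30022` additionally exposes SSH on every node IP at 30022 independent of the load-balancer address; if that second entry point is unintended, drop the `nodePort` and, if the chart exposes it, set `allocateLoadBalancerNodePorts: false`. Note also that k3s ships its own ServiceLB for `LoadBalancer` services, so unless k3s was installed with `--disable servicelb` (not visible in this diff) this service will be handled by ServiceLB rather than MetalLB.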
@@ -0,0 +1,387 @@ +# Default values for metallb. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" +loadBalancerClass: "" + +# To configure MetalLB, you must specify ONE of the following two +# options. + +rbac: + # create specifies whether to install and use RBAC rules. + create: true + +prometheus: + # scrape annotations specifies whether to add Prometheus metric + # auto-collection annotations to pods. See + # https://github.com/prometheus/prometheus/blob/release-2.1/documentation/examples/prometheus-kubernetes.yml + # for a corresponding Prometheus configuration. Alternatively, you + # may want to use the Prometheus Operator + # (https://github.com/coreos/prometheus-operator) for more powerful + # monitoring configuration. If you use the Prometheus operator, this + # can be left at false. + scrapeAnnotations: false + + # port both controller and speaker will listen on for metrics + metricsPort: 7472 + + # if set, enables rbac proxy on the controller and speaker to expose + # the metrics via tls. + # secureMetricsPort: 9120 + + # the name of the secret to be mounted in the speaker pod + # to expose the metrics securely. If not present, a self signed + # certificate to be used. + speakerMetricsTLSSecret: "" + + # the name of the secret to be mounted in the controller pod + # to expose the metrics securely. If not present, a self signed + # certificate to be used. 
+ controllerMetricsTLSSecret: "" + + # prometheus doesn't have the permission to scrape all namespaces so we give it permission to scrape metallb's one + rbacPrometheus: true + + # the service account used by prometheus + # required when " .Values.prometheus.rbacPrometheus == true " and " .Values.prometheus.podMonitor.enabled=true or prometheus.serviceMonitor.enabled=true " + serviceAccount: "" + + # the namespace where prometheus is deployed + # required when " .Values.prometheus.rbacPrometheus == true " and " .Values.prometheus.podMonitor.enabled=true or prometheus.serviceMonitor.enabled=true " + namespace: "" + + # the image to be used for the kuberbacproxy container + rbacProxy: + repository: gcr.io/kubebuilder/kube-rbac-proxy + tag: v0.12.0 + pullPolicy: + + # Prometheus Operator PodMonitors + podMonitor: + # enable support for Prometheus Operator + enabled: false + + # optional additional labels for podMonitors + additionalLabels: {} + + # optional annotations for podMonitors + annotations: {} + + # Job label for scrape target + jobLabel: "app.kubernetes.io/name" + + # Scrape interval. If not set, the Prometheus default scrape interval is used. + interval: + + # metric relabel configs to apply to samples before ingestion. + metricRelabelings: [] + # - action: keep + # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + # sourceLabels: [__name__] + + # relabel configs to apply to samples before ingestion. + relabelings: [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^(.*)$ + # target_label: nodename + # replacement: $1 + # action: replace + + # Prometheus Operator ServiceMonitors. To be used as an alternative + # to podMonitor, supports secure metrics. 
+ serviceMonitor: + # enable support for Prometheus Operator + enabled: false + + speaker: + # optional additional labels for the speaker serviceMonitor + additionalLabels: {} + # optional additional annotations for the speaker serviceMonitor + annotations: {} + # optional tls configuration for the speaker serviceMonitor, in case + # secure metrics are enabled. + tlsConfig: + insecureSkipVerify: true + + controller: + # optional additional labels for the controller serviceMonitor + additionalLabels: {} + # optional additional annotations for the controller serviceMonitor + annotations: {} + # optional tls configuration for the controller serviceMonitor, in case + # secure metrics are enabled. + tlsConfig: + insecureSkipVerify: true + + # Job label for scrape target + jobLabel: "app.kubernetes.io/name" + + # Scrape interval. If not set, the Prometheus default scrape interval is used. + interval: + + # metric relabel configs to apply to samples before ingestion. + metricRelabelings: [] + # - action: keep + # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + # sourceLabels: [__name__] + + # relabel configs to apply to samples before ingestion. + relabelings: [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^(.*)$ + # target_label: nodename + # replacement: $1 + # action: replace + + # Prometheus Operator alertmanager alerts + prometheusRule: + # enable alertmanager alerts + enabled: false + + # optional additional labels for prometheusRules + additionalLabels: {} + + # optional annotations for prometheusRules + annotations: {} + + # MetalLBStaleConfig + staleConfig: + enabled: true + labels: + severity: warning + + # MetalLBConfigNotLoaded + configNotLoaded: + enabled: true + labels: + severity: warning + + # MetalLBAddressPoolExhausted + addressPoolExhausted: + enabled: true + labels: + severity: critical + # Exclude the pools matching the regular expression from triggering the alert. 
+ excludePools: "" + + addressPoolUsage: + enabled: true + thresholds: + - percent: 75 + labels: + severity: warning + - percent: 85 + labels: + severity: warning + - percent: 95 + labels: + severity: critical + # Exclude the pools matching the regular expression from triggering the alert. + excludePools: "" + + # MetalLBBGPSessionDown + bgpSessionDown: + enabled: true + labels: + severity: critical + + extraAlerts: [] + +# controller contains configuration specific to the MetalLB cluster +# controller. +controller: + enabled: true + # -- Controller log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none` + logLevel: info + # command: /controller + webhookMode: enabled + image: + repository: quay.io/metallb/controller + tag: + pullPolicy: + ## @param controller.updateStrategy.type Metallb controller deployment strategy type. + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + ## e.g: + ## strategy: + ## type: RollingUpdate + ## rollingUpdate: + ## maxSurge: 25% + ## maxUnavailable: 25% + ## + strategy: + type: RollingUpdate + serviceAccount: + # Specifies whether a ServiceAccount should be created + create: true + # The name of the ServiceAccount to use. 
If not set and create is + # true, a name is generated using the fullname template + name: "" + annotations: {} + securityContext: + runAsNonRoot: true + # nobody + runAsUser: 65534 + fsGroup: 65534 + resources: {} + # limits: + # cpu: 100m + # memory: 100Mi + nodeSelector: {} + tolerations: [] + priorityClassName: "" + runtimeClassName: "" + affinity: {} + podAnnotations: {} + labels: {} + livenessProbe: + enabled: true + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + enabled: true + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + tlsMinVersion: "VersionTLS12" + tlsCipherSuites: "" + + extraContainers: [] + +# speaker contains configuration specific to the MetalLB speaker +# daemonset. +speaker: + enabled: true + # command: /speaker + # -- Speaker log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none` + logLevel: info + tolerateMaster: true + memberlist: + # -- When enabled: false, the speaker pods must run on all nodes + enabled: true + mlBindPort: 7946 + mlBindAddrOverride: "" + mlSecretKeyPath: "/etc/ml_secret_key" + excludeInterfaces: + enabled: true + # ignore the exclude-from-external-loadbalancer label + ignoreExcludeLB: false + + image: + repository: quay.io/metallb/speaker + tag: + pullPolicy: + ## @param speaker.updateStrategy.type Speaker daemonset strategy type + ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + ## + updateStrategy: + ## StrategyType + ## Can be set to RollingUpdate or OnDelete + ## + type: RollingUpdate + serviceAccount: + # Specifies whether a ServiceAccount should be created + create: true + # The name of the ServiceAccount to use. 
If not set and create is + # true, a name is generated using the fullname template + name: "" + annotations: {} + securityContext: {} + ## Defines a secret name for the controller to generate a memberlist encryption secret + ## By default secretName: {{ "metallb.fullname" }}-memberlist + ## + # secretName: + resources: {} + # limits: + # cpu: 100m + # memory: 100Mi + nodeSelector: {} + tolerations: [] + priorityClassName: "" + affinity: {} + ## Selects which runtime class will be used by the pod. + runtimeClassName: "" + podAnnotations: {} + labels: {} + livenessProbe: + enabled: true + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + enabled: true + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + startupProbe: + enabled: true + failureThreshold: 30 + periodSeconds: 5 + # frr contains configuration specific to the MetalLB FRR container, + # for speaker running alongside FRR. + frr: + enabled: true + image: + repository: quay.io/frrouting/frr + tag: 9.1.0 + pullPolicy: + metricsPort: 7473 + resources: {} + + # if set, enables a rbac proxy sidecar container on the speaker to + # expose the frr metrics via tls. + # secureMetricsPort: 9121 + + + reloader: + resources: {} + + frrMetrics: + resources: {} + + initContainers: + cpFrrFiles: + resources: {} + cpReloader: + resources: {} + cpMetrics: + resources: {} + + extraContainers: [] + +crds: + enabled: true + validationFailurePolicy: Fail + +# frrk8s contains the configuration related to using an frrk8s instance +# (github.com/metallb/frr-k8s) as the backend for the BGP implementation. +# This allows configuring additional frr parameters in combination to those +# applied by MetalLB. +frrk8s: + # if set, enables frrk8s as a backend. This is mutually exclusive to frr + # mode. 
+ enabled: false
+ external: false
+ namespace: ""
+
+# networkpolicies
+networkpolicies:
+ # if set, networkpolicies for metallb components will be installed in the metallb namespace
+ enabled: false
+ # if set, a default deny network policy will be installed in the metallb namespace
+ defaultDeny: false
+ # to override internal k8s api targetPort
+ apiPort: 6443
\ No newline at end of file
diff --git a/ansible-5/roles/prod.k3s/tasks/deployments/metallb.yaml b/ansible-5/roles/prod.k3s/tasks/deployments/metallb.yaml
new file mode 100644
index 0000000..0ef99e4
--- /dev/null
+++ b/ansible-5/roles/prod.k3s/tasks/deployments/metallb.yaml
@@ -0,0 +1,48 @@
+---
+# deployment tasks for MetalLB
+# https://metallb.io/installation/
+
+#- name: Create a namespace for funkwhale
+# k8s:
+# kubeconfig: "/etc/rancher/k3s/k3s.yaml"
+# name: "{{apps.funkwhale.namespace}}"
+# api_version: v1
+# kind: Namespace
+# state: "{{apps.funkwhale.state}}"
+# become: true
+#
+#- name: create persistent volume resources
+# kubernetes.core.k8s:
+# kubeconfig: "/etc/rancher/k3s/k3s.yaml"
+# state: "{{apps.funkwhale.state}}"
+# definition: "{{ lookup('template', item) | from_yaml }}"
+# loop:
+# - funkwhale/pv.yaml
+# - funkwhale/pv-claim.yaml
+# become: true
+
+
+- name: Install MetalLB chart
+ block:
+ - name: Add MetaLB chart helm repo
+ local_action:
+ module: kubernetes.core.helm_repository
+ name: metallb
+ repo_url: https://metallb.github.io/metallb
+
+ - name: load variables files/metallb/values.yaml
+ ansible.builtin.include_vars:
+ file: files/metallb/values.yaml
+ name: release_values
+
+ - name: Install MetalLB Release
+ local_action:
+ module: kubernetes.core.helm
+ release_state: "{{apps.metallb.state}}"
+ name: metallb
+ namespace: "{{apps.metallb.namespace}}"
+ create_namespace: yes
+ update_repo_cache: True
+ chart_ref: metallb/metallb
+ values: "{{release_values}}"
+ wait: true
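Review bot: `kubernetes.core.helm` runs via `local_action` with neither `kubeconfig` nor `context`, so the release is installed (or, with the current default `state: absent`, uninstalled) in whatever the controller's default kube context happens to point at, unlike the commented `k8s` tasks above that pin `/etc/rancher/k3s/k3s.yaml`; pass an explicit `kubeconfig:` or `context:` so a stray local context can never receive the release. `chart_ref: metallb/metallb` has no `chart_version`, so each run pulls whatever the repo currently serves; pin it (`chart_version: "<version you tested>"`) so an upgrade is a reviewed diff rather than a surprise. The bundled `files/metallb/values.yaml` is a verbatim copy of the chart's default values, which hides the actual configuration and freezes upstream defaults; keeping only the overrides makes the intent readable and lets default changes arrive with the chart bump. Finally, `create_namespace: yes` and `update_repo_cache: True` should be plain `true`, matching `wait: true` in the same task.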
diff --git a/ansible-5/roles/prod.k3s/tasks/main.yml b/ansible-5/roles/prod.k3s/tasks/main.yml
index b26909c..88fd392 100644
--- a/ansible-5/roles/prod.k3s/tasks/main.yml
+++ b/ansible-5/roles/prod.k3s/tasks/main.yml
@@ -54,6 +54,11 @@
 - name: deploy backstage
 include_tasks: deployments/backstage.yaml
 when: apps.backstage.enabled
+
+- name: deploy metallb
+ include_tasks: deployments/metallb.yaml
+ when: apps.metallb.enabled
+
 #-----------------------------------------------------
 #- include_tasks: mariadb.yaml
 #