From 29fd3d3c0f037cf636236095056e375074ce1dd4 Mon Sep 17 00:00:00 2001
From: richard
Date: Sat, 16 Aug 2025 17:01:02 -0400
Subject: [PATCH 1/7] Install MetalLB into cluster

---
 ansible-5/roles/prod.k3s/defaults/main.yml | 5 ++
 .../roles/prod.k3s/files/metallb/values.yaml | 0
 .../prod.k3s/tasks/deployments/metallb.yaml | 48 +++++++++++++++++++
 ansible-5/roles/prod.k3s/tasks/main.yml | 5 ++
 4 files changed, 58 insertions(+)
 create mode 100644 ansible-5/roles/prod.k3s/files/metallb/values.yaml
 create mode 100644 ansible-5/roles/prod.k3s/tasks/deployments/metallb.yaml

diff --git a/ansible-5/roles/prod.k3s/defaults/main.yml b/ansible-5/roles/prod.k3s/defaults/main.yml
index 01081d2..44fc111 100644
--- a/ansible-5/roles/prod.k3s/defaults/main.yml
+++ b/ansible-5/roles/prod.k3s/defaults/main.yml
@@ -112,3 +112,8 @@ apps:
 enabled: false
 namespace: backstage
 state: present
+
+ metallb:
+ enabled: true
+ namespace: metallb-system
+ state: present
\ No newline at end of file
diff --git a/ansible-5/roles/prod.k3s/files/metallb/values.yaml b/ansible-5/roles/prod.k3s/files/metallb/values.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/ansible-5/roles/prod.k3s/tasks/deployments/metallb.yaml b/ansible-5/roles/prod.k3s/tasks/deployments/metallb.yaml
new file mode 100644
index 0000000..e6cf1b9
--- /dev/null
+++ b/ansible-5/roles/prod.k3s/tasks/deployments/metallb.yaml
@@ -0,0 +1,48 @@
+---
+# deployment tasks for MetalLB
+# https://metallb.io/installation/
+
+#- name: Create a namespace for funkwhale
+# k8s:
+# kubeconfig: "/etc/rancher/k3s/k3s.yaml"
+# name: "{{apps.funkwhale.namespace}}"
+# api_version: v1
+# kind: Namespace
+# state: "{{apps.funkwhale.state}}"
+# become: true
+#
+#- name: create persistent volume resources
+# kubernetes.core.k8s:
+# kubeconfig: "/etc/rancher/k3s/k3s.yaml"
+# state: "{{apps.funkwhale.state}}"
+# definition: "{{ lookup('template', item) | from_yaml }}"
+# loop:
+# - funkwhale/pv.yaml
+# - funkwhale/pv-claim.yaml
+# become: true
+
+
+- name: Install MetalLB chart
+ block:
+ - name: Add MetaLB chart helm repo
+ local_action:
+ module: kubernetes.core.helm_repository
+ name: metallb
+ repo_url: https://metallb.github.io/metallb
+
+ - name: load variables files/metallb/values.yaml
+ ansible.builtin.include_vars:
+ file: files/metallb/values.yaml
+ name: release_values
+
+ - name: Install MetalLB Release
+ local_action:
+ module: kubernetes.core.helm
+ release_state: "{{apps.metallb.state}}"
+ name: funkwhale
+ namespace: "{{apps.metallb.namespace}}"
+ create_namespace: yes
+ update_repo_cache: True
+ chart_ref: metallb/metallb
+ values: "{{release_values}}"
+ wait: true
diff --git a/ansible-5/roles/prod.k3s/tasks/main.yml b/ansible-5/roles/prod.k3s/tasks/main.yml
index b26909c..88fd392 100644
--- a/ansible-5/roles/prod.k3s/tasks/main.yml
+++ b/ansible-5/roles/prod.k3s/tasks/main.yml
@@ -54,6 +54,11 @@
 - name: deploy backstage
 include_tasks: deployments/backstage.yaml
 when: apps.backstage.enabled
+
+- name: deploy metallb
+ include_tasks: deployments/metallb.yaml
+ when: apps.metallb.enabled
+
 #-----------------------------------------------------
 #- include_tasks: mariadb.yaml
 #
From 2a52b535c5c0107a50b6ebe0c3b659c7eb868438 Mon Sep 17 00:00:00 2001
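Review bot: The `kubernetes.core.helm` task at the end of the hunk has no `chart_version`, so every run resolves whatever chart the metallb repo serves at that moment and an upstream release lands in the cluster unreviewed; pin it with `chart_version: "<chart version>"` next to `chart_ref: metallb/metallb` and bump it deliberately. `create_namespace: yes` and `update_repo_cache: True` are YAML 1.1 truthy spellings that yamllint and ansible-lint flag; write `create_namespace: true` and `update_repo_cache: true`. The commented-out funkwhale namespace and persistent-volume tasks at the top of the file are copy-paste residue that still references `apps.funkwhale.*`, and should be dropped rather than carried into the MetalLB task file. The task name `Add MetaLB chart helm repo` misspells MetalLB.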
From: richard
Date: Sat, 16 Aug 2025 17:09:59 -0400
Subject: [PATCH 2/7] Install MetalLB into cluster

---
 ansible-5/roles/prod.k3s/tasks/deployments/metallb.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ansible-5/roles/prod.k3s/tasks/deployments/metallb.yaml b/ansible-5/roles/prod.k3s/tasks/deployments/metallb.yaml
index e6cf1b9..0ef99e4 100644
--- a/ansible-5/roles/prod.k3s/tasks/deployments/metallb.yaml
+++ b/ansible-5/roles/prod.k3s/tasks/deployments/metallb.yaml
@@ -39,7 +39,7 @@
 local_action:
 module: kubernetes.core.helm
 release_state: "{{apps.metallb.state}}"
- name: funkwhale
+ name: metallb
 namespace: "{{apps.metallb.namespace}}"
 create_namespace: yes
 update_repo_cache: True
From d0d8876c43940a392625ced765d8b6d7d9fcde9e Mon Sep 17 00:00:00 2001
From: richard
Date: Sat, 16 Aug 2025 20:58:08 -0400
Subject: [PATCH 3/7] kube-cluster-update playbook update k3s version to 1.29

---
 ansible-5/playbooks/kube-cluster-update.yaml | 10 ++++++++++
 ansible-5/roles/k3s/defaults/main.yml | 5 +++++
 ansible-5/roles/k3s/tasks/install.yml | 3 ++-
 ansible-5/roles/k3s/tasks/main.yml | 3 +++
 4 files changed, 20 insertions(+), 1 deletion(-)
 create mode 100644 ansible-5/playbooks/kube-cluster-update.yaml
 create mode 100644 ansible-5/roles/k3s/defaults/main.yml

diff --git a/ansible-5/playbooks/kube-cluster-update.yaml b/ansible-5/playbooks/kube-cluster-update.yaml
new file mode 100644
index 0000000..50a0129
--- /dev/null
+++ b/ansible-5/playbooks/kube-cluster-update.yaml
@@ -0,0 +1,10 @@
+---
+- name: ping
+ hosts: kube
+ gather_facts: true
+
+ roles:
+ - role: k3s
+ become: true
+ vars:
+ k3s_upgrade: true
\ No newline at end of file
diff --git a/ansible-5/roles/k3s/defaults/main.yml b/ansible-5/roles/k3s/defaults/main.yml
new file mode 100644
index 0000000..baff6ca
--- /dev/null
+++ b/ansible-5/roles/k3s/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+# default values for prod.k3s
+kube_context: home
+k3s_version: "v1.29.1"
+
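Review bot: The play is named `ping` but what it does is re-run the k3s role with `k3s_upgrade: true`, so the name tells a run log or `--list-tasks` reader nothing; `- name: Upgrade k3s on kube hosts` describes it. A one-line comment above the play noting that the target version comes from `k3s_version` in the k3s role defaults would also help, since the playbook itself carries no version. The file is missing its trailing newline.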
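Review bot: `k3s_upgrade`, which the new `when: k3s_upgrade == true` in tasks/main.yml evaluates on every run of the role, gets no default here, so an ordinary (non-upgrade) run fails on an undefined variable unless it is set somewhere outside this patch; add `k3s_upgrade: false` to this defaults file, and in the main.yml hunk the condition reads better as `when: k3s_upgrade | bool`. The header comment `# default values for prod.k3s` was copied from the prod.k3s role; this file belongs to the `k3s` role and the comment should say so.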
diff --git a/ansible-5/roles/k3s/tasks/install.yml b/ansible-5/roles/k3s/tasks/install.yml
index 06935b7..e88ee8f 100644
--- a/ansible-5/roles/k3s/tasks/install.yml
+++ b/ansible-5/roles/k3s/tasks/install.yml
@@ -1,4 +1,5 @@
 ---
+
 # install k3s
 - name: Install required packages
 apt:
@@ -20,7 +21,7 @@
 async: 300
 poll: 10
 ansible.builtin.shell:
- cmd: sh -s --
+ cmd: INSTALL_K3S_VERSION={{k3s_version}}+k3s1 sh -s --
 stdin: "{{ k3s_installer.content }}"
 #- name: Setup bash completion
diff --git a/ansible-5/roles/k3s/tasks/main.yml b/ansible-5/roles/k3s/tasks/main.yml
index 15856a1..7fb3356 100644
--- a/ansible-5/roles/k3s/tasks/main.yml
+++ b/ansible-5/roles/k3s/tasks/main.yml
@@ -9,6 +9,9 @@
 - include_tasks: install.yml
 when: not k3s_service.stat.exists
+- include_tasks: install.yml
+ when: k3s_upgrade == true
+
 - name: Start service k3s, if not started
 ansible.builtin.service:
 name: k3s
From 2c529a70197314a77cf80cf89b54dd86960465b3 Mon Sep 17 00:00:00 2001
From: richard
Date: Sat, 16 Aug 2025 21:11:59 -0400
Subject: [PATCH 4/7] update k3s version to 1.31

---
 ansible-5/roles/k3s/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ansible-5/roles/k3s/defaults/main.yml b/ansible-5/roles/k3s/defaults/main.yml
index baff6ca..96f5776 100644
--- a/ansible-5/roles/k3s/defaults/main.yml
+++ b/ansible-5/roles/k3s/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
 # default values for prod.k3s
 kube_context: home
-k3s_version: "v1.29.1"
+k3s_version: "v1.31.11"
From 5df0d719375eadf1e1bb8057539955a360c12f1a Mon Sep 17 00:00:00 2001
From: richard
Date: Sat, 16 Aug 2025 21:21:18 -0400
Subject: [PATCH 5/7] update k3s version to 1.31

---
 ansible-5/roles/k3s/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ansible-5/roles/k3s/defaults/main.yml b/ansible-5/roles/k3s/defaults/main.yml
index 96f5776..8e629a7 100644
--- a/ansible-5/roles/k3s/defaults/main.yml
+++ b/ansible-5/roles/k3s/defaults/main.yml
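Review bot: The version is spliced straight into the shell command line as `INSTALL_K3S_VERSION={{k3s_version}}+k3s1`, so the value passes through shell word-splitting and the task-level `environment:` keyword is the idiomatic place for it: keep `cmd: sh -s --` and add `environment: { INSTALL_K3S_VERSION: "{{ k3s_version }}+k3s1" }` on the task. The pin covers the k3s binary that the installer fetches, not the installer script itself, which arrives via `k3s_installer.content` from a fetch outside this hunk; if that fetch carries no checksum it is the remaining unverified input on the install path, and a comment here saying so (or pointing at where it is verified) would help the next reader. Since the new include in tasks/main.yml also runs this task for upgrades, a comment above `cmd:` noting that it is reused for the upgrade path is warranted. The task definition starts outside the hunk.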
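Review bot: The second `include_tasks: install.yml` duplicates the one two lines above with a different guard, and with `k3s_upgrade` undefined the `when: k3s_upgrade == true` check aborts the play (the missing default is raised on the k3s defaults hunk in this patch); a single include with a combined guard, `when: not k3s_service.stat.exists or (k3s_upgrade | default(false) | bool)`, keeps one install path. Both includes run before the `Start service k3s` task, so the upgrade path still reaches the service handling; whether the installer itself restarts k3s is not visible here.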
@@ -1,5 +1,5 @@
 ---
 # default values for prod.k3s
 kube_context: home
-k3s_version: "v1.31.11"
+k3s_version: "v1.33.3"
From 7e425fa1c04b1191d7e519d7c2e15b78e71d9bde Mon Sep 17 00:00:00 2001
From: richard
Date: Sat, 16 Aug 2025 22:24:19 -0400
Subject: [PATCH 6/7] add values file for metallb

---
 ansible-5/roles/k3s/defaults/main.yml | 1 +
 .../roles/prod.k3s/files/metallb/values.yaml | 387 ++++++++++++++++++
 2 files changed, 388 insertions(+)

diff --git a/ansible-5/roles/k3s/defaults/main.yml b/ansible-5/roles/k3s/defaults/main.yml
index 8e629a7..33ecaed 100644
--- a/ansible-5/roles/k3s/defaults/main.yml
+++ b/ansible-5/roles/k3s/defaults/main.yml
@@ -1,5 +1,6 @@
 ---
 # default values for prod.k3s
+# https://github.com/rancher/system-agent-installer-k3s/releases?page=1
 kube_context: home
 k3s_version: "v1.33.3"
diff --git a/ansible-5/roles/prod.k3s/files/metallb/values.yaml b/ansible-5/roles/prod.k3s/files/metallb/values.yaml
index e69de29..32a6f24 100644
--- a/ansible-5/roles/prod.k3s/files/metallb/values.yaml
+++ b/ansible-5/roles/prod.k3s/files/metallb/values.yaml
@@ -0,0 +1,387 @@ +# Default values for metallb. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" +loadBalancerClass: "" + +# To configure MetalLB, you must specify ONE of the following two +# options. + +rbac: + # create specifies whether to install and use RBAC rules. + create: true + +prometheus: + # scrape annotations specifies whether to add Prometheus metric + # auto-collection annotations to pods. See + # https://github.com/prometheus/prometheus/blob/release-2.1/documentation/examples/prometheus-kubernetes.yml + # for a corresponding Prometheus configuration. Alternatively, you + # may want to use the Prometheus Operator + # (https://github.com/coreos/prometheus-operator) for more powerful + # monitoring configuration. If you use the Prometheus operator, this + # can be left at false. + scrapeAnnotations: false + + # port both controller and speaker will listen on for metrics + metricsPort: 7472 + + # if set, enables rbac proxy on the controller and speaker to expose + # the metrics via tls. + # secureMetricsPort: 9120 + + # the name of the secret to be mounted in the speaker pod + # to expose the metrics securely. If not present, a self signed + # certificate to be used. + speakerMetricsTLSSecret: "" + + # the name of the secret to be mounted in the controller pod + # to expose the metrics securely. If not present, a self signed + # certificate to be used. 
+ controllerMetricsTLSSecret: "" + + # prometheus doesn't have the permission to scrape all namespaces so we give it permission to scrape metallb's one + rbacPrometheus: true + + # the service account used by prometheus + # required when " .Values.prometheus.rbacPrometheus == true " and " .Values.prometheus.podMonitor.enabled=true or prometheus.serviceMonitor.enabled=true " + serviceAccount: "" + + # the namespace where prometheus is deployed + # required when " .Values.prometheus.rbacPrometheus == true " and " .Values.prometheus.podMonitor.enabled=true or prometheus.serviceMonitor.enabled=true " + namespace: "" + + # the image to be used for the kuberbacproxy container + rbacProxy: + repository: gcr.io/kubebuilder/kube-rbac-proxy + tag: v0.12.0 + pullPolicy: + + # Prometheus Operator PodMonitors + podMonitor: + # enable support for Prometheus Operator + enabled: false + + # optional additional labels for podMonitors + additionalLabels: {} + + # optional annotations for podMonitors + annotations: {} + + # Job label for scrape target + jobLabel: "app.kubernetes.io/name" + + # Scrape interval. If not set, the Prometheus default scrape interval is used. + interval: + + # metric relabel configs to apply to samples before ingestion. + metricRelabelings: [] + # - action: keep + # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + # sourceLabels: [__name__] + + # relabel configs to apply to samples before ingestion. + relabelings: [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^(.*)$ + # target_label: nodename + # replacement: $1 + # action: replace + + # Prometheus Operator ServiceMonitors. To be used as an alternative + # to podMonitor, supports secure metrics. 
+ serviceMonitor: + # enable support for Prometheus Operator + enabled: false + + speaker: + # optional additional labels for the speaker serviceMonitor + additionalLabels: {} + # optional additional annotations for the speaker serviceMonitor + annotations: {} + # optional tls configuration for the speaker serviceMonitor, in case + # secure metrics are enabled. + tlsConfig: + insecureSkipVerify: true + + controller: + # optional additional labels for the controller serviceMonitor + additionalLabels: {} + # optional additional annotations for the controller serviceMonitor + annotations: {} + # optional tls configuration for the controller serviceMonitor, in case + # secure metrics are enabled. + tlsConfig: + insecureSkipVerify: true + + # Job label for scrape target + jobLabel: "app.kubernetes.io/name" + + # Scrape interval. If not set, the Prometheus default scrape interval is used. + interval: + + # metric relabel configs to apply to samples before ingestion. + metricRelabelings: [] + # - action: keep + # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + # sourceLabels: [__name__] + + # relabel configs to apply to samples before ingestion. + relabelings: [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^(.*)$ + # target_label: nodename + # replacement: $1 + # action: replace + + # Prometheus Operator alertmanager alerts + prometheusRule: + # enable alertmanager alerts + enabled: false + + # optional additional labels for prometheusRules + additionalLabels: {} + + # optional annotations for prometheusRules + annotations: {} + + # MetalLBStaleConfig + staleConfig: + enabled: true + labels: + severity: warning + + # MetalLBConfigNotLoaded + configNotLoaded: + enabled: true + labels: + severity: warning + + # MetalLBAddressPoolExhausted + addressPoolExhausted: + enabled: true + labels: + severity: critical + # Exclude the pools matching the regular expression from triggering the alert. 
+ excludePools: "" + + addressPoolUsage: + enabled: true + thresholds: + - percent: 75 + labels: + severity: warning + - percent: 85 + labels: + severity: warning + - percent: 95 + labels: + severity: critical + # Exclude the pools matching the regular expression from triggering the alert. + excludePools: "" + + # MetalLBBGPSessionDown + bgpSessionDown: + enabled: true + labels: + severity: critical + + extraAlerts: [] + +# controller contains configuration specific to the MetalLB cluster +# controller. +controller: + enabled: true + # -- Controller log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none` + logLevel: info + # command: /controller + webhookMode: enabled + image: + repository: quay.io/metallb/controller + tag: + pullPolicy: + ## @param controller.updateStrategy.type Metallb controller deployment strategy type. + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + ## e.g: + ## strategy: + ## type: RollingUpdate + ## rollingUpdate: + ## maxSurge: 25% + ## maxUnavailable: 25% + ## + strategy: + type: RollingUpdate + serviceAccount: + # Specifies whether a ServiceAccount should be created + create: true + # The name of the ServiceAccount to use. 
If not set and create is + # true, a name is generated using the fullname template + name: "" + annotations: {} + securityContext: + runAsNonRoot: true + # nobody + runAsUser: 65534 + fsGroup: 65534 + resources: {} + # limits: + # cpu: 100m + # memory: 100Mi + nodeSelector: {} + tolerations: [] + priorityClassName: "" + runtimeClassName: "" + affinity: {} + podAnnotations: {} + labels: {} + livenessProbe: + enabled: true + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + enabled: true + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + tlsMinVersion: "VersionTLS12" + tlsCipherSuites: "" + + extraContainers: [] + +# speaker contains configuration specific to the MetalLB speaker +# daemonset. +speaker: + enabled: true + # command: /speaker + # -- Speaker log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none` + logLevel: info + tolerateMaster: true + memberlist: + # -- When enabled: false, the speaker pods must run on all nodes + enabled: true + mlBindPort: 7946 + mlBindAddrOverride: "" + mlSecretKeyPath: "/etc/ml_secret_key" + excludeInterfaces: + enabled: true + # ignore the exclude-from-external-loadbalancer label + ignoreExcludeLB: false + + image: + repository: quay.io/metallb/speaker + tag: + pullPolicy: + ## @param speaker.updateStrategy.type Speaker daemonset strategy type + ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + ## + updateStrategy: + ## StrategyType + ## Can be set to RollingUpdate or OnDelete + ## + type: RollingUpdate + serviceAccount: + # Specifies whether a ServiceAccount should be created + create: true + # The name of the ServiceAccount to use. 
If not set and create is + # true, a name is generated using the fullname template + name: "" + annotations: {} + securityContext: {} + ## Defines a secret name for the controller to generate a memberlist encryption secret + ## By default secretName: {{ "metallb.fullname" }}-memberlist + ## + # secretName: + resources: {} + # limits: + # cpu: 100m + # memory: 100Mi + nodeSelector: {} + tolerations: [] + priorityClassName: "" + affinity: {} + ## Selects which runtime class will be used by the pod. + runtimeClassName: "" + podAnnotations: {} + labels: {} + livenessProbe: + enabled: true + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + enabled: true + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + startupProbe: + enabled: true + failureThreshold: 30 + periodSeconds: 5 + # frr contains configuration specific to the MetalLB FRR container, + # for speaker running alongside FRR. + frr: + enabled: true + image: + repository: quay.io/frrouting/frr + tag: 9.1.0 + pullPolicy: + metricsPort: 7473 + resources: {} + + # if set, enables a rbac proxy sidecar container on the speaker to + # expose the frr metrics via tls. + # secureMetricsPort: 9121 + + + reloader: + resources: {} + + frrMetrics: + resources: {} + + initContainers: + cpFrrFiles: + resources: {} + cpReloader: + resources: {} + cpMetrics: + resources: {} + + extraContainers: [] + +crds: + enabled: true + validationFailurePolicy: Fail + +# frrk8s contains the configuration related to using an frrk8s instance +# (github.com/metallb/frr-k8s) as the backend for the BGP implementation. +# This allows configuring additional frr parameters in combination to those +# applied by MetalLB. +frrk8s: + # if set, enables frrk8s as a backend. This is mutually exclusive to frr + # mode. 
+ enabled: false
+ external: false
+ namespace: ""
+
+ # networkpolicies
+ networkpolicies:
+ # if set, networkpolicies for metallb components will be installed in the metallb namespace
+ enabled: false
+ # if set, a default deny network policy will be installed in the metallb namespace
+ defaultDeny: false
+ # to override internal k8s api targetPort
+ apiPort: 6443
\ No newline at end of file
From 83a091f7c9ea7e579b5105df8d83295e5875ef89 Mon Sep 17 00:00:00 2001
From: richard
Date: Sun, 17 Aug 2025 22:56:42 -0400
Subject: [PATCH 7/7] gitea ssh support on 30022

---
 ansible-5/roles/prod.k3s/defaults/main.yml | 2 +-
 ansible-5/roles/prod.k3s/files/gitea/values.yaml | 16 ++++++++++++----
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/ansible-5/roles/prod.k3s/defaults/main.yml b/ansible-5/roles/prod.k3s/defaults/main.yml
index 44fc111..50ce291 100644
--- a/ansible-5/roles/prod.k3s/defaults/main.yml
+++ b/ansible-5/roles/prod.k3s/defaults/main.yml
@@ -116,4 +116,4 @@ apps:
 metallb:
 enabled: true
 namespace: metallb-system
- state: present
\ No newline at end of file
+ state: absent
\ No newline at end of file
diff --git a/ansible-5/roles/prod.k3s/files/gitea/values.yaml b/ansible-5/roles/prod.k3s/files/gitea/values.yaml
index ae32772..fd583d6 100644
--- a/ansible-5/roles/prod.k3s/files/gitea/values.yaml
+++ b/ansible-5/roles/prod.k3s/files/gitea/values.yaml
@@ -42,17 +42,25 @@ redis-cluster:
 enabled: true
 service:
- ssh:
- port: 10022
+ http:
 type: ClusterIP
-# clusterIP:
+ port: 3000
+ clusterIP:
+ ssh:
+ port: 30022
+ nodePort: 30022
+ type: LoadBalancer
+ clusterIP:
+# externalTrafficPolicy: Local
+# hostPort: 10022
+
 gitea:
 config:
 APP_NAME: "Gitea: With a cup of tea, for 2."
 server:
 ROOT_URL: https://git.xai-corp.net
- SSH_PORT: 10022
+ SSH_PORT: 30022
 START_SSH_SERVER: true
 database:
 HOST: mysql:3306
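Review bot: The file appears to be an unmodified copy of the chart's own default values (its header still reads "Default values for metallb") rather than only the settings this deployment changes, so every key in it — including the image pins visible in the hunk, `rbacProxy.tag: v0.12.0` and `frr.image.tag: 9.1.0`, and `crds.validationFailurePolicy: Fail` — now overrides whatever a future chart release ships, and a later chart bump in the helm task will silently keep these older images. Trim it to the overrides actually needed, or at minimum add a header comment naming the chart version these defaults were copied from so they can be re-synced when the chart moves. `speaker.securityContext: {}` is left empty while the controller section sets `runAsNonRoot: true` and `runAsUser: 65534`; that is how upstream ships it, but a comment saying the asymmetry is deliberate would stop it being "fixed" by accident.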
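Review bot: `state: absent` under `metallb:` with `enabled: true` left in place means the role still includes deployments/metallb.yaml and the helm task now uninstalls the release on every run, which the commit title `gitea ssh support on 30022` does not mention; if MetalLB is being dropped, say so in the commit and set `enabled: false` as well, and if it is only parked, a comment such as `# absent: MetalLB uninstalled; Gitea's LoadBalancer service is served by the cluster's built-in LB` (confirm which) records the reason. The gitea values in this same patch switch the SSH service to `type: LoadBalancer`, so something other than MetalLB has to satisfy that service once this is absent; the k3s install hunk in patch 3 passes no flags that disable k3s's bundled service load balancer, which presumably is what fills the gap, and that dependency deserves stating here. The file still ends without a trailing newline.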
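Review bot: `type: LoadBalancer` on the `ssh` service leaves `externalTrafficPolicy` at its default (the `# externalTrafficPolicy: Local` line stays commented out), so SSH connections reach Gitea source-NATed to a node address and its logs, and anything that rate-limits or bans by client IP, see the node rather than the client; set `externalTrafficPolicy: Local` if the load balancer in use supports it, or leave a comment saying why not. The two bare `clusterIP:` keys parse as null; if the intent is to let the chart allocate, drop them or write `clusterIP: ""` so a reader does not take them for an unfinished edit. `port`, `nodePort` and `SSH_PORT` now all carry 30022, and a one-line comment above `ssh:` saying the three must stay in sync would keep one from drifting. The `redis-cluster:` and `database:` sections the hunk touches continue outside it.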