xai-corp.net/provisioning
1
0
Fork 0
Code Issues 9 Releases Activity

Merge remote-tracking branch 'origin/master'

Browse Source
This commit is contained in:
richard
2025-08-19 08:48:25 -04:00
parent f337af02b4 83a091f7c9
commit 56173cf2f1
9 changed files with 478 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
ansible-5/playbooks/kube-cluster-update.yaml Normal file
View File

@@ -0,0 +1,10 @@
---
- name: ping
hosts: kube
gather_facts: true
roles:
- role: k3s
become: true
vars:
k3s_upgrade: true

6
ansible-5/roles/k3s/defaults/main.yml Normal file
View File

@@ -0,0 +1,6 @@
---
# default values for prod.k3s
# https://github.com/rancher/system-agent-installer-k3s/releases?page=1
kube_context: home
k3s_version: "v1.33.3"

3
ansible-5/roles/k3s/tasks/install.yml
View File

@@ -1,4 +1,5 @@
---
# install k3s
- name: Install required packages
apt:
@@ -20,7 +21,7 @@
async: 300
poll: 10
ansible.builtin.shell:
cmd: sh -s --
cmd: INSTALL_K3S_VERSION={{k3s_version}}+k3s1 sh -s --
stdin: "{{ k3s_installer.content }}"
#- name: Setup bash completion

3
ansible-5/roles/k3s/tasks/main.yml
View File

@@ -9,6 +9,9 @@
- include_tasks: install.yml
when: not k3s_service.stat.exists
- include_tasks: install.yml
when: k3s_upgrade == true
- name: Start service k3s, if not started
ansible.builtin.service:
name: k3s

5
ansible-5/roles/prod.k3s/defaults/main.yml
View File

@@ -112,3 +112,8 @@ apps:
enabled: false
namespace: backstage
state: present
metallb:
enabled: true
namespace: metallb-system
state: absent

16
ansible-5/roles/prod.k3s/files/gitea/values.yaml
View File

@@ -42,17 +42,25 @@ redis-cluster:
enabled: true
service:
ssh:
port: 10022
http:
type: ClusterIP
# clusterIP:
port: 3000
clusterIP:
ssh:
port: 30022
nodePort: 30022
type: LoadBalancer
clusterIP:
# externalTrafficPolicy: Local
# hostPort: 10022
gitea:
config:
APP_NAME: "Gitea: With a cup of tea, for 2."
server:
ROOT_URL: https://git.xai-corp.net
SSH_PORT: 10022
SSH_PORT: 30022
START_SSH_SERVER: true
database:
HOST: mysql:3306

387
ansible-5/roles/prod.k3s/files/metallb/values.yaml Normal file
View File

@@ -0,0 +1,387 @@
# Default values for metallb.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
loadBalancerClass: ""
# To configure MetalLB, you must specify ONE of the following two
# options.
rbac:
# create specifies whether to install and use RBAC rules.
create: true
prometheus:
# scrape annotations specifies whether to add Prometheus metric
# auto-collection annotations to pods. See
# https://github.com/prometheus/prometheus/blob/release-2.1/documentation/examples/prometheus-kubernetes.yml
# for a corresponding Prometheus configuration. Alternatively, you
# may want to use the Prometheus Operator
# (https://github.com/coreos/prometheus-operator) for more powerful
# monitoring configuration. If you use the Prometheus operator, this
# can be left at false.
scrapeAnnotations: false
# port both controller and speaker will listen on for metrics
metricsPort: 7472
# if set, enables rbac proxy on the controller and speaker to expose
# the metrics via tls.
# secureMetricsPort: 9120
# the name of the secret to be mounted in the speaker pod
# to expose the metrics securely. If not present, a self signed
# certificate to be used.
speakerMetricsTLSSecret: ""
# the name of the secret to be mounted in the controller pod
# to expose the metrics securely. If not present, a self signed
# certificate to be used.
controllerMetricsTLSSecret: ""
# prometheus doesn't have the permission to scrape all namespaces so we give it permission to scrape metallb's one
rbacPrometheus: true
# the service account used by prometheus
# required when " .Values.prometheus.rbacPrometheus == true " and " .Values.prometheus.podMonitor.enabled=true or prometheus.serviceMonitor.enabled=true "
serviceAccount: ""
# the namespace where prometheus is deployed
# required when " .Values.prometheus.rbacPrometheus == true " and " .Values.prometheus.podMonitor.enabled=true or prometheus.serviceMonitor.enabled=true "
namespace: ""
# the image to be used for the kuberbacproxy container
rbacProxy:
repository: gcr.io/kubebuilder/kube-rbac-proxy
tag: v0.12.0
pullPolicy:
# Prometheus Operator PodMonitors
podMonitor:
# enable support for Prometheus Operator
enabled: false
# optional additional labels for podMonitors
additionalLabels: {}
# optional annotations for podMonitors
annotations: {}
# Job label for scrape target
jobLabel: "app.kubernetes.io/name"
# Scrape interval. If not set, the Prometheus default scrape interval is used.
interval:
# metric relabel configs to apply to samples before ingestion.
metricRelabelings: []
# - action: keep
# regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
# sourceLabels: [__name__]
# relabel configs to apply to samples before ingestion.
relabelings: []
# - sourceLabels: [__meta_kubernetes_pod_node_name]
# separator: ;
# regex: ^(.*)$
# target_label: nodename
# replacement: $1
# action: replace
# Prometheus Operator ServiceMonitors. To be used as an alternative
# to podMonitor, supports secure metrics.
serviceMonitor:
# enable support for Prometheus Operator
enabled: false
speaker:
# optional additional labels for the speaker serviceMonitor
additionalLabels: {}
# optional additional annotations for the speaker serviceMonitor
annotations: {}
# optional tls configuration for the speaker serviceMonitor, in case
# secure metrics are enabled.
tlsConfig:
insecureSkipVerify: true
controller:
# optional additional labels for the controller serviceMonitor
additionalLabels: {}
# optional additional annotations for the controller serviceMonitor
annotations: {}
# optional tls configuration for the controller serviceMonitor, in case
# secure metrics are enabled.
tlsConfig:
insecureSkipVerify: true
# Job label for scrape target
jobLabel: "app.kubernetes.io/name"
# Scrape interval. If not set, the Prometheus default scrape interval is used.
interval:
# metric relabel configs to apply to samples before ingestion.
metricRelabelings: []
# - action: keep
# regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
# sourceLabels: [__name__]
# relabel configs to apply to samples before ingestion.
relabelings: []
# - sourceLabels: [__meta_kubernetes_pod_node_name]
# separator: ;
# regex: ^(.*)$
# target_label: nodename
# replacement: $1
# action: replace
# Prometheus Operator alertmanager alerts
prometheusRule:
# enable alertmanager alerts
enabled: false
# optional additional labels for prometheusRules
additionalLabels: {}
# optional annotations for prometheusRules
annotations: {}
# MetalLBStaleConfig
staleConfig:
enabled: true
labels:
severity: warning
# MetalLBConfigNotLoaded
configNotLoaded:
enabled: true
labels:
severity: warning
# MetalLBAddressPoolExhausted
addressPoolExhausted:
enabled: true
labels:
severity: critical
# Exclude the pools matching the regular expression from triggering the alert.
excludePools: ""
addressPoolUsage:
enabled: true
thresholds:
- percent: 75
labels:
severity: warning
- percent: 85
labels:
severity: warning
- percent: 95
labels:
severity: critical
# Exclude the pools matching the regular expression from triggering the alert.
excludePools: ""
# MetalLBBGPSessionDown
bgpSessionDown:
enabled: true
labels:
severity: critical
extraAlerts: []
# controller contains configuration specific to the MetalLB cluster
# controller.
controller:
enabled: true
# -- Controller log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none`
logLevel: info
# command: /controller
webhookMode: enabled
image:
repository: quay.io/metallb/controller
tag:
pullPolicy:
## @param controller.updateStrategy.type Metallb controller deployment strategy type.
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
## e.g:
## strategy:
## type: RollingUpdate
## rollingUpdate:
## maxSurge: 25%
## maxUnavailable: 25%
##
strategy:
type: RollingUpdate
serviceAccount:
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use. If not set and create is
# true, a name is generated using the fullname template
name: ""
annotations: {}
securityContext:
runAsNonRoot: true
# nobody
runAsUser: 65534
fsGroup: 65534
resources: {}
# limits:
# cpu: 100m
# memory: 100Mi
nodeSelector: {}
tolerations: []
priorityClassName: ""
runtimeClassName: ""
affinity: {}
podAnnotations: {}
labels: {}
livenessProbe:
enabled: true
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
enabled: true
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
tlsMinVersion: "VersionTLS12"
tlsCipherSuites: ""
extraContainers: []
# speaker contains configuration specific to the MetalLB speaker
# daemonset.
speaker:
enabled: true
# command: /speaker
# -- Speaker log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none`
logLevel: info
tolerateMaster: true
memberlist:
# -- When enabled: false, the speaker pods must run on all nodes
enabled: true
mlBindPort: 7946
mlBindAddrOverride: ""
mlSecretKeyPath: "/etc/ml_secret_key"
excludeInterfaces:
enabled: true
# ignore the exclude-from-external-loadbalancer label
ignoreExcludeLB: false
image:
repository: quay.io/metallb/speaker
tag:
pullPolicy:
## @param speaker.updateStrategy.type Speaker daemonset strategy type
## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/
##
updateStrategy:
## StrategyType
## Can be set to RollingUpdate or OnDelete
##
type: RollingUpdate
serviceAccount:
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use. If not set and create is
# true, a name is generated using the fullname template
name: ""
annotations: {}
securityContext: {}
## Defines a secret name for the controller to generate a memberlist encryption secret
## By default secretName: {{ "metallb.fullname" }}-memberlist
##
# secretName:
resources: {}
# limits:
# cpu: 100m
# memory: 100Mi
nodeSelector: {}
tolerations: []
priorityClassName: ""
affinity: {}
## Selects which runtime class will be used by the pod.
runtimeClassName: ""
podAnnotations: {}
labels: {}
livenessProbe:
enabled: true
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
enabled: true
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
startupProbe:
enabled: true
failureThreshold: 30
periodSeconds: 5
# frr contains configuration specific to the MetalLB FRR container,
# for speaker running alongside FRR.
frr:
enabled: true
image:
repository: quay.io/frrouting/frr
tag: 9.1.0
pullPolicy:
metricsPort: 7473
resources: {}
# if set, enables a rbac proxy sidecar container on the speaker to
# expose the frr metrics via tls.
# secureMetricsPort: 9121
reloader:
resources: {}
frrMetrics:
resources: {}
initContainers:
cpFrrFiles:
resources: {}
cpReloader:
resources: {}
cpMetrics:
resources: {}
extraContainers: []
crds:
enabled: true
validationFailurePolicy: Fail
# frrk8s contains the configuration related to using an frrk8s instance
# (github.com/metallb/frr-k8s) as the backend for the BGP implementation.
# This allows configuring additional frr parameters in combination to those
# applied by MetalLB.
frrk8s:
# if set, enables frrk8s as a backend. This is mutually exclusive to frr
# mode.
enabled: false
external: false
namespace: ""
# networkpolicies
networkpolicies:
# if set, networkpolicies for metallb components will be installed in the metallb namespace
enabled: false
# if set, a default deny network policy will be installed in the metallb namespace
defaultDeny: false
# to override internal k8s api targetPort
apiPort: 6443

48
ansible-5/roles/prod.k3s/tasks/deployments/metallb.yaml Normal file
View File

@@ -0,0 +1,48 @@
---
# deployment tasks for MetalLB
# https://metallb.io/installation/
#- name: Create a namespace for funkwhale
# k8s:
# kubeconfig: "/etc/rancher/k3s/k3s.yaml"
# name: "{{apps.funkwhale.namespace}}"
# api_version: v1
# kind: Namespace
# state: "{{apps.funkwhale.state}}"
# become: true
#
#- name: create persistent volume resources
# kubernetes.core.k8s:
# kubeconfig: "/etc/rancher/k3s/k3s.yaml"
# state: "{{apps.funkwhale.state}}"
# definition: "{{ lookup('template', item) | from_yaml }}"
# loop:
# - funkwhale/pv.yaml
# - funkwhale/pv-claim.yaml
# become: true
- name: Install MetalLB chart
block:
- name: Add MetaLB chart helm repo
local_action:
module: kubernetes.core.helm_repository
name: metallb
repo_url: https://metallb.github.io/metallb
- name: load variables files/metallb/values.yaml
ansible.builtin.include_vars:
file: files/metallb/values.yaml
name: release_values
- name: Install MetalLB Release
local_action:
module: kubernetes.core.helm
release_state: "{{apps.metallb.state}}"
name: metallb
namespace: "{{apps.metallb.namespace}}"
create_namespace: yes
update_repo_cache: True
chart_ref: metallb/metallb
values: "{{release_values}}"
wait: true

5
ansible-5/roles/prod.k3s/tasks/main.yml
View File

@@ -54,6 +54,11 @@
- name: deploy backstage
include_tasks: deployments/backstage.yaml
when: apps.backstage.enabled
- name: deploy metallb
include_tasks: deployments/metallb.yaml
when: apps.metallb.enabled
#-----------------------------------------------------
#- include_tasks: mariadb.yaml
#