diff --git a/ansible-5/roles/k3s/tasks/install.python_modules.yml b/ansible-5/roles/k3s/tasks/install.python_modules.yml new file mode 100644 index 0000000..dd018d3 --- /dev/null +++ b/ansible-5/roles/k3s/tasks/install.python_modules.yml @@ -0,0 +1,17 @@ +--- +# install the required python3 modules with pip + +- name: Install required packages for pip + apt: + name: "{{ item }}" + update_cache: yes + cache_valid_time: 3600 + state: latest + with_items: + - python3-pip + +- name: Install ansible kubernetes python packages + ansible.builtin.pip: + name: + - anisble + - kubernetes diff --git a/ansible-5/roles/k3s/tasks/main.yml b/ansible-5/roles/k3s/tasks/main.yml index b846314..15856a1 100644 --- a/ansible-5/roles/k3s/tasks/main.yml +++ b/ansible-5/roles/k3s/tasks/main.yml @@ -16,3 +16,5 @@ - include_tasks: install_helm.yml +#install required python modules +- include_tasks: install.python_modules.yml diff --git a/ansible-5/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2 b/ansible-5/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2 index 00a58a1..986d726 100644 --- a/ansible-5/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2 +++ b/ansible-5/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2 @@ -9,6 +9,7 @@ $TTL 1D xai-corp.net. IN NS ns.xai-corp.net. xai-corp.net. IN MX 0 mail.xai-corp.net. xai-corp.net. IN TXT "v=spf1 ip4:192.168.4.11/32 mx ptr mx:mail.xai-corp.net ~all" +xai-corp.net. IN A 192.168.4.11 ;mail IN A 192.168.4.12 gateway IN A 192.168.4.4 diff --git a/ansible-5/roles/prod.k3s/files/cert-manager/acme.issuer.prod.yaml b/ansible-5/roles/prod.k3s/files/cert-manager/acme.issuer.prod.yaml new file mode 100644 index 0000000..aca5c9f --- /dev/null +++ b/ansible-5/roles/prod.k3s/files/cert-manager/acme.issuer.prod.yaml 
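Review bot: The pip task installs `anisble`, a misspelling of `ansible`; pip resolves that name against the index exactly as written, so the task either fails or pulls in whatever unrelated package is registered under the near-miss name, which is the typosquatting exposure a pinned dependency list exists to prevent. Fix the name and pin both packages, e.g. `- ansible==<VERSION>` and `- kubernetes==<VERSION>`, so the SDK version on the host is reproducible. The apt task's `state: latest` with `update_cache: yes` upgrades `python3-pip` on every run; `state: present` plus `update_cache: true` is the conventional form, and `with_items` can become `loop`. Neither task carries `become: true`, so the file relies on the including play for privilege escalation — worth stating in the header comment.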
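Review bot: The new include is named `install.python_modules.yml` while its sibling on the context line is `install_helm.yml`; one separator style keeps the task files greppable, so `- include_tasks: install_python_modules.yml` with the new file renamed to match. The added comment also lacks the space after `#` that yamllint's comments rule expects: `# install required python modules`.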
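Review bot: Adding the apex `A` record changes zone data, but nothing in the hunk bumps the SOA serial; if the serial lives above this hunk (it is not visible here) and is not derived from a date or counter by the template, secondaries keep serving the old zone until it is incremented. The address `192.168.4.11` is the same host the SPF `ip4:` mechanism on the context line lists, so the apex and the outbound mail host are now the same machine; a zone comment makes that deliberate, `; apex A: same host as the SPF ip4 mechanism`. Since this template is the internal view (per its name), the public zone that an HTTP-01 solver's issuer would query needs its own matching records, and that file is not in this diff.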
@@ -0,0 +1,20 @@
+---
+#https://cert-manager.io/docs/configuration/acme/#creating-a-basic-acme-issuer
+
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-production
+spec:
+ acme:
+ email: r_morgan@sympatico.ca
+ server: https://acme-v02.api.letsencrypt.org/directory
+# disableAccountKeyGeneration: true
+ privateKeySecretRef:
+ # Secret resource that will be used to store the account's private key.
+ name: letsencrypt-production-issuer-account-key
+ # Add a single challenge solver, HTTP01
+ solvers:
+ - http01:
+ ingress:
+ class: traefik
diff --git a/ansible-5/roles/prod.k3s/files/cert-manager/acme.issuer.stg.yaml b/ansible-5/roles/prod.k3s/files/cert-manager/acme.issuer.stg.yaml
new file mode 100644
index 0000000..e8399f6
--- /dev/null
+++ b/ansible-5/roles/prod.k3s/files/cert-manager/acme.issuer.stg.yaml
@@ -0,0 +1,20 @@
+---
+#https://cert-manager.io/docs/configuration/acme/#creating-a-basic-acme-issuer
+
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-staging
+spec:
+ acme:
+ email: r_morgan@sympatico.ca
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+# disableAccountKeyGeneration: true
+ privateKeySecretRef:
+ # Secret resource that will be used to store the account's private key.
+ name: letsencrypt-staging-issuer-account-key
+ # Add a single challenge solver, HTTP01
+ solvers:
+ - http01:
+ ingress:
+ class: traefik
diff --git a/ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.prod.yaml b/ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.prod.yaml
new file mode 100644
index 0000000..ce6cdcf
--- /dev/null
+++ b/ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.prod.yaml
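Review bot: The ACME contact address `r_morgan@sympatico.ca` is hard-coded in a static file under `files/`, and the staging issuer in the next hunk repeats it verbatim in an otherwise identical body; rendering both from one template under `templates/` with the contact, the ACME `server` URL and the resource name as variables (e.g. `acme_email`) leaves a single place to change the contact and removes the duplication. Both manifests are `ClusterIssuer`s, which any namespace in the cluster can reference; in a single-tenant k3s setup that is a reasonable choice, but a comment stating it helps, e.g. `# ClusterIssuer: usable from every namespace; use a namespaced Issuer to restrict`. On recent cert-manager releases the `ingress.class` solver field is superseded by `ingressClassName`, and since `cert_manager.yml` installs the chart unpinned, which form applies depends on the version pulled — confirm against the installed release. The `#https://…` comment lines are missing the space after `#`.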
@@ -0,0 +1,32 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: xai-corp
+ namespace: default
+spec:
+ # Secret names are always required.
+ secretName: xai-corp-staging-tls
+ issuerRef:
+ name: letsencrypt-production
+ kind: ClusterIssuer
+ commonName: xai-corp.net
+ dnsNames:
+ - xai-corp.net
+ - git.xai-corp.net
+ - tunedb.xai-corp.net
+ - www.xai-corp.net
+ - xaibox.xai-corp.net
+ - sql.xai-corp.net
+ - cik.xai-corp.net
+ acme:
+ config:
+ - http01:
+ ingressClass: traefik
+ domains:
+ - xai-corp.net
+# - http01:
+# ingress: certs-ingress
+# domains:
+# - hello.xai-corp.net
+# - sql.xai-corp.net
diff --git a/ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.stg.yaml b/ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.stg.yaml
new file mode 100644
index 0000000..01239e9
--- /dev/null
+++ b/ansible-5/roles/prod.k3s/files/cert-manager/certificate.xai-corp.stg.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: xai-corp
+ namespace: default
+spec:
+ # Secret names are always required.
+ secretName: xai-corp-staging-tls
+ issuerRef:
+ name: letsencrypt-staging
+ kind: ClusterIssuer
+ commonName: xai-corp.net
+ dnsNames:
+ - xai-corp.net
+ - www.xai-corp.net
+ - sql.xai-corp.net
+ acme:
+ config:
+ - http01:
+ ingressClass: traefik
+ domains:
+ - xai-corp.net
+# - http01:
+# ingress: certs-ingress
+# domains:
+# - hello.xai-corp.net
+# - sql.xai-corp.net
diff --git a/ansible-5/roles/prod.k3s/tasks/cert_manager.yml b/ansible-5/roles/prod.k3s/tasks/cert_manager.yml
index e69de29..ede90aa 100644
--- a/ansible-5/roles/prod.k3s/tasks/cert_manager.yml
+++ b/ansible-5/roles/prod.k3s/tasks/cert_manager.yml
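Review bot: Both Certificate manifests (this hunk and the staging one that follows) use `metadata.name: xai-corp` in `namespace: default` with the same `secretName: xai-corp-staging-tls`, so the second `k8s` apply in `cert_manager.yml` overwrites the first — staging and production never coexist, and the production certificate lands in a Secret whose name says "staging". Give the production object its own name and secret, e.g. `name: xai-corp-prod` and `secretName: xai-corp-prod-tls`, or keep one Certificate and switch `issuerRef.name`. The `spec.acme.config` block is not part of the `cert-manager.io/v1` Certificate schema as far as I can tell (solver configuration lives on the Issuer in v1), so the API server prunes it or rejects the object depending on validation settings; dropping it together with the commented-out second solver makes the manifest reflect what is actually applied. The production request also covers seven names while staging covers three, so the staging run does not rehearse the production order.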
@@ -0,0 +1,34 @@
+---
+# https://cert-manager.io/docs/installation/helm/#installing-with-helm
+- name: install cert-manager
+ kubernetes.core.helm:
+ kubeconfig_path: "/etc/rancher/k3s/k3s.yaml"
+ atomic: true
+ name: cert-manager
+ chart_ref: jetstack/cert-manager
+ release_namespace: cert-manager
+ create_namespace: true
+ release_values:
+ installCRDs: true
+ become: true
+
+# create issuer
+- name: create let's encrypt issuers
+ kubernetes.core.k8s:
+ kubeconfig: "/etc/rancher/k3s/k3s.yaml"
+ state: present
+ definition: "{{ lookup('file', item) | from_yaml }}"
+ become: true
+ loop:
+ - 'cert-manager/acme.issuer.stg.yaml'
+ - 'cert-manager/acme.issuer.prod.yaml'
+
+- name: create let's encrypt certificates
+ kubernetes.core.k8s:
+ kubeconfig: "/etc/rancher/k3s/k3s.yaml"
+ state: present
+ definition: "{{ lookup('file', item) | from_yaml }}"
+ become: true
+ loop:
+ - 'cert-manager/certificate.xai-corp.stg.yaml'
+ - 'cert-manager/certificate.xai-corp.prod.yaml'
diff --git a/ansible-5/roles/prod.k3s/tasks/gluster.fstab.yml b/ansible-5/roles/prod.k3s/tasks/gluster.fstab.yml
new file mode 100644
index 0000000..f8d95c7
--- /dev/null
+++ b/ansible-5/roles/prod.k3s/tasks/gluster.fstab.yml
@@ -0,0 +1,12 @@
+---
+
+- name: Create glusterfs fstab entries
+ ansible.posix.mount:
+ path: "{{item.path}}"
+ src: "gluster:/{{item.name}}"
+ fstype: "glusterfs"
+ boot: false
+ opts: "direct-io-mode=disable,_netdev,x-systemd.automount 0 0"
+ state: "{{item.state}}"
+ with_items: "{{fstab.gluster}}"
+ become: true
diff --git a/ansible-5/roles/prod.k3s/tasks/main.yml b/ansible-5/roles/prod.k3s/tasks/main.yml
index f87f2a1..498c00e 100644
--- a/ansible-5/roles/prod.k3s/tasks/main.yml
+++ b/ansible-5/roles/prod.k3s/tasks/main.yml
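Review bot: The Helm install has no `chart_version`, so every run pulls whatever `jetstack/cert-manager` is current and `installCRDs: true` upgrades the CRDs along with it; pin it, `chart_version: "<CHART_VERSION>"`, so the cluster's cert-manager version is reproducible and upgrades are deliberate. `chart_ref: jetstack/cert-manager` also assumes the `jetstack` repository is already added on the node, but the `add_repos.yml` include is commented out in the `main.yml` hunk at the end of this diff, so on a fresh host this task fails before anything else runs; either restore that include or add a `kubernetes.core.helm_repository` task here with a comment naming the dependency. The kubeconfig path `/etc/rancher/k3s/k3s.yaml` is repeated in all three tasks; a role default such as `k3s_kubeconfig` keeps it in one place.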
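Review bot: The `opts` value ends in `0 0`, which look like the fstab dump and pass fields rather than mount options; `ansible.posix.mount` writes those from its own `dump` and `passno` parameters (both default `0`), so the generated line carries them twice and, for a mounted state, the extra tokens are handed to `mount -o` — confirm against the resulting `/etc/fstab` on a host before relying on it. The task is moved verbatim from `main.yml`, so this is pre-existing, but the include for this file is commented out in the `main.yml` hunk, leaving the new file unreferenced. Style-wise the Jinja expressions should read `{{ item.path }}`, and `with_items` can become `loop`.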
@@ -2,19 +2,13 @@ # provisioning services in k3s cluster # mount gluster -- name: Create glusterfs fstab entries - ansible.posix.mount: - path: "{{item.path}}" - src: "gluster:/{{item.name}}" - fstype: "glusterfs" - boot: false - opts: "direct-io-mode=disable,_netdev,x-systemd.automount 0 0" - state: "{{item.state}}" - with_items: "{{fstab.gluster}}" - become: true +#- include_tasks: gluster.fstab.yml # add helm repositories -- include_tasks: add_repos.yml +#- include_tasks: add_repos.yml + + +- include_tasks: cert_manager.yml # https://artifacthub.io/packages/helm/twuni/docker-registry #- name: Deploy latest version of docker-registry in dev-tools namespace
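Review bot: `#- include_tasks: add_repos.yml` disables the Helm repository setup while the newly included `cert_manager.yml` still installs `chart_ref: jetstack/cert-manager`, which needs that repository; either keep `- include_tasks: add_repos.yml` or make `cert_manager.yml` add the repository itself. Commenting out the gluster include also leaves the new `gluster.fstab.yml` in this commit unreferenced; if the mount is intentionally disabled, a short reason (`# disabled: <REASON>`) is clearer than a bare commented-out line. The two added blank lines before `- include_tasks: cert_manager.yml` can be reduced to one between stanzas.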