refactoring kubernetes roles

author: Christian Pointner <equinox@spreadspace.org> 2019-09-29 00:42:21 +0200
committer: Christian Pointner <equinox@spreadspace.org> 2019-10-10 19:27:38 +0200
commit: 98308448d40f3c07c4afd58cf41ba2ad6dfe7e23 (patch)
tree: cc81cae3a6d1810cded6c29cdf976bf64ad10661
parent: sk-torrent role (diff)
21 files changed, 188 insertions, 183 deletions
diff --git a/common/kubernetes.yml b/common/kubernetes.yml
index e0073c0e..311f3ebd 100644
--- a/common/kubernetes.yml
+++ b/common/kubernetes.yml
@@ -38,18 +38,19 @@
   hosts: _kubernetes_nodes_
   roles:
   - role: docker
+  - role: kubernetes/net/kubeguard
   - role: kubernetes/base
-  - role: kubernetes/net
+  - role: kubernetes/kubeadm/base
 
 - name: configure kubernetes master
   hosts: _kubernetes_masters_
   roles:
-  - role: kubernetes/master
+  - role: kubernetes/kubeadm/master
 
 - name: configure kubernetes non-master nodes
   hosts: _kubernetes_nodes_:!_kubernetes_masters_
   roles:
-  - role: kubernetes/node
+  - role: kubernetes/kubeadm/node
 
 ########
 - name: check for nodes to be removed
@@ -75,11 +76,11 @@
 
 - name: try to clean superflous nodes
   hosts: _kubernetes_nodes_remove_
-  vars:
-    kubernetes_remove_node: yes
   roles:
-  - role: kubernetes/node
-  - role: kubernetes/net
+  - role: kubernetes/kubeadm/reset
+  - role: kubernetes/net/kubeguard
+    vars:
+      kubeguard_remove_node: yes
 
 - name: remove node from api server
   hosts: _kubernetes_masters_
diff --git a/roles/kubernetes/base/tasks/main.yml b/roles/kubernetes/base/tasks/main.yml
index bf62f7d2..0b0be821 100644
--- a/roles/kubernetes/base/tasks/main.yml
+++ b/roles/kubernetes/base/tasks/main.yml
@@ -42,30 +42,20 @@
 - name: update apt cache
   meta: flush_handlers
 
-- name: install basic kubernetes components
+- name: install kubelet
   apt:
     name:
     - "kubelet{% if kubernetes.pkg_version is defined %}={{ kubernetes.pkg_version }}{% endif %}"
-    - "kubeadm{% if kubernetes.pkg_version is defined %}={{ kubernetes.pkg_version }}{% endif %}"
-    - "kubectl{% if kubernetes.pkg_version is defined %}={{ kubernetes.pkg_version }}{% endif %}"
     state: present
 
-- name: disable automatic upgrades for kubernetes components
+- name: disable automatic upgrades for kubelet
   when: kubernetes.pkg_version is defined
   loop:
   - kubelet
-  - kubeadm
-  - kubectl
   dpkg_selections:
     name: "{{ item }}"
     selection: hold
 
-- name: set kubelet node-ip
-  lineinfile:
-    name: "/etc/default/kubelet"
-    regexp: '^KUBELET_EXTRA_ARGS='
-    line: 'KUBELET_EXTRA_ARGS=--node-ip={{ kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, kubernetes.net_index[inventory_hostname]) | ipaddr(1) | ipaddr("address") }}'
-
 - name: add dummy group with gid 998
   group:
     name: app
@@ -77,15 +67,3 @@
     uid: 998
     group: app
     password: "!"
-
-- name: add kubectl/kubeadm completion for shells
-  loop:
-    - zsh
-    - bash
-  blockinfile:
-    path: "/root/.{{ item }}rc"
-    create: yes
-    marker: "### {mark} ANSIBLE MANAGED BLOCK for kubectl ###"
-    content: |
-      source <(kubectl completion {{ item }})
-      source <(kubeadm completion {{ item }})
diff --git a/roles/kubernetes/kubeadm/base/tasks/main.yml b/roles/kubernetes/kubeadm/base/tasks/main.yml
new file mode 100644
index 00000000..2d9b9eed
--- /dev/null
+++ b/roles/kubernetes/kubeadm/base/tasks/main.yml
@@ -0,0 +1,34 @@
+---
+- name: install kubeadm and kubectl
+  apt:
+    name:
+    - "kubeadm{% if kubernetes.pkg_version is defined %}={{ kubernetes.pkg_version }}{% endif %}"
+    - "kubectl{% if kubernetes.pkg_version is defined %}={{ kubernetes.pkg_version }}{% endif %}"
+    state: present
+
+- name: disable automatic upgrades for kubeadm and kubectl
+  when: kubernetes.pkg_version is defined
+  loop:
+  - kubeadm
+  - kubectl
+  dpkg_selections:
+    name: "{{ item }}"
+    selection: hold
+
+- name: set kubelet node-ip
+  lineinfile:
+    name: "/etc/default/kubelet"
+    regexp: '^KUBELET_EXTRA_ARGS='
+    line: 'KUBELET_EXTRA_ARGS=--node-ip={{ kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, kubernetes.net_index[inventory_hostname]) | ipaddr(1) | ipaddr("address") }}'
+
+- name: add kubectl/kubeadm completion for shells
+  loop:
+    - zsh
+    - bash
+  blockinfile:
+    path: "/root/.{{ item }}rc"
+    create: yes
+    marker: "### {mark} ANSIBLE MANAGED BLOCK for kubectl ###"
+    content: |
+      source <(kubectl completion {{ item }})
+      source <(kubeadm completion {{ item }})
diff --git a/roles/kubernetes/master/tasks/main.yml b/roles/kubernetes/kubeadm/master/tasks/main.yml
index 7cc6fe94..7cc6fe94 100644
--- a/roles/kubernetes/master/tasks/main.yml
+++ b/roles/kubernetes/kubeadm/master/tasks/main.yml
diff --git a/roles/kubernetes/master/templates/kubeadm-cluster.config.j2 b/roles/kubernetes/kubeadm/master/templates/kubeadm-cluster.config.j2
index 07c4dddd..07c4dddd 100644
--- a/roles/kubernetes/master/templates/kubeadm-cluster.config.j2
+++ b/roles/kubernetes/kubeadm/master/templates/kubeadm-cluster.config.j2
diff --git a/roles/kubernetes/node/tasks/add.yml b/roles/kubernetes/kubeadm/node/tasks/main.yml
index 9f0057f9..9f0057f9 100644
--- a/roles/kubernetes/node/tasks/add.yml
+++ b/roles/kubernetes/kubeadm/node/tasks/main.yml
diff --git a/roles/kubernetes/node/tasks/remove.yml b/roles/kubernetes/kubeadm/reset/tasks/main.yml
index a6d64c7d..a6d64c7d 100644
--- a/roles/kubernetes/node/tasks/remove.yml
+++ b/roles/kubernetes/kubeadm/reset/tasks/main.yml
diff --git a/roles/kubernetes/net/files/kubenet-interfaces.service b/roles/kubernetes/net/kubeguard/files/kubeguard-interfaces.service
index f27fb85b..f45df88a 100644
--- a/roles/kubernetes/net/files/kubenet-interfaces.service
+++ b/roles/kubernetes/net/kubeguard/files/kubeguard-interfaces.service
@@ -4,8 +4,8 @@ After=network.target
 
 [Service]
 Type=oneshot
-ExecStart=/var/lib/kubenet/ifupdown.sh up
-ExecStop=/var/lib/kubenet/ifupdown.sh down
+ExecStart=/var/lib/kubeguard/ifupdown.sh up
+ExecStop=/var/lib/kubeguard/ifupdown.sh down
 RemainAfterExit=yes
 
 [Install]
diff --git a/roles/kubernetes/net/filter_plugins/kubenet.py b/roles/kubernetes/net/kubeguard/filter_plugins/kubeguard.py
index c1312dd8..199ff14b 100644
--- a/roles/kubernetes/net/filter_plugins/kubenet.py
+++ b/roles/kubernetes/net/kubeguard/filter_plugins/kubeguard.py
@@ -24,7 +24,7 @@ def direct_net_zone(data, myname, peer):
 
 class FilterModule(object):
 
-    ''' Kubernetes Network Filters '''
+    ''' Kubeguard Network Filters '''
     filter_map = {
         'direct_net_zone': direct_net_zone,
     }
diff --git a/roles/kubernetes/net/handlers/main.yml b/roles/kubernetes/net/kubeguard/handlers/main.yml
index bb7fde2b..bb7fde2b 100644
--- a/roles/kubernetes/net/handlers/main.yml
+++ b/roles/kubernetes/net/kubeguard/handlers/main.yml
diff --git a/roles/kubernetes/net/kubeguard/meta/main.yml b/roles/kubernetes/net/kubeguard/meta/main.yml
new file mode 100644
index 00000000..5017b623
--- /dev/null
+++ b/roles/kubernetes/net/kubeguard/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+- role: wireguard
+  when: kubeguard_remove_node is not defined
diff --git a/roles/kubernetes/net/kubeguard/tasks/add.yml b/roles/kubernetes/net/kubeguard/tasks/add.yml
new file mode 100644
index 00000000..b604302b
--- /dev/null
+++ b/roles/kubernetes/net/kubeguard/tasks/add.yml
@@ -0,0 +1,103 @@
+---
+- name: create network config directory
+  file:
+    name: /var/lib/kubeguard/
+    state: directory
+
+- name: configure wireguard port
+  set_fact:
+    kubeguard_wireguard_port: "{{ kubernetes.wireguard_port | default(51820) }}"
+
+- name: install ifupdown script
+  template:
+    src: ifupdown.sh.j2
+    dest: /var/lib/kubeguard/ifupdown.sh
+    mode: 0755
+  # TODO: notify reload... this is unfortunately already to late because
+  #                        it must probably be brought down by the old version of the script
+
+- name: generate wireguard private key
+  shell: "umask 077; wg genkey > /var/lib/kubeguard/kube-wg0.privatekey"
+  args:
+    creates: /var/lib/kubeguard/kube-wg0.privatekey
+
+- name: fetch wireguard public key
+  shell: "wg pubkey < /var/lib/kubeguard/kube-wg0.privatekey"
+  register: kubeguard_wireguard_pubkey
+  changed_when: false
+  check_mode: no
+
+- name: install systemd service unit for network interfaces
+  copy:
+    src: kubeguard-interfaces.service
+    dest: /etc/systemd/system/kubeguard-interfaces.service
+  # TODO: notify: reload???
+
+- name: make sure kubeguard interfaces service is started and enabled
+  systemd:
+    daemon_reload: yes
+    name: kubeguard-interfaces.service
+    state: started
+    enabled: yes
+
+- name: get list of currently installed kubeguard peers
+  find:
+    path: /etc/systemd/system/
+    pattern: "kubeguard-peer-*.service"
+  register: kubeguard_peers_installed
+
+- name: compute list of peers to be added
+  set_fact:
+    kubeguard_peers_to_add: "{{ kubernetes_nodes | difference(inventory_hostname) }}"
+
+- name: compute list of peers to be removed
+  set_fact:
+    kubeguard_peers_to_remove: "{{ kubeguard_peers_installed.files | map(attribute='path') | map('replace', '/etc/systemd/system/kubeguard-peer-', '') | map('replace', '.service', '') | difference(kubeguard_peers_to_add) }}"
+
+- name: stop/disable systemd units for stale kubeguard peers
+  loop: "{{ kubeguard_peers_to_remove }}"
+  systemd:
+    name: "kubeguard-peer-{{ item }}.service"
+    state: stopped
+    enabled: no
+
+- name: remove systemd units for stale kubeguard peers
+  loop: "{{ kubeguard_peers_to_remove }}"
+  file:
+    name: "/etc/systemd/system/kubeguard-peer-{{ item }}.service"
+    state: absent
+
+- name: install systemd units for every kubeguard peer
+  loop: "{{ kubeguard_peers_to_add }}"
+  loop_control:
+    loop_var: peer
+  template:
+    src: kubeguard-peer.service.j2
+    dest: "/etc/systemd/system/kubeguard-peer-{{ peer }}.service"
+  # TODO: notify restart for peers that change...
+
+- name: make sure kubeguard peer services are started and enabled
+  loop: "{{ kubeguard_peers_to_add }}"
+  systemd:
+    daemon_reload: yes
+    name: "kubeguard-peer-{{ item }}.service"
+    state: started
+    enabled: yes
+
+- name: enable IPv4 forwarding
+  sysctl:
+    name: net.ipv4.ip_forward
+    value: 1
+    sysctl_set: yes
+    state: present
+    reload: yes
+
+- name: create cni config directory
+  file:
+    name: /etc/cni/net.d
+    state: directory
+
+- name: install cni config
+  template:
+    src: k8s.json.j2
+    dest: /etc/cni/net.d/k8s.json
diff --git a/roles/kubernetes/net/tasks/main.yml b/roles/kubernetes/net/kubeguard/tasks/main.yml
index 8aa7221e..0e87af11 100644
--- a/roles/kubernetes/net/tasks/main.yml
+++ b/roles/kubernetes/net/kubeguard/tasks/main.yml
@@ -1,8 +1,8 @@
 ---
 - name: add node to overlay network
   include_tasks: add.yml
-  when: kubernetes_remove_node is not defined
+  when: kubeguard_remove_node is not defined
 
 - name: remove node from overlay network
   include_tasks: remove.yml
-  when: kubernetes_remove_node is defined
+  when: kubeguard_remove_node is defined
diff --git a/roles/kubernetes/net/kubeguard/tasks/remove.yml b/roles/kubernetes/net/kubeguard/tasks/remove.yml
new file mode 100644
index 00000000..d24f9eff
--- /dev/null
+++ b/roles/kubernetes/net/kubeguard/tasks/remove.yml
@@ -0,0 +1,26 @@
+---
+- name: check if kubeguard interface service unit exists
+  stat:
+    path: /etc/systemd/system/kubeguard-interfaces.service
+  register: kubeguard_interface_unit
+
+- name: bring down kubeguard interface
+  systemd:
+    name: kubeguard-interfaces.service
+    state: stopped
+  when: kubeguard_interface_unit.stat.exists
+
+- name: gather list of all kubeguard related service units
+  find:
+    path: /etc/systemd/system/
+    patterns:
+      - "kubeguard-peer-*.service"
+      - kubeguard-interfaces.service
+  register: kubeguard_units_installed
+
+- name: remove all kubeguard related files and directories
+  loop: "{{ kubeguard_units_installed.files | map(attribute='path') | list | flatten | union(['/var/lib/kubeguard']) }}"
+  file:
+    path: "{{ item }}"
+    state: absent
+  notify: reload systemd
diff --git a/roles/kubernetes/net/templates/ifupdown.sh.j2 b/roles/kubernetes/net/kubeguard/templates/ifupdown.sh.j2
index 995d358b..87849ee9 100644
--- a/roles/kubernetes/net/templates/ifupdown.sh.j2
+++ b/roles/kubernetes/net/kubeguard/templates/ifupdown.sh.j2
@@ -2,7 +2,7 @@
 
 set -e
 
-CONF_D="/var/lib/kubenet/"
+CONF_D="/var/lib/kubeguard/"
 
 INET_IF="{{ ansible_default_ipv4.interface }}"
 
@@ -30,7 +30,7 @@ case "$1" in
     # bring up wireguard tunnel to other nodes
     ip link add dev "$TUN_IF" type wireguard
     ip addr add dev "$TUN_IF" "$TUN_IP_CIDR"
-    wg set "$TUN_IF" listen-port {{ kubenet_wireguard_port }} private-key "$CONF_D/$TUN_IF.privatekey"
+    wg set "$TUN_IF" listen-port {{ kubeguard_wireguard_port }} private-key "$CONF_D/$TUN_IF.privatekey"
     ip link set up dev "$TUN_IF"
 
     # make pods and service IPs reachable
diff --git a/roles/kubernetes/net/templates/k8s.json.j2 b/roles/kubernetes/net/kubeguard/templates/k8s.json.j2
index f457ed1c..f457ed1c 100644
--- a/roles/kubernetes/net/templates/k8s.json.j2
+++ b/roles/kubernetes/net/kubeguard/templates/k8s.json.j2
diff --git a/roles/kubernetes/net/templates/kubenet-peer.service.j2 b/roles/kubernetes/net/kubeguard/templates/kubeguard-peer.service.j2
index bee211af..54251caf 100644
--- a/roles/kubernetes/net/templates/kubenet-peer.service.j2
+++ b/roles/kubernetes/net/kubeguard/templates/kubeguard-peer.service.j2
@@ -1,8 +1,8 @@
 [Unit]
 Description=Kubernetes Network Peer {{ peer }}
 After=network.target
-Requires=kubenet-interfaces.service
-After=kubenet-interfaces.service
+Requires=kubeguard-interfaces.service
+After=kubeguard-interfaces.service
 
 {% set pod_net_peer = kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, kubernetes.net_index[peer]) -%}
 {% set direct_zone = kubernetes.direct_net_zones | direct_net_zone(inventory_hostname, peer) -%}
@@ -12,9 +12,9 @@ After=kubenet-interfaces.service
 {% set direct_ip_peer = kubernetes.direct_net_zones[direct_zone].transfer_net | ipaddr(kubernetes.net_index[peer]) %}
 {% else %}
 {% set tun_ip = kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, 0) | ipaddr(kubernetes.net_index[peer]) -%}
-{% set wg_pubkey = hostvars[peer].kubenet_wireguard_pubkey.stdout -%}
+{% set wg_pubkey = hostvars[peer].kubeguard_wireguard_pubkey.stdout -%}
 {% set wg_host = hostvars[peer].external_ip | default(hostvars[peer].ansible_default_ipv4.address) -%}
-{% set wg_port = hostvars[peer].kubenet_wireguard_port -%}
+{% set wg_port = hostvars[peer].kubeguard_wireguard_port -%}
 {% set wg_allowedips = (tun_ip | ipaddr('address')) + "/32," + pod_net_peer %}
 {% endif %}
 [Service]
diff --git a/roles/kubernetes/net/meta/main.yml b/roles/kubernetes/net/meta/main.yml
deleted file mode 100644
index a3d4d97b..00000000
--- a/roles/kubernetes/net/meta/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-dependencies:
-- role: wireguard
-  when: kubernetes_remove_node is not defined
diff --git a/roles/kubernetes/net/tasks/add.yml b/roles/kubernetes/net/tasks/add.yml
deleted file mode 100644
index 4fe7c5e2..00000000
--- a/roles/kubernetes/net/tasks/add.yml
+++ /dev/null
@@ -1,103 +0,0 @@
----
-- name: create network config directory
-  file:
-    name: /var/lib/kubenet/
-    state: directory
-
-- name: configure wireguard port
-  set_fact:
-    kubenet_wireguard_port: "{{ kubernetes.wireguard_port | default(51820) }}"
-
-- name: install ifupdown script
-  template:
-    src: ifupdown.sh.j2
-    dest: /var/lib/kubenet/ifupdown.sh
-    mode: 0755
-  # TODO: notify reload... this is unfortunately already to late because
-  #                        it must probably be brought down by the old version of the script
-
-- name: generate wireguard private key
-  shell: "umask 077; wg genkey > /var/lib/kubenet/kube-wg0.privatekey"
-  args:
-    creates: /var/lib/kubenet/kube-wg0.privatekey
-
-- name: fetch wireguard public key
-  shell: "wg pubkey < /var/lib/kubenet/kube-wg0.privatekey"
-  register: kubenet_wireguard_pubkey
-  changed_when: false
-  check_mode: no
-
-- name: install systemd service unit for network interfaces
-  copy:
-    src: kubenet-interfaces.service
-    dest: /etc/systemd/system/kubenet-interfaces.service
-  # TODO: notify: reload???
-
-- name: make sure kubenet interfaces service is started and enabled
-  systemd:
-    daemon_reload: yes
-    name: kubenet-interfaces.service
-    state: started
-    enabled: yes
-
-- name: get list of currently installed kubenet peers
-  find:
-    path: /etc/systemd/system/
-    pattern: "kubenet-peer-*.service"
-  register: kubenet_peers_installed
-
-- name: compute list of peers to be added
-  set_fact:
-    kubenet_peers_to_add: "{{ kubernetes_nodes | difference(inventory_hostname) }}"
-
-- name: compute list of peers to be removed
-  set_fact:
-    kubenet_peers_to_remove: "{{ kubenet_peers_installed.files | map(attribute='path') | map('replace', '/etc/systemd/system/kubenet-peer-', '') | map('replace', '.service', '') | difference(kubenet_peers_to_add) }}"
-
-- name: stop/disable systemd units for stale kubenet peers
-  loop: "{{ kubenet_peers_to_remove }}"
-  systemd:
-    name: "kubenet-peer-{{ item }}.service"
-    state: stopped
-    enabled: no
-
-- name: remove systemd units for stale kubenet peers
-  loop: "{{ kubenet_peers_to_remove }}"
-  file:
-    name: "/etc/systemd/system/kubenet-peer-{{ item }}.service"
-    state: absent
-
-- name: install systemd units for every kubenet peer
-  loop: "{{ kubenet_peers_to_add }}"
-  loop_control:
-    loop_var: peer
-  template:
-    src: kubenet-peer.service.j2
-    dest: "/etc/systemd/system/kubenet-peer-{{ peer }}.service"
-  # TODO: notify restart for peers that change...
-
-- name: make sure kubenet peer services are started and enabled
-  loop: "{{ kubenet_peers_to_add }}"
-  systemd:
-    daemon_reload: yes
-    name: "kubenet-peer-{{ item }}.service"
-    state: started
-    enabled: yes
-
-- name: enable IPv4 forwarding
-  sysctl:
-    name: net.ipv4.ip_forward
-    value: 1
-    sysctl_set: yes
-    state: present
-    reload: yes
-
-- name: create cni config directory
-  file:
-    name: /etc/cni/net.d
-    state: directory
-
-- name: install cni config
-  template:
-    src: k8s.json.j2
-    dest: /etc/cni/net.d/k8s.json
diff --git a/roles/kubernetes/net/tasks/remove.yml b/roles/kubernetes/net/tasks/remove.yml
deleted file mode 100644
index e74f42c1..00000000
--- a/roles/kubernetes/net/tasks/remove.yml
+++ /dev/null
@@ -1,26 +0,0 @@
----
-- name: check if kubenet interface service unit exists
-  stat:
-    path: /etc/systemd/system/kubenet-interfaces.service
-  register: kubenet_interface_unit
-
-- name: bring down kubenet interface
-  systemd:
-    name: kubenet-interfaces.service
-    state: stopped
-  when: kubenet_interface_unit.stat.exists
-
-- name: gather list of all kubenet related service units
-  find:
-    path: /etc/systemd/system/
-    patterns:
-      - "kubenet-peer-*.service"
-      - kubenet-interfaces.service
-  register: kubenet_units_installed
-
-- name: remove all kubenet related files and directories
-  loop: "{{ kubenet_units_installed.files | map(attribute='path') | list | flatten | union(['/var/lib/kubenet']) }}"
-  file:
-    path: "{{ item }}"
-    state: absent
-  notify: reload systemd
diff --git a/roles/kubernetes/node/tasks/main.yml b/roles/kubernetes/node/tasks/main.yml
deleted file mode 100644
index e29fbc29..00000000
--- a/roles/kubernetes/node/tasks/main.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-- name: add node cluster
-  include_tasks: add.yml
-  when: kubernetes_remove_node is not defined
-
-- name: remove node from cluster
-  include_tasks: remove.yml
-  when: kubernetes_remove_node is defined
author	Christian Pointner <equinox@spreadspace.org>	2019-09-29 00:42:21 +0200
committer	Christian Pointner <equinox@spreadspace.org>	2019-10-10 19:27:38 +0200
commit	98308448d40f3c07c4afd58cf41ba2ad6dfe7e23 (patch)
tree	cc81cae3a6d1810cded6c29cdf976bf64ad10661
parent	sk-torrent role (diff)