author | Christian Pointner <equinox@spreadspace.org> | 2020-06-20 19:39:23 +0200 |
---|---|---|
committer | Christian Pointner <equinox@spreadspace.org> | 2020-06-20 19:39:23 +0200 |
commit | 954d477be41072cf8a8a4260a8fe46f66674c117 (patch) | |
tree | b5102e0d8f06088fb2c58072a63b31568ed9ced4 /roles/kubernetes/kubeadm/base/tasks | |
parent | add ch-equinox-ws to managment vlan (diff) | |
parent | kubernetes: add network-plugin kube-router (diff) |
Merge branch 'topic/kubernetes-network-plugins'
Diffstat (limited to 'roles/kubernetes/kubeadm/base/tasks')
4 files changed, 120 insertions, 13 deletions
diff --git a/roles/kubernetes/kubeadm/base/tasks/main.yml b/roles/kubernetes/kubeadm/base/tasks/main.yml
index 2d2bd324..7d882f31 100644
--- a/roles/kubernetes/kubeadm/base/tasks/main.yml
+++ b/roles/kubernetes/kubeadm/base/tasks/main.yml
@@ -3,7 +3,7 @@
 apt:
 name:
 - haproxy
- - hatop
+ - haproxyctl
 - "kubeadm={{ kubernetes_version }}-00"
 - "kubectl={{ kubernetes_version }}-00"
 state: present
@@ -48,16 +48,13 @@
 state: "{% if haproxy_config is changed %}restarted{% else %}started{% endif %}"
 enabled: yes
 
-- name: add hatop config for shells
- loop:
- - zsh
- - bash
- blockinfile:
- path: "/root/.{{ item }}rc"
- create: yes
- marker: "### {mark} ANSIBLE MANAGED BLOCK for hatop ###"
- content: |
- alias hatop="hatop -s /var/run/haproxy/admin.sock"
+## loading the modules temporarly because kubeadm will complain if they are not there
+# but i don't think it is necessary to make this persistent, also ignoring changes here
+- name: load module br_netfilter to satisfy kubeadm init/join
+ modprobe:
+ name: br_netfilter
+ state: present
+ changed_when: false
 
-# - name: prepare network plugin
-# include_tasks: "net_{{ kubernetes_network_plugin }}.yml"
+- name: prepare network plugin
+ include_tasks: "net_{{ kubernetes_network_plugin }}.yml"
diff --git a/roles/kubernetes/kubeadm/base/tasks/net_kube-router.yml b/roles/kubernetes/kubeadm/base/tasks/net_kube-router.yml
new file mode 100644
index 00000000..246b20bc
--- /dev/null
+++ b/roles/kubernetes/kubeadm/base/tasks/net_kube-router.yml
@@ -0,0 +1,8 @@
+---
+- name: install packages needed for debugging kube-router
+ apt:
+ name:
+ - iptables
+ - ipvsadm
+ - ipset
+ state: present
diff --git a/roles/kubernetes/kubeadm/base/tasks/net_kubeguard.yml b/roles/kubernetes/kubeadm/base/tasks/net_kubeguard.yml
new file mode 100644
index 00000000..2d706a03
--- /dev/null
+++ b/roles/kubernetes/kubeadm/base/tasks/net_kubeguard.yml
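Review bot: The `br_netfilter` load in the second hunk is deliberately not persisted (the comment says so), but that means after a reboot the module is only present if something else, typically the container runtime creating a bridge, happens to pull it in, and `net.bridge.bridge-nf-call-iptables` — which kubeadm's preflight also looks at as far as I recall, and which any iptables-based kube-proxy/kube-router path relies on — has no effect while the module is absent. A one-line `copy` of `br_netfilter` into `/etc/modules-load.d/kubernetes.conf` next to the `modprobe` task makes the node state reproducible without hurting idempotency, and `changed_when: false` on the modprobe becomes unnecessary. Separately, `include_tasks: "net_{{ kubernetes_network_plugin }}.yml"` fails with an opaque file-not-found error for any unsupported value; an `assert` with `that: kubernetes_network_plugin in ['kubeguard', 'kube-router', 'none']` immediately before the include (the three `net_*.yml` files this commit ships) gives operators a clear message instead.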
@@ -0,0 +1,95 @@
+---
+- name: make sure kubernetes_network_plugin_replaces_kube_proxy is not set
+ when:
+ - kubernetes_network_plugin_variant != 'with-kube-router'
+ run_once: yes
+ assert:
+ msg: "kubeguard variant '{{ kubernetes_network_plugin_variant }}' can not replace kube-proxy please set kubernetes_network_plugin_replaces_kube_proxy to false or configure a differnt kubernetes_network_plugin_variant."
+ that:
+ - not kubernetes_network_plugin_replaces_kube_proxy
+
+
+- name: install wireguard
+ import_role:
+ name: wireguard/base
+
+- name: create network config directory
+ file:
+ name: /var/lib/kubeguard/
+ state: directory
+
+- name: install ifupdown script
+ template:
+ src: net_kubeguard/ifupdown.sh.j2
+ dest: /var/lib/kubeguard/ifupdown.sh
+ mode: 0755
+ # TODO: notify reload... this is unfortunately already to late because
+ # it must probably be brought down by the old version of the script
+
+- name: generate wireguard private key
+ shell: "umask 077; wg genkey > /var/lib/kubeguard/kubeguard-wg0.privatekey"
+ args:
+ creates: /var/lib/kubeguard/kubeguard-wg0.privatekey
+
+- name: fetch wireguard public key
+ shell: "wg pubkey < /var/lib/kubeguard/kubeguard-wg0.privatekey"
+ register: kubeguard_wireguard_pubkey
+ changed_when: false
+ check_mode: no
+
+- name: install systemd service unit for network interface
+ template:
+ src: net_kubeguard/interface.service.j2
+ dest: /etc/systemd/system/kubeguard-interface.service
+ # TODO: notify: reload???
+
+- name: make sure kubeguard interface service is started and enabled
+ systemd:
+ daemon_reload: yes
+ name: kubeguard-interface.service
+ state: started
+ enabled: yes
+
+- name: install systemd units for every kubeguard peer
+ loop: "{{ groups['_kubernetes_nodes_'] | difference(inventory_hostname) }}"
+ loop_control:
+ loop_var: peer
+ template:
+ src: net_kubeguard/peer.service.j2
+ dest: "/etc/systemd/system/kubeguard-peer-{{ peer }}.service"
+ # TODO: notify restart for peers that change...
+
+- name: make sure kubeguard peer services are started and enabled
+ loop: "{{ groups['_kubernetes_nodes_'] | difference(inventory_hostname) }}"
+ systemd:
+ daemon_reload: yes
+ name: "kubeguard-peer-{{ item }}.service"
+ state: started
+ enabled: yes
+
+- name: enable IPv4 forwarding
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: '1'
+ sysctl_set: yes
+ state: present
+ reload: yes
+
+- name: create cni config directory
+ file:
+ name: /etc/cni/net.d
+ state: directory
+
+- name: install cni config
+ template:
+ src: net_kubeguard/cni.json.j2
+ dest: /etc/cni/net.d/kubeguard.json
+
+- name: install packages needed for debugging kube-router
+ when: kubernetes_network_plugin_variant == 'with-kube-router'
+ apt:
+ name:
+ - iptables
+ - ipvsadm
+ - ipset
+ state: present
diff --git a/roles/kubernetes/kubeadm/base/tasks/net_none.yml b/roles/kubernetes/kubeadm/base/tasks/net_none.yml
new file mode 100644
index 00000000..0924c458
--- /dev/null
+++ b/roles/kubernetes/kubeadm/base/tasks/net_none.yml
@@ -0,0 +1,7 @@
+---
+- name: make sure kubernetes_network_plugin_replaces_kube_proxy is not set
+ run_once: yes
+ assert:
+ msg: "this network plugin can not replace kube-proxy please set kubernetes_network_plugin_replaces_kube_proxy to false."
+ that:
+ - not kubernetes_network_plugin_replaces_kube_proxy
|
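Review bot: `difference(inventory_hostname)` in both peer loops passes a bare string where the filter expects a list, so the self-exclusion does not do what it reads as: with a string on the right-hand side the element test degrades to a substring match (a node `k8s-1` is dropped on host `k8s-10`, leaving that tunnel without a peer unit), and on Ansible versions where the filter falls back to set arithmetic the string is split into characters and the host is never removed, yielding a `kubeguard-peer-<self>.service` pointing at itself. Wrap the host in a list in both tasks: `loop: "{{ groups['_kubernetes_nodes_'] | difference([inventory_hostname]) }}"`. Two smaller points: `mode: 0755` on the ifupdown template is an unquoted octal that yamllint flags and Ansible documents as error-prone, so write `mode: '0755'`; and while the private key is correctly created under `umask 077`, `/var/lib/kubeguard/` itself is created with the default directory mode, so adding `mode: '0700'` to that `file` task would keep the key's parent directory from being listable by unprivileged users.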