From 2ecd6ff7a3390d86f40f062b177fe9babd676f22 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sat, 20 Jun 2020 01:53:46 +0200
Subject: kubernetes: move kubeguard to kubeadm/base
---
 .../kubeadm/base/tasks/net_kubeguard.yml | 77 ++++++++++++++++++++++
 1 file changed, 77 insertions(+)
(limited to 'roles/kubernetes/kubeadm/base/tasks/net_kubeguard.yml')
diff --git a/roles/kubernetes/kubeadm/base/tasks/net_kubeguard.yml b/roles/kubernetes/kubeadm/base/tasks/net_kubeguard.yml
index 0924c458..8c5f5065 100644
--- a/roles/kubernetes/kubeadm/base/tasks/net_kubeguard.yml
+++ b/roles/kubernetes/kubeadm/base/tasks/net_kubeguard.yml
@@ -5,3 +5,80 @@
 msg: "this network plugin can not replace kube-proxy please set kubernetes_network_plugin_replaces_kube_proxy to false."
 that:
 - not kubernetes_network_plugin_replaces_kube_proxy
+
+
+- name: install wireguard
+ import_role:
+ name: wireguard/base
+
+- name: create network config directory
+ file:
+ name: /var/lib/kubeguard/
+ state: directory
+
+- name: install ifupdown script
+ template:
+ src: net_kubeguard/ifupdown.sh.j2
+ dest: /var/lib/kubeguard/ifupdown.sh
+ mode: 0755
+ # TODO: notify reload... this is unfortunately already to late because
+ # it must probably be brought down by the old version of the script
+
+- name: generate wireguard private key
+ shell: "umask 077; wg genkey > /var/lib/kubeguard/kube-wg0.privatekey"
+ args:
+ creates: /var/lib/kubeguard/kube-wg0.privatekey
+
+- name: fetch wireguard public key
+ shell: "wg pubkey < /var/lib/kubeguard/kube-wg0.privatekey"
+ register: kubeguard_wireguard_pubkey
+ changed_when: false
+ check_mode: no
+
+- name: install systemd service unit for network interfaces
+ template:
+ src: net_kubeguard/kubeguard-interfaces.service.j2
+ dest: /etc/systemd/system/kubeguard-interfaces.service
+ # TODO: notify: reload???
+
+- name: make sure kubeguard interfaces service is started and enabled
+ systemd:
+ daemon_reload: yes
+ name: kubeguard-interfaces.service
+ state: started
+ enabled: yes
+
+- name: install systemd units for every kubeguard peer
+ loop: "{{ groups['_kubernetes_nodes_'] | difference(inventory_hostname) }}"
+ loop_control:
+ loop_var: peer
+ template:
+ src: net_kubeguard/kubeguard-peer.service.j2
+ dest: "/etc/systemd/system/kubeguard-peer-{{ peer }}.service"
+ # TODO: notify restart for peers that change...
+
+- name: make sure kubeguard peer services are started and enabled
+ loop: "{{ groups['_kubernetes_nodes_'] | difference(inventory_hostname) }}"
+ systemd:
+ daemon_reload: yes
+ name: "kubeguard-peer-{{ item }}.service"
+ state: started
+ enabled: yes
+
+- name: enable IPv4 forwarding
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: '1'
+ sysctl_set: yes
+ state: present
+ reload: yes
+
+- name: create cni config directory
+ file:
+ name: /etc/cni/net.d
+ state: directory
+
+- name: install cni config
+ template:
+ src: net_kubeguard/k8s.json.j2
+ dest: /etc/cni/net.d/kubeguard.json
-- cgit v1.2.3
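Review bot: Both peer loops pass a bare string to `difference(inventory_hostname)`, but that filter takes a list as its second operand, so the current host is not reliably excluded: depending on the Ansible version the string is either substring-matched (a peer named `node1` vanishes from `node10`'s mesh) or treated as a set of characters (the host keeps a `kubeguard-peer-<self>` unit for itself). Wrap the operand in both tasks, `loop: "{{ groups['_kubernetes_nodes_'] | difference([inventory_hostname]) }}"`. Separately, `/var/lib/kubeguard/` ends up holding the WireGuard private key but is created with no explicit owner or mode, so its permissions follow the host umask; pin them with `owner: root`, `group: root`, `mode: "0700"` on the `create network config directory` task, and quote the script's `mode: "0755"` so YAML does not hand Ansible an integer. Nothing in the hunk removes `kubeguard-peer-*.service` units for hosts that leave `_kubernetes_nodes_`, so a decommissioned node's peer unit (presumably carrying its public key and allowed IPs) stays enabled until cleaned up by hand; a follow-up should disable and delete units whose peer is no longer in the group.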