From 150911af46705be2e2b0726cfb6e0446b2c7a3d4 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Tue, 28 Apr 2020 22:56:12 +0200
Subject: kubeguard: split up role
---
 roles/kubernetes/net/kubeguard/tasks/add.yml | 107 ------------------------
 roles/kubernetes/net/kubeguard/tasks/main.yml | 3 -
 roles/kubernetes/net/kubeguard/tasks/remove.yml | 26 ------
 3 files changed, 136 deletions(-)
 delete mode 100644 roles/kubernetes/net/kubeguard/tasks/add.yml
 delete mode 100644 roles/kubernetes/net/kubeguard/tasks/main.yml
 delete mode 100644 roles/kubernetes/net/kubeguard/tasks/remove.yml
(limited to 'roles/kubernetes/net/kubeguard/tasks')
diff --git a/roles/kubernetes/net/kubeguard/tasks/add.yml b/roles/kubernetes/net/kubeguard/tasks/add.yml
deleted file mode 100644
index 0658b42c..00000000
--- a/roles/kubernetes/net/kubeguard/tasks/add.yml
+++ /dev/null
@@ -1,107 +0,0 @@
----
-- name: install wireguard
- import_role:
- name: wireguard/base
-
-- name: create network config directory
- file:
- name: /var/lib/kubeguard/
- state: directory
-
-- name: configure wireguard port
- set_fact:
- kubeguard_wireguard_port: "{{ kubernetes.wireguard_port | default(51820) }}"
-
-- name: install ifupdown script
- template:
- src: ifupdown.sh.j2
- dest: /var/lib/kubeguard/ifupdown.sh
- mode: 0755
- # TODO: notify reload... this is unfortunately already to late because
- # it must probably be brought down by the old version of the script
-
-- name: generate wireguard private key
- shell: "umask 077; wg genkey > /var/lib/kubeguard/kube-wg0.privatekey"
- args:
- creates: /var/lib/kubeguard/kube-wg0.privatekey
-
-- name: fetch wireguard public key
- shell: "wg pubkey < /var/lib/kubeguard/kube-wg0.privatekey"
- register: kubeguard_wireguard_pubkey
- changed_when: false
- check_mode: no
-
-- name: install systemd service unit for network interfaces
- copy:
- src: kubeguard-interfaces.service
- dest: /etc/systemd/system/kubeguard-interfaces.service
- # TODO: notify: reload???
-
-- name: make sure kubeguard interfaces service is started and enabled
- systemd:
- daemon_reload: yes
- name: kubeguard-interfaces.service
- state: started
- enabled: yes
-
-- name: get list of currently installed kubeguard peers
- find:
- path: /etc/systemd/system/
- pattern: "kubeguard-peer-*.service"
- register: kubeguard_peers_installed
-
-- name: compute list of peers to be added
- set_fact:
- kubeguard_peers_to_add: "{{ groups['_kubernetes_nodes_'] | difference(inventory_hostname) }}"
-
-- name: compute list of peers to be removed
- set_fact:
- kubeguard_peers_to_remove: "{{ kubeguard_peers_installed.files | map(attribute='path') | map('replace', '/etc/systemd/system/kubeguard-peer-', '') | map('replace', '.service', '') | difference(kubeguard_peers_to_add) }}"
-
-- name: stop/disable systemd units for stale kubeguard peers
- loop: "{{ kubeguard_peers_to_remove }}"
- systemd:
- name: "kubeguard-peer-{{ item }}.service"
- state: stopped
- enabled: no
-
-- name: remove systemd units for stale kubeguard peers
- loop: "{{ kubeguard_peers_to_remove }}"
- file:
- name: "/etc/systemd/system/kubeguard-peer-{{ item }}.service"
- state: absent
-
-- name: install systemd units for every kubeguard peer
- loop: "{{ kubeguard_peers_to_add }}"
- loop_control:
- loop_var: peer
- template:
- src: kubeguard-peer.service.j2
- dest: "/etc/systemd/system/kubeguard-peer-{{ peer }}.service"
- # TODO: notify restart for peers that change...
-
-- name: make sure kubeguard peer services are started and enabled
- loop: "{{ kubeguard_peers_to_add }}"
- systemd:
- daemon_reload: yes
- name: "kubeguard-peer-{{ item }}.service"
- state: started
- enabled: yes
-
-- name: enable IPv4 forwarding
- sysctl:
- name: net.ipv4.ip_forward
- value: '1'
- sysctl_set: yes
- state: present
- reload: yes
-
-- name: create cni config directory
- file:
- name: /etc/cni/net.d
- state: directory
-
-- name: install cni config
- template:
- src: k8s.json.j2
- dest: /etc/cni/net.d/k8s.json
diff --git a/roles/kubernetes/net/kubeguard/tasks/main.yml b/roles/kubernetes/net/kubeguard/tasks/main.yml
deleted file mode 100644
index 10b0d547..00000000
--- a/roles/kubernetes/net/kubeguard/tasks/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-- name: add/remove nodes to overlay network
- include_tasks: "{{ kubeguard_action }}.yml"
diff --git a/roles/kubernetes/net/kubeguard/tasks/remove.yml b/roles/kubernetes/net/kubeguard/tasks/remove.yml
deleted file mode 100644
index d24f9eff..00000000
--- a/roles/kubernetes/net/kubeguard/tasks/remove.yml
+++ /dev/null
@@ -1,26 +0,0 @@
----
-- name: check if kubeguard interface service unit exists
- stat:
- path: /etc/systemd/system/kubeguard-interfaces.service
- register: kubeguard_interface_unit
-
-- name: bring down kubeguard interface
- systemd:
- name: kubeguard-interfaces.service
- state: stopped
- when: kubeguard_interface_unit.stat.exists
-
-- name: gather list of all kubeguard related service units
- find:
- path: /etc/systemd/system/
- patterns:
- - "kubeguard-peer-*.service"
- - kubeguard-interfaces.service
- register: kubeguard_units_installed
-
-- name: remove all kubeguard related files and directories
- loop: "{{ kubeguard_units_installed.files | map(attribute='path') | list | flatten | union(['/var/lib/kubeguard']) }}"
- file:
- path: "{{ item }}"
- state: absent
- notify: reload systemd
-- cgit v1.2.3