From 98308448d40f3c07c4afd58cf41ba2ad6dfe7e23 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sun, 29 Sep 2019 00:42:21 +0200
Subject: refactoring kubernetes roles
---
 roles/kubernetes/net/kubeguard/tasks/add.yml | 103 ++++++++++++++++++++++++
 roles/kubernetes/net/kubeguard/tasks/main.yml | 8 ++
 roles/kubernetes/net/kubeguard/tasks/remove.yml | 26 ++++++
 3 files changed, 137 insertions(+)
 create mode 100644 roles/kubernetes/net/kubeguard/tasks/add.yml
 create mode 100644 roles/kubernetes/net/kubeguard/tasks/main.yml
 create mode 100644 roles/kubernetes/net/kubeguard/tasks/remove.yml
(limited to 'roles/kubernetes/net/kubeguard/tasks')
diff --git a/roles/kubernetes/net/kubeguard/tasks/add.yml b/roles/kubernetes/net/kubeguard/tasks/add.yml
new file mode 100644
index 00000000..b604302b
--- /dev/null
+++ b/roles/kubernetes/net/kubeguard/tasks/add.yml
@@ -0,0 +1,103 @@
+---
+- name: create network config directory
+ file:
+ name: /var/lib/kubeguard/
+ state: directory
+
+- name: configure wireguard port
+ set_fact:
+ kubeguard_wireguard_port: "{{ kubernetes.wireguard_port | default(51820) }}"
+
+- name: install ifupdown script
+ template:
+ src: ifupdown.sh.j2
+ dest: /var/lib/kubeguard/ifupdown.sh
+ mode: 0755
+ # TODO: notify reload... this is unfortunately already to late because
+ # it must probably be brought down by the old version of the script
+
+- name: generate wireguard private key
+ shell: "umask 077; wg genkey > /var/lib/kubeguard/kube-wg0.privatekey"
+ args:
+ creates: /var/lib/kubeguard/kube-wg0.privatekey
+
+- name: fetch wireguard public key
+ shell: "wg pubkey < /var/lib/kubeguard/kube-wg0.privatekey"
+ register: kubeguard_wireguard_pubkey
+ changed_when: false
+ check_mode: no
+
+- name: install systemd service unit for network interfaces
+ copy:
+ src: kubeguard-interfaces.service
+ dest: /etc/systemd/system/kubeguard-interfaces.service
+ # TODO: notify: reload???
+
+- name: make sure kubeguard interfaces service is started and enabled
+ systemd:
+ daemon_reload: yes
+ name: kubeguard-interfaces.service
+ state: started
+ enabled: yes
+
+- name: get list of currently installed kubeguard peers
+ find:
+ path: /etc/systemd/system/
+ pattern: "kubeguard-peer-*.service"
+ register: kubeguard_peers_installed
+
+- name: compute list of peers to be added
+ set_fact:
+ kubeguard_peers_to_add: "{{ kubernetes_nodes | difference(inventory_hostname) }}"
+
+- name: compute list of peers to be removed
+ set_fact:
+ kubeguard_peers_to_remove: "{{ kubeguard_peers_installed.files | map(attribute='path') | map('replace', '/etc/systemd/system/kubeguard-peer-', '') | map('replace', '.service', '') | difference(kubeguard_peers_to_add) }}"
+
+- name: stop/disable systemd units for stale kubeguard peers
+ loop: "{{ kubeguard_peers_to_remove }}"
+ systemd:
+ name: "kubeguard-peer-{{ item }}.service"
+ state: stopped
+ enabled: no
+
+- name: remove systemd units for stale kubeguard peers
+ loop: "{{ kubeguard_peers_to_remove }}"
+ file:
+ name: "/etc/systemd/system/kubeguard-peer-{{ item }}.service"
+ state: absent
+
+- name: install systemd units for every kubeguard peer
+ loop: "{{ kubeguard_peers_to_add }}"
+ loop_control:
+ loop_var: peer
+ template:
+ src: kubeguard-peer.service.j2
+ dest: "/etc/systemd/system/kubeguard-peer-{{ peer }}.service"
+ # TODO: notify restart for peers that change...
+
+- name: make sure kubeguard peer services are started and enabled
+ loop: "{{ kubeguard_peers_to_add }}"
+ systemd:
+ daemon_reload: yes
+ name: "kubeguard-peer-{{ item }}.service"
+ state: started
+ enabled: yes
+
+- name: enable IPv4 forwarding
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: 1
+ sysctl_set: yes
+ state: present
+ reload: yes
+
+- name: create cni config directory
+ file:
+ name: /etc/cni/net.d
+ state: directory
+
+- name: install cni config
+ template:
+ src: k8s.json.j2
+ dest: /etc/cni/net.d/k8s.json
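Review bot: `kubernetes_nodes | difference(inventory_hostname)` in the "compute list of peers to be added" task hands the filter a bare string rather than a list; as far as I can tell from Ansible's difference implementation, a list-vs-string combination falls back to an `in` membership test per element, which on a string is a substring match, so a node whose name is a prefix of the current host's name (node1 on node10) would be silently dropped from the peer list and then torn down via kubeguard_peers_to_remove. Wrapping the host in a list avoids that: `kubeguard_peers_to_add: "{{ kubernetes_nodes | difference([inventory_hostname]) }}"`. Two smaller points: `mode: 0755` on the ifupdown template should be quoted (`mode: "0755"`) so a YAML 1.2 parser does not read it as decimal, and since /var/lib/kubeguard holds the wireguard private key (only the key file itself is protected by the `umask 077`), giving the directory an explicit `mode: "0700"` in the first task is cheap defence in depth.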
diff --git a/roles/kubernetes/net/kubeguard/tasks/main.yml b/roles/kubernetes/net/kubeguard/tasks/main.yml
new file mode 100644
index 00000000..0e87af11
--- /dev/null
+++ b/roles/kubernetes/net/kubeguard/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+- name: add node to overlay network
+ include_tasks: add.yml
+ when: kubeguard_remove_node is not defined
+
+- name: remove node from overlay network
+ include_tasks: remove.yml
+ when: kubeguard_remove_node is defined
diff --git a/roles/kubernetes/net/kubeguard/tasks/remove.yml b/roles/kubernetes/net/kubeguard/tasks/remove.yml
new file mode 100644
index 00000000..d24f9eff
--- /dev/null
+++ b/roles/kubernetes/net/kubeguard/tasks/remove.yml
@@ -0,0 +1,26 @@
+---
+- name: check if kubeguard interface service unit exists
+ stat:
+ path: /etc/systemd/system/kubeguard-interfaces.service
+ register: kubeguard_interface_unit
+
+- name: bring down kubeguard interface
+ systemd:
+ name: kubeguard-interfaces.service
+ state: stopped
+ when: kubeguard_interface_unit.stat.exists
+
+- name: gather list of all kubeguard related service units
+ find:
+ path: /etc/systemd/system/
+ patterns:
+ - "kubeguard-peer-*.service"
+ - kubeguard-interfaces.service
+ register: kubeguard_units_installed
+
+- name: remove all kubeguard related files and directories
+ loop: "{{ kubeguard_units_installed.files | map(attribute='path') | list | flatten | union(['/var/lib/kubeguard']) }}"
+ file:
+ path: "{{ item }}"
+ state: absent
+ notify: reload systemd
-- cgit v1.2.3
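Review bot: Both `when:` conditions in main.yml key on whether `kubeguard_remove_node` is defined at all, so `-e kubeguard_remove_node=false` or a leftover group var set to false still selects the destructive remove.yml path. Testing the value is safer: `when: not (kubeguard_remove_node | default(false) | bool)` on the add task and `when: kubeguard_remove_node | default(false) | bool` on the remove task. A one-line comment above the first task stating that this variable is the opt-in switch for pulling a node out of the overlay would also help whoever runs the play next.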
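Review bot: The last task in remove.yml deletes the `kubeguard-peer-*.service` unit files without stopping or disabling those units first — only `kubeguard-interfaces.service` is brought down — so on a live node the peer units keep running until the next daemon-reload/reboot and their enablement symlinks under the `.wants` directories are left dangling; whether stopping the interfaces unit also stops the peers depends on unit dependencies that are not visible in this change. A `systemd` task looped over the same `kubeguard_units_installed.files` list, placed before the `file: state: absent` task, makes the teardown clean. `notify: reload systemd` also assumes a handler of that name exists in the role's handlers; it is not part of this commit, so worth confirming.
```yaml
# … unchanged: stat / bring down interface / find tasks …
- name: stop and disable all kubeguard related service units
  loop: "{{ kubeguard_units_installed.files | map(attribute='path') | map('basename') | list }}"
  systemd:
    name: "{{ item }}"
    state: stopped
    enabled: false
# … unchanged: remove all kubeguard related files and directories …
```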