chore!: separated galaxy deps and own collections; modified ansible script generation to use two paths for collections

REQUIRES REGENERATING ansible.cfg!
2025-02-23 00:00:00 +00:00 · 2025-02-23 00:00:00 +00:00 · 888590ed9f
commit 888590ed9f
parent 4af69c31ce
188 changed files with 30 additions and 30 deletions
--- a/ansible_collections/nullified/infrastructure/roles/k3s/defaults/main.yml
+++ b/ansible_collections/nullified/infrastructure/roles/k3s/defaults/main.yml
@ -0,0 +1,10 @@
+---
+k3s_cluster_name: default
+k3s_cluster_role: server
+k3s_kube_context: default
+k3s_extra_args: ''
+k3s_operator_ips: []
+k3s_cluster_cidr: '10.42.0.0/16'
+k3s_service_cidr: '10.43.0.0/16'
+k3s_cluster_additional_helm_charts: []
+k3s_cluster_helm_customizations: []
--- a/ansible_collections/nullified/infrastructure/roles/k3s/handlers/main.yml
+++ b/ansible_collections/nullified/infrastructure/roles/k3s/handlers/main.yml
@ -0,0 +1,14 @@
+---
+- name: restart firewall service
+  become: true
+  ansible.builtin.systemd_service:
+    name: nftables.service
+    enabled: true
+    state: restarted
+
+- name: restart k3s service
+  become: true
+  ansible.builtin.systemd_service:
+    name: k3s.service
+    enabled: true
+    state: restarted
--- a/ansible_collections/nullified/infrastructure/roles/k3s/meta/main.yml
+++ b/ansible_collections/nullified/infrastructure/roles/k3s/meta/main.yml
@ -0,0 +1,20 @@
+---
+galaxy_info:
+  author: Florian L.
+  namespace: nullified
+  description: Install and configure K3S and related tools
+  # issue_tracker_url: http://example.com/issue/tracker
+  license: MIT
+  min_ansible_version: 2.15
+
+  # https://galaxy.ansible.com/api/v1/platforms/
+  platforms:
+    - name: Debian
+      versions:
+        - bookworm
+
+  galaxy_tags:
+    - kubernetes
+    - k3s
+
+dependencies: []
--- a/ansible_collections/nullified/infrastructure/roles/k3s/tasks/agent.yml
+++ b/ansible_collections/nullified/infrastructure/roles/k3s/tasks/agent.yml
@ -0,0 +1,18 @@
+---
+# TODO: implement
+# TODO: disable swap
+
+- name: operation not supported
+  ansible.builtin.debug:
+    msg: Operation currently not supported
+  failed_when: true
+
+- name: setup firewall rules
+  become: true
+  ansible.builtin.template:
+    src: ../templates/nftables.d/k3s_agents.nft.j2
+    dest: /etc/nftables.d/k3s_agents.nft
+    mode: '0600'
+  notify:
+    - 'k3s : restart firewall service'
+    - 'k3s : restart k3s service'
--- a/ansible_collections/nullified/infrastructure/roles/k3s/tasks/main.yml
+++ b/ansible_collections/nullified/infrastructure/roles/k3s/tasks/main.yml
@ -0,0 +1,55 @@
+---
+- name: group by cluster name
+  ansible.builtin.group_by:
+    key: "k3s_clusters_{{ k3s_cluster_name }}_{{ k3s_cluster_role }}"
+  changed_when: false
+
+- name: determine cluster type and members
+  ansible.builtin.set_fact:
+    k3s_cluster_type: "{{ 'ha' if groups['k3s_clusters_' ~ k3s_cluster_name ~ '_' ~ k3s_cluster_role] | length > 1 else 'single' }}"
+    k3s_cluster_servers: "{{ groups['k3s_clusters_' ~ k3s_cluster_name ~ '_server'] }}"
+    k3s_cluster_agents: "{{ groups['k3s_clusters_' ~ k3s_cluster_name ~ '_agent'] | default([]) }}"
+    k3s_nft_servers4: "{{ groups['k3s_clusters_' ~ k3s_cluster_name ~ '_server'] | default([]) | map('extract', hostvars, ['k3s_cluster_ip']) | ansible.utils.ipv4 }}"
+    k3s_nft_agents4: "{{ groups['k3s_clusters_' ~ k3s_cluster_name ~ '_agent'] | default([]) | map('extract', hostvars, ['k3s_cluster_ip']) | ansible.utils.ipv4 }}"
+    k3s_nft_servers6: "{{ groups['k3s_clusters_' ~ k3s_cluster_name ~ '_server'] | default([]) | map('extract', hostvars, ['k3s_cluster_ip']) | ansible.utils.ipv6 }}"
+    k3s_nft_agents6: "{{ groups['k3s_clusters_' ~ k3s_cluster_name ~ '_agent'] | default([]) | map('extract', hostvars, ['k3s_cluster_ip']) | ansible.utils.ipv6 }}"
+    k3s_nft_operators4: "{{ k3s_operator_ips | ansible.utils.ipv4 }}"
+    k3s_nft_operators6: "{{ k3s_operator_ips | ansible.utils.ipv6 }}"
+  changed_when: false
+
+- name: setup permissions
+  become: true
+  block:
+    - name: install sudo
+      ansible.builtin.apt:
+        update_cache: true
+        force_apt_get: true
+        cache_valid_time: 3600
+        pkg: [ sudo ]
+        state: present
+    - name: add operator to sudoers
+      ansible.builtin.lineinfile:
+        backup: true
+        path: /etc/sudoers
+        regexp: "^{{ k3s_operator_username }}\b.+$"
+        line: "{{ k3s_operator_username }} ALL=(ALL) NOPASSWD: ALL"
+        state: present
+      register: backup_sudoers
+      changed_when: false
+
+- name: setup server role
+  ansible.builtin.include_tasks: server.yml
+  tags: [helm, opentofu]
+  when: k3s_cluster_role is match("server")
+- name: setup agent role
+  ansible.builtin.include_tasks: agent.yml
+  tags: [helm, opentofu]
+  when: k3s_cluster_role is match("agent")
+
+- name: reset permissions
+  become: true
+  ansible.builtin.command:
+    cmd: "mv {{ backup_sudoers.backup }} /etc/sudoers"
+    removes: "{{ backup_sudoers.backup }}"
+  when: backup_sudoers.backup
+  changed_when: false
--- a/ansible_collections/nullified/infrastructure/roles/k3s/tasks/opentofu.yml
+++ b/ansible_collections/nullified/infrastructure/roles/k3s/tasks/opentofu.yml
@ -0,0 +1,77 @@
+- name: deploy OpenTofu resource
+  connection: local
+  block:
+    - name: set TF resource facts
+      ansible.builtin.set_fact:
+        k3s_tf_safe_item_name: "{{ item.name | regex_replace('[^\\w]', '') }}"
+        k3s_tf_project_git_path: "{{ provisioner_facts.artifacts_dir }}/{{ item.name | regex_replace('[^\\w]', '') }}.git"
+      changed_when: false
+
+    - name: check pre-existing TF state file
+      ansible.builtin.file:
+        path: "{{ provisioner_facts.k8s_states_dir }}/{{ k3s_tf_safe_item_name }}.tfstate"
+      register: tfstate_file_info
+      changed_when: false
+      failed_when: false
+      when: item.get("backend_override", false) is falsy
+
+    - name: fetch git repository
+      ansible.builtin.git:
+        repo: '{{ item.git_repository }}'
+        dest: '{{ k3s_tf_project_git_path }}'
+        version: '{{ item.git_revision }}'
+        force: true
+
+    - name: prepare variables file
+      ansible.builtin.copy:
+        content: '{{ item.tfvars_content }}'
+        dest: '{{ k3s_tf_project_git_path }}/{{ item.terraform_dir }}/terraform.tfvars'
+        mode: '0600'
+        force: true
+
+    - name: prepare tfstate file
+      ansible.builtin.copy:
+        src: '{{ provisioner_facts.k8s_states_dir }}/{{ k3s_tf_safe_item_name }}.tfstate'
+        dest: '{{ k3s_tf_project_git_path }}/{{ item.terraform_dir }}/terraform.tfstate'
+        force: true
+        mode: '0600'
+      when: item.get("backend_override", false) is falsy
+
+    - name: dump custom backend override
+      ansible.builtin.copy:
+        content: '{{ item.backend_override }}'
+        dest: '{{ k3s_tf_project_git_path }}/{{ item.terraform_dir }}/backend_override.tf'
+        mode: '0600'
+      when: item.get("backend_override", false) is truthy
+      changed_when: false
+
+    - name: deploy k8s resources
+      community.general.terraform:
+        binary_path: "{{ provisioner_facts.tofu_binary_path }}"
+        project_path: '{{ k3s_tf_project_git_path }}/{{ item.terraform_dir }}'
+        provider_upgrade: true
+        force_init: true
+      environment: '{{ item.get("backend_env", {}) }}'
+
+    - name: cleanup override file
+      ansible.builtin.file:
+        path: '{{ k3s_tf_project_git_path }}/{{ item.terraform_dir }}/backend_override.tf'
+        state: absent
+      when: item.get("backend_override", false) is truthy
+      changed_when: false
+
+    - name: backup source state file
+      ansible.builtin.copy:
+        src: '{{ provisioner_facts.k8s_states_dir }}/{{ k3s_tf_safe_item_name }}.tfstate'
+        dest: '{{ provisioner_facts.k8s_states_dir }}/{{ k3s_tf_safe_item_name }}.tfstate.previous'
+        force: true
+        mode: '0600'
+      when: item.get("backend_override", false) is falsy
+
+    - name: update source tfstate file
+      ansible.builtin.copy:
+        src: '{{ k3s_tf_project_git_path }}/{{ item.terraform_dir }}/terraform.tfstate'
+        dest: '{{ provisioner_facts.k8s_states_dir }}/{{ k3s_tf_safe_item_name }}.tfstate'
+        force: true
+        mode: '0600'
+      when: item.get("backend_override", false) is falsy
--- a/ansible_collections/nullified/infrastructure/roles/k3s/tasks/server.yml
+++ b/ansible_collections/nullified/infrastructure/roles/k3s/tasks/server.yml
@ -0,0 +1,75 @@
+---
+# TODO: disable swap
+- name: setup firewall rules
+  become: true
+  ansible.builtin.template:
+    src: ../templates/nftables.d/k3s_servers.nft.j2
+    dest: /etc/nftables.d/k3s_servers.nft
+    mode: '0600'
+  notify:
+    - 'k3s : restart firewall service'
+    - 'k3s : restart k3s service'
+
+- name: flush handlers
+  ansible.builtin.meta: flush_handlers
+
+- name: install K3S cluster, single server
+  connection: local
+  ansible.builtin.command:
+    argv:
+      - "{{ provisioner_facts.k3sup_binary_path }}"
+      - install
+      - "--merge"
+      - "--local-path"
+      - "{{ provisioner_facts.kubeconfig_repository }}/{{ k3s_cluster_name }}.kubeconfig"
+      - "--context"
+      - "{{ k3s_kube_context }}"
+      - "--k3s-extra-args"
+      - "{{ k3s_extra_args }}"
+      - "--user"
+      - "{{ k3s_operator_username }}"
+      - "--ssh-key"
+      - "{{ k3s_operator_ssh_key_path }}"
+      - "--host"
+      - "{{ inventory_hostname }}.{{ global_dns_domainname }}"
+  register: k3s_init
+  when: k3s_cluster_type is match("single")
+  changed_when: not "No change detected so skipping service start" in k3s_init.stdout
+
+- name: install K3S cluster, HA
+  connection: local
+  debug: msg="Not supported yet"
+  when: k3s_cluster_type is match("ha")
+  failed_when: true
+
+- name: install K3S Helm customizations
+  become: true
+  ansible.builtin.copy:
+    dest: "{{ k3s_manifests_dir }}/{{ item.name | regex_replace('[^\\w]', '') }}.yaml"
+    content: '{{ item.content }}'
+    mode: '0600'
+    owner: root
+    group: root
+  loop: '{{ k3s_cluster_helm_customizations }}'
+  loop_control:
+    label: '{{ item.name }}'
+  no_log: true
+
+- name: install Helm charts
+  connection: local
+  kubernetes.core.helm: '{{ item }}'
+  loop: '{{ k3s_cluster_additional_helm_charts }}'
+  loop_control:
+    label: '{{ item.release_name }}'
+  no_log: true
+  tags: [helm]
+
+- name: install OpenTofu resources
+  ansible.builtin.include_tasks:
+    file: opentofu.yml
+    apply:
+      tags: [opentofu]
+  loop: '{{ k3s_cluster_additional_tf_resources }}'
+  loop_control:
+    label: '{{ item.name }}'
+  tags: [opentofu]
--- a/ansible_collections/nullified/infrastructure/roles/k3s/templates/nftables.d/k3s_agents.nft.j2
+++ b/ansible_collections/nullified/infrastructure/roles/k3s/templates/nftables.d/k3s_agents.nft.j2
@ -0,0 +1,22 @@
+# K3S source: agents
+table inet filter {
+    chain input {
+        # inter-node communication
+        ## UDP
+        {%+ if k3s_nft_servers4 or k3s_nft_agents4 %}ip saddr { {{ (k3s_nft_servers4 + k3s_nft_agents4)  | join(', ') }} } udp dport { 8472, 51820 } accept{%- endif +%}
+        {%+ if k3s_nft_servers6 or k3s_nft_agents6 %}ip6 saddr { {{ (k3s_nft_servers6 + k3s_nft_agents6) | join(', ') }} } udp dport { 8472, 51821 } accept{%- endif +%}
+        ## TCP
+        {%+ if k3s_nft_servers4 or k3s_nft_agents4 %}ip saddr { {{ (k3s_nft_servers4 + k3s_nft_agents4) | join(', ') }} } tcp dport { 5001, 6443, 10250 } accept{%- endif +%}
+        {%+ if k3s_nft_servers6 or k3s_nft_agents6 %}ip6 saddr { {{ (k3s_nft_servers6 + k3s_nft_agents6) | join(', ') }} } tcp dport { 5001, 6443, 10250 } accept{%- endif +%}
+    }
+
+    chain output {
+        # inter-node communication
+        ## UDP
+        {%+ if k3s_nft_servers4 or k3s_nft_agents4 %}ip daddr { {{ (k3s_nft_servers4 + k3s_nft_agents4)  | join(', ') }} } udp dport { 8472, 51820 } accept{%- endif +%}
+        {%+ if k3s_nft_servers6 or k3s_nft_agents6 %}ip6 daddr { {{ (k3s_nft_servers6 + k3s_nft_agents6) | join(', ') }} } udp dport { 8472, 51821 } accept{%- endif +%}
+        ## TCP
+        {%+ if k3s_nft_servers4 or k3s_nft_agents4 %}ip daddr { {{ (k3s_nft_servers4 + k3s_nft_agents4) | join(', ') }} } tcp dport { 5001, 6443, 10250 } accept{%- endif +%}
+        {%+ if k3s_nft_servers6 or k3s_nft_agents6 %}ip6 daddr { {{ (k3s_nft_servers6 + k3s_nft_agents6) | join(', ') }} } tcp dport { 5001, 6443, 10250 } accept{%- endif +%}
+    }
+}
--- a/ansible_collections/nullified/infrastructure/roles/k3s/templates/nftables.d/k3s_servers.nft.j2
+++ b/ansible_collections/nullified/infrastructure/roles/k3s/templates/nftables.d/k3s_servers.nft.j2
@ -0,0 +1,44 @@
+# K3S source: servers
+table inet filter {
+    chain input {
+        # operators access
+        {%+ if k3s_nft_operators4 %}ip saddr { {{ k3s_nft_operators4 | join(', ') }} } tcp dport { 6443 } accept{%- endif +%}
+        {%+ if k3s_nft_operators6 %}ip saddr { {{ k3s_nft_operators6 | join(', ') }} } tcp dport { 6443 } accept{%- endif +%}
+
+        # required only for HA with embedded etcd
+        {%+ if k3s_nft_servers4 %}ip saddr { {{ k3s_nft_servers4 | join(',') }} } tcp dport { 2379, 2380 } accept{%- endif +%}
+        {%+ if k3s_nft_servers6 %}ip6 saddr { {{ k3s_nft_servers6 | join(',') }} } tcp dport { 2379, 2380 } accept{%- endif +%}
+
+        # inter-node communication
+        ## UDP
+        {%+ if k3s_nft_servers4 or k3s_nft_agents4 %}ip saddr { {{ (k3s_nft_servers4 + k3s_nft_agents4)  | join(', ') }} } udp dport { 8472, 51820 } accept{%- endif +%}
+        {%+ if k3s_nft_servers6 or k3s_nft_agents6 %}ip6 saddr { {{ (k3s_nft_servers6 + k3s_nft_agents6) | join(', ') }} } udp dport { 8472, 51821 } accept{%- endif +%}
+        ## TCP
+        {%+ if k3s_nft_servers4 or k3s_nft_agents4 %}ip saddr { {{ (k3s_nft_servers4 + k3s_nft_agents4) | join(', ') }} } tcp dport { 5001, 6443, 10250 } accept{%- endif +%}
+        {%+ if k3s_nft_servers6 or k3s_nft_agents6 %}ip6 saddr { {{ (k3s_nft_servers6 + k3s_nft_agents6) | join(', ') }} } tcp dport { 5001, 6443, 10250 } accept{%- endif +%}
+
+        {%+ if k3s_cluster_cidr | ansible.utils.ipv4 %}ip saddr {{ k3s_cluster_cidr }} meta l4proto { tcp, udp } accept{%- endif +%}
+        {%+ if k3s_cluster_cidr | ansible.utils.ipv6 %}ip6 saddr {{ k3s_cluster_cidr }} meta l4proto { tcp, udp } accept{%- endif +%}
+        {%+ if k3s_service_cidr | ansible.utils.ipv4 %}ip saddr {{ k3s_service_cidr }} meta l4proto { tcp, udp } accept{%- endif +%}
+        {%+ if k3s_service_cidr | ansible.utils.ipv6 %}ip6 saddr {{ k3s_service_cidr }} meta l4proto { tcp, udp } accept{%- endif +%}
+    }
+
+    chain output {
+        # required only for HA with embedded etcd
+        {%+ if k3s_nft_servers4 %}ip daddr { {{ k3s_nft_servers4 | join(',') }} } tcp dport { 2379, 2380 } accept{%- endif +%}
+        {%+ if k3s_nft_servers6 %}ip6 daddr { {{ k3s_nft_servers6 | join(',') }} } tcp dport { 2379, 2380 } accept{%- endif +%}
+
+        # inter-node communication
+        ## UDP
+        {%+ if k3s_nft_servers4 or k3s_nft_agents4 %}ip daddr { {{ (k3s_nft_servers4 + k3s_nft_agents4)  | join(', ') }} } udp dport { 8472, 51820 } accept{%- endif +%}
+        {%+ if k3s_nft_servers6 or k3s_nft_agents6 %}ip6 daddr { {{ (k3s_nft_servers6 + k3s_nft_agents6) | join(', ') }} } udp dport { 8472, 51821 } accept{%- endif +%}
+        ## TCP
+        {%+ if k3s_nft_servers4 or k3s_nft_agents4 %}ip daddr { {{ (k3s_nft_servers4 + k3s_nft_agents4) | join(', ') }} } tcp dport { 5001, 6443, 10250 } accept{%- endif +%}
+        {%+ if k3s_nft_servers6 or k3s_nft_agents6 %}ip6 daddr { {{ (k3s_nft_servers6 + k3s_nft_agents6) | join(', ') }} } tcp dport { 5001, 6443, 10250 } accept{%- endif +%}
+
+        {%+ if k3s_cluster_cidr | ansible.utils.ipv4 %}ip daddr {{ k3s_cluster_cidr }} meta l4proto { tcp, udp } accept{%- endif +%}
+        {%+ if k3s_cluster_cidr | ansible.utils.ipv6 %}ip6 daddr {{ k3s_cluster_cidr }} meta l4proto { tcp, udp } accept{%- endif +%}
+        {%+ if k3s_service_cidr | ansible.utils.ipv4 %}ip daddr {{ k3s_service_cidr }} meta l4proto { tcp, udp } accept{%- endif +%}
+        {%+ if k3s_service_cidr | ansible.utils.ipv6 %}ip6 daddr {{ k3s_service_cidr }} meta l4proto { tcp, udp } accept{%- endif +%}
+    }
+}
--- a/ansible_collections/nullified/infrastructure/roles/k3s/tests/inventory
+++ b/ansible_collections/nullified/infrastructure/roles/k3s/tests/inventory
@ -0,0 +1,2 @@
+localhost
+
--- a/ansible_collections/nullified/infrastructure/roles/k3s/vars/main.yml
+++ b/ansible_collections/nullified/infrastructure/roles/k3s/vars/main.yml
@ -0,0 +1,2 @@
+---
+k3s_manifests_dir: '/var/lib/rancher/k3s/server/manifests'