Enforce use of a defined token. Simplifies the process of joining additional servers and agents.
Signed-off-by: Derek Nola <derek.nola@suse.com>
parent
9ecdc933ca
commit
565c9fa049
|
@ -9,13 +9,16 @@ NETWORK_PREFIX = "10.10.10"
|
||||||
def provision(vm, role, node_num)
|
def provision(vm, role, node_num)
|
||||||
vm.box = NODE_BOXES[node_num]
|
vm.box = NODE_BOXES[node_num]
|
||||||
vm.hostname = role
|
vm.hostname = role
|
||||||
# An expanded netmask is required to allow VM<-->VM communication, virtualbox defaults to /32
|
# We use a private network because the default IPs are dynamicly assigned
|
||||||
|
# during provisioning. This makes it impossible to know the server-0 IP when
|
||||||
|
# provisioning subsequent servers and agents. A private network allows us to
|
||||||
|
# assign static IPs to each node, and thus provide a known IP for the API endpoint.
|
||||||
node_ip = "#{NETWORK_PREFIX}.#{100+node_num}"
|
node_ip = "#{NETWORK_PREFIX}.#{100+node_num}"
|
||||||
|
# An expanded netmask is required to allow VM<-->VM communication, virtualbox defaults to /32
|
||||||
vm.network "private_network", ip: node_ip, netmask: "255.255.255.0"
|
vm.network "private_network", ip: node_ip, netmask: "255.255.255.0"
|
||||||
|
|
||||||
vm.provision "ansible", run: 'once' do |ansible|
|
vm.provision "ansible", run: 'once' do |ansible|
|
||||||
ansible.compatibility_mode = "2.0"
|
ansible.compatibility_mode = "2.0"
|
||||||
ansible.verbose = "vv"
|
|
||||||
ansible.playbook = "playbook/site.yml"
|
ansible.playbook = "playbook/site.yml"
|
||||||
ansible.groups = {
|
ansible.groups = {
|
||||||
"server" => NODE_ROLES.grep(/^server/),
|
"server" => NODE_ROLES.grep(/^server/),
|
||||||
|
@ -25,13 +28,12 @@ def provision(vm, role, node_num)
|
||||||
ansible.extra_vars = {
|
ansible.extra_vars = {
|
||||||
k3s_version: "v1.26.5+k3s1",
|
k3s_version: "v1.26.5+k3s1",
|
||||||
api_endpoint: "#{NETWORK_PREFIX}.100",
|
api_endpoint: "#{NETWORK_PREFIX}.100",
|
||||||
api_port: 6443,
|
token: "myyagrant",
|
||||||
extra_server_args: "",
|
# Required to use the private network configured above
|
||||||
extra_server_init_args: "",
|
extra_server_args: "--node-external-ip #{node_ip} --flannel-iface eth1",
|
||||||
extra_agent_args: "",
|
extra_agent_args: "",
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
Vagrant.configure("2") do |config|
|
Vagrant.configure("2") do |config|
|
||||||
|
@ -45,8 +47,6 @@ Vagrant.configure("2") do |config|
|
||||||
v.memory = NODE_MEMORY
|
v.memory = NODE_MEMORY
|
||||||
end
|
end
|
||||||
|
|
||||||
# Must iterate on the index, vagrant does not understand iterating
|
|
||||||
# over the node roles themselves
|
|
||||||
NODE_ROLES.each_with_index do |name, i|
|
NODE_ROLES.each_with_index do |name, i|
|
||||||
config.vm.define name do |node|
|
config.vm.define name do |node|
|
||||||
provision(node.vm, name, i)
|
provision(node.vm, name, i)
|
||||||
|
|
|
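Review bot: `token: "myyagrant"` in the second hunk looks like a typo for `myvagrant`; any string works as the k3s join secret, so this is cosmetic, but because the value is checked in it should be marked as sandbox-only, e.g. `token: "myvagrant", # cluster join secret; a fixed value is acceptable only for this local test network`. Dropping `api_port: 6443` from extra_vars now relies on the role defaults added elsewhere in this commit, which is consistent. The removal of `ansible.verbose = "vv"` in the first hunk is unrelated to the stated purpose of the commit and would be clearer as a separate change.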
@ -14,12 +14,12 @@ k3s_cluster:
|
||||||
ansible_port: 22
|
ansible_port: 22
|
||||||
ansible_user: debian
|
ansible_user: debian
|
||||||
k3s_version: v1.25.5+k3s2
|
k3s_version: v1.25.5+k3s2
|
||||||
|
token: "mytoken" # Use ansible vault if you want to keep it secret
|
||||||
api_endpoint: "{{ hostvars[groups['server'][0]]['ansible_host'] | default(groups['server'][0]) }}"
|
api_endpoint: "{{ hostvars[groups['server'][0]]['ansible_host'] | default(groups['server'][0]) }}"
|
||||||
api_port: 6443
|
|
||||||
extra_server_args: ""
|
extra_server_args: ""
|
||||||
extra_server_init_args: ""
|
|
||||||
extra_agent_args: ""
|
extra_agent_args: ""
|
||||||
|
|
||||||
# Optional vars
|
# Optional vars
|
||||||
|
# api_port: 6443
|
||||||
# k3s_server_location: /var/lib/rancher/k3s
|
# k3s_server_location: /var/lib/rancher/k3s
|
||||||
# systemd_dir: /etc/systemd/system
|
# systemd_dir: /etc/systemd/system
|
||||||
|
|
|
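Review bot: `token: "mytoken"` is the cluster join secret, so a copied sample value should not survive into a real inventory; the trailing comment could say so directly, e.g. `token: "mytoken" # Cluster join secret: change this value, and use ansible-vault to keep it out of git`. Since every template on this page now renders `{{ token }}`, Ansible's default undefined-variable handling should fail the first templating task when it is missing, but the commit message says the token is "enforced" and a leading `ansible.builtin.assert` with `that: token is defined` and a `fail_msg` naming the inventory key would make that requirement explicit; such a prerequisite task is outside this diff.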
@ -1,3 +1,4 @@
|
||||||
---
|
---
|
||||||
k3s_server_location: "/var/lib/rancher/k3s"
|
k3s_server_location: "/var/lib/rancher/k3s"
|
||||||
systemd_dir: "/etc/systemd/system"
|
systemd_dir: "/etc/systemd/system"
|
||||||
|
api_port: 6443
|
||||||
|
|
|
@ -7,7 +7,7 @@ After=network-online.target
|
||||||
Type=notify
|
Type=notify
|
||||||
ExecStartPre=-/sbin/modprobe br_netfilter
|
ExecStartPre=-/sbin/modprobe br_netfilter
|
||||||
ExecStartPre=-/sbin/modprobe overlay
|
ExecStartPre=-/sbin/modprobe overlay
|
||||||
ExecStart=/usr/local/bin/k3s agent --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} --token {{ hostvars[groups['server'][0]]['token'] }} {{ extra_agent_args }}
|
ExecStart=/usr/local/bin/k3s agent --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} --token {{ token }} {{ extra_agent_args }}
|
||||||
KillMode=process
|
KillMode=process
|
||||||
Delegate=yes
|
Delegate=yes
|
||||||
# Having non-zero Limit*s causes performance problems due to accounting overhead
|
# Having non-zero Limit*s causes performance problems due to accounting overhead
|
||||||
|
|
|
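Review bot: `--token {{ token }}` on the ExecStart line places the join secret in the process command line, where any local user can read it via `ps` or `systemctl show`, and it is repeated in the rendered unit under `systemd_dir`, which is presumably world-readable with the template module's default mode. k3s also reads the secret from the `K3S_TOKEN` environment variable or a `--token-file`, so rendering it into a separate root-only (0600) file referenced as `EnvironmentFile=<TOKEN_ENV_FILE>` and removing `--token {{ token }}` from ExecStart keeps it out of the process table. The same applies to the k3s server unit hunk further down this page (`ExecStart=/usr/local/bin/k3s server ... --token {{ token }}`). The pre-change line exposed the token the same way, so this is a pre-existing weakness rather than a regression of this commit.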
@ -1,3 +1,4 @@
|
||||||
---
|
---
|
||||||
k3s_server_location: "/var/lib/rancher/k3s"
|
k3s_server_location: "/var/lib/rancher/k3s"
|
||||||
systemd_dir: "/etc/systemd/system"
|
systemd_dir: "/etc/systemd/system"
|
||||||
|
api_port: 6443
|
||||||
|
|
|
@ -6,7 +6,7 @@
|
||||||
ansible.builtin.command:
|
ansible.builtin.command:
|
||||||
cmd: >
|
cmd: >
|
||||||
systemd-run -p RestartSec=2 -p Restart=on-failure --unit=k3s-init k3s server
|
systemd-run -p RestartSec=2 -p Restart=on-failure --unit=k3s-init k3s server
|
||||||
--cluster-init --tls-san {{ api_endpoint }} --data-dir {{ k3s_server_location }} {{ extra_server_args}}
|
--cluster-init --token {{ token }} --tls-san {{ api_endpoint }} --data-dir {{ k3s_server_location }} {{ extra_server_args}}
|
||||||
# noqa: jinja[spacing]
|
# noqa: jinja[spacing]
|
||||||
creates: "{{ k3s_server_location }}/server/node-token"
|
creates: "{{ k3s_server_location }}/server/node-token"
|
||||||
when: groups['server'] | length > 1
|
when: groups['server'] | length > 1
|
||||||
|
@ -15,38 +15,10 @@
|
||||||
ansible.builtin.command:
|
ansible.builtin.command:
|
||||||
cmd: >
|
cmd: >
|
||||||
systemd-run -p RestartSec=2 -p Restart=on-failure --unit=k3s-init k3s server
|
systemd-run -p RestartSec=2 -p Restart=on-failure --unit=k3s-init k3s server
|
||||||
--tls-san {{ api_endpoint }} --data-dir {{ k3s_server_location }} {{ extra_server_args }}
|
--token {{ token }} --tls-san {{ api_endpoint }} --data-dir {{ k3s_server_location }} {{ extra_server_args }}
|
||||||
creates: "{{ k3s_server_location }}/server/node-token"
|
creates: "{{ k3s_server_location }}/server/node-token"
|
||||||
when: groups['server'] | length == 1
|
when: groups['server'] | length == 1
|
||||||
|
|
||||||
- name: Wait for node-token
|
|
||||||
ansible.builtin.wait_for:
|
|
||||||
path: "{{ k3s_server_location }}/server/node-token"
|
|
||||||
|
|
||||||
- name: Register node-token file access mode
|
|
||||||
ansible.builtin.stat:
|
|
||||||
path: "{{ k3s_server_location }}/server/node-token"
|
|
||||||
register: p
|
|
||||||
|
|
||||||
- name: Change file access node-token
|
|
||||||
ansible.builtin.file:
|
|
||||||
path: "{{ k3s_server_location }}/server/node-token"
|
|
||||||
mode: "g+rx,o+rx"
|
|
||||||
|
|
||||||
- name: Read node-token from server
|
|
||||||
ansible.builtin.slurp:
|
|
||||||
path: "{{ k3s_server_location }}/server/node-token"
|
|
||||||
register: node_token
|
|
||||||
|
|
||||||
- name: Store server node-token
|
|
||||||
ansible.builtin.set_fact:
|
|
||||||
token: "{{ node_token.content | b64decode | regex_replace('\n', '') }}"
|
|
||||||
|
|
||||||
- name: Restore node-token file access
|
|
||||||
ansible.builtin.file:
|
|
||||||
path: "{{ k3s_server_location }}/server/node-token"
|
|
||||||
mode: "{{ p.stat.mode }}"
|
|
||||||
|
|
||||||
- name: Create directory .kube
|
- name: Create directory .kube
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: ~{{ ansible_user }}/.kube
|
path: ~{{ ansible_user }}/.kube
|
||||||
|
|
|
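Review bot: Both `systemd-run ... k3s server` tasks now carry the token in `cmd`, and Ansible echoes a command task's `cmd` in its result and in verbose or `log_path` output, so the secret ends up in CI logs; add `no_log: true` to the task in each hunk. `ansible.builtin.command` splits `cmd` with shlex rather than a shell, so a token containing whitespace would be split into extra arguments unless written as `--token "{{ token }}"`. Removing the slurp tasks also removes the temporary `mode: "g+rx,o+rx"` on node-token, which closes a window where the secret was world-readable.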
@ -7,7 +7,7 @@ After=network-online.target
|
||||||
Type=notify
|
Type=notify
|
||||||
ExecStartPre=-/sbin/modprobe br_netfilter
|
ExecStartPre=-/sbin/modprobe br_netfilter
|
||||||
ExecStartPre=-/sbin/modprobe overlay
|
ExecStartPre=-/sbin/modprobe overlay
|
||||||
ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} {{ extra_server_args }}
|
ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} {{ extra_server_args }} --token {{ token }}
|
||||||
KillMode=process
|
KillMode=process
|
||||||
Delegate=yes
|
Delegate=yes
|
||||||
# Having non-zero Limit*s causes performance problems due to accounting overhead
|
# Having non-zero Limit*s causes performance problems due to accounting overhead
|
||||||
|
|