Fix some ansible-lints and firewalld
Fix the playbooks folder name according to the Ansible collection scheme. Refactor the firewalld policy. Signed-off-by: Przemyslaw Sztoch <przemyslaw@sztoch.pl>
parent
33c15e7c2f
commit
c5a5b9e0d8
|
@ -60,7 +60,7 @@ Setting up a loadbalancer or VIP beforehand to use as the API endpoint is possib
|
|||
Start provisioning of the cluster using the following command:
|
||||
|
||||
```bash
|
||||
ansible-playbook playbook/site.yml -i inventory.yml
|
||||
ansible-playbook playbooks/site.yml -i inventory.yml
|
||||
```
|
||||
|
||||
## Upgrading
|
||||
|
@ -68,7 +68,7 @@ ansible-playbook playbook/site.yml -i inventory.yml
|
|||
A playbook is provided to upgrade K3s on all nodes in the cluster. To use it, update `k3s_version` with the desired version in `inventory.yml` and run:
|
||||
|
||||
```bash
|
||||
ansible-playbook playbook/upgrade.yml -i inventory.yml
|
||||
ansible-playbook playbooks/upgrade.yml -i inventory.yml
|
||||
```
|
||||
|
||||
## Airgap Install
|
||||
|
@ -77,7 +77,7 @@ Airgap installation is supported via the `airgap_dir` variable. This variable sh
|
|||
|
||||
An example folder for an x86_64 cluster:
|
||||
```bash
|
||||
$ ls ./playbook/my-airgap/
|
||||
$ ls ./playbooks/my-airgap/
|
||||
total 248M
|
||||
-rwxr-xr-x 1 $USER $USER 58M Nov 14 11:28 k3s
|
||||
-rw-r--r-- 1 $USER $USER 190M Nov 14 11:30 k3s-airgap-images-amd64.tar.gz
|
||||
|
|
|
@ -19,7 +19,7 @@ k3s_cluster:
|
|||
extra_server_args: ""
|
||||
extra_agent_args: ""
|
||||
|
||||
# Optional vars
|
||||
# Optional vars
|
||||
# cluster_context: k3s-ansible
|
||||
# api_port: 6443
|
||||
# k3s_server_location: /var/lib/rancher/k3s
|
||||
|
@ -29,12 +29,13 @@ k3s_cluster:
|
|||
# List of locally available manifests to apply to the cluster, useful for PVCs or Traefik modifications.
|
||||
# extra_manifests: [ '/path/to/manifest1.yaml', '/path/to/manifest2.yaml' ]
|
||||
# airgap_dir: /tmp/k3s-airgap-images
|
||||
# user_kubectl: true, by default kubectl is symlinked and configured for use by ansible_user. Set to false to only kubectl via root user.
|
||||
# user_kubectl: true, by default kubectl is symlinked and configured for use by ansible_user.
|
||||
# Set to false to only kubectl via root user.
|
||||
# server_config_yaml: |
|
||||
# This is now an inner yaml file. Maintain the indentation.
|
||||
# YAML here will be placed as the content of /etc/rancher/k3s/config.yaml
|
||||
# See https://docs.k3s.io/installation/configuration#configuration-file
|
||||
# This is now an inner yaml file. Maintain the indentation.
|
||||
# YAML here will be placed as the content of /etc/rancher/k3s/config.yaml
|
||||
# See https://docs.k3s.io/installation/configuration#configuration-file
|
||||
# registries_config_yaml: |
|
||||
# Containerd can be configured to connect to private registries and use them to pull images as needed by the kubelet.
|
||||
# YAML here will be placed as the content of /etc/rancher/k3s/registries.yaml
|
||||
# See https://docs.k3s.io/installation/private-registry
|
||||
# Containerd can be configured to connect to private registries and use them to pull images as needed
|
||||
# by the kubelet. YAML here will be placed as the content of /etc/rancher/k3s/registries.yaml
|
||||
# See https://docs.k3s.io/installation/private-registry
|
||||
|
|
|
@ -15,7 +15,7 @@
|
|||
url: https://get.k3s.io/
|
||||
timeout: 120
|
||||
dest: "{{ airgap_dir }}/k3s-install.sh"
|
||||
mode: 0755
|
||||
mode: "0755"
|
||||
|
||||
- name: Distribute K3s install script
|
||||
ansible.builtin.copy:
|
||||
|
@ -23,7 +23,7 @@
|
|||
dest: /usr/local/bin/k3s-install.sh
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
mode: "0755"
|
||||
|
||||
- name: Distribute K3s binary
|
||||
ansible.builtin.copy:
|
||||
|
@ -31,7 +31,7 @@
|
|||
dest: /usr/local/bin/k3s
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
mode: "0755"
|
||||
|
||||
- name: Distribute K3s SELinux RPM
|
||||
ansible.builtin.copy:
|
||||
|
@ -39,7 +39,7 @@
|
|||
dest: /tmp/
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
mode: "0755"
|
||||
with_fileglob:
|
||||
- "{{ airgap_dir }}/k3s-selinux*.rpm"
|
||||
register: selinux_copy
|
||||
|
@ -57,7 +57,7 @@
|
|||
- name: Make images directory
|
||||
ansible.builtin.file:
|
||||
path: "/var/lib/rancher/k3s/agent/images/"
|
||||
mode: 0755
|
||||
mode: "0755"
|
||||
state: directory
|
||||
|
||||
- name: Determine Architecture
|
||||
|
@ -71,7 +71,7 @@
|
|||
dest: /var/lib/rancher/k3s/agent/images/{{ item | basename }}
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
mode: "0755"
|
||||
with_first_found:
|
||||
- files:
|
||||
- "{{ airgap_dir }}/k3s-airgap-images-amd64.tar.zst"
|
||||
|
@ -86,7 +86,7 @@
|
|||
dest: /var/lib/rancher/k3s/agent/images/{{ item | basename }}
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
mode: "0755"
|
||||
with_first_found:
|
||||
- files:
|
||||
- "{{ airgap_dir }}/k3s-airgap-images-arm64.tar.zst"
|
||||
|
@ -101,7 +101,7 @@
|
|||
dest: /var/lib/rancher/k3s/agent/images/{{ item | basename }}
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
mode: "0755"
|
||||
with_first_found:
|
||||
- files:
|
||||
- "{{ airgap_dir }}/k3s-airgap-images-arm.tar.zst"
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
dest: /usr/local/bin/k3s-install.sh
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
mode: "0755"
|
||||
|
||||
- name: Download K3s binary
|
||||
ansible.builtin.command:
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
dest: /usr/local/bin/k3s-install.sh
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
mode: "0755"
|
||||
|
||||
- name: Download K3s binary
|
||||
ansible.builtin.command:
|
||||
|
@ -46,13 +46,13 @@
|
|||
- name: Make config directory
|
||||
ansible.builtin.file:
|
||||
path: "/etc/rancher/k3s"
|
||||
mode: 0755
|
||||
mode: "0755"
|
||||
state: directory
|
||||
- name: Copy config values
|
||||
ansible.builtin.copy:
|
||||
content: "{{ server_config_yaml }}"
|
||||
dest: "/etc/rancher/k3s/config.yaml"
|
||||
mode: 0644
|
||||
mode: "0644"
|
||||
|
||||
- name: Init first server node
|
||||
when: inventory_hostname == groups['server'][0]
|
||||
|
@ -64,7 +64,7 @@
|
|||
dest: "{{ systemd_dir }}/k3s.service"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
mode: "0644"
|
||||
|
||||
- name: Copy K3s service file [HA]
|
||||
when: groups['server'] | length > 1
|
||||
|
@ -73,7 +73,7 @@
|
|||
dest: "{{ systemd_dir }}/k3s.service"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
mode: "0644"
|
||||
|
||||
- name: Add service environment variables
|
||||
when: extra_service_envs is defined
|
||||
|
@ -154,7 +154,7 @@
|
|||
dest: "{{ systemd_dir }}/k3s.service"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
mode: "0644"
|
||||
|
||||
- name: Enable and check K3s service
|
||||
ansible.builtin.systemd:
|
||||
|
|
|
@ -1,2 +1,13 @@
|
|||
---
|
||||
# Zone for inter-node traffic
|
||||
k3s_firewalld_node_zone: internal
|
||||
|
||||
# List of IP addresses or cidr masks of your nodes
|
||||
k3s_firewalld_node_cidrs: []
|
||||
|
||||
# List of public services
|
||||
k3s_firewalld_public_ports:
|
||||
- 80/tcp
|
||||
- 443/tcp
|
||||
|
||||
api_port: 6443
|
||||
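Review bot: The comment above `k3s_firewalld_node_cidrs: []` should state what the empty default means for the rest of the role: with no source CIDRs assigned to `k3s_firewalld_node_zone`, the API, etcd and inter-node ports that the server tasks in this commit open in that zone are not reachable from peer nodes unless the zone is already bound to the node-facing interface, so the value is effectively required for multi-node clusters. Suggest `# Node IP addresses or CIDR ranges added as sources of the node zone; leave empty only if the zone is already bound to the node-facing interface`. Likewise `# List of public services` describes port/protocol entries opened in firewalld's public zone on every host the role applies to; `# Ports (port/protocol) opened in the public zone; [] opens nothing` would be more precise. The zone behaviour is inferred from the task hunks elsewhere in this commit rather than from this file.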
|
|
|
@ -73,7 +73,7 @@
|
|||
- name: If firewalld enabled, open api port
|
||||
ansible.posix.firewalld:
|
||||
port: "{{ api_port }}/tcp"
|
||||
zone: trusted
|
||||
zone: "{{ k3s_firewalld_node_zone }}"
|
||||
state: enabled
|
||||
permanent: true
|
||||
immediate: true
|
||||
|
@ -82,11 +82,45 @@
|
|||
when: groups['server'] | length > 1
|
||||
ansible.posix.firewalld:
|
||||
port: "2379-2381/tcp"
|
||||
zone: trusted
|
||||
zone: "{{ k3s_firewalld_node_zone }}"
|
||||
state: enabled
|
||||
permanent: true
|
||||
immediate: true
|
||||
|
||||
- name: If firewalld enabled, open inter-node ports
|
||||
ansible.posix.firewalld:
|
||||
port: "{{ item }}"
|
||||
zone: "{{ k3s_firewalld_node_zone }}"
|
||||
state: enabled
|
||||
permanent: true
|
||||
immediate: true
|
||||
with_items:
|
||||
- 8472/udp
|
||||
- 10250/tcp
|
||||
- 51820/udp
|
||||
- 51821/udp
|
||||
- 5001/tcp
|
||||
|
||||
- name: If firewalld enabled, allow node CIDRs
|
||||
ansible.posix.firewalld:
|
||||
source: "{{ item }}"
|
||||
zone: "{{ k3s_firewalld_node_zone }}"
|
||||
state: enabled
|
||||
permanent: true
|
||||
immediate: true
|
||||
when: k3s_firewalld_node_cidrs is defined
|
||||
loop: "{{ k3s_firewalld_node_cidrs }}"
|
||||
|
||||
- name: If firewalld enabled, open public ports
|
||||
ansible.posix.firewalld:
|
||||
port: "{{ item }}"
|
||||
zone: "public"
|
||||
state: enabled
|
||||
permanent: true
|
||||
immediate: true
|
||||
when: k3s_firewalld_public_ports is defined
|
||||
loop: "{{ k3s_firewalld_public_ports }}"
|
||||
|
||||
- name: If firewalld enabled, allow default CIDRs
|
||||
ansible.posix.firewalld:
|
||||
source: "{{ item }}"
|
||||
|
@ -184,7 +218,7 @@
|
|||
- name: Make rancher directory
|
||||
ansible.builtin.file:
|
||||
path: "/var/lib/rancher"
|
||||
mode: 0755
|
||||
mode: "0755"
|
||||
state: directory
|
||||
- name: Create symlink
|
||||
ansible.builtin.file:
|
||||
|
@ -199,13 +233,13 @@
|
|||
- name: Make manifests directory
|
||||
ansible.builtin.file:
|
||||
path: "/var/lib/rancher/k3s/server/manifests"
|
||||
mode: 0700
|
||||
mode: "0700"
|
||||
state: directory
|
||||
- name: Copy manifests
|
||||
ansible.builtin.copy:
|
||||
src: "{{ item }}"
|
||||
dest: "/var/lib/rancher/k3s/server/manifests"
|
||||
mode: 0600
|
||||
mode: "0600"
|
||||
loop: "{{ extra_manifests }}"
|
||||
|
||||
- name: Setup optional private registry configuration
|
||||
|
@ -214,10 +248,10 @@
|
|||
- name: Make k3s config directory
|
||||
ansible.builtin.file:
|
||||
path: "/etc/rancher/k3s"
|
||||
mode: 0755
|
||||
mode: "0755"
|
||||
state: directory
|
||||
- name: Copy config values
|
||||
ansible.builtin.copy:
|
||||
content: "{{ registries_config_yaml }}"
|
||||
dest: "/etc/rancher/k3s/registries.yaml"
|
||||
mode: 0644
|
||||
mode: "0644"
|
||||
|
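Review bot: In the `@@ -82,11 +82,45 @@` hunk the guards `when: k3s_firewalld_node_cidrs is defined` and `when: k3s_firewalld_public_ports is defined` never skip anything as written, because this commit also defines both variables in the role defaults (`[]` and `80/tcp`, `443/tcp`), so the tasks always run and merely loop zero or more times; either drop the `when` or make it meaningful, e.g. `when: k3s_firewalld_node_cidrs | length > 0`. The same hunk mixes `with_items:` (inter-node ports) with `loop:` (node CIDRs, public ports); use `loop:` throughout for consistency with the neighbouring tasks. Since the API, etcd and inter-node ports are now opened in `k3s_firewalld_node_zone` instead of `trusted`, a cluster whose operator leaves `k3s_firewalld_node_cidrs` empty will have those ports unreachable from peers unless the zone is bound to an interface, which deserves a comment on the "open inter-node ports" task. The "allow default CIDRs" task that follows continues outside the hunk, so whether it still targets `trusted` cannot be seen here.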
|