Next stab at deploying MicroK8s, #2

Still a learning experience, but with some stuff up and running! Refactor later on under issue #9.
OwnTube-tv · Apr 8, 2024 · 4ab948d · 4ab948d
1 parent 12ae860
commit 4ab948d
Show file tree

Hide file tree

Showing 11 changed files with 279 additions and 0 deletions.
diff --git a/.github/workflows/ansible-cd.yml b/.github/workflows/ansible-cd.yml
@@ -23,3 +23,17 @@ jobs:
           vault_password: ${{ secrets.VAULT_PASSWORD }}
           options: |
             --diff
+
+      - name: Run 1-microk8s-cluster.yml playbook
+        uses: dawidd6/[email protected]
+        with:
+          playbook: 1-microk8s-cluster.yml
+          key: ${{ secrets.SSH_PRIVATE_KEY }}
+          known_hosts: |
+            [83.233.237.206]:622 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGnXbhMpfFhusPWbl0OhXDjO9m0XT51FWF7PowVNOVg/
+            [83.233.237.208]:622 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKSP+L5mjXBT5UqCi9/rHWFAeMCqhGyxYVbSQfmDkNuB
+            [82.183.39.110]:622 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICK+q9cT0xsLeMQT/XI7DpTYB8+XX21h1vOWk+9/JyFx
+            [82.183.39.110]:624 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL5bwRDW4XzjrPytPvrRb/YFVrNZdXbgwg6+uOJG+Hji
+          vault_password: ${{ secrets.VAULT_PASSWORD }}
+          options: |
+            --diff
diff --git a/.github/workflows/ansible-ci.yml b/.github/workflows/ansible-ci.yml
@@ -23,3 +23,18 @@ jobs:
           options: |
             --diff
             --check
+
+      - name: Check 1-microk8s-cluster.yml playbook
+        uses: dawidd6/[email protected]
+        with:
+          playbook: 1-microk8s-cluster.yml
+          key: ${{ secrets.SSH_PRIVATE_KEY }}
+          known_hosts: |
+            [83.233.237.206]:622 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGnXbhMpfFhusPWbl0OhXDjO9m0XT51FWF7PowVNOVg/
+            [83.233.237.208]:622 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKSP+L5mjXBT5UqCi9/rHWFAeMCqhGyxYVbSQfmDkNuB
+            [82.183.39.110]:622 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICK+q9cT0xsLeMQT/XI7DpTYB8+XX21h1vOWk+9/JyFx
+            [82.183.39.110]:624 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL5bwRDW4XzjrPytPvrRb/YFVrNZdXbgwg6+uOJG+Hj
+          vault_password: ${{ secrets.VAULT_PASSWORD }}
+          options: |
+            --diff
+            --check
diff --git a/1-microk8s-cluster.yml b/1-microk8s-cluster.yml
@@ -0,0 +1,10 @@
+---
+
+- hosts: minio_servers
+  become: yes
+  roles:
+    - role: microk8s-cluster
+      microk8s_servers_group: minio_servers
+      microk8s_users: [ar9708, mblomdahl]
+
+...
diff --git a/README.md b/README.md
@@ -43,3 +43,17 @@ The setup steps for a live deployment are as follows:
 
     Follow the instructions in the end of the playbook to establish HA clustering for MicroK8s.
 
+2. Run the `1-microk8s-cluster.yml` playbook to set up MicroK8s add-ons and configure the cluster:
+
+    ```shell
+    ansible-playbook 1-microk8s-cluster.yml
+    ```
+
+    After the successful completion of the playbook, you can access the Kubernetes dashboard at
+    https://k8s-dashboard.owntube.tv/ with a proper certificate and login with a token created from
+    one of the MicroK8s cluster nodes:
+
+    ```shell
+    kubectl get secret -n kube-system microk8s-dashboard-token \
+      -o jsonpath="{.data.token}" | base64 -d
+    ```
diff --git a/roles/microk8s-cluster/defaults/main.yml b/roles/microk8s-cluster/defaults/main.yml
@@ -0,0 +1,20 @@
+---
+
+# Inspired by https://github.com/istvano/ansible_role_microk8s/blob/master/defaults/main.yml
+
+microk8s_servers_group: all
+
+microk8s_users: []
+
+microk8s_plugins:
+  cert-manager: yes
+  dashboard: yes
+  dns: yes
+  helm: yes
+  helm3: yes
+  hostpath-storage: yes
+  ingress: yes
+  metrics-server: yes
+  host-access: yes
+
+...
diff --git a/roles/microk8s-cluster/files/k8s-dashboard-ingress.yml b/roles/microk8s-cluster/files/k8s-dashboard-ingress.yml
@@ -0,0 +1,27 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    kubernetes.io/ingress.class: public
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+  name: kubernetes-dashboard
+  namespace: kube-system
+spec:
+  tls:
+    - hosts:
+        - k8s-dashboard.owntube.tv
+      secretName: kubernetes-dashboard-ingress-cert
+  rules:
+    - host: k8s-dashboard.owntube.tv
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: kubernetes-dashboard
+                port:
+                  number: 443
+...
diff --git a/roles/microk8s-cluster/files/letsencrypt-cluster-issuer.yml b/roles/microk8s-cluster/files/letsencrypt-cluster-issuer.yml
@@ -0,0 +1,21 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt
+spec:
+  acme:
+    # You must replace this email address with your own.
+    # Let's Encrypt will use this to contact you about expiring
+    # certificates, and issues related to your account.
+    email: [email protected]
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      # Secret resource that will be used to store the account's private key.
+      name: letsencrypt-account-key
+    # Add a single challenge solver, HTTP01 using nginx
+    solvers:
+      - http01:
+          ingress:
+            class: public
+...
diff --git a/roles/microk8s-cluster/meta/main.yml b/roles/microk8s-cluster/meta/main.yml
@@ -0,0 +1,28 @@
+---
+
+galaxy_info:
+  author: mblomdahl
+  description: |
+    Configuration of the MicroK8s cluster and its add-ons. Under consideration for partial
+    replacement by the Ansible role https://github.com/istvano/ansible_role_microk8s (see issue #9).
+  company: OwnTube.tv
+
+  license: The Unlicense
+
+  min_ansible_version: 2.16
+
+  platforms:
+    - name: EL
+      versions:
+        - 7
+    - name: Ubuntu
+      versions:
+        - 22.04
+
+  galaxy_tags:
+    - microk8s
+
+dependencies:
+  - microk8s-node
+
+...
diff --git a/roles/microk8s-cluster/tasks/k8s-configurations.yml b/roles/microk8s-cluster/tasks/k8s-configurations.yml
@@ -0,0 +1,29 @@
+---
+
+- name: Create root .kube folder for the MicroK8s designated initial host
+  ansible.builtin.file:
+    path: /root/.kube
+    state: directory
+    mode: 0750
+  tags: microk8s-cluster
+
+- name: Create root kubectl config for the MicroK8s designated host
+  ansible.builtin.shell: microk8s config > /root/.kube/config
+  args:
+    executable: /bin/bash
+  changed_when: no
+  tags: microk8s-cluster
+
+- name: Create Let's Encrypt issuer for cert-manager
+  kubernetes.core.k8s:
+    definition: "{{ lookup('file', 'letsencrypt-cluster-issuer.yml') | from_yaml }}"
+    state: present
+  tags: microk8s-cluster
+
+- name: Create ingress for Kubernetes Dashboard, https://k8s-dashboard.owntube.tv
+  kubernetes.core.k8s:
+    definition: "{{ lookup('file', 'k8s-dashboard-ingress.yml') | from_yaml }}"
+    state: present
+  tags: microk8s-cluster
+
+...
diff --git a/roles/microk8s-cluster/tasks/main.yml b/roles/microk8s-cluster/tasks/main.yml
@@ -0,0 +1,53 @@
+---
+
+- name: Get current MicroK8s add-ons state
+  ansible.builtin.shell: microk8s.status --format yaml
+  changed_when: no
+  check_mode: no
+  register: microk8s_status_yaml
+  tags: microk8s-cluster
+
+- name: Determine current MicroK8s add-ons state
+  ansible.builtin.set_fact:
+    microk8s_status: '{{ microk8s_status_yaml.stdout | from_yaml }}'
+  tags: microk8s-cluster
+
+- name: Determine the designated initial master host
+  ansible.builtin.set_fact:
+    designated_host: '{{ (groups[microk8s_servers_group] | sort)[0] }}'
+  tags: microk8s-cluster
+
+- name: Enable MicroK8s add-ons on the designated master
+  when: inventory_hostname == designated_host
+  block:
+    - name: Enable currently-disabled MicroK8s add-ons
+      ansible.builtin.shell: 'microk8s.enable {{ item.name }}'
+      loop: '{{ microk8s_status.addons }}'
+      loop_control:
+        label: "{{ item.name }}"
+      when:
+        - item.status == 'disabled'
+        - item.name in microk8s_plugins
+        - microk8s_plugins[item.name]
+  tags: microk8s-cluster
+
+- name: Create helm3 Snap alias on all MicroK8s nodes, if enabled
+  community.general.snap_alias:
+    name: microk8s.helm3
+    alias: helm3
+  changed_when: no
+  when:
+    - microk8s_plugins.helm3
+    - microk8s_plugins['helm3'] is truthy
+  tags: microk8s-cluster
+
+- name: Configure MicroK8s user accounts for host-local access
+  include_tasks: user-configurations.yml
+  tags: microk8s-user
+
+- name: Configure Kubernetes resources in MicroK8s cluster
+  include_tasks: k8s-configurations.yml
+  when: inventory_hostname == designated_host
+  tags: microk8s-cluster
+
+...
diff --git a/roles/microk8s-cluster/tasks/user-configurations.yml b/roles/microk8s-cluster/tasks/user-configurations.yml
@@ -0,0 +1,48 @@
+---
+
+- name: Create .kube folder for the MicroK8s users
+  ansible.builtin.file:
+    path: '/home/{{ user }}/.kube'
+    state: directory
+    owner: '{{ user }}'
+    group: '{{ user }}'
+    mode: 0750
+  with_items: '{{ microk8s_users }}'
+  loop_control:
+    loop_var: user
+  tags: microk8s-user
+
+- name: Create kubectl config for the MicroK8s users
+  ansible.builtin.shell: microk8s config > /home/{{ user }}/.kube/config
+  args:
+    executable: /bin/bash
+  with_items: '{{ microk8s_users }}'
+  loop_control:
+    loop_var: user
+  changed_when: no
+  tags: microk8s-user
+
+- name: Correct ownership on kubectl config for MicroK8s users
+  ansible.builtin.file:
+    path: '/home/{{ user }}/.kube/config'
+    state: file
+    owner: '{{ user }}'
+    group: '{{ user }}'
+    mode: 0640
+  with_items: '{{ microk8s_users }}'
+  loop_control:
+    loop_var: user
+  changed_when: no
+  tags: microk8s-user
+
+- name: Install k9s for each of the MicroK8s users
+  become_user: '{{ user }}'
+  ansible.builtin.shell: curl -sS https://webinstall.dev/k9s | bash
+  args:
+    creates: '/home/{{ user }}/.local/bin/k9s'
+  with_items: '{{ microk8s_users }}'
+  loop_control:
+    loop_var: user
+  tags: microk8s-user
+
+...