From 42d8038b43604e2415797c90d0842e6f9fa26512 Mon Sep 17 00:00:00 2001 
From: Dave G Vigil Sr Date: Mon, 8 Mar 2021 23:22:49 -0600 Subject: [PATCH] Set to playbook (#8) * Changed directory structure from role to playbook with multiple roles * fix: Yamllint is now ignoring the .github/ directory * fix: Added blank line to the bottom of .yamllint --- .github/workflows/ci.yml | 31 +-- .travis.yml | 29 --- .yamllint | 37 +--- CONTRIBUTING.md | 71 ------- LICENSE | 198 ++++++++++++++++-- README.md | 105 +++++----- ansible.cfg | 12 ++ handlers/main.yml | 2 - inventory | 11 - inventory/.gitignore | 3 + meta/main.yml | 19 -- molecule/default/INSTALL.rst | 22 -- molecule/default/converge.yml | 7 - molecule/default/create.yml | 147 ------------- molecule/default/destroy.yml | 47 ----- molecule/default/molecule.yml | 14 -- molecule/default/prepare.yml | 10 - molecule/default/verify.yml | 10 - {defaults => roles/agent/defaults}/main.yml | 2 +- .../agent/tasks/main.yml | 2 +- {vars => roles/agent/vars}/main.yml | 0 roles/prereqs/defaults/main.yml | 44 ++++ {tasks => roles/prereqs/tasks}/airgap.yml | 5 +- .../prereqs/tasks}/cis-profile.yml | 2 +- {tasks => roles/prereqs/tasks}/config.yml | 6 +- {tasks => roles/prereqs/tasks}/main.yml | 2 - {tasks => roles/prereqs/tasks}/yum.yml | 16 +- roles/prereqs/vars/main.yml | 8 + roles/server/defaults/main.yml | 44 ++++ .../server/tasks/main.yml | 2 +- roles/server/vars/main.yml | 8 + site.yml | 18 ++ tests/inventory | 2 - tests/test.yml | 5 - 34 files changed, 394 insertions(+), 547 deletions(-) delete mode 100644 .travis.yml delete mode 100644 CONTRIBUTING.md create mode 100644 ansible.cfg delete mode 100644 handlers/main.yml delete mode 100644 inventory create mode 100644 inventory/.gitignore delete mode 100644 meta/main.yml delete mode 100644 molecule/default/INSTALL.rst delete mode 100644 molecule/default/converge.yml delete mode 100644 molecule/default/create.yml delete mode 100644 molecule/default/destroy.yml delete mode 100644 molecule/default/molecule.yml delete mode 100644 
molecule/default/prepare.yml delete mode 100644 molecule/default/verify.yml rename {defaults => roles/agent/defaults}/main.yml (95%) rename tasks/rke2-agent.yml => roles/agent/tasks/main.yml (92%) rename {vars => roles/agent/vars}/main.yml (100%) create mode 100644 roles/prereqs/defaults/main.yml rename {tasks => roles/prereqs/tasks}/airgap.yml (73%) rename {tasks => roles/prereqs/tasks}/cis-profile.yml (97%) rename {tasks => roles/prereqs/tasks}/config.yml (90%) rename {tasks => roles/prereqs/tasks}/main.yml (96%) rename {tasks => roles/prereqs/tasks}/yum.yml (52%) create mode 100644 roles/prereqs/vars/main.yml create mode 100644 roles/server/defaults/main.yml rename tasks/rke2-master.yml => roles/server/tasks/main.yml (94%) create mode 100644 roles/server/vars/main.yml create mode 100644 site.yml delete mode 100644 tests/inventory delete mode 100644 tests/test.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9d7ecfd3..24fb272b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -7,36 +7,27 @@ on: schedule: - cron: "0 2 * * *" -defaults: - run: - working-directory: 'rancherfederal.rke2' - jobs: - lint: + test: name: Lint runs-on: ubuntu-latest + steps: - name: Check out the codebase. uses: actions/checkout@v2 - with: - path: 'rancherfederal.rke2' - - name: Set up Python 3. + - name: Set up Python 3.7. uses: actions/setup-python@v2 with: python-version: '3.x' - name: Install test dependencies. - run: pip3 install yamllint ansible ansible-lint - - - name: Verify versions - run: | - ansible --version - ansible-lint --version - yamllint --version - - - name: Lint code. - run: | - yamllint . - ansible-lint + run: pip3 install yamllint ansible-lint ansible + + - name: Run yamllint. + run: yamllint . + + - name: Run ansible-lint. + run: ansible-lint + diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index 36bbf620..00000000 --- a/.travis.yml +++ /dev/null 
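Review bot: The step renamed to `Set up Python 3.7.` still requests `python-version: '3.x'`, so the step name states a version the step does not install; either pin `python-version: '3.7'` or keep the generic `Set up Python 3.` name. The actions are referenced by mutable tags (`actions/checkout@v2`, `actions/setup-python@v2`) and the linters are installed unpinned via `run: pip3 install yamllint ansible-lint ansible`, so a tag move or a new ansible-lint release can change the lint outcome without any change in this repository; pinning the actions to a commit SHA and the pip packages to versions (or a requirements file) makes the run reproducible. The removed `Verify versions` step was the only place the tool versions were logged; with unpinned installs, keeping a `run: ansible-lint --version` style step is what lets a newly failing run be diagnosed.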
@@ -1,29 +0,0 @@ ---- -language: python -python: "2.7" - -# Use the new container infrastructure -sudo: false - -# Install ansible -addons: - apt: - packages: - - python-pip - -install: - # Install ansible - - pip install ansible - - # Check ansible version - - ansible --version - - # Create ansible.cfg with correct roles_path - - printf '[defaults]\nroles_path=../' >ansible.cfg - -script: - # Basic role syntax check - - ansible-playbook tests/test.yml -i tests/inventory --syntax-check - -notifications: - webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/.yamllint b/.yamllint index 88276760..02ca2a27 100644 --- a/.yamllint +++ b/.yamllint @@ -1,33 +1,12 @@ --- -# Based on ansible-lint config extends: default rules: - braces: - max-spaces-inside: 1 - level: error - brackets: - max-spaces-inside: 1 - level: error - colons: - max-spaces-after: -1 - level: error - commas: - max-spaces-after: -1 - level: error - comments: disable - comments-indentation: disable - document-start: disable - empty-lines: - max: 3 - level: error - hyphens: - level: error - indentation: disable - key-duplicates: enable - line-length: disable - new-line-at-end-of-file: disable - new-lines: - type: unix - trailing-spaces: disable - truthy: disable + line-length: + max: 120 + level: warning + truthy: + allowed-values: ['true', 'false', 'yes', 'no'] + +ignore: | + .github/ diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md deleted file mode 100644 index 973d9b7c..00000000 --- a/CONTRIBUTING.md +++ /dev/null 
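Review bot: `allowed-values: ['true', 'false', 'yes', 'no']` reintroduces the YAML 1.1 truthy ambiguity the rule exists to catch — `yes`/`no` are booleans on 1.1 parsers and strings on 1.2 — so the list should be `['true', 'false']` unless the playbooks deliberately rely on `yes`/`no`. The `ignore: | .github/` block excludes the whole workflow directory from yamllint, although the commit message suggests the motivation is presumably the `on:` key in `ci.yml` that the `truthy` rule flags; a `# yamllint disable-line rule:truthy` on that key, or ignoring only `.github/workflows/ci.yml`, keeps the rest of the directory linted. Since `ci.yml` runs `yamllint .` from the repository root, this ignore also means CI no longer lints its own workflow file.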
@@ -1,71 +0,0 @@ -# Contributing Guidelines - -The following is a set of guidelines for contributing to the RKE2 Ansible role. We really appreciate that you are considering contributing! - -#### Table Of Contents - -[Ask a Question](#ask-a-question) - -[Getting Started](#getting-started) - -[Contributing](#contributing) - -[Code Guidelines](#code-guidelines) -* [Git Guidelines](#git-guidelines) -* [Ansible Guidelines](#ansible-guidelines) - - -## Ask a Question - -Don't know how something works? Curious if the role can achieve your desired functionality? Please open an Issue on GitHub with the label `question`. - -## Getting Started - -Follow our [Installation Guide](https://github.com/rancherfederal/rke2-ansible/blob/main/README.md#Installation) to install Ansible and Molecule and get ready to use the RKE2 Ansible role. - -### Project Structure - -* The RKE2 Ansible role is written in `yaml`. -* The project follows the standard [Ansible role directory structure](https://docs.ansible.com/ansible/latest/user_guide/playbooks_reuse_roles.html): - * The main code is found in `tasks/`. - * Variables can be found in `defaults/main.yml`. - * "Constant" variables can be found in `vars/main.yml`. - * [Molecule](https://molecule.readthedocs.io/) tests can be found in `molecule/`. - -## Contributing - -### Report a Bug - -To report a bug, open an issue on GitHub with the label `bug` using the available bug report issue template. Please ensure the issue has not already been reported. - -### Suggest an Enhancement - -To suggest an enhancement, please create an issue on GitHub with the label `enhancement` using the available feature issue template. - -### Open a Pull Request - -* Fork the repo, create a branch, submit a PR when your changes are **tested** (ideally using Molecule) and ready for review. -* Fill in [our pull request template](https://github.com/rancherfederal/rke2-ansible/blob/main/.github/PULL_REQUEST_TEMPLATE.md). 
- -Note: if you’d like to implement a new feature, please consider creating a feature request issue first to start a discussion about the feature. - -## Code Guidelines - -### Ansible Guidelines - -* Run `molecule lint` over your code to automatically resolve a lot of `yaml` and Ansible style issues. -* Run `molecule test --all` on your code before you submit a PR to catch any potential issues. -* Follow these guides on some good practices for Ansible: - * - * - -### Git Guidelines - -* Keep a clean, concise and meaningful git commit history on your branch (within reason), rebasing locally and squashing before submitting a PR. -* Follow the guidelines of writing a good commit message as described here and summarised in the next few points: - * In the subject line, use the present tense ("Add feature" not "Added feature"). - * In the subject line, use the imperative mood ("Move cursor to..." not "Moves cursor to..."). - * Limit the subject line to 72 characters or less. - * Reference issues and pull requests liberally after the subject line. - * Add more detailed description in the body of the git message (`git commit -a` to give you more space and time in your text editor to write a good message instead of `git commit -am`). - diff --git a/LICENSE b/LICENSE index fcba7014..f433b1a5 100644 --- a/LICENSE +++ b/LICENSE 
@@ -1,21 +1,177 @@ -MIT License - -Copyright (c) 2021 Rancher Federal - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. 
For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. 
For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. 
If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. 
You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. 
Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS diff --git a/README.md b/README.md index 90512ed2..41fba4e1 100644 --- a/README.md +++ b/README.md 
@@ -1,32 +1,29 @@ -Ansible RKE2 (RKE Government) Role +Build a Kubernetes cluster using RKE2 via Ansible ========= +``` + , , _______________________________ + ,-----------|'------'| | | + /. '-' |-' |_____________________________| + |/| | | + | .________.'----' _______________________________ + | || | || | | + \__|' \__|' |_____________________________| + +|‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾| +|________________________________________________________| + +|‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾| +|________________________________________________________| +``` + +Ansible RKE2 (RKE Government) Playbook +--------- [![LINT](https://github.com/rancherfederal/rke2-ansible/actions/workflows/ci.yml/badge.svg)](https://github.com/rancherfederal/rke2-ansible/actions/workflows/ci.yml) -RKE2, also known as RKE Government, is Rancher's next-generation Kubernetes distribution. This Ansible role installs RKE2 for both the control plane and workers. +RKE2, also known as RKE Government, is Rancher's next-generation Kubernetes distribution. This Ansible playbook installs RKE2 for both the control plane and workers. See the [docs](https://docs.rke2.io/) more information about [RKE Government](https://docs.rke2.io/). -Requirements ------------- -### Ansible - -* This role is developed and tested with [maintained](https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html) versions of Ansible base. - -### Molecule - -* Molecule `3.x` is used to test the various functionalities of the role. -* Instructions on how to install Molecule can be found in the [Molecule website](https://molecule.readthedocs.io/en/latest/installation.html). - - -Installation ------------- -### Ansible Galaxy - -Use `ansible-galaxy install rancherfederal.rke2-ansible` to install the latest stable release of the role on your system. 
- -### Git - -Use `git clone https://github.com/rancherfederal/rke2-ansible.git` to pull the latest edge commit of the role from GitHub. Platforms --------- 
@@ -49,53 +46,53 @@ Ubuntu: ``` -Role Variables --------------- - -This role has multiple variables. The descriptions and defaults for all these variables can be found in the **[`defaults/main/`](https://github.com/rancherfederal/rke2-ansible/blob/main/defaults/main/)** folder in the following files: +System requirements +------------------- -|Name|Description| -|----|-----------| -|**[`main.yml`](https://github.com/rancherfederal/rke2-ansible/blob/main/defaults/main/main.yml)**|RKE2 installation variables| +Deployment environment must have Ansible 2.9.0+ +Server and agent nodes must have passwordless SSH access -Similarly, descriptions and defaults for preset variables can be found in the **[`vars/`](https://github.com/rancherfederal/rke2-ansible/blob/main/vars/)** folder in the following files: +Usage +----- -|Name|Description| -|----|-----------| -|**[`main.yml`](https://github.com/rancherfederal/rke2-ansible/blob/main/vars/main.yml)**|List of supported currently variables| +First create a new directory based on the `sample` directory within the `inventory` directory: +```bash +cp -R inventory/sample inventory/my-cluster +``` -Example Playbook ----------------- +Second, edit `inventory/my-cluster/hosts.ini` to match the system information gathered above. For example: -Add the following to the full playbook: +```bash +[server] +192.16.35.12 - - hosts: all - become: yes - roles: - - rke2-ansible +[agent] +192.16.35.[10:11] +[rke2_cluster:children] +server +agent +``` -Inventory should be broken up between control plan nodes and worker nodes. +If needed, you can also edit `inventory/my-cluster/group_vars/all.yml` to match your environment. 
- [control_plane] - 192.168.0.3 - 192.168.0.4 - 192.168.0.5 +Start provisioning of the cluster using the following command: - [workers] - 192.168.0.10 - 192.168.0.11 - 192.168.0.12 - 192.168.0.13 +```bash +ansible-playbook site.yml -i inventory/my-cluster/hosts.ini +``` +Kubeconfig +---------- +To get access to your **Kubernetes** cluster just -License -------- +```bash +scp debian@server_ip:~/.kube/config ~/.kube/config +``` -MIT Author Information ------------------ diff --git a/ansible.cfg b/ansible.cfg new file mode 100644 index 00000000..9e7b9a9a --- /dev/null +++ b/ansible.cfg @@ -0,0 +1,12 @@ +[defaults] +nocows = True +roles_path = ./roles +inventory = ./inventory/cluster.ini + +remote_tmp = $HOME/.ansible/tmp +local_tmp = $HOME/.ansible/tmp +pipelining = True +become = True +host_key_checking = False +deprecation_warnings = False +callback_whitelist = profile_tasks diff --git a/handlers/main.yml b/handlers/main.yml deleted file mode 100644 index efcd5881..00000000 --- a/handlers/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# handlers file for . \ No newline at end of file diff --git a/inventory b/inventory deleted file mode 100644 index bf6eac5a..00000000 --- a/inventory +++ /dev/null @@ -1,11 +0,0 @@ -[rke2-cluster] -rke2m1 ansible_host=10.0.100.61 role=master -rke2m2 ansible_host=10.0.100.62 role=master -rke2m3 ansible_host=10.0.100.63 role=master -rke2k1 ansible_host=10.0.100.64 role=agent -rke2k2 ansible_host=10.0.100.65 role=agent -rke2k3 ansible_host=10.0.100.66 role=agent - -[rke2-cluster:vars] -ansible_ssh_user=root -#deploy_target=root diff --git a/inventory/.gitignore b/inventory/.gitignore new file mode 100644 index 00000000..568d6c0d --- /dev/null +++ b/inventory/.gitignore @@ -0,0 +1,3 @@ +* +!.gitignore +!sample/ \ No newline at end of file diff --git a/meta/main.yml b/meta/main.yml deleted file mode 100644 index 906a5f01..00000000 --- a/meta/main.yml +++ /dev/null 
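Review bot: `host_key_checking = False` disables SSH host-key verification for every play run from this repository, so a connection to a spoofed or re-addressed node is accepted silently; the README already requires pre-provisioned passwordless SSH to the nodes, so their keys can be distributed to a known_hosts file instead and this line dropped, or at most moved into a per-inventory override for throwaway lab clusters. `deprecation_warnings = False` hides the notices about module and syntax changes and is a poor default for a repository whose CI runs ansible-lint. `inventory = ./inventory/cluster.ini` also disagrees with the README in this same commit, which tells users to create `inventory/my-cluster/hosts.ini` and pass it with `-i`, and with `inventory/.gitignore`, which whitelists only `sample/`; pick one layout so the default and the documentation agree.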
@@ -1,19 +0,0 @@ -galaxy_info: - role_name: rke2 - author: rancherfederal - description: This installs RKE Government - company: Rancher Federal - - license: MIT - - min_ansible_version: 2.9 - - platforms: - - name: EL - versions: - - 7 - - 9 - - galaxy_tags: ["rancher", "rke2", "rke", "kubernetes", "k8s"] - -dependencies: [] diff --git a/molecule/default/INSTALL.rst b/molecule/default/INSTALL.rst deleted file mode 100644 index f5a4328c..00000000 --- a/molecule/default/INSTALL.rst +++ /dev/null @@ -1,22 +0,0 @@ -********************************************* -Amazon Web Services driver installation guide -********************************************* - -Requirements -============ - -* An AWS credentials rc file - -Install -======= - -Please refer to the `Virtual environment`_ documentation for installation best -practices. If not using a virtual environment, please consider passing the -widely recommended `'--user' flag`_ when invoking ``pip``. - -.. _Virtual environment: https://virtualenv.pypa.io/en/latest/ -.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site - -.. code-block:: bash - - $ pip install 'molecule-ec2' diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml deleted file mode 100644 index 189d9481..00000000 --- a/molecule/default/converge.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: Converge - hosts: all - tasks: - - name: "Include rke2-ansible" - include_role: - name: "rke2-ansible" diff --git a/molecule/default/create.yml b/molecule/default/create.yml deleted file mode 100644 index 7093ef3d..00000000 --- a/molecule/default/create.yml +++ /dev/null 
@@ -1,147 +0,0 @@ ---- -- name: Create - hosts: localhost - connection: local - gather_facts: false - no_log: "{{ molecule_no_log }}" - vars: - ssh_user: ubuntu - ssh_port: 22 - - security_group_name: molecule - security_group_description: Security group for testing Molecule - security_group_rules: - - proto: tcp - from_port: "{{ ssh_port }}" - to_port: "{{ ssh_port }}" - cidr_ip: '0.0.0.0/0' - - proto: icmp - from_port: 8 - to_port: -1 - cidr_ip: '0.0.0.0/0' - security_group_rules_egress: - - proto: -1 - from_port: 0 - to_port: 0 - cidr_ip: '0.0.0.0/0' - - key_pair_name: molecule_key - key_pair_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/ssh_key" - tasks: - - name: Find the vpc for the subnet - ec2_vpc_subnet_info: - subnet_ids: "{{ item.vpc_subnet_id }}" - loop: "{{ molecule_yml.platforms }}" - register: subnet_info - - - name: Create security groups - ec2_group: - vpc_id: "{{ item.subnets[0].vpc_id }}" - name: "{{ security_group_name }}" - description: "{{ security_group_name }}" - rules: "{{ security_group_rules }}" - rules_egress: "{{ security_group_rules_egress }}" - loop: "{{ subnet_info.results }}" - - - name: Test for presence of local key pair - stat: - path: "{{ key_pair_path }}" - register: key_pair_local - - - name: Delete remote key pair - ec2_key: - name: "{{ key_pair_name }}" - state: absent - when: not key_pair_local.stat.exists - - - name: Create key pair - ec2_key: - name: "{{ key_pair_name }}" - register: key_pair - - - name: Persist the key pair - copy: - dest: "{{ key_pair_path }}" - content: "{{ key_pair.key.private_key }}" - mode: 0600 - when: key_pair.changed - - - name: Get the ec2 ami(s) by owner and name, if image not set - ec2_ami_info: - owners: "{{ item.image_owner }}" - filters: - name: "{{ item.image_name }}" - loop: "{{ molecule_yml.platforms }}" - when: item.image is not defined - register: ami_info - - - name: Create molecule instance(s) - ec2: - key_name: "{{ key_pair_name }}" - image: "{{ item.image - if 
item.image is defined - else (ami_info.results[index].images | sort(attribute='creation_date', reverse=True))[0].image_id }}" - instance_type: "{{ item.instance_type }}" - vpc_subnet_id: "{{ item.vpc_subnet_id }}" - group: "{{ security_group_name }}" - instance_tags: "{{ item.instance_tags | combine({'instance': item.name}) - if item.instance_tags is defined - else {'instance': item.name} }}" - wait: true - assign_public_ip: true - exact_count: 1 - count_tag: - instance: "{{ item.name }}" - register: server - loop: "{{ molecule_yml.platforms }}" - loop_control: - index_var: index - async: 7200 - poll: 0 - - - name: Wait for instance(s) creation to complete - async_status: - jid: "{{ item.ansible_job_id }}" - register: ec2_jobs - until: ec2_jobs.finished - retries: 300 - with_items: "{{ server.results }}" - - # Mandatory configuration for Molecule to function. - - - name: Populate instance config dict - set_fact: - instance_conf_dict: { - 'instance': "{{ item.instances[0].tags.instance }}", - 'address': "{{ item.instances[0].public_ip }}", - 'user': "{{ ssh_user }}", - 'port': "{{ ssh_port }}", - 'identity_file': "{{ key_pair_path }}", - 'instance_ids': "{{ item.instance_ids }}", } - with_items: "{{ ec2_jobs.results }}" - register: instance_config_dict - when: server.changed | bool - - - name: Convert instance config dict to a list - set_fact: - instance_conf: "{{ instance_config_dict.results | map(attribute='ansible_facts.instance_conf_dict') | list }}" - when: server.changed | bool - - - name: Dump instance config - copy: - content: "{{ instance_conf | to_json | from_json | molecule_to_yaml | molecule_header }}" - dest: "{{ molecule_instance_config }}" - when: server.changed | bool - - - name: Wait for SSH - wait_for: - port: "{{ ssh_port }}" - host: "{{ item.address }}" - search_regex: SSH - delay: 10 - timeout: 320 - with_items: "{{ lookup('file', molecule_instance_config) | molecule_from_yaml }}" - - - name: Wait for boot process to finish - pause: - minutes: 2 
diff --git a/molecule/default/destroy.yml b/molecule/default/destroy.yml deleted file mode 100644 index 5b7a756d..00000000 --- a/molecule/default/destroy.yml +++ /dev/null @@ -1,47 +0,0 @@ ---- -- name: Destroy - hosts: localhost - connection: local - gather_facts: false - no_log: "{{ molecule_no_log }}" - tasks: - - block: - - name: Populate instance config - set_fact: - instance_conf: "{{ lookup('file', molecule_instance_config) | molecule_from_yaml }}" - skip_instances: false - rescue: - - name: Populate instance config when file missing - set_fact: - instance_conf: {} - skip_instances: true - - - name: Destroy molecule instance(s) - ec2: - state: absent - instance_ids: "{{ item.instance_ids }}" - register: server - with_items: "{{ instance_conf }}" - when: not skip_instances - async: 7200 - poll: 0 - - - name: Wait for instance(s) deletion to complete - async_status: - jid: "{{ item.ansible_job_id }}" - register: ec2_jobs - until: ec2_jobs.finished - retries: 300 - with_items: "{{ server.results }}" - - # Mandatory configuration for Molecule to function. - - - name: Populate instance config - set_fact: - instance_conf: {} - - - name: Dump instance config - copy: - content: "{{ instance_conf | to_json | from_json | molecule_to_yaml | molecule_header }}" - dest: "{{ molecule_instance_config }}" - when: server.changed | bool diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml deleted file mode 100644 index ec1f7f81..00000000 --- a/molecule/default/molecule.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- -dependency: - name: galaxy -lint: | - yamllint . - ansible-lint -driver: - name: ec2 -platforms: - - name: instance -provisioner: - name: ansible -verifier: - name: ansible diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml deleted file mode 100644 index e1b9818e..00000000 --- a/molecule/default/prepare.yml +++ /dev/null 
@@ -1,10 +0,0 @@ ---- -- name: Prepare - hosts: all - gather_facts: false - tasks: - - name: Make sure python3 is installed - package: - name: python3 - state: present - become: true diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml deleted file mode 100644 index 79044cd0..00000000 --- a/molecule/default/verify.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -# This is an example playbook to execute Ansible tests. - -- name: Verify - hosts: all - gather_facts: false - tasks: - - name: Example assertion - assert: - that: true diff --git a/defaults/main.yml b/roles/agent/defaults/main.yml similarity index 95% rename from defaults/main.yml rename to roles/agent/defaults/main.yml index 1d5bc334..d278910a 100644 --- a/defaults/main.yml +++ b/roles/agent/defaults/main.yml @@ -45,4 +45,4 @@ rke2_default_interface: "auto" # airgap configuration ## TODO rke2_airgap_mode: false -rke2_image_file_url: https://github.com/rancher/rke2/releases/download/v1.18.15%2Brke2r1/rke2-images.linux-amd64.tar.gz \ No newline at end of file +rke2_image_file_url: https://github.com/rancher/rke2/releases/download/v1.18.15%2Brke2r1/rke2-images.linux-amd64.tar.gz diff --git a/tasks/rke2-agent.yml b/roles/agent/tasks/main.yml similarity index 92% rename from tasks/rke2-agent.yml rename to roles/agent/tasks/main.yml index 7c8b2a30..42031163 100644 --- a/tasks/rke2-agent.yml +++ b/roles/agent/tasks/main.yml @@ -2,7 +2,7 @@ - name: YUM | Install rke2-agent yum: name: rke2-agent - state: latest # noqa package-latest + state: latest # noqa package-latest - name: CIS | copy systemctl file for kernel hardening ansible.builtin.copy: diff --git a/vars/main.yml b/roles/agent/vars/main.yml similarity index 100% rename from vars/main.yml rename to roles/agent/vars/main.yml diff --git a/roles/prereqs/defaults/main.yml b/roles/prereqs/defaults/main.yml new file mode 100644 index 00000000..78c81720 --- /dev/null +++ b/roles/prereqs/defaults/main.yml 
@@ -0,0 +1,44 @@
+---
+# Security configuration
+rke2_cis_mode: true
+rke2_selinux: true
+
+# YUM repository configuration
+rke2_repo_common_baseurl: "https://rpm.rancher.io/rke2/latest/common/centos/7/noarch"
+rke2_repo_common_gpg_check: true
+rke2_repo_common_gpg_key: "https://rpm.rancher.io/public.key"
+rke2_repo_package_baseurl: "https://rpm.rancher.io/rke2/latest/1.19/centos/7/x86_64"
+rke2_repo_package_gpg_check: true
+rke2_repo_package_gpg_key: "https://rpm.rancher.io/public.key"
+
+# config.yaml configuration
+## TODO
+rke2_write_kubeconfig_mode: "0644"
+rke2_write_kubeconfig: "/etc/rancher/rke2/rke2.yaml"
+rke2_lb_hostname: # used in HA
+
+# etcd snapshot configuration
+## TODO
+rke2_etcd_disable_snapshots: false
+rke2_etcd_snapshot_cron: "0 */12 * * *"
+rke2_etcd_snapshot_retention: 5
+# rke2_etcd_dir: ${data-dir}/db/snapshots
+
+
+# systemd configuration
+## TODO
+rke2_systemd_enable_service: true
+
+# container registry configuration
+## https://docs.rke2.io/install/containerd_registry_configuration/
+## TODO
+
+# network default-interface override
+## https://docs.rke2.io/install/network_options/
+## TODO
+rke2_default_interface: "auto"
+
+# airgap configuration
+## TODO
+rke2_airgap_mode: false
+rke2_image_file_url: https://github.com/rancher/rke2/releases/download/v1.19.8%2Brke2r1/rke2-images.linux-amd64.tar.gz
diff --git a/tasks/airgap.yml b/roles/prereqs/tasks/airgap.yml
similarity index 73%
rename from tasks/airgap.yml
rename to roles/prereqs/tasks/airgap.yml
index aaeaca1c..562d2499 100644
--- a/tasks/airgap.yml
+++ b/roles/prereqs/tasks/airgap.yml
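Review bot: `rke2_lb_hostname: # used in HA` leaves the value bare, so the key parses as null rather than an empty string and any `{{ rke2_lb_hostname }}` substitution renders as `None`; write `rke2_lb_hostname: ""` (or `null` if absence is the intent) so the type is explicit, and the same line appears in roles/server/defaults/main.yml later in this commit. `rke2_write_kubeconfig_mode: "0644"` makes the admin kubeconfig written to `/etc/rancher/rke2/rke2.yaml` readable by every local user, which sits oddly next to `rke2_cis_mode: true`; either a comment saying which non-root consumer needs read access or a default of `"0600"` would be appropriate. The unquoted `rke2_image_file_url` is fine as YAML, but a comment above it such as `# must match rke_version_full in vars/main.yml` would keep the two from drifting apart.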
@@ -10,10 +10,11 @@ - name: WGET | download rke2 images to disk (just to speed up repeated testing) get_url: - url: "https://github.com/rancher/rke2/releases/download/v{{ rke_version_full }}%2Brke2r1/rke2-images.linux-amd64.tar.gz" + url: "{{ rke2_image_file_url }}" dest: /opt/rke2-images.linux-amd64.tar.gz - # copy the container-image tar to the airgap image. we have to do this every time because rke2 will delete the file on disk after the images are ingested into the containerd store + # copy the container-image tar to the airgap image. we have to do this every time because rke2 will delete the + # file on disk after the images are ingested into the containerd store - name: COPY | airgap images to /var/lib/rancher/rke2/agent/images copy: src: /opt/rke2-images.linux-amd64.tar.gz diff --git a/tasks/cis-profile.yml b/roles/prereqs/tasks/cis-profile.yml similarity index 97% rename from tasks/cis-profile.yml rename to roles/prereqs/tasks/cis-profile.yml index 99c18c5e..143c15b6 100644 --- a/tasks/cis-profile.yml +++ b/roles/prereqs/tasks/cis-profile.yml @@ -1,6 +1,6 @@ --- -## CIS-Mode +## CIS-Mode # https://docs.rke2.io/security/hardening_guide/ - name: CONFIG | enable CIS-MODE lineinfile: diff --git a/tasks/config.yml b/roles/prereqs/tasks/config.yml similarity index 90% rename from tasks/config.yml rename to roles/prereqs/tasks/config.yml index d5cc72be..810e8af9 100644 --- a/tasks/config.yml +++ b/roles/prereqs/tasks/config.yml @@ -1,6 +1,4 @@ --- -# /etc/rancher/rke2/config.yaml - # Does the /etc/rancher/rke2 directory exist? - name: Does the /etc/rancher/rke2 directory exist? stat: @@ -16,7 +14,7 @@ - name: Does /etc/rancher/rke2/config.yaml exist stat: - path: /etc/rancher/rke2/config.yaml + path: /etc/rancher/rke2/config.yaml register: etc_rancher_rke2_config - name: create the /etc/rancher/rke2/config.yaml file 
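Review bot: The `get_url` task now fetches `{{ rke2_image_file_url }}` to `/opt/rke2-images.linux-amd64.tar.gz` with no `checksum:` argument, so a truncated or tampered tarball is copied into `/var/lib/rancher/rke2/agent/images` and ingested into containerd unverified; add `checksum: "sha256:<IMAGE_TARBALL_SHA256>"` (placeholder, taken from the checksum file published with the RKE2 release) so the download is validated before the copy task runs. Replacing the `rke_version_full`-derived URL with a free-standing variable also means the image tarball no longer tracks the installed version unless someone updates both; a comment on the task, `# rke2_image_file_url must match rke_version_full in vars/main.yml`, would make that coupling visible. The task list containing this hunk continues outside it on both sides.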
@@ -39,7 +37,7 @@ # Airgap Images - name: Does the airgap images folder exist? stat: - path: /var/lib/rancher/rke2/agent/images + path: /var/lib/rancher/rke2/agent/images register: rke2_agent_images - name: create the airgap images folder diff --git a/tasks/main.yml b/roles/prereqs/tasks/main.yml similarity index 96% rename from tasks/main.yml rename to roles/prereqs/tasks/main.yml index cb9b351f..300da2e0 100644 --- a/tasks/main.yml +++ b/roles/prereqs/tasks/main.yml @@ -35,5 +35,3 @@ # CIS mode - import_tasks: cis-profile.yml when: rke2_cis_mode - -- import_tasks: rke2-master.yml \ No newline at end of file diff --git a/tasks/yum.yml b/roles/prereqs/tasks/yum.yml similarity index 52% rename from tasks/yum.yml rename to roles/prereqs/tasks/yum.yml index f077a77b..8b6300f1 100644 --- a/tasks/yum.yml +++ b/roles/prereqs/tasks/yum.yml @@ -1,17 +1,3 @@ -#!/usr/bin/ansible-playbook -# , , _______________________________ -# ,-----------|'------'| | | -# /. '-' |-' |_____________________________| -# |/| | | -# | .________.'----' _______________________________ -# | || | || | | -# \__|' \__|' |_____________________________| -# -#|‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾| -#|________________________________________________________| -# -#|‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾| -#|________________________________________________________| --- # Does the Rancher RKE2 Common repo exist already @@ -34,7 +20,7 @@ # Does the Rancher RKE2 1.19 repo exist already - name: Check to see if rke2 versioned repo exists stat: - path: '/etc/yum.repos.d/rke2-v{{rke_version}}.repo' # noqa var-spacing + path: '/etc/yum.repos.d/rke2-v{{rke_version}}.repo' # noqa var-spacing register: stat_rke2_versioned_repo # Add RKE2 1.19 repo if it doesn't exist diff --git a/roles/prereqs/vars/main.yml b/roles/prereqs/vars/main.yml new file mode 100644 index 00000000..7a1f8243 --- /dev/null +++ b/roles/prereqs/vars/main.yml 
@@ -0,0 +1,8 @@
+---
+
+# RKE2 version
+rke_version: 1.19
+rke_version_full: 1.19.8
+
+# Is this an airgapped install
+rke2_airgap_mode: false
diff --git a/roles/server/defaults/main.yml b/roles/server/defaults/main.yml
new file mode 100644
index 00000000..c686e7d8
--- /dev/null
+++ b/roles/server/defaults/main.yml
@@ -0,0 +1,44 @@
+---
+# Security configuration
+rke2_cis_mode: true
+rke2_selinux: true
+
+# YUM repository configuration
+rke2_repo_common_baseurl: "https://rpm.rancher.io/rke2/latest/common/centos/7/noarch"
+rke2_repo_common_gpg_check: true
+rke2_repo_common_gpg_key: "https://rpm.rancher.io/public.key"
+rke2_repo_package_baseurl: "https://rpm.rancher.io/rke2/latest/1.19/centos/7/x86_64"
+rke2_repo_package_gpg_check: true
+rke2_repo_package_gpg_key: "https://rpm.rancher.io/public.key"
+
+# config.yaml configuration
+## TODO
+rke2_write_kubeconfig_mode: "0644"
+rke2_write_kubeconfig: "/etc/rancher/rke2/rke2.yaml"
+rke2_lb_hostname: # used in HA
+
+# etcd snapshot configuration
+## TODO
+rke2_etcd_disable_snapshots: false
+rke2_etcd_snapshot_cron: "0 */12 * * *"
+rke2_etcd_snapshot_retention: 5
+# rke2_etcd_dir: ${data-dir}/db/snapshots
+
+
+# systemd configuration
+## TODO
+rke2_systemd_enable_service: true
+
+# container registry configuration
+## https://docs.rke2.io/install/containerd_registry_configuration/
+## TODO
+
+# network default-interface override
+## https://docs.rke2.io/install/network_options/
+## TODO
+rke2_default_interface: "auto"
+
+# airgap configuration
+## TODO
+rke2_airgap_mode: false
+rke2_image_file_url: https://github.com/rancher/rke2/releases/download/v1.18.15%2Brke2r1/rke2-images.linux-amd64.tar.gz
diff --git a/tasks/rke2-master.yml b/roles/server/tasks/main.yml
similarity index 94%
rename from tasks/rke2-master.yml
rename to roles/server/tasks/main.yml
index 57360aae..0c010d12 100644
--- a/tasks/rke2-master.yml
+++ b/roles/server/tasks/main.yml
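Review bot: `rke2_airgap_mode: false` is declared in roles/prereqs/vars/main.yml as well as in the role's defaults, and role `vars/` take precedence over inventory and group_vars, so an operator who sets `rke2_airgap_mode: true` in inventory is silently ignored and only `-e` on the command line can enable airgap mode; drop the key from vars/main.yml and leave it in defaults only. `rke_version: 1.19` is parsed as a float, which happens to render as `1.19` but would turn a future `1.20` into `1.2` in the repo path built in tasks/yum.yml; quote it as `rke_version: "1.19"`. roles/server/vars/main.yml, later in this commit, repeats both issues.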
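Review bot: `rke2_image_file_url` in roles/server/defaults/main.yml pins `v1.18.15%2Brke2r1` while the server's vars/main.yml sets `rke_version_full: 1.19.8` and roles/prereqs/defaults/main.yml uses `v1.19.8`, so the server role's default points at images from a different release than the packages the roles install; change it to the v1.19.8 URL or build it from `rke_version_full`. roles/agent/defaults/main.yml, which this commit touches only to add a trailing newline, still carries the same v1.18.15 URL. Apart from that line this file is a copy of roles/prereqs/defaults/main.yml; a comment at the top of each copy naming the canonical one, or moving the shared values to group_vars for the `rke2_cluster` group, would stop the copies diverging again.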
@@ -2,7 +2,7 @@ - name: YUM | Install rke2-server yum: name: rke2-server - state: latest # noqa package-latest + state: latest # noqa package-latest - name: CIS | copy systemctl file for kernel hardening ansible.builtin.copy: diff --git a/roles/server/vars/main.yml b/roles/server/vars/main.yml new file mode 100644 index 00000000..7a1f8243 --- /dev/null +++ b/roles/server/vars/main.yml @@ -0,0 +1,8 @@ +--- + +# RKE2 version +rke_version: 1.19 +rke_version_full: 1.19.8 + +# Is this an airgapped install +rke2_airgap_mode: false diff --git a/site.yml b/site.yml new file mode 100644 index 00000000..d0298778 --- /dev/null +++ b/site.yml @@ -0,0 +1,18 @@ +--- + +- hosts: rke2_cluster + gather_facts: yes + become: yes + roles: + - role: prereq + - role: download + +- hosts: master + become: yes + roles: + - role: rke2/master + +- hosts: node + become: yes + roles: + - role: rke2/node diff --git a/tests/inventory b/tests/inventory deleted file mode 100644 index 878877b0..00000000 --- a/tests/inventory +++ /dev/null @@ -1,2 +0,0 @@ -localhost - diff --git a/tests/test.yml b/tests/test.yml deleted file mode 100644 index 14d2c49b..00000000 --- a/tests/test.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- hosts: localhost - remote_user: root - roles: - - .
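Review bot: site.yml references roles `prereq`, `download`, `rke2/master` and `rke2/node`, but the directories this commit creates are roles/prereqs, roles/server and roles/agent, so `ansible-playbook site.yml` will fail to resolve every role unless those names exist outside the repository; the role lines should read `- role: prereqs`, `- role: server` and `- role: agent`, and no `download` role is present in the tree. `gather_facts: yes` and `become: yes` rely on YAML 1.1 truthiness; write `true` so yamllint's truthy rule passes and the file agrees with the `true`/`false` used in the role defaults. The three plays also lack `name:` keys, which makes `--list-tasks` and run output harder to follow.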