From d01b360a418c5025d79642d14aa4289116aea25e Mon Sep 17 00:00:00 2001 
From: Jay Patel <78554593+jarpat@users.noreply.github.com> Date: Tue, 11 Jul 2023 10:01:54 -0400 Subject: [PATCH] feat: (IAC-1066) Add Hadolint, ShellCheck, TFLint Checks, and Ansible Lint via GitHub Actions (#78) --- .github/workflows/linter-analysis.yaml | 93 +++++++++++++++++++ Dockerfile | 11 ++- docs/CONFIG-VARS.md | 1 - docs/REQUIREMENTS.md | 2 - examples/bare-metal/sample-ansible-vars.yaml | 6 +- examples/vsphere/sample-terraform-dhcp.tfvars | 1 - .../vsphere/sample-terraform-minimal.tfvars | 1 - .../sample-terraform-static-ips.tfvars | 1 - ...sample-terraform-static-singlestore.tfvars | 1 - examples/vsphere/sample-terraform-vi.tfvars | 1 - linting-configs/.ansible-lint | 50 ++++++++++ linting-configs/.hadolint.yaml | 3 + linting-configs/.shellcheckrc | 6 ++ linting-configs/.tflint.hcl | 27 ++++++ locals.tf | 4 +- main.tf | 1 - modules/server/main.tf | 2 +- modules/server/variables.tf | 4 - modules/vm/main.tf | 6 +- playbooks/kubernetes-install.yaml | 15 ++- playbooks/kubernetes-uninstall.yaml | 3 + playbooks/systems-install.yaml | 7 ++ roles/kubernetes/common/defaults/main.yaml | 1 + roles/kubernetes/common/tasks/main.yaml | 54 +++++------ .../init/primary/defaults/main.yaml | 1 + .../init/primary/tasks/main.yaml | 12 +-- .../init/secondary/tasks/main.yaml | 8 +- .../control_plane/removal/tasks/main.yaml | 3 +- .../cri/containerd/defaults/main.yaml | 1 + .../kubernetes/cri/containerd/tasks/main.yaml | 38 ++++---- roles/kubernetes/cri/cri-o/tasks/main.yaml | 30 +++--- roles/kubernetes/cri/docker/tasks/main.yaml | 38 ++++---- .../alter_server_settings/defaults/main.yaml | 1 + .../alter_server_settings/tasks/main.yaml | 2 +- .../postgres/create_databases/tasks/main.yaml | 3 +- .../loadbalancer/kube_vip/tasks/main.yaml | 6 +- .../loadbalancer/metallb/defaults/main.yaml | 1 + .../loadbalancer/metallb/tasks/main.yaml | 8 +- .../metrics/metrics-server/defaults/main.yaml | 1 + roles/kubernetes/misc/tasks/main.yaml | 3 +- .../kubernetes/node/baseline/tasks/main.yaml 
| 4 +- roles/kubernetes/node/init/tasks/main.yaml | 2 +- .../node/labels_taints/roles/tasks/main.yaml | 2 +- .../node/labels_taints/system/tasks/main.yaml | 2 +- .../node/labels_taints/tasks/labels.yaml | 4 +- .../node/labels_taints/tasks/taints.yaml | 4 +- roles/kubernetes/node/removal/tasks/main.yaml | 12 +-- .../sas-iac-buildinfo/tasks/main.yaml | 67 ++++++------- .../defaults/main.yaml | 3 +- .../tasks/main.yaml | 2 +- .../defaults/main.yaml | 83 +++++++++-------- .../tasks/main.yaml | 4 +- roles/kubernetes/toolbox/tasks/main.yaml | 24 ++--- roles/kubernetes/vip/primary/tasks/main.yaml | 2 +- .../kubernetes/vip/secondary/tasks/main.yaml | 4 +- roles/systems/bare_metal/init/tasks/main.yaml | 5 +- roles/systems/common/tasks/main.yaml | 12 +-- .../container_registry/harbor/tasks/main.yaml | 46 ++++----- roles/systems/jump_server/tasks/main.yaml | 8 +- roles/systems/nfs_server/tasks/main.yaml | 16 ++-- roles/systems/postgres/defaults/main.yaml | 1 + roles/systems/postgres/tasks/main.yaml | 42 ++++----- roles/systems/vsphere/init/tasks/main.yaml | 6 +- variables.tf | 7 +- 64 files changed, 508 insertions(+), 311 deletions(-) create mode 100644 .github/workflows/linter-analysis.yaml create mode 100644 linting-configs/.ansible-lint create mode 100644 linting-configs/.hadolint.yaml create mode 100644 linting-configs/.shellcheckrc create mode 100644 linting-configs/.tflint.hcl diff --git a/.github/workflows/linter-analysis.yaml b/.github/workflows/linter-analysis.yaml new file mode 100644 index 0000000..06ba91f --- /dev/null +++ b/.github/workflows/linter-analysis.yaml 
@@ -0,0 +1,93 @@
+name: Linter Analysis
+on:
+ push:
+ branches: [ '*' ] # '*' will cause the workflow to run on all commits to all branches.
+
+jobs:
+ # Hadolint: Job-1
+ Hadolint:
+ name: Hadolint
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Repo
+ uses: actions/checkout@v3
+
+ - name: Run Hadolint Action
+ uses: jbergstroem/hadolint-gh-action@v1.11.0
+ with:
+ dockerfile: ./Dockerfile
+ config_file: linting-configs/.hadolint.yaml
+ error_level: 1 # Fail CI based on hadolint output (-1: never, 0: error, 1: warning, 2: info)
+
+ # ShellCheck: Job-2
+ ShellCheck:
+ name: ShellCheck
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Repo
+ uses: actions/checkout@v3
+
+ # .shellcheckrc is read from the current dir
+ - name: Copy Config to Parent Level Directory
+ run: cp $(pwd)/linting-configs/.shellcheckrc .
+
+ - name: Run ShellCheck Action
+ uses: ludeeus/action-shellcheck@master
+ with:
+ severity: error
+
+ # TFLint: Job-3
+ TFLint:
+ name: TFLint
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Repo
+ uses: actions/checkout@v3
+
+ - name: Cache Plugin Directory
+ uses: actions/cache@v3
+ with:
+ path: ~/.tflint.d/plugins
+ key: ubuntu-latest-tflint-${{ hashFiles('.tflint.hcl') }}
+
+ - name: Setup TFLint
+ uses: terraform-linters/setup-tflint@v3.0.0
+ with:
+ tflint_version: latest
+ github_token: ${{ secrets.LINTER_TOKEN }}
+
+ - name: Initializing viya4-iac-k8s
+ run: terraform init
+
+ - name: Initializing TFLint
+ run: TFLINT_LOG=info tflint --init -c "$(pwd)/linting-configs/.tflint.hcl"
+
+ - name: Run TFLint Action
+ run: TFLINT_LOG=info tflint -c "$(pwd)/linting-configs/.tflint.hcl" --recursive
+
+ # ansible-lint: Job-4
+ Ansible-Lint:
+ name: ansible-lint
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Repo
+ uses: actions/checkout@v3
+
+ # The latest ansible/ansible-lint-action removed the
+ # ability to specify configs from other dirs
+ - name: Copy Config to Parent Level Directory
+ run: cp $(pwd)/linting-configs/.ansible-lint .
+
+ # ansible-lint does not seem to recognize the .yaml
+ # extension for the requirements file and it is not
+ # configurable
+ - name: Updates requirements extension
+ run: cp $(pwd)/requirements.yaml requirements.yml
+
+ - name: Install requirements.yaml
+ run: ansible-galaxy install -r ./requirements.yaml
+
+ - name: Run ansible-lint Action
+ uses: ansible/ansible-lint-action@v6.16.0
+ env:
+ ANSIBLE_ROLES_PATH: "./roles"
diff --git a/Dockerfile b/Dockerfile
index 2cb1c10..6c4d0fb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 # Base layer
 FROM ubuntu:22.04 as baseline
-RUN apt-get update && apt-get upgrade -y \
- && apt-get install -y python3 python3-dev python3-pip curl unzip gnupg \
+RUN apt-get update && apt-get upgrade -y --no-install-recommends \
+ && apt-get install -y python3 python3-dev python3-pip curl unzip gnupg --no-install-recommends \
 && update-alternatives --install /usr/bin/python python /usr/bin/python3 1 \
 && update-alternatives --install /usr/bin/pip pip /usr/bin/pip3 1 \
 && apt-get clean && rm -rf /var/lib/apt/lists/*
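Review bot: The `Cache Plugin Directory` step keys on `hashFiles('.tflint.hcl')`, but the config this workflow hands to tflint is `linting-configs/.tflint.hcl`; with no such file at the repository root `hashFiles()` returns an empty string, so the plugin cache is never invalidated when the ruleset config changes — use `key: ubuntu-latest-tflint-${{ hashFiles('linting-configs/.tflint.hcl') }}`. The ShellCheck job resolves `ludeeus/action-shellcheck@master`, a mutable branch, while every other `uses:` in the file is tag-pinned; pin it to a release tag (better, a full-length commit SHA) so a change on that branch cannot silently alter what executes in CI. No `permissions:` block is declared, so each job runs with the repository's default token scope although these lint jobs only read the checkout; add `permissions:` / `contents: read` at the workflow level, and confirm that the separate `LINTER_TOKEN` handed to setup-tflint (used only for release lookups) is not broader than `secrets.GITHUB_TOKEN` would be. `tflint_version: latest` makes the TFLint job non-reproducible from run to run; pinning a version alongside the cached plugins keeps failures attributable to this repository's changes.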
@@ -14,13 +14,14 @@ ARG TERRAFORM_VERSION=1.4.5-* WORKDIR /build +SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN curl -fsSL https://apt.releases.hashicorp.com/gpg | apt-key add - \ && echo "deb [arch=amd64] https://apt.releases.hashicorp.com focal main" > /etc/apt/sources.list.d/tf.list \ && apt-get update \ - && curl -sLO https://storage.googleapis.com/kubernetes-release/release/v{$KUBECTL_VERSION}/bin/linux/amd64/kubectl && chmod 755 ./kubectl \ + && curl -sLO https://storage.googleapis.com/kubernetes-release/release/v$KUBECTL_VERSION/bin/linux/amd64/kubectl && chmod 755 ./kubectl \ && curl -ksLO https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 && chmod 755 get-helm-3 \ && ./get-helm-3 --version v$HELM_VERSION --no-sudo \ - && apt-get install -y terraform=$TERRAFORM_VERSION \ + && apt-get install -y terraform=$TERRAFORM_VERSION --no-install-recommends \ && apt-get clean && rm -rf /var/lib/apt/lists/* # Installation steps @@ -38,7 +39,7 @@ COPY . /viya4-iac-k8s/ ENV HOME=/viya4-iac-k8s -RUN pip install -r ./requirements.txt \ +RUN pip install -r ./requirements.txt --no-cache-dir \ && ansible-galaxy install -r ./requirements.yaml \ && chmod 755 /viya4-iac-k8s/docker-entrypoint.sh /viya4-iac-k8s/oss-k8s.sh \ && terraform init \ diff --git a/docs/CONFIG-VARS.md b/docs/CONFIG-VARS.md index 280db09..2dfd57b 100644 --- a/docs/CONFIG-VARS.md +++ b/docs/CONFIG-VARS.md @@ -52,7 +52,6 @@ Terraform input variables can be set in the following ways: | Name | Description | Type | Default | Notes | | :--- | :--- | :--- | :--- | :--- | | vsphere_server | Name of the vSphere server | string | | | -| vsphere_cluster | Name of the vSphere cluster | string | | | | vsphere_datacenter | Name of the vSphere data center | string | | | | vsphere_datastore | Name of the vSphere data store to use for the VMs | string | | | | vsphere_resource_pool | Name of the vSphere resource pool to use for the VMs | string | | | 
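Review bot: The changed kubectl download still uses `curl -sLO` without `-f`, so when `$KUBECTL_VERSION` does not resolve to a release the HTTP error body is written to `./kubectl`, given mode 755, and the build continues; `curl -fsSLO https://storage.googleapis.com/kubernetes-release/release/v$KUBECTL_VERSION/bin/linux/amd64/kubectl` fails the layer instead, matching the `-fsSL` already used for the HashiCorp key on the first line of this `RUN`. The adjacent get-helm-3 line passes `-k`, which disables TLS certificate verification for a script that is executed immediately afterwards; drop `-k` and fetch the script at a tagged revision rather than `main`. Neither the kubectl binary nor the helm installer is checked against a published checksum, and the newly added `pipefail` shell does nothing for that; a `sha256sum -c` against a pinned value after each download would close the gap. The `RUN` instruction is complete within this hunk.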
diff --git a/docs/REQUIREMENTS.md b/docs/REQUIREMENTS.md index a8945cb..3dcc4cb 100644 --- a/docs/REQUIREMENTS.md +++ b/docs/REQUIREMENTS.md @@ -55,7 +55,6 @@ In order to leverage vSphere or vCenter, the following items are required for us | vSphere Item | Description | | --- | :--- | -|vsphere_cluster | Name of the vSphere cluster | |vsphere_datacenter | Name of the vSphere data center | |vsphere_datastore | Name of the vSphere data store to use for the VMs | |vsphere_resource_pool | Name of the vSphere resource pool to use for the VMs | @@ -193,7 +192,6 @@ gateway = "10.18.0.1" # Gateway for servers netmask = "16" # Netmask providing network access to your gateway # vSphere -vsphere_cluster = "" # Name of the vSphere cluster vsphere_datacenter = "" # Name of the vSphere data center vsphere_datastore = "" # Name of the vSphere data store to use for the VMs vsphere_resource_pool = "" # Name of the vSphere resource pool to use for the VMs diff --git a/examples/bare-metal/sample-ansible-vars.yaml b/examples/bare-metal/sample-ansible-vars.yaml index f462449..cc479b6 100644 --- a/examples/bare-metal/sample-ansible-vars.yaml +++ b/examples/bare-metal/sample-ansible-vars.yaml @@ -31,7 +31,7 @@ kubernetes_service_subnet : "" kubernetes_pod_subnet : "" # Kubernetes - VIP : https://kube-vip.io -# +# # Useful links: # # VIP IP : https://kube-vip.io/docs/installation/static/ @@ -72,7 +72,7 @@ kubernetes_loadbalancer : "" # Load Balancer accepted values [kube_vip,metallb] # - "192.168.10.0/24" # - "192.168.9.1-192.168.9.5" # -# NOTE: If you are assigning a static IP using the loadBalancerIP value in your +# NOTE: If you are assigning a static IP using the loadBalancerIP value in your # load balancer controller when using `metallb` that IP must fall within the # address range you provide below. If you are using `kube_vip` you do not # have this limitation. 
@@ -105,7 +105,7 @@ control_plane_ssh_key_name : "cp_ssh" # NOTE: There are no quotes around the label and taint elements # These are literal converted to strings when applying # into the cluster -# +# ## Labels node_labels: diff --git a/examples/vsphere/sample-terraform-dhcp.tfvars b/examples/vsphere/sample-terraform-dhcp.tfvars index 1fed95a..a3a2857 100644 --- a/examples/vsphere/sample-terraform-dhcp.tfvars +++ b/examples/vsphere/sample-terraform-dhcp.tfvars @@ -7,7 +7,6 @@ netmask = "" # Network interface netmask # vSphere vsphere_server = "" # Name of the vSphere server -vsphere_cluster = "" # Name of the vSphere cluster vsphere_datacenter = "" # Name of the vSphere data center vsphere_datastore = "" # Name of the vSphere data store to use for the VMs vsphere_resource_pool = "" # Name of the vSphere resource pool to use for the VMs diff --git a/examples/vsphere/sample-terraform-minimal.tfvars b/examples/vsphere/sample-terraform-minimal.tfvars index b061604..836e967 100644 --- a/examples/vsphere/sample-terraform-minimal.tfvars +++ b/examples/vsphere/sample-terraform-minimal.tfvars @@ -7,7 +7,6 @@ netmask = "" # Network interface netmask # vSphere vsphere_server = "" # Name of the vSphere server -vsphere_cluster = "" # Name of the vSphere cluster vsphere_datacenter = "" # Name of the vSphere data center vsphere_datastore = "" # Name of the vSphere data store to use for the VMs vsphere_resource_pool = "" # Name of the vSphere resource pool to use for the VMs diff --git a/examples/vsphere/sample-terraform-static-ips.tfvars b/examples/vsphere/sample-terraform-static-ips.tfvars index 265c47b..f522688 100644 --- a/examples/vsphere/sample-terraform-static-ips.tfvars +++ b/examples/vsphere/sample-terraform-static-ips.tfvars 
@@ -7,7 +7,6 @@ netmask = "" # Network interface netmask # vSphere vsphere_server = "" # Name of the vSphere server -vsphere_cluster = "" # Name of the vSphere cluster vsphere_datacenter = "" # Name of the vSphere data center vsphere_datastore = "" # Name of the vSphere data store to use for the VMs vsphere_resource_pool = "" # Name of the vSphere resource pool to use for the VMs diff --git a/examples/vsphere/sample-terraform-static-singlestore.tfvars b/examples/vsphere/sample-terraform-static-singlestore.tfvars index babbc86..942dd68 100644 --- a/examples/vsphere/sample-terraform-static-singlestore.tfvars +++ b/examples/vsphere/sample-terraform-static-singlestore.tfvars @@ -7,7 +7,6 @@ netmask = "" # Network interface netmask # vSphere vsphere_server = "" # Name of the vSphere server -vsphere_cluster = "" # Name of the vSphere cluster vsphere_datacenter = "" # Name of the vSphere data center vsphere_datastore = "" # Name of the vSphere data store to use for the VMs vsphere_resource_pool = "" # Name of the vSphere resource pool to use for the VMs diff --git a/examples/vsphere/sample-terraform-vi.tfvars b/examples/vsphere/sample-terraform-vi.tfvars index 4044733..e881338 100644 --- a/examples/vsphere/sample-terraform-vi.tfvars +++ b/examples/vsphere/sample-terraform-vi.tfvars @@ -7,7 +7,6 @@ netmask = "" # Network interface netmask # vSphere vsphere_server = "" # Name of the vSphere server -vsphere_cluster = "" # Name of the vSphere cluster vsphere_datacenter = "" # Name of the vSphere data center vsphere_datastore = "" # Name of the vSphere data store to use for the VMs vsphere_resource_pool = "" # Name of the vSphere resource pool to use for the VMs diff --git a/linting-configs/.ansible-lint b/linting-configs/.ansible-lint new file mode 100644 index 0000000..fe4c436 --- /dev/null +++ b/linting-configs/.ansible-lint 
@@ -0,0 +1,50 @@ +--- +# .ansible-lint + +profile: moderate +verbosity: 1 +strict: true + +# Enforce variable names to follow pattern below, in addition to Ansible own +# requirements, like avoiding python identifiers. To disable add `var-naming` +# to skip_list. +var_naming_pattern: ^[a-zA-Z0-9_]*$ + +use_default_rules: true + +# Ansible-lint is able to recognize and load skip rules stored inside +# `.ansible-lint-ignore` (or `.config/ansible-lint-ignore.txt`) files. +# To skip a rule just enter filename and tag, like "playbook.yml package-latest" +# on a new line. +skip_list: + - role-name # roles are dynamically selected based on user's choice so we do need to use paths + - yaml[line-length] # it's easier to understand/debug the underlying command when it's not broken up, excessively long lines that make sense to split up should be caught during code review, + - name[template] # task name is being templated, this can be ignored + - command-instead-of-shell # shell should only be used when necessary, swap to command TODO future update requires functionality change + - command-instead-of-module # there are some cases where command calls could be replaced with modules TODO future update requires functionality change + - deprecated-module # In future look for suitable replacement TODO future update requires functionality change + +# Ansible-lint does not automatically load rules that have the 'opt-in' tag. +# You must enable opt-in rules by listing each rule 'id' below. +enable_list: + - args + - empty-string-compare + - no-log-password + - no-same-owner + - yaml + +# exclude_paths included in this file are parsed relative to this file's location +# and not relative to the CWD of execution. CLI arguments passed to the --exclude +# option are parsed relative to the CWD of execution. 
+exclude_paths: + - examples/bare-metal/sample-ansible-vars.yaml # ignore this file, spacing is done for doc purposes + +# Offline mode disables installation of requirements.yml and schema refreshing +offline: false + +# Define required Ansible's variables to satisfy syntax check +extra_vars: + kubernetes_cri: containerd + kubernetes_cni: calico + kubernetes_loadbalancer: kube_vip + deployment_type: vsphere diff --git a/linting-configs/.hadolint.yaml b/linting-configs/.hadolint.yaml new file mode 100644 index 0000000..0a15954 --- /dev/null +++ b/linting-configs/.hadolint.yaml @@ -0,0 +1,3 @@ +ignored: + - DL3008 # Specify version with apt-get install -y = : https://github.com/hadolint/hadolint/wiki/DL3008 + - DL3015 # Require --no-install-recommends to get all required packages for sshpass diff --git a/linting-configs/.shellcheckrc b/linting-configs/.shellcheckrc new file mode 100644 index 0000000..67584a8 --- /dev/null +++ b/linting-configs/.shellcheckrc @@ -0,0 +1,6 @@ +# Review 'man shellcheck' section 'RC FILES' for instructions on adding directives. + +# Allow using `which` since it gives full paths and is common enough +# https://github.com/koalaman/shellcheck/wiki/SC2230 +# https://www.shellcheck.net/wiki/SC2068 we split the string back into an array +disable=SC2230,SC2068 diff --git a/linting-configs/.tflint.hcl b/linting-configs/.tflint.hcl new file mode 100644 index 0000000..337cfd6 --- /dev/null +++ b/linting-configs/.tflint.hcl 
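Review bot: The DL3015 ignore is justified by sshpass needing recommended packages, yet the `Dockerfile` hunks in this same patch add `--no-install-recommends` to every `apt-get install` they touch; if an sshpass install elsewhere in the Dockerfile (not visible in this patch) is the one exception, name that instruction in the comment, otherwise the ignore can be dropped now that the rule would pass. Ignoring DL3008 repository-wide means apt package versions are never pinned and image builds are not reproducible; if pinning is deliberately not wanted, the comment should give that reason rather than restate the rule. The text `# Specify version with apt-get install -y = :` reads as a truncated rule title — `# DL3008: pin package versions in apt-get install; see …` is clearer.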
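Review bot: `disable=SC2068` in the new `.shellcheckrc` turns off the unquoted-array-expansion check for every script in the repository, while the comment justifies it for one site ("we split the string back into an array"); unquoted `$@` / `${arr[@]}` is precisely the pattern that re-splits and glob-expands caller-supplied arguments, so a repository-wide disable hides every future instance. Keep the rc file to `disable=SC2230` and put `# shellcheck disable=SC2068` with that justification on the specific line that needs it. The same applies in spirit to SC2230: a comment naming the script(s) that rely on `which` makes the exception reviewable later.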
@@ -0,0 +1,27 @@ +# For more information on configuring TFlint; see https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/config.md + +# For more information on plugins see https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md + +# For more information on TFlint Ruleset for Terraform; see https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.3.0/docs/rules/README.md + +# For more information on TFlint Ruleset for GCP, see https://github.com/terraform-linters/tflint-ruleset-google/blob/master/README.md + +config { + # Enables module inspection. + module = true +} + +plugin "terraform" { + enabled = true + preset = "recommended" +} + +# We specify the versions and providers in the top level versions.tf. +# This stops it from throwing a warning when scanning our modules +# in ./modules +rule "terraform_required_version" { + enabled = false +} +rule "terraform_required_providers" { + enabled = false +} diff --git a/locals.tf b/locals.tf index 5953478..719e405 100644 --- a/locals.tf +++ b/locals.tf @@ -18,8 +18,8 @@ locals { control_plane_ips = flatten(sort(flatten([for item in values(module.control_plane) : values(item)]))) ## System nodes - system_nodes = local.node_pools == null ? {} : { for k, v in local.node_pools : k => v if k == "system" } - system_node_ips = flatten(sort(flatten([for item in values(module.system) : values(item)]))) + system_nodes = local.node_pools == null ? {} : { for k, v in local.node_pools : k => v if k == "system" } + # system_node_ips = flatten(sort(flatten([for item in values(module.system) : values(item)]))) not used, ref for future use ## Nodes nodes = local.node_pools == null ? {} : { for k, v in local.node_pools : k => v if(k != "control_plane" && k != "system") } diff --git a/main.tf b/main.tf index e8a2811..bdb1955 100644 --- a/main.tf +++ b/main.tf 
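Review bot: `config { module = true }` is the older spelling of the module-inspection switch; with the workflow installing `tflint_version: latest`, newer TFLint releases flag it as deprecated in favour of `call_module_type = "all"` and a later release may stop accepting it — worth confirming against the version the job actually installs and pinning accordingly. The header comment points readers at the GCP ruleset documentation, but the file enables only the `terraform` plugin and this project targets vSphere, so that line looks copied from another repository and should be removed or replaced with a pointer to the ruleset actually in use. The rationale for disabling `terraform_required_version` and `terraform_required_providers` says these are declared in a top-level `versions.tf`, which this patch does not touch; naming that file's path in the comment lets a reviewer verify the claim.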
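Review bot: Commenting out `system_node_ips` with the trailing note "not used, ref for future use" keeps dead code in `locals.tf`; git history already preserves the expression, so deleting the line (or, if an unused-declaration lint finding was the trigger, saying so in a comment) is cleaner. If the value is expected back soon, a `# TODO(<ticket>): restore system_node_ips when …` reference to a tracked item is more useful than the inline aside. The `locals` block continues outside the hunk.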
@@ -172,7 +172,6 @@ module "postgresql" { datacenter_id = data.vsphere_datacenter.dc.id template = var.vsphere_template cluster_domain = var.cluster_domain - cluster_name = local.cluster_name dns_servers = var.dns_servers netmask = var.netmask gateway = var.gateway diff --git a/modules/server/main.tf b/modules/server/main.tf index 8079e83..a2df3a2 100644 --- a/modules/server/main.tf +++ b/modules/server/main.tf @@ -37,7 +37,7 @@ resource "vsphere_virtual_machine" "server" { disk { label = "disk0" size = var.disk_size - thin_provisioned = data.vsphere_virtual_machine.template.disks.0.thin_provisioned + thin_provisioned = data.vsphere_virtual_machine.template.disks[0].thin_provisioned } clone { diff --git a/modules/server/variables.tf b/modules/server/variables.tf index 60741c4..8e5abe9 100644 --- a/modules/server/variables.tf +++ b/modules/server/variables.tf @@ -25,10 +25,6 @@ variable "cluster_domain" { type = string } -variable "cluster_name" { - type = string -} - variable "datacenter_id" { type = string } diff --git a/modules/vm/main.tf b/modules/vm/main.tf index dc845cf..3b4ca6d 100644 --- a/modules/vm/main.tf +++ b/modules/vm/main.tf @@ -18,7 +18,7 @@ data "vsphere_virtual_machine" "template" { locals { static_config = (length(var.ip_addresses) > 0 ? true : false) - ip_addresses = local.static_config ? var.ip_addresses : vsphere_virtual_machine.dhcp.*.default_ip_address + ip_addresses = local.static_config ? var.ip_addresses : vsphere_virtual_machine.dhcp[*].default_ip_address } resource "vsphere_virtual_machine" "static" { @@ -43,7 +43,7 @@ resource "vsphere_virtual_machine" "static" { disk { label = "os-disk-01" size = var.disk_size - thin_provisioned = data.vsphere_virtual_machine.template.disks.0.thin_provisioned + thin_provisioned = data.vsphere_virtual_machine.template.disks[0].thin_provisioned unit_number = 0 } dynamic "disk" { 
@@ -99,7 +99,7 @@ resource "vsphere_virtual_machine" "dhcp" { disk { label = "os-disk-01" size = var.disk_size - thin_provisioned = data.vsphere_virtual_machine.template.disks.0.thin_provisioned + thin_provisioned = data.vsphere_virtual_machine.template.disks[0].thin_provisioned unit_number = 0 } dynamic "disk" { diff --git a/playbooks/kubernetes-install.yaml b/playbooks/kubernetes-install.yaml index 3ef9d83..80b40f9 100644 --- a/playbooks/kubernetes-install.yaml +++ b/playbooks/kubernetes-install.yaml @@ -9,6 +9,7 @@ # All systems - hosts: all + name: Kubernetes Setup - Common become: true become_user: root roles: @@ -16,6 +17,7 @@ # All kubernetes nodes - hosts: k8s + name: Kubernetes Setup - Nodes become: true become_user: root roles: @@ -24,6 +26,7 @@ # Primary control plane node - hosts: k8s_control_plane[0] + name: Kubernetes Setup - Primary Control Plane Node become: true become_user: root roles: @@ -33,11 +36,13 @@ # Secure kubernetes items - hosts: localhost + name: Kubernetes Setup - Secure Kubernetes Items roles: - { role: kubernetes/misc } # Secondary control plane nodes - hosts: k8s_control_plane[1:] + name: Kubernetes Setup - Secondary Control Plane Nodes become: true become_user: root roles: @@ -46,6 +51,7 @@ # Compute nodes - hosts: k8s_node + name: Kubernetes Setup - Compute Nodes become: true become_user: root roles: @@ -54,6 +60,7 @@ # Kubernetes loadbalancer - hosts: k8s_control_plane[0] + name: Kubernetes Setup - Load Balancer become: true become_user: root roles: @@ -61,6 +68,7 @@ # Label/Taint Kubernetes nodes - hosts: k8s + name: Kubernetes Setup - Labels and Taints become: true become_user: root roles: 
@@ -68,14 +76,16 @@ # Alter PostgreSQL server and add PostgreSQL databases - hosts: postgres + name: Postgres Setup - Configuration become: true - become_user: postgres + become_user: postgres roles: - { role: kubernetes/database/postgres/alter_server_settings } - { role: kubernetes/database/postgres/create_databases } # Restart PostgreSQL server - hosts: postgres + name: Postgres Setup - Restart become: true become_user: root roles: @@ -83,16 +93,19 @@ # Setup default storage class for cluster - hosts: localhost + name: Default Storage Class Setup roles: - { role: kubernetes/storage/sig-storage-local-static-provisioner } - { role: kubernetes/storage/nfs-subdir-external-provisioner } # Setup metrics-server for cluster - hosts: localhost + name: Metrics Server Setup roles: - { role: kubernetes/metrics/metrics-server } # Misc cluster related items - hosts: localhost + name: Setup - Misc roles: - { role: kubernetes/sas-iac-buildinfo } diff --git a/playbooks/kubernetes-uninstall.yaml b/playbooks/kubernetes-uninstall.yaml index 07c8243..3051f31 100644 --- a/playbooks/kubernetes-uninstall.yaml +++ b/playbooks/kubernetes-uninstall.yaml @@ -4,6 +4,7 @@ --- # Compute nodes - hosts: k8s_node + name: Kubernetes Uninstall - Compute Nodes become: true become_user: root serial: 1 @@ -12,6 +13,7 @@ # Control plane - hosts: k8s_control_plane + name: Kubernetes Uninstall - Control Plane become: true become_user: root roles: @@ -19,6 +21,7 @@ # Clean up toolbox items - hosts: k8s + name: Kubernetes Uninstall - Toolbox Items become: true become_user: root roles: diff --git a/playbooks/systems-install.yaml b/playbooks/systems-install.yaml index 5a1f81c..a1b2f4e 100644 --- a/playbooks/systems-install.yaml +++ b/playbooks/systems-install.yaml @@ -4,6 +4,7 @@ --- # Tasks that run on all nodes for initialization and common tasks - hosts: all + name: Systems Install - Common become: true become_user: root roles: 
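Review bot: The play added at the top of `systems-install.yaml` is named `Systems Install - Common`, while every play named in the following hunks of the same file (`@@ -12`, `@@ -19`, `@@ -26`, `@@ -33`, `@@ -40`, `@@ -47`) uses the singular `System Install - …`; pick one prefix, e.g. `name: System Install - Common`, so `ansible-playbook` output and `--list-tasks` read and grep consistently. In the same file the `- hosts: cr` play is named `System Install - CR` although the comment above it says "Container Registry Server"; spelling out `Container Registry` matches the style of the other names. The `kubernetes-install.yaml` hunk here names its last play `Setup - Misc`, the only one without a `Kubernetes`/`Postgres` subject prefix; `Kubernetes Setup - Misc` would keep the pattern.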
@@ -12,6 +13,7 @@ # NFS Server - hosts: nfs + name: System Install - NFS Server become: true become_user: root roles: @@ -19,6 +21,7 @@ # Jump Server - hosts: jump + name: System Install - Jump Server become: true become_user: root roles: @@ -26,6 +29,7 @@ # Postgres Server - hosts: postgres + name: System Install - Postgres Server become: true become_user: root roles: @@ -33,6 +37,7 @@ # Container Registry Server - hosts: cr + name: System Install - CR become: true become_user: root roles: @@ -40,6 +45,7 @@ # Kubernetes - Control Plane - hosts: k8s_control_plane + name: System Install - Control Plane become: true become_user: root roles: @@ -47,6 +53,7 @@ # Kubernetes - Compute nodes - hosts: k8s_node + name: System Install - Compute Nodes become: true become_user: root roles: diff --git a/roles/kubernetes/common/defaults/main.yaml b/roles/kubernetes/common/defaults/main.yaml index 4cbf14b..40b3b4e 100644 --- a/roles/kubernetes/common/defaults/main.yaml +++ b/roles/kubernetes/common/defaults/main.yaml @@ -1,4 +1,5 @@ # Copyright © 2022-2023, SAS Institute Inc., Cary, NC, USA. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 +--- helm_version: 3.12.0 diff --git a/roles/kubernetes/common/tasks/main.yaml b/roles/kubernetes/common/tasks/main.yaml index 4489498..26974fd 100644 --- a/roles/kubernetes/common/tasks/main.yaml +++ b/roles/kubernetes/common/tasks/main.yaml @@ -30,7 +30,7 @@ ansible.builtin.package: name: '*' state: latest - update_cache: yes # Proxied command for apt : apt-get update + update_cache: true # Proxied command for apt : apt-get update when: - ansible_distribution == "Ubuntu" and (ansible_distribution_version == "20.04" or ansible_distribution_version == "22.04") - deployment_type == "bare_metal" 
@@ -39,11 +39,16 @@ - update - name: Enable cgroup v2 # https://rootlesscontaine.rs/getting-started/common/cgroup2/#enabling-cgroup-v2 + vars: + option: systemd.unified_cgroup_hierarchy + value: "1" + tags: + - install block: - name: Retrieve contents of /etc/default/grub ansible.builtin.shell: cat /etc/default/grub register: grub_content - changed_when: False + changed_when: false - name: Retrieve existing GRUB_CMDLINE_LINUX options, if any set_fact: @@ -65,33 +70,28 @@ line: 'GRUB_CMDLINE_LINUX="{{ grub_cmdline_updated }}"' owner: root group: root - mode: '0644' + mode: "0644" - name: Update GRUB ansible.builtin.command: update-grub - vars: - option: systemd.unified_cgroup_hierarchy - value: "1" - tags: - - install - name: Enable CPU, CPUSET, and I/O delegation for non-root users - block: - - name: mkdir for user@.service.d - ansible.builtin.file: - path: /etc/systemd/system/user@.service.d - state: directory - mode: '0755' - - name: Adding delegation - ansible.builtin.copy: - dest: /etc/systemd/system/user@.service.d/delegate.conf - content: | - [Service] - Delegate=cpu cpuset io memory pids tags: - install - update - + block: + - name: Run mkdir for user@.service.d + ansible.builtin.file: + path: /etc/systemd/system/user@.service.d + state: directory + mode: '0755' + - name: Adding delegation + ansible.builtin.copy: + dest: /etc/systemd/system/user@.service.d/delegate.conf + content: | + [Service] + Delegate=cpu cpuset io memory pids + # - name: Disable the firewalld - for RHEL based operating systems # systemd: # name: firewalld @@ -115,7 +115,7 @@ # ansible_python_interpreter: /usr/bin/python3 # tags: # - install - + - name: Adding SAS certs become: true ansible.builtin.shell: | 
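Review bot: Inside the re-indented `Enable CPU, CPUSET, and I/O delegation for non-root users` block the new side keeps `mode: '0755'`, while the same hunk changes `mode: '0644'` to `mode: "0644"` a few lines above, so the file now mixes both quoting styles for octal modes; use `mode: "0755"` to match. The grub step reads the file with `ansible.builtin.shell: cat /etc/default/grub` plus `changed_when: false`; `ansible.builtin.slurp` returns the same content without spawning a shell and is exactly the case the new `.ansible-lint` `command-instead-of-module` skip is papering over. `set_fact` on the `Retrieve existing GRUB_CMDLINE_LINUX options, if any` task is the only non-FQCN action in this hunk; `ansible.builtin.set_fact` keeps it consistent with the rest of the file.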
@@ -134,16 +134,16 @@ state: present vars: packages: - - sshpass + - sshpass tags: - install - update - name: Installing helm ansible.builtin.shell: | - curl -ksLO https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 - chmod 755 get-helm-3 - ./get-helm-3 --version v{{ helm_version }} --no-sudo + curl -ksLO https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 + chmod 755 get-helm-3 + ./get-helm-3 --version v{{ helm_version }} --no-sudo tags: - install - update @@ -152,7 +152,7 @@ ansible.builtin.lineinfile: path: /etc/security/limits.conf insertbefore: '^# End of file' - line: "{{ item }}" + line: "{{ item }}" with_items: - '' - '* soft nproc 65535' diff --git a/roles/kubernetes/control_plane/init/primary/defaults/main.yaml b/roles/kubernetes/control_plane/init/primary/defaults/main.yaml index 6c2d9f8..f3683c0 100644 --- a/roles/kubernetes/control_plane/init/primary/defaults/main.yaml +++ b/roles/kubernetes/control_plane/init/primary/defaults/main.yaml @@ -1,5 +1,6 @@ # Copyright © 2022-2023, SAS Institute Inc., Cary, NC, USA. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 +--- kubernetes_pod_subnet: 10.42.0.0/16 kubernetes_service_subnet: 10.43.0.0/16 diff --git a/roles/kubernetes/control_plane/init/primary/tasks/main.yaml b/roles/kubernetes/control_plane/init/primary/tasks/main.yaml index 963cc2c..b9ede3f 100644 --- a/roles/kubernetes/control_plane/init/primary/tasks/main.yaml +++ b/roles/kubernetes/control_plane/init/primary/tasks/main.yaml @@ -6,7 +6,7 @@ ansible.builtin.template: src: "templates/{{ item }}.j2" dest: "/etc/kubernetes/{{ item }}.yaml" - mode: '0600' + mode: "0600" with_items: - kubeadm-config tags: @@ -14,7 +14,7 @@ - update # TODO: pod-network-cidr can conflict locally check with IT to ensure correct range. -- name: kubeadm init +- name: Run kubeadm init ansible.builtin.command: kubeadm init --config /etc/kubernetes/kubeadm-config.yaml --upload-certs tags: - install 
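Review bot: The re-indented `Installing helm` script on the new side still runs `curl -ksLO https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3` and then executes the result with `--no-sudo`, under a play that (per `kubernetes-install.yaml` in this patch) escalates to root: `-k` disables certificate verification, so the installer is fetched over an unauthenticated connection and run unchecked, and `-s` without `-f` turns an HTTP error page into the "script"; change it to `curl -fsSLO https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3`. Fetching from `main` also means the installer changes under you between runs; reference a tagged revision of the script or verify a checksum before the `chmod 755`. The identical `curl -ksLO … get-helm-3` line appears in the `Dockerfile` hunk `@@ -14,13 +14,14 @@` of this patch and should be fixed together with this one.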
@@ -23,7 +23,7 @@ ansible.builtin.file: path: ~/.kube state: directory - mode: '0755' + mode: "0755" tags: - install @@ -41,8 +41,8 @@ dest: ~/.kube/config owner: root group: root - mode: '0600' - remote_src: yes + mode: "0600" + remote_src: true tags: - install @@ -50,6 +50,6 @@ ansible.builtin.fetch: src: /etc/kubernetes/admin.conf dest: "{{ inventory_dir }}/{{ kubernetes_cluster_name }}-kubeconfig.conf" - flat: yes + flat: true tags: - install diff --git a/roles/kubernetes/control_plane/init/secondary/tasks/main.yaml b/roles/kubernetes/control_plane/init/secondary/tasks/main.yaml index 6c77294..cbceb0d 100644 --- a/roles/kubernetes/control_plane/init/secondary/tasks/main.yaml +++ b/roles/kubernetes/control_plane/init/secondary/tasks/main.yaml @@ -6,7 +6,7 @@ ansible.builtin.file: path: /etc/kubernetes/{{ item }} state: directory - mode: '0755' + mode: "0755" owner: root group: root with_items: @@ -17,10 +17,10 @@ - update - name: Copy Kubernetes primary control plane PKI files to secondary control plane k8s_nodes - ansible.posix.synchronize: + ansible.posix.synchronize: src: /etc/kubernetes/pki/{{ item }} dest: /etc/kubernetes/pki/{{ item }} - delegate_to: "{{groups['k8s_control_plane'][0]}}" + delegate_to: "{{ groups['k8s_control_plane'][0] }}" with_items: - ca.crt - ca.key @@ -36,7 +36,7 @@ - name: Generate control plane join command ansible.builtin.shell: kubeadm token create --print-join-command register: kubeadm_join_cmd - delegate_to: "{{groups['k8s_control_plane'][0]}}" + delegate_to: "{{ groups['k8s_control_plane'][0] }}" tags: - install diff --git a/roles/kubernetes/control_plane/removal/tasks/main.yaml b/roles/kubernetes/control_plane/removal/tasks/main.yaml index d8cf8b2..65732f5 100644 --- a/roles/kubernetes/control_plane/removal/tasks/main.yaml +++ b/roles/kubernetes/control_plane/removal/tasks/main.yaml 
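Review bot: The `flat: true` fetch of `/etc/kubernetes/admin.conf` into `{{ inventory_dir }}/{{ kubernetes_cluster_name }}-kubeconfig.conf` writes a cluster-admin credential onto the controller with whatever permissions the local umask grants; `ansible.builtin.fetch` has no `mode` parameter, so either a follow-up `ansible.builtin.file` task with `mode: "0600"` delegated to `localhost`, or a comment stating that the inventory directory is already access-restricted, is warranted. A one-line comment above the task naming what the file is (the cluster-admin kubeconfig) would also tell the next reader why its destination matters.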
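Review bot: The `Generate control plane join command` task registers the output of `kubeadm token create --print-join-command` in `kubeadm_join_cmd`, and only the `delegate_to` spacing changes here; that output contains a freshly minted bootstrap token, and a registered result is printed in full on any `-v` run or task failure. Add `no_log: true` to the task, and since no pipes or expansions are used, `ansible.builtin.command` would replace `shell` here without the `.ansible-lint` skips this commit adds. Bootstrap tokens default to a 24-hour TTL; passing a short `--ttl` bounds how long the token remains usable after the secondary nodes have joined.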
@@ -1,8 +1,9 @@ # Copyright © 2022-2023, SAS Institute Inc., Cary, NC, USA. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 +--- - name: Cleaning up the control plane ansible.builtin.shell: | kubeadm reset --force tags: - uninstall + - uninstall diff --git a/roles/kubernetes/cri/containerd/defaults/main.yaml b/roles/kubernetes/cri/containerd/defaults/main.yaml index af76b0f..42067ea 100644 --- a/roles/kubernetes/cri/containerd/defaults/main.yaml +++ b/roles/kubernetes/cri/containerd/defaults/main.yaml @@ -1,6 +1,7 @@ # Copyright © 2022-2023, SAS Institute Inc., Cary, NC, USA. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 +--- # Allows users to overwrite containerd version # Set as an empty string to use the latest upstream version # diff --git a/roles/kubernetes/cri/containerd/tasks/main.yaml b/roles/kubernetes/cri/containerd/tasks/main.yaml index 3b3cbd6..cbe3da3 100644 --- a/roles/kubernetes/cri/containerd/tasks/main.yaml +++ b/roles/kubernetes/cri/containerd/tasks/main.yaml @@ -11,17 +11,17 @@ # Task to Remove existing containerd installations - name: Uninstall old Docker/Containerd versions - ansible.builtin.package: + ansible.builtin.package: name: "{{ packages }}" state: absent vars: packages: - - docker - - docker-engine - - docker.io - - containerd - - containerd.io - - runc + - docker + - docker-engine + - docker.io + - containerd + - containerd.io + - runc ignore_errors: true tags: - install 
@@ -33,17 +33,17 @@ state: present vars: packages: - - apt-transport-https # Also needed for kubeadm tooling - - ca-certificates # Also needed for kubeadm tooling - - curl # Also needed for kubeadm tooling - - gnupg2 - - lsb-release - - software-properties-common + - apt-transport-https # Also needed for kubeadm tooling + - ca-certificates # Also needed for kubeadm tooling + - curl # Also needed for kubeadm tooling + - gnupg2 + - lsb-release + - software-properties-common tags: - install - update -# +# # containerd - https://kubernetes.io/docs/setup/production-environment/container-runtimes/#containerd # - name: Add module load file for containerd @@ -102,7 +102,7 @@ - install - update -- name: set containerd.io package debian revision if not specified +- name: Set containerd.io package debian revision if not specified set_fact: kubernetes_cri_deb_rev: "-*" when: kubernetes_cri_version | regex_search("^(\d+\.)(\d+\.)(\d+)$") @@ -116,7 +116,7 @@ state: present vars: packages: - - "containerd.io{% if kubernetes_cri_version is defined and kubernetes_cri_version %}={{kubernetes_cri_version}}{{kubernetes_cri_deb_rev}}{%endif%}" + - "containerd.io{% if kubernetes_cri_version is defined and kubernetes_cri_version %}={{ kubernetes_cri_version }}{{ kubernetes_cri_deb_rev }}{%endif %}" when: ansible_distribution == "Ubuntu" and (ansible_distribution_version == "20.04" or ansible_distribution_version == "22.04") tags: - install @@ -142,7 +142,7 @@ ansible.builtin.file: path: /etc/containerd state: directory - mode: '0755' + mode: "0755" tags: - install - update @@ -168,7 +168,7 @@ # path: /etc/containerd/config.toml # regexp: '(^\[metrics\][\s\S]*)\[plugins\]' # replace: |- -# [metrics] +# [metrics] # address = "0.0.0.0:10257" # grpc_histogram = true @@ -180,7 +180,7 @@ - name: Enabling and starting containerd to start now and on boot ansible.builtin.systemd: name: containerd.service - enabled: yes + enabled: true state: restarted tags: - install 
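Review bot: The renamed task in the `@@ -102` hunk (`Set containerd.io package debian revision if not specified`) still uses a bare `set_fact:` while every other module in this file is fully qualified, so ansible-lint's `fqcn` rule will report it unless the new `.ansible-lint` config skips that rule; change it to `ansible.builtin.set_fact:`. The same bare `set_fact:` remains in `Set kubernetes version facts for crictl` in `roles/kubernetes/toolbox/tasks/main.yaml`. In the `@@ -116` hunk the rewritten package spec fixes the `{{ }}` spacing but leaves `{%endif %}` asymmetric; `{% endif %}` matches the opening `{% if ... %}` and is what the `jinja[spacing]` rule expects.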
diff --git a/roles/kubernetes/cri/cri-o/tasks/main.yaml b/roles/kubernetes/cri/cri-o/tasks/main.yaml index c84e354..81b9174 100644 --- a/roles/kubernetes/cri/cri-o/tasks/main.yaml +++ b/roles/kubernetes/cri/cri-o/tasks/main.yaml @@ -16,12 +16,12 @@ state: present vars: packages: - - apt-transport-https # Also needed for kubeadm tooling - - ca-certificates # Also needed for kubeadm tooling - - curl # Also needed for kubeadm tooling - - gnupg2 - - lsb-release - - software-properties-common + - apt-transport-https # Also needed for kubeadm tooling + - ca-certificates # Also needed for kubeadm tooling + - curl # Also needed for kubeadm tooling + - gnupg2 + - lsb-release + - software-properties-common tags: - install - update @@ -44,7 +44,7 @@ tags: - install - update - + - name: Installing the cri-o libcontainers-archive-keyring key ansible.builtin.apt_key: url: https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/{{ os }}/Release.key @@ -57,7 +57,7 @@ - name: Installing the cri-o libcontainers-crio-archive-keyring key ansible.builtin.apt_key: - url: https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/{{ k8s_major_version}}.{{ k8s_minor_version }}/{{ os }}/Release.key + url: https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/{{ k8s_major_version }}.{{ k8s_minor_version }}/{{ os }}/Release.key keyring: /usr/share/keyrings/libcontainers-crio-archive-keyring.gpg state: present when: ansible_distribution == "Ubuntu" and (ansible_distribution_version == "20.04" or ansible_distribution_version == "22.04") 
@@ -71,14 +71,14 @@ repo: "{{ item }}" state: present with_items: - - deb [signed-by=/usr/share/keyrings/libcontainers-archive-keyring.gpg] https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/{{ os }}/ / - - deb [signed-by=/usr/share/keyrings/libcontainers-crio-archive-keyring.gpg] https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/{{ k8s_major_version }}.{{ k8s_minor_version }}/{{ os }}/ / + - deb [signed-by=/usr/share/keyrings/libcontainers-archive-keyring.gpg] https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/{{ os }}/ / + - deb [signed-by=/usr/share/keyrings/libcontainers-crio-archive-keyring.gpg] https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/{{ k8s_major_version }}.{{ k8s_minor_version }}/{{ os }}/ / when: ansible_distribution == "Ubuntu" and (ansible_distribution_version == "20.04" or ansible_distribution_version == "22.04") tags: - install - update -# +# # cri-o - https://kubernetes.io/docs/setup/production-environment/container-runtimes/#cri-o # - name: Add module load file for cri-o @@ -125,8 +125,8 @@ state: present vars: packages: - - cri-o - - cri-o-runc + - cri-o + - cri-o-runc when: ansible_distribution == "Ubuntu" and (ansible_distribution_version == "20.04" or ansible_distribution_version == "22.04") tags: - install @@ -143,7 +143,7 @@ ansible.builtin.copy: src: files/10-cri-ipv4-bridge.conf dest: /etc/cni/net.d/10-cri-ipv4-bridge.conf - mode: '0644' + mode: "0644" tags: - install - update @@ -151,7 +151,7 @@ - name: Enabling and starting cri-o to start now and on boot ansible.builtin.systemd: name: cri-o.service - enabled: yes + enabled: true state: restarted tags: - install diff --git a/roles/kubernetes/cri/docker/tasks/main.yaml b/roles/kubernetes/cri/docker/tasks/main.yaml index 33bb052..c9d298d 100644 --- a/roles/kubernetes/cri/docker/tasks/main.yaml +++ b/roles/kubernetes/cri/docker/tasks/main.yaml 
@@ -12,16 +12,16 @@ # Task to Remove existing Docker installations - name: Uninstall old Docker versions - ansible.builtin.package: + ansible.builtin.package: name: "{{ packages }}" state: absent vars: packages: - - docker - - docker-engine - - docker.io - - containerd - - runc + - docker + - docker-engine + - docker.io + - containerd + - runc ignore_errors: true tags: - install @@ -33,11 +33,11 @@ state: present vars: packages: - - apt-transport-https # Also needed for kubeadm tooling - - ca-certificates # Also needed for kubeadm tooling - - curl # Also needed for kubeadm tooling - - gnupg - - lsb-release + - apt-transport-https # Also needed for kubeadm tooling + - ca-certificates # Also needed for kubeadm tooling + - curl # Also needed for kubeadm tooling + - gnupg + - lsb-release tags: - install - update @@ -70,9 +70,9 @@ state: present vars: packages: - - docker-ce - - docker-ce-cli - - containerd.io + - docker-ce + - docker-ce-cli + - containerd.io tags: - install - update @@ -100,7 +100,7 @@ ansible.builtin.user: name: devops groups: docker - append: yes + append: true tags: - install - update @@ -109,7 +109,7 @@ - name: Setting up docker to start on boot ansible.builtin.systemd: name: docker.service - enabled: yes + enabled: true tags: - install - update @@ -117,12 +117,12 @@ - name: Setting up containerd to start on boot ansible.builtin.systemd: name: containerd.service - enabled: yes + enabled: true tags: - install - update -# +# # containerd - https://kubernetes.io/docs/setup/production-environment/container-runtimes/#containerd # - name: Add module load file for containerd @@ -164,7 +164,7 @@ - name: Restart systemd ansible.builtin.systemd: - daemon_reload: yes + daemon_reload: true tags: - install - update diff --git a/roles/kubernetes/database/postgres/alter_server_settings/defaults/main.yaml b/roles/kubernetes/database/postgres/alter_server_settings/defaults/main.yaml index 91ef306..e3432aa 100644 
--- a/roles/kubernetes/database/postgres/alter_server_settings/defaults/main.yaml +++ b/roles/kubernetes/database/postgres/alter_server_settings/defaults/main.yaml @@ -1,6 +1,7 @@ # Copyright © 2022-2023, SAS Institute Inc., Cary, NC, USA. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 +--- # default PG System settings we will set if the user does # not define their own values postgres_system_setting_max_prepared_transactions: "1024" diff --git a/roles/kubernetes/database/postgres/alter_server_settings/tasks/main.yaml b/roles/kubernetes/database/postgres/alter_server_settings/tasks/main.yaml index c0ba285..bb02c25 100644 --- a/roles/kubernetes/database/postgres/alter_server_settings/tasks/main.yaml +++ b/roles/kubernetes/database/postgres/alter_server_settings/tasks/main.yaml @@ -13,7 +13,7 @@ # but noting that is an experimental feature - name: Update PostgreSQL server settings script ansible.builtin.shell: | - echo 'ALTER SYSTEM SET {{ item | replace("postgres_system_setting_","") }} = {{ vars[item] }};' >> /tmp/postgres_system.psql + echo 'ALTER SYSTEM SET {{ item | replace("postgres_system_setting_", "") }} = {{ vars[item] }};' >> /tmp/postgres_system.psql with_items: "{{ lookup('ansible.builtin.varnames', '^postgres_system_setting_.+', wantlist=True) }}" tags: - install diff --git a/roles/kubernetes/database/postgres/create_databases/tasks/main.yaml b/roles/kubernetes/database/postgres/create_databases/tasks/main.yaml index bfa7f03..465d05d 100644 --- a/roles/kubernetes/database/postgres/create_databases/tasks/main.yaml +++ b/roles/kubernetes/database/postgres/create_databases/tasks/main.yaml 
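Review bot: The rewritten `echo` line in the `@@ -13` hunk still interpolates `{{ vars[item] }}` unquoted into an `ALTER SYSTEM SET` statement and appends it with `>>` to the fixed path `/tmp/postgres_system.psql`, so any `postgres_system_setting_*` variable an operator defines becomes SQL text verbatim and the file grows on every run. Rendering the whole script once with `ansible.builtin.copy` (a `content:` built from the same `varnames` lookup, written with `mode: "0600"`) or into an `ansible.builtin.tempfile` path would make the task idempotent and keep the settings out of a shared, predictable `/tmp` location. As written the shell task also lacks `changed_when`, which the `no-changed-when` rule of the newly added ansible-lint will flag unless its skip list covers it.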
@@ -3,7 +3,7 @@ --- # TODO: Make "SharedServices" a variable -- name: Create SharedServices database +- name: Create SharedServices database ansible.builtin.shell: | echo 'CREATE DATABASE "SharedServices";' >> /tmp/postgres_databases.psql echo 'GRANT ALL PRIVILEGES ON DATABASE "SharedServices" TO {{ postgres_administrator_login }} ;' >> /tmp/postgres_databases.psql @@ -12,4 +12,3 @@ tags: - install - update - diff --git a/roles/kubernetes/loadbalancer/kube_vip/tasks/main.yaml b/roles/kubernetes/loadbalancer/kube_vip/tasks/main.yaml index 825a821..aae946e 100644 --- a/roles/kubernetes/loadbalancer/kube_vip/tasks/main.yaml +++ b/roles/kubernetes/loadbalancer/kube_vip/tasks/main.yaml @@ -3,6 +3,9 @@ --- - name: Setting up kube-vip loadbalancer + tags: + - install + - update block: - name: Install kube-vip Cloud Provider ansible.builtin.shell: | @@ -28,6 +31,3 @@ tags: - install - update - tags: - - install - - update diff --git a/roles/kubernetes/loadbalancer/metallb/defaults/main.yaml b/roles/kubernetes/loadbalancer/metallb/defaults/main.yaml index 420c938..fe199cf 100644 --- a/roles/kubernetes/loadbalancer/metallb/defaults/main.yaml +++ b/roles/kubernetes/loadbalancer/metallb/defaults/main.yaml @@ -1,6 +1,7 @@ # Copyright © 2022-2023, SAS Institute Inc., Cary, NC, USA. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 +--- ## sig-storage-local-static-provisioner METALLB_NAME: metallb METALLB_NAMESPACE: kube-system diff --git a/roles/kubernetes/loadbalancer/metallb/tasks/main.yaml b/roles/kubernetes/loadbalancer/metallb/tasks/main.yaml index de8a5fc..502c4bb 100644 --- a/roles/kubernetes/loadbalancer/metallb/tasks/main.yaml +++ b/roles/kubernetes/loadbalancer/metallb/tasks/main.yaml @@ -10,6 +10,9 @@ # Reference URL : https://docs.ansible.com/ansible/latest/inventory/implicit_localhost.html # - name: Setting up MetalLB loadbalancer + tags: + - install + - update block: - name: Installing metallb kubernetes.core.helm: 
@@ -34,7 +37,7 @@ - metallb-ip-ap tags: - install - - update + - update - name: Create MetalLB IPAddressPool file ansible.builtin.template: @@ -53,9 +56,6 @@ tags: - install - update - tags: - - install - - update - name: Remove MetalLB kubernetes.core.helm: diff --git a/roles/kubernetes/metrics/metrics-server/defaults/main.yaml b/roles/kubernetes/metrics/metrics-server/defaults/main.yaml index ffa1610..0194efe 100644 --- a/roles/kubernetes/metrics/metrics-server/defaults/main.yaml +++ b/roles/kubernetes/metrics/metrics-server/defaults/main.yaml @@ -1,6 +1,7 @@ # Copyright © 2022-2023, SAS Institute Inc., Cary, NC, USA. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 +--- ## Metrics-server METRICS_SERVER_NAME: metrics-server METRICS_SERVER_NAMESPACE: kube-system diff --git a/roles/kubernetes/misc/tasks/main.yaml b/roles/kubernetes/misc/tasks/main.yaml index 926d057..6c9ba4e 100644 --- a/roles/kubernetes/misc/tasks/main.yaml +++ b/roles/kubernetes/misc/tasks/main.yaml @@ -1,9 +1,10 @@ # Copyright © 2022-2023, SAS Institute Inc., Cary, NC, USA. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 +--- - name: Secure kube config file ansible.builtin.file: path: "{{ iac_inventory_dir }}/{{ kubernetes_cluster_name }}-kubeconfig.conf" - mode: '0600' + mode: "0600" tags: - install diff --git a/roles/kubernetes/node/baseline/tasks/main.yaml b/roles/kubernetes/node/baseline/tasks/main.yaml index d017441..7448845 100644 --- a/roles/kubernetes/node/baseline/tasks/main.yaml +++ b/roles/kubernetes/node/baseline/tasks/main.yaml @@ -17,7 +17,7 @@ - name: Start rpc-statd ansible.builtin.systemd: name: rpc-statd.service - enabled: yes + enabled: true state: started tags: - install @@ -38,7 +38,7 @@ state: directory owner: "{{ owner }}" group: "{{ group }}" - mode: 0777 + mode: "0777" ignore_errors: true tags: - install diff --git a/roles/kubernetes/node/init/tasks/main.yaml b/roles/kubernetes/node/init/tasks/main.yaml index 2b99d01..64927dd 100644 
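Review bot: In the `@@ -38` hunk of `roles/kubernetes/node/baseline/tasks/main.yaml`, quoting `mode: "0777"` correctly sidesteps the YAML octal trap, but the directory stays world-writable and the task runs with `ignore_errors: true`, so a failure to create or chmod it is silently skipped. If 0777 is required for the shared storage path, a comment stating the reason (e.g. `# world-writable on purpose: shared NFS path, clients map to nobody/nogroup`) would stop the next reviewer from tightening it; otherwise `"0775"` together with the `{{ owner }}`/`{{ group }}` already set is sufficient, and an explicit `failed_when` is more honest than `ignore_errors`. The same `mode: "0777"` pattern is kept in `roles/systems/bare_metal/init`, `roles/systems/jump_server` and `roles/systems/nfs_server` in this commit.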
--- a/roles/kubernetes/node/init/tasks/main.yaml +++ b/roles/kubernetes/node/init/tasks/main.yaml @@ -5,7 +5,7 @@ - name: Generate compute node join command ansible.builtin.shell: kubeadm token create --print-join-command register: kubeadm_join_cmd - delegate_to: "{{groups['k8s_control_plane'][0]}}" + delegate_to: "{{ groups['k8s_control_plane'][0] }}" tags: - install diff --git a/roles/kubernetes/node/labels_taints/roles/tasks/main.yaml b/roles/kubernetes/node/labels_taints/roles/tasks/main.yaml index 1dedf2c..a0fe7d8 100644 --- a/roles/kubernetes/node/labels_taints/roles/tasks/main.yaml +++ b/roles/kubernetes/node/labels_taints/roles/tasks/main.yaml @@ -5,7 +5,7 @@ - name: Label/Taints for cluster nodes ansible.builtin.shell: | kubectl label nodes {{ ansible_hostname }} node-role.kubernetes.io/node= --overwrite - delegate_to: "{{groups['k8s_control_plane'][0]}}" + delegate_to: "{{ groups['k8s_control_plane'][0] }}" tags: - install - update diff --git a/roles/kubernetes/node/labels_taints/system/tasks/main.yaml b/roles/kubernetes/node/labels_taints/system/tasks/main.yaml index 5bff056..3a3dc81 100644 --- a/roles/kubernetes/node/labels_taints/system/tasks/main.yaml +++ b/roles/kubernetes/node/labels_taints/system/tasks/main.yaml @@ -6,7 +6,7 @@ ansible.builtin.shell: | kubectl label nodes {{ ansible_hostname }} kubernetes.azure.com/mode=system --overwrite kubectl label nodes {{ ansible_hostname }} node-role.kubernetes.io/system-node= --overwrite - delegate_to: "{{groups['k8s_control_plane'][0]}}" + delegate_to: "{{ groups['k8s_control_plane'][0] }}" tags: - install - update diff --git a/roles/kubernetes/node/labels_taints/tasks/labels.yaml b/roles/kubernetes/node/labels_taints/tasks/labels.yaml index 66cbe54..3954464 100644 --- a/roles/kubernetes/node/labels_taints/tasks/labels.yaml +++ b/roles/kubernetes/node/labels_taints/tasks/labels.yaml 
@@ -4,11 +4,11 @@ --- - name: Applying labels ansible.builtin.shell: | - kubectl label nodes {{ ansible_hostname }} {{ label }} --overwrite + kubectl label nodes {{ ansible_hostname }} {{ label }} --overwrite with_items: "{{ labels }}" loop_control: loop_var: label - delegate_to: "{{groups['k8s_control_plane'][0]}}" + delegate_to: "{{ groups['k8s_control_plane'][0] }}" tags: - install - update diff --git a/roles/kubernetes/node/labels_taints/tasks/taints.yaml b/roles/kubernetes/node/labels_taints/tasks/taints.yaml index 660175c..48f778e 100644 --- a/roles/kubernetes/node/labels_taints/tasks/taints.yaml +++ b/roles/kubernetes/node/labels_taints/tasks/taints.yaml @@ -4,11 +4,11 @@ --- - name: Applying taints ansible.builtin.shell: | - kubectl taint nodes {{ ansible_hostname }} {{ taint }} --overwrite + kubectl taint nodes {{ ansible_hostname }} {{ taint }} --overwrite with_items: "{{ taints }}" loop_control: loop_var: taint - delegate_to: "{{groups['k8s_control_plane'][0]}}" + delegate_to: "{{ groups['k8s_control_plane'][0] }}" tags: - install - update diff --git a/roles/kubernetes/node/removal/tasks/main.yaml b/roles/kubernetes/node/removal/tasks/main.yaml index 8fdadc1..2747cd9 100644 --- a/roles/kubernetes/node/removal/tasks/main.yaml +++ b/roles/kubernetes/node/removal/tasks/main.yaml 
@@ -5,28 +5,28 @@ - name: Draining the node ansible.builtin.shell: | kubectl drain {{ ansible_hostname }} --delete-emptydir-data --force --ignore-daemonsets - delegate_to: "{{groups['k8s_control_plane'][0]}}" + delegate_to: "{{ groups['k8s_control_plane'][0] }}" ignore_errors: true tags: - uninstall + - uninstall - name: Resetting the state ansible.builtin.shell: | kubeadm reset --force ignore_errors: true tags: - uninstall + - uninstall - name: Clean up IPTables ansible.builtin.shell: | iptables -F && iptables -t nat -F && iptables -t mangle -F && iptables -X tags: - uninstall + - uninstall - name: Remove the node ansible.builtin.shell: | kubectl delete nodes {{ ansible_hostname }} - delegate_to: "{{groups['k8s_control_plane'][0]}}" + delegate_to: "{{ groups['k8s_control_plane'][0] }}" ignore_errors: true tags: - uninstall + - uninstall diff --git a/roles/kubernetes/sas-iac-buildinfo/tasks/main.yaml b/roles/kubernetes/sas-iac-buildinfo/tasks/main.yaml index c3e5e67..533b92e 100644 --- a/roles/kubernetes/sas-iac-buildinfo/tasks/main.yaml +++ b/roles/kubernetes/sas-iac-buildinfo/tasks/main.yaml 
@@ -13,39 +13,40 @@ # is handled externally and therefore will not # have this code applied. # -- block: - - name: Register Git HASH information - ansible.builtin.shell: | - cd "{{ k8s_tool_base }}" - "{{ k8s_tool_base }}/files/tools/iac_git_info.sh" - register: git_hash - tags: - - install - - update +- name: Setting up sas-iac-buildinfo + when: deployment_type == 'vsphere' + block: + - name: Register Git HASH information + ansible.builtin.shell: | + cd "{{ k8s_tool_base }}" + "{{ k8s_tool_base }}/files/tools/iac_git_info.sh" + register: git_hash + tags: + - install + - update - - name: Register IAC Tooling information - ansible.builtin.shell: | - cd "{{ k8s_tool_base }}" - "{{ k8s_tool_base }}/files/tools/iac_tooling_version.sh" - register: iac_tooling_version - tags: - - install - - update + - name: Register IAC Tooling information + ansible.builtin.shell: | + cd "{{ k8s_tool_base }}" + "{{ k8s_tool_base }}/files/tools/iac_tooling_version.sh" + register: iac_tooling_version + tags: + - install + - update - - name: Create the sas-iac-buildinfo ConfigMap manifest file - ansible.builtin.template: - src: "templates/sas-iac-buildinfo-cm.tmpl" - dest: "{{ iac_inventory_dir }}/sas-iac-buildinfo-cm.yaml" - mode: '0600' - tags: - - install - - update + - name: Create the sas-iac-buildinfo ConfigMap manifest file + ansible.builtin.template: + src: "templates/sas-iac-buildinfo-cm.tmpl" + dest: "{{ iac_inventory_dir }}/sas-iac-buildinfo-cm.yaml" + mode: "0600" + tags: + - install + - update - - name: Apply sas-iac-buildinfo ConfigMap into cluster - ansible.builtin.shell: | - export KUBECONFIG="{{ iac_inventory_dir }}/{{ kubernetes_cluster_name }}-kubeconfig.conf" - kubectl apply -f "{{ iac_inventory_dir }}/sas-iac-buildinfo-cm.yaml" - tags: - - install - - update - when: deployment_type == 'vsphere' + - name: Apply sas-iac-buildinfo ConfigMap into cluster + ansible.builtin.shell: | + export KUBECONFIG="{{ iac_inventory_dir }}/{{ kubernetes_cluster_name }}-kubeconfig.conf" + 
kubectl apply -f "{{ iac_inventory_dir }}/sas-iac-buildinfo-cm.yaml" + tags: + - install + - update diff --git a/roles/kubernetes/storage/nfs-subdir-external-provisioner/defaults/main.yaml b/roles/kubernetes/storage/nfs-subdir-external-provisioner/defaults/main.yaml index 2b17114..9bdddd5 100644 --- a/roles/kubernetes/storage/nfs-subdir-external-provisioner/defaults/main.yaml +++ b/roles/kubernetes/storage/nfs-subdir-external-provisioner/defaults/main.yaml @@ -1,6 +1,7 @@ # Copyright © 2022-2023, SAS Institute Inc., Cary, NC, USA. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 +--- ## Nfs-subdir-external-provisioner NFS_CLIENT_NAME: nfs-subdir-external-provisioner-default NFS_CLIENT_NAMESPACE: kube-system @@ -11,7 +12,7 @@ NFS_CLIENT_CONFIG: nfs: server: "{{ nfs_ip }}" path: /srv/nfs/kubernetes/sc/default - mountOptions: + mountOptions: - noatime - nodiratime - 'rsize=262144' diff --git a/roles/kubernetes/storage/nfs-subdir-external-provisioner/tasks/main.yaml b/roles/kubernetes/storage/nfs-subdir-external-provisioner/tasks/main.yaml index e93048b..d71aa58 100644 --- a/roles/kubernetes/storage/nfs-subdir-external-provisioner/tasks/main.yaml +++ b/roles/kubernetes/storage/nfs-subdir-external-provisioner/tasks/main.yaml @@ -9,7 +9,7 @@ # # Reference URL : https://docs.ansible.com/ansible/latest/inventory/implicit_localhost.html # -- name: Setting up default storage for the cluster using nfs-subdir-external-provisioner +- name: Setting up default storage for the cluster using nfs-subdir-external-provisioner kubernetes.core.helm: name: "{{ NFS_CLIENT_NAME }}" namespace: "{{ NFS_CLIENT_NAMESPACE }}" diff --git a/roles/kubernetes/storage/sig-storage-local-static-provisioner/defaults/main.yaml b/roles/kubernetes/storage/sig-storage-local-static-provisioner/defaults/main.yaml index 596b61a..b768bdf 100644 --- a/roles/kubernetes/storage/sig-storage-local-static-provisioner/defaults/main.yaml 
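Review bot: The two `Register ... information` tasks in the restructured block (`@@ -13,39 +13,40`) only read state, yet as `ansible.builtin.shell` tasks without `changed_when: false` they report `changed` on every run and trip the `no-changed-when` rule of the ansible-lint this PR adds. Add `changed_when: false` to both and replace the `cd "{{ k8s_tool_base }}"` line with `args: chdir: "{{ k8s_tool_base }}"`, so a failing `cd` cannot fall through to executing the script from the wrong directory (the inline shell has no `set -e`). The `kubectl apply` task is the one that legitimately changes the cluster; it too needs a `changed_when`, and registering its output and keying on kubectl's `unchanged` marker is the usual way to do that.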
+++ b/roles/kubernetes/storage/sig-storage-local-static-provisioner/defaults/main.yaml @@ -1,6 +1,7 @@ # Copyright © 2022-2023, SAS Institute Inc., Cary, NC, USA. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 +--- ## sig-storage-local-static-provisioner LOCAL_VOLUME_NAME: sig-storage-local-static-provisioner-sas LOCAL_VOLUME_NAMESPACE: kube-system 
@@ -24,49 +25,49 @@ LOCAL_VOLUME_CONFIG: storageClass: true daemonset: tolerations: - - effect: NoSchedule - key: workload.sas.com/class - operator: Equal - value: cas - - effect: NoSchedule - key: workload.sas.com/class - operator: Equal - value: stateless - - effect: NoSchedule - key: workload.sas.com/class - operator: Equal - value: stateful - - effect: NoSchedule - key: workload.sas.com/class - operator: Equal - value: singlestore + - effect: NoSchedule + key: workload.sas.com/class + operator: Equal + value: cas + - effect: NoSchedule + key: workload.sas.com/class + operator: Equal + value: stateless + - effect: NoSchedule + key: workload.sas.com/class + operator: Equal + value: stateful + - effect: NoSchedule + key: workload.sas.com/class + operator: Equal + value: singlestore affinity: nodeAffinity: preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: workload.sas.com/class - operator: In - values: - - stateful - - stateless - - cas - - singlestore - matchFields: [] - weight: 100 - - preference: - matchExpressions: - - key: workload.sas.com/class - operator: NotIn - values: - - compute - matchFields: [] - weight: 50 + - preference: + matchExpressions: + - key: workload.sas.com/class + operator: In + values: + - stateful + - stateless + - cas + - singlestore + matchFields: [] + weight: 100 + - preference: + matchExpressions: + - key: workload.sas.com/class + operator: NotIn + values: + - compute + matchFields: [] + weight: 50 requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.azure.com/mode - operator: NotIn - values: - - system - matchFields: [] + - matchExpressions: + - key: kubernetes.azure.com/mode + operator: NotIn + values: + - system + matchFields: [] diff --git a/roles/kubernetes/storage/sig-storage-local-static-provisioner/tasks/main.yaml b/roles/kubernetes/storage/sig-storage-local-static-provisioner/tasks/main.yaml index 3a8ec4e..3645e62 100644 
--- a/roles/kubernetes/storage/sig-storage-local-static-provisioner/tasks/main.yaml +++ b/roles/kubernetes/storage/sig-storage-local-static-provisioner/tasks/main.yaml @@ -16,7 +16,7 @@ tags: - install - update - + - name: Cloning sig-storage-local-static-provisioner ansible.builtin.git: repo: "{{ LOCAL_VOLUME_REPO }}" @@ -26,7 +26,7 @@ - install - update -- name: Setting up local storage for the cluster using sig-storage-local-static-provisioner +- name: Setting up local storage for the cluster using sig-storage-local-static-provisioner kubernetes.core.helm: name: "{{ LOCAL_VOLUME_NAME }}" namespace: "{{ LOCAL_VOLUME_NAMESPACE }}" diff --git a/roles/kubernetes/toolbox/tasks/main.yaml b/roles/kubernetes/toolbox/tasks/main.yaml index 840e38e..87de127 100644 --- a/roles/kubernetes/toolbox/tasks/main.yaml +++ b/roles/kubernetes/toolbox/tasks/main.yaml @@ -27,7 +27,7 @@ - install - update -- name: Set kubernetes version facts for crictl +- name: Set kubernetes version facts for crictl set_fact: k8s_version_semantic_parts: "{{ kubernetes_version.split('.') }}" when: kubernetes_cri|lower != 'docker' @@ -49,7 +49,7 @@ ansible.builtin.get_url: url: https://github.com/kubernetes-sigs/cri-tools/releases/download/v{{ k8s_major_version }}.{{ k8s_minor_version }}.0/crictl-v{{ k8s_major_version }}.{{ k8s_minor_version }}.0-linux-amd64.tar.gz dest: /tmp/crictl-v{{ k8s_major_version }}.{{ k8s_minor_version }}.0-linux-amd64.tar.gz - mode: '0755' + mode: "0755" when: kubernetes_cri|lower != 'docker' tags: - install @@ -59,7 +59,7 @@ ansible.builtin.unarchive: src: /tmp/crictl-v{{ k8s_major_version }}.{{ k8s_minor_version }}.0-linux-amd64.tar.gz dest: /usr/local/bin - remote_src: yes + remote_src: true when: kubernetes_cri|lower != 'docker' tags: - install 
@@ -108,11 +108,11 @@ - name: Update apt package index and install kubelet, kubeadm, kubectl ansible.builtin.apt: pkg: - - kubelet={{ kubernetes_version }}-00 - - kubeadm={{ kubernetes_version }}-00 - - kubectl={{ kubernetes_version }}-00 + - kubelet={{ kubernetes_version }}-00 + - kubeadm={{ kubernetes_version }}-00 + - kubectl={{ kubernetes_version }}-00 state: present - update_cache: yes + update_cache: true when: ansible_distribution == "Ubuntu" and (ansible_distribution_version == "20.04" or ansible_distribution_version == "22.04") tags: - install @@ -129,7 +129,7 @@ when: ansible_distribution == "Ubuntu" and (ansible_distribution_version == "20.04" or ansible_distribution_version == "22.04") tags: - install - + - name: Mark the packages to purge as we control the version ;) ansible.builtin.dpkg_selections: name: "{{ item }}" @@ -145,11 +145,11 @@ - name: Update apt package index and remove kubelet, kubeadm, kubectl ansible.builtin.apt: pkg: - - kubelet={{ kubernetes_version }}-00 - - kubeadm={{ kubernetes_version }}-00 - - kubectl={{ kubernetes_version }}-00 + - kubelet={{ kubernetes_version }}-00 + - kubeadm={{ kubernetes_version }}-00 + - kubectl={{ kubernetes_version }}-00 state: absent - update_cache: yes + update_cache: true when: ansible_distribution == "Ubuntu" and (ansible_distribution_version == "20.04" or ansible_distribution_version == "22.04") tags: - uninstall diff --git a/roles/kubernetes/vip/primary/tasks/main.yaml b/roles/kubernetes/vip/primary/tasks/main.yaml index 621869e..941bbd5 100644 --- a/roles/kubernetes/vip/primary/tasks/main.yaml +++ b/roles/kubernetes/vip/primary/tasks/main.yaml @@ -6,7 +6,7 @@ ansible.builtin.file: path: /etc/kubernetes/manifests state: directory - mode: '0755' + mode: "0755" tags: - install diff --git a/roles/kubernetes/vip/secondary/tasks/main.yaml b/roles/kubernetes/vip/secondary/tasks/main.yaml index cefafd2..bc8f2e0 100644 --- a/roles/kubernetes/vip/secondary/tasks/main.yaml 
+++ b/roles/kubernetes/vip/secondary/tasks/main.yaml @@ -3,9 +3,9 @@ --- - name: Copy kube-vip manifest to secondary control planes - ansible.posix.synchronize: + ansible.posix.synchronize: src: /etc/kubernetes/manifests/kube-vip.yaml dest: /etc/kubernetes/manifests/kube-vip.yaml - delegate_to: "{{groups['k8s_control_plane'][0]}}" + delegate_to: "{{ groups['k8s_control_plane'][0] }}" tags: - install diff --git a/roles/systems/bare_metal/init/tasks/main.yaml b/roles/systems/bare_metal/init/tasks/main.yaml index f6c663e..91f7729 100644 --- a/roles/systems/bare_metal/init/tasks/main.yaml +++ b/roles/systems/bare_metal/init/tasks/main.yaml @@ -1,6 +1,7 @@ # Copyright © 2022-2023, SAS Institute Inc., Cary, NC, USA. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 +--- # NOTE: Should make this more generic for other OS types - name: Set owner and group for Ubuntu OS ansible.builtin.set_fact: @@ -17,7 +18,7 @@ state: directory owner: "{{ owner }}" group: "{{ group }}" - mode: 0777 + mode: "0777" ignore_errors: true tags: - install @@ -34,7 +35,7 @@ dest: /tmp/link_devs.sh owner: root group: root - mode: '0700' + mode: "0700" tags: - install diff --git a/roles/systems/common/tasks/main.yaml b/roles/systems/common/tasks/main.yaml index 888cb91..4066c0f 100644 --- a/roles/systems/common/tasks/main.yaml +++ b/roles/systems/common/tasks/main.yaml @@ -34,7 +34,7 @@ - name: Disable and turn off unattended-upgrades ansible.builtin.systemd: name: unattended-upgrades.service - enabled: no + enabled: false state: stopped ignore_errors: true tags: @@ -57,7 +57,7 @@ ansible.builtin.apt: name: unattended-upgrades state: absent - purge: yes + purge: true tags: - install - update @@ -67,11 +67,11 @@ ansible.builtin.package: name: '*' state: latest - update_cache: yes + update_cache: true tags: - install - update - + # TODO: Add code here to support RHEL/CentOS for code # - name: Disable the firewalld # CentOS ONLY # systemd: 
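Review bot: In the `@@ -67` hunk of `roles/systems/common/tasks/main.yaml`, the `ansible.builtin.package` task with `name: '*'` and `state: latest` upgrades every installed package on each `install`/`update` run; ansible-lint's `package-latest` rule flags exactly this, so the new linter will report it unless the rule is skipped. It also makes builds non-reproducible: a containerd or kubelet bump can arrive through this task instead of the versions pinned elsewhere in the repo, unless those packages are explicitly held. If a blanket upgrade is intended, gate it behind a variable and annotate the line with `# noqa: package-latest` plus the reason; otherwise a plain `ansible.builtin.apt: update_cache: true` task keeps the cache refresh without the upgrade.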
@@ -88,7 +88,7 @@ # exit 0 # tags: # - install - + # Add SAS Certificates to support SAS Viya - name: Adding SAS certs ansible.builtin.shell: | @@ -130,4 +130,4 @@ when: ansible_distribution == "Ubuntu" and (ansible_distribution_version == "20.04" or ansible_distribution_version == "22.04") tags: - install - - update + - update diff --git a/roles/systems/container_registry/harbor/tasks/main.yaml b/roles/systems/container_registry/harbor/tasks/main.yaml index 4c880ba..3733613 100644 --- a/roles/systems/container_registry/harbor/tasks/main.yaml +++ b/roles/systems/container_registry/harbor/tasks/main.yaml @@ -12,16 +12,16 @@ # Task to Remove existing Docker installations - name: Uninstall old Docker versions - ansible.builtin.package: + ansible.builtin.package: name: "{{ packages }}" state: absent vars: packages: - - docker - - docker-engine - - docker.io - - containerd - - runc + - docker + - docker-engine + - docker.io + - containerd + - runc ignore_errors: true tags: - install @@ -33,11 +33,11 @@ state: present vars: packages: - - apt-transport-https # Also needed for kubeadm tooling - - ca-certificates # Also needed for kubeadm tooling - - curl # Also needed for kubeadm tooling - - gnupg - - lsb-release + - apt-transport-https # Also needed for kubeadm tooling + - ca-certificates # Also needed for kubeadm tooling + - curl # Also needed for kubeadm tooling + - gnupg + - lsb-release tags: - install - update @@ -70,10 +70,10 @@ state: present vars: packages: - - docker-ce - - docker-ce-cli - - docker-compose - - containerd.io + - docker-ce + - docker-ce-cli + - docker-compose + - containerd.io tags: - install - update @@ -101,8 +101,8 @@ ansible.builtin.user: name: "{{ item }}" groups: docker - append: yes - with_items: + append: true + with_items: - devops - ubuntu when: ansible_distribution == "Ubuntu" and (ansible_distribution_version == "20.04" or ansible_distribution_version == "22.04") 
@@ -114,7 +114,7 @@ - name: Setting up docker to start on boot ansible.builtin.systemd: name: docker.service - enabled: yes + enabled: true tags: - install - update @@ -122,12 +122,12 @@ - name: Setting up containerd to start on boot ansible.builtin.systemd: name: containerd.service - enabled: yes + enabled: true tags: - install - update -# +# # containerd - https://kubernetes.io/docs/setup/production-environment/container-runtimes/#containerd # - name: Add module load file for containerd @@ -169,7 +169,7 @@ - name: Restart systemd ansible.builtin.systemd: - daemon_reload: yes + daemon_reload: true tags: - install - update @@ -178,7 +178,7 @@ ansible.builtin.get_url: url: https://github.com/goharbor/harbor/releases/download/v2.6.0/harbor-offline-installer-v2.6.0.tgz dest: /tmp/harbor-offline-installer-v2.6.0.tgz - mode: '0755' + mode: "0755" tags: - install - update @@ -187,7 +187,7 @@ ansible.builtin.unarchive: src: /tmp/harbor-offline-installer-v2.6.0.tgz dest: /tmp - remote_src: yes + remote_src: true tags: - install - update diff --git a/roles/systems/jump_server/tasks/main.yaml b/roles/systems/jump_server/tasks/main.yaml index e6a1c7f..86e4720 100644 --- a/roles/systems/jump_server/tasks/main.yaml +++ b/roles/systems/jump_server/tasks/main.yaml @@ -16,7 +16,7 @@ tags: - install - update - + - name: Install nfs-common package ansible.builtin.package: name: nfs-common @@ -32,7 +32,7 @@ state: directory owner: "{{ owner }}" group: "{{ group }}" - mode: 0777 + mode: "0777" tags: - install - update @@ -43,7 +43,7 @@ state: directory owner: "{{ owner }}" group: "{{ group }}" - mode: 0777 + mode: "0777" tags: - install - update @@ -92,7 +92,7 @@ path: /viya-share/pvs owner: "{{ owner }}" group: "{{ group }}" - mode: 0777 + mode: "0777" state: directory tags: - install diff --git a/roles/systems/nfs_server/tasks/main.yaml b/roles/systems/nfs_server/tasks/main.yaml index b3c6d8e..5d63d60 100644 --- a/roles/systems/nfs_server/tasks/main.yaml 
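Review bot: The `get_url` task in the hunk at `@@ -178,7 +178,7 @@` downloads `harbor-offline-installer-v2.6.0.tgz` from GitHub without a `checksum:`, so the tarball that the following `unarchive` hunk (`@@ -187,7 +187,7 @@`) unpacks and that the installer later runs as root is accepted whatever its content; the commit only requotes `mode`. Adding `checksum: "sha256:<PLACEHOLDER-harbor-v2.6.0-installer-sha256>"` under `dest:` pins the artifact (the value is the published digest for that release, to be filled in from the release page). The tarball is never executed, so `mode: "0644"` is sufficient in place of `mode: "0755"`. The `- name:` line of the task is outside the hunk.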
+++ b/roles/systems/nfs_server/tasks/main.yaml @@ -15,6 +15,9 @@ - update - name: Setting up /export nfs mount point + tags: + - install + - update block: - name: Create nfs mount point ansible.builtin.file: @@ -22,7 +25,7 @@ state: directory owner: nobody group: nogroup - mode: 0777 + mode: "0777" when: ansible_distribution == "Ubuntu" and (ansible_distribution_version == "20.04" or ansible_distribution_version == "22.04") - name: Test for export mount point @@ -43,11 +46,11 @@ regexp: '^/export' line: /export *(rw,no_root_squash,async,insecure,crossmnt,no_subtree_check) when: exports_file_rc.stdout != "0" + +- name: Setting up /srv/nfs/kubernetes/sc/default nfs mount point tags: - install - update - -- name: Setting up /srv/nfs/kubernetes/sc/default nfs mount point block: - name: Create nfs mount point ansible.builtin.file: @@ -55,7 +58,7 @@ state: directory owner: nobody group: nogroup - mode: 0777 + mode: "0777" when: ansible_distribution == "Ubuntu" and (ansible_distribution_version == "20.04" or ansible_distribution_version == "22.04") - name: Test for export mount point @@ -76,9 +79,6 @@ regexp: '^/srv/nfs/kubernetes/sc/default' line: /srv/nfs/kubernetes/sc/default *(rw,no_root_squash,async,insecure,crossmnt,no_subtree_check) when: kubernetes_sc_default_file_rc.stdout != "0" - tags: - - install - - update - name: Export file system ansible.builtin.shell: exportfs -a @@ -90,7 +90,7 @@ - name: Start the nfs_kernel_server, portmap, and rpc-statd ansible.builtin.systemd: name: "{{ item }}" - enabled: yes + enabled: true state: restarted with_items: - nfs-server diff --git a/roles/systems/postgres/defaults/main.yaml b/roles/systems/postgres/defaults/main.yaml index cf53ce8..59a0b99 100644 --- a/roles/systems/postgres/defaults/main.yaml +++ b/roles/systems/postgres/defaults/main.yaml 
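Review bot: The export line kept as context in the `roles/systems/nfs_server/tasks/main.yaml` hunk at `@@ -43,11 +46,11 @@`, `line: /export *(rw,no_root_squash,async,insecure,crossmnt,no_subtree_check)`, grants read-write root-preserving access to every host that can reach the NFS port, and the moved `tags:`/`when:` do nothing to narrow it; the same pattern appears in the `@@ -76,9 +79,6 @@` hunk for `/srv/nfs/kubernetes/sc/default`. If the intended clients are the cluster nodes, replacing `*` with the node subnet or the `k8s` host addresses (for example a templated `{{ nfs_allowed_cidr }}`, variable name constructed here) would keep `no_root_squash` from being reachable by anything else, and `insecure` can be dropped unless a client genuinely mounts from a non-privileged port. `async` also trades durability for speed on a volume that backs persistent volumes; a one-line comment stating why these options were chosen would help reviewers. The `lineinfile` task's `- name:` is outside the hunk.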
@@ -1,5 +1,6 @@ # Copyright © 2022-2023, SAS Institute Inc., Cary, NC, USA. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 +--- postgres_server_ssl_cert_file: "" postgres_server_ssl_key_file: "" diff --git a/roles/systems/postgres/tasks/main.yaml b/roles/systems/postgres/tasks/main.yaml index d5dd179..36aa326 100644 --- a/roles/systems/postgres/tasks/main.yaml +++ b/roles/systems/postgres/tasks/main.yaml @@ -24,12 +24,12 @@ - name: Install postgres ansible.builtin.apt: pkg: - - "postgresql-{{ postgres_server_version }}" - - "postgresql-client-{{ postgres_server_version }}" - - python3-psycopg2 - - acl + - "postgresql-{{ postgres_server_version }}" + - "postgresql-client-{{ postgres_server_version }}" + - python3-psycopg2 + - acl state: present - update_cache: yes + update_cache: true tags: - install - update @@ -58,7 +58,7 @@ - name: Postgres SSL with user supplied cert and key - verify both defined ansible.builtin.fail: - msg: "User has set postgres_server_ssl to on, but has only defined one of 'postgres_server_ssl_cert_file, + msg: "User has set postgres_server_ssl to on, but has only defined one of 'postgres_server_ssl_cert_file, postgres_server_ssl_key_file'. Ensure that both these variables are set, or remove both of them from your inventory file to use the Ubuntu system default cert and key files." when: @@ -70,6 +70,13 @@ - update - name: Copy user supplied cert and key to Postgres host + when: + - ansible_distribution == "Ubuntu" and (ansible_distribution_version == "20.04" or ansible_distribution_version == "22.04") + - postgres_server_ssl|lower == "on" + - (postgres_server_ssl_cert_file|length > 0) and (postgres_server_ssl_key_file|length > 0) + tags: + - install + - update block: - name: Add user supplied SSL Cert ansible.builtin.copy: 
@@ -91,15 +98,15 @@ ansible.builtin.set_fact: postgres_server_ssl_cert_file_dest: "{{ cert_result.dest }}" postgres_server_ssl_key_file_dest: "{{ key_result.dest }}" + +- name: Create copy of Ubuntu default cert and key when: - ansible_distribution == "Ubuntu" and (ansible_distribution_version == "20.04" or ansible_distribution_version == "22.04") - postgres_server_ssl|lower == "on" - - (postgres_server_ssl_cert_file|length > 0) and (postgres_server_ssl_key_file|length > 0) + - (postgres_server_ssl_cert_file|length == 0) and (postgres_server_ssl_key_file|length == 0) tags: - install - update - -- name: Create copy of Ubuntu default cert and key block: - name: Copy Ubuntu default SSL Cert ansible.builtin.copy: @@ -108,7 +115,7 @@ owner: root group: root mode: "0644" - remote_src: yes + remote_src: true register: cert_result - name: Copy Ubuntu default SSL Key ansible.builtin.copy: @@ -117,29 +124,22 @@ owner: root group: ssl-cert mode: "0640" - remote_src: yes + remote_src: true register: key_result - name: Fetch SSL Cert ansible.builtin.fetch: src: "{{ cert_result.dest }}" dest: "{{ inventory_dir }}/" - flat: yes + flat: true - name: Fetch SSL Key ansible.builtin.fetch: src: "{{ key_result.dest }}" dest: "{{ inventory_dir }}/" - flat: yes + flat: true - name: Set postgres_server_ssl_cert_file_dest and postgres_server_ssl_key_file_dest ansible.builtin.set_fact: postgres_server_ssl_cert_file_dest: "{{ cert_result.dest }}" postgres_server_ssl_key_file_dest: "{{ key_result.dest }}" - when: - - ansible_distribution == "Ubuntu" and (ansible_distribution_version == "20.04" or ansible_distribution_version == "22.04") - - postgres_server_ssl|lower == "on" - - (postgres_server_ssl_cert_file|length == 0) and (postgres_server_ssl_key_file|length == 0) - tags: - - install - - update - name: Alter postgresql.conf - Update ssl ansible.builtin.lineinfile: 
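Review bot: In the `@@ -117,29 +124,22 @@` hunk, `ansible.builtin.fetch` copies the private key at `{{ key_result.dest }}` to `{{ inventory_dir }}/` with `flat: true`, so a key that is protected on the host as `root:ssl-cert 0640` ends up as a plain file next to the inventory on the controller, written with the controller's umask rather than the source mode; the commit only changes `flat: yes` to `flat: true`. If the fetched copy is needed (the `set_fact` below only records the remote `dest`, so it may not be), a comment above the task such as `# NOTE: fetched key lands beside the inventory; keep it out of version control and restrict its permissions` plus a `.gitignore` entry for the fetched filenames would at least make the exposure explicit. Otherwise dropping the two `fetch` tasks removes the copy entirely. The enclosing block `Create copy of Ubuntu default cert and key` starts outside the hunk.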
@@ -193,7 +193,7 @@ ansible.builtin.systemd: name: postgresql state: restarted - enabled: yes + enabled: true tags: - install - update diff --git a/roles/systems/vsphere/init/tasks/main.yaml b/roles/systems/vsphere/init/tasks/main.yaml index a70788b..56ce12d 100644 --- a/roles/systems/vsphere/init/tasks/main.yaml +++ b/roles/systems/vsphere/init/tasks/main.yaml @@ -16,7 +16,7 @@ tags: - install - update - + - name: Expand Root Partition - growpart ansible.builtin.shell: "growpart /dev/sda {{ partition_number }}" # CentOS - 1 # Ubuntu - 2 register: grow_result @@ -48,7 +48,7 @@ state: directory owner: "{{ owner }}" group: "{{ group }}" - mode: 0777 + mode: "0777" ignore_errors: true tags: - install @@ -65,7 +65,7 @@ dest: /tmp/link_devs.sh owner: root group: root - mode: '0700' + mode: "0700" tags: - install diff --git a/variables.tf b/variables.tf index fd9ee83..279c87b 100644 --- a/variables.tf +++ b/variables.tf @@ -31,12 +31,6 @@ variable "vsphere_password" { default = null } -variable "vsphere_cluster" { - type = string - description = "This is the name of the vSphere cluster." - default = null -} - variable "vsphere_datacenter" { type = string description = "This is the name of the vSphere data center." @@ -89,6 +83,7 @@ variable "nat_ip" { } variable "netmask" { + type = number description = "Netmask (if using static ips)" default = 16 }
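Review bot: The `variables.tf` hunk at `@@ -89,6 +83,7 @@` adds `type = number` to `netmask` but nothing constrains the value, and with `default = 16` the variable is clearly a CIDR prefix length rather than a dotted netmask, which the description `"Netmask (if using static ips)"` does not say. A `validation` block bounding it to 0–32 and a description naming it as a prefix length would turn a wrong value (say `255` or a negative number) into a plan-time error instead of a malformed address downstream. The rewritten variable is below; the rest of the file is untouched.
```hcl
variable "netmask" {
  type        = number
  description = "CIDR prefix length for the node network, e.g. 16 (only used with static ips)"
  default     = 16
  validation {
    condition     = var.netmask >= 0 && var.netmask <= 32
    error_message = "netmask must be a CIDR prefix length between 0 and 32."
  }
}
```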