add k0s support

.gitignore

@@ -12,3 +12,6 @@ kubeconfig
 .venv*
 # Taskfile
 .tasks
+# intellij
+.idea
+

.taskfiles/FluxTasks.yaml

@@ -26,9 +26,15 @@ tasks:
       - kubectl apply --server-side --filename {{.KUBERNETES_DIR}}/flux/vars/cluster-settings-user.yaml
       - kubectl apply --server-side --kustomize {{.KUBERNETES_DIR}}/flux/config
     preconditions:
-      - { msg: "Flux already appears installed", sh: "exit $(( ! $(kubectl get namespace flux-system) ))" }
+      - { msg: "Flux already appears installed", sh: "kubectl get namespace flux-system &>/dev/null && exit 1 || exit 0" }
       - { msg: "Age private key not found",      sh: "test -f {{.ROOT_DIR}}/age.key" }
 
+  github-deploy-key:
+    cmds:
+      - sops --decrypt {{.KUBERNETES_DIR}}/bootstrap/github-deploy-key.sops.yaml | kubectl apply -f -
+    preconditions:
+      - { msg: "Flux is not installed", sh: "kubectl get namespace flux-system &>/dev/null && exit 0 || exit 1" }
+
   apply:
     desc: Apply a Flux Kustomization resource for a cluster
     summary: |

.taskfiles/K0sTasks.yaml

@@ -0,0 +1,25 @@
+---
+version: "3"
+
+tasks:
+
+  kubeconfig:
+    desc: Gets k0s cluster kubeconfig
+    cmds:
+      - k0sctl kubeconfig -c k0s-config.yaml > kubeconfig
+    preconditions:
+      - { msg: "k0s-config.yaml not found",      sh: "test -f {{.ROOT_DIR}}/k0s-config.yaml" }
+
+  apply:
+    desc: Apply k0s cluster k0s-config.yaml
+    cmds:
+      - k0sctl apply --config k0s-config.yaml
+      - task: kubeconfig
+    preconditions:
+      - { msg: "k0s-config.yaml not found",      sh: "test -f {{.ROOT_DIR}}/k0s-config.yaml" }
+
+  reset:
+    desc: Resets the k0s cluster
+    cmd: k0sctl reset --config k0s-config.yaml
+    preconditions:
+      - { msg: "k0s-config.yaml not found",      sh: "test -f {{.ROOT_DIR}}/k0s-config.yaml" }

Taskfile.yaml

@@ -17,6 +17,7 @@ includes:
     aliases: ["k8s"]
     taskfile: .taskfiles/KubernetesTasks.yaml
   flux: .taskfiles/FluxTasks.yaml
+  k0s: .taskfiles/K0sTasks.yaml
 
 tasks:
 

bootstrap/configure.yaml

@@ -35,5 +35,8 @@
     - name: Template Kubernetes configuration
       ansible.builtin.include_tasks: tasks/kubernetes/main.yaml
 
+    - name: Template Kubernetes optional configuration
+      ansible.builtin.include_tasks: tasks/optional/main.yaml
+
     - name: Template Kubernetes addon configuration
       ansible.builtin.include_tasks: tasks/addons/main.yaml

bootstrap/tasks/addons/main.yaml

@@ -21,7 +21,7 @@
   ansible.builtin.include_tasks: kube_prometheus_stack.yaml
 
 - name: Process addon system-upgrade-controller
-  when: system_upgrade_controller.enabled | default(false)
+  when: (bootstrap_distribution == "k3s") and (system_upgrade_controller.enabled | default(false))
   ansible.builtin.include_tasks: system_upgrade_controller.yaml
 
 - name: Process addon weave-gitops

bootstrap/tasks/ansible/main.yaml

@@ -27,13 +27,4 @@
         mode: "0644"
         force: true
       with_community.general.filetree: ["../templates/ansible/"]
-    - name: Template encrypted node secrets
-      community.sops.sops_encrypt:
-        path: "{{ repository_path }}/ansible/inventory/host_vars/{{ item.name }}.sops.yaml"
-        age: ["{{ bootstrap_age_public_key }}"]
-        content_yaml: "{{ lookup('ansible.builtin.template', 'templates/node.sops.yaml.j2', template_vars=dict(password=item.password)) | from_yaml }}"
-        mode: "0644"
-        force: true
-      loop: "{{ bootstrap_nodes.master + bootstrap_nodes.worker | default([]) }}"
-      loop_control:
-        label: "{{ item.address }}"
+

bootstrap/tasks/optional/coredns.yaml

@@ -0,0 +1,34 @@
+---
+- name: Set addon facts
+  ansible.builtin.set_fact:
+    optional_name: coredns
+    optional_namespace: kube-system
+
+- name: Ensure directories exist for {{ optional_namespace }}/{{ optional_name }}
+  when: item.state == 'directory'
+  ansible.builtin.file:
+    path: "{{ repository_path }}/kubernetes/apps/{{ optional_namespace }}/{{ optional_name }}/{{ item.path }}"
+    state: directory
+    mode: "0755"
+  with_community.general.filetree: ["../templates/optional/{{ optional_name }}/"]
+
+- name: Template unencrypted files for {{ optional_namespace }}/{{ optional_name }}
+  when: item.state == 'file' and 'sops' not in item.path
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ repository_path }}/kubernetes/apps/{{ optional_namespace }}/{{ optional_name }}/{{ item.path | replace('.j2', '') }}"
+    mode: "0644"
+  with_community.general.filetree: ["../templates/optional/{{ optional_name }}/"]
+
+- name: Template encrypted files for {{ optional_namespace }}/{{ optional_name }}
+  block:
+    - name: Template encrypted files
+      when: item.state == 'file' and 'sops' in item.path
+      community.sops.sops_encrypt:
+        path: "{{ repository_path }}/kubernetes/apps/{{ optional_namespace }}/{{ optional_name }}/{{ item.path | replace('.j2', '') }}"
+        encrypted_regex: ^(data|stringData)$
+        age: ["{{ bootstrap_age_public_key }}"]
+        content_yaml: "{{ lookup('ansible.builtin.template', item.src) | from_yaml }}"
+        mode: "0644"
+        force: true
+      with_community.general.filetree: ["../templates/optional/{{ optional_name }}/"]

bootstrap/tasks/optional/main.yaml

@@ -0,0 +1,7 @@
+---
+
+- name: Process optional opendns
+  when: bootstrap_distribution == "k3s"
+  ansible.builtin.include_tasks: coredns.yaml
+
+

bootstrap/tasks/validation/github.yaml

@@ -14,6 +14,7 @@
     fail_msg: Github user {{ bootstrap_github_username }} does not exist
 
 - name: Query Github repo
+  when: not bootstrap_private_github_repo | default(false)
   ansible.builtin.uri:
     url: https://api.github.com/repos/{{ bootstrap_github_username }}/{{ bootstrap_github_repository_name }}
     timeout: 5
@@ -22,12 +23,14 @@
   register: result
 
 - name: Check if repo exists
+  when: not bootstrap_private_github_repo | default(false)
   ansible.builtin.assert:
     that: result.json.full_name == bootstrap_github_username + '/' + bootstrap_github_repository_name
     success_msg: Github repo {{ bootstrap_github_username }}/{{ bootstrap_github_repository_name }} exists
     fail_msg: Github repo {{ bootstrap_github_username }}/{{ bootstrap_github_repository_name }} does not exist
 
 - name: Query Github repo branch
+  when: not bootstrap_private_github_repo | default(false)
   ansible.builtin.uri:
     url: https://api.github.com/repos/{{ bootstrap_github_username }}/{{ bootstrap_github_repository_name }}/branches/{{ bootstrap_github_repository_branch | default('main', true) }}
     timeout: 5
@@ -36,6 +39,7 @@
   register: result
 
 - name: Check if repo branch exists
+  when: not bootstrap_private_github_repo | default(false)
   ansible.builtin.assert:
     that: result.json.name == bootstrap_github_repository_branch | default('main', true)
     success_msg: Github repo branch {{ bootstrap_github_repository_branch | default('main', true) }} exists

bootstrap/tasks/validation/vars.yaml

@@ -7,6 +7,7 @@
     success_msg: Required bootstrap var {{ item }} exists and is defined
     fail_msg: Required bootstrap var {{ item }} does not exists or is not defined
   loop:
+    - bootstrap_distribution
     - bootstrap_acme_email
     - bootstrap_age_public_key
     - bootstrap_cilium_loadbalancer_mode
@@ -25,7 +26,6 @@
     - bootstrap_ipv6_enabled
     - bootstrap_k8s_gateway_addr
     - bootstrap_kube_vip_addr
-    - bootstrap_local_path_provisioner_path
     - bootstrap_node_cidr
     - bootstrap_service_cidr
     - bootstrap_timezone

bootstrap/templates/addons/grafana/app/helmrelease.yaml.j2

@@ -24,7 +24,7 @@ spec:
   uninstall:
     keepHistory: false
   dependsOn:
-    - name: local-path-provisioner
+    - name: openebs
       namespace: storage
   values:
     deploymentStrategy:
@@ -168,6 +168,6 @@ spec:
             - *host
     persistence:
       enabled: true
-      storageClassName: local-hostpath
+      storageClassName: openebs-hostpath
     testFramework:
       enabled: false

bootstrap/templates/addons/kube-prometheus-stack/app/helmrelease.yaml.j2

@@ -27,7 +27,7 @@ spec:
   uninstall:
     keepHistory: false
   dependsOn:
-    - name: local-path-provisioner
+    - name: openebs
       namespace: storage
   valuesFrom:
     - name: kube-prometheus-stack-values

bootstrap/templates/addons/kube-prometheus-stack/app/helmvalues.yaml.j2

@@ -114,7 +114,7 @@ data:
         storageSpec:
           volumeClaimTemplate:
             spec:
-              storageClassName: local-hostpath
+              storageClassName: openebs-hostpath
               resources:
                 requests:
                   storage: 10Gi

bootstrap/templates/kubernetes/apps/kube-system/cilium/app/helmvalues.yaml.j2

@@ -16,7 +16,11 @@ data:
       id: 1
     containerRuntime:
       integration: containerd
+{% if k0s.enabled | default(false) %}
+      socketPath: /var/run/k0s/containerd.sock
+{% else %}
       socketPath: /var/run/k3s/containerd/containerd.sock
+{% endif %}
     endpointRoutes:
       enabled: true
     hubble:

bootstrap/templates/kubernetes/apps/kube-system/kustomization.yaml.j2

@@ -5,5 +5,7 @@ kind: Kustomization
 resources:
   - ./namespace.yaml
   - ./cilium/ks.yaml
+{% if bootstrap_distribution == "k3s" %}
   - ./coredns/ks.yaml
+{% endif %}
   - ./metrics-server/ks.yaml

bootstrap/templates/kubernetes/apps/storage/kustomization.yaml.j2

@@ -4,7 +4,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ./namespace.yaml
-  - ./local-path-provisioner/ks.yaml
+  - ./openebs/ks.yaml
   - ./snapshot-controller/ks.yaml
   - ./volsync/ks.yaml
   {% if csi_driver_nfs.enabled | default(false) %}

bootstrap/templates/kubernetes/apps/storage/openebs/app/helmrelease.yaml.j2

@@ -0,0 +1,36 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: openebs
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: openebs
+      version: 3.3.0
+      sourceRef:
+        kind: HelmRepository
+        name: openebs
+        namespace: flux-system
+  maxHistory: 2
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  uninstall:
+    keepHistory: false
+  values:
+    localprovisioner:
+      hostpathClass:
+        enabled: true
+        isDefaultClass: false
+{% if bootstrap_distribution == 'k3s' %}
+        basePath: "{{ bootstrap_local_storage_path | default('/var/lib/rancher/k3s/local-hostpath', true) }}"
+{% else %}
+        basePath: "{{ bootstrap_local_storage_path | default('/var/openebs/local', true) }}"
+{% endif %}
+

bootstrap/templates/kubernetes/apps/storage/local-path-provisioner/app/kustomization.yaml.j2 → bootstrap/templates/kubernetes/apps/storage/openebs/app/kustomization.yaml.j2

@@ -2,4 +2,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./helmrelease.yaml
+  - ./helmrelease.yaml

bootstrap/templates/kubernetes/apps/storage/local-path-provisioner/ks.yaml.j2 → bootstrap/templates/kubernetes/apps/storage/openebs/ks.yaml.j2

@@ -2,19 +2,19 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: &app local-path-provisioner
+  name: &app openebs
   namespace: flux-system
 spec:
   targetNamespace: storage
   commonMetadata:
     labels:
       app.kubernetes.io/name: *app
-  path: ./kubernetes/apps/storage/local-path-provisioner/app
+  path: ./kubernetes/apps/kube-system/openebs/app
   prune: true
   sourceRef:
     kind: GitRepository
     name: home-kubernetes
-  wait: false
+  wait: true
   interval: 30m
   retryInterval: 1m
   timeout: 5m

bootstrap/vars/addons.sample.yaml

@@ -41,6 +41,7 @@ system_upgrade_controller:
   # WARNING: Only enable this if you also track the version of k3s in the
   # ansible configuration files. Running ansible against an already provisioned
   # cluster with this enabled might cause your cluster to be downgraded.
+  # Note that if bootstrap_distribution is set to k0s enable: true will be ignored.
   enabled: false
 
 # https://github.com/morphy2k/rss-forwarder