Merge branch 'master' into display-network-errors

sillsdev · Sep 24, 2021 · 0491535 · 0491535
2 parents 70d1b54 + ac16096
commit 0491535
Show file tree

Hide file tree

Showing 26 changed files with 185 additions and 350 deletions.
diff --git a/deploy/group_vars/nuc/main.yml b/deploy/group_vars/nuc/main.yml
@@ -51,29 +51,32 @@ my_aws_profiles:
 ################################################
 # Configure Kubernetes cluster
 ################################################
+
+# Specify which Kubernetes engine to install -
+# one of k3s or none.
+k8s_engine: k3s
 k8s_components:
-  - microk8s
-  - cert_manager
   - ingress_controller
 
 image_pull_secret: aws-login-credentials
 
+app_namespace: thecombine
+
 aws_ecr_login:
   cron: no
   image: sillsdev/aws-kubectl:0.1.9
   secrets_name: aws-ecr-credentials
   config_name: aws-ecr-config
-  pull_secret_name: aws-login-credentials
+  pull_secret_name: "{{ image_pull_secret | default('aws-login-credentials') }}"
   job_name: ecr-cred-helper
 
-app_namespace: thecombine
-
 k8s_user: sillsdev
 k8s_group: sillsdev
 
 #######################################
-# Ingress configuration (microk8s ingress addon)
-ingress_class: public
+# Ingress configuration
+ingress_class: nginx
+ingress_namespace: ingress-nginx
 
 # For the NUCs we want to use the ansible host name
 # since that is how we can connect on the local network

diff --git a/deploy/group_vars/qa/main.yml b/deploy/group_vars/qa/main.yml
@@ -51,6 +51,10 @@ my_aws_profiles:
 ################################################
 # Configure Kubernetes cluster
 ################################################
+
+# Specify which Kubernetes engine to install -
+# one of k3s, or none.
+k8s_engine: none
 k8s_components: []
 
 image_pull_secret: aws-login-credentials
@@ -63,6 +67,7 @@ k8s_group: sillsdev
 #######################################
 # Ingress configuration
 ingress_class: nginx
+ingress_namespace: ingress-nginx
 
 ################################################
 # WiFi access point settings

diff --git a/deploy/group_vars/server/main.yml b/deploy/group_vars/server/main.yml
@@ -65,6 +65,10 @@ max_backups: "3"
 ################################################
 # Configure Kubernetes cluster
 ################################################
+
+# Specify which Kubernetes engine to install -
+# one of k3s, or none.
+k8s_engine: none
 k8s_components: []
 
 image_pull_secret: aws-login-credentials
@@ -77,6 +81,7 @@ k8s_group: sillsdev
 #######################################
 # Ingress configuration
 ingress_class: nginx
+ingress_namespace: ingress-nginx
 
 ################################################
 # WiFi access point settings

diff --git a/deploy/playbook_kube_config.yml b/deploy/playbook_kube_config.yml
@@ -48,15 +48,12 @@
         - name: Setup container registry credentials
           import_role:
             name: aws_login_job
-          tags:
-            - aws_login
 
         - name: Create Storage Class
           import_role:
             name: k8s_storage
           when:
             - k8s_storage_class is defined
-            - k8s_storage_class != "microk8s-hostpath"
 
         - name: Install cert-manager
           include_role:

diff --git a/deploy/roles/aws_login_job/defaults/main.yml b/deploy/roles/aws_login_job/defaults/main.yml
@@ -8,5 +8,3 @@ aws_ecr_login:
   job_name: ecr-cred-helper
   cron_job_name: ecr-cred-helper-cron
   schedule: "0 */8 * * *"
-
-k8s_config_secret: tc-thecombine-kubeconfig
diff --git a/deploy/roles/aws_login_job/tasks/main.yml b/deploy/roles/aws_login_job/tasks/main.yml
@@ -1,30 +1,10 @@
 ---
-- name: Print config
-  debug:
-    var: aws_ecr_login
-
 - name: Create directory for the AWS Login cron job files
   file:
     path: "{{ k8s_aws_login_cfg }}"
     state: directory
     mode: 0700
 
-- name: List kubeconfig secret
-  command: >
-    kubectl --kubeconfig={{ kubecfg }} -n {{ app_namespace }} get secret
-    {{ k8s_config_secret }}
-  register: get_secret
-  changed_when: false
-  failed_when: false
-
-- name: Create kubeconfig secret
-  command: >
-    kubectl --kubeconfig={{ kubecfg }} -n {{ app_namespace }}
-    create secret generic
-    {{ k8s_config_secret }}
-    --from-file={{ kubecfg }}
-  when: get_secret.rc > 0
-
 ##############################################################
 # Delete any immutable objects leftover from previous runs
 ##############################################################

diff --git a/deploy/roles/install_helm/tasks/main.yml b/deploy/roles/install_helm/tasks/main.yml
diff --git a/deploy/roles/k3s/defaults/main.yml b/deploy/roles/k3s/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+k3s_options:
+  - --write-kubeconfig-mode
+  - 644
+  - --disable
+  - traefik
diff --git a/deploy/roles/k3s/tasks/main.yml b/deploy/roles/k3s/tasks/main.yml
@@ -0,0 +1,75 @@
+---
+################################################
+# Install the k3s Lightweight Kubernetes Engine
+# from Rancher.
+# https://k3s.io/
+################################################
+- name: Install k3s
+  shell:
+    cmd: curl -sfL https://get.k3s.io | sh -s - {{ k3s_options | join(' ') }}
+    warn: no
+    creates: /usr/local/bin/k3s
+
+- name: Get home directory for {{ k8s_user }}
+  shell: >
+    getent passwd {{ k8s_user }} | awk -F: '{ print $6 }'
+  register: k8s_user_home
+  changed_when: false
+
+- name: Create .kube directories
+  file:
+    path: "{{ item.home }}/.kube"
+    state: directory
+    owner: "{{ item.owner }}"
+    group: "{{ item.group }}"
+    mode: 0700
+  loop:
+    - home: "{{ k8s_user_home.stdout }}"
+      owner: "{{ k8s_user }}"
+      group: "{{ k8s_group }}"
+    - home: /root
+      owner: root
+      group: root
+
+- name: Set link .kube/config to /etc/rancher/k3s/k3s.yaml
+  file:
+    src: /etc/rancher/k3s/k3s.yaml
+    path: "{{ item }}/.kube/config"
+    state: link
+  loop:
+    - "{{ k8s_user_home.stdout }}"
+    - /root
+
+- name: Save kubectl configuration on host
+  fetch:
+    src: "{{ k8s_user_home.stdout }}/.kube/config"
+    dest: "{{ kubecfg }}"
+    flat: yes
+
+- name: Restrict permissions to kubeconfig to owner
+  delegate_to: localhost
+  become: no
+  file:
+    path: "{{ kubecfg }}"
+    state: file
+    mode: 0600
+
+  # The kubeconfig file that is generated by k3s on the target
+  # system identifies the server by the IP address.  This updates
+  # the file when it has been copied to the host to replace the
+  # IP address with the server name.  This is needed in the a
+  # cloud environment where the IP address seen on the host is not
+  # the public IP address.  For example:
+  #   server: 10.0.0.40:6443
+  # is changed to:
+  #   server: nuc2:6443
+  # (kubectl communicates with the cluster over port 16443 or 6443)
+- name: Replace server IP with DNS name in site_files copy
+  delegate_to: localhost
+  become: no
+  lineinfile:
+    state: present
+    path: "{{ kubecfg }}"
+    regexp: '^(\s+server: https:\/\/)[.0-9]+:(1?6443)'
+    backrefs: yes
+    line: '\1{{ k8s_dns_name }}:\2'
diff --git a/deploy/roles/k8s_accounts/templates/role_ecr_login.yml.j2 b/deploy/roles/k8s_accounts/templates/role_ecr_login.yml.j2
@@ -6,7 +6,7 @@ metadata:
   namespace: {{ app_namespace }}
 rules:
   - apiGroups: [""]
-    resources: ["secrets", "pods"]
+    resources: ["secrets", "pods", "pods/attach", "pods/log", "namespaces"]
     verbs: ["list", "get", "watch", "create", "update", "patch", "delete"]
   - apiGroups: [""]
     resources: ["serviceaccounts"]

diff --git a/deploy/roles/k8s_cert_manager/templates/letsencrypt_prod.yaml.j2 b/deploy/roles/k8s_cert_manager/templates/letsencrypt_prod.yaml.j2
@@ -1,7 +1,8 @@
 apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
+kind: Issuer
 metadata:
   name: letsencrypt-prod
+  namespace: {{ app_namespace }}
 spec:
   acme:
     # The ACME server URL

diff --git a/deploy/roles/k8s_cert_manager/templates/letsencrypt_staging.yaml.j2 b/deploy/roles/k8s_cert_manager/templates/letsencrypt_staging.yaml.j2
@@ -1,7 +1,8 @@
 apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
+kind: Issuer
 metadata:
   name: letsencrypt-staging
+  namespace: {{ app_namespace }}
 spec:
   acme:
     # The ACME server URL

diff --git a/deploy/roles/k8s_config/defaults/main.yml b/deploy/roles/k8s_config/defaults/main.yml
@@ -54,6 +54,7 @@ cert_issuer: letsencrypt-prod
 #######################################
 # Ingress configuration
 ingress_class: nginx
+ingress_namespace: ingress-nginx
 
 #######################################
 # Default Backup Schedule

diff --git a/deploy/roles/k8s_config/tasks/main.yml b/deploy/roles/k8s_config/tasks/main.yml
@@ -5,14 +5,12 @@
     state: directory
     mode: 0700
 
-- name: Create Kubernetes configuration files
+- name: Create Kubernetes configuration files for The Combine
   template:
     src: "{{ item }}.j2"
     dest: "{{ k8s_combine_cfg }}/{{ item }}"
     mode: 0600
   loop: "{{ k8s_resource_templates}}"
-  tags:
-    - config_only
 
 - name: Apply Kubernetes configuration
   command: kubectl --kubeconfig={{ kubecfg }} apply -f {{ item }}

diff --git a/deploy/roles/k8s_config/templates/ingress-combine.yaml.j2 b/deploy/roles/k8s_config/templates/ingress-combine.yaml.j2
@@ -1,13 +1,13 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: http-ingress
+  name: ingress-thecombine
   namespace: {{ app_namespace }}
   annotations:
     kubernetes.io/ingress.class: {{ ingress_class }}
     nginx.ingress.kubernetes.io/proxy-body-size: "250m"
 {% if "cert_manager" in k8s_components %}
-    cert-manager.io/cluster-issuer: {{ cert_issuer }}
+    cert-manager.io/issuer: {{ cert_issuer }}
 {% endif %}
 spec:
 {% if "cert_manager" in k8s_components %}

diff --git a/deploy/roles/k8s_install/defaults/main.yml b/deploy/roles/k8s_install/defaults/main.yml
@@ -7,10 +7,3 @@ k8s_required_pkgs:
   - apt-transport-https
   - ca-certificates
   - curl
-
-microk8s_addons:
-  - storage
-  - dns
-  - ingress
-  - helm3
-  - rbac