add new k8s-cluster (#559)

Reviewed-on: #559
2023-08-23 23:20:26 +02:00 · 2023-08-23 23:20:26 +02:00 · 13ea2e8719
commit 13ea2e8719
parent 88fd592b4c
14 changed files with 111 additions and 67 deletions
--- a/docker-compose/routeros-config-export/docker-compose.yml
+++ b/docker-compose/routeros-config-export/docker-compose.yml
@ -15,7 +15,7 @@ services:
              hex.grote.lan,routeros-config-backup,/key_hex
              crs305.grote.lan,routeros-config-backup,/key_crs305
      GIT_REPO_BRANCH: "master"
-      GIT_REPO_URL: "ssh://gitea@git.mgrote.net:2222/mg/routeros-configs.git"
+      GIT_REPO_URL: "ssh://gitea@gitea.grote.lan:2222/mg/routeros-configs.git"
      GIT_REPO_DEPLOY_KEY: "/deploy_token"
      GIT_USERNAME: oxidized-selfmade
      GIT_USER_MAIL: michael.grote@posteo.de
--- a/docker-compose/traefik/file-provider.yml
+++ b/docker-compose/traefik/file-provider.yml
@ -1,20 +1,4 @@
 # TCP da SSH keine Hostnamen kennt
 # alle Anfragen an diesen Port werden an Gitea weitergeleitet
 tcp:
 ###### router #####
  routers:
    router-ssh:
      entryPoints:
        - entry_ssh
      rule: HostSNI(`*`)
      service: service_gitea_ssh
 ###### services #####
  services:
    service_gitea_ssh:
      loadBalancer:
        servers:
          - address: gitea.grote.lan:2222
 http:
 ###### router #####
  routers:
--- a/group_vars/gitea.yml
+++ b/group_vars/gitea.yml
@ -40,7 +40,7 @@
      from_ip: 192.168.2.144/24
  ### l3d.gitea
  # config liegt in /etc/gitea/gitea.ini
-  gitea_version: "1.20.0"
+  gitea_version: "1.20.3"
  gitea_app_name: "Gitea"
  gitea_user: "gitea"
  gitea_home: "/var/lib/gitea"
@ -76,7 +76,7 @@
  gitea_db_path: "{{ gitea_home }}/data/gitea.db" # for sqlite3
  gitea_ssh_listen: 0.0.0.0
-  gitea_ssh_domain: git.mgrote.net
+  gitea_ssh_domain: gitea.grote.lan
  gitea_ssh_port: 2222
  gitea_start_ssh: true
--- a/group_vars/k3s.yml
+++ b/group_vars/k3s.yml
@ -0,0 +1,81 @@
 ---
  ### Allgemein
  kubeconfig: /etc/rancher/k3s/k3s.yaml
  ### mgrote.restic
  restic_folders_to_backup: "/ /var" # --one-file-system ist gesetzt, also werden weitere Dateisysteme nicht eingeschlossen, es sei denn sie werden hier explizit angegeben; https://restic.readthedocs.io/en/latest/040_backup.html#excluding-files
  ### pandemonium1986.ansible-role-k9s
  k9s_version: "v0.27.3"
  ### mrlesmithjr.ansible-manage-lvm
  #lvm_groups:
  # - vgname: vg_gitea_data
  #   disks:
  #     - /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1
  #   create: true
  #   lvnames:
  #     - lvname: lv_gitea_data
  #       size: +100%FREE
  #       create: true
  #       filesystem: xfs
  #       mount: true
  #       mntp: /var/lib/gitea
  #manage_lvm: true
  #pvresize_to_max: true
  ### oefenweb.ufw
  ufw_rules:
      - rule: allow
        comment: 'k3s - alles offen'
        from_ip: 0.0.0.0/0
  ### pyratlabs.k3s
  k3s_state: installed
  k3s_release_version: v1.25.11+k3s1
  k3s_airgap: false
  k3s_config_file: /etc/rancher/k3s/config.yaml
  k3s_build_cluster: true
  k3s_install_dir: /usr/local/bin
  k3s_etcd_datastore: true
  k3s_become: true
  k3s_use_experimental: true
  k3s_debug: false
  k3s_server:
    # siehe https://docs.k3s.io/reference/server-config
    # cli parameter OHNE -- am anfang
    write-kubeconfig-mode: '644'
    cluster-cidr: "10.42.0.0/16"
    service-cidr: "10.43.0.0/16"
    disable:
      - traefik
      - local-storage # disables local-path-provisioner
      - disable-helm-controller # https://fluxcd.io/flux/cheatsheets/troubleshooting/
  ### mgrote.fluxcd
  flux_repo_host: gitea.grote.lan
  flux_repo_host_port: 2222
  flux_repo_branch: master
  flux_repo_url_complete: "ssh://gitea@{{ flux_repo_host }}:{{ flux_repo_host_port }}/mg/manifests.git"
  flux_install_host: k3s4.grote.lan
  flux_homedir: /home/flux
  flux_path_ssh_dir: /home/flux/.ssh
  flux_user_group: flux
  flux_user: flux
  flux_download_url: https://github.com/fluxcd/flux2/releases/download/v2.0.1/flux_2.0.1_linux_amd64.tar.gz # updaten
  flux_path_bin: /usr/local/sbin
  flux_path_ssh_id_file: id_rsa
  flux_ssh_key_format: ed25519
  flux_sync_interval: 1m
  ### mgrote.apt_manage_packages
  apt_packages_extra:
    - nfs-common # für nfs-subdir-external-provisioner
  ### mgrote.sealed-secrets
  sealed_secrets_homedir: /home/sealed_secrets
  sealed_secrets_user_group: sealed_secrets
  sealed_secrets_user: sealed_secrets
  kubeseal_download_url: "https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.19.1/kubeseal-0.19.1-linux-amd64.tar.gz" #updaten
  kubeseal_path_bin: /usr/local/sbin
  sealed_secrets_keepass_entry_name: "{{ lookup('keepass', 'k3s-sealed-secrets-private-key', 'notes') }}"
--- a/host_vars/k3s4.grote.lan.yml
+++ b/host_vars/k3s4.grote.lan.yml
@ -0,0 +1,3 @@
 ---
  ### pyratlabs.k3s
  k3s_control_node: true
--- a/host_vars/pve5.grote.lan.yml
+++ b/host_vars/pve5.grote.lan.yml
@ -169,7 +169,7 @@
  ### mgrote.cv4pve-autosnap
  cv4pve_api_user: root@pam!cv4pve-autosnap
  cv4pve_api_token: "{{ lookup('keepass', 'cv4pve_api_token', 'password') }}"
-  cv4pve_vmid: all,-106,-115
+  cv4pve_vmid: all,-106,-112,-115
  cv4pve_keep_snapshots: 5
  cv4pve_dl_link: "https://github.com/Corsinvest/cv4pve-autosnap/releases/download/v1.14.7/cv4pve-autosnap-linux-x64.zip"
--- a/4
+++ b/4
@ -15,6 +15,9 @@ all:
    docker:
      hosts:
        docker10.grote.lan:
    k3s:
      hosts:
        k3s4.grote.lan:
    vmtest:
      hosts:
        vm-test-2204.grote.lan:
@ -45,6 +48,7 @@ all:
        gitea.grote.lan:
        docker10.grote.lan:
        pbs.grote.lan:
        k3s4.grote.lan:
    test:
      hosts:
        vm-test-2204.grote.lan:
--- a/keepass_db.kdbx
+++ b/keepass_db.kdbx
--- a/playbooks/3_service/k3s.yml
+++ b/playbooks/3_service/k3s.yml
@ -0,0 +1,10 @@
 ---
 - hosts: k3s
  roles:
    - { role: PyratLabs.k3s, tags: "k3s" }
    - { role: mgrote.k8s_autocompletion, tags: "autocomp" }
    - { role: pandemonium1986.ansible-role-k9s, tags: "k9s", become: true }
    - { role: mgrote.fluxcd, tags: "flux", become: true }
    - { role: mgrote.k8s_misc, tags: "misc", become: true }
    - { role: mgrote.sealed-secrets, tags: "sealed-secrets", become: true }
    - { role: geerlingguy.helm, tags: "helm", become: true }
--- a/playbooks/3_service/nfs.yml
+++ b/playbooks/3_service/nfs.yml
@ -0,0 +1,4 @@
 ---
 - hosts: nfs
  roles:
    - { role: geerlingguy.nfs_server, tags: "nfs", become: true }
--- a/roles/mgrote.fluxcd/defaults/main.yml
+++ b/roles/mgrote.fluxcd/defaults/main.yml
@ -1,8 +1,8 @@
 ---
-  flux_repo_host: git.mgrote.net
+  flux_repo_host: gitea.grote.lan
  flux_repo_host_port: 2222
  flux_repo_branch: master
-  flux_repo_url_complete: ssh://gitea@git.mgrote.net:2222/mg/k3s-fluxcd.git
+  flux_repo_url_complete: "ssh://gitea@{{ flux_repo_host }}:{{ flux_repo_host_port }}/mg/manifests.git"
  flux_install_host: k3s1.grote.lan
  flux_homedir: /home/flux
  flux_path_ssh_dir: /home/flux/.ssh
--- a/roles/mgrote.sealed-secrets/README.md
+++ b/roles/mgrote.sealed-secrets/README.md
@ -2,42 +2,6 @@
 Diese Rolle installiert das kubeseal-Binary und hinterlegt den Private-Key im Cluster.
 Der Key ist im Keepass im Eintrag unter "Notes" abgelegt. Sollten die Secrets neu verschlüsselt werden ist hier wieder der aktuelle Private-Key abzulegen.
 Siehe: https://github.com/bitnami-labs/sealed-secrets#how-can-i-do-a-backup-of-my-sealedsecrets
 ## Backup
 `kubectl get secret -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml >main.key`
 ## Restore
 ```
 kubectl apply -f main.key
 kubectl delete pod -n kube-system -l name=sealed-secrets-controller
 ```
 ## Erstellen eines verschlüsselten Secrets
 - Wichtig ist "stringData", wird nur "data" verwendet ist der Inhalt base64 zu enkodieren.
 1. lege Secret mit Klartext VALUE als Datei() an
    ```
      kind: Secret
      apiVersion: v1
      metadata:
        name: NAME_DES_SECRETS
        namespace: drone
      stringData:
        ICH_BIN_DER VARIABLEN_NAME: ICH_BIN_DAS_PASSWORT
    ```
 2. diese Datei mit kubeseal verschlüsseln
    ```
    cat <datei> | kubeseal --controller-namespace kube-system --format yaml > sealed-secret.yaml
    ```
 3. den Inhalt dann als Secret im Repo ablegen ablegen
 ## Verwenden des Secrets
 ```
@ -47,9 +11,3 @@ kubectl delete pod -n kube-system -l name=sealed-secrets-controller
      name: NAME_DES_SECRETS
      key: ICH_BIN_DER VARIABLEN_NAME
 ```
 ## Auslesen eines Klartext-Secrets  aus dem Cluster
 ```
 kubectl get secret <secretname> -n <namespace> -o jsonpath="{.data.<key>}" | base64 --decode ; echo""
 ```
--- a/roles/mgrote.sealed-secrets/defaults/main.yml
+++ b/roles/mgrote.sealed-secrets/defaults/main.yml
@ -5,4 +5,4 @@
  kubeseal_download_url: "https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.19.1/kubeseal-0.19.1-linux-amd64.tar.gz"
  kubeseal_path_bin: /usr/local/sbin
  kubeconfig: /etc/rancher/k3s/k3s.yaml
-  sealed_secrets_keepass_entry_name: "{{ lookup('keepass', 'k3s-sealed-secrets-private-key', 'notes') }}"
+  sealed_secrets_keepass_entry_name: "{{ lookup('keepass', 'k3s-sealed-secrets-private-key', 'notes') }}" # mit kubectl get secret -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml >main.key holen
--- a/roles/mgrote.sealed-secrets/tasks/import.yml
+++ b/roles/mgrote.sealed-secrets/tasks/import.yml
@ -1,6 +1,6 @@
 ---
  - name: check if private key exists
-    ansible.builtin.command: kubectl get secrets sealed-secrets-key9mpfq -n kube-system
+    ansible.builtin.command: kubectl get secrets sealed-secrets-keytsq4k -n kube-system
    register: key
    ignore_errors: yes
    changed_when: false
@ -13,7 +13,7 @@
      group: root
      mode: '0400'
    when: key.rc not in [ 0 ]
-    no_log: True
+    #no_log: True
  - name: apply private key
    ansible.builtin.command: kubectl apply -f /root/private.key