Test ansible output regression workaround #2;Refactor vapp properties;Add kube-vip dependency;Refactor netplan;Download/Trust root CA

2023-01-21 16:12:11 +01:00
parent 43d83e8e31
commit d67bf86dab
13 changed files with 141 additions and 56 deletions
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/k3s.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/k3s.yml
@ -27,7 +27,7 @@
    chdir: /opt/metacluster/k3s
  environment:
    INSTALL_K3S_SKIP_DOWNLOAD: 'true'
-    INSTALL_K3S_EXEC: "server --cluster-init --token {{ vapp['metacluster.token'] }} --disable local-storage --config /etc/rancher/k3s/config.yaml"
+    INSTALL_K3S_EXEC: "server --cluster-init --token {{ vapp['metacluster.token'] }} --tls-san {{ vapp['metacluster.vip'] }} --disable local-storage --config /etc/rancher/k3s/config.yaml"
  when: ansible_facts.services['k3s.service'] is undefined

 - name: Debug possible taints on k3s node
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/kube-vip.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/kube-vip.yml
@ -0,0 +1,27 @@
+- name: Generate kube-vip manifest
+  ansible.builtin.command:
+    cmd: >-
+      ctr run --rm --net-host ghcr.io/kube-vip/kube-vip:{{ components.kubevip.version }} vip \
+        /kube-vip manifest daemonset \
+          --interface eth0 \
+          --address {{ vapp['metacluster.vip'] }} \
+          --inCluster \
+          --taint \
+          --controlplane \
+          --services \
+          --arp \
+          --leaderElection
+  register: kubevip_manifest
+
+- name: Inject manifests
+  ansible.builtin.copy:
+    dest: /var/lib/rancher/k3s/server/manifests/kubevip-manifest.yaml
+    content: >-
+      {{ lookup('ansible.builtin.file', '/opt/metacluster/kube-vip/rbac.yaml') }}
+      ---
+      {{ kubevip_manifest.stdout }}
+  notify:
+    - Apply manifests
+
+- name: Trigger handlers
+  ansible.builtin.meta: flush_handlers
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/main.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/main.yml
@ -1,5 +1,6 @@
 - import_tasks: init.yml
 - import_tasks: k3s.yml
+- import_tasks: kube-vip.yml
 - import_tasks: assets.yml
 - import_tasks: ingress.yml
 - import_tasks: storage.yml
--- a/ansible/roles/firstboot/files/ansible_payload/common/roles/network/tasks/main.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/common/roles/network/tasks/main.yml
@ -6,6 +6,13 @@
  ansible.builtin.template:
    src: netplan.j2
    dest: /etc/netplan/00-installer-config.yaml
+  vars:
+    _template:
+      macaddress: "{{ ansible_facts.ansible_facts.default_ipv4.macaddress }}"
+      ipaddress: "{{ vapp['guestinfo.ipaddress'] }}"
+      prefixlength: "{{ vapp['guestinfo.prefixlength'] }}"
+      gateway: "{{ vapp['guestinfo.gateway'] }}"
+      dnsserver: "{{ vapp['guestinfo.dnsserver'] }}"

 - name: Apply netplan configuration
  ansible.builtin.shell:
--- a/ansible/roles/firstboot/files/ansible_payload/common/roles/network/templates/netplan.j2
+++ b/ansible/roles/firstboot/files/ansible_payload/common/roles/network/templates/netplan.j2
@ -1,10 +1,13 @@
 network:
  version: 2
  ethernets:
-    ens192:
+    id0:
+      set-name: eth0
+      match:
+        macaddress: {{ _template.macaddress }}
      addresses:
-      - {{ vapp['guestinfo.ipaddress'] }}/{{ vapp['guestinfo.prefixlength'] }}
-      gateway4: {{ vapp['guestinfo.gateway'] }}
+      - {{ _template.ipaddress }}/{{ _template.prefixlength }}
+      gateway4: {{ _template.gateway }}
      nameservers:
        addresses:
-        - {{ vapp['guestinfo.dnsserver'] }}
+        - {{ _template.dnsserver }}
--- a/ansible/roles/firstboot/files/ansible_payload/upgrade/roles/metacluster/tasks/init.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/upgrade/roles/metacluster/tasks/init.yml
@ -0,0 +1,30 @@
+- name: Configure fallback name resolution
+  ansible.builtin.lineinfile:
+    path: /etc/hosts
+    line: "{{ vapp['metacluster.vip'] }}  {{ item + '.' + vapp['metacluster.fqdn'] }}"
+    state: present
+  loop:
+    # TODO: Make this list dynamic
+    - ca
+    - git
+    - gitops
+    - ingress
+    - registry
+    - storage
+
+- name: Retrieve root CA certificate
+  ansible.builtin.uri:
+    url: https://ca.{{ vapp['metacluster.fqdn'] }}/roots
+    validate_certs: no
+    method: GET
+    status_code: [200, 201]
+  register: rootca_certificate
+
+- name: Store root CA certificate
+  ansible.builtin.copy:
+    dest: /usr/local/share/ca-certificates/root_ca.crt
+    content: "{{ rootca_certificate.json.crts | list | join('\n') }}"
+
+- name: Update certificate truststore
+  ansible.builtin.command:
+    cmd: update-ca-certificates
--- a/ansible/roles/firstboot/files/ansible_payload/upgrade/roles/metacluster/tasks/main.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/upgrade/roles/metacluster/tasks/main.yml
@ -1,4 +1,4 @@
-# - import_tasks: init.yml
+- import_tasks: init.yml
 - import_tasks: k3s.yml
 # - import_tasks: assets.yml
 # - import_tasks: ingress.yml