diff --git a/.github/workflows/deploy_k8s_cluster.yaml b/.github/workflows/deploy_k8s_cluster.yaml index 3438809..b671d8a 100644 --- a/.github/workflows/deploy_k8s_cluster.yaml +++ b/.github/workflows/deploy_k8s_cluster.yaml @@ -38,7 +38,7 @@ jobs: python-version: '3.11' - name: Setup ansible - run: pip install ansible && export PATH="$HOME/.local/bin:$PATH" && ansible-galaxy collection install cloud.terraform && ansible-galaxy collection install datadog.dd && ansible-galaxy collection install git+https://github.com/k3s-io/k3s-ansible.git,99fa632acb713758c8ee376e2a6cc9d03404914c + run: pip install ansible && export PATH="$HOME/.local/bin:$PATH" && ansible-galaxy collection install -r ansible/roles/requirements.yml - name: Setup Terraform with specified version on the runner uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # @v3 diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index 598303b..107c761 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml @@ -40,3 +40,11 @@ jobs: if: success() || failure() with: sarif_file: results.sarif + + - name: Run ansible-lint + uses: ansible/ansible-lint@c629b235398065e24ff44b5f1138028642c74a03 + with: + args: "" + setup_python: "true" + working_directory: "./ansible/" + requirements_file: "" diff --git a/ansible/.ansible-lint-ignore b/ansible/.ansible-lint-ignore new file mode 100644 index 0000000..f6a6005 --- /dev/null +++ b/ansible/.ansible-lint-ignore @@ -0,0 +1,2 @@ +roles/k8s_cluster_helm/tasks/main.yaml no-changed-when +roles/k8s_lb/tasks/main.yaml no-changed-when diff --git a/ansible/collections/requirements.yml b/ansible/collections/requirements.yml deleted file mode 100644 index 93afd5c..0000000 --- a/ansible/collections/requirements.yml +++ /dev/null @@ -1,5 +0,0 @@ -collections: - - name: k3s.orchestration - source: git+https://github.com/k3s-io/k3s-ansible.git - type: git - version: 99fa632acb713758c8ee376e2a6cc9d03404914c \ No newline at end of file 
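Review bot: `pip install ansible` in the Setup ansible step is still unpinned, so the controller version floats between runs while everything around it is now pinned — the collections in ansible/roles/requirements.yml by commit or exact version, and the setup-terraform action by SHA. Switching to a requirements file does not buy reproducibility if the tool that reads it drifts; pin it as `run: pip install "ansible==<PINNED_ANSIBLE_VERSION>" && export PATH="$HOME/.local/bin:$PATH" && ansible-galaxy collection install -r ansible/roles/requirements.yml`, with the version recorded next to the collection pins. If the project wants the same supply-chain guarantee for PyPI that it already has for Galaxy and Actions, a hashed requirements file with `pip install --require-hashes -r` is the next step.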
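Review bot: The new ansible-lint step passes `requirements_file: ""`, yet the playbook under ./ansible/ references roles from the git-sourced k3s.orchestration collection and modules from datadog.dd, so the linter will presumably run without those collections installed and may report the roles as unresolvable or skip argument checks on their modules. Point it at the pinned file, e.g. `requirements_file: "roles/requirements.yml"`, and confirm whether the action resolves that path relative to `working_directory` or to the repository root before merging.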
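Review bot: Both entries suppress `no-changed-when` for an entire task file rather than for the command tasks that trigger it (the kubectl applies in k8s_cluster_helm and `cmd: /root/certbot.sh` in k8s_lb), so any `command`/`shell` task added to those files later is exempt too, and every run keeps reporting those tasks as changed. Prefer fixing the tasks themselves — `changed_when: false` where the command is idempotent, or a condition on a registered result — and dropping this file, so check-mode and change counts stay meaningful.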
diff --git a/ansible/k8s_infra.yaml b/ansible/k8s_infra.yaml index 9490b84..ace3679 100644 --- a/ansible/k8s_infra.yaml +++ b/ansible/k8s_infra.yaml @@ -1,12 +1,13 @@ -- hosts: mgrs +- name: K8s Managers + hosts: mgrs become: true gather_facts: true roles: - - role: mesh-k8s-node - - role: mesh-mgr + - role: mesh_k8s_node + - role: mesh_mgr - role: k3s.orchestration.prereq # k3s-ansible - role: k3s.orchestration.k3s_server # k3s-ansible - - role: k8s-cluster-helm + - role: k8s_cluster_helm vars: k3s_version: v1.30.2+k3s2 api_endpoint: "{{ K3S_API_ENDPOINT }}" @@ -15,11 +16,12 @@ extra_agent_args: "" server_group: "mgrs" -- hosts: workers +- name: K8s Agents + hosts: workers become: true gather_facts: true roles: - - role: mesh-k8s-node + - role: mesh_k8s_node - role: k3s.orchestration.prereq # k3s-ansible - role: k3s.orchestration.k3s_agent # k3s-ansible vars: @@ -29,8 +31,9 @@ extra_server_args: "" extra_agent_args: "" -- hosts: lb +- name: Loadbalancer + hosts: lb become: true roles: - role: monitoring - - role: k8s-lb + - role: k8s_lb diff --git a/ansible/roles/k8s-cluster-helm/tasks/main.yaml b/ansible/roles/k8s_cluster_helm/tasks/main.yaml similarity index 84% rename from ansible/roles/k8s-cluster-helm/tasks/main.yaml rename to ansible/roles/k8s_cluster_helm/tasks/main.yaml index 205256f..7b2ac3e 100644 --- a/ansible/roles/k8s-cluster-helm/tasks/main.yaml +++ b/ansible/roles/k8s_cluster_helm/tasks/main.yaml @@ -4,7 +4,7 @@ dest: /root/longhorn_manifest.yaml owner: root group: root - mode: '0600' + mode: "0600" - name: Apply longhorn manifest ansible.builtin.command: @@ -13,11 +13,11 @@ - name: Copy datadog operator manifiest ansible.builtin.template: - src: ./templates/datadog_operator.yaml.j2 + src: datadog_operator.yaml.j2 dest: /root/datadog_operator.yaml owner: root group: root - mode: '0600' + mode: "0600" - name: Apply datadog operator manifest ansible.builtin.command: 
@@ -26,11 +26,11 @@ - name: Copy datadog agent manifiest ansible.builtin.template: - src: ./templates/datadog_agent.yaml.j2 + src: datadog_agent.yaml.j2 dest: /root/datadog_agent.yaml owner: root group: root - mode: '0600' + mode: "0600" - name: Apply datadog agent manifest ansible.builtin.command: @@ -39,11 +39,11 @@ - name: Copy traefik config ansible.builtin.template: - src: ./templates/traefik_config.yaml.j2 + src: traefik_config.yaml.j2 dest: /root/traefik_config.yaml owner: root group: root - mode: '0600' + mode: "0600" - name: Apply traefik config manifest ansible.builtin.command: diff --git a/ansible/roles/k8s-cluster-helm/templates/datadog_agent.yaml.j2 b/ansible/roles/k8s_cluster_helm/templates/datadog_agent.yaml.j2 similarity index 100% rename from ansible/roles/k8s-cluster-helm/templates/datadog_agent.yaml.j2 rename to ansible/roles/k8s_cluster_helm/templates/datadog_agent.yaml.j2 diff --git a/ansible/roles/k8s-cluster-helm/templates/datadog_operator.yaml.j2 b/ansible/roles/k8s_cluster_helm/templates/datadog_operator.yaml.j2 similarity index 100% rename from ansible/roles/k8s-cluster-helm/templates/datadog_operator.yaml.j2 rename to ansible/roles/k8s_cluster_helm/templates/datadog_operator.yaml.j2 diff --git a/ansible/roles/k8s-cluster-helm/templates/longhorn_manifest.yaml.j2 b/ansible/roles/k8s_cluster_helm/templates/longhorn_manifest.yaml.j2 similarity index 100% rename from ansible/roles/k8s-cluster-helm/templates/longhorn_manifest.yaml.j2 rename to ansible/roles/k8s_cluster_helm/templates/longhorn_manifest.yaml.j2 diff --git a/ansible/roles/k8s-cluster-helm/templates/traefik_config.yaml.j2 b/ansible/roles/k8s_cluster_helm/templates/traefik_config.yaml.j2 similarity index 100% rename from ansible/roles/k8s-cluster-helm/templates/traefik_config.yaml.j2 rename to ansible/roles/k8s_cluster_helm/templates/traefik_config.yaml.j2 
diff --git a/ansible/roles/k8s-lb/files/haproxy.d_conf.yaml b/ansible/roles/k8s_lb/files/haproxy.d_conf.yaml similarity index 100% rename from ansible/roles/k8s-lb/files/haproxy.d_conf.yaml rename to ansible/roles/k8s_lb/files/haproxy.d_conf.yaml diff --git a/ansible/roles/k8s-lb/tasks/main.yaml b/ansible/roles/k8s_lb/tasks/main.yaml similarity index 88% rename from ansible/roles/k8s-lb/tasks/main.yaml rename to ansible/roles/k8s_lb/tasks/main.yaml index afabfe8..a25989f 100644 --- a/ansible/roles/k8s-lb/tasks/main.yaml +++ b/ansible/roles/k8s_lb/tasks/main.yaml @@ -1,4 +1,3 @@ - - name: Install deps ansible.builtin.apt: lock_timeout: 240 @@ -29,32 +28,32 @@ name: certbot==2.11.0 virtualenv: /root/certbot_venv virtualenv_command: python3 -m venv - -- name: certbot script + +- name: Certbot script ansible.builtin.template: - src: ../templates/certbot.sh.j2 + src: certbot.sh.j2 dest: /root/certbot.sh mode: "700" -- name: dummy0 interface +- name: Netplan dummy0 interface ansible.builtin.template: - src: ../templates/netplan_dummy0.yaml.j2 + src: netplan_dummy0.yaml.j2 dest: /etc/netplan/dummy0.yaml mode: "600" -- name: dummy1 interface +- name: Netplan dummy1 interface ansible.builtin.template: - src: ../templates/netplan_dummy1.yaml.j2 + src: netplan_dummy1.yaml.j2 dest: /etc/netplan/dummy1.yaml mode: "600" when: EXTERNAL_LISTEN_IPS | split(';') | length == 2 -- name: eth0 interface +- name: Netplan eth0 interface ansible.builtin.template: - src: ../templates/netplan_50_cloud_init.yaml.j2 + src: netplan_50_cloud_init.yaml.j2 dest: /etc/netplan/50-cloud-init.yaml mode: "600" - + - name: Install frr ansible.builtin.apt: update_cache: true 
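Review bot: The file modes added in this hunk drop the leading zero (`mode: "700"`, `mode: "600"`) while the hunk at line 110 of the same file keeps `mode: "0755"`; Ansible parses both forms when quoted, but the mixed style makes it easy for a later edit to unquote one and silently turn 600 into decimal 600. Write them uniformly as `mode: "0700"` and `mode: "0600"`. The restrictive mode on the netplan files is the right call, since they presumably carry addressing for the load balancer and recent netplan releases warn when their config is world-readable.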
@@ -69,13 +68,15 @@ - name: Config template frr ansible.builtin.template: - src: ../templates/frr.conf.j2 + src: frr.conf.j2 dest: /etc/frr/frr.conf + mode: "640" - name: Iptables rules ansible.builtin.template: - src: ../templates/iptables.j2 + src: iptables.j2 dest: /etc/iptables/rules.v4 + mode: "600" - name: Restore iptables rules ansible.builtin.command: @@ -98,10 +99,10 @@ state: reloaded enabled: true -- name: net.ipv4.ip_forward +- name: Set net.ipv4.ip_forward ansible.posix.sysctl: name: net.ipv4.ip_forward - value: '1' + value: "1" sysctl_set: true state: present reload: true @@ -110,7 +111,7 @@ ansible.builtin.file: path: /etc/haproxy/ssl state: directory - mode: '0755' + mode: "0755" - name: Check if file exists ansible.builtin.stat: @@ -119,8 +120,9 @@ - name: Config template haproxy ansible.builtin.template: - src: ../templates/haproxy.cfg + src: haproxy.cfg dest: /etc/haproxy/haproxy.cfg + mode: "644" - name: Temporarily disable ssl (no cert yet) ansible.builtin.lineinfile: @@ -137,13 +139,14 @@ when: not lb_cert_file.stat.exists - name: Get cert - ansible.builtin.shell: + ansible.builtin.command: cmd: /root/certbot.sh - name: Re-apply config template haproxy (because certs should exist) ansible.builtin.template: - src: ../templates/haproxy.cfg + src: haproxy.cfg dest: /etc/haproxy/haproxy.cfg + mode: "644" when: not lb_cert_file.stat.exists - name: Reload and enable haproxy service @@ -157,6 +160,7 @@ path: /etc/cron.d/certbot_update_cert line: "2 1 * * 1 root bash /root/certbot.sh 2>&1 > /dev/null" create: true + mode: "600" - name: Restart and enable cron service ansible.builtin.service: @@ -170,6 +174,7 @@ dest: /etc/datadog-agent/conf.d/haproxy.d/conf.yaml owner: dd-agent group: dd-agent + mode: "644" - name: Reload datadog ansible.builtin.systemd_service: 
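Review bot: `mode: "640"` on /etc/frr/frr.conf is added without `owner`/`group`, so when the template creates the file it ends up root:root (the play runs with become) and a daemon running as the frr user can no longer read it; if the package already created the file as frr:frr, template keeps that ownership and it works only by accident. Make it explicit with `owner: frr` and `group: frr` next to the mode, and consider `validate: "vtysh -C -f %s"` so a broken rendering never replaces the live config. The `mode: "600"` on /etc/iptables/rules.v4 is fine as is, since only root reads that file.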
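Review bot: The hunks at lines 119, 137 and 170 add `mode: "644"` to /etc/haproxy/haproxy.cfg and /etc/datadog-agent/conf.d/haproxy.d/conf.yaml, making them world-readable on the load balancer. Both are templates whose content is outside this diff, but haproxy configs commonly embed stats-socket or `stats auth` credentials, and the Datadog haproxy check config typically carries the stats endpoint and its login, so nothing beyond each file's own reader needs access: haproxy normally reads its config as root before dropping privileges, and the agent runs as dd-agent, which the task already sets as owner. `mode: "0600"` for haproxy.cfg and `mode: "0640"` for the Datadog conf keep the intent without widening exposure.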
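Review bot: The cron entry this hunk now locks down with `mode: "600"` still has its redirections in the wrong order: in `bash /root/certbot.sh 2>&1 > /dev/null`, stderr is duplicated onto the original stdout before stdout is discarded, so certbot errors go to cron's mailer while normal output is dropped. If a silent job is intended, the line should read `line: "2 1 * * 1 root bash /root/certbot.sh > /dev/null 2>&1"`; if surfacing failures by mail is intended, a comment saying so would stop the next reader from "fixing" it. The mode itself is fine — cron reads /etc/cron.d as root and only requires entries to be root-owned and not writable by group or other.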
diff --git a/ansible/roles/k8s-lb/templates/certbot.sh.j2 b/ansible/roles/k8s_lb/templates/certbot.sh.j2 similarity index 100% rename from ansible/roles/k8s-lb/templates/certbot.sh.j2 rename to ansible/roles/k8s_lb/templates/certbot.sh.j2 diff --git a/ansible/roles/k8s-lb/templates/frr.conf.j2 b/ansible/roles/k8s_lb/templates/frr.conf.j2 similarity index 100% rename from ansible/roles/k8s-lb/templates/frr.conf.j2 rename to ansible/roles/k8s_lb/templates/frr.conf.j2 diff --git a/ansible/roles/k8s-lb/templates/haproxy.cfg b/ansible/roles/k8s_lb/templates/haproxy.cfg similarity index 100% rename from ansible/roles/k8s-lb/templates/haproxy.cfg rename to ansible/roles/k8s_lb/templates/haproxy.cfg diff --git a/ansible/roles/k8s-lb/templates/iptables.j2 b/ansible/roles/k8s_lb/templates/iptables.j2 similarity index 100% rename from ansible/roles/k8s-lb/templates/iptables.j2 rename to ansible/roles/k8s_lb/templates/iptables.j2 diff --git a/ansible/roles/k8s-lb/templates/netplan_50_cloud_init.yaml.j2 b/ansible/roles/k8s_lb/templates/netplan_50_cloud_init.yaml.j2 similarity index 100% rename from ansible/roles/k8s-lb/templates/netplan_50_cloud_init.yaml.j2 rename to ansible/roles/k8s_lb/templates/netplan_50_cloud_init.yaml.j2 diff --git a/ansible/roles/k8s-lb/templates/netplan_dummy0.yaml.j2 b/ansible/roles/k8s_lb/templates/netplan_dummy0.yaml.j2 similarity index 100% rename from ansible/roles/k8s-lb/templates/netplan_dummy0.yaml.j2 rename to ansible/roles/k8s_lb/templates/netplan_dummy0.yaml.j2 diff --git a/ansible/roles/k8s-lb/templates/netplan_dummy1.yaml.j2 b/ansible/roles/k8s_lb/templates/netplan_dummy1.yaml.j2 similarity index 100% rename from ansible/roles/k8s-lb/templates/netplan_dummy1.yaml.j2 rename to ansible/roles/k8s_lb/templates/netplan_dummy1.yaml.j2 
diff --git a/ansible/roles/mesh-k8s-node/tasks/main.yaml b/ansible/roles/mesh_k8s_node/tasks/main.yaml similarity index 99% rename from ansible/roles/mesh-k8s-node/tasks/main.yaml rename to ansible/roles/mesh_k8s_node/tasks/main.yaml index 4ae6824..ed34639 100644 --- a/ansible/roles/mesh-k8s-node/tasks/main.yaml +++ b/ansible/roles/mesh_k8s_node/tasks/main.yaml @@ -1,4 +1,3 @@ - - name: Install packages on each node ansible.builtin.apt: pkg: diff --git a/ansible/roles/mesh-mgr/tasks/main.yaml b/ansible/roles/mesh_mgr/tasks/main.yaml similarity index 69% rename from ansible/roles/mesh-mgr/tasks/main.yaml rename to ansible/roles/mesh_mgr/tasks/main.yaml index 18e495d..21217d1 100644 --- a/ansible/roles/mesh-mgr/tasks/main.yaml +++ b/ansible/roles/mesh_mgr/tasks/main.yaml @@ -19,5 +19,7 @@ - name: Extract install helm ansible.builtin.command: - cmd: "bash -c 'mkdir -p /root/helm_extracted && tar -xzf /root/helm-v3.15.3-linux-amd64.tar.gz -C /root/helm_extracted && cp /root/helm_extracted/linux-amd64/helm /usr/bin/helm && chmod +x /usr/bin/helm'" + cmd: "bash -c 'mkdir -p /root/helm_extracted && + tar -xzf /root/helm-v3.15.3-linux-amd64.tar.gz -C /root/helm_extracted && + cp /root/helm_extracted/linux-amd64/helm /usr/bin/helm && chmod +x /usr/bin/helm'" creates: /usr/bin/helm diff --git a/ansible/roles/mesh-mgr/tasks/traefik.yml b/ansible/roles/mesh_mgr/tasks/traefik.yml similarity index 85% rename from ansible/roles/mesh-mgr/tasks/traefik.yml rename to ansible/roles/mesh_mgr/tasks/traefik.yml index 9acac12..33732b9 100644 --- a/ansible/roles/mesh-mgr/tasks/traefik.yml +++ b/ansible/roles/mesh_mgr/tasks/traefik.yml @@ -6,4 +6,4 @@ patch: - op: replace path: /spec/ports/0/nodePort - value: {{ NODE_PORT }} + value: "{{ NODE_PORT }}" diff --git a/ansible/roles/requirements.yml b/ansible/roles/requirements.yml new file mode 100644 index 0000000..2098194 --- /dev/null +++ b/ansible/roles/requirements.yml 
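Review bot: Folding the `bash -c '…'` string across three lines makes it readable but leaves four shell operations in one opaque task that bypasses Ansible's own idempotence and mode handling; the `creates: /usr/bin/helm` guard is the only thing making it re-runnable, and the binary is installed with whatever mode `chmod +x` yields under the current umask. The same work is clearer as native modules — `ansible.builtin.file` for the directory, `ansible.builtin.unarchive` with `remote_src: true` for the tarball, and `ansible.builtin.copy` with `remote_src: true` and an explicit `mode: "0755"` for the binary. The task that downloads /root/helm-v3.15.3-linux-amd64.tar.gz is outside this hunk; if it does not pass `checksum:` to get_url, the binary installed into /usr/bin is unverified, which is worth fixing in the same pass.
```yaml
- name: Create helm extraction directory
  ansible.builtin.file:
    path: /root/helm_extracted
    state: directory
    mode: "0755"

- name: Extract helm archive
  ansible.builtin.unarchive:
    src: /root/helm-v3.15.3-linux-amd64.tar.gz
    dest: /root/helm_extracted
    remote_src: true
    creates: /root/helm_extracted/linux-amd64/helm

- name: Install helm binary
  ansible.builtin.copy:
    src: /root/helm_extracted/linux-amd64/helm
    dest: /usr/bin/helm
    remote_src: true
    owner: root
    group: root
    mode: "0755"
```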
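Review bot: Quoting the value makes the file parse (a bare `{{` opens a YAML flow mapping), but `"{{ NODE_PORT }}"` now renders as text, and `/spec/ports/0/nodePort` is an int32 field that the API server rejects when handed a string; whether Ansible converts the rendered value back to an integer depends on the templating settings in use, so do not rely on it. Use `value: "{{ NODE_PORT | int }}"` and confirm once, e.g. with a debug of `NODE_PORT | int | type_debug`, that the module receives an integer. The enclosing task, including the module name, starts outside this hunk.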
@@ -0,0 +1,9 @@ +collections: + - name: k3s.orchestration + source: git+https://github.com/k3s-io/k3s-ansible.git + type: git + version: 99fa632acb713758c8ee376e2a6cc9d03404914c + - name: datadog.dd + version: 5.8.0 + - name: cloud.terraform + version: 3.0.0 diff --git a/ansible/roles/ssh-config/tasks/main.yaml b/ansible/roles/ssh_config/tasks/main.yaml similarity index 100% rename from ansible/roles/ssh-config/tasks/main.yaml rename to ansible/roles/ssh_config/tasks/main.yaml
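Review bot: The `version:` values for datadog.dd and cloud.terraform are unquoted — `5.8.0` happens to parse as a string, but a future two-component pin such as `3.1` would become a float and no longer match a Galaxy release, so write `version: "5.8.0"` and `version: "3.0.0"` now. The pins themselves are good: exact versions for Galaxy and a commit rather than a branch for the git source. The file also lives under ansible/roles/ while declaring only `collections:`; tooling such as AWX and ansible-lint's own dependency install look for `collections/requirements.yml` by convention (the path this commit deletes), so either keep that path or document why the roles directory was chosen.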