nycmeshnet · james-otten · Jan 8, 2025 · Dec 25, 2024 · Dec 29, 2024 · Dec 29, 2024
diff --git a/.github/workflows/deploy_k8s_cluster.yaml b/.github/workflows/deploy_k8s_cluster.yaml
@@ -38,7 +38,7 @@ jobs:
           python-version: '3.11'
 
       - name: Setup ansible
-        run: pip install ansible && export PATH="$HOME/.local/bin:$PATH" && ansible-galaxy collection install cloud.terraform && ansible-galaxy collection install datadog.dd && ansible-galaxy collection install git+https://github.com/k3s-io/k3s-ansible.git,99fa632acb713758c8ee376e2a6cc9d03404914c
+        run: pip install ansible && export PATH="$HOME/.local/bin:$PATH" && ansible-galaxy collection install -r ansible/roles/requirements.yml
 
       - name: Setup Terraform with specified version on the runner
         uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # @v3

diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
@@ -40,3 +40,11 @@ jobs:
         if: success() || failure()
         with:
           sarif_file: results.sarif
+
+      - name: Run ansible-lint
+        uses: ansible/ansible-lint@c629b235398065e24ff44b5f1138028642c74a03
+        with:
+          args: ""
+          setup_python: "true"
+          working_directory: "./ansible/"
+          requirements_file: ""
diff --git a/ansible/.ansible-lint-ignore b/ansible/.ansible-lint-ignore
@@ -0,0 +1,2 @@
+roles/k8s_cluster_helm/tasks/main.yaml no-changed-when
+roles/k8s_lb/tasks/main.yaml no-changed-when
diff --git a/ansible/collections/requirements.yml b/ansible/collections/requirements.yml
diff --git a/ansible/k8s_infra.yaml b/ansible/k8s_infra.yaml
@@ -1,12 +1,13 @@
-- hosts: mgrs 
+- name: K8s Managers
+  hosts: mgrs
   become: true
   gather_facts: true
   roles:
-    - role: mesh-k8s-node
-    - role: mesh-mgr
+    - role: mesh_k8s_node
+    - role: mesh_mgr
     - role: k3s.orchestration.prereq # k3s-ansible
     - role: k3s.orchestration.k3s_server # k3s-ansible
-    - role: k8s-cluster-helm
+    - role: k8s_cluster_helm
   vars:
     k3s_version: v1.30.2+k3s2
     api_endpoint: "{{ K3S_API_ENDPOINT }}"
@@ -15,11 +16,12 @@
     extra_agent_args: ""
     server_group: "mgrs"
 
-- hosts: workers 
+- name: K8s Agents
+  hosts: workers
   become: true
   gather_facts: true
   roles:
-    - role: mesh-k8s-node
+    - role: mesh_k8s_node
     - role: k3s.orchestration.prereq # k3s-ansible
     - role: k3s.orchestration.k3s_agent # k3s-ansible
   vars:
@@ -29,8 +31,9 @@
     extra_server_args: ""
     extra_agent_args: ""
 
-- hosts: lb
+- name: Loadbalancer
+  hosts: lb
   become: true
   roles:
     - role: monitoring
-    - role: k8s-lb
+    - role: k8s_lb
diff --git a/...le/roles/k8s-cluster-helm/tasks/main.yaml → ...le/roles/k8s_cluster_helm/tasks/main.yaml b/...le/roles/k8s-cluster-helm/tasks/main.yaml → ...le/roles/k8s_cluster_helm/tasks/main.yaml
@@ -4,7 +4,7 @@
     dest: /root/longhorn_manifest.yaml
     owner: root
     group: root
-    mode: '0600'
+    mode: "0600"
 
 - name: Apply longhorn manifest
   ansible.builtin.command:
@@ -13,11 +13,11 @@
 
 - name: Copy datadog operator manifiest
   ansible.builtin.template:
-    src: ./templates/datadog_operator.yaml.j2
+    src: datadog_operator.yaml.j2
     dest: /root/datadog_operator.yaml
     owner: root
     group: root
-    mode: '0600'
+    mode: "0600"
 
 - name: Apply datadog operator manifest
   ansible.builtin.command:
@@ -26,11 +26,11 @@
 
 - name: Copy datadog agent manifiest
   ansible.builtin.template:
-    src: ./templates/datadog_agent.yaml.j2
+    src: datadog_agent.yaml.j2
     dest: /root/datadog_agent.yaml
     owner: root
     group: root
-    mode: '0600'
+    mode: "0600"
 
 - name: Apply datadog agent manifest
   ansible.builtin.command:
@@ -39,11 +39,11 @@
 
 - name: Copy traefik config
   ansible.builtin.template:
-    src: ./templates/traefik_config.yaml.j2
+    src: traefik_config.yaml.j2
     dest: /root/traefik_config.yaml
     owner: root
     group: root
-    mode: '0600'
+    mode: "0600"
 
 - name: Apply traefik config manifest
   ansible.builtin.command:

diff --git a/...ster-helm/templates/datadog_agent.yaml.j2 → ...ster_helm/templates/datadog_agent.yaml.j2 b/...ster-helm/templates/datadog_agent.yaml.j2 → ...ster_helm/templates/datadog_agent.yaml.j2
diff --git a/...r-helm/templates/datadog_operator.yaml.j2 → ...r_helm/templates/datadog_operator.yaml.j2 b/...r-helm/templates/datadog_operator.yaml.j2 → ...r_helm/templates/datadog_operator.yaml.j2
diff --git a/...-helm/templates/longhorn_manifest.yaml.j2 → ..._helm/templates/longhorn_manifest.yaml.j2 b/...-helm/templates/longhorn_manifest.yaml.j2 → ..._helm/templates/longhorn_manifest.yaml.j2
diff --git a/...ter-helm/templates/traefik_config.yaml.j2 → ...ter_helm/templates/traefik_config.yaml.j2 b/...ter-helm/templates/traefik_config.yaml.j2 → ...ter_helm/templates/traefik_config.yaml.j2
diff --git a/...le/roles/k8s-lb/files/haproxy.d_conf.yaml → ...le/roles/k8s_lb/files/haproxy.d_conf.yaml b/...le/roles/k8s-lb/files/haproxy.d_conf.yaml → ...le/roles/k8s_lb/files/haproxy.d_conf.yaml
diff --git a/ansible/roles/k8s-lb/tasks/main.yaml → ansible/roles/k8s_lb/tasks/main.yaml b/ansible/roles/k8s-lb/tasks/main.yaml → ansible/roles/k8s_lb/tasks/main.yaml
@@ -1,4 +1,3 @@
-
 - name: Install deps
   ansible.builtin.apt:
     lock_timeout: 240
@@ -29,32 +28,32 @@
     name: certbot==2.11.0
     virtualenv: /root/certbot_venv
     virtualenv_command: python3 -m venv
-    
-- name: certbot script
+
+- name: Certbot script
   ansible.builtin.template:
-    src: ../templates/certbot.sh.j2
+    src: certbot.sh.j2
     dest: /root/certbot.sh
     mode: "700"
 
-- name: dummy0 interface
+- name: Netplan dummy0 interface
   ansible.builtin.template:
-    src: ../templates/netplan_dummy0.yaml.j2
+    src: netplan_dummy0.yaml.j2
     dest: /etc/netplan/dummy0.yaml
     mode: "600"
 
-- name: dummy1 interface
+- name: Netplan dummy1 interface
   ansible.builtin.template:
-    src: ../templates/netplan_dummy1.yaml.j2
+    src: netplan_dummy1.yaml.j2
     dest: /etc/netplan/dummy1.yaml
     mode: "600"
   when: EXTERNAL_LISTEN_IPS | split(';') | length == 2
 
-- name: eth0 interface
+- name: Netplan eth0 interface
   ansible.builtin.template:
-    src: ../templates/netplan_50_cloud_init.yaml.j2
+    src: netplan_50_cloud_init.yaml.j2
     dest: /etc/netplan/50-cloud-init.yaml
     mode: "600"
-  
+
 - name: Install frr
   ansible.builtin.apt:
     update_cache: true
@@ -69,13 +68,15 @@
 
 - name: Config template frr
   ansible.builtin.template:
-    src: ../templates/frr.conf.j2
+    src: frr.conf.j2
     dest: /etc/frr/frr.conf
+    mode: "640"
 
 - name: Iptables rules
   ansible.builtin.template:
-    src: ../templates/iptables.j2
+    src: iptables.j2
     dest: /etc/iptables/rules.v4
+    mode: "600"
 
 - name: Restore iptables rules
   ansible.builtin.command:
@@ -98,10 +99,10 @@
     state: reloaded
     enabled: true
 
-- name: net.ipv4.ip_forward
+- name: Set net.ipv4.ip_forward
   ansible.posix.sysctl:
     name: net.ipv4.ip_forward
-    value: '1'
+    value: "1"
     sysctl_set: true
     state: present
     reload: true
@@ -110,7 +111,7 @@
   ansible.builtin.file:
     path: /etc/haproxy/ssl
     state: directory
-    mode: '0755'
+    mode: "0755"
 
 - name: Check if file exists
   ansible.builtin.stat:
@@ -119,8 +120,9 @@
 
 - name: Config template haproxy
   ansible.builtin.template:
-    src: ../templates/haproxy.cfg
+    src: haproxy.cfg
     dest: /etc/haproxy/haproxy.cfg
+    mode: "644"
 
 - name: Temporarily disable ssl (no cert yet)
   ansible.builtin.lineinfile:
@@ -137,13 +139,14 @@
   when: not lb_cert_file.stat.exists
 
 - name: Get cert
-  ansible.builtin.shell:
+  ansible.builtin.command:
     cmd: /root/certbot.sh
 
 - name: Re-apply config template haproxy (because certs should exist)
   ansible.builtin.template:
-    src: ../templates/haproxy.cfg
+    src: haproxy.cfg
     dest: /etc/haproxy/haproxy.cfg
+    mode: "644"
   when: not lb_cert_file.stat.exists
 
 - name: Reload and enable haproxy service
@@ -157,6 +160,7 @@
     path: /etc/cron.d/certbot_update_cert
     line: "2 1 * * 1   root    bash /root/certbot.sh 2>&1 > /dev/null"
     create: true
+    mode: "600"
 
 - name: Restart and enable cron service
   ansible.builtin.service:
@@ -170,6 +174,7 @@
     dest: /etc/datadog-agent/conf.d/haproxy.d/conf.yaml
     owner: dd-agent
     group: dd-agent
+    mode: "644"
 
 - name: Reload datadog
   ansible.builtin.systemd_service:

diff --git a/ansible/roles/k8s-lb/templates/certbot.sh.j2 → ansible/roles/k8s_lb/templates/certbot.sh.j2 b/ansible/roles/k8s-lb/templates/certbot.sh.j2 → ansible/roles/k8s_lb/templates/certbot.sh.j2
diff --git a/ansible/roles/k8s-lb/templates/frr.conf.j2 → ansible/roles/k8s_lb/templates/frr.conf.j2 b/ansible/roles/k8s-lb/templates/frr.conf.j2 → ansible/roles/k8s_lb/templates/frr.conf.j2
diff --git a/ansible/roles/k8s-lb/templates/haproxy.cfg → ansible/roles/k8s_lb/templates/haproxy.cfg b/ansible/roles/k8s-lb/templates/haproxy.cfg → ansible/roles/k8s_lb/templates/haproxy.cfg
diff --git a/ansible/roles/k8s-lb/templates/iptables.j2 → ansible/roles/k8s_lb/templates/iptables.j2 b/ansible/roles/k8s-lb/templates/iptables.j2 → ansible/roles/k8s_lb/templates/iptables.j2
diff --git a/...b/templates/netplan_50_cloud_init.yaml.j2 → ...b/templates/netplan_50_cloud_init.yaml.j2 b/...b/templates/netplan_50_cloud_init.yaml.j2 → ...b/templates/netplan_50_cloud_init.yaml.j2
diff --git a/...s/k8s-lb/templates/netplan_dummy0.yaml.j2 → ...s/k8s_lb/templates/netplan_dummy0.yaml.j2 b/...s/k8s-lb/templates/netplan_dummy0.yaml.j2 → ...s/k8s_lb/templates/netplan_dummy0.yaml.j2
diff --git a/...s/k8s-lb/templates/netplan_dummy1.yaml.j2 → ...s/k8s_lb/templates/netplan_dummy1.yaml.j2 b/...s/k8s-lb/templates/netplan_dummy1.yaml.j2 → ...s/k8s_lb/templates/netplan_dummy1.yaml.j2
diff --git a/ansible/roles/mesh-k8s-node/tasks/main.yaml → ansible/roles/mesh_k8s_node/tasks/main.yaml b/ansible/roles/mesh-k8s-node/tasks/main.yaml → ansible/roles/mesh_k8s_node/tasks/main.yaml
@@ -1,4 +1,3 @@
-
 - name: Install packages on each node
   ansible.builtin.apt:
     pkg:

diff --git a/ansible/roles/mesh-mgr/tasks/main.yaml → ansible/roles/mesh_mgr/tasks/main.yaml b/ansible/roles/mesh-mgr/tasks/main.yaml → ansible/roles/mesh_mgr/tasks/main.yaml
@@ -19,5 +19,7 @@
 
 - name: Extract install helm
   ansible.builtin.command:
-    cmd: "bash -c 'mkdir -p /root/helm_extracted && tar -xzf /root/helm-v3.15.3-linux-amd64.tar.gz -C /root/helm_extracted && cp /root/helm_extracted/linux-amd64/helm /usr/bin/helm && chmod +x /usr/bin/helm'"
+    cmd: "bash -c 'mkdir -p /root/helm_extracted &&
+      tar -xzf /root/helm-v3.15.3-linux-amd64.tar.gz -C /root/helm_extracted &&
+      cp /root/helm_extracted/linux-amd64/helm /usr/bin/helm && chmod +x /usr/bin/helm'"
     creates: /usr/bin/helm
diff --git a/ansible/roles/mesh-mgr/tasks/traefik.yml → ansible/roles/mesh_mgr/tasks/traefik.yml b/ansible/roles/mesh-mgr/tasks/traefik.yml → ansible/roles/mesh_mgr/tasks/traefik.yml
@@ -6,4 +6,4 @@
     patch:
       - op: replace
         path: /spec/ports/0/nodePort
-        value: {{ NODE_PORT }}
+        value: "{{ NODE_PORT }}"
diff --git a/ansible/roles/requirements.yml b/ansible/roles/requirements.yml
@@ -0,0 +1,9 @@
+collections:
+  - name: k3s.orchestration
+    source: git+https://github.com/k3s-io/k3s-ansible.git
+    type: git
+    version: 99fa632acb713758c8ee376e2a6cc9d03404914c
+  - name: datadog.dd
+    version: 5.8.0
+  - name: cloud.terraform
+    version: 3.0.0
diff --git a/ansible/roles/ssh-config/tasks/main.yaml → ansible/roles/ssh_config/tasks/main.yaml b/ansible/roles/ssh-config/tasks/main.yaml → ansible/roles/ssh_config/tasks/main.yaml
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		roles/k8s_cluster_helm/tasks/main.yaml no-changed-when
		roles/k8s_lb/tasks/main.yaml no-changed-when