From d8fd09437945fa17023e333b75266f1336c6fce7 Mon Sep 17 00:00:00 2001
From: Tuan-Dat Tran
Date: Mon, 14 Jul 2025 22:57:04 +0200
Subject: [PATCH] feat(kubernetes): stable kubernetes with argo
Signed-off-by: Tuan-Dat Tran
---
 .../templates/ingress.yml.j2 | 9 +++---
 roles/kubernetes_cert_manager/tasks/main.yml | 8 +++++
 .../templates/certificate.yml.j2 | 16 ++++++++++
 .../templates/clusterissuer.yml.j2 | 12 +++++---
 roles/kubernetes_nfs/defaults/main.yml | 6 ++++
 roles/kubernetes_nfs/tasks/main.yml | 16 ++++++++++
 .../templates/helmchartconfig.yaml.j2 | 16 +++++-----
 .../templates/ingress.yaml.j2 | 30 ++++++++++---------
 vars/group_vars/all/vars.yml | 2 ++
 vars/group_vars/kubernetes/vars.yml | 3 ++
 10 files changed, 89 insertions(+), 29 deletions(-)
 create mode 100644 roles/kubernetes_cert_manager/templates/certificate.yml.j2
 create mode 100644 roles/kubernetes_nfs/defaults/main.yml
 create mode 100644 roles/kubernetes_nfs/tasks/main.yml
diff --git a/roles/kubernetes_argocd/templates/ingress.yml.j2 b/roles/kubernetes_argocd/templates/ingress.yml.j2
index 57da0da..8c75a50 100644
--- a/roles/kubernetes_argocd/templates/ingress.yml.j2
+++ b/roles/kubernetes_argocd/templates/ingress.yml.j2
@@ -1,13 +1,14 @@
+---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
 name: argocd-ingress
 namespace: argocd
 annotations:
+ kubernetes.io/ingress.class: traefik
+ cert-manager.io/cluster-issuer: "{{ argocd_cert_resolver }}"
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.tls: "true"
- cert-manager.io/cluster-issuer: "{{ argocd_cert_resolver }}"
- traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
 spec:
 rules:
 - host: {{ argocd_hostname }}
@@ -22,5 +23,5 @@ spec:
 number: 80
 tls:
 - hosts:
- {{ argocd_hostname }}
- secretName: argocd-tls-secret
+ - {{ argocd_hostname }}
+ secretName: k3s-seyshiro-de-tls 
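Review bot: The added `kubernetes.io/ingress.class: traefik` annotation is the deprecated way of selecting the controller; `ingressClassName: traefik` under `spec:` is the supported form and would also bring this template in line with how the Ingress API expects class selection today. Dropping `traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd` while the router is bound to `websecure` only means a plain-HTTP request for argocd_hostname is no longer redirected, it simply has no router; if the redirect is now configured at entrypoint level elsewhere, a one-line comment above the annotations saying so would stop the next reader from re-adding the middleware.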
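Review bot: `secretName: k3s-seyshiro-de-tls` names a Secret in the argocd namespace, but the Certificate added in certificate.yml.j2 writes a Secret of that name into the cert-manager namespace, and Secrets are namespace-scoped, so the wildcard certificate does not back this Ingress. Because the cluster-issuer annotation stays on the Ingress, cert-manager's ingress-shim will instead request its own certificate for argocd_hostname into a same-named Secret in argocd (and likewise in kube-system for the traefik ingress.yaml.j2 hunk), which works but issues one certificate per namespace and leaves the wildcard Certificate unused. If a single wildcard certificate is the intent, the Secret has to be made available in each consuming namespace (or served as Traefik's default certificate) and the per-Ingress cluster-issuer annotations dropped; a comment next to `secretName:` stating which of the two models is meant would make the reuse of the name across three templates deliberate rather than accidental.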
diff --git a/roles/kubernetes_cert_manager/tasks/main.yml b/roles/kubernetes_cert_manager/tasks/main.yml
index 093ee28..a45dea8 100644
--- a/roles/kubernetes_cert_manager/tasks/main.yml
+++ b/roles/kubernetes_cert_manager/tasks/main.yml
@@ -67,3 +67,11 @@
 tags:
 - cert_manager
 - cluster_issuer
+
+- name: Create Let's Encrypt Certificate
+ kubernetes.core.k8s:
+ state: present
+ definition: "{{ lookup('ansible.builtin.template', 'certificate.yml.j2') | from_yaml }}"
+ tags:
+ - cert_manager
+ - certificate
diff --git a/roles/kubernetes_cert_manager/templates/certificate.yml.j2 b/roles/kubernetes_cert_manager/templates/certificate.yml.j2
new file mode 100644
index 0000000..f619aac
--- /dev/null
+++ b/roles/kubernetes_cert_manager/templates/certificate.yml.j2
@@ -0,0 +1,16 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: k3s-seyshiro-de
+ namespace: cert-manager
+spec:
+ secretName: k3s-seyshiro-de-tls
+ issuerRef:
+ name: {{ cert_manager_issuer_name }}
+ kind: ClusterIssuer
+ commonName: "*.k3s.seyshiro.de"
+ dnsNames:
+ - "k3s.seyshiro.de"
+ - "*.k3s.seyshiro.de"
+
diff --git a/roles/kubernetes_cert_manager/templates/clusterissuer.yml.j2 b/roles/kubernetes_cert_manager/templates/clusterissuer.yml.j2
index 1faa913..badea9a 100644
--- a/roles/kubernetes_cert_manager/templates/clusterissuer.yml.j2
+++ b/roles/kubernetes_cert_manager/templates/clusterissuer.yml.j2
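Review bot: The domain in `commonName: "*.k3s.seyshiro.de"` and in both dnsNames is hard-coded, while the rest of the inventory derives hostnames from a variable (`argocd_hostname: "argocd.k3s.{{ domain }}"` in the kubernetes group vars), so a change of `domain` silently leaves this certificate on the old names; `commonName: "*.k3s.{{ domain }}"` and the matching `dnsNames` entries keep them in step. `name: {{ cert_manager_issuer_name }}` under issuerRef is the one unquoted Jinja value in these templates (the clusterissuer.yml.j2 hunk quotes the same variable); quoting it keeps an empty expansion an empty string instead of null. The same literal zone is repeated in the `dnsZones` selector of the clusterissuer.yml.j2 hunk and should come from the same variable.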
@@ -1,15 +1,19 @@
+---
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
+metadata:
+ name: "{{ cert_manager_issuer_name }}"
 spec:
- # For staging: https://acme-staging-v02.api.letsencrypt.org/directory
- # For production: https://acme-v02.api.letsencrypt.org/directory
+ acme:
 server: "{% if cert_manager_issuer_env == 'production' %}https://acme-v02.api.letsencrypt.org/directory{% else %}https://acme-staging-v02.api.letsencrypt.org/directory{% endif %}"
 email: "{{ cert_manager_email }}"
 privateKeySecretRef:
 name: "{{ cert_manager_issuer_name }}-account-key"
-
 solvers:
- - dns01:
+ - selector:
+ dnsZones:
+ - 'k3s.seyshiro.de'
+ dns01:
 webhook:
 groupName: com.netcup.webhook
 solverName: netcup
diff --git a/roles/kubernetes_nfs/defaults/main.yml b/roles/kubernetes_nfs/defaults/main.yml
new file mode 100644
index 0000000..7394fb3
--- /dev/null
+++ b/roles/kubernetes_nfs/defaults/main.yml
@@ -0,0 +1,6 @@
+kubernetes_nfs_helm_name: nfs-subdir-external-provisioner
+kubernetes_nfs_helm_url: https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/
+kubernetes_nfs_helm_chart: nfs-subdir-external-provisioner/nfs-subdir-external-provisioner
+
+kubernetes_nfs_server_host: 192.168.20.1
+kubernetes_nfs_server_path: /nfs/
diff --git a/roles/kubernetes_nfs/tasks/main.yml b/roles/kubernetes_nfs/tasks/main.yml
new file mode 100644
index 0000000..aa96ea4
--- /dev/null
+++ b/roles/kubernetes_nfs/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+# helm repo add
+
+- name: Add a repository
+ kubernetes.core.helm_repository:
+ name: "{{ kubernetes_nfs_helm_name }}"
+ repo_url: "{{ kubernetes_nfs_helm_url }}"
+
+- name: Install NetCup Webhook
+ kubernetes.core.helm:
+ name: "{{ kubernetes_nfs_helm_name }}"
+ chart_ref: "{{ kubernetes_nfs_helm_chart }}"
+ create_namespace: true
+ set_values:
+ - value: "nfs.server={{ kubernetes_nfs_server_host }}"
+ - value: "nfs.path={{ kubernetes_nfs_server_path }}"
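Review bot: The new `selector:` with `dnsZones: - 'k3s.seyshiro.de'` makes the only dns01 solver apply to names under that zone, so a Certificate requested from this ClusterIssuer for any other name (the inventory also defines `public_domain: "tudattr.dev"`) fails with no matching solver instead of falling back. If the issuer is meant to be zone-specific that is fine but deserves a comment above `solvers:` such as `# only solves k3s.seyshiro.de; other zones need their own solver entry`; otherwise drop the selector or append an unselected solver. The two removed comment lines were the only documentation of what `cert_manager_issuer_env` selects, so a one-line comment above `server:` naming the staging/production switch should come back. Indentation is not recoverable in this view, so whether `acme:` now wraps the existing server/email/privateKeySecretRef lines is assumed from the hunk, not seen.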
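Review bot: `kubernetes_nfs_server_host: 192.168.20.1` and `kubernetes_nfs_server_path: /nfs/` are site-specific values in a role default, and they disagree with what the same commit sets in the inventory (`nfs_server: 192.168.20.12` in group_vars/all and `/media/kubernetes` in the kubernetes group vars); group vars win by precedence, but a host outside that group silently provisions against a different server and export. Either leave the two keys out of defaults so a missing inventory value fails loudly, or keep them with a comment marking them as placeholders to override. The file also lacks the `---` document start that the new tasks file uses.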
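Review bot: The `kubernetes.core.helm` task installs `kubernetes_nfs_helm_chart` without a `chart_version`, so every run pulls whatever the remote repository serves at that moment and an upstream chart change lands in the cluster with no review step; pin it next to `chart_ref:` with `chart_version: "<pinned chart version>"` and bump it deliberately. `create_namespace: true` has no effect without a `release_namespace`, so the provisioner is released into the default namespace; set `release_namespace` explicitly. The task name `Install NetCup Webhook` reads as copied from another role and should describe this chart, e.g. `- name: Install NFS subdir external provisioner`.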
diff --git a/roles/kubernetes_traefik/templates/helmchartconfig.yaml.j2 b/roles/kubernetes_traefik/templates/helmchartconfig.yaml.j2
index ab7d0f8..2668b5f 100644
--- a/roles/kubernetes_traefik/templates/helmchartconfig.yaml.j2
+++ b/roles/kubernetes_traefik/templates/helmchartconfig.yaml.j2
@@ -6,10 +6,12 @@ metadata:
 namespace: kube-system
 spec:
 valuesContent: |-
- dashboard:
- enabled: true
- ingressRoute: false
- ports:
- websecure:
- tls:
- enabled: true
+ logs:
+ access:
+ enabled: true
+ ingressRoute:
+ dashboard:
+ enabled: true
+ websecure:
+ tls:
+ enabled: true
diff --git a/roles/kubernetes_traefik/templates/ingress.yaml.j2 b/roles/kubernetes_traefik/templates/ingress.yaml.j2
index 681b181..3443e98 100644
--- a/roles/kubernetes_traefik/templates/ingress.yaml.j2
+++ b/roles/kubernetes_traefik/templates/ingress.yaml.j2
@@ -6,20 +6,22 @@ metadata:
 namespace: kube-system
 annotations:
 kubernetes.io/ingress.class: traefik
- cert-manager.io/cluster-issuer: "{{ traefik_cert_resolver }}"
+ cert-manager.io/cluster-issuer: {{ traefik_cert_resolver }}
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
 rules:
- - host: "{{ traefik_dashboard_hostname }}"
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: traefik
- port:
- name: traefik
+ - host: {{ traefik_dashboard_hostname }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: traefik
+ port:
+ number: 8080
 tls:
- - hosts:
- - "{{ traefik_dashboard_hostname }}"
- secretName: traefik-dashboard-tls
+ - hosts:
+ - {{ traefik_dashboard_hostname }}
+ secretName: k3s-seyshiro-de-tls
diff --git a/vars/group_vars/all/vars.yml b/vars/group_vars/all/vars.yml
index 887806c..88924d0 100644
--- a/vars/group_vars/all/vars.yml
+++ b/vars/group_vars/all/vars.yml
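Review bot: On the new side the `websecure: tls: enabled: true` lines no longer appear under a `ports:` key as they did on the removed side; indentation is not visible in this view, but if `websecure` has become a top-level value it is not a chart value and TLS on the websecure entrypoint silently stays at the chart default, so `ports:` should be restored above it. `ingressRoute: dashboard: enabled: true` publishes the dashboard through the chart's own IngressRoute, which carries no authentication unless a middleware is attached to it, and none is set here although a `traefik_password` vault value exists in the kubernetes group vars. Worth confirming which entrypoints that IngressRoute is bound to and attaching a basic-auth middleware in the dashboard block, or leaving the chart route off and exposing the dashboard only through the separate Ingress in ingress.yaml.j2 with auth on it.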
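Review bot: `cert-manager.io/cluster-issuer: {{ traefik_cert_resolver }}` drops the quotes the removed line had, while the argocd ingress.yml.j2 hunk keeps them; an empty expansion now renders as a null annotation value and the object is rejected, so `cert-manager.io/cluster-issuer: "{{ traefik_cert_resolver }}"` is the safer and consistent form. The backend switches from the named port `traefik` to `number: 8080`; confirm the traefik Service in kube-system actually exposes 8080, because a port number that no Service port matches shows up as a 503 at request time rather than as a template error. The new side terminates TLS and forwards to the dashboard with no `traefik.ingress.kubernetes.io/router.middlewares` annotation, so unless an auth middleware is applied elsewhere the dashboard is reachable by anyone who can resolve `traefik_dashboard_hostname`; the `traefik_password` value in the kubernetes group vars suggests a basic-auth middleware was intended to be referenced here.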
@@ -13,6 +13,8 @@ pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKqc9fnzfCz8fQDFzla+D8PBhvaMmFu2aF+
 public_domain: "tudattr.dev"
 internal_domain: "seyshiro.de"
+nfs_server: 192.168.20.12
+
 #
 # Packages
 #
diff --git a/vars/group_vars/kubernetes/vars.yml b/vars/group_vars/kubernetes/vars.yml
index 46d617e..aa06c3c 100644
--- a/vars/group_vars/kubernetes/vars.yml
+++ b/vars/group_vars/kubernetes/vars.yml
@@ -13,3 +13,6 @@ argocd_hostname: "argocd.k3s.{{ domain }}"
 metallb_ip_range: "192.168.20.240-192.168.20.250"
 traefik_password: "{{ vault_kubernetes.traefik_password }}"
+
+kubernetes_nfs_server_host: "{{ nfs_server }}"
+kubernetes_nfs_server_path: /media/kubernetes