feat(kubernetes): stable kubernetes with argo

Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>

roles/kubernetes_argocd/templates/ingress.yml.j2

@@ -1,13 +1,14 @@
+---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: argocd-ingress
   namespace: argocd
   annotations:
+    kubernetes.io/ingress.class: traefik
+    cert-manager.io/cluster-issuer: "{{ argocd_cert_resolver }}"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
-    cert-manager.io/cluster-issuer: "{{ argocd_cert_resolver }}"
-    traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
 spec:
   rules:
     - host: {{ argocd_hostname }}
@@ -22,5 +23,5 @@ spec:
                   number: 80
   tls:
     - hosts:
-        - {{ argocd_hostname }}
+      - {{ argocd_hostname }}
-      secretName: argocd-tls-secret
+      secretName: k3s-seyshiro-de-tls

roles/kubernetes_cert_manager/tasks/main.yml

@@ -67,3 +67,11 @@
   tags:
     - cert_manager
     - cluster_issuer
+
+- name: Create Let's Encrypt Certificate
+  kubernetes.core.k8s:
+    state: present
+    definition: "{{ lookup('ansible.builtin.template', 'certificate.yml.j2') | from_yaml }}"
+  tags:
+    - cert_manager
+    - certificate

roles/kubernetes_cert_manager/templates/certificate.yml.j2

@@ -0,0 +1,16 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: k3s-seyshiro-de
+  namespace: cert-manager
+spec:
+  secretName: k3s-seyshiro-de-tls
+  issuerRef:
+    name: {{ cert_manager_issuer_name }}
+    kind: ClusterIssuer
+  commonName: "*.k3s.seyshiro.de"
+  dnsNames:
+    - "k3s.seyshiro.de"
+    - "*.k3s.seyshiro.de"
+

roles/kubernetes_cert_manager/templates/clusterissuer.yml.j2

@@ -1,15 +1,19 @@
+---
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
+metadata:
+  name: "{{ cert_manager_issuer_name }}"
 spec:
-    # For staging: https://acme-staging-v02.api.letsencrypt.org/directory
+  acme:
-    # For production: https://acme-v02.api.letsencrypt.org/directory
     server: "{% if cert_manager_issuer_env == 'production' %}https://acme-v02.api.letsencrypt.org/directory{% else %}https://acme-staging-v02.api.letsencrypt.org/directory{% endif %}"
     email: "{{ cert_manager_email }}"
     privateKeySecretRef:
       name: "{{ cert_manager_issuer_name }}-account-key"
-
     solvers:
-    - dns01:
+    - selector:
+        dnsZones:
+          - 'k3s.seyshiro.de'
+      dns01:
         webhook:
             groupName: com.netcup.webhook
             solverName: netcup

roles/kubernetes_nfs/defaults/main.yml

@@ -0,0 +1,6 @@
+kubernetes_nfs_helm_name: nfs-subdir-external-provisioner
+kubernetes_nfs_helm_url: https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/
+kubernetes_nfs_helm_chart: nfs-subdir-external-provisioner/nfs-subdir-external-provisioner
+
+kubernetes_nfs_server_host: 192.168.20.1
+kubernetes_nfs_server_path: /nfs/

roles/kubernetes_nfs/tasks/main.yml

@@ -0,0 +1,16 @@
+---
+# helm repo add
+
+- name: Add a repository
+  kubernetes.core.helm_repository:
+    name: "{{ kubernetes_nfs_helm_name }}"
+    repo_url: "{{ kubernetes_nfs_helm_url }}"
+
+- name: Install NetCup Webhook
+  kubernetes.core.helm:
+    name: "{{ kubernetes_nfs_helm_name }}"
+    chart_ref: "{{ kubernetes_nfs_helm_chart }}"
+    create_namespace: true
+    set_values:
+      - value: "nfs.server={{ kubernetes_nfs_server_host }}"
+      - value: "nfs.path={{ kubernetes_nfs_server_path }}"

roles/kubernetes_traefik/templates/helmchartconfig.yaml.j2

@@ -6,10 +6,12 @@ metadata:
   namespace: kube-system
 spec:
   valuesContent: |-
-    dashboard:
+    logs:
-      enabled: true
+      access:
-      ingressRoute: false
+        enabled: true
-    ports:
+    ingressRoute:
-      websecure:
+      dashboard:
-        tls:
+        enabled: true
-          enabled: true
+    websecure:
+      tls:
+        enabled: true

roles/kubernetes_traefik/templates/ingress.yaml.j2

@@ -6,20 +6,22 @@ metadata:
   namespace: kube-system
   annotations:
     kubernetes.io/ingress.class: traefik
-    cert-manager.io/cluster-issuer: "{{ traefik_cert_resolver }}"
+    cert-manager.io/cluster-issuer: {{ traefik_cert_resolver }}
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
   rules:
-  - host: "{{ traefik_dashboard_hostname }}"
+    - host: {{ traefik_dashboard_hostname }}
-    http:
+      http:
-      paths:
+        paths:
-      - path: /
+          - path: /
-        pathType: Prefix
+            pathType: Prefix
-        backend:
+            backend:
-          service:
+              service:
-            name: traefik
+                name: traefik
-            port:
+                port:
-              name: traefik
+                  number: 8080
   tls:
-  - hosts:
+    - hosts:
-    - "{{ traefik_dashboard_hostname }}"
+      - {{ traefik_dashboard_hostname }}
-    secretName: traefik-dashboard-tls
+      secretName: k3s-seyshiro-de-tls

vars/group_vars/all/vars.yml

@@ -13,6 +13,8 @@ pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKqc9fnzfCz8fQDFzla+D8PBhvaMmFu2aF+
 public_domain: "tudattr.dev"
 internal_domain: "seyshiro.de"
 
+nfs_server: 192.168.20.12
+
 #
 # Packages
 #

vars/group_vars/kubernetes/vars.yml

@@ -13,3 +13,6 @@ argocd_hostname: "argocd.k3s.{{ domain }}"
 metallb_ip_range: "192.168.20.240-192.168.20.250"
 
 traefik_password: "{{ vault_kubernetes.traefik_password }}"
+
+kubernetes_nfs_server_host: "{{ nfs_server }}"
+kubernetes_nfs_server_path: /media/kubernetes