michael/IaC
1
0
Fork 0
Code Packages
Infrastructure as code templates
111 Commits 1 Branch 0 Tags 1.1 MiB
HCL 40.8%
Jinja 40.6%
Shell 17.9%
JavaScript 0.7%
5c72b57d9c
Go to file
michael 5c72b57d9c comment out containerd restart
2022-12-06 00:22:12 +13:00
ansible comment out containerd restart 2022-12-06 00:22:12 +13:00
notes doco 2022-11-02 01:03:56 +13:00
zz_archived added ebs hostpath storage 2022-11-10 01:09:46 +13:00
.gitignore added ebs hostpath storage 2022-11-10 01:09:46 +13:00
README.md add ebs to todo 2022-11-03 16:25:55 +13:00

README.md

The general idea is to bootstrap a bare metal host into a functioning kubernetes cluster. These playbooks/roles in their current state will create all kubernetes nodes on a single host. This is for lab/testing/learning type scenarios. With some adjustments though this could be used to provision multiple hypervisors, ideally with each running 2 VMs: a control-plane node and a worker node. If you've got the hardware or the cloud budget for that, then lucky you! 😄

An outline of the steps, which are roughly broken up by playbook:

  • Install Arch linux on the bare metal
  • Configure the bare metal Arch host as a hypervisor (qemu/kvm) - Link
  • Install Arch linux into a VM on the hypervisor then convert it to a template.
  • Deploy 3 (or more) VMs from the template (uses backing store qcow images) - Link
  • Create a kubernetes cluster from those 3 VMs - Link
  • Install calico networking into the cluster.
  • Remove the taint from control plane nodes. <-- Optional
  • Configure cluster storage using rook. <-- This didn't work due to hardware limitations (3 x VHDs on a single spinning HDD)
  • Possible storage setup using openEBS zfs or device local PV
  • Example PVC backups using one of stash/velero/gemini or other
  • Deploy workloads into the cluster

What you don't see here is setup/configuration of an Opnsense VM to act as a firewall, this is too far off from being possible to automate.

Opnsense provides firewall, routing (including BGP peering to calico nodes), DNS and acts as a HA proxy load balancer to the kubernetes nodes. I'll add notes at some point on how to configure opnsense but it's not something that can be done sensibly with ansible.

What you'll also need:

  • Clone the git repo.
  • Create a vault_password file (chmod 600) under the ansible directory.
  • Ensure .gitignore is correctly setup so that vault_password doesn't get commited to source control.
  • Create an ansible vault in your inventory directory tree to hold sensitive variables such as 'ansible_become_pass'. Again, .gitignore should ensure this vault file remains only on your workstation.

Check the defaults files for roles carefully. Variables are a scattered mess right now and need to be properly amalgamated.

Ansible roles were written to work on an Arch linux workstation, some tasks are intended to install packages to localhost (such as kubectl) and use pacman modules to do so. If you encounter problems with these steps, change those tasks to use your relevant package manager module, eg apt or yum.