1
0
IaC/README.md
2022-11-02 10:44:56 +13:00

31 lines
2.6 KiB
Markdown

The general idea is to bootstrap a bare metal host into a functioning kubernetes cluster.
These playbooks/roles in their current state will create all kubernetes nodes on a single host. This is for lab/testing/learning type scenarios.
With some adjustments though this could be used to provision multiple hypervisors, ideally with each running 2 VMs: a control-plane node and a worker node. If you've got the hardware or the cloud budget for that, then lucky you! :smile:
An outline of the steps, which are roughly broken up by playbook:
- [ ] Install Arch linux on the bare metal
- [x] Configure the bare metal Arch host as a hypervisor (qemu/kvm) - [Link](https://code.balsillie.net/michael/IaC/src/branch/master/ansible/playbooks/02_hypervisor.yaml)
- [ ] Install Arch linux into a VM on the hypervisor then convert it to a template.
- [x] Deploy 3 (or more) VMs from the template (uses backing store qcow images) - [Link](https://code.balsillie.net/michael/IaC/src/branch/master/ansible/playbooks/04_vm_deploy.yaml)
- [x] Create a kubernetes cluster from those 3 VMs - [Link](https://code.balsillie.net/michael/IaC/src/branch/master/ansible/playbooks/05_k8s_deploy.yaml)
- [x] Install calico networking into the cluster.
- [ ] Remove the taint from control plane nodes. <-- Optional
- [ ] Configure cluster storage, Rook?
- [ ] Deploy workloads into the cluster
What you don't see here is setup/configuration of an Opnsense VM to act as a firewall, this is too far off from being possible to automate.
Opnsense provides firewall, routing (including BGP peering to calico nodes), DNS and acts as a HA proxy load balancer to the kubernetes nodes. I'll add [notes](https://code.balsillie.net/michael/IaC/src/branch/master/notes/opnsense.md) at some point on how to configure opnsense but it's not something that can be done sensibly with ansible.
What you'll also need:
- Clone the git repo.
- Create a vault_password file (chmod 600) under the ansible directory.
- Ensure .gitignore is correctly setup so that vault_password doesn't get commited to source control.
- Create an ansible vault in your inventory directory tree to hold sensitive variables such as 'ansible_become_pass'. Again, .gitignore should ensure this vault file remains only on your workstation.
Check the defaults files for roles carefully. Variables are a scattered mess right now and need to be properly amalgamated.
Ansible roles were written to work on an Arch linux workstation, some tasks are intended to install packages to localhost (such as kubectl) and use pacman modules to do so. If you encounter problems with these steps, change those tasks to use your relevant package manager module, eg apt or yum.