From b579aa2f1f8cd7ce0373840da357f0ee0cdc818f Mon Sep 17 00:00:00 2001
From: Bradley Bickford
Date: Mon, 11 Nov 2024 11:00:31 -0500
Subject: [PATCH] moving some things around
---
.vscode/settings.json | 4 +-
ansible.cfg | 4 +-
inventories/core_infrastructure | 26 +-
inventories/kubernetes | 18 +-
.../database.yml => IaC_database.yml} | 326 +++++++++--------
playbooks/fedora_configure_node_for_k8s.yml | 152 ++++---
playbooks/make_ansible_user.yml | 62 ++--
playbooks/patch.yml | 32 +-
playbooks/podman_setup.yml | 114 +++--
playbooks/rocky_configure_node_for_k8s.yml | 230 ++++++------
10 files changed, 484 insertions(+), 484 deletions(-)
rename playbooks/{quadlets/database.yml => IaC_database.yml} (96%)
diff --git a/.vscode/settings.json b/.vscode/settings.json
index 67873ac..e87e473 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,3 +1,3 @@
-{
- "ansible.python.interpreterPath": "c:\\Program Files\\Python312\\python.exe"
+{
+ "ansible.python.interpreterPath": "c:\\Program Files\\Python312\\python.exe"
 }
\ No newline at end of file
diff --git a/ansible.cfg b/ansible.cfg
index dd43d2b..b23a35a 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,2 +1,2 @@
-[defaults]
-host_key_checking = false
+[defaults]
+host_key_checking = false
diff --git a/inventories/core_infrastructure b/inventories/core_infrastructure
index 7a007de..0e2a19a 100644
--- a/inventories/core_infrastructure
+++ b/inventories/core_infrastructure
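Review bot: `host_key_checking = false` under `[defaults]` in the ansible.cfg hunk turns off SSH host-key verification for every play in this repository, so a machine answering on one of the inventory addresses is never distinguished from the real node; this hunk re-adds the line unchanged, so the setting predates the commit. It matters most for make_ansible_user.yml in the same commit, which uses `become_method: su` and therefore presumably sends a root password over these connections. Prefer leaving verification on and seeding known_hosts for the inventory hosts, or at least limit the exposure to first contact with `[ssh_connection]` / `ssh_args = -o StrictHostKeyChecking=accept_new`.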
@@ -1,13 +1,13 @@
-[ansible_nodes]
-blacktide ansible_host=192.168.3.2 connection=local
-
-[podman_nodes]
-arcade ansible_host=10.20.24.3
-beachpolice ansible_host=10.42.0.3
-bulletinboard ansible_host=10.26.48.3
-lifeguard ansible_host=172.16.132.4
-beachsidelibrary ansible_host=10.12.34.3
-
-[pfsense_nodes]
-openocean ansible_host=172.16.132.2
-boardwalk ansible_host=10.77.7.2
+[ansible_nodes]
+blacktide ansible_host=192.168.3.2 connection=local
+
+[podman_nodes]
+arcade ansible_host=10.20.24.3
+beachpolice ansible_host=10.42.0.3
+bulletinboard ansible_host=10.26.48.3
+lifeguard ansible_host=172.16.132.4
+beachsidelibrary ansible_host=10.12.34.3
+
+[pfsense_nodes]
+openocean ansible_host=172.16.132.2
+boardwalk ansible_host=10.77.7.2
diff --git a/inventories/kubernetes b/inventories/kubernetes
index 7886129..670f509 100644
--- a/inventories/kubernetes
+++ b/inventories/kubernetes
@@ -1,9 +1,9 @@
-[masters]
-kubemaster ansible_host=10.20.24.4 master=true
-
-[workers]
-kubeworker1 ansible_host=10.20.24.5 worker=true
-kubeworker2 ansible_host=10.20.24.6 worker=true
-
-[ansible_nodes]
-ansible ansible_host=10.20.24.3 connection=local
+[masters]
+kubemaster ansible_host=10.20.24.4 master=true
+
+[workers]
+kubeworker1 ansible_host=10.20.24.5 worker=true
+kubeworker2 ansible_host=10.20.24.6 worker=true
+
+[ansible_nodes]
+ansible ansible_host=10.20.24.3 connection=local
diff --git a/playbooks/quadlets/database.yml b/playbooks/IaC_database.yml
similarity index 96%
rename from playbooks/quadlets/database.yml
rename to playbooks/IaC_database.yml
index 4138fe4..662cc83 100644
--- a/playbooks/quadlets/database.yml
+++ b/playbooks/IaC_database.yml
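Review bot: `connection=local` on the `ansible` host in the kubernetes inventory (and on `blacktide` in the core_infrastructure hunk above) is an ordinary host variable, not the `ansible_connection` keyword, so as far as I can tell Ansible will still open SSH to 10.20.24.3 / 192.168.3.2 instead of running locally unless something outside this diff consumes that variable. The intended lines are `ansible ansible_host=10.20.24.3 ansible_connection=local` and `blacktide ansible_host=192.168.3.2 ansible_connection=local`. `master=true` / `worker=true` deserve a second look too: the INI inventory parser keeps values that are not Python literals as strings, so the playbooks' `when: worker | default(false)` is testing a non-empty string and a future `worker=false` would still be truthy — `worker=True`, or a boolean in group_vars, avoids that trap. Both inventory hunks re-add their lines unchanged.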
@@ -1,164 +1,164 @@ ---- -- hosts: beachsidelibrary - become: true - become_method: sudo - become_user: root - vars: - postgres_device: "/dev/vdc" - postgres_vg_name: "vg_postgres" - postgres_lv_name: "lv_pgdata" - postgres_data_directory: "/pgdata" - mysql_device: "/dev/vdd" - mysql_vg_name: "vg_mysql" - mysql_lv_name: "lv_mysql_data" - mysql_data_directory: "/mysql_data" - vars_prompt: - - name: psql_password - prompt: "Enter psql Password: " - private: true - encrypt: sha512_crypt - confirm: true - salt_size: 7 - - name: mysql_password - prompt: "Enter mysql Password: " - private: true - encrypt: sha512_crypt - confirm: true - salt_size: 7 - tasks: - - name: Create psql user - ansible.builtin.user: - name: psql - password: "{{ psql_password }}" - comment: "Podman user for Postgresql Database" - uid: 2000 - - - name: Build /pgdata mount - ansible.builtin.import_role: - name: make_lvm_mount - vars: - device_name: "{{ postgres_device }}" - vg_name: "{{ postgres_vg_name }}" - lvs: - - lv_name: "{{ postgres_lv_name }}" - lv_size: "100%FREE" - directories: - - name: "{{ postgres_data_directory }}" - owner: psql - group: psql - mode: "0755" - lv: "{{ postgres_lv_name }}" - - - name: Create mysql user - ansible.builtin.user: - name: mysql - password: "{{ mysql_password }}" - comment: "Podman user for MySQL Database" - uid: 2001 - - - name: Build /mysql_data mount - ansible.builtin.import_role: - name: make_lvm_mount - vars: - device_name: "{{ mysql_device }}" - vg_name: "{{ mysql_vg_name }}" - lvs: - - lv_name: "{{ mysql_lv_name }}" - lv_size: "100%FREE" - directories: - - name: "{{ mysql_data_directory }}" - owner: mysql - group: mysql - mode: "0755" - lv: "{{ mysql_lv_name }}" - - - name: Write subuid user entry for psql - ansible.builtin.lineinfile: - path: /etc/subuid - line: "psql:100000:2000" - insertafter: EOF - create: true - state: present - - - name: Write subuid user entry for mysql - ansible.builtin.lineinfile: - path: /etc/subuid - line: "mysql:102000:2000" 
- insertafter: EOF - create: true - state: present - - - name: Write subgid group entry for psql - ansible.builtin.lineinfile: - path: /etc/subgid - line: "psql:100000:2000" - insertafter: EOF - create: true - state: present - - - name: Write subgid group entry for mysql - ansible.builtin.lineinfile: - path: /etc/subgid - line: "mysql:102000:2000" - insertafter: EOF - create: true - state: present - - - name: Configure firewalld for postgres - ansible.posix.firewalld: - service: postgresql - state: enabled - permanent: true - immediate: true - - - name: Configure firewalld for mysql - ansible.posix.firewalld: - service: mysql - state: enabled - permanent: true - immediate: true - - - name: Build postgres quadlet - containers.podman.podman_container: - name: postgres - image: "postgres:latest" - state: quadlet - quadlet_filename: "postgres-quadlet" - quadlet_file_mode: "0640" - user: "psql" - ports: - - "5432:5432" - volumes: - - "{{ postgres_data_directory }}:/var/lib/postgresql/data" - quadlet_options: - - "AutoUpdate=registry" - - "Pull=newer" - - "" - - | - [Install] - WantedBy=default.target - env: - - POSTGRES_PASSWORD: "{{ psql_password }}" - - - name: Build mysql quadlet - containers.podman.podman_container: - name: mysql - image: "mysql:latest" - state: quadlet - quadlet_filename: "mysql-quadlet" - quadlet_file_mode: "0640" - user: "mysql" - ports: - - "3306:3306" - volumes: - - "{{ mysql_data_directory }}:/var/lib/mysql" - quadlet_options: - - "AutoUpdate=registry" - - "Pull=newer" - - "" - - | - [Install] - WantedBy=default.target - env: - - MYSQL_ROOT_PASSWORD: "{{ psql_password }}" +--- +- hosts: beachsidelibrary + become: true + become_method: sudo + become_user: root + vars: + postgres_device: "/dev/vdc" + postgres_vg_name: "vg_postgres" + postgres_lv_name: "lv_pgdata" + postgres_data_directory: "/pgdata" + mysql_device: "/dev/vdd" + mysql_vg_name: "vg_mysql" + mysql_lv_name: "lv_mysql_data" + mysql_data_directory: "/mysql_data" + vars_prompt: + - 
name: psql_password + prompt: "Enter psql Password: " + private: true + encrypt: sha512_crypt + confirm: true + salt_size: 7 + - name: mysql_password + prompt: "Enter mysql Password: " + private: true + encrypt: sha512_crypt + confirm: true + salt_size: 7 + tasks: + - name: Create psql user + ansible.builtin.user: + name: psql + password: "{{ psql_password }}" + comment: "Podman user for Postgresql Database" + uid: 2000 + + - name: Build /pgdata mount + ansible.builtin.import_role: + name: make_lvm_mount + vars: + device_name: "{{ postgres_device }}" + vg_name: "{{ postgres_vg_name }}" + lvs: + - lv_name: "{{ postgres_lv_name }}" + lv_size: "100%FREE" + directories: + - name: "{{ postgres_data_directory }}" + owner: psql + group: psql + mode: "0755" + lv: "{{ postgres_lv_name }}" + + - name: Create mysql user + ansible.builtin.user: + name: mysql + password: "{{ mysql_password }}" + comment: "Podman user for MySQL Database" + uid: 2001 + + - name: Build /mysql_data mount + ansible.builtin.import_role: + name: make_lvm_mount + vars: + device_name: "{{ mysql_device }}" + vg_name: "{{ mysql_vg_name }}" + lvs: + - lv_name: "{{ mysql_lv_name }}" + lv_size: "100%FREE" + directories: + - name: "{{ mysql_data_directory }}" + owner: mysql + group: mysql + mode: "0755" + lv: "{{ mysql_lv_name }}" + + - name: Write subuid user entry for psql + ansible.builtin.lineinfile: + path: /etc/subuid + line: "psql:100000:2000" + insertafter: EOF + create: true + state: present + + - name: Write subuid user entry for mysql + ansible.builtin.lineinfile: + path: /etc/subuid + line: "mysql:102000:2000" + insertafter: EOF + create: true + state: present + + - name: Write subgid group entry for psql + ansible.builtin.lineinfile: + path: /etc/subgid + line: "psql:100000:2000" + insertafter: EOF + create: true + state: present + + - name: Write subgid group entry for mysql + ansible.builtin.lineinfile: + path: /etc/subgid + line: "mysql:102000:2000" + insertafter: EOF + create: true + state: 
present + + - name: Configure firewalld for postgres + ansible.posix.firewalld: + service: postgresql + state: enabled + permanent: true + immediate: true + + - name: Configure firewalld for mysql + ansible.posix.firewalld: + service: mysql + state: enabled + permanent: true + immediate: true + + - name: Build postgres quadlet + containers.podman.podman_container: + name: postgres + image: "postgres:latest" + state: quadlet + quadlet_filename: "postgres-quadlet" + quadlet_file_mode: "0640" + user: "psql" + ports: + - "5432:5432" + volumes: + - "{{ postgres_data_directory }}:/var/lib/postgresql/data" + quadlet_options: + - "AutoUpdate=registry" + - "Pull=newer" + - "" + - | + [Install] + WantedBy=default.target + env: + - POSTGRES_PASSWORD: "{{ psql_password }}" + + - name: Build mysql quadlet + containers.podman.podman_container: + name: mysql + image: "mysql:latest" + state: quadlet + quadlet_filename: "mysql-quadlet" + quadlet_file_mode: "0640" + user: "mysql" + ports: + - "3306:3306" + volumes: + - "{{ mysql_data_directory }}:/var/lib/mysql" + quadlet_options: + - "AutoUpdate=registry" + - "Pull=newer" + - "" + - | + [Install] + WantedBy=default.target + env: + - MYSQL_ROOT_PASSWORD: "{{ psql_password }}" \ No newline at end of file diff --git a/playbooks/fedora_configure_node_for_k8s.yml b/playbooks/fedora_configure_node_for_k8s.yml index 9c6961e..88b4565 100644 --- a/playbooks/fedora_configure_node_for_k8s.yml +++ b/playbooks/fedora_configure_node_for_k8s.yml 
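Review bot: The mysql quadlet's last line, `MYSQL_ROOT_PASSWORD: "{{ psql_password }}"`, reuses the Postgres prompt; it should read `MYSQL_ROOT_PASSWORD: "{{ mysql_password }}"`, otherwise both database roots share one secret and the mysql prompt only ever reaches the OS account. Separately, both `vars_prompt` entries set `encrypt: sha512_crypt`, which is what the `ansible.builtin.user` tasks need but means `POSTGRES_PASSWORD` and `MYSQL_ROOT_PASSWORD` receive the crypt hash string rather than the typed value, so the operator never learns the credential the database actually accepts — prompt without `encrypt` and apply `| password_hash('sha512')` only in the user tasks, or use a separate prompt for the database password. That value then sits in plaintext in the generated quadlet unit (`quadlet_file_mode: "0640"`) and in the container environment; a podman secret referenced via a `Secret=` quadlet option keeps it out of the unit file. Note also that `env:` is written as a list of one-key mappings while the podman_container module documents `env` as a mapping — verify the module accepts this form. The hunk re-adds the file unchanged apart from the rename, so these predate this commit.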
@@ -1,76 +1,76 @@ ---- -- hosts: masters,workers - become: true - become_method: sudo - become_user: root - tasks: - - name: Update grub config to remove zram generation - ansible.builtin.shell: - cmd: grubby --update-kernel ALL --args='systemd.zram=0' - - - name: Update grub config - ansible.builtin.shell: - cmd: grub2-mkconfig -o /boot/grub2/grub.cfg - - - name: Reboot the system to get rid of the zram swap that's already been set up - ansible.builtin.reboot: - reboot_timeout: 900 - - - name: Set SELinux to Permissive - ansible.posix.selinux: - state: disabled - - - name: Disable firewalld - ansible.builtin.service: - name: firewalld - enabled: false - state: stopped - - - name: Install iptables components - ansible.builtin.yum: - name: - - iptables - - iproute-tc - state: present - - - name: Add overlay modprobe module - community.general.modprobe: - name: overlay - persistent: present - state: present - - - name: Add br_netfilter module - community.general.modprobe: - name: br_netfilter - persistent: present - state: present - - - name: Create network settings configuration file - ansible.builtin.blockinfile: - path: "/etc/sysctl.d/99-kubernetes-cri.conf" - block: | - net.bridge.bridge-nf-call-iptables = 1 - net.ipv4.ip_forward = 1 - net.bridge.bridge-nf-call-ip6tables = 1 - create: true - - - name: Apply new sysctl settings - ansible.builtin.shell: - cmd: sysctl --system - changed_when: false - - - name: Install cri-o and kubernetes - ansible.builtin.yum: - name: - - cri-o - - containernetworking-plugins - - kubernetes - - kubernetes-kubeadm - - kubernetes-client - state: present - - - name: Enable and start cri-o - ansible.builtin.service: - name: crio - enabled: true - state: started +--- +- hosts: masters,workers + become: true + become_method: sudo + become_user: root + tasks: + - name: Update grub config to remove zram generation + ansible.builtin.shell: + cmd: grubby --update-kernel ALL --args='systemd.zram=0' + + - name: Update grub config + 
ansible.builtin.shell: + cmd: grub2-mkconfig -o /boot/grub2/grub.cfg + + - name: Reboot the system to get rid of the zram swap that's already been set up + ansible.builtin.reboot: + reboot_timeout: 900 + + - name: Set SELinux to Permissive + ansible.posix.selinux: + state: disabled + + - name: Disable firewalld + ansible.builtin.service: + name: firewalld + enabled: false + state: stopped + + - name: Install iptables components + ansible.builtin.yum: + name: + - iptables + - iproute-tc + state: present + + - name: Add overlay modprobe module + community.general.modprobe: + name: overlay + persistent: present + state: present + + - name: Add br_netfilter module + community.general.modprobe: + name: br_netfilter + persistent: present + state: present + + - name: Create network settings configuration file + ansible.builtin.blockinfile: + path: "/etc/sysctl.d/99-kubernetes-cri.conf" + block: | + net.bridge.bridge-nf-call-iptables = 1 + net.ipv4.ip_forward = 1 + net.bridge.bridge-nf-call-ip6tables = 1 + create: true + + - name: Apply new sysctl settings + ansible.builtin.shell: + cmd: sysctl --system + changed_when: false + + - name: Install cri-o and kubernetes + ansible.builtin.yum: + name: + - cri-o + - containernetworking-plugins + - kubernetes + - kubernetes-kubeadm + - kubernetes-client + state: present + + - name: Enable and start cri-o + ansible.builtin.service: + name: crio + enabled: true + state: started diff --git a/playbooks/make_ansible_user.yml b/playbooks/make_ansible_user.yml index a8f362d..f162cb7 100644 --- a/playbooks/make_ansible_user.yml +++ b/playbooks/make_ansible_user.yml 
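Review bot: The task named `Set SELinux to Permissive` sets `state: disabled`, which goes further than its name and further than rocky_configure_node_for_k8s.yml in the same commit (`state: permissive`); aligning on `state: permissive` keeps the policy loaded and logging denials while still not blocking cri-o. The next task stops and disables firewalld outright, whereas the Rocky playbook opens only the kubelet/API/CNI ports — if the Fedora nodes share that network, the per-port approach is the safer default and keeps the two playbooks consistent. The `grubby` and `grub2-mkconfig` shell tasks carry no `changed_when` or `creates`, so every run reports changed and the unconditional `reboot` task restarts the node on each run; a `when` on the reboot tied to the grub task's result would make the play re-runnable. Content is unchanged by this commit (the hunk re-adds every line).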
@@ -1,31 +1,31 @@ ---- -- hosts: all - become: true - become_method: su - become_user: root - tasks: - - name: Create the ansible user - ansible.builtin.user: - name: ansible - append: true - state: present - createhome: true - shell: /bin/bash - - - name: Make sure the sudoers dropin directory exists - ansible.builtin.file: - path: "/etc/sudoers.d" - state: directory - - - name: Create a sudoers file for the ansible user - ansible.builtin.lineinfile: - path: "/etc/sudoers.d/50-ansible" - line: "ansible ALL=(ALL) NOPASSWD: ALL" - create: true - validate: "visudo -cf %s" - - - name: Add authorized key for ansible user - ansible.builtin.authorized_key: - user: ansible - key: "{{ lookup('ansible.builtin.file', '/home/ansible/.ssh/id_rsa.pub') }}" - +--- +- hosts: all + become: true + become_method: su + become_user: root + tasks: + - name: Create the ansible user + ansible.builtin.user: + name: ansible + append: true + state: present + createhome: true + shell: /bin/bash + + - name: Make sure the sudoers dropin directory exists + ansible.builtin.file: + path: "/etc/sudoers.d" + state: directory + + - name: Create a sudoers file for the ansible user + ansible.builtin.lineinfile: + path: "/etc/sudoers.d/50-ansible" + line: "ansible ALL=(ALL) NOPASSWD: ALL" + create: true + validate: "visudo -cf %s" + + - name: Add authorized key for ansible user + ansible.builtin.authorized_key: + user: ansible + key: "{{ lookup('ansible.builtin.file', '/home/ansible/.ssh/id_rsa.pub') }}" + diff --git a/playbooks/patch.yml b/playbooks/patch.yml index fbe1219..04ad295 100644 --- a/playbooks/patch.yml +++ b/playbooks/patch.yml 
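Review bot: `Create a sudoers file for the ansible user` writes `/etc/sudoers.d/50-ansible` through `lineinfile` with `create: true` but no `owner`/`mode`, so the drop-in is created with the umask default rather than the root-owned `0440` sudo expects; add `owner: root`, `group: root` and `mode: "0440"` next to `validate`. The `authorized_key` task reads `/home/ansible/.ssh/id_rsa.pub` with `lookup('ansible.builtin.file', ...)`, which evaluates on the controller, so the play silently depends on the control node having an `ansible` user with exactly that key path — presumably intended, but a variable such as `ansible_pubkey_path` with a comment would make the dependency visible. `NOPASSWD: ALL` plus key-only login is a deliberate automation-account pattern; it stays defensible only with host-key checking left on (see ansible.cfg in this commit). The hunk re-adds the file unchanged.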
@@ -1,16 +1,16 @@ ---- -- hosts: all - become: true - become_method: sudo - become_user: root - tasks: - - name: Update all packages - ansible.builtin.yum: - name: "*" - state: latest - async: 3600 - poll: 60 - - - name: Reboot Node - ansible.builtin.reboot: - reboot_timeout: 1800 +--- +- hosts: all + become: true + become_method: sudo + become_user: root + tasks: + - name: Update all packages + ansible.builtin.yum: + name: "*" + state: latest + async: 3600 + poll: 60 + + - name: Reboot Node + ansible.builtin.reboot: + reboot_timeout: 1800 diff --git a/playbooks/podman_setup.yml b/playbooks/podman_setup.yml index 69de19d..860fc5d 100644 --- a/playbooks/podman_setup.yml +++ b/playbooks/podman_setup.yml 
@@ -1,58 +1,58 @@ ---- -- hosts: podman_nodes - become: true - become_method: sudo - become_user: root - vars: - dev_device: "/dev/vdb" - vg_name: "vg_podman" - lv_name: "lv_containers" - containers_directory: "/var/lib/containers" - tasks: - - name: Setup container directory volume group - community.general.lvg: - vg: "{{ vg_name }}" - pvs: "{{ dev_device }}" - - - name: Setup container directory logical volume - community.general.lvol: - vg: "{{ vg_name }}" - lv: "{{ lv_name }}" - size: 100%FREE - - - name: Create xfs filesystem on lib_containers logical volume - community.general.filesystem: - fstype: xfs - dev: /dev/mapper/{{ vg_name }}-{{ lv_name }} - - - name: Create the containers directory - ansible.builtin.file: - path: "{{ containers_directory }}" - state: directory - mode: '0755' - - - name: Setup containers directory mount - ansible.posix.mount: - path: "{{ containers_directory }}" - src: "/dev/mapper/{{ vg_name }}-{{ lv_name }}" - fstype: xfs - state: mounted - - - name: Install podman and components - ansible.builtin.yum: - name: - - podman - - passt - - shadow-utils - state: latest - async: 1200 - poll: 60 - - - name: Force reinstall container-selinux - ansible.builtin.yum: - name: container-selinux - state: reinstall - async: 1200 - poll: 60 - +--- +- hosts: podman_nodes + become: true + become_method: sudo + become_user: root + vars: + dev_device: "/dev/vdb" + vg_name: "vg_podman" + lv_name: "lv_containers" + containers_directory: "/var/lib/containers" + tasks: + - name: Setup container directory volume group + community.general.lvg: + vg: "{{ vg_name }}" + pvs: "{{ dev_device }}" + + - name: Setup container directory logical volume + community.general.lvol: + vg: "{{ vg_name }}" + lv: "{{ lv_name }}" + size: 100%FREE + + - name: Create xfs filesystem on lib_containers logical volume + community.general.filesystem: + fstype: xfs + dev: /dev/mapper/{{ vg_name }}-{{ lv_name }} + + - name: Create the containers directory + ansible.builtin.file: + 
path: "{{ containers_directory }}" + state: directory + mode: '0755' + + - name: Setup containers directory mount + ansible.posix.mount: + path: "{{ containers_directory }}" + src: "/dev/mapper/{{ vg_name }}-{{ lv_name }}" + fstype: xfs + state: mounted + + - name: Install podman and components + ansible.builtin.yum: + name: + - podman + - passt + - shadow-utils + state: latest + async: 1200 + poll: 60 + + - name: Force reinstall container-selinux + ansible.builtin.yum: + name: container-selinux + state: reinstall + async: 1200 + poll: 60 + \ No newline at end of file diff --git a/playbooks/rocky_configure_node_for_k8s.yml b/playbooks/rocky_configure_node_for_k8s.yml index 7c8d1ec..76d95f3 100644 --- a/playbooks/rocky_configure_node_for_k8s.yml +++ b/playbooks/rocky_configure_node_for_k8s.yml 
@@ -1,116 +1,116 @@ ---- -- hosts: masters,workers - become: yes - become_method: sudo - become_user: root - tasks: - - name: Add overlay modprobe module - community.general.modprobe: - name: overlay - persistent: present - state: present - - - name: Add br_netfilter module - community.general.modprobe: - name: br_netfilter - persistent: present - state: present - - - name: Set SELinux to Permissive - ansible.posix.selinux: - state: permissive - - - name: Set firewalld configuration | Master Nodes - ansible.posix.firewalld: - port: "{{ item }}" - permanent: true - state: enabled - loop: - - "6443/tcp" - - "2379-2380/tcp" - - "10250/tcp" - - "10251/tcp" - - "10259/tcp" - - "10257/tcp" - - "179/tcp" - - "4789/udp" - when: master | default(false) - - - name: Set firewalld configuration | Worker Nodes - ansible.posix.firewalld: - port: "{{ item }}" - permanent: true - state: enabled - loop: - - "179/tcp" - - "10250/tcp" - - "30000-32767/tcp" - - "4789/udp" - when: worker | default(false) - - - name: Create network settings configuration file - ansible.builtin.blockinfile: - path: "/etc/sysctl.d/99-kubernetes-cri.conf" - block: | - net.bridge.bridge-nf-call-iptables = 1 - net.ipv4.ip_forward = 1 - net.bridge.bridge-nf-call-ip6tables = 1 - create: true - - - name: Apply new sysctl settings - ansible.builtin.shell: - cmd: sysctl --system - changed_when: false - - - name: Add docker repo - ansible.builtin.shell: - cmd: dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo - changed_when: false - - - name: Install containerd - ansible.builtin.yum: - name: containerd.io - state: present - - - name: Build default containerd config - ansible.builtin.shell: - cmd: set -o pipefail && mkdir -p /etc/containerd && containerd config default | tee /etc/containerd/config.toml - changed_when: false - - - name: Restart containerd - ansible.builtin.service: - name: containerd - state: restarted - enabled: true - - - name: Create Kubernetes repo - 
ansible.builtin.blockinfile: - path: "/etc/yum.repos.d/kubernetes.repo" - create: true - block: | - [kubernetes] - name=Kubernetes - baseurl=https://pkgs.k8s.io/core:/stable:/v1.31/rpm/ - enabled=1 - gpgcheck=1 - gpgkey=https://pkgs.k8s.io/core:/stable:/v1.31/rpm/repodata/repomd.xml.key - exclude=kubelet kubeadm kubectl cri-tools kubernetes-cni - - - name: Install Kubernetes components - ansible.builtin.yum: - name: - - kubelet - - kubeadm - - kubectl - state: present - disable_excludes: all - - - name: Disable running swap - ansible.builtin.shell: - cmd: swapoff -a - changed_when: false - - - name: Disable swap in fstab - ansible.builtin.shell: - cmd: sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab +--- +- hosts: masters,workers + become: yes + become_method: sudo + become_user: root + tasks: + - name: Add overlay modprobe module + community.general.modprobe: + name: overlay + persistent: present + state: present + + - name: Add br_netfilter module + community.general.modprobe: + name: br_netfilter + persistent: present + state: present + + - name: Set SELinux to Permissive + ansible.posix.selinux: + state: permissive + + - name: Set firewalld configuration | Master Nodes + ansible.posix.firewalld: + port: "{{ item }}" + permanent: true + state: enabled + loop: + - "6443/tcp" + - "2379-2380/tcp" + - "10250/tcp" + - "10251/tcp" + - "10259/tcp" + - "10257/tcp" + - "179/tcp" + - "4789/udp" + when: master | default(false) + + - name: Set firewalld configuration | Worker Nodes + ansible.posix.firewalld: + port: "{{ item }}" + permanent: true + state: enabled + loop: + - "179/tcp" + - "10250/tcp" + - "30000-32767/tcp" + - "4789/udp" + when: worker | default(false) + + - name: Create network settings configuration file + ansible.builtin.blockinfile: + path: "/etc/sysctl.d/99-kubernetes-cri.conf" + block: | + net.bridge.bridge-nf-call-iptables = 1 + net.ipv4.ip_forward = 1 + net.bridge.bridge-nf-call-ip6tables = 1 + create: true + + - name: Apply new sysctl settings + 
ansible.builtin.shell: + cmd: sysctl --system + changed_when: false + + - name: Add docker repo + ansible.builtin.shell: + cmd: dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo + changed_when: false + + - name: Install containerd + ansible.builtin.yum: + name: containerd.io + state: present + + - name: Build default containerd config + ansible.builtin.shell: + cmd: set -o pipefail && mkdir -p /etc/containerd && containerd config default | tee /etc/containerd/config.toml + changed_when: false + + - name: Restart containerd + ansible.builtin.service: + name: containerd + state: restarted + enabled: true + + - name: Create Kubernetes repo + ansible.builtin.blockinfile: + path: "/etc/yum.repos.d/kubernetes.repo" + create: true + block: | + [kubernetes] + name=Kubernetes + baseurl=https://pkgs.k8s.io/core:/stable:/v1.31/rpm/ + enabled=1 + gpgcheck=1 + gpgkey=https://pkgs.k8s.io/core:/stable:/v1.31/rpm/repodata/repomd.xml.key + exclude=kubelet kubeadm kubectl cri-tools kubernetes-cni + + - name: Install Kubernetes components + ansible.builtin.yum: + name: + - kubelet + - kubeadm + - kubectl + state: present + disable_excludes: all + + - name: Disable running swap + ansible.builtin.shell: + cmd: swapoff -a + changed_when: false + + - name: Disable swap in fstab + ansible.builtin.shell: + cmd: sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab changed_when: false \ No newline at end of file
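Review bot: `become: yes` at the top of the play is the one place in this commit that uses a YAML 1.1 truthy word; the other playbooks write `become: true` and yamllint's `truthy` rule flags `yes`, so change it to `become: true`. `Build default containerd config` pipes `containerd config default` into `tee /etc/containerd/config.toml` on every run with `changed_when: false`, which silently overwrites any hand edits to that file (kubeadm setups normally need `SystemdCgroup = true` there) — guard it with `creates: /etc/containerd/config.toml` under `args:` or manage the file with `ansible.builtin.template`. `Add docker repo` is likewise a state-changing shell command marked `changed_when: false`; `ansible.builtin.yum_repository` would be idempotent and report honestly. `Disable swap in fstab` runs `sed -i` with no `changed_when`, so it reports changed on every run. The file content is unchanged by this commit (line-ending rewrite).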