From 896bade101b82dfaba611326db5615cdca7681c5 Mon Sep 17 00:00:00 2001
From: Jim Grady
Date: Thu, 18 Jan 2024 09:27:09 -0500
Subject: [PATCH] Add tls-san option to k3s install options (#2886)

Also:
- change "become: no" to "become: false"
- remove microk8s
---
 deploy/ansible/group_vars/nuc/main.yml | 2 +-
 .../roles/k8s_config/defaults/main.yml | 2 +-
 .../ansible/roles/k8s_config/tasks/main.yml | 10 +--
 .../roles/k8s_install/defaults/main.yml | 13 +---
 .../roles/k8s_install/tasks/microk8s.yml | 72 -------------------
 .../roles/network_config/defaults/main.yaml | 2 +-
 .../roles/network_config/tasks/main.yml | 2 +-
 7 files changed, 12 insertions(+), 91 deletions(-)
 delete mode 100644 deploy/ansible/roles/k8s_install/tasks/microk8s.yml

diff --git a/deploy/ansible/group_vars/nuc/main.yml b/deploy/ansible/group_vars/nuc/main.yml
index e9dff55dfc..5119969493 100644
--- a/deploy/ansible/group_vars/nuc/main.yml
+++ b/deploy/ansible/group_vars/nuc/main.yml
@@ -30,7 +30,7 @@ ingress_namespace: ingress-nginx
 # The server name will direct traffic to the production
 # server since it is used to get the certificates for the
 # NUC.
-k8s_dns_name: "{{ ansible_hostname }}"
+public_dns_name: "{{ ansible_hostname }}"
 
 ################################################
 # Ethernet settings
diff --git a/deploy/ansible/roles/k8s_config/defaults/main.yml b/deploy/ansible/roles/k8s_config/defaults/main.yml
index 2b9f3d9889..b51b2332a9 100644
--- a/deploy/ansible/roles/k8s_config/defaults/main.yml
+++ b/deploy/ansible/roles/k8s_config/defaults/main.yml
@@ -1,4 +1,4 @@
 ---
 # Used to setup the certificate for kubectl
 # Can be overridden by specific groups/hosts
-k8s_dns_name: "{{ combine_server_name }}"
+public_dns_name: "{{ combine_server_name }}"
diff --git a/deploy/ansible/roles/k8s_config/tasks/main.yml b/deploy/ansible/roles/k8s_config/tasks/main.yml
index 305ff633dd..2587c57ade 100644
--- a/deploy/ansible/roles/k8s_config/tasks/main.yml
+++ b/deploy/ansible/roles/k8s_config/tasks/main.yml
@@ -13,7 +13,7 @@ - name: Restrict permissions to kubeconfig to owner delegate_to: localhost - become: no + become: false file: path: "{{ kubecfg }}" state: file @@ -31,17 +31,17 @@ # (kubectl communicates with the cluster over port 16443 or 6443) - name: Replace server IP with DNS name in site_files copy delegate_to: localhost - become: no + become: false lineinfile: state: present path: "{{ kubecfg }}" regexp: '^(\s+server: https:\/\/)[.0-9]+:(1?6443)' backrefs: yes - line: '\1{{ k8s_dns_name }}:\2' + line: '\1{{ public_dns_name }}:\2' - name: Replace 'default' cluster, user, etc with {{ kubecfgdir }} delegate_to: localhost - become: no + become: false replace: path: "{{ kubecfg }}" regexp: "^(.*)default(.*)$" @@ -49,7 +49,7 @@ - name: Link ~/.kube/config to {{ kubecfg }} delegate_to: localhost - become: no + become: false file: state: link src: "{{ kubecfg }}" diff --git a/deploy/ansible/roles/k8s_install/defaults/main.yml b/deploy/ansible/roles/k8s_install/defaults/main.yml index 1d9b74c29e..d1445c42d6 100644 --- a/deploy/ansible/roles/k8s_install/defaults/main.yml +++ b/deploy/ansible/roles/k8s_install/defaults/main.yml @@ -1,7 +1,7 @@ --- # Used to setup the certificate for kubectl # Can be overridden by specific groups/hosts -k8s_dns_name: "{{ combine_server_name }}" +public_dns_name: "{{ combine_server_name }}" k8s_required_pkgs: - apt-transport-https @@ -14,12 +14,5 @@ k3s_options: - 644 - --disable - traefik - -# Options for installing the microk8s engine -microk8s_options: - addons: - - storage - - dns - - ingress - - helm3 - - rbac + - --tls-san + - "{{ public_dns_name }}" diff --git a/deploy/ansible/roles/k8s_install/tasks/microk8s.yml b/deploy/ansible/roles/k8s_install/tasks/microk8s.yml deleted file mode 100644 index dacc9b1bce..0000000000 --- a/deploy/ansible/roles/k8s_install/tasks/microk8s.yml +++ /dev/null 
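Review bot: The `Replace server IP with DNS name in site_files copy` task in the `@@ -31,17 +31,17 @@` hunk still matches `(1?6443)` and its comment still says "port 16443 or 6443", but 16443 was the microk8s port and this commit removes microk8s, so the alternation is now dead and the comment misleading; either tighten to `regexp: '^(\s+server: https:\/\/)[.0-9]+:(6443)'` and drop "16443 or" from the comment, or add a comment saying why the old port is kept. That same pattern only matches a dotted-decimal address, so if the fetched kubeconfig ever carries a hostname or an IPv6 literal the `lineinfile` silently leaves the address in place and kubectl would then fail hostname verification against the certificate name this patch adds via `--tls-san`; registering the result and adding `failed_when: not kubecfg_line.changed` (or an `assert` on the file content) would surface that instead of hiding it. While the hunk converts `become: no` to `become: false`, the adjacent `backrefs: yes` keeps the YAML 1.1 spelling; `backrefs: true` would complete the normalization the commit message describes.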
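Review bot: The new `--tls-san` entry in the `@@ -14,12 +14,5 @@` hunk passes `public_dns_name` verbatim, and for the `nuc` group this patch sets that variable to `{{ ansible_hostname }}`, an unqualified short name; the k3s serving certificate then carries only that SAN, so kubectl from the control node verifies only when it reaches the API server by exactly that name, which is worth stating above the option: `# Must match the name k8s_config writes into the kubeconfig server: URL`. The same default `public_dns_name: "{{ combine_server_name }}"` is now declared in both the k8s_install and k8s_config role defaults; if one is edited without the other the SAN and the kubeconfig server name diverge and TLS verification fails, so a comment pointing at the sibling role, or a single shared vars location, would make the coupling visible. The `644` context line appears to be the kubeconfig write mode (the option name is above the hunk); if so it leaves the node-side kubeconfig world-readable, which is broader than the `0600` the k8s_config role applies to the fetched copy. The `k3s_options` list this hunk extends starts outside the hunk.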
@@ -1,72 +0,0 @@ ---- -- name: Install microk8s snap - snap: - name: microk8s - classic: yes - -- name: Start microk8s - command: microk8s start - -- name: Add user to microk8s group - user: - name: "{{ k8s_user }}" - groups: microk8s - append: yes - -- name: Enable selected microk8s addons - command: microk8s enable {{ microk8s_options.addons | join(' ') }} - -- name: Add DNS name to microk8s config template - lineinfile: - path: /var/snap/microk8s/current/certs/csr.conf.template - insertafter: "^DNS\\.5" - line: DNS.6 = {{ k8s_dns_name }} - -- name: Get home directory for {{ k8s_user }} - shell: > - getent passwd {{ k8s_user }} | awk -F: '{ print $6 }' - register: k8s_user_home - changed_when: false - -- name: Create .kube directory - file: - path: "{{ k8s_user_home.stdout }}/.kube" - state: directory - owner: "{{ k8s_user }}" - group: "{{ k8s_group }}" - mode: 0700 - -- name: Save kubectl configuration in {{ k8s_user_home.stdout }}/.kube/config - shell: microk8s config > {{ k8s_user_home.stdout }}/.kube/config - -- name: Set permissions on .kube/config - file: - path: "{{ k8s_user_home.stdout }}/.kube/config" - state: file - owner: "{{ k8s_user }}" - group: "{{ k8s_group }}" - mode: 0600 - -- name: Save kubectl configuration in site_files on host - fetch: - src: "{{ k8s_user_home.stdout }}/.kube/config" - dest: "{{ kubecfg }}" - flat: yes - -- name: Restrict permissions to kubeconfig to owner - delegate_to: localhost - become: no - file: - path: "{{ kubecfg }}" - state: file - mode: 0600 - -- name: Replace server IP with DNS name in site_files copy - delegate_to: localhost - become: no - lineinfile: - state: present - path: "{{ kubecfg }}" - regexp: '^(\s+server: https:\/\/)[.0-9]+:16443' - backrefs: yes - line: '\1{{ combine_server_name}}:16443' diff --git a/deploy/ansible/roles/network_config/defaults/main.yaml b/deploy/ansible/roles/network_config/defaults/main.yaml index b39e835312..5b01a024e8 100644 
--- a/deploy/ansible/roles/network_config/defaults/main.yaml +++ b/deploy/ansible/roles/network_config/defaults/main.yaml @@ -4,7 +4,7 @@ eth_if_pattern: "en[a-z][0-9]" ############################### # virtual_if device -# This is needed when microk8s is running on a target that +# This is needed when k3s is running on a target that # does not have an ethernet connection plugged-in. ############################### diff --git a/deploy/ansible/roles/network_config/tasks/main.yml b/deploy/ansible/roles/network_config/tasks/main.yml index 3dfd63d828..7c5cf2da2d 100644 --- a/deploy/ansible/roles/network_config/tasks/main.yml +++ b/deploy/ansible/roles/network_config/tasks/main.yml @@ -33,7 +33,7 @@ when: has_wifi ### -# Create a virtual network interface so that microk8s/k3s can run +# Create a virtual network interface so that k3s can run # when no ethernet connection is attached. ### - name: Create virtual network I/F