init

setup/README.md

@@ -0,0 +1,10 @@
+* adapt IPs in inventory.yaml
+
+* add host keys `./trust-hosts.sh`
+
+* change wg encryption keys in host\_vars: `./generate-keys.sh`
+    * requires wireguard-tools, yq
+
+* run play for the first time `ansible-playbook -i inventory.yaml -u root -t initial setup.yaml` - this will upgrade all packages and reboot the system
+
+* run play again, without the tag

setup/generate-keys.sh

@@ -0,0 +1,7 @@
+cd host_vars
+for i in cluster-master01 cluster-master02 cluster-master03 cluster-worker01 cluster-worker02 cluster-worker03 cluster-worker04 cluster-worker05 cluster-worker06
+do
+  sed -i "s#^wg_secret_key.*#wg_secret_key: $(wg genkey)#" ${i}.yaml
+  pubkey=$(cat ${i}.yaml | yq .wg_secret_key | sed 's/"//g' | wg pubkey)
+  sed -i "s#^wg_public_key.*#wg_public_key: ${pubkey}#" ${i}.yaml
+done

setup/host_vars/cluster-master01.yaml

@@ -0,0 +1,3 @@
+wg_secret_key: uC00qKf4vbfQ1Mn/ndWFX9h3JXKDv5ijIXpjchY/2Gc=
+wg_public_key: 4a0DAKvszfFGxDn8Pq9OMdyZbqiELNalF/bOU+lS4ww=
+wg_ip: 10.42.23.11

setup/host_vars/cluster-master02.yaml

@@ -0,0 +1,3 @@
+wg_secret_key: QNqBGoi2Vd/J0Zc+s5G0y+yPFqV9kmqH9pGxb5ojDGE=
+wg_public_key: 8wmpoiFyWhHEAP88dR1bBsZP7bQOKAUkNMki5S/9uFc=
+wg_ip: 10.42.23.12

setup/host_vars/cluster-master03.yaml

@@ -0,0 +1,3 @@
+wg_secret_key: sM+AFAKPGOcXNalGCGoBbCXG9msG5qF66Wz49CVvL2A=
+wg_public_key: PhCEr0T1F0ABbFN0ngkIcLQ8OXmQZj+/U3DgAsWXXA8=
+wg_ip: 10.42.23.13

setup/host_vars/cluster-worker01.yaml

@@ -0,0 +1,3 @@
+wg_secret_key: MMw5jxqi+4iO3pS1C99+Hck9jabDssQuQ3yC5Rhsgn0=
+wg_public_key: GG1AGeGLX2KiCiK+/5wH3JhHDZvKHexfZgVhyX3I8Ag=
+wg_ip: 10.42.23.21

setup/host_vars/cluster-worker02.yaml

@@ -0,0 +1,3 @@
+wg_secret_key: KBMAarDchzYpPIq7J9LRUgll5jeo9wJkgjwC+tJc80Y=
+wg_public_key: CiOc+aYn9xCvLLm2rDEE0HrfY9n/kHggwK0LNRDD0Qg=
+wg_ip: 10.42.23.22

setup/host_vars/cluster-worker03.yaml

@@ -0,0 +1,3 @@
+wg_secret_key: AE9mrGQ3jJCqdWj6ZAHu9mdULr4HyBV5vE1+Wzjo+FY=
+wg_public_key: hJ2CtHqxeB321TJZD+7bzSMNA1GzEteckUb//6KzjhQ=
+wg_ip: 10.42.23.23

setup/host_vars/cluster-worker04.yaml

@@ -0,0 +1,3 @@
+wg_secret_key: WFMMXY1HPcIUw2I/2Z8x6wyR0r/CnGYeV6Rmyt6WbXo=
+wg_public_key: Tc+GCAYefY+MJMwDVqyjLuR0JPvZMFj2xtS9oTAQvSg=
+wg_ip: 10.42.23.24

setup/host_vars/cluster-worker05.yaml

@@ -0,0 +1,3 @@
+wg_secret_key: oEql4vfFXVqdI6HiSDyQsSK19Xs+IzyMrz+7gbRgWWQ=
+wg_public_key: xQozpZLyW7Gl+xYsLBvegmEtjhB7vBP2sKBJgfP22D4=
+wg_ip: 10.42.23.25

setup/host_vars/cluster-worker06.yaml

@@ -0,0 +1,3 @@
+wg_secret_key: WCvlYVbX/ieEU6ZLNJcQEAl9YcHASiLMgrmkU9cUElI=
+wg_public_key: iV+fDDW5bw9ANklUKa9Vbqi+fwJCzqebahcT7nE6PCA=
+wg_ip: 10.42.23.26

setup/inventory.yaml

@@ -0,0 +1,12 @@
+[master]
+cluster-master01 ansible_ssh_host=212.47.246.128
+#cluster-master02 ansible_ssh_host=
+#cluster-master03 ansible_ssh_host=
+
+[worker]
+cluster-worker01 ansible_ssh_host=51.15.238.164
+cluster-worker02 ansible_ssh_host=51.158.115.24
+cluster-worker03 ansible_ssh_host=51.158.108.159
+#cluster-worker04 ansible_ssh_host=
+#cluster-worker05 ansible_ssh_host=
+#cluster-worker06 ansible_ssh_host=

setup/setup.yml

@@ -0,0 +1,122 @@
+---
+- hosts: all
+  tasks:
+    - name: deactivate swap
+      command: swapoff -a
+      when:
+        - ansible_swaptotal_mb != 0
+      notify: disable swap
+    - name: upgrade all the packages
+      apt:
+        name: '*'
+        state: latest
+        update_cache: yes
+      tags: ['initial', 'never']
+    - name: install deps
+      apt:
+        name: ['aptitude', 'sudo', 'nfs-common', 'apt-transport-https', 'ca-certificates', 'curl', 'gnupg2', 'software-properties-common']
+        state: present
+    - name: import docker gpg key
+      apt_key:
+        url: "https://download.docker.com/linux/debian/gpg"
+        state: present
+    - name: add docker repository
+      apt_repository:
+        repo: "deb [arch=amd64] https://download.docker.com/linux/debian {{ansible_lsb.codename}} stable"
+        state: present
+    - name: install docker
+      apt:
+        update_cache: yes
+        name: ['docker-ce', 'python-pip', 'python-setuptools']
+        state: present
+    - name: enable & start docker
+      systemd:
+        name: docker
+        enabled: yes
+        state: started
+    - name: install wireguard repo
+      apt_repository:
+        repo: "deb http://deb.debian.org/debian/ unstable main"
+        state: present
+    - name: pin unstables
+      blockinfile:
+        path: /etc/apt/preferences.d/limit-unstable
+        create: yes
+        block: |
+          Package: *
+          Pin: release a=unstable
+          Pin-Priority: 90
+    - name: install wireguard
+      apt:
+        update_cache: yes
+        name: wireguard
+        state: present
+    #- name: generate wireguard keys
+    #  shell: wg genkey | tee wg-private.key | wg pubkey > wg-public.key
+    #  args:
+    #    creates: wg-private.key
+    - name: configure wireguard interface
+      template:
+        src: templates/wireguard.cfg
+        dest: /etc/network/interfaces.d/wireguard.cfg
+      notify: restart wireguard
+    - name: configure wireguard connections
+      template:
+        src: templates/wg-k8s.conf
+        dest: /etc/wireguard/wg-k8s.conf
+      notify: restart wireguard
+
+    - name: install k8s apt key
+      apt_key:
+        url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
+        state: present
+    - name: add k8s repository
+      apt_repository:
+        repo: "deb https://apt.kubernetes.io/ kubernetes-xenial main"
+        state: present
+    - name: install k8s
+      apt:
+        update_cache: yes
+        name: ["kubelet", "kubeadm", "kubectl"]
+        state: present
+    #- name: init kubeadm
+    #  command: kubeadm init --apiserver-advertise-address 10.42.23.11 --pod-network-cidr=10.244.0.0/16 > kubeadm.log
+    #  args:
+    #    creates: kubeadm.log
+      #kubectl apply -f https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/canal/rbac.yaml
+      #kubectl apply -f https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/canal/canal.yaml
+    - name: restart system
+      command: reboot
+      tags: ['initial', 'never']
+
+  handlers:
+    - name: disable swap
+      lineinfile:
+        path: /etc/fstab
+        regexp: '.*swap.*'
+        state: absent
+    - name: restart wireguard
+      shell: ifdown wg-k8s; ifup wg-k8s
+
+- hosts: master
+  tasks:
+    - name: install haproxy
+      apt:
+        name: haproxy
+        state: present
+      notify: restart haproxy
+    - name: copy haproxy template
+      template:
+        src: templates/haproxy.cfg
+        dest: /etc/haproxy/haproxy.cfg
+      notify: restart haproxy
+    - name: enable haproxy service
+      service:
+        name: haproxy
+        enabled: true
+      notify: restart haproxy
+  handlers:
+    - name: restart haproxy
+      service:
+        name: haproxy
+        state: restarted

setup/templates/haproxy.cfg

@@ -0,0 +1,29 @@
+global
+  daemon
+  maxconn 256
+
+defaults
+  mode http
+  timeout connect 5000ms
+  timeout client 50000ms
+  timeout server 50000ms
+
+listen http-in
+  bind *:80
+  {% for host in groups['worker'] %}
+  server server-{{hostvars[host].ansible_nodename}} {{ hostvars[host].wg_ip }}:30080 maxconn 32
+  {% endfor %}
+
+listen https-in
+  bind *:443
+  mode tcp
+  option tcplog
+  timeout client  1m
+  option log-health-checks
+  option redispatch
+  log global
+  timeout connect 10s
+  timeout server 1m   
+  {% for host in groups['worker'] %}
+  server server-{{hostvars[host].ansible_nodename}} {{ hostvars[host].wg_ip }}:30143 check
+  {% endfor %}

setup/templates/wg-k8s.conf

@@ -0,0 +1,24 @@
+[Interface]
+PrivateKey = {{ wg_secret_key }}
+ListenPort = 51820
+
+[Peer]
+Endpoint = {{ hostvars['cluster-master'].ansible_ssh_host }}:51820
+PublicKey = {{ hostvars['cluster-master'].wg_public_key }}
+AllowedIPs = {{ hostvars['cluster-master'].wg_ip }}/32
+
+[Peer]
+Endpoint = {{ hostvars['cluster-worker01'].ansible_ssh_host }}:51820
+PublicKey = {{ hostvars['cluster-worker01'].wg_public_key }}
+AllowedIPs = {{ hostvars['cluster-worker01'].wg_ip }}/32
+
+[Peer]
+Endpoint = {{ hostvars['cluster-worker02'].ansible_ssh_host }}:51820
+PublicKey = {{ hostvars['cluster-worker02'].wg_public_key }}
+AllowedIPs = {{ hostvars['cluster-worker02'].wg_ip }}/32
+
+[Peer]
+Endpoint = {{ hostvars['cluster-worker03'].ansible_ssh_host }}:51820
+PublicKey = {{ hostvars['cluster-worker03'].wg_public_key }}
+AllowedIPs = {{ hostvars['cluster-worker03'].wg_ip }}/32
+

setup/templates/wireguard.cfg

@@ -0,0 +1,7 @@
+auto wg-k8s
+iface wg-k8s inet static
+        address {{ wg_ip }}
+        netmask 255.255.255.0
+        pre-up ip link add $IFACE type wireguard
+        pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
+        post-down ip link del $IFACE

setup/trust-hosts.sh

@@ -0,0 +1,4 @@
+for i in $(cat inventory.yaml | grep ssh | cut -d= -f2)
+  do
+	  ssh-keyscan $i >> ~/.ssh/known_hosts
+  done