Add a playbook to setup ansible on existing k3s - Standalone mode (#907)

* setup for existing k3s

* adds better blocks with conditionals for host setup

* updates auth block conditional

Co-authored-by: wtripp180901 <[email protected]>

* new prometheus override var that fixes CI

* defaults to fix ci

* added variables to disable prometheus monitoring

* one click Azimuth deploy

* removed vars overrides

* automated groups setup

* rename standalone deploy

* better groups to work with existing deploy

* Groundwork for standalone mode and kubeconfig path rework

Co-authored-by: Scott Davidson <[email protected]>

* add standalone mode

* Improved uri generation

---------

Co-authored-by: wtripp180901 <[email protected]>
Co-authored-by: Scott Davidson <[email protected]>

Author: 3 people

playbooks/deploy.yml

@@ -20,7 +20,7 @@
     - role: azimuth_cloud.azimuth_ops.helm_dashboard
     - role: azimuth_cloud.azimuth_ops.admin_dashboard_ingress
     - role: azimuth_cloud.azimuth_ops.azimuth_authorization_webhook
-      when: azimuth_authentication_type == "oidc"
+      when: azimuth_authentication_type == "oidc" and azimuth_cloud_provider_type != "null"
     - role: azimuth_cloud.azimuth_ops.harbor
       when: harbor_enabled
     - role: azimuth_cloud.azimuth_ops.cloud_metrics
@@ -49,7 +49,8 @@
       when: azimuth_kubernetes_enabled
     - role: azimuth_cloud.azimuth_ops.azimuth_apps_operator
       when: azimuth_apps_enabled
-    - azimuth_cloud.azimuth_ops.azimuth
+    - role: azimuth_cloud.azimuth_ops.azimuth
+
   # Ensure that Consul is uninstalled
   post_tasks:
     - name: Ensure Consul is uninstalled

playbooks/deploy_standalone.yml

@@ -0,0 +1,125 @@
+#####
+# This playbook attempts to setup and install Azimuth on a fresh ubuntu VM
+#####
+
+- name: Setup
+  hosts: azimuth_deploy
+  tasks:
+    # HA mode relies on openstack
+    - name: Fail if install_mode is not standalone
+      ansible.builtin.fail:
+        msg: "Install modes other than 'standalone' are not supported for this playbook"
+      when: install_mode != 'standalone'
+
+    - name: Setup host groups
+      ansible.builtin.add_host:
+        name: "{{ item }}"
+        groups:
+          - k3s
+      loop: "{{ ansible_play_hosts }}"
+
+# Configure the k3s cluster and add tools
+- name: Setup Node
+  hosts: k3s
+  tasks:
+
+    - name: System setup
+      become: true
+      when: configure_system_resources | default (false)
+      block:
+        - name: Update packages
+          ansible.builtin.apt:
+            update_cache: true
+            upgrade: true
+
+        - name: Configure system trust store
+          ansible.builtin.include_role:
+            name: azimuth_cloud.azimuth_ops.system_trust
+
+        - name: Set sysctls
+          ansible.builtin.include_role:
+            name: azimuth_cloud.azimuth_ops.sysctl_inotify
+
+    - name: Install k3s
+      when: install_k3s
+      become: true
+      block:
+        - name: Install and configure k3s
+          ansible.builtin.include_role:
+            name: azimuth_cloud.azimuth_ops.k3s
+
+    - name: Install CLI tools
+      become: true
+      when: install_cli_tools
+      block:
+        - name: Install and configure k9s
+          ansible.builtin.include_role:
+            name: azimuth_cloud.azimuth_ops.k9s
+
+        - name: Get installed Kubernetes version
+          ansible.builtin.command: k3s kubectl version --output json
+          changed_when: false
+          register: k3s_kubectl_version
+
+        - name: Set kubectl version fact
+          ansible.builtin.set_fact:
+            kubectl_version: "{{ (k3s_kubectl_version.stdout | from_json).serverVersion.gitVersion.split('+') | first }}"
+
+        - name: Install Kubectl
+          ansible.builtin.include_role:
+            name: azimuth_cloud.azimuth_ops.kubectl
+
+        - name: Install Helm
+          ansible.builtin.include_role:
+            name: azimuth_cloud.azimuth_ops.helm
+
+        - name: Install Kustomize
+          ansible.builtin.include_role:
+            name: azimuth_cloud.azimuth_ops.kustomize
+
+        - name: Install Flux
+          ansible.builtin.include_role:
+            name: azimuth_cloud.azimuth_ops.flux
+            tasks_from: cli
+          when: flux_enabled
+
+    - name: Setup Kubeconfig
+      when: slurp_k3s_kubeconfig
+      become: true
+      block:
+        - name: Slurp kubeconfig file
+          ansible.builtin.slurp:
+            src: /etc/rancher/k3s/k3s.yaml
+          register: k3s_kubeconfig
+
+        - name: Ensure kube config directory exists
+          ansible.builtin.file:
+            path: "{{ ansible_env.HOME }}/.kube"
+            state: directory
+            mode: u=rwx,g=rx,o=rx
+
+        - name: Write kubeconfig file
+          ansible.builtin.copy:
+            content: "{{ k3s_kubeconfig.content | b64decode }}"
+            dest: "{{ ansible_env.HOME }}/.kube/config"
+            mode: u=rwx,g=r,o=r
+
+    # For a single node install, we put the monitoring and ingress controller on the K3S cluster
+    - name: Install monitoring stack and ingress controller
+
+      # Configure the K3S cluster as a Cluster API management cluster when doing a HA installation
+      block:
+        # Must be done before NGINX ingress so that the ServiceMonitor CRD exists
+        - name: Install Kube-Prometheus-Stack
+          ansible.builtin.include_role:
+            name: azimuth_cloud.azimuth_ops.kube_prometheus_stack
+          when: deploy_prometheus_stack | default(false)
+
+        - name: Install Nginx ingress controller
+          ansible.builtin.include_role:
+            name: azimuth_cloud.azimuth_ops.ingress_nginx
+          when: "ingress_controller_enabled | default(true)"
+
+# Install Azimuth
+- name: Install and configure Azimuth
+  import_playbook: azimuth_cloud.azimuth_ops.deploy

roles/azimuth/defaults/main.yml

@@ -61,14 +61,16 @@ azimuth_secret_key: "{{ undef(hint='azimuth_secret_key is required') }}"
 # Settings for the available clouds
 # List of linked clouds - each item should contain name, label and url
 azimuth_linked_clouds: []
-
 # The name of this cloud
 azimuth_current_cloud_name: "{{ undef(hint='azimuth_current_cloud_name is required') }}"
 
 # The label for this cloud
 azimuth_current_cloud_label: >-
   {{ azimuth_current_cloud_name | regex_replace('[^a-z0-9]+', ' ') | capitalize }}
 
+# toggle for metrics
+azimuth_metrics: true
+
 # Settings for the metrics dashboards, if available
 # By default, these are provided by the cloud_metrics role
 azimuth_metrics_cloud_metrics_url: >-
@@ -126,14 +128,8 @@ azimuth_oidc_client_spec:
   public: false
   grantTypes:
     - AuthorizationCode
-  redirectUris:
-    - >-
-      {{
-        "{}://{}/auth/oidc/complete/".format(
-          'https' if azimuth_ingress_tls_enabled else 'http',
-          azimuth_ingress_host
-        )
-      }}
+  redirectUris: "{{ ['https://' + azimuth_ingress_host +'/auth/oidc/complete/'] +( ['http://' + azimuth_ingress_host + '/auth/oidc/complete/']
+   if not azimuth_ingress_tls_enabled else [])}}"
 #   The client secret
 #   If not given and an identity realm is being used, a client is created - see above
 azimuth_oidc_client_secret: "{{ undef(hint = 'azimuth_oidc_client_secret is required') }}"
@@ -204,7 +200,6 @@ azimuth_authenticator_federated_protocol: >-
     else None
   }}
 azimuth_authenticator_federated_provider:
-
 # The list of identity providers to make available
 azimuth_authenticator_federated_identity_providers:
   # The Keystone identity provider and protocol to use
@@ -282,7 +277,6 @@ azimuth_authentication_defaults: >-
       )
   }}
 azimuth_authentication_overrides: {}
-
 azimuth_authentication: >-
   {{-
     azimuth_authentication_defaults |
@@ -300,13 +294,11 @@ azimuth_cloud_provider_type: openstack
 # If given, network auto-creation is disabled
 # The fragment '{tenant_name}' is replaced with the current tenancy name, e.g. "{tenant_name}-internal"
 azimuth_openstack_internal_net_template:
-
 # The template to use when searching for the external network
 # Only used if the external network is not tagged
 # If not given, there must be exactly one external network available to tenants
 # The fragment '{tenant_name}' is replaced with the current tenancy name, e.g. "{tenant_name}-external"
 azimuth_openstack_external_net_template:
-
 # If larger than zero, project specific manila share should be auto-created
 azimuth_openstack_manila_project_share_gb: 0
 
@@ -428,10 +420,8 @@ azimuth_scheduling_enabled: false
 # Theme settings
 # Custom bootstrap CSS URL
 azimuth_theme_bootstrap_css_url:
-
 # Custom CSS snippet
 azimuth_theme_custom_css:
-
 # The values for the release
 azimuth_release_defaults:
   tags:
@@ -513,7 +503,7 @@ azimuth_release_defaults:
   # Enable the API monitoring by default
   api:
     monitoring:
-      enabled: true
+      enabled: "{{ azimuth_metrics }}"
 azimuth_release_overrides: {}
 azimuth_release_values: >-
   {{-

roles/azimuth_apps_operator/defaults/main.yml

@@ -13,6 +13,9 @@ azimuth_apps_operator_release_name: azimuth-apps-operator
 # The timeout to wait for apps operator to become ready
 azimuth_apps_operator_wait_timeout: 10m
 
+# toggle for metrics
+azimuth_apps_operator_metrics: true
+
 # Custom trust bundle for SSL verification
 azimuth_apps_operator_trust_bundle: "{{ system_trust_ca_bundle | default('') }}"
 
@@ -93,7 +96,7 @@ azimuth_apps_operator_release_defaults:
       }}
   # Enable the metrics with the service monitor by default
   metrics:
-    enabled: true
+    enabled: "{{ azimuth_apps_operator_metrics }}"
   trustBundle: "{{ azimuth_apps_operator_trust_bundle }}"
 azimuth_apps_operator_release_overrides: {}
 azimuth_apps_operator_release_values: >-

roles/azimuth_capi_operator/defaults/main.yml

@@ -19,6 +19,9 @@ azimuth_capi_operator_trust_bundle: "{{ system_trust_ca_bundle | default('') }}"
 # The timer interval to use for the CAPI operator
 azimuth_capi_operator_timer_interval: 60
 
+# variable to toggle metrics
+azimuth_capi_operator_metrics: true
+
 # The repo, name and version for the CAPI Helm charts
 # Leave blank to use the operator defaults
 azimuth_capi_operator_capi_helm_chart_repo:
@@ -502,7 +505,7 @@ azimuth_capi_operator_release_defaults:
       }}
   # Enable the metrics with the service monitor by default
   metrics:
-    enabled: true
+    enabled: "{{ azimuth_capi_operator_metrics }}"
   trustBundle: "{{ azimuth_capi_operator_trust_bundle }}"
 azimuth_capi_operator_release_overrides: {}
 azimuth_capi_operator_release_values: >-

roles/azimuth_identity_operator/defaults/main.yml

@@ -13,6 +13,9 @@ azimuth_identity_operator_release_name: azimuth-identity-operator
 # The timeout to wait for CAPI operator to become ready
 azimuth_identity_operator_wait_timeout: 10m
 
+# toggle for metrics
+azimuth_identity_operator_metrics: true
+
 # Custom trust bundle for SSL verification
 azimuth_identity_operator_trust_bundle: "{{ system_trust_ca_bundle | default('') }}"
 
@@ -208,7 +211,7 @@ azimuth_identity_operator_release_defaults:
       zenithDiscoveryNamespace: "{{ azimuth_identity_operator_keycloak_zenith_discovery_namespace }}"
   # Enable the metrics with the service monitor by default
   metrics:
-    enabled: true
+    enabled: "{{ azimuth_identity_operator_metrics }}"
   trustBundle: "{{ azimuth_identity_operator_trust_bundle }}"
 azimuth_identity_operator_release_overrides: {}
 azimuth_identity_operator_release_values: >-

roles/ingress_nginx/defaults/main.yml

@@ -12,6 +12,9 @@ ingress_nginx_release_name: ingress-nginx
 # The timeout to wait for NGINX ingress controller to become ready
 ingress_nginx_wait_timeout: 10m
 
+# enables the monitoring stack
+ingress_nginx_prometheus_stack_enabled: true
+
 # The values for the release
 ingress_nginx_release_defaults:
   controller:
@@ -24,9 +27,9 @@ ingress_nginx_release_defaults:
     config:
       annotations-risk-level: Critical
     metrics:
-      enabled: true
+      enabled: "{{ ingress_nginx_prometheus_stack_enabled }}"
       serviceMonitor:
-        enabled: true
+        enabled: "{{ ingress_nginx_prometheus_stack_enabled }}"
 ingress_nginx_release_overrides: {}
 ingress_nginx_release_values: >-
   {{-

roles/ingress_nginx/tasks/main.yml

@@ -47,3 +47,4 @@
                   severity: critical
   register: kubectl_ingress_cert_expiry
   changed_when: kubectl_ingress_cert_expiry.stdout_lines | select('match', '(?!.*unchanged$)') | length > 0
+  when: ingress_nginx_prometheus_stack_enabled

roles/k3s/defaults/main.yml

@@ -12,3 +12,6 @@ k3s_storage_fstype: xfs
 
 # Indicates if the Traefik ingress controller should be enabled
 k3s_traefik_enabled: false
+
+# Variable to disable filesystem setup (for running on existing systems)
+k3s_configure_filesystem: true

roles/k3s/tasks/main.yml

@@ -1,32 +1,36 @@
 ---
-- name: Check if k3s storage device is attached
-  ansible.builtin.stat:
-    path: "{{ k3s_storage_device }}"
-  register: k3s_storage_device_stat
-
-- name: Fail if k3s storage device is missing
-  ansible.builtin.fail:
-    msg: "K3s storage device not found at {{ k3s_storage_device }}"
-  when: not k3s_storage_device_stat.stat.exists
-
-- name: Ensure filesystem exists on storage device
-  community.general.filesystem:
-    fstype: "{{ k3s_storage_fstype }}"
-    dev: "{{ k3s_storage_device }}"
-
-- name: Mount filesystem at required location
-  ansible.posix.mount:
-    src: "{{ k3s_storage_device }}"
-    fstype: "{{ k3s_storage_fstype }}"
-    path: /var/lib/rancher/k3s
-    state: mounted
-
-# XFS requires the filesystem to be mounted to do this
-- name: Grow filesystem to fill available space
-  community.general.filesystem:
-    fstype: "{{ k3s_storage_fstype }}"
-    dev: "{{ k3s_storage_device }}"
-    resizefs: true
+
+- name: Configure filesystem
+  when: k3s_configure_filesystem
+  block:
+    - name: Check if k3s storage device is attached
+      ansible.builtin.stat:
+        path: "{{ k3s_storage_device }}"
+      register: k3s_storage_device_stat
+
+    - name: Fail if k3s storage device is missing
+      ansible.builtin.fail:
+        msg: "K3s storage device not found at {{ k3s_storage_device }}"
+      when: not k3s_storage_device_stat.stat.exists
+
+    - name: Ensure filesystem exists on storage device
+      community.general.filesystem:
+        fstype: "{{ k3s_storage_fstype }}"
+        dev: "{{ k3s_storage_device }}"
+
+    - name: Mount filesystem at required location
+      ansible.posix.mount:
+        src: "{{ k3s_storage_device }}"
+        fstype: "{{ k3s_storage_fstype }}"
+        path: /var/lib/rancher/k3s
+        state: mounted
+
+    # XFS requires the filesystem to be mounted to do this
+    - name: Grow filesystem to fill available space
+      community.general.filesystem:
+        fstype: "{{ k3s_storage_fstype }}"
+        dev: "{{ k3s_storage_device }}"
+        resizefs: true
 
 - name: Download k3s binary
   ansible.builtin.get_url: