add ansible k3s automation

Author: fsavoia

infrastructure/k3s-ansible/README.md

@@ -0,0 +1,75 @@
+# Build a Kubernetes cluster using K3s via Ansible
+
+Easily bring up a cluster on machines running:
+
+- [X] Ubuntu
+
+on processor architectures:
+
+- [X] x64
+- [X] arm64
+- [X] armhf
+
+## System requirements
+
+The control node **must** have Ansible 8.0+ (ansible-core 2.15+)
+
+All managed nodes in inventory must have:
+- Passwordless SSH access
+- Root access (or a user with equivalent permissions) 
+
+It is also recommended that all managed nodes disable firewalls and swap. See [K3s Requirements](https://docs.k3s.io/installation/requirements) for more information.
+
+## Usage
+
+Second edit the inventory file to match your cluster setup. For example:
+```bash
+k3s_cluster:
+  children:
+    server:
+      hosts:
+        192.16.35.11:
+    agent:
+      hosts:
+        192.16.35.12:
+        192.16.35.13:
+```
+
+If multiple hosts are in the server group the playbook will automatically setup k3s in HA mode with embedded etcd.
+An odd number of server nodes is required (3,5,7). Read the [official documentation](https://docs.k3s.io/datastore/ha-embedded) for more information.
+
+Start provisioning of the cluster using the following command:
+
+```bash
+ansible-playbook deploy.yml -i inventory.yml
+```
+
+## Kubeconfig
+
+After successful bringup, the kubeconfig of the cluster is copied to the control node  and merged with `~/.kube/config` under the `k3s-ansible` context.
+Assuming you have [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl) installed, you can confirm access to your **Kubernetes** cluster with the following:
+
+```bash
+kubectl config use-context k3s-ansible
+kubectl get nodes
+```
+
+If you wish for your kubeconfig to be copied elsewhere and not merged, you can set the `kubeconfig` variable in `inventory.yml` to the desired path.
+
+
+## Need More Features?
+
+This project is intended to provide a "vanilla" K3s install. If you need more features, such as:
+- Private Registry
+- Advanced Storage (Longhorn, Ceph, etc)
+- External Database
+- External Load Balancer or VIP
+- Alternative CNIs
+
+See these other projects:
+- https://github.com/PyratLabs/ansible-role-k3s
+- https://github.com/techno-tim/k3s-ansible
+- https://github.com/jon-stumpf/k3s-ansible
+- https://github.com/alexellis/k3sup
+- https://github.com/axivo/k3s-cluster
+- https://github.com/k3s-io/k3s-ansible

infrastructure/k3s-ansible/ansible.cfg

@@ -0,0 +1,13 @@
+[defaults]
+nocows = True
+roles_path = ./roles
+inventory  = ./inventory.yml
+
+remote_tmp = $HOME/.ansible/tmp
+local_tmp  = $HOME/.ansible/tmp
+pipelining = True
+become = True
+host_key_checking = False
+deprecation_warnings = False
+callback_whitelist = profile_tasks
+private_key_file = ~/.ssh/fmsavoia_oci_ssh_key

infrastructure/k3s-ansible/collections/requirements.yml

@@ -0,0 +1,4 @@
+---
+collections:
+  - name: community.general
+  - name: ansible.posix

infrastructure/k3s-ansible/deploy.yml

@@ -0,0 +1,19 @@
+---
+- name: Cluster prep
+  hosts: k3s_cluster
+  gather_facts: true
+  become: true
+  roles:
+    - role: prereq
+
+- name: Setup K3S server
+  hosts: server
+  become: true
+  roles:
+    - role: k3s_server
+
+- name: Setup K3S agent
+  hosts: agent
+  become: true
+  roles:
+    - role: k3s_agent

infrastructure/k3s-ansible/inventory.yml

@@ -0,0 +1,22 @@
+---
+k3s_cluster:
+  children:
+    server:
+      hosts:
+        152.70.57.197:
+    agent:
+      hosts:
+        141.144.202.55:
+        193.123.63.252:
+  vars:
+    ansible_port: 22
+    ansible_user: ubuntu
+    k3s_version: v1.30.2+k3s1
+    # The token should be a random string of reasonable length. You can generate
+    # one with the following commands:
+    # - openssl rand -base64 64
+    # - pwgen -s 64 1
+    # You can use ansible-vault to encrypt this value / keep it secret.
+    # Or you can omit it if not using Vagrant and let the first server automatically generate one.
+    # token: "changeme!"
+    api_endpoint: "{{ hostvars[groups['server'][0]]['ansible_host'] | default(groups['server'][0]) }}"

infrastructure/k3s-ansible/meta/runtime.yml

@@ -0,0 +1,2 @@
+---
+requires_ansible: ">=2.15.0"

infrastructure/k3s-ansible/roles/k3s_agent/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+server_group: server  # noqa var-naming[no-role-prefix]
+k3s_server_location: "/var/lib/rancher/k3s"  # noqa var-naming[no-role-prefix]
+systemd_dir: "/etc/systemd/system"  # noqa var-naming[no-role-prefix]
+api_port: 6443  # noqa var-naming[no-role-prefix]
+extra_agent_args: "" # noqa var-naming[no-role-prefix]

infrastructure/k3s-ansible/roles/k3s_agent/tasks/main.yml

@@ -0,0 +1,85 @@
+---
+- name: Get k3s installed version
+  ansible.builtin.command: k3s --version
+  register: k3s_version_output
+  changed_when: false
+  ignore_errors: true
+
+- name: Set k3s installed version
+  when: not ansible_check_mode and k3s_version_output.rc == 0
+  ansible.builtin.set_fact:
+    installed_k3s_version: "{{ k3s_version_output.stdout_lines[0].split(' ')[2] }}"
+
+# If airgapped, all K3s artifacts are already on the node.
+# We should be downloading and installing the newer version only if we are in one of the following cases :
+#   - we couldn't get k3s installed version in the first task of this role
+#   - the installed version of K3s on the nodes is older than the requested version in ansible vars
+- name: Download artifact only if needed
+  when: not ansible_check_mode and airgap_dir is undefined and ( k3s_version_output.rc != 0 or installed_k3s_version is version(k3s_version, '<') )
+  block:
+    - name: Download K3s install script
+      ansible.builtin.get_url:
+        url: https://get.k3s.io/
+        timeout: 120
+        dest: /usr/local/bin/k3s-install.sh
+        owner: root
+        group: root
+        mode: "0755"
+
+    - name: Download K3s binary
+      ansible.builtin.command:
+        cmd: /usr/local/bin/k3s-install.sh
+      environment:
+        INSTALL_K3S_SKIP_START: "true"
+        INSTALL_K3S_VERSION: "{{ k3s_version }}"
+        INSTALL_K3S_EXEC: "agent"
+      changed_when: true
+
+- name: Setup optional config file
+  when: agent_config_yaml is defined
+  block:
+    - name: Make config directory
+      ansible.builtin.file:
+        path: "/etc/rancher/k3s"
+        mode: "0755"
+        state: directory
+    - name: Copy config values
+      ansible.builtin.copy:
+        content: "{{ agent_config_yaml }}"
+        dest: "/etc/rancher/k3s/config.yaml"
+        mode: "0644"
+      register: _agent_config_result
+
+- name: Get the token from the first server
+  ansible.builtin.set_fact:
+    token: "{{ hostvars[groups[server_group][0]].token }}"
+
+- name: Delete any existing token from the environment if different from the new one
+  ansible.builtin.lineinfile:
+    state: absent
+    path: "{{ systemd_dir }}/k3s-agent.service.env"
+    regexp: "^K3S_TOKEN=\\s*(?!{{ token }}\\s*$)"
+
+- name: Add the token for joining the cluster to the environment
+  no_log: true # avoid logging the server token
+  ansible.builtin.lineinfile:
+    path: "{{ systemd_dir }}/k3s-agent.service.env"
+    line: "{{ item }}"
+  with_items:
+    - "K3S_TOKEN={{ token }}"
+
+- name: Copy K3s service file
+  register: k3s_agent_service
+  ansible.builtin.template:
+    src: "k3s-agent.service.j2"
+    dest: "{{ systemd_dir }}/k3s-agent.service"
+    owner: root
+    group: root
+    mode: "u=rw,g=r,o=r"
+
+- name: Enable and check K3s service
+  ansible.builtin.systemd:
+    name: k3s-agent
+    daemon_reload: "{{ true if k3s_agent_service.changed else false }}"
+    state: "{{ 'restarted' if (k3s_agent_service.changed or _agent_config_result.changed) else 'started' }}"
+    enabled: true

infrastructure/k3s-ansible/roles/k3s_agent/templates/k3s-agent.service.j2

@@ -0,0 +1,29 @@
+[Unit]
+Description=Lightweight Kubernetes
+Documentation=https://k3s.io
+Wants=network-online.target
+After=network-online.target
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+Type=notify
+EnvironmentFile=-/etc/default/%N
+EnvironmentFile=-/etc/sysconfig/%N
+EnvironmentFile=-/etc/systemd/system/k3s-agent.service.env
+KillMode=process
+Delegate=yes
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNOFILE=1048576
+LimitNPROC=infinity
+LimitCORE=infinity
+TasksMax=infinity
+TimeoutStartSec=0
+Restart=always
+RestartSec=5s
+ExecStartPre=/bin/sh -xc '! /usr/bin/systemctl is-enabled --quiet nm-cloud-setup.service'
+ExecStartPre=-/sbin/modprobe br_netfilter
+ExecStartPre=-/sbin/modprobe overlay
+ExecStart=/usr/local/bin/k3s agent --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} {{ extra_agent_args }}

infrastructure/k3s-ansible/roles/k3s_server/defaults/main.yml

@@ -0,0 +1,11 @@
+---
+k3s_server_location: "/var/lib/rancher/k3s"
+systemd_dir: "/etc/systemd/system"  # noqa var-naming[no-role-prefix]
+api_port: 6443  # noqa var-naming[no-role-prefix]
+kubeconfig: ~/.kube/config.new  # noqa var-naming[no-role-prefix]
+user_kubectl: true  # noqa var-naming[no-role-prefix]
+cluster_context: k3s-ansible  # noqa var-naming[no-role-prefix]
+server_group: server  # noqa var-naming[no-role-prefix]
+agent_group: agent  # noqa var-naming[no-role-prefix]
+use_external_database: false # noqa var-naming[no-role-prefix]
+extra_server_args: "" # noqa var-naming[no-role-prefix]