Inventory file has been added

Author: alsmk

.github/workflows/provision.yml

@@ -26,25 +26,42 @@ on:
           - application
           - tools
           - fail2ban
-          - data-partition
-          - ufw
           - decrypt-on-boot
-      
+          - metrics-server
+          - checks
+          - containerd-setup
+          - kubernetes-installation
+          - control-plane-init
+          - cni-plugin-installation
+          - join-workers
+          - system-preparation
+
 jobs:
   provision:
-    runs-on: [self-hosted]
+    runs-on: ubuntu-24.04
+    environment: ${{ inputs.environment }}
     steps:
       - name: Collect ssh key from secrets
         run: |
-          echo "${{ secrets.SSH_PRIVATE_KEY }}" > /tmp/id_rsa
+          echo "${{ secrets.SSH_KEY }}" > /tmp/id_rsa
           chmod 600 /tmp/id_rsa
+        env:
+          SSH_KEY: ${{ secrets.SSH_KEY }}
 
       - name: checkout repository
         uses: actions/checkout@v4
 
       - name: Run Ansible Playbook
-        run: |
-          ansible-playbook infrastructure/infrastructure/server-setup/playbook-k8s.yml \
-          -i infrastructure/infrastructure/server-setup/inventory/e2e-test.yml \
-          --private-key /tmp/id_rsa \
-          --extra-vars="ansible_user=provision"
+        uses: dawidd6/action-ansible-playbook@v4
+        env:
+          ANSIBLE_PERSISTENT_COMMAND_TIMEOUT: 10
+          ANSIBLE_SSH_TIMEOUT: 10
+          ANSIBLE_SSH_RETRIES: 5
+        with:
+          playbook: playbook-k8s.yml
+          directory: ./infrastructure/server-setup
+          options: |
+            --verbose
+            --inventory inventory/${{ inputs.environment }}.yml
+            --private-key /tmp/id_rsa
+            ${{ inputs.tags != 'all' && format('--tags={0}', inputs.tags) || '' }}

infrastructure/server-setup/group_vars/all.yml

@@ -14,3 +14,6 @@ backup_server_user: 'backup'
 backup_server_user_home: '/home/backup'
 crontab_user: root
 provisioning_user: provision
+kubernetes_version: "v1.33"
+pod_network_cidr: "192.168.0.0/16"
+calico_version: "v3.26.1"

infrastructure/server-setup/inventory/e2e.yml

@@ -0,0 +1,28 @@
+all:
+  vars:
+    ansible_ssh_common_args: '-o StrictHostKeyChecking=no'
+    ansible_user: provision
+    single_node: false
+    users: 
+      - name: shoumik
+        ssh_keys: 
+          - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC24iEmVR5UKl51apaLRpJKcGpW3D900F/wSD+8CiNTVZJ56b1+HPteQHzEXDFEh5bl5IEJCkhE5S6sdYLCK6n+UgauJWrSNHm0+xgAXpR6Zv7qo9sCVwrkbr9uZw/14l7mUTjv4gj9sTvkrjRW8LlBKvkqUXEadustDriJCbfkLxLwtHydwp/r8IAuCp1pfx3VblZBbDS+6R5S1f8qsr0nGHU7pmesW+jkyTzGWZuUrE8o8J9BB244CcIXrPjRzdiX/jU0O/HMrgfnlvVuVaA3W1KvYIrD4wOb9LUfUc22Bd/tpV1ZGJBV/A+fxOmZZjmlhTNxztLaXOIwjywDSUm5BxxgbIeY6ntobIWr3LNlF714nYOqjOGM3gncmbmpCqxHO04r8Wh5fCyEPDd0L8YfIJD5GZTJ6KRsP9l1M8uZ35N+AhOLhDNcWwWJuuA1inMmRFIwBCRAw6BRX9XRK2AYfmVZkU5cBbq9v+f6UAkRaMFl1rtG0UDDNTKk9HQ+Qj65tfgEs580dM0d+I5rF4KvRXZqrgrGIbn2BwOaxcbcor6v1YE4IE5UnS7YqOZqWoquSF3oWTEWYWtPlaLiu/04KaRDMGOwYglhgGQbHmMXdrKuOhKyulilyUtkNCxXCGBEqDSUjWJdp09rjN+rK+gNQ8jocG5fYg7QO/SWhOBM/w== alhel444@gmail.com
+        state: present
+        sudoer: true
+
+      - name: vmudryi
+        ssh_keys:
+          - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINgMcsSBwTE0EbMDRSF1T4vJDcN/5HAjKGbi2DqV7g/Q vmudryi@opencrvs.org
+        state: present
+        sudoer: true
+  children:
+    master:
+      hosts:
+        test-k8s-master:
+          ansible_host: 5.78.158.131
+    workers:
+      hosts:
+        test-k8s-worker-0:
+          ansible_host: 5.78.67.216
+        test-k8s-worker-1:
+          ansible_host: 5.78.133.88

infrastructure/server-setup/k8s.yml

@@ -0,0 +1,50 @@
+---
+- name: Setup Kubernetes Cluster
+  hosts: all
+  gather_facts: yes
+  tasks:
+    - name: Include system preparation tasks
+      include_tasks: tasks/system-preparation.yml
+      tags:
+        - system-preparation
+      
+    - name: Include containerd installation tasks
+      include_tasks: tasks/install-containerd.yml
+      tags:
+        - containerd-setup
+
+    - name: Include Kubernetes installation tasks
+      include_tasks: tasks/install-kubernetes.yml
+      tags:
+        - kubernetes-installation
+
+- name: Initialize Kubernetes Master
+  hosts: master
+  tasks:
+    - name: Include master initialization tasks
+      include_tasks: tasks/init-master.yml
+      tags:
+        - control-plane-init
+
+    - name: Include network plugin installation tasks
+      include_tasks: tasks/install-network-plugin.yml
+      tags:
+        - cni-plugin-installation
+
+- name: Join Worker Nodes
+  hosts: workers
+  
+  tasks:
+    - name: Include worker join tasks
+      include_tasks: tasks/join-workers.yml
+      tags:
+        - join-workers
+      when: single_node == false
+
+- name: Install metrics server
+  hosts: master
+  tasks:
+    - name: Install metrics server on control plane
+      include_tasks: tasks/metrics-server.yml
+  tags:
+    - metrics-server

infrastructure/server-setup/playbook-k8s.yml

@@ -0,0 +1,83 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# OpenCRVS is also distributed under the terms of the Civil Registration
+# & Healthcare Disclaimer located at http://opencrvs.org/license.
+#
+# Copyright (C) The OpenCRVS Authors located at https://github.com/opencrvs/opencrvs-core/blob/master/AUTHORS.
+---
+
+- hosts: all
+  become: yes
+  gather_facts: yes
+  ignore_unreachable: false
+  become_method: sudo
+  tasks:
+    - include_tasks:
+        file: tasks/checks.yml
+        apply:
+          tags:
+            - checks
+      tags:
+        - checks
+      
+    - include_tasks:
+        file: tasks/updates.yml
+        apply:
+          tags:
+            - updates   
+
+    - include_tasks:
+        file: tasks/users.yml
+        apply:
+          tags:
+            - users
+      tags:
+        - users
+        
+    - include_tasks:
+        file: tasks/application.yml
+        apply:
+          tags:
+            - application
+      tags:
+        - application
+
+    - include_tasks:
+        file: tasks/tools.yml
+        apply:
+          tags:
+            - tools
+      tags:
+        - tools
+
+    - include_tasks:
+        file: tasks/fail2ban.yml
+        apply:
+          tags:
+            - fail2ban
+      tags:
+        - fail2ban
+
+    - name: 'Copy logrotate script'
+      copy:
+        src: ../logrotate.conf
+        dest: /etc/
+
+
+    - name: 'Save system logs to Papertrail'
+      register: papaertrailSystemLogs
+      shell: ' cd / && wget -qO - --header="X-Papertrail-Token: {{ papertrail_token }}" \ https://papertrailapp.com/destinations/16712142/setup.sh | sudo bash >> /var/log/papertrail.log 2>&1'
+      when: papertrail_token is defined
+
+    - include_tasks:
+        file: tasks/decrypt-on-boot.yml
+        apply:
+          tags:
+            - decrypt-on-boot
+      tags:
+        - decrypt-on-boot
+
+- import_playbook: k8s.yml
+

infrastructure/server-setup/tasks/checks.yml

@@ -1,26 +1,34 @@
-- name: Check if external_backup_server_user is set
+- name: Check if single_node is defined
   fail:
-    msg: 'external_backup_server_user variable was deprecated in OpenCRVS 1.5. Please rename the variable to backup_server_remote_target_directory'
-  when: external_backup_server_user is defined
+    msg: |
+      Configuration error: single_node variable is not defined.
+      Please add 'single_node: true' or 'single_node: false' under the 'all.vars' section.
+  when: single_node is not defined
 
-- name: Check if external_backup_server_remote_directory is set
-  fail:
-    msg: 'external_backup_server_remote_directory variable was deprecated in OpenCRVS 1.5. Please rename the variable to backup_server_remote_target_directory'
-  when: external_backup_server_remote_directory is defined
+- name: Get all Node groups 
+  set_fact:
+    child_groups: "{{ groups.keys() | difference(['all', 'ungrouped']) | list }}"
+
+- name: Display child groups
+  debug:
+    msg: "Detected Node groups: {{ child_groups }}"
 
-- name: 'Check mandatory variables are defined'
-  assert:
-    that:
-      - mongodb_admin_username is defined
-      - mongodb_admin_password is defined
-      - elasticsearch_superuser_password is defined
-      - encrypted_disk_size is defined
+- name: Fail if single_node is set to False and worker nodes are not present
+  fail:
+    msg: |
+      Configuration mismatch detected!
+      single_node is set to 'false' but only {{ child_groups | length }} group found: {{ child_groups }}
+      For multi-node setup (single_node: false), you need at least 2 groups (e.g., master and workers).
+  when: 
+    - single_node == false
+    - child_groups | length == 1
 
-- name: 'Prevent single-node configuration in production'
+- name: Fail if single_node is set to True and multiple groups are present
   fail:
-    msg: 'The production environment should always use more than one node. Please check the inventory file for production.'
-  when: >
-    (single_node | default(false)) == false and (
-      'docker-workers' not in groups or
-      groups['docker-workers'] | length == 0
-    )
+    msg: |
+      Configuration mismatch detected!
+      single_node is set to 'true' but multiple groups found: {{ child_groups }}
+      For single-node setup (single_node: true), only one group should be present.
+  when: 
+    - single_node == true
+    - child_groups | length > 1

infrastructure/server-setup/tasks/install-containerd.yml

@@ -6,15 +6,17 @@
 
 - name: Remove Docker's old version if it exists
   shell: sudo apt remove -y docker docker-engine docker.io containerd runc
+  ignore_errors: true
 
 - name: Remove Docker's official GPG key if it exists
   shell: sudo rm -f /etc/apt/trusted.gpg.d/docker.gpg
+  ignore_errors: true
 
 - name: Add Docker's official GPG key
   shell: curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/docker.gpg
 
 - name: Add Docker repository
-  shell: sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
+  shell: sudo add-apt-repository -y "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
 
 - name: Install containerd
   shell: |

infrastructure/server-setup/tasks/metrics-server.yml

@@ -0,0 +1,44 @@
+- name: Download manifest for metrics server
+  get_url:
+    url: https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
+    dest: /tmp/metrics-server.yaml
+    mode: '0644'
+
+- name: Install metrics server on control plane
+  shell: |
+    kubectl apply -f /tmp/metrics-server.yaml
+  become: yes
+  environment:
+    KUBECONFIG: /home/provision/.kube/config
+
+- name: Add --kubelet-insecure-tls to metrics-server
+  shell: |
+    kubectl -n kube-system patch deployment metrics-server \
+    --type='json' \
+    -p='[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--kubelet-insecure-tls"}]'
+  environment:
+    KUBECONFIG: /home/provision/.kube/config
+- name: Wait for metrics server to be ready
+  shell: |
+    kubectl wait --for=condition=ready pod -l k8s-app=metrics-server -n kube-system --timeout=30s
+  become: yes
+  retries: 3
+  delay: 1
+  environment:
+    KUBECONFIG: /home/provision/.kube/config
+- name: Verify metrics server installation
+  shell: |
+     kubectl get deployment metrics-server -n kube-system
+  become: yes
+  register: metrics_server_status
+  environment:
+    KUBECONFIG: /home/provision/.kube/config
+- name: Display metrics server status
+  debug:
+    msg: "Metrics server is installed and running: {{ metrics_server_status.stdout }}"
+  when: metrics_server_status.rc == 0
+
+- name: Clean up temporary files
+  file:
+    path: /tmp/metrics-server.yaml
+    state: absent

infrastructure/server-setup/tasks/tools.yml

@@ -8,6 +8,11 @@
     name: jq
     state: present
 
+- name: 'Install yq'
+  apt:
+    name: yq
+    state: present
+
 - name: 'Install pexpect python module for ansible expect commands'
   apt:
     name: python-3pexpect