Separate from Kubernetes repo

kubernetes-nodes.yaml

@@ -0,0 +1,173 @@
+# This playbook sets up dependencies for the Kubernetes cluster nodes
+
+---
+- name: Reconfigure Kubernetes worker nodes
+  hosts:
+    - storage
+    - workers
+  tasks:
+    - name: Configure grub defaults
+      copy:
+        dest: "/etc/default/grub"
+        content: |
+          GRUB_DEFAULT=0
+          GRUB_TIMEOUT_STYLE=countdown
+          GRUB_TIMEOUT=5
+          GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
+          GRUB_CMDLINE_LINUX_DEFAULT="quiet splash memhp_default_state=online"
+          GRUB_CMDLINE_LINUX="memhp_default_state=online rootflags=pquota"
+      register: grub_defaults
+      when: ansible_architecture == 'x86_64'
+
+
+    - name: Load grub defaults
+      ansible.builtin.shell: update-grub
+      when: grub_defaults.changed
+
+    - name: Ensure nfs-common is installed
+      ansible.builtin.apt:
+        name: nfs-common
+        state: present
+
+- name: Reconfigure Kubernetes nodes
+  hosts: kubernetes
+  vars:
+    KUBERNETES_VERSION: v1.30.3
+    IP: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}"
+  tasks:
+    - name: Remove APT packages
+      ansible.builtin.apt:
+        name: "{{ item }}"
+        state: absent
+      loop:
+        - kubelet
+        - kubeadm
+        - kubectl
+
+    - name: Download kubectl, kubeadm, kubelet
+      ansible.builtin.get_url:
+        url: "https://cdn.dl.k8s.io/release/{{ KUBERNETES_VERSION }}/bin/linux/{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}/{{ item }}"
+        dest: "/usr/bin/{{ item }}-{{ KUBERNETES_VERSION }}"
+        mode: '0755'
+      loop:
+        - kubelet
+        - kubectl
+        - kubeadm
+
+    - name: Create symlinks for kubectl, kubeadm, kubelet
+      ansible.builtin.file:
+        src: "/usr/bin/{{ item }}-{{ KUBERNETES_VERSION }}"
+        dest: "/usr/bin/{{ item }}"
+        state: link
+      loop:
+        - kubelet
+        - kubectl
+        - kubeadm
+      register: kubelet
+
+    - name: Restart Kubelet
+      service:
+        name: kubelet
+        enabled: true
+        state: restarted
+      when: kubelet.changed
+
+    - name: Create /etc/systemd/system/kubelet.service
+      ansible.builtin.copy:
+        content: |
+          [Unit]
+          Description=kubelet: The Kubernetes Node Agent
+          Documentation=https://kubernetes.io/docs/home/
+          Wants=network-online.target
+          After=network-online.target
+          [Service]
+          ExecStart=/usr/local/bin/kubelet
+          Restart=always
+          StartLimitInterval=0
+          RestartSec=10
+          [Install]
+          WantedBy=multi-user.target
+        dest: /etc/systemd/system/kubelet.service
+
+    - name: Reconfigure shutdownGracePeriod
+      ansible.builtin.lineinfile:
+        path: /var/lib/kubelet/config.yaml
+        regexp: '^shutdownGracePeriod:'
+        line: 'shutdownGracePeriod: 5m'
+
+    - name: Reconfigure shutdownGracePeriodCriticalPods
+      ansible.builtin.lineinfile:
+        path: /var/lib/kubelet/config.yaml
+        regexp: '^shutdownGracePeriodCriticalPods:'
+        line: 'shutdownGracePeriodCriticalPods: 5m'
+
+    - name: Work around unattended-upgrades
+      ansible.builtin.lineinfile:
+        path: /lib/systemd/logind.conf.d/unattended-upgrades-logind-maxdelay.conf
+        regexp: '^InhibitDelayMaxSec='
+        line: 'InhibitDelayMaxSec=5m0s'
+
+    - name: Disable unneccesary services
+      ignore_errors: true
+      loop:
+        - gdm3
+        - snapd
+        - bluetooth
+        - multipathd
+      service:
+        name: "{{item}}"
+        state: stopped
+        enabled: false
+
+    - name: Reset /etc/containers/registries.conf
+      ansible.builtin.copy:
+        content: "unqualified-search-registries = [\"docker.io\"]\n"
+        dest: /etc/containers/registries.conf
+      register: registries
+
+    - name: Restart CRI-O
+      service:
+        name: cri-o
+        state: restarted
+      when: registries.changed
+
+    - name: Reset /etc/modules
+      ansible.builtin.copy:
+        content: |
+          overlay
+          br_netfilter
+        dest: /etc/modules
+      register: kernel_modules
+    - name: Load kernel modules
+      ansible.builtin.shell: "cat /etc/modules | xargs -L 1 -t modprobe"
+      when: kernel_modules.changed
+
+    - name: Reset /etc/sysctl.d/99-k8s.conf
+      ansible.builtin.copy:
+        content: |
+          net.ipv4.conf.all.accept_redirects  = 0
+          net.bridge.bridge-nf-call-iptables  = 1
+          net.ipv4.ip_forward                 = 1
+          net.bridge.bridge-nf-call-ip6tables = 1
+          vm.max_map_count                    = 524288
+          fs.inotify.max_user_instances       = 1280
+          fs.inotify.max_user_watches         = 655360
+        dest: /etc/sysctl.d/99-k8s.conf
+      register: sysctl
+
+    - name: Reload sysctl config
+      ansible.builtin.shell: "sysctl --system"
+      when: sysctl.changed
+
+    - name: Reconfigure kube-apiserver to use Passmower OIDC endpoint
+      ansible.builtin.template:
+        src: kube-apiserver.j2
+        dest: /etc/kubernetes/manifests/kube-apiserver.yaml
+        mode: 600
+      register: apiserver
+      when:
+        - inventory_hostname in groups["masters"]
+
+    - name: Restart kube-apiserver
+      ansible.builtin.shell: "killall kube-apiserver"
+      when: apiserver.changed