provision new worker nodes with ansible
		| @@ -1,4 +1,58 @@ | |||||||
| --- | --- | ||||||
|  | # ansible-galaxy install -r requirements.yaml | ||||||
|  | - name: Install cri-o | ||||||
|  |   hosts: | ||||||
|  |     - worker9.kube.k-space.ee | ||||||
|  |   vars:  | ||||||
|  |     CRIO_VERSION: "v1.30" | ||||||
|  |   tasks: | ||||||
|  |     - name: ensure curl is installed | ||||||
|  |       ansible.builtin.apt: | ||||||
|  |         name: curl | ||||||
|  |         state: present | ||||||
|  |  | ||||||
|  |     - name: Ensure /etc/apt/keyrings exists | ||||||
|  |       ansible.builtin.file: | ||||||
|  |         path: /etc/apt/keyrings | ||||||
|  |         state: directory | ||||||
|  |  | ||||||
|  |     # TODO: fix | ||||||
|  |     # - name: add k8s repo apt key | ||||||
|  |     #   ansible.builtin.shell: "curl -fsSL https://pkgs.k8s.io/addons:/cri-o:/stable:/{{ CRIO_VERSION }}/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/cri-o-apt-keyring.gpg" | ||||||
|  |      | ||||||
|  |     - name: add k8s repo | ||||||
|  |       ansible.builtin.apt_repository: | ||||||
|  |         repo: "deb [signed-by=/etc/apt/keyrings/cri-o-apt-keyring.gpg] https://pkgs.k8s.io/addons:/cri-o:/stable:/{{ CRIO_VERSION }}/deb/ /"  | ||||||
|  |         state: present | ||||||
|  |         filename: cri-o | ||||||
|  |  | ||||||
|  |     - name: check current crictl version | ||||||
|  |       command: "/usr/bin/crictl --version" | ||||||
|  |       failed_when: false | ||||||
|  |       changed_when: false | ||||||
|  |       register: crictl_version_check | ||||||
|  |  | ||||||
|  |     - name: download crictl | ||||||
|  |       unarchive: | ||||||
|  |         src: "https://github.com/kubernetes-sigs/cri-tools/releases/download/{{ CRIO_VERSION }}/crictl-{{ CRIO_VERSION }}-linux-{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}.tar.gz" | ||||||
|  |         dest: /tmp | ||||||
|  |         remote_src: true | ||||||
|  |       when: > | ||||||
|  |         crictl_version_check.stdout is not defined or CRIO_VERSION not in crictl_version_check.stdout | ||||||
|  |       register: crictl_download_check | ||||||
|  |  | ||||||
|  |     - name: move crictl binary into place | ||||||
|  |       copy: | ||||||
|  |         src: /tmp/crictl | ||||||
|  |         dest: "/usr/bin/crictl" | ||||||
|  |       when: > | ||||||
|  |         exporter_download_check is changed | ||||||
|  |  | ||||||
|  |     - name: ensure crio is installed | ||||||
|  |       ansible.builtin.apt: | ||||||
|  |         name: cri-o | ||||||
|  |         state: present | ||||||
|  |  | ||||||
| - name: Reconfigure Kubernetes worker nodes | - name: Reconfigure Kubernetes worker nodes | ||||||
|   hosts: |   hosts: | ||||||
|     - storage |     - storage | ||||||
| @@ -40,7 +94,7 @@ | |||||||
|       loop: |       loop: | ||||||
|         - kubelet |         - kubelet | ||||||
|         - kubeadm |         - kubeadm | ||||||
|         - kubectl |         - kubectl  | ||||||
|  |  | ||||||
|     - name: Download kubectl, kubeadm, kubelet |     - name: Download kubectl, kubeadm, kubelet | ||||||
|       ansible.builtin.get_url: |       ansible.builtin.get_url: | ||||||
| @@ -52,6 +106,24 @@ | |||||||
|         - kubectl |         - kubectl | ||||||
|         - kubeadm |         - kubeadm | ||||||
|  |  | ||||||
|  |     - name: Create /etc/systemd/system/kubelet.service | ||||||
|  |       ansible.builtin.copy: | ||||||
|  |         content: | | ||||||
|  |           [Unit] | ||||||
|  |           Description=kubelet: The Kubernetes Node Agent | ||||||
|  |           Documentation=https://kubernetes.io/docs/home/ | ||||||
|  |           Wants=network-online.target | ||||||
|  |           After=network-online.target | ||||||
|  |           [Service] | ||||||
|  |           ExecStart=/usr/bin/kubelet | ||||||
|  |           Restart=always | ||||||
|  |           StartLimitInterval=0 | ||||||
|  |           RestartSec=10 | ||||||
|  |           [Install] | ||||||
|  |           WantedBy=multi-user.target | ||||||
|  |         dest: /etc/systemd/system/kubelet.service | ||||||
|  |       register: kubelet_service         | ||||||
|  |  | ||||||
|     - name: Create symlinks for kubectl, kubeadm, kubelet |     - name: Create symlinks for kubectl, kubeadm, kubelet | ||||||
|       ansible.builtin.file: |       ansible.builtin.file: | ||||||
|         src: "/usr/bin/{{ item }}-{{ KUBERNETES_VERSION }}" |         src: "/usr/bin/{{ item }}-{{ KUBERNETES_VERSION }}" | ||||||
| @@ -68,42 +140,32 @@ | |||||||
|         name: kubelet |         name: kubelet | ||||||
|         enabled: true |         enabled: true | ||||||
|         state: restarted |         state: restarted | ||||||
|       when: kubelet.changed |         daemon_reload: true | ||||||
|  |       when: kubelet.changed or kubelet_service.changed | ||||||
|  |  | ||||||
|     - name: Create /etc/systemd/system/kubelet.service |     - name: Ensure /var/lib/kubelet exists | ||||||
|       ansible.builtin.copy: |       ansible.builtin.file: | ||||||
|         content: | |         path: /var/lib/kubelet | ||||||
|           [Unit] |         state: directory | ||||||
|           Description=kubelet: The Kubernetes Node Agent |  | ||||||
|           Documentation=https://kubernetes.io/docs/home/ |  | ||||||
|           Wants=network-online.target |  | ||||||
|           After=network-online.target |  | ||||||
|           [Service] |  | ||||||
|           ExecStart=/usr/local/bin/kubelet |  | ||||||
|           Restart=always |  | ||||||
|           StartLimitInterval=0 |  | ||||||
|           RestartSec=10 |  | ||||||
|           [Install] |  | ||||||
|           WantedBy=multi-user.target |  | ||||||
|         dest: /etc/systemd/system/kubelet.service |  | ||||||
|  |  | ||||||
|     - name: Reconfigure shutdownGracePeriod |     - name: Configure kubelet | ||||||
|       ansible.builtin.lineinfile: |       ansible.builtin.template: | ||||||
|         path: /var/lib/kubelet/config.yaml |         src: kubelet.j2 | ||||||
|         regexp: '^shutdownGracePeriod:' |         dest: /var/lib/kubelet/config.yaml | ||||||
|         line: 'shutdownGracePeriod: 5m' |         mode: 644 | ||||||
|  |  | ||||||
|     - name: Reconfigure shutdownGracePeriodCriticalPods |     - name: Ensure /etc/systemd/system/kubelet.service.d/ exists | ||||||
|       ansible.builtin.lineinfile: |       ansible.builtin.file: | ||||||
|         path: /var/lib/kubelet/config.yaml |         path: /etc/systemd/system/kubelet.service.d | ||||||
|         regexp: '^shutdownGracePeriodCriticalPods:' |         state: directory | ||||||
|         line: 'shutdownGracePeriodCriticalPods: 5m' |  | ||||||
|  |  | ||||||
|     - name: Work around unattended-upgrades |     - name: Configure kubelet service | ||||||
|       ansible.builtin.lineinfile: |       ansible.builtin.template: | ||||||
|         path: /lib/systemd/logind.conf.d/unattended-upgrades-logind-maxdelay.conf |         src: 10-kubeadm.j2 | ||||||
|         regexp: '^InhibitDelayMaxSec=' |         dest: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf | ||||||
|         line: 'InhibitDelayMaxSec=5m0s' |         mode: 644 | ||||||
|  |  | ||||||
|  |     # TODO: register new node if needed | ||||||
|  |  | ||||||
|     - name: Disable unneccesary services |     - name: Disable unneccesary services | ||||||
|       ignore_errors: true |       ignore_errors: true | ||||||
| @@ -112,11 +174,17 @@ | |||||||
|         - snapd |         - snapd | ||||||
|         - bluetooth |         - bluetooth | ||||||
|         - multipathd |         - multipathd | ||||||
|  |         - zram | ||||||
|       service: |       service: | ||||||
|         name: "{{item}}" |         name: "{{item}}" | ||||||
|         state: stopped |         state: stopped | ||||||
|         enabled: no |         enabled: no | ||||||
|  |  | ||||||
|  |     - name: Ensure /etc/containers exists | ||||||
|  |       ansible.builtin.file: | ||||||
|  |         path: /etc/containers | ||||||
|  |         state: directory | ||||||
|  |  | ||||||
|     - name: Reset /etc/containers/registries.conf |     - name: Reset /etc/containers/registries.conf | ||||||
|       ansible.builtin.copy: |       ansible.builtin.copy: | ||||||
|         content: "unqualified-search-registries = [\"docker.io\"]\n" |         content: "unqualified-search-registries = [\"docker.io\"]\n" | ||||||
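Review bot: The `when: exporter_download_check is changed` guard on the "move crictl binary into place" task refers to a variable nothing in this play registers — the download task just above registers `crictl_download_check` — so with Ansible's default undefined-variable handling the play aborts the first time it reaches that task; it should read `when: crictl_download_check is changed`. The same task copies `/tmp/crictl` without `remote_src: true`, so `copy` looks for the unarchived binary on the control node rather than on the worker, and it sets no `mode`, so the installed binary keeps whatever the archive carried. The repository line in "add k8s repo" pins `signed-by=/etc/apt/keyrings/cri-o-apt-keyring.gpg` while the only task that would create that keyring is commented out as a TODO, so on a fresh worker apt has no key to verify the cri-o packages against and the source fails to update; fetching the Release.key with `ansible.builtin.get_url` into that path replaces the shell pipeline (recent apt accepts an ASCII-armored key in `signed-by`, worth confirming on the target release). `mode: 644` on the two template tasks is an unquoted integer, which Ansible reads as decimal 644 (octal 1204) and warns about; write `mode: "0644"`. The "Reconfigure Kubernetes worker nodes" play continues between and beyond the hunks shown.
```yaml
    - name: add cri-o repo apt key
      ansible.builtin.get_url:
        url: "https://pkgs.k8s.io/addons:/cri-o:/stable:/{{ CRIO_VERSION }}/deb/Release.key"
        dest: /etc/apt/keyrings/cri-o-apt-keyring.gpg
        mode: "0644"

    # … unchanged: add k8s repo, check current crictl version, download crictl …

    - name: move crictl binary into place
      copy:
        src: /tmp/crictl
        dest: "/usr/bin/crictl"
        remote_src: true
        mode: "0755"
      when: crictl_download_check is changed
```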
|   | |||||||
							
								
								
									
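--- a/ansible/templates/10-kubeadm.j2
+++ b/ansible/templates/10-kubeadm.j2
@@ -0,0 +1,12 @@
+# Note: This dropin only works with kubeadm and kubelet v1.11+
+[Service]
+Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
+Environment="KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml"
+# This is a file that "kubeadm init" and "kubeadm join" generates at runtime, populating the KUBELET_KUBEADM_ARGS variable dynamically
+EnvironmentFile=-/var/lib/kubelet/kubeadm-flags.env
+# This is a file that the user can use for overrides of the kubelet args as a last resort. Preferably, the user should use
+# the .NodeRegistration.KubeletExtraArgs object in the configuration files instead. KUBELET_EXTRA_ARGS should be sourced from this file.
+EnvironmentFile=-/etc/default/kubelet
+ExecStart=
+ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS
+StandardOutput=null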
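Review bot: The drop-in carries no marker that it is rendered by Ansible, and nothing in it uses Jinja even though it is deployed through `ansible.builtin.template`, so someone reading `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on a node has no hint that local edits will be overwritten; add a first line such as `# Managed by Ansible (ansible/templates/10-kubeadm.j2), mirrors the kubeadm-packaged drop-in; edit the template, not this file`. Because the playbook's own kubelet.service unit sets `ExecStart=/usr/bin/kubelet` with no arguments, the `ExecStart=` reset followed by the full command line here is what actually supplies the kubeconfig and config flags, which deserves a comment above the `ExecStart=` pair. `StandardOutput=null` discards only stdout; kubelet's logging is expected to go to stderr, so the journal should still receive it, but confirm that on a node before relying on journald for incident review.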
							
								
								
									
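--- a/ansible/templates/kubelet.j2
+++ b/ansible/templates/kubelet.j2
@@ -0,0 +1,43 @@
+apiVersion: kubelet.config.k8s.io/v1beta1
+authentication:
+  anonymous:
+    enabled: false
+  webhook:
+    cacheTTL: 0s
+    enabled: true
+  x509:
+    clientCAFile: /etc/kubernetes/pki/ca.crt
+authorization:
+  mode: Webhook
+  webhook:
+    cacheAuthorizedTTL: 0s
+    cacheUnauthorizedTTL: 0s
+cgroupDriver: systemd
+clusterDNS:
+- 10.96.0.10
+clusterDomain: cluster.local
+cpuManagerReconcilePeriod: 0s
+evictionPressureTransitionPeriod: 0s
+fileCheckFrequency: 0s
+healthzBindAddress: 127.0.0.1
+healthzPort: 10248
+httpCheckFrequency: 0s
+imageMinimumGCAge: 0s
+kind: KubeletConfiguration
+logging:
+  flushFrequency: 0
+  options:
+    json:
+      infoBufferSize: "0"
+  verbosity: 0
+memorySwap: {}
+nodeStatusReportFrequency: 0s
+nodeStatusUpdateFrequency: 0s
+rotateCertificates: true
+runtimeRequestTimeout: 0s
+shutdownGracePeriod: 5m
+shutdownGracePeriodCriticalPods: 5m
+staticPodPath: /etc/kubernetes/manifests
+streamingConnectionIdleTimeout: 0s
+syncFrequency: 0s
+volumeStatsAggPeriod: 0s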
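Review bot: Most durations in this file are `0s` (`cacheTTL`, `streamingConnectionIdleTimeout`, `nodeStatusUpdateFrequency`, …), which in a kubeadm-dumped KubeletConfiguration is the unset value the kubelet replaces with its own default, but read cold they look like timeouts and auth caches deliberately disabled; a header comment such as `# Managed by Ansible (ansible/templates/kubelet.j2). Snapshot of the kubeadm-generated config; 0s durations mean "kubelet default", not "disabled".` would stop the next person from "fixing" them. The template also hard-codes `clusterDNS` as `10.96.0.10` and `clusterDomain: cluster.local` with no Jinja variable, so it fits only this one cluster even though the rest of the playbook passes values through vars like `KUBERNETES_VERSION`; either say so in the same comment or promote them to vars. On the security side the file keeps anonymous auth off, x509 client-CA plus webhook authn/authz on, and `rotateCertificates: true`, which matches what a kubeadm join produces; since the playbook now overwrites `/var/lib/kubelet/config.yaml` on existing nodes, diffing this template against the live file on one current worker before rollout would confirm nothing kubeadm set locally (e.g. a per-node `serverTLSBootstrap` or feature gate) is silently dropped.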