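---
# ansible-galaxy install -r requirements.yaml
#
# Three plays:
#   1. Install cri-o (apt repo + crictl) on a single worker.
#   2. Tune grub / install nfs-common on storage + worker nodes.
#   3. Install pinned kubelet/kubeadm/kubectl binaries, kubelet config,
#      CRI-O registry config, kernel modules and sysctls on all nodes;
#      on masters, template the kube-apiserver static-pod manifest.
#
# Fixes vs. the previous revision:
#   - the apt signing key referenced by `signed-by=` is now actually
#     fetched (the task was commented out, so `apt update` could not
#     verify the repo);
#   - the crictl copy task referenced an undefined register
#     (`exporter_download_check`) and copied from the controller instead
#     of the remote host;
#   - integer file modes (`mode: 644`) are interpreted as DECIMAL by
#     Ansible (644 == 0o1204), so they are now quoted octal strings;
#   - release binaries are verified against the published .sha256 files;
#   - kubelet is restarted AFTER its config/drop-in are templated, and a
#     change in either now triggers the restart.

- name: Install cri-o
  hosts:
    - worker9.kube.k-space.ee
  vars:
    # Used both for the pkgs.k8s.io repo path and the crictl release tag.
    # NOTE(review): cri-tools release tags are three-part (vX.Y.Z), so the
    # crictl download URL may need its own variable — confirm before relying
    # on the crictl tasks below.
    CRIO_VERSION: "v1.30"
    ARCH: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
    CRIO_KEYRING: /etc/apt/keyrings/cri-o-apt-keyring.gpg
  tasks:
    - name: ensure curl is installed
      # gnupg is needed by the dearmor step below.
      ansible.builtin.apt:
        name:
          - curl
          - gnupg
        state: present

    - name: Ensure /etc/apt/keyrings exists
      ansible.builtin.file:
        path: /etc/apt/keyrings
        state: directory
        mode: "0755"

    - name: add k8s repo apt key
      # Idempotent via `creates`: gpg --dearmor refuses to overwrite an
      # existing file non-interactively, which is why the previous attempt
      # failed on re-runs.  Delete the keyring to force a refresh.
      ansible.builtin.shell:
        cmd: >-
          set -o pipefail &&
          curl -fsSL https://pkgs.k8s.io/addons:/cri-o:/stable:/{{ CRIO_VERSION }}/deb/Release.key
          | gpg --dearmor -o {{ CRIO_KEYRING }}
        creates: "{{ CRIO_KEYRING }}"
        executable: /bin/bash

    - name: add k8s repo
      # signed-by pins verification to the keyring above; the repo is only
      # usable once that file exists.
      ansible.builtin.apt_repository:
        repo: "deb [signed-by={{ CRIO_KEYRING }}] https://pkgs.k8s.io/addons:/cri-o:/stable:/{{ CRIO_VERSION }}/deb/ /"
        state: present
        filename: cri-o

    - name: check current crictl version
      ansible.builtin.command: "/usr/bin/crictl --version"
      failed_when: false
      changed_when: false
      register: crictl_version_check

    - name: download crictl
      # Extracts into /tmp on the remote; only runs when crictl is missing
      # or does not report CRIO_VERSION.
      ansible.builtin.unarchive:
        src: "https://github.com/kubernetes-sigs/cri-tools/releases/download/{{ CRIO_VERSION }}/crictl-{{ CRIO_VERSION }}-linux-{{ ARCH }}.tar.gz"
        dest: /tmp
        remote_src: true
      when: CRIO_VERSION not in (crictl_version_check.stdout | default(''))
      register: crictl_download_check

    - name: move crictl binary into place
      # remote_src: the tarball was extracted on the remote host, not on the
      # controller.  Condition now references the register defined above.
      ansible.builtin.copy:
        src: /tmp/crictl
        dest: "/usr/bin/crictl"
        remote_src: true
        mode: "0755"
      when: crictl_download_check is changed

    - name: ensure crio is installed
      ansible.builtin.apt:
        name: cri-o
        state: present

- name: Reconfigure Kubernetes worker nodes
  hosts:
    - storage
    - workers
  tasks:
    - name: Configure grub defaults
      # Only x86_64 hosts get the grub file; on other archs grub_defaults is
      # a skipped result (changed == false) so update-grub is not run.
      ansible.builtin.copy:
        dest: "/etc/default/grub"
        content: |
          GRUB_DEFAULT=0
          GRUB_TIMEOUT_STYLE=countdown
          GRUB_TIMEOUT=5
          GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
          GRUB_CMDLINE_LINUX_DEFAULT="quiet splash memhp_default_state=online"
          GRUB_CMDLINE_LINUX="memhp_default_state=online rootflags=pquota"
        mode: "0644"
      register: grub_defaults
      when: ansible_architecture == 'x86_64'

    - name: Load grub defaults
      ansible.builtin.command: update-grub
      when: grub_defaults.changed

    - name: Ensure nfs-common is installed
      ansible.builtin.apt:
        name: nfs-common
        state: present

- name: Reconfigure Kubernetes nodes
  hosts: kubernetes
  vars:
    KUBERNETES_VERSION: v1.30.3
    ARCH: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
    # Consumed by the templates (kubelet.j2 / 10-kubeadm.j2 / kube-apiserver.j2).
    IP: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}"
  tasks:
    - name: Remove APT packages
      # Distro packages are replaced by the pinned upstream binaries below.
      ansible.builtin.apt:
        name: "{{ item }}"
        state: absent
      loop:
        - kubelet
        - kubeadm
        - kubectl

    - name: Download kubectl, kubeadm, kubelet
      # Each binary is verified against the .sha256 file published alongside
      # it; get_url fails (and leaves no file) on mismatch.
      ansible.builtin.get_url:
        url: "https://cdn.dl.k8s.io/release/{{ KUBERNETES_VERSION }}/bin/linux/{{ ARCH }}/{{ item }}"
        checksum: "sha256:https://cdn.dl.k8s.io/release/{{ KUBERNETES_VERSION }}/bin/linux/{{ ARCH }}/{{ item }}.sha256"
        dest: "/usr/bin/{{ item }}-{{ KUBERNETES_VERSION }}"
        mode: '0755'
      loop:
        - kubelet
        - kubectl
        - kubeadm

    - name: Create /etc/systemd/system/kubelet.service
      ansible.builtin.copy:
        content: |
          [Unit]
          Description=kubelet: The Kubernetes Node Agent
          Documentation=https://kubernetes.io/docs/home/
          Wants=network-online.target
          After=network-online.target

          [Service]
          ExecStart=/usr/bin/kubelet
          Restart=always
          StartLimitInterval=0
          RestartSec=10

          [Install]
          WantedBy=multi-user.target
        dest: /etc/systemd/system/kubelet.service
        mode: "0644"
      register: kubelet_service

    - name: Create symlinks for kubectl, kubeadm, kubelet
      # Versioned binaries stay on disk; the unversioned name is a symlink so
      # a version bump is a symlink flip.
      ansible.builtin.file:
        src: "/usr/bin/{{ item }}-{{ KUBERNETES_VERSION }}"
        dest: "/usr/bin/{{ item }}"
        state: link
      loop:
        - kubelet
        - kubectl
        - kubeadm
      register: kubelet

    - name: Ensure /var/lib/kubelet exists
      ansible.builtin.file:
        path: /var/lib/kubelet
        state: directory

    - name: Configure kubelet
      ansible.builtin.template:
        src: kubelet.j2
        dest: /var/lib/kubelet/config.yaml
        mode: "0644"
      register: kubelet_config

    - name: Ensure /etc/systemd/system/kubelet.service.d/ exists
      ansible.builtin.file:
        path: /etc/systemd/system/kubelet.service.d
        state: directory

    - name: Configure kubelet service
      ansible.builtin.template:
        src: 10-kubeadm.j2
        dest: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
        mode: "0644"
      register: kubelet_dropin

    - name: Restart Kubelet
      # Runs after the unit, drop-in, binaries and config are all in place so
      # a change to any of them is picked up by this one restart.
      ansible.builtin.service:
        name: kubelet
        enabled: true
        state: restarted
        daemon_reload: true
      when: >
        kubelet.changed
        or kubelet_service.changed
        or kubelet_config.changed
        or kubelet_dropin.changed

    # TODO: register new node if needed

    - name: Disable unneccesary services
      # ignore_errors: not every host has every unit installed.
      ignore_errors: true
      loop:
        - gdm3
        - snapd
        - bluetooth
        - multipathd
        - zram
      ansible.builtin.service:
        name: "{{ item }}"
        state: stopped
        enabled: false

    - name: Ensure /etc/containers exists
      ansible.builtin.file:
        path: /etc/containers
        state: directory

    - name: Reset /etc/containers/registries.conf
      # Explicit short-name resolution so `image:tag` only ever means docker.io.
      ansible.builtin.copy:
        content: "unqualified-search-registries = [\"docker.io\"]\n"
        dest: /etc/containers/registries.conf
        mode: "0644"
      register: registries

    - name: Restart CRI-O
      ansible.builtin.service:
        name: cri-o
        state: restarted
      when: registries.changed

    - name: Reset /etc/modules
      ansible.builtin.copy:
        content: |
          overlay
          br_netfilter
        dest: /etc/modules
        mode: "0644"
      register: kernel_modules

    - name: Load kernel modules
      # br_netfilter must be loaded before the net.bridge.* sysctls below
      # can be applied.
      ansible.builtin.command: "modprobe {{ item }}"
      loop:
        - overlay
        - br_netfilter
      when: kernel_modules.changed

    - name: Reset /etc/sysctl.d/99-k8s.conf
      ansible.builtin.copy:
        content: |
          net.ipv4.conf.all.accept_redirects = 0
          net.bridge.bridge-nf-call-iptables = 1
          net.ipv4.ip_forward = 1
          net.bridge.bridge-nf-call-ip6tables = 1
          vm.max_map_count = 524288
          fs.inotify.max_user_instances = 1280
          fs.inotify.max_user_watches = 655360
        dest: /etc/sysctl.d/99-k8s.conf
        mode: "0644"
      register: sysctl

    - name: Reload sysctl config
      ansible.builtin.command: "sysctl --system"
      when: sysctl.changed

    - name: Reconfigure kube-apiserver to use Passmower OIDC endpoint
      # Static-pod manifest; 0600 because it carries apiserver flags.
      ansible.builtin.template:
        src: kube-apiserver.j2
        dest: /etc/kubernetes/manifests/kube-apiserver.yaml
        mode: "0600"
      register: apiserver
      when:
        - inventory_hostname in groups["masters"]

    - name: Restart kube-apiserver
      # kubelet recreates the static pod after the process is killed.
      ansible.builtin.command: "killall kube-apiserver"
      when: apiserver.changed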