Use tinc for private networking

group_vars/all/vars.yml

@@ -1,18 +1,5 @@
 ---
 ansible_python_interpreter: /usr/bin/python3
-initial_master: master1
-tinc_primary_router: proxy1
-vpn_interface: tun0
-
-# Kubernetes
-kubernetes_apt_key: https://packages.cloud.google.com/apt/doc/apt-key.gpg
-kubernetes_apt_channel: main
-kubernetes_release: xenial
-kubernetes_version: 1.11.3
-kubernetes_version_apt: "{{kubernetes_version}}-00"
-kubernetes_port: 6443
-
-etcd_version: "3.2.24"
 
 harden_linux_root_password: "{{k8s_scaleway_root_password}}"
 harden_linux_deploy_user: deploy

inventories/staging/group_vars/all.yml

@@ -0,0 +1,10 @@
+---
+kubeadm_enabled: true
+kube_api_anonymous_auth: true
+skip_non_kubeadm_warning: false
+helm_enabled: true
+ingress_nginx_enabled: true
+ingress_nginx_host_network: true
+ingress_nginx_nodeselector:
+  node-role.kubernetes.io/node: ""
+cert_manager_enabled: true

inventories/staging/group_vars/k8s-cluster.yml

@@ -1,2 +1,6 @@
+---
+ip: "{{vpn_ip}}"
 kube_network_plugin: flannel
 bin_dir: /usr/local/bin
+cluster_name: banditlair-staging
+dns_domain: k8s.staging.banditlair.com

inventories/staging/group_vars/kube-master.yml

@@ -0,0 +1,2 @@
+---
+vpn_ip: 192.168.66.{{ 0 +(inventory_hostname|regex_replace('\D+','')|int) }}

inventories/staging/group_vars/kube-node.yml

@@ -0,0 +1,2 @@
+---
+vpn_ip: 192.168.66.{{ 100 +( inventory_hostname|regex_replace('\D+','')|int) }}

k8s.yml

@@ -1,4 +1,9 @@
 ---
+- hosts: k8s-cluster
+  roles:
+    - role: tinc
+      tags: tinc
+
 - name: Include kubespray tasks
   import_playbook: kubespray/cluster.yml
 

roles/tinc/defaults/main.yml

@@ -1,8 +1,7 @@
 ---
-api_floating_ip: 192.168.66.253
 netname: meshvpn
 scw_private_domain: priv.cloud.scaleway.com
-tinc_primary_router: proxy1
+tinc_primary_router: master1
 tinc_route_default_ip: 192.168.66.1
 tinc_route_get_ip: 169.254.42.42
 vpn_interface: tun0

roles/tinc/tasks/main.yml

@@ -1,4 +1,9 @@
 ---
+- name: Install tinc
+  apt:
+    name: tinc
+    state: latest
+
 - name: Ensure tinc netname directory exists
   file:
     path: /etc/tinc/{{ netname }}/hosts
@@ -55,12 +60,7 @@
   lineinfile:
     dest: /etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}
     line: |-
-      {%- if "k8s_proxy" in group_names -%}
-        {%- set interface = 'ansible_' + tinc_private_interface | default('eth0') -%}
-        Address = {{ vars[interface].ipv4.address }}
-      {%- else -%}
         Address = {{ ansible_eth0.ipv4.address }}
-      {%- endif -%}
     create: yes
   notify:
     - restart tinc
@@ -74,14 +74,6 @@
   notify:
     - restart tinc
 
-# in case of multimaster we need to add a subnet line
-- name: Ensure that keepalived ip is properly set in tinc host file on k8s_masters
-  lineinfile:
-    dest: /etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}
-    line: "Subnet = {{ api_floating_ip }}/{{ vpn_subnet_cidr_netmask }}"
-    create: yes
-  when: groups.k8s_masters | length > 1
-
 - name: Check whether /etc/tinc/netname/hosts/inventory_hostname contains "-----END RSA PUBLIC KEY-----"
   command: awk '/^-----END RSA PUBLIC KEY-----$/'  /etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}
   changed_when: "public_key.stdout != '-----END RSA PUBLIC KEY-----'"

roles/tinc/templates/tinc-up.j2

@@ -1,16 +1,3 @@
 #!/bin/sh
 
 ifconfig {{ vpn_interface }} {{ vpn_ip }} netmask {{ vpn_netmask }}
-
-{% if inventory_hostname != tinc_primary_router %}
-ROUTE_GET_IP={{ tinc_route_get_ip }}
-INTERFACE=$(ip route get $ROUTE_GET_IP | head -n1 | sed -E 's/.+ dev ([^ ]+).+/\1/')
-GATEWAY=$(ip route | awk '$3 == "'$INTERFACE'" { print $1 }' | cut -d'/' -f1)
-
-ip route add 10.0.0.0/8 via $GATEWAY dev $INTERFACE
-ip route add 169.254.0.0/16 via $GATEWAY dev $INTERFACE
-ip route add 172.16.0.0/12 via $GATEWAY dev $INTERFACE
-ip route add 192.168.0.0/16 via $GATEWAY dev $INTERFACE
-
-ip route replace default via {{ tinc_route_default_ip }}
-{% endif %}