diff --git a/.gitignore b/.gitignore
index 104a698..86d417c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,6 @@
 .vagrant
 .virtualenv
 *.retry
+.terraform*
+terraform.tfstate
+terraform.tfstate.backup
diff --git a/group_vars/all/vars b/group_vars/all/vars
index ffa32c0..f05fa88 100644
--- a/group_vars/all/vars
+++ b/group_vars/all/vars
@@ -1,18 +1,16 @@
 ---
+ansible_python_interpreter: /usr/bin/python3
 initial_master: master1
 tinc_primary_router: proxy1
 vpn_interface: tun0
-k8s_release: "1.10.6"
-k8s_apiserver_secure_port: "6443"
-k8s_ca_conf_directory: "{{ '~/k8s/certs' | expanduser }}"
-k8s_config_directory: "{{ '~/k8s/configs' | expanduser }}"
-k8s_ca_certificate_owner: "{{ harden_linux_deploy_user }}"
-k8s_ca_certificate_group: "root"
-k8s_config_cluster_name: banditlair.com
-k8s_encryption_config_directory: "{{k8s_config_directory}}"
-k8s_interface: "{{peervpn_conf_interface}}"
-k8s_conf_dir: /etc/kubernetes
+# Kubernetes
+kubernetes_apt_key: https://packages.cloud.google.com/apt/doc/apt-key.gpg
+kubernetes_apt_channel: main
+kubernetes_release: xenial
+kubernetes_version: 1.11.3
+kubernetes_version_apt: "{{kubernetes_version}}-00"
+kubernetes_port: 6443
 etcd_version: "3.2.24"
diff --git a/packer/common.yml b/packer/common.yml
new file mode 100644
index 0000000..4d7fff5
--- /dev/null
+++ b/packer/common.yml
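Review bot: The new `kubernetes_*` block in group_vars/all/vars duplicates the role defaults in roles/kubernetes/defaults/main.yml (the same six keys appear as context in that file's hunk further down in this diff), and since group_vars/all takes precedence over role defaults, the values in the role file become dead: a future `kubernetes_version` bump made only there will silently have no effect. Keep a single definition — either drop the keys from the role defaults, or keep only the role file and make the Packer build load that role instead of copying its variables. If the copy is kept for the Packer run, a comment above the block such as `# Duplicated from roles/kubernetes/defaults/main.yml for packer/common.yml; keep in sync` at least records the coupling. The removed `k8s_*` keys were presumably read by templates or tasks elsewhere; confirm nothing under roles/ still references `k8s_conf_dir` or `k8s_ca_conf_directory` before merging.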
@@ -0,0 +1,56 @@
+---
+- hosts: localhost
+ tasks:
+ - name: Install tinc and ping
+ apt:
+ name: [ 'tinc', 'iputils-ping' ]
+ state: latest
+
+ - name: Adding Kubernetes official gpg key
+ apt_key:
+ url: "{{ kubernetes_apt_key }}"
+ state: present
+
+ - name: Adding Kubernetes repository
+ apt_repository:
+ repo: "deb http://apt.kubernetes.io/ kubernetes-{{ kubernetes_release }} {{ kubernetes_apt_channel }}"
+ state: present
+ filename: 'kubernetes'
+
+ - name: Installing kubernetes core components (kubectl, kubelet ...)
+ apt:
+ name: ['kubelet={{kubernetes_version_apt}}', 'kubeadm={{kubernetes_version_apt}}', 'kubectl={{kubernetes_version_apt}}']
+ register: result
+ retries: 3
+ until: result is success
+
+ - name: Get the kernel revision
+ shell: "uname -r"
+ register: kernel
+ changed_when: False
+ check_mode: False
+
+ - name: Try install linux-image
+ apt:
+ state: present
+ name: "{{ 'linux-image-' + kernel.stdout }}"
+ register: result
+ failed_when: False
+
+ - name: modprobe
+ modprobe:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - ip_vs
+ - nf_conntrack_ipv4
+
+ - name: /etc/modules
+ lineinfile:
+ path: /etc/modules
+ line: "{{ item }}"
+ with_items:
+ - ip_vs
+ - nf_conntrack_ipv4
+ roles:
+ - role: docker
diff --git a/packer/packer.json b/packer/packer.json
new file mode 100644
index 0000000..fd248f5
--- /dev/null
+++ b/packer/packer.json
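Review bot: The `apt_key` task accepts whatever key the URL serves, since it passes only `url:` and no `id:`, and the repository added right after it is fetched over plain `http://apt.kubernetes.io/`; TLS protects the key download in transit but nothing asserts it is the expected key, so adding `id: "<FULL_FINGERPRINT_OF_THE_KUBERNETES_APT_KEY>"` (kept next to `kubernetes_apt_key` in the vars) makes the image build fail loudly if the served key ever differs. `failed_when: False` on `Try install linux-image` swallows every apt error, not only the missing-package case the task name suggests; if that is the only expected failure, narrow the condition to it and let anything else fail the build. `roles:` listed after `tasks:` is easy to misread: Ansible runs roles before tasks regardless of where they appear in the play, so the docker role runs first; moving `roles:` above `tasks:` makes that order visible. `state: latest` for tinc and iputils-ping also makes successive image builds differ; use `state: present` or pinned versions if reproducible images are a goal.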
@@ -0,0 +1,58 @@
+{
+ "variables": {
+ "api_access_key": "{{ env `SCALEWAY_ORGANIZATION` }}",
+ "api_token": "{{ env `SCALEWAY_TOKEN` }}",
+ "vault_pass_file": ""
+ },
+ "builders": [
+ {
+ "type": "scaleway",
+ "api_access_key": "{{ user `api_access_key` }}",
+ "api_token": "{{ user `api_token` }}",
+ "server_name": "k8s-template",
+ "image_name": "ubuntu-bionic-k8s",
+ "snapshot_name": "ubuntu-bionic-k8s-snapshot",
+ "image": "d4067cdc-dc9d-4810-8a26-0dae51d7df42",
+ "region": "par1",
+ "commercial_type": "START1-S",
+ "ssh_username": "root"
+ }
+ ],
+ "provisioners": [
+ {
+ "type": "shell",
+ "inline": [
+ "sleep 30",
+ "apt -y update",
+ "DEBIAN_FRONTEND=noninteractive apt-get -y upgrade",
+ "apt -y install software-properties-common",
+ "apt-add-repository ppa:ansible/ansible",
+ "apt -y update",
+ "apt -y install ansible"
+ ]
+ },
+ {
+ "type": "file",
+ "source": "{{ user `vault_pass_file` }}",
+ "destination": "/tmp/vault-pass"
+ },
+ {
+ "type": "ansible-local",
+ "role_paths": "../roles/docker",
+ "group_vars": "../group_vars",
+ "clean_staging_directory": true,
+ "playbook_file": "common.yml",
+ "extra_arguments": "--vault-password-file=/tmp/vault-pass"
+ },
+ {
+ "type": "shell",
+ "inline": [
+ "rm -f /tmp/vault-pass",
+ "apt -y remove --purge ansible",
+ "apt-add-repository --remove ppa:ansible/ansible",
+ "apt autoremove -y",
+ "apt update"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml
index 807a3c9..a40ef61 100644
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@@ -4,4 +4,4 @@ docker_apt_repository: https://download.docker.com/linux/ubuntu
 docker_apt_channel: stable
 # Docker daemon config file
 docker_daemon_config: /etc/docker/daemon.json
-docker_version: 17.03.*
+docker_version: 18.06.*
diff --git a/roles/kubernetes/defaults/main.yml b/roles/kubernetes/defaults/main.yml
index 2ee2741..8671e94 100644
--- a/roles/kubernetes/defaults/main.yml
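Review bot: The vault password is written to `/tmp/vault-pass` on the image's root filesystem by the `file` provisioner and only removed with `rm -f` in the final shell step, so it exists for the whole Ansible run and its deleted blocks can survive into the snapshot the builder takes afterwards. Keeping it on tmpfs avoids that: `"destination": "/dev/shm/vault-pass"`, the matching `--vault-password-file=/dev/shm/vault-pass`, and `"rm -f /dev/shm/vault-pass"` in the cleanup, plus a `chmod 600 /dev/shm/vault-pass` shell step before ansible-local, since the upload is likely created with the login user's default mode rather than owner-only. Separately, `role_paths` is documented as a list for the ansible-local provisioner; if `"../roles/docker"` validates as a plain string, fine, otherwise it needs to be `["../roles/docker"]`.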
+++ b/roles/kubernetes/defaults/main.yml
@@ -3,7 +3,6 @@
 kubernetes_apt_key: https://packages.cloud.google.com/apt/doc/apt-key.gpg
 kubernetes_apt_channel: main
 kubernetes_release: xenial
-# versions can be found here
 kubernetes_version: 1.11.3
 kubernetes_version_apt: "{{kubernetes_version}}-00"
 kubernetes_port: 6443
diff --git a/roles/kubernetes/tasks/main.yml b/roles/kubernetes/tasks/main.yml
index 68b9e12..12c1e4b 100644
--- a/roles/kubernetes/tasks/main.yml
+++ b/roles/kubernetes/tasks/main.yml
@@ -8,15 +8,6 @@
 - "'k8s_masters' in group_names"
 - groups.k8s_masters | length > 1
-- name: Install iputils-ping
- apt:
- name: iputils-ping
- state: latest
- cache_valid_time: 3600
- register: result
- retries: 3
- until: result is success
-
 - name: Check all hosts can ping API floating IP
 shell: "ping {{ api_floating_ip }} -c 1"
 register: result
diff --git a/roles/proxy/tasks/main.yml b/roles/proxy/tasks/main.yml
index 2d40867..ccd7936 100644
--- a/roles/proxy/tasks/main.yml
+++ b/roles/proxy/tasks/main.yml
@@ -5,34 +5,11 @@ changed_when: False check_mode: False -- name: Check for internet access - shell: |- - false \{% for url in proxy_test_urls %} - || curl -IsSL -m{{ proxy_test_timeout }} {{ url }} \ - {% endfor %} - || false - args: - warn: False - register: curl_result_initial - ignore_errors: True - changed_when: False - check_mode: False - - name: Set host interface facts set_fact: proxy_interface: "{{ interface_result.stdout | trim }}" - proxy_inet: "{{ curl_result_initial.rc == 0 }}" -- name: Assert at least one node has internet connectivity - assert: - that: hostvars.values() | selectattr('inventory_hostname', 'in', groups['k8s']) | selectattr('proxy_inet', '==', True) | list | length != 0 - run_once: true - -- name: Set router hostname fact - set_fact: - proxy_router_hostname: "{{ hostvars.values() | selectattr('inventory_hostname', 'in', groups['k8s']) | selectattr('proxy_inet', '==', True) | map(attribute='inventory_hostname') | first }}" - -- name: Allow ip forwarding (kernel) +- name: Allow ip forwarding sysctl: name: net.ipv4.ip_forward value: 1 
@@ -40,17 +17,32 @@
 reload: True
 when: inventory_hostname == tinc_primary_router
-- name: Allow ip forwarding (iptables)
+- name: Activate masquerade
 iptables:
 table: nat
 chain: POSTROUTING
 out_interface: "{{ proxy_interface }}"
 jump: MASQUERADE
- register: iptables_result
+ when: inventory_hostname == tinc_primary_router
-- name: Set up SSH tunnels
- include: ssh-up.yml
- when: hostvars.values() | selectattr('inventory_hostname', 'in', groups['k8s']) | selectattr('proxy_inet', '==', False) | list | length != 0
+- name: Allow packet forwarding from WAN to LAN
+ iptables:
+ chain: FORWARD
+ in_interface: tun0
+ out_interface: "{{ proxy_interface }}"
+ jump: ACCEPT
+ when: inventory_hostname == tinc_primary_router
+
+- name: Check if incoming packets comme from an active connexion
+ iptables:
+ chain: FORWARD
+ in_interface: "{{ proxy_interface }}"
+ out_interface: tun0
+ ctstate:
+ - ESTABLISHED
+ - RELATED
+ jump: ACCEPT
+ when: inventory_hostname == tinc_primary_router
 - name: Set up tinc
 include_role:
@@ -59,9 +51,6 @@
 - name: Set up keepalived
 include: keepalived.yml
-- name: Tear down SSH tunnels
- include: ssh-down.yml
-
 - name: Check for internet access
 shell: |-
 false \{% for url in proxy_test_urls %}
@@ -70,6 +59,5 @@
 || false
 args:
 warn: False
- register: curl_result
- changed_when: curl_result_initial.rc != curl_result.rc
 check_mode: False
+ changed_when: no
diff --git a/roles/tinc/tasks/main.yml b/roles/tinc/tasks/main.yml
index 10864d7..e4db625 100644
--- a/roles/tinc/tasks/main.yml
+++ b/roles/tinc/tasks/main.yml
@@ -1,9 +1,4 @@
 ---
-- name: Install tinc
- apt:
- name: tinc
- state: latest
-
 - name: Ensure tinc netname directory exists
 file:
 path: /etc/tinc/{{ netname }}/hosts
@@ -126,7 +121,7 @@
 - name: Start tinc on boot
 systemd:
- name: tinc
+ name: tinc@{{ netname }}
 enabled: yes
 state: started
diff --git a/terraform/.gitignore b/terraform/.gitignore
deleted file mode 100644
index daa7c5c..0000000
--- a/terraform/.gitignore
+++ /dev/null
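Review bot: The two new FORWARD rules hard-code `tun0` although `vpn_interface: tun0` is already defined in group_vars/all/vars (context in the first hunk of this diff), and the task named `Allow packet forwarding from WAN to LAN` matches `in_interface: tun0` → `out_interface: "{{ proxy_interface }}"`, i.e. VPN to WAN, so the name is inverted. Nothing in this role sets the FORWARD chain policy: if it is still the kernel default ACCEPT these `jump: ACCEPT` rules restrict nothing (new connections from the WAN side into the VPN are forwarded too), and if Docker — installed on the same image by packer/common.yml — has switched it to DROP at start-up, what is forwarded depends on Docker's rules rather than on this role; an explicit `policy: DROP` task on the chain removes that ambiguity, with the caveat that any tun0-to-tun0 forwarding the tinc mesh relies on is not visible here and would need its own ACCEPT. The `iptables` module does not persist rules, so the masquerade and both FORWARD rules are gone after a reboot unless something outside this hunk saves them. Minor: `Check if incoming packets comme from an active connexion` reads better as `Accept return traffic of established connections`.
```yaml
- name: Drop forwarded traffic by default
  iptables:
    chain: FORWARD
    policy: DROP
  when: inventory_hostname == tinc_primary_router

- name: Allow packet forwarding from the VPN to the WAN
  iptables:
    chain: FORWARD
    in_interface: "{{ vpn_interface }}"
    # … unchanged: out_interface, jump, when …

- name: Accept return traffic of established connections
  iptables:
    chain: FORWARD
    in_interface: "{{ proxy_interface }}"
    out_interface: "{{ vpn_interface }}"
    # … unchanged: ctstate, jump, when …
```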
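Review bot: `changed_when: no` in the last hunk of roles/proxy/tasks/main.yml introduces a third boolean spelling into a file that otherwise writes `True`/`False`; `changed_when: false` satisfies yamllint's `truthy` rule and stays consistent with the surrounding style (`check_mode: False` on the line above). With `register: curl_result` gone, the task still fails the play whenever no URL in `proxy_test_urls` answers, because the `|| false` chain shown in the previous hunk exits non-zero; that looks intentional but is invisible to a reader, so a comment on the task such as `# fails the play when none of proxy_test_urls is reachable` records it.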
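Review bot: Switching the unit from `tinc` to `tinc@{{ netname }}` in the `Start tinc on boot` task enables the instance, but in the Debian/Ubuntu packaging `tinc@.service` is, as far as I recall, `WantedBy=tinc.service`, so `enabled: yes` on the instance only links it under the umbrella unit and the network still does not come up at boot unless `tinc.service` itself is enabled. Keeping a second `systemd` task for `name: tinc` with `enabled: yes` and no `state`, or confirming the unit's `[Install]` section on the target image, closes that gap. Removing the apt install of tinc in the first hunk of this file also means the role now depends on the Packer-built image; a comment at the top of the task file such as `# tinc itself is installed in the base image by packer/common.yml` records that dependency for hosts provisioned from any other image.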
@@ -1,3 +0,0 @@
-.terraform*
-terraform.tfstate
-terraform.tfstate.backup
diff --git a/terraform/sl.tf b/terraform/sl.tf
index fe1afcd..088cb13 100644
--- a/terraform/sl.tf
+++ b/terraform/sl.tf
@@ -42,7 +42,7 @@ resource "scaleway_server" "master" {
 resource "scaleway_server" "proxy1" {
 count = 1
 name = "proxy1"
- image = "${data.scaleway_image.ubuntu_mini.id}"
+ image = "${data.scaleway_image.ubuntu.id}"
 type = "${var.proxy_instance_type}"
 public_ip = "51.158.77.6"
 state = "running"
@@ -52,7 +52,7 @@ resource "scaleway_server" "proxy1" {
 resource "scaleway_server" "proxy2" {
 count = 1
 name = "proxy2"
- image = "${data.scaleway_image.ubuntu_mini.id}"
+ image = "${data.scaleway_image.ubuntu.id}"
 type = "${var.proxy_instance_type}"
 state = "running"
 tags = ["k8s","k8s_proxy","secondary"]
diff --git a/terraform/variables.tf b/terraform/variables.tf
index b706a13..6a77b85 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -7,7 +7,7 @@ variable "architecture" {
 }
 variable "image" {
- default = "Ubuntu Xenial"
+ default = "ubuntu-bionic-k8s"
 }
 variable "mini_image" {
@@ -23,7 +23,7 @@ variable "master_instance_count" {
 }
 variable "proxy_instance_type" {
- default = "START1-XS"
+ default = "START1-S"
 }
 variable "worker_instance_type" {
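Review bot: Both proxies now take their image from `data.scaleway_image.ubuntu`, which — going by the `var.image` default changed to `ubuntu-bionic-k8s` in variables.tf in this same diff — resolves the name produced by the Packer build; that name carries no version, so every rebuild yields a new image id under the same name, the lookup becomes ambiguous once two images share it, and the next `terraform plan` proposes replacing both servers because `image` changed. Consider a versioned image name (a date or git-sha suffix passed to both Packer's `image_name` and `var.image`), or `lifecycle { ignore_changes = ["image"] }` on the server resources if replacement on image change is not wanted. `data.scaleway_image.ubuntu_mini` may now be unreferenced; its definition is outside this hunk.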