diff --git a/roles/k8s-manifests/defaults/main.yml b/roles/k8s-manifests/defaults/main.yml
index db79380..9a5d667 100644
--- a/roles/k8s-manifests/defaults/main.yml
+++ b/roles/k8s-manifests/defaults/main.yml
@@ -1,4 +1,4 @@
--- letsencrypt_email: letsencrypt.account@banditlair.com traefik_domain: "traefik.{{banditlair_domain}}" -searx_domain: "searx.{{banditlair_domain}}" \ No newline at end of file +searx_domain: "searx.{{banditlair_domain}}"
diff --git a/roles/k8s-manifests/tasks/cert-manager.yml b/roles/k8s-manifests/tasks/cert-manager.yml
index 336ee82..ec088a5 100644
--- a/roles/k8s-manifests/tasks/cert-manager.yml
+++ b/roles/k8s-manifests/tasks/cert-manager.yml
@@ -1,27 +1,25 @@
- name: cert-manager issuers k8s: state: present - namespace: "{{item.1}}" + namespace: "{{item.name}}" definition: apiVersion: certmanager.k8s.io/v1alpha1 - kind: Issuer + kind: ClusterIssuer metadata: - name: "{{item.0.name}}" + name: "{{item.name}}" spec: acme: # The ACME server URL - server: "{{item.0.server}}" + server: "{{item.server}}" # Email address used for ACME registration email: "{{letsencrypt_email}}" # Name of a secret used to store the ACME account private key privateKeySecretRef: - name: "{{item.0.name}}" + name: "{{item.name}}" # Enable HTTP01 validations http01: {} - with_nested: - - - name: letsencrypt-production - server: https://acme-v02.api.letsencrypt.org/directory - - name: letsencrypt-staging - server: https://acme-staging-v02.api.letsencrypt.org/directory - - - default - - kube-system + with_items: + - name: letsencrypt-production + server: https://acme-v02.api.letsencrypt.org/directory + - name: letsencrypt-staging + server: https://acme-staging-v02.api.letsencrypt.org/directory
diff --git a/roles/k8s-manifests/tasks/main.yml b/roles/k8s-manifests/tasks/main.yml
index ec7b459..2ac518b 100644
--- a/roles/k8s-manifests/tasks/main.yml
+++ b/roles/k8s-manifests/tasks/main.yml
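Review bot: `namespace: "{{item.name}}"` on the new side of the cert-manager hunk is a leftover from the old `item.1` loop variable and now sets the task's namespace to the issuer name (`letsencrypt-production`); since the kind is now the cluster-scoped `ClusterIssuer`, the line has no meaning and should be removed outright. A short comment above `privateKeySecretRef` would help the next reader, e.g. `# ClusterIssuer: the ACME account key Secret is stored in cert-manager's cluster resource namespace, not next to the issuer`. The namespaced Issuer objects this task previously created in `default` and `kube-system` are not removed by anything in this change (no `state: absent`), so they and presumably their account-key Secrets remain until cleaned up by hand.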
@@ -5,8 +5,5 @@
- import_tasks: cert-manager.yml tags: cert-manager -- import_tasks: traefik.yml - tags: traefik - - import_tasks: searx.yml tags: searx
diff --git a/roles/k8s-manifests/tasks/prerequisites.yml b/roles/k8s-manifests/tasks/prerequisites.yml
index e51c935..0b47ead 100644
--- a/roles/k8s-manifests/tasks/prerequisites.yml
+++ b/roles/k8s-manifests/tasks/prerequisites.yml
@@ -1,9 +1,14 @@
- name: Install pip package: - name: python3-pip + name: + - python3-pip + - python3-setuptools state: present -- name: Install openshift python client +- name: Install python dependencies pip: - name: openshift + name: + - openshift + # - pyhelm + # - grpcio state: present
diff --git a/roles/k8s-manifests/tasks/searx.yml b/roles/k8s-manifests/tasks/searx.yml
index f500b05..3159e24 100644
--- a/roles/k8s-manifests/tasks/searx.yml
+++ b/roles/k8s-manifests/tasks/searx.yml
@@ -19,7 +19,7 @@
spec: containers: - name: searx - image: wonderfall/searx:latest + image: hoellen/searx imagePullPolicy: IfNotPresent ports: - containerPort: 8888
@@ -58,11 +58,11 @@
kind: Ingress metadata: name: searx - annotation: - traefik.ingress.kubernetes.io/redirect-entry-point: https - traefik.ingress.kubernetes.io/redirect-permanent: "true" - ingress.kubernetes.io/ssl-redirect: "true" - ingress.kubernetes.io/ssl-temporary-redirect: "false" + annotations: + kubernetes.io/ingress.class: nginx + certmanager.k8s.io/cluster-issuer: "{{cert_manager_issuer}}" + # ingress.kubernetes.io/ssl-redirect: "true" + # ingress.kubernetes.io/ssl-temporary-redirect: "false" spec: rules: - host: "{{searx_domain}}"
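Review bot: The `openshift` entry in the new pip list in prerequisites.yml is unpinned, so every run installs whatever PyPI serves that day into the node's system Python, and two hosts provisioned a week apart can end up with different client versions; pin it, `- openshift==<pinned version>` (placeholder), and bump it deliberately. The `# - pyhelm` and `# - grpcio` lines are commented-out entries inside a list value, which reads as dead configuration; either delete them or turn them into one real comment above the task saying why they were tried and dropped.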
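Review bot: `image: hoellen/searx` in the searx.yml container hunk carries no tag, so it resolves to `:latest`, and combined with the unchanged `imagePullPolicy: IfNotPresent` each node keeps running whichever digest it happened to pull first, which makes rollouts and rollbacks non-reproducible and leaves no record of what is actually deployed. The old line at least spelled `:latest` out; the new one hides the same behaviour. Pin a tag or digest, `image: hoellen/searx:<tag>` (placeholder). The surrounding Deployment spec starts and ends outside the hunk.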
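Review bot: The commented-out `# ingress.kubernetes.io/ssl-redirect` and `# ingress.kubernetes.io/ssl-temporary-redirect` lines in the Ingress annotations hunk are leftovers from the Traefik setup, and with `kubernetes.io/ingress.class: nginx` they would presumably not be honoured even uncommented, since current nginx ingress controllers read the `nginx.ingress.kubernetes.io/` prefix and already redirect to HTTPS by default once a `tls:` block exists. Drop the two lines, or if the redirect is meant to be explicit write `nginx.ingress.kubernetes.io/ssl-redirect: "true"`. `cert_manager_issuer` is not among the role defaults visible in this diff; it is presumably set in inventory, and a comment next to the annotation naming where the staging/production switch lives would save the next reader a search.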
@@ -73,25 +73,6 @@
serviceName: searx servicePort: 80 tls: - - secretName: searx-cert - -- name: Searx certificate - k8s: - namespace: default - state: present - definition: - apiVersion: certmanager.k8s.io/v1alpha1 - kind: Certificate - metadata: - name: searx-cert - spec: - secretName: traefik-cert - issuerRef: - name: "{{cert_manager_issuer}}" - commonName: "{{searx_domain}}" - acme: - config: - - http01: - ingressClass: traefik - domains: - - "{{searx_domain}}" \ No newline at end of file + - hosts: + - "{{searx_domain}}" + secretName: letsencrypt-staging
diff --git a/roles/k8s-manifests/tasks/traefik.yml b/roles/k8s-manifests/tasks/traefik.yml
deleted file mode 100644
index fcb4dbc..0000000
--- a/roles/k8s-manifests/tasks/traefik.yml
+++ /dev/null
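Review bot: `secretName: letsencrypt-staging` on the new `tls:` entry names the certificate Secret after an issuer rather than after the service, and hard-codes "staging" while the issuer actually used comes from `{{cert_manager_issuer}}` in the annotations, so a production switch leaves a misleading name behind; give the certificate its own name, `secretName: searx-tls`. The pre-change cert-manager task created Issuers in `default` whose `privateKeySecretRef` was also named `letsencrypt-staging`, and the removed Certificate task lived in `default`, so if this Ingress is in the same namespace (its metadata is outside the hunk) the ingress-shim would presumably write the served certificate into a Secret with the same name as a leftover ACME account key. The Ingress object starts outside the hunk.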
@@ -1,232 +0,0 @@
-- name: Traefik cluster role - k8s: - state: present - definition: - kind: ClusterRole - apiVersion: rbac.authorization.k8s.io/v1beta1 - metadata: - name: traefik-ingress-controller - rules: - - apiGroups: - - "" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - resources: - - ingresses - verbs: - - get - - list - - watch - -- name: Traefik cluster role binding - k8s: - state: present - definition: - kind: ClusterRoleBinding - apiVersion: rbac.authorization.k8s.io/v1beta1 - metadata: - name: traefik-ingress-controller - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: traefik-ingress-controller - subjects: - - kind: ServiceAccount - name: traefik-ingress-controller - namespace: kube-system - -- name: Traefik service account - k8s: - state: present - definition: - apiVersion: v1 - kind: ServiceAccount - metadata: - name: traefik-ingress-controller - namespace: kube-system - -# - name: Traefik configuration -# k8s: -# state: present -# definition: -# apiVersion: v1 -# kind: ConfigMap -# metadata: -# name: traefik-conf -# namespace: kube-system -# data: -# traefik.toml: | -# defaultEntryPoints = ["http", "https"] - -# logLevel = "INFO" - -# [entryPoints] -# [entryPoints.http] -# address = ":80" -# [entryPoints.http.redirect] -# entryPoint = "https" -# [entryPoints.https] -# address = ":443" -# [entryPoints.https.tls] -# [entryPoints.api] -# address = ":8080" - -# [api] -# entryPoint = "api" -# dashboard = true -# debug = false - -# [kubernetes] - -- name: Traefik daemon set - k8s: - state: present - definition: - kind: DaemonSet - apiVersion: extensions/v1beta1 - metadata: - name: traefik-ingress-controller - namespace: kube-system - labels: - k8s-app: traefik-ingress-lb - spec: - template: - metadata: - labels: - k8s-app: traefik-ingress-lb - name: traefik-ingress-lb - spec: - serviceAccountName: traefik-ingress-controller - 
terminationGracePeriodSeconds: 60 - containers: - - image: traefik - name: traefik-ingress-lb - # volumeMounts: - # - mountPath: /config - # name: traefik-config - ports: - - name: http - containerPort: 80 - hostPort: 80 - - name: admin - containerPort: 8080 - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - args: - - --api - - --kubernetes - - --logLevel=INFO - # volumes: - # - name: traefik-config - # configMap: - # name: traefik-conf - -- name: Traefik service - k8s: - state: present - definition: - kind: Service - apiVersion: v1 - metadata: - name: traefik-ingress-service - namespace: kube-system - spec: - selector: - k8s-app: traefik-ingress-lb - ports: - - protocol: TCP - port: 80 - name: web - - protocol: TCP - port: 8080 - name: admin - -- name: Traefik UI service - k8s: - state: present - definition: - apiVersion: v1 - kind: Service - metadata: - name: traefik-web-ui - namespace: kube-system - spec: - selector: - k8s-app: traefik-ingress-lb - ports: - - name: web - port: 80 - targetPort: 8080 - -- name: Traefik UI basic auth secret - k8s: - state: present - definition: - apiVersion: v1 - data: - auth: "{{('admin:' + traefik_dashboard_password_hash) | b64encode}}" - kind: Secret - metadata: - name: traefik-auth - namespace: kube-system - -- name: Traefik UI ingress - k8s: - state: present - definition: - apiVersion: extensions/v1beta1 - kind: Ingress - metadata: - name: traefik-web-ui - namespace: kube-system - annotations: - traefik.ingress.kubernetes.io/auth-type: "basic" - traefik.ingress.kubernetes.io/auth-secret: "traefik-auth" - traefik.ingress.kubernetes.io/redirect-entry-point: https - traefik.ingress.kubernetes.io/redirect-permanent: "true" - ingress.kubernetes.io/ssl-redirect: "true" - ingress.kubernetes.io/ssl-temporary-redirect: "false" - spec: - rules: - - host: "{{traefik_domain}}" - http: - paths: - - path: / - backend: - serviceName: traefik-web-ui - servicePort: web - tls: - - secretName: traefik-cert - -- 
name: Traefik UI certificate - k8s: - state: present - definition: - apiVersion: certmanager.k8s.io/v1alpha1 - kind: Certificate - metadata: - name: traefik-cert - namespace: kube-system - spec: - secretName: traefik-cert - issuerRef: - name: "{{cert_manager_issuer}}" - commonName: "{{traefik_domain}}" - acme: - config: - - http01: - ingressClass: traefik - domains: - - "{{traefik_domain}}"
diff --git a/roles/k8s-manifests/templates/letsencrypt-production-issuer.yml.j2 b/roles/k8s-manifests/templates/letsencrypt-production-issuer.yml.j2
deleted file mode 100644
index 39343f1..0000000
--- a/roles/k8s-manifests/templates/letsencrypt-production-issuer.yml.j2
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: certmanager.k8s.io/v1alpha1 -kind: ClusterIssuer -metadata: - name: letsencrypt-production -spec: - acme: - # The ACME production api URL - server: https://acme-v02.api.letsencrypt.org/directory - - # Email address used for ACME registration - email: "{{letsencrypt_email}}" - - # Name of a secret used to store the ACME account private key - privateKeySecretRef: - name: letsencrypt-production - - # Enable the HTTP-01 challenge provider - http01: {} \ No newline at end of file
diff --git a/roles/k8s-manifests/templates/letsencrypt-staging-issuer.yml.j2 b/roles/k8s-manifests/templates/letsencrypt-staging-issuer.yml.j2
deleted file mode 100644
index 1d457fd..0000000
--- a/roles/k8s-manifests/templates/letsencrypt-staging-issuer.yml.j2
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: certmanager.k8s.io/v1alpha1 -kind: ClusterIssuer -metadata: - name: letsencrypt-staging -spec: - acme: - # The ACME server URL - server: https://acme-staging-v02.api.letsencrypt.org/directory - - # Email address used for ACME registration - email: "{{letsencrypt_email}}" - - # Name of a secret used to store the ACME account private key - privateKeySecretRef: - name: letsencrypt-staging - - # Enable the HTTP-01 challenge provider - http01: {}
diff --git a/roles/k8s-manifests/templates/searx-ingress.yml.j2 b/roles/k8s-manifests/templates/searx-ingress.yml.j2
deleted file mode 100644
index d49c1df..0000000
--- a/roles/k8s-manifests/templates/searx-ingress.yml.j2
+++ /dev/null
@@ -1,21 +0,0 @@
---- -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: searx-ingress - annotations: - ingress.kubernetes.io/ssl-redirect: "true" - certmanager.k8s.io/cluster-issuer: "{{searx_issuer}}" - kubernetes.io/ingress.class: "nginx" -spec: - tls: - - hosts: - - searx.{{dns_domain}} - secretName: searx-{{searx_issuer}} - rules: - - host: searx.{{dns_domain}} - http: - paths: - - backend: - serviceName: searx - servicePort: 80