diff --git a/group_vars/all/traefik-account b/group_vars/all/traefik-account
new file mode 100644
index 0000000..9d5dbff
--- /dev/null
+++ b/group_vars/all/traefik-account
@@ -0,0 +1,7 @@
+traefik_serviceaccount: |
+ ---
+ apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: traefik-ingress-controller
+ namespace: kube-system
diff --git a/group_vars/all/traefik-daemonset b/group_vars/all/traefik-daemonset
new file mode 100644
index 0000000..9785137
--- /dev/null
+++ b/group_vars/all/traefik-daemonset
@@ -0,0 +1,101 @@
+traefik_daemonset: |
+ ---
+ kind: DaemonSet
+ apiVersion: apps/v1
+ metadata:
+ name: traefik-ingress-controller
+ namespace: kube-system
+ labels:
+ k8s-app: traefik-ingress-lb
+ spec:
+ selector:
+ matchLabels:
+ k8s-app: traefik-ingress-lb
+ updateStrategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ k8s-app: traefik-ingress-lb
+ name: traefik-ingress-lb
+ spec:
+ serviceAccountName: traefik-ingress-controller
+ terminationGracePeriodSeconds: 60
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+ containers:
+ - image: traefik:v1.7-alpine
+ name: traefik-ingress-lb
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ failureThreshold: 2
+ httpGet:
+ path: /ping
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 5
+ readinessProbe:
+ failureThreshold: 2
+ httpGet:
+ path: /ping
+ port: 8080
+ scheme: HTTP
+ periodSeconds: 5
+ resources:
+ requests:
+ memory: "64Mi"
+ cpu: "250m"
+ limits:
+ memory: "64Mi"
+ cpu: "250m"
+ ports:
+ - name: http
+ containerPort: 80
+ hostPort: 80
+ - name: https
+ containerPort: 443
+ hostPort: 443
+ - name: admin
+ containerPort: 8080
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: tls
+ mountPath: {{k8s_conf_dir}}
+ readOnly: true
+ args:
+ - --checknewversion=false
+ - --loglevel=INFO
+ - --defaultentrypoints=http,https
+ - --entrypoints=Name:http Address::80 Redirect.EntryPoint:https
+ - --entrypoints=Name:https Address::443 TLS
+ - --etcd=true
+ - --etcd.prefix=/traefik
+ - --etcd.watch=true
+ - --etcd.endpoint={{groups.k8s_etcd|first}}:2379
+ - --etcd.tls=true
+ - --etcd.tls.ca={{k8s_conf_dir}}/ca-etcd.pem
+ - --etcd.tls.cert={{k8s_conf_dir}}/cert-etcd.pem
+ - --etcd.tls.key={{k8s_conf_dir}}/cert-etcd-key.pem
+ - --etcd.useapiv3=true
+ - --kubernetes=true
+ - --kubernetes.watch=true
+ - --kubernetes.namespaces=default
+ - --web=true
+ - --web.readonly
+ - --web.address=:8080
+ - --acme=true
+ - --acme.acmelogging=true
+ - 
--acme.caserver=https://acme-staging.api.letsencrypt.org/directory + - --acme.entrypoint=https + - --acme.httpchallenge=true + - --acme.httpChallenge.entryPoint=http + - --acme.email=letsencrypt.account@banditlair.com + - --acme.onhostrule + - --acme.storage=/traefik/acme/account + volumes: + - name: tls + secret: + secretName: traefik-etcd + diff --git a/group_vars/all/traefik-role b/group_vars/all/traefik-role new file mode 100644 index 0000000..7fd6c27 --- /dev/null +++ b/group_vars/all/traefik-role @@ -0,0 +1,40 @@ +traefik_clusterrole: | + --- + kind: ClusterRole + apiVersion: rbac.authorization.k8s.io/v1 + metadata: + name: traefik-ingress-controller + rules: + - apiGroups: + - "" + resources: + - services + - endpoints + - secrets + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - ingresses + verbs: + - get + - list + - watch + +traefik_clusterrolebinding: | + --- + kind: ClusterRoleBinding + apiVersion: rbac.authorization.k8s.io/v1 + metadata: + name: traefik-ingress-controller + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: traefik-ingress-controller + subjects: + - kind: ServiceAccount + name: traefik-ingress-controller + namespace: kube-system diff --git a/group_vars/all/vars b/group_vars/all/vars index a994659..b4659dc 100644 --- a/group_vars/all/vars +++ b/group_vars/all/vars @@ -9,7 +9,12 @@ k8s_ca_certificate_group: "root" k8s_config_cluster_name: banditlair.com k8s_encryption_config_directory: "{{k8s_config_directory}}" k8s_interface: "{{peervpn_conf_interface}}" +k8s_conf_dir: /var/lib/kubernetes + etcd_version: "3.2.18" +etcd_bin_dir: "/usr/local/bin" +etcd_client_port: "2379" + harden_linux_root_password: "{{k8s_scaleway_root_password}}" harden_linux_deploy_user: deploy harden_linux_deploy_user_password: "{{k8s_scaleway_deploy_user_password}}" 
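Review bot: `privileged: true` in the container securityContext of group_vars/all/traefik-daemonset grants far more than this pod uses; nothing in the args or mounts needs it, and with `hostNetwork: true` the pod already binds 80/443 on the node directly, so a compromise of the internet-facing Traefik process would also hand over the whole worker. Replace it with `capabilities:` / `drop: ["ALL"]` / `add: ["NET_BIND_SERVICE"]` and confirm the image still starts (if it runs as root, which the manifest does not override, even the added capability may turn out unnecessary). The secret mounted at `{{k8s_conf_dir}}` and the `--etcd.tls.*` paths look like the cluster etcd's own client identity (`groups.k8s_etcd`, `cert-etcd.pem`); if so, the ingress pod holds credentials that can read every Kubernetes object in that etcd, Secrets included, and a separate etcd for Traefik, or an etcd user and role confined to the `/traefik` prefix, would contain that. The dashboard on `--web.address=:8080` is read-only but unauthenticated on the host network; the worker ufw rules in this commit do not open 8080, so exposure depends on that default-deny staying in place, which a comment next to `--web.readonly` should state. Minor: `--etcd.endpoint=...:2379` hardcodes the port that `etcd_client_port` in group_vars/all/vars now provides.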
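Review bot: The ClusterRole in group_vars/all/traefik-role grants get/list/watch on `secrets` (plus services, endpoints and ingresses) in every namespace, while the DaemonSet in group_vars/all/traefik-daemonset confines Traefik to `--kubernetes.namespaces=default`; as far as those flags show, a namespaced Role and RoleBinding in `default` would cover what the controller reads and keep cluster-wide Secret reads away from an internet-facing pod. The variable names can stay as they are so whatever task applies them is unaffected; only the manifest kinds, a `namespace` under metadata and `roleRef.kind` change. If Traefik is later widened to more namespaces, one Role per namespace (or the ClusterRole again) would be needed. I cannot see the applying task, so confirm it does not assume cluster-scoped kinds.
```yaml
traefik_clusterrole: |
  ---
  kind: Role
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: traefik-ingress-controller
    namespace: default
  # … unchanged: rules …

traefik_clusterrolebinding: |
  ---
  kind: RoleBinding
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: traefik-ingress-controller
    namespace: default
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: traefik-ingress-controller
  # … unchanged: subjects …
```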
@@ -36,7 +41,6 @@ harden_linux_sshguard_whitelist: - "10.3.0.0/24" - "10.200.0.0/16" - peervpn_conf_networkname: "peervpn" peervpn_conf_psk: "{{k8s_peervpn_pre_shared_key}}" peervpn_conf_initpeers: "master1.banditlair.com 7000" diff --git a/group_vars/k8s_worker b/group_vars/k8s_worker new file mode 100644 index 0000000..961c7a2 --- /dev/null +++ b/group_vars/k8s_worker @@ -0,0 +1,13 @@ +harden_linux_ufw_rules: + - rule: "allow" + to_port: "2242" + protocol: "tcp" + - rule: "allow" + to_port: "7000" + protocol: "udp" + - rule: "allow" + to_port: "80" + protocol: "tcp" + - rule: "allow" + to_port: "443" + protocol: "tcp" diff --git a/k8s.yml b/k8s.yml index 9cbdd9d..23f4384 100644 --- a/k8s.yml +++ b/k8s.yml @@ -9,8 +9,6 @@ tags: role-cfssl - role: githubixx.kubernetes-ca tags: role-kubernetes-ca - - role: githubixx.kubernetes-ca - tags: role-kubernetes-ca - hosts: k8s_etcd roles: - role: githubixx.etcd
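Review bot: The four ufw rules in group_vars/k8s_worker carry no indication of which service each port belongs to, which turns the next review of this allow-list into guesswork; a comment per rule such as `# Traefik http/https hostPort` on the 80/tcp and 443/tcp entries and, presumably, `# peervpn` on 7000/udp (it matches `peervpn_conf_initpeers` in group_vars/all/vars) would record the intent. 2242/tcp has no counterpart visible in this diff, so name it too. Traefik's admin port 8080 is deliberately absent here, which is worth stating in a comment so that it is not "fixed" by a later change.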