diff --git a/roles/k8s-manifests/defaults/main.yml b/roles/k8s-manifests/defaults/main.yml
index 9a5d667..3696da2 100644
--- a/roles/k8s-manifests/defaults/main.yml
+++ b/roles/k8s-manifests/defaults/main.yml
@@ -2,3 +2,5 @@
 letsencrypt_email: letsencrypt.account@banditlair.com
 traefik_domain: "traefik.{{banditlair_domain}}"
 searx_domain: "searx.{{banditlair_domain}}"
+anderia_domain: "anderia.{{banditlair_domain}}"
+rook_domain: "rook.{{banditlair_domain}}"
diff --git a/roles/k8s-manifests/tasks/anderia-wiki.yml b/roles/k8s-manifests/tasks/anderia-wiki.yml
new file mode 100644
index 0000000..f0d59c9
--- /dev/null
+++ b/roles/k8s-manifests/tasks/anderia-wiki.yml
@@ -0,0 +1,89 @@
+- name: Anderia wiki deployment
+ k8s:
+ namespace: default
+ state: present
+ definition:
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: anderia-wiki
+ spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: anderia-wiki
+ template:
+ metadata:
+ labels:
+ app: anderia-wiki
+ spec:
+ containers:
+ - name: anderia-wiki
+ image: bitnami/dokuwiki
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 80
+ livenessProbe:
+ httpGet:
+ path: /
+ port: 80
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 80
+ volumeMounts:
+ - mountPath: "/bitnami"
+ name: anderia-wiki-data
+ volumes:
+ - name: anderia-wiki-data
+ flexVolume:
+ driver: ceph.rook.io/rook
+ fsType: ceph
+ options:
+ fsName: ceph-fs # name of the filesystem specified in the filesystem CRD.
+ clusterNamespace: rook-ceph # namespace where the Rook cluster is deployed
+
+- name: Anderia wiki service
+ k8s:
+ namespace: default
+ state: present
+ definition:
+ apiVersion: v1
+ kind: Service
+ metadata:
+ name: anderia-wiki
+ spec:
+ type: ClusterIP
+ ports:
+ - port: 80
+ targetPort: 80
+ selector:
+ app: anderia-wiki
+
+- name: Anderia wiki ingress
+ k8s:
+ namespace: default
+ state: present
+ definition:
+ apiVersion: extensions/v1beta1
+ kind: Ingress
+ metadata:
+ name: anderia
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ certmanager.k8s.io/cluster-issuer: "{{cert_manager_issuer}}"
+ # ingress.kubernetes.io/ssl-redirect: "true"
+ # ingress.kubernetes.io/ssl-temporary-redirect: "false"
+ spec:
+ rules:
+ - host: "{{ anderia_domain }}"
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: anderia-wiki
+ servicePort: 80
+ tls:
+ - hosts:
+ - "{{ anderia_domain }}"
+ secretName: anderia-cert
diff --git a/roles/k8s-manifests/tasks/hcloud-csi.yml b/roles/k8s-manifests/tasks/hcloud-csi.yml
index 3b2e9ea..d13dd96 100644
--- a/roles/k8s-manifests/tasks/hcloud-csi.yml
+++ b/roles/k8s-manifests/tasks/hcloud-csi.yml
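Review bot: The container image `bitnami/dokuwiki` has no tag or digest, and combined with `imagePullPolicy: IfNotPresent` each node keeps whatever `latest` it pulled first, so the two replicas can silently run different builds and any upstream change or registry compromise lands unreviewed on the next fresh node; pin it, e.g. `image: bitnami/dokuwiki:<version>@sha256:<digest>`. The `flexVolume` mounts the root of the `ceph-fs` filesystem because no `path` option is set, so any other workload mounting the same filesystem shares this wiki's data directory — if the Rook flex driver in your version accepts a `path` option (check the 1.0 docs), point it at a dedicated subdirectory. The pod spec also has no `securityContext` (at least `allowPrivilegeEscalation: false` and dropped capabilities) and no `resources` limits, which matter for an internet-facing PHP application behind the ingress. The ssl-redirect annotations are commented out, so whether plain HTTP to the wiki is refused depends on the nginx ingress controller's global default; worth a one-line comment stating which behaviour is intended.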
@@ -14,6 +14,7 @@
 url: https://raw.githubusercontent.com/hetznercloud/csi-driver/master/deploy/kubernetes/hcloud-csi.yml
 dest: /tmp/hcloud-csi.yml
 mode: 0600
+ force: yes
 delegate_to: localhost
 - name: Apply CSI driver manifest
diff --git a/roles/k8s-manifests/tasks/main.yml b/roles/k8s-manifests/tasks/main.yml
index eb8f420..2664c4c 100644
--- a/roles/k8s-manifests/tasks/main.yml
+++ b/roles/k8s-manifests/tasks/main.yml
@@ -5,8 +5,17 @@
 - import_tasks: hcloud-csi.yml
 tags: hcloud-csi
+- import_tasks: rook.yml
+ tags: rook
+
 - import_tasks: cert-manager.yml
 tags: cert-manager
 - import_tasks: searx.yml
 tags: searx
+
+
+- import_tasks: anderia-wiki.yml
+ tags:
+ - anderia
+ - wiki
diff --git a/roles/k8s-manifests/tasks/prerequisites.yml b/roles/k8s-manifests/tasks/prerequisites.yml
index 0b47ead..94d0557 100644
--- a/roles/k8s-manifests/tasks/prerequisites.yml
+++ b/roles/k8s-manifests/tasks/prerequisites.yml
@@ -9,6 +9,4 @@
 pip:
 name:
 - openshift
- # - pyhelm
- # - grpcio
 state: present
diff --git a/roles/k8s-manifests/tasks/rook.yml b/roles/k8s-manifests/tasks/rook.yml
new file mode 100644
index 0000000..15a2e87
--- /dev/null
+++ b/roles/k8s-manifests/tasks/rook.yml
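Review bot: With `force: yes` the CSI driver manifest is now re-downloaded from the moving `master` branch on every run and then applied to the cluster, so the control host deploys whatever the upstream repository holds at that moment, with no integrity check on a file that installs a privileged storage driver; pin the `url` to a release tag and add `checksum: "sha256:<digest>"` to the `get_url` task so a changed upstream file fails the play instead of being applied. Ansible accepts a real YAML boolean here, so `force: true` also avoids the `yes`/`no` truthy ambiguity that yamllint flags. The `get_url` task starts before the hunk, so the task name and any other options are not visible here.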
@@ -0,0 +1,204 @@
+- name: Download Rook manifests
+ get_url:
+ url: "{{item.url}}"
+ dest: "/tmp/{{item.filename}}"
+ mode: 0600
+ force: yes
+ delegate_to: localhost
+ changed_when: false
+ with_items:
+ - url: https://raw.githubusercontent.com/rook/rook/release-1.0/cluster/examples/kubernetes/ceph/common.yaml
+ filename: rook-common.yml
+ - url: https://raw.githubusercontent.com/rook/rook/release-1.0/cluster/examples/kubernetes/ceph/operator.yaml
+ filename: rook-operator.yml
+
+# Workaround until https://github.com/ansible/ansible/pull/59160 is released
+- name: Remove last line of the manifest file
+ lineinfile:
+ path: /tmp/rook-common.yml
+ state: absent
+ regexp: '^---$'
+ delegate_to: localhost
+ changed_when: false
+
+- name: Apply Rook manifests
+ k8s:
+ state: present
+ definition: "{{ lookup('file', '/tmp/' + item) }}"
+ with_items:
+ - rook-common.yml
+ - rook-operator.yml
+
+- name: Rook cluster CRD
+ k8s:
+ state: present
+ definition:
+ apiVersion: ceph.rook.io/v1
+ kind: CephCluster
+ metadata:
+ name: rook-ceph
+ namespace: rook-ceph
+ spec:
+ cephVersion:
+ image: ceph/ceph:v14.2.2-20190722
+ allowUnsupported: false
+ dataDirHostPath: /var/lib/rook
+ mon:
+ count: 3
+ allowMultiplePerNode: false
+ dashboard:
+ enabled: true
+ # serve the dashboard under a subpath (useful when you are accessing the dashboard via a reverse proxy)
+ # urlPrefix: /ceph-dashboard
+ # serve the dashboard at the given port.
+ port: 8080
+ # serve the dashboard using SSL
+ ssl: false
+ network:
+ hostNetwork: false
+ rbdMirroring:
+ workers: 0
+ storage:
+ useAllNodes: true
+ useAllDevices: true
+ directories:
+ - path: /var/lib/rook
+
+- name: Rook CephFS
+ k8s:
+ state: present
+ definition:
+ apiVersion: ceph.rook.io/v1
+ kind: CephFilesystem
+ metadata:
+ name: ceph-fs
+ namespace: rook-ceph
+ spec:
+ metadataPool:
+ failureDomain: host
+ replicated:
+ size: 2
+ dataPools:
+ - failureDomain: host
+ replicated:
+ size: 3
+ metadataServer:
+ activeCount: 1
+ activeStandby: true
+
+- name: Rook Toolbox
+ k8s:
+ state: present
+ definition:
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: rook-ceph-tools
+ namespace: rook-ceph
+ labels:
+ app: rook-ceph-tools
+ spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: rook-ceph-tools
+ template:
+ metadata:
+ labels:
+ app: rook-ceph-tools
+ spec:
+ dnsPolicy: ClusterFirstWithHostNet
+ containers:
+ - name: rook-ceph-tools
+ image: rook/ceph:v1.0.5
+ command: ["/tini"]
+ args: ["-g", "--", "/usr/local/bin/toolbox.sh"]
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: ROOK_ADMIN_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: rook-ceph-mon
+ key: admin-secret
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - mountPath: /dev
+ name: dev
+ - mountPath: /sys/bus
+ name: sysbus
+ - mountPath: /lib/modules
+ name: libmodules
+ - name: mon-endpoint-volume
+ mountPath: /etc/rook
+ # if hostNetwork: false, the "rbd map" command hangs, see https://github.com/rook/rook/issues/2021
+ hostNetwork: true
+ volumes:
+ - name: dev
+ hostPath:
+ path: /dev
+ - name: sysbus
+ hostPath:
+ path: /sys/bus
+ - name: libmodules
+ hostPath:
+ path: /lib/modules
+ - name: mon-endpoint-volume
+ configMap:
+ name: rook-ceph-mon-endpoints
+ items:
+ - key: data
+ path: mon-endpoints
+
+- name: Rook ceph dashboard service
+ k8s:
+ state: present
+ definition:
+ apiVersion: v1
+ kind: Service
+ metadata:
+ name: rook-ceph-mgr-dashboard
+ namespace: rook-ceph
+ labels:
+ app: rook-ceph-mgr
+ rook_cluster: rook-ceph
+ spec:
+ type: ClusterIP
+ ports:
+ - name: dashboard
+ port: 8080
+ targetPort: 8080
+ selector:
+ app: rook-ceph-mgr
+ rook_cluster: rook-ceph
+ sessionAffinity: None
+
+- name: Rook ceph dashboard ingress
+ k8s:
+ state: present
+ definition:
+ apiVersion: extensions/v1beta1
+ kind: Ingress
+ metadata:
+ name: rook-ceph-mgr-dashboard
+ namespace: rook-ceph
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ certmanager.k8s.io/cluster-issuer: "{{cert_manager_issuer}}"
+ # kubernetes.io/tls-acme: "true"
+ # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+ # nginx.ingress.kubernetes.io/server-snippet: |
+ # proxy_ssl_verify off;
+ spec:
+ rules:
+ - host: "{{rook_domain}}"
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: rook-ceph-mgr-dashboard
+ servicePort: 8080
+ tls:
+ - hosts:
+ - "{{rook_domain}}"
+ secretName: rook-cert
diff --git a/roles/k8s-manifests/tasks/searx.yml b/roles/k8s-manifests/tasks/searx.yml
index 3159e24..874ff72 100644
--- a/roles/k8s-manifests/tasks/searx.yml
+++ b/roles/k8s-manifests/tasks/searx.yml
@@ -75,4 +75,4 @@
 tls:
 - hosts:
 - "{{searx_domain}}"
- secretName: letsencrypt-staging
+ secretName: searx-cert
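Review bot: The last task publishes the Ceph manager dashboard on `{{rook_domain}}` with nothing between the internet and the dashboard's own login form — no source-IP allowlist and no ingress-level authentication — which puts the storage cluster's admin UI one credential away from anyone; if it has to be reachable at all, add at least `nginx.ingress.kubernetes.io/whitelist-source-range: "<your CIDRs>"` (or an `auth-*` annotation) to the Ingress, and note in a comment that with `ssl: false` the nginx-to-mgr hop on port 8080 is plaintext inside the cluster. The toolbox Deployment runs permanently with `privileged: true`, `hostNetwork: true`, `/dev` and `/lib/modules` host mounts and the Ceph admin key in `ROOK_ADMIN_SECRET`; since it is an interactive debugging aid, `replicas: 0` and scaling it up when needed narrows that standing exposure. The `lineinfile` workaround uses `state: absent` with `regexp: '^---$'`, which removes every matching line rather than only the last one, so if `common.yaml` is a multi-document file (the upstream example is, as far as I recall) its documents are merged and resources silently dropped; a targeted alternative is `definition: "{{ lookup('file', '/tmp/' + item) | from_yaml_all | reject('none') | list }}"` in the apply task, if your Ansible's `k8s` module accepts a list definition. Both manifest URLs track the moving `release-1.0` branch and are re-fetched with `force: yes` and no `checksum`, so pin them to a tagged release as well. Separately, `useAllNodes: true` with `useAllDevices: true` hands every unused raw device on every node to Ceph, which is worth confirming against nodes that carry disks you intend to keep.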