-rw-r--r--.gitignore1
m---------ansible/kubespray0
-rw-r--r--ansible/playbooks/k8s.yml2
-rw-r--r--ansible/roles/k8s/handlers/main.yml6
-rw-r--r--ansible/roles/k8s/tasks/main.yml4
-rw-r--r--ansible/roles/k8s/tasks/ufw.yml64
-rwxr-xr-xopentofu/inventory.ini14
-rw-r--r--opentofu/modules/ansible_provisioner/main.tf2
-rw-r--r--opentofu/plan.outbin9767 -> 0 bytes
9 files changed, 78 insertions, 15 deletions
diff --git a/.gitignore b/.gitignore
index 24b2700..c4add7a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,6 +4,7 @@
*.tfstate.backup
*.lock.hcl
credentials.auto.tfvars
+*.out
# Ansible
*.retry
diff --git a/ansible/kubespray b/ansible/kubespray
-Subproject 4628275fdcb21bffd88def0d882cc528fd12c93
+Subproject 2ae66bb366b02b71109f04dd011d1f2435e5cb4
diff --git a/ansible/playbooks/k8s.yml b/ansible/playbooks/k8s.yml
index a424b1b..45f03ee 100644
--- a/ansible/playbooks/k8s.yml
+++ b/ansible/playbooks/k8s.yml
@@ -2,6 +2,8 @@
- name: Deploy a Production Ready Kubernetes Cluster
hosts: all
become: true
+ roles:
+ - role: k8s
- name: Import kubespray playbook to deploy k8s cluster
ansible.builtin.import_playbook: ../kubespray/cluster.yml
diff --git a/ansible/roles/k8s/handlers/main.yml b/ansible/roles/k8s/handlers/main.yml
new file mode 100644
index 0000000..d090d0e
--- /dev/null
+++ b/ansible/roles/k8s/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart UFW
+ ansible.builtin.service:
+ name: ufw
+ state: restarted
+...
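Review bot: The `Restart UFW` handler added here is never notified: none of the tasks in ansible/roles/k8s/tasks/ufw.yml from the same commit carries `notify: Restart UFW`, so this file is dead code, and a service restart is not needed for `community.general.ufw` rules anyway, since that module applies them live. Either drop the handler or add `notify: Restart UFW` to the task that actually requires a restart. It also manages the unit with `ansible.builtin.service` while ufw.yml uses `ansible.builtin.systemd` for the same unit; pick one module for consistency across the role.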
diff --git a/ansible/roles/k8s/tasks/main.yml b/ansible/roles/k8s/tasks/main.yml
new file mode 100644
index 0000000..c784c7c
--- /dev/null
+++ b/ansible/roles/k8s/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+- name: Include UFW tasks
+ ansible.builtin.include_tasks: ufw.yml
+...
diff --git a/ansible/roles/k8s/tasks/ufw.yml b/ansible/roles/k8s/tasks/ufw.yml
new file mode 100644
index 0000000..c4c653a
--- /dev/null
+++ b/ansible/roles/k8s/tasks/ufw.yml
@@ -0,0 +1,64 @@
+---
+- name: Ensure UFW is installed
+ ansible.builtin.apt:
+ name: ufw
+ state: present
+
+- name: Allow Kubernetes API server (6443)
+ community.general.ufw:
+ rule: allow
+ port: 6443
+ proto: tcp
+ comment: "Kubernetes API server"
+
+- name: Allow etcd server client API (2379-2380)
+ community.general.ufw:
+ rule: allow
+ port: "2379:2380"
+ proto: tcp
+ comment: "etcd server client API"
+
+- name: Allow Kubelet API (10250)
+ community.general.ufw:
+ rule: allow
+ port: 10250
+ proto: tcp
+ comment: "Kubelet API"
+
+- name: Allow kube-scheduler (10259)
+ community.general.ufw:
+ rule: allow
+ port: 10259
+ proto: tcp
+ comment: "kube-scheduler"
+
+- name: Allow kube-controller-manager (10257)
+ community.general.ufw:
+ rule: allow
+ port: 10257
+ proto: tcp
+ comment: "kube-controller-manager"
+
+- name: Allow kube-proxy (10256)
+ community.general.ufw:
+ rule: allow
+ port: 10256
+ proto: tcp
+ comment: "kube-proxy"
+
+- name: Allow NodePort services (30000-32767)
+ community.general.ufw:
+ rule: allow
+ port: "30000:32767"
+ proto: tcp
+ comment: "NodePort services"
+
+- name: Enable UFW
+ community.general.ufw:
+ state: enabled
+
+- name: Ensure UFW is enabled on boot
+ ansible.builtin.systemd:
+ name: ufw
+ enabled: true
+...
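Review bot: `Enable UFW` at the end of this hunk activates the firewall without any rule for SSH, so once UFW's default deny-incoming policy is in effect the kubespray playbook imported right after this role in ansible/playbooks/k8s.yml (and every later Ansible run) would likely be refused a new SSH connection to these hosts; add an allow rule for the SSH port before the enable task, ideally limited with `from_ip` to the network the provisioner connects from. The other rules also carry no `from_ip`, so etcd (2379-2380), the kubelet API (10250) and the API server are reachable from any source rather than only from cluster nodes, and because the play targets `hosts: all`, worker nodes receive control-plane and etcd rules for services they do not run; a `when: inventory_hostname in groups['kube_control_plane']` (or `groups['etcd']`, the group names used by the deleted opentofu/inventory.ini) on those tasks would keep each node's exposure to what it serves. Whether the pod network's CNI ports are covered cannot be judged from this role, since kubespray's CNI choice is not visible here, so that should be checked against the rendered kubespray variables.
```yaml
# … unchanged: install task and Kubernetes port rules …

- name: Allow SSH for Ansible/kubespray provisioning
  community.general.ufw:
    rule: allow
    port: "22"
    proto: tcp
    # provisioner_cidr is a constructed variable name; define it per environment
    from_ip: "{{ provisioner_cidr | default('any') }}"
    comment: "SSH (Ansible provisioning)"

- name: Enable UFW
  community.general.ufw:
    state: enabled
```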
diff --git a/opentofu/inventory.ini b/opentofu/inventory.ini
deleted file mode 100755
index f00a94a..0000000
--- a/opentofu/inventory.ini
+++ /dev/null
@@ -1,14 +0,0 @@
-[kube_control_plane]
-192.168.1.86
-
-[etcd]
-192.168.1.86
-
-[kube_node]
-192.168.1.84
-192.168.1.85
-
-
-[k8s_cluster:children]
-kube_control_plane
-kube_node
diff --git a/opentofu/modules/ansible_provisioner/main.tf b/opentofu/modules/ansible_provisioner/main.tf
index 54e3346..cac666d 100644
--- a/opentofu/modules/ansible_provisioner/main.tf
+++ b/opentofu/modules/ansible_provisioner/main.tf
@@ -17,7 +17,7 @@ resource "null_resource" "ansible_provisioner" {
provisioner "local-exec" {
command = <<-EOT
- ANSIBLE_HOST_KEY_CHECKING=False ANSIBLE_CONFIG=${path.root}/../ansible/ansible.cfg ansible-playbook \
+ ANSIBLE_HOST_KEY_CHECKING=False ANSIBLE_CONFIG=${path.root}/../ansible/ansible.cfg ansible-playbook -b -v \
-i ${var.inventory_file_path != null ? var.inventory_file_path : "${var.vm_ip},"} \
-u ${var.vm_username} \
--private-key ${var.ssh_private_key_path} \
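Review bot: The rewritten command line keeps `ANSIBLE_HOST_KEY_CHECKING=False`, which disables SSH host-key verification for every provisioning run rather than only for first contact with a freshly created VM; if the provider can expose the VM's host key, writing it to a dedicated known_hosts file and pointing Ansible at it via `ANSIBLE_SSH_ARGS="-o UserKnownHostsFile=<path>"` would keep the check without manual prompts. The added `-b` duplicates `become: true` already set in the play in ansible/playbooks/k8s.yml and also forces become for every play in the imported kubespray playbook, which presumably manages privilege escalation itself; and `-v` sends each task's result, which may include module arguments not covered by `no_log`, into the tofu apply output. Consider dropping `-b` and gating `-v` on a variable. The heredoc command continues past the end of this hunk.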
diff --git a/opentofu/plan.out b/opentofu/plan.out
deleted file mode 100644
index a295e16..0000000
--- a/opentofu/plan.out
+++ /dev/null
Binary files differ