From 834feb58bdcbd448714888147e1db4421270ba93 Mon Sep 17 00:00:00 2001
From: clyhtsuriva
Date: Mon, 3 Feb 2025 22:54:35 +0100
Subject: opentofu&ansible: add `become` to `ansible_provisioner` & open k8s ports

---
 .gitignore | 1 +
 ansible/kubespray | 2 +-
 ansible/playbooks/k8s.yml | 2 +
 ansible/roles/k8s/handlers/main.yml | 6 +++
 ansible/roles/k8s/tasks/main.yml | 4 ++
 ansible/roles/k8s/tasks/ufw.yml | 64 +++++++++++++++++++++++++++
 opentofu/inventory.ini | 14 ------
 opentofu/modules/ansible_provisioner/main.tf | 2 +-
 opentofu/plan.out | Bin 9767 -> 0 bytes
 9 files changed, 79 insertions(+), 16 deletions(-)
 create mode 100644 ansible/roles/k8s/handlers/main.yml
 create mode 100644 ansible/roles/k8s/tasks/main.yml
 create mode 100644 ansible/roles/k8s/tasks/ufw.yml
 delete mode 100755 opentofu/inventory.ini
 delete mode 100644 opentofu/plan.out

diff --git a/.gitignore b/.gitignore
index 24b2700..c4add7a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,6 +4,7 @@
 *.tfstate.backup
 *.lock.hcl
 credentials.auto.tfvars
+*.out
 
 # Ansible
 *.retry
diff --git a/ansible/kubespray b/ansible/kubespray
index 4628275..2ae66bb 160000
--- a/ansible/kubespray
+++ b/ansible/kubespray
@@ -1 +1 @@
-Subproject commit 4628275fdcb21bffd88def0d882cc528fd12c935
+Subproject commit 2ae66bb366b02b71109f04dd011d1f2435e5cb49
diff --git a/ansible/playbooks/k8s.yml b/ansible/playbooks/k8s.yml
index a424b1b..45f03ee 100644
--- a/ansible/playbooks/k8s.yml
+++ b/ansible/playbooks/k8s.yml
@@ -2,6 +2,8 @@
 - name: Deploy a Production Ready Kubernetes Cluster
 hosts: all
 become: true
+ roles:
+ - role: k8s
 
 - name: Import kubespray playbook to deploy k8s cluster
 ansible.builtin.import_playbook: ../kubespray/cluster.yml
diff --git a/ansible/roles/k8s/handlers/main.yml b/ansible/roles/k8s/handlers/main.yml
new file mode 100644
index 0000000..d090d0e
--- /dev/null
+++ b/ansible/roles/k8s/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart UFW
+ ansible.builtin.service:
+ name: ufw
+ state: restarted
+...
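Review bot: Attaching the `k8s` role to a play whose `hosts: all` (context line just above the change) runs the UFW tasks on every inventory host, so the control-plane-only ports the role opens in `ansible/roles/k8s/tasks/ufw.yml` (6443, 2379-2380, 10257, 10259) are also opened on worker nodes. Kubespray inventories already separate `kube_control_plane` from `kube_node` (see the `opentofu/inventory.ini` deleted in this commit), so the role could be applied from a separate play on `hosts: kube_control_plane`, or the individual tasks guarded with `when: inventory_hostname in groups['kube_control_plane']`. A short comment on the `roles:` entry stating that the firewall role deliberately runs before kubespray's `cluster.yml` is imported would also help the next reader of this playbook.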
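Review bot: The `Restart UFW` handler is never notified: none of the tasks in `ansible/roles/k8s/tasks/ufw.yml` added by the same commit carry a `notify:`, so this file is dead code as it stands. Either add `notify: Restart UFW` to the rule tasks that are meant to trigger it, or drop the handler. If it is kept, a reload (`state: reloaded` on the service task) is usually enough to pick up rule changes and avoids the window during a full `restarted` in which the firewall is not enforcing; worth confirming against the ufw version in use.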
diff --git a/ansible/roles/k8s/tasks/main.yml b/ansible/roles/k8s/tasks/main.yml
new file mode 100644
index 0000000..c784c7c
--- /dev/null
+++ b/ansible/roles/k8s/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+- name: Include UFW tasks
+ ansible.builtin.include_tasks: ufw.yml
+...
diff --git a/ansible/roles/k8s/tasks/ufw.yml b/ansible/roles/k8s/tasks/ufw.yml
new file mode 100644
index 0000000..c4c653a
--- /dev/null
+++ b/ansible/roles/k8s/tasks/ufw.yml
@@ -0,0 +1,64 @@
+---
+- name: Ensure UFW is installed
+ ansible.builtin.apt:
+ name: ufw
+ state: present
+
+- name: Allow Kubernetes API server (6443)
+ community.general.ufw:
+ rule: allow
+ port: 6443
+ proto: tcp
+ comment: "Kubernetes API server"
+
+- name: Allow etcd server client API (2379-2380)
+ community.general.ufw:
+ rule: allow
+ port: "2379:2380"
+ proto: tcp
+ comment: "etcd server client API"
+
+- name: Allow Kubelet API (10250)
+ community.general.ufw:
+ rule: allow
+ port: 10250
+ proto: tcp
+ comment: "Kubelet API"
+
+- name: Allow kube-scheduler (10259)
+ community.general.ufw:
+ rule: allow
+ port: 10259
+ proto: tcp
+ comment: "kube-scheduler"
+
+- name: Allow kube-controller-manager (10257)
+ community.general.ufw:
+ rule: allow
+ port: 10257
+ proto: tcp
+ comment: "kube-controller-manager"
+
+- name: Allow kube-proxy (10256)
+ community.general.ufw:
+ rule: allow
+ port: 10256
+ proto: tcp
+ comment: "kube-proxy"
+
+- name: Allow NodePort services (30000-32767)
+ community.general.ufw:
+ rule: allow
+ port: "30000:32767"
+ proto: tcp
+ comment: "NodePort services"
+
+- name: Enable UFW
+ community.general.ufw:
+ state: enabled
+
+- name: Ensure UFW is enabled on boot
+ ansible.builtin.systemd:
+ name: ufw
+ enabled: true
+...
diff --git a/opentofu/inventory.ini b/opentofu/inventory.ini
deleted file mode 100755
index f00a94a..0000000
--- a/opentofu/inventory.ini
+++ /dev/null
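Review bot: `Enable UFW` turns the firewall on without any allow rule for the SSH port that Ansible itself uses — the provisioner in `opentofu/modules/ansible_provisioner/main.tf` connects with `-u`/`--private-key` over SSH and `ansible/playbooks/k8s.yml` then imports kubespray's `cluster.yml` over the same transport — so with ufw's usual default deny-incoming policy any SSH session opened after this task (the remaining plays, or an operator login) is refused. Add an explicit SSH allow before enabling, and set the default policies explicitly instead of relying on the distribution defaults. None of the rules carries `from_ip`, so the etcd ports (2379-2380), the kubelet API (10250) and the control-plane ports are reachable from any source; restricting them to the cluster node addresses (the inventory groups are available for this) is the usual hardening. The ports needed by the CNI that kubespray installs (BGP or VXLAN traffic, depending on the plugin) are not opened either, so pod networking may be blocked once UFW is active — worth verifying against the CNI in use. The `ansible.builtin.apt` task also ties this role to Debian-family hosts, which deserves a comment at the top of the file.
```yaml
# … unchanged: Ensure UFW is installed …

# Explicit defaults so the behaviour does not depend on the distribution's ufw defaults.
- name: Set default UFW policies
  community.general.ufw:
    direction: "{{ item.direction }}"
    policy: "{{ item.policy }}"
  loop:
    - { direction: incoming, policy: deny }
    - { direction: outgoing, policy: allow }

# Must precede "Enable UFW": Ansible (and operators) reach the host over this port.
- name: Allow SSH for the Ansible control path
  community.general.ufw:
    rule: allow
    port: "{{ ansible_port | default(22) }}"
    proto: tcp
    comment: "SSH"

# Example of restricting a cluster-internal port to the cluster nodes themselves.
- name: Allow etcd server client API (2379-2380) from cluster nodes only
  community.general.ufw:
    rule: allow
    port: "2379:2380"
    proto: tcp
    from_ip: "{{ hostvars[item].ansible_host | default(item) }}"
    comment: "etcd server client API"
  loop: "{{ groups['k8s_cluster'] }}"

# … unchanged: remaining port rules, Enable UFW, systemd task …
```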
@@ -1,14 +0,0 @@
-[kube_control_plane]
-192.168.1.86
-
-[etcd]
-192.168.1.86
-
-[kube_node]
-192.168.1.84
-192.168.1.85
-
-
-[k8s_cluster:children]
-kube_control_plane
-kube_node
diff --git a/opentofu/modules/ansible_provisioner/main.tf b/opentofu/modules/ansible_provisioner/main.tf
index 54e3346..cac666d 100644
--- a/opentofu/modules/ansible_provisioner/main.tf
+++ b/opentofu/modules/ansible_provisioner/main.tf
@@ -17,7 +17,7 @@ resource "null_resource" "ansible_provisioner" {
 
 provisioner "local-exec" {
 command = <<-EOT
- ANSIBLE_HOST_KEY_CHECKING=False ANSIBLE_CONFIG=${path.root}/../ansible/ansible.cfg ansible-playbook \
+ ANSIBLE_HOST_KEY_CHECKING=False ANSIBLE_CONFIG=${path.root}/../ansible/ansible.cfg ansible-playbook -b -v \
 -i ${var.inventory_file_path != null ? var.inventory_file_path : "${var.vm_ip},"} \
 -u ${var.vm_username} \
 --private-key ${var.ssh_private_key_path} \
diff --git a/opentofu/plan.out b/opentofu/plan.out
deleted file mode 100644
index a295e16..0000000
Binary files a/opentofu/plan.out and /dev/null differ
-- 
cgit v1.2.3
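Review bot: `-b` on the `ansible-playbook` command line duplicates the `become: true` that `ansible/playbooks/k8s.yml` already sets at play level in this same commit, so one of the two is redundant; if the flag is meant as a safety net for playbooks that do not declare become themselves, a comment inside the heredoc saying so would stop the next reader from removing either one. `-v` is now hard-coded as well, and everything the verbose run prints — including kubespray task results — is echoed into the `tofu apply` output and any CI log that captures it, so exposing verbosity as a module input (for example an `ansible_verbosity` variable, defaulting to empty) rather than fixing it here would be cleaner. The `null_resource` block containing this provisioner starts before the hunk and the `EOT` heredoc closes after it.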