feat: add base kubernetes services

M0NsTeRRR · Jul 23, 2023 · 49d3007 · 49d3007
1 parent a5e7db0
commit 49d3007
Show file tree

Hide file tree

Showing 96 changed files with 1,794 additions and 483 deletions.
diff --git a/.github/renovate.json5 b/.github/renovate.json5
@@ -146,6 +146,18 @@
       ignoreUnstable: false,
       versioning: 'regex:^v?(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)(\\+k3s1)',
     },
+    // handle emissary chart github tag that don't follow semver
+    {
+      matchPackageNames: [
+        'emissary-ingress/emissary',
+      ],  
+      matchDepNames: [
+        'emissary-ingress/emissary',
+      ],
+      ignoreUnstable: false,
+      matchCurrentValue: '/^chart/',
+      versioning: 'regex:^(chart\/v)?(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)',
+    },
     // handle pdns auth github tag that don't follow semver
     {
       matchPackageNames: [

diff --git a/README.md b/README.md
@@ -12,7 +12,8 @@ This is my Homelab v3 infrastructure.
   - Packer builder arm (needed for rpi build)
 - Terraform
   - Terragrunt
-- Docker (needed for kube-vip manifest generation)
+- Kubectl
+- Helm
 
 Create venv `python3 -m venv venv`  
 Source venv `source venv/bin/activate`  
@@ -29,7 +30,6 @@ Install ansible galaxy dependencies `ansible-galaxy install -r requirements.yml`
 
 fill all `.vault_password.txt` at root with ansible vault password used   
 fill all `secrets.yml` based on `secrets.example` in each subdirectory of `groups_vars`  
-fill `inventory.vmware.yml` and encrypt it with `vault` based on `inventory.vmware.example`
 
 ### Playbooks to create client certificate signed by a CA
 

diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
@@ -3,11 +3,11 @@ remote_user = lortega
 interpreter_python = /usr/bin/python3
 callbacks_enabled = timer, profile_tasks, profile_roles
 vault_password_file = ../.vault_password.txt
-inventory = inventory.proxmox.yaml,hosts
+inventory = hosts
 
 [ssh_connection]
 pipelining = True
 ssh_args = -o ControlMaster=auto -o ControlPersist=60s
 
 [inventory]
-enable_plugins = host_list, ini, community.general.proxmox
+enable_plugins = host_list, ini
diff --git a/ansible/deploy_infra.yml b/ansible/deploy_infra.yml
@@ -11,45 +11,43 @@
     - powerdns_authoritative
     - ntp
 
-- name: Configure k3s
+- name: Configure kubernetes
   hosts: kubernetes
   become: true
-  roles:
-    - k3s
-  pre_tasks:
-    - name: Disable SWAP
-      ansible.builtin.command: swapoff -a
-      changed_when: true
-
-    - name: Disable SWAP in fstab
-      ansible.builtin.replace:
-        path: /etc/fstab
-        regexp: '^([^#].*?\sswap\s+sw\s+.*)$'
-        replace: '# \1'
-
-- name: Configure Longhorn dependencies
-  hosts: kubernetes_worker
-  become: true
-  pre_tasks:
-    - name: Install required packages by longhorn
-      ansible.builtin.apt:
-        pkg:
-          - open-iscsi
-          - nfs-common
-        state: present
-
-- name: Configure cilium & kubectl
-  hosts: kubernetes_master
-  become: true
   roles:
     - kubectl
-    - cilium
+    - common_kubernetes
+    - k3s
 
 - name: Deploy kubernetes base services
   hosts: kubernetes_master[0]
   become: true
   roles:
+    - cilium
     - kube_vip
-    - emissary
     - metallb
+    - role: traefik
+    - role: traefik
+      traefik_external_ips:
+        - 192.168.10.101
+        - 2a0c:b641:2c0:110::101
+      traefik_namespace: traefik-internal
+      traefik_default_ingress_class: true
+      traefik_ingress_class_name: traefik-internal
     - longhorn
+    - vault
+    - cert_manager
+    - role: external_dns
+    - role: external_dns
+      external_dns_namespace: "external-dns-internal"
+      external_dns_vault_role: external-dns-internal
+      external_dns_vault_inject_secret: secret/data/homelab/prod/external_dns/internal
+      external_dns_envs:
+        - EXTERNAL_DNS_PDNS_SERVER
+        - EXTERNAL_DNS_PDNS_API_KEY
+        - EXTERNAL_DNS_PDNS_TLS_ENABLED
+        - EXTERNAL_DNS_TLS_CA
+      external_dns_tls_envs:
+        - EXTERNAL_DNS_TLS_CA
+      external_dns_args: "--source=ingress --provider=pdns {% for domain in local_domains %}--domain-filter={{ domain }}{% if not loop.last %} {% endif %}{% endfor %} --registry=txt --txt-owner-id=homelab.kubernetes --ingress-class=traefik-internal --default-targets=192.168.10.102 --default-targets=2a0c:b641:2c0:110::102"
+    - argocd
diff --git a/ansible/group_vars/all/all.yml b/ansible/group_vars/all/all.yml
@@ -1,10 +1,11 @@
 ---
 country: FR
 organization: unicornafk
-certs_dir: ../../../ssl/
-certs_dir_role_path: "{{ role_path }}/../../../ssl/"
+certs_dir: "../../../ssl/"
+root_dir_role_path: "{{ role_path }}/../../../"
+certs_dir_role_path: "{{ root_dir_role_path }}ssl/"
 ca_certificates_local_path_ca_certificate: "{{ certs_dir_role_path }}unicornafk.crt"
-ca_certificates_certs_dir: "{{ certs_dir }}"
+ca_certificates_certs_dir: "{{ certs_dir_role_path }}"
 
 kubernetes_localhost_kubeconfig_path: "{{ lookup('env', 'HOME') }}/.kube/homelab.yaml"
 kubernetes_vip_url: "kubernetes.unicornafk.fr"
@@ -24,10 +25,14 @@ systemd_resolved_fallback_dns:
   - 149.112.112.112
   - 2620:fe::fe
   - 2620:fe::9
-systemd_resolved_domains: "{{ domains }}"
+systemd_resolved_domains: "{{ local_domains }}"
 
 domains:
   - unicornafk.fr
+  - adminafk.fr
+  - as212510.net
+local_domains:
+  - "{{ domains[0] }}"
 subdomains:
   - dmz.unicornafk.fr
   - lab.unicornafk.fr

diff --git a/ansible/group_vars/all/secrets.example b/ansible/group_vars/all/secrets.example
@@ -2,4 +2,6 @@
 grub_user:
 grub_password:
 admin_email:
-ca_private_passphrase:
+ca_private_passphrase:
+monitoring_email:
+self_signed_cert_pdns:
diff --git a/ansible/group_vars/dns/all.yml b/ansible/group_vars/dns/all.yml
@@ -1,14 +1,15 @@
 ---
-dnsdist_local_path_ca_certificate: "{{ certs_dir_role_path }}unicornafk.crt"
+dnsdist_local_path_ca_certificate: "{{ ca_certificates_local_path_ca_certificate }}"
 dnsdist_cert_filename: "{{ hostvars[inventory_hostname].hostname[:-1] }}-fullchain.crt"
 dnsdist_key_filename: "{{ hostvars[inventory_hostname].hostname[:-1] }}.key"
 
-powerdns_recursor_domains: '{{ domains }}'
+powerdns_recursor_domains: '{{ local_domains }}'
 powerdns_recursor_reverse_zones: '{{ reverse_zones }}'
 
 powerdns_authoritative_rname: "{{ admin_email | replace('@', '.') }}."
 powerdns_authoritative_api_base_url: "https://{{ ansible_default_ipv4.address }}:9443"
-powerdns_authoritative_domains: '{{ domains }}'
+powerdns_authoritative_ca_path: "{{ ca_certificates_local_path_ca_certificate }}"
+powerdns_authoritative_domains: '{{ local_domains }}'
 powerdns_authoritative_subdomains: '{{ subdomains }}'
 powerdns_authoritative_reverse_zones: '{{ reverse_zones }}'
 powerdns_authoritative_records:
@@ -54,9 +55,9 @@ powerdns_authoritative_records:
     a: 192.168.6.3
     aaaa: 2a0c:b641:02c0:106::3
     sshfp:
-      - algorithm: 3
+      - algorithm: 4
         type: 2
-        fingerprint: 5C4DACEB5E7F832D076BCF85831AF7BFA5064C7E06ED99003F513ABE84FB2204
+        fingerprint: 33a3f4d1970bfa6bd85305adf23c437d8fd2b2b2b30aaaf9653d303733148dce
     rdns: true
   - hostname: dns1.unicornafk.fr.
     a: 192.168.10.21
@@ -88,6 +89,9 @@ powerdns_authoritative_records:
   - hostname: kubernetes.unicornafk.fr.
     a: 192.168.10.80
     aaaa: 2a0c:b641:02c0:110::80
+  - hostname: vault.unicornafk.fr.
+    a: 192.168.10.101
+    rdns: true
   - hostname: ap1.unicornafk.fr.
     a: 192.168.20.51
     aaaa: 2a0c:b641:02c0:120::51
@@ -124,13 +128,6 @@ powerdns_authoritative_records:
         type: 2
         fingerprint: 942A283E7B7D4ED621A7570A6C2785E20904305BDA3199CBCAD7EA5091D88880
     rdns: true
-  - hostname: vcenter.unicornafk.fr.
-    a: 192.168.40.10
-    sshfp:
-      - algorithm: 3
-        type: 2
-        fingerprint: 3395968F65F5B88C6048A423D3A8113B0EB6BB52DF027BAFBA3BBCC2D98B0EF3
-    rdns: true
   - hostname: server1.unicornafk.fr.
     a: 192.168.40.11
     aaaa: 2a0c:b641:02c0:140::11
@@ -271,7 +268,7 @@ self_signed_certs:
     country: "{{ country }}"
     organization: "{{ organization }}"
     admin_email: "{{ admin_email }}"
-    ca_cert_local_path: "{{ certs_dir_role_path }}unicornafk.crt"
+    ca_cert_local_path: "{{ ca_certificates_local_path_ca_certificate }}"
     intermediate_cert_local_path: "{{ certs_dir_role_path }}intermediate/homelab/homelab.crt"
     intermediate_private_local_path: "{{ certs_dir_role_path }}intermediate/homelab/homelab.key"
     intermediate_private_passphrase: "{{ ca_private_passphrase }}"

diff --git a/ansible/group_vars/kubernetes/all.yml b/ansible/group_vars/kubernetes/all.yml
@@ -1,5 +1,5 @@
 ---
 k3s_localhost_kubeconfig_path: "{{ kubernetes_localhost_kubeconfig_path }}"
-k3s_join_url: "https://master1.unicornafk.fr:6443"
+k3s_join_url: "https://{{ hostvars[groups['kubernetes_master'][0]].inventory_hostname }}:6443"
 k3s_ha_controlplane_ip: "{{ kubernetes_vip_url }},{{ lookup('community.general.dig', kubernetes_vip_url) }},{{ lookup('community.general.dig', kubernetes_vip_url, 'qtype=AAAA') }}"
 k3s_nodename: "{{ inventory_hostname }}"
diff --git a/ansible/group_vars/kubernetes_master/all.yml b/ansible/group_vars/kubernetes_master/all.yml
@@ -1,10 +1,147 @@
 ---
-cilium_localhost_kubeconfig_path: "{{ kubernetes_localhost_kubeconfig_path }}"
 kube_vip_localhost_kubeconfig_path: "{{ kubernetes_localhost_kubeconfig_path }}"
-kube_vip_address: "192.168.10.80"
-kube_vip_interface: ens192
-emissary_localhost_kubeconfig_path: "{{ kubernetes_localhost_kubeconfig_path }}"
+kube_vip_address:
+ - namespace: kube-vip-ipv4
+   address: 192.168.10.80
+   cidr: 32
+   prometheus_server: ":2112"
+ - namespace: kube-vip-ipv6
+   address: 2a0c:b641:2c0:110::80
+   cidr: 128
+   prometheus_server: ":2113"
+kube_vip_interface: enp6s18
+cilium_localhost_kubeconfig_path: "{{ kubernetes_localhost_kubeconfig_path }}"
+traefik_localhost_kubeconfig_path: "{{ kubernetes_localhost_kubeconfig_path }}"
+traefik_external_ips:
+  - 192.168.10.100
+  - 2a0c:b641:2c0:110::100
+traefik_namespace: traefik-external
+traefik_default_ingress_class: false
+traefik_ingress_class_name: traefik-external
 longhorn_localhost_kubeconfig_path: "{{ kubernetes_localhost_kubeconfig_path }}"
 metallb_localhost_kubeconfig_path: "{{ kubernetes_localhost_kubeconfig_path }}"
-metallb_ip_address_pool:
-  - 192.168.10.100-110
+metallb_ip_address_pools:
+  - name: private
+    pools:
+      - 192.168.10.100-192.168.10.120
+      - 2a0c:b641:02c0:110::100-2a0c:b641:02c0:110::120
+    auto_assign: true
+vault_localhost_kubeconfig_path: "{{ kubernetes_localhost_kubeconfig_path }}"
+vault_init_output_file_path: "{{ root_dir_role_path }}/vault.json.secrets"
+vault_ca_filename: "{{ ca_certificates_local_path_ca_certificate }}"
+vault_cert_filename: "{{ certs_dir_role_path }}homelab/vault.unicornafk.fr/vault.unicornafk.fr-fullchain.crt"
+vault_key_filename: "{{ certs_dir_role_path }}homelab/vault.unicornafk.fr/vault.unicornafk.fr.key"
+vault_url: "https://vault.unicornafk.fr:8200"
+vault_ca_path: "{{ ca_certificates_local_path_ca_certificate }}"
+vault_loadbalancer_ip:
+  - 192.168.10.102
+  - 2a0c:b641:2c0:110::102
+vault_secrets_engine:
+  - name: kv-v2
+    path: secret
+  - name: pki
+    path: pki
+    tunes:
+      max-lease-ttl: 8760h
+      passthrough-request-headers:
+        - If-Modified-Since
+        - Last-Modified
+        - Location
+        - Replay-Nonce
+        - Link
+vault_auth_methods:
+  - name: kubernetes
+    path: kubernetes
+vault_policies:
+  - name: pki
+    rules:
+      - path: pki*
+        capabilities:
+          - read
+          - list
+      - path: pki/sign/*
+        capabilities:
+          - create
+          - update
+      - path: pki/issue/*
+        capabilities:
+          - create
+  - name: external-dns-internal
+    rules:
+      - path: secret/data/homelab/prod/external_dns/internal
+        capabilities:
+          - read
+  - name: external-dns-external
+    rules:
+      - path: secret/data/homelab/prod/external_dns/external
+        capabilities:
+          - read
+public_vault_datas:
+  - path: pki/config/ca
+    data:
+      pem_bundle: "{{ lookup('ansible.builtin.file', ca_certificates_local_path_ca_certificate) }}\n{{ lookup('ansible.builtin.file', certs_dir_role_path ~ 'intermediate/vault/vault.crt') }}\n{{ lookup('ansible.builtin.file', certs_dir_role_path ~ 'intermediate/vault/vault.key') }}"
+  - path: pki/config/cluster
+    data:
+      path: https://vault-active.vault.svc:8200/v1/pki
+      aia_path: https://vault.unicornafk.fr:8200/v1/pki
+  - path: pki/config/urls
+    data:
+      issuing_certificates: "{{ '{{' }}cluster_aia_path{{ '}}' }}/issuer/{{ '{{' }}issuer_id{{ '}}' }}/der"
+      crl_distribution_points: "{{ '{{' }}cluster_aia_path{{ '}}' }}/issuer/{{ '{{' }}issuer_id{{ '}}' }}/crl/der"
+      ocsp_servers: "{{ '{{' }}cluster_path{{ '}}' }}/ocsp"
+      enable_templating: true
+  - path: pki/config/acme
+    data:
+      enabled: true
+  - path: pki/roles/unicornafk-dot-fr
+    data:
+      allowed_domains: unicornafk.fr
+      allow_subdomains: true
+      ttl: 72h
+      key_type: rsa
+      key_bits: 4096
+      signature_bits: 512
+      organization: "{{ organization }}"
+      country: "{{ country }}"
+      require_cn: false # must be disabled for cert-manager
+  - path: auth/kubernetes/config
+    data:
+      kubernetes_host: "https://10.43.0.1:443"
+  - path: auth/kubernetes/role/vault-cert-manager
+    data:
+      bound_service_account_names: vault-cert-manager
+      bound_service_account_namespaces: cert-manager
+      audience: "vault://vault"
+      policies: pki
+      ttl: 1m
+  - path: auth/kubernetes/role/external-dns-internal
+    data:
+      bound_service_account_names: external-dns
+      bound_service_account_namespaces: external-dns-internal
+      policies: external-dns-internal
+      ttl: 72h
+  - path: auth/kubernetes/role/external-dns-external
+    data:
+      bound_service_account_names: external-dns
+      bound_service_account_namespaces: external-dns-external
+      policies: external-dns-external
+      ttl: 72h
+vault_datas: "{{ public_vault_datas + secret_vault_datas }}"
+cert_manager_localhost_kubeconfig_path: "{{ kubernetes_localhost_kubeconfig_path }}"
+cert_manager_email: "{{ monitoring_email }}"
+cert_manager_vault_sign: unicornafk-dot-fr
+cert_manager_vault_server_ca: "{{ vault_ca_filename }}"
+external_dns_localhost_kubeconfig_path: "{{ kubernetes_localhost_kubeconfig_path }}"
+external_dns_namespace: "external-dns-external"
+external_dns_vault_role: external-dns-external
+external_dns_vault_inject_secret: secret/data/homelab/prod/external_dns/external
+external_dns_vault_ca_filename: "{{ vault_ca_filename }}"
+external_dns_envs:
+  - SCW_ACCESS_KEY
+  - SCW_SECRET_KEY
+external_dns_args: "--source=ingress --provider=scaleway {% for domain in domains %}--domain-filter={{ domain }}{% if not loop.last %} {% endif %}{% endfor %} --registry=txt --txt-owner-id=homelab.kubernetes --ingress-class=traefik-external --default-targets=82.65.135.80 --default-targets=2a0c:b641:2c0:110::100"
+argocd_localhost_kubeconfig_path: "{{ kubernetes_localhost_kubeconfig_path }}"
+argocd_hostname: argocd.unicornafk.fr
+argocd_ingress_class: traefik-internal
+argocd_repository_name: homelab
+argocd_repository_url: https://github.com/M0NsTeRRR/homelabv3-infra