feat: add documentation and configuration for deploying SC4S on RKE2 with ansible

wojtekzyla · wojtekzyla · commit 06c54bf4f70d · 2024-11-07T10:12:08.000+01:00
feat: remove ip and personal uid
diff --git a/ansible/inventory/inventory_rke2.yml b/ansible/inventory/inventory_rke2.yml
@@ -0,0 +1,5 @@
+control_nodes:
+  hosts:
+    token_node:
+      ansible_host:
+      config_file:
diff --git a/ansible/inventory/inventory_rke2_ha.yml b/ansible/inventory/inventory_rke2_ha.yml
@@ -0,0 +1,23 @@
+control_nodes:
+  hosts:
+    token_node:
+      ansible_host:
+      config_file:
+    optional_control_node_1:
+      ansible_host:
+      config_file:
+    optional_control_node_2:
+      ansible_host:
+      config_file:
+
+agent_nodes:
+  hosts:
+    optional_agent_1:
+      ansible_host:
+      config_file:
+    optional_agent_2:
+      ansible_host:
+      config_file:
+    optional_agent_3:
+      ansible_host:
+      config_file:
diff --git a/ansible/playbooks/rke2.yml b/ansible/playbooks/rke2.yml
@@ -0,0 +1,65 @@
+---
+- name: Copy rke2 configuration files
+  hosts: all
+  become: true
+  tasks:
+    - include_tasks: ../tasks/rke2/copy_config.yml
+
+- name: Install and run rke2-server.service on first control node
+  hosts: control_nodes
+  become: true
+  tasks:
+    - include_tasks: ../tasks/rke2/install_first_server.yml
+
+- name: Get node-token from a control node
+  hosts: control_nodes
+  become: true
+  tasks:
+    - include_tasks: ../tasks/rke2/get_registration_token.yml
+
+- name: Add node-token to other control nodes and agent nodes configuration
+  hosts: control_nodes:agent_nodes
+  become: true
+  tasks:
+    - include_tasks: ../tasks/rke2/add_token_to_config.yml
+
+- name: Install and run rke2-server.service on rest of the control nodes
+  hosts: control_nodes
+  become: true
+  tasks:
+    - include_tasks: ../tasks/rke2/install_other_servers.yml
+
+- name: Install and run rke2-agent.service on agent nodes
+  hosts: agent_nodes
+  become: true
+  tasks:
+    - include_tasks: ../tasks/rke2/install_agents.yml
+
+- name: Make kubectl executable available for ansible_user
+  hosts: control_nodes
+  become: true
+  tasks:
+    - include_tasks: ../tasks/rke2/provide_kubectl.yml
+
+- name: Deploy k8s secrets
+  hosts: control_nodes
+  become: true
+  tasks:
+    - include_tasks: ../tasks/rke2/deploy_secrets.yml
+
+- name: Install metallb
+  hosts: control_nodes
+  tasks:
+    - include_tasks: ../tasks/rke2/install_metallb.yml
+
+- name: Install SC4S helm repo
+  hosts: control_nodes
+  tasks:
+    - include_tasks: ../tasks/rke2/install_helm_repo.yml
+
+- name: Deploy SC4S app
+  hosts: control_nodes
+  tasks:
+    - include_tasks: ../tasks/rke2/deploy_app.yml
+
+
diff --git a/ansible/resources/metallb-config.yaml b/ansible/resources/metallb-config.yaml
@@ -0,0 +1,15 @@
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  namespace: metallb
+  name: my-ip-pool
+spec:
+  addresses:
+  # Configure address pool for metallb
+  #- 1.2.3.4/32
+---
+apiVersion: metallb.io/v1beta1
+kind: L2Advertisement
+metadata:
+  namespace: metallb
+  name: l2-advertisement
diff --git a/ansible/tasks/rke2/add_token_to_config.yml b/ansible/tasks/rke2/add_token_to_config.yml
@@ -0,0 +1,8 @@
+---
+- name: Add rke2 token to config
+  lineinfile:
+    path: /etc/rancher/rke2/config.yaml
+    regexp: '^token:'
+    line: "token: {{ hostvars['token_node'].rke2_token }}"
+    create: yes
+  when: inventory_hostname != "token_node"
diff --git a/ansible/tasks/rke2/copy_config.yml b/ansible/tasks/rke2/copy_config.yml
@@ -0,0 +1,14 @@
+---
+- name: Create /etc/rancher/rke2 directory
+  file:
+    path: /etc/rancher/rke2
+    state: directory
+    mode: u=rw,g=rw,o=r
+
+- name: Copy the configuration file to the remote location
+  copy:
+    src: "{{ config_file }}"
+    dest: /etc/rancher/rke2/config.yaml
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: u=rw,g=rw,o=r
diff --git a/ansible/tasks/rke2/deploy_app.yml b/ansible/tasks/rke2/deploy_app.yml
@@ -0,0 +1,21 @@
+---
+- name: Copying values.yml file on the server
+  copy:
+    src: /opt/charts/splunk-connect-for-syslog/values.yaml
+    dest: "/home/{{ ansible_user }}/values.yaml"
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: u=rw,g=rw,o=r
+
+- name: Deploy app or update it with new values if already deployed
+  block:
+    - name: Deploy sc4s app from templates with overwrites from values.yml
+      ansible.builtin.shell: helm install sc4s splunk-connect-for-syslog/splunk-connect-for-syslog -f values.yaml
+      args:
+        chdir: "/home/{{ ansible_user }}/"
+  rescue:
+      - name: Update app with new values.yml
+        ansible.builtin.shell: helm upgrade sc4s splunk-connect-for-syslog/splunk-connect-for-syslog -f values.yaml
+        args:
+          chdir: "/home/{{ ansible_user }}/"
+  when: inventory_hostname == "token_node"
diff --git a/ansible/tasks/rke2/deploy_secrets.yml b/ansible/tasks/rke2/deploy_secrets.yml
@@ -0,0 +1,29 @@
+---
+- name: Load k8s secrets
+  include_vars:
+    file: "{{ item }}"
+  with_first_found:
+    - files:
+      - /opt/ansible/resources/k8s_secrets.yaml
+      - /opt/charts/splunk-connect-for-syslog/secrets.yaml
+
+- name: Export kubectl bin path
+  shell: export PATH=$PATH:/var/lib/rancher/rke2/bin/
+
+- name: Create mTLS secret
+  ansible.builtin.shell: |
+    /var/lib/rancher/rke2/bin/kubectl apply -f - <<EOF
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: {{ hec_tls.secret }}
+    type: Opaque
+    data:
+      key.pem: {{ hec_tls.value.key | b64encode }}
+      cert.pem: {{ hec_tls.value.cert | b64encode }}
+      ca_cert.pem: {{ hec_tls.value.ca | b64encode }}
+    EOF
+  when:
+    - hec_tls is defined
+    - ('secret' in hec_tls) and ('value' in hec_tls)
+    - inventory_hostname == "token_node"
diff --git a/ansible/tasks/rke2/get_registration_token.yml b/ansible/tasks/rke2/get_registration_token.yml
@@ -0,0 +1,16 @@
+---
+- name: Wait for rke2 token to be ready
+  wait_for:
+    path: /var/lib/rancher/rke2/server/node-token
+    timeout: 60
+  when: inventory_hostname == "token_node"
+
+- name: Retrieve the rke2 node token
+  shell: cat /var/lib/rancher/rke2/server/node-token
+  register: node_token
+  when: inventory_hostname == "token_node"
+
+- name: Set the node token as a fact for worker nodes
+  set_fact:
+    rke2_token: "{{ node_token.stdout }}"
+  when: inventory_hostname == "token_node"
diff --git a/ansible/tasks/rke2/install_agents.yml b/ansible/tasks/rke2/install_agents.yml
@@ -0,0 +1,9 @@
+---
+- name: Run the installer
+  shell: curl -sfL https://get.rke2.io | INSTALL_RKE2_TYPE="agent" sh -
+
+- name: Enable and start rke2-agent.service
+  service:
+    name: rke2-agent.service
+    enabled: yes
+    state: started
diff --git a/ansible/tasks/rke2/install_first_server.yml b/ansible/tasks/rke2/install_first_server.yml
@@ -0,0 +1,11 @@
+---
+- name: Run the installer
+  shell: curl -sfL https://get.rke2.io | sh -
+  when: inventory_hostname == "token_node"
+
+- name: Enable and start rke2-server.service
+  service:
+    name: rke2-server.service
+    enabled: yes
+    state: started
+  when: inventory_hostname == "token_node"
diff --git a/ansible/tasks/rke2/install_helm_repo.yml b/ansible/tasks/rke2/install_helm_repo.yml
@@ -0,0 +1,6 @@
+---
+- name: Add sc4s helm repository
+  shell: helm repo add splunk-connect-for-syslog https://splunk.github.io/splunk-connect-for-syslog
+
+- name: Separately update the repository cache
+  shell: helm repo update
diff --git a/ansible/tasks/rke2/install_metallb.yml b/ansible/tasks/rke2/install_metallb.yml
@@ -0,0 +1,27 @@
+---
+- name: Add metallb helm repository
+  shell: helm repo add metallb https://metallb.github.io/metallb
+
+- name: Create metallb namespace
+  shell: /var/lib/rancher/rke2/bin/kubectl create namespace metallb
+  when: inventory_hostname == "token_node"
+
+- name: Install metallb
+  shell: helm install metallb metallb/metallb -n metallb
+  when: inventory_hostname == "token_node"
+
+- name: Copy metallb-config.yaml file on the server
+  copy:
+    src: /opt/ansible/resources/metallb-config.yaml
+    dest: "/home/{{ ansible_user }}/metallb-config.yaml"
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: u=rw,g=rw,o=r
+
+- name: Apply metallb config
+  shell: /var/lib/rancher/rke2/bin/kubectl apply -f metallb-config.yaml
+  register: result
+  retries: 10
+  delay: 60
+  until: result.stderr == ""
+  when: inventory_hostname == "token_node"
diff --git a/ansible/tasks/rke2/install_other_servers.yml b/ansible/tasks/rke2/install_other_servers.yml
@@ -0,0 +1,11 @@
+---
+- name: Run the installer
+  shell: curl -sfL https://get.rke2.io | sh -
+  when: inventory_hostname != "token_node"
+
+- name: Enable and start rke2-server.service
+  service:
+    name: rke2-server.service
+    enabled: yes
+    state: started
+  when: inventory_hostname != "token_node"
diff --git a/ansible/tasks/rke2/provide_kubectl.yml b/ansible/tasks/rke2/provide_kubectl.yml
@@ -0,0 +1,14 @@
+---
+    - name: Copy kubectl config to ~/.kube/config
+      shell: |
+        mkdir -p /home/{{ ansible_user }}/.kube && \
+        cp /etc/rancher/rke2/rke2.yaml /home/{{ ansible_user }}/.kube/config && \
+        chown {{ ansible_user }} /home/{{ ansible_user }}/.kube/config
+
+    - name: Add rke2 bin path to .bashrc
+      lineinfile:
+        path: "/home/{{ ansible_user }}/.bashrc"
+        line: 'export PATH=$PATH:/var/lib/rancher/rke2/bin/'
+        create: yes
+        state: present
+        insertafter: EOF
diff --git a/docs/gettingstarted/ansible-rke2.md b/docs/gettingstarted/ansible-rke2.md
diff --git a/mkdocs.yml b/mkdocs.yml
