update 369ds LDAP server setup

ansible/Makefile

@@ -0,0 +1,16 @@
+install: install-ansible-dependencies install-hcloud-servers install-k8s-cluster
+
+install-ansible-dependencies:
+	ansible-galaxy collection install community.kubernetes
+	ansible-galaxy collection install hetzner.hcloud
+
+install-hcloud-servers:
+	ansible-playbook create-hcloud-infrastructure.yaml  -e "state=present"
+	sleep 300
+
+install-k8s-cluster:
+	ansible-playbook create-kubernetes-cluster.yaml -i env/inventory --private-key ~/.ssh/talexdev_rsa
+	ansible-playbook deploy-db-prometheus.yaml
+	ansible-playbook deploy-db-pg.yaml
+	ansible-playbook deploy-app-termine.yaml
+	ansible-playbook deploy-ingress.yaml

ansible/README.md

@@ -0,0 +1,13 @@
+```bash
+ansible-galaxy collection install community.kubernetes
+ansible-galaxy collection install hetzner.hcloud
+
+ansible-playbook create-hcloud-infrastructure.yaml  -e "state=present"
+ansible-playbook create-kubernetes-cluster.yaml -i env/inventory --private-key ~/.ssh/talexdev_rsa
+ansible-playbook deploy-db-prometheus.yaml
+ansible-playbook deploy-db-pg.yaml
+ansible-playbook deploy-app-termine.yaml
+ansible-playbook deploy-ingress.yaml
+```
+
+install: htpasswd, openssl

ansible/ansible.cfg

@@ -1,5 +1,9 @@
 [defaults]
+vault_password_file = ~/.ansible-vault-pass
 host_key_checking = False
 inventory = inventory
 deprecation_warnings = False
 interpreter_python = auto_legacy_silent
+
+[ssh_connection]
+pipelining = True

ansible/create-hcloud-infrastructure.yaml

@@ -0,0 +1,12 @@
+---
+- name: create hosts and network infrastructure on Hetzner Cloud
+  hosts: localhost
+  gather_facts: false
+  become: false
+  vars_files:
+    - "env/credentials.yaml"
+    - "env/setup.yaml"
+    - "env/hcloud.yaml"
+    - "env/app.yaml"
+  roles:
+    - { role: tf-infrastructure, tags: tf-infrastructure }

ansible/create-kubernetes-cluster.yaml

@@ -0,0 +1,42 @@
+---
+- name: install Kubernetes control plane on first master node
+  hosts: master[0]
+  gather_facts: yes
+  remote_user: k8s
+  become: yes
+  vars_files:
+    - "env/credentials.yaml"
+    - "env/setup.yaml"
+    - "env/hcloud.yaml"
+    - "env/app.yaml"
+    - "env/ips.yaml"
+  vars:
+    kubeconfig: "{{ kube_dir }}/{{ kube_config }}"
+  roles:
+    - { role: kube-prepare, tags: kube-prepare }
+    - { role: kube-master, tags: kube-master }
+    - { role: kube-config, tags: kube-config }
+
+- name: join Kubernetes control plane with other master nodes
+  hosts: master[1:]
+  gather_facts: yes
+  remote_user: k8s
+  become: yes
+  vars_files:
+    - "env/setup.yaml"
+    - "env/hcloud.yaml"
+  roles:
+    - { role: kube-prepare, tags: kube-prepare }
+    - { role: kube-join-master, tags: kube-join-master }
+
+- name: join Kubernetes cluster with worker nodes
+  hosts: worker
+  gather_facts: yes
+  remote_user: k8s
+  become: yes
+  vars_files:
+    - "env/setup.yaml"
+    - "env/hcloud.yaml"
+  roles:
+    - { role: kube-prepare, tags: kube-prepare }
+    - { role: kube-join-worker, tags: kube-join-worker }

ansible/deploy-app-termine.yaml

@@ -4,8 +4,9 @@
   gather_facts: false
   become: false
   vars_files:
-    - "env/config.yaml"
-    - "env/namespace.yaml"
-    - "env/version.yaml"
+    - "env/setup.yaml"
+    - "env/app.yaml"
+  vars:
+    kubeconfig: "{{ kube_dir }}/{{ kube_config }}"
   roles:
     - { role: termine, tags: termine }

ansible/deploy-db-ldap.yaml

@@ -4,9 +4,10 @@
   gather_facts: false
   become: false
   vars_files:
-    - "env/config.yaml"
-    - "env/namespace.yaml"
-    - "env/version.yaml"
+    - "env/setup.yaml"
+    - "env/app.yaml"
+  vars:
+    kubeconfig: "{{ kube_dir }}/{{ kube_config }}"
   roles:
     - { role: ldap, tags: ldap }
   pre_tasks:

ansible/deploy-ingress.yaml

@@ -4,16 +4,36 @@
   gather_facts: false
   become: false
   vars_files:
-    - "env/config.yaml"
-    - "env/namespace.yaml"
-    - "env/version.yaml"
+    - "env/credentials.yaml"
+    - "env/setup.yaml"
+    - "env/app.yaml"
+    - "env/hcloud.yaml"
+    - "env/ips.yaml"
+  vars:
+    - kubeconfig: "{{ kube_dir }}/{{ kube_config }}"
+    - domain_filters: [ "{{ subdomain }}.{{ domain }}" ]
+    - hostnames:
+      - "{{ hostname.traefik_dashboard }}.{{ subdomain }}.{{ domain }}"
+      - "{{ hostname.application }}.{{ subdomain }}.{{ domain }}"
   roles:
     - { role: external-dns, tags: external-dns }
     - { role: traefik, tags: traefik }
   pre_tasks:
-    - name: create k8s namespace
-      shell: |
-        kubectl --kubeconfig {{ kubeconfig }} create namespace {{ namespace.traefik }} || true
-    - name: create k8s namespace
-      shell: |
-        kubectl --kubeconfig {{ kubeconfig }} create namespace {{ namespace.externaldns }} || true
+    - name: install Ansible module dependencies
+      pip:
+        name: openshift
+        state: present
+    - name: "create k8s namespace - {{ namespace.externalDNS }}"
+      community.kubernetes.k8s:
+        kubeconfig: "{{ kubeconfig }}"
+        name: "{{ namespace.externalDNS }}"
+        api_version: v1
+        kind: Namespace
+        state: present
+    - name: "create k8s namespace - {{ namespace.traefik }}"
+      community.kubernetes.k8s:
+        kubeconfig: "{{ kubeconfig }}"
+        name: "{{ namespace.traefik }}"
+        api_version: v1
+        kind: Namespace
+        state: present

ansible/env/app.yaml

@@ -0,0 +1,60 @@
+#
+# PRESETS: DO NOT CHANGE UNLESS YOU KNOW WHY :)
+#
+
+# Kubernetes cluster cert
+kube_dir: ~/.kube
+kube_config: kubernetes-admin-covid-test-station
+
+# Time-to-live for DNS entries
+dns_ttl: 300
+
+# Managed SSL certs
+managed_cert_name: k8s-tls-managed-cert-covidts
+
+# Kubernetes Namespaces
+namespace:
+  prometheusOperator: monitoring
+  postgres: postgres
+  ldap: ldap
+  externalDNS: traefik
+  traefik: traefik
+
+# Helm chart version pinning
+helm_chart_version:
+  prometheusOperator: 15.4.6
+  postgres: 10.3.13
+  externalDNS: 5.0.0
+  traefik: 9.19.1
+
+docker_image_version:
+  hcloudCCM: v1.10.0
+
+# Parameters for Traefik setup
+traefik:
+  dashboard:
+    user: "admin"
+    password: "DKL-3K2-Ld2-Dhg"
+
+# Helm chart values for Prometheus-Operator
+prometheusOperator:
+  deploy: true
+  grafana:
+    user: "admin"
+    password: "DKL-3K2-Ld2-Dhg"
+    persistentConfig: true
+
+# Helm chart values for Postgres database
+postgres:
+  port: 5432
+  volumeSize: 10Gi
+  database: "termine"
+  password: "termine_pw!"
+  metrics: true
+
+# Docker ENV parameters for 389DS LDAP server
+ldap:
+  port: 389
+  tlsPort: 636
+  volumeSize: 10Gi
+  password: "secret"

ansible/env/credentials.yaml.sample

@@ -0,0 +1,10 @@
+# Hetzner Cloud project API token
+hetzner_api_token: <CREATE_PROJECT_AND_API_TOKEN_IN_YOU_HCLOUD_ACCOUNT>
+
+# Hetzner DNS Console API token
+hetzner_dns_token: <CREATE_API_TOKEN_IN_YOU_DNS_CONSOLE_ACCOUNT>
+
+# Public SSH keys to connect hosts
+ssh_authorized_keys:
+  - ssh-rsa XZY [email protected]
+  - ssh-rsa ZXY [email protected]

ansible/env/hcloud.yaml

@@ -0,0 +1,50 @@
+#
+# PRESETS FOR HETZNER CLOUD: DO NOT CHANGE UNLESS YOU KNOW WHY :)
+#
+
+# Hetzner Cloud servers
+master_count: 1
+worker_count: 2
+
+# Hetzner datacenter location name:
+# nbg1= Nuremberg DC Park 1
+ds_location: nbg1
+
+# Kubernetes version:
+# this setup works for v1.19.x
+kubernetes_version: 1.19.11
+
+# Kubernetes config
+pod_subnet: 10.96.0.0/16
+service_subnet: 10.244.0.0/16
+dns_domain: cluster.local
+
+# Docker-CE package version:
+# this setup works for v19.x
+docker_version: 5:19.03.15~3-0~ubuntu-focal
+
+# Hetzner Linux image:
+# this setup expects Ubuntu v20 as Linux host system
+os_image: ubuntu-20.04
+
+# Hetzner Cloud server types for cluster master node(s)
+master_server_type: cx11
+
+# Hetzner Cloud server types for cluster worker node(s)
+worker_server_type: cx21
+
+# Loadbalancer
+subnet_master_lb_ip: 10.0.1.1
+subnet_worker_lb_ip: 10.0.2.1
+
+# Private network settings
+network_name: kubernetes
+network_ip_range: 10.0.0.0/8
+
+# Master nodes
+subnet_master_ip_range: 10.0.1.0/24
+subnet_master_ip: 10.0.1
+
+# Worker nodes
+subnet_worker_ip_range: 10.0.2.0/24
+subnet_worker_ip: 10.0.2

ansible/env/setup.yaml

@@ -0,0 +1,19 @@
+#
+# CONFIGURATION: CHANGE DOMAIN SETTINGS AND OTHER STUFF HERE
+#
+# Kubernetes control plane API host: control_plane.subdomain.domain
+# Traefik Ingress Controller dashboard: traefik_dashboard.subdomain.domain
+# COVID Test-Station URL: application.subdomain.domain
+
+# Internal name of Kubernetes cluster
+cluster_name: roanapur
+
+# Naming (DNS) for master and worker nodes
+domain: roanapur.space
+subdomain: k8s
+
+# Naming (DNS) for hosts
+hostname:
+  control_plane: api
+  traefik_dashboard: ingress
+  application: covid-test-station

ansible/roles/external-dns/tasks/install.yaml

@@ -3,4 +3,4 @@
   shell: |-
     helm --kubeconfig {{ kubeconfig }} repo add bitnami https://charts.bitnami.com/bitnami
     helm --kubeconfig {{ kubeconfig }} repo update
-    helm --kubeconfig {{ kubeconfig }} install --namespace {{ namespace.externaldns }} external-dns bitnami/external-dns -f {{ k8s_install_dir.path }}/values.yaml --version {{ version.externaldns }}
+    helm --kubeconfig {{ kubeconfig }} install --namespace {{ namespace.externalDNS }} external-dns bitnami/external-dns -f {{ k8s_install_dir.path }}/values.yaml --version {{ helm_chart_version.externalDNS }} --wait

ansible/roles/external-dns/tasks/main.yaml

@@ -3,6 +3,7 @@
   ansible.builtin.tempfile:
     state: directory
     suffix: build
+    prefix: ansible.{{ cluster_name }}
   register: k8s_install_dir
 
 - name: create Helm chart values
@@ -11,7 +12,7 @@
     dest: "{{ k8s_install_dir.path }}/values.yaml"
 
 - name: check deployment status
-  shell: "helm --kubeconfig {{ kubeconfig }} status -n {{ namespace.externaldns }} external-dns 2>/dev/null | grep 'STATUS: deployed' | awk '{print $2}'"
+  shell: "helm --kubeconfig {{ kubeconfig }} status -n {{ namespace.externalDNS }} external-dns 2>/dev/null | grep 'STATUS: deployed' | awk '{print $2}'"
   ignore_errors: true
   register: helm_chart_status
 

ansible/roles/external-dns/tasks/upgrade.yaml

@@ -2,4 +2,4 @@
 - name: upgrade Helm chart
   shell: |-
     helm --kubeconfig {{ kubeconfig }} repo update
-    helm --kubeconfig {{ kubeconfig }} upgrade --namespace {{ namespace.externaldns }} external-dns bitnami/external-dns -f {{ k8s_install_dir.path }}/values.yaml --version {{ version.externaldns }}
+    helm --kubeconfig {{ kubeconfig }} upgrade --namespace {{ namespace.externalDNS }} external-dns bitnami/external-dns -f {{ k8s_install_dir.path }}/values.yaml --version {{ helm_chart_version.externalDNS }} --wait