add Kubernetes deployment on HCloud

ansible/Makefile

@@ -0,0 +1,16 @@
+install: install-ansible-dependencies install-hcloud-servers install-k8s-cluster
+
+install-ansible-dependencies:
+	ansible-galaxy collection install community.kubernetes
+	ansible-galaxy collection install hetzner.hcloud
+
+install-hcloud-servers:
+	ansible-playbook create-hcloud-infrastructure.yaml  -e "state=present"
+	sleep 300
+
+install-k8s-cluster:
+	ansible-playbook create-kubernetes-cluster.yaml -i env/inventory --private-key ~/.ssh/talexdev_rsa
+	ansible-playbook deploy-db-prometheus.yaml
+	ansible-playbook deploy-db-pg.yaml
+	ansible-playbook deploy-app-termine.yaml
+	ansible-playbook deploy-ingress.yaml

ansible/README.md

@@ -0,0 +1,13 @@
+```bash
+ansible-galaxy collection install community.kubernetes
+ansible-galaxy collection install hetzner.hcloud
+
+ansible-playbook create-hcloud-infrastructure.yaml  -e "state=present"
+ansible-playbook create-kubernetes-cluster.yaml -i env/inventory --private-key ~/.ssh/talexdev_rsa
+ansible-playbook deploy-db-prometheus.yaml
+ansible-playbook deploy-db-pg.yaml
+ansible-playbook deploy-app-termine.yaml
+ansible-playbook deploy-ingress.yaml
+```
+
+install: htpasswd, openssl

ansible/ansible.cfg

@@ -0,0 +1,9 @@
+[defaults]
+vault_password_file = ~/.ansible-vault-pass
+host_key_checking = False
+inventory = inventory
+deprecation_warnings = False
+interpreter_python = auto_legacy_silent
+
+[ssh_connection]
+pipelining = True

ansible/create-hcloud-infrastructure.yaml

@@ -0,0 +1,12 @@
+---
+- name: create hosts and network infrastructure on Hetzner Cloud
+  hosts: localhost
+  gather_facts: false
+  become: false
+  vars_files:
+    - "env/credentials.yaml"
+    - "env/setup.yaml"
+    - "env/hcloud.yaml"
+    - "env/app.yaml"
+  roles:
+    - { role: tf-infrastructure, tags: tf-infrastructure }

ansible/create-kubernetes-cluster.yaml

@@ -0,0 +1,42 @@
+---
+- name: install Kubernetes control plane on first master node
+  hosts: master[0]
+  gather_facts: yes
+  remote_user: k8s
+  become: yes
+  vars_files:
+    - "env/credentials.yaml"
+    - "env/setup.yaml"
+    - "env/hcloud.yaml"
+    - "env/app.yaml"
+    - "env/ips.yaml"
+  vars:
+    kubeconfig: "{{ kube_dir }}/{{ kube_config }}"
+  roles:
+    - { role: kube-prepare, tags: kube-prepare }
+    - { role: kube-master, tags: kube-master }
+    - { role: kube-config, tags: kube-config }
+
+- name: join Kubernetes control plane with other master nodes
+  hosts: master[1:]
+  gather_facts: yes
+  remote_user: k8s
+  become: yes
+  vars_files:
+    - "env/setup.yaml"
+    - "env/hcloud.yaml"
+  roles:
+    - { role: kube-prepare, tags: kube-prepare }
+    - { role: kube-join-master, tags: kube-join-master }
+
+- name: join Kubernetes cluster with worker nodes
+  hosts: worker
+  gather_facts: yes
+  remote_user: k8s
+  become: yes
+  vars_files:
+    - "env/setup.yaml"
+    - "env/hcloud.yaml"
+  roles:
+    - { role: kube-prepare, tags: kube-prepare }
+    - { role: kube-join-worker, tags: kube-join-worker }

ansible/deploy-app-termine.yaml

@@ -0,0 +1,12 @@
+---
+- name: deploy Termine application
+  hosts: localhost
+  gather_facts: false
+  become: false
+  vars_files:
+    - "env/setup.yaml"
+    - "env/app.yaml"
+  vars:
+    kubeconfig: "{{ kube_dir }}/{{ kube_config }}"
+  roles:
+    - { role: termine, tags: termine }

ansible/deploy-db-ldap.yaml

@@ -0,0 +1,16 @@
+---
+- name: deploy 389DS LDAP server
+  hosts: localhost
+  gather_facts: false
+  become: false
+  vars_files:
+    - "env/setup.yaml"
+    - "env/app.yaml"
+  vars:
+    kubeconfig: "{{ kube_dir }}/{{ kube_config }}"
+  roles:
+    - { role: ldap, tags: ldap }
+  pre_tasks:
+    - name: create k8s namespace
+      shell: |
+        kubectl --kubeconfig {{ kubeconfig }} create namespace {{ namespace.ldap }} || true

ansible/deploy-db-pg.yaml

@@ -0,0 +1,24 @@
+---
+- name: deploy Postgres SQL database
+  hosts: localhost
+  gather_facts: false
+  become: false
+  vars_files:
+    - "env/setup.yaml"
+    - "env/app.yaml"
+  vars:
+    kubeconfig: "{{ kube_dir }}/{{ kube_config }}"
+  roles:
+    - { role: postgres, tags: postgres }
+  pre_tasks:
+    - name: install Ansible module dependencies
+      pip:
+        name: openshift
+        state: present
+    - name: "create k8s namespace - {{ namespace.postgres }}"
+      community.kubernetes.k8s:
+        kubeconfig: "{{ kubeconfig }}"
+        name: "{{ namespace.postgres }}"
+        api_version: v1
+        kind: Namespace
+        state: present

ansible/deploy-db-prometheus.yaml

@@ -0,0 +1,24 @@
+---
+- name: deploy Prometheus Operator and Grafana
+  hosts: localhost
+  gather_facts: false
+  become: false
+  vars_files:
+    - "env/setup.yaml"
+    - "env/app.yaml"
+  vars:
+    kubeconfig: "{{ kube_dir }}/{{ kube_config }}"
+  roles:
+    - { role: prometheus-operator, tags: prometheus-operator }
+  pre_tasks:
+    - name: install Ansible module dependencies
+      pip:
+        name: openshift
+        state: present
+    - name: "create k8s namespace - {{ namespace.prometheusOperator }}"
+      community.kubernetes.k8s:
+        kubeconfig: "{{ kubeconfig }}"
+        name: "{{ namespace.prometheusOperator }}"
+        api_version: v1
+        kind: Namespace
+        state: present

ansible/deploy-ingress.yaml

@@ -0,0 +1,39 @@
+---
+- name: deploy Traefik as ingress controller
+  hosts: localhost
+  gather_facts: false
+  become: false
+  vars_files:
+    - "env/credentials.yaml"
+    - "env/setup.yaml"
+    - "env/app.yaml"
+    - "env/hcloud.yaml"
+    - "env/ips.yaml"
+  vars:
+    - kubeconfig: "{{ kube_dir }}/{{ kube_config }}"
+    - domain_filters: [ "{{ subdomain }}.{{ domain }}" ]
+    - hostnames:
+      - "{{ hostname.traefik_dashboard }}.{{ subdomain }}.{{ domain }}"
+      - "{{ hostname.application }}.{{ subdomain }}.{{ domain }}"
+  roles:
+    - { role: external-dns, tags: external-dns }
+    - { role: traefik, tags: traefik }
+  pre_tasks:
+    - name: install Ansible module dependencies
+      pip:
+        name: openshift
+        state: present
+    - name: "create k8s namespace - {{ namespace.externalDNS }}"
+      community.kubernetes.k8s:
+        kubeconfig: "{{ kubeconfig }}"
+        name: "{{ namespace.externalDNS }}"
+        api_version: v1
+        kind: Namespace
+        state: present
+    - name: "create k8s namespace - {{ namespace.traefik }}"
+      community.kubernetes.k8s:
+        kubeconfig: "{{ kubeconfig }}"
+        name: "{{ namespace.traefik }}"
+        api_version: v1
+        kind: Namespace
+        state: present

ansible/env/app.yaml

@@ -0,0 +1,60 @@
+#
+# PRESETS: DO NOT CHANGE UNLESS YOU KNOW WHY :)
+#
+
+# Kubernetes cluster cert
+kube_dir: ~/.kube
+kube_config: kubernetes-admin-covid-test-station
+
+# Time-to-live for DNS entries
+dns_ttl: 300
+
+# Managed SSL certs
+managed_cert_name: k8s-tls-managed-cert-covidts
+
+# Kubernetes Namespaces
+namespace:
+  prometheusOperator: monitoring
+  postgres: postgres
+  ldap: ldap
+  externalDNS: traefik
+  traefik: traefik
+
+# Helm chart version pinning
+helm_chart_version:
+  prometheusOperator: 15.4.6
+  postgres: 10.3.13
+  externalDNS: 5.0.0
+  traefik: 9.19.1
+
+docker_image_version:
+  hcloudCCM: v1.10.0
+
+# Parameters for Traefik setup
+traefik:
+  dashboard:
+    user: "admin"
+    password: "DKL-3K2-Ld2-Dhg"
+
+# Helm chart values for Prometheus-Operator
+prometheusOperator:
+  deploy: true
+  grafana:
+    user: "admin"
+    password: "DKL-3K2-Ld2-Dhg"
+    persistentConfig: true
+
+# Helm chart values for Postgres database
+postgres:
+  port: 5432
+  volumeSize: 10Gi
+  database: "termine"
+  password: "termine_pw!"
+  metrics: true
+
+# Docker ENV parameters for 389DS LDAP server
+ldap:
+  port: 389
+  tlsPort: 636
+  volumeSize: 10Gi
+  password: "secret"

ansible/env/config.yaml

@@ -0,0 +1,30 @@
+kubeconfig: ~/.kube/kubernetes-admin-neotokyo.k8s
+
+externaldns:
+  hcloud_dns_token: bq1eURjvvecx1vSUw7rwsarLpzgpMaII
+  domain: impftermine.neotokyo.space
+  cluster_name: neotokyo.k8s
+  lb_hostname: lb-2.k8s.neotokyo.space
+  domain_filters:
+    - neotokyo.space
+
+monitoring:
+  deploy: true
+  grafana:
+    adminPassword: "DKL-3K2-Ld2-Dhg"
+
+postgres:
+  port: 5432
+  volumeSize: 10Gi
+  database: "termine"
+  password: "termine_pw!"
+  metrics: true
+
+ldap:
+  port: 389
+  tlsPort: 636
+  volumeSize: 10Gi
+  password: "secret"
+
+traefik:
+  loadbalancer_name: worker-lb

ansible/env/credentials.yaml.sample

@@ -0,0 +1,10 @@
+# Hetzner Cloud project API token
+hetzner_api_token: <CREATE_PROJECT_AND_API_TOKEN_IN_YOU_HCLOUD_ACCOUNT>
+
+# Hetzner DNS Console API token
+hetzner_dns_token: <CREATE_API_TOKEN_IN_YOU_DNS_CONSOLE_ACCOUNT>
+
+# Public SSH keys to connect hosts
+ssh_authorized_keys:
+  - ssh-rsa XZY [email protected]
+  - ssh-rsa ZXY [email protected]

ansible/env/hcloud.yaml

@@ -0,0 +1,50 @@
+#
+# PRESETS FOR HETZNER CLOUD: DO NOT CHANGE UNLESS YOU KNOW WHY :)
+#
+
+# Hetzner Cloud servers
+master_count: 1
+worker_count: 2
+
+# Hetzner datacenter location name:
+# nbg1= Nuremberg DC Park 1
+ds_location: nbg1
+
+# Kubernetes version:
+# this setup works for v1.19.x
+kubernetes_version: 1.19.11
+
+# Kubernetes config
+pod_subnet: 10.96.0.0/16
+service_subnet: 10.244.0.0/16
+dns_domain: cluster.local
+
+# Docker-CE package version:
+# this setup works for v19.x
+docker_version: 5:19.03.15~3-0~ubuntu-focal
+
+# Hetzner Linux image:
+# this setup expects Ubuntu v20 as Linux host system
+os_image: ubuntu-20.04
+
+# Hetzner Cloud server types for cluster master node(s)
+master_server_type: cx11
+
+# Hetzner Cloud server types for cluster worker node(s)
+worker_server_type: cx21
+
+# Loadbalancer
+subnet_master_lb_ip: 10.0.1.1
+subnet_worker_lb_ip: 10.0.2.1
+
+# Private network settings
+network_name: kubernetes
+network_ip_range: 10.0.0.0/8
+
+# Master nodes
+subnet_master_ip_range: 10.0.1.0/24
+subnet_master_ip: 10.0.1
+
+# Worker nodes
+subnet_worker_ip_range: 10.0.2.0/24
+subnet_worker_ip: 10.0.2

ansible/env/setup.yaml

@@ -0,0 +1,19 @@
+#
+# CONFIGURATION: CHANGE DOMAIN SETTINGS AND OTHER STUFF HERE
+#
+# Kubernetes control plane API host: control_plane.subdomain.domain
+# Traefik Ingress Controller dashboard: traefik_dashboard.subdomain.domain
+# COVID Test-Station URL: application.subdomain.domain
+
+# Internal name of Kubernetes cluster
+cluster_name: roanapur
+
+# Naming (DNS) for master and worker nodes
+domain: roanapur.space
+subdomain: k8s
+
+# Naming (DNS) for hosts
+hostname:
+  control_plane: api
+  traefik_dashboard: ingress
+  application: covid-test-station

ansible/inventory

@@ -0,0 +1,2 @@
+[localhost]
+127.0.0.1  ansible_connection=local