first commit

credentials/kube_user

@@ -0,0 +1 @@
+taco1130@

inventory/group_vars/k8s-cluster.yml

@@ -0,0 +1,192 @@
+# Kubernetes configuration dirs and system namespace.
+# Those are where all the additional config stuff goes
+# the kubernetes normally puts in /srv/kubernets.
+# This puts them in a sane location and namespace.
+# Editting those values will almost surely break something.
+kube_config_dir: /etc/kubernetes
+kube_script_dir: "{{ bin_dir }}/kubernetes-scripts"
+kube_manifest_dir: "{{ kube_config_dir }}/manifests"
+system_namespace: kube-system
+
+# Logging directory (sysvinit systems)
+kube_log_dir: "/var/log/kubernetes"
+
+# This is where all the cert scripts and certs will be located
+kube_cert_dir: "{{ kube_config_dir }}/ssl"
+
+# This is where all of the bearer tokens will be stored
+kube_token_dir: "{{ kube_config_dir }}/tokens"
+
+# This is where to save basic auth file
+kube_users_dir: "{{ kube_config_dir }}/users"
+
+kube_api_anonymous_auth: false
+
+## Change this to use another Kubernetes version, e.g. a current beta release
+kube_version: v1.8.1
+
+# Where the binaries will be downloaded.
+# Note: ensure that you've enough disk space (about 1G)
+local_release_dir: "/tmp/releases"
+# Random shifts for retrying failed ops like pushing/downloading
+retry_stagger: 5
+
+# This is the group that the cert creation scripts chgrp the
+# cert files to. Not really changable...
+kube_cert_group: kube-cert
+
+# Cluster Loglevel configuration
+kube_log_level: 2
+
+# Users to create for basic auth in Kubernetes API via HTTP
+# Optionally add groups for user
+kube_api_pwd: "{{ lookup('password', 'credentials/kube_user length=15 chars=ascii_letters,digits') }}"
+kube_users:
+  kube:
+    pass: "{{kube_api_pwd}}"
+    role: admin
+  root:
+    pass: "{{kube_api_pwd}}"
+    role: admin
+    groups:
+      - system:masters
+
+## It is possible to activate / deactivate selected authentication methods (basic auth, static token auth)
+#kube_oidc_auth: false
+#kube_basic_auth: false
+#kube_token_auth: false
+
+
+## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
+## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...)
+
+# kube_oidc_url: https:// ...
+# kube_oidc_client_id: kubernetes
+## Optional settings for OIDC
+# kube_oidc_ca_file: {{ kube_cert_dir }}/ca.pem
+# kube_oidc_username_claim: sub
+# kube_oidc_groups_claim: groups
+
+
+# Choose network plugin (calico, weave or flannel)
+# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
+kube_network_plugin: calico
+
+# weave's network password for encryption
+# if null then no network encryption
+# you can use --extra-vars to pass the password in command line
+weave_password: EnterPasswordHere
+
+# Weave uses consensus mode by default
+# Enabling seed mode allow to dynamically add or remove hosts
+# https://www.weave.works/docs/net/latest/ipam/
+weave_mode_seed: false
+
+# This two variable are automatically changed by the weave's role, do not manually change these values
+# To reset values :
+# weave_seed: uninitialized
+# weave_peers: uninitialized
+weave_seed: uninitialized
+weave_peers: uninitialized
+
+# Enable kubernetes network policies
+enable_network_policy: false
+
+# Kubernetes internal network for services, unused block of space.
+kube_service_addresses: 10.96.0.0/16
+
+# internal network. When used, it will assign IP
+# addresses from this range to individual pods.
+# This network must be unused in your network infrastructure!
+kube_pods_subnet: 172.16.0.0/16
+
+# internal network node size allocation (optional). This is the size allocated
+# to each node on your network.  With these defaults you should have
+# room for 4096 nodes with 254 pods per node.
+kube_network_node_prefix: 24
+
+# The port the API Server will be listening on.
+kube_apiserver_ip: "{{ kube_service_addresses|ipaddr('net')|ipaddr(1)|ipaddr('address') }}"
+kube_apiserver_port: 6443 # (https)
+kube_apiserver_insecure_port: 8080 # (http)
+
+# DNS configuration.
+# Kubernetes cluster name, also will be used as DNS domain
+cluster_name: cluster.local
+# Subdomains of DNS domain to be resolved via /etc/resolv.conf for hostnet pods
+ndots: 2
+# Can be dnsmasq_kubedns, kubedns or none
+dns_mode: kubedns
+# Can be docker_dns, host_resolvconf or none
+resolvconf_mode: docker_dns
+# Deploy netchecker app to verify DNS resolve as an HTTP service
+deploy_netchecker: false
+# Ip address of the kubernetes skydns service
+skydns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr('10')|ipaddr('address') }}"
+dnsmasq_dns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(2)|ipaddr('address') }}"
+dns_domain: "{{ cluster_name }}"
+
+# Path used to store Docker data
+docker_daemon_graph: "/var/lib/docker"
+docker_bin_dir: "/usr/bin"
+
+# Settings for containerized control plane (etcd/kubelet/secrets)
+etcd_deployment_type: docker
+kubelet_deployment_type: host
+vault_deployment_type: docker
+
+# etcd memory Limits
+etcd_memory_limit: 8192M
+
+# K8s image pull policy (imagePullPolicy)
+k8s_image_pull_policy: IfNotPresent
+
+# Kubernetes dashboard (available at http://first_master:6443/ui by default)
+dashboard_enabled: true
+
+# Monitoring apps for k8s
+efk_enabled: false
+
+# Helm deployment
+helm_enabled: true
+
+# Istio depoyment
+istio_enabled: false
+
+# Weave scope
+weave_scope_enabled: true
+
+# Make a copy of kubeconfig on the host that runs Ansible in GITDIR/artifacts
+# kubeconfig_localhost: false
+# Download kubectl onto the host that runs Ansible in GITDIR/artifacts
+# kubectl_localhost: false
+
+# dnsmasq
+# dnsmasq_upstream_dns_servers:
+#  - /resolvethiszone.with/10.0.4.250
+#  - 8.8.8.8
+
+#  Enable creation of QoS cgroup hierarchy, if true top level QoS and pod cgroups are created. (default true)
+# kubelet_cgroups_per_qos: true
+
+# A comma separated list of levels of node allocatable enforcement to be enforced by kubelet.
+# Acceptible options are 'pods', 'system-reserved', 'kube-reserved' and ''. Default is "".
+# kubelet_enforce_node_allocatable: pods
+
+## Supplementary addresses that can be added in kubernetes ssl keys.
+## That can be usefull for example to setup a keepalived virtual IP
+# supplementary_addresses_in_ssl_keys: [10.0.0.1, 10.0.0.2, 10.0.0.3]
+
+##########################################
+# oreo-kargo override values
+##########################################
+kubelet_deployment_type: host
+
+# Use true only oreo-k5-cluster
+calico_node_ignorelooserpf: true
+
+# Make pause set uid 1
+kubelet_disable_shared_pid: false
+
+# Lower the open file soft limit for containers down to 1024
+docker_options: "--default-ulimit nofile=1024:1048576 --insecure-registry=tacorepo:5000 --insecure-registry={{ kube_service_addresses }} --graph={{ docker_daemon_graph }} {{ docker_log_opts }}"

inventory/inventory.cfg

@@ -0,0 +1,28 @@
+t-node1 ansible_port=22 ansible_host=10.0.0.61 ip=10.0.0.61
+t-node2 ansible_port=22 ansible_host=10.0.0.62 ip=10.0.0.62
+t-node3 ansible_port=22 ansible_host=10.0.0.63 ip=10.0.0.63
+t-node4 ansible_port=22 ansible_host=10.0.0.64 ip=10.0.0.64
+t-node5 ansible_port=22 ansible_host=10.0.0.65 ip=10.0.0.65
+t-node6 ansible_port=22 ansible_host=10.0.0.66 ip=10.0.0.66
+
+[etcd]
+t-node1
+t-node2
+t-node3
+
+[kube-master]
+t-node1
+t-node2
+t-node3
+
+[kube-node]
+t-node4
+t-node5
+t-node6
+
+[k8s-cluster:children]
+kube-node
+kube-master
+
+[k8s-cluster:vars]
+ansible_python_interpreter=/usr/bin/python2.7

inventory/k1-seungkyua.cfg

@@ -0,0 +1,27 @@
+k1-master01 ansible_port=22 ansible_host=k1-master01 ip=192.168.30.13 iface=eno49
+k1-master02 ansible_port=22 ansible_host=k1-master02 ip=192.168.30.14 iface=ens2f0
+k1-master03 ansible_port=22 ansible_host=k1-master03 ip=192.168.30.15 iface=eno49
+k1-node01 ansible_port=22 ansible_host=k1-node01 ip=192.168.30.12 iface=ens2f0
+k1-node02 ansible_port=22 ansible_host=k1-node02 ip=192.168.30.17 iface=ens2f0
+k1-node03 ansible_port=22 ansible_host=k1-node03 ip=192.168.30.18 iface=ens2f0
+k1-node04 ansible_port=22 ansible_host=k1-node04 ip=192.168.30.21 iface=ens2f0
+
+[etcd]
+k1-master01
+k1-master02
+k1-master03
+
+[kube-master]
+k1-master01
+k1-master02
+k1-master03
+
+[kube-node]
+k1-node01
+k1-node02
+k1-node03
+k1-node04
+
+[k8s-cluster:children]
+kube-master
+kube-node

inventory/k3-taco.cfg

@@ -0,0 +1,32 @@
+k3-master01 ansible_port=22 ansible_host=k3-master01 ip=192.168.51.12 iface=ens2f1
+k3-master02 ansible_port=22 ansible_host=k3-master02 ip=192.168.51.13 iface=ens2f1
+k3-master03 ansible_port=22 ansible_host=k3-master03 ip=192.168.51.14 iface=ens2f1
+k3-ctrl01 ansible_port=22 ansible_host=k3-ctrl01 ip=192.168.51.15 iface=ens2f1
+k3-ctrl02 ansible_port=22 ansible_host=k3-ctrl02 ip=192.168.51.16 iface=ens2f1
+k3-ctrl03 ansible_port=22 ansible_host=k3-ctrl03 ip=192.168.51.17 iface=ens2f1
+k3-cn01 ansible_port=22 ansible_host=k3-cn01 ip=192.168.51.20 iface=ens3f1
+k3-cn02 ansible_port=22 ansible_host=ck3-n02 ip=192.168.51.21 iface=ens3f1
+k3-cn03 ansible_port=22 ansible_host=k3-cn03 ip=192.168.51.22 iface=ens3f1
+k3-cn04 ansible_port=22 ansible_host=k3-cn04 ip=192.168.51.23 iface=ens3f1
+[etcd]
+k3-master01
+k3-master02
+k3-master03
+
+[kube-master]
+k3-master01
+k3-master02
+k3-master03
+
+[kube-node]
+k3-ctrl01
+k3-ctrl02
+k3-ctrl03
+k3-cn01
+k3-cn02
+k3-cn03
+k3-cn04
+
+[k8s-cluster:children]
+kube-node
+kube-master

monitoring.yml

@@ -0,0 +1,6 @@
+---
+- hosts: kube-master[0]
+  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
+  roles:
+    - { role: kubespray-defaults}
+    - { role: monitoring, tags: monitoring }

reset-monitoring.yml

@@ -0,0 +1,6 @@
+---
+- hosts: kube-master[0]
+  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
+  roles:
+    - { role: kubespray-defaults}
+    - { role: reset-monitoring, tags: reset-monitoring }

reset-node.yml

@@ -0,0 +1,26 @@
+---
+- hosts: localhost
+  vars_prompt:
+    name: "target_host"
+    prompt: "Type the target inventory node name to reset."
+    default: "no"
+    private: no
+
+  pre_tasks:
+    - name: check target host
+      fail:
+        msg: "Not matching inventory's node."
+      when: "target_host not in groups['all']"
+    - name: set target host
+      set_fact:
+        target_host: "{{ target_host }}"
+
+- hosts: "{{ hostvars['localhost']['target_host'] }}"
+  roles:
+    - { role: kubespray-defaults}
+    - { role: reset, tags: reset }
+
+- hosts: kube-master[0]
+  pre_tasks:
+    - name: Delete target node
+      command: "kubectl delete node {{ hostvars['localhost']['target_host'] }}"

roles/docker/defaults/main.yml

@@ -0,0 +1,18 @@
+---
+docker_version: 'stable'
+
+docker_package_info:
+  pkgs:
+
+docker_repo_key_info:
+  repo_keys:
+
+docker_repo_info:
+  repos:
+
+docker_dns_servers_strict: yes
+
+docker_container_storage_setup: false
+
+docker_rh_repo_base_url: 'https://yum.dockerproject.org/repo/main/centos/7'
+docker_rh_repo_gpgkey: 'https://yum.dockerproject.org/gpg'

roles/docker/files/certs/certs.d/oreo01^5000/ca.crt

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDeDCCAmACCQDxbsxzrTUTyDANBgkqhkiG9w0BAQUFADB+MQswCQYDVQQGEwJL
+UjEOMAwGA1UECAwFU2VvdWwxEDAOBgNVBAcMB0p1bmctZ3UxDDAKBgNVBAoMA1NL
+VDEOMAwGA1UECwwFT1NMQWIxDzANBgNVBAMMBm9yZW8wMTEeMBwGCSqGSIb3DQEJ
+ARYPb3Jlb0BvcmVvMDEuY29tMB4XDTE3MDIyMTA2MjEzOFoXDTE4MDIyMTA2MjEz
+OFowfjELMAkGA1UEBhMCS1IxDjAMBgNVBAgMBVNlb3VsMRAwDgYDVQQHDAdKdW5n
+LWd1MQwwCgYDVQQKDANTS1QxDjAMBgNVBAsMBU9TTEFiMQ8wDQYDVQQDDAZvcmVv
+MDExHjAcBgkqhkiG9w0BCQEWD29yZW9Ab3JlbzAxLmNvbTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAKdThRlmkoSQQDY7BYgJewTTN9asSyI5XkBTzzco
+GoN8H1SIRGHc8909AvAtIS2Z63RaWu01HVlA6UvqtDjjGMe96OmFtWZK+x3zjR2P
+aedR6oq4INrnn48F8sOX39dx+UF12zBy5bwl3pOEjuhv7dLuE6YP7oeFRRBE+Aiz
+J65/GrypSvlIljx0RA1l8Fo14d4UGeGFVBfN98nMdQ0nCEORFyzH3IVoSP25dyl8
+d/VLLgxishqzmgOWOtyw3/oVc8oDfR6JkkDWWjFvSMgQgm8ALWUQ21kuixvn40tv
+2JdWctQ3KVFCWnaL+23hVGn51AydeGHuwRoNHIMMwAl3FcUCAwEAATANBgkqhkiG
+9w0BAQUFAAOCAQEAB0LWX0AOZabXVi5ugiWZzpfKqEhqDblstuQ3ATwuMSwTKGFa
+xUQg0Z2v4JOa09aWshbnB3hmNGc9LuK7z2yWbEEnTfsd0kEwGifmjBXNH2HbugEd
+bUgAh6wOqLjxAVY7Cb2GR56c25bXGq+2+4tXbKgeEr63KnbDfhyWdeotNVPDNslx
+fKMmqy8BI9t0gcxMiN4GNXQlPAKcHGdeMUq4QYjbul4qtIPXsHHnEggYewSA5Ewg
+BPNisGnHAtNu3kEXohh1Hidcfzr1Y4peQYfgNV98/q+dwglWZu4z7dIKxw4Hjjae
+Qd5bVed2K4E8UX6vYFm3WCWdwNcvoM9DaVNOXg==
+-----END CERTIFICATE-----

roles/docker/files/certs/certs.d/registry.cicd.stg.taco/ca.crt

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB+DCCAZ6gAwIBAgIUA1dN6Z3t/hNh795tcQD94mvgWGIwCgYIKoZIzj0EAwIw
+WjELMAkGA1UEBhMCS1IxDjAMBgNVBAgTBVNlb3VsMRAwDgYDVQQHEwdKdW5nLWd1
+MQwwCgYDVQQKEwNTS1QxDjAMBgNVBAsTBU9TTGFiMQswCQYDVQQDEwJDQTAeFw0x
+NzA4MjgwNzU2MDBaFw0yMjA4MjcwNzU2MDBaMFoxCzAJBgNVBAYTAktSMQ4wDAYD
+VQQIEwVTZW91bDEQMA4GA1UEBxMHSnVuZy1ndTEMMAoGA1UEChMDU0tUMQ4wDAYD
+VQQLEwVPU0xhYjELMAkGA1UEAxMCQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
+AAQhT71hyWXgZ0JKgSISZXxBw4kCSVYbdwG75/UB+pdn44txbfoQwowO5krucEmN
+GXr5VW+MlYKIYWheUbxkPu8Zo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/
+BAUwAwEB/zAdBgNVHQ4EFgQUB5Mph3QGdJR76x12pAnYN8EYUY4wCgYIKoZIzj0E
+AwIDSAAwRQIgc8/FlbbRyw22kt1ILAtqhYKdfibC/FjTqT4bQQ+cFb4CIQCpSBxE
+bAIZhGrI5HT/a4dq3GPZWo1ybJs5RliBnPUtRg==
+-----END CERTIFICATE-----