Add fixed registration address for high availability setup #237

5 changes: 3 additions & 2 deletions .gitignore
@@ -1,8 +1,9 @@
*.retry
.cache/

.vscode/
files/
venv/

inventory/homelab/*
test_inventory*

rke2-images.linux-amd64.tar.gz
3 changes: 3 additions & 0 deletions inventory/sample/group_vars/rke2_servers.yml
Expand Up @@ -33,6 +33,9 @@ rke2_config: {}
#
# write-kubeconfig-mode: "0640"

# See https://docs.rke2.io/install/ha
# Add a fixed registration address, such as a load balancer
# fixed_registration_address: 192.168.1.1

# See https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
# Add a policy configuration file by specifying the file path on the control host
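Review bot: Documenting `fixed_registration_address` only in `group_vars/rke2_servers.yml` leaves hosts in the agent group without it, yet `roles/rke2_agent/tasks/main.yml` in this PR keys its `server:` line on `fixed_registration_address is defined`, so agents would silently keep registering against the first server unless the value is also set in `all.yml` or in the agents' group_vars. Extend the sample comment to say where it must live, e.g. `# Must be visible to both rke2_servers and rke2_agents (set it in all.yml or in both group_vars files)`. Since the address ends up in `server: https://{{ fixed_registration_address }}:9345`, it presumably must also be listed in the servers' `tls-san` for the supervisor certificate to validate; the linked HA page is the place to confirm that, and a one-line pointer here would save the next reader the trip.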
10 changes: 10 additions & 0 deletions roles/rke2_agent/tasks/main.yml
Expand Up @@ -37,6 +37,16 @@
when:
- '"server:" not in server_url_check.stdout'

- name: Add fixed registration url to config file
ansible.builtin.lineinfile:
dest: /etc/rancher/rke2/config.yaml
line: "server: https://{{ fixed_registration_address }}:9345"
state: present
insertbefore: BOF
when:
- '"server:" not in server_url_check.stdout'
- fixed_registration_address is defined

- name: Start rke2-agent
ansible.builtin.systemd:
name: rke2-agent.service
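Review bot: With `fixed_registration_address` defined, an agent still runs the preceding task (only its `when:` is visible in the hunk; its body is above it), because that task was not given the `fixed_registration_address is undefined` guard that `other_servers.yml` receives in this PR, and `server_url_check` was registered before either task, so on a fresh host both conditions hold and `/etc/rancher/rke2/config.yaml` ends up with two `server:` keys — the first-server URL and the load-balancer URL — whose precedence is left to the YAML parser. Add `- fixed_registration_address is undefined` to the earlier task's `when` list, and add `regexp: '^server:'` to the new lineinfile so a re-run can never stack a second `server:` line, matching `fixed-registration.yml` in the same PR.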
19 changes: 18 additions & 1 deletion roles/rke2_common/tasks/cis-hardening.yml
Expand Up @@ -16,6 +16,11 @@
shell: /usr/sbin/nologin
group: etcd
create_home: false

- name: "Check for rke2-cis-sysctl.conf in the /opt directory"
ansible.builtin.stat:
path: "/opt/rke2/share/rke2/rke2-cis-sysctl.conf"
register: rke2_cis_conf_in_opt

- name: Copy systemctl file for kernel hardening for yum installs
ansible.builtin.copy:
Expand All @@ -28,6 +33,7 @@
- ansible_os_family == 'RedHat' or ansible_os_family == 'Rocky'
- not rke2_binary_tarball_check.stat.exists
- rke2_tarball_url is not defined or rke2_tarball_url == ""
- not rke2_cis_conf_in_opt.stat.exists

- name: Copy systemctl file for kernel hardening for non-yum installs
ansible.builtin.copy:
Expand All @@ -37,16 +43,27 @@
mode: 0600
register: sysctl_operation_tarball
when: >-
not rke2_cis_conf_in_opt.stat.exists and
(ansible_facts['os_family'] != 'RedHat' and
ansible_facts['os_family'] != 'Rocky') or
rke2_binary_tarball_check.stat.exists or
(rke2_tarball_url is defined and rke2_tarball_url != "")

- name: Copy systemctl file for kernel hardening for other
ansible.builtin.copy:
src: /opt/rke2/share/rke2/rke2-cis-sysctl.conf
dest: /etc/sysctl.d/60-rke2-cis.conf
remote_src: true
mode: 0600
register: sysctl_operation_other
when:
- rke2_cis_conf_in_opt.stat.exists

- name: Restart systemd-sysctl
ansible.builtin.service:
state: restarted
name: systemd-sysctl
when: sysctl_operation_yum.changed or sysctl_operation_tarball.changed
when: sysctl_operation_yum.changed or sysctl_operation_tarball.changed or sysctl_operation_other.changed

# Per CIS hardening guide, if Kubernetes is already running, making changes to sysctl can result in unexpected
# side-effects. Rebooting node if RKE2 is already running to prevent potential issues whereas before we were
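Review bot: The added `not rke2_cis_conf_in_opt.stat.exists and` in the `when: >-` of the non-yum copy task binds only to the first parenthesised term: Jinja gives `and` higher precedence than `or`, so the folded expression reads `(not in_opt and not RedHat and not Rocky) or tarball_exists or tarball_url_set`, and on any tarball-based install the task still runs even when `/opt/rke2/share/rke2/rke2-cis-sysctl.conf` exists, after which the new "for other" task copies over the same `/etc/sysctl.d/60-rke2-cis.conf`. Group the three alternatives so the new guard applies to all of them. The new task's `mode: 0600` follows the file's existing unquoted style, but `"0600"` sidesteps the YAML octal trap.
```yaml
  when: >-
    not rke2_cis_conf_in_opt.stat.exists and
    ((ansible_facts['os_family'] != 'RedHat' and
      ansible_facts['os_family'] != 'Rocky') or
     rke2_binary_tarball_check.stat.exists or
     (rke2_tarball_url is defined and rke2_tarball_url != ""))
```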
2 changes: 1 addition & 1 deletion roles/rke2_server/defaults/main.yml
@@ -1,2 +1,2 @@
---
kubernetes_api_server_host: "{{ hostvars[groups['rke2_servers'][0]].inventory_hostname }}"
kubernetes_api_server_host: "{{ hostvars[groups['rke2_servers'][0]].inventory_hostname }}"
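--- /dev/null
+++ b/roles/rke2_server/handlers/main.yml
@@ -0,0 +1,25 @@
+---
+- name: Ensure the RKE2 Service is started
+  block:
+    - name: Attempt to start RKE2
+      ansible.builtin.systemd:
+        name: rke2-server
+        enabled: yes
+        state: started
+      register: rke2_service_start
+      retries: 20
+      delay: 10
+      until: rke2_service_start is succeeded
+      listen: Start RKE2
+
+    - name: Wait to ensure the service started correctly
+      ansible.builtin.pause:
+        seconds: 20
+      listen: Start RKE2
+
+    - name: Verify rke2-server started
+      ansible.builtin.systemd:
+        name: rke2-server
+        state: started
+      failed_when: rke2_service_start is failed
+      listen: Start RKE2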
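Review bot: The final "Verify rke2-server started" task re-tests `rke2_service_start`, the register from the first task, so `failed_when: rke2_service_start is failed` can never fire: had that task failed after its 20 retries the play would already have stopped there, and the 20-second pause in between changes nothing about that variable. Register the verify step itself and check the unit's real state, `register: rke2_service_verify` with `failed_when: rke2_service_verify.status.ActiveState != 'active'`, which is presumably what the pause is meant to let settle. `enabled: yes` should be the canonical `enabled: true`. Each nested task carries `listen: Start RKE2` while the enclosing block carries nothing; whether `listen` on tasks inside a handler block is honoured when `notify: Start RKE2` fires from `other_servers.yml` is worth confirming against the Ansible version the role targets.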
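--- /dev/null
+++ b/roles/rke2_server/tasks/fixed-registration.yml
@@ -0,0 +1,10 @@
+---
+- name: Add fixed registration url to config file
+  ansible.builtin.lineinfile:
+    dest: /etc/rancher/rke2/config.yaml
+    line: "server: https://{{ fixed_registration_address }}:9345"
+    state: present
+    insertbefore: BOF
+    regexp: '^server:'
+  when:
+    - fixed_registration_address is defined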
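Review bot: `fixed_registration_address` is interpolated into the `server:` URL unchecked, so a value that already carries a scheme or port (`https://lb`, `lb:9345`) yields a malformed URL that only surfaces when the server next tries to rejoin; an `ansible.builtin.assert` ahead of the lineinfile, `that: fixed_registration_address is match('^[A-Za-z0-9.-]+$')`, fails fast on the control host instead (an IPv6 literal would additionally need brackets in the URL). Because this file is included only for the first server and the task has no `notify`, a server that is already running keeps its current supervisor until it is restarted; presumably that is intended, since the first node only needs the fixed address to rejoin after a restart, but a comment saying so would stop a future reader from adding a restart here. The `regexp: '^server:'` makes this the only one of the three `server:` tasks in the PR that replaces an existing line rather than adding a second one.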
6 changes: 6 additions & 0 deletions roles/rke2_server/tasks/main.yml
Expand Up @@ -18,5 +18,11 @@
ansible.builtin.include_tasks: other_servers.yml
when: inventory_hostname in groups['rke2_servers'][1:]

- name: Add first server to fixed registration address (High availability)
ansible.builtin.include_tasks: fixed-registration.yml
when:
- inventory_hostname in groups['rke2_servers'][0]
- fixed_registration_address is defined

- name: Configure Utilities
ansible.builtin.include_tasks: utilities.yml
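Review bot: The condition `inventory_hostname in groups['rke2_servers'][0]` on the new include is a substring test, because `groups['rke2_servers'][0]` is a single hostname string rather than a list: a server named `rke2-1` matches a first server named `rke2-10` and would also have `fixed-registration.yml` applied, rewriting its `server:` line. The line just above, `inventory_hostname in groups['rke2_servers'][1:]`, tests membership in a list and is correct; the new one should be `- inventory_hostname == groups['rke2_servers'][0]`.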
26 changes: 17 additions & 9 deletions roles/rke2_server/tasks/other_servers.yml
Expand Up @@ -29,28 +29,36 @@
insertbefore: BOF
when:
- '"server:" not in server_url_check.stdout'
- fixed_registration_address is undefined

- name: Start rke2-server
throttle: 1
ansible.builtin.systemd:
name: rke2-server
state: started
enabled: yes
- name: Add fixed registration url to config file
ansible.builtin.lineinfile:
dest: /etc/rancher/rke2/config.yaml
line: "server: https://{{ fixed_registration_address }}:9345"
state: present
insertbefore: BOF
when:
- '"server:" not in server_url_check.stdout'
- fixed_registration_address is defined
notify: Start RKE2

- name: Flush handlers
meta: flush_handlers

- name: Wait for k8s apiserver reachability
ansible.builtin.wait_for:
host: "{{ kubernetes_api_server_host }}"
port: "6443"
state: present
timeout: 300
timeout: 600

- name: Wait for kubelet process to be present on host
ansible.builtin.command: >-
ps -C kubelet -F -ww --no-headers
register: kubelet_check
until: kubelet_check.rc == 0
retries: 20
delay: 10
delay: 30
changed_when: false

- name: Extract the hostname-override parameter from the kubelet process
Expand All @@ -67,5 +75,5 @@
register: status_result
until: status_result.stdout.find("True") != -1
retries: 20
delay: 10
delay: 30
changed_when: false
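Review bot: Starting rke2-server on the additional servers now depends on `notify: Start RKE2`, which is attached only to the new fixed-address lineinfile task: in the non-HA path (`fixed_registration_address is undefined`) nothing notifies, and on a re-run where `server:` is already in config.yaml the lineinfile is skipped and again nothing notifies, so the unconditional `state: started` this hunk removes — along with its `throttle: 1`, which serialised the joins — is missing in exactly the cases the old task covered. The `wait_for` that follows checks port 6443 on `kubernetes_api_server_host`, the first server, so it will not catch this host's service never being started. Keep an unconditional, throttled start step after the two lineinfile tasks; the handler's retry-and-verify logic can still run in addition.
```yaml
# … unchanged: the two "Add … url to config file" lineinfile tasks …
- name: Ensure rke2-server is started
  throttle: 1
  ansible.builtin.systemd:
    name: rke2-server
    state: started
    enabled: true
  register: rke2_server_start
  retries: 20
  delay: 10
  until: rke2_server_start is succeeded
```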
1 change: 1 addition & 0 deletions roles/rke2_server/tasks/utilities.yml
Expand Up @@ -4,6 +4,7 @@
ansible.builtin.lineinfile:
dest: "/root/.bashrc"
line: 'PATH=$PATH:/var/lib/rancher/rke2/bin'
create: true
insertafter: EOF

- name: Symlink crictl config to /etc/crictl.yaml
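Review bot: With `create: true` this task may now create `/root/.bashrc` itself, and lineinfile then gives the new file a mode derived from the remote umask rather than anything the role controls; adding `owner: root`, `group: root` and `mode: "0644"` to the module args makes the result deterministic on a fresh host. The task's name line is above the hunk.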