Kubernetes cluster deployment playbooks
All playbooks require the apache-libcloud module, which you can install from pip:
pip install apache-libcloud
You can also install Ansible from pip if it is not installed yet:
pip install ansible
Before using the playbooks, set all required variables in inventory/group_vars/all.yml.
Prepare GCE components. This is an optional step related to GCE infrastructure. It should not be used together with prepare-vps.yml.
ansible-playbook playbooks/prepare-gce.yml
Prepare VPS components. This is an optional step that depends on your provider's infrastructure. It should not be used together with prepare-gce.yml.
ansible-playbook playbooks/prepare-vps.yml
Install Kubernetes cluster base components
ansible-playbook playbooks/setup-base.yml
Install Kubernetes additional components
ansible-playbook playbooks/setup-addons.yml
Install Build machine
ansible-playbook playbooks/setup-build.yml
Install CICD
ansible-playbook playbooks/setup-cicd.yml
Install Gateway (Istio, optional)
ansible-playbook playbooks/setup-gateway.yml
All playbooks may be run separately, e.g. to set up individual Kubernetes components such as the dashboard:
ansible-playbook playbooks/cluster/dashboard.yml
A service account's credentials include a generated email address that is unique. Specify that email address here. You can create a service account according to the procedure.
gce_service_account_email: '[email protected]'
Specify the full path of your unique service account credentials file. Details on generating this can be found at https://docs.ansible.com. You can download the JSON credentials according to the procedure.
gce_credentials_file: 'gcloud.json'
Specify the project ID used by your GCP account.
gce_project_id: my-project-id
Available variables are listed below, along with default values (see inventory/group_vars/all.yml):
Kubernetes master and services host names; you should change these to real host names.
k8s_master_name: master.your-domain-name
k8s_services_name: services.your-domain-name
Docker registry host name; you should change this to a real host name.
k8s_registry_name: registry.your-domain-name
Charts server repository. This service provides a Helm chart repository server with chart templates. You can use this one as an example.
k8s_charts_repo: github.com/k8s-community/charts
Country name used in the C attribute of certificates (NL, RU, etc.).
ssl_country: country-name
City name used in the L attribute of certificates.
ssl_city: city-name
Organization name used in the O attribute of certificates.
ssl_org: organization-name
Organization Unit name used in the OU attribute of certificates.
ssl_division: organization-unit-name
State name used in the ST attribute of certificates.
ssl_state: state-name
List of groups with VM instance names and machine types. Instance groups let you organize VM instances or use them in a load-balancing backend service. nodes contains the list of instance names. Names must start with a lowercase letter followed by up to 63 lowercase letters, numbers, or hyphens, and cannot end with a hyphen. Predefined machine types are managed by Google Compute Engine.
gce_groups:
  - name: master
    type: n1-standard-1
    nodes:
      - k8s-master-01
      - k8s-master-02
      - k8s-master-03
  - name: node
    type: n1-standard-1
    nodes:
      - k8s-node-01
      - k8s-node-02
      - k8s-node-03
  - name: build
    type: n1-standard-1
    nodes:
      - k8s-build-01
Kubernetes cluster access data (admin, release and guest users)
k8s_admin_token: 'Admin user token should be here'
k8s_admin_username: admin
k8s_admin_password: 'password'
k8s_release_token: 'Release user token should be here'
k8s_release_username: release
k8s_release_password: 'password'
k8s_guest_token: 'Guest user token should be here'
k8s_guest_username: guest
k8s_guest_password: 'password'
k8s.community services exchange token
k8s_community_token: 'k8s-community-token'
k8s.community services databases credentials
k8s_community_db_username: 'k8s-community'
k8s_community_db_password: 'k8s.community'
k8s_github_integration_db_username: 'github-integration'
k8s_github_integration_db_password: 'github.integration'
k8s.community Github integration services secrets
k8s_github_client_id: 'github client id here'
k8s_github_client_secret: 'github client secret here'
k8s_github_state: 'github state here'
k8s_github_integration_id: 'github integration id here'
k8s_github_integration_token: 'github integration token here'
k8s_github_integration_private_key: |
-----BEGIN RSA PRIVATE KEY-----
- Your RSA private key here -
-----END RSA PRIVATE KEY-----
Obtaining these values takes a few manual steps, but they are needed anyway.
First, prepare the access token for the Docker registry:
docker run --rm --entrypoint htpasswd registry:2 -Bbn <user> <password> | base64
k8s_docker_registry_token: 'docker registry token here'
Second, create a Docker config containing the auth code and auth token. There are two ways to do this:
Way 1 (without logging in to the Docker registry):
kubectl create secret docker-registry my-secret --docker-username=user --docker-password='password' \
--docker-email '[email protected]' --docker-server=<docker_registry_host> --dry-run -o yaml
Grab the hash in the data.dockercfg field from the output of the command above and decode it:
echo '<hash from data.dockercfg>' | base64 --decode
Grab the auth code from the output of the command above and create .docker/config.json:
{
  "auths": {
    "<docker_registry_host>": {
      "auth": "<auth_code_from_previous_command>"
    }
  }
}
Way 2 (requires a real login to the Docker registry):
docker login -u=<user> -p=<password> <docker_registry_host:port>
Enter the auth code from .docker/config.json here:
k8s_docker_registry_auth_code: 'docker registry auth code here'
Enter the result of cat .docker/config.json | base64 here:
k8s_docker_registry_auth_token: 'docker registry auth config token'
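The auth code and auth token above are plain base64 encodings, not hashes, so they must be treated as secrets like the passwords they wrap. The following added example (not part of the k8s-community playbooks) reproduces both manual steps in code and shows how to check which registry account an existing token grants; the host, user and password are constructed values.

```python
"""Docker registry auth values for inventory/group_vars/all.yml (added example,
not part of the k8s-community playbooks). Sample host/user/password are constructed."""
from __future__ import annotations
import base64
import json

def registry_auth_code(user: str, password: str) -> str:
    """'auth' field of .docker/config.json: base64 of 'user:password'.
    Encoding, not hashing: the password is fully recoverable, so the config
    and every variable derived from it must be handled as a secret."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()

def docker_config(registry_host: str, user: str, password: str) -> dict:
    """Same content as the .docker/config.json written by 'docker login'."""
    return {"auths": {registry_host: {"auth": registry_auth_code(user, password)}}}

def registry_auth_token(config: dict) -> str:
    """k8s_docker_registry_auth_token: base64 of the whole config.json."""
    return base64.b64encode(json.dumps(config, indent=2).encode()).decode()

def auth_codes_from_b64(blob: str) -> dict:
    """The 'grab auth code' step: decode a base64 blob to host -> auth code.
    Accepts both the flat legacy .dockercfg layout kubectl emits in
    data.dockercfg and the 'auths'-wrapped config.json layout."""
    decoded = json.loads(base64.b64decode(blob))
    entries = decoded.get("auths", decoded)
    return {host: entry["auth"] for host, entry in entries.items()}

def decode_auth_code(auth_code: str) -> tuple[str, str]:
    """Reverse an auth code; split on the first ':' so passwords may contain ':'."""
    user, _, password = base64.b64decode(auth_code).decode().partition(":")
    return user, password

def token_identities(token: str) -> dict:
    """Registry -> account that a stored auth token grants, without printing passwords."""
    return {h: decode_auth_code(a)[0] for h, a in auth_codes_from_b64(token).items()}

if __name__ == "__main__":
    cfg = docker_config("registry.your-domain-name", "release", "s3cret:pw")
    token = registry_auth_token(cfg)
    print("k8s_docker_registry_auth_code:", cfg["auths"]["registry.your-domain-name"]["auth"])
    print("k8s_docker_registry_auth_token:", token)
    print(token_identities(token))
```

Run token_identities on a value already stored in all.yml to confirm it belongs to the intended low-privilege registry account (e.g. release) rather than an admin one.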
You may leave these untouched; in that case the SSL certificates will be self-signed.
k8s_services_cert: |
-----BEGIN CERTIFICATE-----
- Your certificate here -
-----END CERTIFICATE-----
k8s_services_cert_key: |
-----BEGIN PRIVATE KEY-----
- Your private key here -
-----END PRIVATE KEY-----
All contributors are welcome. If you would like to contribute, please accept a few rules:
- Pull requests will be accepted only into the develop branch
- All modifications or additions should be tested
Thank you for your understanding!
Kubernetes Community k8s-community