bridge istio and calico

OsgiliathEnterprise · Aug 19, 2023 · 7237249 · 7237249
1 parent 7355bbf
commit 7237249
Show file tree

Hide file tree

Showing 16 changed files with 96 additions and 56 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -1,4 +1,5 @@
 ---
 # defaults file for ansible-orchestration
 configure_mesh: Yes
-istio_version: 1.17.2
+calico_version: v3.26.1
+istio_version: 1.18.2
diff --git a/galaxy.yml b/galaxy.yml
@@ -1,20 +1,20 @@
 ---
 namespace: "tcharl"
-name: "freeipa_server"
-version: "1.0.1"
-description: "Role on top of the marvelous Freeipa server role to configure in compliancy with the Osgiliath platform topology"
+name: "servicemesh"
+version: "2.0.1"
+description: "Deploys Istio mesh on a kubernetes cluster"
 
 authors:
   - "Charlie Mordant <[email protected]>"
 
-repository: "https://github.com/OsgiliathEnterprise/freeipa_server"
-documentation: "https://github.com/OsgiliathEnterprise/freeipa_server/blob/master/README.md"
-homepage: "https://github.com/OsgiliathEnterprise/freeipa_server"
-issues: "https://github.com/OsgiliathEnterprise/freeipa_server/issues"
+repository: "https://github.com/OsgiliathEnterprise/servicemesh"
+documentation: "https://github.com/OsgiliathEnterprise/servicemesh/blob/master/README.md"
+homepage: "https://github.com/OsgiliathEnterprise/servicemesh"
+issues: "https://github.com/OsgiliathEnterprise/servicemesh/issues"
 
 readme: "README.md"
 license:
   - "Apache-2.0"
 tags:
-  - "freeipa"
-  - "freeipa-server"
+  - "istio"
+  - "calico"
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
@@ -1,8 +1,8 @@
 ---
 - name: Converge master
-  hosts: all
+  hosts:
+    - kube_master
   vars:
-    kubernetes_allow_pods_on_master: False
     hostname_reboot: false
     kube_firewall_zone: 'public'
     standalone_role: False

diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
@@ -4,9 +4,7 @@ dependency:
   enabled: ${DEPENDENCY_ENABLED:-True}
   options:
     role-file: ${REQUIREMENTS_PATH:-requirements-standalone.yml}
-    roles-path: ${MOLECULE_PROJECT_DIRECTORY}/../community
     requirements-file: requirements-collections.yml
-    collections-path: ${MOLECULE_PROJECT_DIRECTORY}/../community-collections
 driver:
   name: vagrant
   provider:
@@ -25,6 +23,19 @@ platforms:
         virtualbox__intnet: "internalnetwork"
     groups:
       - kube_master
+      - ipaclients
+  - name: ipa.osgiliath.test
+    box: ${TESTBOX:-fedora/38-cloud-base}
+    provider_options:
+      cpus: 2
+      memory: 5120
+    interfaces:
+      - type: dhcp
+        # ip: "192.168.56.5"
+        auto_config: true
+        network_name: private_network
+        virtualbox__intnet: "internalnetwork"
+    groups:
       - ipaservers
   - name: node1.osgiliath.test
     box: ${TESTBOX:-fedora/38-cloud-base}
@@ -33,6 +44,7 @@ platforms:
       memory: 5120
     groups:
       - kube_node
+      - ipaclients
     interfaces:
       - type: dhcp
         # ip: "192.168.56.5"
@@ -71,4 +83,4 @@ scenario:
     - side_effect
     - verify
     - cleanup
-    - destroy
+    - destroy
diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml
@@ -2,16 +2,17 @@
 
 - name: Prepare
   hosts:
-    - kube_master
-    - kube_node
+    - all
   tasks:
     - include_role:
         name: tcharl.servicemesh
         tasks_from: requirements.yml
       vars:
         secure_logs: False
         preferred_nic: "eth1"
+        idm_preferred_nic: "eth1"
+        master_preferred_nic: "eth1"
+        kube_firewall_zone: 'public'
         company_domain: osgiliath.test
         company_realm_password: '123ADMin'
         company_ad_password: '123ADmPass'
-        standalone_role: True
diff --git a/molecule/kvm/converge.yml b/molecule/kvm/converge.yml
@@ -2,9 +2,9 @@
 - name: Converge master
   hosts: all
   vars:
-    kubernetes_allow_pods_on_master: False
     hostname_reboot: false
     kube_firewall_zone: 'public'
+    master_preferred_nic: "eth1"
     standalone_role: False
     preferred_nic: "eth1"
 #        kube_alt_names:

diff --git a/molecule/kvm/molecule.yml b/molecule/kvm/molecule.yml
@@ -4,9 +4,7 @@ dependency:
   enabled: ${DEPENDENCY_ENABLED:-True}
   options:
     role-file: ${REQUIREMENTS_PATH:-requirements-standalone.yml}
-    roles-path: ${MOLECULE_PROJECT_DIRECTORY}/../community
     requirements-file: requirements-collections.yml
-    collections-path: ${MOLECULE_PROJECT_DIRECTORY}/../community-collections
 driver:
   name: vagrant
   provider:
@@ -17,28 +15,45 @@ platforms:
     provider_options:
       driver: "kvm"
       cpus: 2
-      memory: 5120
+      memory: 6144
       qemu_use_session: false
     interfaces:
       - auto_config: true
         network_name: private_network
-        ip: "192.168.50.4"
+        type: dhcp
+#        ip: "192.168.50.4"
     groups:
       - kube_master
+      - ipaclients
+  - name: ipa.osgiliath.test
+    box: ${TESTBOX:-fedora/38-cloud-base}
+    provider_options:
+      driver: "kvm"
+      cpus: 2
+      memory: 6144
+      qemu_use_session: false
+    interfaces:
+      - auto_config: true
+        network_name: private_network
+        type: dhcp
+#        ip: "192.168.50.6"
+    groups:
       - ipaservers
   - name: node1.osgiliath.test
     box: ${TESTBOX:-fedora/38-cloud-base}
     provider_options:
       driver: "kvm"
       cpus: 2
-      memory: 5120
+      memory: 6144
       qemu_use_session: false
     interfaces:
       - auto_config: true
         network_name: private_network
-        ip: "192.168.50.5"
+        type: dhcp
+#        ip: "192.168.50.5"
     groups:
       - kube_node
+      - ipaclients
 provisioner:
   name: ansible
 #  config_options:
@@ -67,4 +82,4 @@ scenario:
     - side_effect
     - verify
     - cleanup
-    - destroy
+    - destroy
diff --git a/molecule/kvm/prepare.yml b/molecule/kvm/prepare.yml
@@ -2,15 +2,17 @@
 
 - name: Prepare
   hosts:
-    - kube_master
-    - kube_node
+    - all
   tasks:
     - include_role:
         name: tcharl.servicemesh
         tasks_from: requirements.yml
       vars:
         secure_logs: False
         preferred_nic: "eth1"
+        idm_preferred_nic: "eth1"
+        master_preferred_nic: "eth1"
+        kube_firewall_zone: 'public'
         company_domain: osgiliath.test
         company_realm_password: '123ADMin'
         company_ad_password: '123ADmPass'

diff --git a/molecule/parallels/converge.yml b/molecule/parallels/converge.yml
@@ -2,11 +2,11 @@
 - name: Converge master
   hosts: all
   vars:
-    kubernetes_allow_pods_on_master: False
     hostname_reboot: false
     kube_firewall_zone: 'public'
     standalone_role: False
     preferred_nic: "eth1"
+    master_preferred_nic: "eth1"
 #        kube_alt_names:
 #          - "kubeadm.osgiliath.net"
   roles:

diff --git a/molecule/parallels/molecule.yml b/molecule/parallels/molecule.yml
@@ -4,9 +4,7 @@ dependency:
   enabled: ${DEPENDENCY_ENABLED:-True}
   options:
     role-file: ${REQUIREMENTS_PATH:-requirements-standalone.yml}
-    roles-path: ${MOLECULE_PROJECT_DIRECTORY}/../community
     requirements-file: requirements-collections.yml
-    collections-path: ${MOLECULE_PROJECT_DIRECTORY}/../community-collections
 driver:
   name: vagrant
   provider:
@@ -23,6 +21,17 @@ platforms:
         network_name: private_network
     groups:
       - kube_master
+      - ipaclients
+  - name: ipa.osgiliath.test
+    box: ${TESTBOX:-bento/fedora-38-arm64}
+    provider_options:
+      cpus: 2
+      memory: 5120
+    interfaces:
+      - type: dhcp
+        auto_config: true
+        network_name: private_network
+    groups:
       - ipaservers
   - name: node1.osgiliath.test
     box: ${TESTBOX:-bento/fedora-38-arm64}
@@ -35,6 +44,7 @@ platforms:
         network_name: private_network
     groups:
       - kube_node
+      - ipaclients
 provisioner:
   name: ansible
 #  config_options:
@@ -63,4 +73,4 @@ scenario:
     - side_effect
     - verify
     - cleanup
-    - destroy
+    - destroy
diff --git a/molecule/parallels/prepare.yml b/molecule/parallels/prepare.yml
@@ -2,15 +2,17 @@
 
 - name: Prepare
   hosts:
-    - kube_master
-    - kube_node
+    - all
   tasks:
     - include_role:
         name: tcharl.servicemesh
         tasks_from: requirements.yml
       vars:
         secure_logs: False
         preferred_nic: "eth1"
+        idm_preferred_nic: "eth1"
+        master_preferred_nic: "eth1"
+        kube_firewall_zone: 'public'
         company_domain: osgiliath.test
         company_realm_password: '123ADMin'
         company_ad_password: '123ADmPass'

diff --git a/requirements-monorepo.yml b/requirements-monorepo.yml
@@ -3,7 +3,7 @@ roles:
   # Install a role from Ansible Galaxy.
   - name: geerlingguy.swap
   - name: geerlingguy.containerd
-  - name: mrlesmithjr.manage-lvm
+  - name: mrlesmithjr.manage_lvm
   - name: robertdebock.bootstrap
   - name: robertdebock.environment
   - name: robertdebock.core_dependencies

diff --git a/requirements-standalone.yml b/requirements-standalone.yml
@@ -5,7 +5,7 @@ roles:
   - name: geerlingguy.swap
   - name: geerlingguy.containerd
   - name: tcharl.ansible_volumes
-  - name: mrlesmithjr.manage-lvm
+  - name: mrlesmithjr.manage_lvm
   - name: tcharl.ansible_hostname
   - name: robertdebock.bootstrap
   - name: robertdebock.environment
@@ -24,3 +24,4 @@ roles:
   - name: tcharl.nfs_client
   - name: tcharl.ansible_orchestration
   - name: tcharl.ansible_orchestration_cli
+  - name: tcharl.kube_certmanager
diff --git a/tasks/requirements.yml b/tasks/requirements.yml
@@ -1,6 +1,5 @@
 ---
 
-- name: Requirements | import orchestration cli
+- name: Requirements | install kubernetes cli
   ansible.builtin.import_role:
-    name: tcharl.ansible_orchestration_cli
-  become: Yes
+    name: tcharl.kube_certmanager
diff --git a/tasks/service-mesh.yml b/tasks/service-mesh.yml
@@ -111,10 +111,10 @@
     - kube_masters_group in group_names
 
 - name: Service-mesh | apply istio policies
-  ansible.builtin.command: >
-    kubectl apply -f {{ mtls_policies_temp_directory.path }}/istio-mtls-stricts.yml
-  register: result
-  until: result is succeeded
+  kubernetes.core.k8s:
+    state: present
+    apply: True
+    src: "{{ mtls_policies_temp_directory.path }}/istio-mtls-stricts.yml"
   retries: 5
   delay: 10
   become: true
@@ -130,19 +130,17 @@
   become: True
 
 - name: Service-mesh | patch the injector
-  ansible.builtin.command: >
-    kubectl patch configmap istio-sidecar-injector -n istio-system --patch "$(cat {{ mtls_policies_temp_directory.path }}/istio-inject-configmap.yaml)"
-  register: result
-  until: result is succeeded
-  retries: 5
-  delay: 10
+  kubernetes.core.k8s:
+    state: patched
+    src: "{{ mtls_policies_temp_directory.path }}/istio-inject-configmap.yaml"
+    namespace: istio-system
+    name: istio-sidecar-injector
+    kind: configmap
   become: True
 
 - name: Service-mesh | apply authorization services to the mesh
-  ansible.builtin.command: >
-    kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/{{ calico_version }}/manifests/alp/istio-app-layer-policy-envoy-v3.yaml
-  register: result
-  until: result is succeeded
-  retries: 5
-  delay: 10
+  kubernetes.core.k8s:
+    state: present
+    apply: True
+    src: "https://raw.githubusercontent.com/projectcalico/calico/{{ calico_version }}/manifests/alp/istio-app-layer-policy-envoy-v3.yaml"
   become: True
diff --git a/vars/main.yml b/vars/main.yml
@@ -7,4 +7,3 @@ idm_group: 'ipaservers' # do not change: convention from the ipa roles
 kube_config_folder: "/etc/kubernetes"
 kube_credential_folder: "/home/kubecreds"
 kubernetes_certificates_path: "{{ kube_config_folder }}/pki/"
-calico_version: v3.26.0