This repository contains a couple of Ansible playbooks that deploy and bring up the resources below on Ubuntu and CentOS (the distribution is detected automatically):
- Kubernetes Cluster
- One Master, multiple workers (Test)
- Multiple Master, Multiple Workers (Production)
- A Teleport Instance
- A HA-Proxy (Mandatory for Production K8s setup!)
- A Mattermost (Deploy/Backup)
- A Jenkins Agent
- And soon, more resources! (See the Roadmap below.)
Also, at the beginning of each playbook, it asks whether you want to set up a VPN on the target host. This is helpful if you want the installation to go through a VPN.
Why?
For various reasons; for instance, you live in a sanctioned country like Iran.
If you want the installation to go through the VPN, you must already have an OpenConnect VPN server. (Do you want to deploy an OpenConnect VPN server? See the OpenConnect server setup below.)
Ansible runs the VPN with the `openconnect` client on the target machine. Pass the server IP, username and password to Ansible whenever it asks for them.
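As an added illustration of that VPN step (not the repository's own play), the play below shows how the prompt, the client start-up and the checks can be written so that the VPN password never shows up in a process list or in Ansible's output, and so that the client refuses to talk to anything but the expected server. The variable names, the `vpn_servercert` value and the host pattern are assumptions. `--passwd-on-stdin` makes openconnect read the password from standard input instead of the command line, `no_log` keeps it out of the task output and logs, and `--servercert` pins the server's public key; that pin matters because a freshly deployed ocserv container typically serves a self-signed certificate, and with `--non-inter` openconnect fails on an untrusted certificate instead of silently accepting it.

```yaml
# Example play (added illustration, not the repo's own playbook).
# Host pattern, variable names and the certificate pin are assumptions.
- name: Bring up an OpenConnect tunnel on the target host before installing anything
  hosts: all
  become: true
  vars_prompt:
    - name: vpn_server
      prompt: "OpenConnect server (IP or hostname)"
      private: false
    - name: vpn_user
      prompt: "VPN username"
      private: false
    - name: vpn_password
      prompt: "VPN password"
      private: true          # not echoed on the terminal
  vars:
    # Public-key pin of the VPN server's certificate (placeholder value).
    # openconnect prints the matching "--servercert pin-sha256:..." line when it
    # refuses an unknown certificate interactively; take it from a connection
    # you have verified out of band, never from the first blind connect.
    vpn_servercert: "pin-sha256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
  tasks:
    - name: Install the openconnect client (package name is the same on Ubuntu and CentOS; CentOS needs EPEL)
      ansible.builtin.package:
        name: openconnect
        state: present

    - name: Start openconnect in the background, password on stdin, server key pinned
      ansible.builtin.command:
        argv:
          - openconnect
          - --non-inter                    # never prompt: fail instead of accepting an unknown cert
          - --background                   # daemonise only after the connection is established
          - --pid-file=/run/openconnect.pid
          - "--user={{ vpn_user }}"
          - --passwd-on-stdin              # keeps the password out of argv and `ps`
          - "--servercert={{ vpn_servercert }}"
          - "{{ vpn_server }}"
        stdin: "{{ vpn_password }}"
        creates: /run/openconnect.pid      # idempotent: skip if a tunnel is already up
      no_log: true                          # keeps the password out of Ansible's output and logs

    - name: Confirm the tunnel process recorded in the pid file is still alive
      ansible.builtin.command:
        argv: ["pgrep", "-F", "/run/openconnect.pid"]
      changed_when: false
```

Because `--background` only forks after authentication succeeds, a wrong password or a certificate that does not match the pin makes the `command` task fail with a non-zero exit instead of leaving a half-configured host behind; the final `pgrep -F` check catches a tunnel that died after start-up.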
First, install the role dependencies:
```
$ ansible-galaxy install -r requirements.yaml
```
To run a specific play:
```
$ cd playbooks
$ ansible-playbook -i ../inventory.ini <PLAYBOOK>.yaml
```
- NOTE: Everything is already set up. You only need to change the IP address and your SSH key in `host_vars` or `group_vars`.
Some values are encrypted with Ansible Vault. To run such playbooks, follow these steps:
- Go to the `playbooks` directory.
- Run the command:
```
ansible-playbook --ask-vault-pass -i ../inventory.ini <PLAYBOOK>.yaml
```
As mentioned earlier, you have two options for K8s:
- Single master node (and multiple worker nodes): This is straightforward. Just put the master IP in the `[control-plane]` section, and that's it.
- Multiple master nodes (and multiple worker nodes):
  - We use the stacked etcd model.
  - In this model you must have a load balancer in front of your API servers (See Here).
  - We use HAProxy for the HA K8s setup.
  - You can use this HAProxy for other communication with your cluster as well, but keep in mind that in a production environment you should separate the API server load balancer from other load balancers.
  - One last note: put one of your master IPs in `[control-plane]` and the rest under `[masters]`.
Remember to change `proxy_service.public_addr` and `proxy_service.acme.email` in the Teleport config file, `roles/teleport/files/teleport.yaml`.
- There is always exactly ONE IP under `[ha-proxy]` and `[control-plane]`.
- If you want to run the `k8s-single.yaml` play, `[masters]` should contain exactly ONE IP.
- If your K8s cluster is behind a bastion (jump host), add the line below to `group_vars/GROUP`:
```
ansible_ssh_common_args: '-o ProxyCommand="ssh -i KEY -p 22 -W %h:%p -q USER@BASTION-IP"'
```
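The inventory rules above, written out as one file, as an added example that is not the repository's own `inventory.ini`: Ansible reads the same groups from a YAML inventory, and the `vars:` under `all` are what the notes above tell you to put in `group_vars`. The addresses come from documentation ranges; the `workers` group name, the SSH user and the key paths are assumptions. The bastion's `ProxyCommand` uses `-W %h:%p`, which tunnels the node connection through the jump host rather than forwarding your agent or copying keys onto it, so the key that opens the nodes is never presented to the bastion, which authenticates with its own, separate key.

```yaml
# Example inventory in Ansible's YAML format (added illustration; the repo ships
# inventory.ini with the same group names). Addresses, users and key paths are
# assumptions. Run with: ansible-playbook -i ../inventory.yaml <PLAYBOOK>.yaml
all:
  vars:
    ansible_user: ubuntu
    ansible_ssh_private_key_file: ~/.ssh/k8s_nodes_ed25519
    # Nodes are only reachable through the bastion. -W %h:%p tunnels the
    # connection end to end; the nodes' key stays on your workstation and the
    # bastion only ever sees its own key.
    ansible_ssh_common_args: >-
      -o ProxyCommand="ssh -i ~/.ssh/bastion_ed25519 -p 22 -W %h:%p -q jump@203.0.113.5"
  children:
    ha-proxy:            # exactly ONE host: the load balancer in front of the API servers
      hosts:
        192.0.2.10:
    control-plane:       # exactly ONE host: the master that initialises the cluster
      hosts:
        192.0.2.11:
    masters:             # the remaining masters (stacked etcd)
      hosts:
        192.0.2.12:
        192.0.2.13:
    workers:             # group name assumed; not named in the README
      hosts:
        192.0.2.21:
        192.0.2.22:
```

Keep the bastion key and the node key as two different key pairs, as above: if the jump host is ever compromised, the attacker gains a foothold on the network but not the credential that logs in to the control plane.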
It's super easy. You need a server, a public IP, and Docker.
We use this image.
Run the command below on the server that you want to be your VPN server:
```
docker run --name ocserv --privileged -p 443:443 -p 443:443/udp -d tommylau/ocserv
```
Note that `--privileged` gives the container unrestricted access to the host's devices and kernel interfaces, so run it on a dedicated host rather than next to other services.
Then create a username and password for yourself (the username here is `ali`; put yours instead):
```
docker exec -ti ocserv ocpasswd -c /etc/ocserv/ocpasswd -g "Route,All" ali
```
- Add Kubernetes
- Add Teleport
- Add HA-Proxy
- Add Mattermost
- Add Jenkins
- Installation of Jenkins Controller
- Installation of Mattermost
- Deploying LDAP
- Deploying KeyCloak
See the open issues for a complete list of proposed features (and known issues).
Any contributions you make are greatly appreciated.
If you have a suggestion to improve this, please fork the repo and create a pull request. You can also open an issue with the tag "enhancement".
- Fork the Project
- Create your Feature Branch (`git checkout -b feature/AmazingFeature`)
- Commit your changes (`git commit -m 'Add some AmazingFeature'`)
- Push to the Branch (`git push origin feature/AmazingFeature`)
- Open a Pull Request
Distributed under the MIT License. See LICENSE for more information.
Give a ⭐️ if this project helped you!