1 parent
49ce025
commit 8b04736
Showing
9 changed files
with
124 additions
and
14 deletions.
@@ -1,74 +1,104 @@ | ||
- name: Setup k8s-lb | ||
hosts: k8s-lb | ||
vars_files: | ||
- k8s_lb_config.yaml | ||
hosts: lb | ||
tasks: | ||
- name: Install deps | ||
ansible.builtin.apt: | ||
update_cache: true | ||
pkg: | ||
- iptables-persistent | ||
become: true | ||
|
||
- name: dummy0 interface | ||
ansible.builtin.template: | ||
src: ./lb_config/netplan_dummy0.yaml.j2 | ||
dest: /etc/netplan/dummy0.yaml | ||
mode: "640" | ||
mode: "600" | ||
become: true | ||
|
||
- name: eth0 interface | ||
ansible.builtin.template: | ||
src: ./lb_config/netplan_50_cloud_init.yaml.j2 | ||
dest: /etc/netplan/50-cloud-init.yaml | ||
mode: "640" | ||
mode: "600" | ||
become: true | ||
|
||
- name: Install frr | ||
ansible.builtin.apt: | ||
update_cache: true | ||
pkg: | ||
- frr | ||
become: true | ||
|
||
- name: Enable ospfd | ||
ansible.builtin.lineinfile: | ||
path: /etc/frr/daemons | ||
search_string: ospfd=no | ||
line: "ospfd=yes" | ||
become: true | ||
|
||
- name: Config template frr | ||
ansible.builtin.template: | ||
src: ./lb_config/frr.conf.j2 | ||
dest: /etc/frr/frr.conf | ||
become: true | ||
|
||
- name: Install haproxy | ||
ansible.builtin.apt: | ||
update_cache: true | ||
pkg: | ||
- haproxy | ||
become: true | ||
|
||
- name: Config template haproxy | ||
ansible.builtin.template: | ||
src: ./lb_config/haproxy.cfg | ||
dest: /etc/haproxy/haproxy.cfg | ||
become: true | ||
|
||
- name: Iptables rules | ||
ansible.builtin.template: | ||
src: ./lb_config/iptables.j2 | ||
dest: /etc/iptables/rules.v4 | ||
become: true | ||
|
||
- name: Restore iptables rules | ||
ansible.builtin.command: | ||
cmd: "bash -c '/sbin/iptables-restore < /etc/iptables/rules.v4 && touch /tmp/firewall_set'" | ||
creates: /tmp/firewall_set | ||
become: true | ||
|
||
- name: Restore iptables rules | ||
- name: Netplan apply | ||
ansible.builtin.command: | ||
cmd: "bash -c 'netplan apply && touch /tmp/netplan_applied'" | ||
creates: /tmp/netplan_applied | ||
become: true | ||
|
||
- name: Restart and enable iptables service | ||
ansible.builtin.service: | ||
name: netfilter-persistent | ||
state: restarted | ||
enabled: true | ||
become: true | ||
|
||
- name: Restart and enable frr service | ||
ansible.builtin.service: | ||
name: frr | ||
state: restarted | ||
enabled: true | ||
become: true | ||
|
||
- name: Restart and enable haproxy service | ||
ansible.builtin.service: | ||
name: haproxy | ||
state: restarted | ||
enabled: true | ||
become: true | ||
|
||
- name: net.ipv4.ip_forward | ||
ansible.posix.sysctl: | ||
name: net.ipv4.ip_forward | ||
value: '1' | ||
sysctl_set: true | ||
state: present | ||
reload: true | ||
reload: true | ||
become: true |
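Review bot: The `creates: /tmp/firewall_set` guard on the `Restore iptables rules` task (and `creates: /tmp/netplan_applied` on `Netplan apply`) ties a privileged action to a marker file in a world-writable, reboot-cleared directory, so any local account on the host can pre-create the file and turn the firewall load into a silent no-op, while after a reboot the task fires again regardless; it is neither a reliable nor a trustworthy idempotency check. The `Restart and enable iptables service` task further down restarts `netfilter-persistent`, which on Debian/Ubuntu loads `/etc/iptables/rules.v4` itself, so the separate `iptables-restore` command task appears redundant and could be dropped, or the `Iptables rules` template task could `notify` a restart handler instead. If a marker is kept, place it under a root-owned path, e.g. `creates: /var/lib/k8s-lb/firewall_set` (constructed example), and the same applies to the netplan marker. The `Config template frr` and `Config template haproxy` tasks also set no `mode:`, unlike the netplan templates this commit tightens to `"600"`; `mode: "640"` on `/etc/frr/frr.conf` and `/etc/haproxy/haproxy.cfg` would keep the rendered configs from being world-readable.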
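--- /dev/null
+++ b/lb_config/haproxy.cfg
@@ -0,0 +1,46 @@
+global
+log /dev/log local0
+log /dev/log local1 notice
+chroot /var/lib/haproxy
+stats socket /run/haproxy/admin.sock mode 660 level admin
+stats timeout 30s
+user haproxy
+group haproxy
+daemon
+
+# Default SSL material locations
+ca-base /etc/ssl/certs
+crt-base /etc/ssl/private
+
+# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
+ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+defaults
+log global
+mode http
+option httplog
+option dontlognull
+timeout connect 5000
+timeout client 50000
+timeout server 50000
+errorfile 400 /etc/haproxy/errors/400.http
+errorfile 403 /etc/haproxy/errors/403.http
+errorfile 408 /etc/haproxy/errors/408.http
+errorfile 500 /etc/haproxy/errors/500.http
+errorfile 502 /etc/haproxy/errors/502.http
+errorfile 503 /etc/haproxy/errors/503.http
+errorfile 504 /etc/haproxy/errors/504.http
+
+frontend meshdb
+bind {{ EXTERNAL_LISTEN_IP }}:80
+bind {{ EXTERNAL_LISTEN_IP }}:443
+default_backend k8s
+
+backend k8s
+# server metallb 10.70.90.240:80
+server meshdbarlenenode0 {{ NODE_IP_1 }}:{{ NODE_PORT }}
+server meshdbarlenenode1 {{ NODE_IP_2 }}:{{ NODE_PORT }}
+server meshdbarlenenode2 {{ NODE_IP_3 }}:{{ NODE_PORT }}
+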
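Review bot: `bind {{ EXTERNAL_LISTEN_IP }}:443` carries no `ssl crt …` argument, so under the `mode http` default HAProxy expects plaintext HTTP on port 443; TLS clients will fail the handshake, and the `ssl-default-bind-*` hardening in `global` applies to no listener at all. Either terminate TLS here with a certificate under `crt-base`, e.g. `bind {{ EXTERNAL_LISTEN_IP }}:443 ssl crt <CERT-FILE-PLACEHOLDER>` together with `http-request redirect scheme https unless { ssl_fc }` so port 80 only redirects, or, if TLS is terminated inside the cluster, move 443 into a separate `mode tcp` frontend and backend so the encrypted stream is passed through untouched. The `server` lines also lack `check`, so a node that is down keeps receiving connections; `server meshdbarlenenode0 {{ NODE_IP_1 }}:{{ NODE_PORT }} check` (and likewise for the other two) would enable health checking.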