From 6aa4f4335010cafe834b622c7a3ded70d668bb1e Mon Sep 17 00:00:00 2001 From: jacob Date: Fri, 3 Jan 2025 11:55:38 -0600 Subject: [PATCH 01/13] Add network attached instructions --- README.md | 38 +-- .../files}/audit-policy.yaml | 0 .../files}/pod-security-admission-config.yaml | 0 .../group_vars/all.yaml | 3 + .../group_vars/rke2_servers.yaml | 17 ++ docs/advanced_sample_inventory/hosts.yml | 9 + .../post-deploy-manifests/cert-manager.yaml | 14 + .../pre-deploy-manifests/cilium.yaml | 17 ++ docs/basic_sample_inventorysample/hosts.yml | 9 + docs/development.md | 5 + .../manifests/manifest-example.yaml | 0 .../sample_files}/registries.yaml | 0 .../sample_files}/tarball_install/README.md | 0 docs/tarball_install.md | 0 docs/usage.md | 252 ++++++++++++++++++ requirements.yml | 3 - site.yml | 2 +- 17 files changed, 339 insertions(+), 30 deletions(-) rename {sample_files => docs/advanced_sample_inventory/files}/audit-policy.yaml (100%) rename {sample_files => docs/advanced_sample_inventory/files}/pod-security-admission-config.yaml (100%) create mode 100644 docs/advanced_sample_inventory/group_vars/all.yaml create mode 100644 docs/advanced_sample_inventory/group_vars/rke2_servers.yaml create mode 100644 docs/advanced_sample_inventory/hosts.yml create mode 100644 docs/advanced_sample_inventory/post-deploy-manifests/cert-manager.yaml create mode 100644 docs/advanced_sample_inventory/pre-deploy-manifests/cilium.yaml create mode 100644 docs/basic_sample_inventorysample/hosts.yml create mode 100644 docs/development.md rename {sample_files => docs/sample_files}/manifests/manifest-example.yaml (100%) rename {sample_files => docs/sample_files}/registries.yaml (100%) rename {sample_files => docs/sample_files}/tarball_install/README.md (100%) create mode 100644 docs/tarball_install.md create mode 100644 docs/usage.md delete mode 100644 requirements.yml diff --git a/README.md b/README.md index d1789905..fae328ea 100644 --- a/README.md +++ b/README.md 
@@ -31,7 +31,7 @@ Ansible RKE2 (RKE Government) Playbook --------- [![LINT](https://github.com/rancherfederal/rke2-ansible/actions/workflows/ci.yml/badge.svg)](https://github.com/rancherfederal/rke2-ansible/actions/workflows/ci.yml) -RKE2, also known as RKE Government, is Rancher's next-generation Kubernetes distribution. This Ansible playbook installs RKE2 for both the control plane and workers. +RKE2, also known as RKE Government, is Rancher's next-generation Kubernetes distribution. This Ansible playbook installs RKE2 for both the control plane and workers. See the [docs](https://docs.rke2.io/) more information about [RKE Government](https://docs.rke2.io/). @@ -49,20 +49,10 @@ Supported Operating Systems: System requirements ------------------- - Deployment environment must have Ansible 2.9.0+ -Server and agent nodes must have passwordless SSH access - Usage ----- - -This playbook requires ansible.utils to run properly. Please see https://docs.ansible.com/ansible/latest/galaxy/user_guide.html#installing-a-collection-from-galaxy for more information about how to install this. - -``` -ansible-galaxy collection install -r requirements.yml -``` - Create a new directory based on the `sample` directory within the `inventory` directory: ```bash 
@@ -94,32 +84,28 @@ Start provisioning of the cluster using the following command: ```bash ansible-playbook site.yml -i inventory/my-cluster/hosts.yml -``` +``` + +More detailed information can be found [here](./docs/usage.md) -Tarball Install/Air-Gap Install -------------------------------- -Added the neeed files to the [tarball_install](tarball_install/) directory. -Further info can be found [here](tarball_install/README.md) +Tarball Install/Air-Gap Install +------------------------------- +Air-Gap/Tarball install information can be found [here](./docs/tarball_install.md) Kubeconfig ---------- +The root user will have the `kubeconfig` and `kubectl` made available, to access your cluster login into any server node and `kubectl` will be available for use immideatly. -To get access to your **Kubernetes** cluster just - -```bash -ssh ec2-user@rke2_kubernetes_api_server_host "sudo /var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml get nodes" -``` - -Available configurations ------------------------- +Available configurations +------------------------ Variables should be set in `inventory/cluster/group_vars/rke2_agents.yml` and `inventory/cluster/group_vars/rke2_servers.yml`. See sample variables in `inventory/sample/group_vars` for reference. -Uninstall RKE2 ---------------- +Uninstall RKE2 +--------------- Note: Uninstalling RKE2 deletes the cluster data and all of the scripts. The offical documentation for fully uninstalling the RKE2 cluster can be found in the [RKE2 Documentation](https://docs.rke2.io/install/uninstall/). diff --git a/sample_files/audit-policy.yaml b/docs/advanced_sample_inventory/files/audit-policy.yaml similarity index 100% rename from sample_files/audit-policy.yaml rename to docs/advanced_sample_inventory/files/audit-policy.yaml 
diff --git a/sample_files/pod-security-admission-config.yaml b/docs/advanced_sample_inventory/files/pod-security-admission-config.yaml similarity index 100% rename from sample_files/pod-security-admission-config.yaml rename to docs/advanced_sample_inventory/files/pod-security-admission-config.yaml diff --git a/docs/advanced_sample_inventory/group_vars/all.yaml b/docs/advanced_sample_inventory/group_vars/all.yaml new file mode 100644 index 00000000..64107abc --- /dev/null +++ b/docs/advanced_sample_inventory/group_vars/all.yaml @@ -0,0 +1,3 @@ +rke2_install_version: v1.29.12+rke2r1 +cluster_rke2_config: + selinux: true \ No newline at end of file diff --git a/docs/advanced_sample_inventory/group_vars/rke2_servers.yaml b/docs/advanced_sample_inventory/group_vars/rke2_servers.yaml new file mode 100644 index 00000000..6f19fa88 --- /dev/null +++ b/docs/advanced_sample_inventory/group_vars/rke2_servers.yaml @@ -0,0 +1,17 @@ +rke2_pod_security_admission_config_file_path: "{{ playbook_dir }}/docs/advanced_sample_inventory/files/pod-security-admission-config.yaml" +rke2_audit_policy_config_file_path: "{{ playbook_dir }}/docs/advanced_sample_inventory/files/audit-policy.yaml" +rke2_manifest_config_directory: "{{ playbook_dir }}/docs/advanced_sample_inventory/pre-deploy-manifests/" +rke2_manifest_config_post_run_directory: "{{ playbook_dir }}/docs/advanced_sample_inventory/post-deploy-manifests/" + +group_rke2_config: + # Use Cilium as the CNI + cni: + - cilium + # Cilium will replace this + disable-kube-proxy: true + profile: cis + pod-security-admission-config-file: /etc/rancher/rke2/pod-security-admission-config.yaml + audit-policy-file: /etc/rancher/rke2/audit-policy.yaml + kube-apiserver-arg: + - audit-policy-file=/etc/rancher/rke2/audit-policy.yaml + - audit-log-path=/var/lib/rancher/rke2/server/logs/audit.log \ No newline at end of file 
diff --git a/docs/advanced_sample_inventory/hosts.yml b/docs/advanced_sample_inventory/hosts.yml new file mode 100644 index 00000000..e6bd01c4 --- /dev/null +++ b/docs/advanced_sample_inventory/hosts.yml @@ -0,0 +1,9 @@ +--- +rke2_cluster: + children: + rke2_servers: + hosts: + server0.example.com: + rke2_agents: + hosts: + agent0.example.com: diff --git a/docs/advanced_sample_inventory/post-deploy-manifests/cert-manager.yaml b/docs/advanced_sample_inventory/post-deploy-manifests/cert-manager.yaml new file mode 100644 index 00000000..408af96d --- /dev/null +++ b/docs/advanced_sample_inventory/post-deploy-manifests/cert-manager.yaml @@ -0,0 +1,14 @@ +apiVersion: helm.cattle.io/v1 +kind: HelmChart +metadata: + name: jetstack + namespace: kube-system +spec: + repo: https://charts.jetstack.io + chart: cert-manager + version: v1.16.2 + targetNamespace: cert-manager + createNamespace: true + valuesContent: |- + crds: + enabled: true diff --git a/docs/advanced_sample_inventory/pre-deploy-manifests/cilium.yaml b/docs/advanced_sample_inventory/pre-deploy-manifests/cilium.yaml new file mode 100644 index 00000000..cb5a7a53 --- /dev/null +++ b/docs/advanced_sample_inventory/pre-deploy-manifests/cilium.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: helm.cattle.io/v1 +kind: HelmChartConfig +metadata: + name: rke2-cilium + namespace: kube-system +spec: + valuesContent: |- + kubeProxyReplacement: true + k8sServiceHost: 127.0.0.1 + k8sServicePort: 6443 + bpf: + masquerade: true + preallocateMaps: true + tproxy: true + bpfClockProbe: true + diff --git a/docs/basic_sample_inventorysample/hosts.yml b/docs/basic_sample_inventorysample/hosts.yml new file mode 100644 index 00000000..e6bd01c4 --- /dev/null +++ b/docs/basic_sample_inventorysample/hosts.yml @@ -0,0 +1,9 @@ +--- +rke2_cluster: + children: + rke2_servers: + hosts: + server0.example.com: + rke2_agents: + hosts: + agent0.example.com: diff --git a/docs/development.md b/docs/development.md new file mode 100644 index 00000000..b5ab56f8 
--- /dev/null +++ b/docs/development.md @@ -0,0 +1,5 @@ +This playbook requires ansible.utils to run properly. Please see https://docs.ansible.com/ansible/latest/galaxy/user_guide.html#installing-a-collection-from-galaxy for more information about how to install this. + +``` +ansible-galaxy collection install -r requirements.yml +``` \ No newline at end of file diff --git a/sample_files/manifests/manifest-example.yaml b/docs/sample_files/manifests/manifest-example.yaml similarity index 100% rename from sample_files/manifests/manifest-example.yaml rename to docs/sample_files/manifests/manifest-example.yaml diff --git a/sample_files/registries.yaml b/docs/sample_files/registries.yaml similarity index 100% rename from sample_files/registries.yaml rename to docs/sample_files/registries.yaml diff --git a/sample_files/tarball_install/README.md b/docs/sample_files/tarball_install/README.md similarity index 100% rename from sample_files/tarball_install/README.md rename to docs/sample_files/tarball_install/README.md diff --git a/docs/tarball_install.md b/docs/tarball_install.md new file mode 100644 index 00000000..e69de29b diff --git a/docs/usage.md b/docs/usage.md new file mode 100644 index 00000000..5dac5c97 --- /dev/null +++ b/docs/usage.md 
@@ -0,0 +1,252 @@ +# Table of Contents +- [Table of Contents](#table-of-contents) +- [Basic Usage](#basic-usage) + - [Cloning](#cloning) + - [Importing](#importing) +- [Defining Your Cluster](#defining-your-cluster) + - [Minimal Cluster Inventory](#minimal-cluster-inventory) + - [Structuring Your Variable Files](#structuring-your-variable-files) + - [Enabling SELinux](#enabling-selinux) + - [Enabling CIS Modes](#enabling-cis-modes) + - [Special Variables](#special-variables) + - [RKE2 Config Variables](#rke2-config-variables) + - [Defining a PSA Config](#defining-a-psa-config) + - [Example](#example) + - [Defining an Audit Policy](#defining-an-audit-policy) + - [Example](#example-1) + - [Adding Additional Cluster Manifests](#adding-additional-cluster-manifests) + - [Pre-Deploy Example](#pre-deploy-example) + - [Post-Deploy Example](#post-deploy-example) + - [rke2\_install\_version](#rke2_install_version) +- [Examples](#examples) + +# Basic Usage +There are two methods for consuming this repository, one is to simply clone the repository and edit it as neccessary, the other is to import it as a collection, both options are detailed below. + +> [!NOTE]Airgap/Tarball Instructions +> If you are looking for airgap or tarball installation instructions, please go [here](./tarball_install.md) + +## Cloning +The simplest method for using this repository (as detailed in the main README.md) is to simply clone the repository and copy the sample inventory. + + +## Importing +The second method for using this project is to import it as a collection in your own `requirements.yaml` as this repository does contain a `galaxy.yaml`. 
To import it add the following to your `galaxy.yaml`: +```yaml +collections: + - name: rancherfederal.rke2-ansible + source: git@github.com:rancherfederal/rke2-ansible.git + type: git + version: main +``` +Then you can call the RKE2 role in a play like so: +```yaml +--- +- name: RKE2 play + hosts: all + any_errors_fatal: True + roles: + - role: rancherfederal.rke2_ansible.rke2 +``` + + +# Defining Your Cluster +This repository is not intended to be opinionated and as a rersult it is important you to have read and understand the [RKE2 docs](https://docs.rke2.io/) before moving forward, this documentation is not intended to be an exhaustive explanation of all possible RKE2 configuration options, it is up to the end user to ensure their options are valid. + + +## Minimal Cluster Inventory +The most basic inventory file contains nothing more than your hosts, see below: +```yaml +--- +rke2_cluster: + children: + rke2_servers: + hosts: + server0.example.com: + rke2_agents: + hosts: + agent0.example.com: +``` +This is the simplest possible inventory file and will deploy the latest available version of RKE2 with only default settings. + + +## Structuring Your Variable Files +Configurations and variables can become lengthy annd unwieldy, as a general note of advice it is best to move variables into a `group_vars` folder. +``` +./inventory +├── Cluser_A +│   ├── group_vars +│   │   ├── all.yml +│   │   ├── rke2_agents.yml +│   │   └── rke2_servers.yml +│   └── hosts.yml +└── Cluser_B + ├── group_vars + │   ├── all.yml + │   ├── rke2_agents.yml + │   └── rke2_servers.yml + └── hosts.yml + +5 directories, 8 files +``` + + +## Enabling SELinux +Enabling SELinux in the playbook requires `seliux: true` be set in either the cluster, group, or host level config profiles (Please see [Special Variables](#special-variables) for more info). 
Though generally this should be set at the cluster and can be done like so: +```yaml +--- +all: + vars: + cluster_rke2_config: + selinux: true +``` +For more information please see the RKE2 documentation, [here](https://docs.rke2.io/security/selinux). + + +## Enabling CIS Modes +Enabling the CIS tasks in the playbook requires a CIS profile be added to the ansible variables file. This can be placed in either the cluster, or group level config profiles (Please see [Special Variables](#special-variables) for more info). Below is an example, in the example the CIS profile is set at the group level, this ensures all server nodes run the CIS hardening profile tasks. +```yaml +rke2_cluster: + children: + rke2_servers: + vars: + group_rke2_config: + profile: cis +``` +For more information please see the RKE2 documentation, [here](https://docs.rke2.io/security/hardening_guide). + + +## Special Variables +In general this repository has attempted to move away from special or "magic" variables, however some are unavoidable, the (non-exhaustive) list of variables is below: + - `all.vars.rke2_install_version`: This defines what version of RKE2 to install + - `rke2_cluster.children.rke2_servers.vars.hosts..node_labels`: Defines a list of node labels for a specific server node + - `rke2_cluster.children.rke2_agents.vars.hosts..node_labels`: Defines a list of node labels for a specific agent node + + +### RKE2 Config Variables +There are three levels an RKE2 config variables can be placed in, that is `cluster_rke2_config`, `group_rke2_config`, and `host_rke2_config`. 
+ - `all.vars.cluster_rke2_config`: Defines common RKE2 config options for the whole cluster + - `rke2_cluster.children.rke2_servers.vars.group_rke2_config`: Defines common RKE2 config options for the `rke2_servers` group + - `rke2_cluster.children.rke2_agents.vars.group_rke2_config`: Defines common RKE2 config options for the `rke2_agents` group + - `rke2_cluster.children.rke2_servers.vars.hosts..host_rke2_config`: Defines a list of node labels for a specific agent node + - `rke2_cluster.children.rke2_agents.vars.hosts..host_rke2_config`: Defines a list of node labels for a specific agent node + +> [!NOTE] +> Through the rest of these docs you may see references to `rke2_servers.yaml`, this is the group vars file for rke2_servers. This is functionally equivalent to `rke2_cluster.children.rke2_servers.vars`. References to `rke2_agents.yaml` is functionally equivalent to `rke2_cluster.children.rke2_agents.vars` + +It is important to understand these variables here are not special in the sense that they enable or disable certain functions in the RKE2 role, with one notable exception being the `profile` key. These variables are special in the sense that they will be condensed into a single config file on each node. Each node will end up with a merged config file comprised of `cluster_rke2_config`, `group_rke2_config`, and `host_rke2_config`. + +### Defining a PSA Config +In order to define a PSA config, server nodes will need to have the `rke2_pod_security_admission_config_file_path` variable defined, then the `pod-security-admission-config-file` will need to be defined in the rke2_config variable at the relevant level (please see [RKE Config Variables](#rke2-config-variables)). 
+ +#### Example +Below is an example of how this can be defined at the server group level (`rke2_cluster.children.rke2_servers.vars`): + +__rke2_servers.yaml:__ +```yaml +--- +rke2_pod_security_admission_config_file_path: "{{ playbook_dir }}/docs/advanced_sample_inventory/files/pod-security-admission-config.yaml" +group_rke2_config: + pod-security-admission-config-file: /etc/rancher/rke2/pod-security-admission-config.yaml +``` + + +### Defining an Audit Policy +In order to define a audit policy config, server nodes will need to have the `rke2_audit_policy_config_file_path` variable defined, then the `audit-policy-file` will need to be defined in the rke2_config variable at the relevant level (please see [RKE Config Variables](#rke2-config-variables)). + +#### Example +Below is an example of how this can be defined at the server group level (`rke2_cluster.children.rke2_servers.vars`): + +__rke2_servers.yaml:__ +```yaml +rke2_audit_policy_config_file_path: "{{ playbook_dir }}/docs/advanced_sample_inventory/files/audit-policy.yaml" +group_rke2_config: + audit-policy-file: /etc/rancher/rke2/audit-policy.yaml + kube-apiserver-arg: + - audit-policy-file=/etc/rancher/rke2/audit-policy.yaml + - audit-log-path=/var/lib/rancher/rke2/server/logs/audit.log +``` + + +### Adding Additional Cluster Manifests +If you have a cluster that needs extra manifests to be deployed or the cluster needs a ciritical component to be configured RKE2's "HelmChartConfig" is an available option (among others). The Ansible repository supports the use of these configuration files, simply place them in a folder and give Ansible the path to the folder, Ansible will enumarte the files and place them on the first server node. 
+ +There are two variables that control the deployment of manifests to the server nodes: + - `rke2_manifest_config_directory` + - `rke2_manifest_config_post_run_directory` + +The first variable is used to deploy manifest to the server nodes before starting the RKE2 server process, this ensures critical components (like the CNI) can be configured when the RKE2 server process starts. The second, ensures applications are deployed after the RKE2 server process starts. There are examples of both below. + +#### Pre-Deploy Example +The example used is configuring Cilium with the kube-proxy replacement enabled a fairly common use case: + +> [!WARNING] +> If this option is used you must provide a `become` password and this must be the password for the local host running the Ansible playbook. The playbook is looking for this directory on the localhost, and will run as root. This imposes some limitations, if you are using an SSH password to login to remote systems (typical for STIG'd clusters) the `become` password must be the same for the cluster nodes AND localhost. + +__rke2_servers.yaml:__ +For this example to work kube proxy needs to be disabled, and the Cilium CNI needs to be enabled. +```yaml +rke2_manifest_config_directory: "{{ playbook_dir }}/docs/advanced_sample_inventory/pre-deploy-manifests/" +group_rke2_config: + # Use Cilium as the CNI + cni: + - cilium + # Cilium will replace this + disable-kube-proxy: true +``` + +__cilium.yaml:__ +This file should be placed in the directory you intend to upload to the server node, in the example above that is `{{ playbook_dir }}/docs/advanced_sample_inventory/pre-deploy-manifests/`. 
+```yaml +--- +apiVersion: helm.cattle.io/v1 +kind: HelmChartConfig +metadata: + name: rke2-cilium + namespace: kube-system +spec: + valuesContent: |- + kubeProxyReplacement: true + k8sServiceHost: 127.0.0.1 + k8sServicePort: 6443 + bpf: + masquerade: true + preallocateMaps: true + tproxy: true + bpfClockProbe: true +``` + +#### Post-Deploy Example +In the example below cert-manager is auto deployed after the RKE2 server process is started. +__rke2_servers.yaml:__ +```yaml +rke2_manifest_config_post_run_directory: "{{ playbook_dir }}/docs/advanced_sample_inventory/post-deploy-manifests/" +``` + +This file should be placed in the directory you intend to upload to the server node, in the example above that is `{{ playbook_dir }}/docs/advanced_sample_inventory/pre-deploy-manifests/`. +__cert-manager.yaml__ +```yaml +--- +apiVersion: helm.cattle.io/v1 +kind: HelmChart +metadata: + name: jetstack + namespace: kube-system +spec: + repo: https://charts.jetstack.io + chart: cert-manager + version: v1.16.2 + targetNamespace: cert-manager + createNamespace: true + valuesContent: |- + crds: + enabled: true +``` + + +### rke2_install_version +A version of RKE2 can be selected to be installed via the `all.vars.rke2_install_version` variable + + +# Examples +There are two examples provided in this folder, "basic_sample_inventory", and "advanced_sample_inventory". The basic example is the simplest possible example, the advanced example is all of the options explained above in one example. \ No newline at end of file diff --git a/requirements.yml b/requirements.yml deleted file mode 100644 index 4a0d0c30..00000000 --- a/requirements.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -collections: - - name: ansible.utils diff --git a/site.yml b/site.yml index 9d204c83..7fd240e6 100644 --- a/site.yml +++ b/site.yml @@ -3,6 +3,6 @@ - name: RKE2 play hosts: all any_errors_fatal: true - # become: true + become: true roles: - role: rke2 
From a444c5e10b9c2da3bf3cc1025212469081b84b58 Mon Sep 17 00:00:00 2001 From: jacob Date: Fri, 3 Jan 2025 15:36:40 -0600 Subject: [PATCH 02/13] Update tarball docs --- .../hosts.yml | 0 docs/development.md | 5 ++ .../manifests/manifest-example.yaml | 28 ---------- docs/sample_files/tarball_install/README.md | 32 ----------- docs/tarball_install.md | 54 +++++++++++++++++++ .../group_vars/all.yaml | 3 ++ docs/tarball_install_sample/hosts.yml | 9 ++++ docs/usage.md | 2 +- 8 files changed, 72 insertions(+), 61 deletions(-) rename docs/{basic_sample_inventorysample => basic_sample_inventory}/hosts.yml (100%) delete mode 100644 docs/sample_files/manifests/manifest-example.yaml delete mode 100644 docs/sample_files/tarball_install/README.md create mode 100644 docs/tarball_install_sample/group_vars/all.yaml create mode 100644 docs/tarball_install_sample/hosts.yml diff --git a/docs/basic_sample_inventorysample/hosts.yml b/docs/basic_sample_inventory/hosts.yml similarity index 100% rename from docs/basic_sample_inventorysample/hosts.yml rename to docs/basic_sample_inventory/hosts.yml diff --git a/docs/development.md b/docs/development.md index b5ab56f8..2bc1f224 100644 --- a/docs/development.md +++ b/docs/development.md @@ -1,3 +1,8 @@ +# Table of Contents +- [Table of Contents](#table-of-contents) +- [Dependencies](#dependencies) + +# Dependencies This playbook requires ansible.utils to run properly. Please see https://docs.ansible.com/ansible/latest/galaxy/user_guide.html#installing-a-collection-from-galaxy for more information about how to install this. ``` diff --git a/docs/sample_files/manifests/manifest-example.yaml b/docs/sample_files/manifests/manifest-example.yaml deleted file mode 100644 index 64a1db69..00000000 --- a/docs/sample_files/manifests/manifest-example.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -# See https://docs.rke2.io/helm/ -# In this directory "manifest" you can add every kubernetes .yaml file that you will add to your rke2 cluster. -# "kubectl apply" every file on this directory - -# See https://docs.rke2.io/install/network_options/#canal-options -# You can also override pre-install helm chart like canal, nginx-ingress, etc. - -# Example from https://docs.rke2.io/helm/#using-the-helm-crd - -# apiVersion: helm.cattle.io/v1 -# kind: HelmChart -# metadata: -# name: grafana -# namespace: kube-system -# spec: -# chart: stable/grafana -# targetNamespace: monitoring -# set: -# adminPassword: "NotVerySafePassword" -# valuesContent: |- -# image: -# tag: master -# env: -# GF_EXPLORE_ENABLED: true -# adminUser: admin -# sidecar: -# datasources: -# enabled: true diff --git a/docs/sample_files/tarball_install/README.md b/docs/sample_files/tarball_install/README.md deleted file mode 100644 index b567f9ff..00000000 --- a/docs/sample_files/tarball_install/README.md +++ /dev/null 
@@ -1,32 +0,0 @@ - -``` - , , _______________________________ - ,-----------|'------'| | | - /. '-' |-' |_____________________________| - |/| | | - | .________.'----' _______________________________ - | || | || | | - \__|' \__|' |_____________________________| - -|‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾| -|________________________________________________________| - -|‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾| -|________________________________________________________| -``` -# Air-Gap Install - -RKE2 can be installed in an air-gapped environment with two different methods. You can either deploy via the rke2-airgap-images tarball release artifact, or by using a private registry. - -All files mentioned in the steps can be obtained from the assets of the desired released rke2 version [here](https://github.com/rancher/rke2/releases). - -If running on an SELinux enforcing air-gapped node, you must first install the necessary SELinux policy RPM before performing these steps. See our [RPM Documentation](https://docs.rke2.io/install/methods/#rpm) to determine what you need. - -# Tarball Method -This ansible playbook will detect if the `rke2-images.linux-amd64.tar.zst` and `rke2.linux-amd64.tar.gz` files are in the tarball_install/ directory. If the files are in the directory then the install process will skip both the yum install and the need to download the tarball. - -## Images Install -If either the `rke2-images.linux-amd64.tar.zst` or `rke2-images.linux-amd64.tar.gz` files are found in the tarbarll_install/ directory then this playbook will use the images inside the tarball and not docker.io or a private registry. - -## Tarball Install -If the `rke2.linux-amd64.tar.gz` file is found in the tarball_install/ directory then this playbook will install RKE2 using that version. This will use the default docker.io registry unless the images tarball is present or unless the `system-default-registry` variable is set. 
diff --git a/docs/tarball_install.md b/docs/tarball_install.md index e69de29b..2309110d 100644 --- a/docs/tarball_install.md +++ b/docs/tarball_install.md 
@@ -0,0 +1,54 @@ +# Table of Contents +- [Table of Contents](#table-of-contents) +- [Air-Gap Install](#air-gap-install) +- [Collecting Your Resources](#collecting-your-resources) + - [Relevant Variables](#relevant-variables) + - [Tarball Install Variables](#tarball-install-variables) + - [Example](#example) + - [Image Variables](#image-variables) + - [Example](#example-1) + + +# Air-Gap Install +RKE2 can be installed in an air-gapped environment with two different methods. You can either deploy via the rke2-airgap-images tarball release artifact, or by using a private registry. + +> [!WARNING]SELinux Installs +> If running on an SELinux enforcing air-gapped node, you must first install the necessary SELinux policy RPM before performing these steps. See our [RPM Documentation](https://docs.rke2.io/install/methods/#rpm) to determine what you need. + +# Collecting Your Resources +All files mentioned in the steps can be obtained from the assets of the desired released rke2 version [here](https://github.com/rancher/rke2/releases). + +## Relevant Variables + +### Tarball Install Variables +The Ansible role looks for three variables to determine if/how the tarball installation method should run: + - `all.vars.rke2_install_tarball_url` + - `all.vars.rke2_install_local_tarball_path` + - `all.vars.rke2_force_tarball_install` + +The `rke2_install_tarball_url` looks for a tarball at the specified URL, `rke2_install_local_tarball_path` looks for a tarball at the specified local path, and `rke2_force_tarball_install` if set to True (while the previous two are set to empty strings) will force the download of the tarballs from GitHub. + +> [!WARNING] +> Currently there is no logic to prevent a user from defining both `rke2_install_tarball_url`, and `rke2_install_local_tarball_path`, you should only use one or the other, not both. 
+ +Both of these variables should contain the `rke2.linux-amd64.tar.gz` tarball available from the release page referenced in [Collecting Your Resources](#collecting-your-resources). + +#### Example +In this example the full local path is given to the RKE2 tarball like so: +__all.yaml__ +```yaml +rke2_install_local_tarball_path: "{{ playbook_dir }}/docs/tarball_install_sample/files/rke2.linux-amd64.tar.gz" +``` + +### Image Variables +The image variables need to be given as a list, as most user will need to include more than just the RKE2 image tarball. + - `all.vars.rke2_images_urls` + - `all.vars.rke2_images_local_tarball_path` + +#### Example +The example below provides only a single local item to the list, but is enough to start the cluster: +__all.yaml__ +```yaml +rke2_images_local_tarball_path: + - "{{ playbook_dir }}/docs/tarball_install_sample/files/rke2.linux-amd64.tar.gz" +``` \ No newline at end of file diff --git a/docs/tarball_install_sample/group_vars/all.yaml b/docs/tarball_install_sample/group_vars/all.yaml new file mode 100644 index 00000000..9b641c55 --- /dev/null +++ b/docs/tarball_install_sample/group_vars/all.yaml @@ -0,0 +1,3 @@ +rke2_install_local_tarball_path: "{{ playbook_dir }}/docs/tarball_install_sample/files/rke2.linux-amd64.tar.gz" +rke2_images_local_tarball_path: + - "{{ playbook_dir }}/docs/tarball_install_sample/files/rke2.linux-amd64.tar.gz" \ No newline at end of file diff --git a/docs/tarball_install_sample/hosts.yml b/docs/tarball_install_sample/hosts.yml new file mode 100644 index 00000000..e6bd01c4 --- /dev/null +++ b/docs/tarball_install_sample/hosts.yml @@ -0,0 +1,9 @@ +--- +rke2_cluster: + children: + rke2_servers: + hosts: + server0.example.com: + rke2_agents: + hosts: + agent0.example.com: diff --git a/docs/usage.md b/docs/usage.md index 5dac5c97..954155b8 100644 --- a/docs/usage.md +++ b/docs/usage.md 
@@ -23,7 +23,7 @@ # Basic Usage There are two methods for consuming this repository, one is to simply clone the repository and edit it as neccessary, the other is to import it as a collection, both options are detailed below. -> [!NOTE]Airgap/Tarball Instructions +> [!NOTE]Airgap/Tarball Instructions > If you are looking for airgap or tarball installation instructions, please go [here](./tarball_install.md) ## Cloning From 156bb6e9d2eb9cc5bcfe27473a8bc0b589399501 Mon Sep 17 00:00:00 2001 From: jacob Date: Fri, 3 Jan 2025 15:37:54 -0600 Subject: [PATCH 03/13] Github does not support titled admons --- docs/tarball_install.md | 2 +- docs/usage.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/tarball_install.md b/docs/tarball_install.md index 2309110d..1d890b4c 100644 --- a/docs/tarball_install.md +++ b/docs/tarball_install.md @@ -12,7 +12,7 @@ # Air-Gap Install RKE2 can be installed in an air-gapped environment with two different methods. You can either deploy via the rke2-airgap-images tarball release artifact, or by using a private registry. -> [!WARNING]SELinux Installs +> [!WARNING] > If running on an SELinux enforcing air-gapped node, you must first install the necessary SELinux policy RPM before performing these steps. See our [RPM Documentation](https://docs.rke2.io/install/methods/#rpm) to determine what you need. # Collecting Your Resources diff --git a/docs/usage.md b/docs/usage.md index 954155b8..5454110e 100644 --- a/docs/usage.md +++ b/docs/usage.md @@ -23,7 +23,7 @@ # Basic Usage There are two methods for consuming this repository, one is to simply clone the repository and edit it as neccessary, the other is to import it as a collection, both options are detailed below. -> [!NOTE]Airgap/Tarball Instructions +> [!NOTE] > If you are looking for airgap or tarball installation instructions, please go [here](./tarball_install.md) ## Cloning From 0883f702f5e08665e37cfdf97bea2fcfc23ea43a Mon Sep 17 00:00:00 2001 
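Review bot: The `docs/development.md` hunk in patch 02 adds a "Dependencies" heading above the unchanged line `ansible-galaxy collection install -r requirements.yml`, but `requirements.yml` was deleted in patch 01, so the instruction being promoted to its own section still cannot be run; restore `requirements.yml` or replace the command with `ansible-galaxy collection install ansible.utils`.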
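Review bot: In the new `docs/tarball_install.md` the "Image Variables" example lists `rke2_images_local_tarball_path: - ".../rke2.linux-amd64.tar.gz"`, which is the RKE2 install tarball, not an images tarball; the README deleted in this same patch named the images artifact `rke2-images.linux-amd64.tar.zst`, so the example (and the identical entry in `docs/tarball_install_sample/group_vars/all.yaml`) should point at that file or the cluster will start with no preloaded images. The WARNING that nothing stops a user defining both `rke2_install_tarball_url` and `rke2_install_local_tarball_path` describes a gap that is cheap to close with an `ansible.builtin.assert` on the two variables rather than leaving it as documentation. For `rke2_install_tarball_url`, which fetches an installer from an arbitrary URL, the page says nothing about verifying the download; the RKE2 release page linked under "Collecting Your Resources" publishes checksum files, so document (or implement) a checksum check before the tarball is unpacked on a server node. Also, the deleted README sentence about `system-default-registry` and the private-registry alternative is not carried over, leaving that install path undocumented; the "Relevant Variables" heading has no body; and "most user" should be "most users".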
From: Jacob Hanafin Date: Mon, 6 Jan 2025 08:48:45 -0600 Subject: [PATCH 04/13] Clear some lint issues --- .../files/pod-security-admission-config.yaml | 5 ----- docs/advanced_sample_inventory/group_vars/all.yaml | 5 +++-- .../advanced_sample_inventory/group_vars/rke2_servers.yaml | 7 ++++--- .../post-deploy-manifests/cert-manager.yaml | 1 + .../pre-deploy-manifests/cilium.yaml | 1 - docs/tarball_install_sample/group_vars/all.yaml | 5 +++-- 6 files changed, 11 insertions(+), 13 deletions(-) diff --git a/docs/advanced_sample_inventory/files/pod-security-admission-config.yaml b/docs/advanced_sample_inventory/files/pod-security-admission-config.yaml index 6aaaa5a8..fbde7fa1 100644 --- a/docs/advanced_sample_inventory/files/pod-security-admission-config.yaml +++ b/docs/advanced_sample_inventory/files/pod-security-admission-config.yaml @@ -1,8 +1,3 @@ -# This sample list was generated from: -# https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates#exempting-required-rancher-namespaces -# For security reasons, this list should be as concise as possible -# only include active namespaces that need to be except from a restricted profile. - --- apiVersion: apiserver.config.k8s.io/v1 kind: AdmissionConfiguration diff --git a/docs/advanced_sample_inventory/group_vars/all.yaml b/docs/advanced_sample_inventory/group_vars/all.yaml index 64107abc..1ee2ec2a 100644 --- a/docs/advanced_sample_inventory/group_vars/all.yaml +++ b/docs/advanced_sample_inventory/group_vars/all.yaml @@ -1,3 +1,4 @@ -rke2_install_version: v1.29.12+rke2r1 +--- +rke2_install_version: v1.29.12+rke2r1 cluster_rke2_config: - selinux: true \ No newline at end of file + selinux: true diff --git a/docs/advanced_sample_inventory/group_vars/rke2_servers.yaml b/docs/advanced_sample_inventory/group_vars/rke2_servers.yaml index 6f19fa88..b4928a8a 100644 --- a/docs/advanced_sample_inventory/group_vars/rke2_servers.yaml 
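Review bot: the `pod-security-admission-config.yaml` hunk deletes the header comment that warns the exemption list should stay as concise as possible and include only active namespaces that need to be exempt from the restricted profile; yamllint only objects to content before the `---` document start, so move the comment below the `---` line instead of dropping it. The link to the Rancher PSA template is also the only record of where that namespace list came from and should survive for the same reason.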
+++ b/docs/advanced_sample_inventory/group_vars/rke2_servers.yaml @@ -1,3 +1,4 @@ +--- rke2_pod_security_admission_config_file_path: "{{ playbook_dir }}/docs/advanced_sample_inventory/files/pod-security-admission-config.yaml" rke2_audit_policy_config_file_path: "{{ playbook_dir }}/docs/advanced_sample_inventory/files/audit-policy.yaml" rke2_manifest_config_directory: "{{ playbook_dir }}/docs/advanced_sample_inventory/pre-deploy-manifests/" @@ -9,9 +10,9 @@ group_rke2_config: - cilium # Cilium will replace this disable-kube-proxy: true - profile: cis - pod-security-admission-config-file: /etc/rancher/rke2/pod-security-admission-config.yaml + profile: cis + pod-security-admission-config-file: /etc/rancher/rke2/pod-security-admission-config.yaml audit-policy-file: /etc/rancher/rke2/audit-policy.yaml kube-apiserver-arg: - audit-policy-file=/etc/rancher/rke2/audit-policy.yaml - - audit-log-path=/var/lib/rancher/rke2/server/logs/audit.log \ No newline at end of file + - audit-log-path=/var/lib/rancher/rke2/server/logs/audit.log diff --git a/docs/advanced_sample_inventory/post-deploy-manifests/cert-manager.yaml b/docs/advanced_sample_inventory/post-deploy-manifests/cert-manager.yaml index 408af96d..332c0a29 100644 --- a/docs/advanced_sample_inventory/post-deploy-manifests/cert-manager.yaml +++ b/docs/advanced_sample_inventory/post-deploy-manifests/cert-manager.yaml @@ -1,3 +1,4 @@ +--- apiVersion: helm.cattle.io/v1 kind: HelmChart metadata: diff --git a/docs/advanced_sample_inventory/pre-deploy-manifests/cilium.yaml b/docs/advanced_sample_inventory/pre-deploy-manifests/cilium.yaml index cb5a7a53..7295e61a 100644 --- a/docs/advanced_sample_inventory/pre-deploy-manifests/cilium.yaml +++ b/docs/advanced_sample_inventory/pre-deploy-manifests/cilium.yaml @@ -14,4 +14,3 @@ spec: preallocateMaps: true tproxy: true bpfClockProbe: true - diff --git a/docs/tarball_install_sample/group_vars/all.yaml b/docs/tarball_install_sample/group_vars/all.yaml index 9b641c55..cee14398 100644 
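Review bot: in the `rke2_servers.yaml` hunk the audit policy is wired twice, once through the top-level `audit-policy-file: /etc/rancher/rke2/audit-policy.yaml` key and again through `kube-apiserver-arg: - audit-policy-file=/etc/rancher/rke2/audit-policy.yaml`; keep one (the top-level key is the documented RKE2 server flag) so the two cannot drift apart. `audit-log-path` is set with no `audit-log-maxage`, `audit-log-maxbackup` or `audit-log-maxsize`, so unless the sample is relying on `profile: cis` to supply rotation defaults the audit log grows unbounded on the server's disk; either state that reliance in a comment or add the three flags so the sample is safe to copy.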
--- a/docs/tarball_install_sample/group_vars/all.yaml +++ b/docs/tarball_install_sample/group_vars/all.yaml @@ -1,3 +1,4 @@ +--- rke2_install_local_tarball_path: "{{ playbook_dir }}/docs/tarball_install_sample/files/rke2.linux-amd64.tar.gz" -rke2_images_local_tarball_path: - - "{{ playbook_dir }}/docs/tarball_install_sample/files/rke2.linux-amd64.tar.gz" \ No newline at end of file +rke2_images_local_tarball_path: + - "{{ playbook_dir }}/docs/tarball_install_sample/files/rke2.linux-amd64.tar.gz" From c3954de38d22d48420fe07177683a460b670f134 Mon Sep 17 00:00:00 2001 From: Jacob Hanafin Date: Mon, 6 Jan 2025 09:12:35 -0600 Subject: [PATCH 05/13] Clear some galaxy errors --- changelogs/changelog.yml | 2 ++ galaxy.yml | 2 +- meta/runtime.yml | 2 ++ 3 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 changelogs/changelog.yml create mode 100644 meta/runtime.yml diff --git a/changelogs/changelog.yml b/changelogs/changelog.yml new file mode 100644 index 00000000..15b5bf67 --- /dev/null +++ b/changelogs/changelog.yml @@ -0,0 +1,2 @@ +--- +releases: {} \ No newline at end of file diff --git a/galaxy.yml b/galaxy.yml index 4e52df6b..f490b4b3 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -1,7 +1,7 @@ --- namespace: rancherfederal name: rke2_ansible -version: 1.0.0 +version: 2.0.0 readme: README.md authors: - Rancher Government diff --git a/meta/runtime.yml b/meta/runtime.yml new file mode 100644 index 00000000..8a761249 --- /dev/null +++ b/meta/runtime.yml @@ -0,0 +1,2 @@ +--- +requires_ansible: ">=2.10" \ No newline at end of file From a785925903b67f7a86864b409da1f1bab096f2cc Mon Sep 17 00:00:00 2001 From: Jacob Hanafin Date: Mon, 6 Jan 2025 09:15:12 -0600 Subject: [PATCH 06/13] Clear some new lint issues --- changelogs/changelog.yml | 2 +- meta/runtime.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/changelogs/changelog.yml b/changelogs/changelog.yml index 15b5bf67..52e7f388 100644 --- a/changelogs/changelog.yml 
+++ b/changelogs/changelog.yml @@ -1,2 +1,2 @@ --- -releases: {} \ No newline at end of file +releases: {} diff --git a/meta/runtime.yml b/meta/runtime.yml index 8a761249..4f8988b5 100644 --- a/meta/runtime.yml +++ b/meta/runtime.yml @@ -1,2 +1,2 @@ --- -requires_ansible: ">=2.10" \ No newline at end of file +requires_ansible: ">=2.10" From 213a05c262bf5b54c0c829cd935a8089dc0db3a1 Mon Sep 17 00:00:00 2001 From: Jacob Hanafin Date: Mon, 6 Jan 2025 09:19:30 -0600 Subject: [PATCH 07/13] Fix ansible semver string --- meta/runtime.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/runtime.yml b/meta/runtime.yml index 4f8988b5..7d868341 100644 --- a/meta/runtime.yml +++ b/meta/runtime.yml @@ -1,2 +1,2 @@ --- -requires_ansible: ">=2.10" +requires_ansible: ">=2.10.0" From 7b3f1009715a5f9a441686f51e61c60e78f92b11 Mon Sep 17 00:00:00 2001 From: Jacob Hanafin Date: Mon, 6 Jan 2025 09:28:06 -0600 Subject: [PATCH 08/13] Use a supported ansible version --- meta/runtime.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/runtime.yml b/meta/runtime.yml index 7d868341..a764a086 100644 --- a/meta/runtime.yml +++ b/meta/runtime.yml @@ -1,2 +1,2 @@ --- -requires_ansible: ">=2.10.0" +requires_ansible: ">=2.17.0" From 3865ff96947e48fcc8d771986ae73deb5da3ac99 Mon Sep 17 00:00:00 2001 From: Jacob Hanafin Date: Mon, 6 Jan 2025 15:51:18 -0600 Subject: [PATCH 09/13] Update file and folder names --- README.md | 2 +- docs/{usage.md => README.md} | 0 .../group_vars/all.yaml | 0 .../hosts.yml | 0 4 files changed, 1 insertion(+), 1 deletion(-) rename docs/{usage.md => README.md} (100%) rename docs/{tarball_install_sample => tarball_sample_inventory}/group_vars/all.yaml (100%) rename docs/{tarball_install_sample => tarball_sample_inventory}/hosts.yml (100%) diff --git a/README.md b/README.md index fae328ea..8cce304f 100644 --- a/README.md +++ b/README.md 
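Review bot: `galaxy.yml` jumps from `1.0.0` to `2.0.0` while `changelogs/changelog.yml` is added with `releases: {}`, so the major bump ships with no recorded breaking change; add a release entry naming what broke (the removed `inventory/sample` layout and the new `requires_ansible` floor are both candidates). PATCH 08 raises `requires_ansible` to `>=2.17.0`, but the README still reads `Deployment environment must have Ansible 2.9.0+` (visible as unchanged context in the PATCH 10 `README.md` hunk); update that line in the same series so the README and `meta/runtime.yml` agree. The three consecutive one-line commits on the same key (`>=2.10`, `>=2.10.0`, `>=2.17.0`) should be squashed before merge.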
@@ -86,7 +86,7 @@ Start provisioning of the cluster using the following command: ansible-playbook site.yml -i inventory/my-cluster/hosts.yml ``` -More detailed information can be found [here](./docs/usage.md) +More detailed information can be found [here](./docs/README.md) Tarball Install/Air-Gap Install diff --git a/docs/usage.md b/docs/README.md similarity index 100% rename from docs/usage.md rename to docs/README.md diff --git a/docs/tarball_install_sample/group_vars/all.yaml b/docs/tarball_sample_inventory/group_vars/all.yaml similarity index 100% rename from docs/tarball_install_sample/group_vars/all.yaml rename to docs/tarball_sample_inventory/group_vars/all.yaml diff --git a/docs/tarball_install_sample/hosts.yml b/docs/tarball_sample_inventory/hosts.yml similarity index 100% rename from docs/tarball_install_sample/hosts.yml rename to docs/tarball_sample_inventory/hosts.yml From 7a46a11c837c7706f144761042297c671cf70545 Mon Sep 17 00:00:00 2001 From: Jacob Hanafin Date: Wed, 8 Jan 2025 09:28:54 -0600 Subject: [PATCH 10/13] Update README instruction o inventory use --- .gitignore | 1 + README.md | 30 ++++--- ansible.cfg | 2 +- inventory/.gitignore | 4 - inventory/sample/group_vars/rke2_agents.yml | 10 --- inventory/sample/group_vars/rke2_servers.yml | 53 ------------ inventory/sample/hosts.yml | 85 -------------------- 7 files changed, 16 insertions(+), 169 deletions(-) delete mode 100644 inventory/.gitignore delete mode 100644 inventory/sample/group_vars/rke2_agents.yml delete mode 100644 inventory/sample/group_vars/rke2_servers.yml delete mode 100644 inventory/sample/hosts.yml diff --git a/.gitignore b/.gitignore index 66226d30..dc23ec9e 100644 --- a/.gitignore +++ b/.gitignore @@ -5,6 +5,7 @@ venv/ .venv/ test_inventory* +inventory* sample_files/tarball_install/* !sample_files/tarball_install/README.md \ No newline at end of file diff --git a/README.md b/README.md index 8cce304f..fc2941ff 100644 --- a/README.md +++ b/README.md 
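Review bot: the rename of `docs/tarball_install_sample/` to `docs/tarball_sample_inventory/` is recorded at `similarity index 100%`, so `group_vars/all.yaml` was moved without being edited and both `rke2_install_local_tarball_path` and `rke2_images_local_tarball_path` still resolve to `{{ playbook_dir }}/docs/tarball_install_sample/files/rke2.linux-amd64.tar.gz`, a directory that no longer exists after this commit; the examples in `docs/tarball_install.md` added in PATCH 01 carry the same stale path. Update both to the new directory name in this commit so the tarball sample works as shipped.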
@@ -53,40 +53,35 @@ Deployment environment must have Ansible 2.9.0+ Usage ----- -Create a new directory based on the `sample` directory within the `inventory` directory: +Create a new directory based on the one of the sample inventory directories within the `docs` directory: ```bash -cp -R inventory/sample inventory/my-cluster +cp -R ./docs/basic_sample_inventory ./inventory ``` -Second, edit `inventory/my-cluster/hosts.yaml` to match the system information gathered above. For example: +Second, edit `inventory/hosts.yaml` to match the system information gathered above. For example: ```yaml +--- rke2_cluster: children: rke2_servers: hosts: - server1.example.com: + server0.example.com: rke2_agents: hosts: - agent1.example.com: - agent2.example.com: - node_labels: - - agent2Label=true" -all: - vars: - install_rke2_version: v1.27.10+rke2r1 + agent0.example.com: ``` -If needed, you can also edit `inventory/my-cluster/group_vars/rke2_agents.yml` and `inventory/my-cluster/group_vars/rke2_servers.yml` to match your environment. +If needed, you can also create `inventory/group_vars/rke2_agents.yml` and `inventory/my-cluster/group_vars/rke2_servers.yml` to match your environment. Start provisioning of the cluster using the following command: ```bash -ansible-playbook site.yml -i inventory/my-cluster/hosts.yml +ansible-playbook site.yml -i inventory/hosts.yml ``` - -More detailed information can be found [here](./docs/README.md) +> [!NOTE] +> More detailed information can be found [here](./docs/README.md) Tarball Install/Air-Gap Install 
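Review bot: the rewritten usage text in this `README.md` hunk has three path inconsistencies a reader copying it will trip over: `cp -R ./docs/basic_sample_inventory ./inventory` yields `inventory/hosts.yml` (per the sample inventory), but the next sentence says to edit `inventory/hosts.yaml`; the `group_vars` sentence mixes `inventory/group_vars/rke2_agents.yml` with the old `inventory/my-cluster/group_vars/rke2_servers.yml`; and `based on the one of the sample inventory directories` needs `the` dropped. The `.gitignore` addition of `inventory*` is a good change, since a real inventory holds hostnames and any host-level secrets, but an unanchored pattern also ignores anything named `inventory*` elsewhere in the tree; write it as `/inventory*` if only the top-level directory is meant.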
@@ -101,7 +96,10 @@ The root user will have the `kubeconfig` and `kubectl` made available, to access Available configurations ------------------------ -Variables should be set in `inventory/cluster/group_vars/rke2_agents.yml` and `inventory/cluster/group_vars/rke2_servers.yml`. See sample variables in `inventory/sample/group_vars` for reference. +Variables should be set in `inventory/group_vars/rke2_agents.yml` and `inventory/group_vars/rke2_servers.yml`. + +> [!NOTE] +> More detailed information can be found [here](./docs/README.md) Uninstall RKE2 diff --git a/ansible.cfg b/ansible.cfg index a351711f..963f3c12 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,7 +1,7 @@ [defaults] nocows = True roles_path = ./roles -inventory = ./inventory/my-cluster/hosts.yml +inventory = ./inventory/hosts.yml remote_tmp = $HOME/.ansible/tmp local_tmp = $HOME/.ansible/tmp diff --git a/inventory/.gitignore b/inventory/.gitignore deleted file mode 100644 index 520c0f44..00000000 --- a/inventory/.gitignore +++ /dev/null @@ -1,4 +0,0 @@ -* -!.gitignore -!sample/ -!sample/hosts.yml diff --git a/inventory/sample/group_vars/rke2_agents.yml b/inventory/sample/group_vars/rke2_agents.yml deleted file mode 100644 index dd8c405d..00000000 --- a/inventory/sample/group_vars/rke2_agents.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- - -# Primary RKE2 agent configuration parameters. Remove the curly braces ( {} ) and add your configuration. -# See https://docs.rke2.io/install/install_options/linux_agent_config/ for all configuration options. -rke2_config: {} - # debug: false - -# See https://docs.rke2.io/install/containerd_registry_configuration/ -# Add a registry configuration file by specifying the file path on the control host -# rke2_registry_config_file_path: "{{ playbook_dir }}/sample_files/registries.yaml" diff --git a/inventory/sample/group_vars/rke2_servers.yml b/inventory/sample/group_vars/rke2_servers.yml deleted file mode 100644 index 40d7117e..00000000 
--- a/inventory/sample/group_vars/rke2_servers.yml +++ /dev/null 
@@ -1,53 +0,0 @@ ---- -# Primary RKE2 server configuration parameters. Remove the curly braces ( {} ) and add your configuration. -# See https://docs.rke2.io/install/install_options/server_config/ for all configuration options. -rke2_config: {} - -# Example of possible rke2_config. -#rke2_config: -# selinux: true -# profile: cis-1.6 -# kube-controller-manager-arg: -# - "tls-min-version=VersionTLS12" -# - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" -# kube-scheduler-arg: -# - "tls-min-version=VersionTLS12" -# - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" -# kube-apiserver-arg: -# - "tls-min-version=VersionTLS12" -# - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" -# - "enable-admission-plugins=ValidatingAdmissionWebhook,NodeRestriction,PodSecurityPolicy" -# - "request-timeout=300s" -# # Enable only when auditing is enabled, blocks API when audit fails -# #- "audit-log-mode=blocking-strict" -# -# kubelet-arg: -# - "feature-gates=DynamicKubeletConfig=false" -# - "protect-kernel-defaults=true" -# - "streaming-connection-idle-timeout=5m" -# -# # Available in RKE2 1.21 -# #etcd-extra-env: -# #- "ETCD_AUTO_TLS=false" -# #- "ETCD_PEER_AUTO_TLS=false" -# -# write-kubeconfig-mode: "0640" - - -# See https://kubernetes.io/docs/tasks/debug-application-cluster/audit/ -# Add a policy configuration file by specifying the file path on the control host -# 
rke2_audit_policy_config_file_path: "{{ playbook_dir }}/sample_files/audit-policy.yaml" - -# See https://docs.rke2.io/install/containerd_registry_configuration/ -# Add a registry configuration file by specifying the file path on the control host -# rke2_registry_config_file_path: "{{ playbook_dir }}/sample_files/registries.yaml" - -# See https://docs.rke2.io/helm/#automatically-deploying-manifests-and-helm-charts -# Add manifest files by specifying the directory path on the control host -# manifest_config_file_path: "{{ playbook_dir }}/sample_files/manifest/" - -# See https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates#exempting-required-rancher-namespaces -# Available in RKE2 1.25+ -# Add a pod security admission config file by specifying the file path on the control host -# Requires config.yaml to include `- admission-control-config-file=/etc/rancher/rke2/pod-security-admission-config.yaml` in order for this to be honored -# rke2_pod_security_admission_config_file_path: "{{ playbook_dir }}/sample_files/pod-security-admission-config.yaml" diff --git a/inventory/sample/hosts.yml b/inventory/sample/hosts.yml deleted file mode 100644 index 82aeab26..00000000 --- a/inventory/sample/hosts.yml +++ /dev/null 
@@ -1,85 +0,0 @@ ---- -all: - vars: - rke2_install_version: v1.27.10+rke2r1 - # # In air-gapped envs, it might be convenient to download the tar files from custom URLs - # rke2_install_tarball_url: https://github.com/rancher/rke2/releases/download/v1.26.15%2Brke2r1/rke2.linux-amd64.tar.gz - # rke2_image_tar_urls: - # - https://github.com/rancher/rke2/releases/download/v1.26.15%2Brke2r1/rke2-images-canal.linux-amd64.tar.zst - # - https://github.com/rancher/rke2/releases/download/v1.26.15%2Brke2r1/rke2-images-core.linux-amd64.tar.zst - - # Or specify a tarball that's been prestaged on the ansible control host - # rke2_binary_tarball: {{ inventory_dir }}/tarball/rke2.linux-amd64.tar.gz - -rke2_cluster: - children: - rke2_servers: - vars: - # # Set generic rke2_config at the group level. - # # Every host in this group will inherit these rke2 configurations - # # See https://docs.rke2.io/reference/server_config for more options - # # These options can also be set in the group_vars folder - rke2_config: - node-label: - - serverGroupLabel=true - # profile: cis-1.6 - # kube-controller-manager-arg: - # - "tls-min-version=VersionTLS12" - # - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" - # kube-scheduler-arg: - # - "tls-min-version=VersionTLS12" - # - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" - # kube-apiserver-arg: - # - "tls-min-version=VersionTLS12" - # - 
"tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" - # - "enable-admission-plugins=ValidatingAdmissionWebhook,NodeRestriction,PodSecurityPolicy" - # - "request-timeout=300s" - # # Enable only when auditing is enabled, blocks API when audit fails - # #- "audit-log-mode=blocking-strict" - # - # kubelet-arg: - # - "feature-gates=DynamicKubeletConfig=false" - # - "protect-kernel-defaults=true" - # - "streaming-connection-idle-timeout=5m" - # - # etcd-extra-env: - # - "ETCD_AUTO_TLS=false" - # - "ETCD_PEER_AUTO_TLS=false" - # - # write-kubeconfig-mode: "0640" - # # See https://kubernetes.io/docs/tasks/debug-application-cluster/audit/ - # # Add a policy configuration file by specifying the file path on the control host - # rke2_audit_policy_config_file_path: "{{ playbook_dir }}/sample_files/audit-policy.yaml" - # # See https://docs.rke2.io/install/containerd_registry_configuration/ - # # Add a registry configuration file by specifying the file path on the control host - # rke2_registry_config_file_path: "{{ playbook_dir }}/sample_files/registries.yaml" - # # See https://docs.rke2.io/helm/#automatically-deploying-manifests-and-helm-charts - # # Add manifest files by specifying the directory path on the control host - # manifest_config_file_path: "{{ playbook_dir }}/sample_files/manifest/" - hosts: - # # Optional hostvars that can be pased in to individual nodes include - # # node_ip, node_name, bind_address, advertise_address, node_taints=[], - # # node_labels=[], and node_external_ip - server0.example.com: - node_labels: - - server0Label=true - # node_ip: "10.10.10.10" - # node_name: "server0.example.com" - # bind_address: "10.10.10.10" - # advertise_address: "10.10.10.10" - # node_external_ip: "52.52.52.52" - # node_taints: - # - CriticalAddonsOnly=true:NoSchedule - # 
cloud_provider_name: "aws" - rke2_agents: - vars: - rke2_config: - node-label: - - agentGroupLabel=true - hosts: - agent0.example.com: - node_labels: - - agent0Label=true - agent1.example.com: - node_labels: - - agent1Label=true From 315b9dfad2d0fe523be572475d79037eb0d2f53d Mon Sep 17 00:00:00 2001 From: Jacob Hanafin Date: Wed, 8 Jan 2025 11:25:08 -0600 Subject: [PATCH 11/13] Add vale linting, normalized file extensions, and doc tweaks --- .../vale/Readability/AutomatedReadability.yml | 8 +++ .github/vale/Readability/ColemanLiau.yml | 8 +++ .github/vale/Readability/FleschKincaid.yml | 8 +++ .../vale/Readability/FleschReadingEase.yml | 8 +++ .github/vale/Readability/GunningFog.yml | 8 +++ .github/vale/Readability/LIX.yml | 17 ++++++ .github/vale/Readability/SMOG.yml | 8 +++ .github/vale/Readability/meta.json | 4 ++ .../vale/config/vocabularies/RGS/accept.txt | 18 ++++++ .vale.ini | 10 ++++ README.md | 10 +++- docs/README.md | 59 +++++++++++-------- .../group_vars/{all.yaml => all.yml} | 0 .../{rke2_servers.yaml => rke2_servers.yml} | 0 .../group_vars/{all.yaml => all.yml} | 0 15 files changed, 139 insertions(+), 27 deletions(-) create mode 100644 .github/vale/Readability/AutomatedReadability.yml create mode 100644 .github/vale/Readability/ColemanLiau.yml create mode 100644 .github/vale/Readability/FleschKincaid.yml create mode 100644 .github/vale/Readability/FleschReadingEase.yml create mode 100644 .github/vale/Readability/GunningFog.yml create mode 100644 .github/vale/Readability/LIX.yml create mode 100644 .github/vale/Readability/SMOG.yml create mode 100644 .github/vale/Readability/meta.json create mode 100644 .github/vale/config/vocabularies/RGS/accept.txt create mode 100644 .vale.ini rename docs/advanced_sample_inventory/group_vars/{all.yaml => all.yml} (100%) rename docs/advanced_sample_inventory/group_vars/{rke2_servers.yaml => rke2_servers.yml} (100%) rename docs/tarball_sample_inventory/group_vars/{all.yaml => all.yml} (100%) 
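Review bot: deleting `inventory/sample/group_vars/rke2_servers.yml` and `inventory/sample/hosts.yml` removes the only in-repo examples of the hardened server settings (`tls-min-version=VersionTLS12` and the `tls-cipher-suites` list for apiserver, controller-manager and scheduler, `protect-kernel-defaults=true`, `streaming-connection-idle-timeout=5m`, `ETCD_AUTO_TLS=false`, `write-kubeconfig-mode: "0640"`) and of the per-host `node_ip`, `bind_address`, `node_taints` and `node_labels` hostvars; the replacement `docs/advanced_sample_inventory` earlier in this series carries `profile: cis`, PSA and audit settings but none of these. Port them into `docs/advanced_sample_inventory/group_vars/rke2_servers.yml` or `docs/README.md` before removing the sample, otherwise the hardening guidance silently disappears from the project. Two of the deleted examples were already stale and should be dropped when porting: `PodSecurityPolicy` in `enable-admission-plugins` and the `DynamicKubeletConfig` feature gate no longer exist on the Kubernetes versions behind the `v1.27.10+rke2r1` the sample itself pins.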
diff --git a/.github/vale/Readability/AutomatedReadability.yml b/.github/vale/Readability/AutomatedReadability.yml new file mode 100644 index 00000000..dd9fe669 --- /dev/null +++ b/.github/vale/Readability/AutomatedReadability.yml @@ -0,0 +1,8 @@ +extends: metric +message: "Try to keep the Automated Readability Index (%s) below 8." +link: https://en.wikipedia.org/wiki/Automated_readability_index + +formula: | + (4.71 * (characters / words)) + (0.5 * (words / sentences)) - 21.43 + +condition: "> 8" diff --git a/.github/vale/Readability/ColemanLiau.yml b/.github/vale/Readability/ColemanLiau.yml new file mode 100644 index 00000000..d478303c --- /dev/null +++ b/.github/vale/Readability/ColemanLiau.yml @@ -0,0 +1,8 @@ +extends: metric +message: "Try to keep the Coleman–Liau Index grade (%s) below 9." +link: https://en.wikipedia.org/wiki/Coleman%E2%80%93Liau_index + +formula: | + (0.0588 * (characters / words) * 100) - (0.296 * (sentences / words) * 100) - 15.8 + +condition: "> 9" diff --git a/.github/vale/Readability/FleschKincaid.yml b/.github/vale/Readability/FleschKincaid.yml new file mode 100644 index 00000000..3f60f205 --- /dev/null +++ b/.github/vale/Readability/FleschKincaid.yml @@ -0,0 +1,8 @@ +extends: metric +message: "Try to keep the Flesch–Kincaid grade level (%s) below 8." +link: https://en.wikipedia.org/wiki/Flesch%E2%80%93Kincaid_readability_tests + +formula: | + (0.39 * (words / sentences)) + (11.8 * (syllables / words)) - 15.59 + +condition: "> 8" diff --git a/.github/vale/Readability/FleschReadingEase.yml b/.github/vale/Readability/FleschReadingEase.yml new file mode 100644 index 00000000..61797667 --- /dev/null +++ b/.github/vale/Readability/FleschReadingEase.yml @@ -0,0 +1,8 @@ +extends: metric +message: "Try to keep the Flesch reading ease score (%s) above 70." +link: https://en.wikipedia.org/wiki/Flesch%E2%80%93Kincaid_readability_tests + +formula: | + 206.835 - (1.015 * (words / sentences)) - (84.6 * (syllables / words)) + +condition: "< 70" 
diff --git a/.github/vale/Readability/GunningFog.yml b/.github/vale/Readability/GunningFog.yml new file mode 100644 index 00000000..302c0eeb --- /dev/null +++ b/.github/vale/Readability/GunningFog.yml @@ -0,0 +1,8 @@ +extends: metric +message: "Try to keep the Gunning-Fog index (%s) below 10." +link: https://en.wikipedia.org/wiki/Gunning_fog_index + +formula: | + 0.4 * ((words / sentences) + 100 * (complex_words / words)) + +condition: "> 10" diff --git a/.github/vale/Readability/LIX.yml b/.github/vale/Readability/LIX.yml new file mode 100644 index 00000000..f5b0f4e8 --- /dev/null +++ b/.github/vale/Readability/LIX.yml @@ -0,0 +1,17 @@ +extends: metric +message: "Try to keep the LIX score (%s) below 35." + +link: https://en.wikipedia.org/wiki/Lix_(readability_test) +# Very Easy: 20 - 25 +# +# Easy: 30 - 35 +# +# Medium: 40 - 45 +# +# Difficult: 50 - 55 +# +# Very Difficult: 60+ +formula: | + (words / sentences) + ((long_words * 100) / words) + +condition: "> 35" diff --git a/.github/vale/Readability/SMOG.yml b/.github/vale/Readability/SMOG.yml new file mode 100644 index 00000000..e7f5913b --- /dev/null +++ b/.github/vale/Readability/SMOG.yml @@ -0,0 +1,8 @@ +extends: metric +message: "Try to keep the SMOG grade (%s) below 10." +link: https://en.wikipedia.org/wiki/SMOG + +formula: | + 1.0430 * math.sqrt((polysyllabic_words * 30.0) / sentences) + 3.1291 + +condition: "> 10" diff --git a/.github/vale/Readability/meta.json b/.github/vale/Readability/meta.json new file mode 100644 index 00000000..0ff71c30 --- /dev/null +++ b/.github/vale/Readability/meta.json @@ -0,0 +1,4 @@ +{ + "feed": "https://github.com/errata-ai/Readability/releases.atom", + "vale_version": ">=2.13.0" +} \ No newline at end of file diff --git a/.github/vale/config/vocabularies/RGS/accept.txt b/.github/vale/config/vocabularies/RGS/accept.txt new file mode 100644 index 00000000..315ffad8 --- /dev/null +++ b/.github/vale/config/vocabularies/RGS/accept.txt 
@@ -0,0 +1,18 @@ +# Common/valid Slang +[C|c]onfig +airgap + +# Acronyms +STIG + +# Tools +[A|a]nsible + +# Kubernetes +Kubernetes +[K|k]ubeconfig + +# Linux +[F|f]apolicyd +containerd +SELinux \ No newline at end of file diff --git a/.vale.ini b/.vale.ini new file mode 100644 index 00000000..61de8510 --- /dev/null +++ b/.vale.ini @@ -0,0 +1,10 @@ +StylesPath = ./.github/vale + +MinAlertLevel = suggestion +Vocab = RGS + +Packages = Readability + +[*.md] +BasedOnStyles = Vale, Readability + diff --git a/README.md b/README.md index fc2941ff..4cde1597 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,11 @@ Thank you for your understanding and cooperation. Ansible RKE2 (RKE Government) Playbook --------- -[![LINT](https://github.com/rancherfederal/rke2-ansible/actions/workflows/ci.yml/badge.svg)](https://github.com/rancherfederal/rke2-ansible/actions/workflows/ci.yml) +[![LINT](https://github.com/rancherfederal/rke2-ansible/actions/workflows/lint.yml/badge.svg)](https://github.com/rancherfederal/rke2-ansible/actions/workflows/lint.yml?query=branch%3Amain) + +[![Rocky 8](https://github.com/rancherfederal/rke2-ansible/actions/workflows/rocky8.yml/badge.svg)](https://github.com/rancherfederal/rke2-ansible/actions/workflows/rocky8.yml?query=branch%3Amain) + +[![Ubuntu 20](https://github.com/rancherfederal/rke2-ansible/actions/workflows/ubuntu20.yml/badge.svg)](https://github.com/rancherfederal/rke2-ansible/actions/workflows/ubuntu20.yml?query=branch%3Amain) RKE2, also known as RKE Government, is Rancher's next-generation Kubernetes distribution. This Ansible playbook installs RKE2 for both the control plane and workers. 
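Review bot: in `.github/vale/config/vocabularies/RGS/accept.txt` the patterns `[C|c]onfig`, `[A|a]nsible`, `[K|k]ubeconfig` and `[F|f]apolicyd` use `|` inside a character class, where it is a literal pipe rather than alternation; the intent is `[Cc]onfig`, `[Aa]nsible`, and so on. Harmless in practice, but it also accepts `|onfig`. `accept.txt` and `Readability/meta.json` both end without a trailing newline, the same lint issue PATCH 04 and PATCH 06 fixed elsewhere.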
@@ -91,7 +95,7 @@ Air-Gap/Tarball install information can be found [here](./docs/tarball_install.m Kubeconfig ---------- -The root user will have the `kubeconfig` and `kubectl` made available, to access your cluster login into any server node and `kubectl` will be available for use immideatly. +The root user will have the `kubeconfig` and `kubectl` made available, to access your cluster login into any server node and `kubectl` will be available for use immediately. Available configurations @@ -105,7 +109,7 @@ Variables should be set in `inventory/group_vars/rke2_agents.yml` and `inventory Uninstall RKE2 --------------- Note: Uninstalling RKE2 deletes the cluster data and all of the scripts. -The offical documentation for fully uninstalling the RKE2 cluster can be found in the [RKE2 Documentation](https://docs.rke2.io/install/uninstall/). +The official documentation for fully uninstalling the RKE2 cluster can be found in the [RKE2 Documentation](https://docs.rke2.io/install/uninstall/). If you used this module to created the cluster and RKE2 was installed via yum, then you can attempt to run this command to remove all cluster data and all RKE2 scripts. diff --git a/docs/README.md b/docs/README.md index 5454110e..37454090 100644 --- a/docs/README.md +++ b/docs/README.md 
@@ -10,18 +10,19 @@ - [Enabling CIS Modes](#enabling-cis-modes) - [Special Variables](#special-variables) - [RKE2 Config Variables](#rke2-config-variables) - - [Defining a PSA Config](#defining-a-psa-config) + - [Defining the RKE2 Version](#defining-the-rke2-version) - [Example](#example) - - [Defining an Audit Policy](#defining-an-audit-policy) + - [Defining a PSA Config](#defining-a-psa-config) - [Example](#example-1) + - [Defining an Audit Policy](#defining-an-audit-policy) + - [Example](#example-2) - [Adding Additional Cluster Manifests](#adding-additional-cluster-manifests) - [Pre-Deploy Example](#pre-deploy-example) - [Post-Deploy Example](#post-deploy-example) - - [rke2\_install\_version](#rke2_install_version) - [Examples](#examples) # Basic Usage -There are two methods for consuming this repository, one is to simply clone the repository and edit it as neccessary, the other is to import it as a collection, both options are detailed below. +There are two methods for consuming this repository, one is to simply clone the repository and edit it as necessary, the other is to import it as a collection, both options are detailed below. > [!NOTE] > If you are looking for airgap or tarball installation instructions, please go [here](./tarball_install.md) @@ -31,7 +32,7 @@ The simplest method for using this repository (as detailed in the main README.md ## Importing -The second method for using this project is to import it as a collection in your own `requirements.yaml` as this repository does contain a `galaxy.yaml`. To import it add the following to your `galaxy.yaml`: +The second method for using this project is to import it as a collection in your own `requirements.yml` as this repository does contain a `galaxy.yml`. To import it add the following to your `galaxy.yml`: ```yaml collections: - name: rancherfederal.rke2-ansible 
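Review bot: the `## Importing` hunk still tells readers to add a `collections:` list to their `galaxy.yml`, but a `collections:` requirements list belongs in `requirements.yml` (which the same sentence names); `galaxy.yml` is the collection's own metadata file, as the `galaxy.yml` hunk in PATCH 05 shows. The name given, `rancherfederal.rke2-ansible`, does not match that file either: `namespace: rancherfederal` plus `name: rke2_ansible` gives the FQCN `rancherfederal.rke2_ansible`, and Galaxy collection names cannot contain hyphens, so the snippet as written will fail to install.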
@@ -51,7 +52,7 @@ Then you can call the RKE2 role in a play like so: # Defining Your Cluster -This repository is not intended to be opinionated and as a rersult it is important you to have read and understand the [RKE2 docs](https://docs.rke2.io/) before moving forward, this documentation is not intended to be an exhaustive explanation of all possible RKE2 configuration options, it is up to the end user to ensure their options are valid. +This repository is not intended to be opinionated and as a result it is important you to have read and understand the [RKE2 docs](https://docs.rke2.io/) before moving forward, this documentation is not intended to be an exhaustive explanation of all possible RKE2 configuration options, it is up to the end user to ensure their options are valid. ## Minimal Cluster Inventory @@ -71,7 +72,7 @@ This is the simplest possible inventory file and will deploy the latest availabl ## Structuring Your Variable Files -Configurations and variables can become lengthy annd unwieldy, as a general note of advice it is best to move variables into a `group_vars` folder. +Configurations and variables can become lengthy and unwieldy, as a general note of advice it is best to move variables into a `group_vars` folder. ``` ./inventory ├── Cluser_A @@ -92,7 +93,8 @@ Configurations and variables can become lengthy annd unwieldy, as a general note ## Enabling SELinux -Enabling SELinux in the playbook requires `seliux: true` be set in either the cluster, group, or host level config profiles (Please see [Special Variables](#special-variables) for more info). Though generally this should be set at the cluster and can be done like so: +Enabling SELinux in the playbook requires `selinux: true` be set in either the cluster, group, or host level config profiles (Please see [Special Variables](#special-variables) for more info). Though generally this should be set at the cluster and can be done like so: +__hosts.yml:__ ```yaml --- all: 
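Review bot: `it is important you to have read and understand the [RKE2 docs]` should read `it is important that you have read and understood`, and the directory tree under `## Structuring Your Variable Files` still spells `Cluser_A`; since this patch already touches both paragraphs for spelling, fix these in the same pass. The `## Enabling SELinux` hunk labels its snippet `__hosts.yml:__` and shows an `all: vars:` block, which is the correct shape for an inventory file; the same convention needs to hold for the other labelled snippets in this file.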
@@ -104,7 +106,8 @@ For more information please see the RKE2 documentation, [here](https://docs.rke2 ## Enabling CIS Modes -Enabling the CIS tasks in the playbook requires a CIS profile be added to the ansible variables file. This can be placed in either the cluster, or group level config profiles (Please see [Special Variables](#special-variables) for more info). Below is an example, in the example the CIS profile is set at the group level, this ensures all server nodes run the CIS hardening profile tasks. +Enabling the CIS tasks in the playbook requires a CIS profile be added to the ansible variables file. This can be placed in either the cluster, or group level config profiles (Please see [Special Variables](#special-variables) for more info). Below is an example, in the example the CIS profile is set at the group level, this ensures all server nodes run the CIS hardening profile tasks. +__hosts.yml:__ ```yaml rke2_cluster: children: 
@@ -132,17 +135,30 @@ There are three levels an RKE2 config variables can be placed in, that is `clust - `rke2_cluster.children.rke2_agents.vars.hosts..host_rke2_config`: Defines a list of node labels for a specific agent node > [!NOTE] -> Through the rest of these docs you may see references to `rke2_servers.yaml`, this is the group vars file for rke2_servers. This is functionally equivalent to `rke2_cluster.children.rke2_servers.vars`. References to `rke2_agents.yaml` is functionally equivalent to `rke2_cluster.children.rke2_agents.vars` +> Through the rest of these docs you may see references to `rke2_servers.yml`, this is the group vars file for rke2_servers. This is functionally equivalent to `rke2_cluster.children.rke2_servers.vars`. References to `rke2_agents.yml` is functionally equivalent to `rke2_cluster.children.rke2_agents.vars` It is important to understand these variables here are not special in the sense that they enable or disable certain functions in the RKE2 role, with one notable exception being the `profile` key. These variables are special in the sense that they will be condensed into a single config file on each node. Each node will end up with a merged config file comprised of `cluster_rke2_config`, `group_rke2_config`, and `host_rke2_config`. + +### Defining the RKE2 Version +A version of RKE2 can be selected to be installed via the `all.vars.rke2_install_version` variable, please see the RKE2 repository for available [releases](releases). + +#### Example +__group_vars/all.yml:__ +```yaml +--- +all: + vars: + rke2_install_version: v1.29.12+rke2r1 +``` + ### Defining a PSA Config -In order to define a PSA config, server nodes will need to have the `rke2_pod_security_admission_config_file_path` variable defined, then the `pod-security-admission-config-file` will need to be defined in the rke2_config variable at the relevant level (please see [RKE Config Variables](#rke2-config-variables)). 
+In order to define a PSA (Pod Security Admission) config, server nodes will need to have the `rke2_pod_security_admission_config_file_path` variable defined, then the `pod-security-admission-config-file` will need to be defined in the rke2_config variable at the relevant level (please see [RKE Config Variables](#rke2-config-variables)). #### Example Below is an example of how this can be defined at the server group level (`rke2_cluster.children.rke2_servers.vars`): -__rke2_servers.yaml:__ +__group_vars/rke2_servers.yml:__ ```yaml --- rke2_pod_security_admission_config_file_path: "{{ playbook_dir }}/docs/advanced_sample_inventory/files/pod-security-admission-config.yaml" @@ -157,7 +173,7 @@ In order to define a audit policy config, server nodes will need to have the `rk #### Example Below is an example of how this can be defined at the server group level (`rke2_cluster.children.rke2_servers.vars`): -__rke2_servers.yaml:__ +__group_vars/rke2_servers.yml:__ ```yaml rke2_audit_policy_config_file_path: "{{ playbook_dir }}/docs/advanced_sample_inventory/files/audit-policy.yaml" group_rke2_config: 
@@ -169,7 +185,7 @@ group_rke2_config: ### Adding Additional Cluster Manifests -If you have a cluster that needs extra manifests to be deployed or the cluster needs a ciritical component to be configured RKE2's "HelmChartConfig" is an available option (among others). The Ansible repository supports the use of these configuration files, simply place them in a folder and give Ansible the path to the folder, Ansible will enumarte the files and place them on the first server node. +If you have a cluster that needs extra manifests to be deployed or the cluster needs a critical component to be configured RKE2's "HelmChartConfig" is an available option (among others). The Ansible repository supports the use of these configuration files. Simply place the Helm chart configs in a folder, give Ansible the path to the folder, and Ansible will enumerate the files and place them on the first server node. There are two variables that control the deployment of manifests to the server nodes: - `rke2_manifest_config_directory` 
@@ -178,13 +194,13 @@ There are two variables that control the deployment of manifests to the server n The first variable is used to deploy manifest to the server nodes before starting the RKE2 server process, this ensures critical components (like the CNI) can be configured when the RKE2 server process starts. The second, ensures applications are deployed after the RKE2 server process starts. There are examples of both below. #### Pre-Deploy Example -The example used is configuring Cilium with the kube-proxy replacement enabled a fairly common use case: +The example used is configuring Cilium with the kube-proxy replacement enabled (a fairly common use case): > [!WARNING] > If this option is used you must provide a `become` password and this must be the password for the local host running the Ansible playbook. The playbook is looking for this directory on the localhost, and will run as root. This imposes some limitations, if you are using an SSH password to login to remote systems (typical for STIG'd clusters) the `become` password must be the same for the cluster nodes AND localhost. -__rke2_servers.yaml:__ -For this example to work kube proxy needs to be disabled, and the Cilium CNI needs to be enabled. +__group_vars/rke2_servers.yml:__ +For this example to work kube-proxy needs to be disabled, and the Cilium CNI needs to be enabled. ```yaml rke2_manifest_config_directory: "{{ playbook_dir }}/docs/advanced_sample_inventory/pre-deploy-manifests/" group_rke2_config: @@ -218,7 +234,7 @@ spec: #### Post-Deploy Example In the example below cert-manager is auto deployed after the RKE2 server process is started. -__rke2_servers.yaml:__ +__group_vars/rke2_servers.yml:__ ```yaml rke2_manifest_config_post_run_directory: "{{ playbook_dir }}/docs/advanced_sample_inventory/post-deploy-manifests/" ``` 
@@ -243,10 +259,5 @@ spec: enabled: true ``` - -### rke2_install_version -A version of RKE2 can be selected to be installed via the `all.vars.rke2_install_version` variable - - # Examples -There are two examples provided in this folder, "basic_sample_inventory", and "advanced_sample_inventory". The basic example is the simplest possible example, the advanced example is all of the options explained above in one example. \ No newline at end of file +There are two examples provided in this folder, `basic_sample_inventory`, and `advanced_sample_inventory`. The basic example is the simplest possible example, the advanced example is all of the options explained above in one example. \ No newline at end of file diff --git a/docs/advanced_sample_inventory/group_vars/all.yaml b/docs/advanced_sample_inventory/group_vars/all.yml similarity index 100% rename from docs/advanced_sample_inventory/group_vars/all.yaml rename to docs/advanced_sample_inventory/group_vars/all.yml diff --git a/docs/advanced_sample_inventory/group_vars/rke2_servers.yaml b/docs/advanced_sample_inventory/group_vars/rke2_servers.yml similarity index 100% rename from docs/advanced_sample_inventory/group_vars/rke2_servers.yaml rename to docs/advanced_sample_inventory/group_vars/rke2_servers.yml diff --git a/docs/tarball_sample_inventory/group_vars/all.yaml b/docs/tarball_sample_inventory/group_vars/all.yml similarity index 100% rename from docs/tarball_sample_inventory/group_vars/all.yaml rename to docs/tarball_sample_inventory/group_vars/all.yml From e07597edd3e6c71e3ed031993564b5061759e0c7 Mon Sep 17 00:00:00 2001 From: Jacob Hanafin Date: Wed, 8 Jan 2025 16:38:55 -0600 Subject: [PATCH 12/13] Revert become change, remove superfluous docs in main readme --- README.md | 38 +++++--------------------------------- site.yml | 2 +- 2 files changed, 6 insertions(+), 34 deletions(-) diff --git a/README.md b/README.md index 4cde1597..1eb3cace 100644 --- a/README.md +++ b/README.md 
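Review bot: the `+` line in the `## Importing` hunk (`@@ -31,7 +32,7 @@` of docs/README.md) still tells the reader to add the `collections:` list to their `galaxy.yml`, but that list is the format of a `requirements.yml`; `galaxy.yml` is a collection's own manifest and is not what `ansible-galaxy collection install` reads. Suggest `To import it add the following to your requirements.yml:` so the sentence matches the file named earlier in the same line and the snippet that follows it.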
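Review bot: in the new `### Defining the RKE2 Version` section (hunk `@@ -132,17 +135,30 @@` of docs/README.md), `[releases](releases)` is a bare relative link that resolves to nothing in this repository; point it at the RKE2 releases page (https://github.com/rancher/rke2/releases). In the same hunk the snippet labelled `__group_vars/all.yml:__` nests the variable under `all: vars:`, which is the `hosts.yml` inventory layout, while the other `group_vars/*.yml` snippets in this patch (e.g. `rke2_pod_security_admission_config_file_path: ...`) correctly use top-level keys; a `group_vars/all.yml` whose content is `all: vars: rke2_install_version: ...` defines a dict variable named `all`, not `rke2_install_version`. Either relabel the snippet `__hosts.yml:__` or reduce it to the single line `rke2_install_version: v1.29.12+rke2r1`.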
@@ -57,35 +57,15 @@ Deployment environment must have Ansible 2.9.0+ Usage ----- -Create a new directory based on the one of the sample inventory directories within the `docs` directory: +Create an Ansible inventory file (or folder), you can check the docs folder for examples (`basic_sample_inventory` or `advanced_sample_inventory`). -```bash -cp -R ./docs/basic_sample_inventory ./inventory -``` - -Second, edit `inventory/hosts.yaml` to match the system information gathered above. For example: - -```yaml ---- -rke2_cluster: - children: - rke2_servers: - hosts: - server0.example.com: - rke2_agents: - hosts: - agent0.example.com: -``` - -If needed, you can also create `inventory/group_vars/rke2_agents.yml` and `inventory/my-cluster/group_vars/rke2_servers.yml` to match your environment. - -Start provisioning of the cluster using the following command: +> [!NOTE] +> More detailed information can be found [here](./docs/README.md) +Start provisioning the cluster using the following command: ```bash -ansible-playbook site.yml -i inventory/hosts.yml +ansible-playbook site.yml -i inventory/hosts.yml -b ``` -> [!NOTE] -> More detailed information can be found [here](./docs/README.md) Tarball Install/Air-Gap Install @@ -98,14 +78,6 @@ Kubeconfig The root user will have the `kubeconfig` and `kubectl` made available, to access your cluster login into any server node and `kubectl` will be available for use immediately. -Available configurations ------------------------- -Variables should be set in `inventory/group_vars/rke2_agents.yml` and `inventory/group_vars/rke2_servers.yml`. - -> [!NOTE] -> More detailed information can be found [here](./docs/README.md) - - Uninstall RKE2 --------------- Note: Uninstalling RKE2 deletes the cluster data and all of the scripts. diff --git a/site.yml b/site.yml index 7fd240e6..9d204c83 100644 --- a/site.yml +++ b/site.yml @@ -3,6 +3,6 @@ - name: RKE2 play hosts: all any_errors_fatal: true - become: true + # become: true roles: - role: rke2 
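Review bot: the README `Usage` hunk (`@@ -57,35 +57,15 @@`) makes privilege escalation opt-in by embedding `-b` in the example command, but nothing in the surrounding prose says it is required; a run without `-b` will fail on the first privileged task. Suggest a sentence before the code block stating that the playbook must be run with `-b` (and `-K` / `--ask-become-pass` where sudo prompts for a password), which also ties in with the pre-deploy manifest warning in docs/README.md that assumes a `become` password is in effect. Minor: `Create an Ansible inventory file (or folder), you can check the docs folder ...` is a comma splice; split it into two sentences.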
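Review bot: in the `site.yml` hunk (`@@ -3,6 +3,6 @@`), `become: true` is commented out rather than deleted, leaving a dead `# become: true` line that invites someone to re-enable it later without noticing the README now expects `-b` on the command line. If the intent is to revert play-level escalation, remove the line outright; if the intent is to keep it as documentation, add a short comment explaining that escalation is passed with `-b` so the two sources of truth do not drift.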
From 9df2bcd9eb3ff001997841f9fe7ebe4f2bb69b8d Mon Sep 17 00:00:00 2001 From: Adam Leiner <104371562+aleiner@users.noreply.github.com> Date: Thu, 9 Jan 2025 13:56:03 -0500 Subject: [PATCH 13/13] adjusting config verbiage --- docs/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/README.md b/docs/README.md index 37454090..ba613cb1 100644 --- a/docs/README.md +++ b/docs/README.md @@ -131,8 +131,8 @@ There are three levels an RKE2 config variables can be placed in, that is `clust - `all.vars.cluster_rke2_config`: Defines common RKE2 config options for the whole cluster - `rke2_cluster.children.rke2_servers.vars.group_rke2_config`: Defines common RKE2 config options for the `rke2_servers` group - `rke2_cluster.children.rke2_agents.vars.group_rke2_config`: Defines common RKE2 config options for the `rke2_agents` group - - `rke2_cluster.children.rke2_servers.vars.hosts..host_rke2_config`: Defines a list of node labels for a specific agent node - - `rke2_cluster.children.rke2_agents.vars.hosts..host_rke2_config`: Defines a list of node labels for a specific agent node + - `rke2_cluster.children.rke2_servers.vars.hosts..host_rke2_config`: Defines RKE2 config options for a specific server node + - `rke2_cluster.children.rke2_agents.vars.hosts..host_rke2_config`: Defines RKE2 config options for a specific agent node > [!NOTE] > Through the rest of these docs you may see references to `rke2_servers.yml`, this is the group vars file for rke2_servers. This is functionally equivalent to `rke2_cluster.children.rke2_servers.vars`. References to `rke2_agents.yml` is functionally equivalent to `rke2_cluster.children.rke2_agents.vars` 
@@ -260,4 +260,4 @@ spec: ``` # Examples -There are two examples provided in this folder, `basic_sample_inventory`, and `advanced_sample_inventory`. The basic example is the simplest possible example, the advanced example is all of the options explained above in one example. \ No newline at end of file +There are two examples provided in this folder, `basic_sample_inventory`, and `advanced_sample_inventory`. The basic example is the simplest possible example, the advanced example is all of the options explained above in one example.
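Review bot: the two reworded list items in the docs/README.md hunk (`@@ -131,8 +131,8 @@`) fix the copy-pasted "node labels for a specific agent node" description, but both keep the path `rke2_cluster.children.rke2_servers.vars.hosts..host_rke2_config`. In Ansible's YAML inventory `hosts` is a sibling of `vars` under the group, not a child of it, and the `..` reads like a dropped hostname placeholder. Suggest `rke2_cluster.children.rke2_servers.hosts.<hostname>.host_rke2_config` (and the same for `rke2_agents`) so the path matches the `hosts.yml` examples elsewhere in this document.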