├── .gitignore
├── README.md
├── create-fedora-coreos-vm
    ├── ansible.cfg
    ├── create-fedora-coreos-vm.yaml
    └── roles
    │   └── create-fedora-coreos-vm
    │       ├── .travis.yml
    │       ├── README.md
    │       ├── defaults
    │           └── main.yml
    │       ├── tasks
    │           └── main.yml
    │       └── templates
    │           └── fcos-template.ign.j2
├── create-ha-cluster
    ├── README.md
    ├── Vagrantfile
    ├── ansible.cfg
    ├── kube-flannel-v0.16.3.yml
    ├── playbook
    │   ├── cluster_inventory.yml
    │   ├── cluster_playbook.yml
    │   ├── lb_inventory.yml
    │   └── lb_playbook.yml
    └── setup.png
├── create-kvm-guest-vm
    ├── ansible.cfg
    ├── create-kvm-guest-vm.yaml
    └── roles
    │   └── kvm-provision
    │       ├── .travis.yml
    │       ├── README.md
    │       ├── defaults
    │           └── main.yml
    │       ├── tasks
    │           └── main.yml
    │       └── templates
    │           └── vm-template.xml.j2
├── create-single-master-cluster
    ├── README.md
    ├── Vagrantfile
    ├── ansible.cfg
    ├── kube-flannel-v0.24.2.yml
    ├── playbook
    │   ├── inventory.yml
    │   └── playbook.yml
    └── setup.png
├── create-virtualbox-vm
    ├── README.md
    └── Vagrantfile
├── getting-started-with-ansible
    ├── Ansible.png
    ├── README.md
    ├── Vagrantfile
    ├── inventory.yaml
    ├── playbook.yml
    └── sample_inventory.yaml
├── jaegertracing
    ├── README.md
    ├── cluster-issuer.yml
    ├── example-hotrod.yaml
    ├── jaeger-operator-v1.42.0.yml
    ├── simplest.yaml
    └── trust-bundle.yml
├── load-balancing-services
    ├── README.md
    ├── my-nginx-deploy.yaml
    ├── my-nginx-ingress.yaml
    ├── my-nginx-svc.yaml
    ├── patch-configmap.yaml
    └── setup.png
├── metallb
    ├── README.md
    ├── my-nginx-deploy.yaml
    ├── my-nginx-ingress.yaml
    ├── my-nginx-svc.yaml
    └── values.yaml
├── nfs-subdir-external-provisioner
    ├── README.md
    ├── Setup.png
    ├── Vagrantfile
    ├── my-nginx-deploy.yaml
    ├── my-nginx-pvc.yaml
    └── my-nginx-svc.yaml
├── rook-ceph
    ├── README.md
    ├── Vagrantfile
    └── toolbox.yml
├── setup-ha-etcd-cluster
    ├── README.md
    ├── Vagrantfile
    ├── ansible.cfg
    ├── kube-flannel-v0.16.3.yml
    ├── playbook
    │   ├── etcd_cluster_inventory.yml
    │   ├── etcd_cluster_playbook.yml
    │   ├── k8s_cluster_inventory.yml
    │   └── k8s_cluster_playbook.yml
    └── setup.png
└── setup-load-balancer-for-kube-apiservers
    ├── README.md
    ├── Vagrantfile
    ├── ansible.cfg
    ├── kube-flannel-v0.16.3.yml
    ├── playbook
        ├── cluster_inventory.yml
        ├── cluster_playbook.yml
        ├── load_balancer_inventory.yml
        └── load_balancer_playbook.yml
    └── setup.png


/.gitignore:
--------------------------------------------------------------------------------
1 | /.idea/
2 | /create-ha-cluster/.vagrant/
3 | /create-virtualbox-vm/.vagrant/
4 | /getting-started-with-ansible/.vagrant/
5 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # A playground for Kubernetes
 2 | 
 3 | ## VM Provision
 4 | * [Create a Virtualbox guest VM by Vagrant](create-virtualbox-vm)
 5 | * [Create a KVM guest VM by Ansible](create-kvm-guest-vm)
 6 | 
 7 | ## Cluster Provision
 8 | * [Getting Started with Ansible](getting-started-with-ansible)
 9 | * [Create a single-master Kubernetes cluster with kubeadm by Ansible](create-single-master-cluster)
10 | * [Setup load balancer for kube-apiservers](setup-load-balancer-for-kube-apiservers)
11 | * [Create a HA Kubernetes cluster with kubeadm, keepalived, and haproxy by Ansible](create-ha-cluster)
12 | * [Set up a High Availability etcd Cluster with kubeadm by Ansible](setup-ha-etcd-cluster)
13 | * [Load balancing requests to Kubernetes services with external haproxy and NGINX Ingress Controller](load-balancing-services)
14 | * [Install MetalLB as a network load balancer on bare-metal cluster](metallb)
15 | 
16 | ## Storage
17 | * [Dynamic provision Persistent Volumes with NFS Subdir External Provisioner](nfs-subdir-external-provisioner)
18 | * [Cloud-Native Storage solution with Rook Ceph](rook-ceph)
19 | 
20 | ## Observability
21 | * [Distributed tracing with Jaeger](jaegertracing)
22 | 


--------------------------------------------------------------------------------
/create-fedora-coreos-vm/ansible.cfg:
--------------------------------------------------------------------------------
1 | [defaults]
2 | host_key_checking = False
3 | 


--------------------------------------------------------------------------------
/create-fedora-coreos-vm/create-fedora-coreos-vm.yaml:
--------------------------------------------------------------------------------
1 | - name: Create Fedora CoreOS VM
2 |   hosts: all
3 |   gather_facts: yes
4 |   become: yes
5 |   tasks:
6 |     - name: Create Fedora CoreOS VM
7 |       include_role:
8 |         name: create-fedora-coreos-vm
9 | 


--------------------------------------------------------------------------------
/create-fedora-coreos-vm/roles/create-fedora-coreos-vm/.travis.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | language: python
 3 | python: "2.7"
 4 | 
 5 | # Use the new container infrastructure
 6 | sudo: false
 7 | 
 8 | # Install ansible
 9 | addons:
10 |   apt:
11 |     packages:
12 |     - python-pip
13 | 
14 | install:
15 |   # Install ansible
16 |   - pip install ansible
17 | 
18 |   # Check ansible version
19 |   - ansible --version
20 | 
21 |   # Create ansible.cfg with correct roles_path
22 |   - printf '[defaults]\nroles_path=../' >ansible.cfg
23 | 
24 | script:
25 |   # Basic role syntax check
26 |   - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
27 | 
28 | notifications:
29 |   webhooks: https://galaxy.ansible.com/api/v1/notifications/


--------------------------------------------------------------------------------
/create-fedora-coreos-vm/roles/create-fedora-coreos-vm/README.md:
--------------------------------------------------------------------------------
 1 | Create Fedora CoreOS VM
 2 | =========
 3 | 
 4 | Create Fedora CoreOS VM.
 5 | 
 6 | ```shell
 7 | ansible-playbook -i YOUR_HOST -u YOUR_SSH_USER --extra-vars "vm_name=$VM_NAME vm_vcpus=4 vm_memory_mb=16384 vm_disk
 8 | _size=100G ssh_user_password_hash=YOUR_PASSWORD_HASH ssh_authorized_key=YOUR_SSH_PUBLIC_KEY" create-fedora-coreos-vm.yaml
 9 | ```
10 | 


--------------------------------------------------------------------------------
/create-fedora-coreos-vm/roles/create-fedora-coreos-vm/defaults/main.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | # defaults file for create-fedora-coreos-vm
 3 | base_image_pool_dir: "/images/base"
 4 | base_image_name: fedora-coreos-39.20240128.3.0-qemu.x86_64.qcow2
 5 | vms_image_pool_dir: "/images/vms"
 6 | vm_name: my-awesome-vm
 7 | vm_vcpus: 2
 8 | vm_memory_mb: 4096
 9 | vm_disk_size: 20G
10 | ssh_user: core
11 | # https://docs.fedoraproject.org/en-US/fedora-coreos/authentication/#_using_password_authentication
12 | ssh_user_password_hash: "WILL_BE_SET_AT_RUNTIME"
13 | ssh_authorized_key: "WILL_BE_SET_AT_RUNTIME"
14 | 


--------------------------------------------------------------------------------
/create-fedora-coreos-vm/roles/create-fedora-coreos-vm/tasks/main.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | # tasks file for create-fedora-coreos-vm
 3 | - name: Check preconditions
 4 |   block:
 5 |     - name: Check if vm exists
 6 |       stat:
 7 |         path: "{{ vms_image_pool_dir }}/{{ vm_name }}/{{ vm_name }}.xml"
 8 |       register: stat_result
 9 |     - name: Fail if vm exists
10 |       fail:
11 |         msg: VM already exists
12 |       when: stat_result.stat.exists
13 |     - name: Fail if vm is not named
14 |       fail:
15 |         msg: No name provided for the new VM
16 |       when: vm_name | length == 0
17 | 
18 | - name: "Create a VM directory: {{ vms_image_pool_dir }}/{{ vm_name }}"
19 |   file:
20 |     path: "{{ vms_image_pool_dir }}/{{ vm_name }}"
21 |     state: directory
22 | 
23 | - name: Copy base image to the VM directory
24 |   become: true
25 |   copy:
26 |     remote_src: true
27 |     src: "{{ base_image_pool_dir }}/{{ base_image_name }}"
28 |     dest: "{{ vms_image_pool_dir }}/{{ vm_name }}/{{ vm_name }}.qcow2"
29 | 
30 | - name: Resize the VM image
31 |   become: true
32 |   shell: "qemu-img resize {{ vms_image_pool_dir }}/{{ vm_name }}/{{ vm_name }}.qcow2 +{{ vm_disk_size }}"
33 | 
34 | - name: Generate new mac address for the new VM
35 |   shell: bash -c "printf '00:16:3E:%02X:%02X:%02X\n' $[RANDOM%256] $[RANDOM%256] $[RANDOM%256]"
36 |   register: new_mac
37 | 
38 | - name: "Save new mac address for the new VM: {{ new_mac.stdout }}"
39 |   set_fact:
40 |     vm_mac_address: "{{ new_mac.stdout }}"
41 |     vm_uuid: "{{ ansible_date_time.iso8601_micro | to_uuid }}"
42 | 
43 | - name: Copy fcos.ign into the VM directory
44 |   template:
45 |     src: fcos-template.ign.j2
46 |     dest: "{{ vms_image_pool_dir }}/{{ vm_name }}/fcos.ign"
47 |     mode: 0644
48 | 
49 | - name: "Start the new VM: {{ vm_name }}"
50 |   become: true
51 |   shell: "virt-install -n {{ vm_name }} --vcpus {{ vm_vcpus }} -r {{ vm_memory_mb }} \
52 |   --os-variant=fedora31 --import \
53 |   --network network=host-bridge,model=virtio,mac={{ vm_mac_address }} \
54 |   --disk={{ vms_image_pool_dir }}/{{ vm_name }}/{{ vm_name }}.qcow2,format=qcow2,bus=virtio \
55 |   --noautoconsole \
56 |   --qemu-commandline=\"-fw_cfg name=opt/com.coreos/config,file={{ vms_image_pool_dir }}/{{ vm_name }}/fcos.ign\""
57 | 


--------------------------------------------------------------------------------
/create-fedora-coreos-vm/roles/create-fedora-coreos-vm/templates/fcos-template.ign.j2:
--------------------------------------------------------------------------------
 1 | {
 2 |   "ignition": {
 3 |     "version": "3.0.0"
 4 |   },
 5 |   "passwd": {
 6 |     "users": [
 7 |       {
 8 |         "name": "{{ ssh_user }}",
 9 |         "groups": [
10 |             "sudo",
11 |             "docker"
12 |         ],
13 |         "passwordHash": "{{ ssh_user_password_hash }}",
14 |         "sshAuthorizedKeys": [
15 |           "{{ ssh_authorized_key }}"
16 |         ]
17 |       }
18 |     ]
19 |   },
20 |   "storage": {
21 |     "files": [
22 |         {
23 |             "path": "/etc/hostname",
24 |             "contents": {
25 |                 "compression": "",
26 |                 "source": "data:,{{ vm_name }}%0A"
27 |             }
28 |         }
29 |     ]
30 |   }
31 | }
32 | 


--------------------------------------------------------------------------------
/create-ha-cluster/README.md:
--------------------------------------------------------------------------------
 1 | # Setup a multi-master Kubernetes cluster with kubeadm
 2 | 
 3 | This will set up a new multi-master Kubernetes cluster that has
 4 | * 3 masters, each master has 2 CPUs and 2 GBs RAM
 5 | * 3 workers, each worker has 2 CPUs and 2 GBs RAM
 6 | * 2 load balancers, each load balancer has 1 CPU and 1 GB RAM
 7 | 
 8 | ![setup.png](setup.png?raw=true "setup.png")
 9 | 
10 | ## Prerequisites
11 | Before you want to try this on your local, here are requirements
12 | * Your computer must have at least 14 CPUs, 14 GBs RAM
13 | * A public key in .ssh/id_rsa.pub in your home directory
14 | * Directly download [Virtualbox](https://www.virtualbox.org/) and install, or use homebrew
15 |     ```
16 |     brew install --cask virtualbox
17 |     ```
18 | * Vagrant
19 |     ```
20 |     brew install --cask vagrant
21 |     ```
22 | * [(Optional) Vagrant Manager](http://vagrantmanager.com/)
23 |     ```
24 |     brew install --cask vagrant-manager
25 |     ```
26 | 
27 | ## Provision VMs
28 | ```
29 | cd create-ha-cluster
30 | vagrant up
31 | ```
32 | 
33 | Let's ssh into the first master VM
34 | ```
35 | ssh ci@172.16.1.11
36 | ```
37 | 
38 | ## Setup load balancer
39 | ```
40 | ansible-playbook -i playbook/lb_inventory.yml playbook/lb_playbook.yml --extra-vars "cluster_vip=172.16.0.16"
41 | ```
42 | 
43 | Let's ssh into the load balancer VM by the VIP, and check haproxy service status
44 | ```
45 | ssh ci@172.16.0.16
46 | systemctl status haproxy
47 | ```
48 | 
49 | ## Setup Kubernetes cluster
50 | ```
51 | ansible-playbook -i playbook/cluster_inventory.yml playbook/cluster_playbook.yml --extra-vars "cluster_vip=172.16.0.16"
52 | ```
53 | 
54 | Let's ssh into the first master VM, and verify the cluster
55 | ```
56 | ssh ci@172.16.1.11
57 | kubectl get nodes
58 | ```
59 | 
60 | Download kubeconfig to  your local
61 | ```
62 | mkdir ~/.kube-local
63 | scp ci@172.16.1.11:/home/ci/.kube/config ~/.kube-local/config
64 | export KUBECONFIG=$HOME/.kube-local/config && kubectl get nodes
65 | ```
66 | 


--------------------------------------------------------------------------------
/create-ha-cluster/Vagrantfile:
--------------------------------------------------------------------------------
 1 | Vagrant.configure("2") do |config|
 2 | 
 3 |     # Load Balancer Nodes
 4 |     LoadBalancerCount = 2
 5 |     (1..LoadBalancerCount).each do |i|
 6 |         config.vm.define "k8s-lb-#{i}" do |lb|
 7 |             lb.vm.box = "generic/ubuntu2004"
 8 |             lb.vm.box_version = "3.6.8"
 9 |             lb.vm.hostname = "k8s-lb-#{i}"
10 |             lb.vm.network "private_network", ip: "172.16.0.1#{i}"
11 | 
12 |             lb.vm.provider "virtualbox" do |vb|
13 |                 vb.name = "k8s-lb-#{i}"
14 |                 vb.memory = 1024
15 |                 vb.cpus = 1
16 |             end
17 |         end
18 |     end
19 | 
20 |     # Master Nodes
21 |     MasterCount = 3
22 |     (1..MasterCount).each do |i|
23 |         config.vm.define "k8s-master-#{i}" do |master|
24 |             master.vm.box = "generic/ubuntu2004"
25 |             master.vm.box_version = "3.6.8"
26 |             master.vm.hostname = "k8s-master-#{i}"
27 |             master.vm.network "private_network", ip: "172.16.1.1#{i}"
28 | 
29 |             master.vm.provider "virtualbox" do |vb|
30 |                 vb.name = "k8s-master-#{i}"
31 |                 vb.memory = 2048
32 |                 vb.cpus = 2
33 |             end
34 |         end
35 |     end
36 | 
37 |     # Worker Nodes
38 |     WorkerCount = 3
39 |     (1..WorkerCount).each do |i|
40 |         config.vm.define "k8s-worker-#{i}" do |worker|
41 |             worker.vm.box = "generic/ubuntu2004"
42 |             worker.vm.box_version = "3.6.8"
43 |             worker.vm.hostname = "k8s-worker-#{i}"
44 |             worker.vm.network "private_network", ip: "172.16.2.1#{i}"
45 | 
46 |             worker.vm.provider "virtualbox" do |vb|
47 |                 vb.name = "k8s-worker-#{i}"
48 |                 vb.memory = 2048
49 |                 vb.cpus = 2
50 |             end
51 |         end
52 |     end
53 | 
54 |     config.vm.provision "shell" do |s|
55 |         ssh_pub_key = File.readlines("#{Dir.home}/.ssh/id_rsa.pub").first.strip
56 |         s.inline = <<-SHELL
57 |             # Create ci user
58 |             useradd -s /bin/bash -d /home/ci/ -m -G sudo ci
59 |             echo 'ci ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
60 |             mkdir -p /home/ci/.ssh && chown -R ci /home/ci/.ssh
61 |             echo #{ssh_pub_key} >> /home/ci/.ssh/authorized_keys
62 |         SHELL
63 |     end
64 | 
65 | end
66 | 


--------------------------------------------------------------------------------
/create-ha-cluster/ansible.cfg:
--------------------------------------------------------------------------------
1 | [defaults]
2 | host_key_checking = False
3 | 


--------------------------------------------------------------------------------
/create-ha-cluster/kube-flannel-v0.16.3.yml:
--------------------------------------------------------------------------------
  1 | ---
  2 | apiVersion: policy/v1beta1
  3 | kind: PodSecurityPolicy
  4 | metadata:
  5 |   name: psp.flannel.unprivileged
  6 |   annotations:
  7 |     seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
  8 |     seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
  9 |     apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
 10 |     apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
 11 | spec:
 12 |   privileged: false
 13 |   volumes:
 14 |     - configMap
 15 |     - secret
 16 |     - emptyDir
 17 |     - hostPath
 18 |   allowedHostPaths:
 19 |     - pathPrefix: "/etc/cni/net.d"
 20 |     - pathPrefix: "/etc/kube-flannel"
 21 |     - pathPrefix: "/run/flannel"
 22 |   readOnlyRootFilesystem: false
 23 |   # Users and groups
 24 |   runAsUser:
 25 |     rule: RunAsAny
 26 |   supplementalGroups:
 27 |     rule: RunAsAny
 28 |   fsGroup:
 29 |     rule: RunAsAny
 30 |   # Privilege Escalation
 31 |   allowPrivilegeEscalation: false
 32 |   defaultAllowPrivilegeEscalation: false
 33 |   # Capabilities
 34 |   allowedCapabilities: ['NET_ADMIN', 'NET_RAW']
 35 |   defaultAddCapabilities: []
 36 |   requiredDropCapabilities: []
 37 |   # Host namespaces
 38 |   hostPID: false
 39 |   hostIPC: false
 40 |   hostNetwork: true
 41 |   hostPorts:
 42 |     - min: 0
 43 |       max: 65535
 44 |   # SELinux
 45 |   seLinux:
 46 |     # SELinux is unused in CaaSP
 47 |     rule: 'RunAsAny'
 48 | ---
 49 | kind: ClusterRole
 50 | apiVersion: rbac.authorization.k8s.io/v1
 51 | metadata:
 52 |   name: flannel
 53 | rules:
 54 |   - apiGroups: ['extensions']
 55 |     resources: ['podsecuritypolicies']
 56 |     verbs: ['use']
 57 |     resourceNames: ['psp.flannel.unprivileged']
 58 |   - apiGroups:
 59 |       - ""
 60 |     resources:
 61 |       - pods
 62 |     verbs:
 63 |       - get
 64 |   - apiGroups:
 65 |       - ""
 66 |     resources:
 67 |       - nodes
 68 |     verbs:
 69 |       - list
 70 |       - watch
 71 |   - apiGroups:
 72 |       - ""
 73 |     resources:
 74 |       - nodes/status
 75 |     verbs:
 76 |       - patch
 77 | ---
 78 | kind: ClusterRoleBinding
 79 | apiVersion: rbac.authorization.k8s.io/v1
 80 | metadata:
 81 |   name: flannel
 82 | roleRef:
 83 |   apiGroup: rbac.authorization.k8s.io
 84 |   kind: ClusterRole
 85 |   name: flannel
 86 | subjects:
 87 |   - kind: ServiceAccount
 88 |     name: flannel
 89 |     namespace: kube-system
 90 | ---
 91 | apiVersion: v1
 92 | kind: ServiceAccount
 93 | metadata:
 94 |   name: flannel
 95 |   namespace: kube-system
 96 | ---
 97 | kind: ConfigMap
 98 | apiVersion: v1
 99 | metadata:
100 |   name: kube-flannel-cfg
101 |   namespace: kube-system
102 |   labels:
103 |     tier: node
104 |     app: flannel
105 | data:
106 |   cni-conf.json: |
107 |     {
108 |       "name": "cbr0",
109 |       "cniVersion": "0.3.1",
110 |       "plugins": [
111 |         {
112 |           "type": "flannel",
113 |           "delegate": {
114 |             "hairpinMode": true,
115 |             "isDefaultGateway": true
116 |           }
117 |         },
118 |         {
119 |           "type": "portmap",
120 |           "capabilities": {
121 |             "portMappings": true
122 |           }
123 |         }
124 |       ]
125 |     }
126 |   net-conf.json: |
127 |     {
128 |       "Network": "10.244.0.0/16",
129 |       "Backend": {
130 |         "Type": "vxlan"
131 |       }
132 |     }
133 | ---
134 | apiVersion: apps/v1
135 | kind: DaemonSet
136 | metadata:
137 |   name: kube-flannel-ds
138 |   namespace: kube-system
139 |   labels:
140 |     tier: node
141 |     app: flannel
142 | spec:
143 |   selector:
144 |     matchLabels:
145 |       app: flannel
146 |   template:
147 |     metadata:
148 |       labels:
149 |         tier: node
150 |         app: flannel
151 |     spec:
152 |       affinity:
153 |         nodeAffinity:
154 |           requiredDuringSchedulingIgnoredDuringExecution:
155 |             nodeSelectorTerms:
156 |               - matchExpressions:
157 |                   - key: kubernetes.io/os
158 |                     operator: In
159 |                     values:
160 |                       - linux
161 |       hostNetwork: true
162 |       priorityClassName: system-node-critical
163 |       tolerations:
164 |         - operator: Exists
165 |           effect: NoSchedule
166 |       serviceAccountName: flannel
167 |       initContainers:
168 |         - name: install-cni-plugin
169 |           #image: flannelcni/flannel-cni-plugin:v1.0.1 for ppc64le (dockerhub limitations may apply)
170 |           image: rancher/mirrored-flannelcni-flannel-cni-plugin:v1.0.1
171 |           command:
172 |             - cp
173 |           args:
174 |             - -f
175 |             - /flannel
176 |             - /opt/cni/bin/flannel
177 |           volumeMounts:
178 |             - name: cni-plugin
179 |               mountPath: /opt/cni/bin
180 |         - name: install-cni
181 |           #image: flannelcni/flannel:v0.16.1 for ppc64le (dockerhub limitations may apply)
182 |           image: rancher/mirrored-flannelcni-flannel:v0.16.1
183 |           command:
184 |             - cp
185 |           args:
186 |             - -f
187 |             - /etc/kube-flannel/cni-conf.json
188 |             - /etc/cni/net.d/10-flannel.conflist
189 |           volumeMounts:
190 |             - name: cni
191 |               mountPath: /etc/cni/net.d
192 |             - name: flannel-cfg
193 |               mountPath: /etc/kube-flannel/
194 |       containers:
195 |         - name: kube-flannel
196 |           #image: flannelcni/flannel:v0.16.1 for ppc64le (dockerhub limitations may apply)
197 |           image: rancher/mirrored-flannelcni-flannel:v0.16.1
198 |           command:
199 |             - /opt/bin/flanneld
200 |           args:
201 |             - --ip-masq
202 |             - --kube-subnet-mgr
203 |             - --iface=eth1
204 |           resources:
205 |             requests:
206 |               cpu: "100m"
207 |               memory: "50Mi"
208 |             limits:
209 |               cpu: "100m"
210 |               memory: "50Mi"
211 |           securityContext:
212 |             privileged: false
213 |             capabilities:
214 |               add: ["NET_ADMIN", "NET_RAW"]
215 |           env:
216 |             - name: POD_NAME
217 |               valueFrom:
218 |                 fieldRef:
219 |                   fieldPath: metadata.name
220 |             - name: POD_NAMESPACE
221 |               valueFrom:
222 |                 fieldRef:
223 |                   fieldPath: metadata.namespace
224 |           volumeMounts:
225 |             - name: run
226 |               mountPath: /run/flannel
227 |             - name: flannel-cfg
228 |               mountPath: /etc/kube-flannel/
229 |             - name: xtables-lock
230 |               mountPath: /run/xtables.lock
231 |       volumes:
232 |         - name: run
233 |           hostPath:
234 |             path: /run/flannel
235 |         - name: cni-plugin
236 |           hostPath:
237 |             path: /opt/cni/bin
238 |         - name: cni
239 |           hostPath:
240 |             path: /etc/cni/net.d
241 |         - name: flannel-cfg
242 |           configMap:
243 |             name: kube-flannel-cfg
244 |         - name: xtables-lock
245 |           hostPath:
246 |             path: /run/xtables.lock
247 |             type: FileOrCreate
248 | 


--------------------------------------------------------------------------------
/create-ha-cluster/playbook/cluster_inventory.yml:
--------------------------------------------------------------------------------
 1 | all:
 2 |   children:
 3 |     masters:
 4 |       hosts:
 5 |         172.16.1.11: null
 6 |         172.16.1.12: null
 7 |         172.16.1.13: null
 8 | 
 9 |     workers:
10 |       hosts:
11 |         172.16.2.11: null
12 |         172.16.2.12: null
13 |         172.16.2.13: null
14 | 


--------------------------------------------------------------------------------
/create-ha-cluster/playbook/cluster_playbook.yml:
--------------------------------------------------------------------------------
  1 | ---
  2 | 
  3 | - hosts: masters, workers
  4 |   name: Setup masters and workers
  5 |   remote_user: ci
  6 |   become: yes
  7 |   tasks:
  8 |     # https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#before-you-begin
  9 |     - name: Disable swap
 10 |       shell: swapoff -a
 11 | 
 12 |     - name: Remove swap entry from /etc/fstab
 13 |       lineinfile:
 14 |         dest: /etc/fstab
 15 |         regexp: swap
 16 |         state: absent
 17 | 
 18 |     - name: Load br_netfilter module
 19 |       shell: |
 20 |         cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
 21 |         br_netfilter
 22 |         EOF
 23 | 
 24 |     - name: Configure iptables to see bridged traffic
 25 |       shell: |
 26 |         cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
 27 |         net.bridge.bridge-nf-call-ip6tables = 1
 28 |         net.bridge.bridge-nf-call-iptables = 1
 29 |         EOF
 30 | 
 31 |     - name: Read values from all system directories
 32 |       shell: sysctl --system
 33 | 
 34 |     # https://docs.docker.com/engine/install/ubuntu/#installation-methods
 35 |     - name: Install packages to allow apt to use a repository over HTTPS
 36 |       apt:
 37 |         name:
 38 |           - ca-certificates
 39 |           - gnupg
 40 |           - apt-transport-https
 41 |         state: present
 42 |         update_cache: yes
 43 | 
 44 |     - name: Add Docker’s official GPG key
 45 |       apt_key:
 46 |         url: https://download.docker.com/linux/ubuntu/gpg
 47 |         state: present
 48 | 
 49 |     - name: Get Ubuntu release version
 50 |       shell: lsb_release -cs
 51 |       register: ubuntu_version
 52 | 
 53 |     - name: Get architecture
 54 |       shell: dpkg --print-architecture
 55 |       register: architecture
 56 | 
 57 |     - name: Add Docker repository
 58 |       apt_repository:
 59 |         repo: "deb [arch={{ architecture.stdout }}] https://download.docker.com/linux/ubuntu {{ ubuntu_version.stdout }} stable"
 60 |         state: present
 61 |         filename: docker
 62 | 
 63 |     - name: Update apt packages
 64 |       apt:
 65 |         update_cache: "yes"
 66 |         force_apt_get: "yes"
 67 | 
 68 |     - name: Install Docker engine
 69 |       apt:
 70 |         name:
 71 |           - docker-ce
 72 |           - docker-ce-cli
 73 |           - containerd.io
 74 |         state: present
 75 |         update_cache: yes
 76 | 
 77 |     # https://kubernetes.io/docs/setup/production-environment/container-runtimes/#docker
 78 |     - name: Create Docker directory
 79 |       file:
 80 |         path: /etc/docker
 81 |         state: directory
 82 | 
 83 |     - name: Create Docker daemon empty file
 84 |       copy:
 85 |         content: ""
 86 |         dest: /etc/docker/daemon.json
 87 |         force: no
 88 | 
 89 |     - name: Configure Docker daemon
 90 |       shell: |
 91 |         cat <<EOF | sudo tee /etc/docker/daemon.json
 92 |         {
 93 |           "exec-opts": ["native.cgroupdriver=systemd"],
 94 |           "log-driver": "json-file",
 95 |           "log-opts": {
 96 |             "max-size": "100m"
 97 |           },
 98 |           "storage-driver": "overlay2"
 99 |         }
100 |         EOF
101 | 
102 |     - name: Restart Docker
103 |       systemd:
104 |         name: docker
105 |         state: restarted
106 |         enabled: yes
107 |         daemon-reload: yes
108 | 
109 |     - name: Add current user to docker group
110 |       user:
111 |         name: "{{ ansible_user }}"
112 |         groups: docker
113 |         append: yes
114 |       become: yes
115 | 
116 |     - name: Add Google Cloud public signing key
117 |       apt_key:
118 |         url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
119 |         state: present
120 | 
121 |     - name: Add Kubernetes repository
122 |       apt_repository:
123 |         repo: deb http://apt.kubernetes.io/ kubernetes-xenial main
124 |         state: present
125 |         filename: kubernetes
126 |         mode: 0600
127 | 
128 |     - name: Install kubelet, kubeadm and kubectl
129 |       apt:
130 |         name:
131 |           - kubeadm=1.23.1-00
132 |           - kubectl=1.23.1-00
133 |           - kubelet=1.23.1-00
134 |         state: present
135 | 
136 |     - name: Enable kubelet service
137 |       service:
138 |         name: kubelet
139 |         enabled: yes
140 | 
141 | - hosts: masters
142 |   name: Init cluster and join masters
143 |   remote_user: ci
144 |   become: yes
145 |   tasks:
146 |     - name: Reset existing cluster
147 |       shell: kubeadm reset -f
148 | 
149 |     - name: Remove .kube in user home directory
150 |       shell: rm -rf .kube
151 | 
152 |     - name: Remove /etc/kubernetes/manifests directory
153 |       shell: rm -rf /etc/kubernetes/manifests
154 | 
155 |     - name: Remove /var/lib/etcd directory
156 |       shell: rm -rf /var/lib/etcd
157 | 
158 |     - name: Init kubernetes cluster
159 |       shell: kubeadm init --control-plane-endpoint={{ cluster_vip }}:6443 --upload-certs --apiserver-advertise-address=172.16.1.11 --pod-network-cidr=10.244.0.0/16
160 |       run_once: yes
161 |       delegate_to: "172.16.1.11"
162 | 
163 |     # This got updated after the video
164 |     # Use release 0.16.3, rather than master version!
165 |     - name: Copy kube-flannel-v0.16.3.yml
166 |       copy:
167 |         src: ../kube-flannel-v0.16.3.yml
168 |         dest: /home/ci/kube-flannel-v0.16.3.yml
169 |         owner: ci
170 |         group: ci
171 |         mode: '0644'
172 |       when: inventory_hostname == "172.16.1.11"
173 | 
174 |     - name: Deploy Flannel network
175 |       shell: kubectl --kubeconfig=/etc/kubernetes/admin.conf apply -f kube-flannel-v0.16.3.yml
176 |       run_once: yes
177 |       delegate_to: "172.16.1.11"
178 | 
179 |     - name: Print join command
180 |       shell: kubeadm token create --print-join-command
181 |       register: kubernetes_join_command
182 |       run_once: yes
183 |       delegate_to: "172.16.1.11"
184 | 
185 |     - name: Copy join command to local
186 |       become: no
187 |       local_action: copy content="{{ kubernetes_join_command.stdout_lines[0] }}" dest="/tmp/kubernetes_join_command" mode=0777
188 |       run_once: yes
189 |       delegate_to: "172.16.1.11"
190 | 
191 |     - name: Generate certificate key
192 |       shell: kubeadm init phase upload-certs --upload-certs
193 |       register: kubernetes_certificate_key
194 |       run_once: yes
195 |       delegate_to: "172.16.1.11"
196 | 
197 |     - name: Execute master join command
198 |       become: yes
199 |       when: inventory_hostname != "172.16.1.11"
200 |       shell: "{{ kubernetes_join_command.stdout_lines[0] }} --control-plane --certificate-key {{ kubernetes_certificate_key.stdout_lines[2] }} --apiserver-advertise-address={{ inventory_hostname }}"
201 | 
202 |     # This got updated after the video
203 |     # Because of https://github.com/kubernetes/kubernetes/issues/60835#issuecomment-395931644
204 |     - name: Edit kubeadm.conf
205 |       blockinfile:
206 |         path: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
207 |         block: |
208 |           Environment="KUBELET_EXTRA_ARGS=--node-ip={{ inventory_hostname }}"
209 | 
210 |     - name: Restart kubelet service
211 |       service:
212 |         name: kubelet
213 |         daemon-reload: yes
214 |         state: restarted
215 | 
216 |     - name: Create directory for kube config
217 |       file:
218 |         path: /home/ci/.kube
219 |         state: directory
220 |         owner: ci
221 |         group: ci
222 |         mode: 0755
223 | 
224 |     - name: Copy /etc/kubernetes/admin.conf to user home directory
225 |       become_user: root
226 |       become_method: sudo
227 |       become: yes
228 |       copy:
229 |         src: /etc/kubernetes/admin.conf
230 |         dest: /home/ci/.kube/config
231 |         remote_src: yes
232 |         owner: ci
233 |         group: ci
234 |         mode: '0644'
235 | 
236 | - hosts: workers
237 |   name: Join workers
238 |   remote_user: ci
239 |   become: yes
240 |   tasks:
241 |     - name: Reset existing cluster
242 |       shell: kubeadm reset -f
243 | 
244 |     - name: Remove .kube in user home directory
245 |       shell: rm -rf .kube
246 | 
247 |     - name: Remove /etc/kubernetes/manifests directory
248 |       shell: rm -rf /etc/kubernetes/manifests
249 | 
250 |     - name: Copy join command to workers
251 |       copy:
252 |         src: /tmp/kubernetes_join_command
253 |         dest: /tmp/kubernetes_join_command
254 |         mode: 0777
255 | 
256 |     - name: Execute worker join command
257 |       shell: sh /tmp/kubernetes_join_command
258 | 
259 |     # This got updated after the video
260 |     # Because of https://github.com/kubernetes/kubernetes/issues/60835#issuecomment-395931644
261 |     - name: Edit kubeadm.conf
262 |       blockinfile:
263 |         path: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
264 |         block: |
265 |           Environment="KUBELET_EXTRA_ARGS=--node-ip={{ inventory_hostname }}"
266 | 
267 |     - name: Restart kubelet service
268 |       service:
269 |         name: kubelet
270 |         daemon-reload: yes
271 |         state: restarted
272 | 


--------------------------------------------------------------------------------
/create-ha-cluster/playbook/lb_inventory.yml:
--------------------------------------------------------------------------------
1 | lbs:
2 |   hosts:
3 |     172.16.0.11: null
4 |     172.16.0.12: null
5 | 


--------------------------------------------------------------------------------
/create-ha-cluster/playbook/lb_playbook.yml:
--------------------------------------------------------------------------------
  1 | ---
  2 | 
  3 | - hosts: lbs
  4 |   name: Setup load balancers
  5 |   remote_user: ci
  6 |   become: yes
  7 |   tasks:
  8 |     - name: Install haproxy
  9 |       apt:
 10 |         name:
 11 |           - haproxy
 12 |         state: present
 13 |         update_cache: yes
 14 | 
 15 |     - name: Create haproxy conf empty file
 16 |       copy:
 17 |         content: ""
 18 |         dest: /etc/haproxy/haproxy.cfg
 19 |         force: yes
 20 | 
 21 |     - name: Configure haproxy
 22 |       shell: |
 23 |         cat <<EOF | sudo tee /etc/haproxy/haproxy.cfg
 24 |         frontend kube_apiserver_frontend
 25 |           bind *:6443
 26 |           mode tcp
 27 |           option tcplog
 28 |           default_backend kube_apiserver_backend
 29 | 
 30 |         backend kube_apiserver_backend
 31 |           option httpchk GET /healthz
 32 |           http-check expect status 200
 33 |           mode tcp
 34 |           option ssl-hello-chk
 35 |           balance roundrobin
 36 |             server k8s-master-1 172.16.1.11:6443 check fall 3 rise 2
 37 |             server k8s-master-2 172.16.1.12:6443 check fall 3 rise 2
 38 |             server k8s-master-3 172.16.1.13:6443 check fall 3 rise 2
 39 | 
 40 |         frontend http_frontend
 41 |           bind *:80
 42 |           mode tcp
 43 |           option tcplog
 44 |           default_backend http_backend
 45 | 
 46 |         backend http_backend
 47 |           mode tcp
 48 |           balance roundrobin
 49 |             server k8s-worker-1 172.16.2.11:30100 check send-proxy-v2
 50 |             server k8s-worker-2 172.16.2.12:30100 check send-proxy-v2
 51 |             server k8s-worker-3 172.16.2.13:30100 check send-proxy-v2
 52 | 
 53 |         frontend https_frontend
 54 |           bind *:443
 55 |           mode tcp
 56 |           option tcplog
 57 |           default_backend https_backend
 58 | 
 59 |         backend https_backend
 60 |           mode tcp
 61 |           balance roundrobin
 62 |             server k8s-worker-1 172.16.2.11:30101 check send-proxy-v2
 63 |             server k8s-worker-2 172.16.2.12:30101 check send-proxy-v2
 64 |             server k8s-worker-3 172.16.2.13:30101 check send-proxy-v2
 65 | 
 66 |         EOF
 67 | 
 68 |     - name: Restart haproxy
 69 |       systemd:
 70 |         name: haproxy
 71 |         state: restarted
 72 |         enabled: yes
 73 |         daemon-reload: yes
 74 | 
 75 |     - name: Install keepalived
 76 |       apt:
 77 |         name:
 78 |           - keepalived
 79 |         state: present
 80 |         update_cache: yes
 81 | 
 82 |     - name: Create keepalived.conf empty file
 83 |       copy:
 84 |         content: ""
 85 |         dest: /etc/keepalived/keepalived.conf
 86 |         force: yes
 87 | 
 88 |     - name: Create keepalived.conf
 89 |       blockinfile:
 90 |         path: /etc/keepalived/keepalived.conf
 91 |         block: |
 92 |           vrrp_script check_apiserver {
 93 |             script "killall -0 haproxy"
 94 |             interval 3
 95 |             timeout 10
 96 |           }
 97 | 
 98 |           vrrp_instance VI_1 {
 99 |               state MASTER
100 |               interface eth1
101 |               virtual_router_id 201
102 |               priority 200
103 |               advert_int 1
104 |               authentication {
105 |                   auth_type PASS
106 |                   auth_pass secret
107 |               }
108 |               virtual_ipaddress {
109 |                   {{ cluster_vip }}/24
110 |               }
111 |               track_script {
112 |                   check_apiserver
113 |               }
114 |           }
115 | 
116 |     - name: Restart keepalived
117 |       systemd:
118 |         name: keepalived
119 |         state: restarted
120 |         enabled: yes
121 |         daemon-reload: yes
122 | 
123 | 


--------------------------------------------------------------------------------
/create-ha-cluster/setup.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tranductrinh/k8s/4ecb0802080582a13066ac335d57e5f649d459c8/create-ha-cluster/setup.png


--------------------------------------------------------------------------------
/create-kvm-guest-vm/ansible.cfg:
--------------------------------------------------------------------------------
1 | [defaults]
2 | host_key_checking = False
3 | 


--------------------------------------------------------------------------------
/create-kvm-guest-vm/create-kvm-guest-vm.yaml:
--------------------------------------------------------------------------------
1 | - name: Create new VM
2 |   hosts: all
3 |   gather_facts: yes
4 |   become: yes
5 |   tasks:
6 |     - name: KVM provision
7 |       include_role:
8 |         name: kvm-provision
9 | 


--------------------------------------------------------------------------------
/create-kvm-guest-vm/roles/kvm-provision/.travis.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | language: python
 3 | python: "2.7"
 4 | 
 5 | # Use the new container infrastructure
 6 | sudo: false
 7 | 
 8 | # Install ansible
 9 | addons:
10 |   apt:
11 |     packages:
12 |     - python-pip
13 | 
14 | install:
15 |   # Install ansible
16 |   - pip install ansible
17 | 
18 |   # Check ansible version
19 |   - ansible --version
20 | 
21 |   # Create ansible.cfg with correct roles_path
22 |   - printf '[defaults]\nroles_path=../' >ansible.cfg
23 | 
24 | script:
25 |   # Basic role syntax check
26 |   - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
27 | 
28 | notifications:
29 |   webhooks: https://galaxy.ansible.com/api/v1/notifications/


--------------------------------------------------------------------------------
/create-kvm-guest-vm/roles/kvm-provision/README.md:
--------------------------------------------------------------------------------
1 | KVM Provision
2 | =========
3 | 
4 | Provision a new guest KVM guest VM.
5 | 


--------------------------------------------------------------------------------
/create-kvm-guest-vm/roles/kvm-provision/defaults/main.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | # defaults file for kvm-provision
 3 | base_image_pool_dir: "/images/base"
 4 | base_image_name: jammy-server-cloudimg-amd64.qcow2
 5 | vms_image_pool_dir: "/images/vms"
 6 | vm_memory_mb: 4096
 7 | vm_vcpus: 2
 8 | vm_disk_size: 20G
 9 | vm_second_disk_enabled: false
10 | vm_second_disk_size: 40G
11 | 


--------------------------------------------------------------------------------
/create-kvm-guest-vm/roles/kvm-provision/tasks/main.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | # tasks file for kvm-provision
 3 | - name: Check preconditions
 4 |   block:
 5 |     - name: Check if vm exists
 6 |       stat:
 7 |         path: "{{ vms_image_pool_dir }}/{{ vm_name }}/{{ vm_name }}.xml"
 8 |       register: stat_result
 9 |     - name: Fail if vm exists
10 |       fail:
11 |         msg: VM already exists
12 |       when: stat_result.stat.exists
13 |     - name: Fail if vm is not named
14 |       fail:
15 |         msg: No name provided for the new VM
16 |       when: vm_name | length == 0
17 | 
18 | - name: Create VM directory
19 |   file:
20 |     path: "{{ vms_image_pool_dir }}/{{ vm_name }}"
21 |     state: directory
22 | 
23 | - name: Copy base image to VM directory
24 |   become: true
25 |   copy:
26 |     remote_src: true
27 |     src: "{{ base_image_pool_dir }}/{{ base_image_name }}"
28 |     dest: "{{ vms_image_pool_dir }}/{{ vm_name }}/{{ vm_name }}.qcow2"
29 | 
30 | - name: Resize VM image
31 |   become: true
32 |   shell: "qemu-img resize {{ vms_image_pool_dir }}/{{ vm_name }}/{{ vm_name }}.qcow2 +{{ vm_disk_size }}"
33 | 
34 | - name: Create a new raw disk
35 |   become: true
36 |   shell: "qemu-img create -f raw {{ vms_image_pool_dir }}/{{ vm_name }}/{{ vm_name }}-second-disk {{ vm_second_disk_size }}"
37 |   when: vm_second_disk_enabled
38 | 
39 | - name: Generate new mac address for new VM
40 |   shell: bash -c "printf '00:16:3E:%02X:%02X:%02X\n' $[RANDOM%256] $[RANDOM%256] $[RANDOM%256]"
41 |   register: new_mac
42 | 
43 | - name: Save new mac address for new VM
44 |   set_fact:
45 |     vm_mac_address: "{{ new_mac.stdout }}"
46 |     vm_uuid: "{{ ansible_date_time.iso8601_micro | to_uuid }}"
47 | 
48 | - name: Configure VM image
49 |   become: true
50 |   command: |
51 |     virt-customize -a "{{ vms_image_pool_dir }}/{{ vm_name }}/{{ vm_name }}.qcow2" \
52 |     --hostname {{ vm_name }} \
53 |     --root-password password:{{ vm_root_password }} \
54 |     --ssh-inject root:file:{{ vm_root_public_key }} \
55 |     --firstboot-command "cat << "EOF" > /etc/netplan/00-installer-config.yaml
56 |     network:
57 |       ethernets:
58 |         enp1s0:
59 |           dhcp4: true
60 |       version: 2
61 |     EOF" \
62 |     --firstboot-command "netplan apply"
63 |     --firstboot-command "useradd -u 2000 -s /bin/bash -d /home/ci/ -m -G sudo ci"
64 |     --firstboot-command "cp -r /root/.ssh /home/ci && chown -R ci /home/ci/.ssh"
65 |     --firstboot-command "dpkg-reconfigure openssh-server"
66 |     --firstboot-command "echo 'ci ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers"
67 |     --firstboot-command "growpart /dev/vda 1 && resize2fs /dev/vda1"
68 |     --uninstall cloud-init
69 | 
70 | - name: Copy new VM configuration into VM directory
71 |   template:
72 |     src: vm-template.xml.j2
73 |     dest: "{{ vms_image_pool_dir }}/{{ vm_name }}/{{ vm_name }}.xml"
74 | 
75 | - name: Import new VM configuration
76 |   become: true
77 |   shell: "virsh define {{ vms_image_pool_dir }}/{{ vm_name }}/{{ vm_name }}.xml"
78 | 
79 | - name: Start new VM
80 |   become: true
81 |   shell: "virsh start {{ vm_name }}"
82 | 


--------------------------------------------------------------------------------
/create-kvm-guest-vm/roles/kvm-provision/templates/vm-template.xml.j2:
--------------------------------------------------------------------------------
 1 | <domain type='kvm'>
 2 |   <name>{{ vm_name }}</name>
 3 |   <uuid>{{ vm_uuid }}</uuid>
 4 |   <memory unit='MiB'>{{ vm_memory_mb }}</memory>
 5 |   <vcpu placement='static'>{{ vm_vcpus }}</vcpu>
 6 |   <os>
 7 |     <type arch='x86_64' machine='q35'>hvm</type>
 8 |     <boot dev='hd'/>
 9 |   </os>
10 |   <cpu mode='host-model' check='none'/>
11 |   <devices>
12 |     <emulator>/usr/bin/qemu-system-x86_64</emulator>
13 |     <disk type='file' device='disk'>
14 |       <driver name='qemu' type='qcow2'/>
15 |       <source file='{{ vms_image_pool_dir }}/{{ vm_name }}/{{ vm_name }}.qcow2'/>
16 |       <target dev='vda' bus='virtio'/>
17 |     </disk>
18 |     {% if vm_second_disk_enabled %}
19 |     <disk type='file' device='disk'>
20 |        <driver name='qemu' type='raw' cache='none'/>
21 |        <source file='{{ vms_image_pool_dir }}/{{ vm_name }}/{{ vm_name }}-second-disk'/>
22 |        <target dev='vdb' bus='virtio'/>
23 |     </disk >
24 |     {% endif %}
25 |     <interface type='network'>
26 |       <mac address="{{ vm_mac_address }}"/>
27 |       <source network='host-bridge'/>
28 |       <model type='virtio'/>
29 |     </interface>
30 |     <serial type='pty'>
31 |       <source path='/dev/pts/1'/>
32 |       <target type='isa-serial' port='0'>
33 |         <model name='isa-serial'/>
34 |       </target>
35 |       <alias name='serial0'/>
36 |     </serial>
37 |     <console type='pty' tty='/dev/pts/1'>
38 |       <source path='/dev/pts/1'/>
39 |       <target type='serial' port='0'/>
40 |       <alias name='serial0'/>
41 |     </console>
42 |     <input type='tablet' bus='usb'>
43 |       <address type='usb' bus='0' port='1'/>
44 |     </input>
45 |     <input type='mouse' bus='ps2'/>
46 |     <input type='keyboard' bus='ps2'/>
47 |     <graphics type='spice' autoport='yes'>
48 |       <listen type='address'/>
49 |       <image compression='off'/>
50 |     </graphics>
51 |     <video>
52 |       <model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1' primary='yes'/>
53 |       <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
54 |     </video>
55 |     <memballoon model='virtio'>
56 |       <address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x0'/>
57 |     </memballoon>
58 |     <rng model='virtio'>
59 |       <backend model='random'>/dev/urandom</backend>
60 |       <address type='pci' domain='0x0000' bus='0x07' slot='0x00' function='0x0'/>
61 |     </rng>
62 |   </devices>
63 | </domain>
64 | 


--------------------------------------------------------------------------------
/create-single-master-cluster/README.md:
--------------------------------------------------------------------------------
 1 | # Create a single-master Kubernetes cluster with kubeadm
 2 | 
 3 | This will set up a new single-master Kubernetes cluster that has
 4 | * 1 master, has 2 CPUs and 2 GBs RAM
 5 | * 3 workers, each worker has 2 CPUs and 2 GBs RAM
 6 | 
 7 | ![setup.png](setup.png?raw=true "setup.png")
 8 | 
 9 | ## Prerequisites
10 | Before you want to try this on your local, here are requirements
11 | * A public key in .ssh/id_rsa.pub in your home directory
12 | * Directly download [Virtualbox](https://www.virtualbox.org/) and install, or use homebrew
13 |     ```
14 |     brew install --cask virtualbox
15 |     ```
16 | * Vagrant
17 |     ```
18 |     brew install --cask vagrant
19 |     ```
20 | 
21 | ## Provision VMs
22 | ```
23 | cd create-single-master-cluster
24 | vagrant up
25 | ```
26 | 
27 | ## Create Kubernetes cluster
28 | ```
29 | ansible-playbook -i playbook/inventory.yml playbook/playbook.yml
30 | ```
31 | 
32 | Let's ssh into the master VM, and verify the cluster
33 | ```
34 | ssh ci@172.16.1.11
35 | kubectl get nodes
36 | ```
37 | 
38 | Download kubeconfig to  your local
39 | ```
40 | mkdir ~/.kube-local
41 | scp ci@172.16.1.11:/home/ci/.kube/config ~/.kube-local/config
42 | export KUBECONFIG=~/.kube-local/config && kubectl get nodes
43 | ```
44 | 
45 | ## Creating and exploring an nginx deployment
46 | Source: https://kubernetes.io/docs/tasks/run-application/run-stateless-application-deployment/
47 | 
48 | ### Create a Deployment
49 | ```
50 | kubectl apply -f https://k8s.io/examples/application/deployment.yaml
51 | ```
52 | 
53 | ### Display information about the Deployment
54 | ```
55 | kubectl describe deployment nginx-deployment
56 | ```
57 | 
58 | ### List the Pods created by the deployment
59 | ```
60 | kubectl get pods -l app=nginx
61 | ```
62 | 


--------------------------------------------------------------------------------
/create-single-master-cluster/Vagrantfile:
--------------------------------------------------------------------------------
 1 | Vagrant.configure("2") do |config|
 2 | 
 3 |     # Master Nodes
 4 |     MasterCount = 1
 5 |     (1..MasterCount).each do |i|
 6 |         config.vm.define "k8s-master-#{i}" do |master|
 7 |             # Disclaimer: Not sure if this works, I just updated here from generic/ubuntu2004 to generic/ubuntu2204
 8 |             config.vm.box = "generic/ubuntu2204"
 9 |             master.vm.box_version = "3.6.8"
10 |             master.vm.hostname = "k8s-master-#{i}"
11 |             master.vm.network "private_network", ip: "172.16.1.1#{i}"
12 | 
13 |             master.vm.provider "virtualbox" do |vb|
14 |                 vb.name = "k8s-master-#{i}"
15 |                 vb.memory = 2048
16 |                 vb.cpus = 2
17 |             end
18 |         end
19 |     end
20 | 
21 |     # Worker Nodes
22 |     WorkerCount = 3
23 |     (1..WorkerCount).each do |i|
24 |         config.vm.define "k8s-worker-#{i}" do |worker|
25 |             worker.vm.box = "generic/ubuntu2004"
26 |             worker.vm.box_version = "3.6.8"
27 |             worker.vm.hostname = "k8s-worker-#{i}"
28 |             worker.vm.network "private_network", ip: "172.16.2.1#{i}"
29 | 
30 |             worker.vm.provider "virtualbox" do |vb|
31 |                 vb.name = "k8s-worker-#{i}"
32 |                 vb.memory = 2048
33 |                 vb.cpus = 2
34 |             end
35 |         end
36 |     end
37 | 
38 |     config.vm.provision "shell" do |s|
39 |         ssh_pub_key = File.readlines("#{Dir.home}/.ssh/id_rsa.pub").first.strip
40 |         s.inline = <<-SHELL
41 |             # Create ci user
42 |             useradd -s /bin/bash -d /home/ci/ -m -G sudo ci
43 |             echo 'ci ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
44 |             mkdir -p /home/ci/.ssh && chown -R ci /home/ci/.ssh
45 |             echo #{ssh_pub_key} >> /home/ci/.ssh/authorized_keys
46 |         SHELL
47 |     end
48 | 
49 | end
50 | 


--------------------------------------------------------------------------------
/create-single-master-cluster/ansible.cfg:
--------------------------------------------------------------------------------
1 | [defaults]
2 | host_key_checking = False
3 | 


--------------------------------------------------------------------------------
/create-single-master-cluster/kube-flannel-v0.24.2.yml:
--------------------------------------------------------------------------------
  1 | apiVersion: v1
  2 | kind: Namespace
  3 | metadata:
  4 |   labels:
  5 |     k8s-app: flannel
  6 |     pod-security.kubernetes.io/enforce: privileged
  7 |   name: kube-flannel
  8 | ---
  9 | apiVersion: v1
 10 | kind: ServiceAccount
 11 | metadata:
 12 |   labels:
 13 |     k8s-app: flannel
 14 |   name: flannel
 15 |   namespace: kube-flannel
 16 | ---
 17 | apiVersion: rbac.authorization.k8s.io/v1
 18 | kind: ClusterRole
 19 | metadata:
 20 |   labels:
 21 |     k8s-app: flannel
 22 |   name: flannel
 23 | rules:
 24 | - apiGroups:
 25 |   - ""
 26 |   resources:
 27 |   - pods
 28 |   verbs:
 29 |   - get
 30 | - apiGroups:
 31 |   - ""
 32 |   resources:
 33 |   - nodes
 34 |   verbs:
 35 |   - get
 36 |   - list
 37 |   - watch
 38 | - apiGroups:
 39 |   - ""
 40 |   resources:
 41 |   - nodes/status
 42 |   verbs:
 43 |   - patch
 44 | - apiGroups:
 45 |   - networking.k8s.io
 46 |   resources:
 47 |   - clustercidrs
 48 |   verbs:
 49 |   - list
 50 |   - watch
 51 | ---
 52 | apiVersion: rbac.authorization.k8s.io/v1
 53 | kind: ClusterRoleBinding
 54 | metadata:
 55 |   labels:
 56 |     k8s-app: flannel
 57 |   name: flannel
 58 | roleRef:
 59 |   apiGroup: rbac.authorization.k8s.io
 60 |   kind: ClusterRole
 61 |   name: flannel
 62 | subjects:
 63 | - kind: ServiceAccount
 64 |   name: flannel
 65 |   namespace: kube-flannel
 66 | ---
 67 | apiVersion: v1
 68 | data:
 69 |   cni-conf.json: |
 70 |     {
 71 |       "name": "cbr0",
 72 |       "cniVersion": "0.3.1",
 73 |       "plugins": [
 74 |         {
 75 |           "type": "flannel",
 76 |           "delegate": {
 77 |             "hairpinMode": true,
 78 |             "isDefaultGateway": true
 79 |           }
 80 |         },
 81 |         {
 82 |           "type": "portmap",
 83 |           "capabilities": {
 84 |             "portMappings": true
 85 |           }
 86 |         }
 87 |       ]
 88 |     }
 89 |   net-conf.json: |
 90 |     {
 91 |       "Network": "10.244.0.0/16",
 92 |       "Backend": {
 93 |         "Type": "vxlan"
 94 |       }
 95 |     }
 96 | kind: ConfigMap
 97 | metadata:
 98 |   labels:
 99 |     app: flannel
100 |     k8s-app: flannel
101 |     tier: node
102 |   name: kube-flannel-cfg
103 |   namespace: kube-flannel
104 | ---
105 | apiVersion: apps/v1
106 | kind: DaemonSet
107 | metadata:
108 |   labels:
109 |     app: flannel
110 |     k8s-app: flannel
111 |     tier: node
112 |   name: kube-flannel-ds
113 |   namespace: kube-flannel
114 | spec:
115 |   selector:
116 |     matchLabels:
117 |       app: flannel
118 |       k8s-app: flannel
119 |   template:
120 |     metadata:
121 |       labels:
122 |         app: flannel
123 |         k8s-app: flannel
124 |         tier: node
125 |     spec:
126 |       affinity:
127 |         nodeAffinity:
128 |           requiredDuringSchedulingIgnoredDuringExecution:
129 |             nodeSelectorTerms:
130 |             - matchExpressions:
131 |               - key: kubernetes.io/os
132 |                 operator: In
133 |                 values:
134 |                 - linux
135 |       containers:
136 |       - args:
137 |         - --ip-masq
138 |         - --kube-subnet-mgr
139 |         command:
140 |         - /opt/bin/flanneld
141 |         env:
142 |         - name: POD_NAME
143 |           valueFrom:
144 |             fieldRef:
145 |               fieldPath: metadata.name
146 |         - name: POD_NAMESPACE
147 |           valueFrom:
148 |             fieldRef:
149 |               fieldPath: metadata.namespace
150 |         - name: EVENT_QUEUE_DEPTH
151 |           value: "5000"
152 |         image: docker.io/flannel/flannel:v0.24.2
153 |         name: kube-flannel
154 |         resources:
155 |           requests:
156 |             cpu: 100m
157 |             memory: 50Mi
158 |         securityContext:
159 |           capabilities:
160 |             add:
161 |             - NET_ADMIN
162 |             - NET_RAW
163 |           privileged: false
164 |         volumeMounts:
165 |         - mountPath: /run/flannel
166 |           name: run
167 |         - mountPath: /etc/kube-flannel/
168 |           name: flannel-cfg
169 |         - mountPath: /run/xtables.lock
170 |           name: xtables-lock
171 |       hostNetwork: true
172 |       initContainers:
173 |       - args:
174 |         - -f
175 |         - /flannel
176 |         - /opt/cni/bin/flannel
177 |         command:
178 |         - cp
179 |         image: docker.io/flannel/flannel-cni-plugin:v1.4.0-flannel1
180 |         name: install-cni-plugin
181 |         volumeMounts:
182 |         - mountPath: /opt/cni/bin
183 |           name: cni-plugin
184 |       - args:
185 |         - -f
186 |         - /etc/kube-flannel/cni-conf.json
187 |         - /etc/cni/net.d/10-flannel.conflist
188 |         command:
189 |         - cp
190 |         image: docker.io/flannel/flannel:v0.24.2
191 |         name: install-cni
192 |         volumeMounts:
193 |         - mountPath: /etc/cni/net.d
194 |           name: cni
195 |         - mountPath: /etc/kube-flannel/
196 |           name: flannel-cfg
197 |       priorityClassName: system-node-critical
198 |       serviceAccountName: flannel
199 |       tolerations:
200 |       - effect: NoSchedule
201 |         operator: Exists
202 |       volumes:
203 |       - hostPath:
204 |           path: /run/flannel
205 |         name: run
206 |       - hostPath:
207 |           path: /opt/cni/bin
208 |         name: cni-plugin
209 |       - hostPath:
210 |           path: /etc/cni/net.d
211 |         name: cni
212 |       - configMap:
213 |           name: kube-flannel-cfg
214 |         name: flannel-cfg
215 |       - hostPath:
216 |           path: /run/xtables.lock
217 |           type: FileOrCreate
218 |         name: xtables-lock
219 | 


--------------------------------------------------------------------------------
/create-single-master-cluster/playbook/inventory.yml:
--------------------------------------------------------------------------------
 1 | all:
 2 |   children:
 3 |     masters:
 4 |       hosts:
 5 |         172.16.1.11: null
 6 | 
 7 |     workers:
 8 |       hosts:
 9 |         172.16.2.11: null
10 |         172.16.2.12: null
11 |         172.16.2.13: null
12 | 


--------------------------------------------------------------------------------
/create-single-master-cluster/playbook/playbook.yml:
--------------------------------------------------------------------------------
  1 | ---
  2 | - hosts: masters, workers
  3 |   name: Setup masters and workers
  4 |   remote_user: ci
  5 |   become: true
  6 |   vars:
  7 |     os_version: xUbuntu_22.04
  8 |     crio_version: 1.28
  9 |     k8s_version: 1.28.2-00
 10 |   tasks:
 11 |     # https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#before-you-begin
 12 |     - name: Disable swap
 13 |       shell: swapoff -a
 14 | 
 15 |     - name: Remove swap entry from /etc/fstab
 16 |       lineinfile:
 17 |         dest: /etc/fstab
 18 |         regexp: swap
 19 |         state: absent
 20 | 
 21 |     - name: Load br_netfilter module
 22 |       shell: |
 23 |         cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
 24 |         br_netfilter
 25 |         EOF
 26 |         modprobe overlay
 27 |         modprobe br_netfilter
 28 | 
 29 |     - name: Configure iptables to see bridged traffic
 30 |       shell: |
 31 |         cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
 32 |         net.bridge.bridge-nf-call-iptables  = 1
 33 |         net.bridge.bridge-nf-call-ip6tables = 1
 34 |         net.ipv4.ip_forward                 = 1
 35 |         EOF
 36 | 
 37 |     - name: Read values from all system directories
 38 |       shell: sysctl --system
 39 | 
 40 |     # https://v1-28.docs.kubernetes.io/docs/setup/production-environment/container-runtimes/#cri-o
 41 |     - name: Install packages to allow apt to use a repository over HTTPS
 42 |       apt:
 43 |         name:
 44 |           - ca-certificates
 45 |           - gnupg
 46 |           - apt-transport-https
 47 |           - curl
 48 |           - gnupg2
 49 |           - software-properties-common
 50 |         state: present
 51 |         update_cache: yes
 52 | 
 53 |     - name: Add GPG key for kubic stable repository
 54 |       apt_key:
 55 |         url: https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/{{ os_version }}/Release.key
 56 |         state: present
 57 | 
 58 |     - name: Add GPG key for kubic crio {{ crio_version }} repository
 59 |       apt_key:
 60 |         url: https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:/{{ crio_version }}/{{ os_version }}/Release.key
 61 |         state: present
 62 | 
 63 |     - name: Add kubic stable repository
 64 |       apt_repository:
 65 |         repo: "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/{{ os_version }}/ /"
 66 |         state: present
 67 |         filename: devel:kubic:libcontainers:stable.list
 68 | 
 69 |     - name: Add kubic crio {{ crio_version }} repository
 70 |       apt_repository:
 71 |         repo: "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/{{ crio_version }}/{{ os_version }}/ /"
 72 |         state: present
 73 |         filename: devel:kubic:libcontainers:stable:cri-o:{{ crio_version }}.list
 74 | 
 75 |     - name: Update apt packages
 76 |       apt:
 77 |         update_cache: "yes"
 78 |         force_apt_get: "yes"
 79 | 
 80 |     - name: Install crio
 81 |       apt:
 82 |         name:
 83 |           - cri-o
 84 |           - cri-o-runc
 85 |         state: present
 86 |         update_cache: yes
 87 | 
 88 |     - name: Restart crio
 89 |       systemd:
 90 |         name: crio
 91 |         state: restarted
 92 |         enabled: yes
 93 |         daemon-reload: yes
 94 | 
 95 |     - name: Add Google Cloud public signing key
 96 |       apt_key:
 97 |         url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
 98 |         state: present
 99 | 
100 |     - name: Add Kubernetes repository
101 |       apt_repository:
102 |         repo: deb http://apt.kubernetes.io/ kubernetes-xenial main
103 |         state: present
104 |         filename: kubernetes
105 |         mode: 0600
106 | 
107 |     - name: Install kubelet, kubeadm and kubectl
108 |       apt:
109 |         name:
110 |           - kubeadm={{ k8s_version }}
111 |           - kubectl={{ k8s_version }}
112 |           - kubelet={{ k8s_version }}
113 |         state: present
114 | 
115 |     - name: Enable kubelet service
116 |       service:
117 |         name: kubelet
118 |         enabled: yes
119 | 
120 | - hosts: masters
121 |   name: Init cluster
122 |   remote_user: ci
123 |   become: true
124 |   vars:
125 |     control_plane_endpoint: 172.16.1.11
126 |     flannel_version: 0.24.2
127 |   tasks:
128 |     - name: Reset existing cluster
129 |       shell: kubeadm reset -f
130 | 
131 |     - name: Remove .kube in user home directory
132 |       shell: rm -rf .kube
133 | 
134 |     - name: Remove /etc/kubernetes/manifests directory
135 |       shell: rm -rf /etc/kubernetes/manifests
136 | 
137 |     - name: Remove /var/lib/etcd directory
138 |       shell: rm -rf /var/lib/etcd
139 | 
140 |     - name: Init kubernetes cluster
141 |       shell: kubeadm init --control-plane-endpoint={{ control_plane_endpoint }}:6443 --upload-certs --apiserver-advertise-address={{ control_plane_endpoint }} --pod-network-cidr=10.244.0.0/16
142 | 
143 |     # This got updated after the video
144 |     - name: Copy kube-flannel-v{{ flannel_version }}.yml
145 |       copy:
146 |         src: ../kube-flannel-v{{ flannel_version }}.yml
147 |         dest: /home/ci/kube-flannel-v{{ flannel_version }}.yml
148 |         owner: ci
149 |         group: ci
150 |         mode: '0644'
151 | 
152 |     - name: Deploy Flannel {{ flannel_version }} network
153 |       shell: kubectl --kubeconfig=/etc/kubernetes/admin.conf apply -f kube-flannel-v{{ flannel_version }}.yml
154 | 
155 |     - name: Print join command
156 |       shell: kubeadm token create --print-join-command
157 |       register: kubernetes_join_command
158 | 
159 |     - name: Copy join command to local
160 |       become: false
161 |       local_action: copy content="{{ kubernetes_join_command.stdout_lines[0] }}" dest="/tmp/kubernetes_join_command" mode=0777
162 | 
163 |     - name: Create directory for kube config
164 |       file:
165 |         path: /home/ci/.kube
166 |         state: directory
167 |         owner: ci
168 |         group: ci
169 |         mode: 0755
170 | 
171 |     - name: Copy /etc/kubernetes/admin.conf to user home directory
172 |       become_user: root
173 |       become_method: sudo
174 |       become: true
175 |       copy:
176 |         src: /etc/kubernetes/admin.conf
177 |         dest: /home/ci/.kube/config
178 |         remote_src: yes
179 |         owner: ci
180 |         group: ci
181 |         mode: '0644'
182 | 
183 |     # This got updated after the video
184 |     # Because of https://github.com/kubernetes/kubernetes/issues/60835#issuecomment-395931644
185 |     - name: Edit kubeadm.conf
186 |       blockinfile:
187 |         path: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
188 |         block: |
189 |           Environment="KUBELET_EXTRA_ARGS=--node-ip={{ inventory_hostname }}"
190 | 
191 |     - name: Restart kubelet service
192 |       service:
193 |         name: kubelet
194 |         daemon-reload: yes
195 |         state: restarted
196 | 
197 | - hosts: workers
198 |   name: Join workers
199 |   remote_user: ci
200 |   become: true
201 |   tasks:
202 |     - name: Reset existing cluster
203 |       shell: kubeadm reset -f
204 | 
205 |     - name: Remove .kube in user home directory
206 |       shell: rm -rf .kube
207 | 
208 |     - name: Remove /etc/kubernetes/manifests directory
209 |       shell: rm -rf /etc/kubernetes/manifests
210 | 
211 |     - name: Copy join command to workers
212 |       copy:
213 |         src: /tmp/kubernetes_join_command
214 |         dest: /tmp/kubernetes_join_command
215 |         mode: 0777
216 | 
217 |     - name: Execute worker join command
218 |       shell: sh /tmp/kubernetes_join_command
219 | 
220 |     # This got updated after the video
221 |     # Because of https://github.com/kubernetes/kubernetes/issues/60835#issuecomment-395931644
222 |     - name: Edit kubeadm.conf
223 |       blockinfile:
224 |         path: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
225 |         block: |
226 |           Environment="KUBELET_EXTRA_ARGS=--node-ip={{ inventory_hostname }}"
227 | 
228 |     - name: Restart kubelet service
229 |       service:
230 |         name: kubelet
231 |         daemon-reload: yes
232 |         state: restarted
233 | 


--------------------------------------------------------------------------------
/create-single-master-cluster/setup.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tranductrinh/k8s/4ecb0802080582a13066ac335d57e5f649d459c8/create-single-master-cluster/setup.png


--------------------------------------------------------------------------------
/create-virtualbox-vm/README.md:
--------------------------------------------------------------------------------
 1 | # Create a Virtualbox guest VM by Vagrant
 2 | 
 3 | ## Prerequisites
 4 | * A public key in .ssh/id_rsa.pub in your home directory
 5 | * Directly download [Virtualbox](https://www.virtualbox.org/) and install, or use homebrew
 6 |     ```
 7 |     brew install --cask virtualbox
 8 |     ```
 9 | * Vagrant
10 |     ```
11 |     brew install --cask vagrant
12 |     ```
13 | * [(Optional) Vagrant Manager](http://vagrantmanager.com/)
14 |     ```
15 |     brew install --cask vagrant-manager
16 |     ```
17 | 
18 | ## Provision VM
19 | ```
20 | cd create-virtualbox-vm
21 | vagrant up
22 | ```
23 | 
24 | Let's ssh into the Virtualbox guest VM
25 | ```
26 | ssh ci@172.16.16.16
27 | ```
28 | 


--------------------------------------------------------------------------------
/create-virtualbox-vm/Vagrantfile:
--------------------------------------------------------------------------------
 1 | Vagrant.configure("2") do |config|
 2 |     # Disclaimer: Not sure if this works, I just updated here from generic/ubuntu2004 to generic/ubuntu2204
 3 |     config.vm.box = "generic/ubuntu2204"
 4 |     config.vm.box_version = "3.6.8"
 5 |     config.vm.hostname = "virtualbox-guest-vm"
 6 |     config.vm.network "private_network", ip: "172.16.16.16"
 7 | 
 8 |     config.vm.provider "virtualbox" do |vb|
 9 |         vb.name = "virtualbox-guest-vm"
10 |         vb.memory = 1024
11 |         vb.cpus = 1
12 |     end
13 | 
14 |     config.vm.provision "shell" do |s|
15 |         ssh_pub_key = File.readlines("#{Dir.home}/.ssh/id_rsa.pub").first.strip
16 |         s.inline = <<-SHELL
17 |             # Create ci user
18 |             useradd -s /bin/bash -d /home/ci/ -m -G sudo ci
19 |             echo 'ci ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
20 |             mkdir -p /home/ci/.ssh && chown -R ci /home/ci/.ssh
21 |             echo #{ssh_pub_key} >> /home/ci/.ssh/authorized_keys
22 |         SHELL
23 |     end
24 | end
25 | 


--------------------------------------------------------------------------------
/getting-started-with-ansible/Ansible.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tranductrinh/k8s/4ecb0802080582a13066ac335d57e5f649d459c8/getting-started-with-ansible/Ansible.png


--------------------------------------------------------------------------------
/getting-started-with-ansible/README.md:
--------------------------------------------------------------------------------
 1 | # Getting Started with Ansible
 2 | 
 3 | ## Key Concepts
 4 | ![Ansible Key Concepts](Ansible.png?raw=true "Ansible.png")
 5 | 
 6 | ## Prerequisites
 7 | Before you want to try this on your local, here are requirements
 8 | * A public key in .ssh/id_rsa.pub in your home directory
 9 | * Directly download [Virtualbox](https://www.virtualbox.org/) and install, or use homebrew
10 |     ```
11 |     brew install --cask virtualbox
12 |     ```
13 | * Vagrant
14 |     ```
15 |     brew install --cask vagrant
16 |     ```
17 | * Ansible
18 |     ```
19 |     brew install ansible
20 |     ```
21 | 
22 | ## Provision VMs
23 | ```
24 | cd getting-started-with-ansible
25 | vagrant up
26 | ```
27 | 
28 | Let's ssh into two guest VMs
29 | ```
30 | ssh ci@172.16.16.11
31 | ```
32 | ```
33 | ssh ci@172.16.16.12
34 | ```
35 | 
36 | ## Ad-hoc Commands
37 | 
38 | Ping two guest VMs
39 | ```
40 | ansible all -i inventory.yaml -m ping -u ci
41 | ```
42 | 
43 | Check current directory after login
44 | ```
45 | ansible all -i inventory.yaml -m shell -a "pwd" -u ci
46 | ```
47 | 
48 | ## Playbook
49 | See all available  [Ansible modules](https://docs.ansible.com/ansible/2.9/modules/list_of_all_modules.html) 
50 | 
51 | Execute playbook to install Docker on guest VMs
52 | ```
53 | ansible-playbook -i inventory.yaml playbook.yml
54 | ```
55 | 


--------------------------------------------------------------------------------
/getting-started-with-ansible/Vagrantfile:
--------------------------------------------------------------------------------
 1 | Vagrant.configure("2") do |config|
 2 |     # Nodes
 3 |     NodeCount = 2
 4 |     (1..NodeCount).each do |i|
 5 |         config.vm.define "virtualbox-guest-vm-#{i}" do |vv|
 6 |             vv.vm.box = "generic/ubuntu2004"
 7 |             vv.vm.box_version = "3.6.8"
 8 |             vv.vm.hostname = "virtualbox-guest-vm-#{i}"
 9 |             vv.vm.network "private_network", ip: "172.16.16.1#{i}"
10 | 
11 |             vv.vm.provider "virtualbox" do |vb|
12 |                 vb.name = "virtualbox-guest-vm-#{i}"
13 |                 vb.memory = 1024
14 |                 vb.cpus = 1
15 |             end
16 |         end
17 |     end
18 | 
19 |     config.vm.provision "shell" do |s|
20 |         ssh_pub_key = File.readlines("#{Dir.home}/.ssh/id_rsa.pub").first.strip
21 |         s.inline = <<-SHELL
22 |             # Create ci user
23 |             useradd -s /bin/bash -d /home/ci/ -m -G sudo ci
24 |             echo 'ci ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
25 |             mkdir -p /home/ci/.ssh && chown -R ci /home/ci/.ssh
26 |             echo #{ssh_pub_key} >> /home/ci/.ssh/authorized_keys
27 |         SHELL
28 |     end
29 | end
30 | 


--------------------------------------------------------------------------------
/getting-started-with-ansible/inventory.yaml:
--------------------------------------------------------------------------------
1 | all:
2 |   hosts:
3 |     172.16.16.11:
4 |     172.16.16.12:
5 | 


--------------------------------------------------------------------------------
/getting-started-with-ansible/playbook.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | 
 3 | - hosts: all
 4 |   name: Install Docker
 5 |   remote_user: ci
 6 |   become: yes
 7 |   tasks:
 8 |     # https://docs.docker.com/engine/install/ubuntu/#installation-methods
 9 |     - name: Install packages to allow apt to use a repository over HTTPS
10 |       apt:
11 |         name:
12 |           - ca-certificates
13 |           - gnupg
14 |           - apt-transport-https
15 |         state: present
16 |         update_cache: yes
17 | 
18 |     - name: Add Docker’s official GPG key
19 |       apt_key:
20 |         url: https://download.docker.com/linux/ubuntu/gpg
21 |         state: present
22 | 
23 |     - name: Get Ubuntu release version
24 |       shell: lsb_release -cs
25 |       register: ubuntu_version
26 | 
27 |     - name: Get architecture
28 |       shell: dpkg --print-architecture
29 |       register: architecture
30 | 
31 |     - name: Add Docker repository
32 |       apt_repository:
33 |         repo: "deb [arch={{ architecture.stdout }}] https://download.docker.com/linux/ubuntu {{ ubuntu_version.stdout }} stable"
34 |         state: present
35 |         filename: docker
36 | 
37 |     - name: Update apt packages
38 |       apt:
39 |         update_cache: "yes"
40 |         force_apt_get: "yes"
41 | 
42 |     - name: Install Docker engine
43 |       apt:
44 |         name:
45 |           - docker-ce
46 |           - docker-ce-cli
47 |           - containerd.io
48 |         state: present
49 |         update_cache: yes
50 | 
51 |     - name: Add current user to docker group
52 |       user:
53 |         name: "{{ ansible_user }}"
54 |         groups: docker
55 |         append: yes
56 |       become: yes
57 | 
58 | 
59 | 


--------------------------------------------------------------------------------
/getting-started-with-ansible/sample_inventory.yaml:
--------------------------------------------------------------------------------
 1 | all:
 2 |   hosts:
 3 |     mail.example.com:
 4 |   children:
 5 |     webservers:
 6 |       hosts:
 7 |         foo.example.com:
 8 |         bar.example.com:
 9 |     dbservers:
10 |       hosts:
11 |         one.example.com:
12 |         two.example.com:
13 |         three.example.com:
14 |     east:
15 |       hosts:
16 |         foo.example.com:
17 |         one.example.com:
18 |         two.example.com:
19 |     west:
20 |       hosts:
21 |         bar.example.com:
22 |         three.example.com:
23 |     prod:
24 |       children:
25 |         east:
26 |     test:
27 |       children:
28 |         west:
29 | 


--------------------------------------------------------------------------------
/jaegertracing/README.md:
--------------------------------------------------------------------------------
 1 | # Distributed Tracing Platform
 2 | Jaeger: open source, end-to-end distributed tracing
 3 | 
 4 | ## Prerequisites
 5 | * A k8s cluster
 6 | * [Helm](https://helm.sh/)
 7 | 
 8 | ## Setup Kubernetes cluster
 9 | Follow * [Load balancing requests to Kubernetes services with external haproxy and NGINX Ingress Controller](../load-balancing-services)
10 | 
11 | ## Install cert-manager and trust-manager
12 | ```shell
13 | helm repo add jetstack https://charts.jetstack.io --force-update
14 | helm upgrade -i -n cert-system cert-manager jetstack/cert-manager --set installCRDs=true --wait --create-namespace
15 | helm upgrade -i -n cert-system trust-manager jetstack/trust-manager --wait --set app.trust.namespace=cert-system
16 | ```
17 | 
18 | ```shell
19 | NAME              	NAMESPACE         	REVISION	UPDATED                             	STATUS  	CHART                                	APP VERSION
20 | cert-manager      	cert-system       	1       	2023-02-26 11:18:08.553011 +0700 +07	deployed	cert-manager-v1.11.0                 	v1.11.0
21 | trust-manager     	cert-system       	1       	2023-02-26 11:19:08.579392 +0700 +07	deployed	trust-manager-v0.4.0                 	v0.4.0
22 | ```
23 | 
24 | ## Create a Bundle using the default CAs
25 | ```shell
26 | kubectl apply -f trust-bundle.yml
27 | kubectl get bundle trust-bundle
28 | kubectl get configmap trust-bundle -o "jsonpath={.data['trust-bundle\.pem']}"
29 | ```
30 | 
31 | ## Create cluster issuer
32 | ```shell
33 | kubectl apply -f cluster-issuer.yml
34 | ```
35 | 
36 | ## Install Jaeger Operator
37 | ```shell
38 | kubectl create ns observability-system
39 | kubectl apply -f jaeger-operator-v1.42.0.yml
40 | ```
41 | 
42 | ## Deploy the AllInOne image
43 | Replace `172.16.0.16` with IP from your cluster.
44 | ```shell
45 | kubectl apply -f simplest.yaml
46 | ```
47 | 
48 | Open on browser [http://jaegerui.172.16.0.16.nip.io/](http://jaegerui.172.16.0.16.nip.io/).
49 | 
50 | ## Deploy Rides on Demand
51 | https://github.com/jaegertracing/jaeger/tree/main/examples/hotrod
52 | 
53 | Replace `172.16.0.16` with IP from your cluster.
54 | ```shell
55 | kubectl apply -f example-hotrod.yaml
56 | ```
57 | 
58 | Open on browser [http://example-hotrod.172.16.0.16.nip.io/](http://example-hotrod.172.16.0.16.nip.io/).
59 | 
60 | 


--------------------------------------------------------------------------------
/jaegertracing/cluster-issuer.yml:
--------------------------------------------------------------------------------
1 | apiVersion: cert-manager.io/v1
2 | kind: ClusterIssuer
3 | metadata:
4 |   name: trust-manager-selfsigned-cluster-issuer
5 | spec:
6 |   selfSigned: {}
7 | 


--------------------------------------------------------------------------------
/jaegertracing/example-hotrod.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: apps/v1
 2 | kind: Deployment
 3 | metadata:
 4 |   name: example-hotrod
 5 | spec:
 6 |   selector:
 7 |     matchLabels:
 8 |       run: example-hotrod
 9 |   replicas: 1
10 |   template:
11 |     metadata:
12 |       labels:
13 |         run: example-hotrod
14 |     spec:
15 |       containers:
16 |         - name: example-hotrod
17 |           image: jaegertracing/example-hotrod:1.42
18 |           ports:
19 |             - containerPort: 8080
20 |           env:
21 |             - name: OTEL_EXPORTER_JAEGER_ENDPOINT
22 |               value: http://simplest-collector.observability-system.svc.cluster.local:14268/api/traces
23 | ---
24 | apiVersion: v1
25 | kind: Service
26 | metadata:
27 |   name: example-hotrod
28 |   labels:
29 |     run: example-hotrod
30 | spec:
31 |   ports:
32 |     - port: 8080
33 |       protocol: TCP
34 |   selector:
35 |     run: example-hotrod
36 | 
37 | ---
38 | apiVersion: networking.k8s.io/v1
39 | kind: Ingress
40 | metadata:
41 |   name: my-example-hotrod
42 |   annotations:
43 |     nginx.ingress.kubernetes.io/rewrite-target: /
44 | spec:
45 |   ingressClassName: nginx
46 |   rules:
47 |     - host: example-hotrod.172.16.0.16.nip.io
48 |       http:
49 |         paths:
50 |           - path: /
51 |             pathType: Prefix
52 |             backend:
53 |               service:
54 |                 name: example-hotrod
55 |                 port:
56 |                   number: 8080
57 | 


--------------------------------------------------------------------------------
/jaegertracing/simplest.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: jaegertracing.io/v1
 2 | kind: Jaeger
 3 | metadata:
 4 |   name: simplest
 5 |   namespace: observability-system
 6 | spec:
 7 |   strategy: allInOne
 8 |   allInOne:
 9 |     image: jaegertracing/all-in-one:latest 
10 |     options:
11 |       log-level: debug
12 |   storage:
13 |     type: memory
14 |     options:
15 |       memory:
16 |         max-traces: 100000
17 |   ingress:
18 |     enabled: false
19 | ---
20 | apiVersion: networking.k8s.io/v1
21 | kind: Ingress
22 | metadata:
23 |   name: my-simplest
24 |   namespace: observability-system
25 |   annotations:
26 |     nginx.ingress.kubernetes.io/rewrite-target: /
27 | spec:
28 |   ingressClassName: nginx
29 |   rules:
30 |     - host: jaegerui.172.16.0.16.nip.io
31 |       http:
32 |         paths:
33 |           - path: /
34 |             pathType: Prefix
35 |             backend:
36 |               service:
37 |                 name: simplest-query
38 |                 port:
39 |                   number: 16686
40 | 


--------------------------------------------------------------------------------
/jaegertracing/trust-bundle.yml:
--------------------------------------------------------------------------------
 1 | apiVersion: trust.cert-manager.io/v1alpha1
 2 | kind: Bundle
 3 | metadata:
 4 |   name: trust-bundle
 5 | spec:
 6 |   sources:
 7 |     - useDefaultCAs: true
 8 |   target:
 9 |     configMap:
10 |       key: "trust-bundle.pem"


--------------------------------------------------------------------------------
/load-balancing-services/README.md:
--------------------------------------------------------------------------------
 1 | # Set up load balancing requests to Kubernetes services with Ingress NGINX
 2 | 
 3 | ![setup.png](setup.png?raw=true "setup.png")
 4 | 
 5 | ## Prerequisites
 6 | Before you want to try this on your local, here are requirements
 7 | * Directly download [Virtualbox](https://www.virtualbox.org/) and install, or use homebrew
 8 |     ```
 9 |     brew install --cask virtualbox
10 |     ```
11 | * Vagrant
12 |     ```
13 |     brew install --cask vagrant
14 |     ```
15 | * [(Optional) Vagrant Manager](http://vagrantmanager.com/)
16 |     ```
17 |     brew install --cask vagrant-manager
18 |     ```
19 | 
20 | ## Setup Kubernetes cluster
21 | Follow [Create a HA Kubernetes cluster with kubeadm, keepalived, and haproxy by Ansible](../create-ha-cluster) to set up a HA Kubernetes cluster.
22 | 
23 | ## Install NGINX ingress controller
24 | ```shell
25 | kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/baremetal/deploy.yaml
26 | kubectl -n ingress-nginx  get pods
27 | ```
28 | 
29 | Patch `ingress-nginx-controller` service to set `nodePort` to `30100` and `30101`
30 | ```shell
31 | kubectl -n ingress-nginx patch svc ingress-nginx-controller --patch \
32 |   '{"spec": { "type": "NodePort", "ports": [ { "port": 80, "nodePort": 30100 }, { "port": 443, "nodePort": 30101 } ] } }'
33 | kubectl -n ingress-nginx get svc
34 | ```
35 | 
36 | Patch `ingress-nginx-controller` configmap to for [use-proxy-protocol](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-proxy-protocol)
37 | ```shell
38 | kubectl -n ingress-nginx patch configmap ingress-nginx-controller --patch-file patch-configmap.yaml
39 | ```
40 | 
41 | ## Configure load balancing requests to ingress-nginx service
42 | See task `Configure haproxy` in [lb_playbook.yml](../create-ha-cluster/playbook/lb_playbook.yml)
43 | 
44 | ## Verify by deploying a nginx into Kubernetes cluster
45 | Source: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/
46 | 
47 | Deploy
48 | ```shell
49 | kubectl apply -f my-nginx-deploy.yaml
50 | kubectl get pods -l run=my-nginx
51 | ```
52 | 
53 | Expose service
54 | ```shell
55 | kubectl apply -f my-nginx-svc.yaml
56 | kubectl get svc my-nginx
57 | ```
58 | 
59 | [nip.io](https://nip.io/) allows us to map any IP Address to a hostname using the defined formats, then we do not need to edit `etc/hosts` file 
60 | ```shell
61 | kubectl apply -f my-nginx-ingress.yaml
62 | ```
63 | 
64 | Open on browser [http://172.16.0.16.nip.io](http://172.16.0.16.nip.io), or
65 | ```shell
66 | open http://172.16.0.16.nip.io
67 | ```
68 | 
69 | 


--------------------------------------------------------------------------------
/load-balancing-services/my-nginx-deploy.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: apps/v1
 2 | kind: Deployment
 3 | metadata:
 4 |   name: my-nginx
 5 | spec:
 6 |   selector:
 7 |     matchLabels:
 8 |       run: my-nginx
 9 |   replicas: 2
10 |   template:
11 |     metadata:
12 |       labels:
13 |         run: my-nginx
14 |     spec:
15 |       containers:
16 |         - name: my-nginx
17 |           image: nginx
18 |           ports:
19 |             - containerPort: 80
20 | 


--------------------------------------------------------------------------------
/load-balancing-services/my-nginx-ingress.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: networking.k8s.io/v1
 2 | kind: Ingress
 3 | metadata:
 4 |   name: my-nginx
 5 |   annotations:
 6 |     nginx.ingress.kubernetes.io/rewrite-target: /
 7 | spec:
 8 |   ingressClassName: nginx
 9 |   rules:
10 |     - host: 172.16.0.16.nip.io
11 |       http:
12 |         paths:
13 |           - path: /
14 |             pathType: Prefix
15 |             backend:
16 |               service:
17 |                 name: my-nginx
18 |                 port:
19 |                   number: 80
20 | 


--------------------------------------------------------------------------------
/load-balancing-services/my-nginx-svc.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | kind: Service
 3 | metadata:
 4 |   name: my-nginx
 5 |   labels:
 6 |     run: my-nginx
 7 | spec:
 8 |   ports:
 9 |     - port: 80
10 |       protocol: TCP
11 |   selector:
12 |     run: my-nginx
13 | 


--------------------------------------------------------------------------------
/load-balancing-services/patch-configmap.yaml:
--------------------------------------------------------------------------------
1 | kind: ConfigMap
2 | apiVersion: v1
3 | metadata:
4 |   name: ingress-nginx-controller
5 |   namespace: ingress-nginx
6 | data:
7 |   # https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-proxy-protocol
8 |   use-proxy-protocol: "true"
9 | 


--------------------------------------------------------------------------------
/load-balancing-services/setup.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tranductrinh/k8s/4ecb0802080582a13066ac335d57e5f649d459c8/load-balancing-services/setup.png


--------------------------------------------------------------------------------
/metallb/README.md:
--------------------------------------------------------------------------------
 1 | # MetalLB
 2 | 
 3 | ## Prerequisites
 4 | * [Virtualbox](https://www.virtualbox.org/)
 5 | * [Vagrant](https://www.vagrantup.com/)
 6 | * [Ansible](https://www.ansible.com/)
 7 | * [Helm](https://helm.sh/)
 8 | 
 9 | ## Setup Kubernetes cluster
10 | If you don't have a running cluster, follow [Create a single-master Kubernetes cluster with kubeadm by Ansible](../create-single-master-cluster) to set up a Kubernetes cluster.
11 | 
12 | ## Deploy a nginx into Kubernetes cluster
13 | Source: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/
14 | 
15 | Deploy
16 | ```shell
17 | kubectl apply -f my-nginx-deploy.yaml
18 | kubectl get pods -l run=my-nginx
19 | ```
20 | 
21 | Expose service type `LoadBalancer`
22 | ```shell
23 | kubectl apply -f my-nginx-svc.yaml
24 | kubectl get svc my-nginx
25 | ```
26 | 
27 | You will see that `EXTERNAL-IP` is always `pending`.
28 | 
29 | ## Install MetalLB with Helm
30 | Source: https://metallb.universe.tf/installation/#installation-with-helm
31 | 
32 | Install
33 | ```shell
34 | helm repo add metallb https://metallb.github.io/metallb
35 | helm install metallb metallb/metallb -f values.yaml
36 | ```
37 | 
38 | If you want to uninstall MetalLB, run `helm uninstall metallb`.
39 | 
40 | List all releases
41 | ```shell
42 | helm list --all -A
43 | ```
44 | 
45 | ## Verify
46 | Get services again
47 | ```shell
48 | kubectl get svc my-nginx
49 | ```
50 | 
51 | You will see that `EXTERNAL-IP` is assigned with an IP.
52 | 
53 | In order to be able to connect to the IP, you will need to be inside VM networks. SSH into the first master VM, then try to `curl` to the `EXTERNAL-IP` that you see above.
54 | ```shell
55 | ssh ci@172.16.1.11
56 | ```
57 | 
58 | If you would like to connect to the IP from your host, you can set up `Bridged Networking` on VirtualBox VMs, which is not covered here!
59 | 


--------------------------------------------------------------------------------
/metallb/my-nginx-deploy.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: apps/v1
 2 | kind: Deployment
 3 | metadata:
 4 |   name: my-nginx
 5 | spec:
 6 |   selector:
 7 |     matchLabels:
 8 |       run: my-nginx
 9 |   replicas: 2
10 |   template:
11 |     metadata:
12 |       labels:
13 |         run: my-nginx
14 |     spec:
15 |       containers:
16 |         - name: my-nginx
17 |           image: nginx
18 |           ports:
19 |             - containerPort: 80
20 | 


--------------------------------------------------------------------------------
/metallb/my-nginx-ingress.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: networking.k8s.io/v1
 2 | kind: Ingress
 3 | metadata:
 4 |   name: my-nginx
 5 |   annotations:
 6 |     nginx.ingress.kubernetes.io/rewrite-target: /
 7 | spec:
 8 |   ingressClassName: nginx
 9 |   rules:
10 |     - host: 172.16.0.16.nip.io
11 |       http:
12 |         paths:
13 |           - path: /
14 |             pathType: Prefix
15 |             backend:
16 |               service:
17 |                 name: my-nginx
18 |                 port:
19 |                   number: 80
20 | 


--------------------------------------------------------------------------------
/metallb/my-nginx-svc.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | kind: Service
 3 | metadata:
 4 |   name: my-nginx
 5 |   labels:
 6 |     run: my-nginx
 7 | spec:
 8 |   ports:
 9 |     - port: 80
10 |       protocol: TCP
11 |   type: LoadBalancer
12 |   selector:
13 |     run: my-nginx
14 | 


--------------------------------------------------------------------------------
/metallb/values.yaml:
--------------------------------------------------------------------------------
1 | configInline:
2 |   address-pools:
3 |     - name: default
4 |       protocol: layer2
5 |       addresses:
6 |         - 172.16.16.10-172.16.16.100
7 | 


--------------------------------------------------------------------------------
/nfs-subdir-external-provisioner/README.md:
--------------------------------------------------------------------------------
  1 | # NFS Subdir External Provisioner
  2 | 
  3 | ![Setup.png](Setup.png?raw=true "Setup.png")
  4 | 
  5 | ## Prerequisites
  6 | * [Virtualbox](https://www.virtualbox.org/)
  7 | * [Vagrant](https://www.vagrantup.com/)
  8 | * [Ansible](https://www.ansible.com/)
  9 | * [Helm](https://helm.sh/)
 10 | 
 11 | ## Setup Kubernetes cluster
 12 | Follow [Create a single-master Kubernetes cluster with kubeadm by Ansible](../create-single-master-cluster) to set up a Kubernetes cluster.
 13 | 
 14 | ## Setup NFS Server
 15 | ### Provision NFS VM
 16 | ```
 17 | cd nfs-subdir-external-provisioner
 18 | vagrant up
 19 | ```
 20 | 
 21 | ### Manual setup NFS Server
 22 | Source: https://www.tecmint.com/install-nfs-server-on-ubuntu/
 23 | 
 24 | #### Install NFS Kernel Server
 25 | ```
 26 | ssh ci@172.16.4.11
 27 | sudo apt update
 28 | sudo apt install nfs-kernel-server
 29 | ```
 30 | 
 31 | #### Create an NFS Export Directory
 32 | ```
 33 | sudo mkdir -p /mnt/nfs_share
 34 | sudo chown -R nobody:nogroup /mnt/nfs_share/
 35 | sudo chmod 777 /mnt/nfs_share/
 36 | ```
 37 | 
 38 | If you run `sudo ls /mnt/nfs_share/`, it should return empty directory.
 39 | 
 40 | #### Grant NFS Share Access to Client Systems
 41 | ```shell
 42 | sudo vi /etc/exports
 43 | ```
 44 | 
 45 | Add following lines to grant access from workers
 46 | ```text
 47 | /mnt/nfs_share 172.16.0.0/16(rw,insecure,sync,no_subtree_check)
 48 | ```
 49 | 
 50 | #### Export the NFS Share Directory
 51 | ```shell
 52 | sudo exportfs -a
 53 | sudo systemctl restart nfs-kernel-server
 54 | ```
 55 | 
 56 | #### Allow NFS Access through the Firewall
 57 | Check firewall status
 58 | ```shell
 59 | sudo ufw status
 60 | ```
 61 | 
 62 | If your firewall is enabled, then allow workers to connect to NFS port.
 63 | ```shell
 64 | sudo ufw allow from 172.16.0.0/16 to any port nfs
 65 | sudo ufw status numbered
 66 | ```
 67 | 
 68 | #### Install the NFS-Common Package on Workers
 69 | Worker 1
 70 | ```
 71 | ssh ci@172.16.2.11
 72 | sudo apt update
 73 | sudo apt install nfs-common
 74 | ```
 75 | 
 76 | Worker 2
 77 | ```
 78 | ssh ci@172.16.2.12
 79 | sudo apt update
 80 | sudo apt install nfs-common
 81 | ```
 82 | 
 83 | Worker 3
 84 | ```
 85 | ssh ci@172.16.2.13
 86 | sudo apt update
 87 | sudo apt install nfs-common
 88 | ```
 89 | 
 90 | ## Install NFS Subdir External Provisioner with Helm
 91 | Source: https://github.com/kubernetes-sigs/nfs-subdir-external-provisioner
 92 | 
 93 | Install
 94 | ```shell
 95 | helm repo add nfs-subdir-external-provisioner https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/
 96 | helm install nfs-subdir-external-provisioner nfs-subdir-external-provisioner/nfs-subdir-external-provisioner \
 97 |     --set nfs.server=172.16.4.11 \
 98 |     --set nfs.path=/mnt/nfs_share
 99 | ```
100 | 
101 | If you want to uninstall `nfs-subdir-external-provisioner`, run `helm uninstall nfs-subdir-external-provisioner`.
102 | 
103 | List StorageClass
104 | ```shell
105 | kubectl get storageclass
106 | ```
107 | There is `nfs-client` StorageClass created.
108 | 
109 | ## Verify
110 | ```shell
111 | kubectl apply -f my-nginx-pvc.yaml
112 | kubectl get pvc
113 | ```
114 | 
115 | `my-nginx-pvc` PersistentVolumeClaim is in `Bound` status. You should note the `VOLUME` hash.
116 | 
117 | ```shell
118 | kubectl apply -f my-nginx-deploy.yaml
119 | kubectl get pod
120 | ```
121 | 
122 | SSH to NFS Server, and check shared directory.
123 | ```shell
124 | ssh ci@172.16.4.11
125 | cd /mnt/nfs_share
126 | ls -alh
127 | ```
128 | 
129 | There is a directory inside `/mnt/nfs_share`, it has the `VOLUME` hash that you see above.
130 | 
131 | ```shell
132 | cd _VOLUME_HASH_DIRECTORY_
133 | echo "Hello from a PV on NFS Server" >> index.html
134 | ```
135 | 
136 | Create service
137 | ```shell
138 | kubectl apply -f my-nginx-svc.yaml
139 | kubectl get svc
140 | ```
141 | 
142 | Open `http://172.16.1.11:30080/` on browser.
143 | 


--------------------------------------------------------------------------------
/nfs-subdir-external-provisioner/Setup.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tranductrinh/k8s/4ecb0802080582a13066ac335d57e5f649d459c8/nfs-subdir-external-provisioner/Setup.png


--------------------------------------------------------------------------------
/nfs-subdir-external-provisioner/Vagrantfile:
--------------------------------------------------------------------------------
 1 | Vagrant.configure("2") do |config|
 2 |     config.vm.box = "generic/ubuntu2004"
 3 |     config.vm.box_version = "3.6.8"
 4 |     config.vm.hostname = "k8s-nfs"
 5 |     config.vm.network "private_network", ip: "172.16.4.11"
 6 | 
 7 |     config.vm.provider "virtualbox" do |vb|
 8 |         vb.name = "k8s-nfs"
 9 |         vb.memory = 1024
10 |         vb.cpus = 1
11 |     end
12 | 
13 |     config.vm.provision "shell" do |s|
14 |         ssh_pub_key = File.readlines("#{Dir.home}/.ssh/id_rsa.pub").first.strip
15 |         s.inline = <<-SHELL
16 |             # Create ci user
17 |             useradd -s /bin/bash -d /home/ci/ -m -G sudo ci
18 |             echo 'ci ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
19 |             mkdir -p /home/ci/.ssh && chown -R ci /home/ci/.ssh
20 |             echo #{ssh_pub_key} >> /home/ci/.ssh/authorized_keys
21 |         SHELL
22 |     end
23 | end
24 | 


--------------------------------------------------------------------------------
/nfs-subdir-external-provisioner/my-nginx-deploy.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: apps/v1
 2 | kind: Deployment
 3 | metadata:
 4 |   name: my-nginx
 5 | spec:
 6 |   selector:
 7 |     matchLabels:
 8 |       run: my-nginx
 9 |   replicas: 2
10 |   template:
11 |     metadata:
12 |       labels:
13 |         run: my-nginx
14 |     spec:
15 |       containers:
16 |         - name: my-nginx
17 |           image: nginx
18 |           ports:
19 |             - containerPort: 80
20 |               name: http
21 |           volumeMounts:
22 |             - mountPath: "/usr/share/nginx/html"
23 |               name: my-nginx-pv
24 |       volumes:
25 |         - name: my-nginx-pv
26 |           persistentVolumeClaim:
27 |             claimName: my-nginx-pvc
28 | 


--------------------------------------------------------------------------------
/nfs-subdir-external-provisioner/my-nginx-pvc.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | kind: PersistentVolumeClaim
 3 | metadata:
 4 |   name: my-nginx-pvc
 5 | spec:
 6 |   accessModes:
 7 |     - ReadWriteOnce
 8 |   volumeMode: Filesystem
 9 |   resources:
10 |     requests:
11 |       storage: 1Gi
12 |   storageClassName: nfs-client
13 | 


--------------------------------------------------------------------------------
/nfs-subdir-external-provisioner/my-nginx-svc.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | kind: Service
 3 | metadata:
 4 |   name: my-nginx
 5 |   labels:
 6 |     run: my-nginx
 7 | spec:
 8 |   ports:
 9 |     - port: 80
10 |       nodePort: 30080
11 |       protocol: TCP
12 |   type: NodePort
13 |   selector:
14 |     run: my-nginx
15 | 


--------------------------------------------------------------------------------
/rook-ceph/README.md:
--------------------------------------------------------------------------------
 1 | # Set up Rook Ceph on a bare-metal cluster
 2 | 
 3 | ## Prerequisites
 4 | * [Virtualbox](https://www.virtualbox.org/)
 5 | * [Vagrant](https://www.vagrantup.com/)
 6 | * [Ansible](https://www.ansible.com/)
 7 | * [Helm](https://helm.sh/)
 8 | 
 9 | ## Set up Kubernetes cluster
10 | Bring up VMs: 1 master and 3 workers.
11 | ```shell
12 | cd rook-ceph
13 | vagrant up
14 | ```
15 | 
16 | SSH into `k8s-worker-1`, then list block devices.
17 | ```shell
18 | ssh ci@172.16.2.11
19 | lsblk
20 | ```
21 | 
22 | Provision a cluster
23 | ```shell
24 | cd ../create-single-master-cluster
25 | ansible-playbook -i playbook/inventory.yml playbook/playbook.yml
26 | ```
27 | 
28 | Download kubeconfig to  your local
29 | ```shell
30 | mkdir ~/.kube-local
31 | scp ci@172.16.1.11:/home/ci/.kube/config ~/.kube-local/config
32 | export KUBECONFIG=~/.kube-local/config && kubectl get nodes
33 | ```
34 | 
35 | ## Deploy Ceph Operator
36 | ```shell
37 | helm repo add rook-release https://charts.rook.io/release
38 | helm upgrade --install --create-namespace --namespace rook-ceph rook-ceph rook-release/rook-ceph
39 | ```
40 | 
41 | ```shell
42 | kubectl --namespace rook-ceph get pods -l "app=rook-ceph-operator"
43 | ```
44 | 
45 | ## Deploy Ceph Cluster
46 | ```shell
47 | helm repo add rook-release https://charts.rook.io/release
48 | helm upgrade --install --create-namespace --namespace rook-ceph rook-ceph-cluster \
49 |    --set operatorNamespace=rook-ceph rook-release/rook-ceph-cluster
50 | ```
51 | 
52 | ```shell
53 | kubectl --namespace rook-ceph get pods
54 | ```
55 | 
56 | Verify that the cluster is in a healthy state.
57 | ```shell
58 | cd ../rook-ceph
59 | kubectl create -f toolbox.yml
60 | kubectl -n rook-ceph rollout status deploy/rook-ceph-tools
61 | kubectl -n rook-ceph exec -it deploy/rook-ceph-tools -- bash
62 | ```
63 | 
64 | ```shell
65 | ceph status
66 | ```
67 | 


--------------------------------------------------------------------------------
/rook-ceph/Vagrantfile:
--------------------------------------------------------------------------------
 1 | Vagrant.configure("2") do |config|
 2 | 
 3 |     # Master Nodes
 4 |     MasterCount = 1
 5 |     (1..MasterCount).each do |i|
 6 |         config.vm.define "k8s-master-#{i}" do |master|
 7 |             master.vm.box = "generic/ubuntu2004"
 8 |             master.vm.box_version = "3.6.8"
 9 |             master.vm.hostname = "k8s-master-#{i}"
10 |             master.vm.network "private_network", ip: "172.16.1.1#{i}"
11 | 
12 |             master.vm.provider "virtualbox" do |vb|
13 |                 vb.name = "k8s-master-#{i}"
14 |                 vb.memory = 2048
15 |                 vb.cpus = 2
16 |             end
17 |         end
18 |     end
19 | 
20 |     # Worker Nodes
21 |     WorkerCount = 3
22 |     (1..WorkerCount).each do |i|
23 |         config.vm.define "k8s-worker-#{i}" do |worker|
24 |             worker.vm.box = "generic/ubuntu2004"
25 |             worker.vm.box_version = "3.6.8"
26 |             worker.vm.hostname = "k8s-worker-#{i}"
27 |             worker.vm.network "private_network", ip: "172.16.2.1#{i}"
28 | 
29 |             worker.vm.provider "virtualbox" do |vb|
30 |                 vb.name = "k8s-worker-#{i}"
31 |                 vb.memory = 2048
32 |                 vb.cpus = 2
33 |                 # https://rook.io/docs/rook/v1.9/quickstart.html#prerequisites
34 |                 # Ceph needs a raw disk for each of its nodes
35 |                 unless File.exist?("disks/k8s-worker-#{i}-second-disk.vdi")
36 |                     vb.customize ['createhd', '--filename', "disks/k8s-worker-#{i}-second-disk.vdi", '--variant', 'Fixed', '--size', 20 * 1024]
37 |                 end
38 |                 vb.customize ['storageattach', :id,  '--storagectl', 'IDE Controller', '--port', 1, '--device', 0, '--type', 'hdd', '--medium', "disks/k8s-worker-#{i}-second-disk.vdi"]
39 | 
40 |             end
41 |         end
42 |     end
43 | 
44 |     config.vm.provision "shell" do |s|
45 |         ssh_pub_key = File.readlines("#{Dir.home}/.ssh/id_rsa.pub").first.strip
46 |         s.inline = <<-SHELL
47 |             # Create ci user
48 |             useradd -s /bin/bash -d /home/ci/ -m -G sudo ci
49 |             echo 'ci ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
50 |             mkdir -p /home/ci/.ssh && chown -R ci /home/ci/.ssh
51 |             echo #{ssh_pub_key} >> /home/ci/.ssh/authorized_keys
52 |         SHELL
53 |     end
54 | 
55 | end
56 | 


--------------------------------------------------------------------------------
/rook-ceph/toolbox.yml:
--------------------------------------------------------------------------------
 1 | apiVersion: apps/v1
 2 | kind: Deployment
 3 | metadata:
 4 |   name: rook-ceph-tools
 5 |   namespace: rook-ceph # namespace:cluster
 6 |   labels:
 7 |     app: rook-ceph-tools
 8 | spec:
 9 |   replicas: 1
10 |   selector:
11 |     matchLabels:
12 |       app: rook-ceph-tools
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: rook-ceph-tools
17 |     spec:
18 |       dnsPolicy: ClusterFirstWithHostNet
19 |       containers:
20 |         - name: rook-ceph-tools
21 |           image: rook/ceph:master
22 |           command: ["/bin/bash"]
23 |           args: ["-m", "-c", "/usr/local/bin/toolbox.sh"]
24 |           imagePullPolicy: IfNotPresent
25 |           tty: true
26 |           securityContext:
27 |             runAsNonRoot: true
28 |             runAsUser: 2016
29 |             runAsGroup: 2016
30 |           env:
31 |             - name: ROOK_CEPH_USERNAME
32 |               valueFrom:
33 |                 secretKeyRef:
34 |                   name: rook-ceph-mon
35 |                   key: ceph-username
36 |             - name: ROOK_CEPH_SECRET
37 |               valueFrom:
38 |                 secretKeyRef:
39 |                   name: rook-ceph-mon
40 |                   key: ceph-secret
41 |           volumeMounts:
42 |             - mountPath: /etc/ceph
43 |               name: ceph-config
44 |             - name: mon-endpoint-volume
45 |               mountPath: /etc/rook
46 |       volumes:
47 |         - name: mon-endpoint-volume
48 |           configMap:
49 |             name: rook-ceph-mon-endpoints
50 |             items:
51 |               - key: data
52 |                 path: mon-endpoints
53 |         - name: ceph-config
54 |           emptyDir: {}
55 |       tolerations:
56 |         - key: "node.kubernetes.io/unreachable"
57 |           operator: "Exists"
58 |           effect: "NoExecute"
59 |           tolerationSeconds: 5
60 | 


--------------------------------------------------------------------------------
/setup-ha-etcd-cluster/README.md:
--------------------------------------------------------------------------------
 1 | # Set up a High Availability etcd Cluster with kubeadm
 2 | 
 3 | This will set up a highly available etcd cluster, and a single-master Kubernetes cluster using kubeadm
 4 | * 3 etcd nodes, each etcd has 2 CPUs and 2 GBs RAM
 5 | * 1 master has 2 CPUs and 2 GBs RAM
 6 | * 1 worker has 2 CPUs and 2 GBs RAM
 7 | 
 8 | ![setup.png](setup.png?raw=true "setup.png")
 9 | 
10 | ## Prerequisites
11 | Before you want to try this on your local, here are requirements
12 | * Directly download [Virtualbox](https://www.virtualbox.org/) and install, or use homebrew
13 |     ```
14 |     brew install --cask virtualbox
15 |     ```
16 | * Vagrant
17 |     ```
18 |     brew install --cask vagrant
19 |     ```
20 | * [(Optional) Vagrant Manager](http://vagrantmanager.com/)
21 |     ```
22 |     brew install --cask vagrant-manager
23 |     ```
24 | 
25 | ## Generate SSH key pair for CI user
26 | ```
27 | cd ~
28 | ssh-keygen -t rsa
29 | ```
30 | 
31 | Remember to enter `ci` as suffix in they key filename: `id_rsa_ci`
32 | 
33 | ## Provision VMs
34 | ```
35 | cd setup-ha-etcd-cluster
36 | vagrant up
37 | ```
38 | 
39 | Check if we can ssh to the master VM, be aware that we use `~/.ssh/id_rsa_ci` key to ssh
40 | ```
41 | ssh -i ~/.ssh/id_rsa_ci ci@172.16.1.11
42 | ```
43 | 
44 | ## Setup etcd cluster
45 | This playbook can be run in parallel with load balancer playbook
46 | ```
47 | ansible-playbook -i playbook/etcd_cluster_inventory.yml playbook/etcd_cluster_playbook.yml
48 | ```
49 | 
50 | Check etcd cluster health
51 | ```
52 | ssh -i ~/.ssh/id_rsa_ci ci@172.16.3.11
53 | export ETCD_TAG=3.5.1-0
54 | export HOST0=172.16.3.11
55 | docker run --rm -it \
56 | --net host \
57 | -v /etc/kubernetes:/etc/kubernetes k8s.gcr.io/etcd:${ETCD_TAG} etcdctl \
58 | --cert /etc/kubernetes/pki/etcd/peer.crt \
59 | --key /etc/kubernetes/pki/etcd/peer.key \
60 | --cacert /etc/kubernetes/pki/etcd/ca.crt \
61 | --endpoints https://${HOST0}:2379 endpoint health --cluster
62 | ```
63 | 
64 | ## Setup Kubernetes cluster
65 | ```
66 | ansible-playbook -i playbook/k8s_cluster_inventory.yml playbook/k8s_cluster_playbook.yml
67 | ```
68 | 
69 | Download kubeconfig to your local, and verify the Kubernetes cluster
70 | ```
71 | rm -rf ~/.kube-local
72 | mkdir ~/.kube-local
73 | scp -i ~/.ssh/id_rsa_ci ci@172.16.1.11:/home/ci/.kube/config ~/.kube-local/config
74 | export KUBECONFIG=$HOME/.kube-local/config && kubectl get nodes
75 | ```
76 | 


--------------------------------------------------------------------------------
/setup-ha-etcd-cluster/Vagrantfile:
--------------------------------------------------------------------------------
 1 | Vagrant.configure("2") do |config|
 2 | 
 3 |     # Master Nodes
 4 |     MasterCount = 1
 5 |     (1..MasterCount).each do |i|
 6 |         config.vm.define "k8s-master-#{i}" do |master|
 7 |             master.vm.box = "generic/ubuntu2004"
 8 |             master.vm.box_version = "3.6.8"
 9 |             master.vm.hostname = "k8s-master-#{i}"
10 |             master.vm.network "private_network", ip: "172.16.1.1#{i}"
11 | 
12 |             master.vm.provider "virtualbox" do |vb|
13 |                 vb.name = "k8s-master-#{i}"
14 |                 vb.memory = 2048
15 |                 vb.cpus = 2
16 |             end
17 |         end
18 |     end
19 | 
20 |     # Worker Nodes
21 |     WorkerCount = 1
22 |     (1..WorkerCount).each do |i|
23 |         config.vm.define "k8s-worker-#{i}" do |worker|
24 |             worker.vm.box = "generic/ubuntu2004"
25 |             worker.vm.box_version = "3.6.8"
26 |             worker.vm.hostname = "k8s-worker-#{i}"
27 |             worker.vm.network "private_network", ip: "172.16.2.1#{i}"
28 | 
29 |             worker.vm.provider "virtualbox" do |vb|
30 |                 vb.name = "k8s-worker-#{i}"
31 |                 vb.memory = 2048
32 |                 vb.cpus = 2
33 |             end
34 |         end
35 |     end
36 | 
37 |     # etcd Nodes
38 |     EtcdCount = 3
39 |     (1..EtcdCount).each do |i|
40 |         config.vm.define "k8s-etcd-#{i}" do |etcd|
41 |             etcd.vm.box = "generic/ubuntu2004"
42 |             etcd.vm.box_version = "3.6.8"
43 |             etcd.vm.hostname = "k8s-etcd-#{i}"
44 |             etcd.vm.network "private_network", ip: "172.16.3.1#{i}"
45 | 
46 |             etcd.vm.provider "virtualbox" do |vb|
47 |                 vb.name = "k8s-etcd-#{i}"
48 |                 vb.memory = 2048
49 |                 vb.cpus = 2
50 |             end
51 |         end
52 |     end
53 | 
54 |     config.vm.provision "file", source: "#{Dir.home}/.ssh/id_rsa_ci", destination: "/tmp/id_rsa"
55 |     config.vm.provision "shell" do |s|
56 |         ssh_pub_key = File.readlines("#{Dir.home}/.ssh/id_rsa_ci.pub").first.strip
57 |         s.inline = <<-SHELL
58 |             # Create ci user
59 |             useradd -s /bin/bash -d /home/ci/ -m -G sudo ci
60 |             echo 'ci ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
61 |             mkdir -p /home/ci/.ssh
62 |             echo #{ssh_pub_key} >> /home/ci/.ssh/authorized_keys
63 |             mv /tmp/id_rsa /home/ci/.ssh/id_rsa
64 |             chown -R ci:ci /home/ci/.ssh
65 |         SHELL
66 |     end
67 | 
68 | end
69 | 


--------------------------------------------------------------------------------
/setup-ha-etcd-cluster/ansible.cfg:
--------------------------------------------------------------------------------
1 | [defaults]
2 | host_key_checking = False
3 | private_key_file =  ~/.ssh/id_rsa_ci
4 | 


--------------------------------------------------------------------------------
/setup-ha-etcd-cluster/kube-flannel-v0.16.3.yml:
--------------------------------------------------------------------------------
  1 | ---
  2 | apiVersion: policy/v1beta1
  3 | kind: PodSecurityPolicy
  4 | metadata:
  5 |   name: psp.flannel.unprivileged
  6 |   annotations:
  7 |     seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
  8 |     seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
  9 |     apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
 10 |     apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
 11 | spec:
 12 |   privileged: false
 13 |   volumes:
 14 |     - configMap
 15 |     - secret
 16 |     - emptyDir
 17 |     - hostPath
 18 |   allowedHostPaths:
 19 |     - pathPrefix: "/etc/cni/net.d"
 20 |     - pathPrefix: "/etc/kube-flannel"
 21 |     - pathPrefix: "/run/flannel"
 22 |   readOnlyRootFilesystem: false
 23 |   # Users and groups
 24 |   runAsUser:
 25 |     rule: RunAsAny
 26 |   supplementalGroups:
 27 |     rule: RunAsAny
 28 |   fsGroup:
 29 |     rule: RunAsAny
 30 |   # Privilege Escalation
 31 |   allowPrivilegeEscalation: false
 32 |   defaultAllowPrivilegeEscalation: false
 33 |   # Capabilities
 34 |   allowedCapabilities: ['NET_ADMIN', 'NET_RAW']
 35 |   defaultAddCapabilities: []
 36 |   requiredDropCapabilities: []
 37 |   # Host namespaces
 38 |   hostPID: false
 39 |   hostIPC: false
 40 |   hostNetwork: true
 41 |   hostPorts:
 42 |     - min: 0
 43 |       max: 65535
 44 |   # SELinux
 45 |   seLinux:
 46 |     # SELinux is unused in CaaSP
 47 |     rule: 'RunAsAny'
 48 | ---
 49 | kind: ClusterRole
 50 | apiVersion: rbac.authorization.k8s.io/v1
 51 | metadata:
 52 |   name: flannel
 53 | rules:
 54 |   - apiGroups: ['extensions']
 55 |     resources: ['podsecuritypolicies']
 56 |     verbs: ['use']
 57 |     resourceNames: ['psp.flannel.unprivileged']
 58 |   - apiGroups:
 59 |       - ""
 60 |     resources:
 61 |       - pods
 62 |     verbs:
 63 |       - get
 64 |   - apiGroups:
 65 |       - ""
 66 |     resources:
 67 |       - nodes
 68 |     verbs:
 69 |       - list
 70 |       - watch
 71 |   - apiGroups:
 72 |       - ""
 73 |     resources:
 74 |       - nodes/status
 75 |     verbs:
 76 |       - patch
 77 | ---
 78 | kind: ClusterRoleBinding
 79 | apiVersion: rbac.authorization.k8s.io/v1
 80 | metadata:
 81 |   name: flannel
 82 | roleRef:
 83 |   apiGroup: rbac.authorization.k8s.io
 84 |   kind: ClusterRole
 85 |   name: flannel
 86 | subjects:
 87 |   - kind: ServiceAccount
 88 |     name: flannel
 89 |     namespace: kube-system
 90 | ---
 91 | apiVersion: v1
 92 | kind: ServiceAccount
 93 | metadata:
 94 |   name: flannel
 95 |   namespace: kube-system
 96 | ---
 97 | kind: ConfigMap
 98 | apiVersion: v1
 99 | metadata:
100 |   name: kube-flannel-cfg
101 |   namespace: kube-system
102 |   labels:
103 |     tier: node
104 |     app: flannel
105 | data:
106 |   cni-conf.json: |
107 |     {
108 |       "name": "cbr0",
109 |       "cniVersion": "0.3.1",
110 |       "plugins": [
111 |         {
112 |           "type": "flannel",
113 |           "delegate": {
114 |             "hairpinMode": true,
115 |             "isDefaultGateway": true
116 |           }
117 |         },
118 |         {
119 |           "type": "portmap",
120 |           "capabilities": {
121 |             "portMappings": true
122 |           }
123 |         }
124 |       ]
125 |     }
126 |   net-conf.json: |
127 |     {
128 |       "Network": "10.244.0.0/16",
129 |       "Backend": {
130 |         "Type": "vxlan"
131 |       }
132 |     }
133 | ---
134 | apiVersion: apps/v1
135 | kind: DaemonSet
136 | metadata:
137 |   name: kube-flannel-ds
138 |   namespace: kube-system
139 |   labels:
140 |     tier: node
141 |     app: flannel
142 | spec:
143 |   selector:
144 |     matchLabels:
145 |       app: flannel
146 |   template:
147 |     metadata:
148 |       labels:
149 |         tier: node
150 |         app: flannel
151 |     spec:
152 |       affinity:
153 |         nodeAffinity:
154 |           requiredDuringSchedulingIgnoredDuringExecution:
155 |             nodeSelectorTerms:
156 |               - matchExpressions:
157 |                   - key: kubernetes.io/os
158 |                     operator: In
159 |                     values:
160 |                       - linux
161 |       hostNetwork: true
162 |       priorityClassName: system-node-critical
163 |       tolerations:
164 |         - operator: Exists
165 |           effect: NoSchedule
166 |       serviceAccountName: flannel
167 |       initContainers:
168 |         - name: install-cni-plugin
169 |           #image: flannelcni/flannel-cni-plugin:v1.0.1 for ppc64le (dockerhub limitations may apply)
170 |           image: rancher/mirrored-flannelcni-flannel-cni-plugin:v1.0.1
171 |           command:
172 |             - cp
173 |           args:
174 |             - -f
175 |             - /flannel
176 |             - /opt/cni/bin/flannel
177 |           volumeMounts:
178 |             - name: cni-plugin
179 |               mountPath: /opt/cni/bin
180 |         - name: install-cni
181 |           #image: flannelcni/flannel:v0.16.1 for ppc64le (dockerhub limitations may apply)
182 |           image: rancher/mirrored-flannelcni-flannel:v0.16.1
183 |           command:
184 |             - cp
185 |           args:
186 |             - -f
187 |             - /etc/kube-flannel/cni-conf.json
188 |             - /etc/cni/net.d/10-flannel.conflist
189 |           volumeMounts:
190 |             - name: cni
191 |               mountPath: /etc/cni/net.d
192 |             - name: flannel-cfg
193 |               mountPath: /etc/kube-flannel/
194 |       containers:
195 |         - name: kube-flannel
196 |           #image: flannelcni/flannel:v0.16.1 for ppc64le (dockerhub limitations may apply)
197 |           image: rancher/mirrored-flannelcni-flannel:v0.16.1
198 |           command:
199 |             - /opt/bin/flanneld
200 |           args:
201 |             - --ip-masq
202 |             - --kube-subnet-mgr
203 |             - --iface=eth1
204 |           resources:
205 |             requests:
206 |               cpu: "100m"
207 |               memory: "50Mi"
208 |             limits:
209 |               cpu: "100m"
210 |               memory: "50Mi"
211 |           securityContext:
212 |             privileged: false
213 |             capabilities:
214 |               add: ["NET_ADMIN", "NET_RAW"]
215 |           env:
216 |             - name: POD_NAME
217 |               valueFrom:
218 |                 fieldRef:
219 |                   fieldPath: metadata.name
220 |             - name: POD_NAMESPACE
221 |               valueFrom:
222 |                 fieldRef:
223 |                   fieldPath: metadata.namespace
224 |           volumeMounts:
225 |             - name: run
226 |               mountPath: /run/flannel
227 |             - name: flannel-cfg
228 |               mountPath: /etc/kube-flannel/
229 |             - name: xtables-lock
230 |               mountPath: /run/xtables.lock
231 |       volumes:
232 |         - name: run
233 |           hostPath:
234 |             path: /run/flannel
235 |         - name: cni-plugin
236 |           hostPath:
237 |             path: /opt/cni/bin
238 |         - name: cni
239 |           hostPath:
240 |             path: /etc/cni/net.d
241 |         - name: flannel-cfg
242 |           configMap:
243 |             name: kube-flannel-cfg
244 |         - name: xtables-lock
245 |           hostPath:
246 |             path: /run/xtables.lock
247 |             type: FileOrCreate
248 | 


--------------------------------------------------------------------------------
/setup-ha-etcd-cluster/playbook/etcd_cluster_inventory.yml:
--------------------------------------------------------------------------------
1 | etcd:
2 |   hosts:
3 |     172.16.3.11: null
4 |     172.16.3.12: null
5 |     172.16.3.13: null
6 | 


--------------------------------------------------------------------------------
/setup-ha-etcd-cluster/playbook/etcd_cluster_playbook.yml:
--------------------------------------------------------------------------------
  1 | ---
  2 | 
  3 | - hosts: etcd
  4 |   name: Setup container runtine, kubelet, kubeadm
  5 |   remote_user: ci
  6 |   become: yes
  7 |   tasks:
  8 |     # https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#before-you-begin
  9 |     - name: Disable swap
 10 |       shell: swapoff -a
 11 | 
 12 |     - name: Remove swap entry from /etc/fstab
 13 |       lineinfile:
 14 |         dest: /etc/fstab
 15 |         regexp: swap
 16 |         state: absent
 17 | 
 18 |     - name: Load br_netfilter module
 19 |       shell: |
 20 |         cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
 21 |         br_netfilter
 22 |         EOF
 23 | 
 24 |     - name: Configure iptables to see bridged traffic
 25 |       shell: |
 26 |         cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
 27 |         net.bridge.bridge-nf-call-ip6tables = 1
 28 |         net.bridge.bridge-nf-call-iptables = 1
 29 |         EOF
 30 | 
 31 |     - name: Read values from all system directories
 32 |       shell: sysctl --system
 33 | 
 34 |     # https://docs.docker.com/engine/install/ubuntu/#installation-methods
 35 |     - name: Install packages to allow apt to use a repository over HTTPS
 36 |       apt:
 37 |         name:
 38 |           - ca-certificates
 39 |           - gnupg
 40 |           - apt-transport-https
 41 |         state: present
 42 |         update_cache: yes
 43 | 
 44 |     - name: Add Docker’s official GPG key
 45 |       apt_key:
 46 |         url: https://download.docker.com/linux/ubuntu/gpg
 47 |         state: present
 48 | 
 49 |     - name: Get Ubuntu release version
 50 |       shell: lsb_release -cs
 51 |       register: ubuntu_version
 52 | 
 53 |     - name: Get architecture
 54 |       shell: dpkg --print-architecture
 55 |       register: architecture
 56 | 
 57 |     - name: Add Docker repository
 58 |       apt_repository:
 59 |         repo: "deb [arch={{ architecture.stdout }}] https://download.docker.com/linux/ubuntu {{ ubuntu_version.stdout }} stable"
 60 |         state: present
 61 |         filename: docker
 62 | 
 63 |     - name: Update apt packages
 64 |       apt:
 65 |         update_cache: "yes"
 66 |         force_apt_get: "yes"
 67 | 
 68 |     - name: Install Docker engine
 69 |       apt:
 70 |         name:
 71 |           - docker-ce
 72 |           - docker-ce-cli
 73 |           - containerd.io
 74 |         state: present
 75 |         update_cache: yes
 76 | 
 77 |     # https://kubernetes.io/docs/setup/production-environment/container-runtimes/#docker
 78 |     - name: Create Docker directory
 79 |       file:
 80 |         path: /etc/docker
 81 |         state: directory
 82 | 
 83 |     - name: Create Docker daemon empty file
 84 |       copy:
 85 |         content: ""
 86 |         dest: /etc/docker/daemon.json
 87 |         force: no
 88 | 
 89 |     - name: Configure Docker daemon
 90 |       shell: |
 91 |         cat <<EOF | sudo tee /etc/docker/daemon.json
 92 |         {
 93 |           "exec-opts": ["native.cgroupdriver=systemd"],
 94 |           "log-driver": "json-file",
 95 |           "log-opts": {
 96 |             "max-size": "100m"
 97 |           },
 98 |           "storage-driver": "overlay2"
 99 |         }
100 |         EOF
101 | 
102 |     - name: Restart Docker
103 |       systemd:
104 |         name: docker
105 |         state: restarted
106 |         enabled: yes
107 |         daemon-reload: yes
108 | 
109 |     - name: Add current user to docker group
110 |       user:
111 |         name: "{{ ansible_user }}"
112 |         groups: docker
113 |         append: yes
114 |       become: yes
115 | 
116 |     - name: Add Google Cloud public signing key
117 |       apt_key:
118 |         url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
119 |         state: present
120 | 
121 |     - name: Add Kubernetes repository
122 |       apt_repository:
123 |         repo: deb http://apt.kubernetes.io/ kubernetes-xenial main
124 |         state: present
125 |         filename: kubernetes
126 |         mode: 0600
127 | 
128 |     - name: Install kubelet and kubeadm
129 |       apt:
130 |         name:
131 |           - kubeadm=1.23.1-00
132 |           - kubelet=1.23.1-00
133 |         state: present
134 | 
135 |     - name: Enable kubelet service
136 |       service:
137 |         name: kubelet
138 |         enabled: yes
139 | 
140 | - hosts: etcd
141 |   name: Setup etcd cluster
142 |   remote_user: ci
143 |   become: yes
144 |   environment:
145 |     HOST0: '172.16.3.11'
146 |     HOST1: '172.16.3.12'
147 |     HOST2: '172.16.3.13'
148 |     NAME0: 'k8s-etcd-1'
149 |     NAME1: 'k8s-etcd-2'
150 |     NAME2: 'k8s-etcd-3'
151 |   tasks:
152 |     # https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/setup-ha-etcd-with-kubeadm/
153 |     - name: Configure the kubelet to be a service manager for etcd
154 |       shell: |
155 |         cat << EOF > /etc/systemd/system/kubelet.service.d/20-etcd-service-manager.conf
156 |         [Service]
157 |         ExecStart=
158 |         # We do not set --container-runtime and --container-runtime-endpoint, since default vaules are correct
159 |         ExecStart=/usr/bin/kubelet --address=127.0.0.1 --pod-manifest-path=/etc/kubernetes/manifests --cgroup-driver=systemd
160 |         Restart=always
161 |         EOF
162 | 
163 |     - name: Reload daemon configs
164 |       service:
165 |         daemon_reload: yes
166 | 
167 |     - name: Restart kubelet service
168 |       service:
169 |         name: kubelet
170 |         state: restarted
171 | 
172 |     - name: Configure the kubelet to be a service manager for etcd
173 |       args:
174 |         executable: /bin/bash
175 |       shell: |
176 |         # Create temp directories to store files that will end up on other hosts.
177 |         mkdir -p /tmp/${HOST0}/ /tmp/${HOST1}/ /tmp/${HOST2}/
178 | 
179 |         HOSTS=(${HOST0} ${HOST1} ${HOST2})
180 |         NAMES=(${NAME0} ${NAME1} ${NAME2})
181 | 
182 |         for i in "${!HOSTS[@]}"; do
183 |         HOST=${HOSTS[$i]}
184 |         NAME=${NAMES[$i]}
185 |         cat << EOF > /tmp/${HOST}/kubeadmcfg.yaml
186 |         ---
187 |         apiVersion: "kubeadm.k8s.io/v1beta3"
188 |         kind: InitConfiguration
189 |         nodeRegistration:
190 |             name: ${NAME}
191 |         localAPIEndpoint:
192 |             advertiseAddress: ${HOST}
193 |         ---
194 |         apiVersion: "kubeadm.k8s.io/v1beta3"
195 |         kind: ClusterConfiguration
196 |         etcd:
197 |             local:
198 |                 serverCertSANs:
199 |                 - "${HOST}"
200 |                 peerCertSANs:
201 |                 - "${HOST}"
202 |                 extraArgs:
203 |                     initial-cluster: ${NAMES[0]}=https://${HOSTS[0]}:2380,${NAMES[1]}=https://${HOSTS[1]}:2380,${NAMES[2]}=https://${HOSTS[2]}:2380
204 |                     initial-cluster-state: new
205 |                     name: ${NAME}
206 |                     listen-peer-urls: https://${HOST}:2380
207 |                     listen-client-urls: https://${HOST}:2379
208 |                     advertise-client-urls: https://${HOST}:2379
209 |                     initial-advertise-peer-urls: https://${HOST}:2380
210 |         EOF
211 |         done
212 | 
213 |     - name: Generate the certificate authority
214 |       shell: kubeadm init phase certs etcd-ca
215 |       run_once: yes
216 |       delegate_to: "172.16.3.11" # This is k8s-etcd-1
217 | 
218 |     - name: Create certificates for each member
219 |       shell: |
220 |         kubeadm init phase certs etcd-server --config=/tmp/${HOST2}/kubeadmcfg.yaml
221 |         kubeadm init phase certs etcd-peer --config=/tmp/${HOST2}/kubeadmcfg.yaml
222 |         kubeadm init phase certs etcd-healthcheck-client --config=/tmp/${HOST2}/kubeadmcfg.yaml
223 |         kubeadm init phase certs apiserver-etcd-client --config=/tmp/${HOST2}/kubeadmcfg.yaml
224 |         cp -R /etc/kubernetes/pki /tmp/${HOST2}/
225 |         # cleanup non-reusable certificates
226 |         find /etc/kubernetes/pki -not -name ca.crt -not -name ca.key -type f -delete
227 | 
228 |         kubeadm init phase certs etcd-server --config=/tmp/${HOST1}/kubeadmcfg.yaml
229 |         kubeadm init phase certs etcd-peer --config=/tmp/${HOST1}/kubeadmcfg.yaml
230 |         kubeadm init phase certs etcd-healthcheck-client --config=/tmp/${HOST1}/kubeadmcfg.yaml
231 |         kubeadm init phase certs apiserver-etcd-client --config=/tmp/${HOST1}/kubeadmcfg.yaml
232 |         cp -R /etc/kubernetes/pki /tmp/${HOST1}/
233 |         find /etc/kubernetes/pki -not -name ca.crt -not -name ca.key -type f -delete
234 | 
235 |         kubeadm init phase certs etcd-server --config=/tmp/${HOST0}/kubeadmcfg.yaml
236 |         kubeadm init phase certs etcd-peer --config=/tmp/${HOST0}/kubeadmcfg.yaml
237 |         kubeadm init phase certs etcd-healthcheck-client --config=/tmp/${HOST0}/kubeadmcfg.yaml
238 |         kubeadm init phase certs apiserver-etcd-client --config=/tmp/${HOST0}/kubeadmcfg.yaml
239 |         # No need to move the certs because they are for HOST0
240 | 
241 |         # clean up certs that should not be copied off this host
242 |         find /tmp/${HOST2} -name ca.key -type f -delete
243 |         find /tmp/${HOST1} -name ca.key -type f -delete
244 |       run_once: yes
245 |       delegate_to: "172.16.3.11" # This is k8s-etcd-1
246 | 
247 |     - name: Change permissions on /tmp/172.16.3.12 to ci user
248 |       shell: chown -R ci:ci /tmp/172.16.3.12
249 |       run_once: yes
250 |       delegate_to: "172.16.3.11" # This is k8s-etcd-1
251 | 
252 |     - name: Copy certificates and kubeadm configs to k8s-etcd-2
253 |       shell: "scp -i /home/ci/.ssh/id_rsa -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -r /tmp/172.16.3.12/* ci@172.16.3.12:/home/ci/"
254 |       run_once: yes
255 |       delegate_to: "172.16.3.11" # This is k8s-etcd-1
256 | 
257 |     - name: Copy certificates and kubeadm configs on k8s-etcd-2 into /etc/kubernetes
258 |       copy:
259 |         remote_src: yes
260 |         src: /home/ci/pki
261 |         dest: /etc/kubernetes/
262 |         owner: root
263 |         group: root
264 |       run_once: yes
265 |       delegate_to: "172.16.3.12" # This is k8s-etcd-2
266 | 
267 |     - name: Remove certificates and kubeadm configs in home directory
268 |       file:
269 |         path: /home/ci/pki
270 |         state: absent
271 |       run_once: yes
272 |       delegate_to: "172.16.3.12" # This is k8s-etcd-2
273 | 
274 |     - name: Change permissions on /tmp/172.16.3.13 to ci user
275 |       shell: chown -R ci:ci /tmp/172.16.3.13
276 |       run_once: yes
277 |       delegate_to: "172.16.3.11" # This is k8s-etcd-1
278 | 
279 |     - name: Copy certificates and kubeadm configs to k8s-etcd-3
280 |       shell: "scp -i /home/ci/.ssh/id_rsa -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -r /tmp/172.16.3.13/* ci@172.16.3.13:/home/ci/"
281 |       run_once: yes
282 |       delegate_to: "172.16.3.11" # This is k8s-etcd-1
283 | 
284 |     - name: Copy certificates and kubeadm configs on k8s-etcd-3 into /etc/kubernetes
285 |       copy:
286 |         remote_src: yes
287 |         src: /home/ci/pki
288 |         dest: /etc/kubernetes/
289 |         owner: root
290 |         group: root
291 |       run_once: yes
292 |       delegate_to: "172.16.3.13" # This is k8s-etcd-3
293 | 
294 |     - name: Remove certificates and kubeadm configs in home directory
295 |       file:
296 |         path: /home/ci/pki
297 |         state: absent
298 |       run_once: yes
299 |       delegate_to: "172.16.3.13" # This is k8s-etcd-3
300 | 
301 |     - name: Create the static pod manifests on k8s-etcd-1
302 |       shell: kubeadm init phase etcd local --config=/tmp/172.16.3.11/kubeadmcfg.yaml
303 |       run_once: yes
304 |       delegate_to: "172.16.3.11" # This is k8s-etcd-1
305 | 
306 |     - name: Create the static pod manifests on k8s-etcd-2
307 |       shell: kubeadm init phase etcd local --config=/home/ci/kubeadmcfg.yaml
308 |       run_once: yes
309 |       delegate_to: "172.16.3.12" # This is k8s-etcd-2
310 | 
311 |     - name: Create the static pod manifests on k8s-etcd-3
312 |       shell: kubeadm init phase etcd local --config=/home/ci/kubeadmcfg.yaml
313 |       run_once: yes
314 |       delegate_to: "172.16.3.13" # This is k8s-etcd-3
315 | 
316 |     - name: Remove certificates in /tmp
317 |       shell: rm -rf /tmp/172.16.3.1*
318 |       run_once: yes
319 |       delegate_to: "172.16.3.11" # This is k8s-etcd-1
320 | 
321 |     - name: Copy pki/etcd/ca.crt to k8s-master-1
322 |       shell: "scp -i /home/ci/.ssh/id_rsa -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -r /etc/kubernetes/pki/etcd/ca.crt ci@172.16.1.11:/home/ci/"
323 |       run_once: yes
324 |       delegate_to: "172.16.3.11" # This is k8s-etcd-1
325 | 
326 |     - name: Copy pki/apiserver-etcd-client.crt to k8s-master-1
327 |       shell: "scp -i /home/ci/.ssh/id_rsa -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -r /etc/kubernetes/pki/apiserver-etcd-client.crt ci@172.16.1.11:/home/ci/"
328 |       run_once: yes
329 |       delegate_to: "172.16.3.11" # This is k8s-etcd-1
330 | 
331 |     - name: Copy pki/apiserver-etcd-client.key to k8s-master-1
332 |       shell: "scp -i /home/ci/.ssh/id_rsa -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -r /etc/kubernetes/pki/apiserver-etcd-client.key ci@172.16.1.11:/home/ci/"
333 |       run_once: yes
334 |       delegate_to: "172.16.3.11" # This is k8s-etcd-1
335 | 
336 | 


--------------------------------------------------------------------------------
/setup-ha-etcd-cluster/playbook/k8s_cluster_inventory.yml:
--------------------------------------------------------------------------------
 1 | all:
 2 |   children:
 3 |     masters:
 4 |       hosts:
 5 |         172.16.1.11: null
 6 | 
 7 |     workers:
 8 |       hosts:
 9 |         172.16.2.11: null
10 | 


--------------------------------------------------------------------------------
/setup-ha-etcd-cluster/playbook/k8s_cluster_playbook.yml:
--------------------------------------------------------------------------------
  1 | ---
  2 | 
  3 | - hosts: masters, workers
  4 |   name: Setup container runtine, kubelet, kubectl, kubeadm
  5 |   remote_user: ci
  6 |   become: yes
  7 |   tasks:
  8 |     # https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#before-you-begin
  9 |     - name: Disable swap
 10 |       shell: swapoff -a
 11 | 
 12 |     - name: Remove swap entry from /etc/fstab
 13 |       lineinfile:
 14 |         dest: /etc/fstab
 15 |         regexp: swap
 16 |         state: absent
 17 | 
 18 |     - name: Load br_netfilter module
 19 |       shell: |
 20 |         cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
 21 |         br_netfilter
 22 |         EOF
 23 | 
 24 |     - name: Configure iptables to see bridged traffic
 25 |       shell: |
 26 |         cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
 27 |         net.bridge.bridge-nf-call-ip6tables = 1
 28 |         net.bridge.bridge-nf-call-iptables = 1
 29 |         EOF
 30 | 
 31 |     - name: Read values from all system directories
 32 |       shell: sysctl --system
 33 | 
 34 |     # https://docs.docker.com/engine/install/ubuntu/#installation-methods
 35 |     - name: Install packages to allow apt to use a repository over HTTPS
 36 |       apt:
 37 |         name:
 38 |           - ca-certificates
 39 |           - gnupg
 40 |           - apt-transport-https
 41 |         state: present
 42 |         update_cache: yes
 43 | 
 44 |     - name: Add Docker’s official GPG key
 45 |       apt_key:
 46 |         url: https://download.docker.com/linux/ubuntu/gpg
 47 |         state: present
 48 | 
 49 |     - name: Get Ubuntu release version
 50 |       shell: lsb_release -cs
 51 |       register: ubuntu_version
 52 | 
 53 |     - name: Get architecture
 54 |       shell: dpkg --print-architecture
 55 |       register: architecture
 56 | 
 57 |     - name: Add Docker repository
 58 |       apt_repository:
 59 |         repo: "deb [arch={{ architecture.stdout }}] https://download.docker.com/linux/ubuntu {{ ubuntu_version.stdout }} stable"
 60 |         state: present
 61 |         filename: docker
 62 | 
 63 |     - name: Update apt packages
 64 |       apt:
 65 |         update_cache: "yes"
 66 |         force_apt_get: "yes"
 67 | 
 68 |     - name: Install Docker engine
 69 |       apt:
 70 |         name:
 71 |           - docker-ce
 72 |           - docker-ce-cli
 73 |           - containerd.io
 74 |         state: present
 75 |         update_cache: yes
 76 | 
 77 |     # https://kubernetes.io/docs/setup/production-environment/container-runtimes/#docker
 78 |     - name: Create Docker directory
 79 |       file:
 80 |         path: /etc/docker
 81 |         state: directory
 82 | 
 83 |     - name: Create Docker daemon empty file
 84 |       copy:
 85 |         content: ""
 86 |         dest: /etc/docker/daemon.json
 87 |         force: no
 88 | 
 89 |     - name: Configure Docker daemon
 90 |       shell: |
 91 |         cat <<EOF | sudo tee /etc/docker/daemon.json
 92 |         {
 93 |           "exec-opts": ["native.cgroupdriver=systemd"],
 94 |           "log-driver": "json-file",
 95 |           "log-opts": {
 96 |             "max-size": "100m"
 97 |           },
 98 |           "storage-driver": "overlay2"
 99 |         }
100 |         EOF
101 | 
102 |     - name: Restart Docker
103 |       systemd:
104 |         name: docker
105 |         state: restarted
106 |         enabled: yes
107 |         daemon-reload: yes
108 | 
109 |     - name: Add current user to docker group
110 |       user:
111 |         name: "{{ ansible_user }}"
112 |         groups: docker
113 |         append: yes
114 |       become: yes
115 | 
116 |     - name: Add Google Cloud public signing key
117 |       apt_key:
118 |         url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
119 |         state: present
120 | 
121 |     - name: Add Kubernetes repository
122 |       apt_repository:
123 |         repo: deb http://apt.kubernetes.io/ kubernetes-xenial main
124 |         state: present
125 |         filename: kubernetes
126 |         mode: 0600
127 | 
128 |     - name: Install kubelet, kubeadm and kubectl
129 |       apt:
130 |         name:
131 |           - kubeadm=1.23.1-00
132 |           - kubectl=1.23.1-00
133 |           - kubelet=1.23.1-00
134 |         state: present
135 | 
136 |     - name: Enable kubelet service
137 |       service:
138 |         name: kubelet
139 |         enabled: yes
140 | 
141 | - hosts: masters
142 |   name: Init cluster and join masters
143 |   remote_user: ci
144 |   become: yes
145 |   tasks:
146 |     - name: Reset existing cluster
147 |       shell: kubeadm reset -f
148 | 
149 |     - name: Remove .kube in user home directory
150 |       shell: rm -rf .kube
151 | 
152 |     - name: Remove /etc/kubernetes/manifests directory
153 |       shell: rm -rf /etc/kubernetes/manifests
154 | 
155 |     - name: Remove /var/lib/etcd directory
156 |       shell: rm -rf /var/lib/etcd
157 | 
158 |     - name: Ensures /etc/kubernetes/pki/etcd dir exists
159 |       file: path=/etc/kubernetes/pki/etcd state=directory
160 | 
161 |     - name: Copy ca.crt on k8s-master-1 into /etc/kubernetes
162 |       copy:
163 |         remote_src: yes
164 |         src: /home/ci/ca.crt
165 |         dest: /etc/kubernetes/pki/etcd
166 |         owner: root
167 |         group: root
168 |       run_once: yes
169 |       delegate_to: "172.16.1.11" # This is k8s-master-1
170 | 
171 |     - name: Copy apiserver-etcd-client.crt on k8s-master-1 into /etc/kubernetes
172 |       copy:
173 |         remote_src: yes
174 |         src: /home/ci/apiserver-etcd-client.crt
175 |         dest: /etc/kubernetes/pki
176 |         owner: root
177 |         group: root
178 |       run_once: yes
179 |       delegate_to: "172.16.1.11" # This is k8s-master-1
180 | 
181 |     - name: Copy apiserver-etcd-client.key on k8s-master-1 into /etc/kubernetes
182 |       copy:
183 |         remote_src: yes
184 |         src: /home/ci/apiserver-etcd-client.key
185 |         dest: /etc/kubernetes/pki
186 |         owner: root
187 |         group: root
188 |       run_once: yes
189 |       delegate_to: "172.16.1.11" # This is k8s-master-1
190 | 
191 |     - name: Create file kubeadm-config.yaml
192 |       shell: |
193 |         cat << EOF > kubeadm-config.yaml
194 |         ---
195 |         apiVersion: kubeadm.k8s.io/v1beta3
196 |         kind: ClusterConfiguration
197 |         kubernetesVersion: stable
198 |         controlPlaneEndpoint: "172.16.1.11:6443"
199 |         etcd:
200 |           external:
201 |             endpoints:
202 |               - https://172.16.3.11:2379
203 |               - https://172.16.3.12:2379
204 |               - https://172.16.3.13:2379
205 |             caFile: /etc/kubernetes/pki/etcd/ca.crt
206 |             certFile: /etc/kubernetes/pki/apiserver-etcd-client.crt
207 |             keyFile: /etc/kubernetes/pki/apiserver-etcd-client.key
208 |         EOF
209 |       run_once: yes
210 |       delegate_to: "172.16.1.11" # This is k8s-master-1
211 | 
212 |     - name: Init kubernetes cluster
213 |       shell: kubeadm init --config kubeadm-config.yaml --upload-certs
214 |       run_once: yes
215 |       delegate_to: "172.16.1.11"
216 | 
217 |     # This got updated after the video
218 |     # Use release 0.16.3, rather than master version!
219 |     - name: Copy kube-flannel-v0.16.3.yml
220 |       copy:
221 |         src: ../kube-flannel-v0.16.3.yml
222 |         dest: /home/ci/kube-flannel-v0.16.3.yml
223 |         owner: ci
224 |         group: ci
225 |         mode: '0644'
226 |       when: inventory_hostname == "172.16.1.11"
227 | 
228 |     - name: Deploy Flannel network
229 |       shell: kubectl --kubeconfig=/etc/kubernetes/admin.conf apply -f kube-flannel-v0.16.3.yml
230 |       run_once: yes
231 |       delegate_to: "172.16.1.11"
232 | 
233 |     - name: Print join command
234 |       shell: kubeadm token create --print-join-command
235 |       register: kubernetes_join_command
236 |       run_once: yes
237 |       delegate_to: "172.16.1.11"
238 | 
239 |     - name: Copy join command to local
240 |       become: no
241 |       local_action: copy content="{{ kubernetes_join_command.stdout_lines[0] }}" dest="/tmp/kubernetes_join_command" mode=0777
242 |       run_once: yes
243 |       delegate_to: "172.16.1.11"
244 | 
245 |     - name: Generate certificate key
246 |       shell: kubeadm init phase upload-certs --upload-certs
247 |       register: kubernetes_certificate_key
248 |       run_once: yes
249 |       delegate_to: "172.16.1.11"
250 | 
251 |     # This got updated after the video
252 |     # Because of https://github.com/kubernetes/kubernetes/issues/60835#issuecomment-395931644
253 |     - name: Edit kubeadm.conf
254 |       blockinfile:
255 |         path: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
256 |         block: |
257 |           Environment="KUBELET_EXTRA_ARGS=--node-ip={{ inventory_hostname }}"
258 | 
259 |     - name: Restart kubelet service
260 |       service:
261 |         name: kubelet
262 |         daemon-reload: yes
263 |         state: restarted
264 | 
265 |     - name: Create directory for kube config
266 |       file:
267 |         path: /home/ci/.kube
268 |         state: directory
269 |         owner: ci
270 |         group: ci
271 |         mode: 0755
272 | 
273 |     - name: Copy /etc/kubernetes/admin.conf to user home directory
274 |       become_user: root
275 |       become_method: sudo
276 |       become: yes
277 |       copy:
278 |         src: /etc/kubernetes/admin.conf
279 |         dest: /home/ci/.kube/config
280 |         remote_src: yes
281 |         owner: ci
282 |         group: ci
283 |         mode: '0644'
284 | 
285 | - hosts: workers
286 |   name: Join workers
287 |   remote_user: ci
288 |   become: yes
289 |   tasks:
290 |     - name: Reset existing cluster
291 |       shell: kubeadm reset -f
292 | 
293 |     - name: Remove .kube in user home directory
294 |       shell: rm -rf .kube
295 | 
296 |     - name: Remove /etc/kubernetes/manifests directory
297 |       shell: rm -rf /etc/kubernetes/manifests
298 | 
299 |     - name: Copy join command to workers
300 |       copy:
301 |         src: /tmp/kubernetes_join_command
302 |         dest: /tmp/kubernetes_join_command
303 |         mode: 0777
304 | 
305 |     - name: Execute worker join command
306 |       shell: sh /tmp/kubernetes_join_command
307 | 
308 |     # This got updated after the video
309 |     # Because of https://github.com/kubernetes/kubernetes/issues/60835#issuecomment-395931644
310 |     - name: Edit kubeadm.conf
311 |       blockinfile:
312 |         path: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
313 |         block: |
314 |           Environment="KUBELET_EXTRA_ARGS=--node-ip={{ inventory_hostname }}"
315 | 
316 |     - name: Restart kubelet service
317 |       service:
318 |         name: kubelet
319 |         daemon-reload: yes
320 |         state: restarted
321 | 


--------------------------------------------------------------------------------
/setup-ha-etcd-cluster/setup.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tranductrinh/k8s/4ecb0802080582a13066ac335d57e5f649d459c8/setup-ha-etcd-cluster/setup.png


--------------------------------------------------------------------------------
/setup-load-balancer-for-kube-apiservers/README.md:
--------------------------------------------------------------------------------
 1 | # Setup load balancer for kuber-apiservers
 2 | 
 3 | This will set up a new multi-master Kubernetes cluster that has
 4 | * 3 masters, each master has 2 CPUs and 2 GBs RAM
 5 | * 3 workers, each worker has 2 CPUs and 2 GBs RAM
 6 | * 1 load balancers, each load balancer has 1 CPU and 1 GB RAM
 7 | 
 8 | ![setup.png](setup.png?raw=true "setup.png")
 9 | 
10 | ## Prerequisites
11 | Before you want to try this on your local, here are requirements
12 | * Your computer must have at least 13 CPUs, 13 GBs RAM
13 | * A public key in .ssh/id_rsa.pub in your home directory
14 | * Directly download [Virtualbox](https://www.virtualbox.org/) and install, or use homebrew
15 |     ```
16 |     brew install --cask virtualbox
17 |     ```
18 | * Vagrant
19 |     ```
20 |     brew install --cask vagrant
21 |     ```
22 | * [(Optional) Vagrant Manager](http://vagrantmanager.com/)
23 |     ```
24 |     brew install --cask vagrant-manager
25 |     ```
26 | 
27 | ## Provision VMs
28 | ```
29 | cd setup-load-balancer-for-kube-apiservers
30 | vagrant up
31 | ```
32 | 
33 | ## Setup load balancer
34 | ```
35 | ansible-playbook -i playbook/load_balancer_inventory.yml playbook/load_balancer_playbook.yml
36 | ```
37 | 
38 | Let's ssh into the load balancer VM, and check haproxy service status
39 | ```
40 | ssh ci@172.16.0.11
41 | systemctl status haproxy
42 | ```
43 | 
44 | ## Setup Kubernetes cluster
45 | ```
46 | ansible-playbook -i playbook/cluster_inventory.yml playbook/cluster_playbook.yml
47 | ```
48 | 
49 | Let's ssh into the first master VM, and verify the cluster
50 | ```
51 | ssh ci@172.16.1.11
52 | kubectl get nodes
53 | ```
54 | 
55 | Download kubeconfig to  your local
56 | ```
57 | mkdir ~/.kube-local
58 | scp ci@172.16.1.11:/home/ci/.kube/config ~/.kube-local/config
59 | export KUBECONFIG=$HOME/.kube-local/config && kubectl get nodes
60 | ```
61 | 
62 | ## Creating and exploring an nginx deployment
63 | Source: https://kubernetes.io/docs/tasks/run-application/run-stateless-application-deployment/
64 | 
65 | ### Create a Deployment
66 | ```
67 | kubectl apply -f https://k8s.io/examples/application/deployment.yaml
68 | ```
69 | 
70 | ### Display information about the Deployment
71 | ```
72 | kubectl describe deployment nginx-deployment
73 | ```
74 | 
75 | ### List the Pods created by the deployment
76 | ```
77 | kubectl get pods -l app=nginx
78 | ```
79 | 
80 | 


--------------------------------------------------------------------------------
/setup-load-balancer-for-kube-apiservers/Vagrantfile:
--------------------------------------------------------------------------------
 1 | Vagrant.configure("2") do |config|
 2 | 
 3 |     # Load Balancer Nodes
 4 |     LoadBalancerCount = 1
 5 |     (1..LoadBalancerCount).each do |i|
 6 |         config.vm.define "k8s-lb-#{i}" do |lb|
 7 |             lb.vm.box = "generic/ubuntu2004"
 8 |             lb.vm.box_version = "3.6.8"
 9 |             lb.vm.hostname = "k8s-lb-#{i}"
10 |             lb.vm.network "private_network", ip: "172.16.0.1#{i}"
11 | 
12 |             lb.vm.provider "virtualbox" do |vb|
13 |                 vb.name = "k8s-lb-#{i}"
14 |                 vb.memory = 1024
15 |                 vb.cpus = 1
16 |             end
17 |         end
18 |     end
19 | 
20 |     # Master Nodes
21 |     MasterCount = 3
22 |     (1..MasterCount).each do |i|
23 |         config.vm.define "k8s-master-#{i}" do |master|
24 |             master.vm.box = "generic/ubuntu2004"
25 |             master.vm.box_version = "3.6.8"
26 |             master.vm.hostname = "k8s-master-#{i}"
27 |             master.vm.network "private_network", ip: "172.16.1.1#{i}"
28 | 
29 |             master.vm.provider "virtualbox" do |vb|
30 |                 vb.name = "k8s-master-#{i}"
31 |                 vb.memory = 2048
32 |                 vb.cpus = 2
33 |             end
34 |         end
35 |     end
36 | 
37 |     # Worker Nodes
38 |     WorkerCount = 3
39 |     (1..WorkerCount).each do |i|
40 |         config.vm.define "k8s-worker-#{i}" do |worker|
41 |             worker.vm.box = "generic/ubuntu2004"
42 |             worker.vm.box_version = "3.6.8"
43 |             worker.vm.hostname = "k8s-worker-#{i}"
44 |             worker.vm.network "private_network", ip: "172.16.2.1#{i}"
45 | 
46 |             worker.vm.provider "virtualbox" do |vb|
47 |                 vb.name = "k8s-worker-#{i}"
48 |                 vb.memory = 2048
49 |                 vb.cpus = 2
50 |             end
51 |         end
52 |     end
53 | 
54 |     config.vm.provision "shell" do |s|
55 |         ssh_pub_key = File.readlines("#{Dir.home}/.ssh/id_rsa.pub").first.strip
56 |         s.inline = <<-SHELL
57 |             # Create ci user
58 |             useradd -s /bin/bash -d /home/ci/ -m -G sudo ci
59 |             echo 'ci ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
60 |             mkdir -p /home/ci/.ssh && chown -R ci /home/ci/.ssh
61 |             echo #{ssh_pub_key} >> /home/ci/.ssh/authorized_keys
62 |         SHELL
63 |     end
64 | 
65 | end
66 | 


--------------------------------------------------------------------------------
/setup-load-balancer-for-kube-apiservers/ansible.cfg:
--------------------------------------------------------------------------------
1 | [defaults]
2 | host_key_checking = False
3 | 


--------------------------------------------------------------------------------
/setup-load-balancer-for-kube-apiservers/kube-flannel-v0.16.3.yml:
--------------------------------------------------------------------------------
  1 | ---
  2 | apiVersion: policy/v1beta1
  3 | kind: PodSecurityPolicy
  4 | metadata:
  5 |   name: psp.flannel.unprivileged
  6 |   annotations:
  7 |     seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
  8 |     seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
  9 |     apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
 10 |     apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
 11 | spec:
 12 |   privileged: false
 13 |   volumes:
 14 |     - configMap
 15 |     - secret
 16 |     - emptyDir
 17 |     - hostPath
 18 |   allowedHostPaths:
 19 |     - pathPrefix: "/etc/cni/net.d"
 20 |     - pathPrefix: "/etc/kube-flannel"
 21 |     - pathPrefix: "/run/flannel"
 22 |   readOnlyRootFilesystem: false
 23 |   # Users and groups
 24 |   runAsUser:
 25 |     rule: RunAsAny
 26 |   supplementalGroups:
 27 |     rule: RunAsAny
 28 |   fsGroup:
 29 |     rule: RunAsAny
 30 |   # Privilege Escalation
 31 |   allowPrivilegeEscalation: false
 32 |   defaultAllowPrivilegeEscalation: false
 33 |   # Capabilities
 34 |   allowedCapabilities: ['NET_ADMIN', 'NET_RAW']
 35 |   defaultAddCapabilities: []
 36 |   requiredDropCapabilities: []
 37 |   # Host namespaces
 38 |   hostPID: false
 39 |   hostIPC: false
 40 |   hostNetwork: true
 41 |   hostPorts:
 42 |     - min: 0
 43 |       max: 65535
 44 |   # SELinux
 45 |   seLinux:
 46 |     # SELinux is unused in CaaSP
 47 |     rule: 'RunAsAny'
 48 | ---
 49 | kind: ClusterRole
 50 | apiVersion: rbac.authorization.k8s.io/v1
 51 | metadata:
 52 |   name: flannel
 53 | rules:
 54 |   - apiGroups: ['extensions']
 55 |     resources: ['podsecuritypolicies']
 56 |     verbs: ['use']
 57 |     resourceNames: ['psp.flannel.unprivileged']
 58 |   - apiGroups:
 59 |       - ""
 60 |     resources:
 61 |       - pods
 62 |     verbs:
 63 |       - get
 64 |   - apiGroups:
 65 |       - ""
 66 |     resources:
 67 |       - nodes
 68 |     verbs:
 69 |       - list
 70 |       - watch
 71 |   - apiGroups:
 72 |       - ""
 73 |     resources:
 74 |       - nodes/status
 75 |     verbs:
 76 |       - patch
 77 | ---
 78 | kind: ClusterRoleBinding
 79 | apiVersion: rbac.authorization.k8s.io/v1
 80 | metadata:
 81 |   name: flannel
 82 | roleRef:
 83 |   apiGroup: rbac.authorization.k8s.io
 84 |   kind: ClusterRole
 85 |   name: flannel
 86 | subjects:
 87 |   - kind: ServiceAccount
 88 |     name: flannel
 89 |     namespace: kube-system
 90 | ---
 91 | apiVersion: v1
 92 | kind: ServiceAccount
 93 | metadata:
 94 |   name: flannel
 95 |   namespace: kube-system
 96 | ---
 97 | kind: ConfigMap
 98 | apiVersion: v1
 99 | metadata:
100 |   name: kube-flannel-cfg
101 |   namespace: kube-system
102 |   labels:
103 |     tier: node
104 |     app: flannel
105 | data:
106 |   cni-conf.json: |
107 |     {
108 |       "name": "cbr0",
109 |       "cniVersion": "0.3.1",
110 |       "plugins": [
111 |         {
112 |           "type": "flannel",
113 |           "delegate": {
114 |             "hairpinMode": true,
115 |             "isDefaultGateway": true
116 |           }
117 |         },
118 |         {
119 |           "type": "portmap",
120 |           "capabilities": {
121 |             "portMappings": true
122 |           }
123 |         }
124 |       ]
125 |     }
126 |   net-conf.json: |
127 |     {
128 |       "Network": "10.244.0.0/16",
129 |       "Backend": {
130 |         "Type": "vxlan"
131 |       }
132 |     }
133 | ---
134 | apiVersion: apps/v1
135 | kind: DaemonSet
136 | metadata:
137 |   name: kube-flannel-ds
138 |   namespace: kube-system
139 |   labels:
140 |     tier: node
141 |     app: flannel
142 | spec:
143 |   selector:
144 |     matchLabels:
145 |       app: flannel
146 |   template:
147 |     metadata:
148 |       labels:
149 |         tier: node
150 |         app: flannel
151 |     spec:
152 |       affinity:
153 |         nodeAffinity:
154 |           requiredDuringSchedulingIgnoredDuringExecution:
155 |             nodeSelectorTerms:
156 |               - matchExpressions:
157 |                   - key: kubernetes.io/os
158 |                     operator: In
159 |                     values:
160 |                       - linux
161 |       hostNetwork: true
162 |       priorityClassName: system-node-critical
163 |       tolerations:
164 |         - operator: Exists
165 |           effect: NoSchedule
166 |       serviceAccountName: flannel
167 |       initContainers:
168 |         - name: install-cni-plugin
169 |           #image: flannelcni/flannel-cni-plugin:v1.0.1 for ppc64le (dockerhub limitations may apply)
170 |           image: rancher/mirrored-flannelcni-flannel-cni-plugin:v1.0.1
171 |           command:
172 |             - cp
173 |           args:
174 |             - -f
175 |             - /flannel
176 |             - /opt/cni/bin/flannel
177 |           volumeMounts:
178 |             - name: cni-plugin
179 |               mountPath: /opt/cni/bin
180 |         - name: install-cni
181 |           #image: flannelcni/flannel:v0.16.1 for ppc64le (dockerhub limitations may apply)
182 |           image: rancher/mirrored-flannelcni-flannel:v0.16.1
183 |           command:
184 |             - cp
185 |           args:
186 |             - -f
187 |             - /etc/kube-flannel/cni-conf.json
188 |             - /etc/cni/net.d/10-flannel.conflist
189 |           volumeMounts:
190 |             - name: cni
191 |               mountPath: /etc/cni/net.d
192 |             - name: flannel-cfg
193 |               mountPath: /etc/kube-flannel/
194 |       containers:
195 |         - name: kube-flannel
196 |           #image: flannelcni/flannel:v0.16.1 for ppc64le (dockerhub limitations may apply)
197 |           image: rancher/mirrored-flannelcni-flannel:v0.16.1
198 |           command:
199 |             - /opt/bin/flanneld
200 |           args:
201 |             - --ip-masq
202 |             - --kube-subnet-mgr
203 |             - --iface=eth1
204 |           resources:
205 |             requests:
206 |               cpu: "100m"
207 |               memory: "50Mi"
208 |             limits:
209 |               cpu: "100m"
210 |               memory: "50Mi"
211 |           securityContext:
212 |             privileged: false
213 |             capabilities:
214 |               add: ["NET_ADMIN", "NET_RAW"]
215 |           env:
216 |             - name: POD_NAME
217 |               valueFrom:
218 |                 fieldRef:
219 |                   fieldPath: metadata.name
220 |             - name: POD_NAMESPACE
221 |               valueFrom:
222 |                 fieldRef:
223 |                   fieldPath: metadata.namespace
224 |           volumeMounts:
225 |             - name: run
226 |               mountPath: /run/flannel
227 |             - name: flannel-cfg
228 |               mountPath: /etc/kube-flannel/
229 |             - name: xtables-lock
230 |               mountPath: /run/xtables.lock
231 |       volumes:
232 |         - name: run
233 |           hostPath:
234 |             path: /run/flannel
235 |         - name: cni-plugin
236 |           hostPath:
237 |             path: /opt/cni/bin
238 |         - name: cni
239 |           hostPath:
240 |             path: /etc/cni/net.d
241 |         - name: flannel-cfg
242 |           configMap:
243 |             name: kube-flannel-cfg
244 |         - name: xtables-lock
245 |           hostPath:
246 |             path: /run/xtables.lock
247 |             type: FileOrCreate
248 | 


--------------------------------------------------------------------------------
/setup-load-balancer-for-kube-apiservers/playbook/cluster_inventory.yml:
--------------------------------------------------------------------------------
 1 | all:
 2 |   children:
 3 |     masters:
 4 |       hosts:
 5 |         172.16.1.11: null
 6 |         172.16.1.12: null
 7 |         172.16.1.13: null
 8 | 
 9 |     workers:
10 |       hosts:
11 |         172.16.2.11: null
12 |         172.16.2.12: null
13 |         172.16.2.13: null
14 | 


--------------------------------------------------------------------------------
/setup-load-balancer-for-kube-apiservers/playbook/cluster_playbook.yml:
--------------------------------------------------------------------------------
  1 | ---
  2 | 
  3 | - hosts: masters, workers
  4 |   name: Setup masters and workers
  5 |   remote_user: ci
  6 |   become: yes
  7 |   tasks:
  8 |     # https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#before-you-begin
  9 |     - name: Disable swap
 10 |       shell: swapoff -a
 11 | 
 12 |     - name: Remove swap entry from /etc/fstab
 13 |       lineinfile:
 14 |         dest: /etc/fstab
 15 |         regexp: swap
 16 |         state: absent
 17 | 
 18 |     - name: Load br_netfilter module
 19 |       shell: |
 20 |         cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
 21 |         br_netfilter
 22 |         EOF
 23 | 
 24 |     - name: Configure iptables to see bridged traffic
 25 |       shell: |
 26 |         cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
 27 |         net.bridge.bridge-nf-call-ip6tables = 1
 28 |         net.bridge.bridge-nf-call-iptables = 1
 29 |         EOF
 30 | 
 31 |     - name: Read values from all system directories
 32 |       shell: sysctl --system
 33 | 
 34 |     # https://docs.docker.com/engine/install/ubuntu/#installation-methods
 35 |     - name: Install packages to allow apt to use a repository over HTTPS
 36 |       apt:
 37 |         name:
 38 |           - ca-certificates
 39 |           - gnupg
 40 |           - apt-transport-https
 41 |         state: present
 42 |         update_cache: yes
 43 | 
 44 |     - name: Add Docker’s official GPG key
 45 |       apt_key:
 46 |         url: https://download.docker.com/linux/ubuntu/gpg
 47 |         state: present
 48 | 
 49 |     - name: Get Ubuntu release version
 50 |       shell: lsb_release -cs
 51 |       register: ubuntu_version
 52 | 
 53 |     - name: Get architecture
 54 |       shell: dpkg --print-architecture
 55 |       register: architecture
 56 | 
 57 |     - name: Add Docker repository
 58 |       apt_repository:
 59 |         repo: "deb [arch={{ architecture.stdout }}] https://download.docker.com/linux/ubuntu {{ ubuntu_version.stdout }} stable"
 60 |         state: present
 61 |         filename: docker
 62 | 
 63 |     - name: Update apt packages
 64 |       apt:
 65 |         update_cache: "yes"
 66 |         force_apt_get: "yes"
 67 | 
 68 |     - name: Install Docker engine
 69 |       apt:
 70 |         name:
 71 |           - docker-ce
 72 |           - docker-ce-cli
 73 |           - containerd.io
 74 |         state: present
 75 |         update_cache: yes
 76 | 
 77 |     # https://kubernetes.io/docs/setup/production-environment/container-runtimes/#docker
 78 |     - name: Create Docker directory
 79 |       file:
 80 |         path: /etc/docker
 81 |         state: directory
 82 | 
 83 |     - name: Create Docker daemon empty file
 84 |       copy:
 85 |         content: ""
 86 |         dest: /etc/docker/daemon.json
 87 |         force: no
 88 | 
 89 |     - name: Configure Docker daemon
 90 |       shell: |
 91 |         cat <<EOF | sudo tee /etc/docker/daemon.json
 92 |         {
 93 |           "exec-opts": ["native.cgroupdriver=systemd"],
 94 |           "log-driver": "json-file",
 95 |           "log-opts": {
 96 |             "max-size": "100m"
 97 |           },
 98 |           "storage-driver": "overlay2"
 99 |         }
100 |         EOF
101 | 
102 |     - name: Restart Docker
103 |       systemd:
104 |         name: docker
105 |         state: restarted
106 |         enabled: yes
107 |         daemon-reload: yes
108 | 
109 |     - name: Add current user to docker group
110 |       user:
111 |         name: "{{ ansible_user }}"
112 |         groups: docker
113 |         append: yes
114 |       become: yes
115 | 
116 |     - name: Add Google Cloud public signing key
117 |       apt_key:
118 |         url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
119 |         state: present
120 | 
121 |     - name: Add Kubernetes repository
122 |       apt_repository:
123 |         repo: deb http://apt.kubernetes.io/ kubernetes-xenial main
124 |         state: present
125 |         filename: kubernetes
126 |         mode: 0600
127 | 
128 |     - name: Install kubelet, kubeadm and kubectl
129 |       apt:
130 |         name:
131 |           - kubeadm=1.23.1-00
132 |           - kubectl=1.23.1-00
133 |           - kubelet=1.23.1-00
134 |         state: present
135 | 
136 |     - name: Enable kubelet service
137 |       service:
138 |         name: kubelet
139 |         enabled: yes
140 | 
141 | - hosts: masters
142 |   name: Init cluster and join masters
143 |   remote_user: ci
144 |   become: yes
145 |   tasks:
146 |     - name: Reset existing cluster
147 |       shell: kubeadm reset -f
148 | 
149 |     - name: Remove .kube in user home directory
150 |       shell: rm -rf .kube
151 | 
152 |     - name: Remove /etc/kubernetes/manifests directory
153 |       shell: rm -rf /etc/kubernetes/manifests
154 | 
155 |     - name: Remove /var/lib/etcd directory
156 |       shell: rm -rf /var/lib/etcd
157 | 
158 |     - name: Init kubernetes cluster
159 |       shell: kubeadm init --control-plane-endpoint=172.16.0.11:6443 --upload-certs --apiserver-advertise-address=172.16.1.11 --pod-network-cidr=10.244.0.0/16
160 |       run_once: yes
161 |       delegate_to: "172.16.1.11"
162 | 
163 |     # This got updated after the video
164 |     # Use release 0.16.3, rather than master version!
165 |     - name: Copy kube-flannel-v0.16.3.yml
166 |       copy:
167 |         src: ../kube-flannel-v0.16.3.yml
168 |         dest: /home/ci/kube-flannel-v0.16.3.yml
169 |         owner: ci
170 |         group: ci
171 |         mode: '0644'
172 |       when: inventory_hostname == "172.16.1.11"
173 | 
174 |     - name: Deploy Flannel network
175 |       shell: kubectl --kubeconfig=/etc/kubernetes/admin.conf apply -f kube-flannel-v0.16.3.yml
176 |       run_once: yes
177 |       delegate_to: "172.16.1.11"
178 | 
179 |     - name: Print join command
180 |       shell: kubeadm token create --print-join-command
181 |       register: kubernetes_join_command
182 |       run_once: yes
183 |       delegate_to: "172.16.1.11"
184 | 
185 |     - name: Copy join command to local
186 |       become: no
187 |       local_action: copy content="{{ kubernetes_join_command.stdout_lines[0] }}" dest="/tmp/kubernetes_join_command" mode=0777
188 |       run_once: yes
189 |       delegate_to: "172.16.1.11"
190 | 
191 |     - name: Generate certificate key
192 |       shell: kubeadm init phase upload-certs --upload-certs
193 |       register: kubernetes_certificate_key
194 |       run_once: yes
195 |       delegate_to: "172.16.1.11"
196 | 
197 |     - name: Execute master join command
198 |       become: yes
199 |       when: inventory_hostname != "172.16.1.11"
200 |       shell: "{{ kubernetes_join_command.stdout_lines[0] }} --control-plane --certificate-key {{ kubernetes_certificate_key.stdout_lines[2] }} --apiserver-advertise-address={{ inventory_hostname }}"
201 | 
202 |     # This got updated after the video
203 |     # Because of https://github.com/kubernetes/kubernetes/issues/60835#issuecomment-395931644
204 |     - name: Edit kubeadm.conf
205 |       blockinfile:
206 |         path: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
207 |         block: |
208 |           Environment="KUBELET_EXTRA_ARGS=--node-ip={{ inventory_hostname }}"
209 | 
210 |     - name: Restart kubelet service
211 |       service:
212 |         name: kubelet
213 |         daemon-reload: yes
214 |         state: restarted
215 | 
216 |     - name: Create directory for kube config
217 |       file:
218 |         path: /home/ci/.kube
219 |         state: directory
220 |         owner: ci
221 |         group: ci
222 |         mode: 0755
223 | 
224 |     - name: Copy /etc/kubernetes/admin.conf to user home directory
225 |       become_user: root
226 |       become_method: sudo
227 |       become: yes
228 |       copy:
229 |         src: /etc/kubernetes/admin.conf
230 |         dest: /home/ci/.kube/config
231 |         remote_src: yes
232 |         owner: ci
233 |         group: ci
234 |         mode: '0644'
235 | 
236 | - hosts: workers
237 |   name: Join workers
238 |   remote_user: ci
239 |   become: yes
240 |   tasks:
241 |     - name: Reset existing cluster
242 |       shell: kubeadm reset -f
243 | 
244 |     - name: Remove .kube in user home directory
245 |       shell: rm -rf .kube
246 | 
247 |     - name: Remove /etc/kubernetes/manifests directory
248 |       shell: rm -rf /etc/kubernetes/manifests
249 | 
250 |     - name: Copy join command to workers
251 |       copy:
252 |         src: /tmp/kubernetes_join_command
253 |         dest: /tmp/kubernetes_join_command
254 |         mode: 0777
255 | 
256 |     - name: Execute worker join command
257 |       shell: sh /tmp/kubernetes_join_command
258 | 
259 |     # This got updated after the video
260 |     # Because of https://github.com/kubernetes/kubernetes/issues/60835#issuecomment-395931644
261 |     - name: Edit kubeadm.conf
262 |       blockinfile:
263 |         path: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
264 |         block: |
265 |           Environment="KUBELET_EXTRA_ARGS=--node-ip={{ inventory_hostname }}"
266 | 
267 |     - name: Restart kubelet service
268 |       service:
269 |         name: kubelet
270 |         daemon-reload: yes
271 |         state: restarted
272 | 


--------------------------------------------------------------------------------
/setup-load-balancer-for-kube-apiservers/playbook/load_balancer_inventory.yml:
--------------------------------------------------------------------------------
1 | lbs:
2 |   hosts:
3 |     172.16.0.11: null
4 | 


--------------------------------------------------------------------------------
/setup-load-balancer-for-kube-apiservers/playbook/load_balancer_playbook.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | 
 3 | - hosts: lbs
 4 |   name: Setup load balancers
 5 |   remote_user: ci
 6 |   become: yes
 7 |   tasks:
 8 |     - name: Install haproxy
 9 |       apt:
10 |         name:
11 |           - haproxy
12 |         state: present
13 |         update_cache: yes
14 | 
15 |     - name: Create haproxy conf empty file
16 |       copy:
17 |         content: ""
18 |         dest: /etc/haproxy/haproxy.cfg
19 |         force: yes
20 | 
21 |     - name: Configure haproxy
22 |       shell: |
23 |         cat <<EOF | sudo tee /etc/haproxy/haproxy.cfg
24 |         frontend kubernetes-frontend
25 |           bind *:6443
26 |           mode tcp
27 |           option tcplog
28 |           default_backend kubernetes-backend
29 | 
30 |         backend kubernetes-backend
31 |           option httpchk GET /healthz
32 |           http-check expect status 200
33 |           mode tcp
34 |           option ssl-hello-chk
35 |           balance roundrobin
36 |             server k8s-master-1 172.16.1.11:6443 check fall 3 rise 2
37 |             server k8s-master-2 172.16.1.12:6443 check fall 3 rise 2
38 |             server k8s-master-3 172.16.1.13:6443 check fall 3 rise 2
39 |         EOF
40 | 
41 |     - name: Restart haproxy
42 |       systemd:
43 |         name: haproxy
44 |         state: restarted
45 |         enabled: yes
46 |         daemon-reload: yes
47 | 


--------------------------------------------------------------------------------
/setup-load-balancer-for-kube-apiservers/setup.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tranductrinh/k8s/4ecb0802080582a13066ac335d57e5f649d459c8/setup-load-balancer-for-kube-apiservers/setup.png


--------------------------------------------------------------------------------