updated

HAProxy/rke2/haproxy.cfg

@@ -0,0 +1,80 @@
+global
+	log /dev/log	local0
+	log /dev/log	local1 notice
+	chroot /var/lib/haproxy
+	stats socket /run/haproxy/admin.sock mode 660 level admin
+	stats timeout 30s
+	user haproxy
+	group haproxy
+	daemon
+
+	# Default SSL material locations
+	ca-base /etc/ssl/certs
+	crt-base /etc/ssl/private
+
+	# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
+        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+defaults
+	log	global
+	mode	tcp
+#	option	httplog
+	option	dontlognull
+        timeout connect 5000
+        timeout client  50000
+        timeout server  50000
+	errorfile 400 /etc/haproxy/errors/400.http
+	errorfile 403 /etc/haproxy/errors/403.http
+	errorfile 408 /etc/haproxy/errors/408.http
+	errorfile 500 /etc/haproxy/errors/500.http
+	errorfile 502 /etc/haproxy/errors/502.http
+	errorfile 503 /etc/haproxy/errors/503.http
+	errorfile 504 /etc/haproxy/errors/504.http
+
+frontend rke2-api
+    bind *:6443
+    mode tcp
+    option tcplog
+    default_backend rke2-masters
+
+backend rke2-masters
+    mode tcp
+    balance roundrobin
+    option tcp-check
+    default-server inter 10s fall 2 rise 3
+    server master1 10.128.0.22:6443 check
+    server master2 10.128.0.23:6443 check
+    server master3 10.162.0.2:6443 check
+
+# NGINX Ingress HTTP frontend
+frontend http-ingress
+    bind *:80
+    mode tcp
+    option tcplog
+    default_backend nginx-http
+
+# NGINX Ingress HTTPS frontend
+frontend https-ingress
+    bind *:443
+    mode tcp
+    option tcplog
+    default_backend nginx-https
+
+# Backend for NGINX Ingress HTTP
+backend nginx-http
+    mode tcp
+    balance roundrobin
+    server nginx1 10.188.0.200:80 check
+
+# Backend for NGINX Ingress HTTPS
+backend nginx-https
+    mode tcp
+    balance roundrobin
+    server nginx1 10.188.0.200:443 check
+
+
+    helm uninstall rke2-canal -n kube-system
+    kubectl delete pod helm-install-rke2-ingress-nginx-kg8zq -n kube-system
+

Kubernetes/rke2/ansible/install_kubectl_helm.yml

@@ -0,0 +1,63 @@
+---
+- hosts: masters
+  become: yes
+  tasks:
+    - name: Download kubectl
+      shell: |
+        curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
+        curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl.sha256"
+        echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check
+
+    - name: Install kubectl
+      shell: |
+        sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
+        kubectl version --client
+      args:
+        warn: false
+
+    - name: Download and install Helm
+      shell: |
+        curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
+        chmod 700 get_helm.sh
+        ./get_helm.sh
+
+    - name: Add KUBECONFIG to bashrc
+      lineinfile:
+        path: /root/.bashrc
+        line: 'export KUBECONFIG=/etc/rancher/rke2/rke2.yaml'
+        state: present
+
+    - name: Manually set KUBECONFIG in the current session
+      shell: "export KUBECONFIG=/etc/rancher/rke2/rke2.yaml && kubectl get nodes"
+      register: kubectl_output
+
+    - debug:
+        msg: "Kubectl command output: {{ kubectl_output.stdout }}"
+
+    - name: Set permissions for /etc/rancher/rke2
+      file:
+        path: /etc/rancher/rke2
+        mode: '0755'
+
+    - name: Set permissions for /etc/rancher
+      file:
+        path: /etc/rancher
+        mode: '0755'
+
+    - name: Set permissions for /etc/rancher/rke2/rke2.yaml
+      file:
+        path: /etc/rancher/rke2/rke2.yaml
+        mode: '0644'
+        owner: "{{ ansible_user }}"
+        group: "{{ ansible_user }}"
+
+    - name: Change permission to 600 for /etc/rancher/rke2/rke2.yaml
+      file:
+        path: /etc/rancher/rke2/rke2.yaml
+        mode: '0600'
+
+    - name: Change ownership of /etc/rancher/rke2/rke2.yaml to user
+      file:
+        path: /etc/rancher/rke2/rke2.yaml
+        owner: "{{ ansible_user }}"
+        group: "{{ ansible_user }}"

Kubernetes/rke2/ansible/inventory.ini

@@ -0,0 +1,19 @@
+[all]
+server1 ansible_host=10.162.0.6 ansible_user=root
+server2 ansible_host=10.162.0.7 ansible_user=root
+server3 ansible_host=10.162.0.8 ansible_user=root
+server4 ansible_host=10.162.0.9 ansible_user=root
+server5 ansible_host=10.188.0.4 ansible_user=root
+server6 ansible_host=10.188.0.5 ansible_user=root
+
+[load_balancer]
+load-balancer ansible_host=10.188.0.6 ansible_user=root
+
+------------------------------------------------------------
+[all]
+server1 ansible_host=10.128.0.29 ansible_user=root
+server2 ansible_host=10.128.0.30 ansible_user=root
+server3 ansible_host=10.128.0.31 ansible_user=root
+
+[load_balancer]
+load-balancer ansible_host=10.128.0.28 ansible_user=root

Kubernetes/rke2/ansible/rke2.ini

@@ -0,0 +1,12 @@
+[masters]
+master1 ansible_host=10.162.0.6 ansible_user=ismoilovdev
+master2 ansible_host=10.162.0.7 ansible_user=ismoilovdev
+master3 ansible_host=10.162.0.8 ansible_user=ismoilovdev
+
+[nodes]
+node1 ansible_host=10.162.0.9 ansible_user=root
+node2 ansible_host=10.188.0.4 ansible_user=ismoilovdev
+node3 ansible_host=10.188.0.5 ansible_user=ismoilovdev
+
+[load_balancer]
+load-balancer ansible_host=10.188.0.6 ansible_user=ismoilovdev

Kubernetes/rke2/ansible/test.yml

@@ -0,0 +1,88 @@
+---
+all:
+  vars:
+    install_rke2_version: v1.31.0+rke2r1
+    # # In air-gapped envs, it might be convenient to download the tar files from custom URLs
+    # rke2_tarball_url: https://github.com/rancher/rke2/releases/download/v1.26.15%2Brke2r1/rke2.linux-amd64.tar.gz
+    # rke2_image_tar_urls:
+    # - https://github.com/rancher/rke2/releases/download/v1.26.15%2Brke2r1/rke2-images-canal.linux-amd64.tar.zst
+    # - https://github.com/rancher/rke2/releases/download/v1.26.15%2Brke2r1/rke2-images-core.linux-amd64.tar.zst
+
+rke2_cluster:
+  children:
+    rke2_servers:
+      vars:
+        # # Set generic rke2_config at the group level.
+        # # Every host in this group will inherit these rke2 configurations
+        # # See https://docs.rke2.io/reference/server_config for more options
+        # # These options can also be set in the group_vars folder
+        rke2_config:
+          node-label:
+            - serverGroupLabel=true
+          # profile: cis-1.6
+          # kube-controller-manager-arg:
+          # - "tls-min-version=VersionTLS12"
+          # - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
+          # kube-scheduler-arg:
+          # - "tls-min-version=VersionTLS12"
+          # - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
+          # kube-apiserver-arg:
+          # - "tls-min-version=VersionTLS12"
+          # - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
+          # - "enable-admission-plugins=ValidatingAdmissionWebhook,NodeRestriction,PodSecurityPolicy"
+          # - "request-timeout=300s"
+          # # Enable only when auditing is enabled, blocks API when audit fails
+          # #- "audit-log-mode=blocking-strict"
+          #
+          # kubelet-arg:
+          # - "feature-gates=DynamicKubeletConfig=false"
+          # - "protect-kernel-defaults=true"
+          # - "streaming-connection-idle-timeout=5m"
+          #
+          # etcd-extra-env:
+          # - "ETCD_AUTO_TLS=false"
+          # - "ETCD_PEER_AUTO_TLS=false"
+          #
+          # write-kubeconfig-mode: "0640"
+          # # See https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
+          # # Add a policy configuration file by specifying the file path on the control host
+          # audit_policy_config_file_path: "{{ playbook_dir }}/sample_files/audit-policy.yaml"
+          # # See https://docs.rke2.io/install/containerd_registry_configuration/
+          # # Add a registry configuration file by specifying the file path on the control host
+          # registry_config_file_path: "{{ playbook_dir }}/sample_files/registries.yaml"
+          # # See https://docs.rke2.io/helm/#automatically-deploying-manifests-and-helm-charts
+          # # Add manifest files by specifying the directory path on the control host
+          # manifest_config_file_path: "{{ playbook_dir }}/sample_files/manifest/"
+      hosts:
+        # # Optional hostvars that can be pased in to individual nodes include
+        # # node_ip, node_name, bind_address, advertise_address, node_taints=[],
+        # # node_labels=[], and node_external_ip
+        10.128.0.29:
+          node_name: "master1"
+          ansible_user: root
+          node_labels:
+            - server0Label=true
+        10.128.0.30:
+          node_name: "master2"
+          ansible_user: root
+          node_labels:
+            - server0Label=true
+          # node_ip: "10.10.10.10"
+          # node_name: "server0.example.com"
+          # bind_address: "10.10.10.10"
+          # advertise_address: "10.10.10.10"
+          # node_external_ip: "52.52.52.52"
+          # node_taints:
+          # - CriticalAddonsOnly=true:NoSchedule
+          # cloud_provider_name: "aws"
+    rke2_agents:
+      vars:
+        rke2_config:
+          node-label:
+            - agentGroupLabel=true
+      hosts:
+        10.128.0.31:
+          node_name: "node1"
+          ansible_user: root
+          node_labels:
+            - agent0Label=true

Kubernetes/rke2/ansible/update_upgrade.yml

@@ -0,0 +1,54 @@
+---
+- hosts: all
+  become: yes
+  tasks:
+    - name: Update apt cache
+      apt:
+        update_cache: yes
+
+    - name: Upgrade all packages
+      apt:
+        upgrade: dist
+        autoclean: yes
+        autoremove: yes
+
+    - name: Install required packages
+      apt:
+        name:
+          - software-properties-common
+          - ca-certificates
+          - curl
+          - gnupg
+          - zip
+          - unzip
+        state: present
+        update_cache: yes
+
+- hosts: load_balancer
+  become: yes
+  tasks:
+    - name: Update apt cache
+      apt:
+        update_cache: yes
+
+    - name: Upgrade all packages
+      apt:
+        upgrade: dist
+        autoclean: yes
+        autoremove: yes
+
+    - name: Install software-properties-common without recommends
+      apt:
+        name: software-properties-common
+        state: present
+        install_recommends: no
+
+    - name: Add HAProxy PPA repository
+      apt_repository:
+        repo: ppa:vbernat/haproxy-2.8
+        state: present
+
+    - name: Install HAProxy 2.8
+      apt:
+        name: haproxy=2.8.*
+        state: present

Kubernetes/rke2/hosts.yml

@@ -57,17 +57,17 @@ rke2_cluster:
         # # Optional hostvars that can be pased in to individual nodes include
         # # node_ip, node_name, bind_address, advertise_address, node_taints=[],
         # # node_labels=[], and node_external_ip
-        10.128.0.22:
+        10.162.0.6:
           node_name: "master1"
           ansible_user: root
           node_labels:
             - server0Label=true
-        10.128.0.23:
+        10.162.0.7:
           node_name: "master2"
           ansible_user: root
           node_labels:
             - server0Label=true
-        10.162.0.2:
+        10.162.0.8:
           node_name: "master3"
           ansible_user: root
           node_labels:
@@ -86,17 +86,17 @@ rke2_cluster:
           node-label:
             - agentGroupLabel=true
       hosts:
-        10.128.0.24:
+        10.162.0.9:
           node_name: "node1"
           ansible_user: root
           node_labels:
             - agent0Label=true
-        10.188.0.2:
+        10.188.0.4:
           node_name: "node2"
           ansible_user: root
           node_labels:
             - agent1Label=true
-        10.188.0.3:
+        10.188.0.5:
           node_name: "node3"
           ansible_user: root
           node_labels:

Kubernetes/rke2/ingress-nginx-service.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: ingress-nginx
+  namespace: kube-system
+  annotations:
+    metallb.universe.tf/address-pool: first-pool
+spec:
+  type: LoadBalancer
+  selector:
+    app.kubernetes.io/name: ingress-nginx
+  ports:
+    - name: http
+      port: 80
+      targetPort: 80
+    - name: https
+      port: 443
+      targetPort: 443