teste com secrets falsos

inventory.ini

@@ -1,9 +1,9 @@
 [kube-master]
-master1 ansible_host=192.168.1.10 ansible_user=ubuntu
+master1 ansible_host=192.168.1.10 ansible_user=ubuntu ansible_ssh_common_args='-o StrictHostKeyChecking=no'
 
 [kube-node]
-node1 ansible_host=192.168.1.11 ansible_user=ubuntu
+node1 ansible_host=192.168.1.11 ansible_user=ubuntu ansible_ssh_common_args='-o StrictHostKeyChecking=no'
-node2 ansible_host=192.168.1.12 ansible_user=ubuntu
+node2 ansible_host=192.168.1.12 ansible_user=ubuntu ansible_ssh_common_args='-o StrictHostKeyChecking=no'
 
-[all:vars]
+#[all:vars]
-ansible_python_interpreter=/usr/bin/python3
+#ansible_python_interpreter=/usr/bin/python3

playbook.yml

@@ -5,6 +5,7 @@
     - common
     - kubernetes
     - kube-master
+    - stolon
 
 - name: Configure Kubernetes Nodes
   hosts: workers

roles/kube-master/tasks/main.yml

@@ -1,73 +1,76 @@
 - name: Instalar pip3 no host remoto
+  become: true
   ansible.builtin.apt:
     name: python3-pip
     state: present
     update_cache: true
 
 - name: Instalar ruamel.yaml no host remoto
+  become: true
   ansible.builtin.pip:
     name: ruamel.yaml
     executable: pip3
 
 - name: Fazer download do manifest oficial do Flannel
+  become: true
   get_url:
     url: https://raw.githubusercontent.com/flannel-io/flannel/master/Documentation/kube-flannel.yml
     dest: /tmp/kube-flannel.yml
 
 - name: Substituir o CIDR da rede no manifest
+  become: true
   replace:
     path: /tmp/kube-flannel.yml
     regexp: '10\.244\.0\.0/16'
-    replace: '192.168.3.0/16'
+    replace: '10.244.0.0/16' # .3.
 
 - name: Corrigir net-conf.json no manifest do Flannel
+  become: true
   ansible.builtin.script:
     cmd: patch_netconf.py
 
 - name: cat flannel
+  become: true
   shell: |
     cat /tmp/kube-flannel.yml
   register: flannel_manifest
 
 - name: Mostrar conteúdo do manifest
+  become: true
   debug:
     var: flannel_manifest.stdout
 
-- name: Forçar uso da interface correta
+- name: Adicionar --iface=eth0 ao flanneld
-  replace:
+  become: true
+  ansible.builtin.lineinfile:
     path: /tmp/kube-flannel.yml
-    regexp: 'command: 
+    insertafter: '        - --kube-subnet-mgr'
-\[.*?flanneld.*?\]
+    line: '        - --iface=eth0'
-'
-    replace: |
-      command:
-        - /opt/bin/flanneld
-        - --ip-masq
-        - --kube-subnet-mgr
-        - --iface=eth1
         
 
 
 - name: Inicializar o cluster com kubeadm
+  become: true
   command:
     argv:
       - kubeadm
       - init
-      - --pod-network-cidr=192.168.3.0/16
+      - --pod-network-cidr=10.244.0.0/16 # .3. 
       - --apiserver-advertise-address=192.168.1.150
-      - --cri-socket=unix:///run/containerd/containerd.sock
     creates: /etc/kubernetes/admin.conf 
 
 
 
 
 - name: Verificar se o diretório .kube já existe
+  become: true
   stat:
     path: /home/fenix/.kube
   register: kube_dir
   
 
 - name: Criar diretório .kube para o usuário ubuntu
+  become: true
   ansible.builtin.file:
     path: /home/fenix/.kube
     state: directory
@@ -77,6 +80,7 @@
   when: not kube_dir.stat.exists
   
 - name: Set up kubeconfig for user
+  become: true
   copy:
     src: /etc/kubernetes/admin.conf
     dest: /home/fenix/.kube/config
@@ -87,6 +91,7 @@
   when: not kube_dir.stat.exists
 
 - name: 33 Wait for Kubernetes API to be ready
+  become: true
   shell: |
     kubectl get --raw='/healthz'
   environment:
@@ -98,23 +103,26 @@
   become: yes
 
 - name: cat flannel
+  become: true
   shell: |
     cat /tmp/kube-flannel.yml
   register: flannel_manifest2
 
 - name: Mostrar conteúdo do manifest
+  become: true
   debug:
     var: flannel_manifest2.stdout
 
-#- name: Aplicar o manifest do Flannel
+- name: Aplicar o manifest do Flannel
-#  become: yes
+  become: yes
-#  become_user: fenix 
+  become_user: fenix 
-#  shell: |
+  shell: |
-#    kubectl apply -f /tmp/kube-flannel.yml
+    kubectl apply -f /tmp/kube-flannel.yml
-#  environment:
+  environment:
-#    KUBECONFIG:  /home/fenix/.kube/config
+    KUBECONFIG:  /home/fenix/.kube/config
 
 - name: 34 Wait for Kubernetes API to be ready
+  become: true
   shell: |
     kubectl get --raw='/healthz'
   environment:
@@ -126,9 +134,11 @@
   become: yes
 
 - name: Get kubeadm join command
+  become: true
   shell: kubeadm token create --print-join-command
   register: join_cmd
   
 - name: Set join command as fact
+  become: true
   set_fact:
     kubeadm_join_command: "{{ join_cmd.stdout }}"

roles/kube-master/tasks/patch_netconf.py

@@ -10,11 +10,11 @@ with open("/tmp/kube-flannel.yml", "r") as f:
 for doc in docs:
     if doc.get("kind") == "ConfigMap" and doc.get("metadata", {}).get("name") == "kube-flannel-cfg":
         doc["data"]["net-conf.json"] = '''{
-  "Network": "192.168.3.0/16",
+  "Network": "10.244.0.0/16",
   "Backend": {
     "Type": "vxlan"
   },
-  "Interface": "eth1"
+  "Interface": "eth0"
 }'''
 
 with open("/tmp/kube-flannel.yml", "w") as f:

roles/kube-node/tasks/main.yml

@@ -2,6 +2,30 @@
   hostname:
     name: "ubuntu-{{ ansible_play_hosts.index(inventory_hostname) }}"
 
+
+- name: Obter hostname real do nó
+  become: true
+  command: hostname
+  register: node_hostname
+
+- name: Verificar se o nó já está no cluster
+  shell: |
+    kubectl get nodes --no-headers | grep -w {{ node_hostname.stdout }} || echo "NOT_IN_CLUSTER"
+  register: node_status
+  environment:
+    KUBECONFIG: /etc/kubernetes/kubelet.conf
+
+
 - name: Join Kubernetes cluster
   shell: "{{ hostvars['master1']['kubeadm_join_command'] }}"
-  when: hostvars['master1']['kubeadm_join_command'] is defined
+  when: 
+    - hostvars['master1']['kubeadm_join_command'] is defined
+    - node_status.stdout | trim == "NOT_IN_CLUSTER"
+
+
+#- name: Atribuir podCIDR ao nó via hostname real
+#  shell: |
+#    kubectl patch node {{ node_hostname.stdout }} -p '{"spec":{"podCIDR":"192.168.2.0/24"}}'
+#  when: 
+#    - hostvars['master1']['kubeadm_join_command'] is defined
+#    - node_status.stdout | trim == "NOT_IN_CLUSTER"

roles/kubernetes/tasks/main.yml

@@ -1,23 +1,69 @@
-- name: Install containerd
+- name: disable UFW firewall for labs
+  service:
+    name: ufw
+    state: stopped
+    enabled: false
+
+- name: Disable SWAP
+  shell: |
+    swapoff -a
+
+- name: Disable SWAP in fstab
+  lineinfile:
+    path: /etc/fstab
+    regexp: '^.*swap.*$'
+    line: '#\0'
+    backrefs: yes
+
+- name: Installation of apt-utils
+  become: true
+  apt:
+    name:
+      - apt-transport-https
+    state: present
+    update_cache: yes
+
+
+- name: Instalar containerd
+  become: true
   apt:
     name: containerd
     state: present
-    update_cache: no
+    update_cache: yes
-  become: true
 
-- name: Hold Kubernetes packages
+- name: Criar diretório de configuração do containerd
   become: true
-  ansible.builtin.shell: |
+  file:
-    apt-mark hold containerd
+    path: /etc/containerd
-#- name: Add Kubernetes APT key
+    state: directory
-#  apt_key:
+    mode: '0755'
-#    url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
+
-#    state: present
+- name: Gerar config.toml padrão do containerd
+  become: true
+  shell: containerd config default > /etc/containerd/config.toml
+  args:
+    creates: /etc/containerd/config.toml
+
+- name: Ativar SystemdCgroup no containerd
+  become: true
+  replace:
+    path: /etc/containerd/config.toml
+    regexp: 'SystemdCgroup = false'
+    replace: 'SystemdCgroup = true'
+
+- name: Reiniciar e habilitar containerd
+  become: true
+  systemd:
+    name: containerd
+    state: restarted
+    enabled: true
+    
+
+- name: Setting value of SystemdCgroup
+  shell: |
+    containerd config default | sudo tee /etc/containerd/config.toml | grep SystemdCgroup
+    sed -i 's/SystemdCgroup = false/SystemdCgroup = true/g' /etc/containerd/config.toml
 
-#- name: Add Kubernetes repo
-#  apt_repository:
-#    repo: deb http://apt.kubernetes.io/ kubernetes-jammy main
-#    state: present
     
 - name: Adicionar chave GPG do Kubernetes
   become: true
@@ -63,13 +109,13 @@
     state: absent
 
 
-- name: Ativar ip_forward de forma idempotente
+#- name: Ativar ip_forward de forma idempotente
-  become: true
+#  become: true
-  ansible.builtin.sysctl:
+#  ansible.builtin.sysctl:
-    name: net.ipv4.ip_forward
+#    name: net.ipv4.ip_forward
-    value: '1'
+#    value: '1'
-    state: present
+#    state: present
-    reload: yes
+#    reload: yes
 
 - name: Configurar sysctl para Kubernetes
   become: true
@@ -89,6 +135,7 @@
 
   
 - name: Criar arquivo de configuração sysctl para Kubernetes
+  become: true
   ansible.builtin.copy:
     dest: /etc/sysctl.d/k8s.conf
     content: |
@@ -100,11 +147,13 @@
   notify: Reload sysctl
 
 - name: Carregar módulo br_netfilter se necessário
+  become: true
   ansible.builtin.modprobe:
     name: br_netfilter
     state: present
 
 - name: Garantir que o módulo br_netfilter seja carregado na inicialização
+  become: true
   ansible.builtin.copy:
     dest: /etc/modules-load.d/k8s.conf
     content: |

roles/stolon/kubernetes-files/docker-secrets.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: regcred
+  namespace: postgresql
+data:
+  .dockerconfigjson: >-
+    eyJhdXRocyI6eyJodHRwczovL2luZGV4LmRvY2tlci5pby92MS8iOnsidXNlcm5hbWUiOiJ1c2VyIiwicGFzc3dvcmQiOiJwYXNzIiwiYXV0aCI6ImRmamlla2ZlcldFS1dFa29mY2RrbzM0MzUzZmQ9In19fQ==
+type: kubernetes.io/dockerconfigjson

roles/stolon/kubernetes-files/stolon-keeper

@@ -0,0 +1,109 @@
+# PetSet was renamed to StatefulSet in k8s 1.5
+# apiVersion: apps/v1alpha1
+# kind: PetSet
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: stolon-keeper
+  namespace: postgresql
+spec:
+  serviceName: "stolon-keeper"
+  replicas: 3
+  selector:
+    matchLabels:
+      component: stolon-keeper
+      stolon-cluster: kube-stolon
+  template:
+    metadata:
+      labels:
+        component: stolon-keeper
+        stolon-cluster: kube-stolon
+      annotations:
+        pod.alpha.kubernetes.io/initialized: "true"
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "8080"
+    spec:
+      imagePullSecrets:
+      - name: regcred
+      terminationGracePeriodSeconds: 10
+      containers:
+        - name: stolon-keeper
+          image: sorintlab/stolon:master-pg15
+          command:
+            - "/bin/bash"
+            - "-ec"
+            - |
+              id stolon
+              # Generate our keeper uid using the pod index
+              IFS='-' read -ra ADDR <<< "$(hostname)"
+              export STKEEPER_UID="keeper${ADDR[-1]}"
+              export POD_IP=$(hostname -i)
+              export STKEEPER_PG_LISTEN_ADDRESS=$POD_IP
+              mkdir -p /stolon-data/data
+              export STOLON_DATA=/stolon-data/data
+              chown stolon:stolon /stolon-data
+              chown stolon:stolon $STOLON_DATA
+              exec gosu stolon stolon-keeper --data-dir $STOLON_DATA
+          env:
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: STKEEPER_CLUSTER_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.labels['stolon-cluster']
+            - name: STKEEPER_STORE_BACKEND
+              value: "kubernetes"
+            - name: STKEEPER_KUBE_RESOURCE_KIND
+              value: "configmap"
+            - name: STKEEPER_PG_REPL_USERNAME
+              #value: "repluser"
+              valueFrom:
+                secretKeyRef:
+                  name: stolon-repl-secret
+                  key: username
+            - name: STKEEPER_PG_REPL_PASSWORD
+              #value: "replpassword"
+              valueFrom:
+                secretKeyRef:
+                  name: stolon-repl-secret
+                  key: password
+            - name: STKEEPER_PG_SU_USERNAME
+              #value: "stolon"
+              valueFrom:
+                secretKeyRef:
+                  name: stolon-secret
+                  key: username
+            - name: STKEEPER_PG_SU_PASSWORDFILE
+              value: "/etc/secrets/stolon/password"
+            - name: STKEEPER_METRICS_LISTEN_ADDRESS
+              value: "0.0.0.0:8080"
+            # Uncomment this to enable debug logs
+            #- name: STKEEPER_DEBUG
+            #  value: "true"
+          ports:
+            - containerPort: 5432
+            - containerPort: 8080
+          volumeMounts:
+            - mountPath: /stolon-data
+              name: data
+            - mountPath: /etc/secrets/stolon
+              name: stolon
+      volumes:
+        - name: stolon
+          secret:
+            secretName: stolon-secret
+  volumeClaimTemplates:
+    - kind: PersistentVolumeClaim
+      apiVersion: v1
+      metadata:
+        name: data
+        namespace: postgresql
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 10Gi
+        storageClassName: stolon-nfs-csi

roles/stolon/kubernetes-files/stolon-nfs-csi.yaml

@@ -0,0 +1,11 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: stolon-nfs-csi
+  namespace: postgresql
+provisioner: nfs.csi.k8s.io
+parameters:
+  server: 192.168.1.34
+  share: /mnt/pool/data/k8s-Volumes/postgress_stolon/keepers
+allowVolumeExpansion: true
+reclaimPolicy: Retain

roles/stolon/kubernetes-files/stolon-proxy-service.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: stolon-proxy-service
+  namespace: postgresql
+spec:
+  ports:
+    - port: 5432
+      targetPort: 5432
+  selector:
+    component: stolon-proxy
+    stolon-cluster: kube-stolon
+  type: LoadBalancer
+  loadBalancerIP: 192.168.1.100

roles/stolon/kubernetes-files/stolon-proxy.yaml

@@ -0,0 +1,58 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: stolon-proxy
+  namespace: postgresql
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      component: stolon-proxy
+      stolon-cluster: kube-stolon
+  template:
+    metadata:
+      labels:
+        component: stolon-proxy
+        stolon-cluster: kube-stolon
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "8080"
+    spec:
+      imagePullSecrets:
+      - name: regcred
+      containers:
+        - name: stolon-proxy
+          image: sorintlab/stolon:master-pg10
+          command:
+            - "/bin/bash"
+            - "-ec"
+            - |
+              exec gosu stolon stolon-proxy
+          env:
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: STPROXY_CLUSTER_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.labels['stolon-cluster']
+            - name: STPROXY_STORE_BACKEND
+              value: "kubernetes"
+            - name: STPROXY_KUBE_RESOURCE_KIND
+              value: "configmap"
+            - name: STPROXY_LISTEN_ADDRESS
+              value: "0.0.0.0"
+            - name: STPROXY_METRICS_LISTEN_ADDRESS
+              value: "0.0.0.0:8080"
+            ## Uncomment this to enable debug logs
+            #- name: STPROXY_DEBUG
+            #  value: "true"
+          ports:
+            - containerPort: 5432
+            - containerPort: 8080
+          readinessProbe:
+            tcpSocket:
+              port: 5432
+            initialDelaySeconds: 10
+            timeoutSeconds: 5

roles/stolon/kubernetes-files/stolon-repl-secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: stolon-repl-secret
+    namespace: postgresql
+type: Opaque
+data:
+    username: asOndDQ5aWZqa2w0aW85
+    password: asOndDQ5aWZqa2w0aW85

roles/stolon/kubernetes-files/stolon-role-binding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: stolon-role-binding
+  namespace: postgresql
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: stolon-role
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: postgresql

roles/stolon/kubernetes-files/stolon-role.yaml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: stolon-role
+  namespace: postgresql
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - configmaps
+  - events
+  verbs:
+  - "*"

roles/stolon/kubernetes-files/stolon-secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: stolon-secret
+    namespace: postgresql
+type: Opaque
+data:
+    username: asOndDQ5aWZqa2w0aW85
+    password: asOndDQ5aWZqa2w0aW85

roles/stolon/kubernetes-files/stolon-sentinel.yaml

@@ -0,0 +1,50 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: stolon-sentinel
+  namespace: postgresql
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      component: stolon-sentinel
+      stolon-cluster: kube-stolon
+  template:
+    metadata:
+      labels:
+        component: stolon-sentinel
+        stolon-cluster: kube-stolon
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "8080"
+    spec:
+      imagePullSecrets:
+      - name: regcred
+      containers:
+        - name: stolon-sentinel
+          image: sorintlab/stolon:master-pg10
+          command:
+            - "/bin/bash"
+            - "-ec"
+            - |
+              exec gosu stolon stolon-sentinel
+          env:
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: STSENTINEL_CLUSTER_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.labels['stolon-cluster']
+            - name: STSENTINEL_STORE_BACKEND
+              value: "kubernetes"
+            - name: STSENTINEL_KUBE_RESOURCE_KIND
+              value: "configmap"
+            - name: STSENTINEL_METRICS_LISTEN_ADDRESS
+              value: "0.0.0.0:8080"
+            ## Uncomment this to enable debug logs
+            #- name: STSENTINEL_DEBUG
+            #  value: "true"
+          ports:
+            - containerPort: 8080

roles/stolon/tasks/main.yml

@@ -0,0 +1,14 @@
+- name: Criar diretório temporário no remoto
+  file:
+    path: /tmp/stolon/kubernetes-files
+    state: directory
+    mode: '0755'
+
+- name: Copiar arquivos YAML para o remoto
+  copy:
+    src: ./roles/stolon/kubernetes-files
+    dest: /tmp/stolon/kubernetes-files
+    mode: '0644'
+
+- name: Aplicar os YAMLs com kubectl
+  command: kubectl apply -f /tmp/k8s_yamls/