Add kubeadm example (#4)

* Add kubeadm example

* Fix dns

---------

Co-authored-by: Fedor Batonogov <f.batonogov@yandex.ru>

ansible/roles/haproxy_static_pods/files/check_apiserver.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+errorExit() {
+    echo "*** $*" 1>&2
+    exit 1
+}
+
+curl --silent --max-time 2 --insecure https://localhost:7443/ -o /dev/null || errorExit "Error GET https://localhost:7443/"
+if ip addr | grep -q 10.0.70.85; then
+    curl --silent --max-time 2 --insecure https://10.0.70.85:7443/ -o /dev/null || errorExit "Error GET https://10.0.70.85:7443/"
+fi

ansible/roles/haproxy_static_pods/files/haproxy.cfg

@@ -0,0 +1,52 @@
+# /etc/haproxy/haproxy.cfg
+#---------------------------------------------------------------------
+# Global settings
+#---------------------------------------------------------------------
+global
+    log /dev/log local0
+    log /dev/log local1 notice
+    daemon
+
+#---------------------------------------------------------------------
+# common defaults that all the 'listen' and 'backend' sections will
+# use if not designated in their block
+#---------------------------------------------------------------------
+defaults
+    mode                    http
+    log                     global
+    option                  httplog
+    option                  dontlognull
+    option http-server-close
+    option forwardfor       except 127.0.0.0/8
+    option                  redispatch
+    retries                 1
+    timeout http-request    10s
+    timeout queue           20s
+    timeout connect         5s
+    timeout client          20s
+    timeout server          20s
+    timeout http-keep-alive 10s
+    timeout check           10s
+
+#---------------------------------------------------------------------
+# apiserver frontend which proxys to the control plane nodes
+#---------------------------------------------------------------------
+frontend apiserver
+    bind *:7443
+    mode tcp
+    option tcplog
+    default_backend apiserverbackend
+
+#---------------------------------------------------------------------
+# round robin balancing for apiserver
+#---------------------------------------------------------------------
+backend apiserverbackend
+    option httpchk GET /healthz
+    http-check expect status 200
+    mode tcp
+    option ssl-hello-chk
+    balance     roundrobin
+        server 10.0.70.70 10.0.70.70:6443 check
+        server 10.0.70.78 10.0.70.78:6443 check
+        server 10.0.70.79 10.0.70.79:6443 check
+        # [...]

ansible/roles/haproxy_static_pods/files/haproxy.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: haproxy
+  namespace: kube-system
+spec:
+  containers:
+  - image: haproxy:2.9.7
+    name: haproxy
+    livenessProbe:
+      failureThreshold: 8
+      httpGet:
+        host: localhost
+        path: /healthz
+        port: 7443
+        scheme: HTTPS
+    volumeMounts:
+    - mountPath: /usr/local/etc/haproxy/haproxy.cfg
+      name: haproxyconf
+      readOnly: true
+  hostNetwork: true
+  volumes:
+  - hostPath:
+      path: /etc/haproxy/haproxy.cfg
+      type: FileOrCreate
+    name: haproxyconf
+status: {}

ansible/roles/haproxy_static_pods/files/keepalived.yaml

@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  creationTimestamp: null
+  name: keepalived
+  namespace: kube-system
+spec:
+  containers:
+  - image: osixia/keepalived:2.0.20
+    name: keepalived
+    resources: {}
+    securityContext:
+      capabilities:
+        add:
+        - NET_ADMIN
+        - NET_BROADCAST
+        - NET_RAW
+    volumeMounts:
+    - mountPath: /usr/local/etc/keepalived/keepalived.conf
+      name: config
+    - mountPath: /etc/keepalived/check_apiserver.sh
+      name: check
+  hostNetwork: true
+  volumes:
+  - hostPath:
+      path: /etc/keepalived/keepalived.conf
+    name: config
+  - hostPath:
+      path: /etc/keepalived/check_apiserver.sh
+    name: check
+status: {}

ansible/roles/haproxy_static_pods/tasks/main.yml

@@ -0,0 +1,40 @@
+# tasks file for haproxy_static_pods
+- name: Создать директории /etc/kubernetes/manifests и /etc/keepalived
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: directory
+    mode: '755'
+  with_items:
+    - /etc/kubernetes/manifests
+    - /etc/keepalived
+    - /etc/haproxy
+
+- name: Наливаю конфигурацию keepalived
+  ansible.builtin.template:
+    src: keepalived.conf.j2
+    dest: /etc/keepalived/keepalived.conf
+    mode: "644"
+
+- name: Наливаю check_apiserver.sh
+  ansible.builtin.copy:
+    src: check_apiserver.sh
+    dest: /etc/keepalived/check_apiserver.sh
+    mode: '644'
+
+- name: Наливаю haproxy.cfg
+  ansible.builtin.copy:
+    src: haproxy.cfg
+    dest: /etc/haproxy/haproxy.cfg
+    mode: '644'
+
+- name: Наливаю keepalived static pods manifest
+  ansible.builtin.copy:
+    src: keepalived.yaml
+    dest: /etc/kubernetes/manifests/keepalived.yaml
+    mode: '644'
+
+- name: Наливаю haproxy static pods manifest
+  ansible.builtin.copy:
+    src: haproxy.yaml
+    dest: /etc/kubernetes/manifests/haproxy.yaml
+    mode: '644'

ansible/roles/haproxy_static_pods/templates/keepalived.conf.j2

@@ -0,0 +1,29 @@
+! /etc/keepalived/keepalived.conf
+! Configuration File for keepalived
+global_defs {
+    router_id LVS_DEVEL
+}
+vrrp_script check_apiserver {
+  script "/etc/keepalived/check_apiserver.sh"
+  interval 3
+  weight -2
+  fall 10
+  rise 2
+}
+
+vrrp_instance VI_1 {
+    state MASTER
+    interface eth0
+    virtual_router_id 51
+    priority 101
+    authentication {
+        auth_type PASS
+        auth_pass {{ lookup('password', 'secrets/kubeadm/keepalived/auth_pass length=64') }}
+    }
+    virtual_ipaddress {
+        10.0.70.85/24
+    }
+    track_script {
+        check_apiserver
+    }
+}