Ansible for rke2 install on Alpine contiainers

.gitignore

@@ -2,4 +2,6 @@
 *.tfstate.backup
 .terraform
 *.tfstate
-.env
+.env
+# Other shit
+.vscode

ansible.cfg

@@ -0,0 +1,3 @@
+[defaults]
+interpreter_python = /usr/bin/python3
+inventory = inventory.py

group_vars/all.yml

@@ -0,0 +1,2 @@
+
+timezone: Europe/Oslo

init-kube.sh

@@ -5,16 +5,18 @@ cat /etc/apk/repositories | grep https &> /dev/null
 if [ \$? -eq 0 ]; then
     echo 'http://dl-cdn.alpinelinux.org/alpine/v3.20/main' > /etc/apk/repositories
     echo 'http://dl-cdn.alpinelinux.org/alpine/v3.20/community' >> /etc/apk/repositories
+    echo 'http://dl-cdn.alpinelinux.org/alpine/edge/testing' >> /etc/apk/repositories
 fi
 export PATH=/sbin:\$PATH
 apk update
 apk upgrade
 openrc -s sshd status 2>&1 | grep 'does not exist' &> /dev/null
 if [ \$? -eq 0 ]; then
-    apk add openssh-server
-    openrc -s sshd start
+    apk add openssh-server python3 containerd tzdata cri-o crun
     rc-update add sshd
+    rc-update add crio
     echo 'Welcome to Alpine!' > /etc/motd
+    openrc -s sshd start
 fi
 EOF
 fi

inventory.py

@@ -0,0 +1,54 @@
+#!/usr/bin/env python3
+from json import dumps, loads
+from os import environ
+
+
+def get_tfstate(path = 'terraform.tfstate'):
+    with open(path, 'r') as f:
+        return loads(f.read())
+
+
+def gen_kube_inv(tf = get_tfstate()):
+    kube_ids = []
+    hosts = []
+    inv = {}
+
+    for res in tf.get('resources', []):
+        if res.get('type') != 'proxmox_virtual_environment_container':
+            continue
+
+        name = res.get('name', 'unknown').replace('-', '_')
+        if inv.get('name') == None:
+            inv[name] = {'hosts':[]}
+
+        for ins in res.get('instances', []):
+            attrs = ins.get('attributes', {})
+            host = (attrs
+                .get('initialization', [{}])[0]
+                .get('ip_config', [{}])[0]
+                .get('ipv4', [{}])[0]
+                .get('address', 'unknown')
+                .split('/')[0]
+            )
+            inv[name]['hosts'].append(host)
+            kube_ids.append(attrs['id'])
+            hosts.append(host)
+
+    inv['kubes'] = {'hosts': hosts}
+    return inv, kube_ids
+
+
+if __name__ == '__main__':
+    try:
+        inv, kube_ids = gen_kube_inv()
+    except KeyError as exc:
+        print('Malformed terraform.tfstate detected, try running terraform import')
+        raise exc
+
+    proxmox_endpoint = environ.get('TF_VAR_endpoint')
+    if proxmox_endpoint:
+        proxmox = proxmox_endpoint.split('/')[2].split(':')[0]
+        inv['_meta'] = {'hostvars': {proxmox: {'kube_ids': kube_ids}}}
+        inv['proxmox'] = {'hosts': [proxmox]}
+
+    print(dumps(inv, indent=2))

kubes-lxc.tf

@@ -45,6 +45,15 @@ resource "proxmox_virtual_environment_container" "kube-masters" {
   network_interface {
     name = "eth0"
   }
+  disk {
+    size = 12
+  }
+  cpu {
+    cores = 2
+  }
+  memory {
+    dedicated = 512
+  }
   startup {
     order = "1"
   }
@@ -79,6 +88,15 @@ resource "proxmox_virtual_environment_container" "kube-workers" {
   network_interface {
     name = "eth0"
   }
+  disk {
+    size = 12
+  }
+  cpu {
+    cores = 2
+  }
+  memory {
+    dedicated = 512
+  }
   startup {
     order = "3"
   }

roles/kube_prep/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Reboot server
+  ansible.builtin.reboot:
+    reboot_command: "{{ custom_reboot_command | default(omit) }}"
+  listen: reboot server

roles/kube_prep/tasks/main.yml

@@ -0,0 +1,39 @@
+---
+- name: Set timezone
+  community.general.timezone:
+    name: "{{ timezone }}"
+  when: timezone is defined
+
+- name: Enable IPv4 forwarding
+  ansible.posix.sysctl:
+    name: net.ipv4.ip_forward
+    value: "1"
+    state: present
+    reload: true
+
+- name: Add kmsg service
+  ansible.builtin.copy:
+    content: >
+      #!/sbin/openrc-run
+
+      start() {
+        if [ ! -e /dev/kmsg ]; then
+            ln -s /dev/console /dev/kmsg
+        fi
+        mount --make-rshared /
+      }
+    dest: /etc/init.d/kmsg
+    mode: "0755"
+
+- name: Enable and start kmsg service
+  ansible.builtin.service:
+    name: kmsg
+    enabled: true
+    state: started
+
+- name: Configure containerd socket path for rke2 crictl
+  ansible.builtin.lineinfile:
+    regexp: "^  address = \"/run/containerd/containerd.sock\"$"
+    line: "  address = \"/run/k3s/containerd/containerd.sock\""
+    dest: /etc/containerd/config.toml
+    mode: "0600"

roles/proxmox/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: Reboot LXC containers
+  ansible.builtin.command: pct reboot {{ item }}
+  loop: "{{ kube_ids }}"
+  changed_when: true
+  listen: reboot containers

roles/proxmox/tasks/main.yml

@@ -0,0 +1,32 @@
+---
+- name: Set apparmor profile unconfined
+  ansible.builtin.lineinfile:
+    dest: "/etc/pve/lxc/{{ item }}.conf"
+    regexp: ^lxc.apparmor.profile
+    line: "lxc.apparmor.profile: unconfined"
+  loop: "{{ kube_ids }}"
+  notify: reboot containers
+
+- name: Allow cgroup devices
+  ansible.builtin.lineinfile:
+    dest: "/etc/pve/lxc/{{ item }}.conf"
+    regexp: ^lxc.cgroup.devices.allow
+    line: "lxc.cgroup.devices.allow: a"
+  loop: "{{ kube_ids }}"
+  notify: reboot containers
+
+- name: Blank out lxc.cap.drop
+  ansible.builtin.lineinfile:
+    dest: "/etc/pve/lxc/{{ item }}.conf"
+    regexp: ^lxc.cap.drop
+    line: "lxc.cap.drop: "
+  loop: "{{ kube_ids }}"
+  notify: reboot containers
+
+- name: LXC auto mount proc and sys
+  ansible.builtin.lineinfile:
+    dest: "/etc/pve/lxc/{{ item }}.conf"
+    regexp: ^lxc.mount.auto
+    line: 'lxc.mount.auto: "proc:rw sys:rw"'
+  loop: "{{ kube_ids }}"
+  notify: reboot containers

roles/rke2/tasks/main.yml

@@ -0,0 +1,16 @@
+---
+- name: Fetch install script
+  ansible.builtin.get_url:
+    url: https://get.rke2.io
+    dest: /usr/local/bin/install-rke2.sh
+    mode: 755
+
+- name: Run install script
+  ansible.builtin.raw: INSTALL_RKE2_SKIP_RELOAD=1 install-rke2.sh
+  register: install_rke2
+  changed_when: install_rke2.rc == 0
+
+- name: Remove install script
+  ansible.builtin.file:
+    path: /usr/local/bin/install-rke2.sh
+    state: absent

site.yml

@@ -0,0 +1,16 @@
+---
+- name: Prep Proxmox cluster
+  hosts: proxmox
+  become: true
+  roles:
+    - role: proxmox
+
+- name: Prep LXC containers
+  hosts: kubes
+  roles:
+    - role: kube_prep
+
+- name: Install rke2
+  hosts: kubes
+  roles:
+    - role: rke2