Generate and apply Talso configs

2023-08-29 00:17:21 +02:00 · 2023-08-29 00:17:21 +02:00 · 09c9ff41c2
parent 647ed922b8
commit 09c9ff41c2
10 changed files with 162 additions and 4 deletions
--- a/playbook.yml
+++ b/playbook.yml
@ -6,4 +6,6 @@
  hosts:
    - talos
  roles:
+    - role: talos_configs
    - role: machine_status
+    - role: talos_apply
--- a/roles/machine_status/tasks/main.yml
+++ b/roles/machine_status/tasks/main.yml
@ -4,14 +4,22 @@
  delegate_to: localhost
  become: false
  ansible.builtin.command:
-    cmd: "talosctl  get  machinestatus  --endpoints '{{ ansible_remote }}'  --nodes '{{ ansible_remote }}' --insecure  --output json"
-  register: _machine_status_output
+    cmd: "talosctl  get  machinestatus  --endpoints '{{ ansible_remote }}'  --nodes '{{ ansible_remote }}'  --output json"
+  register: _machine_status_cmd
+  failed_when: _machine_status_cmd.rc not in [0, 1]

+- name: Get machine status - insecure
+  when: "_machine_status_cmd.rc == 1"
+  delegate_to: localhost
+  become: false
+  ansible.builtin.command:
+    cmd: "talosctl  get  machinestatus  --endpoints '{{ ansible_remote }}'  --nodes '{{ ansible_remote }}'  --insecure  --output json"
+  register: _machine_status_cmd_insec

 - name: Parse machine status
  ansible.builtin.set_fact:
-    _machine_status: "{{ _machine_status_output.stdout | from_json }}"
+    talos_machine_status: "{{ _machine_status_cmd_insec.stdout | default(_machine_status_cmd.stdout) | from_json }}"

 - name: Show machine status
  ansible.builtin.debug:
-    var: _machine_status
+    var: talos_machine_status
--- a/roles/talos_configs/defaults/main.yaml
+++ b/roles/talos_configs/defaults/main.yaml
@ -0,0 +1,12 @@
+kubernetes_version: v1.26.7
+talos_version: v1.5.1
+ansible_root_dir: "{{ inventory_dir | ansible.builtin.dirname }}"
+ansible_vault_password_file: "{{ ansible_root_dir }}/.ansible/vault_pass"
+talos_generic_config_dir: "{{ ansible_root_dir }}/configs/talos"
+talos_cluster_config_dir: "{{ ansible_root_dir }}/configs/{{ cluster_name }}"
+talos_cluster_secrets_file: "{{ talos_cluster_config_dir }}/talos-secrets.yaml"
+talos_control_lb_hostname: "control.{{ cluster_name }}"
+talos_node_config_file: "{{ talos_cluster_config_dir }}/talos-{{ inventory_hostname }}.yaml"
+talosconfig: "{{ talos_cluster_config_dir }}/talosconfig.yaml"
+kubeconfig: "{{ talos_cluster_config_dir }}/kubeconfig.yaml"
+talos_image_version: v1.4.7
--- a/roles/talos_configs/handlers/main.yml
+++ b/roles/talos_configs/handlers/main.yml
@ -0,0 +1,30 @@
+---
+
+- name: Encrypt secrets
+  delegate_to: localhost
+  become: no
+  run_once: yes
+  ansible.builtin.command:
+    cmd: >-
+      ansible-vault  encrypt
+        --vault-password-file '{{ ansible_vault_password_file }}'
+        --output '{{ talos_cluster_secrets_file }}.enc'
+        '{{ talos_cluster_secrets_file }}'"
+
+- name: Update talosconfig - endpoints
+  listen: Update talosconfig
+  delegate_to: localhost
+  become: no
+  run_once: yes
+  ansible.builtin.command:
+    cmd: >-
+      talosctl  config  endpoints  '{{ talos_control_lb_hostname }}'
+
+- name: Update talosconfig - nodes
+  listen: Update talosconfig
+  delegate_to: localhost
+  become: no
+  run_once: yes
+  ansible.builtin.command:
+    cmd: >-
+      talosctl  config  nodes  '{{ talos_control_lb_hostname }}'
--- a/roles/talos_configs/tasks/apply_node_config.yml
+++ b/roles/talos_configs/tasks/apply_node_config.yml
@ -0,0 +1,12 @@
+---
+
+- name: Apply Talos node config
+  delegate_to: localhost
+  become: no
+  ansible.builtin.command:
+    cmd: >-
+      talosctl  apply-config
+        --file '{{ talos_node_config_file }}'
+        --nodes '{{ ansible_remote }}'
+        --endpoints '{{ ansible_remote }}'
+        {% if talos_machine_status.spec.stage == 'maintenance' %} --insecure{% endif %}
--- a/roles/talos_configs/tasks/create_control_configs.yml
+++ b/roles/talos_configs/tasks/create_control_configs.yml
@ -0,0 +1,21 @@
+---
+
+- name: Create Talos control node config
+  delegate_to: localhost
+  become: no
+  ansible.builtin.command:
+    cmd: >-
+      talosctl  gen  config  '{{ cluster_name }}'  'https://{{ talos_control_lb_hostname }}:6443'
+        --output-types controlplane
+        --output '{{ talos_node_config_file }}'
+        --with-secrets '{{ talos_cluster_secrets_file }}'
+        --config-patch @'{{ talos_generic_config_dir }}/talos-patch.yaml'
+        --config-patch-control-plane @'{{ talos_generic_config_dir }}/talos-patch-control.yaml'
+        --config-patch='[{"op": "replace", "path": "/machine/network/hostname", "value": "{{ inventory_hostname }}"}]'
+        --talos-version '{{ talos_image_version }}'
+        --kubernetes-version '{{ kubernetes_version }}'
+        --additional-sans '{{ talos_control_lb_hostname }}'
+        --force
+    creates: "{{ talos_node_config_file }}"
+
+
--- a/roles/talos_configs/tasks/create_secrets.yml
+++ b/roles/talos_configs/tasks/create_secrets.yml
@ -0,0 +1,12 @@
+---
+
+- name: Create secrets file for Talos
+  delegate_to: localhost
+  become: no
+  run_once: yes
+  ansible.builtin.command:
+    cmd: >-
+      talosctl  gen  secrets
+        --output-file '{{ talos_cluster_secrets_file }}'
+    creates: "{{ talos_cluster_secrets_file }}"
+  notify: Encrypt secrets
--- a/roles/talos_configs/tasks/create_talosconfig.yml
+++ b/roles/talos_configs/tasks/create_talosconfig.yml
@ -0,0 +1,15 @@
+---
+
+- name: Create talosctl config
+  delegate_to: localhost
+  become: no
+  run_once: yes
+  ansible.builtin.command:
+    cmd: >-
+      talosctl  gen  config  '{{ cluster_name }}'  'https://{{ talos_control_lb_hostname }}:6443'
+        --output-types talosconfig
+        --output '{{ talosconfig }}'
+        --with-secrets '{{ talos_cluster_secrets_file }}'
+        --force
+    creates: "{{ talosconfig }}"
+  notify: Update talosconfig
--- a/roles/talos_configs/tasks/create_worker_configs.yml
+++ b/roles/talos_configs/tasks/create_worker_configs.yml
@ -0,0 +1,21 @@
+---
+
+- name: Create Talos worker node config
+  delegate_to: localhost
+  become: no
+  ansible.builtin.command:
+    cmd: >-
+      talosctl  gen  config  '{{ cluster_name }}'  'https://{{ talos_control_lb_hostname }}:6443'
+        --output-types worker
+        --output '{{ talos_node_config_file }}'
+        --with-secrets '{{ talos_cluster_secrets_file }}'
+        --config-patch @'{{ talos_generic_config_dir }}/talos-patch.yaml'
+        --config-patch-worker @'{{ talos_generic_config_dir }}/talos-patch-worker.yaml'
+        --config-patch='[{"op": "replace", "path": "/machine/network/hostname", "value": "{{ inventory_hostname }}"}]'
+        --talos-version '{{ talos_image_version }}'
+        --kubernetes-version '{{ kubernetes_version }}'
+        --additional-sans '{{ talos_control_lb_hostname }}'
+        --force
+    creates: "{{ talos_node_config_file }}"
+
+
--- a/roles/talos_configs/tasks/main.yml
+++ b/roles/talos_configs/tasks/main.yml
@ -0,0 +1,25 @@
+---
+- name: Directory for configs
+  delegate_to: localhost
+  become: false
+  ansible.builtin.file:
+    path: "{{ talos_cluster_config_dir }}"
+    state: directory
+    mode: u=rwX,go=
+
+- name: Import create_secrets tasks
+  ansible.builtin.import_tasks: create_secrets.yml
+
+- name: Import create_talosconfig tasks
+  ansible.builtin.import_tasks: create_talosconfig.yml
+
+- name: Import create_control_configs tasks
+  when: "'talos_control_nodes' in group_names"
+  ansible.builtin.import_tasks: create_control_configs.yml
+
+- name: Import create_worker_configs tasks
+  when: "'talos_worker_nodes' in group_names"
+  ansible.builtin.import_tasks: create_worker_configs.yml
+
+- name: Import apply_node_config tasks
+  ansible.builtin.import_tasks: ../../talos_configs/tasks/apply_node_config.yml