feat: Configuration stockage local et token K3S partagé

- Passage stockage local-nvme pour acemagician et elitedesk (40G) - Token K3S partagé via cloud-init pour cluster HA - Configuration FluxCD avec GitRepository Forgejo - Déploiement Hello World via FluxCD - Manifestes Kubernetes pour application demo
2025-12-09 11:55:19 +01:00 · 2025-12-09 11:55:19 +01:00 · 3b5f1fc2d2
commit 3b5f1fc2d2
parent a818aab4be
17 changed files with 193 additions and 84 deletions
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@ -1,44 +1,32 @@
 ---
-# Global variables for all nodes
-
-# K3s Configuration
 k3s_version: "v1.28.5+k3s1"
 k3s_install_url: "https://get.k3s.io"

-# K3s Server Configuration
 k3s_server_1_ip: "10.100.20.10"
 k3s_server_2_ip: "10.100.20.20"
 k3s_witness_ip: "10.100.20.30"

-# K3s token (shared between servers)
-# In production, this should be stored in a vault
 k3s_token_file: "/etc/rancher/k3s/token"

-# Network Configuration
 pod_cidr: "10.42.0.0/16"
 service_cidr: "10.43.0.0/16"
 cluster_dns: "10.43.0.10"

-# System Configuration
 timezone: "Europe/Paris"
 swap_enabled: false

-# Unattended Upgrades Configuration
 unattended_upgrades_enabled: true
 unattended_upgrades_automatic_reboot: true
 unattended_upgrades_automatic_reboot_with_users: false

-# Reboot schedule (staggered to maintain availability)
 reboot_schedule:
  k3s-server-1: "02:00"
  k3s-server-2: "04:00"
  etcd-witness: "06:00"

-# FluxCD Configuration
 flux_version: "v2.2.0"
 flux_namespace: "flux-system"

-# System packages to install on all nodes
 common_packages:
  - curl
  - wget
@ -52,7 +40,6 @@ common_packages:
  - python3
  - python3-pip

-# Kernel parameters for K3s
 sysctl_config:
  net.bridge.bridge-nf-call-iptables: 1
  net.bridge.bridge-nf-call-ip6tables: 1
--- a/ansible/roles/etcd-witness/tasks/main.yml
+++ b/ansible/roles/etcd-witness/tasks/main.yml
@ -1,19 +1,19 @@
 ---
-# etcd witness node configuration
-# This node participates in etcd quorum but does not run K8s workloads
-
 - name: Check if K3s is already installed
  stat:
    path: /usr/local/bin/k3s
  register: k3s_binary

- name: Get K3s token from first server
+- name: Load K3s token from environment
  set_fact:
-    k3s_token: >-
-      {{
-        lookup('file', k3s_token_file, errors='ignore')
-        | default('PLACEHOLDER')
-      }}
+    k3s_token: "{{ lookup('env', 'K3S_TOKEN') }}"
+
+- name: Wait for first server API
+  wait_for:
+    host: "{{ k3s_server_1_ip }}"
+    port: 6443
+    delay: 60
+    timeout: 900

 - name: Install K3s as server (witness mode)
  shell: >
--- a/ansible/roles/k3s-server/files/k3s-pre-reboot.sh
+++ b/ansible/roles/k3s-server/files/k3s-pre-reboot.sh
@ -1,19 +1,13 @@
 #!/bin/bash
-# K3s pre-reboot script
-# Drains the node before system reboot to migrate workloads gracefully
-
 set -e

-# Only run if k3s is active
 if systemctl is-active --quiet k3s; then
  NODE_NAME=$(hostname)

  echo "$(date): Starting pre-reboot drain for node $NODE_NAME" | logger -t k3s-pre-reboot

-  # Set KUBECONFIG
  export KUBECONFIG=/etc/rancher/k3s/k3s.yaml

-  # Drain the node (migrate pods to other nodes)
  /usr/local/bin/k3s kubectl drain "$NODE_NAME" \
    --ignore-daemonsets \
    --delete-emptydir-data \
--- a/ansible/roles/k3s-server/tasks/flux.yml
+++ b/ansible/roles/k3s-server/tasks/flux.yml
@ -1,6 +1,4 @@
 ---
-# Install and configure FluxCD
-
 - name: Check if flux is already installed
  command: k3s kubectl get namespace {{ flux_namespace }}
  register: flux_installed
@ -44,9 +42,73 @@
  changed_when: false
  when: flux_installed.rc != 0

+- name: Load Forgejo token from environment
+  set_fact:
+    forgejo_token: "{{ lookup('env', 'FORGEJO_TOKEN') }}"
+    forgejo_repo_url: "{{ lookup('env', 'REPO_URL') }}"
+
+- name: Create Forgejo secret for FluxCD
+  shell: |
+    export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
+    k3s kubectl create secret generic forgejo-auth \
+      --namespace={{ flux_namespace }} \
+      --from-literal=username=git \
+      --from-literal=password={{ forgejo_token }} \
+      --dry-run=client -o yaml | k3s kubectl apply -f -
+  when: flux_installed.rc != 0
+
+- name: Create GitRepository manifest
+  copy:
+    dest: /tmp/gitrepository.yaml
+    content: |
+      apiVersion: source.toolkit.fluxcd.io/v1
+      kind: GitRepository
+      metadata:
+        name: infra
+        namespace: {{ flux_namespace }}
+      spec:
+        interval: 1m
+        url: {{ forgejo_repo_url }}
+        ref:
+          branch: main
+        secretRef:
+          name: forgejo-auth
+    mode: '0644'
+  when: flux_installed.rc != 0
+
+- name: Apply GitRepository
+  shell: |
+    export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
+    k3s kubectl apply -f /tmp/gitrepository.yaml
+  when: flux_installed.rc != 0
+
+- name: Create Kustomization manifest
+  copy:
+    dest: /tmp/kustomization.yaml
+    content: |
+      apiVersion: kustomize.toolkit.fluxcd.io/v1
+      kind: Kustomization
+      metadata:
+        name: apps
+        namespace: {{ flux_namespace }}
+      spec:
+        interval: 1m
+        sourceRef:
+          kind: GitRepository
+          name: infra
+        path: ./k8s
+        prune: true
+        wait: true
+    mode: '0644'
+  when: flux_installed.rc != 0
+
+- name: Apply Kustomization
+  shell: |
+    export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
+    k3s kubectl apply -f /tmp/kustomization.yaml
+  when: flux_installed.rc != 0
+
 - name: Display FluxCD installation status
  debug:
-    msg: >-
-      FluxCD installed successfully.
-      Configure GitRepository in kubernetes/flux-system/
+    msg: "FluxCD configured to sync from {{ forgejo_repo_url }}"
  when: flux_installed.rc != 0
--- a/ansible/roles/k3s-server/tasks/main.yml
+++ b/ansible/roles/k3s-server/tasks/main.yml
@ -1,6 +1,4 @@
 ---
-# K3s server installation and configuration
-
 - name: Check if K3s is already installed
  stat:
    path: /usr/local/bin/k3s
@ -17,10 +15,15 @@
  set_fact:
    is_first_server: "{{ ansible_default_ipv4.address == k3s_server_1_ip }}"

+- name: Load K3s token from environment
+  set_fact:
+    k3s_token: "{{ lookup('env', 'K3S_TOKEN') }}"
+
 - name: Install K3s on first server (cluster-init)
  shell: >
    curl -sfL {{ k3s_install_url }} |
    INSTALL_K3S_VERSION="{{ k3s_version }}"
+    K3S_TOKEN="{{ k3s_token }}"
    sh -s - server
      --cluster-init
      --tls-san {{ k3s_server_1_ip }}
@ -44,17 +47,13 @@
    timeout: 300
  when: is_first_server

- name: Get K3s token from first server
-  slurp:
-    src: /var/lib/rancher/k3s/server/node-token
-  register: k3s_token_encoded
-  when: is_first_server
-  run_once: true
-
- name: Save K3s token
-  set_fact:
-    k3s_token: "{{ k3s_token_encoded.content | b64decode | trim }}"
-  when: is_first_server
+- name: Wait for first server API (second server)
+  wait_for:
+    host: "{{ k3s_server_1_ip }}"
+    port: 6443
+    delay: 30
+    timeout: 600
+  when: not is_first_server

 - name: Install K3s on second server (join cluster)
  shell: >
@ -62,7 +61,7 @@
    INSTALL_K3S_VERSION="{{ k3s_version }}"
    sh -s - server
      --server https://{{ k3s_server_1_ip }}:6443
-      --token {{ k3s_token | default('PLACEHOLDER') }}
+      --token {{ k3s_token }}
      --tls-san {{ k3s_server_2_ip }}
      --write-kubeconfig-mode 644
      --disable traefik
--- a/ansible/site.yml
+++ b/ansible/site.yml
@ -1,14 +1,10 @@
 ---
-# Main playbook for K3s GitOps infrastructure
-# This playbook is executed by ansible-pull on each VM
-
 - name: Configure K3s Infrastructure
  hosts: localhost
  connection: local
  become: true

  vars:
-    # Read node role from file created by cloud-init
    node_role: >-
      {{
        lookup('file', '/etc/node-role', errors='ignore')
@ -34,14 +30,11 @@
        cache_valid_time: 3600

  roles:
-    # Common role applies to all nodes
    - role: common

-    # K3s server role (server + worker)
    - role: k3s-server
      when: node_role == 'server'

-    # etcd witness role (etcd only, no k8s workloads)
    - role: etcd-witness
      when: node_role == 'witness'