From 380ddb892093f6adc7d64c5a2e00eaa3ccb9a609 Mon Sep 17 00:00:00 2001
From: Max
Date: Wed, 31 Dec 2025 17:23:04 -0500
Subject: [PATCH] feat: up to final step
---
 playbooks/install_k8s.yml | 241 ++++++++++++++++++++------------------
 vault.yml | 70 +++++------
 2 files changed, 161 insertions(+), 150 deletions(-)
diff --git a/playbooks/install_k8s.yml b/playbooks/install_k8s.yml
index 07c256e..7218b75 100644
--- a/playbooks/install_k8s.yml
+++ b/playbooks/install_k8s.yml
@@ -1,126 +1,126 @@
-# - name: Configure compute for the cluster.
-# hosts: servers
-# gather_facts: false
-# vars:
-# kubernetes_version: v1.30
-# tasks:
-# - name: Download Kubernetes key.
-# ansible.builtin.apt_key:
-# url: https://pkgs.k8s.io/core:/stable:/{{ kubernetes_version }}/deb/Release.key
-# state: present
+- name: Configure compute for the cluster.
+ hosts: servers
+ gather_facts: false
+ vars:
+ kubernetes_version: v1.30
+ tasks:
+ - name: Download Kubernetes key.
+ ansible.builtin.apt_key:
+ url: https://pkgs.k8s.io/core:/stable:/{{ kubernetes_version }}/deb/Release.key
+ state: present
-# - name: Download Kubernetes repository.
-# ansible.builtin.apt_repository:
-# repo: "deb https://pkgs.k8s.io/core:/stable:/{{ kubernetes_version }}/deb/ /"
-# state: present
+ - name: Download Kubernetes repository.
+ ansible.builtin.apt_repository:
+ repo: "deb https://pkgs.k8s.io/core:/stable:/{{ kubernetes_version }}/deb/ /"
+ state: present
-# - name: Download CRI-O key.
-# ansible.builtin.apt_key:
-# url: https://pkgs.k8s.io/addons:/cri-o:/prerelease:/main/deb/Release.key
-# state: present
+ - name: Download CRI-O key.
+ ansible.builtin.apt_key:
+ url: https://pkgs.k8s.io/addons:/cri-o:/prerelease:/main/deb/Release.key
+ state: present
-# - name: Download CRI-O repository.
-# ansible.builtin.apt_repository:
-# repo: "deb https://pkgs.k8s.io/addons:/cri-o:/prerelease:/main/deb/ /"
-# state: present
+ - name: Download CRI-O repository.
+ ansible.builtin.apt_repository:
+ repo: "deb https://pkgs.k8s.io/addons:/cri-o:/prerelease:/main/deb/ /"
+ state: present
-# - name: Download Helm key.
-# ansible.builtin.apt_key:
-# url: https://packages.buildkite.com/helm-linux/helm-debian/gpgkey
-# state: present
+ - name: Download Helm key.
+ ansible.builtin.apt_key:
+ url: https://packages.buildkite.com/helm-linux/helm-debian/gpgkey
+ state: present
-# - name: Download Helm repository.
-# ansible.builtin.apt_repository:
-# repo: "deb https://packages.buildkite.com/helm-linux/helm-debian/any/ any main"
-# state: present
+ - name: Download Helm repository.
+ ansible.builtin.apt_repository:
+ repo: "deb https://packages.buildkite.com/helm-linux/helm-debian/any/ any main"
+ state: present
-# - name: Install packages.
-# ansible.builtin.apt:
-# state: present
-# update_cache: true
-# name: [cri-o, kubelet, kubeadm, kubectl, python3-pip, helm]
+ - name: Install packages.
+ ansible.builtin.apt:
+ state: present
+ update_cache: true
+ name: [cri-o, kubelet, kubeadm, kubectl, python3-pip, helm]
-# - name: Install Kubernetes Python packages.
-# ansible.builtin.pip:
-# name: [kubernetes, pyyaml]
-# state: present
-# break_system_packages: true
+ - name: Install Kubernetes Python packages.
+ ansible.builtin.pip:
+ name: [kubernetes, pyyaml]
+ state: present
+ break_system_packages: true
-# - name: Enable IPv4 forwarding.
-# ansible.posix.sysctl:
-# name: net.ipv4.ip_forward
-# value: '1'
-# sysctl_set: true
-# notify: Reboot the nodes.
+ - name: Enable IPv4 forwarding.
+ ansible.posix.sysctl:
+ name: net.ipv4.ip_forward
+ value: '1'
+ sysctl_set: true
+ notify: Reboot the nodes.
-# - name: Enable `br_netfilter` module.
-# community.general.modprobe:
-# name: br_netfilter
-# state: present
-# notify: Reboot the nodes.
+ - name: Enable `br_netfilter` module.
+ community.general.modprobe:
+ name: br_netfilter
+ state: present
+ notify: Reboot the nodes.
-# handlers:
-# - name: Reboot the nodes.
-# ansible.builtin.reboot:
+ handlers:
+ - name: Reboot the nodes.
+ ansible.builtin.reboot:
-# - name: Spawn new cluster on control node.
-# hosts: control
-# gather_facts: false
-# vars:
-# config_template: ../templates/InitConfiguration.yml.jinja2
-# config:
-# bootstrap_token: "{{ secrets.bootstrap_token }}"
-# node_ip: 10.0.2.11
-# node_name: control
-# vars_files:
-# - ../vault.yml
-# tasks:
-# - name: Test for cluster.
-# kubernetes.core.k8s_cluster_info:
-# register: api_status
-# ignore_errors: true
+- name: Spawn new cluster on control node.
+ hosts: control
+ gather_facts: false
+ vars:
+ config_template: ../templates/InitConfiguration.yml.jinja2
+ config:
+ bootstrap_token: "{{ secrets.bootstrap_token }}"
+ node_ip: 10.0.2.11
+ node_name: control
+ vars_files:
+ - ../vault.yml
+ tasks:
+ - name: Test for cluster.
+ kubernetes.core.k8s_cluster_info:
+ register: api_status
+ ignore_errors: true
-# - name: Copy configuration over.
-# ansible.builtin.template:
-# src: "{{ config_template }}"
-# dest: InitConfiguration.yml
-# mode: preserve
-# when: "api_status.failed"
+ - name: Copy configuration over.
+ ansible.builtin.template:
+ src: "{{ config_template }}"
+ dest: InitConfiguration.yml
+ mode: preserve
+ when: "api_status.failed"
-# - name: Initialize cluster.
-# ansible.builtin.command:
-# kubeadm init --config InitConfiguration.yml
-# changed_when: true
-# when: "api_status.failed"
+ - name: Initialize cluster.
+ ansible.builtin.command:
+ kubeadm init --config InitConfiguration.yml
+ changed_when: true
+ when: "api_status.failed"
-# - name: Apply the Kubernetes config to the shell.
-# ansible.builtin.lineinfile:
-# path: /etc/environment
-# line: 'KUBECONFIG=/etc/kubernetes/admin.conf'
-# when: "api_status.failed"
+ - name: Apply the Kubernetes config to the shell.
+ ansible.builtin.lineinfile:
+ path: /etc/environment
+ line: 'KUBECONFIG=/etc/kubernetes/admin.conf'
+ when: "api_status.failed"
-# - name: Join worker nodes to cluster.
-# hosts: [node-a, node-b]
-# vars:
-# join_template: ../templates/JoinConfiguration.yml.jinja2
-# join_control_ip: 10.0.2.11
-# join_bootstrap_token: "{{ secrets.bootstrap_token }}"
-# vars_files:
-# - ../vault.yml
-# tasks:
-# - name: Copy join configuration over.
-# vars:
-# join_worker_ip: "{{ ansible_default_ipv4.address }}"
-# join_worker_name: "{{ ansible_hostname }}"
-# ansible.builtin.template:
-# src: "{{ join_template }}"
-# dest: JoinConfiguration.yml
-# mode: preserve
+- name: Join worker nodes to cluster.
+ hosts: [node-a, node-b]
+ vars:
+ join_template: ../templates/JoinConfiguration.yml.jinja2
+ join_control_ip: 10.0.2.11
+ join_bootstrap_token: "{{ secrets.bootstrap_token }}"
+ vars_files:
+ - ../vault.yml
+ tasks:
+ - name: Copy join configuration over.
+ vars:
+ join_worker_ip: "{{ ansible_default_ipv4.address }}"
+ join_worker_name: "{{ ansible_hostname }}"
+ ansible.builtin.template:
+ src: "{{ join_template }}"
+ dest: JoinConfiguration.yml
+ mode: preserve
-# - name: Join the nodes.
-# ansible.builtin.command:
-# kubeadm join --config JoinConfiguration.yml
-# changed_when: true
+ - name: Join the nodes.
+ ansible.builtin.command:
+ kubeadm join --config JoinConfiguration.yml
+ changed_when: true
 - name: Install CNI.
 gather_facts: false
@@ -157,15 +157,12 @@
 podCidr: 10.244.0.0/16
 state: present
- - name: >
- Patch CoreDNS deployment so it still runs, even though the nodes don't
- have a external provider yet installed.
- kubernetes.core.k8s:
+ - name: Patch CoreDNS deployment.
+ kubernetes.core.k8s_json_patch:
 name: coredns
 namespace: kube-system
 kind: Deployment
- state: present
- definition:
+ patch:
 - op: add
 path: /spec/template/spec/tolerations/-
 value:
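Review bot: `Join the nodes` runs `kubeadm join --config JoinConfiguration.yml` unconditionally with `changed_when: true`, whereas the control-node play guards `kubeadm init` behind `api_status.failed`, so a second run of the playbook re-executes `kubeadm join` on nodes that are already members; `creates: /etc/kubernetes/kubelet.conf` (the file kubeadm join writes) on that `ansible.builtin.command` task makes it idempotent. `Copy configuration over` and `Copy join configuration over` render `secrets.bootstrap_token` into `InitConfiguration.yml` / `JoinConfiguration.yml` at a relative `dest` with `mode: preserve`, and nothing removes those files afterwards, so the bootstrap token stays on disk on every node after the cluster is up; set `mode: "0600"` on both template tasks and add an `ansible.builtin.file` task with `state: absent` once the kubeadm command has run. The three `ansible.builtin.apt_key` tasks also place each upstream key in the shared apt trusted keyring, so any one of those keys can sign packages for all three repositories; a per-repository `signed-by` keyring would scope that. The `Install CNI.` play whose first lines close the hunk continues outside it.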
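Review bot: The new `kubernetes.core.k8s_json_patch` task with `op: add` on `/spec/template/spec/tolerations/-` appends a toleration on every run, because a JSON-patch `add` to `/-` does not check for an existing entry; the replaced `kubernetes.core.k8s` + `definition` form converged, while this one grows the tolerations list and triggers a CoreDNS rollout each time the play runs. Read the Deployment first with `kubernetes.core.k8s_info` and apply the patch only when the toleration is absent. The toleration's `value:` body lies outside the hunk, so `<TOLERATION_VALUE>` below is a placeholder for that mapping.
```yaml
- name: Read CoreDNS tolerations.
  kubernetes.core.k8s_info:
    kind: Deployment
    name: coredns
    namespace: kube-system
  register: coredns_deploy

- name: Patch CoreDNS deployment.
  kubernetes.core.k8s_json_patch:
    # … unchanged: name, namespace, kind and the patch list …
  when: >-
    <TOLERATION_VALUE> not in
    (coredns_deploy.resources[0].spec.template.spec.tolerations | default([]))
```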
@@ -194,5 +191,19 @@
 namespace: kube-system
 type: Opaque
 data:
- token: "{{ secrets.hcloud_token }}"
- network: "{{ private_network_id.value }}"
+ token: "{{ secrets.hcloud_token | b64encode }}"
+ network: "{{ private_network_id.value | b64encode }}"
+
+ - name: Add Cloud Controller repository.
+ kubernetes.core.helm_repository:
+ name: hcloud
+ url: https://charts.hetzner.cloud
+ state: present
+
+ - name: Install it.
+ kubernetes.core.helm:
+ name: hccm
+ chart_ref: hcloud/hcloud-cloud-controller-manager
+ namespace: kube-system
+ state: present
+ update_repo_cache: true
diff --git a/vault.yml b/vault.yml
index 4fca181..5dc1e9c 100644
--- a/vault.yml
+++ b/vault.yml
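Review bot: `Install it.` sets `chart_ref: hcloud/hcloud-cloud-controller-manager` with no `chart_version`, so each run deploys whatever the repository index currently serves for a control-plane component, and `update_repo_cache: true` makes that drift more likely rather than less; pin it with `chart_version: "<PINNED_CHART_VERSION>"` and bump deliberately. The Secret whose `data:` now base64-encodes `secrets.hcloud_token` and `private_network_id.value` is built inline in the task definition, so the token is echoed in `-v` and `--diff` output and in callback logs unless the task, whose head is outside the hunk, carries `no_log: true`. Using `stringData:` instead of `data:` would also let the API server do the encoding and drop the two `b64encode` filters. The task name `Install it.` says nothing in play output; `Install Hetzner cloud controller manager.` would.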
@@ -1,36 +1,36 @@ $ANSIBLE_VAULT;1.1;AES256 -65366334626132336336326139616239386137396633343835393031653436383330386334303638 -3033623632333764343365383538353364336536363636620a663431306631303030343766666663 -65343236393733356639613161613638363535636531353938343230666135373932393633633230 -3061323439383137300a326130386262376461643931333766323634386562343135363761656265 -37386430303238626265656539633730656665376333626537663432313632636235393033326231 -65616130396632623162636430306662633261383934313561306565643965666561323135366131 -32653938666339643461393665313339333239633866653038323338633031613666613438616537 -39356463363231613664383363656437623862396535626661653832396432363961306263623739 -32626234646435643466663432643734623164383637383561306132313437363665353264353561 -63333836376463383765666235336531346635626130656564376337323932353532336663646364 -36393661303065393566376338366662393662333032353533626161353035643136333139653538 -38343065373364323437356636653733356566373238646661313765393131313332663339336232 -32313530646530666634353961656565373562643031623738393362386166373539333239373062 -38386261623330643636306537326364393335633333323933663735646130333639306331323361 -38366131323636656235616361633734346438343238613463323330396662626165313336323437 -34616239666132653730643465326562346538636138363739633731633439653239666131393565 -63616531373533313263613032393661616433326661326461313834653531336637616539633530 -35303561346632366339613632643164363432303366383831363431613932356630343165343365 -62333438396263656130383934333531643665616637303665323264636238666134626332343836 -32366361646162393662343330613334646462613762313766663264613734633732316439393333 -37653732616138656131363039396465633531353434613461356166636633353637373534323262 -63323966656631376464373261656235396265393564663333656534613766663764653636353631 -32336536616561346661376164343066366335656637333466343533653430633636343131376534 
-33303631393638376530666131383463353934663562386366353330363836363132613537383332 -65333330623130333334383639306166663962636233613534393662623733306433363665303130 -63383432363761356562343437386133343262643233343663363036663136326566326636626530 -33343764303932333366376132366265376462646332326662336361623464353362643533326233 -32383837356234323665623364643463353066366366616662343432663466343631613930333131 -38656665323664656436303961316462656139386138383165346331613863326133393631333132 -39323861666433313364346461666132343834376562646531626438383832663364316461303165 -37616666626234346261366663323239343734623963643730666233643864623234373765653737 -38646630636261343839616237393066333564323437633230653261396539313634303263333437 -61303066373164366333383238303961376138383836633961386566663964366337643435323433 -34326261333564316534383564363166616430323666396634303265613364643862653637386532 -386331383338343638343537316236366131 +66346130316130363833656139333733306135303061323864643937636639326333316235303262 +3236323131623963633431333334663933653665376635360a383561366230666365323732383032 +32643731613032616362313561633337336266633161326636366363346638613638643830316438 +6130653230323362330a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