hetzner-cluster/playbooks/install_k8s.yml

# - name: Configure compute for the cluster.
#   hosts: servers
#   gather_facts: false
#   vars:
#     kubernetes_version: v1.30
#   tasks:
#     - name: Download Kubernetes key.
#       ansible.builtin.apt_key:
#         url: https://pkgs.k8s.io/core:/stable:/{{ kubernetes_version }}/deb/Release.key
#         state: present

#     - name: Download Kubernetes repository.
#       ansible.builtin.apt_repository:
#         repo: "deb https://pkgs.k8s.io/core:/stable:/{{ kubernetes_version }}/deb/ /"
#         state: present

#     - name: Download CRI-O key.
#       ansible.builtin.apt_key:
#         url: https://pkgs.k8s.io/addons:/cri-o:/prerelease:/main/deb/Release.key
#         state: present

#     - name: Download CRI-O repository.
#       ansible.builtin.apt_repository:
#         repo: "deb https://pkgs.k8s.io/addons:/cri-o:/prerelease:/main/deb/ /"
#         state: present

#     - name: Download Helm key.
#       ansible.builtin.apt_key:
#         url: https://packages.buildkite.com/helm-linux/helm-debian/gpgkey
#         state: present

#     - name: Download Helm repository.
#       ansible.builtin.apt_repository:
#         repo: "deb https://packages.buildkite.com/helm-linux/helm-debian/any/ any main"
#         state: present

#     - name: Install packages.
#       ansible.builtin.apt:
#         state: present
#         update_cache: true
#         name: [cri-o, kubelet, kubeadm, kubectl, python3-pip, helm]

#     - name: Install Kubernetes Python packages.
#       ansible.builtin.pip:
#         name: [kubernetes, pyyaml]
#         state: present
#         break_system_packages: true

#     - name: Enable IPv4 forwarding.
#       ansible.posix.sysctl:
#         name: net.ipv4.ip_forward
#         value: '1'
#         sysctl_set: true
#       notify: Reboot the nodes.

#     - name: Enable `br_netfilter` module.
#       community.general.modprobe:
#         name: br_netfilter
#         state: present
#       notify: Reboot the nodes.

#   handlers:
#     - name: Reboot the nodes.
#       ansible.builtin.reboot:

# - name: Spawn new cluster on control node.
#   hosts: control
#   gather_facts: false
#   vars:
#     config_template: ../templates/InitConfiguration.yml.jinja2
#     config:
#       bootstrap_token: "{{ secrets.bootstrap_token }}"
#       node_ip: 10.0.2.11
#       node_name: control
#   vars_files:
#     - ../vault.yml
#   tasks:
#     - name: Test for cluster.
#       kubernetes.core.k8s_cluster_info:
#       register: api_status
#       ignore_errors: true

#     - name: Copy configuration over.
#       ansible.builtin.template:
#         src: "{{ config_template }}"
#         dest: InitConfiguration.yml
#         mode: preserve
#       when: "api_status.failed"

#     - name: Initialize cluster.
#       ansible.builtin.command:
#         kubeadm init --config InitConfiguration.yml
#       changed_when: true
#       when: "api_status.failed"

#     - name: Apply the Kubernetes config to the shell.
#       ansible.builtin.lineinfile:
#         path: /etc/environment
#         line: 'KUBECONFIG=/etc/kubernetes/admin.conf'
#       when: "api_status.failed"

# - name: Join worker nodes to cluster.
#   hosts: [node-a, node-b]
#   vars:
#     join_template: ../templates/JoinConfiguration.yml.jinja2
#     join_control_ip: 10.0.2.11
#     join_bootstrap_token: "{{ secrets.bootstrap_token }}"
#   vars_files:
#     - ../vault.yml
#   tasks:
#     - name: Copy join configuration over.
#       vars:
#         join_worker_ip: "{{ ansible_default_ipv4.address }}"
#         join_worker_name: "{{ ansible_hostname }}"
#       ansible.builtin.template:
#         src: "{{ join_template }}"
#         dest: JoinConfiguration.yml
#         mode: preserve

#     - name: Join the nodes.
#       ansible.builtin.command:
#         kubeadm join --config JoinConfiguration.yml
#       changed_when: true

- name: Install CNI.
  gather_facts: false
  hosts: control
  tasks:
    - name: Create Flannel namespace.
      kubernetes.core.k8s:
        state: present
        kind: Namespace
        name: kube-flannel

    - name: Add privilege to the namespace.
      kubernetes.core.k8s:
        state: patched
        kind: Namespace
        name: kube-flannel
        definition:
          metadata:
            labels:
              pod-security.kubernetes.io/enforce: privileged

    - name: Add Flannel repository.
      kubernetes.core.helm_repository:
        name: flannel
        url: https://flannel-io.github.io/flannel/
        state: present

    - name: Install Flannel.
      kubernetes.core.helm:
        name: flannel
        chart_ref: flannel/flannel
        namespace: kube-flannel
        values:
          podCidr: 10.244.0.0/16
        state: present

    - name: >
        Patch CoreDNS deployment so it still runs, even though the nodes don't
        have a external provider yet installed.
      kubernetes.core.k8s:
        name: coredns
        namespace: kube-system
        kind: Deployment
        state: present
        definition:
          - op: add
            path: /spec/template/spec/tolerations/-
            value:
              key: node.cloudprovider.kubernetes.io/uninitialized
              value: "true"
              effect: NoSchedule

- name: Install Hetzner Cloud Controller.
  gather_facts: false
  hosts: control
  vars_files:
    - ../vault.yml
    - ../secrets/tf_outputs.yml
  tasks:
    - name: Create `hcloud` secret.
      kubernetes.core.k8s:
        name: hcloud
        namespace: kube-system
        kind: Secret
        state: present
        definition:
          apiVersion: v1
          kind: Secret
          metadata:
            name: hcloud
            namespace: kube-system
          type: Opaque
          data:
            token: "{{ secrets.hcloud_token }}"
            network: "{{ private_network_id.value }}"