{"id":20656366,"url":"https://github.com/flaconi/ansible-role-kops","last_synced_at":"2025-04-19T12:22:37.387Z","repository":{"id":38307697,"uuid":"133057520","full_name":"Flaconi/ansible-role-kops","owner":"Flaconi","description":"Ansible role to render and execute Kops cluster templates","archived":false,"fork":false,"pushed_at":"2022-12-13T14:05:33.000Z","size":220,"stargazers_count":11,"open_issues_count":0,"forks_count":6,"subscribers_count":22,"default_branch":"master","last_synced_at":"2023-03-01T19:23:35.399Z","etag":null,"topics":["ansible","ansible-role","aws","cluster","kops","kubernetes","role"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Flaconi.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null}},"created_at":"2018-05-11T15:33:21.000Z","updated_at":"2022-03-17T10:43:00.000Z","dependencies_parsed_at":"2023-01-28T12:47:01.888Z","dependency_job_id":null,"html_url":"https://github.com/Flaconi/ansible-role-kops","commit_stats":null,"previous_names":[],"tags_count":null,"template":null,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flaconi%2Fansible-role-kops","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flaconi%2Fansible-role-kops/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flaconi%2Fansible-role-kops/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flaconi%2Fansible-role-kops/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Flaconi","download_url":"https://codeload.github.com/Fla
coni/ansible-role-kops/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224951615,"owners_count":17397425,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","ansible-role","aws","cluster","kops","kubernetes","role"],"created_at":"2024-11-16T18:14:57.204Z","updated_at":"2024-11-16T18:14:57.771Z","avatar_url":"https://github.com/Flaconi.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Kops\n\nThis Ansible role handles the generation of Kops configuration files and optionally also\nupdates the kops state store and creates or updates the cluster.\n\nFull dry-run is supported.\n\n**Note:** By default only configuration files are created; actual state store or cluster actions\nmust be explicitly requested via the `kops_update` variable.\n\n[![CI build](https://github.com/Flaconi/ansible-role-kops/actions/workflows/ci.yaml/badge.svg)](https://github.com/Flaconi/ansible-role-kops/actions/workflows/ci.yaml)\n[![Version](https://img.shields.io/github/tag/Flaconi/ansible-role-kops.svg)](https://github.com/Flaconi/ansible-role-kops/tags)\n[![Ansible Galaxy](https://img.shields.io/ansible/role/d/25923.svg)](https://galaxy.ansible.com/Flaconi/kops/)\n\n## Role tagging\n\nThis Ansible role is tagged according to the latest compatible (and tested by us) version of [kops](https://github.com/kubernetes/kops/blob/master/docs/install.md) used.\n\n\n## Requirements\n\n* Ansible 2.9\n* Python lib: [PyYAML](https://github.com/yaml/pyyaml)\n* Binary: 
[kops](https://github.com/kubernetes/kops/blob/master/docs/install.md) 1.22+\n\n## Run-time variables\n\nBy default this role only generates the kops configuration files and the shell scripts\nto deploy each defined cluster. You can also let Ansible run kops itself, in one of the\nstages defined below:\n\n| Variable            | Default   | Choices                 |\n|---------------------|-----------|-------------------------|\n| `kops_update`       | undefined | `state`, `update`, `all` |\n| `kops_cluster_name` | undefined | If the `kops_cluster` list contains more than one cluster definition, you can limit the roll-out to this specific cluster from the list (defined by `kops_cluster[].name`). |\n\n**Note:** As this role is fully dry-run capable, you should use it in the following order for\nproductionized stacks:\n\n1. Dry run to see state store differences\n2. Run state store update\n3. Dry run to see cluster update differences\n4. Run cluster update\n\n#### Update the state store\n\nIn order to update Kops' state store in S3, you need to add the following variable to your Ansible\ncommand:\n```\n-e kops_update=state\n```\n\n#### Update the cluster\n\nIn order to apply all settings from the state store to the cluster, you need to add the following\nvariable to your Ansible command:\n```\n-e kops_update=update\n```\n\n#### Update the state store and the cluster afterwards\n\nIn order to both apply state store updates in S3 and then update the cluster accordingly, you need\nto add the following variable to your Ansible command:\n```\n-e kops_update=all\n```\n\n#### Limit update to a specific cluster\n\nIn case your `kops_cluster` list contains multiple items, you can limit the whole roll-out/dry-run\nto a specific cluster defined by its name:\n```\n-e kops_cluster_name=playground-cluster-shop.k8s.local\n```\n\n\n## Additional variables\n\nAdditional variables that can be used (either as `host_vars`/`group_vars` or via 
command line args):\n\n| Variable                                     | Default        | Description                  |\n|----------------------------------------------|----------------|------------------------------|\n| `kops_profile`                               | undefined      | Boto profile name to be used |\n| `kops_default_version`                       | `v1.10.7`      | Kubernetes cluster version |\n| `kops_default_region`                        | `eu-central-1` | Default region to use |\n| `kops_default_image`                         | `kope.io/k8s-1.9-debian-jessie-amd64-hvm-ebs-2018-03-11` | Default AMI to use. [See here for other AMIs](https://github.com/kubernetes/kops/blob/master/channels/stable) |\n| `kops_default_api_access`                    | `[0.0.0.0/32]` | Array of IPs (CIDR notation) allowed to access the API |\n| `kops_ssh_additional_cidrs_from_sg`          | `\"\"` | Name of the Security Group whose ingress CIDRs are allowed to connect to the jumpbox via SSH |\n| `kops_default_ssh_access`                    | `[0.0.0.0/32]` | Array of IPs (CIDR notation) allowed to SSH into the machines |\n| `kops_externally_managed_egress`             | `false`        | If you manage default routing separately, e.g. 
in case of VGW or TGW, set this to `true` |\n| `kops_default_az`                            | `[a, b, c]`    | Available availability zones to be used by master, worker and bastion hosts |\n| `kops_default_master_az`                     | `[a, b, c]`    | Availability zones to launch master nodes in |\n| `kops_default_worker_az`                     | `[a, b, c]`    | Availability zones to launch worker nodes in |\n| `kops_default_bastion_az`                    | `[a]`          | Availability zones to launch bastion node(s) in |\n| `kops_default_master_instance_type`          | `t2.medium`    | Default instance type for master nodes |\n| `kops_default_worker_instance_type`          | `t2.medium`    | Default instance type for worker nodes |\n| `kops_default_bastion_instance_type`         | `t2.micro`     | Default instance type for bastion nodes |\n| `kops_default_master_count`                  | `3`            | Number of master nodes to launch |\n| `kops_default_worker_min_size`               | `1`            | Minimum number of worker nodes per instance group |\n| `kops_default_worker_max_size`               | `3`            | Maximum number of worker nodes per instance group |\n| `kops_default_worker_vol_size`               | `200`          | Root volume size in GB for each worker node |\n| `kops_default_ssh_pub_key`                   | undefined      | Public SSH key used by the generated create-cluster scripts |\n| `kops_default_build_directory`               | `build`        | Template generation directory |\n| `kops_default_aws_account_limit`             | `[]`           | Limit generated cluster shell scripts to only run for the specified accounts, to prevent accidental roll-out in the wrong environment. 
|\n| `kops_default_aws_iam_authenticator_enabled` | `false`        | Enable AWS IAM authenticator |\n| `kops_default_dockerconfig` | `[`\u003cbr/\u003e`url:'https://auth.docker.io/token?service=registry.docker.io\u0026scope=repository:ratelimitpreview/test:pull',`\u003cbr/\u003e`timeout: 5,`\u003cbr/\u003e`]`| General settings for the Docker Hub registry; put the credentials in `kops_dockerconfig_creds` in your vault |\n| `kops_dockerconfig_creds` | `[url: 'URL', timeout: 'TIMEOUT', user: 'USER', token: 'TOKEN']`| Use a valid user and token to log in to Docker Hub, or replace `url` with your private registry.\u003cbr/\u003e`url` and `timeout` are optional |\n\n## Example definition\n\n#### With sane defaults\nWhen using the sane defaults, the only things to configure for each cluster are\n\n* cluster name\n* S3 bucket name\n* its worker nodes\n\n```yml\nkops_default_ssh_pub_key: ssh-ed25519 AAAANSLxbLKF6DL8GDFE70AAAAIP8kH/aB4LKI2+S6a921rCwl2OZdL09iBhGHJ23jk\n\nkops_cluster:\n  - name: playground-cluster-shop.k8s.local\n    s3_bucket_name: playground-cluster-shop-state-store\n    workers:\n      - name: c4xlargea\n      - name: c4xlargeb\n      - name: c4xlargec\n```\n\n#### Fully customized\nInstead of using somebody's sane defaults, you can also fully customize your cluster.\n\n```yml\n# Generated shell scripts should only run in those AWS accounts.\n# This prevents a user from accidentally rolling it out in wrong environments.\nkops_default_aws_account_limit:\n  - 123456789\n  - 987654321\n\nkops_cluster:\n  - name: playground-cluster-shop.k8s.local\n    master_public_name: api-playground-cluster-shop.example.net\n    aws_iam_authenticator_enabled: true\n    kube_api_server:\n      oidcIssuerURL: https://oidc.example.net\n      oidcClientID: clientID\n      oidcUsernameClaim: email\n      oidcUsernamePrefix: \"oidc:\"\n      oidcGroupsClaim: groups\n      oidcGroupsPrefix: \"oidc:\"\n    # https://github.com/kubernetes/kops/blob/master/docs/cluster_spec.md#fileassets\n    
file_assets:\n      - name: audit-policy-config\n        path: /srv/kubernetes/audit/policy-config.yaml\n        roles:\n          - Master\n        content: |\n          apiVersion: audit.k8s.io/v1\n          kind: Policy\n          rules:\n            - level: Metadata\n    additionalPolicies:\n        node: |\n          [\n            {\n              \"Effect\": \"Allow\",\n              \"Action\": [\"route53:*\"],\n              \"Resource\": [\"*\"]\n            }\n          ]\n        master: |\n          [\n            {\n              \"Effect\": \"Allow\",\n              \"Action\": [\"route53:*\"],\n              \"Resource\": [\"*\"]\n            }\n          ]\n    version: v1.10.4\n    type: private\n    region: eu-central-1\n    image: kope.io/k8s-1.8-debian-jessie-amd64-hvm-ebs-2018-02-08\n    s3_bucket_name: playground-cluster-shop-state-store\n    ssh_pub_key: ssh-ed25519 AAAANSLxbLKF6DL8GDFE70AAAAIP8kH/aB4LKI2+S6a921rCwl2OZdL09iBhGHJ23jk\n    api_access:\n      - 185.28.180.95/32\n    api_additional_sgs:\n      - \"security_group_name\"\n    ssh_access:\n      - 185.28.180.95/32\n    az: [a, b, c]\n    bastion:\n      az: [a]\n      instance_type: t2.micro\n    masters:\n      count: 3\n      instance_type: t2.medium\n      az: [a, b, c]\n    workers:\n      - name: c4xlargea\n        instance_type: c4.xlarge\n        min_size: 1\n        max_size: 3\n        volume_size: 200\n        availability_zones: [a]\n      - name: c4xlargeb\n        instance_type: c4.xlarge\n        min_size: 1\n        max_size: 3\n        volume_size: 200\n        availability_zones: [b]\n      - name: c4xlargec\n        instance_type: c4.xlarge\n        min_size: 1\n        max_size: 3\n        volume_size: 200\n        availability_zones: [c]\n        cloud_labels:\n          - key: team\n            val: me\n          - key: project\n            value: ion\n        node_labels:\n          - key: name\n            val: some-fancy-name\n          - key: purpose\n     
       value: something-important\n    encryptionConfig:\n      enabled: true\n      image: \"\u003cPROVIDER\u003e/aws-encryption-provider\"\n      kms_id: \"12345678-9abc-defg-hijk-000000000001\"\n```\n\nPut the credentials for the Docker Hub registry in your vault; a task verifies the account, and if the user or token is invalid the role fails at that verification step. If you no longer need the `dockerconfig` secret, remove `kops_dockerconfig_creds` from your vault.\n```yml\nkops_dockerconfig_creds:\n  user: 'USER'\n  token: 'TOKEN'\n```\n\n\n## Testing\n\n#### Requirements\n\n* Docker\n* [yamllint](https://github.com/adrienverge/yamllint)\n\n#### Run tests\n\n```bash\n# Lint the source files\nmake lint\n\n# Run integration tests with default Ansible version\nmake test\n\n# Run integration tests with custom Ansible version\nmake test ANSIBLE_VERSION=2.4\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflaconi%2Fansible-role-kops","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fflaconi%2Fansible-role-kops","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflaconi%2Fansible-role-kops/lists"}