Start Project

Author: Kaano1

Makefile

@@ -0,0 +1,24 @@
+TERRAFORM = terraform
+
+PREPARE = $(TERRAFORM) init
+APPLY = $(TERRAFORM) apply
+UPDATE = $(PREPARE) -upgrade
+DESTROY = $(TERRAFORM) destroy
+
+all: start
+
+start:
+	$(PREPARE) && $(APPLY) -auto-approve && terraform output instance_ids > ansible/inventory.ini
+
+update:
+	$(UPDATE) && $(APPLY) -auto-approve
+
+stop:
+	$(DESTROY) -auto-approve
+
+ansible:
+	cd ansible/ && ansible-playbook -i inventory.ini main.yml --private-key /home/kaan/myComputer.pem
+
+re: stop start
+
+.PHONY: all start stop output update update-apply re ansible

ansible/inventory.ini

@@ -0,0 +1 @@
+[email protected] ansible_user=ubuntu

ansible/main.yml

@@ -0,0 +1,125 @@
+---
+- name: Set up Kubernetes
+  hosts: all
+  become: true
+  tasks:
+
+# Disable swap on all the Nodes
+
+    - name: 1. Disable Swap for kubeadm to work properly 
+      ansible.builtin.shell:
+        cmd: swapoff -a && sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
+
+#Enable IpTables Bridge traffic on all the Nodes
+
+    - name: 2. Added overlay & br_netfilter to /etc/modules-load.d/k8s.conf  # this file ensures these modules are loaded automatically every time the system boots
+      ansible.builtin.copy:
+        dest: /etc/modules-load.d/k8s.conf
+        content: |
+          overlay
+          br_netfilter
+        owner: root
+        group: root
+        mode: '0644'
+
+    - name: 3. Used modprobe for immediantly loading overlay and br_netfilter in running linux kernel # loading kernel modules
+      ansible.builtin.shell:
+        cmd: sudo modprobe overlay && sudo modprobe br_netfilter
+
+    - name: 4. Set iptables setting
+      ansible.builtin.shell:
+        cmd: cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
+             net.bridge.bridge-nf-call-iptables  = 1
+             net.bridge.bridge-nf-call-ip6tables = 1
+             net.ipv4.ip_forward                 = 1
+             EOF
+      # net.bridge.bridge-nf-call-iptables = ensures that traffic passing through a linux bridge is processed by iptables rules. This is essantial for kubernetes policies
+      # net.bridge.bridge-nf-call-ip6tables = Similar to the previoes setting but for ip6 traffic
+      # net.ipv4.ip_forward = allows the system to forward ipv4 packages between network interfaces.
+
+    - name: 5. Apply sysctl params without reboot
+      ansible.builtin.shell:
+        cmd: sysctl --system 
+
+# Install CRI-O Runtime On All The Nodes
+
+    
+    - name: 8.2 Download software-properties-common, gpg, curl, apt-transport-https, ca-certificates
+      ansible.builtin.shell:
+        cmd: sudo apt-get update -y && sudo apt-get install -y software-properties-common gpg curl apt-transport-https ca-certificates
+      ignore_errors: true
+
+    - name: 8.3.1 Check if cri-o-apt-keyring.gpg exists
+      ansible.builtin.stat:
+        path: /etc/apt/keyrings/cri-o-apt-keyring.gpg
+      register: cri_o_apt_keyring
+
+    - name: 8.3 Download the CRI-O GPG key and save it to a keyring
+      ansible.builtin.shell:
+        cmd:  curl -fsSL https://pkgs.k8s.io/addons:/cri-o:/prerelease:/main/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/cri-o-apt-keyring.gpg
+      when: not cri_o_apt_keyring.stat.exists
+
+    - name: 8.4 Add the CRI-O repository to APT sources list
+      ansible.builtin.shell:
+        cmd: echo "deb [signed-by=/etc/apt/keyrings/cri-o-apt-keyring.gpg] https://pkgs.k8s.io/addons:/cri-o:/prerelease:/main/deb/ /" | tee /etc/apt/sources.list.d/cri-o.list
+
+
+      # GPG (GNU Privacy Guard), are cryptographic keys used to sign packages. By adding the GPG key for the repository, you ensure that your system can trust the packages coming from that repository.
+
+    - name: 9. Download cri-o
+      ansible.builtin.shell:
+        cmd: sudo apt-get update -y && sudo apt-get install -y cri-o
+      ignore_errors: true
+
+
+    - name: 10. Reload the systemd configurations and enable cri-o.
+      ansible.builtin.shell:
+        cmd: sudo systemctl daemon-reload && sudo systemctl enable crio --now && sudo systemctl start crio.service
+
+# Install Kubeadm & Kubelet & Kubectl
+
+    - name: 11. Establish /etc/apt/keyrings and set Kubernetes_version
+      ansible.builtin.shell:
+        cmd: KUBERNETES_VERSION=1.30 && sudo mkdir -p /etc/apt/keyrings
+
+    - name: 11. Download the GPG key for Kubernetes componants download
+      ansible.builtin.shell:
+        cmd: curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.30/deb/Release.key | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
+
+    - name: 11.x
+      ansible.builtin.shell:
+        cmd: echo "deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.30/deb/ /" | sudo tee /etc/apt/sources.list.d/kubernetes.list
+
+    - name: 11.2 update
+      ansible.builtin.shell:
+        cmd: sudo apt-get update -y
+      ignore_errors: true
+
+    # /usr/share/keyrings/kubernetes-archive-keyring.gpg = It's a system-wide location typically used for storing trusted keys for package management.
+    # https://dl.k8s.io/apt/doc/apt-key.gpg = The Kubernetes APT repository is a software repository where Kubernetes packages (such as kubelet, kubeadm and kubectl) are stored for installation on systems using the APT package management system (such as Debian and Ubuntu)
+
+    - name: 12.x
+      ansible.builtin.shell:
+        cmd: apt-cache madison kubeadm | tac
+
+    - name: 13. Download kubelet kubeadm kubectl
+      ansible.builtin.shell:
+          cmd: sudo apt-get install -y kubelet kubeadm kubectl
+      
+    - name: 14. apt-mark hold prevents updates kubelet, kubectl and kubeadm # if we didn't prevent it, so it can be dangerous for stability
+      ansible.builtin.shell:
+        cmd: sudo apt-mark hold kubelet kubeadm kubectl
+
+    - name: 15. Downlaod jq for local_ip
+      ansible.builtin.shell:
+        sudo apt-get install -y jq
+
+    - name: 16. Take the local IP address of the 'eth1' network interface
+      ansible.builtin.shell:
+        cmd: |
+             local_ip="$(ip --json a s | jq -r '.[] | if .ifname == "eth1" then .addr_info[] | if .family == "inet" then .local else empty end else empty end')"
+             cat > /etc/default/kubelet << EOF
+             KUBELET_EXTRA_ARGS=--node-ip=$local_ip
+             EOF
+
+

ec2-instance.tf

@@ -0,0 +1,26 @@
+resource "aws_instance" "master_node" {
+	ami = "ami-08eb150f611ca277f"
+	vpc_security_group_ids = [aws_security_group.control_plane.id]
+	subnet_id = aws_subnet.subnet_public_ip.id
+	instance_type = "t3.medium"
+	key_name = "myComputer"
+
+	tags = {
+		Name = "master_node"
+	}
+}
+
+/*
+resource "aws_instance" "worker-node" {
+	ami = "ami-08eb150f611ca277f"
+	vpc_security_group_ids = [aws_security_group.worker_node.id]
+	subnet_id = aws_subnet.subnet_public_ip.id
+	instance_type = "t3.medium"
+	count = 2
+	key_name = "myComputer"
+
+	tags = {
+		Name = "worker-node"
+	}
+}
+*/

main.tf

@@ -0,0 +1,3 @@
+provider "aws" {
+	region = "eu-north-1"
+}

output.tf

@@ -0,0 +1,3 @@
+output "instance_ids" {
+  value = format("ubuntu@%s ansible_user=ubuntu", aws_instance.master_node.public_ip)
+}

security_group.tf

@@ -0,0 +1,137 @@
+# Master Node
+
+resource "aws_security_group" "control_plane" {
+  vpc_id      = "vpc-065771f2a3fc81dda"
+  name        = "control_plane_sg"
+  description = "Security group for Kubernetes control plane node"
+
+  tags = {
+    Name = "control_plane_sg"
+  }
+}
+
+# Ingress rules for control plane node
+resource "aws_security_group_rule" "control_plane_ingress_k8s_api" {
+  type                     = "ingress"
+  from_port                = 6443
+  to_port                  = 6443
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.control_plane.id
+  cidr_blocks              = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "control_plane_ingress_etcd" {
+  type                     = "ingress"
+  from_port                = 2379
+  to_port                  = 2380
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.control_plane.id
+  cidr_blocks              = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "control_plane_ingress_kubelet" {
+  type                     = "ingress"
+  from_port                = 10248
+  to_port                  = 10260
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.control_plane.id
+  cidr_blocks              = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "control_plane_ingress_generic" {
+  type                     = "ingress"
+  from_port                = 80
+  to_port                  = 8080
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.control_plane.id
+  cidr_blocks              = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "control_plane_ingress_ssh" {
+  type                     = "ingress"
+  from_port                = 22
+  to_port                  = 22
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.control_plane.id
+  cidr_blocks              = ["0.0.0.0/0"]
+}
+
+
+resource "aws_security_group_rule" "control_plane_ingress_nodeport" {
+  type                     = "ingress"
+  from_port                = 30000
+  to_port                  = 32767
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.control_plane.id
+  cidr_blocks              = ["0.0.0.0/0"]
+}
+
+# Egress rule for control plane node (allow all outbound)
+resource "aws_security_group_rule" "control_plane_egress" {
+  type                     = "egress"
+  from_port                = 0
+  to_port                  = 0
+  protocol                 = "-1"
+  security_group_id        = aws_security_group.control_plane.id
+  cidr_blocks              = ["0.0.0.0/0"]
+}
+
+
+
+
+#--------------------------------------------------------------------------------------
+#--------------------------------------------------------------------------------------
+
+
+
+
+
+# Worker Node
+
+resource "aws_security_group" "worker_node" {
+  vpc_id      = "vpc-065771f2a3fc81dda"
+  name        = "worker_node_sg"
+  description = "Security group for Kubernetes worker plane node"
+
+  tags = {
+    Name = "worker_node_sg"
+  }
+}
+
+# Ingress rules for worker node
+resource "aws_security_group_rule" "worker_node_ingress_kubelet" {
+  type                     = "ingress"
+  from_port                = 10248
+  to_port                  = 10260
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.worker_node.id
+  cidr_blocks              = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "worker_node_ingress_ssh" {
+  type                     = "ingress"
+  from_port                = 22
+  to_port                  = 22
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.worker_node.id
+  cidr_blocks              = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "worker_node_ingress_nodeport" {
+  type                     = "ingress"
+  from_port                = 30000
+  to_port                  = 32767
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.worker_node.id
+  cidr_blocks              = ["0.0.0.0/0"]
+}
+
+# Egress rule for worker node (allow all outbound)
+resource "aws_security_group_rule" "worker_node_egress" {
+  type                     = "egress"
+  from_port                = 0
+  to_port                  = 0
+  protocol                 = "-1"
+  security_group_id        = aws_security_group.worker_node.id
+  cidr_blocks              = ["0.0.0.0/0"]
+}

subnet.tf

@@ -0,0 +1,10 @@
+resource "aws_subnet" "subnet_public_ip" {
+  vpc_id                  = "vpc-065771f2a3fc81dda"
+  cidr_block              = "20.0.0.0/16"
+  map_public_ip_on_launch = true
+  availability_zone       = "eu-north-1a"
+
+  tags = {
+    Name = "subnet_public_ip"
+  }
+}