From c99563ec7e4c9bb943c173312756d780057cd53c Mon Sep 17 00:00:00 2001 From: jonas Date: Fri, 5 Nov 2021 16:06:45 +0100 Subject: [PATCH] added rancher
---
 salt/pillars/network.sls | 1 + salt/pillars/rancher.sls | 5 ++ salt/pillars/top.sls | 1 + salt/states/rancher/certs.sls | 80 +++++++++++++++++++ salt/states/rancher/files/rancher-ca.cnf | 41 ++++++++++ .../rancher/files/rancher-proxy.conf.jinja | 18 +++++ .../rancher/files/rancher-server.cnf.jinja | 29 +++++++ salt/states/rancher/files/rancher.service | 11 +++ salt/states/rancher/init.sls | 4 + salt/states/rancher/nginx.sls | 14 ++++ salt/states/rancher/server.sls | 52 ++++++++++++ salt/states/top.sls | 1 + 12 files changed, 257 insertions(+) create mode 100644 salt/pillars/rancher.sls create mode 100644 salt/states/rancher/certs.sls create mode 100644 salt/states/rancher/files/rancher-ca.cnf create mode 100644 salt/states/rancher/files/rancher-proxy.conf.jinja create mode 100644 salt/states/rancher/files/rancher-server.cnf.jinja create mode 100644 salt/states/rancher/files/rancher.service create mode 100644 salt/states/rancher/init.sls create mode 100644 salt/states/rancher/nginx.sls create mode 100644 salt/states/rancher/server.sls
diff --git a/salt/pillars/network.sls b/salt/pillars/network.sls
index f96ae8c..6faa1b0 100644
--- a/salt/pillars/network.sls
+++ b/salt/pillars/network.sls
@@ -11,6 +11,7 @@ network:
 ntp: 1
 dns: 1
 www: 1
+ rancher: 1
 switch: 10
 harvester: 20
 node1: 21
diff --git a/salt/pillars/rancher.sls b/salt/pillars/rancher.sls
new file mode 100644
index 0000000..518aab4
--- /dev/null
+++ b/salt/pillars/rancher.sls
@@ -0,0 +1,5 @@
+rancher:
+ ca_passphrase: rancher
+ url: docker.io/rancher/rancher
+ tag: v2.6.1
+ bootstrapPassword: rancher
diff --git a/salt/pillars/top.sls b/salt/pillars/top.sls
index 88cf51b..8c20bc4 100644
--- a/salt/pillars/top.sls
+++ b/salt/pillars/top.sls
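Review bot: `ca_passphrase: rancher` and `bootstrapPassword: rancher` commit two weak plaintext secrets to the repository and push them to every minion that matches this pillar, and the passphrase guards a CA key that can sign a certificate for any name in this domain. The pillar top file already loads an optional `local.sls` (presumably untracked), so move both values there or behind the GPG renderer and leave only a placeholder here, with a comment such as `# override ca_passphrase and bootstrapPassword in local.sls; never commit real values`. `tag: v2.6.1` is a mutable tag; if the pull is expected to be reproducible, record the image digest next to it so server.sls can pin `url@sha256:…`.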
@@ -10,6 +10,7 @@ base:
 - wireguard
 - hostapd
 - pxe
+ - rancher
 - tlu-harvester
 {% if salt['pillar.file_exists']('local.sls') %}
 - local
diff --git a/salt/states/rancher/certs.sls b/salt/states/rancher/certs.sls
new file mode 100644
index 0000000..057cb8d
--- /dev/null
+++ b/salt/states/rancher/certs.sls
@@ -0,0 +1,80 @@
+Create the ca cnf file:
+ file.managed:
+ - name: /etc/rancher/ssl/rancher-ca.cnf
+ - source: salt://rancher/files/rancher-ca.cnf
+ - user: root
+ - group: root
+ - makedirs: True
+ - mode: "0600"
+ - dir_mode: "0755"
+
+Create rancher CA key:
+ x509.private_key_managed:
+ - name: /etc/rancher/ssl/rancher-ca.key
+ - passphrase: {{ pillar['rancher']['ca_passphrase'] }}
+ - bits: 2048
+ - owner: root
+ - group: root
+ - mode: "0600"
+
+Create rancher CA certificate:
+ cmd.run:
+ - name: openssl req -config rancher-ca.cnf -key rancher-ca.key -new -x509 -days 3650 -sha256 -out rancher-ca.crt -passin pass:{{ pillar['rancher']['ca_passphrase'] }}
+ - cwd: /etc/rancher/ssl
+ - onchanges:
+ - file: Create the ca cnf file
+
+Create rancher-server key:
+ x509.private_key_managed:
+ - name: /etc/rancher/ssl/rancher-server.key
+ - bits: 2048
+ - owner: root
+ - group: root
+ - mode: "0600"
+
+Create the server cnf file:
+ file.managed:
+ - name: /etc/rancher/ssl/rancher-server.cnf
+ - source: salt://rancher/files/rancher-server.cnf.jinja
+ - template: jinja
+ - user: root
+ - group: root
+ - mode: "0600"
+
+Create the rancher-server signing request:
+ cmd.run:
+ - name: openssl req -new -key rancher-server.key -config rancher-server.cnf -out rancher-server.csr
+ - cwd: /etc/rancher/ssl
+ - onchanges:
+ - file: Create the server cnf file
+
+Set permission on rancher-server singing request:
+ file.managed:
+ - name: /etc/rancher/ssl/rancher-server.csr
+ - replace: False
+ - user: root
+ - group: root
+ - mode: "0600"
+
+Create the rancher-server certificate:
+ cmd.run:
+ - name: openssl x509 -req -in rancher-server.csr -CA rancher-ca.crt -CAkey rancher-ca.key -CAcreateserial -out rancher-server.crt -days 3650 -sha256 -passin pass:{{ pillar['rancher']['ca_passphrase'] }}
+ - cwd: /etc/rancher/ssl
+ - onchanges:
+ - cmd: Create the rancher-server signing request
+
+Set permission on rancher-server certificate:
+ file.managed:
+ - name: /etc/rancher/ssl/rancher-server.crt
+ - replace: False
+ - user: root
+ - group: root
+ - mode: "0600"
+
+Set permission on rancher CA serial:
+ file.managed:
+ - name: /etc/rancher/ssl/rancher-ca.srl
+ - replace: False
+ - user: root
+ - group: root
+ - mode: "0600"
diff --git a/salt/states/rancher/files/rancher-ca.cnf b/salt/states/rancher/files/rancher-ca.cnf
new file mode 100644
index 0000000..f503173
--- /dev/null
+++ b/salt/states/rancher/files/rancher-ca.cnf
@@ -0,0 +1,41 @@
+[ca]
+default_ca = CA_default
+
+[CA_default]
+default_bits = 2048
+x509_extensions = v3_ca
+default_days = 3650
+default_md = default
+policy = policy_optional
+copy_extensions = copy
+unique_subject = no
+
+[policy_optional]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
+
+###############################################
+
+[req]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+x509_extensions = v3_ca
+string_mask = utf8only
+prompt = no
+
+[v3_ca]
+basicConstraints = critical, CA:true
+nsComment = "Rancher CA Certificate"
+nsCertType = sslCA
+keyUsage = cRLSign, keyCertSign
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+
+###############################################
+[ req_distinguished_name ]
+CN = Rancher Certificate Authority
diff --git a/salt/states/rancher/files/rancher-proxy.conf.jinja b/salt/states/rancher/files/rancher-proxy.conf.jinja
new file mode 100644
index 0000000..b4045e6
--- /dev/null
+++ b/salt/states/rancher/files/rancher-proxy.conf.jinja
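Review bot: `Create the rancher-server certificate` runs `openssl x509 -req` without `-extfile`/`-extensions`, which discards every extension carried in the CSR, so rancher-server.crt is issued with no subjectAltName and none of the keyUsage/EKU declared in rancher-server.cnf; Go TLS clients (Rancher agents, kubectl) and current browsers reject a CN-only certificate, and the `copy_extensions = copy` in rancher-ca.cnf does not rescue this because it only applies to `openssl ca`. Append `-extfile rancher-server.cnf -extensions v3_server_sign` to that command. The CA passphrase is interpolated as `-passin pass:{{ pillar['rancher']['ca_passphrase'] }}` into two `cmd.run` names, so it shows up in `ps` and in every state return and minion log that prints the command; supply it through `- env: - CA_PASS: {{ pillar['rancher']['ca_passphrase'] }}` and use `-passin env:CA_PASS`. Both signing states are triggered only by their cnf files, so a regenerated CA key, or a CA re-issued after a cnf edit, leaves the server certificate chained to the old CA; add `onchanges` on `Create rancher CA key` for the CA cert and on `Create rancher CA certificate` for the server cert, plus `creates:` guards so a missing output file is always rebuilt.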
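Review bot: The `[ca]`, `[CA_default]` and `[policy_optional]` sections are only read by `openssl ca`, which certs.sls never invokes (it uses `openssl req -x509` and `openssl x509 -req`), so `copy_extensions = copy`, `default_days` and the policy are dead configuration that suggests controls that are not in effect; either drop them or move the signing step to `openssl ca`. Since this CA only ever signs one leaf, constrain it with `basicConstraints = critical, CA:true, pathlen:0` so a leaked or misused key cannot mint intermediates. A header comment such as `# only the [req]/[v3_ca] sections are used; the CA is self-signed via 'openssl req -x509'` would make the intended usage clear.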
@@ -0,0 +1,18 @@
+server {
+ listen 443;
+ server_name rancher.{{ pillar['network']['domain'] }};
+ ssl_certificate /etc/rancher/ssl/rancher-server.crt;
+ ssl_certificate_key /etc/rancher/ssl/rancher-server.key;
+ location /{
+ proxy_pass https://localhost:6443;
+ proxy_ssl_trusted_certificate /etc/rancher/ssl/rancher-server.crt;
+ proxy_ssl_verify off;
+ proxy_set_header Host $host:$server_port;
+ }
+}
+
+server {
+ listen 80;
+ server_name rancher.{{ pillar['network']['domain'] }};
+ return 301 https://rancher.{{ pillar['network']['domain'] }}$request_uri;
+}
diff --git a/salt/states/rancher/files/rancher-server.cnf.jinja b/salt/states/rancher/files/rancher-server.cnf.jinja
new file mode 100644
index 0000000..4eded85
--- /dev/null
+++ b/salt/states/rancher/files/rancher-server.cnf.jinja
@@ -0,0 +1,29 @@
+[req]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+x509_extensions = v3_server_sign
+string_mask = utf8only
+prompt = no
+req_extensions = v3_req
+
+[v3_server_sign]
+basicConstraints = CA:false
+nsComment = "Rancher Server Certificate"
+nsCertType = server
+keyUsage = digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage = serverAuth, clientAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+subjectAltName = @alt_names
+
+[v3_req]
+basicConstraints = CA:false
+keyUsage = digitalSignature, keyEncipherment, keyAgreement
+subjectAltName = @alt_names
+
+[req_distinguished_name]
+CN = rancher.{{ pillar['network']['domain'] }}
+
+[alt_names]
+DNS.0 = rancher.{{ pillar['network']['domain'] }}
+IP.0 = {{ pillar['network']['ip'] }}
diff --git a/salt/states/rancher/files/rancher.service b/salt/states/rancher/files/rancher.service
new file mode 100644
index 0000000..4a6461d
--- /dev/null
+++ b/salt/states/rancher/files/rancher.service
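Review bot: `listen 443;` is missing the `ssl` parameter, so nginx serves plain HTTP on port 443 and the `ssl_certificate`/`ssl_certificate_key` lines are never used; clients following the port-80 redirect will get a "plain HTTP request was sent to HTTPS port" error, and it must read `listen 443 ssl;`. `proxy_ssl_verify off` combined with `proxy_ssl_trusted_certificate` pointing at the leaf certificate means the upstream is not verified at all; since the container presents rancher-server.crt, verify it against `/etc/rancher/ssl/rancher-ca.crt` with `proxy_ssl_verify on` and a `proxy_ssl_name` matching the SAN. The location block also forwards neither `Upgrade`/`Connection` nor `X-Forwarded-Proto`, which the Rancher UI shell and cluster-agent tunnel rely on (the upstream Rancher nginx example sets them, as far as I remember); the rewrite below adds these, using `$http_connection` because a vhosts.d snippet cannot declare the `map` the upstream example uses.
```nginx
server {
    listen 443 ssl;
    server_name rancher.{{ pillar['network']['domain'] }};
    ssl_certificate /etc/rancher/ssl/rancher-server.crt;
    ssl_certificate_key /etc/rancher/ssl/rancher-server.key;
    location / {
        proxy_pass https://localhost:6443;
        # verify the upstream against the CA that issued its cert, not the leaf itself
        proxy_ssl_trusted_certificate /etc/rancher/ssl/rancher-ca.crt;
        proxy_ssl_verify on;
        proxy_ssl_name rancher.{{ pillar['network']['domain'] }};
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        # websocket upgrade for the Rancher UI shell and agent tunnel
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}
# … unchanged: port-80 redirect server block …
```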
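Review bot: `extendedKeyUsage = serverAuth, clientAuth` in `v3_server_sign` lets the Rancher/nginx server key be presented as a client certificate to anything that trusts this CA; unless mutual TLS with this exact key is intended, reduce it to `extendedKeyUsage = serverAuth`. `keyAgreement` has no meaning for the RSA key that certs.sls generates (`bits: 2048` via `x509.private_key_managed`) and `nsCertType` is a legacy Netscape extension, so `keyUsage = digitalSignature, keyEncipherment` is sufficient in both `v3_server_sign` and `v3_req`. Note that `v3_server_sign` is only applied if the signing command in certs.sls passes this file as `-extfile`; a comment `# v3_server_sign is consumed by 'openssl x509 -req -extfile', v3_req by 'openssl req -new'` would make that dependency visible to the next editor.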
@@ -0,0 +1,11 @@
+[Unit]
+Description=Rancher podman container
+Wants=network.target
+
+[Service]
+Restart=on-failure
+ExecStart=/usr/bin/podman start -a rancher
+ExecStop=/usr/bin/podman stop -t 120 rancher
+
+[Install]
+WantedBy=multi-user.target default.target
diff --git a/salt/states/rancher/init.sls b/salt/states/rancher/init.sls
new file mode 100644
index 0000000..c375ea2
--- /dev/null
+++ b/salt/states/rancher/init.sls
@@ -0,0 +1,4 @@
+include:
+ - rancher.certs
+ - rancher.server
+ - rancher.nginx
diff --git a/salt/states/rancher/nginx.sls b/salt/states/rancher/nginx.sls
new file mode 100644
index 0000000..f76144a
--- /dev/null
+++ b/salt/states/rancher/nginx.sls
@@ -0,0 +1,14 @@
+proxy configuration for nginx:
+ file.managed:
+ - name: /etc/nginx/vhosts.d/rancher-proxy.conf
+ - source: salt://rancher/files/rancher-proxy.conf.jinja
+ - template: jinja
+ - user: root
+ - group: root
+ - mode: "0644"
+
+reload nginx:
+ service.running:
+ - name: nginx
+ - watch:
+ - file: proxy configuration for nginx
diff --git a/salt/states/rancher/server.sls b/salt/states/rancher/server.sls
new file mode 100644
index 0000000..6fde5e6
--- /dev/null
+++ b/salt/states/rancher/server.sls
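Review bot: `ExecStop=/usr/bin/podman stop -t 120 rancher` allows the container 120 s to shut down, but the unit sets no `TimeoutStopSec`, so systemd's default (commonly 90 s) SIGKILLs podman first and the embedded k3s datastore gets an unclean stop; add `TimeoutStopSec=150`. `Wants=network.target` without an `After=` line does not order the unit after the network at all; use `After=network-online.target` together with `Wants=network-online.target`. `default.target` in `WantedBy` is redundant for a system unit already wanted by `multi-user.target`.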
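Review bot: `reload nginx` uses `watch`, which restarts nginx on every vhost change instead of reloading it as the state name promises, dropping in-flight connections; add `- reload: True` to the `service.running` state. The vhost references the key and certificate from `rancher.certs`, but nothing here requires them, so on a fresh host the order rests on include order alone and nginx can fail its config test if the files are missing; add `- require: - sls: rancher.certs` to `proxy configuration for nginx`.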
@@ -0,0 +1,52 @@
+Create rancher systemd unit file:
+ file.managed:
+ - name: /etc/systemd/system/rancher.service
+ - source: salt://rancher/files/rancher.service
+ - user: root
+ - group: root
+ - mode: "0644"
+
+Realod systemd daemon:
+ cmd.run:
+ - name: systemctl daemon-reload
+ - onchanges:
+ - file: Create rancher systemd unit file
+
+Pull rancher image:
+ cmd.run:
+ - name: "podman image pull {{ pillar['rancher']['url'] }}:{{ pillar['rancher']['tag'] }}"
+ - unless: "podman image exists {{ pillar['rancher']['url'] }}:{{ pillar['rancher']['tag'] }}"
+
+Add persistant storage folder:
+ file.directory:
+ - name: /srv/rancher-container
+ - user: root
+ - group: root
+ - mode: "0640"
+ - replace: False
+
+Stop rancher container before rebuild:
+ service.dead:
+ - name: rancher
+ - onchanges:
+ - cmd: Pull rancher image
+
+Remove old rancher container:
+ cmd.run:
+ - name: podman container rm rancher
+ - onlyif: podman container exists rancher
+ - onchanges:
+ - cmd: Pull rancher image
+
+Create rancher container:
+ cmd.run:
+ - name: podman container create --name rancher --privileged --publish 6080:80 --publish 6443:443 --volume /etc/rancher/ssl/rancher-server.crt:/etc/rancher/ssl/cert.pem --volume /etc/rancher/ssl/rancher-server.key:/etc/rancher/ssl/key.pem --volume /etc/rancher/ssl/rancher-ca.crt:/etc/rancher/ssl/cacerts.pem --volume /srv/rancher-container:/var/lib/rancher --env CATTLE_BOOTSTRAP_PASSWORD={{ pillar['rancher']['bootstrapPassword'] }} {{ pillar['rancher']['url'] }}:{{ pillar['rancher']['tag'] }}
+ - unless: podman container exists rancher
+
+Start the rancher container:
+ service.running:
+ - name: rancher
+ - enable: True
+ - watch:
+ - file: Create rancher systemd unit file
+
diff --git a/salt/states/top.sls b/salt/states/top.sls
index 11e514b..0ef22c1 100644
--- a/salt/states/top.sls
+++ b/salt/states/top.sls
@@ -14,6 +14,7 @@ base:
 - rmt
 - podman
 - docker.registry
+ - rancher
 - remote-desktop
 - wol
 - pxe
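Review bot: `--publish 6080:80 --publish 6443:443` in `Create rancher container` binds both ports on every interface, so Rancher is reachable directly on 6443, and over plain HTTP on 6080, bypassing the nginx front end that is supposed to terminate TLS; since the proxy only talks to localhost, bind them as `--publish 127.0.0.1:6080:80 --publish 127.0.0.1:6443:443`. `--env CATTLE_BOOTSTRAP_PASSWORD={{ … }}` leaves the bootstrap password in the container's inspect output, its process environment and the printed `cmd.run` name in the Salt state return; pass it with `--env-file` from a root-only 0600 file (or a podman secret) and document that the pillar value must be changed on first login. `Add persistant storage folder` sets `mode: "0640"` on a directory, which strips the execute bit and is not a meaningful directory mode (`"0700"` is the usual choice for a root-only data dir), and `replace: False` does not appear to be a `file.directory` argument, so the state may fail on an unknown keyword. `--privileged` is what Rancher documents for the single-node container, but it hands the container full host access, so a `# --privileged is required by Rancher's embedded k3s; do not expose this host beyond the nginx proxy` comment and a digest-pinned image (`url@sha256:…` rather than a mutable tag) would make the trust boundary and the supply-chain assumption explicit.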