added rancher

2021-11-05 16:06:45 +01:00 · 2021-11-05 16:06:45 +01:00 · c99563ec7e
commit c99563ec7e
parent d39b2edb17
12 changed files with 257 additions and 0 deletions
--- a/salt/pillars/network.sls
+++ b/salt/pillars/network.sls
@ -11,6 +11,7 @@ network:
    ntp: 1
    dns: 1
    www: 1
    rancher: 1
    switch: 10
    harvester: 20
    node1: 21
--- a/salt/pillars/rancher.sls
+++ b/salt/pillars/rancher.sls
@ -0,0 +1,5 @@
 rancher:
  ca_passphrase: rancher
  url: docker.io/rancher/rancher
  tag: v2.6.1
  bootstrapPassword: rancher
--- a/salt/pillars/top.sls
+++ b/salt/pillars/top.sls
@ -10,6 +10,7 @@ base:
    - wireguard
    - hostapd
    - pxe
    - rancher
    - tlu-harvester
 {% if salt['pillar.file_exists']('local.sls') %}
    - local
--- a/salt/states/rancher/certs.sls
+++ b/salt/states/rancher/certs.sls
@ -0,0 +1,80 @@
 Create the ca cnf file:
  file.managed:
    - name: /etc/rancher/ssl/rancher-ca.cnf
    - source: salt://rancher/files/rancher-ca.cnf
    - user: root
    - group: root
    - makedirs: True
    - mode: "0600"
    - dir_mode: "0755"
 Create rancher CA key:
  x509.private_key_managed:
    - name: /etc/rancher/ssl/rancher-ca.key
    - passphrase: {{ pillar['rancher']['ca_passphrase'] }}
    - bits: 2048
    - owner: root
    - group: root
    - mode: "0600"
 Create rancher CA certificate:
  cmd.run:
    - name: openssl req -config rancher-ca.cnf -key rancher-ca.key -new -x509 -days 3650 -sha256 -out rancher-ca.crt -passin pass:{{ pillar['rancher']['ca_passphrase'] }}
    - cwd: /etc/rancher/ssl
    - onchanges:
      - file: Create the ca cnf file
 Create rancher-server key:
  x509.private_key_managed:
    - name: /etc/rancher/ssl/rancher-server.key
    - bits: 2048
    - owner: root
    - group: root
    - mode: "0600"
 Create the server cnf file:
  file.managed:
    - name: /etc/rancher/ssl/rancher-server.cnf
    - source: salt://rancher/files/rancher-server.cnf.jinja
    - template: jinja
    - user: root
    - group: root
    - mode: "0600"
 Create the rancher-server signing request:
  cmd.run:
    - name: openssl req -new -key rancher-server.key -config rancher-server.cnf -out rancher-server.csr
    - cwd: /etc/rancher/ssl
    - onchanges:
      - file: Create the server cnf file
 Set permission on rancher-server singing request:
  file.managed:
    - name: /etc/rancher/ssl/rancher-server.csr
    - replace: False
    - user: root
    - group: root
    - mode: "0600"
 Create the rancher-server certificate:
  cmd.run:
    - name: openssl x509 -req -in rancher-server.csr -CA rancher-ca.crt -CAkey rancher-ca.key -CAcreateserial -out rancher-server.crt -days 3650 -sha256 -passin pass:{{ pillar['rancher']['ca_passphrase'] }}
    - cwd: /etc/rancher/ssl
    - onchanges:
      - cmd: Create the rancher-server signing request
 Set permission on rancher-server certificate:
  file.managed:
    - name: /etc/rancher/ssl/rancher-server.crt
    - replace: False
    - user: root
    - group: root
    - mode: "0600"
 Set permission on rancher CA serial:
  file.managed:
    - name: /etc/rancher/ssl/rancher-ca.srl
    - replace: False
    - user: root
    - group: root
    - mode: "0600"
--- a/salt/states/rancher/files/rancher-ca.cnf
+++ b/salt/states/rancher/files/rancher-ca.cnf
@ -0,0 +1,41 @@
 [ca]
 default_ca                     = CA_default
 [CA_default]
 default_bits                   = 2048
 x509_extensions                = v3_ca
 default_days                   = 3650
 default_md                     = default
 policy                         = policy_optional
 copy_extensions                = copy
 unique_subject                 = no
 [policy_optional]
 countryName                    = optional
 stateOrProvinceName            = optional
 localityName                   = optional
 organizationName               = optional
 organizationalUnitName         = optional
 commonName                     = optional
 emailAddress                   = optional
 ###############################################
 [req]
 default_bits                   = 2048
 distinguished_name             = req_distinguished_name
 x509_extensions                = v3_ca
 string_mask                    = utf8only
 prompt                         = no
 [v3_ca]
 basicConstraints               = critical, CA:true
 nsComment                      = "Rancher CA Certificate"
 nsCertType                     = sslCA
 keyUsage                       = cRLSign, keyCertSign
 subjectKeyIdentifier           = hash
 authorityKeyIdentifier         = keyid:always,issuer
 ###############################################
 [ req_distinguished_name ]
 CN                             = Rancher Certificate Authority
--- a/salt/states/rancher/files/rancher-proxy.conf.jinja
+++ b/salt/states/rancher/files/rancher-proxy.conf.jinja
@ -0,0 +1,18 @@
 server {
    listen       443;
    server_name  rancher.{{ pillar['network']['domain'] }};
    ssl_certificate     /etc/rancher/ssl/rancher-server.crt;
    ssl_certificate_key /etc/rancher/ssl/rancher-server.key;
    location /{ 
        proxy_pass https://localhost:6443;
 	proxy_ssl_trusted_certificate /etc/rancher/ssl/rancher-server.crt;
 	proxy_ssl_verify off;
        proxy_set_header Host      $host:$server_port;
    }
 }
 server {
    listen 80;
    server_name rancher.{{ pillar['network']['domain'] }};
    return 301 https://rancher.{{ pillar['network']['domain'] }}$request_uri;
 }
--- a/salt/states/rancher/files/rancher-server.cnf.jinja
+++ b/salt/states/rancher/files/rancher-server.cnf.jinja
@ -0,0 +1,29 @@
 [req]
 default_bits                   = 2048
 distinguished_name             = req_distinguished_name
 x509_extensions                = v3_server_sign
 string_mask                    = utf8only
 prompt                         = no
 req_extensions                 = v3_req
 [v3_server_sign]
 basicConstraints               = CA:false
 nsComment                      = "Rancher Server Certificate"
 nsCertType                     = server
 keyUsage                       = digitalSignature, keyEncipherment, keyAgreement
 extendedKeyUsage               = serverAuth, clientAuth
 subjectKeyIdentifier           = hash
 authorityKeyIdentifier         = keyid,issuer:always
 subjectAltName                 = @alt_names
 [v3_req]
 basicConstraints               = CA:false
 keyUsage                       = digitalSignature, keyEncipherment, keyAgreement
 subjectAltName                 = @alt_names
 [req_distinguished_name]
 CN                             = rancher.{{ pillar['network']['domain'] }}
 [alt_names]
 DNS.0                          = rancher.{{ pillar['network']['domain'] }}
 IP.0                           = {{ pillar['network']['ip'] }}
--- a/salt/states/rancher/files/rancher.service
+++ b/salt/states/rancher/files/rancher.service
@ -0,0 +1,11 @@
 [Unit]
 Description=Rancher podman container
 Wants=network.target
 [Service]
 Restart=on-failure
 ExecStart=/usr/bin/podman start -a rancher
 ExecStop=/usr/bin/podman stop -t 120 rancher
 [Install]
 WantedBy=multi-user.target default.target
--- a/salt/states/rancher/init.sls
+++ b/salt/states/rancher/init.sls
@ -0,0 +1,4 @@
 include:
  - rancher.certs
  - rancher.server
  - rancher.nginx
--- a/salt/states/rancher/nginx.sls
+++ b/salt/states/rancher/nginx.sls
@ -0,0 +1,14 @@
 proxy configuration for nginx:
  file.managed:
    - name: /etc/nginx/vhosts.d/rancher-proxy.conf
    - source: salt://rancher/files/rancher-proxy.conf.jinja
    - template: jinja
    - user: root
    - group: root
    - mode: "0644"
 reload nginx:
  service.running:
    - name: nginx
    - watch:
      - file: proxy configuration for nginx
--- a/salt/states/rancher/server.sls
+++ b/salt/states/rancher/server.sls
@ -0,0 +1,52 @@
 Create rancher systemd unit file:
  file.managed:
    - name: /etc/systemd/system/rancher.service
    - source: salt://rancher/files/rancher.service
    - user: root
    - group: root
    - mode: "0644"
 Realod systemd daemon:
  cmd.run:
    - name: systemctl daemon-reload
    - onchanges:
      - file: Create rancher systemd unit file
 Pull rancher image:
  cmd.run:
    - name: "podman image pull {{ pillar['rancher']['url'] }}:{{ pillar['rancher']['tag'] }}"
    - unless: "podman image exists {{ pillar['rancher']['url'] }}:{{ pillar['rancher']['tag'] }}"
 Add persistant storage folder:
  file.directory:
    - name: /srv/rancher-container
    - user: root
    - group: root
    - mode: "0640"
    - replace: False
 Stop rancher container before rebuild:
  service.dead:
    - name: rancher
    - onchanges:
      - cmd: Pull rancher image
 Remove old rancher container:
  cmd.run:
    - name: podman container rm rancher
    - onlyif: podman container exists rancher
    - onchanges:
      - cmd: Pull rancher image
 Create rancher container:
  cmd.run:
    - name: podman container create --name rancher --privileged --publish 6080:80 --publish 6443:443 --volume /etc/rancher/ssl/rancher-server.crt:/etc/rancher/ssl/cert.pem --volume /etc/rancher/ssl/rancher-server.key:/etc/rancher/ssl/key.pem --volume /etc/rancher/ssl/rancher-ca.crt:/etc/rancher/ssl/cacerts.pem --volume /srv/rancher-container:/var/lib/rancher --env CATTLE_BOOTSTRAP_PASSWORD={{ pillar['rancher']['bootstrapPassword'] }} {{ pillar['rancher']['url'] }}:{{ pillar['rancher']['tag'] }}
    - unless: podman container exists rancher
 Start the rancher container:
  service.running:
    - name: rancher
    - enable: True
    - watch: 
      - file: Create rancher systemd unit file
--- a/salt/states/top.sls
+++ b/salt/states/top.sls
@ -14,6 +14,7 @@ base:
    - rmt
    - podman
    - docker.registry
    - rancher
    - remote-desktop
    - wol
    - pxe