jonas/tlu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

added rancher

Browse Source
This commit is contained in:
jonas 2021-11-05 16:06:45 +01:00
parent d39b2edb17
commit c99563ec7e
12 changed files with 257 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
salt/pillars/network.sls
View File

@ -11,6 +11,7 @@ network:
ntp: 1
dns: 1
www: 1
rancher: 1
switch: 10
harvester: 20
node1: 21

5
salt/pillars/rancher.sls Normal file
View File

@ -0,0 +1,5 @@
rancher:
ca_passphrase: rancher
url: docker.io/rancher/rancher
tag: v2.6.1
bootstrapPassword: rancher

1
salt/pillars/top.sls
View File

@ -10,6 +10,7 @@ base:
- wireguard
- hostapd
- pxe
- rancher
- tlu-harvester
{% if salt['pillar.file_exists']('local.sls') %}
- local

80
salt/states/rancher/certs.sls Normal file
View File

@ -0,0 +1,80 @@
Create the ca cnf file:
file.managed:
- name: /etc/rancher/ssl/rancher-ca.cnf
- source: salt://rancher/files/rancher-ca.cnf
- user: root
- group: root
- makedirs: True
- mode: "0600"
- dir_mode: "0755"
Create rancher CA key:
x509.private_key_managed:
- name: /etc/rancher/ssl/rancher-ca.key
- passphrase: {{ pillar['rancher']['ca_passphrase'] }}
- bits: 2048
- owner: root
- group: root
- mode: "0600"
Create rancher CA certificate:
cmd.run:
- name: openssl req -config rancher-ca.cnf -key rancher-ca.key -new -x509 -days 3650 -sha256 -out rancher-ca.crt -passin pass:{{ pillar['rancher']['ca_passphrase'] }}
- cwd: /etc/rancher/ssl
- onchanges:
- file: Create the ca cnf file
Create rancher-server key:
x509.private_key_managed:
- name: /etc/rancher/ssl/rancher-server.key
- bits: 2048
- owner: root
- group: root
- mode: "0600"
Create the server cnf file:
file.managed:
- name: /etc/rancher/ssl/rancher-server.cnf
- source: salt://rancher/files/rancher-server.cnf.jinja
- template: jinja
- user: root
- group: root
- mode: "0600"
Create the rancher-server signing request:
cmd.run:
- name: openssl req -new -key rancher-server.key -config rancher-server.cnf -out rancher-server.csr
- cwd: /etc/rancher/ssl
- onchanges:
- file: Create the server cnf file
Set permission on rancher-server singing request:
file.managed:
- name: /etc/rancher/ssl/rancher-server.csr
- replace: False
- user: root
- group: root
- mode: "0600"
Create the rancher-server certificate:
cmd.run:
- name: openssl x509 -req -in rancher-server.csr -CA rancher-ca.crt -CAkey rancher-ca.key -CAcreateserial -out rancher-server.crt -days 3650 -sha256 -passin pass:{{ pillar['rancher']['ca_passphrase'] }}
- cwd: /etc/rancher/ssl
- onchanges:
- cmd: Create the rancher-server signing request
Set permission on rancher-server certificate:
file.managed:
- name: /etc/rancher/ssl/rancher-server.crt
- replace: False
- user: root
- group: root
- mode: "0600"
Set permission on rancher CA serial:
file.managed:
- name: /etc/rancher/ssl/rancher-ca.srl
- replace: False
- user: root
- group: root
- mode: "0600"

41
salt/states/rancher/files/rancher-ca.cnf Normal file
View File

@ -0,0 +1,41 @@
[ca]
default_ca = CA_default
[CA_default]
default_bits = 2048
x509_extensions = v3_ca
default_days = 3650
default_md = default
policy = policy_optional
copy_extensions = copy
unique_subject = no
[policy_optional]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
###############################################
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
string_mask = utf8only
prompt = no
[v3_ca]
basicConstraints = critical, CA:true
nsComment = "Rancher CA Certificate"
nsCertType = sslCA
keyUsage = cRLSign, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
###############################################
[ req_distinguished_name ]
CN = Rancher Certificate Authority

18
salt/states/rancher/files/rancher-proxy.conf.jinja Normal file
View File

@ -0,0 +1,18 @@
server {
listen 443;
server_name rancher.{{ pillar['network']['domain'] }};
ssl_certificate /etc/rancher/ssl/rancher-server.crt;
ssl_certificate_key /etc/rancher/ssl/rancher-server.key;
location /{
proxy_pass https://localhost:6443;
proxy_ssl_trusted_certificate /etc/rancher/ssl/rancher-server.crt;
proxy_ssl_verify off;
proxy_set_header Host $host:$server_port;
}
}
server {
listen 80;
server_name rancher.{{ pillar['network']['domain'] }};
return 301 https://rancher.{{ pillar['network']['domain'] }}$request_uri;
}

29
salt/states/rancher/files/rancher-server.cnf.jinja Normal file
View File

@ -0,0 +1,29 @@
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = v3_server_sign
string_mask = utf8only
prompt = no
req_extensions = v3_req
[v3_server_sign]
basicConstraints = CA:false
nsComment = "Rancher Server Certificate"
nsCertType = server
keyUsage = digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
subjectAltName = @alt_names
[v3_req]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment, keyAgreement
subjectAltName = @alt_names
[req_distinguished_name]
CN = rancher.{{ pillar['network']['domain'] }}
[alt_names]
DNS.0 = rancher.{{ pillar['network']['domain'] }}
IP.0 = {{ pillar['network']['ip'] }}

11
salt/states/rancher/files/rancher.service Normal file
View File

@ -0,0 +1,11 @@
[Unit]
Description=Rancher podman container
Wants=network.target
[Service]
Restart=on-failure
ExecStart=/usr/bin/podman start -a rancher
ExecStop=/usr/bin/podman stop -t 120 rancher
[Install]
WantedBy=multi-user.target default.target

4
salt/states/rancher/init.sls Normal file
View File

@ -0,0 +1,4 @@
include:
- rancher.certs
- rancher.server
- rancher.nginx

14
salt/states/rancher/nginx.sls Normal file
View File

@ -0,0 +1,14 @@
proxy configuration for nginx:
file.managed:
- name: /etc/nginx/vhosts.d/rancher-proxy.conf
- source: salt://rancher/files/rancher-proxy.conf.jinja
- template: jinja
- user: root
- group: root
- mode: "0644"
reload nginx:
service.running:
- name: nginx
- watch:
- file: proxy configuration for nginx

52
salt/states/rancher/server.sls Normal file
View File

@ -0,0 +1,52 @@
Create rancher systemd unit file:
file.managed:
- name: /etc/systemd/system/rancher.service
- source: salt://rancher/files/rancher.service
- user: root
- group: root
- mode: "0644"
Realod systemd daemon:
cmd.run:
- name: systemctl daemon-reload
- onchanges:
- file: Create rancher systemd unit file
Pull rancher image:
cmd.run:
- name: "podman image pull {{ pillar['rancher']['url'] }}:{{ pillar['rancher']['tag'] }}"
- unless: "podman image exists {{ pillar['rancher']['url'] }}:{{ pillar['rancher']['tag'] }}"
Add persistant storage folder:
file.directory:
- name: /srv/rancher-container
- user: root
- group: root
- mode: "0640"
- replace: False
Stop rancher container before rebuild:
service.dead:
- name: rancher
- onchanges:
- cmd: Pull rancher image
Remove old rancher container:
cmd.run:
- name: podman container rm rancher
- onlyif: podman container exists rancher
- onchanges:
- cmd: Pull rancher image
Create rancher container:
cmd.run:
- name: podman container create --name rancher --privileged --publish 6080:80 --publish 6443:443 --volume /etc/rancher/ssl/rancher-server.crt:/etc/rancher/ssl/cert.pem --volume /etc/rancher/ssl/rancher-server.key:/etc/rancher/ssl/key.pem --volume /etc/rancher/ssl/rancher-ca.crt:/etc/rancher/ssl/cacerts.pem --volume /srv/rancher-container:/var/lib/rancher --env CATTLE_BOOTSTRAP_PASSWORD={{ pillar['rancher']['bootstrapPassword'] }} {{ pillar['rancher']['url'] }}:{{ pillar['rancher']['tag'] }}
- unless: podman container exists rancher
Start the rancher container:
service.running:
- name: rancher
- enable: True
- watch:
- file: Create rancher systemd unit file

1
salt/states/top.sls
View File

@ -14,6 +14,7 @@ base:
- rmt
- podman
- docker.registry
- rancher
- remote-desktop
- wol
- pxe