Quick Start Instructions
This are the instructions to quickly deploy Kuberentes Pi-cluster using cloud-init and Ansible Playbooks
Note:
Step-by-step manual process is also described in this documentation.
Preparing the Ansible Control node
-
Set-up a Ubuntu Server VM in your laptop to become ansible control node
pimasterand create the SSH public/private keys needed for connecting remotely to the serversFollow instructions in “Ansible Control Node”.
-
Clone Pi-Cluster Git repo or download using the ‘Download ZIP’ link on GitHub.
git clone https://github.com/ricsanfre/pi-cluster.git -
Install Ansible requirements:
Developed Ansible playbooks depend on external roles that need to be installed.
ansible-galaxy install -r requirements.yml
Ansible playbooks configuration
Inventory file
Adjust inventory.yml inventory file to meet your cluster configuration: IPs, hostnames, number of nodes, etc.
Tip:
If you maintain the private network assigned to the cluster (10.0.0.0/24) and the hostnames and IP addresses. The only field that you must change in inventory.yml file is the field mac containing the node’s mac address. This information will be used to configure automatically DHCP server and assign the proper IP to each node.
This information can be taken when Raspberry PI is booted for first time during the firmware update step: see Raspberry PI Firmware Update.
Configuring ansible remote access
The UNIX user to be used in remote connection (i.e.: ansible) user and its SSH key file location need to be specified
-
Set in
group_vars/all.ymlfile the UNIX user to be used by Ansible in the remote connection (default valueansible) -
Modify
ansible.cfgfile to include the path to the SSH key of theansibleuser used in remote connections (private-file-keyvariable)# SSH key private_key_file = $HOME/ansible-ssh-key.pem -
Modify
all.ymlfile to include your ansible remote UNIX user (ansible_uservariable) and
Configuring Ansible Playbooks
Encrypting secrets/key variables
All secrets/key/passwords variables are stored in a dedicated file, vars/vault.yml, so this file can be encrypted using Ansible Vault
vault.yml file is a Ansible vars file containing just a unique yaml variable, vault: a yaml dictionary containing all keys/passwords used by the different cluster components.
vault.yml sample file is like this:
---
# Encrypted variables - Ansible Vault
vault:
# K3s secrets
k3s:
k3s_token: s1cret0
# traefik secrets
traefik:
basic_auth_passwd: s1cret0
# Minio S3 secrets
minio:
root_password: supers1cret0
longhorn_key: supers1cret0
velero_key: supers1cret0
restic_key: supers1cret0
# elastic search
....
All needed password-type variables used by the Playbooks are in the sample file var/picluster-vault.yml. This file is not encrypted and must be used to start the ansible setup.
The steps to configure passwords/keys used in all Playbooks is the following:
-
Copy sample yaml
var/picluster-vault.ymlfile and rename it asvar/vault.yml -
Edit content of the file specifying your own values for each of the key/password/secret specified.
-
Encrypt file using ansible-vault
ansible-vault encrypt vault.ymlThe command ask for a ansible vault password to encrypt the file. After executing the command the file
vault.ymlis encrypted. Yaml content file is not readable.Note:
The file can be decrypted using the following command
ansible-vault decrypt vault.ymlThe password using during encryption need to be provided to decrypt the file After executing the command the file
vault.ymlis decrypted and show the content in plain text.
Important:
When using encrypted vault.yaml file all playbooks executed with ansible-playbook command need the argument --ask-vault-pass, so the password used to encrypt vault file can be provided when starting the playbook.
ansible-playbook playbook.yml --ask-vault-pass
Modify Ansible Playbook variables
Adjust ansible playbooks/roles variables defined within group_vars, host_vars and vars directories to meet your specific configuration.
The following table shows the variable files defined at ansible’s group and host levels
| Group/Host Variable file | Nodes affected |
|---|---|
group_vars/all.yml |
all nodes of cluster + gateway node + pimaster |
group_vars/control.yml |
control group: gateway node + pimaster |
group_vars/k3s_cluster.yml |
all nodes of the k3s cluster |
group_vars/k3s_master.yml |
K3s master nodes |
host_vars/gateway.yml |
gateway node specific variables |
The following table shows the variable files used for configuring the storage, backup server and K3S cluster and services.
| Specific Variable File | Configuration |
|---|---|
vars/picluster.yml |
K3S cluster and services configuration variables |
vars/dedicated_disks/local_storage.yml |
Configuration nodes local storage: Dedicated disks setup |
vars/centralized_san/centralized_san_target.yml |
Configuration iSCSI target local storage and LUNs: Centralized SAN setup |
vars/centralized_san/centralized_san_initiator.yml |
Configuration iSCSI Initiator: Centralized SAN setup |
vars/backup/s3_minio.yml |
Configuration S3 Minio server |
Important: : About storage configuration
Ansible Playbook used for doing the basic OS configuration (setup_picluster.yml) is able to configure two different storage setups (dedicated disks or centralized SAN) depending on the value of the variable centralized_san located in group_vars/all.yml. If centralized_san is false (default value) dedicated disk setup will be applied, otherwise centralized san setup will be configured.
-
Centralized SAN setup assumes
gatewaynode has a SSD disk attached (/dev/sda) that it is partitioned the first time the server is booted (part of the cloud-init configuration) reserving 30Gb for the root partition and the rest of available disk for hosting the LUNsFinal
gatewaydisk configuration is:- /dev/sda1: Boot partition
- /dev/sda2: Root Filesystem
- /dev/sda3: For being used for creating LUNS using LVM.
LVM configuration is done bysetup_picluster.ymlAnsible’s playbook and the variables used in the configuration can be found invars/centralized_san/centralized_san_target.yml:storage_volumegroupsandstorage_volumesvariables. Sizes of the different LUNs can be tweaked to fit the size of the SSD Disk used. I used a 480GB disk so, I was able to create LUNs of 100GB for each of the nodes. -
Dedicated disks setup assumes that all cluster nodes (
node1-5) have a SSD disk attached that it is partitioned the first time the server is booted (part of the cloud-init configuration) reserving 30Gb for the root partition and the rest of available disk for creating a logical volume (LVM) mounted as/storageFinal
node1-5disk configuration is:- /dev/sda1: Boot partition
- /dev/sda2: Root filesystem
- /dev/sda3: /storage partition
LVM configuration is done bysetup_picluster.ymlAnsible’s playbook and the variables used in the configuration can be found invars/dedicated_disks/local_storage.yml:storage_volumegroups,storage_volumes,storage_filesystemsandstorage_mountsvariables. The default configuration assings all available space in sda3 to a new logical volume formatted with ext4 and mounted as/storage
Installing the nodes
Update Raspberry Pi firmware
Update firmware in all Raspberry-PIs following the procedure described in “Raspberry PI firmware update”
Install gateway node
Install gateway Operating System on Rapberry PI.
The installation procedure followed is the described in “Ubuntu OS Installation” using cloud-init configuration files (user-data and network-config) for gateway, depending on the storage setup selected:
| Storage Configuration | User data | Network configuration |
|---|---|---|
| Dedicated Disks | user-data | network-config |
| Centralized SAN | user-data | network-config |
Warning: About SSH keys
Before applying the cloud-init files of the table above, remember to change the following
user-datafile:ssh_authorized_keysfields for both users (ansibleandoss). Your own ssh public keys, created duringpimastercontrol node preparation, must be included.timezoneandlocalecan be changed as well to fit your environment.
network-configfile: to fit yor home wifi network- Replace
and by your home wifi credentials - IP address (192.168.0.11 in the sample file ), and your home network gateway (192.168.0.1 in the sample file)
- Replace
Configure gateway node
For automatically execute basic OS setup tasks and configuration of gateway’s services (DNS, DHCP, NTP, Firewall, etc.), executes the playbook:
ansible-playbook setup_picluster.yml --tags "gateway" [--ask-vault-pass]
Install cluster nodes.
Once gateway is up and running the rest of the nodes can be installed and connected to the LAN switch, so they can obtain automatic network configuration via DHCP.
Install node1-5 Operating System on Raspberry Pi
Follow the installation procedure indicated in “Ubuntu OS Installation” using the corresponding cloud-init configuration files (user-data and network-config) depending on the storage setup selected. Since DHCP is used there is no need to change default /boot/network-config file located in the ubuntu image.
| Storage Architeture | node1 | node2 | node3 | node4 | node5 |
|---|---|---|---|---|---|
| Dedicated Disks | user-data | user-data | user-data | user-data | user-data |
| Centralized SAN | user-data | user-data | user-data | user-data | user-data |
Warning: About SSH keys
Before applying the cloud-init files of the table above, remember to change the following
user-datafile:ssh_authorized_keysfields for both users (ansibleandoss). Your own ssh public keys, created duringpimastercontrol node preparation, must be included.timezoneandlocalecan be changed as well to fit your environment.
Configure cluster nodes
For automatically execute basic OS setup tasks (DNS, DHCP, NTP, etc.), executes the playbook:
ansible-playbook setup_picluster.yml --tags "node"
Configuring backup server (S3) and OS level backup
Configure backup server (Playbook assumes S3 server is installed in node1) and automated backup tasks at OS level with restic in all nodes (node1-node5 and gateway) running the playbook:
ansible-playbook backup_configuration.yml
Note:
List of directories to be backed up by restic in each node can be found in variables file var/all.yml: restic_backups_dirs
Variable restic_clean_service which configure and schedule restic’s purging activities need to be set to “true” only in one of the nodes. Defaul configuration set gateway as the node for executing these tasks.
K3S
K3S Installation
To install K3S cluster execute the playbook:
ansible-playbook k3s_install.yml
K3S basic services deployment
To deploy and configure basic services (metallb, traefik, certmanager, linkerd, longhorn, EFK, Prometheus, Velero) run the playbook:
ansible-playbook k3s_deploy.yml
Different ansible tags can be used to select the componentes to deploy:
ansible-playbook k3s_deploy.yml --tags <ansible_tag>
The following table shows the different components and their dependencies.
| Ansible Tag | Component to configure/deploy | Dependencies |
|---|---|---|
metallb |
Metal LB | - |
certmanager |
Cert-manager | - |
linkerd |
Linkerd | Cert-manager |
traefik |
Traefik | Linkerd |
longhorn |
Longhorn | Linkerd |
monitoring |
Prometheus Stack | Longhorn, Linkerd |
linkerd-viz |
Linkerd Viz | Prometheus Stack, Linkerd |
logging |
EFK Stack | Longhorn, Linkerd |
backup |
Velero | Linkerd |
K3s Cluster reset
If you mess anything up in your Kubernetes cluster, and want to start fresh, the K3s Ansible playbook includes a reset playbook, that you can use to remove the installation of K3S:
ansible-playbook k3s_reset.yml
Note:
Reset can be used as well whenever we want to test the latest stable software version of the components of the cluster (K3S, Cert-manager, Longhorn, EFK, Prometheus, etc.). After a cluster reset:
- Execution of
k3s_install.ymlplaybook will install latest stable version of K3S - Execution of
k3s_deploy.ymlplaybook will install latest Helm Chart version of the different components.
Shutting down the Raspeberry Pi Cluster
To automatically shut down the Raspberry PI cluster, Ansible can be used.
For shutting down the cluster run this command:
ansible-playbook shutdown.yml
This playbook will connect to each Raspberry PI in the cluster (including gateway node) and execute the command sudo shutdown -h 1m, commanding the raspberry-pi to shutdown in 1 minute.
After a couple of minutes all raspberry pi will be shutdown. You can notice that when the Switch ethernet ports LEDs are off. Then it is safe to unplug the Raspberry PIs.
Updating Ubuntu packages
To automatically update Ubuntu OS packages run the following playbook:
ansible-playbook update.yml
This playbook automatically updates OS packages to the latest stable version and it performs a system reboot if needed.