This Ansible playbook helps you setup a multi-master Kubernetes cluster on Exoscale.

Put the api-key and api-secret for your account into the cloudstack.ini file. Alternatively you can also use the CLOUDSTACK_KEY and CLOUDSTACK_SECRET environment variables. If you do, make sure to remove key and secret from the ini file.

You can get your key and secret here: https://portal.exoscale.ch/account/profile/api

To bootstrap your cluster, install the requirements via pip and put kubectl in your path. Then run the playbook.

Warning: Ansible doesn't play nice in a Virtualenv on systems with Selinux. To fix this, make sure you have python-selinux bindings installed and include system packages in your virtualenv.

# only required when selinux is enabled
sudo dnf install libselinux-python

virtualenv --system-site-packages .venv
source .venv/bin/activate

# install the requirements
pip install -r requirements.txt

# run the Ansible playbook
ansible-playbook cluster-bootstrap.yml

Tip: The cluster-bootstrap playbook is safe to re-run at any time to make sure your cluster is configured correctly.

Bootstrapping the cluster takes a few minutes. When the playbook finishes, you can see the cluster nodes come up using:

kubectl get nodes -w

If you want to add more workers simply run the worker-add playbook. Specify the desired number of worker nodes. The default cluster has 3 worker nodes. Below command adds 2 more for a total of 5.

ansible-playbook -e desired_num_worker_nodes=5 worker-add.yml

The cluster-upgrade playbook takes care of one by one updating Kubernetes on each of the nodes and restarting services as required. The upgrade does lead to a short unavailability of the apiserver due to the restart of the etcd members. Member restarts take a couple of retries before they succeed, this is caused by ports still being in use.

ansible-playbook cluster-upgrade.yml

The initial cluster consists of 3 master nodes and 3 worker nodes. Master nodes are pets, worker nodes are cattle. All nodes run CoreOS.

Master nodes run:

• infra-etcd2: Etcd2 cluster used for Flanneld overlay networking and Locksmithd
• flanneld: for the container overlay network
• locksmithd: to orchestrate automatic updates
• dockerd
• kubelet
• kubernetes-etcd2: Etcd2 cluster used for Kubernetes
• kube-apiserver
• kube-scheduler
• kube-controller-manager
• kube-proxy

Worker nodes run:

• flanneld: for the container overlay network
• locksmithd: to orchestrate automatic updates
• dockerd
• kubelet
• kube-proxy
• haproxy
• and your containers of course

Flanneld, Locksmithd, Docker, infra-etcd2 and the kubelet are started using Systemd. All other components most notably kubernetes-etcd2 and kube-* are started by the kubelet.

CoreOS is configured to do automatic updates. Locksmith is configured to make sure only one of the six cluster nodes reboots at the same time. It is also configured to ensure a maintenance window for master nodes between 4 and 5am and for worker nodes between 5 and 6am daily. Automatic updates only include the OS components that are part of CoreOS.

Cluster bootstrap includes the nginx-ingress-controller to make services available externally using ingress resources.

Haproxy on each worker node listens on 0.0.0.0:80 and 0.0.0.0:443 and forwards TCP traffic to the ingress controller service.

Simply setup a wildcard DNS entry to point to the IPs of your worker nodes.

Kube-lego is supported by the nginx-ingress-controller but is not automatically installed.

Master and worker nodes each have their own security-groups and only open the required ports between nodes within the same group or between nodes of the other group respectively.

All nodes allow external SSH access. (Required for Ansible unless you use a bastion host.)

On top of the firewall rules enforced by the security groups, all components are configured to communicate via TLS using certificates.

The required certificate authorities and certificates are generated using cfssl automatically.

kubectl is configured to talk to the first master node via IP. If the first master node is unavailable, you need to update your kubectl config to talk to another master node or bring the master node back up. You can of course setup DNS A records for each one of your nodes and use a DNS name instead of the IP in your config.