4.3.3.3 Ansible tasks when provisioning
A number of automated tasks are run on your servers when the Ansible Provision action runs. It can be important to understand exactly what Ansible is doing to your servers to help you debug any issues or contribute any improvements to the process.
The Ansible tasks are located in infrastructure/server-setup/tasks. Tasks are structured by folders:

- all: tasks are executed on all hosts defined in the Ansible inventory
- backups: tasks to provision the backup server
- k8s: tasks to configure Kubernetes master and worker nodes
| Tags | Task file | Description |
|---|---|---|
| checks | all/checks-system.yml | Validates that some variables are defined properly in inventory files and GitHub Secrets. |
| checks, k8s | all/checks-k8s.yml | Checks the installed Kubernetes version against the version supported by the playbook. |
| fail2ban | all/fail2ban.yml | Fail2Ban is an intrusion prevention software framework. Written in the Python programming language, it is designed to prevent brute-force attacks. Fail2Ban scans log files like /var/log/auth.log and bans IP addresses conducting too many failed login attempts. It does this by updating the system firewall |
| tools | all/tools.yml | Some of our Bash (shell) scripts, for example for deployment, backing up and restoring OpenCRVS, require libraries to be installed such as Python pip and jq. |
| updates | all/updates.yml | This task installs and configures the following package with the intention of keeping your current version of Ubuntu automatically up-to-date. We don't guarantee that this works, but it should help you. You should always manually check that zero-day security vulnerabilities are patched on Ubuntu. Maintaining your Ubuntu installation is outside the scope of OpenCRVS. |
| users | all/users.yml | This task creates all the user accounts listed in your inventory files, disables password and root access, and installs and configures SSH key authentication together with Google Authenticator 2FA. |
| backup | backups/create-backup-server-credentials.yml | Creates the backup user and generates SSH keys. |
| backup | backups/setup-email-alert.yml | Configures email notifications on the backup server. |
| application | k8s/application.yml | Creates a directory on your server with the right permissions and manages application logs. This directory will store all OpenCRVS-related application files required for deployment, such as the "infrastructure" folder containing the docker-compose files. The Deploy process copies these files to this location. |
| k8s | k8s/backup-secret.yml | Creates a secret with the backup server credentials (hostname/IP, user, SSH key). The credentials are generated by backups/create-backup-server-credentials.yml. |
| data-partition, decrypt-on-boot | k8s/validate-data-partition.yml | Validates the encrypted data partition to make sure the encryption key is valid and the LUKS header is not damaged. |
| data-partition, decrypt-on-boot | k8s/data-partition.yml | Using the DISK_SPACE secret and the ENCRYPTION_KEY secret, a LUKS-encrypted partition is created to store all OpenCRVS data. The directory is: |
| decrypt-on-boot | k8s/decrypt-on-boot.yml | If your server reboots, the encrypted directory above must be decrypted and mounted. This file allows you to configure this and the location of the ENCRYPTION_KEY, which you could decide to place within a Hardware Security Module as best practice. |
| k8s | k8s/dockerhub-secret.yml | Creates the Dockerhub credentials secret inside the opencrvs-<environment> namespace. See #issues/10625 |
| k8s | k8s/init-master.yml | Initialises the Kubernetes master node with kubeadm, configures access for the provision user and issues the worker node join token. |
| containerd-setup, k8s | k8s/install-containerd.yml | Installs containerd with its dependencies. |
| k8s | k8s/install-kubernetes.yml | Installs kubelet, kubeadm and kubectl with their dependencies. |
| k8s | k8s/install-network-plugin.yml | Installs the network plugin on the master node. |
| k8s | k8s/upgrade-k8s-master.yml | Upgrades the master node on an existing Kubernetes cluster. |
| k8s | k8s/upgrade-k8s-workers.yml | Restarts kubelet on the worker nodes. |
| k8s, join-workers | k8s/join-workers.yml | Joins the worker nodes to the cluster. |
| k8s | k8s/kube-api-add-extra-sans.yml | Configures the SSL certificate of the API server to accept connections from multiple network interfaces, including KUBE_API_HOST. |
| k8s | k8s/label-nodes.yml | Adds labels to the Kubernetes nodes. |
| k8s | k8s/metrics-server.yml | Installs the metrics server. |
| k8s | k8s/self-hosted-runner.yml | Installs the GitHub self-hosted runner. |
| k8s | k8s/system-preparation.yml | Configures kernel settings, disables swap and configures the kernel modules for containerd. |
| k8s, users | k8s/user-kubeconfig.yml | Creates Kubernetes users and distributes kube config files across the user home directories. |
| k8s | k8s/ufw.yml | Installs and configures your server firewall using ufw, closing all ports and only opening those required for Docker Swarm and SSH. |
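The checks described for validate-data-partition.yml (is the LUKS header intact, does the ENCRYPTION_KEY still open the volume) can be expressed as Ansible tasks like the following. This is an added example, not OpenCRVS's own task file; the variable names data_device and encryption_key are assumptions, and the key is passed through the environment with no_log so it never appears in Ansible output.

```yaml
# Added example (not OpenCRVS's validate-data-partition.yml). Assumes
# data_device (e.g. /dev/sdb1) and encryption_key (the ENCRYPTION_KEY
# secret) are defined in the inventory or passed as extra vars.
- name: Check that the data device carries a LUKS header
  ansible.builtin.command:
    cmd: cryptsetup isLuks {{ data_device | quote }}
  register: luks_present
  changed_when: false
  failed_when: luks_present.rc != 0

- name: Check that the LUKS header can be parsed (not damaged)
  ansible.builtin.command:
    cmd: cryptsetup luksDump {{ data_device | quote }}
  register: luks_header
  changed_when: false
  failed_when: luks_header.rc != 0

- name: Check that the encryption key unlocks the volume without mapping it
  # --test-passphrase verifies the key against the key slots only;
  # no /dev/mapper device is created and nothing is mounted.
  ansible.builtin.shell:
    cmd: printf '%s' "$ENCRYPTION_KEY" | cryptsetup open --test-passphrase --key-file - {{ data_device | quote }}
  environment:
    ENCRYPTION_KEY: "{{ encryption_key }}"
  register: key_test
  changed_when: false
  failed_when: key_test.rc != 0
  no_log: true   # keep the key (and the shell line containing it) out of logs

- name: Report validation result
  ansible.builtin.debug:
    msg: "LUKS header readable and ENCRYPTION_KEY opens {{ data_device }}"
```

Run it with a tag such as data-partition before decrypt-on-boot so a bad key or corrupted header is caught while the server is still being provisioned rather than at its next reboot.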