Package container images with the self-extracting installer for The Combine

.gitignore

@@ -83,7 +83,7 @@ deploy/scripts/semantic_domains/json/*.json
 database/semantic_domains/*
 
 # Combine installer
-installer/combine-installer.run
+installer/*.run
 installer/makeself-*
 installer/README.pdf
 

deploy/ansible/group_vars/nuc/main.yml

@@ -14,6 +14,7 @@
 k8s_engine: k3s
 
 image_pull_secret: aws-login-credentials
+use_airgap_images: false
 
 # k8s namespaces
 app_namespace: thecombine

deploy/ansible/group_vars/server/main.yml

@@ -9,11 +9,8 @@
 # Configure Kubernetes cluster
 ################################################
 
-# Specify which Kubernetes engine to install -
-# one of k3s, or none.
-k8s_engine: none
-
 image_pull_secret: aws-login-credentials
+use_airgap_images: false
 
 create_namespaces: []
 # k8s namespaces

deploy/ansible/host_vars/localhost/main.yml

@@ -7,11 +7,8 @@
 # Configure Kubernetes cluster
 ################################################
 
-# Specify which Kubernetes engine to install -
-# one of k3s or none.
-k8s_engine: k3s
-
 image_pull_secret: aws-login-credentials
+use_airgap_images: true
 
 # k8s namespaces
 app_namespace: thecombine

deploy/ansible/playbook_desktop_setup.yaml

@@ -15,27 +15,23 @@
 
   vars_files:
     - "vars/config_common.yml"
+    - "vars/k3s_versions.yml"
 
   tasks:
-    - name: Update packages
-      apt:
-        update_cache: yes
-        upgrade: "yes"
-
     - name: Setup WiFi Access Point
       import_role:
         name: wifi_ap
       when: has_wifi
 
-    - name: Enable hardware monitoring
-      import_role:
-        name: monitor_hardware
-      when: include_hw_monitoring
-
     - name: Configure Network Interfaces
       import_role:
         name: network_config
 
+    - name: Install Preloaded Images
+      import_role:
+        name: container_images
+      when: install_airgap_images
+
     - name: Install Container Engine
       import_role:
         name: container_engine
@@ -44,11 +40,6 @@
       import_role:
         name: k8s_install
 
-    - name: Install Helm
-      import_role:
-        name: helm_install
-      when: install_helm
-
     - name: Setup Support Tool
       import_role:
         name: support_tools

deploy/ansible/playbook_k3s_airgapped_files.yml

@@ -0,0 +1,58 @@
+---
+##############################################################
+# Playbook: playbook_k3s_airgap.yml
+#
+# playbook_k3s_airgap.yml downloads and packages the
+# files necessary to install k3s on an airgapped system.  This
+# includes:
+#  - the k3s airgap images
+#  - k3s executable
+#  - k3s installation script
+#  - kubectl
+#  - helm
+#
+##############################################################
+
+- name: Build package for k3s airgap installation
+  hosts: localhost
+  gather_facts: yes
+  become: no
+
+  vars_files:
+    - "vars/k3s_versions.yml"
+
+  tasks:
+    - name: Create package directory if necessary
+      file:
+        path: "{{ package_dir }}"
+        state: directory
+
+    - name: Download k3s assets
+      get_url:
+        dest: "{{ package_dir }}/{{ item }}"
+        url: "https://github.com/k3s-io/k3s/releases/download/{{ k3s_version }}/{{ item }}"
+      loop:
+        - k3s-airgap-images-amd64.tar.zst
+        - k3s
+        - sha256sum-amd64.txt
+
+    - name: Verify k3s downloads
+      shell:
+        cmd: sha256sum --check --ignore-missing sha256sum-amd64.txt
+        chdir: "{{ package_dir }}"
+      changed_when: false
+
+    - name: Download k3s install script
+      get_url:
+        dest: "{{ package_dir }}/install.sh"
+        url: https://get.k3s.io/
+
+    - name: Download kubectl
+      get_url:
+        dest: "{{ package_dir }}/kubectl"
+        url: "https://dl.k8s.io/release/{{ kubectl_version }}/bin/linux/amd64/kubectl"
+
+    - name: Download helm
+      get_url:
+        dest: "{{ package_dir }}/helm.tar.gz"
+        url: "https://get.helm.sh/helm-{{ helm_version }}-linux-amd64.tar.gz"

deploy/ansible/playbook_nuc_setup.yaml

@@ -16,6 +16,7 @@
 
   vars_files:
     - "vars/config_common.yml"
+    - "vars/k3s_versions.yml"
 
   tasks:
     - name: Update packages

deploy/ansible/roles/container_images/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+# Default values for setting up the container images for
+# installing pre-downloaded images
+
+source_image_dir: ../airgap-images
+airgap_image_dir: /var/lib/rancher/k3s/agent/images

deploy/ansible/roles/container_images/tasks/main.yml

@@ -0,0 +1,59 @@
+---
+# Setup airgap images in {{ airgap_image_dir }} to be
+# available when k3s and subsequent helm charts are installed.
+
+- name: Create airgap image directory
+  file:
+    path: "{{ airgap_image_dir }}"
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+
+- name: Copy image files
+  copy:
+    src: "{{ source_image_dir }}/{{ item }}"
+    dest: "{{ airgap_image_dir }}/{{ item }}"
+    owner: root
+    group: root
+    mode: 644
+  loop:
+    - k3s-airgap-images-amd64.tar.zst
+    - middleware-airgap-images-amd64.tar.zst
+    - combine-airgap-images-amd64.tar.zst
+
+# Add k3s, kubectl and the k3s installation script to
+# /usr/local/bin
+- name: Copy k3s & utility programes
+  copy:
+    src: "{{ source_image_dir }}/{{ item }}"
+    dest: /usr/local/bin/{{ item }}
+    owner: root
+    group: root
+    mode: 0755
+  loop:
+    - k3s
+    - kubectl
+    - install.sh
+
+# Install helm
+- name: Create directory for helm installation
+  file:
+    path: /opt/helm/{{ helm_version }}
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+
+- name: Unpack helm
+  shell:
+    cmd: tar xzvf {{ source_image_dir }}/helm.tar.gz -C /opt/helm/{{ helm_version }}
+
+- name: Create link to helm binary
+  file:
+    src: /opt/helm/{{ helm_version }}/linux-amd64/helm
+    dest: /usr/local/bin/helm
+    state: link
+    owner: root
+    group: root
+    mode: 0x755

deploy/ansible/roles/helm_install/defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-helm_version: v3.13.2
+helm_version: v3.15.2
 helm_arch: linux-amd64
 
 helm_download_dir: /opt/helm-{{ helm_version }}-{{ helm_arch }}

deploy/ansible/roles/k8s_install/defaults/main.yml

@@ -16,6 +16,3 @@ k3s_options:
   - traefik
   - --tls-san
   - "{{ k8s_dns_name }}"
-
-k3s_version: "v1.25.14+k3s1"
-kubectl_version: "v1.29"

deploy/ansible/roles/k8s_install/tasks/k3s.yml

@@ -21,50 +21,33 @@
   notify:
     - Reload k3s
 
-- name: Get home directory for {{ k8s_user }}
-  shell: >
-    getent passwd {{ k8s_user }} | awk -F: '{ print $6 }'
-  register: k8s_user_home
-  changed_when: false
-
-- name: Get user group id for {{ k8s_user }}
-  shell: >
-    getent passwd {{ k8s_user }} | awk -F: '{ print $4 }'
-  register: k8s_user_group_id
-  changed_when: false
-
-- name: Create .kube directories
+- name: Create keyring directory if necessary
   file:
-    path: "{{ item.home }}/.kube"
+    path: /etc/apt/keyrings
     state: directory
-    owner: "{{ item.owner }}"
-    group: "{{ item.group }}"
-    mode: 0700
-  loop:
-    - home: "{{ k8s_user_home.stdout }}"
-      owner: "{{ k8s_user }}"
-      group: "{{ k8s_user_group_id.stdout }}"
-    - home: /root
-      owner: root
-      group: root
+    owner: root
+    group: root
+    mode: "0755"
 
-- name: Copy /etc/rancher/k3s/k3s.yaml to .kube/config
-  shell: |
-    cp /etc/rancher/k3s/k3s.yaml {{ item.home }}/.kube/config
-    chown {{ item.owner }}:{{ item.group }} {{ item.home }}/.kube/config
-    chmod 600 {{ item.home }}/.kube/config
-  loop:
-    - home: "{{ k8s_user_home.stdout }}"
-      owner: "{{ k8s_user }}"
-      group: "{{ k8s_user_group_id.stdout }}"
-    - home: /root
-      owner: root
-      group: root
+- name: Download the Kubernetes public signing key
+  shell:
+    cmd: >
+      curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key
+      | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
+    creates: /etc/apt/keyrings/kubernetes-apt-keyring.gpg
+
+- name: Set signing key permissions
+  file:
+    name: /etc/apt/keyrings/kubernetes-apt-keyring.gpg
+    mode: 0644
+    state: file
 
-- name: List contexts
-  command: kubectl --kubeconfig=/etc/rancher/k3s/k3s.yaml config get-contexts
-  register: k3s_contexts
+- name: Add repository
+  apt_repository:
+    repo: "deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.29/deb/ /"
+    filename: kubernetes
+    mode: 0644
 
-- name: Change context name from 'default'
-  command: kubectl --kubeconfig=/etc/rancher/k3s/k3s.yaml config rename-context default {{ kubecfgdir }}
-  when: k3s_contexts.stdout is regex("^\*? +default.*")
+- name: Install kubectl
+  apt:
+    name: kubectl

deploy/ansible/roles/k8s_install/tasks/k3s_airgap.yml

@@ -0,0 +1,22 @@
+---
+################################################
+# Install the k3s Lightweight Kubernetes Engine
+# from Rancher.
+# https://k3s.io/
+################################################
+- name: Install k3s
+  shell:
+    cmd: INSTALL_K3S_SKIP_DOWNLOAD=true /usr/local/bin/install.sh {{ k3s_options | join(' ') }}
+    creates: /etc/systemd/system/k3s.service
+
+# Change KillMode from "process" to "mixed" to eliminate 90s wait for k3s containers
+# to exit.  This limits the ability to upgrade k3s in-place without stopping the
+# current containers but that is not needed for the Combine use case.
+- name: Patch k3s service
+  lineinfile:
+    path: /etc/systemd/system/k3s.service
+    regexp: ^KillMode=
+    state: present
+    line: KillMode=mixed
+  notify:
+    - Reload k3s