Add complete single-node Kubernetes infrastructure project (Ansible + K8s manifests)#1

Merged
ondrejnr merged 1 commit into main from copilot/create-kubernetes-infrastructure on Feb 23, 2026
Conversation

Contributor

Copilot AI commented Feb 23, 2026

Implements a full infrastructure-as-code project that bootstraps a production-like Kubernetes environment on clean Debian Bookworm, deploying monitoring, nginx, etcd, and a health-checker daemon entirely via Ansible + raw K8s manifests.

Ansible Playbooks (playbooks/)

  • 01-k8s-cluster.yml – swap-off → containerd (Docker repo) → kubeadm init → Flannel CNI → local-path-provisioner (default StorageClass) → untaint control-plane
  • 02-namespaces.yml – creates monitoring, web, database, daemon
  • 03-monitoring.yml – Prometheus + Grafana + Alertmanager + Node Exporter DaemonSet + Nginx Exporter; waits for each rollout
  • 04-nginx.yml – webserver first, then proxy (order matters for upstream DNS)
  • 05-etcd.yml – deploy + smoke test; fault-tolerance steps (scale 5→3→5 + write/read) isolated under --tags fault_test
  • 06-daemon.yml – health-checker pod; waits 45s then validates svstat + log tail
  • site.yml – imports all six in order

K8s Manifests (k8s/)

Monitoring

  • Prometheus with kubernetes_sd for node-exporter endpoint discovery; alert rules: HighCpuLoad >80%, HighMemory >85%, InstanceDown, EtcdQuorumRisk
  • Grafana with auto-provisioned Prometheus datasource and dashboard (CPU, memory, load, nginx req/s); credentials via Secret (not plaintext env)
  • Node Exporter as DaemonSet with hostNetwork/hostPID and NoSchedule toleration

Nginx

  • Webserver (nginx:bookworm): stub_status at /stub_status, static index.html from ConfigMap; NodePort 30081
  • Proxy (nginx:bookworm): initContainer (debian:bookworm) generates self-signed cert via openssl; upstream with keepalive 32 + proxy_http_version 1.1 + Connection ""; proxy_cache backed by emptyDir; TLSv1.2+, strong ciphers, HSTS; NodePorts 30080/30443

Etcd

  • 5-node StatefulSet with headless Service; dynamic PEERS string constructed in-container via shell loop over INITIAL_CLUSTER_SIZE; 1Gi PVC per pod; NodePort 30379

Daemon

  • debian:bookworm container installs python3 + daemontools at startup; svscanboot → supervise process tree; multilog with timestamps and 1MiB rotation; health-checker.py polls every 30s:
    • Prometheus /api/v1/query for node_load1/5/15
    • Nginx /stub_status on both webserver and proxy (captures HTTP headers too)
    • Etcd /health + /v2/members
    • Output: key=value lines under a human-readable timestamped header

Notable decisions

  • All image tags pinned (e.g. prom/prometheus:v2.54.1, grafana/grafana:11.4.0) — no latest
  • Grafana admin credentials stored in a Secret referenced via secretKeyRef
  • Etcd fault-tolerance tasks tagged fault_test so normal runs don't modify cluster state

Original prompt

Task

Create a complete infrastructure project that, starting from a clean Debian Bookworm, automatically:

  1. Creates a single-node Kubernetes cluster (kubeadm + containerd + Flannel CNI + local-path-provisioner)
  2. Deploys all services as Kubernetes workloads

Required services

Monitoring

  • Prometheus with a scrape configuration for all services
  • Node Exporter as a DaemonSet on every node
  • Nginx Exporter for nginx metrics
  • BONUS: Grafana dashboard (CPU, memory, load, nginx req/s) – provisioned automatically
  • BONUS2: Alertmanager with rules (HighCpuLoad >80%, HighMemory >85%, InstanceDown, EtcdQuorumRisk)

Nginx

  • Webserver – nginx:bookworm, serves static files from a ConfigMap, stub_status module enabled
  • Reverse caching proxy – nginx:bookworm, proxy_cache, upstream = webserver
  • BONUS: keepalive connections between proxy and upstream (keepalive 32, proxy_http_version 1.1, Connection "")
  • BONUS2: Secure SSL/TLS (TLSv1.2+, strong ciphers, HSTS, session cache), certificate generated in an initContainer

Distributed system – Etcd

  • 5-node StatefulSet with a headless service
  • PersistentVolumeClaims for every pod
  • Dynamic initial-cluster discovery via a shell script in command
  • Tolerates the failure of 2 instances (quorum = 3) – the playbook tests scaling down to 3 and a write/read

Daemon Health Checker

  • Debian Bookworm pod with daemontools (svscanboot → supervise)
  • BONUS: multilog with rotation and timestamps
  • Python script health-checker.py periodically (every 30s) checks:
    • Monitoring: node_load1, node_load5, node_load15 from the Prometheus API
    • Nginx: stub_status from both the webserver and the proxy, including HTTP headers
    • Etcd: /health endpoint + /v2/members
  • Format: human readable + machine-parsable (key=value)

File structure to create

ansible.cfg
inventory/hosts.yml
playbooks/
  site.yml              # master playbook
  01-k8s-cluster.yml    # kubeadm init, containerd, Flannel, local-path, untaint
  02-namespaces.yml     # monitoring, web, database, daemon
  03-monitoring.yml     # Prometheus + Grafana + Alertmanager + exporters
  04-nginx.yml          # webserver + SSL proxy
  05-etcd.yml           # 5-node StatefulSet + fault tolerance test
  06-daemon.yml         # daemontools + multilog + health-checker
k8s/
  namespaces.yml
  monitoring/
    prometheus-configmap.yml    # prometheus.yml + alert_rules.yml
    prometheus-deployment.yml   # ServiceAccount + RBAC + Deployment + NodePort 30090
    alertmanager.yml            # ConfigMap + Deployment + NodePort 30093
    grafana.yml                 # Provisioning ConfigMaps + Dashboard JSON + Deployment + NodePort 30030
    node-exporter.yml           # DaemonSet (hostNetwork, hostPID) + headless Service
    nginx-exporter.yml          # Deployment + Service in namespace web
  nginx/
    webserver.yml               # ConfigMap (default.conf + index.html) + Deployment + NodePort 30081
    proxy.yml                   # ConfigMap (proxy.conf) + Deployment with initContainer ssl-gen + NodePort 30080/30443
  etcd/
    etcd.yml                    # headless Service + NodePort Service + StatefulSet (5 replicas) + PVC
  daemon/
    daemon.yml                  # ConfigMap (health-checker.py + run + log-run) + Deployment
setup.sh                        # bash script that creates the whole structure (for reference)
README.md                       # documentation with instructions

Detailed file specifications

ansible.cfg

[defaults]
inventory = inventory/hosts.yml
host_key_checking = False
retry_files_enabled = False

inventory/hosts.yml

all:
  hosts:
    localhost:
      ansible_connection: local
  vars:
    project_dir: "{{ playbook_dir }}/.."
    k8s_dir: "{{ project_dir }}/k8s"
    kubeconfig: /etc/kubernetes/admin.conf
    pod_cidr: "10.244.0.0/16"
    k8s_version: "1.30"

playbooks/site.yml

Import all playbooks 01 through 06 in order.

playbooks/01-k8s-cluster.yml

Must perform these steps in order:

  1. swapoff -a + remove swap from /etc/fstab
  2. modprobe overlay, br_netfilter + persist in /etc/modules-load.d/k8s.conf
  3. sysctl net.bridge.bridge-nf-call-iptables=1, net.bridge.bridge-nf-call-ip6tables=1, net.ipv4.ip_forward=1
  4. Install containerd.io from Docker repo for Debian bookworm
  5. Generate default containerd config, enable SystemdCgroup=true
  6. Add K8s repo from pkgs.k8s.io v1.30, install kubeadm kubelet kubectl, hold
  7. kubeadm init --pod-network-cidr=10.244.0.0/16 (skip if /etc/kubernetes/admin.conf exists)
  8. Copy kubeconfig to /root/.kube/config
  9. kubectl apply Flannel CNI
  10. Untaint control-plane node
  11. Install Rancher local-path-provisioner + set as default StorageClass
  12. Wait for node Ready + all kube-system pods Ready

playbooks/02-namespaces.yml

Apply k8s/namespaces.yml

playbooks/03-monitoring.yml

Apply all files in k8s/monitoring/ directory, wait for rollouts

playbooks/04-nginx.yml

Apply webserver.yml first, wait, then proxy.yml, wait

...

This pull request was created from Copilot chat.
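The health-checker output format described in this PR, as an added offline example that is not the PR's own health-checker.py: it parses constructed responses in the formats the checker polls (nginx stub_status, Prometheus /api/v1/query, etcd /health and /v2/members) and emits key=value lines under a timestamped header. The quorum threshold of 3 and the member-count heuristic for EtcdQuorumRisk are assumptions taken from the spec, not the PR's code.

```python
"""Offline model of the health-checker's parsing and key=value output (added example)."""
import json
import re

# Constructed sample responses in the formats the checker polls (not captured from the PR's cluster).
STUB_STATUS = ("Active connections: 2 \nserver accepts handled requests\n"
               " 16 16 31 \nReading: 0 Writing: 1 Waiting: 1 \n")
PROM_QUERY = json.dumps({"status": "success", "data": {"resultType": "vector", "result": [
    {"metric": {"__name__": "node_load1"}, "value": [1700000000, "0.42"]}]}})
ETCD_HEALTH = '{"health":"true"}'
ETCD_MEMBERS = json.dumps({"members": [{"name": f"etcd-{i}"} for i in range(5)]})
QUORUM_SIZE = 3  # assumption: a 5-member etcd cluster keeps quorum with 3 members

def parse_stub_status(text):
    """Parse nginx stub_status output into integer counters."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) != 4 or not lines[0].startswith("Active connections:"):
        raise ValueError("unrecognised stub_status format")
    accepts, handled, requests = (int(x) for x in lines[2].split())
    rww = dict(re.findall(r"(Reading|Writing|Waiting):\s*(\d+)", lines[3]))
    return {"active": int(lines[0].split(":")[1]), "accepts": accepts, "handled": handled,
            "requests": requests, "reading": int(rww["Reading"]),
            "writing": int(rww["Writing"]), "waiting": int(rww["Waiting"])}

def parse_prom_scalar(body):
    """Return the first sample of a Prometheus instant-query vector, or None if empty or failed."""
    doc = json.loads(body)
    result = doc.get("data", {}).get("result", [])
    if doc.get("status") != "success" or not result:
        return None
    return float(result[0]["value"][1])

def etcd_status(health_body, members_body):
    """Combine /health with the /v2/members count; flag risk below QUORUM_SIZE (simplified heuristic)."""
    healthy = json.loads(health_body).get("health") == "true"
    members = len(json.loads(members_body).get("members", []))
    return {"healthy": healthy, "members": members, "quorum_risk": members < QUORUM_SIZE}

def build_report(checks, stamp):
    """Render one key=value line per metric under a human-readable timestamped header."""
    lines = [f"=== health-check {stamp} ==="]
    for prefix, values in checks.items():
        for key, val in values.items():
            lines.append(f"{prefix}.{key}={str(val).lower() if isinstance(val, bool) else val}")
    return "\n".join(lines)

def run_checks():
    """Run every parser over the embedded samples (a real checker would fetch these over HTTP)."""
    return {"nginx.webserver": parse_stub_status(STUB_STATUS),
            "prometheus": {"node_load1": parse_prom_scalar(PROM_QUERY)},
            "etcd": etcd_status(ETCD_HEALTH, ETCD_MEMBERS)}

if __name__ == "__main__":
    from datetime import datetime, timezone
    print(build_report(run_checks(), datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")))
```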



@ondrejnr ondrejnr marked this pull request as ready for review February 23, 2026 23:24
@ondrejnr ondrejnr merged commit 08ea96f into main Feb 23, 2026
1 check passed
Copilot AI changed the title [WIP] Create complete infrastructure project for Kubernetes cluster Add complete single-node Kubernetes infrastructure project (Ansible + K8s manifests) Feb 23, 2026
Copilot AI requested a review from ondrejnr February 23, 2026 23:27