feat: добавлены аддоны CSI-S3, CSI-Ceph, CSI-GlusterFS, Vaultwarden

- CSI-S3 (ctrox/csi-s3): монтирование S3/MinIO бакетов как PVC, авто-интеграция с addon_minio через internal MinIO endpoint - Rook-Ceph (csi-ceph): distributed block (RWO) и filesystem (RWX) storage, оператор Helm + CephCluster CRD + StorageClasses, опциональный Dashboard Ingress - CSI GlusterFS: установка glusterfs-client на все ноды, CSI Driver из GitHub releases, StorageClass с Heketi provisioner, Endpoints для прямых подключений - Vaultwarden (guerzon/vaultwarden): self-hosted Bitwarden, авто-версия, SMTP smtp.yandex.ru:465/force_tls, WebSocket, ingress TLS, ServiceMonitor Обновлены: playbooks/addons.yml (8 пропущенных аддонов + 4 новых), group_vars/all/addons.yml (флаги + комментарии конфигурации), vault.yml.example (vaultwarden_admin_token, smtp_password, heketi_secret), Makefile (PHONY + 4 новых цели)
2026-04-25 18:19:22 +03:00
parent 5dc0fbcd3a
commit a209b8a9bf
20 changed files with 891 additions and 0 deletions
--- a/addons/vaultwarden/playbook.yml
+++ b/addons/vaultwarden/playbook.yml
@@ -0,0 +1,7 @@
+---
+- name: Install Vaultwarden
+  hosts: k3s_master[0]
+  gather_facts: false
+  become: true
+  roles:
+    - role: "{{ playbook_dir }}/role"
--- a/addons/vaultwarden/role/defaults/main.yml
+++ b/addons/vaultwarden/role/defaults/main.yml
@@ -0,0 +1,53 @@
+---
+vaultwarden_version: ""    # "" = автоматически последняя версия чарта
+vaultwarden_namespace: "vaultwarden"
+vaultwarden_chart_repo: "https://guerzon.github.io/vaultwarden/"
+
+# ── Основные настройки ────────────────────────────────────────────────────────
+# Публичный URL Vaultwarden (используется для WebAuthn, email-ссылок и т.д.)
+vaultwarden_domain: "https://vault.antropoff.ru"
+
+# Регистрация новых пользователей
+vaultwarden_signups_allowed: false
+
+# WebSocket (нужен для живых уведомлений в клиентах)
+vaultwarden_websocket_enabled: true
+
+# ── Admin Panel ───────────────────────────────────────────────────────────────
+# Токен доступа к /admin — задай в vault.yml: vault_vaultwarden_admin_token
+# Оставь пустым чтобы отключить панель администратора
+vaultwarden_admin_token: "{{ vault_vaultwarden_admin_token | default('') }}"
+
+# ── SMTP ──────────────────────────────────────────────────────────────────────
+vaultwarden_smtp_enabled: false    # включить только если заданы SMTP настройки
+vaultwarden_smtp_host: "smtp.yandex.ru"
+vaultwarden_smtp_from: "vault@antropoff.ru"
+vaultwarden_smtp_from_name: "Vaultwarden"
+vaultwarden_smtp_port: 465
+vaultwarden_smtp_security: "force_tls"    # force_tls | starttls | off
+vaultwarden_smtp_username: "sergey@antropoff.ru"
+# Пароль задаётся в vault.yml: vault_vaultwarden_smtp_password
+vaultwarden_smtp_password: "{{ vault_vaultwarden_smtp_password | default('') }}"
+
+# ── Ingress ───────────────────────────────────────────────────────────────────
+vaultwarden_ingress_enabled: true
+vaultwarden_ingress_host: "vault.antropoff.ru"
+vaultwarden_ingress_class: "{{ ingress_nginx_class_name | default('nginx') }}"
+vaultwarden_ingress_tls: true
+vaultwarden_ingress_cert_issuer: "{{ cert_manager_default_issuer_name | default('letsencrypt-prod') }}"
+
+# ── Хранилище ─────────────────────────────────────────────────────────────────
+vaultwarden_storage_size: "1Gi"
+vaultwarden_storage_class: ""
+
+# ── Метрики ───────────────────────────────────────────────────────────────────
+vaultwarden_metrics_enabled: true
+# ServiceMonitor создаётся только когда addon_prometheus_stack: true
+
+vaultwarden_resources:
+  requests:
+    cpu: 50m
+    memory: 64Mi
+  limits:
+    cpu: 300m
+    memory: 256Mi
--- a/addons/vaultwarden/role/tasks/main.yml
+++ b/addons/vaultwarden/role/tasks/main.yml
@@ -0,0 +1,59 @@
+---
+- name: Add Vaultwarden Helm repo
+  kubernetes.core.helm_repository:
+    name: vaultwarden
+    repo_url: "{{ vaultwarden_chart_repo }}"
+  environment:
+    KUBECONFIG: "{{ k3s_kubeconfig_path }}"
+
+- name: Get latest Vaultwarden chart version
+  ansible.builtin.shell: |
+    helm search repo vaultwarden/vaultwarden --output json | \
+    python3 -c "import sys,json; print(json.load(sys.stdin)[0]['version'])"
+  register: _vaultwarden_latest_version
+  changed_when: false
+  when: vaultwarden_version == ""
+  environment:
+    KUBECONFIG: "{{ k3s_kubeconfig_path }}"
+
+- name: Set Vaultwarden chart version
+  ansible.builtin.set_fact:
+    _vaultwarden_version: "{{ vaultwarden_version if vaultwarden_version != '' else _vaultwarden_latest_version.stdout | trim }}"
+
+- name: Template Vaultwarden values
+  ansible.builtin.template:
+    src: vaultwarden-values.yaml.j2
+    dest: /tmp/vaultwarden-values.yaml
+    mode: '0600'
+
+- name: Install Vaultwarden via Helm
+  kubernetes.core.helm:
+    name: vaultwarden
+    chart_ref: vaultwarden/vaultwarden
+    chart_version: "{{ _vaultwarden_version }}"
+    release_namespace: "{{ vaultwarden_namespace }}"
+    create_namespace: true
+    wait: true
+    timeout: "5m0s"
+    values_files:
+      - /tmp/vaultwarden-values.yaml
+  environment:
+    KUBECONFIG: "{{ k3s_kubeconfig_path }}"
+
+- name: Wait for Vaultwarden to be ready
+  ansible.builtin.command: >
+    k3s kubectl -n {{ vaultwarden_namespace }}
+    rollout status deployment/vaultwarden --timeout=120s
+  changed_when: false
+  retries: 3
+  delay: 10
+
+- name: Show Vaultwarden access info
+  ansible.builtin.debug:
+    msg:
+      - "Vaultwarden установлен в namespace: {{ vaultwarden_namespace }}"
+      - "URL: {{ vaultwarden_domain }}"
+      - "Admin panel: {{ vaultwarden_domain }}/admin"
+      - "{% if vaultwarden_admin_token %}Admin token задан (из vault.yml){% else %}Admin panel отключена (admin_token не задан){% endif %}"
+      - "Регистрация: {{ 'разрешена' if vaultwarden_signups_allowed else 'запрещена' }}"
+      - "SMTP: {{ 'включён (' + vaultwarden_smtp_host + ':' + vaultwarden_smtp_port | string + ')' if vaultwarden_smtp_enabled else 'отключён' }}"
--- a/addons/vaultwarden/role/templates/vaultwarden-values.yaml.j2
+++ b/addons/vaultwarden/role/templates/vaultwarden-values.yaml.j2
@@ -0,0 +1,59 @@
+domain: "{{ vaultwarden_domain }}"
+
+signupsAllowed: {{ vaultwarden_signups_allowed | lower }}
+
+websocket:
+  enabled: {{ vaultwarden_websocket_enabled | lower }}
+
+adminToken:
+  value: "{{ vaultwarden_admin_token }}"
+
+smtp:
+  enabled: {{ vaultwarden_smtp_enabled | lower }}
+{% if vaultwarden_smtp_enabled | bool %}
+  host: "{{ vaultwarden_smtp_host }}"
+  from: "{{ vaultwarden_smtp_from }}"
+  fromName: "{{ vaultwarden_smtp_from_name }}"
+  port: {{ vaultwarden_smtp_port }}
+  security: "{{ vaultwarden_smtp_security }}"
+  username: "{{ vaultwarden_smtp_username }}"
+  password: "{{ vaultwarden_smtp_password }}"
+{% endif %}
+
+ingress:
+  enabled: {{ vaultwarden_ingress_enabled | lower }}
+{% if vaultwarden_ingress_enabled | bool %}
+  hostname: "{{ vaultwarden_ingress_host }}"
+  ingressClassName: "{{ vaultwarden_ingress_class }}"
+  tls: {{ vaultwarden_ingress_tls | lower }}
+{% if vaultwarden_ingress_tls | bool %}
+  annotations:
+    cert-manager.io/cluster-issuer: "{{ vaultwarden_ingress_cert_issuer }}"
+  tlsSecret: "vaultwarden-tls"
+{% endif %}
+{% endif %}
+
+storage:
+  data:
+    accessMode: ReadWriteOnce
+    size: "{{ vaultwarden_storage_size }}"
+{% if vaultwarden_storage_class %}
+    storageClass: "{{ vaultwarden_storage_class }}"
+{% endif %}
+
+metrics:
+  enabled: {{ vaultwarden_metrics_enabled | lower }}
+{% if vaultwarden_metrics_enabled | bool %}
+  serviceMonitor:
+    enabled: {{ (addon_prometheus_stack | default(false)) | lower }}
+    labels:
+      release: kube-prometheus-stack
+{% endif %}
+
+resources:
+  requests:
+    cpu: "{{ vaultwarden_resources.requests.cpu }}"
+    memory: "{{ vaultwarden_resources.requests.memory }}"
+  limits:
+    cpu: "{{ vaultwarden_resources.limits.cpu }}"
+    memory: "{{ vaultwarden_resources.limits.memory }}"