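# Create the working directories and install the cfssl tool-chain plus kubectl
# from the binary cache under base_dir into bin_dir. Native YAML module args
# are used instead of key=value strings so the file mode stays a quoted string
# ("0755") rather than being re-typed by the YAML parser.
- name: prepare some dirs
  file:
    path: "{{ item }}"
    state: directory
  with_items:
    - "{{ bin_dir }}"
    - "{{ ca_dir }}"
    - "{{ base_dir }}"
    - "/etc/kubernetes"

- name: 下载证书工具 CFSSL和 kubectl
  copy:
    src: "{{ base_dir }}/bin/{{ item }}"
    dest: "{{ bin_dir }}/{{ item }}"
    mode: "0755"
  with_items:
    - cfssl
    - cfssl-certinfo
    - cfssljson
    - kubectl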
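# Register p with the stat of the CA certificate. When ca.pem already exists
# every CA-generation step below is skipped, so re-running the role is
# idempotent and never replaces a CA that certificates were already issued from.
- name: 读取ca证书stat信息
  stat:
    path: "{{ ca_dir }}/ca.pem"
  register: p

- name: 准备CA配置文件
  template:
    src: ca-config.json.j2
    dest: "{{ ca_dir }}/ca-config.json"
  when: p.stat.isreg is not defined

- name: 准备CA签名请求
  template:
    src: ca-csr.json.j2
    dest: "{{ ca_dir }}/ca-csr.json"
  when: p.stat.isreg is not defined

- name: 生成 CA 证书和私钥
  shell: >-
    cd {{ ca_dir }} &&
    {{ bin_dir }}/cfssl gencert -initca ca-csr.json | {{ bin_dir }}/cfssljson -bare ca
  when: p.stat.isreg is not defined

# Generate the password used for the cluster's basic auth and write it into the
# BASIC_AUTH_PASS line of the inventory on the control node (connection: local).
# The 16 hex characters are taken from /dev/urandom instead of being derived
# from the current timestamp, so the value cannot be reconstructed from the
# installation time. The variable is no longer called PWD so the shell's own
# working-directory variable is left alone. Guarded by the same condition as
# the CA steps so an existing password survives a re-run.
- name: 生成随机 basic auth 密码
  shell: >-
    BASIC_PASS=$(head -c 32 /dev/urandom | md5sum | head -c 16);
    sed -i "s/^BASIC_AUTH_PASS.*$/BASIC_AUTH_PASS=\"$BASIC_PASS\"/g" {{ base_dir }}/hosts
  connection: local
  when: p.stat.isreg is not defined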
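# ----------- Build the kubectl kubeconfig: /root/.kube/config -----------
# No --kubeconfig is given to these kubectl calls, so they write the default
# file under the remote user's home (/root/.kube/config for root).
- name: 准备kubectl使用的admin 证书签名请求
  template:
    src: admin-csr.json.j2
    dest: "{{ ca_dir }}/admin-csr.json"

- name: 创建 admin证书与私钥
  shell: >-
    cd {{ ca_dir }} &&
    {{ bin_dir }}/cfssl gencert
    -ca={{ ca_dir }}/ca.pem
    -ca-key={{ ca_dir }}/ca-key.pem
    -config={{ ca_dir }}/ca-config.json
    -profile=kubernetes admin-csr.json | {{ bin_dir }}/cfssljson -bare admin

# Cluster entry: the CA certificate and the apiserver address.
- name: 设置集群参数
  shell: >-
    {{ bin_dir }}/kubectl config set-cluster kubernetes
    --certificate-authority={{ ca_dir }}/ca.pem
    --embed-certs=true
    --server={{ KUBE_APISERVER }}

# Client credentials: the admin certificate and private key. With
# --embed-certs=true the key material is copied into the kubeconfig itself,
# so that file must be treated as a secret.
- name: 设置客户端认证参数
  shell: >-
    {{ bin_dir }}/kubectl config set-credentials admin
    --client-certificate={{ ca_dir }}/admin.pem
    --embed-certs=true
    --client-key={{ ca_dir }}/admin-key.pem

# Context: cluster "kubernetes" with user "admin".
- name: 设置上下文参数
  shell: >-
    {{ bin_dir }}/kubectl config set-context kubernetes
    --cluster=kubernetes --user=admin

# Make that context the default one.
- name: 选择默认上下文
  shell: "{{ bin_dir }}/kubectl config use-context kubernetes"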
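# ------------ Build the kube-proxy kubeconfig: /root/kube-proxy.kubeconfig ------------
# The --kubeconfig path is absolute so the result does not depend on the
# working directory the shell module happens to start in; the final task moves
# the file to /etc/kubernetes/.
- name: 准备kube-proxy 证书签名请求
  template:
    src: kube-proxy-csr.json.j2
    dest: "{{ ca_dir }}/kube-proxy-csr.json"

- name: 创建 kube-proxy证书与私钥
  shell: >-
    cd {{ ca_dir }} &&
    {{ bin_dir }}/cfssl gencert
    -ca={{ ca_dir }}/ca.pem
    -ca-key={{ ca_dir }}/ca-key.pem
    -config={{ ca_dir }}/ca-config.json
    -profile=kubernetes kube-proxy-csr.json | {{ bin_dir }}/cfssljson -bare kube-proxy

- name: 设置集群参数
  shell: >-
    {{ bin_dir }}/kubectl config set-cluster kubernetes
    --certificate-authority={{ ca_dir }}/ca.pem
    --embed-certs=true
    --server={{ KUBE_APISERVER }}
    --kubeconfig=/root/kube-proxy.kubeconfig

# --embed-certs=true copies the kube-proxy private key into the kubeconfig.
- name: 设置客户端认证参数
  shell: >-
    {{ bin_dir }}/kubectl config set-credentials kube-proxy
    --client-certificate={{ ca_dir }}/kube-proxy.pem
    --client-key={{ ca_dir }}/kube-proxy-key.pem
    --embed-certs=true
    --kubeconfig=/root/kube-proxy.kubeconfig

- name: 设置上下文参数
  shell: >-
    {{ bin_dir }}/kubectl config set-context default
    --cluster=kubernetes
    --user=kube-proxy
    --kubeconfig=/root/kube-proxy.kubeconfig

- name: 选择默认上下文
  shell: "{{ bin_dir }}/kubectl config use-context default --kubeconfig=/root/kube-proxy.kubeconfig"

- name: 移动 kube-proxy.kubeconfig
  shell: "mv /root/kube-proxy.kubeconfig /etc/kubernetes/"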
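# --- The following handles the case where the ansible control node and the
# deploy node are separate machines ---
# The whole block runs once and only when the address the current SSH session
# came from differs from this host's inventory name.
- block:
    # NOTE(review): the task name says "ansible execution node", but without
    # connection: local this runs on the deploy host — confirm the intended target.
    - name: 在 ansible 执行节点创建 .kube 目录
      file:
        path: /root/.kube
        state: directory

    - name: 获取 kubeconfig 文件
      fetch:
        src: /root/.kube/config
        dest: /root/.kube/config
        flat: true

    - name: 创建 kubectl 命令的软连接
      file:
        src: "{{ base_dir }}/bin/kubectl"
        dest: /usr/bin/kubectl
        state: link
      connection: local

    - name: 安装 rsync
      package:
        name: rsync
        state: present

    - name: 复制 manifests至 deploy节点
      # copy: src={{ base_dir }}/manifests dest={{ base_dir }}  (alternative without rsync)
      synchronize:
        src: "{{ base_dir }}/manifests"
        dest: "{{ base_dir }}"

    # Copies the control node's private SSH key and known_hosts to the deploy
    # node (presumably so the deploy node can reach the cluster hosts). The
    # private key then exists on two machines; keep the deploy node as well
    # protected as the control node, or provision a separate key there.
    - name: 推送 ssh 密钥对至 deploy节点
      copy:
        src: "~/.ssh/{{ item }}"
        dest: "~/.ssh/{{ item }}"
        mode: "0600"
      with_items:
        - id_rsa
        - known_hosts
  run_once: true
  # NOTE(review): SSH_CLIENT is only present in the remote environment when the
  # host was reached over SSH — confirm the deploy host is never reached with
  # a local connection, otherwise this expression is undefined.
  when: "ansible_env['SSH_CLIENT'].split(' ')[0] != inventory_hostname"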