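# Local working directories on the ansible control host.
- name: prepare some dirs
  file:
    path: "{{ item }}"
    state: directory
  with_items:
    - "{{ base_dir }}/.cluster/ssl"
    - "{{ base_dir }}/.cluster/backup"

# The ssl dir receives the CA private key (ca-key.pem) and every client key
# signed with it later in this file; keep the directory owner-only so other
# local accounts on the control host cannot read the key material.
- name: restrict permissions on the local ssl directory
  file:
    path: "{{ base_dir }}/.cluster/ssl"
    state: directory
    mode: "0700"

- name: 本地设置 bin 目录权限
  file:
    path: "{{ base_dir }}/bin"
    state: directory
    mode: "0755"
    recurse: true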
# Idempotency guard: the CA is generated only when ca.pem is absent from the
# ssl dir. A re-run with an existing CA leaves it untouched, so certificates
# already signed by that CA remain valid.
- name: 读取ca证书stat信息
  stat:
    path: "{{ base_dir }}/.cluster/ssl/ca.pem"
  register: p

- name: 准备CA配置文件和签名请求
  template:
    src: "{{ item }}.j2"
    dest: "{{ base_dir }}/.cluster/ssl/{{ item }}"
  with_items:
    - "ca-config.json"
    - "ca-csr.json"
  when: p.stat.isreg is not defined

# cfssl emits the new CA as JSON; cfssljson splits it into ca.pem and
# ca-key.pem (the private key the signing tasks below pass as -ca-key).
# NOTE(review): only ca.pem is checked above; if ca.pem exists but
# ca-key.pem is missing, this task is skipped and later signing fails.
- name: 生成 CA 证书和私钥
  shell: >-
    cd {{ base_dir }}/.cluster/ssl &&
    {{ base_dir }}/bin/cfssl gencert -initca ca-csr.json |
    {{ base_dir }}/bin/cfssljson -bare ca
  when: p.stat.isreg is not defined
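#----------- kubectl kubeconfig for the control host: /root/.kube/config
- block:
    - name: 删除原有kubeconfig
      file:
        path: /root/.kube/config
        state: absent
      ignore_errors: true

    # The read-only RBAC manifest is staged under base_dir instead of /tmp:
    # /tmp is world-writable, so any local account could replace or
    # pre-create the file between the copy and the apply and have its own
    # manifest applied to the cluster.
    - name: 下载 group:read rbac 文件
      copy:
        src: read-group-rbac.yaml
        dest: "{{ base_dir }}/.cluster/read-group-rbac.yaml"
        mode: "0644"
      when: USER_NAME == "read"

    # NOTE(review): this runs after /root/.kube/config has been removed, so
    # kubectl relies on whatever other kubeconfig it finds (e.g. KUBECONFIG
    # in the environment) — confirm that is the intended credential.
    - name: 创建group:read rbac 绑定
      command: "{{ base_dir }}/bin/kubectl apply -f {{ base_dir }}/.cluster/read-group-rbac.yaml"
      when: USER_NAME == "read"

    - name: 准备kubectl使用的{{ USER_NAME }}证书签名请求
      template:
        src: "{{ USER_NAME }}-csr.json.j2"
        dest: "{{ base_dir }}/.cluster/ssl/{{ USER_NAME }}-csr.json"

    # cfssl -> cfssljson needs a pipe, so this stays a shell task; chdir
    # replaces the inline `cd`.
    - name: 创建{{ USER_NAME }}证书与私钥
      shell: >-
        {{ base_dir }}/bin/cfssl gencert
        -ca=ca.pem
        -ca-key=ca-key.pem
        -config=ca-config.json
        -profile=kubernetes {{ USER_NAME }}-csr.json |
        {{ base_dir }}/bin/cfssljson -bare {{ USER_NAME }}
      args:
        chdir: "{{ base_dir }}/.cluster/ssl"

    # The kubectl config steps need no shell features. `command` passes the
    # arguments verbatim, so values such as KUBE_APISERVER or USER_NAME are
    # never interpreted by /bin/sh.
    - name: 设置集群参数
      command: >-
        {{ base_dir }}/bin/kubectl config set-cluster {{ CLUSTER_NAME }}
        --certificate-authority={{ base_dir }}/.cluster/ssl/ca.pem
        --embed-certs=true
        --server={{ KUBE_APISERVER }}

    # --embed-certs inlines the client cert and key into the kubeconfig, so
    # /root/.kube/config holds private key material.
    - name: 设置客户端认证参数
      command: >-
        {{ base_dir }}/bin/kubectl config set-credentials {{ USER_NAME }}
        --client-certificate={{ base_dir }}/.cluster/ssl/{{ USER_NAME }}.pem
        --embed-certs=true
        --client-key={{ base_dir }}/.cluster/ssl/{{ USER_NAME }}-key.pem

    - name: 设置上下文参数
      command: >-
        {{ base_dir }}/bin/kubectl config set-context {{ CONTEXT_NAME }}
        --cluster={{ CLUSTER_NAME }} --user={{ USER_NAME }}

    - name: 选择默认上下文
      command: "{{ base_dir }}/bin/kubectl config use-context {{ CONTEXT_NAME }}"
  tags: create_kctl_cfg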
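#------------ kube-proxy kubeconfig: {{ base_dir }}/.cluster/kube-proxy.kubeconfig
- name: 准备kube-proxy 证书签名请求
  template:
    src: kube-proxy-csr.json.j2
    dest: "{{ base_dir }}/.cluster/ssl/kube-proxy-csr.json"

# cfssl -> cfssljson needs a pipe, so this stays a shell task; chdir
# replaces the inline `cd`.
- name: 创建 kube-proxy证书与私钥
  shell: >-
    {{ base_dir }}/bin/cfssl gencert
    -ca=ca.pem
    -ca-key=ca-key.pem
    -config=ca-config.json
    -profile=kubernetes kube-proxy-csr.json |
    {{ base_dir }}/bin/cfssljson -bare kube-proxy
  args:
    chdir: "{{ base_dir }}/.cluster/ssl"

# The kubectl config steps need no shell features. `command` passes the
# arguments verbatim, so a value such as KUBE_APISERVER is never interpreted
# by /bin/sh.
- name: 设置集群参数
  command: >-
    {{ base_dir }}/bin/kubectl config set-cluster kubernetes
    --certificate-authority={{ base_dir }}/.cluster/ssl/ca.pem
    --embed-certs=true
    --server={{ KUBE_APISERVER }}
    --kubeconfig={{ base_dir }}/.cluster/kube-proxy.kubeconfig

# --embed-certs inlines the kube-proxy client key, so the resulting
# kubeconfig is itself a credential and must be handled like one.
- name: 设置客户端认证参数
  command: >-
    {{ base_dir }}/bin/kubectl config set-credentials kube-proxy
    --client-certificate={{ base_dir }}/.cluster/ssl/kube-proxy.pem
    --client-key={{ base_dir }}/.cluster/ssl/kube-proxy-key.pem
    --embed-certs=true
    --kubeconfig={{ base_dir }}/.cluster/kube-proxy.kubeconfig

- name: 设置上下文参数
  command: >-
    {{ base_dir }}/bin/kubectl config set-context default
    --cluster=kubernetes
    --user=kube-proxy
    --kubeconfig={{ base_dir }}/.cluster/kube-proxy.kubeconfig

- name: 选择默认上下文
  command: >-
    {{ base_dir }}/bin/kubectl config use-context default
    --kubeconfig={{ base_dir }}/.cluster/kube-proxy.kubeconfig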
# Expose the easzctl helper on the control host's PATH via a symlink.
- name: 本地创建 easzctl 工具的软连接
  file:
    src: "{{ base_dir }}/tools/easzctl"
    dest: /usr/bin/easzctl
    state: link
# Convenience settings for the ansible control host.
# `ps aux | wc -l` is used as a heuristic for "not running inside a
# container": a containerised control host lists only a handful of
# processes, so the ~/.bashrc tweaks below are applied only when more than
# 50 lines are reported.
- name: 注册变量以判断是否容器化运行ansible控制端
  shell: "ps aux|wc -l"
  register: procs

# NOTE(review): the regexp matches any ~/.bashrc line containing "kubeasz",
# not just the one generated here — such a line would be replaced.
- name: ansible 控制端写入环境变量$PATH
  when: "procs.stdout|int > 50"
  ignore_errors: true
  lineinfile:
    path: ~/.bashrc
    regexp: 'kubeasz'
    line: 'export PATH={{ base_dir }}/bin/:$PATH # generated by kubeasz'
    state: present

- name: ansible 控制端添加 kubectl 自动补全
  when: "procs.stdout|int > 50"
  ignore_errors: true
  lineinfile:
    path: ~/.bashrc
    regexp: 'kubectl completion'
    line: 'source <(kubectl completion bash)'
    state: present

# Make the bundled kubectl available system-wide; failures are tolerated
# (e.g. /usr/bin/kubectl already present and not a link).
- name: ansible 控制端创建 kubectl 软链接
  ignore_errors: true
  file:
    src: "{{ base_dir }}/bin/kubectl"
    dest: /usr/bin/kubectl
    state: link