easzlab
/
kubeasz
mirror of https://github.com/easzlab/kubeasz.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

在role:kube-master中增加basic_auth相关配置

pull/485/head
gjmzj 2019-03-14 23:51:04 +08:00
parent 75defebbf5
commit 0559c97a11
5 changed files with 20 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
roles/kube-master/defaults/main.yml
View File

@ -10,8 +10,7 @@ MASTER_CERT_HOSTS:
#- "www.test.com" #- "www.test.com"
# apiserver 基础认证(用户名/密码)配置 # apiserver 基础认证(用户名/密码)配置
# BASIC_AUTH_PASS 初次运行时会被随机密码覆盖
# 在 master 节点文件‘/etc/kubernetes/ssl/basic-auth.csv 可以查看密码 # 在 master 节点文件‘/etc/kubernetes/ssl/basic-auth.csv 可以查看密码
BASIC_AUTH_ENABLE: "yes" BASIC_AUTH_ENABLE: "no" # 是否启用 yes/no
BASIC_AUTH_USER: "admin" BASIC_AUTH_USER: "admin"
BASIC_AUTH_PASS: "test1234" BASIC_AUTH_PASS: "_pwd_" # BASIC_AUTH_PASS 初次运行时会被随机密码覆盖

14
roles/kube-master/tasks/main.yml
View File

@ -42,8 +42,22 @@
-profile=kubernetes aggregator-proxy-csr.json | {{ bin_dir }}/cfssljson -bare aggregator-proxy" -profile=kubernetes aggregator-proxy-csr.json | {{ bin_dir }}/cfssljson -bare aggregator-proxy"
tags: upgrade_k8s tags: upgrade_k8s
- block:
- name: 生成 basic-auth 随机密码
shell: 'PWD=`date +%s%N|md5sum|head -c16`; \
sed -i "s/_pwd_/$PWD/g" {{ base_dir }}/roles/kube-master/defaults/main.yml; \
echo $PWD;'
connection: local
register: TMP_PASS
run_once: true
- name: 设置 basic-auth 随机密码
set_fact: BASIC_AUTH_PASS="{{ TMP_PASS.stdout }}"
when: 'BASIC_AUTH_ENABLE == "yes" and BASIC_AUTH_PASS == "_pwd_"'
- name: 创建 basic-auth.csv - name: 创建 basic-auth.csv
template: src=basic-auth.csv.j2 dest={{ ca_dir }}/basic-auth.csv template: src=basic-auth.csv.j2 dest={{ ca_dir }}/basic-auth.csv
when: 'BASIC_AUTH_ENABLE == "yes"'
# 为兼容v1.8版本,配置不同 kube-apiserver的systemd unit文件 # 为兼容v1.8版本,配置不同 kube-apiserver的systemd unit文件
- name: 获取 k8s 版本信息 - name: 获取 k8s 版本信息

1
roles/kube-master/templates/basic-auth.csv.j2
View File

@ -1,2 +1 @@
{{ BASIC_AUTH_PASS }},{{ BASIC_AUTH_USER }},1 {{ BASIC_AUTH_PASS }},{{ BASIC_AUTH_USER }},1
readonly,readonly,2

2
roles/kube-master/templates/kube-apiserver-v1.8.service.j2
View File

@ -13,7 +13,9 @@ ExecStart={{ bin_dir }}/kube-apiserver \
--kubelet-client-certificate={{ ca_dir }}/admin.pem \ --kubelet-client-certificate={{ ca_dir }}/admin.pem \
--kubelet-client-key={{ ca_dir }}/admin-key.pem \ --kubelet-client-key={{ ca_dir }}/admin-key.pem \
--anonymous-auth=false \ --anonymous-auth=false \
{% if BASIC_AUTH_ENABLE == "yes" %}
--basic-auth-file={{ ca_dir }}/basic-auth.csv \ --basic-auth-file={{ ca_dir }}/basic-auth.csv \
{% endif %}
--service-cluster-ip-range={{ SERVICE_CIDR }} \ --service-cluster-ip-range={{ SERVICE_CIDR }} \
--service-node-port-range={{ NODE_PORT_RANGE }} \ --service-node-port-range={{ NODE_PORT_RANGE }} \
--tls-cert-file={{ ca_dir }}/kubernetes.pem \ --tls-cert-file={{ ca_dir }}/kubernetes.pem \

2
roles/kube-master/templates/kube-apiserver.service.j2
View File

@ -13,7 +13,9 @@ ExecStart={{ bin_dir }}/kube-apiserver \
--kubelet-client-certificate={{ ca_dir }}/admin.pem \ --kubelet-client-certificate={{ ca_dir }}/admin.pem \
--kubelet-client-key={{ ca_dir }}/admin-key.pem \ --kubelet-client-key={{ ca_dir }}/admin-key.pem \
--anonymous-auth=false \ --anonymous-auth=false \
{% if BASIC_AUTH_ENABLE == "yes" %}
--basic-auth-file={{ ca_dir }}/basic-auth.csv \ --basic-auth-file={{ ca_dir }}/basic-auth.csv \
{% endif %}
--service-cluster-ip-range={{ SERVICE_CIDR }} \ --service-cluster-ip-range={{ SERVICE_CIDR }} \
--service-node-port-range={{ NODE_PORT_RANGE }} \ --service-node-port-range={{ NODE_PORT_RANGE }} \
--tls-cert-file={{ ca_dir }}/kubernetes.pem \ --tls-cert-file={{ ca_dir }}/kubernetes.pem \