k8s-calico initial commit

.gitignore

@@ -0,0 +1,8 @@
+down/*
+!down/download.sh
+bin/
+ansible.cfg
+hosts
+*.crt
+*.pem
+roles/prepare/files/ca*

01.prepare.yml

@@ -0,0 +1,17 @@
+# 在deploy节点生成CA相关证书，以供整个集群使用
+- hosts: deploy
+  gather_facts: False
+  roles:
+  - ca
+
+# 集群节点的公共配置任务
+- hosts: kube-cluster
+  gather_facts: False
+  roles:
+  - prepare
+
+# 可选，多master部署时的负载均衡配置
+- hosts: lb
+  gather_facts: False
+  roles:
+  - lb

02.etcd.yml

@@ -0,0 +1,4 @@
+- hosts: etcd
+  gather_facts: False
+  roles:
+  - etcd

03.kubectl.yml

@@ -0,0 +1,4 @@
+- hosts: kube-cluster
+  gather_facts: False
+  roles:
+  - kubectl

04.docker.yml

@@ -0,0 +1,4 @@
+- hosts: kube-cluster
+  gather_facts: False
+  roles:
+  - docker

05.calico.yml

@@ -0,0 +1,4 @@
+- hosts: kube-cluster
+  gather_facts: False
+  roles:
+  - calico 

06.kube-master.yml

@@ -0,0 +1,4 @@
+- hosts: kube-master
+  gather_facts: False
+  roles:
+  - kube-master

07.kube-node.yml

@@ -0,0 +1,4 @@
+- hosts: kube-node
+  gather_facts: False
+  roles:
+  - kube-node

90.setup.yml

@@ -0,0 +1,34 @@
+- hosts: kube-cluster
+  gather_facts: False
+  roles:
+  - prepare
+
+- hosts: etcd
+  gather_facts: False
+  roles:
+  - etcd
+
+- hosts: kube-cluster
+  gather_facts: False
+  roles:
+  - kubectl
+
+- hosts: kube-cluster
+  gather_facts: False
+  roles:
+  - docker
+
+- hosts: kube-cluster
+  gather_facts: False
+  roles:
+  - calico
+
+- hosts: kube-master
+  gather_facts: False
+  roles:
+  - kube-master
+
+- hosts: kube-node
+  gather_facts: False
+  roles:
+  - kube-node

95.clean.yml

@@ -0,0 +1,79 @@
+- hosts: kube-node
+  gather_facts: False
+  tasks:
+  - name: stop kube-node service
+    shell: "systemctl stop kubelet kube-proxy calico-node docker"
+    ignore_errors: true
+
+  - name: umount kubelet 挂载的目录
+    shell: "mount | grep '/var/lib/kubelet'| awk '{print $3}'|xargs umount"
+    ignore_errors: true
+
+  - name: 清理目录和文件
+    file: name={{ item }} state=absent
+    with_items:
+    - "/var/lib/kubelet/"
+    - "/var/lib/docker/"
+    - "/var/run/docker/"
+    - "/etc/kubernetes/"
+    - "/etc/systemd/system/kubelet.service"
+    - "/etc/systemd/system/docker.service"
+    - "/etc/systemd/system/kube-proxy.service"
+    - "/etc/systemd/system/calico-node.service"
+   # - "/root/local/bin/"
+
+  - name: 清理 iptables
+    shell: iptables -F && iptables -X && iptables -F -t nat && iptables -X -t nat
+
+  - name: 清理网络
+    shell: "ip link del docker0; ip link del tunl0"
+    ignore_errors: true
+
+- hosts: kube-master
+  gather_facts: False
+  tasks:
+  - name: stop kube-master service
+    shell: "systemctl stop kube-apiserver kube-controller-manager kube-scheduler calico-node"
+    ignore_errors: true
+
+  - name: 清理目录和文件
+    file: name={{ item }} state=absent
+    with_items:
+    - "/var/run/kubernetes"
+    - "/etc/systemd/system/kube-apiserver.service"
+    - "/etc/systemd/system/kube-controller-manager.service"
+    - "/etc/systemd/system/kube-scheduler.service"
+    - "/etc/kubernetes/"
+
+- hosts: etcd
+  gather_facts: False
+  tasks:
+  - name: stop etcd service
+    shell: systemctl stop etcd
+    ignore_errors: true
+
+  - name: 清理目录和文件
+    file: name={{ item }} state=absent
+    with_items:
+    - "/var/lib/etcd"
+    - "/etc/etcd/"
+    - "/etc/systemd/system/etcd.service"
+
+- hosts: lb
+  gather_facts: False
+  tasks:
+  - name: stop keepalived service
+    shell: systemctl disable keepalived && systemctl stop keepalived
+    ignore_errors: true
+
+  - name: stop haproxy service
+    shell: systemctl disable haproxy && systemctl stop haproxy
+    ignore_errors: true
+
+  - name: 清理LB 配置文件目录
+    file: name={{ item }} state=absent
+    with_items:
+    - "/etc/haproxy"
+    - "/etc/keepalived"
+    ignore_errors: true
+

LICENSE

@@ -0,0 +1,191 @@
+Apache License
+Version 2.0, January 2004
+http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+"License" shall mean the terms and conditions for use, reproduction, and
+distribution as defined by Sections 1 through 9 of this document.
+
+"Licensor" shall mean the copyright owner or entity authorized by the copyright
+owner that is granting the License.
+
+"Legal Entity" shall mean the union of the acting entity and all other entities
+that control, are controlled by, or are under common control with that entity.
+For the purposes of this definition, "control" means (i) the power, direct or
+indirect, to cause the direction or management of such entity, whether by
+contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the
+outstanding shares, or (iii) beneficial ownership of such entity.
+
+"You" (or "Your") shall mean an individual or Legal Entity exercising
+permissions granted by this License.
+
+"Source" form shall mean the preferred form for making modifications, including
+but not limited to software source code, documentation source, and configuration
+files.
+
+"Object" form shall mean any form resulting from mechanical transformation or
+translation of a Source form, including but not limited to compiled object code,
+generated documentation, and conversions to other media types.
+
+"Work" shall mean the work of authorship, whether in Source or Object form, made
+available under the License, as indicated by a copyright notice that is included
+in or attached to the work (an example is provided in the Appendix below).
+
+"Derivative Works" shall mean any work, whether in Source or Object form, that
+is based on (or derived from) the Work and for which the editorial revisions,
+annotations, elaborations, or other modifications represent, as a whole, an
+original work of authorship. For the purposes of this License, Derivative Works
+shall not include works that remain separable from, or merely link (or bind by
+name) to the interfaces of, the Work and Derivative Works thereof.
+
+"Contribution" shall mean any work of authorship, including the original version
+of the Work and any modifications or additions to that Work or Derivative Works
+thereof, that is intentionally submitted to Licensor for inclusion in the Work
+by the copyright owner or by an individual or Legal Entity authorized to submit
+on behalf of the copyright owner. For the purposes of this definition,
+"submitted" means any form of electronic, verbal, or written communication sent
+to the Licensor or its representatives, including but not limited to
+communication on electronic mailing lists, source code control systems, and
+issue tracking systems that are managed by, or on behalf of, the Licensor for
+the purpose of discussing and improving the Work, but excluding communication
+that is conspicuously marked or otherwise designated in writing by the copyright
+owner as "Not a Contribution."
+
+"Contributor" shall mean Licensor and any individual or Legal Entity on behalf
+of whom a Contribution has been received by Licensor and subsequently
+incorporated within the Work.
+
+2. Grant of Copyright License.
+
+Subject to the terms and conditions of this License, each Contributor hereby
+grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free,
+irrevocable copyright license to reproduce, prepare Derivative Works of,
+publicly display, publicly perform, sublicense, and distribute the Work and such
+Derivative Works in Source or Object form.
+
+3. Grant of Patent License.
+
+Subject to the terms and conditions of this License, each Contributor hereby
+grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free,
+irrevocable (except as stated in this section) patent license to make, have
+made, use, offer to sell, sell, import, and otherwise transfer the Work, where
+such license applies only to those patent claims licensable by such Contributor
+that are necessarily infringed by their Contribution(s) alone or by combination
+of their Contribution(s) with the Work to which such Contribution(s) was
+submitted. If You institute patent litigation against any entity (including a
+cross-claim or counterclaim in a lawsuit) alleging that the Work or a
+Contribution incorporated within the Work constitutes direct or contributory
+patent infringement, then any patent licenses granted to You under this License
+for that Work shall terminate as of the date such litigation is filed.
+
+4. Redistribution.
+
+You may reproduce and distribute copies of the Work or Derivative Works thereof
+in any medium, with or without modifications, and in Source or Object form,
+provided that You meet the following conditions:
+
+You must give any other recipients of the Work or Derivative Works a copy of
+this License; and
+You must cause any modified files to carry prominent notices stating that You
+changed the files; and
+You must retain, in the Source form of any Derivative Works that You distribute,
+all copyright, patent, trademark, and attribution notices from the Source form
+of the Work, excluding those notices that do not pertain to any part of the
+Derivative Works; and
+If the Work includes a "NOTICE" text file as part of its distribution, then any
+Derivative Works that You distribute must include a readable copy of the
+attribution notices contained within such NOTICE file, excluding those notices
+that do not pertain to any part of the Derivative Works, in at least one of the
+following places: within a NOTICE text file distributed as part of the
+Derivative Works; within the Source form or documentation, if provided along
+with the Derivative Works; or, within a display generated by the Derivative
+Works, if and wherever such third-party notices normally appear. The contents of
+the NOTICE file are for informational purposes only and do not modify the
+License. You may add Your own attribution notices within Derivative Works that
+You distribute, alongside or as an addendum to the NOTICE text from the Work,
+provided that such additional attribution notices cannot be construed as
+modifying the License.
+You may add Your own copyright statement to Your modifications and may provide
+additional or different license terms and conditions for use, reproduction, or
+distribution of Your modifications, or for any such Derivative Works as a whole,
+provided Your use, reproduction, and distribution of the Work otherwise complies
+with the conditions stated in this License.
+
+5. Submission of Contributions.
+
+Unless You explicitly state otherwise, any Contribution intentionally submitted
+for inclusion in the Work by You to the Licensor shall be under the terms and
+conditions of this License, without any additional terms or conditions.
+Notwithstanding the above, nothing herein shall supersede or modify the terms of
+any separate license agreement you may have executed with Licensor regarding
+such Contributions.
+
+6. Trademarks.
+
+This License does not grant permission to use the trade names, trademarks,
+service marks, or product names of the Licensor, except as required for
+reasonable and customary use in describing the origin of the Work and
+reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty.
+
+Unless required by applicable law or agreed to in writing, Licensor provides the
+Work (and each Contributor provides its Contributions) on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied,
+including, without limitation, any warranties or conditions of TITLE,
+NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are
+solely responsible for determining the appropriateness of using or
+redistributing the Work and assume any risks associated with Your exercise of
+permissions under this License.
+
+8. Limitation of Liability.
+
+In no event and under no legal theory, whether in tort (including negligence),
+contract, or otherwise, unless required by applicable law (such as deliberate
+and grossly negligent acts) or agreed to in writing, shall any Contributor be
+liable to You for damages, including any direct, indirect, special, incidental,
+or consequential damages of any character arising as a result of this License or
+out of the use or inability to use the Work (including but not limited to
+damages for loss of goodwill, work stoppage, computer failure or malfunction, or
+any and all other commercial damages or losses), even if such Contributor has
+been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability.
+
+While redistributing the Work or Derivative Works thereof, You may choose to
+offer, and charge a fee for, acceptance of support, warranty, indemnity, or
+other liability obligations and/or rights consistent with this License. However,
+in accepting such obligations, You may act only on Your own behalf and on Your
+sole responsibility, not on behalf of any other Contributor, and only if You
+agree to indemnify, defend, and hold each Contributor harmless for any liability
+incurred by, or claims asserted against, such Contributor by reason of your
+accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS
+
+APPENDIX: How to apply the Apache License to your work
+
+To apply the Apache License to your work, attach the following boilerplate
+notice, with the fields enclosed by brackets "{}" replaced with your own
+identifying information. (Don't include the brackets!) The text should be
+enclosed in the appropriate comment syntax for the file format. We also
+recommend that a file or class name and description of purpose be included on
+the same "printed page" as the copyright notice for easier identification within
+third-party archives.
+
+   Copyright 2017 jmgao
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

README.md

@@ -0,0 +1,80 @@
+# 利用Ansible部署kubernetes集群
+
+本文档记录自己实践部署高可用k8s集群的过程，利用ansible-playbook简化二进制方式部署过程。
+
+网上有很多类似shell脚本和ansible部署版本，要不看得太复杂，或者久未更新，所以这里自己造轮子吧。
+
+二进制方式手动部署，将有助于理解系统各组件的交互原理和熟悉组建启动参数，进而能快速解决实际问题。
+
+1. 建议阅读 [feisky.gitbooks](https://feisky.gitbooks.io/kubernetes/) 原理和部署章节。
+1. 建议阅读 [opsnull教程](https://github.com/opsnull/follow-me-install-kubernetes-cluster) 二进制手工部署。
+
+本文是按照上述文档，更新组件实践修饰而成，修改了部分安全特性。
+
+## 特性
+
+1. 截至2017-10-4 最新组件版本，参见[down版本](./down/download.sh) 文件。
+1. 因本人部署节点IP属于同一网段，使用flannel新后端[host-gw](https://github.com/coreos/flannel/blob/master/Documentation/backends.md) 提升部分性能。
+
+## 快速指南
+
+以下为快速体验k8s集群的测试、开发环境--AllinOne部署，觉得比官方的minikube方便、简单很多。
+
+### 1.准备一台虚机(推荐内存3G，CPU 2，硬盘 30G以上)，安装Ubuntu16.04，配置基础网络、更新源、SSH登陆等。
+### 2.安装python2/git/python-pip/ansible
+``` bash
+# 更新
+apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y
+# 删除不要的默认安装
+apt-get purge ufw lxd lxd-client lxcfs lxc-common
+# 安装依赖工具
+apt-get install python2.7 git python-pip
+# 安装ansible
+pip install pip --upgrade
+pip install ansible
+# 国内加速
+pip install pip --upgrade -i http://mirrors.aliyun.com/pypi/simple/ --trusted-host mirrors.aliyun.com
+pip install --no-cache-dir ansible -i http://mirrors.aliyun.com/pypi/simple/ --trusted-host mirrors.aliyun.com
+# 配置ansible ssh密钥登陆
+ssh-keygen -t rsa -b 2048 回车 回车 回车
+ssh-copy-id $IP //$IP为本虚机地址
+```
+### 3.安装k8s
+``` bash
+git clone https://gitee.com/netmon/deploy-k8s-with-ansible.git
+mv deploy-k8s-with-ansible/ /etc/ansible
+cd /etc/ansible
+# 配置ansible
+cp example/ansible.cfg.example ansible.cfg
+# 配置集群hosts
+cp example/hosts.allinone.example hosts
+然后根据实际情况修改此hosts文件
+# 准备二进制安装包
+按照down/download.sh文件提示先手工下载各种tar包到 ./down目录
+sh down/download.sh
+# 开始安装(一步安装)
+ansible-playbook 90.setup.yml
+# 或者采用分步安装
+ansible-playbook 01.prepare.yml
+ansible-playbook 02.etcd.yml
+...
+```
+如果执行成功，k8s集群就安装好了
+
+### 4.验证安装
+``` bash
+kubectl version
+kubectl get componentstatus # 可以看到scheduler/controller-manager/etcd等组件 Healthy
+kubectl clusterinfo # 可以看到kubernetes master(apiserver)组件 running
+kubectl get node # 可以看到单 node Ready状态
+kubectl get pod --all-namespaces # 可以查看所有集群pod状态
+kubectl get svc --all-namespaces # 可以查看所有集群服务状态
+```
+
+## 多节点指南(文档更新中...)
+1. 准备4台虚机(物理机也可，虚机实验更方便)，安装Ubuntu16.04(centos7理论上一样，不想ansible脚本太多条件判断)
+1. 准备一台部署机(可以复用上述4台虚机)，安装ansible，配置到4台目标机器ssh无密码登陆等
+1. 准备外部负载均衡，准备master节点的vip地址
+1. 规划集群节点，完成ansible inventory文件[参考](hosts)
+1. 其他安装步骤同单节点安装
+

down/download.sh

@@ -0,0 +1,109 @@
+#!/bin/bash
+#主要组件版本如下
+export K8S_VER=v1.7.7
+export ETCD_VER=v3.2.8
+export FLANNEL_VER=v0.9.0
+export DOCKER_VER=17.09.0-ce
+export CALICO_VER=v1.6.1
+
+echo "\n----download k8s binary at:"
+echo https://dl.k8s.io/${K8S_VER}/kubernetes-server-linux-amd64.tar.gz
+
+echo "\n----download etcd binary at:"
+echo https://github.com/coreos/etcd/releases/download/${ETCD_VER}/etcd-${ETCD_VER}-linux-amd64.tar.gz
+echo https://storage.googleapis.com/etcd/${ETCD_VER}/etcd-${ETCD_VER}-linux-amd64.tar.gz
+
+echo "\n----download flannel binary at:"
+echo https://github.com/coreos/flannel/releases/download/${FLANNEL_VER}/flannel-${FLANNEL_VER}-linux-amd64.tar.gz
+
+echo "\n----download calicoctl binary at:"
+echo https://github.com/projectcalico/calicoctl/releases/download/${CALICO_VER}/calicoctl
+
+echo "\n----download docker binary at:"
+echo https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKER_VER}.tgz
+
+echo "\n----download ca tools at:"
+echo https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
+echo https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
+echo https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
+
+echo "\n注意1：因为网络原因不进行自动下载"
+echo "请按照以上链接手动下载二进制包到down目录中，包含如下："
+echo "-rw-r--r-- 1 root root   6595195 Mar 30  2016 cfssl-certinfo_linux-amd64"
+echo "-rw-r--r-- 1 root root   2277873 Mar 30  2016 cfssljson_linux-amd64"
+echo "-rw-r--r-- 1 root root  10376657 Mar 30  2016 cfssl_linux-amd64"
+echo "-rwxr--r-- 1 root root  29699281 Aug 24 17:09 docker-17.06.1-ce.tgz*"
+echo "-rwxr--r-- 1 root root  10176124 Aug 24 17:09 etcd-v3.2.6-linux-amd64.tar.gz*"
+echo "-rwxr--r-- 1 root root   9090192 Aug 24 17:09 flannel-v0.8.0-linux-amd64.tar.gz*"
+echo "-rwxr--r-- 1 root root 437406487 Aug 24 17:09 kubernetes-server-linux-amd64.tar.gz*"
+
+echo "\n注意2：如果还没有手工下载tar包，请Ctrl-c结束此脚本\nsleep 60"
+sleep 60
+
+mkdir -p ../bin
+### 准备证书工具程序
+echo "\n准备证书工具程序..."
+if [ -f "cfssl_linux-amd64" ]; then
+  mv cfssl_linux-amd64 ../bin/cfssl
+else
+  echo 请先下载https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
+fi
+if [ -f "cfssljson_linux-amd64" ]; then
+  mv cfssljson_linux-amd64 ../bin/cfssljson
+else
+  echo 请先下载https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
+fi
+if [ -f "cfssl-certinfo_linux-amd64" ]; then
+  mv cfssl-certinfo_linux-amd64 ../bin/cfssl-certinfo
+else
+  echo 请先下载https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
+fi
+
+### 准备etcd程序
+echo "\n准备etcd二进制程序..."
+if [ -f "etcd-${ETCD_VER}-linux-amd64.tar.gz" ]; then
+  echo "\nextracting etcd binaries..."
+  tar zxf etcd-${ETCD_VER}-linux-amd64.tar.gz
+  mv etcd-${ETCD_VER}-linux-amd64/etcd* ../bin
+else
+  echo 请先下载etcd-${ETCD_VER}-linux-amd64.tar.gz
+fi
+
+### 准备flannel程序
+echo "\n准备flannel二进制程序..."
+if [ -f "flannel-${FLANNEL_VER}-linux-amd64.tar.gz" ]; then
+  echo "\nextracting flannel binaries..."
+  tar zxf flannel-${FLANNEL_VER}-linux-amd64.tar.gz
+  mv flanneld mk-docker-opts.sh ../bin
+  rm README.md
+else
+  echo 请先下载flannel-${FLANNEL_VER}-linux-amd64.tar.gz
+fi
+
+### 准备kubernetes程序
+echo "\n准备kubernetes二进制程序..."
+if [ -f "kubernetes-server-linux-amd64.tar.gz" ]; then
+  echo "\nextracting kubernetes binaries..."
+  tar zxf kubernetes-server-linux-amd64.tar.gz
+  mv kubernetes/server/bin/kube-apiserver ../bin
+  mv kubernetes/server/bin/kube-controller-manager ../bin
+  mv kubernetes/server/bin/kubectl ../bin
+  mv kubernetes/server/bin/kubelet ../bin
+  mv kubernetes/server/bin/kube-proxy ../bin
+  mv kubernetes/server/bin/kube-scheduler ../bin
+else
+  echo 请先下载kubernetes-server-linux-amd64.tar.gz
+fi
+
+### 准备docker程序
+echo "\n准备docker二进制程序..."
+if [ -f "docker-${DOCKER_VER}.tgz" ]; then
+  echo "\nextracting docker binaries..."
+  tar zxf docker-${DOCKER_VER}.tgz
+  mv docker/docker* ../bin
+  if [ -f "docker/completion/bash/docker" ]; then
+    mv -f docker/completion/bash/docker ../roles/kube-node/files/docker
+  fi
+else
+  echo 请先下载docker-${DOCKER_VER}.tgz
+fi

example/ansible.cfg.example

@@ -0,0 +1,264 @@
+# config file for ansible -- http://ansible.com/
+# ==============================================
+
+# nearly all parameters can be overridden in ansible-playbook 
+# or with command line flags. ansible will read ANSIBLE_CONFIG,
+# ansible.cfg in the current working directory, .ansible.cfg in
+# the home directory or /etc/ansible/ansible.cfg, whichever it
+# finds first
+
+[defaults]
+
+# some basic default values...
+
+#inventory      = /etc/ansible/hosts
+#library        = /usr/share/my_modules/
+#remote_tmp     = $HOME/.ansible/tmp
+#forks          = 5
+#poll_interval  = 15
+#sudo_user      = root
+#ask_sudo_pass = True
+#ask_pass      = True
+#transport      = smart
+#remote_port    = 22
+#module_lang    = C
+
+# plays will gather facts by default, which contain information about
+# the remote system.
+#
+# smart - gather by default, but don't regather if already gathered
+# implicit - gather by default, turn off with gather_facts: False
+# explicit - do not gather by default, must say gather_facts: True
+#gathering = implicit
+
+# additional paths to search for roles in, colon separated
+roles_path    = /etc/ansible/roles
+
+# uncomment this to disable SSH key host checking
+#host_key_checking = False
+
+# change the default callback
+#stdout_callback = skippy
+# enable additional callbacks
+#callback_whitelist = timer, mail
+
+# change this for alternative sudo implementations
+#sudo_exe = sudo
+
+# What flags to pass to sudo
+# WARNING: leaving out the defaults might create unexpected behaviours
+#sudo_flags = -H -S -n
+
+# SSH timeout
+#timeout = 10
+
+# default user to use for playbooks if user is not specified
+# (/usr/bin/ansible will use current user as default)
+#remote_user = root
+
+# logging is off by default unless this path is defined
+# if so defined, consider logrotate
+#log_path = /var/log/ansible.log
+
+# default module name for /usr/bin/ansible
+#module_name = command
+
+# use this shell for commands executed under sudo
+# you may need to change this to bin/bash in rare instances
+# if sudo is constrained
+#executable = /bin/sh
+
+# if inventory variables overlap, does the higher precedence one win
+# or are hash values merged together?  The default is 'replace' but
+# this can also be set to 'merge'.
+#hash_behaviour = replace
+
+# by default, variables from roles will be visible in the global variable
+# scope. To prevent this, the following option can be enabled, and only
+# tasks and handlers within the role will see the variables there
+#private_role_vars = yes
+
+# list any Jinja2 extensions to enable here:
+#jinja2_extensions = jinja2.ext.do,jinja2.ext.i18n
+
+# if set, always use this private key file for authentication, same as 
+# if passing --private-key to ansible or ansible-playbook
+#private_key_file = /path/to/file
+
+# format of string {{ ansible_managed }} available within Jinja2
+# templates indicates to users editing templates files will be replaced.
+# replacing {file}, {host} and {uid} and strftime codes with proper values.
+#ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
+# This short version is better used in templates as it won't flag the file as changed every run.
+#ansible_managed = Ansible managed: {file} on {host}
+
+# by default, ansible-playbook will display "Skipping [host]" if it determines a task
+# should not be run on a host.  Set this to "False" if you don't want to see these "Skipping" 
+# messages. NOTE: the task header will still be shown regardless of whether or not the 
+# task is skipped.
+#display_skipped_hosts = True
+
+# by default (as of 1.3), Ansible will raise errors when attempting to dereference 
+# Jinja2 variables that are not set in templates or action lines. Uncomment this line
+# to revert the behavior to pre-1.3.
+#error_on_undefined_vars = False
+
+# by default (as of 1.6), Ansible may display warnings based on the configuration of the
+# system running ansible itself. This may include warnings about 3rd party packages or
+# other conditions that should be resolved if possible.
+# to disable these warnings, set the following value to False:
+#system_warnings = True
+
+# by default (as of 1.4), Ansible may display deprecation warnings for language
+# features that should no longer be used and will be removed in future versions.
+# to disable these warnings, set the following value to False:
+#deprecation_warnings = True
+
+# (as of 1.8), Ansible can optionally warn when usage of the shell and
+# command module appear to be simplified by using a default Ansible module
+# instead.  These warnings can be silenced by adjusting the following
+# setting or adding warn=yes or warn=no to the end of the command line 
+# parameter string.  This will for example suggest using the git module
+# instead of shelling out to the git command.
+# command_warnings = False
+
+
+# set plugin path directories here, separate with colons
+#action_plugins     = /usr/share/ansible/plugins/action
+#callback_plugins   = /usr/share/ansible/plugins/callback
+#connection_plugins = /usr/share/ansible/plugins/connection
+#lookup_plugins     = /usr/share/ansible/plugins/lookup
+#vars_plugins       = /usr/share/ansible/plugins/vars
+#filter_plugins     = /usr/share/ansible/plugins/filter
+#test_plugins       = /usr/share/ansible/plugins/test
+
+# by default callbacks are not loaded for /bin/ansible, enable this if you
+# want, for example, a notification or logging callback to also apply to 
+# /bin/ansible runs
+#bin_ansible_callbacks = False
+
+
+# don't like cows?  that's unfortunate.
+# set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1 
+#nocows = 1
+
+# set which cowsay stencil you'd like to use by default. When set to 'random',
+# a random stencil will be selected for each task. The selection will be filtered
+# against the `cow_whitelist` option below.
+#cow_selection = default
+#cow_selection = random
+
+# when using the 'random' option for cowsay, stencils will be restricted to this list.
+# it should be formatted as a comma-separated list with no spaces between names.
+# NOTE: line continuations here are for formatting purposes only, as the INI parser
+#       in python does not support them.
+#cow_whitelist=bud-frogs,bunny,cheese,daemon,default,dragon,elephant-in-snake,elephant,eyes,\
+#              hellokitty,kitty,luke-koala,meow,milk,moofasa,moose,ren,sheep,small,stegosaurus,\
+#              stimpy,supermilker,three-eyes,turkey,turtle,tux,udder,vader-koala,vader,www
+
+# don't like colors either?
+# set to 1 if you don't want colors, or export ANSIBLE_NOCOLOR=1
+#nocolor = 1
+
+# if set to a persistent type (not 'memory', for example 'redis') fact values
+# from previous runs in Ansible will be stored.  This may be useful when
+# wanting to use, for example, IP information from one group of servers
+# without having to talk to them in the same playbook run to get their
+# current IP information.
+#fact_caching = memory
+
+
+# retry files
+# When a playbook fails by default a .retry file will be created in ~/
+# You can disable this feature by setting retry_files_enabled to False
+# and you can change the location of the files by setting retry_files_save_path
+
+#retry_files_enabled = False
+#retry_files_save_path = ~/.ansible-retry
+
+
+# prevents logging of task data, off by default
+#no_log = False
+
+# prevents logging of tasks, but only on the targets, data is still logged on the master/controller
+#no_target_syslog = False
+
+# controls the compression level of variables sent to
+# worker processes. At the default of 0, no compression
+# is used. This value must be an integer from 0 to 9.
+#var_compression_level = 9
+
+[privilege_escalation]
+#become=True
+#become_method=sudo
+#become_user=root
+#become_ask_pass=False
+
+[paramiko_connection]
+
+# uncomment this line to cause the paramiko connection plugin to not record new host
+# keys encountered.  Increases performance on new host additions.  Setting works independently of the
+# host key checking setting above.
+#record_host_keys=False
+
+# by default, Ansible requests a pseudo-terminal for commands executed under sudo. Uncomment this
+# line to disable this behaviour.
+#pty=False
+
+[ssh_connection]
+
+# ssh arguments to use
+# Leaving off ControlPersist will result in poor performance, so use 
+# paramiko on older platforms rather than removing it
+#ssh_args = -o ControlMaster=auto -o ControlPersist=60s
+
+# The path to use for the ControlPath sockets. This defaults to
+# "%(directory)s/ansible-ssh-%%h-%%p-%%r", however on some systems with
+# very long hostnames or very long path names (caused by long user names or 
+# deeply nested home directories) this can exceed the character limit on
+# file socket names (108 characters for most platforms). In that case, you 
+# may wish to shorten the string below.
+# 
+# Example: 
+# control_path = %(directory)s/%%h-%%r
+#control_path = %(directory)s/ansible-ssh-%%h-%%p-%%r
+
+# Enabling pipelining reduces the number of SSH operations required to 
+# execute a module on the remote server. This can result in a significant 
+# performance improvement when enabled, however when using "sudo:" you must 
+# first disable 'requiretty' in /etc/sudoers
+#
+# By default, this option is disabled to preserve compatibility with
+# sudoers configurations that have requiretty (the default on many distros).
+# 
+#pipelining = False
+
+# if True, make ansible use scp if the connection type is ssh 
+# (default is sftp)
+#scp_if_ssh = True
+
+# if False, sftp will not use batch mode to transfer files. This may cause some
+# types of file transfer failures impossible to catch however, and should
+# only be disabled if your sftp version has problems with batch mode
+#sftp_batch_mode = False
+
+[accelerate]
+#accelerate_port = 5099
+#accelerate_timeout = 30
+#accelerate_connect_timeout = 5.0
+
+# The daemon timeout is measured in minutes. This time is measured
+# from the last activity to the accelerate daemon.
+#accelerate_daemon_timeout = 30 
+
+# If set to yes, accelerate_multi_key will allow multiple
+# private keys to be uploaded to it, though each user must
+# have access to the system via SSH to add a new key. The default
+# is "no".
+#accelerate_multi_key = yes
+
+[selinux]
+# file systems that require special treatment when dealing with security context
+# the default behaviour that copies the existing context or uses the user default
+# needs to be changed to use the file system dependent context.
+#special_context_filesystems=nfs,vboxsf,fuse,ramfs

example/hosts.allinone.example

@@ -0,0 +1,74 @@
+# 部署节点：运行ansible 脚本的节点
+[deploy]
+192.168.1.1
+
+#etcd集群请提供如下NODE_NAME、NODE_IP变量
+[etcd]
+192.168.1.1 NODE_NAME=etcd1 NODE_IP="192.168.1.1"
+
+[kube-master]
+192.168.1.1
+
+#确保node节点有变量NODE_ID=node1
+[kube-node]
+192.168.1.1 NODE_ID=node1 NODE_IP="192.168.1.1"
+
+[kube-cluster:children]
+kube-node
+kube-master
+
+[kube-cluster:vars]
+# ---------集群主要参数---------------
+#集群 MASTER IP
+MASTER_IP="192.168.1.1"
+
+#集群 APISERVER
+KUBE_APISERVER="https://192.168.1.1:6443"
+
+#TLS Bootstrapping 使用的 Token，使用 head -c 16 /dev/urandom | od -An -t x | tr -d ' ' 生成
+BOOTSTRAP_TOKEN="d18f94b5fa585c7123f56803d925d2e7"
+
+# 服务网段 (Service CIDR），部署前路由不可达，部署后集群内使用 IP:Port 可达
+SERVICE_CIDR="10.68.0.0/16"
+
+# POD 网段 (Cluster CIDR），部署前路由不可达，**部署后**路由可达 (flanneld 保证)
+CLUSTER_CIDR="172.20.0.0/16"
+
+# 服务端口范围 (NodePort Range)
+NODE_PORT_RANGE="2000-8000"
+
+# flanneld 网络配置前缀
+FLANNEL_ETCD_PREFIX="/kubernetes/network"
+
+# kubernetes 服务 IP (预分配，一般是 SERVICE_CIDR 中第一个IP)
+CLUSTER_KUBERNETES_SVC_IP="10.68.0.1"
+
+# 集群 DNS 服务 IP (从 SERVICE_CIDR 中预分配)
+CLUSTER_DNS_SVC_IP="10.68.0.2"
+
+# 集群 DNS 域名
+CLUSTER_DNS_DOMAIN="cluster.local."
+
+# etcd 集群间通信的IP和端口, **根据实际 etcd 集群成员设置**
+ETCD_NODES="etcd1=https://192.168.1.1:2380"
+
+# etcd 集群服务地址列表, **根据实际 etcd 集群成员设置**
+ETCD_ENDPOINTS="https://192.168.1.1:2379"
+
+# 集群basic auth 使用的用户名和密码
+BASIC_AUTH_USER="admin"
+BASIC_AUTH_PASS="test1234"
+
+# ---------附加参数--------------------
+#默认二进制文件目录
+bin_dir="/root/local/bin"
+
+#证书目录
+ca_dir="/etc/kubernetes/ssl"
+
+#部署目录，即 ansible 工作目录
+base_dir="/etc/ansible"
+
+#私有仓库 harbor服务器 (域名或者IP)
+#需要把 harbor服务器证书复制到roles/harbor/files/harbor-ca.crt
+HARBOR_SERVER="harbor.yourdomain.com"

example/hosts.m-masters.example

@@ -0,0 +1,91 @@
+# 部署节点：运行这份 ansible 脚本的节点
+[deploy]
+192.168.1.1
+
+# 负载均衡至少两个节点，安装 haproxy+keepalived
+[lb]
+192.168.1.1 LB_NAME=lb1 LB_IF="eth0" LB_ROLE=master
+192.168.1.2 LB_NAME=lb2 LB_IF="eth0" LB_ROLE=backup
+[lb:vars]
+LB_EP1="192.168.1.1:6443"	# api-server 实际成员地址端口
+LB_EP2="192.168.1.2:6443"	# api-server 实际成员地址端口
+MASTER_IP="192.168.1.100"  	# api-server 虚地址
+MASTER_PORT="8443"		# api-server 服务端口
+
+# etcd集群请提供如下NODE_NAME、NODE_IP变量
+# 请注意etcd集群必须是3,5,7...奇数个节点
+[etcd]
+192.168.1.1 NODE_NAME=etcd1 NODE_IP="192.168.1.1"
+192.168.1.2 NODE_NAME=etcd2 NODE_IP="192.168.1.2"
+192.168.1.3 NODE_NAME=etcd3 NODE_IP="192.168.1.3"
+
+[kube-master]
+192.168.1.1
+192.168.1.2
+
+#确保node节点有变量NODE_ID=node1
+[kube-node]
+192.168.1.1 NODE_ID=node1 NODE_IP="192.168.1.1"
+192.168.1.2 NODE_ID=node2 NODE_IP="192.168.1.2"
+192.168.1.3 NODE_ID=node3 NODE_IP="192.168.1.3"
+192.168.1.4 NODE_ID=node4 NODE_IP="192.168.1.4"
+192.168.1.5 NODE_ID=node5 NODE_IP="192.168.1.5"
+
+[kube-cluster:children]
+kube-node
+kube-master
+lb
+
+[kube-cluster:vars]
+# ---------集群主要参数---------------
+#集群 MASTER IP, 需要外部负载均衡，一般为VIP地址
+MASTER_IP="192.168.1.100"
+KUBE_APISERVER="https://192.168.1.100:8443"
+
+#TLS Bootstrapping 使用的 Token，使用 head -c 16 /dev/urandom | od -An -t x | tr -d ' ' 生成
+BOOTSTRAP_TOKEN="d18f94b5fa585c7123f56803d925d2e7"
+
+# 服务网段 (Service CIDR），部署前路由不可达，部署后集群内使用 IP:Port 可达
+SERVICE_CIDR="10.68.0.0/16"
+
+# POD 网段 (Cluster CIDR），部署前路由不可达，**部署后**路由可达 (flanneld 保证)
+CLUSTER_CIDR="172.20.0.0/16"
+
+# 服务端口范围 (NodePort Range)
+NODE_PORT_RANGE="2000-8000"
+
+# flanneld 网络配置前缀
+FLANNEL_ETCD_PREFIX="/kubernetes/network"
+
+# kubernetes 服务 IP (预分配，一般是 SERVICE_CIDR 中第一个IP)
+CLUSTER_KUBERNETES_SVC_IP="10.68.0.1"
+
+# 集群 DNS 服务 IP (从 SERVICE_CIDR 中预分配)
+CLUSTER_DNS_SVC_IP="10.68.0.2"
+
+# 集群 DNS 域名
+CLUSTER_DNS_DOMAIN="cluster.local."
+
+# etcd 集群间通信的IP和端口, **根据实际 etcd 集群成员设置**
+ETCD_NODES="etcd1=https://192.168.1.1:2380,etcd2=https://192.168.1.2:2380,etcd3=https://192.168.1.3:2380"
+
+# etcd 集群服务地址列表, **根据实际 etcd 集群成员设置**
+ETCD_ENDPOINTS="https://192.168.1.1:2379,https://192.168.1.2:2379,https://192.168.1.3:2379"
+
+# 集群basic auth 使用的用户名和密码
+BASIC_AUTH_USER="admin"
+BASIC_AUTH_PASS="test1234"
+
+# ---------附加参数--------------------
+#默认二进制文件目录
+bin_dir="/root/local/bin"
+
+#证书目录
+ca_dir="/etc/kubernetes/ssl"
+
+#部署目录，即 ansible 工作目录
+base_dir="/etc/ansible"
+
+#私有仓库 harbor服务器 (域名或者IP)
+#需要把 harbor服务器证书复制到roles/harbor/files/harbor-ca.crt
+HARBOR_SERVER="harbor.yourdomain.com"

example/hosts.s-master.example

@@ -0,0 +1,78 @@
+# 部署节点：运行ansible 脚本的节点
+[deploy]
+192.168.1.1
+
+#etcd集群请提供如下NODE_NAME、NODE_IP变量
+[etcd]
+192.168.1.1 NODE_NAME=etcd1 NODE_IP="192.168.1.1"
+192.168.1.2 NODE_NAME=etcd2 NODE_IP="192.168.1.2"
+192.168.1.3 NODE_NAME=etcd3 NODE_IP="192.168.1.3"
+
+[kube-master]
+192.168.1.1
+
+#确保node节点有变量NODE_ID=node1
+[kube-node]
+192.168.1.1 NODE_ID=node1 NODE_IP="192.168.1.1"
+192.168.1.2 NODE_ID=node2 NODE_IP="192.168.1.2"
+192.168.1.3 NODE_ID=node3 NODE_IP="192.168.1.3"
+
+[kube-cluster:children]
+kube-node
+kube-master
+
+[kube-cluster:vars]
+# ---------集群主要参数---------------
+#集群 MASTER IP
+MASTER_IP="192.168.1.1"
+
+#集群 APISERVER
+KUBE_APISERVER="https://192.168.1.1:6443"
+
+#TLS Bootstrapping 使用的 Token，使用 head -c 16 /dev/urandom | od -An -t x | tr -d ' ' 生成
+BOOTSTRAP_TOKEN="d18f94b5fa585c7123f56803d925d2e7"
+
+# 服务网段 (Service CIDR），部署前路由不可达，部署后集群内使用 IP:Port 可达
+SERVICE_CIDR="10.68.0.0/16"
+
+# POD 网段 (Cluster CIDR），部署前路由不可达，**部署后**路由可达 (flanneld 保证)
+CLUSTER_CIDR="172.20.0.0/16"
+
+# 服务端口范围 (NodePort Range)
+NODE_PORT_RANGE="2000-8000"
+
+# flanneld 网络配置前缀
+FLANNEL_ETCD_PREFIX="/kubernetes/network"
+
+# kubernetes 服务 IP (预分配，一般是 SERVICE_CIDR 中第一个IP)
+CLUSTER_KUBERNETES_SVC_IP="10.68.0.1"
+
+# 集群 DNS 服务 IP (从 SERVICE_CIDR 中预分配)
+CLUSTER_DNS_SVC_IP="10.68.0.2"
+
+# 集群 DNS 域名
+CLUSTER_DNS_DOMAIN="cluster.local."
+
+# etcd 集群间通信的IP和端口, **根据实际 etcd 集群成员设置**
+ETCD_NODES="etcd1=https://192.168.1.1:2380,etcd2=https://192.168.1.2:2380,etcd3=https://192.168.1.3:2380"
+
+# etcd 集群服务地址列表, **根据实际 etcd 集群成员设置**
+ETCD_ENDPOINTS="https://192.168.1.1:2379,https://192.168.1.2:2379,https://192.168.1.3:2379"
+
+# 集群basic auth 使用的用户名和密码
+BASIC_AUTH_USER="admin"
+BASIC_AUTH_PASS="test1234"
+
+# ---------附加参数--------------------
+#默认二进制文件目录
+bin_dir="/root/local/bin"
+
+#证书目录
+ca_dir="/etc/kubernetes/ssl"
+
+#部署目录，即 ansible 工作目录
+base_dir="/etc/ansible"
+
+#私有仓库 harbor服务器 (域名或者IP)
+#需要把 harbor服务器证书复制到roles/harbor/files/harbor-ca.crt
+HARBOR_SERVER="harbor.yourdomain.com"

roles/ca/tasks/main.yml

@@ -0,0 +1,28 @@
+- name: prepare some dirs
+  file: name={{ item }} state=directory
+  with_items:
+  - "{{ bin_dir }}"
+  - "{{ ca_dir }}"
+
+- name: 下载证书工具 CFSSL
+  copy: src={{ base_dir }}/bin/{{ item }} dest={{ bin_dir }}/{{ item }} mode=0755
+  with_items:
+  - cfssl
+  - cfssl-certinfo
+  - cfssljson
+
+- name: 准备CA配置文件
+  template: src=ca-config.json.j2 dest={{ ca_dir }}/ca-config.json
+
+- name: 准备CA签名请求
+  template: src=ca-csr.json.j2 dest={{ ca_dir }}/ca-csr.json
+
+- name: 生成 CA 证书和私钥
+  shell: "cd {{ ca_dir }} && {{ bin_dir }}/cfssl gencert -initca ca-csr.json | {{ bin_dir }}/cfssljson -bare ca" 
+
+- name: 准备分发 CA证书
+  shell: "cd {{ ca_dir }} && cp ca*  {{ base_dir }}/roles/prepare/files/"
+
+- name: 复制 CA证书生成calico secret 使用
+  shell: "cp -f {{ ca_dir }}/ca.pem  {{ base_dir }}/roles/calico/files/"
+

roles/ca/templates/ca-config.json.j2

@@ -0,0 +1,18 @@
+{
+  "signing": {
+    "default": {
+      "expiry": "87600h"
+    },
+    "profiles": {
+      "kubernetes": {
+        "usages": [
+            "signing",
+            "key encipherment",
+            "server auth",
+            "client auth"
+        ],
+        "expiry": "87600h"
+      }
+    }
+  }
+}

roles/ca/templates/ca-csr.json.j2

@@ -0,0 +1,16 @@
+{
+  "CN": "kubernetes",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "CN",
+      "ST": "HangZhou",
+      "L": "XS",
+      "O": "k8s",
+      "OU": "System"
+    }
+  ]
+}

roles/calico/files/rbac.yaml

@@ -0,0 +1,64 @@
+# Calico Version v2.6.2
+# https://docs.projectcalico.org/v2.6/releases#v2.6.2
+
+---
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: calico-kube-controllers
+  namespace: kube-system
+rules:
+  - apiGroups:
+    - ""
+    - extensions
+    resources:
+      - pods
+      - namespaces
+      - networkpolicies
+    verbs:
+      - watch
+      - list
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: calico-kube-controllers
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: calico-kube-controllers
+subjects:
+- kind: ServiceAccount
+  name: calico-kube-controllers
+  namespace: kube-system
+
+---
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: calico-node
+  namespace: kube-system
+rules:
+  - apiGroups: [""]
+    resources:
+      - pods
+      - nodes
+    verbs:
+      - get
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: calico-node
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: calico-node
+subjects:
+- kind: ServiceAccount
+  name: calico-node
+  namespace: kube-system

roles/calico/tasks/main.yml

@@ -0,0 +1,34 @@
+- name: 创建calico证书目录
+  file: name=/etc/calico/ssl state=directory
+
+- name: 复制CA 证书和etcd 证书
+  copy: src={{ item }} dest=/etc/calico/ssl/{{ item }}
+  with_items:
+  - ca.pem
+  - etcd.pem
+  - etcd-key.pem
+
+- name: 创建 calico 的 systemd unit 文件
+  template: src=calico-node.service.j2 dest=/etc/systemd/system/calico-node.service
+
+- name: daemon-reload
+  shell: systemctl daemon-reload
+
+- name: enable-calico
+  shell: systemctl enable calico-node
+
+- name: 重新启动calico
+  shell: systemctl restart calico-node
+
+- name: 下载calico cni plugins
+  copy: src={{ base_dir }}/bin/{{ item }} dest={{ bin_dir }}/{{ item }} mode=0755
+  with_items:
+  - calico
+  - calico-ipam
+  - loopback
+
+- name: 创建cni config 目录
+  file: name=/etc/cni/net.d state=directory
+
+- name: 准备 cni配置文件
+  template: src=cni-calico.conf.j2 dest=/etc/cni/net.d/10-calico.conf

roles/calico/templates/calico-node.service.j2

@@ -0,0 +1,37 @@
+[Unit]
+Description=calico node
+After=docker.service
+Requires=docker.service
+
+[Service]
+User=root
+PermissionsStartOnly=true
+ExecStart={{ bin_dir }}/docker run --net=host --privileged --name=calico-node \
+  -e ETCD_ENDPOINTS={{ ETCD_ENDPOINTS }} \
+  -e ETCD_CA_CERT_FILE=/etc/calico/ssl/ca.pem \
+  -e ETCD_CERT_FILE=/etc/calico/ssl//etcd.pem \
+  -e ETCD_KEY_FILE=/etc/calico/ssl/etcd-key.pem \
+  -e CALICO_LIBNETWORK_ENABLED=true \
+  -e CALICO_NETWORKING_BACKEND=bird \
+  -e CALICO_DISABLE_FILE_LOGGING=true \
+  -e CALICO_IPV4POOL_CIDR={{ CLUSTER_CIDR }} \
+  -e CALICO_IPV4POOL_IPIP=always \
+  -e FELIX_DEFAULTENDPOINTTOHOSTACTION=ACCEPT \
+  -e FELIX_IPV6SUPPORT=false \
+  -e FELIX_LOGSEVERITYSCREEN=info \
+  -e FELIX_IPINIPMTU=1440 \
+  -e FELIX_HEALTHENABLED=true \
+  -e IP= \
+  -v /etc/calico/ssl:/etc/calico/ssl \
+  -v /var/run/calico:/var/run/calico \
+  -v /lib/modules:/lib/modules \
+  -v /run/docker/plugins:/run/docker/plugins \
+  -v /var/run/docker.sock:/var/run/docker.sock \
+  -v /var/log/calico:/var/log/calico \
+  calico/node:v2.6.2
+ExecStop={{ bin_dir }}/docker rm -f calico-node
+Restart=always
+RestartSec=10
+
+[Install]
+WantedBy=multi-user.target

roles/calico/templates/calico.yaml

@@ -0,0 +1,358 @@
+# Calico Version v2.6.2
+# https://docs.projectcalico.org/v2.6/releases#v2.6.2
+# This manifest includes the following component versions:
+#   calico/node:v2.6.2
+#   calico/cni:v1.11.0
+#   calico/kube-controllers:v1.0.0
+
+# This ConfigMap is used to configure a self-hosted Calico installation.
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: calico-config
+  namespace: kube-system
+data:
+  # Configure this with the location of your etcd cluster.
+  etcd_endpoints: "http://127.0.0.1:2379"
+
+  # Configure the Calico backend to use.
+  calico_backend: "bird"
+
+  # The CNI network configuration to install on each node.
+  cni_network_config: |-
+    {
+        "name": "k8s-pod-network",
+        "cniVersion": "0.1.0",
+        "type": "calico",
+        "etcd_endpoints": "__ETCD_ENDPOINTS__",
+        "etcd_key_file": "__ETCD_KEY_FILE__",
+        "etcd_cert_file": "__ETCD_CERT_FILE__",
+        "etcd_ca_cert_file": "__ETCD_CA_CERT_FILE__",
+        "log_level": "info",
+        "mtu": 1500,
+        "ipam": {
+            "type": "calico-ipam"
+        },
+        "policy": {
+            "type": "k8s",
+            "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
+            "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
+        },
+        "kubernetes": {
+            "kubeconfig": "__KUBECONFIG_FILEPATH__"
+        }
+    }
+
+  # If you're using TLS enabled etcd uncomment the following.
+  # You must also populate the Secret below with these files.
+  etcd_ca: ""   # "/calico-secrets/etcd-ca"
+  etcd_cert: "" # "/calico-secrets/etcd-cert"
+  etcd_key: ""  # "/calico-secrets/etcd-key"
+
+---
+
+# The following contains k8s Secrets for use with a TLS enabled etcd cluster.
+# For information on populating Secrets, see http://kubernetes.io/docs/user-guide/secrets/
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: calico-etcd-secrets
+  namespace: kube-system
+data:
+  # Populate the following files with etcd TLS configuration if desired, but leave blank if
+  # not using TLS for etcd.
+  # This self-hosted install expects three files with the following names.  The values
+  # should be base64 encoded strings of the entire contents of each file.
+  # etcd-key: null
+  # etcd-cert: null
+  # etcd-ca: null
+
+---
+
+# This manifest installs the calico/node container, as well
+# as the Calico CNI plugins and network config on
+# each master and worker node in a Kubernetes cluster.
+kind: DaemonSet
+apiVersion: extensions/v1beta1
+metadata:
+  name: calico-node
+  namespace: kube-system
+  labels:
+    k8s-app: calico-node
+spec:
+  selector:
+    matchLabels:
+      k8s-app: calico-node
+  template:
+    metadata:
+      labels:
+        k8s-app: calico-node
+      annotations:
+        scheduler.alpha.kubernetes.io/critical-pod: ''
+        scheduler.alpha.kubernetes.io/tolerations: |
+          [{"key": "dedicated", "value": "master", "effect": "NoSchedule" },
+           {"key":"CriticalAddonsOnly", "operator":"Exists"}]
+    spec:
+      hostNetwork: true
+      serviceAccountName: calico-node
+      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
+      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
+      terminationGracePeriodSeconds: 0
+      containers:
+        # Runs calico/node container on each Kubernetes node.  This
+        # container programs network policy and routes on each
+        # host.
+        - name: calico-node
+          image: quay.io/calico/node:v2.6.2
+          env:
+            # The location of the Calico etcd cluster.
+            - name: ETCD_ENDPOINTS
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: etcd_endpoints
+            # Choose the backend to use.
+            - name: CALICO_NETWORKING_BACKEND
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: calico_backend
+            # Cluster type to identify the deployment type
+            - name: CLUSTER_TYPE
+              value: "k8s,bgp"
+            # Disable file logging so `kubectl logs` works.
+            - name: CALICO_DISABLE_FILE_LOGGING
+              value: "true"
+            # Set Felix endpoint to host default action to ACCEPT.
+            - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
+              value: "ACCEPT"
+            # Configure the IP Pool from which Pod IPs will be chosen.
+            - name: CALICO_IPV4POOL_CIDR
+              value: "192.168.0.0/16"
+            - name: CALICO_IPV4POOL_IPIP
+              value: "always"
+            # Disable IPv6 on Kubernetes.
+            - name: FELIX_IPV6SUPPORT
+              value: "false"
+            # Set Felix logging to "info"
+            - name: FELIX_LOGSEVERITYSCREEN
+              value: "info"
+            # Set MTU for tunnel device used if ipip is enabled
+            - name: FELIX_IPINIPMTU
+              value: "1440"
+            # Location of the CA certificate for etcd.
+            - name: ETCD_CA_CERT_FILE
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: etcd_ca
+            # Location of the client key for etcd.
+            - name: ETCD_KEY_FILE
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: etcd_key
+            # Location of the client certificate for etcd.
+            - name: ETCD_CERT_FILE
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: etcd_cert
+            # Auto-detect the BGP IP address.
+            - name: IP
+              value: ""
+            - name: FELIX_HEALTHENABLED
+              value: "true"
+          securityContext:
+            privileged: true
+          resources:
+            requests:
+              cpu: 250m
+          livenessProbe:
+            httpGet:
+              path: /liveness
+              port: 9099
+            periodSeconds: 10
+            initialDelaySeconds: 10
+            failureThreshold: 6
+          readinessProbe:
+            httpGet:
+              path: /readiness
+              port: 9099
+            periodSeconds: 10
+          volumeMounts:
+            - mountPath: /lib/modules
+              name: lib-modules
+              readOnly: true
+            - mountPath: /var/run/calico
+              name: var-run-calico
+              readOnly: false
+            - mountPath: /calico-secrets
+              name: etcd-certs
+        # This container installs the Calico CNI binaries
+        # and CNI network config file on each node.
+        - name: install-cni
+          image: quay.io/calico/cni:v1.11.0
+          command: ["/install-cni.sh"]
+          env:
+            # The location of the Calico etcd cluster.
+            - name: ETCD_ENDPOINTS
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: etcd_endpoints
+            # The CNI network config to install on each node.
+            - name: CNI_NETWORK_CONFIG
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: cni_network_config
+          volumeMounts:
+            - mountPath: /host/opt/cni/bin
+              name: cni-bin-dir
+            - mountPath: /host/etc/cni/net.d
+              name: cni-net-dir
+            - mountPath: /calico-secrets
+              name: etcd-certs
+      volumes:
+        # Used by calico/node.
+        - name: lib-modules
+          hostPath:
+            path: /lib/modules
+        - name: var-run-calico
+          hostPath:
+            path: /var/run/calico
+        # Used to install CNI.
+        - name: cni-bin-dir
+          hostPath:
+            path: /opt/cni/bin
+        - name: cni-net-dir
+          hostPath:
+            path: /etc/cni/net.d
+        # Mount in the etcd TLS secrets.
+        - name: etcd-certs
+          secret:
+            secretName: calico-etcd-secrets
+
+---
+
+# This manifest deploys the Calico Kubernetes controllers.
+# See https://github.com/projectcalico/kube-controllers
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: calico-kube-controllers
+  namespace: kube-system
+  labels:
+    k8s-app: calico-kube-controllers
+  annotations:
+    scheduler.alpha.kubernetes.io/critical-pod: ''
+    scheduler.alpha.kubernetes.io/tolerations: |
+      [{"key": "dedicated", "value": "master", "effect": "NoSchedule" },
+       {"key":"CriticalAddonsOnly", "operator":"Exists"}]
+spec:
+  # The controllers can only have a single active instance.
+  replicas: 1
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      name: calico-kube-controllers
+      namespace: kube-system
+      labels:
+        k8s-app: calico-kube-controllers
+    spec:
+      # The controllers must run in the host network namespace so that
+      # it isn't governed by policy that would prevent it from working.
+      hostNetwork: true
+      serviceAccountName: calico-kube-controllers
+      containers:
+        - name: calico-kube-controllers
+          image: quay.io/calico/kube-controllers:v1.0.0
+          env:
+            # The location of the Calico etcd cluster.
+            - name: ETCD_ENDPOINTS
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: etcd_endpoints
+            # Location of the CA certificate for etcd.
+            - name: ETCD_CA_CERT_FILE
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: etcd_ca
+            # Location of the client key for etcd.
+            - name: ETCD_KEY_FILE
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: etcd_key
+            # Location of the client certificate for etcd.
+            - name: ETCD_CERT_FILE
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: etcd_cert
+          volumeMounts:
+            # Mount in the etcd TLS secrets.
+            - mountPath: /calico-secrets
+              name: etcd-certs
+      volumes:
+        # Mount in the etcd TLS secrets.
+        - name: etcd-certs
+          secret:
+            secretName: calico-etcd-secrets
+
+---
+
+# This deployment turns off the old "policy-controller". It should remain at 0 replicas, and then
+# be removed entirely once the new kube-controllers deployment has been deployed above.
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: calico-policy-controller
+  namespace: kube-system
+  labels:
+    k8s-app: calico-policy
+spec:
+  # Turn this deployment off in favor of the kube-controllers deployment above.
+  replicas: 0
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      name: calico-policy-controller
+      namespace: kube-system
+      labels:
+        k8s-app: calico-policy
+    spec:
+      hostNetwork: true
+      serviceAccountName: calico-kube-controllers
+      containers:
+        - name: calico-policy-controller
+          image: quay.io/calico/kube-controllers:v1.0.0
+          env:
+            # The location of the Calico etcd cluster.
+            - name: ETCD_ENDPOINTS
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: etcd_endpoints
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: calico-kube-controllers
+  namespace: kube-system
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: calico-node
+  namespace: kube-system

roles/calico/templates/cni-calico.conf.j2

@@ -0,0 +1,22 @@
+{
+    "name": "calico-k8s-network",
+    "cniVersion": "0.1.0",
+    "type": "calico",
+    "etcd_endpoints": "{{ ETCD_ENDPOINTS }}",
+    "etcd_key_file": "/etc/calico/ssl/etcd-key.pem",
+    "etcd_cert_file": "/etc/calico/ssl//etcd.pem",
+    "etcd_ca_cert_file": "/etc/calico/ssl/ca.pem",
+    "log_level": "info",
+    "mtu": 1500,
+    "ipam": {
+        "type": "calico-ipam"
+    },
+    "policy": {
+        "type": "k8s",
+        "k8s_api_root": "{{ KUBE_APISERVER }}",
+        "k8s_auth_token": "{{ BOOTSTRAP_TOKEN }}"
+    },
+    "kubernetes": {
+        "kubeconfig": "/root/.kube/config"
+    }
+}

roles/docker/files/daemon.json

@@ -0,0 +1,3 @@
+{
+  "registry-mirrors": ["https://registry.docker-cn.com"] 
+}

roles/docker/tasks/main.yml

@@ -0,0 +1,33 @@
+## ---------docker daemon配置部分-----------
+- name: 下载 docker 二进制文件
+  copy: src={{ base_dir }}/bin/{{ item }} dest={{ bin_dir }}/{{ item }} mode=0755
+  with_items:
+  - docker-containerd
+  - docker-containerd-shim
+  - docker-init
+  - docker-runc
+  - docker
+  - docker-containerd-ctr
+  - dockerd
+  - docker-proxy
+
+- name: docker命令自动补全
+  copy: src=docker dest=/etc/bash_completion.d/docker mode=0644
+
+- name: docker国内镜像加速
+  copy: src=daemon.json dest=/etc/docker/daemon.json
+
+- name: 创建docker的systemd unit文件
+  template: src=docker.service.j2 dest=/etc/systemd/system/docker.service
+
+- name: daemon-reload
+  shell: systemctl daemon-reload
+
+- name: enable-docker
+  shell: systemctl enable docker
+
+- name: flush-iptables
+  shell: iptables -F && iptables -X && iptables -F -t nat && iptables -X -t nat
+
+- name: start-docker
+  shell: systemctl restart docker

roles/docker/templates/docker.service.j2

@@ -0,0 +1,19 @@
+[Unit]
+Description=Docker Application Container Engine
+Documentation=http://docs.docker.io
+
+[Service]
+Environment="PATH={{ bin_dir }}:/bin:/sbin:/usr/bin:/usr/sbin"
+ExecStart={{ bin_dir }}/dockerd --log-level=error 
+ExecStartPost=/sbin/iptables -I FORWARD -s 0.0.0.0/0 -j ACCEPT
+ExecReload=/bin/kill -s HUP $MAINPID
+Restart=on-failure
+RestartSec=5
+LimitNOFILE=infinity
+LimitNPROC=infinity
+LimitCORE=infinity
+Delegate=yes
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target

roles/etcd/tasks/main.yml

@@ -0,0 +1,38 @@
+- name: 下载etcd二进制文件
+  copy: src={{ base_dir }}/bin/{{ item }} dest={{ bin_dir }}/{{ item }} mode=0755
+  with_items:
+  - etcd
+  - etcdctl
+
+- name: 创建etcd证书目录
+  file: name=/etc/etcd/ssl state=directory
+
+- name: 创建etcd证书请求
+  template: src=etcd-csr.json.j2 dest=/etc/etcd/ssl/etcd-csr.json
+
+- name: 创建 etcd证书和私钥
+  shell: "cd /etc/etcd/ssl && {{ bin_dir }}/cfssl gencert \
+        -ca={{ ca_dir }}/ca.pem \
+        -ca-key={{ ca_dir }}/ca-key.pem \
+        -config={{ ca_dir }}/ca-config.json \
+        -profile=kubernetes etcd-csr.json | {{ bin_dir }}/cfssljson -bare etcd"
+
+- name: 复制ectd相关证书生成calico secrets使用
+  shell: "cd /etc/etcd/ssl && \
+	cp etcd.pem etcd-key.pem {{ base_dir }}/roles/calico/files/"
+  when: NODE_NAME is defined and NODE_NAME == "etcd1"
+
+- name: 创建etcd工作目录
+  file: name=/var/lib/etcd state=directory
+
+- name: 创建etcd的systemd unit文件
+  template: src=etcd.service.j2 dest=/etc/systemd/system/etcd.service
+
+- name: daemon-reload
+  shell: systemctl daemon-reload
+
+- name: enable-etcd
+  shell: systemctl enable etcd
+
+- name: 重启etcd服务
+  shell: systemctl restart etcd

roles/etcd/templates/etcd-csr.json.j2

@@ -0,0 +1,20 @@
+{
+  "CN": "etcd",
+  "hosts": [
+    "127.0.0.1",
+    "{{ NODE_IP }}"
+  ],
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "CN",
+      "ST": "HangZhou",
+      "L": "XS",
+      "O": "k8s",
+      "OU": "System"
+    }
+  ]
+}

roles/etcd/templates/etcd.service.j2

@@ -0,0 +1,32 @@
+[Unit]
+Description=Etcd Server
+After=network.target
+After=network-online.target
+Wants=network-online.target
+Documentation=https://github.com/coreos
+
+[Service]
+Type=notify
+WorkingDirectory=/var/lib/etcd/
+ExecStart={{ bin_dir }}/etcd \
+  --name={{ NODE_NAME }} \
+  --cert-file=/etc/etcd/ssl/etcd.pem \
+  --key-file=/etc/etcd/ssl/etcd-key.pem \
+  --peer-cert-file=/etc/etcd/ssl/etcd.pem \
+  --peer-key-file=/etc/etcd/ssl/etcd-key.pem \
+  --trusted-ca-file={{ ca_dir }}/ca.pem \
+  --peer-trusted-ca-file={{ ca_dir }}/ca.pem \
+  --initial-advertise-peer-urls=https://{{ NODE_IP }}:2380 \
+  --listen-peer-urls=https://{{ NODE_IP }}:2380 \
+  --listen-client-urls=https://{{ NODE_IP }}:2379,http://127.0.0.1:2379 \
+  --advertise-client-urls=https://{{ NODE_IP }}:2379 \
+  --initial-cluster-token=etcd-cluster-0 \
+  --initial-cluster={{ ETCD_NODES }} \
+  --initial-cluster-state=new \
+  --data-dir=/var/lib/etcd
+Restart=on-failure
+RestartSec=5
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target

roles/kube-master/tasks/main.yml

@@ -0,0 +1,55 @@
+- name: 下载 kube-master 二进制
+  copy: src={{ base_dir }}/bin/{{ item }} dest={{ bin_dir }}/{{ item }} mode=0755
+  with_items:
+  - kube-apiserver
+  - kube-controller-manager
+  - kube-scheduler
+  - kubectl
+  - kube-proxy
+  - kubelet
+
+- name: 创建 kubernetes 证书签名请求
+  template: src=kubernetes-csr.json.j2 dest={{ ca_dir }}/kubernetes-csr.json
+
+- name: 创建 kubernetes 证书和私钥
+  shell: "cd {{ ca_dir }} && {{ bin_dir }}/cfssl gencert \
+        -ca={{ ca_dir }}/ca.pem \
+        -ca-key={{ ca_dir }}/ca-key.pem \
+        -config={{ ca_dir }}/ca-config.json \
+        -profile=kubernetes kubernetes-csr.json | {{ bin_dir }}/cfssljson -bare kubernetes"
+
+- name: 创建 token.csv
+  template: src=token.csv.j2 dest={{ ca_dir }}/token.csv
+
+- name: 创建 basic-auth.csv
+  template: src=basic-auth.csv.j2 dest={{ ca_dir }}/basic-auth.csv
+
+- name: 创建kube-apiserver的systemd unit文件
+  template: src=kube-apiserver.service.j2 dest=/etc/systemd/system/kube-apiserver.service
+
+- name: 创建kube-controller-manager的systemd unit文件
+  template: src=kube-controller-manager.service.j2 dest=/etc/systemd/system/kube-controller-manager.service
+
+- name: 创建kube-scheduler的systemd unit文件
+  template: src=kube-scheduler.service.j2 dest=/etc/systemd/system/kube-scheduler.service
+
+- name: daemon-reload
+  shell: systemctl daemon-reload
+
+- name: enable-kube-apiserver
+  shell: systemctl enable kube-apiserver
+
+- name: enable-kube-controller-manager
+  shell: systemctl enable kube-controller-manager
+
+- name: enable-kube-scheduler
+  shell: systemctl enable kube-scheduler
+
+- name: start-kube-apiserver
+  shell: systemctl restart kube-apiserver
+
+- name: start-kube-controller-manager
+  shell: systemctl restart kube-controller-manager
+
+- name: start-kube-scheduler
+  shell: systemctl restart kube-scheduler

roles/kube-master/templates/basic-auth.csv.j2

@@ -0,0 +1,2 @@
+{{ BASIC_AUTH_PASS }},{{ BASIC_AUTH_USER }},1
+readonly,readonly,2

roles/kube-master/templates/kube-apiserver.service.j2

@@ -0,0 +1,42 @@
+[Unit]
+Description=Kubernetes API Server
+Documentation=https://github.com/GoogleCloudPlatform/kubernetes
+After=network.target
+
+[Service]
+ExecStart={{ bin_dir }}/kube-apiserver \
+  --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota \
+  --bind-address={{ NODE_IP }} \
+  --insecure-bind-address=127.0.0.1 \
+  --authorization-mode=Node,RBAC \
+  --runtime-config=rbac.authorization.k8s.io/v1beta1 \
+  --kubelet-https=true \
+  --anonymous-auth=false \
+  --basic-auth-file={{ ca_dir }}/basic-auth.csv \
+  --experimental-bootstrap-token-auth \
+  --token-auth-file={{ ca_dir }}/token.csv \
+  --service-cluster-ip-range={{ SERVICE_CIDR }} \
+  --service-node-port-range={{ NODE_PORT_RANGE }} \
+  --tls-cert-file={{ ca_dir }}/kubernetes.pem \
+  --tls-private-key-file={{ ca_dir }}/kubernetes-key.pem \
+  --client-ca-file={{ ca_dir }}/ca.pem \
+  --service-account-key-file={{ ca_dir }}/ca-key.pem \
+  --etcd-cafile={{ ca_dir }}/ca.pem \
+  --etcd-certfile={{ ca_dir }}/kubernetes.pem \
+  --etcd-keyfile={{ ca_dir }}/kubernetes-key.pem \
+  --etcd-servers={{ ETCD_ENDPOINTS }} \
+  --enable-swagger-ui=true \
+  --allow-privileged=true \
+  --audit-log-maxage=30 \
+  --audit-log-maxbackup=3 \
+  --audit-log-maxsize=100 \
+  --audit-log-path=/var/lib/audit.log \
+  --event-ttl=1h \
+  --v=2
+Restart=on-failure
+RestartSec=5
+Type=notify
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target

roles/kube-master/templates/kube-controller-manager.service.j2

@@ -0,0 +1,23 @@
+[Unit]
+Description=Kubernetes Controller Manager
+Documentation=https://github.com/GoogleCloudPlatform/kubernetes
+
+[Service]
+ExecStart={{ bin_dir }}/kube-controller-manager \
+  --address=127.0.0.1 \
+  --master=http://127.0.0.1:8080 \
+  --allocate-node-cidrs=true \
+  --service-cluster-ip-range={{ SERVICE_CIDR }} \
+  --cluster-cidr={{ CLUSTER_CIDR }} \
+  --cluster-name=kubernetes \
+  --cluster-signing-cert-file={{ ca_dir }}/ca.pem \
+  --cluster-signing-key-file={{ ca_dir }}/ca-key.pem \
+  --service-account-private-key-file={{ ca_dir }}/ca-key.pem \
+  --root-ca-file={{ ca_dir }}/ca.pem \
+  --leader-elect=true \
+  --v=2
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target

roles/kube-master/templates/kube-scheduler.service.j2

@@ -0,0 +1,15 @@
+[Unit]
+Description=Kubernetes Scheduler
+Documentation=https://github.com/GoogleCloudPlatform/kubernetes
+
+[Service]
+ExecStart={{ bin_dir }}/kube-scheduler \
+  --address=127.0.0.1 \
+  --master=http://127.0.0.1:8080 \
+  --leader-elect=true \
+  --v=2
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target

roles/kube-master/templates/kubernetes-csr.json.j2

@@ -0,0 +1,27 @@
+{
+  "CN": "kubernetes",
+  "hosts": [
+    "127.0.0.1",
+    "{{ MASTER_IP }}",
+    "{{ NODE_IP }}",
+    "{{ CLUSTER_KUBERNETES_SVC_IP }}",
+    "kubernetes",
+    "kubernetes.default",
+    "kubernetes.default.svc",
+    "kubernetes.default.svc.cluster",
+    "kubernetes.default.svc.cluster.local"
+  ],
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "CN",
+      "ST": "HangZhou",
+      "L": "XS",
+      "O": "k8s",
+      "OU": "System"
+    }
+  ]
+}

roles/kube-master/templates/token.csv.j2

@@ -0,0 +1 @@
+{{ BOOTSTRAP_TOKEN }},kubelet-bootstrap,10001,"system:kubelet-bootstrap"

roles/kube-node/tasks/main.yml

@@ -0,0 +1,106 @@
+##----------kubelet 配置部分--------------
+- name: 下载 kubelet和kube-proxy 二进制
+  copy: src={{ base_dir }}/bin/{{ item }} dest={{ bin_dir }}/{{ item }} mode=0755
+  with_items:
+  - kubelet
+  - kube-proxy
+
+# kubelet 启动时向 kube-apiserver 发送 TLS bootstrapping 请求，需要绑定该角色
+# 只需单节点执行一次，重复执行的报错可以忽略
+- name: kubelet-bootstrap-setting
+  shell: "{{ bin_dir }}/kubectl create clusterrolebinding kubelet-bootstrap \
+        --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap"
+  when: NODE_ID is defined and NODE_ID == "node1"
+  ignore_errors: true
+
+#创建bootstrap.kubeconfig配置文件
+- name: 设置集群参数
+  shell: "{{ bin_dir }}/kubectl config set-cluster kubernetes \
+        --certificate-authority={{ ca_dir }}/ca.pem \
+        --embed-certs=true \
+        --server={{ KUBE_APISERVER }} \
+        --kubeconfig=bootstrap.kubeconfig"
+- name: 设置客户端认证参数
+  shell: "{{ bin_dir }}/kubectl config set-credentials kubelet-bootstrap \
+        --token={{ BOOTSTRAP_TOKEN }} \
+        --kubeconfig=bootstrap.kubeconfig"
+- name: 设置上下文参数
+  shell: "{{ bin_dir }}/kubectl config set-context default \
+	--cluster=kubernetes \
+	--user=kubelet-bootstrap \
+	--kubeconfig=bootstrap.kubeconfig"
+- name: 选择默认上下文
+  shell: "{{ bin_dir }}/kubectl config use-context default --kubeconfig=bootstrap.kubeconfig"
+
+- name: 安装bootstrap.kubeconfig配置文件
+  shell: "mv $HOME/bootstrap.kubeconfig /etc/kubernetes/bootstrap.kubeconfig"
+
+- name: 创建kubelet的工作目录
+  file: name=/var/lib/kubelet state=directory
+
+- name: 创建kubelet的systemd unit文件
+  template: src=kubelet.service.j2 dest=/etc/systemd/system/kubelet.service
+
+- name: daemon-reload
+  shell: systemctl daemon-reload
+
+- name: enable-kubelet
+  shell: systemctl enable kubelet
+
+- name: start-kubelet
+  shell: systemctl restart kubelet
+
+- name: approve-kubelet-csr
+  shell: "{{ bin_dir }}/kubectl get csr|grep 'Pending' | awk 'NR>0{print $1}'| xargs {{ bin_dir }}/kubectl certificate approve"
+  when: NODE_ID is defined and NODE_ID == "node1"
+  ignore_errors: true
+
+##-------kube-proxy部分----------------
+- name: 准备kube-proxy 证书签名请求
+  template: src=kube-proxy-csr.json.j2 dest={{ ca_dir }}/kube-proxy-csr.json
+
+- name: 创建 kube-proxy证书与私钥
+  shell: "cd {{ ca_dir }} && {{ bin_dir }}/cfssl gencert \
+        -ca={{ ca_dir }}/ca.pem \
+        -ca-key={{ ca_dir }}/ca-key.pem \
+        -config={{ ca_dir }}/ca-config.json \
+        -profile=kubernetes kube-proxy-csr.json | {{ bin_dir }}/cfssljson -bare kube-proxy"
+
+#创建kube-proxy.kubeconfig配置文件
+- name: 设置集群参数
+  shell: "{{ bin_dir }}/kubectl config set-cluster kubernetes \
+        --certificate-authority={{ ca_dir }}/ca.pem \
+        --embed-certs=true \
+        --server={{ KUBE_APISERVER }} \
+        --kubeconfig=kube-proxy.kubeconfig"
+- name: 设置客户端认证参数
+  shell: "{{ bin_dir }}/kubectl config set-credentials kube-proxy \
+	--client-certificate={{ ca_dir }}/kube-proxy.pem \
+	--client-key={{ ca_dir }}/kube-proxy-key.pem \
+        --embed-certs=true \
+        --kubeconfig=kube-proxy.kubeconfig"
+- name: 设置上下文参数
+  shell: "{{ bin_dir }}/kubectl config set-context default \
+        --cluster=kubernetes \
+        --user=kube-proxy \
+        --kubeconfig=kube-proxy.kubeconfig"
+- name: 选择默认上下文
+  shell: "{{ bin_dir }}/kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig"
+
+- name: 安装kube-proxy.kubeconfig配置文件
+  shell: "mv $HOME/kube-proxy.kubeconfig /etc/kubernetes/kube-proxy.kubeconfig"
+
+- name: 创建kube-proxy的工作目录
+  file: name=/var/lib/kube-proxy state=directory
+
+- name: 创建kube-proxy的systemd unit文件
+  template: src=kube-proxy.service.j2 dest=/etc/systemd/system/kube-proxy.service
+
+- name: daemon-reload
+  shell: systemctl daemon-reload
+
+- name: enable-kube-proxy
+  shell: systemctl enable kube-proxy
+
+- name: start-kube-proxy
+  shell: systemctl restart kube-proxy

roles/kube-node/templates/kube-proxy-csr.json.j2

@@ -0,0 +1,17 @@
+{
+  "CN": "system:kube-proxy",
+  "hosts": [],
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "CN",
+      "ST": "HangZhou",
+      "L": "XS",
+      "O": "k8s",
+      "OU": "System"
+    }
+  ]
+}

roles/kube-node/templates/kube-proxy.service.j2

@@ -0,0 +1,20 @@
+[Unit]
+Description=Kubernetes Kube-Proxy Server
+Documentation=https://github.com/GoogleCloudPlatform/kubernetes
+After=network.target
+
+[Service]
+WorkingDirectory=/var/lib/kube-proxy
+ExecStart={{ bin_dir }}/kube-proxy \
+  --bind-address={{ NODE_IP }} \
+  --hostname-override={{ NODE_IP }} \
+  --cluster-cidr={{ SERVICE_CIDR }} \
+  --kubeconfig=/etc/kubernetes/kube-proxy.kubeconfig \
+  --logtostderr=true \
+  --v=2
+Restart=on-failure
+RestartSec=5
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target

roles/kube-node/templates/kubelet.service.j2

@@ -0,0 +1,37 @@
+[Unit]
+Description=Kubernetes Kubelet
+Documentation=https://github.com/GoogleCloudPlatform/kubernetes
+After=docker.service
+Requires=docker.service
+
+[Service]
+WorkingDirectory=/var/lib/kubelet
+#--pod-infra-container-image=registry.access.redhat.com/rhel7/pod-infrastructure:latest
+ExecStart={{ bin_dir }}/kubelet \
+  --address={{ NODE_IP }} \
+  --hostname-override={{ NODE_IP }} \
+  --pod-infra-container-image=mirrorgooglecontainers/pause-amd64:3.0 \
+  --experimental-bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig \
+  --kubeconfig=/etc/kubernetes/kubelet.kubeconfig \
+  --require-kubeconfig \
+  --cert-dir={{ ca_dir }} \
+  --network-plugin=cni \
+  --cni-conf-dir=/etc/cni/net.d \
+  --cni-bin-dir={{ bin_dir }} \
+  --cluster-dns={{ CLUSTER_DNS_SVC_IP }} \
+  --cluster-domain={{ CLUSTER_DNS_DOMAIN }} \
+  --hairpin-mode promiscuous-bridge \
+  --allow-privileged=true \
+  --serialize-image-pulls=false \
+  --logtostderr=true \
+  --v=2
+#kubelet cAdvisor 默认在所有接口监听 4194 端口的请求, 以下iptables限制内网访问
+ExecStartPost=/sbin/iptables -A INPUT -s 10.0.0.0/8 -p tcp --dport 4194 -j ACCEPT
+ExecStartPost=/sbin/iptables -A INPUT -s 172.16.0.0/12 -p tcp --dport 4194 -j ACCEPT
+ExecStartPost=/sbin/iptables -A INPUT -s 192.168.0.0/16 -p tcp --dport 4194 -j ACCEPT
+ExecStartPost=/sbin/iptables -A INPUT -p tcp --dport 4194 -j DROP
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target

roles/kubectl/tasks/main.yml

@@ -0,0 +1,29 @@
+- name: 下载kubectl二进制
+  copy: src={{ base_dir }}/bin/kubectl dest={{ bin_dir }}/kubectl mode=0755
+
+- name: 准备kubectl使用的admin 证书签名请求
+  template: src=admin-csr.json.j2 dest={{ ca_dir }}/admin-csr.json
+
+- name: 创建 admin证书与私钥
+  shell: "cd {{ ca_dir }} && {{ bin_dir }}/cfssl gencert \
+        -ca={{ ca_dir }}/ca.pem \
+        -ca-key={{ ca_dir }}/ca-key.pem \
+        -config={{ ca_dir }}/ca-config.json \
+        -profile=kubernetes admin-csr.json | {{ bin_dir }}/cfssljson -bare admin"
+
+# 创建kubectl kubeconfig 文件
+- name: 设置集群参数
+  shell: "{{ bin_dir }}/kubectl config set-cluster kubernetes \
+	--certificate-authority={{ ca_dir }}/ca.pem \
+	--embed-certs=true \
+	--server={{ KUBE_APISERVER }}"
+- name: 设置客户端认证参数
+  shell: "{{ bin_dir }}/kubectl config set-credentials admin \
+	--client-certificate={{ ca_dir }}/admin.pem \
+	--embed-certs=true \
+	--client-key={{ ca_dir }}/admin-key.pem"
+- name: 设置上下文参数
+  shell: "{{ bin_dir }}/kubectl config set-context kubernetes \
+	--cluster=kubernetes --user=admin"
+- name: 选择默认上下文
+  shell: "{{ bin_dir }}/kubectl config use-context kubernetes"

roles/kubectl/templates/admin-csr.json.j2

@@ -0,0 +1,17 @@
+{
+  "CN": "admin",
+  "hosts": [],
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "CN",
+      "ST": "HangZhou",
+      "L": "XS",
+      "O": "system:masters",
+      "OU": "System"
+    }
+  ]
+}

roles/lb/tasks/main.yml

@@ -0,0 +1,29 @@
+
+- name: 安装 haproxy
+  shell: "apt-get update && apt-get install haproxy -y"
+
+- name: 创建haproxy配置目录
+  file: name=/etc/haproxy state=directory
+
+- name: 配置 haproxy
+  template: src=haproxy.cfg.j2 dest=/etc/haproxy/haproxy.cfg
+
+- name: 安装 keepalived
+  shell: "apt-get install keepalived -y"
+
+- name: 创建keepalived配置目录
+  file: name=/etc/keepalived state=directory
+
+- name: 配置 keepalived 主节点
+  template: src=keepalived-master.conf.j2 dest=/etc/keepalived/keepalived.conf
+  when: LB_ROLE == "master"
+
+- name: 配置 keepalived 备节点
+  template: src=keepalived-backup.conf.j2 dest=/etc/keepalived/keepalived.conf
+  when: LB_ROLE == "backup"
+
+- name: 重启haproxy服务
+  shell: systemctl enable haproxy && systemctl restart haproxy
+
+- name: 重启keepalived服务
+  shell: systemctl enable keepalived && systemctl restart keepalived

roles/lb/templates/haproxy.cfg.j2

@@ -0,0 +1,24 @@
+global
+        log /dev/log    local0
+        log /dev/log    local1 notice
+        chroot /var/lib/haproxy
+        stats socket /run/haproxy/admin.sock mode 660 level admin
+        stats timeout 30s
+        user haproxy
+        group haproxy
+        daemon
+        nbproc 1
+
+defaults
+        log     global
+        timeout connect 5000
+        timeout client  50000
+        timeout server  50000
+
+listen kube-master
+        bind 0.0.0.0:{{ MASTER_PORT }}
+        mode tcp
+        option tcplog
+        balance source
+        server s1 {{ LB_EP1 }}  check inter 10000 fall 2 rise 2 weight 1
+        server s2 {{ LB_EP2 }}  check inter 10000 fall 2 rise 2 weight 1

roles/lb/templates/keepalived-backup.conf.j2

@@ -0,0 +1,15 @@
+global_defs {
+    router_id {{ LB_NAME }}
+}
+
+vrrp_instance VI-kube-master {
+    state BACKUP
+    priority 110
+    dont_track_primary
+    interface {{ LB_IF }}
+    virtual_router_id 51
+    advert_int 3
+    virtual_ipaddress {
+        {{ MASTER_IP }}
+    }
+}

roles/lb/templates/keepalived-master.conf.j2

@@ -0,0 +1,24 @@
+global_defs {
+    router_id {{ LB_NAME }}
+}
+
+vrrp_script check-haproxy {
+    script "killall -0 haproxy"
+    interval 5
+    weight -30
+}
+
+vrrp_instance VI-kube-master {
+    state MASTER
+    priority 120
+    dont_track_primary
+    interface {{ LB_IF }}
+    virtual_router_id 51
+    advert_int 3
+    track_script {
+        check-haproxy
+    }
+    virtual_ipaddress {
+        {{ MASTER_IP }}
+    }
+}

roles/prepare/tasks/main.yml

@@ -0,0 +1,28 @@
+- name: prepare some dirs
+  file: name={{ item }} state=directory
+  with_items:
+  - "{{ bin_dir }}"
+  - "{{ ca_dir }}"
+  - /root/.kube
+  - /etc/docker
+
+- name: 集群hosts文件更新
+  copy: src=hosts.j2 dest=/etc/hosts
+
+- name: 写入环境变量$PATH 
+  shell: "echo export PATH={{ bin_dir }}:$PATH >> /etc/profile"
+
+- name: 下载证书工具 CFSSL
+  copy: src={{ base_dir }}/bin/{{ item }} dest={{ bin_dir }}/{{ item }} mode=0755
+  with_items:
+  - cfssl
+  - cfssl-certinfo
+  - cfssljson
+
+- name: 分发CA 证书
+  copy: src={{ item }} dest={{ ca_dir }}/{{ item }} mode=0644
+  with_items:
+  - ca.pem
+  - ca-key.pem
+  - ca.csr
+  - ca-config.json