From 6adb3359931c02916acd70b15db71f88f78a3cc3 Mon Sep 17 00:00:00 2001 From: gjmzj Date: Sun, 27 Nov 2022 20:42:58 +0800 Subject: [PATCH] adjust scripts to support recreating CA and certs --- example/config.yml | 3 +++ roles/calico/tasks/main.yml | 5 +++-- roles/cilium/tasks/main.yml | 8 ++++++++ roles/cluster-addon/tasks/coredns.yml | 6 ++++++ roles/cluster-addon/tasks/dashboard.yml | 6 ++++++ roles/cluster-addon/tasks/main.yml | 10 +++++----- roles/cluster-addon/tasks/metrics-server.yml | 6 ++++++ roles/cluster-addon/tasks/nodelocaldns.yml | 6 ++++++ roles/cluster-addon/tasks/prometheus.yml | 13 +++++++++++-- roles/cluster-addon/vars/main.yml | 3 --- roles/deploy/vars/main.yml | 3 --- roles/flannel/tasks/main.yml | 9 +++++++++ roles/kube-ovn/tasks/main.yml | 9 +++++++++ roles/kube-router/tasks/main.yml | 9 +++++++++ 14 files changed, 81 insertions(+), 15 deletions(-) diff --git a/example/config.yml b/example/config.yml index 19e689b..b7a1d82 100644 --- a/example/config.yml +++ b/example/config.yml @@ -16,6 +16,9 @@ OS_HARDEN: false CA_EXPIRY: "876000h" CERT_EXPIRY: "438000h" +# force to recreate CA and other certs, not suggested to set 'true' +CHANGE_CA: false + # kubeconfig 配置参数 CLUSTER_NAME: "cluster1" CONTEXT_NAME: "context-{{ CLUSTER_NAME }}" diff --git a/roles/calico/tasks/main.yml b/roles/calico/tasks/main.yml index c439032..cd3c648 100644 --- a/roles/calico/tasks/main.yml +++ b/roles/calico/tasks/main.yml 
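Review bot: The comment above the new `CHANGE_CA` key only says `true` is not suggested; the role changes in this same patch make that flag delete and re-apply the CNI (calico, flannel, cilium, kube-ovn, kube-router) and the cluster add-ons, so the comment should state that consequence so an operator knows what `true` does to a running cluster. Something like `# force recreating the CA and all certs; when true the CNI and add-ons are deleted and re-applied (cluster-wide disruption) — keep false unless rotating the CA` would do. Since the patch also removes the `CHANGE_CA: false` defaults from roles/cluster-addon/vars/main.yml and roles/deploy/vars/main.yml, this example file is now the only place the variable is defined, which is worth saying in the comment as well.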
@@ -23,10 +23,11 @@ template: src=calico-{{ calico_ver_main }}.yaml.j2 dest={{ cluster_dir }}/yml/calico.yaml - name: 删除 calico网络 - shell: "{{ base_dir }}/bin/kubectl delete -f {{ cluster_dir }}/yml/calico.yaml || echo NotFound" + shell: "{{ base_dir }}/bin/kubectl delete -f {{ cluster_dir }}/yml/calico.yaml || echo NotFound; sleep 3" + when: 'CHANGE_CA|bool' - name: 运行 calico网络 - shell: "sleep 5 && {{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/calico.yaml" + shell: "{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/calico.yaml" run_once: true connection: local tags: force_change_certs diff --git a/roles/cilium/tasks/main.yml b/roles/cilium/tasks/main.yml index d629736..f1c748b 100644 --- a/roles/cilium/tasks/main.yml +++ b/roles/cilium/tasks/main.yml @@ -10,10 +10,16 @@ - name: 创建 cilium chart 个性化设置 template: src=values.yaml.j2 dest={{ cluster_dir }}/yml/cilium-values.yaml + - name: helm 删除 cilium {{ cilium_ver }} + shell: "{{ base_dir }}/bin/helm delete cilium -n kube-system || echo true; sleep 3" + tags: force_change_certs + when: 'CHANGE_CA|bool' + - name: helm 创建 cilium {{ cilium_ver }} shell: "{{ base_dir }}/bin/helm upgrade cilium --install \ -n kube-system -f {{ cluster_dir }}/yml/cilium-values.yaml \ {{ base_dir }}/roles/cilium/files/cilium-{{ cilium_ver }}.tgz" + tags: force_change_certs run_once: true connection: local @@ -36,6 +42,7 @@ delay: 8 ignore_errors: true connection: local + tags: force_change_certs # hubble-relay 可能需要重启一下 - name: 重启hubble-relay pod @@ -44,3 +51,4 @@ run_once: true connection: local when: "cilium_hubble_enabled|bool" + tags: force_change_certs diff --git a/roles/cluster-addon/tasks/coredns.yml b/roles/cluster-addon/tasks/coredns.yml index b28c26a..fee0e8c 100644 --- a/roles/cluster-addon/tasks/coredns.yml +++ b/roles/cluster-addon/tasks/coredns.yml 
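Review bot: The new `when: 'CHANGE_CA|bool'` on the calico delete task evaluates an undefined variable on any cluster whose config.yml predates this patch, because the `CHANGE_CA: false` defaults are removed from roles/cluster-addon/vars/main.yml and roles/deploy/vars/main.yml in this same patch, and an undefined name inside a `when` makes the task fail rather than skip. `when: 'CHANGE_CA|default(false)|bool'` keeps the delete opt-in and safe for old inventories; the same applies to every `CHANGE_CA|bool` condition added in the cilium, coredns, dashboard, metrics-server, nodelocaldns, prometheus, flannel, kube-ovn and kube-router hunks. Separately, this delete task is the only CNI delete in the patch without `tags: force_change_certs`, while the calico apply task directly below carries it, so a run restricted to that tag would re-apply without deleting first; the two prometheus delete tasks (`删除 etcd-client-cert`, `helm 删除 kube-prometheus-stack`) have the same gap, unless an enclosing block outside these hunks supplies the tag.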
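Review bot: The new `helm 删除 cilium` task has no `run_once: true` / `connection: local`, while the `helm 创建 cilium` task right below it keeps both, so unless an enclosing block outside the hunk sets them the delete runs once per host in the play, on the remote host where `{{ base_dir }}/bin/helm` may not exist; the kube-ovn delete task in this patch has the same omission. Add `run_once: true` and `connection: local` to the delete task. The `|| echo true; sleep 3` tail also turns any failure — including the API rejecting the credentials after the CA changed — into a success and treats three seconds as a completion signal, although `helm delete` returns before the release's pods are gone; registering the result with a `failed_when` that accepts only a not-found error, and waiting on deletion (`helm uninstall cilium -n kube-system --wait` where the installed Helm supports it) instead of sleeping, would make the recreate deterministic. The same tail is used by the coredns, dashboard, metrics-server, nodelocaldns, prometheus, flannel and kube-router delete tasks.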
@@ -2,6 +2,12 @@ - name: 准备 DNS的部署文件 template: src=dns/coredns.yaml.j2 dest={{ cluster_dir }}/yml/coredns.yaml + - name: 删除coredns部署 + shell: "{{ base_dir }}/bin/kubectl delete -f {{ cluster_dir }}/yml/coredns.yaml || echo true; sleep 3" + tags: force_change_certs + when: 'CHANGE_CA|bool' + - name: 创建coredns部署 shell: "{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/coredns.yaml" + tags: force_change_certs when: 'dns_install == "yes"' diff --git a/roles/cluster-addon/tasks/dashboard.yml b/roles/cluster-addon/tasks/dashboard.yml index 209216b..cee0965 100644 --- a/roles/cluster-addon/tasks/dashboard.yml +++ b/roles/cluster-addon/tasks/dashboard.yml @@ -9,6 +9,12 @@ - "admin-user-sa-rbac.yaml" - "read-user-sa-rbac.yaml" + - name: 删除 dashboard部署 + shell: "{{ base_dir }}/bin/kubectl delete -f {{ cluster_dir }}/yml/dashboard/ || echo true; sleep 3" + tags: force_change_certs + when: 'CHANGE_CA|bool' + - name: 创建 dashboard部署 shell: "{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/dashboard/" + tags: force_change_certs when: 'dashboard_install == "yes"' diff --git a/roles/cluster-addon/tasks/main.yml b/roles/cluster-addon/tasks/main.yml index ad1b911..85076aa 100644 --- a/roles/cluster-addon/tasks/main.yml +++ b/roles/cluster-addon/tasks/main.yml 
@@ -12,22 +12,22 @@ - debug: var="CLUSTER_DNS_SVC_IP" - import_tasks: coredns.yml - when: '"coredns" not in pod_info.stdout and dns_install == "yes"' + when: '"coredns" not in pod_info.stdout or CHANGE_CA|bool' - import_tasks: nodelocaldns.yml - when: '"node-local-dns" not in pod_info.stdout and ENABLE_LOCAL_DNS_CACHE|bool' + when: '"node-local-dns" not in pod_info.stdout or CHANGE_CA|bool' - import_tasks: metrics-server.yml - when: '"metrics-server" not in pod_info.stdout and metricsserver_install == "yes"' + when: '"metrics-server" not in pod_info.stdout or CHANGE_CA|bool' - import_tasks: dashboard.yml - when: '"kubernetes-dashboard" not in pod_info.stdout and dashboard_install == "yes"' + when: '"kubernetes-dashboard" not in pod_info.stdout or CHANGE_CA|bool' - import_tasks: prometheus.yml when: 'prom_install == "yes"' - import_tasks: nfs-provisioner.yml - when: '"nfs-client-provisioner" not in pod_info.stdout and nfs_provisioner_install == "yes"' + when: '"nfs-client-provisioner" not in pod_info.stdout or CHANGE_CA|bool' - import_tasks: cilium_connectivity_check.yml when: 'CLUSTER_NETWORK == "cilium"' diff --git a/roles/cluster-addon/tasks/metrics-server.yml b/roles/cluster-addon/tasks/metrics-server.yml index 7b86a59..0770c6d 100644 --- a/roles/cluster-addon/tasks/metrics-server.yml +++ b/roles/cluster-addon/tasks/metrics-server.yml @@ -2,6 +2,12 @@ - name: 准备 metrics-server的部署文件 template: src=metrics-server/components.yaml.j2 dest={{ cluster_dir }}/yml/metrics-server.yaml + - name: 删除 metrics-server部署 + shell: "{{ base_dir }}/bin/kubectl delete -f {{ cluster_dir }}/yml/metrics-server.yaml || echo true; sleep 3" + tags: force_change_certs + when: 'CHANGE_CA|bool' + - name: 创建 metrics-server部署 shell: "{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/metrics-server.yaml" + tags: force_change_certs when: 'metricsserver_install == "yes"' 
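Review bot: The nfs-provisioner import loses its `nfs_provisioner_install == "yes"` guard and now fires whenever the provisioner is absent, but unlike coredns, nodelocaldns, metrics-server and dashboard — whose task files in this patch show the install flag still checked on the create task — nfs-provisioner.yml is not changed here, so if it has no guard of its own a cluster with the provisioner disabled would install it on the next run. Keeping the flag in the import condition avoids depending on the task file: `when: '("nfs-client-provisioner" not in pod_info.stdout or CHANGE_CA|bool) and nfs_provisioner_install == "yes"'`. The same form on the other four imports would also stop their ungated template and `kubectl delete` steps from running, when `CHANGE_CA` is true, for an add-on whose install flag is off and which would then not be recreated.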
diff --git a/roles/cluster-addon/tasks/nodelocaldns.yml b/roles/cluster-addon/tasks/nodelocaldns.yml index be47fd1..e82416c 100644 --- a/roles/cluster-addon/tasks/nodelocaldns.yml +++ b/roles/cluster-addon/tasks/nodelocaldns.yml @@ -7,6 +7,12 @@ template: src=dns/nodelocaldns-iptables.yaml.j2 dest={{ cluster_dir }}/yml/nodelocaldns.yaml when: "PROXY_MODE == 'iptables'" + - name: 删除dnscache部署 + shell: "{{ base_dir }}/bin/kubectl delete -f {{ cluster_dir }}/yml/nodelocaldns.yaml || echo true; sleep 3" + tags: force_change_certs + when: 'CHANGE_CA|bool' + - name: 创建dnscache部署 shell: "{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/nodelocaldns.yaml" + tags: force_change_certs when: 'ENABLE_LOCAL_DNS_CACHE|bool' diff --git a/roles/cluster-addon/tasks/prometheus.yml b/roles/cluster-addon/tasks/prometheus.yml index 345dc73..f02ff01 100644 --- a/roles/cluster-addon/tasks/prometheus.yml +++ b/roles/cluster-addon/tasks/prometheus.yml @@ -23,7 +23,11 @@ -ca-key=ca-key.pem \ -config=ca-config.json \ -profile=kubernetes etcd-client-csr.json|{{ base_dir }}/bin/cfssljson -bare etcd-client" - when: '"etcd-client-cert" not in secrets_info.stdout' + when: '"etcd-client-cert" not in secrets_info.stdout or CHANGE_CA|bool' + + - name: 删除 etcd-client-cert + shell: "{{ base_dir }}/bin/kubectl delete secret -n {{ prom_namespace }} etcd-client-cert || echo true" + when: 'CHANGE_CA|bool' - name: 创建 etcd-client-cert shell: "cd {{ cluster_dir }}/ssl && \ 
@@ -31,15 +35,20 @@ --from-file=etcd-ca=ca.pem \ --from-file=etcd-client=etcd-client.pem \ --from-file=etcd-client-key=etcd-client-key.pem" - when: '"etcd-client-cert" not in secrets_info.stdout' + when: '"etcd-client-cert" not in secrets_info.stdout or CHANGE_CA|bool' - debug: var="K8S_VER" - name: 创建 prom chart 个性化设置 template: src=prometheus/values.yaml.j2 dest={{ cluster_dir }}/yml/prom-values.yaml + - name: helm 删除 kube-prometheus-stack {{ prom_chart_ver }} + shell: "{{ base_dir }}/bin/helm delete prometheus -n {{ prom_namespace }} || echo true; sleep 3" + when: 'CHANGE_CA|bool' + - name: helm 创建 kube-prometheus-stack {{ prom_chart_ver }} shell: "{{ base_dir }}/bin/helm upgrade prometheus --install \ -n {{ prom_namespace }} -f {{ cluster_dir }}/yml/prom-values.yaml \ {{ base_dir }}/roles/cluster-addon/files/kube-prometheus-stack-{{ prom_chart_ver }}.tgz" when: 'prom_install == "yes"' + tags: force_change_certs diff --git a/roles/cluster-addon/vars/main.yml b/roles/cluster-addon/vars/main.yml index 23e2510..d6c93d3 100644 --- a/roles/cluster-addon/vars/main.yml +++ b/roles/cluster-addon/vars/main.yml @@ -1,4 +1 @@ # default values - -# CHANGE_CA: when set true, force to change ca certs -CHANGE_CA: false diff --git a/roles/deploy/vars/main.yml b/roles/deploy/vars/main.yml index 9d6d06e..94525c5 100644 --- a/roles/deploy/vars/main.yml +++ b/roles/deploy/vars/main.yml @@ -4,6 +4,3 @@ KUBE_APISERVER: "https://{{ groups['kube_master'][0] }}:{{ SECURE_PORT }}" # ADD_KCFG: false CUSTOM_EXPIRY: "438000h" - -# CHANGE_CA: when set true, force to change ca certs -CHANGE_CA: false diff --git a/roles/flannel/tasks/main.yml b/roles/flannel/tasks/main.yml index 304121b..0f7f8bb 100644 --- a/roles/flannel/tasks/main.yml +++ b/roles/flannel/tasks/main.yml 
@@ -11,10 +11,18 @@ run_once: true connection: local +- name: 删除 flannel网络 + shell: "{{ base_dir }}/bin/kubectl delete -f {{ cluster_dir }}/yml/flannel.yaml || echo true; sleep 3" + run_once: true + connection: local + tags: force_change_certs + when: 'CHANGE_CA|bool' + - name: 运行 flannel网络 shell: "{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/flannel.yaml" run_once: true connection: local + tags: force_change_certs - name: 删除默认cni配置 file: path=/etc/cni/net.d/10-default.conf state=absent @@ -27,3 +35,4 @@ delay: 8 ignore_errors: true connection: local + tags: force_change_certs diff --git a/roles/kube-ovn/tasks/main.yml b/roles/kube-ovn/tasks/main.yml index 811480a..b953234 100644 --- a/roles/kube-ovn/tasks/main.yml +++ b/roles/kube-ovn/tasks/main.yml @@ -13,11 +13,19 @@ - kube-ovn.yaml - ovn.yaml + - name: 删除 kube-ovn网络 + shell: "{{ base_dir }}/bin/kubectl delete -f {{ cluster_dir }}/yml/crd.yaml; \ + {{ base_dir }}/bin/kubectl delete -f {{ cluster_dir }}/yml/ovn.yaml; \ + {{ base_dir }}/bin/kubectl delete -f {{ cluster_dir }}/yml/kube-ovn.yaml; sleep 3" + tags: force_change_certs + when: 'CHANGE_CA|bool' + - name: 运行 kube-ovn网络 shell: "{{ base_dir }}/bin/kubectl label node {{ OVN_DB_NODE }} kube-ovn/role=master --overwrite && \ {{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/crd.yaml && sleep 5 && \ {{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/ovn.yaml && sleep 5 && \ {{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/kube-ovn.yaml" + tags: force_change_certs run_once: true connection: local @@ -37,3 +45,4 @@ delay: 8 ignore_errors: true connection: local + tags: force_change_certs diff --git a/roles/kube-router/tasks/main.yml b/roles/kube-router/tasks/main.yml index 4d9189f..97ef0e3 100644 --- a/roles/kube-router/tasks/main.yml +++ b/roles/kube-router/tasks/main.yml 
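Review bot: The new `删除 kube-ovn网络` task deletes crd.yaml first, then ovn.yaml and kube-ovn.yaml, which is the same order the `运行 kube-ovn网络` task below uses to create them; deleting the CRDs before the manifests that use them cascades removal of every custom resource and may leave the two later deletes with nothing to act on, or waiting on finalizers. Reverse the order to `kube-ovn.yaml`, `ovn.yaml`, then `crd.yaml`. The `;` separators also mean the task's exit status is that of the final `sleep 3`, so none of the three deletes can fail the task — consistent with the `|| echo true` used elsewhere in the patch, but worth a comment such as `# best-effort: deletion errors are ignored on purpose` so the silence is recognised as intentional.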
@@ -11,11 +11,19 @@ run_once: true connection: local +- name: 删除 kube-router DaemonSet + shell: "{{ base_dir }}/bin/kubectl delete -f {{ cluster_dir }}/yml/kube-router.yaml || echo true; sleep 3" + run_once: true + connection: local + tags: force_change_certs + when: 'CHANGE_CA|bool' + # 只需单节点执行一次 - name: 运行 kube-router DaemonSet shell: "{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/kube-router.yaml" run_once: true connection: local + tags: force_change_certs # 删除原有cni配置 - name: 删除默认cni配置 @@ -30,3 +38,4 @@ delay: 8 ignore_errors: true connection: local + tags: force_change_certs