adjust scripts to support recreating CA and certs

dev3
gjmzj 2022-11-27 20:42:58 +08:00
parent 02bd98b18e
commit 6adb335993
14 changed files with 81 additions and 15 deletions


@ -16,6 +16,9 @@ OS_HARDEN: false
CA_EXPIRY: "876000h"
CERT_EXPIRY: "438000h"
# force to recreate CA and other certs, not suggested to set 'true'
CHANGE_CA: false
# kubeconfig 配置参数
CLUSTER_NAME: "cluster1"
CONTEXT_NAME: "context-{{ CLUSTER_NAME }}"
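Review bot: The comment at L14 says not to set CHANGE_CA to true but not what setting it does, which is what an operator needs before flipping it; elsewhere in this commit the flag drives `kubectl delete`/`helm delete` of the CNI, coredns, dashboard and monitoring deployments before they are re-applied. Suggest `# force to recreate the CA and all certs; when true the network plugin and addons are deleted and re-applied (cluster-wide disruption) — only set for a planned CA rotation, then reset to false`. The reset matters because, as far as the hunk shows, the flag sits among persistent settings like CA_EXPIRY rather than being a one-shot extra-var.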


@ -23,10 +23,11 @@
template: src=calico-{{ calico_ver_main }}.yaml.j2 dest={{ cluster_dir }}/yml/calico.yaml
- name: 删除 calico网络
shell: "{{ base_dir }}/bin/kubectl delete -f {{ cluster_dir }}/yml/calico.yaml || echo NotFound"
shell: "{{ base_dir }}/bin/kubectl delete -f {{ cluster_dir }}/yml/calico.yaml || echo NotFound; sleep 3"
when: 'CHANGE_CA|bool'
- name: 运行 calico网络
shell: "sleep 5 && {{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/calico.yaml"
shell: "{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/calico.yaml"
run_once: true
connection: local
tags: force_change_certs
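Review bot: `|| echo NotFound` on the delete at L26 turns every kubectl failure — unreachable apiserver, credentials that no longer validate against the new CA, an RBAC denial — into success, not only a missing resource, so a failed teardown is followed by the apply at L30 against whatever is still running; the trailing `; sleep 3` additionally makes the task's exit status that of sleep. `shell: "{{ base_dir }}/bin/kubectl delete --ignore-not-found -f {{ cluster_dir }}/yml/calico.yaml && sleep 3"` keeps the intended tolerance and still fails on real errors. The same pattern is in the cilium, coredns, dashboard, metrics-server, nodelocaldns, prometheus (including the `kubectl delete secret` task), flannel, kube-ovn (where plain `;` chaining has the same effect) and kube-router hunks; for the helm delete tasks the `|| echo true` has to stay but `; sleep 3` should become `&& sleep 3` so at least a failed sleep is not the only thing reported. The task list continues outside the hunk.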


@ -10,10 +10,16 @@
- name: 创建 cilium chart 个性化设置
template: src=values.yaml.j2 dest={{ cluster_dir }}/yml/cilium-values.yaml
- name: helm 删除 cilium {{ cilium_ver }}
shell: "{{ base_dir }}/bin/helm delete cilium -n kube-system || echo true; sleep 3"
tags: force_change_certs
when: 'CHANGE_CA|bool'
- name: helm 创建 cilium {{ cilium_ver }}
shell: "{{ base_dir }}/bin/helm upgrade cilium --install \
-n kube-system -f {{ cluster_dir }}/yml/cilium-values.yaml \
{{ base_dir }}/roles/cilium/files/cilium-{{ cilium_ver }}.tgz"
tags: force_change_certs
run_once: true
connection: local
@ -36,6 +42,7 @@
delay: 8
ignore_errors: true
connection: local
tags: force_change_certs
# hubble-relay 可能需要重启一下
- name: 重启hubble-relay pod
@ -44,3 +51,4 @@
run_once: true
connection: local
when: "cilium_hubble_enabled|bool"
tags: force_change_certs


@ -2,6 +2,12 @@
- name: 准备 DNS的部署文件
template: src=dns/coredns.yaml.j2 dest={{ cluster_dir }}/yml/coredns.yaml
- name: 删除coredns部署
shell: "{{ base_dir }}/bin/kubectl delete -f {{ cluster_dir }}/yml/coredns.yaml || echo true; sleep 3"
tags: force_change_certs
when: 'CHANGE_CA|bool'
- name: 创建coredns部署
shell: "{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/coredns.yaml"
tags: force_change_certs
when: 'dns_install == "yes"'
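Review bot: The delete at L70 is gated only on CHANGE_CA while the apply at L74 also requires `dns_install == "yes"`, and the main.yml hunk in this commit now imports this file on CHANGE_CA alone; with CHANGE_CA true and dns_install not "yes", a coredns deployment that is present in the cluster is removed and not restored. Gate the delete the same way as the apply: `when: 'CHANGE_CA|bool and dns_install == "yes"'`. The dashboard, metrics-server and nodelocaldns hunks pair their delete/apply tasks the same way and need the same condition (`dashboard_install`, `metricsserver_install`, `ENABLE_LOCAL_DNS_CACHE`). The task list continues outside the hunk.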


@ -9,6 +9,12 @@
- "admin-user-sa-rbac.yaml"
- "read-user-sa-rbac.yaml"
- name: 删除 dashboard部署
shell: "{{ base_dir }}/bin/kubectl delete -f {{ cluster_dir }}/yml/dashboard/ || echo true; sleep 3"
tags: force_change_certs
when: 'CHANGE_CA|bool'
- name: 创建 dashboard部署
shell: "{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/dashboard/"
tags: force_change_certs
when: 'dashboard_install == "yes"'


@ -12,22 +12,22 @@
- debug: var="CLUSTER_DNS_SVC_IP"
- import_tasks: coredns.yml
when: '"coredns" not in pod_info.stdout and dns_install == "yes"'
when: '"coredns" not in pod_info.stdout or CHANGE_CA|bool'
- import_tasks: nodelocaldns.yml
when: '"node-local-dns" not in pod_info.stdout and ENABLE_LOCAL_DNS_CACHE|bool'
when: '"node-local-dns" not in pod_info.stdout or CHANGE_CA|bool'
- import_tasks: metrics-server.yml
when: '"metrics-server" not in pod_info.stdout and metricsserver_install == "yes"'
when: '"metrics-server" not in pod_info.stdout or CHANGE_CA|bool'
- import_tasks: dashboard.yml
when: '"kubernetes-dashboard" not in pod_info.stdout and dashboard_install == "yes"'
when: '"kubernetes-dashboard" not in pod_info.stdout or CHANGE_CA|bool'
- import_tasks: prometheus.yml
when: 'prom_install == "yes"'
- import_tasks: nfs-provisioner.yml
when: '"nfs-client-provisioner" not in pod_info.stdout and nfs_provisioner_install == "yes"'
when: '"nfs-client-provisioner" not in pod_info.stdout or CHANGE_CA|bool'
- import_tasks: cilium_connectivity_check.yml
when: 'CLUSTER_NETWORK == "cilium"'
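Review bot: The new condition at L112 drops `nfs_provisioner_install == "yes"` from the nfs-provisioner import, but unlike coredns, dashboard and metrics-server, nfs-provisioner.yml is not among the files this commit changes, so the install gate does not appear to have moved into the tasks file; if that file has no `when` of its own, the provisioner is now deployed on every run where its pod is absent, whether or not it was requested. Either keep the gate here, `when: '("nfs-client-provisioner" not in pod_info.stdout or CHANGE_CA|bool) and nfs_provisioner_install == "yes"'`, or add it to the apply task in nfs-provisioner.yml as the other addon files do. The task list continues outside the hunk.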


@ -2,6 +2,12 @@
- name: 准备 metrics-server的部署文件
template: src=metrics-server/components.yaml.j2 dest={{ cluster_dir }}/yml/metrics-server.yaml
- name: 删除 metrics-server部署
shell: "{{ base_dir }}/bin/kubectl delete -f {{ cluster_dir }}/yml/metrics-server.yaml || echo true; sleep 3"
tags: force_change_certs
when: 'CHANGE_CA|bool'
- name: 创建 metrics-server部署
shell: "{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/metrics-server.yaml"
tags: force_change_certs
when: 'metricsserver_install == "yes"'


@ -7,6 +7,12 @@
template: src=dns/nodelocaldns-iptables.yaml.j2 dest={{ cluster_dir }}/yml/nodelocaldns.yaml
when: "PROXY_MODE == 'iptables'"
- name: 删除dnscache部署
shell: "{{ base_dir }}/bin/kubectl delete -f {{ cluster_dir }}/yml/nodelocaldns.yaml || echo true; sleep 3"
tags: force_change_certs
when: 'CHANGE_CA|bool'
- name: 创建dnscache部署
shell: "{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/nodelocaldns.yaml"
tags: force_change_certs
when: 'ENABLE_LOCAL_DNS_CACHE|bool'


@ -23,7 +23,11 @@
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes etcd-client-csr.json|{{ base_dir }}/bin/cfssljson -bare etcd-client"
when: '"etcd-client-cert" not in secrets_info.stdout'
when: '"etcd-client-cert" not in secrets_info.stdout or CHANGE_CA|bool'
- name: 删除 etcd-client-cert
shell: "{{ base_dir }}/bin/kubectl delete secret -n {{ prom_namespace }} etcd-client-cert || echo true"
when: 'CHANGE_CA|bool'
- name: 创建 etcd-client-cert
shell: "cd {{ cluster_dir }}/ssl && \
@ -31,15 +35,20 @@
--from-file=etcd-ca=ca.pem \
--from-file=etcd-client=etcd-client.pem \
--from-file=etcd-client-key=etcd-client-key.pem"
when: '"etcd-client-cert" not in secrets_info.stdout'
when: '"etcd-client-cert" not in secrets_info.stdout or CHANGE_CA|bool'
- debug: var="K8S_VER"
- name: 创建 prom chart 个性化设置
template: src=prometheus/values.yaml.j2 dest={{ cluster_dir }}/yml/prom-values.yaml
- name: helm 删除 kube-prometheus-stack {{ prom_chart_ver }}
shell: "{{ base_dir }}/bin/helm delete prometheus -n {{ prom_namespace }} || echo true; sleep 3"
when: 'CHANGE_CA|bool'
- name: helm 创建 kube-prometheus-stack {{ prom_chart_ver }}
shell: "{{ base_dir }}/bin/helm upgrade prometheus --install \
-n {{ prom_namespace }} -f {{ cluster_dir }}/yml/prom-values.yaml \
{{ base_dir }}/roles/cluster-addon/files/kube-prometheus-stack-{{ prom_chart_ver }}.tgz"
when: 'prom_install == "yes"'
tags: force_change_certs
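Review bot: Only the helm upgrade task carries `tags: force_change_certs` (L174); as far as the two hunks show, the cfssl gencert (L147-L151), the secret delete (L152-L154), the secret create (L156-L162) and the helm delete (L166-L168) are untagged, so a run limited to that tag — which the tag name suggests is the intended way to rotate certs — would re-apply the chart while the etcd-client-cert secret still holds material signed by the old CA. If that workflow is intended, add `tags: force_change_certs` to each of those tasks as the cilium and flannel hunks do for their delete tasks; if it is not, the tag on L174 alone is misleading and could be dropped. The file's other tasks are outside the hunk, so an `always`-style tag elsewhere cannot be ruled out from here.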


@ -1,4 +1 @@
# default values
# CHANGE_CA: when set true, force to change ca certs
CHANGE_CA: false


@ -4,6 +4,3 @@ KUBE_APISERVER: "https://{{ groups['kube_master'][0] }}:{{ SECURE_PORT }}"
#
ADD_KCFG: false
CUSTOM_EXPIRY: "438000h"
# CHANGE_CA: when set true, force to change ca certs
CHANGE_CA: false


@ -11,10 +11,18 @@
run_once: true
connection: local
- name: 删除 flannel网络
shell: "{{ base_dir }}/bin/kubectl delete -f {{ cluster_dir }}/yml/flannel.yaml || echo true; sleep 3"
run_once: true
connection: local
tags: force_change_certs
when: 'CHANGE_CA|bool'
- name: 运行 flannel网络
shell: "{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/flannel.yaml"
run_once: true
connection: local
tags: force_change_certs
- name: 删除默认cni配置
file: path=/etc/cni/net.d/10-default.conf state=absent
@ -27,3 +35,4 @@
delay: 8
ignore_errors: true
connection: local
tags: force_change_certs


@ -13,11 +13,19 @@
- kube-ovn.yaml
- ovn.yaml
- name: 删除 kube-ovn网络
shell: "{{ base_dir }}/bin/kubectl delete -f {{ cluster_dir }}/yml/crd.yaml; \
{{ base_dir }}/bin/kubectl delete -f {{ cluster_dir }}/yml/ovn.yaml; \
{{ base_dir }}/bin/kubectl delete -f {{ cluster_dir }}/yml/kube-ovn.yaml; sleep 3"
tags: force_change_certs
when: 'CHANGE_CA|bool'
- name: 运行 kube-ovn网络
shell: "{{ base_dir }}/bin/kubectl label node {{ OVN_DB_NODE }} kube-ovn/role=master --overwrite && \
{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/crd.yaml && sleep 5 && \
{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/ovn.yaml && sleep 5 && \
{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/kube-ovn.yaml"
tags: force_change_certs
run_once: true
connection: local
@ -37,3 +45,4 @@
delay: 8
ignore_errors: true
connection: local
tags: force_change_certs


@ -11,11 +11,19 @@
run_once: true
connection: local
- name: 删除 kube-router DaemonSet
shell: "{{ base_dir }}/bin/kubectl delete -f {{ cluster_dir }}/yml/kube-router.yaml || echo true; sleep 3"
run_once: true
connection: local
tags: force_change_certs
when: 'CHANGE_CA|bool'
# 只需单节点执行一次
- name: 运行 kube-router DaemonSet
shell: "{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/kube-router.yaml"
run_once: true
connection: local
tags: force_change_certs
# 删除原有cni配置
- name: 删除默认cni配置
@ -30,3 +38,4 @@
delay: 8
ignore_errors: true
connection: local
tags: force_change_certs