remove kubectl admin kubeconfig to improve security
parent
ab9603d509
commit
9983ec1ab7
|
@ -10,14 +10,19 @@
|
||||||
- name: 显示rr节点
|
- name: 显示rr节点
|
||||||
debug: var="NODE_IPS"
|
debug: var="NODE_IPS"
|
||||||
|
|
||||||
- name: 配置routeReflectorClusterID 和 node label
|
- name: 配置routeReflectorClusterID
|
||||||
shell: 'for ip in {{ NODE_IPS }};do \
|
shell: 'for ip in {{ NODE_IPS }};do \
|
||||||
node_name=$({{ bin_dir }}/calicoctl get node -owide|grep " $ip/"|cut -d" " -f1) && \
|
node_name=$({{ bin_dir }}/calicoctl get node -owide|grep " $ip/"|cut -d" " -f1) && \
|
||||||
{{ bin_dir }}/kubectl label node "$ip" route-reflector=true --overwrite && \
|
|
||||||
{{ bin_dir }}/calicoctl patch node "$node_name" \
|
{{ bin_dir }}/calicoctl patch node "$node_name" \
|
||||||
-p "{\"spec\": {\"bgp\": {\"routeReflectorClusterID\": \"244.0.0.1\"}}}"; \
|
-p "{\"spec\": {\"bgp\": {\"routeReflectorClusterID\": \"244.0.0.1\"}}}"; \
|
||||||
done'
|
done'
|
||||||
|
|
||||||
|
- name: node label
|
||||||
|
shell: 'for ip in {{ NODE_IPS }};do \
|
||||||
|
{{ base_dir }}/bin/kubectl label node "$ip" route-reflector=true --overwrite;
|
||||||
|
done'
|
||||||
|
connection: local
|
||||||
|
|
||||||
- name: 配置 calico bgp yaml文件
|
- name: 配置 calico bgp yaml文件
|
||||||
template: src={{ item }}.j2 dest=/etc/calico/{{ item }}
|
template: src={{ item }}.j2 dest=/etc/calico/{{ item }}
|
||||||
with_items:
|
with_items:
|
||||||
|
|
|
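Review bot: The new `node label` task loops over every address in NODE_IPS from the deploy host (`connection: local`) but has no `run_once: true`, so with several hosts in the play the same loop is re-executed once per host; since the loop already covers all RR nodes, `run_once: true` next to `connection: local` is the intended shape. The task also calls `{{ base_dir }}/bin/kubectl` without `--kubeconfig`, so it acts on whatever the deploy host's default kubeconfig (or an exported `KUBECONFIG`) resolves to rather than the cluster described by `{{ cluster_dir }}`; `--kubeconfig={{ cluster_dir }}/kubectl.kubeconfig` would pin it. The `with_items` list the hunk ends on continues outside it.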
@ -1,20 +1,39 @@
|
||||||
|
- block:
|
||||||
|
- name: 创建calico 证书请求
|
||||||
|
template: src=calico-csr.json.j2 dest={{ cluster_dir }}/ssl/calico-csr.json
|
||||||
|
|
||||||
|
- name: 创建 calico证书和私钥
|
||||||
|
shell: "cd {{ cluster_dir }}/ssl && {{ base_dir }}/bin/cfssl gencert \
|
||||||
|
-ca=ca.pem \
|
||||||
|
-ca-key=ca-key.pem \
|
||||||
|
-config=ca-config.json \
|
||||||
|
-profile=kubernetes calico-csr.json|{{ base_dir }}/bin/cfssljson -bare calico"
|
||||||
|
|
||||||
|
- name: get calico-etcd-secrets info
|
||||||
|
shell: "{{ base_dir }}/bin/kubectl get secrets -n kube-system"
|
||||||
|
register: secrets_info
|
||||||
|
|
||||||
|
- name: 创建 calico-etcd-secrets
|
||||||
|
shell: "cd {{ cluster_dir }}/ssl && \
|
||||||
|
{{ base_dir }}/bin/kubectl create secret generic -n kube-system calico-etcd-secrets \
|
||||||
|
--from-file=etcd-ca=ca.pem \
|
||||||
|
--from-file=etcd-key=calico-key.pem \
|
||||||
|
--from-file=etcd-cert=calico.pem"
|
||||||
|
when: '"calico-etcd-secrets" not in secrets_info.stdout'
|
||||||
|
|
||||||
|
- name: 配置 calico DaemonSet yaml文件
|
||||||
|
template: src=calico-{{ calico_ver_main }}.yaml.j2 dest={{ cluster_dir }}/yml/calico.yaml
|
||||||
|
|
||||||
|
- name: 运行 calico网络
|
||||||
|
shell: "{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/calico.yaml"
|
||||||
|
run_once: true
|
||||||
|
connection: local
|
||||||
|
|
||||||
- name: 在节点创建相关目录
|
- name: 在节点创建相关目录
|
||||||
file: name={{ item }} state=directory
|
file: name={{ item }} state=directory
|
||||||
with_items:
|
with_items:
|
||||||
- /etc/calico/ssl
|
- /etc/calico/ssl
|
||||||
|
|
||||||
- name: 创建calico 证书请求
|
|
||||||
template: src=calico-csr.json.j2 dest={{ cluster_dir }}/ssl/calico-csr.json
|
|
||||||
connection: local
|
|
||||||
|
|
||||||
- name: 创建 calico证书和私钥
|
|
||||||
shell: "cd {{ cluster_dir }}/ssl && {{ base_dir }}/bin/cfssl gencert \
|
|
||||||
-ca=ca.pem \
|
|
||||||
-ca-key=ca-key.pem \
|
|
||||||
-config=ca-config.json \
|
|
||||||
-profile=kubernetes calico-csr.json|{{ base_dir }}/bin/cfssljson -bare calico"
|
|
||||||
connection: local
|
|
||||||
|
|
||||||
- name: 分发calico证书相关
|
- name: 分发calico证书相关
|
||||||
copy: src={{ cluster_dir }}/ssl/{{ item }} dest=/etc/calico/ssl/{{ item }}
|
copy: src={{ cluster_dir }}/ssl/{{ item }} dest=/etc/calico/ssl/{{ item }}
|
||||||
with_items:
|
with_items:
|
||||||
|
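Review bot: Every kubectl call in the new block (`get secrets`, `create secret`, `apply -f`) runs on the deploy host with no `--kubeconfig`, so it uses whatever `~/.kube/config` or `KUBECONFIG` resolves to there, not necessarily the cluster that `{{ cluster_dir }}` describes; with more than one cluster directory on the deploy host the etcd secret can be created in the wrong cluster. Passing `--kubeconfig={{ cluster_dir }}/kubectl.kubeconfig` on each call, or setting `environment: {KUBECONFIG: "{{ cluster_dir }}/kubectl.kubeconfig"}` on the block, ties it to the cluster being deployed. The guard `'"calico-etcd-secrets" not in secrets_info.stdout'` is a substring match over the whole listing, so any secret whose name merely contains that string suppresses creation; `kubectl get secret calico-etcd-secrets -n kube-system --ignore-not-found` registered and tested for empty stdout is exact. The `copy` task the hunk ends on continues outside it.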
@ -22,30 +41,6 @@
|
||||||
- calico.pem
|
- calico.pem
|
||||||
- calico-key.pem
|
- calico-key.pem
|
||||||
|
|
||||||
- name: get calico-etcd-secrets info
|
|
||||||
shell: "{{ bin_dir }}/kubectl get secrets -n kube-system"
|
|
||||||
register: secrets_info
|
|
||||||
run_once: true
|
|
||||||
|
|
||||||
- name: 创建 calico-etcd-secrets
|
|
||||||
shell: "cd /etc/calico/ssl && \
|
|
||||||
{{ bin_dir }}/kubectl create secret generic -n kube-system calico-etcd-secrets \
|
|
||||||
--from-file=etcd-ca=ca.pem \
|
|
||||||
--from-file=etcd-key=calico-key.pem \
|
|
||||||
--from-file=etcd-cert=calico.pem"
|
|
||||||
when: '"calico-etcd-secrets" not in secrets_info.stdout'
|
|
||||||
run_once: true
|
|
||||||
|
|
||||||
- name: 配置 calico DaemonSet yaml文件
|
|
||||||
template: src=calico-{{ calico_ver_main }}.yaml.j2 dest={{ cluster_dir }}/yml/calico.yaml
|
|
||||||
run_once: true
|
|
||||||
connection: local
|
|
||||||
|
|
||||||
- name: 运行 calico网络
|
|
||||||
shell: "{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/calico.yaml"
|
|
||||||
run_once: true
|
|
||||||
connection: local
|
|
||||||
|
|
||||||
- name: 删除默认cni配置
|
- name: 删除默认cni配置
|
||||||
file: path=/etc/cni/net.d/10-default.conf state=absent
|
file: path=/etc/cni/net.d/10-default.conf state=absent
|
||||||
|
|
||||||
|
@ -59,13 +54,14 @@
|
||||||
- name: 准备 calicoctl配置文件
|
- name: 准备 calicoctl配置文件
|
||||||
template: src=calicoctl.cfg.j2 dest=/etc/calico/calicoctl.cfg
|
template: src=calicoctl.cfg.j2 dest=/etc/calico/calicoctl.cfg
|
||||||
|
|
||||||
- name: 轮询等待calico-node 运行,视下载镜像速度而定
|
- name: 轮询等待calico-node 运行
|
||||||
shell: "{{ bin_dir }}/kubectl get pod -n kube-system -o wide|grep 'calico-node'|grep ' {{ inventory_hostname }} '|awk '{print $3}'"
|
shell: "{{ base_dir }}/bin/kubectl get pod -n kube-system -o wide|grep 'calico-node'|grep ' {{ inventory_hostname }} '|awk '{print $3}'"
|
||||||
register: pod_status
|
register: pod_status
|
||||||
until: pod_status.stdout == "Running"
|
until: pod_status.stdout == "Running"
|
||||||
retries: 15
|
retries: 15
|
||||||
delay: 15
|
delay: 15
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
|
connection: local
|
||||||
|
|
||||||
- import_tasks: calico-rr.yml
|
- import_tasks: calico-rr.yml
|
||||||
when: 'CALICO_RR_ENABLED|bool'
|
when: 'CALICO_RR_ENABLED|bool'
|
||||||
|
|
|
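Review bot: The status probe now runs on the deploy host but still screen-scrapes `kubectl get pod -o wide` through `grep`/`awk`, and because `ignore_errors: true` is kept, a node whose calico-node pod never reaches Running still falls through into calico-rr.yml, which then runs calicoctl against it. A selector avoids the text parsing: `kubectl get pod -n kube-system -l k8s-app=calico-node --field-selector spec.nodeName={{ inventory_hostname }} -o jsonpath='{.items[*].status.phase}'`, which relies on node names equalling inventory_hostname exactly as the existing grep already does. If the wait is meant to be best-effort, a comment saying so above `ignore_errors: true` would make that explicit, e.g. `# best effort: a slow image pull must not abort the play`.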
@ -52,7 +52,7 @@ data:
|
||||||
"type": "k8s"
|
"type": "k8s"
|
||||||
},
|
},
|
||||||
"kubernetes": {
|
"kubernetes": {
|
||||||
"kubeconfig": "/root/.kube/config"
|
"kubeconfig": "/etc/cni/net.d/calico-kubeconfig"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
|
|
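Review bot: `/etc/cni/net.d/calico-kubeconfig` is not written by this playbook; it is generated at runtime by the calico-node DaemonSet's install-cni container from the calico-node ServiceAccount token, so the CNI plugin now authenticates with that account's ClusterRole instead of the cluster-admin certificate that `/root/.kube/config` carried — a real least-privilege gain, but one that depends on the install-cni container's CNI_NET_DIR and its `cni-net-dir` hostPath (elsewhere in this template, not in the hunk) still pointing at `/etc/cni/net.d`. That dependency belongs in a YAML comment above the `cni_network_config` key, outside the JSON the plugin parses, e.g. `# calico-kubeconfig is written by install-cni (calico-node SA token); path must match CNI_NET_DIR`. The second template hunk below makes the same change and warrants the same comment.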
@ -55,7 +55,7 @@ data:
|
||||||
"type": "k8s"
|
"type": "k8s"
|
||||||
},
|
},
|
||||||
"kubernetes": {
|
"kubernetes": {
|
||||||
"kubeconfig": "/root/.kube/config"
|
"kubeconfig": "/etc/cni/net.d/calico-kubeconfig"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
|
|
@ -28,13 +28,14 @@
|
||||||
file: path=/etc/cni/net.d/10-default.conf state=absent
|
file: path=/etc/cni/net.d/10-default.conf state=absent
|
||||||
|
|
||||||
# 等待网络插件部署成功,视下载镜像速度而定
|
# 等待网络插件部署成功,视下载镜像速度而定
|
||||||
- name: 轮询等待cilium-node 运行,视下载镜像速度而定
|
- name: 轮询等待cilium-node 运行
|
||||||
shell: "{{ bin_dir }}/kubectl get pod -n kube-system -owide -lk8s-app=cilium|grep ' {{ inventory_hostname }} '|awk '{print $3}'"
|
shell: "{{ base_dir }}/bin/kubectl get pod -n kube-system -owide -lk8s-app=cilium|grep ' {{ inventory_hostname }} '|awk '{print $3}'"
|
||||||
register: pod_status
|
register: pod_status
|
||||||
until: pod_status.stdout == "Running"
|
until: pod_status.stdout == "Running"
|
||||||
retries: 15
|
retries: 15
|
||||||
delay: 8
|
delay: 8
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
|
connection: local
|
||||||
|
|
||||||
# hubble-relay 可能需要重启一下
|
# hubble-relay 可能需要重启一下
|
||||||
- name: 重启hubble-relay pod
|
- name: 重启hubble-relay pod
|
||||||
|
|
|
@ -27,7 +27,7 @@
|
||||||
shell: "cd {{ cluster_dir }}/ssl && \
|
shell: "cd {{ cluster_dir }}/ssl && \
|
||||||
{{ base_dir }}/bin/cfssl gencert -initca ca-csr.json | {{ base_dir }}/bin/cfssljson -bare ca"
|
{{ base_dir }}/bin/cfssl gencert -initca ca-csr.json | {{ base_dir }}/bin/cfssljson -bare ca"
|
||||||
|
|
||||||
#----------- 创建配置文件: /root/.kube/config
|
#----------- 创建配置文件: kubectl.kubeconfig
|
||||||
- import_tasks: create-kubectl-kubeconfig.yml
|
- import_tasks: create-kubectl-kubeconfig.yml
|
||||||
tags: create_kctl_cfg
|
tags: create_kctl_cfg
|
||||||
|
|
||||||
|
|
|
@ -20,9 +20,10 @@
|
||||||
file: path=/etc/cni/net.d/10-default.conf state=absent
|
file: path=/etc/cni/net.d/10-default.conf state=absent
|
||||||
|
|
||||||
- name: 轮询等待flannel 运行,视下载镜像速度而定
|
- name: 轮询等待flannel 运行,视下载镜像速度而定
|
||||||
shell: "{{ bin_dir }}/kubectl get pod -n kube-system -o wide|grep 'flannel'|grep ' {{ inventory_hostname }} '|awk '{print $3}'"
|
shell: "{{ base_dir }}/bin/kubectl get pod -n kube-system -o wide|grep 'flannel'|grep ' {{ inventory_hostname }} '|awk '{print $3}'"
|
||||||
register: pod_status
|
register: pod_status
|
||||||
until: pod_status.stdout == "Running"
|
until: pod_status.stdout == "Running"
|
||||||
retries: 15
|
retries: 15
|
||||||
delay: 8
|
delay: 8
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
|
connection: local
|
||||||
|
|
|
@ -7,6 +7,15 @@
|
||||||
- kubectl
|
- kubectl
|
||||||
tags: upgrade_k8s
|
tags: upgrade_k8s
|
||||||
|
|
||||||
|
- name: 分发 kubeconfig配置文件
|
||||||
|
copy: src={{ cluster_dir }}/kubectl.kubeconfig dest=/root/.kube/config mode=0400
|
||||||
|
|
||||||
|
- name: 分发controller/scheduler kubeconfig配置文件
|
||||||
|
copy: src={{ cluster_dir }}/{{ item }} dest=/etc/kubernetes/{{ item }}
|
||||||
|
with_items:
|
||||||
|
- kube-controller-manager.kubeconfig
|
||||||
|
- kube-scheduler.kubeconfig
|
||||||
|
|
||||||
- name: 注册变量 KUBERNETES_SVC_IP
|
- name: 注册变量 KUBERNETES_SVC_IP
|
||||||
shell: echo {{ SERVICE_CIDR }}|cut -d/ -f1|awk -F. '{print $1"."$2"."$3"."$4+1}'
|
shell: echo {{ SERVICE_CIDR }}|cut -d/ -f1|awk -F. '{print $1"."$2"."$3"."$4+1}'
|
||||||
register: KUBERNETES_SVC_IP
|
register: KUBERNETES_SVC_IP
|
||||||
|
|
|
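Review bot: The new `分发 kubeconfig配置文件` task re-establishes `/root/.kube/config` only where the kube-master role runs, but nothing in the commit removes the copy that earlier releases placed on kube_node hosts, so on an upgraded cluster every worker still holds the cluster-admin kubeconfig and the embedded client certificate stays usable until the CA is rotated. A task such as `file: path=/root/.kube/config state=absent` with `when: inventory_hostname not in groups['kube_master']` in the kube-node role (or a documented manual step) is needed for the commit title to hold on existing clusters. Separately, the controller/scheduler kubeconfigs are copied with no `mode` while the kubectl one gets `mode=0400`; both embed client keys, so `copy: src={{ cluster_dir }}/{{ item }} dest=/etc/kubernetes/{{ item }} mode=0400` keeps them off the remote umask default. The `注册变量 KUBERNETES_SVC_IP` task the hunk ends on continues outside it.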
@ -1,13 +1,37 @@
|
||||||
- name: 准备kubelet 证书签名请求
|
- block:
|
||||||
template: src=kubelet-csr.json.j2 dest={{ cluster_dir }}/ssl/{{ inventory_hostname }}-kubelet-csr.json
|
- name: 准备kubelet 证书签名请求
|
||||||
connection: local
|
template: src=kubelet-csr.json.j2 dest={{ cluster_dir }}/ssl/{{ inventory_hostname }}-kubelet-csr.json
|
||||||
|
|
||||||
- name: 创建 kubelet 证书与私钥
|
- name: 创建 kubelet 证书与私钥
|
||||||
shell: "cd {{ cluster_dir }}/ssl && {{ base_dir }}/bin/cfssl gencert \
|
shell: "cd {{ cluster_dir }}/ssl && {{ base_dir }}/bin/cfssl gencert \
|
||||||
-ca=ca.pem \
|
-ca=ca.pem \
|
||||||
-ca-key=ca-key.pem \
|
-ca-key=ca-key.pem \
|
||||||
-config=ca-config.json \
|
-config=ca-config.json \
|
||||||
-profile=kubernetes {{ inventory_hostname }}-kubelet-csr.json | {{ base_dir }}/bin/cfssljson -bare {{ inventory_hostname }}-kubelet"
|
-profile=kubernetes {{ inventory_hostname }}-kubelet-csr.json | {{ base_dir }}/bin/cfssljson -bare {{ inventory_hostname }}-kubelet"
|
||||||
|
|
||||||
|
- name: 设置集群参数
|
||||||
|
shell: "{{ base_dir }}/bin/kubectl config set-cluster kubernetes \
|
||||||
|
--certificate-authority={{ cluster_dir }}/ssl/ca.pem \
|
||||||
|
--embed-certs=true \
|
||||||
|
--server={{ KUBE_APISERVER }} \
|
||||||
|
--kubeconfig={{ cluster_dir }}/{{ inventory_hostname }}-kubelet.kubeconfig"
|
||||||
|
|
||||||
|
- name: 设置客户端认证参数
|
||||||
|
shell: "{{ base_dir }}/bin/kubectl config set-credentials system:node:{{ inventory_hostname }} \
|
||||||
|
--client-certificate={{ cluster_dir }}/ssl/{{ inventory_hostname }}-kubelet.pem \
|
||||||
|
--embed-certs=true \
|
||||||
|
--client-key={{ cluster_dir }}/ssl/{{ inventory_hostname }}-kubelet-key.pem \
|
||||||
|
--kubeconfig={{ cluster_dir }}/{{ inventory_hostname }}-kubelet.kubeconfig"
|
||||||
|
|
||||||
|
- name: 设置上下文参数
|
||||||
|
shell: "{{ base_dir }}/bin/kubectl config set-context default \
|
||||||
|
--cluster=kubernetes \
|
||||||
|
--user=system:node:{{ inventory_hostname }} \
|
||||||
|
--kubeconfig={{ cluster_dir }}/{{ inventory_hostname }}-kubelet.kubeconfig"
|
||||||
|
|
||||||
|
- name: 选择默认上下文
|
||||||
|
shell: "{{ base_dir }}/bin/kubectl config use-context default \
|
||||||
|
--kubeconfig={{ cluster_dir }}/{{ inventory_hostname }}-kubelet.kubeconfig"
|
||||||
connection: local
|
connection: local
|
||||||
|
|
||||||
- name: 分发ca 证书
|
- name: 分发ca 证书
|
||||||
|
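Review bot: The `connection: local` that makes the whole block run on the deploy host is its last line, after ten `{{ base_dir }}/bin/...` tasks, so a reader has to reach the end to learn that none of them touch the node; a header comment above `- block:` should carry that, e.g. `# Runs on the deploy host (connection: local): the per-node kubelet cert and kubeconfig are generated under {{ cluster_dir }} and copied to the node afterwards`. The same comment should note that each `{{ inventory_hostname }}-kubelet.kubeconfig` embeds the node's private key (`--embed-certs=true` with `--client-key`), so `{{ cluster_dir }}` now holds one key-bearing file per node in addition to the `*-kubelet-key.pem` files under `ssl/`. The `分发ca 证书` task the hunk ends on continues outside it.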
@ -19,27 +43,5 @@
|
||||||
- kubelet.pem
|
- kubelet.pem
|
||||||
- kubelet-key.pem
|
- kubelet-key.pem
|
||||||
|
|
||||||
# 创建kubelet.kubeconfig
|
- name: 分发kubeconfig
|
||||||
- name: 设置集群参数
|
copy: src={{ cluster_dir }}/{{ inventory_hostname }}-kubelet.kubeconfig dest=/etc/kubernetes/kubelet.kubeconfig
|
||||||
shell: "{{ bin_dir }}/kubectl config set-cluster kubernetes \
|
|
||||||
--certificate-authority={{ ca_dir }}/ca.pem \
|
|
||||||
--embed-certs=true \
|
|
||||||
--server={{ KUBE_APISERVER }} \
|
|
||||||
--kubeconfig=/etc/kubernetes/kubelet.kubeconfig"
|
|
||||||
|
|
||||||
- name: 设置客户端认证参数
|
|
||||||
shell: "{{ bin_dir }}/kubectl config set-credentials system:node:{{ inventory_hostname }} \
|
|
||||||
--client-certificate={{ ca_dir }}/kubelet.pem \
|
|
||||||
--embed-certs=true \
|
|
||||||
--client-key={{ ca_dir }}/kubelet-key.pem \
|
|
||||||
--kubeconfig=/etc/kubernetes/kubelet.kubeconfig"
|
|
||||||
|
|
||||||
- name: 设置上下文参数
|
|
||||||
shell: "{{ bin_dir }}/kubectl config set-context default \
|
|
||||||
--cluster=kubernetes \
|
|
||||||
--user=system:node:{{ inventory_hostname }} \
|
|
||||||
--kubeconfig=/etc/kubernetes/kubelet.kubeconfig"
|
|
||||||
|
|
||||||
- name: 选择默认上下文
|
|
||||||
shell: "{{ bin_dir }}/kubectl config use-context default \
|
|
||||||
--kubeconfig=/etc/kubernetes/kubelet.kubeconfig"
|
|
||||||
|
|
|
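Review bot: The new `分发kubeconfig` task copies `{{ inventory_hostname }}-kubelet.kubeconfig` to `/etc/kubernetes/kubelet.kubeconfig` without a `mode`, so a file that embeds the kubelet's private key lands at the remote default (typically 0644 under a 022 umask), whereas the removed in-place `kubectl config` tasks created it with kubectl's own restrictive default (0600, as far as I recall); the move therefore loosens the file's permissions. `copy: src={{ cluster_dir }}/{{ inventory_hostname }}-kubelet.kubeconfig dest=/etc/kubernetes/kubelet.kubeconfig mode=0600` restores it, and the kube-proxy.kubeconfig copy this commit adds to the kube-node role deserves the same `mode=0600`.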
@ -3,7 +3,6 @@
|
||||||
with_items:
|
with_items:
|
||||||
- /var/lib/kubelet
|
- /var/lib/kubelet
|
||||||
- /var/lib/kube-proxy
|
- /var/lib/kube-proxy
|
||||||
- /etc/cni/net.d
|
|
||||||
|
|
||||||
- name: 下载 kubelet,kube-proxy 二进制和基础 cni plugins
|
- name: 下载 kubelet,kube-proxy 二进制和基础 cni plugins
|
||||||
copy: src={{ base_dir }}/bin/{{ item }} dest={{ bin_dir }}/{{ item }} mode=0755
|
copy: src={{ base_dir }}/bin/{{ item }} dest={{ bin_dir }}/{{ item }} mode=0755
|
||||||
|
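Review bot: Dropping `/etc/cni/net.d` from the `创建相关目录` list means this role no longer creates the CNI config directory, yet every network role in the commit still deletes `/etc/cni/net.d/10-default.conf`, which suggests some later task (outside this hunk) still templates that file; `template`/`copy` fail with "Destination directory does not exist" when the parent is missing on a fresh node. If that task still exists, keep `- /etc/cni/net.d` in the list; if the default CNI config was dropped as well, the now-pointless `state=absent` tasks in the calico, cilium, flannel, kube-ovn and kube-router roles can go too. The `with_items` list the hunk starts on begins outside it.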
@ -16,12 +15,6 @@
|
||||||
- loopback
|
- loopback
|
||||||
tags: upgrade_k8s
|
tags: upgrade_k8s
|
||||||
|
|
||||||
- name: 替换 kubeconfig 的 apiserver 地址
|
|
||||||
lineinfile:
|
|
||||||
dest: /root/.kube/config
|
|
||||||
regexp: "^ server"
|
|
||||||
line: " server: {{ KUBE_APISERVER }}"
|
|
||||||
|
|
||||||
##----------kubelet 配置部分--------------
|
##----------kubelet 配置部分--------------
|
||||||
# 创建 kubelet 相关证书及 kubelet.kubeconfig
|
# 创建 kubelet 相关证书及 kubelet.kubeconfig
|
||||||
- import_tasks: create-kubelet-kubeconfig.yml
|
- import_tasks: create-kubelet-kubeconfig.yml
|
||||||
|
@ -53,6 +46,9 @@
|
||||||
tags: upgrade_k8s, restart_node
|
tags: upgrade_k8s, restart_node
|
||||||
|
|
||||||
##-------kube-proxy部分----------------
|
##-------kube-proxy部分----------------
|
||||||
|
- name: 分发 kube-proxy.kubeconfig配置文件
|
||||||
|
copy: src={{ cluster_dir }}/kube-proxy.kubeconfig dest=/etc/kubernetes/kube-proxy.kubeconfig
|
||||||
|
|
||||||
- name: 替换 kube-proxy.kubeconfig 的 apiserver 地址
|
- name: 替换 kube-proxy.kubeconfig 的 apiserver 地址
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: /etc/kubernetes/kube-proxy.kubeconfig
|
dest: /etc/kubernetes/kube-proxy.kubeconfig
|
||||||
|
@ -94,13 +90,15 @@
|
||||||
tags: reload-kube-proxy, upgrade_k8s, restart_node
|
tags: reload-kube-proxy, upgrade_k8s, restart_node
|
||||||
|
|
||||||
- name: 轮询等待node达到Ready状态
|
- name: 轮询等待node达到Ready状态
|
||||||
shell: "{{ bin_dir }}/kubectl get node {{ inventory_hostname }}|awk 'NR>1{print $2}'"
|
shell: "{{ base_dir }}/bin/kubectl get node {{ inventory_hostname }}|awk 'NR>1{print $2}'"
|
||||||
register: node_status
|
register: node_status
|
||||||
until: node_status.stdout == "Ready" or node_status.stdout == "Ready,SchedulingDisabled"
|
until: node_status.stdout == "Ready" or node_status.stdout == "Ready,SchedulingDisabled"
|
||||||
retries: 8
|
retries: 8
|
||||||
delay: 8
|
delay: 8
|
||||||
tags: upgrade_k8s, restart_node
|
tags: upgrade_k8s, restart_node
|
||||||
|
connection: local
|
||||||
|
|
||||||
- name: 设置node节点role
|
- name: 设置node节点role
|
||||||
shell: "{{ bin_dir }}/kubectl label node {{ inventory_hostname }} kubernetes.io/role=node --overwrite"
|
shell: "{{ base_dir }}/bin/kubectl label node {{ inventory_hostname }} kubernetes.io/role=node --overwrite"
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
|
connection: local
|
||||||
|
|
|
@ -1,45 +1,39 @@
|
||||||
- name: 创建相关目录
|
- block:
|
||||||
file: name={{ item }} state=directory
|
- name: 注册变量 ovn_default_gateway
|
||||||
with_items:
|
shell: echo {{ CLUSTER_CIDR }}|cut -d/ -f1|awk -F. '{print $1"."$2"."$3"."$4+1}'
|
||||||
- /etc/cni/net.d
|
register: ovn_default_gateway
|
||||||
- /opt/kube/kube-ovn
|
|
||||||
|
|
||||||
- name: 注册变量 ovn_default_gateway
|
- name: 设置变量 kube_ovn_default_gateway
|
||||||
shell: echo {{ CLUSTER_CIDR }}|cut -d/ -f1|awk -F. '{print $1"."$2"."$3"."$4+1}'
|
set_fact: kube_ovn_default_gateway={{ ovn_default_gateway.stdout }}
|
||||||
register: ovn_default_gateway
|
|
||||||
|
|
||||||
- name: 设置变量 kube_ovn_default_gateway
|
- name: 创建配置文件
|
||||||
set_fact: kube_ovn_default_gateway={{ ovn_default_gateway.stdout }}
|
template: src={{ item }}.j2 dest={{ cluster_dir }}/yml/{{ item }}
|
||||||
|
with_items:
|
||||||
|
- crd.yaml
|
||||||
|
- kube-ovn.yaml
|
||||||
|
- ovn.yaml
|
||||||
|
|
||||||
- name: 配置 crd.yaml 文件
|
- name: 运行 kube-ovn网络
|
||||||
template: src=crd.yaml.j2 dest=/opt/kube/kube-ovn/crd.yaml
|
shell: "{{ base_dir }}/bin/kubectl label node {{ OVN_DB_NODE }} kube-ovn/role=master --overwrite && \
|
||||||
|
{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/crd.yaml && sleep 5 && \
|
||||||
- name: 配置 kube-ovn.yaml 文件
|
{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/ovn.yaml && sleep 5 && \
|
||||||
template: src=kube-ovn.yaml.j2 dest=/opt/kube/kube-ovn/kube-ovn.yaml
|
{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/kube-ovn.yaml"
|
||||||
|
|
||||||
- name: 配置 ovn.yaml 文件
|
|
||||||
template: src=ovn.yaml.j2 dest=/opt/kube/kube-ovn/ovn.yaml
|
|
||||||
|
|
||||||
- name: 配置 kubectl plugin
|
|
||||||
template: src=kubectl-ko.j2 dest=/usr/local/bin/kubectl-ko mode=0755
|
|
||||||
|
|
||||||
# 只需单节点执行一次
|
|
||||||
- name: 运行 kube-ovn网络
|
|
||||||
shell: "{{ bin_dir }}/kubectl label node {{ OVN_DB_NODE }} kube-ovn/role=master --overwrite && \
|
|
||||||
{{ bin_dir }}/kubectl apply -f /opt/kube/kube-ovn/crd.yaml && sleep 5 && \
|
|
||||||
{{ bin_dir }}/kubectl apply -f /opt/kube/kube-ovn/ovn.yaml && sleep 5 && \
|
|
||||||
{{ bin_dir }}/kubectl apply -f /opt/kube/kube-ovn/kube-ovn.yaml"
|
|
||||||
run_once: true
|
run_once: true
|
||||||
|
connection: local
|
||||||
|
|
||||||
# 删除原有cni配置
|
# 删除原有cni配置
|
||||||
- name: 删除默认cni配置
|
- name: 删除默认cni配置
|
||||||
file: path=/etc/cni/net.d/10-default.conf state=absent
|
file: path=/etc/cni/net.d/10-default.conf state=absent
|
||||||
|
|
||||||
|
- name: 配置 kubectl plugin
|
||||||
|
template: src=kubectl-ko.j2 dest=/usr/local/bin/kubectl-ko mode=0755
|
||||||
|
|
||||||
# 等待网络插件部署成功,视下载镜像速度而定
|
# 等待网络插件部署成功,视下载镜像速度而定
|
||||||
- name: 轮询等待kube-ovn 运行,视下载镜像速度而定
|
- name: 轮询等待kube-ovn 运行,视下载镜像速度而定
|
||||||
shell: "{{ bin_dir }}/kubectl get pod -n kube-ovn -o wide|grep 'kube-ovn-cni'|grep ' {{ inventory_hostname }} '|awk '{print $3}'"
|
shell: "{{ base_dir }}/bin/kubectl get pod -n kube-ovn -o wide|grep 'kube-ovn-cni'|grep ' {{ inventory_hostname }} '|awk '{print $3}'"
|
||||||
register: pod_status
|
register: pod_status
|
||||||
until: pod_status.stdout == "Running"
|
until: pod_status.stdout == "Running"
|
||||||
retries: 15
|
retries: 15
|
||||||
delay: 8
|
delay: 8
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
|
connection: local
|
||||||
|
|
|
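Review bot: The `配置 kubectl plugin` task moved out of the deploy-host block and now runs on every host in the play, installing `/usr/local/bin/kubectl-ko` on nodes that, after this commit, no longer receive `/root/.kube/config`; assuming kubectl-ko shells out to kubectl as kube-ovn's plugin does, it cannot work there. Guarding it with `when: inventory_hostname in groups['kube_master']`, or templating it on the deploy host with `connection: local` and `run_once: true` beside the other local artifacts, matches the commit's intent. The `运行 kube-ovn网络` shell also issues three `kubectl apply` calls with no `--kubeconfig`, so on a deploy host that manages several `cluster_dir`s it targets whichever cluster the default kubeconfig points at.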
@ -23,9 +23,10 @@
|
||||||
|
|
||||||
# 等待网络插件部署成功,视下载镜像速度而定
|
# 等待网络插件部署成功,视下载镜像速度而定
|
||||||
- name: 轮询等待kube-router 运行,视下载镜像速度而定
|
- name: 轮询等待kube-router 运行,视下载镜像速度而定
|
||||||
shell: "{{ bin_dir }}/kubectl get pod -n kube-system -o wide|grep 'kube-router'|grep ' {{ inventory_hostname }} '|awk '{print $3}'"
|
shell: "{{ base_dir }}/bin/kubectl get pod -n kube-system -o wide|grep 'kube-router'|grep ' {{ inventory_hostname }} '|awk '{print $3}'"
|
||||||
register: pod_status
|
register: pod_status
|
||||||
until: pod_status.stdout == "Running"
|
until: pod_status.stdout == "Running"
|
||||||
retries: 15
|
retries: 15
|
||||||
delay: 8
|
delay: 8
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
|
connection: local
|
||||||
|
|
|
@ -59,18 +59,3 @@
|
||||||
state: present
|
state: present
|
||||||
regexp: 'easzlab.io.local'
|
regexp: 'easzlab.io.local'
|
||||||
line: "{{ ansible_env.SSH_CLIENT.split(' ')[0] }} easzlab.io.local"
|
line: "{{ ansible_env.SSH_CLIENT.split(' ')[0] }} easzlab.io.local"
|
||||||
|
|
||||||
- block:
|
|
||||||
- name: 分发 kubeconfig配置文件
|
|
||||||
copy: src={{ cluster_dir }}/kubectl.kubeconfig dest=/root/.kube/config mode=0400
|
|
||||||
|
|
||||||
- name: 分发 kube-proxy.kubeconfig配置文件
|
|
||||||
copy: src={{ cluster_dir }}/kube-proxy.kubeconfig dest=/etc/kubernetes/kube-proxy.kubeconfig
|
|
||||||
|
|
||||||
- name: 分发controller/scheduler kubeconfig配置文件
|
|
||||||
copy: src={{ cluster_dir }}/{{ item }} dest=/etc/kubernetes/{{ item }}
|
|
||||||
with_items:
|
|
||||||
- kube-controller-manager.kubeconfig
|
|
||||||
- kube-scheduler.kubeconfig
|
|
||||||
when: "inventory_hostname in groups['kube_master']"
|
|
||||||
when: "inventory_hostname in groups['kube_master'] or inventory_hostname in groups['kube_node']"
|
|
||||||
|
|