adjust scripts to support recreating CA and certs

v3.3
gjmzj 2022-11-27 20:42:58 +08:00
parent 6f6f8aea5a
commit a5fa5237a8
14 changed files with 81 additions and 15 deletions


@ -16,6 +16,9 @@ OS_HARDEN: false
CA_EXPIRY: "876000h" CA_EXPIRY: "876000h"
CERT_EXPIRY: "438000h" CERT_EXPIRY: "438000h"
# force to recreate CA and other certs, not suggested to set 'true'
CHANGE_CA: false
# kubeconfig 配置参数 # kubeconfig 配置参数
CLUSTER_NAME: "cluster1" CLUSTER_NAME: "cluster1"
CONTEXT_NAME: "context-{{ CLUSTER_NAME }}" CONTEXT_NAME: "context-{{ CLUSTER_NAME }}"
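Review bot: The comment on the new `CHANGE_CA` key only says `true` is "not suggested"; it should state what the flag does, because the rest of this commit shows it tears down and recreates the CNI and every addon after the CA is regenerated, so every kubeconfig, client certificate and service-account token issued under the old CA stops working and must be redistributed. I would write `# CHANGE_CA: set true ONLY for a one-off CA/cert rotation, then reset to false: the CA and all certs are regenerated and CNI/addons are deleted and recreated, so every kubeconfig, client cert and SA token issued under the old CA is invalidated.` It also appears to stay in effect on every later run until reset (inferred from "force to recreate"), which the comment should say. Note too that this commit drops the `CHANGE_CA: false` fallback from two role `defaults/main.yml` files, so an inventory whose `config.yml` predates this key will hit an undefined variable in every `when: 'CHANGE_CA|bool'`; `CHANGE_CA|default(false)|bool` in those conditions, or keeping the role default, avoids that.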


@ -23,10 +23,11 @@
template: src=calico-{{ calico_ver_main }}.yaml.j2 dest={{ cluster_dir }}/yml/calico.yaml template: src=calico-{{ calico_ver_main }}.yaml.j2 dest={{ cluster_dir }}/yml/calico.yaml
- name: 删除 calico网络 - name: 删除 calico网络
shell: "{{ base_dir }}/bin/kubectl delete -f {{ cluster_dir }}/yml/calico.yaml || echo NotFound" shell: "{{ base_dir }}/bin/kubectl delete -f {{ cluster_dir }}/yml/calico.yaml || echo NotFound; sleep 3"
when: 'CHANGE_CA|bool'
- name: 运行 calico网络 - name: 运行 calico网络
shell: "sleep 5 && {{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/calico.yaml" shell: "{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/calico.yaml"
run_once: true run_once: true
connection: local connection: local
tags: force_change_certs tags: force_change_certs
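Review bot: The guarded delete task (`删除 calico网络`) shows no `run_once: true` / `connection: local` in this hunk while the `运行 calico网络` task right below carries both, so unless the enclosing play sets them the delete runs `{{ base_dir }}/bin/kubectl` on every host of the play, and the `|| echo NotFound` plus the trailing `sleep 3` hide any failure, so a missing binary or an auth error against the freshly rotated CA is reported as success. If those lines exist outside the shown hunk this is moot, but otherwise I would add `run_once: true` and `connection: local` to the delete task. I would also drop the error masking in favour of `kubectl delete --ignore-not-found -f {{ cluster_dir }}/yml/calico.yaml`, which stays quiet for an absent resource but still fails on a connection or certificate error — exactly the failure this rotation path can produce. The fixed `sleep 3` is not a completion check either; `kubectl delete` returns before the DaemonSet pods are gone, so a `kubectl wait --for=delete` on the calico pods would make the recreate deterministic.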


@ -10,10 +10,16 @@
- name: 创建 cilium chart 个性化设置 - name: 创建 cilium chart 个性化设置
template: src=values.yaml.j2 dest={{ cluster_dir }}/yml/cilium-values.yaml template: src=values.yaml.j2 dest={{ cluster_dir }}/yml/cilium-values.yaml
- name: helm 删除 cilium {{ cilium_ver }}
shell: "{{ base_dir }}/bin/helm delete cilium -n kube-system || echo true; sleep 3"
tags: force_change_certs
when: 'CHANGE_CA|bool'
- name: helm 创建 cilium {{ cilium_ver }} - name: helm 创建 cilium {{ cilium_ver }}
shell: "{{ base_dir }}/bin/helm upgrade cilium --install \ shell: "{{ base_dir }}/bin/helm upgrade cilium --install \
-n kube-system -f {{ cluster_dir }}/yml/cilium-values.yaml \ -n kube-system -f {{ cluster_dir }}/yml/cilium-values.yaml \
{{ base_dir }}/roles/cilium/files/cilium-{{ cilium_ver }}.tgz" {{ base_dir }}/roles/cilium/files/cilium-{{ cilium_ver }}.tgz"
tags: force_change_certs
run_once: true run_once: true
connection: local connection: local
@ -36,6 +42,7 @@
delay: 8 delay: 8
ignore_errors: true ignore_errors: true
connection: local connection: local
tags: force_change_certs
# hubble-relay 可能需要重启一下 # hubble-relay 可能需要重启一下
- name: 重启hubble-relay pod - name: 重启hubble-relay pod
@ -44,3 +51,4 @@
run_once: true run_once: true
connection: local connection: local
when: "cilium_hubble_enabled|bool" when: "cilium_hubble_enabled|bool"
tags: force_change_certs
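Review bot: The new `helm 删除 cilium` task has no `run_once: true` / `connection: local`, while the sibling `helm 创建 cilium` task has both, so (unless the play sets them globally) `{{ base_dir }}/bin/helm delete` runs on every target host rather than on the control node, and `|| echo true; sleep 3` turns a missing helm binary or a failed uninstall there into success — with the visible result that cilium may never actually be removed before the `helm upgrade --install` re-uses the existing release. I would add `run_once: true` and `connection: local` to the delete task. Dropping the `|| echo true` and using `helm uninstall cilium -n kube-system` with an explicit `failed_when` that only tolerates the "release: not found" case would keep genuine errors (for example an apiserver rejecting the rotated CA) fatal instead of silently skipping the teardown.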


@ -2,6 +2,12 @@
- name: 准备 DNS的部署文件 - name: 准备 DNS的部署文件
template: src=dns/coredns.yaml.j2 dest={{ cluster_dir }}/yml/coredns.yaml template: src=dns/coredns.yaml.j2 dest={{ cluster_dir }}/yml/coredns.yaml
- name: 删除coredns部署
shell: "{{ base_dir }}/bin/kubectl delete -f {{ cluster_dir }}/yml/coredns.yaml || echo true; sleep 3"
tags: force_change_certs
when: 'CHANGE_CA|bool'
- name: 创建coredns部署 - name: 创建coredns部署
shell: "{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/coredns.yaml" shell: "{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/coredns.yaml"
tags: force_change_certs
when: 'dns_install == "yes"' when: 'dns_install == "yes"'
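Review bot: The delete-and-reapply of coredns inside `when: 'CHANGE_CA|bool'` creates a cluster-wide DNS outage for at least the `sleep 3` plus pod start-up, and `kubectl delete` with default background propagation returns before the old pods are gone, so the outage length is not bounded by this task. If the intent is only to have the pods pick up the rotated CA and re-issued service-account tokens, `kubectl rollout restart deployment -n kube-system coredns` (or whatever the manifest names the Deployment — confirm) does that as a rolling replacement with no gap, and the `kubectl apply` below can stay as the idempotent reconcile. If a hard delete is really needed, `kubectl delete --ignore-not-found -f ...` instead of `|| echo true` keeps connection/auth errors fatal while still tolerating an absent resource.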


@ -9,6 +9,12 @@
- "admin-user-sa-rbac.yaml" - "admin-user-sa-rbac.yaml"
- "read-user-sa-rbac.yaml" - "read-user-sa-rbac.yaml"
- name: 删除 dashboard部署
shell: "{{ base_dir }}/bin/kubectl delete -f {{ cluster_dir }}/yml/dashboard/ || echo true; sleep 3"
tags: force_change_certs
when: 'CHANGE_CA|bool'
- name: 创建 dashboard部署 - name: 创建 dashboard部署
shell: "{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/dashboard/" shell: "{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/dashboard/"
tags: force_change_certs
when: 'dashboard_install == "yes"' when: 'dashboard_install == "yes"'
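Review bot: `kubectl delete -f {{ cluster_dir }}/yml/dashboard/` removes every manifest rendered into that directory, which per the loop items visible above includes `admin-user-sa-rbac.yaml` and `read-user-sa-rbac.yaml`, so the `admin-user` and `read-user` ServiceAccounts and any token Secrets bound to them are destroyed and recreated (inferred from the file names — confirm). In a CA-rotation flow that is the right outcome, since it revokes every bearer token previously handed to operators, but it should be stated in the task name or a comment, e.g. `# CHANGE_CA: also recreates the admin-user/read-user ServiceAccounts, invalidating all previously issued dashboard tokens`, because operators will otherwise just see their token stop working. As elsewhere, `--ignore-not-found` is preferable to `|| echo true` so a real apiserver error is not swallowed.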


@ -12,22 +12,22 @@
- debug: var="CLUSTER_DNS_SVC_IP" - debug: var="CLUSTER_DNS_SVC_IP"
- import_tasks: coredns.yml - import_tasks: coredns.yml
when: '"coredns" not in pod_info.stdout and dns_install == "yes"' when: '"coredns" not in pod_info.stdout or CHANGE_CA|bool'
- import_tasks: nodelocaldns.yml - import_tasks: nodelocaldns.yml
when: '"node-local-dns" not in pod_info.stdout and ENABLE_LOCAL_DNS_CACHE|bool' when: '"node-local-dns" not in pod_info.stdout or CHANGE_CA|bool'
- import_tasks: metrics-server.yml - import_tasks: metrics-server.yml
when: '"metrics-server" not in pod_info.stdout and metricsserver_install == "yes"' when: '"metrics-server" not in pod_info.stdout or CHANGE_CA|bool'
- import_tasks: dashboard.yml - import_tasks: dashboard.yml
when: '"kubernetes-dashboard" not in pod_info.stdout and dashboard_install == "yes"' when: '"kubernetes-dashboard" not in pod_info.stdout or CHANGE_CA|bool'
- import_tasks: prometheus.yml - import_tasks: prometheus.yml
when: 'prom_install == "yes"' when: 'prom_install == "yes"'
- import_tasks: nfs-provisioner.yml - import_tasks: nfs-provisioner.yml
when: '"nfs-client-provisioner" not in pod_info.stdout and nfs_provisioner_install == "yes"' when: '"nfs-client-provisioner" not in pod_info.stdout or CHANGE_CA|bool'
- import_tasks: cilium_connectivity_check.yml - import_tasks: cilium_connectivity_check.yml
when: 'CLUSTER_NETWORK == "cilium"' when: 'CLUSTER_NETWORK == "cilium"'
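Review bot: Moving `dns_install`, `ENABLE_LOCAL_DNS_CACHE`, `metricsserver_install` and `dashboard_install` out of these import conditions means the whole task file now executes whenever `CHANGE_CA` is true, and only the final apply task in each file is still gated by the install flag, while the new `kubectl delete -f ...` tasks at the top of those files (visible in this commit) are gated on `CHANGE_CA` alone. A cluster with `dashboard_install: "no"` or `ENABLE_LOCAL_DNS_CACHE: false` will therefore still have `kubectl delete` run against those manifests during a rotation, and if the component was deployed by other means it is removed and never restored. I would keep the flag in the import condition, e.g. `when: '("coredns" not in pod_info.stdout or CHANGE_CA|bool) and dns_install == "yes"'`, and the same pattern for the other three imports, so a rotation cannot touch components this playbook was told not to manage.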


@ -2,6 +2,12 @@
- name: 准备 metrics-server的部署文件 - name: 准备 metrics-server的部署文件
template: src=metrics-server/components.yaml.j2 dest={{ cluster_dir }}/yml/metrics-server.yaml template: src=metrics-server/components.yaml.j2 dest={{ cluster_dir }}/yml/metrics-server.yaml
- name: 删除 metrics-server部署
shell: "{{ base_dir }}/bin/kubectl delete -f {{ cluster_dir }}/yml/metrics-server.yaml || echo true; sleep 3"
tags: force_change_certs
when: 'CHANGE_CA|bool'
- name: 创建 metrics-server部署 - name: 创建 metrics-server部署
shell: "{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/metrics-server.yaml" shell: "{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/metrics-server.yaml"
tags: force_change_certs
when: 'metricsserver_install == "yes"' when: 'metricsserver_install == "yes"'
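Review bot: `kubectl delete -f {{ cluster_dir }}/yml/metrics-server.yaml || echo true; sleep 3` ends with `sleep 3`, so the shell task's exit status is always zero and every failure of the delete — including the apiserver rejecting the rotated certificate, which is the one error this code path is most likely to hit — is indistinguishable from "nothing to delete". `kubectl delete --ignore-not-found -f {{ cluster_dir }}/yml/metrics-server.yaml` keeps a missing resource silent while leaving real errors fatal, and the delay belongs in a separate `pause`/`wait_for` task or a `kubectl wait --for=delete` rather than a trailing `sleep` that masks the status. The same `|| echo true; sleep 3` shape is repeated in the other addon files in this commit and would benefit from the same treatment.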


@ -7,6 +7,12 @@
template: src=dns/nodelocaldns-iptables.yaml.j2 dest={{ cluster_dir }}/yml/nodelocaldns.yaml template: src=dns/nodelocaldns-iptables.yaml.j2 dest={{ cluster_dir }}/yml/nodelocaldns.yaml
when: "PROXY_MODE == 'iptables'" when: "PROXY_MODE == 'iptables'"
- name: 删除dnscache部署
shell: "{{ base_dir }}/bin/kubectl delete -f {{ cluster_dir }}/yml/nodelocaldns.yaml || echo true; sleep 3"
tags: force_change_certs
when: 'CHANGE_CA|bool'
- name: 创建dnscache部署 - name: 创建dnscache部署
shell: "{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/nodelocaldns.yaml" shell: "{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/nodelocaldns.yaml"
tags: force_change_certs
when: 'ENABLE_LOCAL_DNS_CACHE|bool' when: 'ENABLE_LOCAL_DNS_CACHE|bool'
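Review bot: The `删除dnscache部署` task is gated on `CHANGE_CA|bool` alone while the apply below it is gated on `ENABLE_LOCAL_DNS_CACHE|bool`, so with the cache disabled but `CHANGE_CA` true the node-local-dns DaemonSet is deleted (if present) and never recreated; `when: 'CHANGE_CA|bool and ENABLE_LOCAL_DNS_CACHE|bool'` keeps the two in step. Deleting node-local-dns is also more disruptive than the other addons: if pods resolve through a per-node link-local cache address (inferred from the iptables/ipvs manifest variants above — confirm), every lookup on a node fails from the delete until the new DaemonSet pod is ready there, which a `kubectl rollout restart daemonset` would avoid if the goal is just to pick up the rotated CA.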


@ -23,7 +23,11 @@
-ca-key=ca-key.pem \ -ca-key=ca-key.pem \
-config=ca-config.json \ -config=ca-config.json \
-profile=kubernetes etcd-client-csr.json|{{ base_dir }}/bin/cfssljson -bare etcd-client" -profile=kubernetes etcd-client-csr.json|{{ base_dir }}/bin/cfssljson -bare etcd-client"
when: '"etcd-client-cert" not in secrets_info.stdout' when: '"etcd-client-cert" not in secrets_info.stdout or CHANGE_CA|bool'
- name: 删除 etcd-client-cert
shell: "{{ base_dir }}/bin/kubectl delete secret -n {{ prom_namespace }} etcd-client-cert || echo true"
when: 'CHANGE_CA|bool'
- name: 创建 etcd-client-cert - name: 创建 etcd-client-cert
shell: "cd {{ cluster_dir }}/ssl && \ shell: "cd {{ cluster_dir }}/ssl && \
@ -31,15 +35,20 @@
--from-file=etcd-ca=ca.pem \ --from-file=etcd-ca=ca.pem \
--from-file=etcd-client=etcd-client.pem \ --from-file=etcd-client=etcd-client.pem \
--from-file=etcd-client-key=etcd-client-key.pem" --from-file=etcd-client-key=etcd-client-key.pem"
when: '"etcd-client-cert" not in secrets_info.stdout' when: '"etcd-client-cert" not in secrets_info.stdout or CHANGE_CA|bool'
- debug: var="K8S_VER" - debug: var="K8S_VER"
- name: 创建 prom chart 个性化设置 - name: 创建 prom chart 个性化设置
template: src=prometheus/values.yaml.j2 dest={{ cluster_dir }}/yml/prom-values.yaml template: src=prometheus/values.yaml.j2 dest={{ cluster_dir }}/yml/prom-values.yaml
- name: helm 删除 kube-prometheus-stack {{ prom_chart_ver }}
shell: "{{ base_dir }}/bin/helm delete prometheus -n {{ prom_namespace }} || echo true; sleep 3"
when: 'CHANGE_CA|bool'
- name: helm 创建 kube-prometheus-stack {{ prom_chart_ver }} - name: helm 创建 kube-prometheus-stack {{ prom_chart_ver }}
shell: "{{ base_dir }}/bin/helm upgrade prometheus --install \ shell: "{{ base_dir }}/bin/helm upgrade prometheus --install \
-n {{ prom_namespace }} -f {{ cluster_dir }}/yml/prom-values.yaml \ -n {{ prom_namespace }} -f {{ cluster_dir }}/yml/prom-values.yaml \
{{ base_dir }}/roles/cluster-addon/files/kube-prometheus-stack-{{ prom_chart_ver }}.tgz" {{ base_dir }}/roles/cluster-addon/files/kube-prometheus-stack-{{ prom_chart_ver }}.tgz"
when: 'prom_install == "yes"' when: 'prom_install == "yes"'
tags: force_change_certs
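Review bot: The new `helm 删除 kube-prometheus-stack` and `删除 etcd-client-cert` tasks carry no `tags: force_change_certs`, while the `helm 创建` task below gets the tag in this same hunk and every other delete task added by this commit is tagged, so a run limited to `--tags force_change_certs` with `CHANGE_CA: true` skips both deletes: either the `kubectl create secret` step then fails with AlreadyExists, or, if it is untagged too, the old `etcd-client-cert` Secret signed by the retired CA stays mounted and `helm upgrade --install` just upgrades the existing release in place. Add `tags: force_change_certs` to both delete tasks, and check that the cert-generation task (which starts before this hunk) and the secret-creation task carry it as well. The regenerated `etcd-client-key.pem` is written by `cfssl` into `{{ cluster_dir }}/ssl` and loaded into a plain Secret; that is unchanged by this commit, but a comment noting that the old key material is overwritten in place (not shredded) would help whoever audits the rotation.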


@ -1,4 +1 @@
# default values # default values
# CHANGE_CA: when set true, force to change ca certs
CHANGE_CA: false


@ -4,6 +4,3 @@ KUBE_APISERVER: "https://{{ groups['kube_master'][0] }}:{{ SECURE_PORT }}"
# #
ADD_KCFG: false ADD_KCFG: false
CUSTOM_EXPIRY: "438000h" CUSTOM_EXPIRY: "438000h"
# CHANGE_CA: when set true, force to change ca certs
CHANGE_CA: false


@ -11,10 +11,18 @@
run_once: true run_once: true
connection: local connection: local
- name: 删除 flannel网络
shell: "{{ base_dir }}/bin/kubectl delete -f {{ cluster_dir }}/yml/flannel.yaml || echo true; sleep 3"
run_once: true
connection: local
tags: force_change_certs
when: 'CHANGE_CA|bool'
- name: 运行 flannel网络 - name: 运行 flannel网络
shell: "{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/flannel.yaml" shell: "{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/flannel.yaml"
run_once: true run_once: true
connection: local connection: local
tags: force_change_certs
- name: 删除默认cni配置 - name: 删除默认cni配置
file: path=/etc/cni/net.d/10-default.conf state=absent file: path=/etc/cni/net.d/10-default.conf state=absent
@ -27,3 +35,4 @@
delay: 8 delay: 8
ignore_errors: true ignore_errors: true
connection: local connection: local
tags: force_change_certs
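Review bot: `kubectl delete -f {{ cluster_dir }}/yml/flannel.yaml || echo true; sleep 3` masks every error and then applies over a DaemonSet whose pods may still be terminating, because `kubectl delete` returns once the object is accepted for deletion, not when the pods on every node are gone. I would write `{{ base_dir }}/bin/kubectl delete --ignore-not-found -f {{ cluster_dir }}/yml/flannel.yaml` so an auth or connection failure against the rotated CA stops the play, and replace the fixed `sleep 3` with a `kubectl wait --for=delete` on the flannel pods (the label selector lives in the template, not in this hunk) before the apply. Since the CNI is unavailable for new pods during that gap, knowing when it ends matters as much as the correctness of the recreate.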


@ -13,11 +13,19 @@
- kube-ovn.yaml - kube-ovn.yaml
- ovn.yaml - ovn.yaml
- name: 删除 kube-ovn网络
shell: "{{ base_dir }}/bin/kubectl delete -f {{ cluster_dir }}/yml/crd.yaml; \
{{ base_dir }}/bin/kubectl delete -f {{ cluster_dir }}/yml/ovn.yaml; \
{{ base_dir }}/bin/kubectl delete -f {{ cluster_dir }}/yml/kube-ovn.yaml; sleep 3"
tags: force_change_certs
when: 'CHANGE_CA|bool'
- name: 运行 kube-ovn网络 - name: 运行 kube-ovn网络
shell: "{{ base_dir }}/bin/kubectl label node {{ OVN_DB_NODE }} kube-ovn/role=master --overwrite && \ shell: "{{ base_dir }}/bin/kubectl label node {{ OVN_DB_NODE }} kube-ovn/role=master --overwrite && \
{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/crd.yaml && sleep 5 && \ {{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/crd.yaml && sleep 5 && \
{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/ovn.yaml && sleep 5 && \ {{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/ovn.yaml && sleep 5 && \
{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/kube-ovn.yaml" {{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/kube-ovn.yaml"
tags: force_change_certs
run_once: true run_once: true
connection: local connection: local
@ -37,3 +45,4 @@
delay: 8 delay: 8
ignore_errors: true ignore_errors: true
connection: local connection: local
tags: force_change_certs
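Review bot: The `删除 kube-ovn网络` task runs three `kubectl delete` commands joined by `;` and ends with `sleep 3`, so the task succeeds regardless of whether any of the deletes worked, and unlike the `运行 kube-ovn网络` task below it has no `run_once: true` / `connection: local`, so (unless the play sets them) the teardown is attempted from every host with `{{ base_dir }}/bin/kubectl`, which may not exist there — a failure the `;` chain then hides. I would add `run_once: true` and `connection: local`, and chain the deletes with `&&` using `--ignore-not-found` so a real error is surfaced. Deleting `crd.yaml` also removes the kube-ovn CRDs and therefore every custom resource stored under them (inferred from the file name — confirm against the template); if that is intended for a CA rotation it deserves a comment, since it is a data-loss step rather than a pod restart.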


@ -11,11 +11,19 @@
run_once: true run_once: true
connection: local connection: local
- name: 删除 kube-router DaemonSet
shell: "{{ base_dir }}/bin/kubectl delete -f {{ cluster_dir }}/yml/kube-router.yaml || echo true; sleep 3"
run_once: true
connection: local
tags: force_change_certs
when: 'CHANGE_CA|bool'
# 只需单节点执行一次 # 只需单节点执行一次
- name: 运行 kube-router DaemonSet - name: 运行 kube-router DaemonSet
shell: "{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/kube-router.yaml" shell: "{{ base_dir }}/bin/kubectl apply -f {{ cluster_dir }}/yml/kube-router.yaml"
run_once: true run_once: true
connection: local connection: local
tags: force_change_certs
# 删除原有cni配置 # 删除原有cni配置
- name: 删除默认cni配置 - name: 删除默认cni配置
@ -30,3 +38,4 @@
delay: 8 delay: 8
ignore_errors: true ignore_errors: true
connection: local connection: local
tags: force_change_certs