From d80404b7d980640213b039bc9da5b8d7cdd76c40 Mon Sep 17 00:00:00 2001
From: gjmzj
Date: Thu, 14 Feb 2019 14:13:13 +0800
Subject: [PATCH] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E6=B7=BB=E5=8A=A0etcd?= =?UTF-8?q?=E8=8A=82=E7=82=B9=E8=84=9A=E6=9C=AC?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 19.addetcd.yml | 54 ++++++++++++++++++++
 roles/new-etcd/clean-etcd.yml | 19 +++++++
 roles/new-etcd/defaults/main.yml | 4 ++
 roles/new-etcd/tasks/main.yml | 62 +++++++++++++++++++++++
 roles/new-etcd/templates/etcd-csr.json.j2 | 20 ++++++++
 roles/new-etcd/templates/etcd.service.j2 | 32 ++++++++++++
 6 files changed, 191 insertions(+)
 create mode 100644 19.addetcd.yml
 create mode 100644 roles/new-etcd/clean-etcd.yml
 create mode 100644 roles/new-etcd/defaults/main.yml
 create mode 100644 roles/new-etcd/tasks/main.yml
 create mode 100644 roles/new-etcd/templates/etcd-csr.json.j2
 create mode 100644 roles/new-etcd/templates/etcd.service.j2
diff --git a/19.addetcd.yml b/19.addetcd.yml
new file mode 100644
index 0000000..cde6813
--- /dev/null
+++ b/19.addetcd.yml
@@ -0,0 +1,54 @@
+# add new-etcd node, one at a time
+- hosts:
+ - new-etcd
+ tasks:
+ - name: add a new etcd member
+ shell: "ETCDCTL_API=3 {{ bin_dir }}/etcdctl member add {{ NODE_NAME }} --peer-urls=https://{{ inventory_hostname }}:2380"
+ delegate_to: "{{ groups.etcd[0] }}"
+ when: "inventory_hostname == groups['new-etcd'][0]"
+
+# start the new-etcd node
+- hosts:
+ - new-etcd
+ roles:
+ - { role: chrony, when: "hostvars[groups.deploy[0]]['NTP_ENABLED'] == 'yes' and inventory_hostname == groups['new-etcd'][0]" }
+ - { role: prepare, when: "inventory_hostname == groups['new-etcd'][0]" }
+ - { role: new-etcd, when: "inventory_hostname == groups['new-etcd'][0]" }
+
+# restart the original etcd cluster with the new configuration
+- hosts:
+ - etcd
+ roles:
+ - { role: new-etcd, when: "groups['new-etcd']|length > 0" }
+
+# modify the ansible hosts file
+- hosts:
+ - new-etcd
+ tasks:
+ - name: tag new-etcd's node FINISHED=yes
+ lineinfile:
+ dest: "{{ base_dir }}/hosts"
+ state: present
+ regexp: '{{ NODE_NAME }}'
+ line: "{{ inventory_hostname }} NODE_NAME={{ NODE_NAME }} FINISHED=yes"
+ connection: local
+ when: "inventory_hostname == groups['new-etcd'][0]"
+
+ - name: cp new-etcd's node to etcd group
+ lineinfile:
+ dest: "{{ base_dir }}/hosts"
+ state: present
+ insertafter: '^\[etcd\]'
+ firstmatch: yes
+ line: "{{ inventory_hostname }} NODE_NAME={{ NODE_NAME }}"
+ connection: local
+ when: "inventory_hostname == groups['new-etcd'][0]"
+
+- hosts: deploy
+ tasks:
+ - name: rm new-etcd's node
+ lineinfile:
+ dest: "{{ base_dir }}/hosts"
+ state: absent
+ regexp: 'FINISHED=yes'
+ connection: local
diff --git a/roles/new-etcd/clean-etcd.yml b/roles/new-etcd/clean-etcd.yml
new file mode 100644
index 0000000..7c841f9
--- /dev/null
+++ b/roles/new-etcd/clean-etcd.yml
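Review bot: The third play (`- hosts:` / `- etcd` with `role: new-etcd`) has no `serial:`, so the role's `systemctl restart etcd` is executed on every existing member at the same time and the cluster loses quorum for the length of the restart; add `serial: 1` to that play so members are cycled one at a time, with the role's `until: '"running" in etcd_status.stdout'` poll gating the next host. The `member add` task is also not idempotent — a re-run after a partial failure stops on the already-registered member — so either guard it with an `etcdctl member list` check or state in the header comment that the playbook is single-shot. Separately, `regexp: '{{ NODE_NAME }}'` in the FINISHED=yes task is an unanchored substring match, so a NODE_NAME of `etcd1` rewrites a line that contains `etcd10`; `regexp: 'NODE_NAME={{ NODE_NAME }}(\s|$)'` selects the intended line.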
@@ -0,0 +1,19 @@
+# to clean 'etcd' nodes
+- hosts:
+ - etcd
+ - new-etcd
+ tasks:
+ - name: stop and disable etcd service
+ service:
+ name: etcd
+ state: stopped
+ enabled: no
+ ignore_errors: true
+
+ - name: remove files and dirs
+ file: name={{ item }} state=absent
+ with_items:
+ - "/var/lib/etcd"
+ - "/etc/etcd/"
+ - "/backup/k8s"
+ - "/etc/systemd/system/etcd.service"
diff --git a/roles/new-etcd/defaults/main.yml b/roles/new-etcd/defaults/main.yml
new file mode 100644
index 0000000..d2e1352
--- /dev/null
+++ b/roles/new-etcd/defaults/main.yml
@@ -0,0 +1,4 @@
+# etcd 集群间通信的IP和端口, 根据etcd组成员自动生成
+# 新增 etcd 节点,一次只能增加一个
+TMP_NODES: "{% for h in groups['etcd'] %}{{ hostvars[h]['NODE_NAME'] }}=https://{{ h }}:2380,{% endfor %}{% if groups['new-etcd']|length > 0 %}{{ hostvars[groups['new-etcd'][0]]['NODE_NAME'] }}=https://{{ groups['new-etcd'][0] }}:2380,{% endif %}"
+ETCD_NODES: "{{ TMP_NODES.rstrip(',') }}"
diff --git a/roles/new-etcd/tasks/main.yml b/roles/new-etcd/tasks/main.yml
new file mode 100644
index 0000000..7cafffe
--- /dev/null
+++ b/roles/new-etcd/tasks/main.yml
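Review bot: This cleanup play targets `- etcd` as well as `- new-etcd`, so one run stops etcd and deletes `/var/lib/etcd` and `/backup/k8s` on every existing member — the whole cluster's data and its backups — with no confirmation step. Given that the file sits under roles/new-etcd and the accompanying playbook adds a single node, restrict `hosts:` to `new-etcd` (or require an explicit acknowledgement via a `vars_prompt` plus `when: confirm == 'yes'`), and drop `"/backup/k8s"` from the removal list unless wiping backups is really intended. Also write `enabled: false` instead of `enabled: no`; Ansible accepts both, but the bare `no` is the YAML 1.1 truthy spelling linters reject.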
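Review bot: `TMP_NODES` indexes `groups['new-etcd']` directly, so on an inventory that has no `[new-etcd]` section at all the template raises an undefined-variable error before the role runs on the original etcd hosts. Use a default in both the test and the index — `{% if groups['new-etcd'] | default([]) | length > 0 %}` — so the role degrades to the plain `[etcd]` list. The `--initial-cluster` string also silently assumes `NODE_NAME` is unique across both groups; a duplicate makes etcd reject the member with an unhelpful error, so a cheap `assert:` on the uniqueness of `groups['etcd'] | map('extract', hostvars, 'NODE_NAME') | list` before the role starts would save a debugging round.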
@@ -0,0 +1,62 @@
+- name: prepare some dirs
+ file: name={{ item }} state=directory
+ with_items:
+ - "{{ bin_dir }}"
+ - "{{ ca_dir }}"
+ - "/etc/etcd/ssl" # etcd 证书目录
+ - "/var/lib/etcd" # etcd 工作目录
+
+- name: 下载etcd二进制文件
+ copy: src={{ base_dir }}/bin/{{ item }} dest={{ bin_dir }}/{{ item }} mode=0755
+ with_items:
+ - etcd
+ - etcdctl
+ tags: upgrade_etcd
+
+- name: 分发证书相关
+ synchronize: src={{ ca_dir }}/{{ item }} dest={{ ca_dir }}/{{ item }}
+ with_items:
+ - ca.pem
+ - ca-key.pem
+ - ca.csr
+ - ca-config.json
+ delegate_to: "{{ groups.deploy[0] }}"
+
+# 注册变量p,根据p的stat信息判断是否已经生成过etcd证书,如果没有,下一步生成证书
+# 如果已经有etcd证书,为了保证整个安装的幂等性,跳过证书生成的步骤
+- name: 读取etcd证书stat信息
+ stat: path="/etc/etcd/ssl/etcd.pem"
+ register: p
+
+- name: 创建etcd证书请求
+ template: src=etcd-csr.json.j2 dest=/etc/etcd/ssl/etcd-csr.json
+ when: p.stat.isreg is not defined
+
+- name: 创建 etcd证书和私钥
+ when: p.stat.isreg is not defined
+ shell: "cd /etc/etcd/ssl && {{ bin_dir }}/cfssl gencert \
+ -ca={{ ca_dir }}/ca.pem \
+ -ca-key={{ ca_dir }}/ca-key.pem \
+ -config={{ ca_dir }}/ca-config.json \
+ -profile=kubernetes etcd-csr.json | {{ bin_dir }}/cfssljson -bare etcd"
+
+- name: 创建etcd的systemd unit文件
+ template: src=etcd.service.j2 dest=/etc/systemd/system/etcd.service
+ tags: upgrade_etcd
+
+- name: 开机启用etcd服务
+ shell: systemctl enable etcd
+ ignore_errors: true
+
+- name: 开启etcd服务
+ shell: systemctl daemon-reload && systemctl restart etcd
+ ignore_errors: true
+ tags: upgrade_etcd
+
+- name: 以轮询的方式等待服务同步完成
+ shell: "systemctl status etcd.service|grep Active"
+ register: etcd_status
+ until: '"running" in etcd_status.stdout'
+ retries: 8
+ delay: 8
+ tags: upgrade_etcd
diff --git a/roles/new-etcd/templates/etcd-csr.json.j2 b/roles/new-etcd/templates/etcd-csr.json.j2
new file mode 100644
index 0000000..674a334
--- /dev/null
+++ b/roles/new-etcd/templates/etcd-csr.json.j2
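Review bot: The `分发证核相关` synchronize task copies `ca-key.pem` — the cluster CA's private key — onto every etcd node, and since 19.addetcd.yml applies this role to the existing `etcd` group as well, every member ends up holding the key that can mint any client or peer certificate; compromising one etcd node then compromises the whole PKI. The key is only consumed by the `cfssl gencert` task, so sign on the deploy host instead (put `delegate_to: "{{ groups.deploy[0] }}"` on the CSR-template and gencert tasks, writing into a per-host directory) and push only the resulting `etcd.pem`/`etcd-key.pem`, removing `- ca-key.pem` from the synchronize list. Independently, `prepare some dirs` creates `/etc/etcd/ssl` with the default umask; give that entry `mode=0700` so the node key is protected regardless of the mode cfssljson writes it with, and prefer the `systemd` module over `shell: systemctl enable etcd` with `ignore_errors: true`, which hides a failed enable until the next reboot.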
@@ -0,0 +1,20 @@
+{
+ "CN": "etcd",
+ "hosts": [
+ "127.0.0.1",
+ "{{ inventory_hostname }}"
+ ],
+ "key": {
+ "algo": "rsa",
+ "size": 2048
+ },
+ "names": [
+ {
+ "C": "CN",
+ "ST": "HangZhou",
+ "L": "XS",
+ "O": "k8s",
+ "OU": "System"
+ }
+ ]
+}
diff --git a/roles/new-etcd/templates/etcd.service.j2 b/roles/new-etcd/templates/etcd.service.j2
new file mode 100644
index 0000000..a38b16b
--- /dev/null
+++ b/roles/new-etcd/templates/etcd.service.j2
@@ -0,0 +1,32 @@
+[Unit]
+Description=Etcd Server
+After=network.target
+After=network-online.target
+Wants=network-online.target
+Documentation=https://github.com/coreos
+
+[Service]
+Type=notify
+WorkingDirectory=/var/lib/etcd/
+ExecStart={{ bin_dir }}/etcd \
+ --name={{ NODE_NAME }} \
+ --cert-file=/etc/etcd/ssl/etcd.pem \
+ --key-file=/etc/etcd/ssl/etcd-key.pem \
+ --peer-cert-file=/etc/etcd/ssl/etcd.pem \
+ --peer-key-file=/etc/etcd/ssl/etcd-key.pem \
+ --trusted-ca-file={{ ca_dir }}/ca.pem \
+ --peer-trusted-ca-file={{ ca_dir }}/ca.pem \
+ --initial-advertise-peer-urls=https://{{ inventory_hostname }}:2380 \
+ --listen-peer-urls=https://{{ inventory_hostname }}:2380 \
+ --listen-client-urls=https://{{ inventory_hostname }}:2379,http://127.0.0.1:2379 \
+ --advertise-client-urls=https://{{ inventory_hostname }}:2379 \
+ --initial-cluster-token=etcd-cluster-0 \
+ --initial-cluster={{ ETCD_NODES }} \
+ --initial-cluster-state=existing \
+ --data-dir=/var/lib/etcd
+Restart=on-failure
+RestartSec=5
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target
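Review bot: `--listen-client-urls` includes `http://127.0.0.1:2379`, a plaintext listener, and no `--client-cert-auth` is set, so any local user or process on an etcd node can read and write the entire keyspace (for a Kubernetes cluster that is every Secret) and issue membership commands — which is exactly what lets the `etcdctl member add` in 19.addetcd.yml run without any TLS flags. Change the line to `--listen-client-urls=https://{{ inventory_hostname }}:2379 \`, add `--client-cert-auth=true \` and `--peer-client-cert-auth=true \` (without the latter the peer port accepts connections that present no CA-signed certificate at all), and give etcdctl `--endpoints=https://{{ inventory_hostname }}:2379 --cacert={{ ca_dir }}/ca.pem --cert=/etc/etcd/ssl/etcd.pem --key=/etc/etcd/ssl/etcd-key.pem`. Anything else on the node that relied on the loopback http endpoint (health checks, backup scripts) would have to switch to TLS as well, so note it in the commit when making the change.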