Jonny Ervine
694af68fb1
new file: files/admin-csr.json new file: files/ca-config.json new file: files/ca-csr.json new file: inventory new file: inventory.orig new file: k8s-deploy.yaml new file: k8s-deploy/00-k8s-requirements.yaml new file: k8s-deploy/01-k8s-certs-create.yaml new file: k8s-deploy/02-k8s-certs-copy.yaml new file: k8s-deploy/03-k8s-deploy-etcd.yaml new file: k8s-deploy/04-k8s-controller-deploy.yaml new file: k8s-deploy/05-k8s-nginx-deploy.yaml new file: k8s-deploy/06-k8s-workers-certs-deploy.yaml new file: k8s-deploy/07-k8s-worker-deploy.yaml new file: k8s-deploy/08-rbac-clusterrole-create.yaml new file: k8s-deploy/09-k8s-create-remote-admin.yaml new file: k8s-deploy/README.md new file: k8s-deploy/core-dns.yaml new file: k8s-deploy/defaults/main.yml new file: k8s-deploy/files/99_loopback.conf new file: k8s-deploy/files/X-csr.json new file: k8s-deploy/files/admin-csr.json new file: k8s-deploy/files/arm/etcd new file: k8s-deploy/files/arm/etcdctl new file: k8s-deploy/files/ca-config.json new file: k8s-deploy/files/ca-csr.json new file: k8s-deploy/files/clusterrole-api-to-kubelet.yaml new file: k8s-deploy/files/clusterrolebinding-api-to-kubelet.yaml new file: k8s-deploy/files/config.toml new file: k8s-deploy/files/containerd.service new file: k8s-deploy/files/kube-controller-manager-csr.json new file: k8s-deploy/files/kube-proxy-csr.json new file: k8s-deploy/files/kube-proxy.service new file: k8s-deploy/files/kube-scheduler-csr.json new file: k8s-deploy/files/kubelet.service new file: k8s-deploy/files/kubernetes-csr.json new file: k8s-deploy/files/service-account-csr.json new file: k8s-deploy/files/x86_64/etcd new file: k8s-deploy/files/x86_64/etcdctl new file: k8s-deploy/handlers/main.yml new file: k8s-deploy/k8s-deploy.yaml new file: k8s-deploy/k8s-uninstall.yaml new file: k8s-deploy/meta/main.yml new file: k8s-deploy/tasks/k8s-certs-create.yaml new file: k8s-deploy/tasks/main.yml new file: k8s-deploy/templates/10_bridge.conf.j2 new file: k8s-deploy/templates/encryption-config.j2 new file: k8s-deploy/templates/etcd.service-amd64.j2 new file: k8s-deploy/templates/etcd.service-arm.j2 new file: k8s-deploy/templates/kube-apiserver.service.j2 new file: k8s-deploy/templates/kube-controller-manager.service.j2 new file: k8s-deploy/templates/kube-proxy-config.yaml.j2 new file: k8s-deploy/templates/kube-scheduler.service.j2 new file: k8s-deploy/templates/kube-scheduler.yaml.j2 new file: k8s-deploy/templates/kubelet-config.yaml.j2 new file: k8s-deploy/templates/kubernetes.default.svc.cluster.local.j2 new file: k8s-deploy/templates/worker-csr_json.j2 new file: k8s-deploy/test.yaml new file: k8s-deploy/tests/inventory new file: k8s-deploy/tests/test.yml new file: k8s-deploy/vars/main.yml new file: rollback_k8s-deploy.yaml Initial commit
131 lines
7.0 KiB
YAML
131 lines
7.0 KiB
YAML
---
|
|
- name: Playbook to automate a manual k8s installation
|
|
hosts: localhost
|
|
vars:
|
|
worker_name:
|
|
- debian-k8s-node1
|
|
- debian-k8s-node2
|
|
server_name: "{{ item }}"
|
|
haproxy_addr: "192.168.11.58"
|
|
etcd_host1_ip: "192.168.11.167"
|
|
etcd_host2_ip: "192.168.11.94"
|
|
kube_cluster: "kubernetes"
|
|
become: true
|
|
tasks:
|
|
- name: Download and install the cfssl utility
|
|
get_url:
|
|
url: https://pkg.cfssl.org/R1.2/{{ item }}_linux-amd64
|
|
dest: /usr/local/bin/{{ item }}
|
|
mode: 0755
|
|
with_items:
|
|
- cfssl
|
|
- cfssljson
|
|
|
|
- name: Put the seed key material files in place
|
|
file:
|
|
path: /var/tmp/kubernetes
|
|
state: directory
|
|
- copy:
|
|
src: files/{{ item }}
|
|
dest: /var/tmp/kubernetes/
|
|
mode: preserve
|
|
with_items:
|
|
- ca-csr.json
|
|
- admin-csr.json
|
|
- ca-config.json
|
|
- kube-controller-manager-csr.json
|
|
- kube-proxy-csr.json
|
|
- kube-scheduler-csr.json
|
|
- kubernetes-csr.json
|
|
- service-account-csr.json
|
|
- template:
|
|
src: templates/worker-csr_json.j2
|
|
dest: /var/tmp/kubernetes/{{ item }}-csr.json
|
|
mode: preserve
|
|
with_items:
|
|
- "{{ worker_name }}"
|
|
|
|
- name: Create the CA
|
|
shell: /usr/local/bin/cfssl gencert -initca ca-csr.json | /usr/local/bin/cfssljson -bare ca
|
|
args:
|
|
chdir: /var/tmp/kubernetes
|
|
|
|
- name: Create the admin KMOs
|
|
shell: /usr/local/bin/cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | /usr/local/bin/cfssljson -bare admin
|
|
args:
|
|
chdir: /var/tmp/kubernetes
|
|
|
|
- name: Create the worker node certificates
|
|
shell: /usr/local/bin/cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -hostname={{ item }} -profile=kubernetes {{ item }}-csr.json | /usr/local/bin/cfssljson -bare {{ item }}
|
|
args:
|
|
chdir: /var/tmp/kubernetes
|
|
with_items:
|
|
- "{{ worker_name }}"
|
|
|
|
- name: Create the kube-controller-manager KMOs
|
|
shell: /usr/local/bin/cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-controller-manager-csr.json | /usr/local/bin/cfssljson -bare kube-controller-manager
|
|
args:
|
|
chdir: /var/tmp/kubernetes
|
|
|
|
- name: Create the kube-proxy KMOs
|
|
shell: /usr/local/bin/cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | /usr/local/bin/cfssljson -bare kube-proxy
|
|
args:
|
|
chdir: /var/tmp/kubernetes
|
|
|
|
- name: Create the kube-scheduler KMOs
|
|
shell: /usr/local/bin/cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-scheduler-csr.json | /usr/local/bin/cfssljson -bare kube-scheduler
|
|
args:
|
|
chdir: /var/tmp/kubernetes
|
|
|
|
- name: Create the kubernetes cluster KMOs
|
|
shell: /usr/local/bin/cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -hostname=10.32.0.1,"{{ etcd_host1_ip }}","{{ etcd_host2_ip }}","{{ haproxy_addr }}",127.0.0.1,kubernetes.default -profile=kubernetes kubernetes-csr.json | /usr/local/bin/cfssljson -bare kubernetes
|
|
args:
|
|
chdir: /var/tmp/kubernetes
|
|
|
|
- name: Create the kubernetes service account KMOs
|
|
shell: /usr/local/bin/cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes service-account-csr.json | /usr/local/bin/cfssljson -bare service-account
|
|
args:
|
|
chdir: /var/tmp/kubernetes
|
|
|
|
- name: Create the worker node kubeconfig files
|
|
shell: kubectl config set-cluster {{ kube_cluster }} --certificate-authority=ca.pem --embed-certs=true --server=https://{{ haproxy_addr }}:6443 --kubeconfig={{ item }}.kubeconfig; kubectl config set-credentials system:node:{{ item }} --client-certificate={{ item }}.pem --client-key={{ item }}-key.pem --embed-certs=true --kubeconfig={{ item }}.kubeconfig; kubectl config set-context default --cluster={{ kube_cluster }} --user=system:node:{{ item }} --kubeconfig={{ item }}.kubeconfig; kubectl config use-context default --kubeconfig={{ item }}.kubeconfig
|
|
args:
|
|
chdir: /var/tmp/kubernetes
|
|
with_items:
|
|
- "{{ worker_name }}"
|
|
|
|
- name: Create the kube-proxy kubeconfig file
|
|
shell: kubectl config set-cluster {{ kube_cluster }} --certificate-authority=ca.pem --embed-certs=true --server=https://{{ haproxy_addr }}:6443 --kubeconfig=kube-proxy.kubeconfig; kubectl config set-credentials system:kube-proxy --client-certificate=kube-proxy.pem --client-key=kube-proxy-key.pem --embed-certs=true --kubeconfig=kube-proxy.kubeconfig; kubectl config set-context default --cluster={{ kube_cluster }} --user=system:kube-proxy --kubeconfig=kube-proxy.kubeconfig; kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
|
|
args:
|
|
chdir: /var/tmp/kubernetes
|
|
|
|
- name: Create the controller-manager kubeconfig file
|
|
shell: kubectl config set-cluster {{ kube_cluster }} --certificate-authority=ca.pem --embed-certs=true --server=https://127.0.0.1:6443 --kubeconfig=kube-controller-manager.kubeconfig; kubectl config set-credentials system:kube-controller-manager --client-certificate=kube-controller-manager.pem --client-key=kube-controller-manager-key.pem --embed-certs=true --kubeconfig=kube-controller-manager.kubeconfig; kubectl config set-context default --cluster={{ kube_cluster }} --user=system:kube-controller-manager --kubeconfig=kube-controller-manager.kubeconfig; kubectl config use-context default --kubeconfig=kube-controller-manager.kubeconfig
|
|
args:
|
|
chdir: /var/tmp/kubernetes
|
|
|
|
- name: Create the kube-scheduler kubeconfig file
|
|
shell: kubectl config set-cluster {{ kube_cluster }} --certificate-authority=ca.pem --embed-certs=true --server=https://127.0.0.1:6443 --kubeconfig=kube-scheduler.kubeconfig; kubectl config set-credentials system:kube-scheduler --client-certificate=kube-scheduler.pem --client-key=kube-scheduler-key.pem --embed-certs=true --kubeconfig=kube-scheduler.kubeconfig; kubectl config set-context default --cluster={{ kube_cluster }} --user=system:kube-scheduler --kubeconfig=kube-scheduler.kubeconfig; kubectl config use-context default --kubeconfig=kube-scheduler.kubeconfig
|
|
args:
|
|
chdir: /var/tmp/kubernetes
|
|
|
|
- name: Create admin kubeconfig file
|
|
shell: kubectl config set-cluster {{ kube_cluster }} --certificate-authority=ca.pem --embed-certs=true --server=https://127.0.0.1:6443 --kubeconfig=admin.kubeconfig; kubectl config set-credentials admin --client-certificate=admin.pem --client-key=admin-key.pem --embed-certs=true --kubeconfig=admin.kubeconfig; kubectl config set-context default --cluster={{ kube_cluster }} --user=admin --kubeconfig=admin.kubeconfig; kubectl config use-context default --kubeconfig=admin.kubeconfig
|
|
args:
|
|
chdir: /var/tmp/kubernetes
|
|
|
|
- name: Create data encryption key
|
|
shell: head -c 32 /dev/urandom | base64
|
|
register: enc_key
|
|
- name: Generate the encryption file
|
|
template:
|
|
src: templates/encryption-config.j2
|
|
dest: /var/tmp/kubernetes/encryption-config.yaml
|
|
|
|
- name: Set the owner of files to be ansible
|
|
file:
|
|
path: /var/tmp/kubernetes
|
|
owner: jonny
|
|
recurse: true
|
|
|