Custom role for control plane

2025-12-25 13:46:59 +01:00 · 2018-08-01 11:10:51 +02:00 · 2018-08-01 11:10:51 +02:00 · 126143e7e1
commit 126143e7e1
parent 44a7d1684f
18 changed files with 1445 additions and 5 deletions
--- a/roles/kubernetes-controller/tasks/main.yml
+++ b/roles/kubernetes-controller/tasks/main.yml
@ -0,0 +1,264 @@
+---
+- name: Create Kubernetes/kube-apiserver config directory
+  file:
+    path: "{{k8s_conf_dir}}"
+    state: directory
+    mode: 0700
+    owner: root
+    group: root
+  tags:
+    - k8s-controller
+    - k8s-controller-base
+
+- name: Create kube-controller-manager config directory
+  file:
+    path: "{{k8s_controller_manager_conf_dir}}"
+    state: directory
+    mode: 0700
+    owner: root
+    group: root
+  tags:
+    - k8s-controller
+    - k8s-controller-base
+
+- name: Create kube-controller-manager kubeconfig
+  template:
+    src: "{{k8s_config_directory}}/kube-controller-manager.kubeconfig"
+    dest: "{{k8s_controller_manager_conf_dir}}/kube-controller-manager.kubeconfig"
+    owner: root
+    group: root
+    mode: 0644
+  tags:
+    - k8s-worker
+    - k8s-controller-base
+
+- name: Create scheduler config directory
+  file:
+    path: "{{k8s_scheduler_conf_dir}}"
+    state: directory
+    mode: 0700
+    owner: root
+    group: root
+  tags:
+    - k8s-controller
+    - k8s-controller-base
+
+- name: Create kube-scheduler kubeconfig
+  template:
+    src: "{{k8s_config_directory}}/kube-scheduler.kubeconfig"
+    dest: "{{k8s_scheduler_conf_dir}}/kube-scheduler.kubeconfig"
+    owner: root
+    group: root
+    mode: 0644
+  tags:
+    - k8s-controller
+    - k8s-controller-base
+
+- name: Create kube-scheduler.yaml
+  template:
+    src: "templates/var/lib/kube-scheduler/kube-scheduler.yaml.j2"
+    dest: "{{k8s_scheduler_conf_dir}}/kube-scheduler.yaml"
+    owner: root
+    group: root
+    mode: 0644
+  tags:
+    - k8s-controller
+    - k8s-controller-base
+
+- name: Create kubeconfig for admin user
+  template:
+    src: "{{k8s_config_directory}}/admin.kubeconfig"
+    dest: "{{k8s_conf_dir}}/admin.kubeconfig"
+    owner: root
+    group: root
+    mode: 0644
+  tags:
+    - k8s-controller
+    - k8s-controller-base
+
+- name: Copy etcd certificates
+  copy:
+    src: "{{k8s_ca_conf_directory}}/{{item}}"
+    dest: "{{k8s_conf_dir}}/{{item}}"
+    mode: 0640
+    owner: root
+    group: root
+  with_items:
+    - "{{etcd_certificates}}"
+  tags:
+    - k8s-controller
+    - k8s-controller-base
+
+- name: Copy Kubernetes certificates
+  copy:
+    src: "{{k8s_ca_conf_directory}}/{{item}}"
+    dest: "{{k8s_conf_dir}}/{{item}}"
+    mode: 0640
+    owner: root
+    group: root
+  with_items:
+    - "{{k8s_certificates}}"
+  tags:
+    - k8s-controller
+    - k8s-controller-base
+
+- name: Downloading official Kubernetes binaries
+  get_url:
+    url: https://storage.googleapis.com/kubernetes-release/release/v{{k8s_release}}/bin/linux/amd64/{{item}}
+    dest: "{{k8s_bin_dir}}"
+    mode: 0755
+  with_items:
+    - "{{k8s_controller_binaries}}"
+  notify:
+    - restart kube-apiserver
+    - restart kube-controller-manager
+    - restart kube-scheduler
+  tags:
+    - k8s-controller
+
+- name: Copy encryption provider config file
+  copy:
+    src: "{{k8s_config_directory}}/encryption-config.yaml"
+    dest: "{{k8s_conf_dir}}/encryption-config.yaml"
+    mode: 0644
+    owner: root
+    group: root
+  tags:
+    - k8s-controller
+    - k8s-controller-base
+
+- name: Combine k8s_apiserver_settings and k8s_apiserver_settings_user (if defined)
+  set_fact:
+    k8s_apiserver_settings: "{{k8s_apiserver_settings | combine(k8s_apiserver_settings_user|default({})) }}"
+  tags:
+    - k8s-controller
+
+- name: Create systemd unit file for kube-apiserver
+  template:
+    src: etc/systemd/system/kube-apiserver.service.j2
+    dest: /etc/systemd/system/kube-apiserver.service
+    owner: root
+    group: root
+    mode: 0644
+  tags:
+    - k8s-controller
+  notify:
+    - reload systemd
+
+- name: Enable and start kube-apiserver
+  service:
+    name: kube-apiserver
+    enabled: yes
+    state: started
+  tags:
+    - k8s-controller
+
+- name: Combine k8s_controller_manager_settings and k8s_controller_manager_settings_user (if defined)
+  set_fact:
+    k8s_controller_manager_settings: "{{k8s_controller_manager_settings | combine(k8s_controller_manager_settings_user|default({})) }}"
+  tags:
+    - k8s-controller
+
+- name: Create systemd unit file for kube-controller-manager
+  template:
+    src: etc/systemd/system/kube-controller-manager.service.j2
+    dest: /etc/systemd/system/kube-controller-manager.service
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - reload systemd
+  tags:
+    - k8s-controller
+
+- name: Enable and start kube-controller-manager
+  service:
+    name: kube-controller-manager
+    enabled: yes
+    state: started
+  tags:
+    - k8s-controller
+
+- name: Combine k8s_scheduler_settings and k8s_scheduler_settings_user (if defined)
+  set_fact:
+    k8s_scheduler_settings: "{{k8s_scheduler_settings | combine(k8s_scheduler_settings_user|default({})) }}"
+  tags:
+    - k8s-controller
+ 
+- name: Create systemd unit file for kube-scheduler
+  template:
+    src: etc/systemd/system/kube-scheduler.service.j2
+    dest: /etc/systemd/system/kube-scheduler.service
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - reload systemd
+  tags:
+    - k8s-controller
+
+- name: Enable and start kube-scheduler
+  service:
+    name: kube-scheduler
+    enabled: yes
+    state: started
+  tags:
+    - k8s-controller
+
+# TODO: Check if ClusterRole + ClusterRoleBinding are already configured
+
+- name: Copy kube-apiserver-to-kubelet ClusterRole
+  copy:
+    src: "files/kube-apiserver-to-kubelet_cluster_role.yaml"
+    dest: "/tmp/kube-apiserver-to-kubelet_cluster_role.yaml"
+    mode: 0600
+  run_once: true
+  delegate_to: "{{groups.k8s_master|first}}"
+  tags:
+    - k8s-controller
+
+- name: Copy kube-apiserver-to-kubelet ClusterRoleBinding
+  copy:
+    src: "files/kube-apiserver-to-kubelet_cluster_role_binding.yaml"
+    dest: "/tmp/kube-apiserver-to-kubelet_cluster_role_binding.yaml"
+    mode: 0600
+  run_once: true
+  delegate_to: "{{groups.k8s_master|first}}"
+  tags:
+    - k8s-controller
+
+- name: Wait 300 seconds for kube-apiserver port 6443 to become open on the host
+  wait_for:
+    port: 6443
+    delay: 5
+    host: "{{hostvars[inventory_hostname]['ansible_' + k8s_interface].ipv4.address}}"
+  run_once: true
+  delegate_to: "{{groups.k8s_master|first}}"
+
+- name: Apply kube-apiserver-to-kubelet ClusterRole
+  shell: "kubectl apply --kubeconfig {{k8s_conf_dir}}/admin.kubeconfig -f /tmp/kube-apiserver-to-kubelet_cluster_role.yaml"
+  register: kube_apiserver_to_kubelet_cluster_role
+  run_once: true
+  delegate_to: "{{groups.k8s_master|first}}"
+  tags:
+    - k8s-controller
+
+- name: Apply kube-apiserver-to-kubelet ClusterRoleBinding
+  shell: "kubectl apply --kubeconfig {{k8s_conf_dir}}/admin.kubeconfig -f /tmp/kube-apiserver-to-kubelet_cluster_role_binding.yaml"
+  register: kube_apiserver_to_kubelet_cluster_role_binding
+  run_once: true
+  delegate_to: "{{groups.k8s_master|first}}"
+  tags:
+    - k8s-controller
+
+- name: Remove temporary files
+  file:
+    path: "{{item}}"
+    state: absent
+  with_items:
+    - "/tmp/kube-apiserver-to-kubelet_cluster_role.yaml"
+    - "/tmp/kube-apiserver-to-kubelet_cluster_role_binding.yaml"
+  run_once: true
+  delegate_to: "{{groups.k8s_master|first}}"
+  tags:
+    - k8s-controller