From 8c80487481619ba465b9c5cacc6c8f4dce42c43d Mon Sep 17 00:00:00 2001
From: Kevin Midboe
Date: Tue, 3 Jan 2023 00:32:26 +0100
Subject: [PATCH] etcd role for controller nodes
---
roles/etcd/tasks/certs-controller.yml | 14 ++++++++++++
roles/etcd/tasks/certs-lb.yml | 14 ++++++++++++
roles/etcd/tasks/certs-worker.yml | 18 +++++++++++++++
roles/etcd/tasks/install.yml | 8 +++++++
roles/etcd/tasks/main.yml | 14 ++++++++++++
roles/etcd/tasks/systemd-service.yml | 32 +++++++++++++++++++++++++++
roles/etcd/templates/etcd.service.j2 | 31 ++++++++++++++++++++++++++
7 files changed, 131 insertions(+)
create mode 100644 roles/etcd/tasks/certs-controller.yml
create mode 100644 roles/etcd/tasks/certs-lb.yml
create mode 100644 roles/etcd/tasks/certs-worker.yml
create mode 100644 roles/etcd/tasks/install.yml
create mode 100644 roles/etcd/tasks/main.yml
create mode 100644 roles/etcd/tasks/systemd-service.yml
create mode 100644 roles/etcd/templates/etcd.service.j2
diff --git a/roles/etcd/tasks/certs-controller.yml b/roles/etcd/tasks/certs-controller.yml
new file mode 100644
index 0000000..f636c58
--- /dev/null
+++ b/roles/etcd/tasks/certs-controller.yml
@@ -0,0 +1,14 @@
+---
+- name: Copy controller certificates
+ copy:
+ src: "{{ playbook_dir }}/../../kazan-ssl/pki/{{ item }}"
+ dest: "/etc/etcd/"
+ owner: root
+ group: root
+ mode: 0644
+
+ become: true
+ with_items:
+ - ca/ca.pem
+ - api/kubernetes-key.pem
+ - api/kubernetes.pem
diff --git a/roles/etcd/tasks/certs-lb.yml b/roles/etcd/tasks/certs-lb.yml
new file mode 100644
index 0000000..df06ad5
--- /dev/null
+++ b/roles/etcd/tasks/certs-lb.yml
@@ -0,0 +1,14 @@
+---
+- name: Copy load-balancer certificates
+ copy:
+ src: "{{ playbook_dir }}/../../kazan-ssl/pki/{{ item }}"
+ dest: "/etc/etcd/"
+ owner: root
+ group: root
+ mode: 0644
+
+ become: true
+ with_items:
+ - ca/ca.pem
+ - api/kubernetes-key.pem
+ - api/kubernetes.pem
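Review bot: The single `mode: 0644` in the `copy` task is applied to every item of `with_items`, so `api/kubernetes-key.pem` — the API server's private key — is written to `/etc/etcd/` world-readable alongside the public certificates. Give the key root-only permissions and quote the mode so YAML does not reinterpret it: `mode: "{{ '0600' if '-key' in item else '0644' }}"`. Because `dest` is a directory, the `ca/` and `api/` prefixes are dropped and the files land as `/etc/etcd/ca.pem`, `/etc/etcd/kubernetes-key.pem` and `/etc/etcd/kubernetes.pem`, which is exactly what the unit template in this commit expects; a one-line comment above the task stating that coupling would help the next maintainer who renames a file.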
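Review bot: The include of this file is commented out in main.yml in the same commit, and the task body is identical to certs-controller.yml (same source tree, same three files, same `mode: 0644` on `api/kubernetes-key.pem`), so it is dead code that would ship a world-readable private key the moment someone uncomments it. Either delete the file and keep the `'load-balancer' in group_names` clause on the controller include, or give the load balancer its own list — presumably only `ca/ca.pem` if it merely verifies the API servers, but confirm what the LB actually terminates. If it stays, tighten the key: `mode: "{{ '0600' if '-key' in item else '0644' }}"`.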
diff --git a/roles/etcd/tasks/certs-worker.yml b/roles/etcd/tasks/certs-worker.yml
new file mode 100644
index 0000000..2709ed8
--- /dev/null
+++ b/roles/etcd/tasks/certs-worker.yml
@@ -0,0 +1,18 @@
+---
+- name: Copy worker certificates
+ copy:
+ src: "{{ playbook_dir }}/../../kazan-ssl/pki/{{ item }}"
+ dest: "/etc/etcd/"
+ owner: root
+ group: root
+ mode: 0644
+
+ become: true
+ with_items:
+ - ca/ca.pem
+ - clients/w1.kazan.schleppe-key.pem
+ - clients/w1.kazan.schleppe.pem
+ - clients/w2.kazan.schleppe-key.pem
+ - clients/w2.kazan.schleppe.pem
+ - clients/w3.kazan.schleppe-key.pem
+ - clients/w3.kazan.schleppe.pem
\ No newline at end of file
diff --git a/roles/etcd/tasks/install.yml b/roles/etcd/tasks/install.yml
new file mode 100644
index 0000000..c9866d7
--- /dev/null
+++ b/roles/etcd/tasks/install.yml
@@ -0,0 +1,8 @@
+---
+- name: Create etcd config dir
+ file: path=/etc/etcd state=directory
+ become: true
+
+- name: Create etcd data dir
+ file: path=/var/lib/etcd state=directory
+ become: true
diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml
new file mode 100644
index 0000000..5b9292f
--- /dev/null
+++ b/roles/etcd/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+- include: install.yml
+
+- include: certs-controller.yml
+ when: "'controller' in group_names or 'load-balancer' in group_names"
+
+# - include: certs-lb.yml
+# when: "'load-balancer' in group_names"
+
+- include: certs-worker.yml
+ when: "'worker' in group_names"
+
+- include: systemd-service.yml
+ when: "'controller' in group_names"
\ No newline at end of file
diff --git a/roles/etcd/tasks/systemd-service.yml b/roles/etcd/tasks/systemd-service.yml
new file mode 100644
index 0000000..8c3e04b
--- /dev/null
+++ b/roles/etcd/tasks/systemd-service.yml
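Review bot: Every worker receives the private keys of all three workers (`w1`, `w2` and `w3` `*-key.pem` are all in `with_items`), so compromising one node hands over the client identity of the other two, and all of them are written `mode: 0644`. Copy only the pair belonging to the current host — feasible if inventory names follow the `c1.kazan.schleppe` pattern the unit template already relies on via `--name {{ inventory_hostname }}` (confirm for the worker group): `- clients/{{ inventory_hostname }}-key.pem` and `- clients/{{ inventory_hostname }}.pem`. Keys should also not be world-readable; `mode: "{{ '0600' if '-key' in item else '0644' }}"` keeps the certificates readable and the keys root-only. The file ends without a trailing newline.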
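Review bot: `/var/lib/etcd` is created with no `owner` or `mode`, so it inherits the process umask (typically 0755) even though etcd writes the entire cluster state — including Kubernetes Secrets — beneath it; etcd 3.4+ logs a warning when its data dir is not 0700. Set it explicitly, and use block-style module args instead of the `key=value` string so it matches the other tasks in the role: under `file:` put `path: /var/lib/etcd`, `state: directory`, `owner: root`, `group: root`, `mode: "0700"`. `/etc/etcd` can stay 0755 as long as the key files inside it get their own restrictive mode.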
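Review bot: The `'load-balancer' in group_names` clause on the certs-controller.yml include pushes `api/kubernetes-key.pem`, the API server's private key, onto the load-balancer host, which presumably only forwards TCP to the controllers and would need at most `ca.pem` — confirm against the LB role before widening that condition. `include` is deprecated in favor of `import_tasks` (static) or `include_tasks` (dynamic); `when:` on `import_tasks` is applied to each imported task, so `- import_tasks: install.yml` and friends are drop-in replacements. The file also ends without a newline, and a header comment stating which inventory group receives which certificate set would document the intent that the commented-out `certs-lb.yml` block currently leaves ambiguous.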
@@ -0,0 +1,32 @@
+---
+- name: Add etcd systemd unit
+ template:
+ src: etcd.service.j2
+ dest: /etc/systemd/system/etcd.service
+ mode: 700
+ become: true
+
+- name: Reload systemd
+ command: systemctl daemon-reload
+ become: true
+
+- name: Enable etcd service
+ command: systemctl enable etcd
+ become: true
+
+- name: Restart etcd
+ service:
+ name: etcd
+ state: restarted
+ enabled: yes
+ become: true
+
+- name: Wait for etcd listening
+ wait_for: port=2379 timeout=60
+
+# - name: Verify etcd cluster health
+# shell: etcdctl --ca-file=/etc/etcd/ca.pem cluster-health
+# register: cmd_result
+# until: cmd_result.stdout.find("cluster is healthy") != -1
+# retries: 5
+# delay: 5
\ No newline at end of file
diff --git a/roles/etcd/templates/etcd.service.j2 b/roles/etcd/templates/etcd.service.j2
new file mode 100644
index 0000000..d771e3d
--- /dev/null
+++ b/roles/etcd/templates/etcd.service.j2
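Review bot: `mode: 700` on the template task is an unquoted integer without a leading zero, so YAML hands Ansible decimal 700 (octal 01274, with the sticky bit set), not 0700 — Ansible's docs call this out as producing unexpected permissions; a unit file holds no secrets, so `mode: "0644"` is the right value. `state: restarted` also restarts etcd on every playbook run, even when nothing changed, which on a three-member cluster means unnecessary leader elections; notify a handler from the template task instead, and replace the two `command:` calls (which report changed on every run) with `systemd: name: etcd, enabled: true, daemon_reload: true`. If the commented-out health check is revived, note it uses v2 `--ca-file`/`cluster-health` flags while the unit sets `ETCDCTL_API=3`; the v3 form is `etcdctl endpoint health --cacert=... --cert=... --key=...`, and with `--client-cert-auth` on, a client certificate is mandatory.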
@@ -0,0 +1,31 @@
+[Unit]
+Description=etcd
+Documentation=https://github.com/coreos
+
+[Service]
+Environment=ETCDCTL_API=3
+ExecStart=/usr/bin/etcd \
+ --name {{ inventory_hostname }} \
+ --data-dir=/var/lib/etcd \
+ --listen-peer-urls https://{{ ansible_default_ipv4.address }}:2380 \
+ --listen-client-urls https://{{ ansible_default_ipv4.address }}:2379,https://127.0.0.1:2379 \
+ --initial-advertise-peer-urls https://{{ ansible_default_ipv4.address }}:2380 \
+ --initial-cluster c1.kazan.schleppe=https://10.0.0.141:2380,c2.kazan.schleppe=https://10.0.0.142:2380,c3.kazan.schleppe=https://10.0.0.143:2380 \
+ --initial-cluster-state new \
+ --initial-cluster-token etcd-cluster-0 \
+ --advertise-client-urls https://{{ ansible_default_ipv4.address }}:2379 \
+ --cert-file=/etc/etcd/kubernetes.pem \
+ --key-file=/etc/etcd/kubernetes-key.pem \
+ --client-cert-auth \
+ --trusted-ca-file=/etc/etcd/ca.pem \
+ --peer-cert-file=/etc/etcd/kubernetes.pem \
+ --peer-key-file=/etc/etcd/kubernetes-key.pem \
+ --peer-client-cert-auth \
+ --peer-trusted-ca-file=/etc/etcd/ca.pem
+
+Type=notify
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
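Review bot: `--client-cert-auth` combined with `--trusted-ca-file=/etc/etcd/ca.pem` grants full, unscoped read/write access to any certificate that CA has signed — etcd enforces no authorization until `auth enable` is run — and this same commit distributes CA-signed client certs to every worker, so a compromised worker could read every Secret straight out of etcd if the `ca/`, `api/` and `clients/` trees share one CA (they appear to; confirm). Use a dedicated etcd CA and a separate apiserver-to-etcd client certificate, or at minimum enable etcd RBAC. The daemon also runs as root (no `User=`) over `/var/lib/etcd`; `User=etcd` with a matching owner on the data dir is the usual hardening. `--name {{ inventory_hostname }}` must exactly match one of the hard-coded `c1..c3.kazan.schleppe` names in `--initial-cluster` or etcd refuses to start, and the member IPs are pinned in the template rather than derived from inventory — a comment above `--initial-cluster` saying both would save the next reader a failed bootstrap. `Environment=ETCDCTL_API=3` only affects etcdctl, not the etcd daemon, so it is inert here.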