Learning Ansible by Example series: Installing kube-proxy

This article shows how to install kube-proxy on a node using Ansible.

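Ansible basics used here:

  • The template module is used to generate the certificate's CSR file
  • The copy module is used to copy files and set their permissions
  • The shell module is used to run commands
  • The file module can be used to create directories
  • register/until/retries/delay can be used for common scenarios such as confirming that a service has started, and implement sleep + retry behaviour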

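Basics of installing kube-proxy

  • Some kube-proxy settings have to be passed in through the config option
  • The kubeconfig is passed in through a setting in the config file
  • Pay attention to the certificate's CN and hosts information
  • The working directory must exist beforehand
  • hostnameOverride must be set correctly to the current node's IP address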
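
To make the points above concrete, here is a sketch of what the config-file template rendered by the "create kube-proxy config file" task could look like. It is an added example, not the template from the author's repository. The variables var_node_ip and var_cluster_cidr are hypothetical, and the kubeconfig path assumes var_kubeconfig_kubeproxy is a bare file name created inside var_ssl_k8s_dir.

```yaml
# Added example: Jinja2 template for the kube-proxy config file.
# var_node_ip and var_cluster_cidr are hypothetical variable names.
# kube-proxy is assumed to be started with --config=<path to this file>.
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration

# Address the proxy itself listens on.
bindAddress: "{{ var_node_ip }}"

clientConnection:
  # The kubeconfig is a setting inside the config file,
  # not a separate command-line flag.
  kubeconfig: "{{ var_ssl_k8s_dir }}/{{ var_kubeconfig_kubeproxy }}"

# Pod network range (hypothetical variable).
clusterCIDR: "{{ var_cluster_cidr }}"

# Must match the name under which kubelet registered this node.
# This example assumes nodes are registered by IP address.
hostnameOverride: "{{ var_node_ip }}"

# Health endpoint on the node address; metrics stay on loopback so
# they are not reachable from other hosts (10256 and 10249 are the
# Kubernetes default ports).
healthzBindAddress: "{{ var_node_ip }}:10256"
metricsBindAddress: "127.0.0.1:10249"

mode: "iptables"
```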

Example code

- name: create dirs for kubelet and kube-proxy
  file:
    path: "{{ item }}"
    state: directory
  with_items:
    - "{{ var_kube_opt_log_dir }}"
    - "{{ var_kube_dir_bin }}"
    - "{{ var_kube_dir_etc }}"
  tags:
    - "kubelet"
    - "kube-proxy"

- name: create dirs for kube-proxy
  file:
    path: "{{ item }}"
    state: directory
  with_items:
    - "{{ var_kube_proxy_dir_working }}"
  tags:
    - "kube-proxy"

- name: copy kube-proxy to install dir
  copy:
    src: "{{ item }}"
    dest: "{{ var_docker_dir_bin }}"
    mode: "{{ var_default_bin_mode }}"
  with_items:
    - "{{ var_src_k8s }}/kube-proxy"
  tags:
    - "kube-proxy"

- name: prepare certificates for node kube-proxy
  template:
    src: "{{ var_template_proxy_csr }}"
    dest: "{{ var_ssl_k8s_dir }}/{{ var_ssl_proxy_csr }}"
  tags:
    - "kube-proxy"

- name: create certificates for kube-proxy
  shell: "cd {{ var_ssl_k8s_dir }} \
          && cfssl gencert -ca={{ var_ssl_ca_dir }}/{{ var_ssl_file_ca_pem }} \
             -ca-key={{ var_ssl_ca_dir }}/{{ var_ssl_file_ca_key }} \
             -config={{ var_ssl_ca_dir }}/{{ var_ssl_file_ca_config }} \
             -profile={{ var_ssl_profile_k8s }} {{ var_ssl_proxy_csr }} | cfssljson -bare {{ var_ssl_proxy_cert_prefix }} "
  tags:
    - "kube-proxy"


- name: set kubeconfig for kube-proxy
  shell: "cd {{ var_ssl_k8s_dir }} \
          && kubectl config set-cluster {{ var_kubeconfig_cluster }}                \
             --certificate-authority={{ var_ssl_ca_dir }}/{{ var_ssl_file_ca_pem }} \
             --embed-certs={{ var_kubeconfig_embed_certs }} \
             --server={{ var_kube_master_https }}           \
             --kubeconfig={{ var_kubeconfig_kubeproxy }}    \
          && kubectl config set-credentials {{ var_kubeconfig_client_kubeproxy }}           \
             --client-certificate={{ var_ssl_k8s_dir }}/{{ var_ssl_proxy_cert_prefix }}.pem \
             --client-key={{ var_ssl_k8s_dir }}/{{ var_ssl_proxy_cert_prefix }}-key.pem     \
             --embed-certs={{ var_kubeconfig_embed_certs }} \
             --kubeconfig={{ var_kubeconfig_kubeproxy }}    \
          && kubectl config set-context {{ var_kubeconfig_context_default }} \
             --cluster={{ var_kubeconfig_cluster }}         \
             --user={{ var_kubeconfig_client_kubeproxy }}   \
             --kubeconfig={{ var_kubeconfig_kubeproxy }}    \
          && kubectl config use-context {{ var_kubeconfig_context_default }} --kubeconfig={{ var_kubeconfig_kubeproxy }}"
  tags:
    - "kube-proxy"


- name: create kube-proxy service file
  template:
    src: "{{ var_template_kubeproxy_service }}"
    dest: "{{ var_kubeproxy_service }}"
  tags:
    - "kube-proxy"

- name: create kube-proxy config file
  template:
    src: "{{ var_template_kubeproxy_config }}"
    dest: "{{ var_kube_dir_etc }}/{{ var_kubeproxy_opt_config }}"
  tags:
    - "kube-proxy"

- name: set system service for kube-proxy
  shell: "systemctl daemon-reload \
          && systemctl enable kube-proxy \
          && systemctl restart kube-proxy "
  tags:
    - "kube-proxy"


- name: confirm kube-proxy service state
  shell: "systemctl status kube-proxy.service|grep Active"
  register: ret_kubeproxy_status
  until: '"running" in ret_kubeproxy_status.stdout'
  retries: "{{ var_retry_max }}"
  delay: "{{ var_delay_cnt }}"
  tags:
    - "kube-proxy"
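
The tasks below are an added example, not part of the original role. They check the credential produced by the certificate and kubeconfig tasks before the service is started. They assume the CSR template sets the CN to system:kube-proxy (the user that Kubernetes' built-in system:node-proxier binding grants kube-proxy permissions to), that openssl is installed on the node, and that var_kubeconfig_kubeproxy is a bare file name inside var_ssl_k8s_dir.

```yaml
# Added example tasks: place them after "set kubeconfig for kube-proxy"
# and before the service is enabled and restarted.
- name: read subject of the issued kube-proxy client certificate
  command: >-
    openssl x509 -noout -subject
    -in {{ var_ssl_k8s_dir }}/{{ var_ssl_proxy_cert_prefix }}.pem
  register: ret_proxy_cert_subject
  changed_when: false
  tags:
    - "kube-proxy"

# The API server takes the user name from the certificate CN, so a
# wrong CN leaves kube-proxy authenticated but without its RBAC role.
- name: fail early if the certificate CN is not the expected user
  assert:
    that:
      - "'system:kube-proxy' in ret_proxy_cert_subject.stdout"
    fail_msg: "kube-proxy certificate CN is not system:kube-proxy"
  tags:
    - "kube-proxy"

# openssl exits non-zero if the certificate expires within the given
# number of seconds (here 30 days), which fails the task.
- name: check that the certificate is valid for at least 30 more days
  command: >-
    openssl x509 -noout -checkend 2592000
    -in {{ var_ssl_k8s_dir }}/{{ var_ssl_proxy_cert_prefix }}.pem
  changed_when: false
  tags:
    - "kube-proxy"

# With embedded certs the kubeconfig contains the private key, so it
# needs the same protection as the key file itself. Pin the mode
# explicitly instead of relying on tool defaults or the umask.
- name: restrict private key and kubeconfig to root
  file:
    path: "{{ item }}"
    owner: root
    group: root
    mode: "0600"
  with_items:
    - "{{ var_ssl_k8s_dir }}/{{ var_ssl_proxy_cert_prefix }}-key.pem"
    - "{{ var_ssl_k8s_dir }}/{{ var_kubeconfig_kubeproxy }}"
  tags:
    - "kube-proxy"
```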

Example run

[root@host131 ansible]# ansible-playbook node/tests/test.yml --tags="kube-proxy" 

PLAY [localhost] ************************************************************************************************************************************

TASK [node : create dirs for kubelet and kube-proxy] ************************************************************************************************
ok: [localhost] => (item=/var/log/kubernetes)
ok: [localhost] => (item=/usr/local/bin)
ok: [localhost] => (item=/etc/k8s)

TASK [node : create dirs for kube-proxy] ************************************************************************************************************
ok: [localhost] => (item=/var/lib/k8s/kube-proxy)

TASK [node : copy kube-proxy to install dir] ********************************************************************************************************
changed: [localhost] => (item=/tmp/binary/kubernetes/kube-proxy)

TASK [node : prepare certificates for node kube-proxy] **********************************************************************************************
changed: [localhost]

TASK [node : create certificates for kube-proxy] ****************************************************************************************************
changed: [localhost]

TASK [node : set kubeconfig for kube-proxy] *********************************************************************************************************
changed: [localhost]

TASK [node : create kube-proxy service file] ********************************************************************************************************
changed: [localhost]

TASK [node : create kube-proxy config file] *********************************************************************************************************
changed: [localhost]

TASK [node : set system service for kube-proxy] *****************************************************************************************************
changed: [localhost]

TASK [node : confirm kube-proxy service state] ******************************************************************************************************
changed: [localhost]

PLAY RECAP ******************************************************************************************************************************************
localhost                  : ok=10   changed=8    unreachable=0    failed=0   

[root@host131 ansible]#

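Ansible vs shell

For a comparison with the shell-script version, see the article below. Because the examples in this series mainly show how to implement the same functionality with Ansible, the detailed Kubernetes settings are also covered there: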

  • https://liumiaocn.blog.csdn.net/article/details/88879433

Code location

  • https://github.com/liumiaocn/easypack/tree/master/k8s/ansible

Other Ansible content

  • https://liumiaocn.blog.csdn.net/article/details/87273800
