X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=blobdiff_plain;f=ansible%2Froles%2Fkube_master%2Ftasks%2Fmain.yml;fp=ansible%2Froles%2Fkube_master%2Ftasks%2Fmain.yml;h=49f74993ee5454e1252dbd1a7fa574bc702f6d11;hb=8321feb501701dcb4023e3c052cb6a982d5db3fa;hp=0000000000000000000000000000000000000000;hpb=5c0c2acd0caea77595026e996555547312518395;p=ta%2Fcaas-kubernetes.git diff --git a/ansible/roles/kube_master/tasks/main.yml b/ansible/roles/kube_master/tasks/main.yml new file mode 100644 index 0000000..49f7499 --- /dev/null +++ b/ansible/roles/kube_master/tasks/main.yml @@ -0,0 +1,141 @@ +--- +# Copyright 2019 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +- name: concat certs for apiserver part 1 + shell: "cat {{ caas.cert_path }}/apiserver{{ nodeindex }}.pem > {{ caas.cert_path }}/tls-cert.pem" + become_user: "root" + +- name: concat certs for apiserver part 2 + shell: "cat {{ caas.cert_path }}/ca.pem >> {{ caas.cert_path }}/tls-cert.pem" + become_user: "root" + +- name: reducing permission of key file and cert file + file: + path: "{{ caas.cert_path }}/tls-cert.pem" + mode: 0000 + become_user: "root" + +- name: adding default acl read to {{ users.admin_user_name }} to {{ caas.cert_path }}/tls-cert.epm + acl: + name: "{{ caas.cert_path }}/tls-cert.pem" + entity: "{{ users.admin_user_name }}" + etype: user + permissions: r + state: present + become_user: "root" + +- name: adding default acl read to kube to {{ cert_path }}/tls-cert.epm + acl: + name: "{{ caas.cert_path }}/tls-cert.pem" + entity: "kube" + etype: user + permissions: r + state: present + become_user: "root" + +- name: set permission ca.pem and ca-key.pem + acl: + name: "{{ item }}" + entity: "kube" + etype: user + permissions: r + state: present + with_items: + - "/etc/openssl/ca.pem" + - "/etc/openssl/ca-key.pem" + become_user: "root" + +- name: create directory for kubernetes_audit_log + file: + path: /var/log/audit/kube_apiserver + recurse: yes + owner: "{{ caas.uid.kube }}" + group: "{{ caas.uid.kube }}" + state: directory + become_user: "root" + +- name: create directory for audit policy + file: + path: "{{ caas.caas_policy_directory }}" + state: directory + recurse: yes + become_user: "root" + +- name: template audit policy + template: + src: audit-policy.yaml + dest: "{{ caas.caas_policy_directory }}/audit-policy.yaml" + mode: 0000 + become_user: "root" + +- name: set permission to audit-policy.yaml + acl: + name: "{{ caas.caas_policy_directory }}/audit-policy.yaml" + entity: "{{ item }}" + etype: user + permissions: r + state: present + with_items: + - "{{ caas.uid.kube }}" + - "{{ users.admin_user_name }}" + become_user: "root" + +- name: template apiserver + vars: + apiserver: "{{ ansible_host }}" + apiserver_port: "{{ caas.apiserver_secure_port }}" + template: + src: apiserver.yml + dest: /etc/kubernetes/manifests/apiserver.yml + become_user: "root" + +- name: wait for container to start + wait_for: + host: "{{ ansible_host }}" + port: "{{ caas.apiserver_secure_port }}" + state: started + timeout: "{{ caas.container_wait_timeout }}" + +- name: check for namespace + command: '/usr/bin/curl -I + https://{{ ansible_host }}:{{ caas.apiserver_secure_port }}/api/v1/namespaces/kube-system + --key /etc/kubernetes/ssl/kubelet{{ nodeindex }}-key.pem + --cert /etc/kubernetes/ssl/kubelet{{ nodeindex }}.pem + --cacert /etc/openssl/ca.pem' + register: namespace_check + ignore_errors: yes + +- name: insert namespace + command: '/usr/bin/curl -i + https://{{ ansible_host }}:{{ caas.apiserver_secure_port }}/api/v1/namespaces + -X POST + -H "Content-Type: application/json" + --key /etc/kubernetes/ssl/kubelet{{ nodeindex }}-key.pem + --cert /etc/kubernetes/ssl/kubelet{{ nodeindex }}.pem + --cacert /etc/openssl/ca.pem + -d ''{"apiVersion":"v1","kind":"Namespace","metadata":{"name":"kube-system"}}''' + when: namespace_check.stdout.find('200 OK') != -1 + +- name: template manifests + vars: + apiserver: "{{ caas.apiserver_svc_ip }}" + apiserver_port: "{{ caas.apiserver_svc_port }}" + template: + src: "{{ item }}" + dest: "/etc/kubernetes/manifests/{{ item }}" + with_items: + - cm.yml + - scheduler.yml + become_user: "root"