Change the way binaries are installed
Now binaries are installed to the workdir, so they do not affect the system. I want to have this role more or less containerized Also some minor refactoring has been done as well
This commit is contained in:
parent
9928b63672
commit
3806fe53b5
@ -3,7 +3,7 @@
|
|||||||
# -- yq version
|
# -- yq version
|
||||||
# --------------------------------------
|
# --------------------------------------
|
||||||
yq:
|
yq:
|
||||||
version: v4.31.2
|
version: v4.35.2
|
||||||
binary: yq_linux_amd64
|
binary: yq_linux_amd64
|
||||||
# --------------------------------------
|
# --------------------------------------
|
||||||
# -- kubectl version
|
# -- kubectl version
|
||||||
@ -58,6 +58,10 @@ role: cluster-admin
|
|||||||
# binding_type: ClusterRoleBinding
|
# binding_type: ClusterRoleBinding
|
||||||
# role_type: ClusterRole
|
# role_type: ClusterRole
|
||||||
# role: cluster-admin
|
# role: cluster-admin
|
||||||
|
# k8s_config_path: /etc/kubernetes/admin.conf
|
||||||
|
# k8s_cert_path: /etc/kubernetes/pki
|
||||||
|
# k8s_cert_crt_file: ca.crt
|
||||||
|
# k8s_cert_key_file: ca.key
|
||||||
# --------------------------------------
|
# --------------------------------------
|
||||||
users: []
|
users: []
|
||||||
# --------------------------------------
|
# --------------------------------------
|
||||||
@ -65,3 +69,10 @@ users: []
|
|||||||
# --------------------------------------
|
# --------------------------------------
|
||||||
# k8s_config_path: /var/snap/microk8s/current/credentials/client.config
|
# k8s_config_path: /var/snap/microk8s/current/credentials/client.config
|
||||||
# k8s_cert_path: /var/snap/microk8s/current/certs
|
# k8s_cert_path: /var/snap/microk8s/current/certs
|
||||||
|
# --------------------------------------
|
||||||
|
# -- Use with k3s
|
||||||
|
# --------------------------------------
|
||||||
|
# k8s_config_path: /etc/rancher/k3s/k3s.yaml
|
||||||
|
# k8s_cert_path: /var/lib/rancher/k3s/server/tls
|
||||||
|
# k8s_cert_crt_file: server-ca.crt
|
||||||
|
# k8s_cert_key_file: server-ca.key
|
||||||
|
@ -41,14 +41,14 @@
|
|||||||
# -- Get k8s server from admin.conf
|
# -- Get k8s server from admin.conf
|
||||||
# --------------------------------------
|
# --------------------------------------
|
||||||
- name: Get k8s server
|
- name: Get k8s server
|
||||||
shell: yq e '.clusters[0] | select(.name == "{{ cluster }}").cluster.server' "{{ k8s_config_path }}"
|
shell: "{{ working_dir }}/bin/yq e '.clusters[0] | select(.name == \"{{ cluster }}\").cluster.server' {{ k8s_config_path }}"
|
||||||
register: kubernetes_server_output
|
register: kubernetes_server_output
|
||||||
# --------------------------------------
|
# --------------------------------------
|
||||||
# -- Get k8s certificate authority data
|
# -- Get k8s certificate authority data
|
||||||
# -- from admin-conf
|
# -- from admin-conf
|
||||||
# --------------------------------------
|
# --------------------------------------
|
||||||
- name: Get k8s certificate authority data
|
- name: Get k8s certificate authority data
|
||||||
shell: yq e '.clusters[0] | select(.name == "{{ cluster }}").cluster.certificate-authority-data' "{{ k8s_config_path }}"
|
shell: "{{ working_dir }}/bin/yq e '.clusters[0] | select(.name == \"{{ cluster }}\").cluster.certificate-authority-data' {{ k8s_config_path }}"
|
||||||
register: kubernetes_cad_output
|
register: kubernetes_cad_output
|
||||||
|
|
||||||
- name: Get user cert data
|
- name: Get user cert data
|
||||||
@ -67,15 +67,15 @@
|
|||||||
user_key_data: " {{ user_key_data_output.stdout }}"
|
user_key_data: " {{ user_key_data_output.stdout }}"
|
||||||
|
|
||||||
- name: Create k8s user
|
- name: Create k8s user
|
||||||
ansible.builtin.shell: |
|
ansible.builtin.shell: >-
|
||||||
kubectl config set-credentials "{{ username }}"\
|
{{ working_dir }}/bin/kubectl config set-credentials {{ username }} \
|
||||||
--client-certificate="{{ cert_dir }}/{{ username }}.crt" \
|
--client-certificate="{{ cert_dir }}/{{ username }}.crt" \
|
||||||
--client-key="{{ cert_dir }}/{{ username }}.key"
|
--client-key="{{ cert_dir }}/{{ username }}.key"
|
||||||
notify: remove certificates
|
notify: remove certificates
|
||||||
|
|
||||||
- name: Set user context
|
- name: Set user context
|
||||||
ansible.builtin.shell: |
|
ansible.builtin.shell: >-
|
||||||
kubectl config set-context "{{ username }}@{{ cluster }}" \
|
{{ working_dir }}/bin/kubectl config set-context {{ username }}@{{ cluster }} \
|
||||||
--cluster={{ cluster }} --user="{{ username }}"
|
--cluster={{ cluster }} --user="{{ username }}"
|
||||||
|
|
||||||
- name: Create config file from template
|
- name: Create config file from template
|
||||||
@ -95,5 +95,5 @@
|
|||||||
- name: Apply role binding manifest
|
- name: Apply role binding manifest
|
||||||
environment:
|
environment:
|
||||||
KUBECONFIG: "{{ k8s_config_path }}"
|
KUBECONFIG: "{{ k8s_config_path }}"
|
||||||
shell: kubectl apply -f "{{ cert_dir }}/{{ username }}.yaml"
|
shell: "{{ working_dir }}/bin/kubectl apply -f {{ cert_dir }}/{{ username }}.yaml"
|
||||||
tags: add_user
|
tags: add_user
|
||||||
|
@ -10,37 +10,43 @@
|
|||||||
- name: Ensure required packages are installed
|
- name: Ensure required packages are installed
|
||||||
tags: packages
|
tags: packages
|
||||||
block:
|
block:
|
||||||
# -------------------------
|
- name: Create a directory if it does not exist
|
||||||
# -- Prepare kubectl repo
|
ansible.builtin.file:
|
||||||
# -------------------------
|
path: "{{ working_dir }}"
|
||||||
- name: Add an apt signing key for Kubernetes
|
state: directory
|
||||||
become: true
|
mode: "0775"
|
||||||
apt_key:
|
- name: Prepare bin directory
|
||||||
url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
|
block:
|
||||||
state: present
|
- name: Set workdir as fact
|
||||||
|
set_fact:
|
||||||
|
bin_dir: "{{ working_dir }}/bin"
|
||||||
|
|
||||||
- name: Adding apt repository for Kubernetes
|
- name: Create a directory if it does not exist
|
||||||
become: true
|
ansible.builtin.file:
|
||||||
apt_repository:
|
path: "{{ bin_dir }}"
|
||||||
repo: deb https://apt.kubernetes.io/ kubernetes-xenial main
|
state: directory
|
||||||
state: present
|
mode: "0775"
|
||||||
filename: kubernetes.list
|
|
||||||
|
|
||||||
# --------------------------------------
|
# --------------------------------------
|
||||||
# -- Install yq
|
# -- Install yq
|
||||||
# --------------------------------------
|
# --------------------------------------
|
||||||
|
- name: Install yq
|
||||||
|
block:
|
||||||
- name: Ensure yq is installed
|
- name: Ensure yq is installed
|
||||||
become: true
|
become: true
|
||||||
get_url:
|
get_url:
|
||||||
url: "https://github.com/mikefarah/yq/releases/download/{{ yq.version }}/{{ yq.binary }}"
|
url: "https://github.com/mikefarah/yq/releases/download/{{ yq.version }}/{{ yq.binary }}"
|
||||||
dest: /usr/bin/yq
|
dest: "{{ bin_dir }}/yq"
|
||||||
mode: "0777"
|
mode: "0777"
|
||||||
|
|
||||||
- block:
|
- name: Install kubectl
|
||||||
|
block:
|
||||||
- name: Download kubectl release
|
- name: Download kubectl release
|
||||||
uri:
|
become: true
|
||||||
|
get_url:
|
||||||
url: https://dl.k8s.io/release/{{ kubectl.version }}/bin/linux/{{ kubectl.arch }}/kubectl
|
url: https://dl.k8s.io/release/{{ kubectl.version }}/bin/linux/{{ kubectl.arch }}/kubectl
|
||||||
dest: /tmp
|
dest: "{{ bin_dir }}/kubectl"
|
||||||
|
mode: "0777"
|
||||||
|
|
||||||
- name: Download the kubectl checksum file
|
- name: Download the kubectl checksum file
|
||||||
uri:
|
uri:
|
||||||
@ -48,12 +54,12 @@
|
|||||||
dest: /tmp
|
dest: /tmp
|
||||||
|
|
||||||
- name: Validate the kubectl binary against the checksum file
|
- name: Validate the kubectl binary against the checksum file
|
||||||
shell: echo "$(cat /tmp/kubectl.sha256) /tmp/kubectl" | sha256sum --check
|
shell: echo "$(cat /tmp/kubectl.sha256) {{ bin_dir }}/kubectl" | sha256sum --check
|
||||||
register: result
|
register: result
|
||||||
|
|
||||||
- name: Assert that the kubectl binary is OK
|
- name: Assert that the kubectl binary is OK
|
||||||
vars:
|
vars:
|
||||||
expected: "/tmp/kubectl: OK"
|
expected: "{{ bin_dir }}/kubectl: OK"
|
||||||
assert:
|
assert:
|
||||||
that:
|
that:
|
||||||
- result.stdout == expected
|
- result.stdout == expected
|
||||||
@ -66,12 +72,6 @@
|
|||||||
name: "openssl"
|
name: "openssl"
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Create a directory if it does not exist
|
|
||||||
ansible.builtin.file:
|
|
||||||
path: "{{ working_dir }}"
|
|
||||||
state: directory
|
|
||||||
mode: "0775"
|
|
||||||
|
|
||||||
- name: Create kubernetes user
|
- name: Create kubernetes user
|
||||||
loop: "{{ users }}"
|
loop: "{{ users }}"
|
||||||
include_tasks: create-user.yaml
|
include_tasks: create-user.yaml
|
||||||
@ -82,3 +82,7 @@
|
|||||||
binding_type: "{{ item.binding_type | default('ClusterRoleBinding') }}"
|
binding_type: "{{ item.binding_type | default('ClusterRoleBinding') }}"
|
||||||
role_type: "{{ item.role_type | default('ClusterRole') }}"
|
role_type: "{{ item.role_type | default('ClusterRole') }}"
|
||||||
role: "{{ item.role | default('cluster-admin') }}"
|
role: "{{ item.role | default('cluster-admin') }}"
|
||||||
|
user_k8s_config_path: "{{ item.k8s_config_path | default(k8s_config_path) }}"
|
||||||
|
user_k8s_cert_path: "{{ item.k8s_cert_path | default(k8s_cert_path) }}"
|
||||||
|
user_k8s_cert_crt_file: "{{ item.k8s_cert_crt_file | default(k8s_cert_crt_file) }}"
|
||||||
|
user_k8s_cert_key_file: "{{ item.k8s_cert_key_file | default(k8s_cert_key_file) }}"
|
||||||
|
Loading…
Reference in New Issue
Block a user