feat: добавлен пользователь devops по аналогии с k8s-user
Роль k8s-user сделана универсальной:
- generate_keys.yml: имена фактов стали динамическими — {{ k8s_service_user }}_ssh_private_key
вместо захардкоженных k8s_ssh_private_key (поддержка любого пользователя)
- distribute_keys.yml: обращение к фактам через [k8s_service_user + '_ssh_private_key']
playbooks/k8s-user.yml переработан — 12 plays (6 для k8s + 6 для devops):
- devops plays вызывают ту же роль k8s-user с vars-переопределением k8s_service_user
- теги k8s/k8s_user и devops/devops_user — можно запустить одного пользователя
- ключи сохраняются: ./keys/k8s_id_rsa, ./keys/devops_id_rsa (приватные в .gitignore)
- имя файла ключа динамическое: {{ k8s_service_user }}_id_rsa
group_vars/all/main.yml:
- добавлены devops_service_user, devops_service_user_comment, devops_service_user_sudo и др.
Запуск только devops: ansible-playbook playbooks/k8s-user.yml --tags devops
This commit is contained in:
Sergey Antropoff
@@ -1,9 +1,13 @@
|
||||
---
|
||||
# ─────────────────────────────────────────────────────────────────────────────
|
||||
# k8s-user: создание сервисного пользователя k8s на всех серверах
|
||||
# k8s-user: создание сервисных пользователей на всех серверах
|
||||
#
|
||||
# Последовательность:
|
||||
# 1. Создать пользователя k8s + sudo на всех нодах кластера
|
||||
# Роль k8s-user универсальна — вызывается дважды:
|
||||
# • для пользователя k8s (автоматизация кластера)
|
||||
# • для пользователя devops (инженеры DevOps)
|
||||
#
|
||||
# Для каждого пользователя:
|
||||
# 1. Создать пользователя + sudo на всех нодах кластера
|
||||
# 2. Сгенерировать RSA 4096 ключевую пару на первом мастере (один раз)
|
||||
# 3. Сохранить ключи локально в ./keys/
|
||||
# 4. Разложить ключи на все ноды кластера (SSH в любую сторону)
|
||||
@@ -11,32 +15,36 @@
|
||||
# 6. То же самое для lab_hosts (через пароль из vault)
|
||||
#
|
||||
# Запуск: ansible-playbook playbooks/k8s-user.yml --ask-vault-pass
|
||||
# Только кластер: ansible-playbook playbooks/k8s-user.yml --limit k3s_cluster
|
||||
# Только один пользователь: ansible-playbook playbooks/k8s-user.yml --tags k8s
|
||||
# ─────────────────────────────────────────────────────────────────────────────
|
||||
|
||||
# ── 1. Создать пользователя k8s на всех нодах кластера ───────────────────────
|
||||
- name: Create k8s service user on cluster nodes
|
||||
# ════════════════════════════════════════════════════════════════════════════
|
||||
# ПОЛЬЗОВАТЕЛЬ k8s
|
||||
# ════════════════════════════════════════════════════════════════════════════
|
||||
|
||||
- name: "[k8s] Create service user on cluster nodes"
|
||||
hosts: k3s_cluster
|
||||
gather_facts: true
|
||||
become: true
|
||||
tags: [k8s, k8s_user]
|
||||
roles:
|
||||
- role: k8s-user
|
||||
|
||||
# ── 2. Сгенерировать ключевую пару на первом мастере ─────────────────────────
|
||||
- name: Generate k8s SSH key pair (first master only)
|
||||
- name: "[k8s] Generate SSH key pair (first master only)"
|
||||
hosts: "{{ groups['k3s_master'][0] }}"
|
||||
gather_facts: false
|
||||
become: true
|
||||
tags: [k8s, k8s_user]
|
||||
tasks:
|
||||
- name: Generate RSA key pair and store facts
|
||||
ansible.builtin.include_role:
|
||||
name: k8s-user
|
||||
tasks_from: generate_keys.yml
|
||||
|
||||
# ── 3. Сохранить ключи локально в ./keys/ ────────────────────────────────────
|
||||
- name: Save k8s SSH keys to local machine
|
||||
- name: "[k8s] Save SSH keys to local machine"
|
||||
hosts: "{{ groups['k3s_master'][0] }}"
|
||||
gather_facts: false
|
||||
tags: [k8s, k8s_user]
|
||||
tasks:
|
||||
- name: Create local keys directory
|
||||
ansible.builtin.file:
|
||||
@@ -48,52 +56,51 @@
|
||||
|
||||
- name: Save private key locally
|
||||
ansible.builtin.copy:
|
||||
content: "{{ k8s_ssh_private_key }}"
|
||||
dest: "{{ k8s_local_keys_dir }}/k8s_id_rsa"
|
||||
content: "{{ lookup('vars', k8s_service_user + '_ssh_private_key') }}"
|
||||
dest: "{{ k8s_local_keys_dir }}/{{ k8s_service_user }}_id_rsa"
|
||||
mode: '0600'
|
||||
delegate_to: localhost
|
||||
become: false
|
||||
|
||||
- name: Save public key locally
|
||||
ansible.builtin.copy:
|
||||
content: "{{ k8s_ssh_public_key }}\n"
|
||||
dest: "{{ k8s_local_keys_dir }}/k8s_id_rsa.pub"
|
||||
content: "{{ lookup('vars', k8s_service_user + '_ssh_public_key') }}\n"
|
||||
dest: "{{ k8s_local_keys_dir }}/{{ k8s_service_user }}_id_rsa.pub"
|
||||
mode: '0644'
|
||||
delegate_to: localhost
|
||||
become: false
|
||||
|
||||
- name: Show where keys were saved
|
||||
ansible.builtin.debug:
|
||||
msg: "SSH keys saved to {{ k8s_local_keys_dir }}"
|
||||
msg: "SSH keys saved to {{ k8s_local_keys_dir }}/{{ k8s_service_user }}_id_rsa"
|
||||
|
||||
# ── 4. Разложить ключи на все ноды кластера ──────────────────────────────────
|
||||
- name: Distribute k8s SSH keys to all cluster nodes
|
||||
- name: "[k8s] Distribute SSH keys to all cluster nodes"
|
||||
hosts: k3s_cluster
|
||||
gather_facts: false
|
||||
become: true
|
||||
tags: [k8s, k8s_user]
|
||||
tasks:
|
||||
- name: Deploy keys to node
|
||||
ansible.builtin.include_role:
|
||||
name: k8s-user
|
||||
tasks_from: distribute_keys.yml
|
||||
|
||||
# ── 5. Обновить /etc/hosts на нодах кластера ─────────────────────────────────
|
||||
- name: Update /etc/hosts on cluster nodes
|
||||
- name: "[k8s] Update /etc/hosts on cluster nodes"
|
||||
hosts: k3s_cluster
|
||||
gather_facts: false
|
||||
become: true
|
||||
tags: [k8s, k8s_user]
|
||||
tasks:
|
||||
- name: Update hosts file
|
||||
ansible.builtin.include_role:
|
||||
name: k8s-user
|
||||
tasks_from: update_hosts.yml
|
||||
|
||||
# ── 6. Bootstrap lab_hosts: создать пользователя, разложить ключи, обновить hosts
|
||||
# Подключение через логин/пароль из host_vars/<host>/vault.yml
|
||||
- name: Setup k8s user on lab hosts
|
||||
- name: "[k8s] Setup user on lab hosts"
|
||||
hosts: lab_hosts
|
||||
gather_facts: true
|
||||
become: true
|
||||
tags: [k8s, k8s_user]
|
||||
vars:
|
||||
ansible_user: "{{ bootstrap_user }}"
|
||||
ansible_password: "{{ bootstrap_password }}"
|
||||
@@ -103,17 +110,133 @@
|
||||
-o PasswordAuthentication=yes
|
||||
-o PubkeyAuthentication=no
|
||||
tasks:
|
||||
- name: Create k8s user on lab host
|
||||
ansible.builtin.include_role:
|
||||
- ansible.builtin.include_role:
|
||||
name: k8s-user
|
||||
tasks_from: create_user.yml
|
||||
- ansible.builtin.include_role:
|
||||
name: k8s-user
|
||||
tasks_from: distribute_keys.yml
|
||||
- ansible.builtin.include_role:
|
||||
name: k8s-user
|
||||
tasks_from: update_hosts.yml
|
||||
|
||||
- name: Distribute k8s SSH keys to lab host
|
||||
# ════════════════════════════════════════════════════════════════════════════
|
||||
# ПОЛЬЗОВАТЕЛЬ devops
|
||||
# ════════════════════════════════════════════════════════════════════════════
|
||||
|
||||
- name: "[devops] Create service user on cluster nodes"
|
||||
hosts: k3s_cluster
|
||||
gather_facts: true
|
||||
become: true
|
||||
tags: [devops, devops_user]
|
||||
vars:
|
||||
k8s_service_user: "{{ devops_service_user }}"
|
||||
k8s_service_user_comment: "{{ devops_service_user_comment }}"
|
||||
k8s_service_user_key_comment: "{{ devops_service_user_key_comment }}"
|
||||
k8s_service_user_sudo: "{{ devops_service_user_sudo }}"
|
||||
k8s_service_user_shell: "{{ devops_service_user_shell }}"
|
||||
roles:
|
||||
- role: k8s-user
|
||||
|
||||
- name: "[devops] Generate SSH key pair (first master only)"
|
||||
hosts: "{{ groups['k3s_master'][0] }}"
|
||||
gather_facts: false
|
||||
become: true
|
||||
tags: [devops, devops_user]
|
||||
vars:
|
||||
k8s_service_user: "{{ devops_service_user }}"
|
||||
tasks:
|
||||
- name: Generate RSA key pair and store facts
|
||||
ansible.builtin.include_role:
|
||||
name: k8s-user
|
||||
tasks_from: generate_keys.yml
|
||||
|
||||
- name: "[devops] Save SSH keys to local machine"
|
||||
hosts: "{{ groups['k3s_master'][0] }}"
|
||||
gather_facts: false
|
||||
tags: [devops, devops_user]
|
||||
vars:
|
||||
k8s_service_user: "{{ devops_service_user }}"
|
||||
tasks:
|
||||
- name: Create local keys directory
|
||||
ansible.builtin.file:
|
||||
path: "{{ k8s_local_keys_dir }}"
|
||||
state: directory
|
||||
mode: '0700'
|
||||
delegate_to: localhost
|
||||
become: false
|
||||
|
||||
- name: Save private key locally
|
||||
ansible.builtin.copy:
|
||||
content: "{{ lookup('vars', k8s_service_user + '_ssh_private_key') }}"
|
||||
dest: "{{ k8s_local_keys_dir }}/{{ k8s_service_user }}_id_rsa"
|
||||
mode: '0600'
|
||||
delegate_to: localhost
|
||||
become: false
|
||||
|
||||
- name: Save public key locally
|
||||
ansible.builtin.copy:
|
||||
content: "{{ lookup('vars', k8s_service_user + '_ssh_public_key') }}\n"
|
||||
dest: "{{ k8s_local_keys_dir }}/{{ k8s_service_user }}_id_rsa.pub"
|
||||
mode: '0644'
|
||||
delegate_to: localhost
|
||||
become: false
|
||||
|
||||
- name: Show where keys were saved
|
||||
ansible.builtin.debug:
|
||||
msg: "SSH keys saved to {{ k8s_local_keys_dir }}/{{ k8s_service_user }}_id_rsa"
|
||||
|
||||
- name: "[devops] Distribute SSH keys to all cluster nodes"
|
||||
hosts: k3s_cluster
|
||||
gather_facts: false
|
||||
become: true
|
||||
tags: [devops, devops_user]
|
||||
vars:
|
||||
k8s_service_user: "{{ devops_service_user }}"
|
||||
tasks:
|
||||
- name: Deploy keys to node
|
||||
ansible.builtin.include_role:
|
||||
name: k8s-user
|
||||
tasks_from: distribute_keys.yml
|
||||
|
||||
- name: Update /etc/hosts on lab host
|
||||
- name: "[devops] Update /etc/hosts on cluster nodes"
|
||||
hosts: k3s_cluster
|
||||
gather_facts: false
|
||||
become: true
|
||||
tags: [devops, devops_user]
|
||||
vars:
|
||||
k8s_service_user: "{{ devops_service_user }}"
|
||||
tasks:
|
||||
- name: Update hosts file
|
||||
ansible.builtin.include_role:
|
||||
name: k8s-user
|
||||
tasks_from: update_hosts.yml
|
||||
|
||||
- name: "[devops] Setup user on lab hosts"
|
||||
hosts: lab_hosts
|
||||
gather_facts: true
|
||||
become: true
|
||||
tags: [devops, devops_user]
|
||||
vars:
|
||||
k8s_service_user: "{{ devops_service_user }}"
|
||||
k8s_service_user_comment: "{{ devops_service_user_comment }}"
|
||||
k8s_service_user_key_comment: "{{ devops_service_user_key_comment }}"
|
||||
k8s_service_user_sudo: "{{ devops_service_user_sudo }}"
|
||||
k8s_service_user_shell: "{{ devops_service_user_shell }}"
|
||||
ansible_user: "{{ bootstrap_user }}"
|
||||
ansible_password: "{{ bootstrap_password }}"
|
||||
ansible_become_password: "{{ bootstrap_sudo_password | default(bootstrap_password) }}"
|
||||
ansible_ssh_common_args: >-
|
||||
-o StrictHostKeyChecking=no
|
||||
-o PasswordAuthentication=yes
|
||||
-o PubkeyAuthentication=no
|
||||
tasks:
|
||||
- ansible.builtin.include_role:
|
||||
name: k8s-user
|
||||
tasks_from: create_user.yml
|
||||
- ansible.builtin.include_role:
|
||||
name: k8s-user
|
||||
tasks_from: distribute_keys.yml
|
||||
- ansible.builtin.include_role:
|
||||
name: k8s-user
|
||||
tasks_from: update_hosts.yml
|
||||
|
||||
Reference in New Issue
Block a user