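---
# ─────────────────────────────────────────────────────────────────────────────
# k8s-user: create service users on all servers
#
# The k8s-user role is generic — it is invoked twice:
#   • for the k8s user (cluster automation)
#   • for the devops user (DevOps engineers)
#
# For each user:
#   1. Create the user + sudo on every cluster node
#   2. Generate an RSA 4096 key pair on the first master (once)
#   3. Save the keys locally under ./keys/
#   4. Distribute the keys to every cluster node (SSH in any direction)
#   5. Update /etc/hosts on the cluster nodes
#   6. Do the same for lab_hosts (via the password from vault)
#
# Run:            ansible-playbook playbooks/k8s-user.yml --ask-vault-pass
# One user only:  ansible-playbook playbooks/k8s-user.yml --tags k8s
#
# Notes for operators:
#   • The "Save SSH keys" plays write the private key to the control machine;
#     those tasks run with no_log so the key never lands in -v/--diff output.
#   • The lab_hosts plays authenticate with the vault password, so host keys
#     are pinned on first contact (StrictHostKeyChecking=accept-new). After
#     re-imaging a lab host, remove its stale known_hosts entry before rerunning.
# ─────────────────────────────────────────────────────────────────────────────

# ════════════════════════════════════════════════════════════════════════════
# USER k8s
# ════════════════════════════════════════════════════════════════════════════

- name: "[k8s] Create service user on cluster nodes"
  hosts: k3s_cluster
  gather_facts: true
  become: true
  tags: [k8s, k8s_user]
  roles:
    - role: k8s-user

- name: "[k8s] Generate SSH key pair (first master only)"
  hosts: "{{ groups['k3s_master'][0] }}"
  gather_facts: false
  become: true
  tags: [k8s, k8s_user]
  tasks:
    - name: Generate RSA key pair and store facts
      ansible.builtin.include_role:
        name: k8s-user
        tasks_from: generate_keys.yml

- name: "[k8s] Save SSH keys to local machine"
  hosts: "{{ groups['k3s_master'][0] }}"
  gather_facts: false
  tags: [k8s, k8s_user]
  tasks:
    - name: Create local keys directory
      ansible.builtin.file:
        path: "{{ k8s_local_keys_dir }}"
        state: directory
        mode: '0700'
      delegate_to: localhost
      become: false

    # Reads the <user>_ssh_private_key fact that generate_keys.yml stored on
    # this host in the previous play (facts survive across plays in one run).
    - name: Save private key locally
      ansible.builtin.copy:
        content: "{{ lookup('vars', k8s_service_user + '_ssh_private_key') }}"
        dest: "{{ k8s_local_keys_dir }}/{{ k8s_service_user }}_id_rsa"
        mode: '0600'
      delegate_to: localhost
      become: false
      # The task argument is the private key itself: suppress it from
      # verbose/--diff output and from callback logs.
      no_log: true

    - name: Save public key locally
      ansible.builtin.copy:
        content: "{{ lookup('vars', k8s_service_user + '_ssh_public_key') }}\n"
        dest: "{{ k8s_local_keys_dir }}/{{ k8s_service_user }}_id_rsa.pub"
        mode: '0644'
      delegate_to: localhost
      become: false

    - name: Show where keys were saved
      ansible.builtin.debug:
        msg: "SSH keys saved to {{ k8s_local_keys_dir }}/{{ k8s_service_user }}_id_rsa"

- name: "[k8s] Distribute SSH keys to all cluster nodes"
  hosts: k3s_cluster
  gather_facts: false
  become: true
  tags: [k8s, k8s_user]
  tasks:
    - name: Deploy keys to node
      ansible.builtin.include_role:
        name: k8s-user
        tasks_from: distribute_keys.yml

- name: "[k8s] Update /etc/hosts on cluster nodes"
  hosts: k3s_cluster
  gather_facts: false
  become: true
  tags: [k8s, k8s_user]
  tasks:
    - name: Update hosts file
      ansible.builtin.include_role:
        name: k8s-user
        tasks_from: update_hosts.yml

- name: "[k8s] Setup user on lab hosts"
  hosts: lab_hosts
  gather_facts: true
  become: true
  tags: [k8s, k8s_user]
  vars:
    # Bootstrap credentials come from vault; the service user does not exist yet.
    ansible_user: "{{ bootstrap_user }}"
    ansible_password: "{{ bootstrap_password }}"
    ansible_become_password: "{{ bootstrap_sudo_password | default(bootstrap_password) }}"
    # accept-new pins an unseen host key and refuses a changed one. With
    # password auth, silently accepting any key (=no) would hand the bootstrap
    # password to whoever answers on that address.
    ansible_ssh_common_args: >-
      -o StrictHostKeyChecking=accept-new
      -o PasswordAuthentication=yes
      -o PubkeyAuthentication=no
  tasks:
    - name: Create service user
      ansible.builtin.include_role:
        name: k8s-user
        tasks_from: create_user.yml

    - name: Deploy keys to lab host
      ansible.builtin.include_role:
        name: k8s-user
        tasks_from: distribute_keys.yml

    - name: Update hosts file
      ansible.builtin.include_role:
        name: k8s-user
        tasks_from: update_hosts.yml

# ════════════════════════════════════════════════════════════════════════════
# USER devops
# ════════════════════════════════════════════════════════════════════════════
# The same plays as above, with the role's k8s_service_user* variables
# remapped to the devops_service_user* values.

- name: "[devops] Create service user on cluster nodes"
  hosts: k3s_cluster
  gather_facts: true
  become: true
  tags: [devops, devops_user]
  vars:
    k8s_service_user: "{{ devops_service_user }}"
    k8s_service_user_comment: "{{ devops_service_user_comment }}"
    k8s_service_user_key_comment: "{{ devops_service_user_key_comment }}"
    k8s_service_user_sudo: "{{ devops_service_user_sudo }}"
    k8s_service_user_shell: "{{ devops_service_user_shell }}"
  roles:
    - role: k8s-user

- name: "[devops] Generate SSH key pair (first master only)"
  hosts: "{{ groups['k3s_master'][0] }}"
  gather_facts: false
  become: true
  tags: [devops, devops_user]
  vars:
    k8s_service_user: "{{ devops_service_user }}"
  tasks:
    - name: Generate RSA key pair and store facts
      ansible.builtin.include_role:
        name: k8s-user
        tasks_from: generate_keys.yml

- name: "[devops] Save SSH keys to local machine"
  hosts: "{{ groups['k3s_master'][0] }}"
  gather_facts: false
  tags: [devops, devops_user]
  vars:
    k8s_service_user: "{{ devops_service_user }}"
  tasks:
    - name: Create local keys directory
      ansible.builtin.file:
        path: "{{ k8s_local_keys_dir }}"
        state: directory
        mode: '0700'
      delegate_to: localhost
      become: false

    # Reads the <user>_ssh_private_key fact that generate_keys.yml stored on
    # this host in the previous play (facts survive across plays in one run).
    - name: Save private key locally
      ansible.builtin.copy:
        content: "{{ lookup('vars', k8s_service_user + '_ssh_private_key') }}"
        dest: "{{ k8s_local_keys_dir }}/{{ k8s_service_user }}_id_rsa"
        mode: '0600'
      delegate_to: localhost
      become: false
      # The task argument is the private key itself: suppress it from
      # verbose/--diff output and from callback logs.
      no_log: true

    - name: Save public key locally
      ansible.builtin.copy:
        content: "{{ lookup('vars', k8s_service_user + '_ssh_public_key') }}\n"
        dest: "{{ k8s_local_keys_dir }}/{{ k8s_service_user }}_id_rsa.pub"
        mode: '0644'
      delegate_to: localhost
      become: false

    - name: Show where keys were saved
      ansible.builtin.debug:
        msg: "SSH keys saved to {{ k8s_local_keys_dir }}/{{ k8s_service_user }}_id_rsa"

- name: "[devops] Distribute SSH keys to all cluster nodes"
  hosts: k3s_cluster
  gather_facts: false
  become: true
  tags: [devops, devops_user]
  vars:
    k8s_service_user: "{{ devops_service_user }}"
  tasks:
    - name: Deploy keys to node
      ansible.builtin.include_role:
        name: k8s-user
        tasks_from: distribute_keys.yml

- name: "[devops] Update /etc/hosts on cluster nodes"
  hosts: k3s_cluster
  gather_facts: false
  become: true
  tags: [devops, devops_user]
  vars:
    k8s_service_user: "{{ devops_service_user }}"
  tasks:
    - name: Update hosts file
      ansible.builtin.include_role:
        name: k8s-user
        tasks_from: update_hosts.yml

- name: "[devops] Setup user on lab hosts"
  hosts: lab_hosts
  gather_facts: true
  become: true
  tags: [devops, devops_user]
  vars:
    k8s_service_user: "{{ devops_service_user }}"
    k8s_service_user_comment: "{{ devops_service_user_comment }}"
    k8s_service_user_key_comment: "{{ devops_service_user_key_comment }}"
    k8s_service_user_sudo: "{{ devops_service_user_sudo }}"
    k8s_service_user_shell: "{{ devops_service_user_shell }}"
    # Bootstrap credentials come from vault; the service user does not exist yet.
    ansible_user: "{{ bootstrap_user }}"
    ansible_password: "{{ bootstrap_password }}"
    ansible_become_password: "{{ bootstrap_sudo_password | default(bootstrap_password) }}"
    # accept-new pins an unseen host key and refuses a changed one. With
    # password auth, silently accepting any key (=no) would hand the bootstrap
    # password to whoever answers on that address.
    ansible_ssh_common_args: >-
      -o StrictHostKeyChecking=accept-new
      -o PasswordAuthentication=yes
      -o PubkeyAuthentication=no
  tasks:
    - name: Create service user
      ansible.builtin.include_role:
        name: k8s-user
        tasks_from: create_user.yml

    - name: Deploy keys to lab host
      ansible.builtin.include_role:
        name: k8s-user
        tasks_from: distribute_keys.yml

    - name: Update hosts file
      ansible.builtin.include_role:
        name: k8s-user
        tasks_from: update_hosts.yml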