Роль k8s-user сделана универсальной:
- generate_keys.yml: имена фактов стали динамическими — {{ k8s_service_user }}_ssh_private_key
вместо захардкоженных k8s_ssh_private_key (поддержка любого пользователя)
- distribute_keys.yml: обращение к фактам через [k8s_service_user + '_ssh_private_key']
playbooks/k8s-user.yml переработан — 12 plays (6 для k8s + 6 для devops):
- devops plays вызывают ту же роль k8s-user с vars-переопределением k8s_service_user
- теги k8s/k8s_user и devops/devops_user — можно запустить одного пользователя
- ключи сохраняются: ./keys/k8s_id_rsa, ./keys/devops_id_rsa (приватные в .gitignore)
- имя файла ключа динамическое: {{ k8s_service_user }}_id_rsa
group_vars/all/main.yml:
- добавлены devops_service_user, devops_service_user_comment, devops_service_user_sudo и др.
Запуск только devops: ansible-playbook playbooks/k8s-user.yml --tags devops
---
# ─────────────────────────────────────────────────────────────────────────────
# k8s-user: создание сервисных пользователей на всех серверах
#
# Роль k8s-user универсальна — вызывается дважды:
# • для пользователя k8s (автоматизация кластера)
# • для пользователя devops (инженеры DevOps)
#
# Для каждого пользователя:
# 1. Создать пользователя + sudo на всех нодах кластера
# 2. Сгенерировать RSA 4096 ключевую пару на первом мастере (один раз)
# 3. Сохранить ключи локально в ./keys/
# 4. Разложить ключи на все ноды кластера (SSH в любую сторону)
# 5. Обновить /etc/hosts на нодах кластера
# 6. То же самое для lab_hosts (через пароль из vault)
#
# Запуск: ansible-playbook playbooks/k8s-user.yml --ask-vault-pass
# Только один пользователь: ansible-playbook playbooks/k8s-user.yml --tags k8s
# ─────────────────────────────────────────────────────────────────────────────

# ════════════════════════════════════════════════════════════════════════════
# ПОЛЬЗОВАТЕЛЬ k8s
# ════════════════════════════════════════════════════════════════════════════

# Play 1/6 (k8s): create the k8s service user on every cluster node.
# No k8s_* vars are overridden here, so the role runs with whatever
# k8s_service_user (and related values) the inventory/role provides.
- name: "[k8s] Create service user on cluster nodes"
  hosts: k3s_cluster
  tags:
    - k8s
    - k8s_user
  become: true
  gather_facts: true
  roles:
    - role: k8s-user

# Play 2/6 (k8s): generate the key pair exactly once, on the first master.
- name: "[k8s] Generate SSH key pair (first master only)"
  hosts: "{{ groups['k3s_master'][0] }}"
  tags:
    - k8s
    - k8s_user
  become: true
  gather_facts: false
  tasks:
    # generate_keys.yml registers the key material as facts named
    # "<k8s_service_user>_ssh_private_key" / "<k8s_service_user>_ssh_public_key";
    # the save-keys play reads them back via lookup('vars', ...).
    - name: Generate RSA key pair and store facts
      ansible.builtin.include_role:
        name: k8s-user
        tasks_from: generate_keys.yml

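# Play 3/6 (k8s): copy the key pair generated on the first master down to the
# control node ({{ k8s_local_keys_dir }}, ./keys/ per the header). Every task
# is delegated to localhost and runs unprivileged (become: false).
- name: "[k8s] Save SSH keys to local machine"
  hosts: "{{ groups['k3s_master'][0] }}"
  gather_facts: false
  tags: [k8s, k8s_user]
  tasks:
    - name: Create local keys directory
      ansible.builtin.file:
        path: "{{ k8s_local_keys_dir }}"
        state: directory
        mode: '0700'
      delegate_to: localhost
      become: false

    # no_log: the private key travels through `content`, so without it the
    # key material would show up in --diff / high-verbosity output and in any
    # log that captures the run. Trade-off: a failure of this task is censored.
    - name: Save private key locally
      ansible.builtin.copy:
        content: "{{ lookup('vars', k8s_service_user + '_ssh_private_key') }}"
        dest: "{{ k8s_local_keys_dir }}/{{ k8s_service_user }}_id_rsa"
        mode: '0600'
      delegate_to: localhost
      become: false
      no_log: true

    - name: Save public key locally
      ansible.builtin.copy:
        content: "{{ lookup('vars', k8s_service_user + '_ssh_public_key') }}\n"
        dest: "{{ k8s_local_keys_dir }}/{{ k8s_service_user }}_id_rsa.pub"
        mode: '0644'
      delegate_to: localhost
      become: false

    # Only the path is printed, never the key itself.
    - name: Show where keys were saved
      ansible.builtin.debug:
        msg: "SSH keys saved to {{ k8s_local_keys_dir }}/{{ k8s_service_user }}_id_rsa"
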
# Play 4/6 (k8s): install the key pair on every cluster node so nodes can
# SSH to each other as the service user (header, step 4).
- name: "[k8s] Distribute SSH keys to all cluster nodes"
  hosts: k3s_cluster
  tags:
    - k8s
    - k8s_user
  become: true
  gather_facts: false
  tasks:
    - name: Deploy keys to node
      ansible.builtin.include_role:
        name: k8s-user
        tasks_from: distribute_keys.yml

# Play 5/6 (k8s): refresh /etc/hosts on the cluster nodes (header, step 5).
- name: "[k8s] Update /etc/hosts on cluster nodes"
  hosts: k3s_cluster
  tags:
    - k8s
    - k8s_user
  become: true
  gather_facts: false
  tasks:
    - name: Update hosts file
      ansible.builtin.include_role:
        name: k8s-user
        tasks_from: update_hosts.yml

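# Play 6/6 (k8s): lab hosts are bootstrapped with the bootstrap account and a
# password (vault-stored per the header, step 6), so password auth is forced
# and pubkey auth disabled for this play only.
- name: "[k8s] Setup user on lab hosts"
  hosts: lab_hosts
  gather_facts: true
  become: true
  tags: [k8s, k8s_user]
  vars:
    ansible_user: "{{ bootstrap_user }}"
    ansible_password: "{{ bootstrap_password }}"
    ansible_become_password: "{{ bootstrap_sudo_password | default(bootstrap_password) }}"
    # accept-new (OpenSSH >= 7.6 on the control node): a host seen for the
    # first time is still added to known_hosts, but a host whose key changed
    # is rejected instead of being silently trusted as `no` would do — the
    # bootstrap password is sent over this connection, so a key mismatch
    # must stop the play rather than be ignored.
    ansible_ssh_common_args: >-
      -o StrictHostKeyChecking=accept-new
      -o PasswordAuthentication=yes
      -o PubkeyAuthentication=no
  tasks:
    - name: Create service user
      ansible.builtin.include_role:
        name: k8s-user
        tasks_from: create_user.yml

    - name: Distribute SSH keys
      ansible.builtin.include_role:
        name: k8s-user
        tasks_from: distribute_keys.yml

    - name: Update hosts file
      ansible.builtin.include_role:
        name: k8s-user
        tasks_from: update_hosts.yml
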
# ════════════════════════════════════════════════════════════════════════════
# ПОЛЬЗОВАТЕЛЬ devops
# ════════════════════════════════════════════════════════════════════════════

# Play 1/6 (devops): the same k8s-user role, re-targeted at the devops user
# by overriding the role's k8s_* inputs at play level. The devops_* values
# are defined in group_vars/all/main.yml.
- name: "[devops] Create service user on cluster nodes"
  hosts: k3s_cluster
  tags:
    - devops
    - devops_user
  become: true
  gather_facts: true
  vars:
    k8s_service_user: "{{ devops_service_user }}"
    k8s_service_user_comment: "{{ devops_service_user_comment }}"
    k8s_service_user_key_comment: "{{ devops_service_user_key_comment }}"
    k8s_service_user_sudo: "{{ devops_service_user_sudo }}"
    k8s_service_user_shell: "{{ devops_service_user_shell }}"
  roles:
    - role: k8s-user

# Play 2/6 (devops): generate the devops key pair once, on the first master.
# Only k8s_service_user is overridden here — it drives the fact names
# ("<user>_ssh_private_key" / "<user>_ssh_public_key") and the key filename;
# the other devops_* values are only set where create_user runs.
- name: "[devops] Generate SSH key pair (first master only)"
  hosts: "{{ groups['k3s_master'][0] }}"
  tags:
    - devops
    - devops_user
  become: true
  gather_facts: false
  vars:
    k8s_service_user: "{{ devops_service_user }}"
  tasks:
    - name: Generate RSA key pair and store facts
      ansible.builtin.include_role:
        name: k8s-user
        tasks_from: generate_keys.yml

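# Play 3/6 (devops): copy the devops key pair from the first master to the
# control node ({{ k8s_local_keys_dir }}/devops_id_rsa[.pub]). Every task is
# delegated to localhost and runs unprivileged (become: false).
- name: "[devops] Save SSH keys to local machine"
  hosts: "{{ groups['k3s_master'][0] }}"
  gather_facts: false
  tags: [devops, devops_user]
  vars:
    k8s_service_user: "{{ devops_service_user }}"
  tasks:
    - name: Create local keys directory
      ansible.builtin.file:
        path: "{{ k8s_local_keys_dir }}"
        state: directory
        mode: '0700'
      delegate_to: localhost
      become: false

    # no_log: the private key travels through `content`, so without it the
    # key material would show up in --diff / high-verbosity output and in any
    # log that captures the run. Trade-off: a failure of this task is censored.
    - name: Save private key locally
      ansible.builtin.copy:
        content: "{{ lookup('vars', k8s_service_user + '_ssh_private_key') }}"
        dest: "{{ k8s_local_keys_dir }}/{{ k8s_service_user }}_id_rsa"
        mode: '0600'
      delegate_to: localhost
      become: false
      no_log: true

    - name: Save public key locally
      ansible.builtin.copy:
        content: "{{ lookup('vars', k8s_service_user + '_ssh_public_key') }}\n"
        dest: "{{ k8s_local_keys_dir }}/{{ k8s_service_user }}_id_rsa.pub"
        mode: '0644'
      delegate_to: localhost
      become: false

    # Only the path is printed, never the key itself.
    - name: Show where keys were saved
      ansible.builtin.debug:
        msg: "SSH keys saved to {{ k8s_local_keys_dir }}/{{ k8s_service_user }}_id_rsa"
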
# Play 4/6 (devops): install the devops key pair on every cluster node.
# k8s_service_user is overridden so distribute_keys.yml picks the devops
# facts ("<user>_ssh_private_key") rather than the k8s ones.
- name: "[devops] Distribute SSH keys to all cluster nodes"
  hosts: k3s_cluster
  tags:
    - devops
    - devops_user
  become: true
  gather_facts: false
  vars:
    k8s_service_user: "{{ devops_service_user }}"
  tasks:
    - name: Deploy keys to node
      ansible.builtin.include_role:
        name: k8s-user
        tasks_from: distribute_keys.yml

# Play 5/6 (devops): refresh /etc/hosts on the cluster nodes for the devops
# user (same task file as the k8s play, different k8s_service_user).
- name: "[devops] Update /etc/hosts on cluster nodes"
  hosts: k3s_cluster
  tags:
    - devops
    - devops_user
  become: true
  gather_facts: false
  vars:
    k8s_service_user: "{{ devops_service_user }}"
  tasks:
    - name: Update hosts file
      ansible.builtin.include_role:
        name: k8s-user
        tasks_from: update_hosts.yml

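# Play 6/6 (devops): lab hosts are bootstrapped with the bootstrap account and
# a password (vault-stored per the header, step 6), so password auth is forced
# and pubkey auth disabled for this play only. All k8s_* role inputs are
# overridden with the devops_* values because create_user runs here.
- name: "[devops] Setup user on lab hosts"
  hosts: lab_hosts
  gather_facts: true
  become: true
  tags: [devops, devops_user]
  vars:
    k8s_service_user: "{{ devops_service_user }}"
    k8s_service_user_comment: "{{ devops_service_user_comment }}"
    k8s_service_user_key_comment: "{{ devops_service_user_key_comment }}"
    k8s_service_user_sudo: "{{ devops_service_user_sudo }}"
    k8s_service_user_shell: "{{ devops_service_user_shell }}"
    ansible_user: "{{ bootstrap_user }}"
    ansible_password: "{{ bootstrap_password }}"
    ansible_become_password: "{{ bootstrap_sudo_password | default(bootstrap_password) }}"
    # accept-new (OpenSSH >= 7.6 on the control node): a host seen for the
    # first time is still added to known_hosts, but a host whose key changed
    # is rejected instead of being silently trusted as `no` would do — the
    # bootstrap password is sent over this connection, so a key mismatch
    # must stop the play rather than be ignored.
    ansible_ssh_common_args: >-
      -o StrictHostKeyChecking=accept-new
      -o PasswordAuthentication=yes
      -o PubkeyAuthentication=no
  tasks:
    - name: Create service user
      ansible.builtin.include_role:
        name: k8s-user
        tasks_from: create_user.yml

    - name: Distribute SSH keys
      ansible.builtin.include_role:
        name: k8s-user
        tasks_from: distribute_keys.yml

    - name: Update hosts file
      ansible.builtin.include_role:
        name: k8s-user
        tasks_from: update_hosts.yml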