diff --git a/ansible/.env.example b/ansible/.env.example
new file mode 100644
index 0000000..d2dbb9b
--- /dev/null
+++ b/ansible/.env.example
@@ -0,0 +1,18 @@
+# 环境变量模板
+# 复制为 .env 并填写实际值,然后 source .env
+
+# Tailscale Auth Key (必须)
+export TAILSCALE_AUTH_KEY=""
+
+# K3s Token (添加节点时需要,从首节点安装输出获取)
+export K3S_TOKEN=""
+
+# K3s Server URL (添加节点时需要)
+export K3S_SERVER_URL="https://k3s.dev.cm:6443"
+
+# SSH 密码 (如果使用密码认证,必须设置;如果使用密钥认证,留空)
+export SSH_PASSWORD=""
+
+# SSH 公钥路径 (默认 ~/.ssh/id_rsa.pub)
+# export SSH_PUBKEY=""
+
diff --git a/ansible/.gitignore b/ansible/.gitignore
new file mode 100644
index 0000000..ddd6cba
--- /dev/null
+++ b/ansible/.gitignore
@@ -0,0 +1,17 @@
+# Ansible 临时文件
+*.retry
+
+# 敏感文件
+kubeconfig.yaml
+kubeconfig-*.yaml
+*.pem
+*.key
+
+# 本地环境
+.env
+.env.local
+
+# IDE
+.idea/
+.vscode/
+
diff --git a/ansible/README.md b/ansible/README.md
new file mode 100644
index 0000000..6730a9f
--- /dev/null
+++ b/ansible/README.md
@@ -0,0 +1,166 @@
+# K3s Ansible 自动化安装
+
+一键部署 K3s 集群,支持国内镜像加速、Tailscale 组网、SSH 安全加固。
+
+## 目录结构
+
+```
+ansible/
+├── ansible.cfg # Ansible 配置
+├── inventory/hosts.yml # 主机清单 ⭐ 需修改
+├── group_vars/all.yml # 全局变量
+├── .env.example # 环境变量模板
+├── roles/
+│ ├── ssh/ # SSH 安全加固
+│ │ ├── tasks/main.yml
+│ │ └── templates/sshd_config.j2
+│ ├── common/ # 基础配置 (hostname, sysctl, tailscale)
+│ │ ├── tasks/main.yml
+│ │ └── handlers/main.yml
+│ └── k3s/ # K3s 安装
+│ ├── tasks/main.yml
+│ └── templates/
+│ ├── k3s-server.yaml.j2 # Server 配置 (统一 init/join)
+│ ├── k3s-agent.yaml.j2 # Agent 配置
+│ └── registries.yaml.j2 # 镜像加速
+└── playbooks/
+ ├── site.yml # 完整安装
+ ├── init.yml # 首次安装 (含 SSH 加固)
+ └── add-node.yml # 添加节点
+```
+
+## 快速开始
+
+### 1. 配置主机清单
+
+编辑 `inventory/hosts.yml`:
+
+```yaml
+masters:
+ hosts:
+ master1:
+ ansible_host: 10.0.0.1
+ node_hostname: master1
+ cluster_init: true # 首个节点设为 true
+ node_region: cn-sh # 区域标签
+ use_mirror: true # 使用镜像加速
+ enable_lb: true # 启用 LB
+ netfilter_mode: "" # 阿里云/华为云设为 nodivert
+```
+
+### 2. 设置环境变量
+
+```bash
+# 必须
+export TAILSCALE_AUTH_KEY="tskey-auth-xxx"
+
+# 首次安装 (SSH 加固)
+export SSH_PASSWORD="your-root-password"
+
+# 添加节点时 (从首节点安装输出获取)
+export K3S_TOKEN="K10xxx::server:xxx"
+export K3S_SERVER_URL="https://10.0.0.1:6443"
+```
+
+### 3. 执行安装
+
+```bash
+cd k3s/ansible
+
+# 方式一: 首次安装 (含 SSH 加固,端口改为 2103,启用密钥认证)
+ansible-playbook playbooks/site.yml --tags ssh,common,k3s,status
+
+# 方式二: 常规安装 (已配置 SSH 密钥)
+ansible-playbook playbooks/site.yml
+
+# 方式三: 仅安装首个 master
+ansible-playbook playbooks/site.yml -l master1
+
+# 方式四: 添加新节点
+ansible-playbook playbooks/add-node.yml -l agent1
+```
+
+### 4. 获取 kubeconfig
+
+```bash
+# 安装完成后自动保存到 ansible/kubeconfig.yaml
+sed -i '' 's/127.0.0.1/k3s.yourdomain.com/g' kubeconfig.yaml
+export KUBECONFIG=$(pwd)/kubeconfig.yaml
+kubectl get nodes
+```
+
+## 节点变量
+
+| 变量 | 类型 | 默认值 | 说明 |
+|------|------|--------|------|
+| `ansible_host` | string | - | 节点 IP |
+| `node_hostname` | string | - | 主机名 |
+| `cluster_init` | bool | false | 首个 master 设为 true |
+| `node_region` | string | - | 区域标签 (cn-sh/hk/us-west) |
+| `use_mirror` | bool | false | 使用镜像加速 |
+| `enable_lb` | bool | - | 启用 K3s LB |
+| `netfilter_mode` | string | "" | Tailscale netfilter: off/nodivert/on |
+| `node_labels` | dict | - | 自定义标签 |
+| `kubelet_reserved` | string | - | 资源预留: cpu=500m,memory=512Mi |
+
+## 环境变量
+
+| 变量 | 必须 | 说明 |
+|------|------|------|
+| `TAILSCALE_AUTH_KEY` | ✅ | Tailscale Auth Key |
+| `K3S_TOKEN` | 加入节点时 | 集群 Token |
+| `K3S_SERVER_URL` | 加入节点时 | API Server 地址 |
+| `SSH_PASSWORD` | 首次安装 | SSH 密码 |
+| `SSH_PUBKEY` | - | SSH 公钥 (默认 ~/.ssh/id_rsa.pub) |
+
+## 镜像加速
+
+当 `use_mirror: true` 时自动启用:
+
+- K3s 安装脚本: `rancher-mirror.rancher.cn`
+- 常规容器镜像加速
+
+## SSH 安全加固
+
+首次安装时 (`--tags ssh`) 自动执行:
+
+1. 端口改为 2103
+2. 禁用密码登录
+3. 启用密钥认证
+4. 自动添加本地公钥
+
+## 常用命令
+
+```bash
+# 测试连接
+ansible all -m ping
+
+# 仅运行特定阶段
+ansible-playbook playbooks/site.yml --tags common
+ansible-playbook playbooks/site.yml --tags k3s
+
+# 指定节点
+ansible-playbook playbooks/site.yml -l master1,agent1
+
+# 调试模式
+ansible-playbook playbooks/site.yml -vvv
+
+# 检查语法
+ansible-playbook playbooks/site.yml --syntax-check
+```
+
+## 故障排查
+
+```bash
+# K3s 状态
+systemctl status k3s
+journalctl -u k3s -f
+
+# Tailscale 状态
+tailscale status
+
+# 获取 Token
+cat /var/lib/rancher/k3s/server/node-token
+```
+
+
diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
new file mode 100644
index 0000000..219d06f
--- /dev/null
+++ b/ansible/ansible.cfg
@@ -0,0 +1,18 @@
+[defaults]
+inventory = inventory/hosts.yml
+roles_path = roles
+host_key_checking = False
+retry_files_enabled = False
+stdout_callback = yaml
+interpreter_python = auto_silent
+
+[privilege_escalation]
+become = True
+become_method = sudo
+become_user = root
+
+[ssh_connection]
+pipelining = True
+ssh_args = -o ControlMaster=auto -o ControlPersist=60s
+
+
diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
new file mode 100644
index 0000000..561f838
--- /dev/null
+++ b/ansible/group_vars/all.yml
@@ -0,0 +1,46 @@
+# K3s Ansible 全局变量
+---
+# ============================================
+# 敏感信息 (通过环境变量传入)
+# ============================================
+tailscale_auth_key: "{{ lookup('env', 'TAILSCALE_AUTH_KEY') }}"
+k3s_token: "{{ lookup('env', 'K3S_TOKEN') }}"
+k3s_server_url: "{{ lookup('env', 'K3S_SERVER_URL') | default('https://k3s.dev.cm:6443', true) }}"
+
+# ============================================
+# K3s 配置
+# ============================================
+k3s_version: "v1.31.4+k3s1"
+k3s_tls_san: "k3s.dev.cm,k3s.fillcode.com"
+
+# ETCD 配置
+etcd_snapshot_retention: 1
+etcd_snapshot_schedule_cron: "0 0 * * *"
+etcd_snapshot_compress: true
+
+# 禁用的组件
+k3s_disable_components:
+ - traefik
+
+# ============================================
+# 安装源配置
+# ============================================
+# 国内镜像源
+mirror_k3s_install_url: "https://rancher-mirror.rancher.cn/k3s/k3s-install.sh"
+# 官方源
+global_k3s_install_url: "https://get.k3s.io"
+
+# ============================================
+# 镜像加速配置 (use_mirror: true 时启用)
+# ============================================
+registry_mirrors:
+ docker.io:
+ - "docker.1ms.run"
+ - "docker.m.daocloud.io"
+ ghcr.io:
+ - "ghcr.m.daocloud.io"
+ registry.k8s.io:
+ - "k8s.m.daocloud.io"
+ quay.io:
+ - "quay.m.daocloud.io"
+
diff --git a/ansible/inventory/hosts.yml b/ansible/inventory/hosts.yml
new file mode 100644
index 0000000..320c4ef
--- /dev/null
+++ b/ansible/inventory/hosts.yml
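Review bot: `host_key_checking = False` under `[defaults]` turns off SSH host-key verification for every connection, including the first password-authenticated run that the ssh role depends on, so the root password from `SSH_PASSWORD` is sent to whichever host answers for the inventory name. I would pre-seed known_hosts for the inventory hosts and leave checking on, or at minimum record the trade-off next to the line: `# host_key_checking = False  # TODO(review): pre-seed known_hosts and re-enable`. `ControlPersist=60s` is fine, but note it keeps the password-authenticated master connection alive across the port switch the ssh role performs.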
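Review bot: `k3s_version: "v1.31.4+k3s1"` is the version the k3s role installs, while the manual instructions in install/README.md in this same commit are bumped to v1.34.2+k3s1; the two install paths should agree, or a comment should say why the Ansible default lags. Separately, `registry_mirrors` routes every pull from docker.io, ghcr.io, registry.k8s.io and quay.io through third-party mirror hosts, which widens the supply-chain trust boundary; containerd verifies a digest regardless of which endpoint served the blob, so I would note that next to the map: `# mirrors are a trust boundary: reference workload images by digest, not tag`.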
@@ -0,0 +1,54 @@
+# K3s 集群主机清单
+---
+all:
+ vars:
+ # SSH 配置 (初始连接使用密码)
+ ansible_user: root
+ ansible_port: 2103
+ ansible_password: "{{ lookup('env', 'SSH_PASSWORD') }}"
+
+ # SSH 安全配置
+ ssh_new_port: 2103
+ ssh_pubkey: "{{ lookup('env', 'SSH_PUBKEY') | default(lookup('file', '~/.ssh/id_rsa.pub'), true) }}"
+
+ children:
+ # Master 节点 (Server)
+ masters:
+ hosts:
+ tca:
+ ansible_host: tca.node.dev.cm
+ node_hostname: tca
+ cluster_init: true
+ node_region: cn-sh
+ use_mirror: true
+ tcb:
+ ansible_host: tcb.node.dev.cm
+ node_hostname: tcb
+ node_region: cn-sh
+ use_mirror: true
+ tcc:
+ ansible_host: tcc.node.dev.cm
+ node_hostname: tcc
+ node_region: cn-sh
+ use_mirror: true
+
+ # Agent 节点 (Worker)
+ agents:
+ hosts:
+ alihk:
+ ansible_host: alihk.node.dev.cm
+ node_hostname: alihk
+ node_region: cn-hk
+ enable_lb: true
+ netfilter_mode: nodivert
+ clawhk:
+ ansible_host: clawhk.node.dev.cm
+ node_hostname: clawhk
+ node_region: cn-hk
+
+ # 节点分组
+ k3s_cluster:
+ children:
+ masters:
+ agents:
+
diff --git a/ansible/playbooks/add-node.yml b/ansible/playbooks/add-node.yml
new file mode 100644
index 0000000..f054696
--- /dev/null
+++ b/ansible/playbooks/add-node.yml
@@ -0,0 +1,19 @@
+# 添加新节点到集群
+# 使用: export K3S_TOKEN='xxx' K3S_SERVER_URL='xxx' TAILSCALE_AUTH_KEY='xxx'
+# ansible-playbook playbooks/add-node.yml -l
+---
+- name: Validate
+ hosts: localhost
+ gather_facts: no
+ tasks:
+ - ansible.builtin.fail:
+ msg: "请设置: export K3S_TOKEN='xxx'"
+ when: lookup('env', 'K3S_TOKEN') | length == 0
+
+- name: Add node
+ hosts: masters:agents:!master_init
+ gather_facts: yes
+ roles:
+ - common
+ - k3s
+
diff --git a/ansible/playbooks/init.yml b/ansible/playbooks/init.yml
new file mode 100644
index 0000000..7cc9aa2
--- /dev/null
+++ b/ansible/playbooks/init.yml
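Review bot: `ansible_port: 2103` is set for all hosts, yet the comment on the same block says the initial connection uses the password, and the ssh role only switches to `ssh_new_port` in its `Update ansible_port to new SSH port` task after the template changed; on a fresh host still listening on 22 the first play cannot connect at all, and that set_fact is a no-op because the value is already 2103. I would leave `ansible_port` unset in the inventory (or set it to 22 with a comment) and let the ssh role switch it, or document that first runs need `-e ansible_port=22`. `ssh_pubkey` also passes the `SSH_PUBKEY` environment value through as key material while `.env.example` documents it as a path; only the fallback goes through `lookup('file', …)`.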
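Review bot: `hosts: masters:agents:!master_init` excludes a group `master_init` that the inventory does not define (hosts.yml only has masters, agents and k3s_cluster), so without a `-l` limit the play also runs on the cluster_init host, where the k3s role skips the K3S_TOKEN check and re-renders a `cluster-init: true` config. I would drop the pattern and guard the role with the variable the rest of the tree already uses, e.g. `hosts: k3s_cluster` plus `when: not (cluster_init | default(false))` on the roles, or define `master_init` in hosts.yml. The usage comment `ansible-playbook playbooks/add-node.yml -l` is also missing its argument.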
@@ -0,0 +1,8 @@
+# 首次安装 (包含 SSH 加固)
+# 使用: export SSH_PASSWORD='xxx' TAILSCALE_AUTH_KEY='xxx'
+# ansible-playbook playbooks/init.yml
+---
+- name: First time installation with SSH hardening
+ import_playbook: site.yml
+ tags: [ssh, common, k3s, status]
+
diff --git a/ansible/playbooks/site.yml b/ansible/playbooks/site.yml
new file mode 100644
index 0000000..7d36284
--- /dev/null
+++ b/ansible/playbooks/site.yml
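Review bot: `tags: [ssh, common, k3s, status]` on `import_playbook` applies those tags to the imported plays; as far as I know it does not select them, so the SSH play in site.yml, which carries the `never` tag, still only runs when `--tags ssh` is passed on the command line, and `ansible-playbook playbooks/init.yml` as shown in the header comment would skip the hardening it is named for. The README's first-install command passes `--tags ssh,common,k3s,status` explicitly, which suggests that is the form that works. Either change the header comment to `# ansible-playbook playbooks/init.yml --tags ssh,common,k3s,status` or restructure so the SSH play is not gated by `never` when imported from here.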
@@ -0,0 +1,93 @@
+# K3s 集群安装 Playbook
+---
+- name: Validate environment
+ hosts: localhost
+ gather_facts: no
+ tasks:
+ - name: Check TAILSCALE_AUTH_KEY
+ ansible.builtin.fail:
+ msg: "请设置: export TAILSCALE_AUTH_KEY='tskey-auth-xxx'"
+ when: lookup('env', 'TAILSCALE_AUTH_KEY') | length == 0
+
+ - name: Check SSH credentials
+ ansible.builtin.debug:
+ msg: |
+ {% if lookup('env', 'SSH_PASSWORD') | length > 0 %}
+ ✓ 使用密码登录 (首次安装)
+ {% else %}
+ ✓ 使用密钥登录
+ {% endif %}
+
+# ============================================
+# 阶段 1: SSH 安全加固 (可选,首次安装时使用)
+# ============================================
+- name: SSH Security Hardening
+ hosts: k3s_cluster
+ gather_facts: no
+ tags: [ssh, never]
+ roles:
+ - ssh
+
+# ============================================
+# 阶段 2: 基础配置
+# ============================================
+- name: Common Setup
+ hosts: k3s_cluster
+ gather_facts: yes
+ tags: [common]
+ roles:
+ - common
+
+# ============================================
+# 阶段 3: 安装 K3s (按顺序: init -> masters -> agents)
+# ============================================
+- name: Install K3s on init node
+ hosts: masters
+ gather_facts: yes
+ serial: 1
+ tags: [k3s]
+ roles:
+ - role: k3s
+ when: cluster_init | default(false)
+
+- name: Install K3s on other masters
+ hosts: masters
+ gather_facts: yes
+ serial: 1
+ tags: [k3s]
+ roles:
+ - role: k3s
+ when: not (cluster_init | default(false))
+
+- name: Install K3s on agents
+ hosts: agents
+ gather_facts: yes
+ tags: [k3s]
+ roles:
+ - k3s
+
+# ============================================
+# 阶段 4: 显示集群状态
+# ============================================
+- name: Show cluster status
+ hosts: masters
+ gather_facts: no
+ tags: [status]
+ run_once: true
+ tasks:
+ - name: Get nodes
+ ansible.builtin.shell: kubectl get nodes -o wide
+ environment:
+ KUBECONFIG: /etc/rancher/k3s/k3s.yaml
+ register: nodes
+ when: cluster_init | default(false)
+
+ - name: Display nodes
+ ansible.builtin.debug:
+ msg: |
+ ══════════════════════════════════════════════════════════════
+ K3s 集群节点:
+ {{ nodes.stdout }}
+ ══════════════════════════════════════════════════════════════
+ when: cluster_init | default(false)
+
diff --git a/ansible/roles/common/handlers/main.yml b/ansible/roles/common/handlers/main.yml
new file mode 100644
index 0000000..cabea91
--- /dev/null
+++ b/ansible/roles/common/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+- name: Apply sysctl
+ ansible.builtin.command: sysctl --system
+
diff --git a/ansible/roles/common/tasks/main.yml b/ansible/roles/common/tasks/main.yml
new file mode 100644
index 0000000..55ad7e6
--- /dev/null
+++ b/ansible/roles/common/tasks/main.yml
@@ -0,0 +1,46 @@
+# 基础配置 Role
+# 功能: hostname、sysctl、Tailscale 安装
+---
+- name: Set hostname
+ ansible.builtin.hostname:
+ name: "{{ node_hostname }}"
+ when: node_hostname is defined
+
+- name: Update /etc/hosts
+ ansible.builtin.lineinfile:
+ path: /etc/hosts
+ regexp: '^127\.0\.1\.1'
+ line: "127.0.1.1 {{ node_hostname }}"
+ when: node_hostname is defined
+
+- name: Configure sysctl for IP forwarding
+ ansible.builtin.copy:
+ dest: /etc/sysctl.d/99-k3s.conf
+ content: |
+ net.ipv4.ip_forward = 1
+ net.ipv6.conf.all.forwarding = 1
+ mode: '0644'
+ notify: Apply sysctl
+
+- name: Install dependencies
+ ansible.builtin.apt:
+ name: [curl, wget, ca-certificates]
+ state: present
+ update_cache: yes
+
+- name: Check if Tailscale is installed
+ ansible.builtin.command: which tailscale
+ register: tailscale_check
+ ignore_errors: yes
+ changed_when: false
+
+- name: Install Tailscale
+ ansible.builtin.shell: curl -fsSL https://tailscale.com/install.sh | sh
+ when: tailscale_check.rc != 0
+
+- name: Enable Tailscale service
+ ansible.builtin.systemd:
+ name: tailscaled
+ enabled: yes
+ state: started
+
diff --git a/ansible/roles/k3s/tasks/main.yml b/ansible/roles/k3s/tasks/main.yml
new file mode 100644
index 0000000..e972687
--- /dev/null
+++ b/ansible/roles/k3s/tasks/main.yml
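Review bot: In the `Show cluster status` play, `run_once: true` runs `Get nodes` on the first host of `masters` only, and `when: cluster_init | default(false)` then skips it unless that host happens to be the init node, so the status block silently shows nothing when inventory order changes and `Display nodes` would reference `nodes.stdout` of a skipped result. Dropping `run_once: true` and keeping the `when` already limits both tasks to the single host with `cluster_init: true`. `kubectl get nodes -o wide` uses no shell syntax, so `ansible.builtin.command` fits it better than `ansible.builtin.shell`.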
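Review bot: `Install Tailscale` pipes `https://tailscale.com/install.sh` straight into `sh` as root with no version pin or checksum, so each node trusts whatever that URL serves at install time; the k3s role repeats the pattern with the k3s installer. I would fetch the script with `ansible.builtin.get_url` and a `checksum:` taken from a reviewed copy (or install from the distro repository) and run the saved file, and `Check if Tailscale is installed` should use `command -v` with `failed_when: false` rather than `ignore_errors: yes`, which still reports a failure in the output. Rewritten tasks below; the checksum value is a placeholder.

```yaml
# … unchanged: hostname, /etc/hosts, sysctl and apt tasks …

- name: Check if Tailscale is installed
  ansible.builtin.shell: command -v tailscale
  register: tailscale_check
  failed_when: false
  changed_when: false

- name: Download Tailscale install script
  ansible.builtin.get_url:
    url: https://tailscale.com/install.sh
    dest: /usr/local/src/tailscale-install.sh
    mode: '0755'
    checksum: "sha256:<SHA256_OF_REVIEWED_SCRIPT>"   # placeholder: hash of the copy you reviewed
  when: tailscale_check.rc != 0

- name: Install Tailscale
  ansible.builtin.command: /usr/local/src/tailscale-install.sh
  when: tailscale_check.rc != 0

# … unchanged: Enable Tailscale service …
```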
@@ -0,0 +1,103 @@
+# K3s 安装 Role (统一 Server 和 Agent)
+---
+- name: Validate TAILSCALE_AUTH_KEY
+ ansible.builtin.fail:
+ msg: "请设置环境变量: export TAILSCALE_AUTH_KEY='tskey-auth-xxx'"
+ when: tailscale_auth_key | length == 0
+
+- name: Validate K3S_TOKEN for join nodes
+ ansible.builtin.fail:
+ msg: "请设置环境变量: export K3S_TOKEN='xxx'"
+ when:
+ - not (cluster_init | default(false))
+ - k3s_token | length == 0
+
+- name: Create K3s config directory
+ ansible.builtin.file:
+ path: /etc/rancher/k3s
+ state: directory
+ mode: '0755'
+
+# Server 节点配置
+- name: Deploy K3s server config
+ ansible.builtin.template:
+ src: k3s-server.yaml.j2
+ dest: /etc/rancher/k3s/config.yaml
+ mode: '0600'
+ when: "'masters' in group_names"
+
+# Agent 节点配置
+- name: Deploy K3s agent config
+ ansible.builtin.template:
+ src: k3s-agent.yaml.j2
+ dest: /etc/rancher/k3s/config.yaml
+ mode: '0600'
+ when: "'agents' in group_names"
+
+# 镜像加速配置
+- name: Deploy registries.yaml
+ ansible.builtin.template:
+ src: registries.yaml.j2
+ dest: /etc/rancher/k3s/registries.yaml
+ mode: '0644'
+ when: use_mirror | default(false)
+
+# 安装 K3s
+- name: Set install URL
+ ansible.builtin.set_fact:
+ k3s_install_url: "{{ mirror_k3s_install_url if (use_mirror | default(false)) else global_k3s_install_url }}"
+ k3s_install_mirror: "{{ 'INSTALL_K3S_MIRROR=cn' if (use_mirror | default(false)) else '' }}"
+
+- name: Check if K3s is installed
+ ansible.builtin.stat:
+ path: /usr/local/bin/k3s
+ register: k3s_binary
+
+- name: Install K3s server
+ ansible.builtin.shell: |
+ curl -sfL {{ k3s_install_url }} | {{ k3s_install_mirror }} INSTALL_K3S_VERSION={{ k3s_version }} sh -s - server
+ when:
+ - "'masters' in group_names"
+ - not k3s_binary.stat.exists
+
+- name: Install K3s agent
+ ansible.builtin.shell: |
+ curl -sfL {{ k3s_install_url }} | {{ k3s_install_mirror }} INSTALL_K3S_VERSION={{ k3s_version }} sh -s - agent
+ when:
+ - "'agents' in group_names"
+ - not k3s_binary.stat.exists
+
+# 等待 K3s 就绪 (仅 Server)
+- name: Wait for K3s server ready
+ ansible.builtin.wait_for:
+ path: /var/lib/rancher/k3s/server/node-token
+ timeout: 120
+ when: "'masters' in group_names"
+
+# 输出 Token (仅 cluster-init)
+- name: Get node token
+ ansible.builtin.slurp:
+ src: /var/lib/rancher/k3s/server/node-token
+ register: node_token
+ when: cluster_init | default(false)
+
+- name: Display node token
+ ansible.builtin.debug:
+ msg: |
+ ══════════════════════════════════════════════════════════════
+ K3S_TOKEN (用于添加新节点):
+ {{ node_token.content | b64decode | trim }}
+
+ K3S_SERVER_URL:
+ https://{{ ansible_host }}:6443
+ ══════════════════════════════════════════════════════════════
+ when: cluster_init | default(false)
+
+# 保存 kubeconfig (仅 cluster-init)
+- name: Fetch kubeconfig
+ ansible.builtin.fetch:
+ src: /etc/rancher/k3s/k3s.yaml
+ dest: "{{ playbook_dir }}/../kubeconfig.yaml"
+ flat: yes
+ when: cluster_init | default(false)
+
diff --git a/ansible/roles/k3s/templates/k3s-agent.yaml.j2 b/ansible/roles/k3s/templates/k3s-agent.yaml.j2
new file mode 100644
index 0000000..431cd73
--- /dev/null
+++ b/ansible/roles/k3s/templates/k3s-agent.yaml.j2
@@ -0,0 +1,28 @@
+# K3s Agent 配置模板
+---
+server: "{{ k3s_server_url }}"
+token: "{{ k3s_token }}"
+
+# Tailscale VPN
+vpn-auth: "name=tailscale,joinKey={{ tailscale_auth_key }}{% if netfilter_mode | default('') %},extraArgs=--netfilter-mode={{ netfilter_mode }}{% endif %}"
+
+# 节点标签
+node-label:
+{% if node_region is defined %}
+ - "topology.kubernetes.io/region={{ node_region }}"
+{% endif %}
+{% if enable_lb is defined %}
+ - "svccontroller.k3s.cattle.io/enablelb={{ enable_lb | string | lower }}"
+{% endif %}
+{% if node_labels is defined %}
+{% for key, value in node_labels.items() %}
+ - "{{ key }}={{ value }}"
+{% endfor %}
+{% endif %}
+
+# Kubelet 资源预留
+{% if kubelet_reserved is defined %}
+kubelet-arg:
+ - "kube-reserved={{ kubelet_reserved }}"
+{% endif %}
+
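Review bot: `Get node token` registers the slurped `node-token` in `node_token`, and registered results are echoed in full at `-v`, so the cluster join token lands in any captured Ansible log in addition to the deliberate `Display node token` block; the `Deploy K3s server config` and `Deploy K3s agent config` template tasks likewise show `tailscale_auth_key` and `k3s_token` when run with `--diff`. I would add `no_log: true` to the slurp task and the two template tasks and leave the explicit display as the one place the token is printed. `Install K3s server` and `Install K3s agent` also pipe the installer into `sh` pinned only by `INSTALL_K3S_VERSION`; downloading the script with `ansible.builtin.get_url` and a `checksum:` of a reviewed copy, then running the saved file, would pin the installer itself.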
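Review bot: `node-label:` is emitted unconditionally while every entry under it is guarded, so a host with none of `node_region`, `enable_lb` or `node_labels` set renders `node-label:` with a null value; I cannot tell from here whether k3s accepts a null for that option, so I would put the same guard around the whole block: `{% if node_region is defined or enable_lb is defined or node_labels is defined %}` before `node-label:` and a matching `{% endif %}` after the last entry. The server template has the same shape and would get the same guard.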
diff --git a/ansible/roles/k3s/templates/k3s-server.yaml.j2 b/ansible/roles/k3s/templates/k3s-server.yaml.j2
new file mode 100644
index 0000000..8936dc6
--- /dev/null
+++ b/ansible/roles/k3s/templates/k3s-server.yaml.j2
@@ -0,0 +1,42 @@
+# K3s Server 统一配置模板 (master-init 和 master-join)
+---
+{% if cluster_init | default(false) %}
+# 首个节点初始化集群
+cluster-init: true
+{% else %}
+# 加入已有集群
+server: "{{ k3s_server_url }}"
+token: "{{ k3s_token }}"
+{% endif %}
+
+tls-san:
+ - "{{ k3s_tls_san }}"
+
+# ETCD 快照配置
+etcd-snapshot-retention: {{ etcd_snapshot_retention }}
+etcd-snapshot-schedule-cron: "{{ etcd_snapshot_schedule_cron }}"
+etcd-snapshot-compress: {{ etcd_snapshot_compress | lower }}
+
+# Tailscale VPN
+vpn-auth: "name=tailscale,joinKey={{ tailscale_auth_key }}{% if netfilter_mode | default('') %},extraArgs=--netfilter-mode={{ netfilter_mode }}{% endif %}"
+
+# 禁用组件
+disable:
+{% for component in k3s_disable_components %}
+ - {{ component }}
+{% endfor %}
+
+# 节点标签
+node-label:
+{% if node_region is defined %}
+ - "topology.kubernetes.io/region={{ node_region }}"
+{% endif %}
+{% if enable_lb is defined %}
+ - "svccontroller.k3s.cattle.io/enablelb={{ enable_lb | string | lower }}"
+{% endif %}
+{% if node_labels is defined %}
+{% for key, value in node_labels.items() %}
+ - "{{ key }}={{ value }}"
+{% endfor %}
+{% endif %}
+
diff --git a/ansible/roles/k3s/templates/registries.yaml.j2 b/ansible/roles/k3s/templates/registries.yaml.j2
new file mode 100644
index 0000000..e36f1c3
--- /dev/null
+++ b/ansible/roles/k3s/templates/registries.yaml.j2
@@ -0,0 +1,11 @@
+# 镜像加速配置
+---
+mirrors:
+{% for registry, endpoints in registry_mirrors.items() %}
+ "{{ registry }}":
+ endpoint:
+{% for endpoint in endpoints %}
+ - "https://{{ endpoint }}"
+{% endfor %}
+{% endfor %}
+
diff --git a/ansible/roles/ssh/tasks/main.yml b/ansible/roles/ssh/tasks/main.yml
new file mode 100644
index 0000000..b10c947
--- /dev/null
+++ b/ansible/roles/ssh/tasks/main.yml
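Review bot: `tls-san:` renders a single list item holding the whole `k3s_tls_san` string, which with the group_vars default is `"k3s.dev.cm,k3s.fillcode.com"` in one entry; whether k3s splits a comma-joined entry from config.yaml is not something this page shows, so I would emit one SAN per item: `{% for san in k3s_tls_san.split(',') %}` / `  - "{{ san | trim }}"` / `{% endfor %}`. The rendered file also carries `token` and the Tailscale `joinKey`, which is why the 0600 mode on the template task matters and is worth a one-line comment at the top of the template.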
@@ -0,0 +1,51 @@
+# SSH 安全加固 Role
+# 功能: 修改端口、配置密钥认证、禁用密码登录
+---
+- name: Ensure .ssh directory exists
+ ansible.builtin.file:
+ path: /root/.ssh
+ state: directory
+ mode: '0700'
+
+- name: Add SSH public key
+ ansible.builtin.authorized_key:
+ user: root
+ key: "{{ ssh_pubkey }}"
+ state: present
+
+- name: Backup original sshd_config
+ ansible.builtin.copy:
+ src: /etc/ssh/sshd_config
+ dest: /etc/ssh/sshd_config.bak
+ remote_src: yes
+ force: no
+
+- name: Deploy secure sshd_config
+ ansible.builtin.template:
+ src: sshd_config.j2
+ dest: /etc/ssh/sshd_config
+ mode: '0600'
+ validate: '/usr/sbin/sshd -t -f %s'
+ register: sshd_config
+
+- name: Restart sshd service
+ ansible.builtin.systemd:
+ name: sshd
+ state: restarted
+ when: sshd_config.changed
+
+- name: Update ansible_port to new SSH port
+ ansible.builtin.set_fact:
+ ansible_port: "{{ ssh_new_port }}"
+ when: sshd_config.changed
+
+- name: Wait for SSH on new port
+ ansible.builtin.wait_for:
+ port: "{{ ssh_new_port }}"
+ host: "{{ ansible_host }}"
+ delay: 5
+ timeout: 60
+ delegate_to: localhost
+ become: no
+ when: sshd_config.changed
+
diff --git a/ansible/roles/ssh/templates/sshd_config.j2 b/ansible/roles/ssh/templates/sshd_config.j2
new file mode 100644
index 0000000..1c3bbfd
--- /dev/null
+++ b/ansible/roles/ssh/templates/sshd_config.j2
@@ -0,0 +1,12 @@
+# SSH 配置模板
+Port {{ ssh_new_port }}
+PermitRootLogin prohibit-password
+PasswordAuthentication no
+PubkeyAuthentication yes
+ChallengeResponseAuthentication no
+UsePAM yes
+X11Forwarding no
+PrintMotd no
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server
+
diff --git a/apps/infra/data/cloudnative-pg/helmchart.yaml b/apps/infra/data/cloudnative-pg/helmchart.yaml
index cdf1865..eb21f3a
--- a/apps/infra/data/cloudnative-pg/helmchart.yaml
+++ b/apps/infra/data/cloudnative-pg/helmchart.yaml
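Review bot: `key: "{{ ssh_pubkey }}"` in `Add SSH public key` expects key material, but `.env.example` and the README describe `SSH_PUBKEY` as a path and hosts.yml passes the environment value through unchanged, with only the fallback going through `lookup('file', …)`; set to a path, the task either fails or records an unusable line, and `Deploy secure sshd_config` then turns password login off, which can lock the operator out of the host. I would resolve it as a path where the variable is defined in hosts.yml: `ssh_pubk
ey: "{{ lookup('file', lookup('env', 'SSH_PUBKEY') | default('~/.ssh/id_rsa.pub', true)) }}"`. The role also has no check that the key actually landed before `PasswordAuthentication no` is applied; a `Verify key login works` step that opens a key-only connection on the new port before the old credentials are abandoned would make the sequence fail safe.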
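Review bot: The template replaces the distribution sshd_config wholesale, so the Debian/Ubuntu `Include /etc/ssh/sshd_config.d/*.conf` line is gone; that is what keeps `PasswordAuthentication no` from being overridden by a cloud-init drop-in, and since it looks accidental it deserves a comment at the top: `# No Include of sshd_config.d on purpose: drop-ins must not re-enable password auth`. `ChallengeResponseAuthentication` is the pre-8.7 spelling of `KbdInteractiveAuthentication`; both are accepted, but the newer name is the documented one. On Ubuntu releases that socket-activate sshd, `Port` in this file is ignored and the listen port comes from `ssh.socket`, which this role does not touch, so the port change may silently not apply there — worth a hedge in the README or a check in the role.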
@@ -19,7 +19,7 @@ spec:
 values:
 - "cn-sh"
 tolerations:
- - key: "node-role.kubernetes.io/control-plane"
+ - key: "node-role.kubernetes.io/master"
 operator: "Exists"
 effect: "NoSchedule"
 image:
diff --git a/apps/infra/devops/cert-manager/helmchart-dnspod.yaml b/apps/infra/devops/cert-manager/helmchart-dnspod.yaml
index 892ae73..736a3a4
--- a/apps/infra/devops/cert-manager/helmchart-dnspod.yaml
+++ b/apps/infra/devops/cert-manager/helmchart-dnspod.yaml
@@ -30,6 +30,6 @@ spec:
 values:
 - "cn-sh"
 tolerations:
- - key: "node-role.kubernetes.io/control-plane"
+ - key: "node-role.kubernetes.io/master"
 operator: "Exists"
 effect: "NoSchedule"
diff --git a/apps/infra/devops/cert-manager/helmchart.yaml b/apps/infra/devops/cert-manager/helmchart.yaml
index b04c80e..79395a0
--- a/apps/infra/devops/cert-manager/helmchart.yaml
+++ b/apps/infra/devops/cert-manager/helmchart.yaml
@@ -21,7 +21,7 @@ spec:
 values:
 - "cn-sh"
 tolerations:
- - key: "node-role.kubernetes.io/control-plane"
+ - key: "node-role.kubernetes.io/master"
 operator: "Exists"
 effect: "NoSchedule"
 webhook:
@@ -35,7 +35,7 @@ spec:
 values:
 - "cn-sh"
 tolerations:
- - key: "node-role.kubernetes.io/control-plane"
+ - key: "node-role.kubernetes.io/master"
 operator: "Exists"
 effect: "NoSchedule"
 cainjector:
@@ -49,7 +49,7 @@ spec:
 values:
 - "cn-sh"
 tolerations:
- - key: "node-role.kubernetes.io/control-plane"
+ - key: "node-role.kubernetes.io/master"
 operator: "Exists"
 effect: "NoSchedule"
 # 在删除证书时同时删除secret
diff --git a/apps/infra/devops/velero/helmchart.yaml b/apps/infra/devops/velero/helmchart.yaml
index 7b9e784..74d5121
--- a/apps/infra/devops/velero/helmchart.yaml
+++ b/apps/infra/devops/velero/helmchart.yaml
@@ -26,6 +26,10 @@ spec:
 operator: In
 values:
 - homea
+ kubectl:
+ image:
+ repository: alpine/k8s
+ tag: "1.34.0"
 deployNodeAgent: true
 snapshotsEnabled: false
 configuration:
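Review bot: Replacing the toleration key `node-role.kubernetes.io/control-plane` with `node-role.kubernetes.io/master` swaps rather than extends what these pods tolerate; the `master` role key is deprecated upstream and no longer applied by kubeadm, so whether a node in this cluster carries a taint with that key is what decides if cloudnative-pg, cert-manager (helmchart-dnspod.yaml and the three hunks in helmchart.yaml) keep scheduling where they did. apps/kube/patch-affinity.yaml in this same commit keeps both keys as two toleration entries, which is the safe form; I would do the same here instead of rewriting the existing entry. For the nodelocaldns `NotIn` affinity the risk is the reverse: if no node carries the `master` label, a `NotIn` term on that key matches every node, masters included.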
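Review bot: The new `kubectl.image` block pins `alpine/k8s` by tag `"1.34.0"` only; a tag is mutable, and this image runs with cluster credentials in the chart's hook jobs, so I would pin by digest as well, via a digest value if the chart exposes one, otherwise in the tag string, and record next to it where the tag was verified. The surrounding `deployNodeAgent` and `configuration` context is outside the hunk.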
diff --git a/apps/infra/gitops/flux/clusterrolebinding.yaml b/apps/infra/gitops/flux/clusterrolebinding.yaml
new file mode 100644
index 0000000..921d13c
--- /dev/null
+++ b/apps/infra/gitops/flux/clusterrolebinding.yaml
@@ -0,0 +1,29 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: dev-cm-flux-web-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: flux-web-admin
+subjects:
+ - kind: Group
+ name: dev.cm:owners
+ apiGroup: rbac.authorization.k8s.io
+ - kind: Group
+ name: dev.cm:admins
+ apiGroup: rbac.authorization.k8s.io
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: dev-cm-flux-web-user
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: flux-web-user
+subjects:
+ - kind: Group
+ name: dev.cm
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/apps/infra/gitops/flux/flux-instance.yaml b/apps/infra/gitops/flux/flux-instance.yaml
index 5de300d..6333379
--- a/apps/infra/gitops/flux/flux-instance.yaml
+++ b/apps/infra/gitops/flux/flux-instance.yaml
@@ -10,7 +10,6 @@ spec:
 artifact: "oci://ghcr.io/controlplaneio-fluxcd/flux-operator-manifests"
 components:
 - source-controller
- - source-watcher
 - kustomize-controller
 - helm-controller
 - notification-controller
@@ -22,4 +21,21 @@ spec:
 domain: "cluster.local"
 storage:
 class: "local-path"
- size: "10Gi"
\ No newline at end of file
+ size: "10Gi"
+ kustomize:
+ patches:
+ - target:
+ kind: Deployment
+ patch: |
+ - op: add
+ path: /spec/template/spec/affinity
+ value:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ preference:
+ matchExpressions:
+ - key: kubernetes.io/hostname
+ operator: In
+ values:
+ - homea
\ No newline at end of file
diff --git a/apps/infra/gitops/flux/helmchart.yaml b/apps/infra/gitops/flux/helmchart.yaml
index b8ce06c..7ccbe85
--- a/apps/infra/gitops/flux/helmchart.yaml
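Review bot: Both bindings are cluster-scoped and grant by group name (`dev.cm:owners`, `dev.cm:admins` to `flux-web-admin`, the whole `dev.cm` group to `flux-web-user`), but the two ClusterRoles are not defined in this commit and nothing says where the group names originate, so a reviewer cannot check what every member of `dev.cm` is being given. I would add a comment above each binding naming both sources, e.g. `# ClusterRoles come from the flux-operator chart (web UI); groups presumably map from the API server's OIDC group claim — confirm`. Adding the missing trailing newline the diff flags would also keep the file tidy.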
+++ b/apps/infra/gitops/flux/helmchart.yaml
@@ -8,6 +8,16 @@ spec:
 targetNamespace: infra-gitops
 version: 0.40.0
 valuesContent: |-
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ preference:
+ matchExpressions:
+ - key: kubernetes.io/hostname
+ operator: In
+ values:
+ - homea
 installCRDs: true
 web:
 config:
diff --git a/apps/kube/coredns/nodelocaldns.yaml b/apps/kube/coredns/nodelocaldns.yaml
index a1ddd6c..80c0ffa
--- a/apps/kube/coredns/nodelocaldns.yaml
+++ b/apps/kube/coredns/nodelocaldns.yaml
@@ -126,7 +126,7 @@ spec:
 requiredDuringSchedulingIgnoredDuringExecution:
 nodeSelectorTerms:
 - matchExpressions:
- - key: node-role.kubernetes.io/control-plane
+ - key: node-role.kubernetes.io/master
 operator: NotIn
 values:
 - "true"
diff --git a/apps/kube/patch-affinity.yaml b/apps/kube/patch-affinity.yaml
index a1089d8..7d6d312
--- a/apps/kube/patch-affinity.yaml
+++ b/apps/kube/patch-affinity.yaml
@@ -6,7 +6,14 @@ spec:
 requiredDuringSchedulingIgnoredDuringExecution:
 nodeSelectorTerms:
 - matchExpressions:
- - key: node-role.kubernetes.io/control-plane
+ - key: node-role.kubernetes.io/master
 operator: In
 values:
 - "true"
+ tolerations:
+ - key: node-role.kubernetes.io/control-plane
+ operator: Exists
+ effect: NoSchedule
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ effect: NoSchedule
\ No newline at end of file
diff --git a/install/README.md b/install/README.md
index 3b61f81..7ac76c8
--- a/install/README.md
+++ b/install/README.md
@@ -59,7 +59,7 @@ mkdir -p /etc/rancher/k3s && vim /etc/rancher/k3s/config.yaml
 ```shell
 curl -sfL https://get.k3s.io | \
- INSTALL_K3S_VERSION=v1.33.2+k3s1 \
+ INSTALL_K3S_VERSION=v1.34.2+k3s1 \
 sh -s - server
 ```
@@ -69,7 +69,7 @@ curl -sfL https://get.k3s.io | \
 ```shell
 curl -sfL https://rancher-mirror.rancher.cn/k3s/k3s-install.sh | \
- INSTALL_K3S_VERSION=v1.33.2+k3s1 \
+ INSTALL_K3S_VERSION=v1.34.2+k3s1 \
 INSTALL_K3S_MIRROR=cn \
 sh -s - server
 ```
diff --git a/install/agent.config.yaml b/install/agent.config.yaml
index ca4a9e2..4a05d73
--- a/install/agent.config.yaml
+++ b/install/agent.config.yaml
@@ -4,8 +4,8 @@ token: "K1010dd6f0853e824cfaf417117f31a0d797a738aa2d4b9d01cd5972a9b084c81a0::ser
 # 网络相关
 # WARN 阿里云、华为云因使用100网段作为dns等内部服务 需要关闭netfilter 否则会自动添加iptables规则导致无法访问dns
-# WARN 需要添加 extraArgs=--netfilter-mode=off
-vpn-auth: "name=tailscale,joinKey=tskey-auth-kUMo6hWP9711CNTRL-oo21xakMTxCKJBWK8t9XxComm3fAFUvy,extraArgs=--netfilter-mode=off"
+# WARN 需要添加 extraArgs=--netfilter-mode=nodivert
+vpn-auth: "name=tailscale,joinKey=tskey-auth-kUMo6hWP9711CNTRL-oo21xakMTxCKJBWK8t9XxComm3fAFUvy"
 # 节点相关
 # 保留节点资源 根据节点做不同配置
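Review bot: The updated comment says `extraArgs=--netfilter-mode=nodivert` must be added, yet the `vpn-auth` line directly below it now carries no `extraArgs` at all, so the comment and the value disagree; either append `,extraArgs=--netfilter-mode=nodivert` inside the `vpn-auth` string or reword the comment to say the setting was dropped. More important, the `joinKey=` value in `vpn-auth` and the `token:` value visible in the hunk heading are live-looking credentials committed in plain text, while the ansible/ tree in this same commit reads both from environment variables; I would move this file to the same pattern (a placeholder plus a comment pointing at `.env`) and treat both values as exposed, i.e. rotate the Tailscale auth key and the cluster token.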