dev.cm/k3s
1
0
派生 0
代码 议题 拉取请求 活动

feat(ansible): add K3s installation playbooks and configuration templates

浏览代码
这个提交包含在:
rohow
2026-02-09 14:03:42 +08:00
未验证
父节点 5f85a85844
当前提交 d6bcd22ecd
修改 28 个文件,包含 815 行新增13 行删除
下载 Patch 文件 下载 Diff 文件 展开所有文件 折叠所有文件
ansible/.env.example
+18
查看文件
@@ -0,0 +1,18 @@
# 环境变量模板
# 复制为 .env 并填写实际值,然后 source .env
# Tailscale Auth Key (必须)
export TAILSCALE_AUTH_KEY=""
# K3s Token (添加节点时需要,从首节点安装输出获取)
export K3S_TOKEN=""
# K3s Server URL (添加节点时需要)
export K3S_SERVER_URL="https://k3s.dev.cm:6443"
# SSH 密码 (如果使用密码认证,必须设置;如果使用密钥认证,留空)
export SSH_PASSWORD=""
# SSH 公钥路径 (默认 ~/.ssh/id_rsa.pub)
# export SSH_PUBKEY=""
ansible/.gitignore
+17
查看文件
@@ -0,0 +1,17 @@
# Ansible 临时文件
*.retry
# 敏感文件
kubeconfig.yaml
kubeconfig-*.yaml
*.pem
*.key
# 本地环境
.env
.env.local
# IDE
.idea/
.vscode/
ansible/README.md
+166
查看文件
@@ -0,0 +1,166 @@
# K3s Ansible 自动化安装
一键部署 K3s 集群,支持国内镜像加速、Tailscale 组网、SSH 安全加固。
## 目录结构
```
ansible/
├── ansible.cfg # Ansible 配置
├── inventory/hosts.yml # 主机清单 ⭐ 需修改
├── group_vars/all.yml # 全局变量
├── .env.example # 环境变量模板
├── roles/
│ ├── ssh/ # SSH 安全加固
│ │ ├── tasks/main.yml
│ │ └── templates/sshd_config.j2
│ ├── common/ # 基础配置 (hostname, sysctl, tailscale)
│ │ ├── tasks/main.yml
│ │ └── handlers/main.yml
│ └── k3s/ # K3s 安装
│ ├── tasks/main.yml
│ └── templates/
│ ├── k3s-server.yaml.j2 # Server 配置 (统一 init/join)
│ ├── k3s-agent.yaml.j2 # Agent 配置
│ └── registries.yaml.j2 # 镜像加速
└── playbooks/
├── site.yml # 完整安装
├── init.yml # 首次安装 (含 SSH 加固)
└── add-node.yml # 添加节点
```
## 快速开始
### 1. 配置主机清单
编辑 `inventory/hosts.yml`:
```yaml
masters:
hosts:
master1:
ansible_host: 10.0.0.1
node_hostname: master1
cluster_init: true # 首个节点设为 true
node_region: cn-sh # 区域标签
use_mirror: true # 使用镜像加速
enable_lb: true # 启用 LB
netfilter_mode: "" # 阿里云/华为云设为 nodivert
```
### 2. 设置环境变量
```bash
# 必须
export TAILSCALE_AUTH_KEY="tskey-auth-xxx"
# 首次安装 (SSH 加固)
export SSH_PASSWORD="your-root-password"
# 添加节点时 (从首节点安装输出获取)
export K3S_TOKEN="K10xxx::server:xxx"
export K3S_SERVER_URL="https://10.0.0.1:6443"
```
### 3. 执行安装
```bash
cd k3s/ansible
# 方式一: 首次安装 (含 SSH 加固,端口改为 2103,启用密钥认证)
ansible-playbook playbooks/site.yml --tags ssh,common,k3s,status
# 方式二: 常规安装 (已配置 SSH 密钥)
ansible-playbook playbooks/site.yml
# 方式三: 仅安装首个 master
ansible-playbook playbooks/site.yml -l master1
# 方式四: 添加新节点
ansible-playbook playbooks/add-node.yml -l agent1
```
### 4. 获取 kubeconfig
```bash
# 安装完成后自动保存到 ansible/kubeconfig.yaml
sed -i '' 's/127.0.0.1/k3s.yourdomain.com/g' kubeconfig.yaml
export KUBECONFIG=$(pwd)/kubeconfig.yaml
kubectl get nodes
```
## 节点变量
| 变量 | 类型 | 默认值 | 说明 |
|------|------|--------|------|
| `ansible_host` | string | - | 节点 IP |
| `node_hostname` | string | - | 主机名 |
| `cluster_init` | bool | false | 首个 master 设为 true |
| `node_region` | string | - | 区域标签 (cn-sh/hk/us-west) |
| `use_mirror` | bool | false | 使用镜像加速 |
| `enable_lb` | bool | - | 启用 K3s LB |
| `netfilter_mode` | string | "" | Tailscale netfilter: off/nodivert/on |
| `node_labels` | dict | - | 自定义标签 |
| `kubelet_reserved` | string | - | 资源预留: cpu=500m,memory=512Mi |
## 环境变量
| 变量 | 必须 | 说明 |
|------|------|------|
| `TAILSCALE_AUTH_KEY` | ✅ | Tailscale Auth Key |
| `K3S_TOKEN` | 加入节点时 | 集群 Token |
| `K3S_SERVER_URL` | 加入节点时 | API Server 地址 |
| `SSH_PASSWORD` | 首次安装 | SSH 密码 |
| `SSH_PUBKEY` | - | SSH 公钥 (默认 ~/.ssh/id_rsa.pub) |
## 镜像加速
`use_mirror: true` 时自动启用:
- K3s 安装脚本: `rancher-mirror.rancher.cn`
- 常规容器镜像加速
## SSH 安全加固
首次安装时 (`--tags ssh`) 自动执行:
1. 端口改为 2103
2. 禁用密码登录
3. 启用密钥认证
4. 自动添加本地公钥
## 常用命令
```bash
# 测试连接
ansible all -m ping
# 仅运行特定阶段
ansible-playbook playbooks/site.yml --tags common
ansible-playbook playbooks/site.yml --tags k3s
# 指定节点
ansible-playbook playbooks/site.yml -l master1,agent1
# 调试模式
ansible-playbook playbooks/site.yml -vvv
# 检查语法
ansible-playbook playbooks/site.yml --syntax-check
```
## 故障排查
```bash
# K3s 状态
systemctl status k3s
journalctl -u k3s -f
# Tailscale 状态
tailscale status
# 获取 Token
cat /var/lib/rancher/k3s/server/node-token
```
ansible/ansible.cfg
+18
查看文件
@@ -0,0 +1,18 @@
[defaults]
inventory = inventory/hosts.yml
roles_path = roles
host_key_checking = False
retry_files_enabled = False
stdout_callback = yaml
interpreter_python = auto_silent
[privilege_escalation]
become = True
become_method = sudo
become_user = root
[ssh_connection]
pipelining = True
ssh_args = -o ControlMaster=auto -o ControlPersist=60s
ansible/group_vars/all.yml
+46
查看文件
@@ -0,0 +1,46 @@
# K3s Ansible 全局变量
---
# ============================================
# 敏感信息 (通过环境变量传入)
# ============================================
tailscale_auth_key: "{{ lookup('env', 'TAILSCALE_AUTH_KEY') }}"
k3s_token: "{{ lookup('env', 'K3S_TOKEN') }}"
k3s_server_url: "{{ lookup('env', 'K3S_SERVER_URL') | default('https://k3s.dev.cm:6443', true) }}"
# ============================================
# K3s 配置
# ============================================
k3s_version: "v1.31.4+k3s1"
k3s_tls_san: "k3s.dev.cm,k3s.fillcode.com"
# ETCD 配置
etcd_snapshot_retention: 1
etcd_snapshot_schedule_cron: "0 0 * * *"
etcd_snapshot_compress: true
# 禁用的组件
k3s_disable_components:
- traefik
# ============================================
# 安装源配置
# ============================================
# 国内镜像源
mirror_k3s_install_url: "https://rancher-mirror.rancher.cn/k3s/k3s-install.sh"
# 官方源
global_k3s_install_url: "https://get.k3s.io"
# ============================================
# 镜像加速配置 (use_mirror: true 时启用)
# ============================================
registry_mirrors:
docker.io:
- "docker.1ms.run"
- "docker.m.daocloud.io"
ghcr.io:
- "ghcr.m.daocloud.io"
registry.k8s.io:
- "k8s.m.daocloud.io"
quay.io:
- "quay.m.daocloud.io"
ansible/inventory/hosts.yml
+54
查看文件
@@ -0,0 +1,54 @@
# K3s 集群主机清单
---
all:
vars:
# SSH 配置 (初始连接使用密码)
ansible_user: root
ansible_port: 2103
ansible_password: "{{ lookup('env', 'SSH_PASSWORD') }}"
# SSH 安全配置
ssh_new_port: 2103
ssh_pubkey: "{{ lookup('env', 'SSH_PUBKEY') | default(lookup('file', '~/.ssh/id_rsa.pub'), true) }}"
children:
# Master 节点 (Server)
masters:
hosts:
tca:
ansible_host: tca.node.dev.cm
node_hostname: tca
cluster_init: true
node_region: cn-sh
use_mirror: true
tcb:
ansible_host: tcb.node.dev.cm
node_hostname: tcb
node_region: cn-sh
use_mirror: true
tcc:
ansible_host: tcc.node.dev.cm
node_hostname: tcc
node_region: cn-sh
use_mirror: true
# Agent 节点 (Worker)
agents:
hosts:
alihk:
ansible_host: alihk.node.dev.cm
node_hostname: alihk
node_region: cn-hk
enable_lb: true
netfilter_mode: nodivert
clawhk:
ansible_host: clawhk.node.dev.cm
node_hostname: clawhk
node_region: cn-hk
# 节点分组
k3s_cluster:
children:
masters:
agents:
ansible/playbooks/add-node.yml
+19
查看文件
@@ -0,0 +1,19 @@
# 添加新节点到集群
# 使用: export K3S_TOKEN='xxx' K3S_SERVER_URL='xxx' TAILSCALE_AUTH_KEY='xxx'
# ansible-playbook playbooks/add-node.yml -l <node_name>
---
- name: Validate
hosts: localhost
gather_facts: no
tasks:
- ansible.builtin.fail:
msg: "请设置: export K3S_TOKEN='xxx'"
when: lookup('env', 'K3S_TOKEN') | length == 0
- name: Add node
hosts: masters:agents:!master_init
gather_facts: yes
roles:
- common
- k3s
ansible/playbooks/init.yml
+8
查看文件
@@ -0,0 +1,8 @@
# 首次安装 (包含 SSH 加固)
# 使用: export SSH_PASSWORD='xxx' TAILSCALE_AUTH_KEY='xxx'
# ansible-playbook playbooks/init.yml
---
- name: First time installation with SSH hardening
import_playbook: site.yml
tags: [ssh, common, k3s, status]
ansible/playbooks/site.yml
+93
查看文件
@@ -0,0 +1,93 @@
# K3s 集群安装 Playbook
---
- name: Validate environment
hosts: localhost
gather_facts: no
tasks:
- name: Check TAILSCALE_AUTH_KEY
ansible.builtin.fail:
msg: "请设置: export TAILSCALE_AUTH_KEY='tskey-auth-xxx'"
when: lookup('env', 'TAILSCALE_AUTH_KEY') | length == 0
- name: Check SSH credentials
ansible.builtin.debug:
msg: |
{% if lookup('env', 'SSH_PASSWORD') | length > 0 %}
✓ 使用密码登录 (首次安装)
{% else %}
✓ 使用密钥登录
{% endif %}
# ============================================
# 阶段 1: SSH 安全加固 (可选,首次安装时使用)
# ============================================
- name: SSH Security Hardening
hosts: k3s_cluster
gather_facts: no
tags: [ssh, never]
roles:
- ssh
# ============================================
# 阶段 2: 基础配置
# ============================================
- name: Common Setup
hosts: k3s_cluster
gather_facts: yes
tags: [common]
roles:
- common
# ============================================
# 阶段 3: 安装 K3s (按顺序: init -> masters -> agents)
# ============================================
- name: Install K3s on init node
hosts: masters
gather_facts: yes
serial: 1
tags: [k3s]
roles:
- role: k3s
when: cluster_init | default(false)
- name: Install K3s on other masters
hosts: masters
gather_facts: yes
serial: 1
tags: [k3s]
roles:
- role: k3s
when: not (cluster_init | default(false))
- name: Install K3s on agents
hosts: agents
gather_facts: yes
tags: [k3s]
roles:
- k3s
# ============================================
# 阶段 4: 显示集群状态
# ============================================
- name: Show cluster status
hosts: masters
gather_facts: no
tags: [status]
run_once: true
tasks:
- name: Get nodes
ansible.builtin.shell: kubectl get nodes -o wide
environment:
KUBECONFIG: /etc/rancher/k3s/k3s.yaml
register: nodes
when: cluster_init | default(false)
- name: Display nodes
ansible.builtin.debug:
msg: |
══════════════════════════════════════════════════════════════
K3s 集群节点:
{{ nodes.stdout }}
══════════════════════════════════════════════════════════════
when: cluster_init | default(false)
ansible/roles/common/handlers/main.yml
+4
查看文件
@@ -0,0 +1,4 @@
---
- name: Apply sysctl
ansible.builtin.command: sysctl --system
ansible/roles/common/tasks/main.yml
+46
查看文件
@@ -0,0 +1,46 @@
# 基础配置 Role
# 功能: hostname、sysctl、Tailscale 安装
---
- name: Set hostname
ansible.builtin.hostname:
name: "{{ node_hostname }}"
when: node_hostname is defined
- name: Update /etc/hosts
ansible.builtin.lineinfile:
path: /etc/hosts
regexp: '^127\.0\.1\.1'
line: "127.0.1.1 {{ node_hostname }}"
when: node_hostname is defined
- name: Configure sysctl for IP forwarding
ansible.builtin.copy:
dest: /etc/sysctl.d/99-k3s.conf
content: |
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
mode: '0644'
notify: Apply sysctl
- name: Install dependencies
ansible.builtin.apt:
name: [curl, wget, ca-certificates]
state: present
update_cache: yes
- name: Check if Tailscale is installed
ansible.builtin.command: which tailscale
register: tailscale_check
ignore_errors: yes
changed_when: false
- name: Install Tailscale
ansible.builtin.shell: curl -fsSL https://tailscale.com/install.sh | sh
when: tailscale_check.rc != 0
- name: Enable Tailscale service
ansible.builtin.systemd:
name: tailscaled
enabled: yes
state: started
ansible/roles/k3s/tasks/main.yml
+103
查看文件
@@ -0,0 +1,103 @@
# K3s 安装 Role (统一 Server 和 Agent)
---
- name: Validate TAILSCALE_AUTH_KEY
ansible.builtin.fail:
msg: "请设置环境变量: export TAILSCALE_AUTH_KEY='tskey-auth-xxx'"
when: tailscale_auth_key | length == 0
- name: Validate K3S_TOKEN for join nodes
ansible.builtin.fail:
msg: "请设置环境变量: export K3S_TOKEN='xxx'"
when:
- not (cluster_init | default(false))
- k3s_token | length == 0
- name: Create K3s config directory
ansible.builtin.file:
path: /etc/rancher/k3s
state: directory
mode: '0755'
# Server 节点配置
- name: Deploy K3s server config
ansible.builtin.template:
src: k3s-server.yaml.j2
dest: /etc/rancher/k3s/config.yaml
mode: '0600'
when: "'masters' in group_names"
# Agent 节点配置
- name: Deploy K3s agent config
ansible.builtin.template:
src: k3s-agent.yaml.j2
dest: /etc/rancher/k3s/config.yaml
mode: '0600'
when: "'agents' in group_names"
# 镜像加速配置
- name: Deploy registries.yaml
ansible.builtin.template:
src: registries.yaml.j2
dest: /etc/rancher/k3s/registries.yaml
mode: '0644'
when: use_mirror | default(false)
# 安装 K3s
- name: Set install URL
ansible.builtin.set_fact:
k3s_install_url: "{{ mirror_k3s_install_url if (use_mirror | default(false)) else global_k3s_install_url }}"
k3s_install_mirror: "{{ 'INSTALL_K3S_MIRROR=cn' if (use_mirror | default(false)) else '' }}"
- name: Check if K3s is installed
ansible.builtin.stat:
path: /usr/local/bin/k3s
register: k3s_binary
- name: Install K3s server
ansible.builtin.shell: |
curl -sfL {{ k3s_install_url }} | {{ k3s_install_mirror }} INSTALL_K3S_VERSION={{ k3s_version }} sh -s - server
when:
- "'masters' in group_names"
- not k3s_binary.stat.exists
- name: Install K3s agent
ansible.builtin.shell: |
curl -sfL {{ k3s_install_url }} | {{ k3s_install_mirror }} INSTALL_K3S_VERSION={{ k3s_version }} sh -s - agent
when:
- "'agents' in group_names"
- not k3s_binary.stat.exists
# 等待 K3s 就绪 (仅 Server)
- name: Wait for K3s server ready
ansible.builtin.wait_for:
path: /var/lib/rancher/k3s/server/node-token
timeout: 120
when: "'masters' in group_names"
# 输出 Token (仅 cluster-init)
- name: Get node token
ansible.builtin.slurp:
src: /var/lib/rancher/k3s/server/node-token
register: node_token
when: cluster_init | default(false)
- name: Display node token
ansible.builtin.debug:
msg: |
══════════════════════════════════════════════════════════════
K3S_TOKEN (用于添加新节点):
{{ node_token.content | b64decode | trim }}
K3S_SERVER_URL:
https://{{ ansible_host }}:6443
══════════════════════════════════════════════════════════════
when: cluster_init | default(false)
# 保存 kubeconfig (仅 cluster-init)
- name: Fetch kubeconfig
ansible.builtin.fetch:
src: /etc/rancher/k3s/k3s.yaml
dest: "{{ playbook_dir }}/../kubeconfig.yaml"
flat: yes
when: cluster_init | default(false)
ansible/roles/k3s/templates/k3s-agent.yaml.j2
+28
查看文件
@@ -0,0 +1,28 @@
# K3s Agent 配置模板
---
server: "{{ k3s_server_url }}"
token: "{{ k3s_token }}"
# Tailscale VPN
vpn-auth: "name=tailscale,joinKey={{ tailscale_auth_key }}{% if netfilter_mode | default('') %},extraArgs=--netfilter-mode={{ netfilter_mode }}{% endif %}"
# 节点标签
node-label:
{% if node_region is defined %}
- "topology.kubernetes.io/region={{ node_region }}"
{% endif %}
{% if enable_lb is defined %}
- "svccontroller.k3s.cattle.io/enablelb={{ enable_lb | string | lower }}"
{% endif %}
{% if node_labels is defined %}
{% for key, value in node_labels.items() %}
- "{{ key }}={{ value }}"
{% endfor %}
{% endif %}
# Kubelet 资源预留
{% if kubelet_reserved is defined %}
kubelet-arg:
- "kube-reserved={{ kubelet_reserved }}"
{% endif %}
ansible/roles/k3s/templates/k3s-server.yaml.j2
+42
查看文件
@@ -0,0 +1,42 @@
# K3s Server 统一配置模板 (master-init 和 master-join)
---
{% if cluster_init | default(false) %}
# 首个节点初始化集群
cluster-init: true
{% else %}
# 加入已有集群
server: "{{ k3s_server_url }}"
token: "{{ k3s_token }}"
{% endif %}
tls-san:
- "{{ k3s_tls_san }}"
# ETCD 快照配置
etcd-snapshot-retention: {{ etcd_snapshot_retention }}
etcd-snapshot-schedule-cron: "{{ etcd_snapshot_schedule_cron }}"
etcd-snapshot-compress: {{ etcd_snapshot_compress | lower }}
# Tailscale VPN
vpn-auth: "name=tailscale,joinKey={{ tailscale_auth_key }}{% if netfilter_mode | default('') %},extraArgs=--netfilter-mode={{ netfilter_mode }}{% endif %}"
# 禁用组件
disable:
{% for component in k3s_disable_components %}
- {{ component }}
{% endfor %}
# 节点标签
node-label:
{% if node_region is defined %}
- "topology.kubernetes.io/region={{ node_region }}"
{% endif %}
{% if enable_lb is defined %}
- "svccontroller.k3s.cattle.io/enablelb={{ enable_lb | string | lower }}"
{% endif %}
{% if node_labels is defined %}
{% for key, value in node_labels.items() %}
- "{{ key }}={{ value }}"
{% endfor %}
{% endif %}
ansible/roles/k3s/templates/registries.yaml.j2
+11
查看文件
@@ -0,0 +1,11 @@
# 镜像加速配置
---
mirrors:
{% for registry, endpoints in registry_mirrors.items() %}
"{{ registry }}":
endpoint:
{% for endpoint in endpoints %}
- "https://{{ endpoint }}"
{% endfor %}
{% endfor %}
ansible/roles/ssh/tasks/main.yml
+51
查看文件
@@ -0,0 +1,51 @@
# SSH 安全加固 Role
# 功能: 修改端口、配置密钥认证、禁用密码登录
---
- name: Ensure .ssh directory exists
ansible.builtin.file:
path: /root/.ssh
state: directory
mode: '0700'
- name: Add SSH public key
ansible.builtin.authorized_key:
user: root
key: "{{ ssh_pubkey }}"
state: present
- name: Backup original sshd_config
ansible.builtin.copy:
src: /etc/ssh/sshd_config
dest: /etc/ssh/sshd_config.bak
remote_src: yes
force: no
- name: Deploy secure sshd_config
ansible.builtin.template:
src: sshd_config.j2
dest: /etc/ssh/sshd_config
mode: '0600'
validate: '/usr/sbin/sshd -t -f %s'
register: sshd_config
- name: Restart sshd service
ansible.builtin.systemd:
name: sshd
state: restarted
when: sshd_config.changed
- name: Update ansible_port to new SSH port
ansible.builtin.set_fact:
ansible_port: "{{ ssh_new_port }}"
when: sshd_config.changed
- name: Wait for SSH on new port
ansible.builtin.wait_for:
port: "{{ ssh_new_port }}"
host: "{{ ansible_host }}"
delay: 5
timeout: 60
delegate_to: localhost
become: no
when: sshd_config.changed
ansible/roles/ssh/templates/sshd_config.j2
+12
查看文件
@@ -0,0 +1,12 @@
# SSH 配置模板
Port {{ ssh_new_port }}
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding no
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
apps/infra/data/cloudnative-pg/helmchart.yaml
+1 -1
查看文件
@@ -19,7 +19,7 @@ spec:
values: values:
- "cn-sh" - "cn-sh"
tolerations: tolerations:
- key: "node-role.kubernetes.io/control-plane" - key: "node-role.kubernetes.io/master"
operator: "Exists" operator: "Exists"
effect: "NoSchedule" effect: "NoSchedule"
image: image:
apps/infra/devops/cert-manager/helmchart-dnspod.yaml
+1 -1
查看文件
@@ -30,6 +30,6 @@ spec:
values: values:
- "cn-sh" - "cn-sh"
tolerations: tolerations:
- key: "node-role.kubernetes.io/control-plane" - key: "node-role.kubernetes.io/master"
operator: "Exists" operator: "Exists"
effect: "NoSchedule" effect: "NoSchedule"
apps/infra/devops/cert-manager/helmchart.yaml
+3 -3
查看文件
@@ -21,7 +21,7 @@ spec:
values: values:
- "cn-sh" - "cn-sh"
tolerations: tolerations:
- key: "node-role.kubernetes.io/control-plane" - key: "node-role.kubernetes.io/master"
operator: "Exists" operator: "Exists"
effect: "NoSchedule" effect: "NoSchedule"
webhook: webhook:
@@ -35,7 +35,7 @@ spec:
values: values:
- "cn-sh" - "cn-sh"
tolerations: tolerations:
- key: "node-role.kubernetes.io/control-plane" - key: "node-role.kubernetes.io/master"
operator: "Exists" operator: "Exists"
effect: "NoSchedule" effect: "NoSchedule"
cainjector: cainjector:
@@ -49,7 +49,7 @@ spec:
values: values:
- "cn-sh" - "cn-sh"
tolerations: tolerations:
- key: "node-role.kubernetes.io/control-plane" - key: "node-role.kubernetes.io/master"
operator: "Exists" operator: "Exists"
effect: "NoSchedule" effect: "NoSchedule"
# 在删除证书时同时删除secret # 在删除证书时同时删除secret
apps/infra/devops/velero/helmchart.yaml
+4
查看文件
@@ -26,6 +26,10 @@ spec:
operator: In operator: In
values: values:
- homea - homea
kubectl:
image:
repository: alpine/k8s
tag: "1.34.0"
deployNodeAgent: true deployNodeAgent: true
snapshotsEnabled: false snapshotsEnabled: false
configuration: configuration:
apps/infra/gitops/flux/clusterrolebinding.yaml
+29
查看文件
@@ -0,0 +1,29 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: dev-cm-flux-web-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: flux-web-admin
subjects:
- kind: Group
name: dev.cm:owners
apiGroup: rbac.authorization.k8s.io
- kind: Group
name: dev.cm:admins
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: dev-cm-flux-web-user
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: flux-web-user
subjects:
- kind: Group
name: dev.cm
apiGroup: rbac.authorization.k8s.io
apps/infra/gitops/flux/flux-instance.yaml
+18 -2
查看文件
@@ -10,7 +10,6 @@ spec:
artifact: "oci://ghcr.io/controlplaneio-fluxcd/flux-operator-manifests" artifact: "oci://ghcr.io/controlplaneio-fluxcd/flux-operator-manifests"
components: components:
- source-controller - source-controller
- source-watcher
- kustomize-controller - kustomize-controller
- helm-controller - helm-controller
- notification-controller - notification-controller
@@ -22,4 +21,21 @@ spec:
domain: "cluster.local" domain: "cluster.local"
storage: storage:
class: "local-path" class: "local-path"
size: "10Gi" size: "10Gi"
kustomize:
patches:
- target:
kind: Deployment
patch: |
- op: add
path: /spec/template/spec/affinity
value:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- homea
apps/infra/gitops/flux/helmchart.yaml
+10
查看文件
@@ -8,6 +8,16 @@ spec:
targetNamespace: infra-gitops targetNamespace: infra-gitops
version: 0.40.0 version: 0.40.0
valuesContent: |- valuesContent: |-
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- homea
installCRDs: true installCRDs: true
web: web:
config: config:
apps/kube/coredns/nodelocaldns.yaml
+1 -1
查看文件
@@ -126,7 +126,7 @@ spec:
requiredDuringSchedulingIgnoredDuringExecution: requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms: nodeSelectorTerms:
- matchExpressions: - matchExpressions:
- key: node-role.kubernetes.io/control-plane - key: node-role.kubernetes.io/master
operator: NotIn operator: NotIn
values: values:
- "true" - "true"
apps/kube/patch-affinity.yaml
+8 -1
查看文件
@@ -6,7 +6,14 @@ spec:
requiredDuringSchedulingIgnoredDuringExecution: requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms: nodeSelectorTerms:
- matchExpressions: - matchExpressions:
- key: node-role.kubernetes.io/control-plane - key: node-role.kubernetes.io/master
operator: In operator: In
values: values:
- "true" - "true"
tolerations:
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
install/README.md
+2 -2
查看文件
@@ -59,7 +59,7 @@ mkdir -p /etc/rancher/k3s && vim /etc/rancher/k3s/config.yaml
```shell ```shell
curl -sfL https://get.k3s.io | \ curl -sfL https://get.k3s.io | \
INSTALL_K3S_VERSION=v1.33.2+k3s1 \ INSTALL_K3S_VERSION=v1.34.2+k3s1 \
sh -s - server sh -s - server
``` ```
@@ -69,7 +69,7 @@ curl -sfL https://get.k3s.io | \
```shell ```shell
curl -sfL https://rancher-mirror.rancher.cn/k3s/k3s-install.sh | \ curl -sfL https://rancher-mirror.rancher.cn/k3s/k3s-install.sh | \
INSTALL_K3S_VERSION=v1.33.2+k3s1 \ INSTALL_K3S_VERSION=v1.34.2+k3s1 \
INSTALL_K3S_MIRROR=cn \ INSTALL_K3S_MIRROR=cn \
sh -s - server sh -s - server
``` ```
install/agent.config.yaml
+2 -2
查看文件
@@ -4,8 +4,8 @@ token: "K1010dd6f0853e824cfaf417117f31a0d797a738aa2d4b9d01cd5972a9b084c81a0::ser
# 网络相关 # 网络相关
# WARN 阿里云、华为云因使用100网段作为dns等内部服务 需要关闭netfilter 否则会自动添加iptables规则导致无法访问dns # WARN 阿里云、华为云因使用100网段作为dns等内部服务 需要关闭netfilter 否则会自动添加iptables规则导致无法访问dns
# WARN 需要添加 extraArgs=--netfilter-mode=off # WARN 需要添加 extraArgs=--netfilter-mode=nodivert
vpn-auth: "name=tailscale,joinKey=tskey-auth-kUMo6hWP9711CNTRL-oo21xakMTxCKJBWK8t9XxComm3fAFUvy,extraArgs=--netfilter-mode=off" vpn-auth: "name=tailscale,joinKey=tskey-auth-kUMo6hWP9711CNTRL-oo21xakMTxCKJBWK8t9XxComm3fAFUvy"
# 节点相关 # 节点相关
# 保留节点资源 根据节点做不同配置 # 保留节点资源 根据节点做不同配置