Commit 75cefbe1 by tingweiwang

cloud fix

1 parent 907a8e4f
---
- hosts: cloud
remote_user: root
roles:
- cloud
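Review bot: `remote_user: root` logs the whole play in as root over SSH, although only the service, iptables and certificate tasks in the cloud role actually need root; an unprivileged SSH user plus `become: true` on the play would let root SSH login stay disabled on the target. This is a least-privilege preference rather than a functional defect in what the play does.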
[cloud]
192.168.137.201
[edge]
192.168.137.200
---
MASTER_IP: 192.168.137.201
KUBEEDGE_BASE: /etc/kubeedge
---
- name: restaer cloudcore
service: name=cloudcore state=restarted
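Review bot: The handler name `restaer cloudcore` is misspelled, and the cloud tasks file notifies `restart cloudcore`, so the notification never matches a handler and cloudcore is not restarted after its config is re-rendered. Rename it to `- name: restart cloudcore`. While here, the module arguments read better in block form (`service:` with `name: cloudcore` and `state: restarted` on their own lines) than as a `key=value` string.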
---
- name: 节点创建kubeedge以及k8s所需证书目录,配置目录
file: name={{ item }} state=directory
with_items:
- /etc/kubeedge/ca/
- /etc/kubeedge/certs/
- /etc/kubeedge/config/
- /etc/kubeedge/bin/
- /etc/kubernetes/pki/
- name: 将k8s ca证书软链接到k8s证书目录/etc/kubernetes/pki/
file: src=/opt/kubernetes/ssl/ca.pem dest=/etc/kubernetes/pki/ca.crt state=link
- name: 将k8s ca证书软链接到k8s证书目录/etc/kubernetes/pki/
file: src=/opt/kubernetes/ssl/ca-key.pem dest=/etc/kubernetes/pki/ca.key state=link
#- name: 拷贝生成kubeedge cloud 证书脚本
# copy: src=certgen.sh dest={{ KUBEEDGE_BASE }}
- name: 分发并渲染证书脚本
template: src=certgen.sh.j2 dest={{ KUBEEDGE_BASE }}/certgen.sh mode=777
- name: 执行生成证书脚本
shell: sh {{ KUBEEDGE_BASE }}/certgen.sh stream
- name: 设置cloud iptables
shell: iptables -t nat -A OUTPUT -p tcp --dport 10350 -j DNAT --to {{ MASTER_IP }}:10003
- name: 在k8s中创建设备模块以及设备CRD yaml文件
shell: kubectl apply -f /root/kubeedge/kubeedge/roles/cloud/files/device_crds_yaml/devices/ && kubectl apply -f /root/kubeedge/kubeedge/roles/cloud/files/device_crds_yaml/reliablesyncs/
- name: 分发渲染配置cloud 配置文件
template: src=cloudcore.yaml.j2 dest={{ KUBEEDGE_BASE }}/config/cloudcore.yaml
notify: restart cloudcore
- name: 分发cloud二进制文件
copy: src=cloud/cloudcore dest={{ KUBEEDGE_BASE }}/bin/cloudcore mode=777
- name: 分发渲染cloud service服务文件
template: src=cloudcore.service.j2 dest=/lib/systemd/system/cloudcore.service mode=777
- name: 设置开启启动cloud service
service: name=cloudcore enabled=yes
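Review bot: `mode=777` on `{{ KUBEEDGE_BASE }}/certgen.sh`, on the `cloud/cloudcore` binary and on `/lib/systemd/system/cloudcore.service` makes files that root executes world-writable, so any local account on the host can change what runs as root on the next play or service restart; use `mode: "0755"` for the script and binary and `mode: "0644"` for the unit file. The `shell: sh {{ KUBEEDGE_BASE }}/certgen.sh stream` task also re-signs the stream certificate on every run; adding `args:` with `creates: /etc/kubeedge/certs/stream.crt` would make it idempotent. The `key=value` argument strings throughout would be clearer as block-form module arguments, and octal modes belong in quotes so YAML does not read them as integers.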
#!/usr/bin/env bash
set -o errexit
readonly caPath=${CA_PATH:-/etc/kubeedge/ca}
readonly caSubject=${CA_SUBJECT:-/C=CN/ST=Zhejiang/L=Hangzhou/O=KubeEdge/CN=kubeedge.io}
readonly certPath=${CERT_PATH:-/etc/kubeedge/certs}
readonly subject=${SUBJECT:-/C=CN/ST=Zhejiang/L=Hangzhou/O=KubeEdge/CN=kubeedge.io}
genCA() {
openssl genrsa -des3 -out ${caPath}/rootCA.key -passout pass:kubeedge.io 4096
openssl req -x509 -new -nodes -key ${caPath}/rootCA.key -sha256 -days 3650 \
-subj ${subject} -passin pass:kubeedge.io -out ${caPath}/rootCA.crt
}
ensureCA() {
if [ ! -e ${caPath}/rootCA.key ] || [ ! -e ${caPath}/rootCA.crt ]; then
genCA
fi
}
ensureFolder() {
if [ ! -d ${caPath} ]; then
mkdir -p ${caPath}
fi
if [ ! -d ${certPath} ]; then
mkdir -p ${certPath}
fi
}
genCsr() {
local name=$1
openssl genrsa -out ${certPath}/${name}.key 2048
openssl req -new -key ${certPath}/${name}.key -subj ${subject} -out ${certPath}/${name}.csr
}
genCert() {
local name=$1
openssl x509 -req -in ${certPath}/${name}.csr -CA ${caPath}/rootCA.crt -CAkey ${caPath}/rootCA.key \
-CAcreateserial -passin pass:kubeedge.io -out ${certPath}/${name}.crt -days 365 -sha256
}
genCertAndKey() {
ensureFolder
ensureCA
local name=$1
genCsr $name
genCert $name
}
stream() {
readonly streamsubject=${SUBJECT:-/C=CN/ST=Zhejiang/L=Hangzhou/O=KubeEdge}
readonly STREAM_KEY_FILE=${certPath}/stream.key
readonly STREAM_CSR_FILE=${certPath}/stream.csr
readonly STREAM_CRT_FILE=${certPath}/stream.crt
readonly K8SCA_FILE=/etc/kubernetes/pki/ca.crt
readonly K8SCA_KEY_FILE=/etc/kubernetes/pki/ca.key
if [ -z {{ CLOUDCORE_IPS }} ]; then #变量变量
echo "You must set CLOUDCOREIPS Env,The environment variable is set to specify the IP addresses of all cloudcore"
echo "If there are more than one IP need to be separated with space."
exit 1
fi
index=1
SUBJECTALTNAME="subjectAltName = IP.1:127.0.0.1"
for ip in {{ CLOUDCORE_IPS }}; do #变量 变量
SUBJECTALTNAME="${SUBJECTALTNAME},"
index=$(($index+1))
SUBJECTALTNAME="${SUBJECTALTNAME}IP.${index}:${ip}"
done
cp /etc/kubernetes/pki/ca.crt ${caPath}/streamCA.crt
echo $SUBJECTALTNAME > /tmp/server-extfile.cnf
openssl genrsa -out ${STREAM_KEY_FILE} 2048
openssl req -new -key ${STREAM_KEY_FILE} -subj ${streamsubject} -out ${STREAM_CSR_FILE}
# verify
openssl req -in ${STREAM_CSR_FILE} -noout -text
openssl x509 -req -in ${STREAM_CSR_FILE} -CA ${K8SCA_FILE} -CAkey ${K8SCA_KEY_FILE} -CAcreateserial -out ${STREAM_CRT_FILE} -days 5000 -sha256 -extfile /tmp/server-extfile.cnf
#verify
openssl x509 -in ${STREAM_CRT_FILE} -text -noout
}
buildSecret() {
local name="edge"
genCertAndKey ${name} > /dev/null 2>&1
cat <<EOF
apiVersion: v1
kind: Secret
metadata:
name: cloudcore
namespace: kubeedge
labels:
k8s-app: kubeedge
kubeedge: cloudcore
stringData:
rootCA.crt: |
$(pr -T -o 4 ${caPath}/rootCA.crt)
edge.crt: |
$(pr -T -o 4 ${certPath}/${name}.crt)
edge.key: |
$(pr -T -o 4 ${certPath}/${name}.key)
EOF
}
$1 $2
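Review bot: `stream()` writes the signing extensions to the fixed path `/tmp/server-extfile.cnf` as root and then feeds it to `openssl x509 -extfile`, so another local user who pre-creates that file or a symlink there can either clobber a file root writes to or swap in their own extensions between the write and the signing; use a private temp file, e.g. `extfile=$(mktemp)`, `echo "$SUBJECTALTNAME" > "$extfile"`, `-extfile "$extfile"`, with `trap 'rm -f "$extfile"' EXIT`. The guard `[ -z {{ CLOUDCORE_IPS }} ]` is unquoted, so with several space-separated IPs the test fails with "too many arguments" and the check is silently skipped; write `[ -z "{{ CLOUDCORE_IPS }}" ]`. The root CA key is protected by the literal passphrase `pass:kubeedge.io` baked into the script, which protects nothing and should come from a vault variable, and `genCA` signs with `${subject}` while the `caSubject` it defines is never used. Signing `stream.crt` for `-days 5000` with the Kubernetes cluster CA's private key (`/etc/kubernetes/pki/ca.key`) also ties a practically non-expiring certificate to the cluster CA, so confirm that lifetime is intended.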
[Unit]
Description=cloudcore.service
[Service]
Type=simple
Restart=always
ExecStart={{ KUBEEDGE_BASE }}/bin/cloudcore
[Install]
WantedBy=multi-user.target
......@@ -6,7 +6,7 @@ apiVersion: cloudcore.config.kubeedge.io/v1alpha1
kind: CloudCore
kubeAPIConfig:
kubeConfig: /root/.kube/config
master: "https://{{MASTER_IP}}:6443" #master api 地址
master: "https://{{ MASTER_IP }}:6443" #master api 地址
leaderelection:
LeaderElect: false
LeaseDuration: 0s
......@@ -18,16 +18,16 @@ leaderelection:
modules:
cloudHub:
advertiseAddress:
- {{MASTER_IP}} #cloud server 地址
- {{ MASTER_IP }} #cloud server 地址
https:
address: 0.0.0.0
enable: true
port: 10002
nodeLimit: 10
tlsCAFile: /etc/kubeedge/ca/rootCA.crt
tlsCAKeyFile: /etc/kubeedge/ca/rootCA.key
tlsCertFile: /etc/kubeedge/certs/server.crt
tlsPrivateKeyFile: /etc/kubeedge/certs/server.key
tlsCAFile: {{ KUBEEDGE_BASE }}/ca/rootCA.crt #kubeedge安装路径
tlsCAKeyFile: {{ KUBEEDGE_BASE }}/ca/rootCA.key
tlsCertFile: {{ KUBEEDGE_BASE }}/certs/server.crt
tlsPrivateKeyFile: {{ KUBEEDGE_BASE }}/certs/server.key
unixsocket:
address: unix:///var/lib/kubeedge/kubeedge.sock
enable: true
......
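Review bot: `kubeAPIConfig.kubeConfig: /root/.kube/config` hands cloudcore the root admin kubeconfig while the templated `tlsCAKeyFile: {{ KUBEEDGE_BASE }}/ca/rootCA.key` gives the same process the private key of the CA that issues every edge certificate; a dedicated kubeconfig or service account limited to the resources cloudcore needs would bound what a compromised cloudcore can do. `https.address: 0.0.0.0` with `port: 10002` listens on every interface, so it is worth confirming the host firewall limits it to the edge network. The kubeConfig line is context in the first hunk; the rest of the CloudCore configuration is outside the hunks.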
---
MASTER_IP: 192.168.137.201
KUBEEDGE_BASE: /etc/kubeedge
CLOUDCORE_IPS: 192.168.137.201
---
- name: 节点创建kubeedge以及k8s所需证书目录,配置目录
file: name={{ item }} state=directory
with_items:
- /etc/kubeedge/ca/
- /etc/kubeedge/certs/
- /etc/kubeedge/config/
- /etc/kubeedge/bin/
- /etc/kubernetes/pki/
- name: 将k8s ca证书软链接到k8s证书目录/etc/kubernetes/pki/
file: src=/opt/kubernetes/ssl/ca.pem dest=/etc/kubernetes/pki/ca.crt state=link
- name: 将k8s ca证书软链接到k8s证书目录/etc/kubernetes/pki/
file: src=/opt/kubernetes/ssl/ca-key.pem dest=/etc/kubernetes/pki/ca.key state=link
#- name: 拷贝生成kubeedge cloud 证书脚本
# copy: src=certgen.sh dest={{ KUBEEDGE_BASE }}
- name: 分发并渲染证书脚本
template: src=certgen.sh.j2 dest={{ KUBEEDGE_BASE }}/certgen.sh mode=777
- name: 执行生成证书脚本
shell: sh {{ KUBEEDGE_BASE }}/certgen.sh stream
- name: 设置cloud iptables
shell: iptables -t nat -A OUTPUT -p tcp --dport 10350 -j DNAT --to {{ MASTER_IP }}:10003
- name: 在k8s中创建设备模块以及设备CRD yaml文件
shell: kubectl apply -f /root/kubeedge/kubeedge/roles/cloud/files/device_crds_yaml/devices/ && kubectl apply -f /root/kubeedge/kubeedge/roles/cloud/files/device_crds_yaml/reliablesyncs/
- name: 分发渲染配置cloud 配置文件
template: src=cloudcore.yaml.j2 dest={{ KUBEEDGE_BASE }}/config/cloudcore.yaml
notify: restart cloudcore
- name: 分发cloud二进制文件
copy: src=cloud/cloudcore dest={{ KUBEEDGE_BASE }}/bin/cloudcore mode=777
- name: 分发渲染cloud service服务文件
template: src=cloudcore.service.j2 dest=/lib/systemd/system/cloudcore.service mode=777
- name: 设置开启启动cloud service
service: name=cloudcore enabled=yes
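Review bot: `shell: iptables -t nat -A OUTPUT -p tcp --dport 10350 -j DNAT --to {{ MASTER_IP }}:10003` appends a new rule on every play run, so repeated runs stack duplicate DNAT rules; use the `iptables` module (`table: nat`, `chain: OUTPUT`, `protocol: tcp`, `destination_port: "10350"`, `jump: DNAT`, `to_destination: "{{ MASTER_IP }}:10003"`) or guard with `iptables -C ... || iptables -A ...`. The `kubectl apply -f /root/kubeedge/kubeedge/roles/cloud/files/...` task assumes the playbook checkout lives at a fixed path under `/root` on the target; copying the CRD manifests to the host with `copy:` and applying from that destination would remove the hidden dependency. Whether this is the same tasks file as the earlier copy on this page cannot be told from the rendering.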
[Unit]
Description=cloudcore.service
[Service]
Type=simple
Restart=always
ExecStart={{KUBEEDGE_BASE}}/edgecore #kubeedge安装目录,默认是/etc/kubeedge
[Install]
WantedBy=multi-user.target
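Review bot: `ExecStart={{KUBEEDGE_BASE}}/edgecore #kubeedge安装目录,默认是/etc/kubeedge` puts a `#` comment on the same line as the value, but systemd only treats `#` as a comment at the start of a line, so the text after the path is passed to edgecore as extra command-line arguments. Move the comment to its own line above the directive, e.g. `# KubeEdge install directory, defaults to /etc/kubeedge`, and leave `ExecStart={{ KUBEEDGE_BASE }}/edgecore` alone on its line.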
......@@ -9,16 +9,16 @@ kind: EdgeCore
modules:
edgeHub:
heartbeat: 15
httpServer: https://192.168.137.201:10002
httpServer: https://{{ MASTER_IP }}:10002 #cloudcore ip地址,也就是k8s master ip地址
tlsCaFile: /etc/kubeedge/ca/rootCA.crt
tlsCertFile: /etc/kubeedge/certs/server.crt
tlsPrivateKeyFile: /etc/kubeedge/certs/server.key
token: "08ce39b001305c78fcc96c3dceb65d9ab0b1ca8ff7fa2793f956b1c17af62fd7.eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1OTQyNjY4Mjh9.7M1Yt-E-qJQHvfsPPnkJkqvmaOIU0eoxRYF-tnQLklw"
token: {{ CLOUD_TOKEN }} #cloucore token
websocket:
enable: true
handshakeTimeout: 30
readDeadline: 15
server: 192.168.137.201:10000
server: {{ MASTER_IP }}:10000 #cloudcore ip地址,也就是k8s master ip地址
writeDeadline: 15
edged:
cgroupDriver: cgroupfs
......@@ -29,10 +29,10 @@ modules:
devicePluginEnabled: false
dockerAddress: unix:///var/run/docker.sock
gpuPluginEnabled: false
hostnameOverride: seetaas-cpu-200
interfaceName: ens33
nodeIP: 192.168.137.200
podSandboxImage: kubeedge/pause:3.1
hostnameOverride: ansible_nodename #内部变量,自动获取host为node节点的主机名
interfaceName: ansible_default_ipv4['interface'] #内部变量,自动获取host为node节点的内网网卡地址
nodeIP: ansible_default_ipv4['address'] #内部变量,自动获取host为node节点的内网IP地址
podSandboxImage: {{ SANDBOX_IMAGE}} #edge节点的pause镜像, 默认amd64是 kubeedge/pause:3.1,arm的需要查找
remoteImageEndpoint: unix:///var/run/dockershim.sock
remoteRuntimeEndpoint: unix:///var/run/dockershim.sock
runtimeType: docker
......@@ -42,5 +42,3 @@ modules:
mqttRetain: false
mqttServerExternal: tcp://127.0.0.1:1883
mqttServerInternal: tcp://127.0.0.1:1884
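Review bot: In the `edged` hunk, `hostnameOverride: ansible_nodename`, `interfaceName: ansible_default_ipv4['interface']` and `nodeIP: ansible_default_ipv4['address']` are bare fact names rather than Jinja expressions, so the rendered edgecore.yaml will contain those literal strings instead of the node's hostname, interface and IP; they need `{{ ansible_nodename }}`, `{{ ansible_default_ipv4['interface'] }}` and `{{ ansible_default_ipv4['address'] }}`. In the `edgeHub` hunk, `token: {{ CLOUD_TOKEN }}` should be quoted as `token: "{{ CLOUD_TOKEN }}"` so an empty or odd-looking token cannot change the YAML type, and `podSandboxImage: {{ SANDBOX_IMAGE}}` likewise. The removed line carried a real cloudcore token, which remains in git history and should be rotated.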
NODE_NAME: {{ansible_all_ipv4_addresses}}
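Review bot: `NODE_NAME: {{ansible_all_ipv4_addresses}}` starts the value with `{{`, which YAML parses as a flow mapping before Jinja runs, so Ansible will fail to load this vars file (assuming it is one); quote it as `NODE_NAME: "{{ ansible_all_ipv4_addresses }}"`. That fact is a list of every IPv4 address on the host, so if a single node address was intended `ansible_default_ipv4.address` is the more likely fit.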