cloud fix

cloud.yml

-
+---
+- hosts: cloud
+  remote_user: root
+  roles:
+  - cloud

hosts

+[cloud]
+192.168.137.201 
+[edge]
+192.168.137.200

roles/cloud/defaults/main.yml

+---
+MASTER_IP: 192.168.137.201
+KUBEEDGE_BASE: /etc/kubeedge
+

roles/cloud/handles/main.yml

+---
+- name: restaer cloudcore
+  service: name=cloudcore state=restarted

roles/cloud/tasks/main.yml

+---
+- name: 节点创建kubeedge以及k8s所需证书目录，配置目录
+  file: name={{ item }} state=directory
+  with_items:
+  - /etc/kubeedge/ca/
+  - /etc/kubeedge/certs/
+  - /etc/kubeedge/config/
+  - /etc/kubeedge/bin/
+  - /etc/kubernetes/pki/
+
+- name: 将k8s ca证书软链接到k8s证书目录/etc/kubernetes/pki/
+  file: src=/opt/kubernetes/ssl/ca.pem  dest=/etc/kubernetes/pki/ca.crt state=link
+- name: 将k8s ca证书软链接到k8s证书目录/etc/kubernetes/pki/
+  file: src=/opt/kubernetes/ssl/ca-key.pem  dest=/etc/kubernetes/pki/ca.key state=link
+#- name: 拷贝生成kubeedge cloud 证书脚本
+#  copy: src=certgen.sh dest={{ KUBEEDGE_BASE }}
+- name: 分发并渲染证书脚本
+  template: src=certgen.sh.j2 dest={{ KUBEEDGE_BASE }}/certgen.sh mode=777
+
+- name: 执行生成证书脚本
+  shell: sh {{ KUBEEDGE_BASE }}/certgen.sh stream 
+  
+- name: 设置cloud iptables
+  shell: iptables -t nat -A OUTPUT -p tcp  --dport 10350 -j DNAT --to {{ MASTER_IP }}:10003   
+
+- name: 在k8s中创建设备模块以及设备CRD yaml文件
+  shell: kubectl apply -f  /root/kubeedge/kubeedge/roles/cloud/files/device_crds_yaml/devices/ &&  kubectl apply -f /root/kubeedge/kubeedge/roles/cloud/files/device_crds_yaml/reliablesyncs/
+
+- name: 分发渲染配置cloud 配置文件
+  template: src=cloudcore.yaml.j2 dest={{ KUBEEDGE_BASE }}/config/cloudcore.yaml
+  notify: restart cloudcore 
+
+- name: 分发cloud二进制文件
+  copy: src=cloud/cloudcore dest={{ KUBEEDGE_BASE }}/bin/cloudcore mode=777
+
+- name: 分发渲染cloud service服务文件
+  template: src=cloudcore.service.j2 dest=/lib/systemd/system/cloudcore.service mode=777
+
+- name: 设置开启启动cloud service
+  service: name=cloudcore  enabled=yes
+

roles/cloud/templates/certgen.sh.j2

+#!/usr/bin/env bash
+
+set -o errexit
+
+readonly caPath=${CA_PATH:-/etc/kubeedge/ca}
+readonly caSubject=${CA_SUBJECT:-/C=CN/ST=Zhejiang/L=Hangzhou/O=KubeEdge/CN=kubeedge.io}
+readonly certPath=${CERT_PATH:-/etc/kubeedge/certs}
+readonly subject=${SUBJECT:-/C=CN/ST=Zhejiang/L=Hangzhou/O=KubeEdge/CN=kubeedge.io}
+
+genCA() {
+    openssl genrsa -des3 -out ${caPath}/rootCA.key -passout pass:kubeedge.io 4096
+    openssl req -x509 -new -nodes -key ${caPath}/rootCA.key -sha256 -days 3650 \
+    -subj ${subject} -passin pass:kubeedge.io -out ${caPath}/rootCA.crt
+}
+
+ensureCA() {
+    if [ ! -e ${caPath}/rootCA.key ] || [ ! -e ${caPath}/rootCA.crt ]; then
+        genCA
+    fi
+}
+
+ensureFolder() {
+    if [ ! -d ${caPath} ]; then
+        mkdir -p ${caPath}
+    fi
+    if [ ! -d ${certPath} ]; then
+        mkdir -p ${certPath}
+    fi
+}
+
+genCsr() {
+    local name=$1
+    openssl genrsa -out ${certPath}/${name}.key 2048
+    openssl req -new -key ${certPath}/${name}.key -subj ${subject} -out ${certPath}/${name}.csr
+}
+
+genCert() {
+    local name=$1
+    openssl x509 -req -in ${certPath}/${name}.csr -CA ${caPath}/rootCA.crt -CAkey ${caPath}/rootCA.key \
+    -CAcreateserial -passin pass:kubeedge.io -out ${certPath}/${name}.crt -days 365 -sha256
+}
+
+genCertAndKey() {
+    ensureFolder
+    ensureCA
+    local name=$1
+    genCsr $name
+    genCert $name
+}
+
+stream() {
+    readonly streamsubject=${SUBJECT:-/C=CN/ST=Zhejiang/L=Hangzhou/O=KubeEdge}
+    readonly STREAM_KEY_FILE=${certPath}/stream.key
+    readonly STREAM_CSR_FILE=${certPath}/stream.csr
+    readonly STREAM_CRT_FILE=${certPath}/stream.crt
+    readonly K8SCA_FILE=/etc/kubernetes/pki/ca.crt
+    readonly K8SCA_KEY_FILE=/etc/kubernetes/pki/ca.key
+
+    if [ -z {{ CLOUDCORE_IPS }} ]; then  #变量变量
+        echo "You must set CLOUDCOREIPS Env,The environment variable is set to specify the IP addresses of all cloudcore"
+        echo "If there are more than one IP need to be separated with space."
+        exit 1
+    fi
+
+    index=1
+    SUBJECTALTNAME="subjectAltName = IP.1:127.0.0.1"
+    for ip in {{ CLOUDCORE_IPS }}; do      #变量 变量
+        SUBJECTALTNAME="${SUBJECTALTNAME},"
+        index=$(($index+1))
+        SUBJECTALTNAME="${SUBJECTALTNAME}IP.${index}:${ip}"
+    done
+
+    cp /etc/kubernetes/pki/ca.crt ${caPath}/streamCA.crt
+    echo $SUBJECTALTNAME > /tmp/server-extfile.cnf
+
+    openssl genrsa -out ${STREAM_KEY_FILE}  2048
+    openssl req -new -key ${STREAM_KEY_FILE} -subj ${streamsubject} -out ${STREAM_CSR_FILE}
+
+    # verify
+    openssl req -in ${STREAM_CSR_FILE} -noout -text
+    openssl x509 -req -in ${STREAM_CSR_FILE} -CA ${K8SCA_FILE} -CAkey ${K8SCA_KEY_FILE} -CAcreateserial -out ${STREAM_CRT_FILE} -days 5000 -sha256 -extfile /tmp/server-extfile.cnf
+    #verify
+    openssl x509 -in ${STREAM_CRT_FILE} -text -noout
+
+}
+
+buildSecret() {
+    local name="edge"
+    genCertAndKey ${name} > /dev/null 2>&1
+    cat <<EOF
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloudcore
+  namespace: kubeedge
+  labels:
+    k8s-app: kubeedge
+    kubeedge: cloudcore
+stringData:
+  rootCA.crt: |
+$(pr -T -o 4 ${caPath}/rootCA.crt)
+  edge.crt: |
+$(pr -T -o 4 ${certPath}/${name}.crt)
+  edge.key: |
+$(pr -T -o 4 ${certPath}/${name}.key)
+
+EOF
+}
+
+$1 $2

roles/cloud/templates/cloudcore.service.j2

+[Unit]
+Description=cloudcore.service
+
+[Service]
+Type=simple
+Restart=always
+ExecStart={{ KUBEEDGE_BASE }}/bin/cloudcore   
+
+[Install]
+WantedBy=multi-user.target

roles/cloud/templates/cloudcore.yaml.j2

@@ -6,7 +6,7 @@ apiVersion: cloudcore.config.kubeedge.io/v1alpha1
 kind: CloudCore
 kind: CloudCore
 kubeAPIConfig:
 kubeAPIConfig:
   kubeConfig: /root/.kube/config
   kubeConfig: /root/.kube/config
-  master: "https://{{MASTER_IP}}:6443"   #master api 地址
+  master: "https://{{ MASTER_IP }}:6443"   #master api 地址
 leaderelection:
 leaderelection:
   LeaderElect: false
   LeaderElect: false
   LeaseDuration: 0s
   LeaseDuration: 0s
@@ -18,16 +18,16 @@ leaderelection:
 modules:
 modules:
   cloudHub:
   cloudHub:
     advertiseAddress:
     advertiseAddress:
-    - {{MASTER_IP}}  #cloud server 地址
+    - {{ MASTER_IP }}  #cloud server 地址
     https:
     https:
       address: 0.0.0.0
       address: 0.0.0.0
       enable: true
       enable: true
       port: 10002
       port: 10002
     nodeLimit: 10
     nodeLimit: 10
-    tlsCAFile: /etc/kubeedge/ca/rootCA.crt
-    tlsCAKeyFile: /etc/kubeedge/ca/rootCA.key
-    tlsCertFile: /etc/kubeedge/certs/server.crt
-    tlsPrivateKeyFile: /etc/kubeedge/certs/server.key
+    tlsCAFile: {{ KUBEEDGE_BASE }}/ca/rootCA.crt     #kubeedge安装路径
+    tlsCAKeyFile: {{ KUBEEDGE_BASE }}/ca/rootCA.key
+    tlsCertFile: {{ KUBEEDGE_BASE }}/certs/server.crt
+    tlsPrivateKeyFile: {{ KUBEEDGE_BASE }}/certs/server.key
     unixsocket:
     unixsocket:
       address: unix:///var/lib/kubeedge/kubeedge.sock
       address: unix:///var/lib/kubeedge/kubeedge.sock
       enable: true
       enable: true

roles/cloud/vars/main.yml

+---
+MASTER_IP: 192.168.137.201
+KUBEEDGE_BASE: /etc/kubeedge
+CLOUDCORE_IPS: 192.168.137.201
+

roles/edge/tasks/main.yml

+---
+- name: 节点创建kubeedge以及k8s所需证书目录，配置目录
+  file: name={{ item }} state=directory
+  with_items:
+  - /etc/kubeedge/ca/
+  - /etc/kubeedge/certs/
+  - /etc/kubeedge/config/
+  - /etc/kubeedge/bin/
+  - /etc/kubernetes/pki/
+
+- name: 将k8s ca证书软链接到k8s证书目录/etc/kubernetes/pki/
+  file: src=/opt/kubernetes/ssl/ca.pem  dest=/etc/kubernetes/pki/ca.crt state=link
+- name: 将k8s ca证书软链接到k8s证书目录/etc/kubernetes/pki/
+  file: src=/opt/kubernetes/ssl/ca-key.pem  dest=/etc/kubernetes/pki/ca.key state=link
+#- name: 拷贝生成kubeedge cloud 证书脚本
+#  copy: src=certgen.sh dest={{ KUBEEDGE_BASE }}
+- name: 分发并渲染证书脚本
+  template: src=certgen.sh.j2 dest={{ KUBEEDGE_BASE }}/certgen.sh mode=777
+
+- name: 执行生成证书脚本
+  shell: sh {{ KUBEEDGE_BASE }}/certgen.sh stream 
+  
+- name: 设置cloud iptables
+  shell: iptables -t nat -A OUTPUT -p tcp  --dport 10350 -j DNAT --to {{ MASTER_IP }}:10003   
+
+- name: 在k8s中创建设备模块以及设备CRD yaml文件
+  shell: kubectl apply -f  /root/kubeedge/kubeedge/roles/cloud/files/device_crds_yaml/devices/ &&  kubectl apply -f /root/kubeedge/kubeedge/roles/cloud/files/device_crds_yaml/reliablesyncs/
+
+- name: 分发渲染配置cloud 配置文件
+  template: src=cloudcore.yaml.j2 dest={{ KUBEEDGE_BASE }}/config/cloudcore.yaml
+  notify: restart cloudcore 
+
+- name: 分发cloud二进制文件
+  copy: src=cloud/cloudcore dest={{ KUBEEDGE_BASE }}/bin/cloudcore mode=777
+
+- name: 分发渲染cloud service服务文件
+  template: src=cloudcore.service.j2 dest=/lib/systemd/system/cloudcore.service mode=777
+
+- name: 设置开启启动cloud service
+  service: name=cloudcore  enabled=yes
+

roles/edge/templates/edge.service.j2

+[Unit]
+Description=cloudcore.service
+
+[Service]
+Type=simple
+Restart=always
+ExecStart={{KUBEEDGE_BASE}}/edgecore   #kubeedge安装目录，默认是/etc/kubeedge
+
+[Install]
+WantedBy=multi-user.target

roles/cloud/templates/edgecore.yaml.j2 → roles/edge/templates/edgecore.yaml.j2

@@ -9,16 +9,16 @@ kind: EdgeCore
 modules:
 modules:
   edgeHub:
   edgeHub:
     heartbeat: 15
     heartbeat: 15
-    httpServer: https://192.168.137.201:10002
+    httpServer: https://{{ MASTER_IP }}:10002                        #cloudcore ip地址，也就是k8s master ip地址
     tlsCaFile: /etc/kubeedge/ca/rootCA.crt
     tlsCaFile: /etc/kubeedge/ca/rootCA.crt
     tlsCertFile: /etc/kubeedge/certs/server.crt
     tlsCertFile: /etc/kubeedge/certs/server.crt
     tlsPrivateKeyFile: /etc/kubeedge/certs/server.key
     tlsPrivateKeyFile: /etc/kubeedge/certs/server.key
-    token: "08ce39b001305c78fcc96c3dceb65d9ab0b1ca8ff7fa2793f956b1c17af62fd7.eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1OTQyNjY4Mjh9.7M1Yt-E-qJQHvfsPPnkJkqvmaOIU0eoxRYF-tnQLklw"
+    token: {{ CLOUD_TOKEN }}                                         #cloucore token
     websocket:
     websocket:
       enable: true
       enable: true
       handshakeTimeout: 30
       handshakeTimeout: 30
       readDeadline: 15
       readDeadline: 15
-      server: 192.168.137.201:10000
+      server: {{ MASTER_IP }}:10000                                 #cloudcore ip地址，也就是k8s master ip地址
       writeDeadline: 15
       writeDeadline: 15
   edged:
   edged:
     cgroupDriver: cgroupfs
     cgroupDriver: cgroupfs
@@ -29,10 +29,10 @@ modules:
     devicePluginEnabled: false
     devicePluginEnabled: false
     dockerAddress: unix:///var/run/docker.sock
     dockerAddress: unix:///var/run/docker.sock
     gpuPluginEnabled: false
     gpuPluginEnabled: false
-    hostnameOverride: seetaas-cpu-200
-    interfaceName: ens33
-    nodeIP: 192.168.137.200
-    podSandboxImage: kubeedge/pause:3.1
+    hostnameOverride: ansible_nodename                             #内部变量，自动获取host为node节点的主机名
+    interfaceName: ansible_default_ipv4['interface']               #内部变量，自动获取host为node节点的内网网卡地址  
+    nodeIP: ansible_default_ipv4['address']                        #内部变量，自动获取host为node节点的内网IP地址
+    podSandboxImage: {{ SANDBOX_IMAGE}}                            #edge节点的pause镜像， 默认amd64是 kubeedge/pause:3.1，arm的需要查找
     remoteImageEndpoint: unix:///var/run/dockershim.sock
     remoteImageEndpoint: unix:///var/run/dockershim.sock
     remoteRuntimeEndpoint: unix:///var/run/dockershim.sock
     remoteRuntimeEndpoint: unix:///var/run/dockershim.sock
     runtimeType: docker
     runtimeType: docker
@@ -42,5 +42,3 @@ modules:
     mqttRetain: false
     mqttRetain: false
     mqttServerExternal: tcp://127.0.0.1:1883
     mqttServerExternal: tcp://127.0.0.1:1883
     mqttServerInternal: tcp://127.0.0.1:1884
     mqttServerInternal: tcp://127.0.0.1:1884
-
-

roles/edge/vars/main.yaml

+NODE_NAME: {{ansible_all_ipv4_addresses}}