增加添加etcd节点脚本

19.addetcd.yml

@@ -0,0 +1,54 @@
+# add new-etcd node, one at a time
+- hosts:
+  - new-etcd
+  tasks:
+  - name: add a new etcd member
+    shell: "ETCDCTL_API=3 {{ bin_dir }}/etcdctl member add {{ NODE_NAME }} --peer-urls=https://{{ inventory_hostname }}:2380"
+    delegate_to: "{{ groups.etcd[0] }}"
+    when: "inventory_hostname == groups['new-etcd'][0]"
+
+# start the new-etcd node
+- hosts:
+  - new-etcd
+  roles:
+  - { role: chrony, when: "hostvars[groups.deploy[0]]['NTP_ENABLED'] == 'yes' and inventory_hostname == groups['new-etcd'][0]" } 
+  - { role: prepare, when: "inventory_hostname == groups['new-etcd'][0]" }
+  - { role: new-etcd, when: "inventory_hostname == groups['new-etcd'][0]" }
+
+# restart the original etcd cluster with the new configuration 
+- hosts:
+  - etcd
+  roles:
+  - { role: new-etcd, when: "groups['new-etcd']|length > 0" }
+
+# modify the ansible hosts file
+- hosts:
+  - new-etcd
+  tasks:
+  - name: tag new-etcd's node FINISHED=yes
+    lineinfile:
+      dest: "{{ base_dir }}/hosts"
+      state: present
+      regexp: '{{ NODE_NAME }}'
+      line: "{{ inventory_hostname }} NODE_NAME={{ NODE_NAME }} FINISHED=yes"
+    connection: local
+    when: "inventory_hostname == groups['new-etcd'][0]"
+
+  - name: cp new-etcd's node to etcd group
+    lineinfile:
+      dest: "{{ base_dir }}/hosts"
+      state: present
+      insertafter: '^\[etcd\]'
+      firstmatch: yes
+      line: "{{ inventory_hostname }} NODE_NAME={{ NODE_NAME }}"
+    connection: local
+    when: "inventory_hostname == groups['new-etcd'][0]"
+
+- hosts: deploy
+  tasks:
+  - name: rm new-etcd's node
+    lineinfile:
+      dest: "{{ base_dir }}/hosts"
+      state: absent
+      regexp: 'FINISHED=yes'
+    connection: local

roles/new-etcd/clean-etcd.yml

@@ -0,0 +1,19 @@
+# to clean 'etcd' nodes
+- hosts:
+  - etcd
+  - new-etcd
+  tasks:
+  - name: stop and disable etcd service
+    service:
+      name: etcd
+      state: stopped
+      enabled: no
+    ignore_errors: true
+
+  - name: remove files and dirs
+    file: name={{ item }} state=absent
+    with_items:
+    - "/var/lib/etcd"
+    - "/etc/etcd/"
+    - "/backup/k8s"
+    - "/etc/systemd/system/etcd.service"

roles/new-etcd/defaults/main.yml

@@ -0,0 +1,4 @@
+# etcd 集群间通信的IP和端口, 根据etcd组成员自动生成
+# 新增 etcd 节点，一次只能增加一个
+TMP_NODES: "{% for h in groups['etcd'] %}{{ hostvars[h]['NODE_NAME'] }}=https://{{ h }}:2380,{% endfor %}{% if groups['new-etcd']|length > 0 %}{{ hostvars[groups['new-etcd'][0]]['NODE_NAME'] }}=https://{{ groups['new-etcd'][0] }}:2380,{% endif %}"
+ETCD_NODES: "{{ TMP_NODES.rstrip(',') }}"

roles/new-etcd/tasks/main.yml

@@ -0,0 +1,62 @@
+- name: prepare some dirs
+  file: name={{ item }} state=directory
+  with_items:
+  - "{{ bin_dir }}"
+  - "{{ ca_dir }}"
+  - "/etc/etcd/ssl"    # etcd 证书目录
+  - "/var/lib/etcd"    # etcd 工作目录
+
+- name: 下载etcd二进制文件
+  copy: src={{ base_dir }}/bin/{{ item }} dest={{ bin_dir }}/{{ item }} mode=0755
+  with_items:
+  - etcd
+  - etcdctl
+  tags: upgrade_etcd
+
+- name: 分发证书相关
+  synchronize: src={{ ca_dir }}/{{ item }} dest={{ ca_dir }}/{{ item }}
+  with_items:
+  - ca.pem
+  - ca-key.pem
+  - ca.csr
+  - ca-config.json
+  delegate_to: "{{ groups.deploy[0] }}"
+
+# 注册变量p，根据p的stat信息判断是否已经生成过etcd证书，如果没有，下一步生成证书
+# 如果已经有etcd证书，为了保证整个安装的幂等性，跳过证书生成的步骤
+- name: 读取etcd证书stat信息
+  stat: path="/etc/etcd/ssl/etcd.pem"
+  register: p
+
+- name: 创建etcd证书请求
+  template: src=etcd-csr.json.j2 dest=/etc/etcd/ssl/etcd-csr.json
+  when: p.stat.isreg is not defined 
+
+- name: 创建 etcd证书和私钥
+  when: p.stat.isreg is not defined 
+  shell: "cd /etc/etcd/ssl && {{ bin_dir }}/cfssl gencert \
+        -ca={{ ca_dir }}/ca.pem \
+        -ca-key={{ ca_dir }}/ca-key.pem \
+        -config={{ ca_dir }}/ca-config.json \
+        -profile=kubernetes etcd-csr.json | {{ bin_dir }}/cfssljson -bare etcd"
+
+- name: 创建etcd的systemd unit文件
+  template: src=etcd.service.j2 dest=/etc/systemd/system/etcd.service
+  tags: upgrade_etcd
+
+- name: 开机启用etcd服务
+  shell: systemctl enable etcd
+  ignore_errors: true
+
+- name: 开启etcd服务
+  shell: systemctl daemon-reload && systemctl restart etcd
+  ignore_errors: true
+  tags: upgrade_etcd
+
+- name: 以轮询的方式等待服务同步完成
+  shell: "systemctl status etcd.service|grep Active"
+  register: etcd_status
+  until: '"running" in etcd_status.stdout'
+  retries: 8
+  delay: 8
+  tags: upgrade_etcd

roles/new-etcd/templates/etcd-csr.json.j2

@@ -0,0 +1,20 @@
+{
+  "CN": "etcd",
+  "hosts": [
+    "127.0.0.1",
+    "{{ inventory_hostname }}"
+  ],
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "CN",
+      "ST": "HangZhou",
+      "L": "XS",
+      "O": "k8s",
+      "OU": "System"
+    }
+  ]
+}

roles/new-etcd/templates/etcd.service.j2

@@ -0,0 +1,32 @@
+[Unit]
+Description=Etcd Server
+After=network.target
+After=network-online.target
+Wants=network-online.target
+Documentation=https://github.com/coreos
+
+[Service]
+Type=notify
+WorkingDirectory=/var/lib/etcd/
+ExecStart={{ bin_dir }}/etcd \
+  --name={{ NODE_NAME }} \
+  --cert-file=/etc/etcd/ssl/etcd.pem \
+  --key-file=/etc/etcd/ssl/etcd-key.pem \
+  --peer-cert-file=/etc/etcd/ssl/etcd.pem \
+  --peer-key-file=/etc/etcd/ssl/etcd-key.pem \
+  --trusted-ca-file={{ ca_dir }}/ca.pem \
+  --peer-trusted-ca-file={{ ca_dir }}/ca.pem \
+  --initial-advertise-peer-urls=https://{{ inventory_hostname }}:2380 \
+  --listen-peer-urls=https://{{ inventory_hostname }}:2380 \
+  --listen-client-urls=https://{{ inventory_hostname }}:2379,http://127.0.0.1:2379 \
+  --advertise-client-urls=https://{{ inventory_hostname }}:2379 \
+  --initial-cluster-token=etcd-cluster-0 \
+  --initial-cluster={{ ETCD_NODES }} \
+  --initial-cluster-state=existing \
+  --data-dir=/var/lib/etcd
+Restart=on-failure
+RestartSec=5
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target