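---
# 03-04 Cloudflare Tunnel (cloudflared): deploy, verify, optional teardown.
#
# Probe URL: set exactly one of
#   CF_TUNNEL_TEST_URL  (env) - full HTTPS URL
#   CF_TUNNEL_TEST_HOST (env) - hostname only, expanded to https://HOST/
# Other inputs:
#   TUNNEL_TOKEN            (env) - when set, the cloudflared-credentials Secret in
#                                   kube-system is (re)created from it by verify_common
#   CF_TUNNEL_CURL_INSECURE (env) - "1" disables TLS verification for the HTTPS probe
#                                   only; default is strict verification
#   VERIFY_TEARDOWN   (ansible var) - "1" (default) lets the teardown play delete the
#                                   Deployment and the Secret; note this is an
#                                   extra-var (-e), not an environment variable
#
# kubectl is invoked through ansible.builtin.command with KUBECONFIG supplied via
# `environment:` so no templated value is interpolated into a shell command line.
# The same probe-URL vars are repeated per play on purpose: plays do not share vars.

- name: Deploy 03-04 Cloudflare Tunnel (cloudflared)
  hosts: k3s_server
  become: true
  run_once: true
  vars:
    k3s_kubeconfig: /etc/rancher/k3s/k3s.yaml
    # Read on the controller (same as copy's src would be) and fed to kubectl on stdin,
    # so nothing is staged under the world-writable /tmp on the target.
    manifest_src: "{{ playbook_dir }}/../../files/03-04/cloudflared.yaml"
    tunnel_token: "{{ lookup('env', 'TUNNEL_TOKEN') | default('', true) }}"
    _cf_tunnel_url_raw: "{{ lookup('env', 'CF_TUNNEL_TEST_URL') | default('', true) | trim }}"
    _cf_tunnel_host_raw: "{{ lookup('env', 'CF_TUNNEL_TEST_HOST') | default('', true) | trim }}"
    # Hostname with an optional scheme and any path component removed.
    _cf_tunnel_host: >-
      {{ _cf_tunnel_host_raw | regex_replace('^https?://', '') | regex_replace('/.*$', '') }}
    # Full URL wins; otherwise build https://HOST/; empty when neither is usable
    # (an input such as "https://" alone yields "" here and trips the gate below).
    cf_tunnel_probe_url: >-
      {{ (_cf_tunnel_url_raw | length > 0)
         | ternary(_cf_tunnel_url_raw,
                   (_cf_tunnel_host | length > 0) | ternary('https://' ~ _cf_tunnel_host ~ '/', '')) }}
  tasks:
    - name: "Gate - tunnel probe URL required (CF_TUNNEL_TEST_URL or CF_TUNNEL_TEST_HOST)"
      when: cf_tunnel_probe_url | trim == ""
      ansible.builtin.include_role:
        name: verify_common
        tasks_from: gate-debug-end-play.yml
      vars:
        verify_gate_message: "[GATE] skipped doc_id=03-04 reason=missing_env missing=CF_TUNNEL_TEST_URL_or_CF_TUNNEL_TEST_HOST skip_scope=03-04 tunnel http probe"

    # rc is the only thing consumed; a non-zero rc simply means "not present".
    - name: Check cloudflared-credentials secret exists
      ansible.builtin.command:
        argv:
          - kubectl
          - -n
          - kube-system
          - get
          - secret
          - cloudflared-credentials
      environment:
        KUBECONFIG: "{{ k3s_kubeconfig }}"
      register: cloudflared_secret_check
      changed_when: false
      failed_when: false

    - name: "Gate - no TUNNEL_TOKEN and secret missing"
      when: cloudflared_secret_check.rc != 0 and (tunnel_token | trim | length) == 0
      ansible.builtin.include_role:
        name: verify_common
        tasks_from: gate-debug-end-play.yml
      vars:
        verify_gate_message: "[GATE] skipped doc_id=03-04 reason=missing_dependency missing=cloudflared-credentials/TUNNEL_TOKEN skip_scope=03-04 cloudflared deploy"

    # The token is handed to the role as a var; NOTE(review): the role's tasks are
    # expected to keep it out of task output (no_log) - confirm in verify_common.
    - name: Ensure cloudflared tunnel Secret from TUNNEL_TOKEN
      when: (tunnel_token | trim | length) > 0
      ansible.builtin.include_role:
        name: verify_common
        tasks_from: ensure-cloudflared-tunnel-secret.yml
      vars:
        verify_tunnel_token: "{{ tunnel_token | trim }}"

    - name: Apply cloudflared Deployment
      ansible.builtin.command:
        argv:
          - kubectl
          - apply
          - -f
          - "-"
        stdin: "{{ lookup('file', manifest_src) }}"
      environment:
        KUBECONFIG: "{{ k3s_kubeconfig }}"
      changed_when: true

- name: Verify 03-04 Cloudflare Tunnel (rollout + HTTPS probe)
  hosts: k3s_server
  become: true
  run_once: true
  vars:
    k3s_kubeconfig: /etc/rancher/k3s/k3s.yaml
    tunnel_token: "{{ lookup('env', 'TUNNEL_TOKEN') | default('', true) }}"
    _cf_tunnel_url_raw: "{{ lookup('env', 'CF_TUNNEL_TEST_URL') | default('', true) | trim }}"
    _cf_tunnel_host_raw: "{{ lookup('env', 'CF_TUNNEL_TEST_HOST') | default('', true) | trim }}"
    # Hostname with an optional scheme and any path component removed.
    _cf_tunnel_host: >-
      {{ _cf_tunnel_host_raw | regex_replace('^https?://', '') | regex_replace('/.*$', '') }}
    # Same derivation as in the deploy play; empty value means "verify not engaged".
    cf_tunnel_probe_url: >-
      {{ (_cf_tunnel_url_raw | length > 0)
         | ternary(_cf_tunnel_url_raw,
                   (_cf_tunnel_host | length > 0) | ternary('https://' ~ _cf_tunnel_host ~ '/', '')) }}
  tasks:
    - name: "Gate - skip verify when tunnel probe URL missing"
      when: cf_tunnel_probe_url | trim == ""
      ansible.builtin.include_role:
        name: verify_common
        tasks_from: gate-debug-end-play.yml
      vars:
        verify_gate_message: "[GATE] skipped doc_id=03-04 reason=missing_env missing=CF_TUNNEL_TEST_URL_or_CF_TUNNEL_TEST_HOST skip_scope=03-04 tunnel http probe"

    # Re-run of the deploy step so the verify play also works standalone.
    - name: Ensure cloudflared tunnel Secret from TUNNEL_TOKEN (idempotent)
      when: (tunnel_token | trim | length) > 0
      ansible.builtin.include_role:
        name: verify_common
        tasks_from: ensure-cloudflared-tunnel-secret.yml
      vars:
        verify_tunnel_token: "{{ tunnel_token | trim }}"

    - name: Check cloudflared-credentials secret exists
      ansible.builtin.command:
        argv:
          - kubectl
          - -n
          - kube-system
          - get
          - secret
          - cloudflared-credentials
      environment:
        KUBECONFIG: "{{ k3s_kubeconfig }}"
      register: cloudflared_secret_check
      changed_when: false
      failed_when: false

    - name: "Gate - no TUNNEL_TOKEN and secret missing"
      when: cloudflared_secret_check.rc != 0 and (tunnel_token | trim | length) == 0
      ansible.builtin.include_role:
        name: verify_common
        tasks_from: gate-debug-end-play.yml
      vars:
        verify_gate_message: "[GATE] skipped doc_id=03-04 reason=missing_dependency missing=cloudflared-credentials/TUNNEL_TOKEN skip_scope=03-04 cloudflared verify"

    # A token was supplied but the Secret still is not readable: that is an error,
    # not a skip, because the previous task should have created it.
    - name: Fail when secret missing but TUNNEL_TOKEN was set
      when: cloudflared_secret_check.rc != 0 and (tunnel_token | trim | length) > 0
      ansible.builtin.fail:
        msg: "已设置 TUNNEL_TOKEN 但 cloudflared-credentials Secret 仍不可用,请检查 apiserver 与 kube-system 权限"

    - name: Rollout status cloudflared (kube-system)
      ansible.builtin.include_role:
        name: verify_common
        tasks_from: kubectl-rollout-status.yml
      vars:
        verify_rollout_ref: deployment/cloudflared
        verify_rollout_namespace: kube-system
        verify_rollout_timeout_s: 240

    # TLS verification stays on unless CF_TUNNEL_CURL_INSECURE=1 is set explicitly;
    # with it on, a 200 also confirms the edge presented a trusted certificate.
    - name: HTTPS probe via Tunnel (CF_TUNNEL_TEST_URL / CF_TUNNEL_TEST_HOST)
      ansible.builtin.include_role:
        name: verify_common
        tasks_from: http-curl-expect.yml
      vars:
        verify_http_url: "{{ cf_tunnel_probe_url | trim }}"
        verify_http_expected_code: 200
        verify_http_connect_timeout: 5
        verify_http_max_time: 15
        verify_http_retries: 12
        verify_http_retry_sleep: 3
        verify_http_assertion_label: cf_tunnel_03_04_https
        verify_http_tls_insecure: "{{ (lookup('env', 'CF_TUNNEL_CURL_INSECURE') | default('0', true) | trim) == '1' }}"

- name: Teardown 03-04 Cloudflare Tunnel (optional)
  hosts: k3s_server
  become: true
  run_once: true
  vars:
    k3s_kubeconfig: /etc/rancher/k3s/k3s.yaml
    # Ansible variable (e.g. -e VERIFY_TEARDOWN=0), unlike the CF_* env lookups above.
    verify_teardown: "{{ (VERIFY_TEARDOWN | default('1')) | string }}"
    _cf_tunnel_url_raw: "{{ lookup('env', 'CF_TUNNEL_TEST_URL') | default('', true) | trim }}"
    _cf_tunnel_host_raw: "{{ lookup('env', 'CF_TUNNEL_TEST_HOST') | default('', true) | trim }}"
    # Hostname with an optional scheme and any path component removed.
    _cf_tunnel_host: >-
      {{ _cf_tunnel_host_raw | regex_replace('^https?://', '') | regex_replace('/.*$', '') }}
    # Same derivation as in the deploy play; empty value means "nothing was deployed".
    cf_tunnel_probe_url: >-
      {{ (_cf_tunnel_url_raw | length > 0)
         | ternary(_cf_tunnel_url_raw,
                   (_cf_tunnel_host | length > 0) | ternary('https://' ~ _cf_tunnel_host ~ '/', '')) }}
  tasks:
    - name: Skip teardown when 03-04 verify path not engaged
      when: cf_tunnel_probe_url | trim == ""
      meta: end_play

    # NOTE(review): the Secret is deleted even when it pre-existed and was only reused
    # (the deploy play allows that when TUNNEL_TOKEN is unset); set VERIFY_TEARDOWN=0
    # if the credentials must outlive this run.
    - name: Delete cloudflared Deployment and credentials when VERIFY_TEARDOWN=1
      when: verify_teardown == "1"
      ansible.builtin.command:
        argv:
          - kubectl
          - -n
          - kube-system
          - delete
          - "{{ item }}"
          - --ignore-not-found=true
      environment:
        KUBECONFIG: "{{ k3s_kubeconfig }}"
      loop:
        - deployment/cloudflared
        - secret/cloudflared-credentials
      changed_when: true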