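---
# Start an ephemeral Pod inside the cluster to run an HTTP probe (bypasses the host's :80).
# By default the probe targets traefik.kube-system + verify_traefik_path; if the cluster's
# Traefik ClusterIP is unreachable, set verify_incluster_http_url in the playbook to point
# directly at the backend Service (e.g. http://nginx-m1.default.svc.cluster.local/).
#
# Required: verify_traefik_kubeconfig, verify_traefik_assertion
# URL, one of (with defaults): verify_traefik_path (via Traefik) or
#   verify_incluster_http_url (direct link to the backend Service)
# Optional: verify_traefik_header_name / verify_traefik_header_value
#   (when both are non-empty, the response header is checked)
#
# NOTE(review): verify_traefik_assertion and the header variables are consumed by the
# Pod template, not by the tasks below — confirm against
# incluster-traefik-http-probe-pod.yml.j2.

- name: Resolve in-cluster probe URL
  ansible.builtin.set_fact:
    # `default(..., true)` also treats an empty string as unset, so an empty
    # verify_incluster_http_url falls back to the Traefik URL.
    _vf_url: "{{ verify_incluster_http_url | default('http://traefik.kube-system.svc.cluster.local' ~ (verify_traefik_path | default('/')), true) }}"

- name: Ephemeral pod name for in-cluster HTTP check
  ansible.builtin.set_fact:
    # Random suffix keeps repeated or concurrent runs from colliding on one Pod name;
    # lowercase letters, digits and hyphens only, so it stays a valid Pod name.
    _vf_http_pod: "vf-http-{{ 1000000000 | random }}-{{ 100000 | random }}"

- name: Render in-cluster probe Pod manifest
  ansible.builtin.template:
    src: incluster-traefik-http-probe-pod.yml.j2
    dest: "/tmp/{{ _vf_http_pod }}-probe.yaml"
    # Owner-only: the rendered manifest may carry verify_traefik_header_value,
    # so do not leave it world-readable in /tmp.
    mode: "0600"

- name: Apply probe Pod and wait for success
  # Creates the probe Pod, polls its phase until Succeeded, and fails on Failed
  # or on timeout. Reported as unchanged because it is a verification step only.
  ansible.builtin.shell: |
    set -euo pipefail
    # Quote the kubeconfig path so spaces or shell metacharacters cannot break
    # or alter the command line.
    export KUBECONFIG={{ verify_traefik_kubeconfig | quote }}
    POD={{ _vf_http_pod | quote }}
    f="/tmp/{{ _vf_http_pod }}-probe.yaml"
    # Remove the rendered manifest on every exit path, not only on success.
    trap 'rm -f "$f"' EXIT

    # Clear any leftover Pod with the same name before applying the manifest.
    kubectl delete pod -n default "$POD" --ignore-not-found --wait=false 2>/dev/null || true
    kubectl apply -f "$f"

    # Diagnostics emitted on failure; both commands are best-effort.
    dump_pod() {
      kubectl describe pod -n default "$POD" | tail -50 || true
      kubectl logs -n default "$POD" 2>&1 || true
    }

    # Poll up to 120 times with a 2s sleep (about 240s). On failure the Pod is
    # left in place so it can still be inspected.
    ok=0
    for _ in $(seq 1 120); do
      phase=$(kubectl get pod -n default "$POD" -o jsonpath='{.status.phase}' 2>/dev/null || echo "")
      if [ "$phase" = "Succeeded" ]; then ok=1; break; fi
      if [ "$phase" = "Failed" ]; then
        echo "[ERR] probe pod Failed"
        dump_pod
        exit 1
      fi
      sleep 2
    done
    if [ "$ok" != "1" ]; then
      echo "[ERR] probe pod timeout (expected Succeeded)"
      dump_pod
      exit 1
    fi

    # Success: remove the Pod without waiting; the manifest is removed by the trap.
    kubectl delete pod -n default "$POD" --wait=false 2>/dev/null || true
  args:
    # bash is required for `pipefail`.
    executable: /bin/bash
  changed_when: false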