jack
8c43761962
- ansible/files 改为与文档 XX-YY 对齐的目录结构,更新相关 playbook 路径 - 新增 scripts/verify.sh 与 ansible/playbooks/verify/*.yml,移除单体 verify-matrix.yml - 补充 docs/00-02 矩阵状态、00-05 验证框架与流程、00-04 环境与 ylc65 工作机说明 - 增加 k3s 存储准备、Longhorn、local-path 等 playbook 与辅助脚本 Made-with: Cursor
99 lines
3.2 KiB
YAML
99 lines
3.2 KiB
YAML
- name: Deploy 03-02 Traefik ACME (gated)
|
||
hosts: k3s_server
|
||
become: true
|
||
run_once: true
|
||
vars:
|
||
k3s_kubeconfig: /etc/rancher/k3s/k3s.yaml
|
||
manifest_src: "{{ playbook_dir }}/../../files/03-02-traefik-acme/traefik-acme.yaml"
|
||
manifest_dest: /tmp/traefik-acme.yaml
|
||
acme_email: "{{ ACME_EMAIL | default('') }}"
|
||
tasks:
|
||
- name: "Gate - require ACME_EMAIL and cloudflare-api-token secret"
|
||
ansible.builtin.shell: |
|
||
set -e
|
||
test -n "{{ acme_email }}"
|
||
KUBECONFIG={{ k3s_kubeconfig }} kubectl -n kube-system get secret cloudflare-api-token >/dev/null
|
||
args:
|
||
executable: /bin/bash
|
||
register: acme_gate
|
||
changed_when: false
|
||
failed_when: false
|
||
|
||
- name: Copy manifest
|
||
when: acme_gate.rc == 0
|
||
ansible.builtin.copy:
|
||
src: "{{ manifest_src }}"
|
||
dest: "{{ manifest_dest }}"
|
||
mode: "0644"
|
||
|
||
- name: Replace ACME email placeholder
|
||
when: acme_gate.rc == 0
|
||
ansible.builtin.shell: |
|
||
set -e
|
||
sed -i "s/<YOUR_REAL_EMAIL>/{{ acme_email | replace('/', '\\/') }}/g" {{ manifest_dest }}
|
||
args:
|
||
executable: /bin/bash
|
||
changed_when: true
|
||
|
||
- name: Apply manifest + restart traefik
|
||
when: acme_gate.rc == 0
|
||
ansible.builtin.shell: |
|
||
set -e
|
||
KUBECONFIG={{ k3s_kubeconfig }} kubectl apply -f {{ manifest_dest }}
|
||
KUBECONFIG={{ k3s_kubeconfig }} kubectl -n kube-system rollout restart deploy/traefik || true
|
||
args:
|
||
executable: /bin/bash
|
||
changed_when: true
|
||
|
||
- name: Verify 03-02 Traefik ACME (gated)
|
||
hosts: k3s_server
|
||
become: true
|
||
run_once: true
|
||
vars:
|
||
k3s_kubeconfig: /etc/rancher/k3s/k3s.yaml
|
||
acme_email: "{{ ACME_EMAIL | default('') }}"
|
||
tasks:
|
||
- name: "Gate - require ACME_EMAIL and cloudflare-api-token secret"
|
||
ansible.builtin.shell: |
|
||
set -e
|
||
test -n "{{ acme_email }}"
|
||
KUBECONFIG={{ k3s_kubeconfig }} kubectl -n kube-system get secret cloudflare-api-token >/dev/null
|
||
args:
|
||
executable: /bin/bash
|
||
register: acme_gate
|
||
changed_when: false
|
||
failed_when: false
|
||
|
||
- name: Wait traefik rollout
|
||
when: acme_gate.rc == 0
|
||
ansible.builtin.shell: |
|
||
set -e
|
||
KUBECONFIG={{ k3s_kubeconfig }} kubectl -n kube-system rollout status deploy/traefik --timeout=180s
|
||
args:
|
||
executable: /bin/bash
|
||
changed_when: false
|
||
|
||
- name: Teardown 03-02 Traefik ACME (optional)
|
||
hosts: k3s_server
|
||
become: true
|
||
run_once: true
|
||
vars:
|
||
k3s_kubeconfig: /etc/rancher/k3s/k3s.yaml
|
||
verify_teardown: "{{ (VERIFY_TEARDOWN | default('1')) | string }}"
|
||
manifest_dest: /tmp/traefik-acme.yaml
|
||
acme_email: "{{ ACME_EMAIL | default('') }}"
|
||
tasks:
|
||
- name: Delete resources when VERIFY_TEARDOWN=1
|
||
when: verify_teardown == "1"
|
||
ansible.builtin.shell: |
|
||
set -e
|
||
# gated:只有在 deploy gate 通过且文件存在时才清理;否则跳过,避免 fail-fast。
|
||
test -n "{{ acme_email }}"
|
||
test -f "{{ manifest_dest }}"
|
||
KUBECONFIG={{ k3s_kubeconfig }} kubectl delete -f {{ manifest_dest }} --ignore-not-found=true
|
||
args:
|
||
executable: /bin/bash
|
||
changed_when: true
|
||
failed_when: false
|
||
|