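---
# Ansible one-shot deployment of the nginx matrix, TLS edition (M1~M4, HTTPS).
# Companion document: docs/03-02-k3s-traefik-acme.md
#
# Flow (mode=deploy): stage the TLS + HTTP-only manifests on the server →
# delete a pre-existing non-TLS nginx matrix (from 02-05) → kubectl apply
# (TLS and HTTP-only routes, 8 routes in total) → wait for the rollouts →
# verify with an HTTP-only and an HTTPS curl matrix (test01~test04.jackadam.top).
# Manifests live in ansible/files/nginx-matrix-tls/. Hostnames default to
# test01~test04.jackadam.top; adjust `tls_domains` below AND the M2/M4
# hostnames inside the manifests to match your setup. In the
# Ingress/IngressRoute objects the TLS routes bind only to the `websecure`
# entrypoint and the HTTP-only routes only to `web`.
# Prerequisites: ACME configured as in 03-02 (Secret + traefik-acme.yaml) and
# test01~test04.jackadam.top resolving to the ingress IP(s).
#
# Run (from the ansible/ directory):
#   ansible-playbook -i inventory.ini playbooks/nginx-matrix-tls-deploy.yml
# or from the repository root:
#   ansible-playbook -i ansible/inventory.ini ansible/playbooks/nginx-matrix-tls-deploy.yml
# Cleanup:
#   ansible-playbook -i inventory.ini playbooks/nginx-matrix-tls-deploy.yml -e mode=cleanup
#
# Verification sends requests to every host in k3s_nodes (all nodes are entry
# points, same as the 02-05 HTTP matrix). By default the HTTPS probes VERIFY
# the server certificate against the system CA store, so a Traefik default
# (self-signed) certificate — the usual symptom of a failed ACME issuance —
# shows up as a failure instead of a misleading 200. Pass
# `-e https_verify_cert=false` to fall back to `curl -k` (e.g. ACME staging).
- name: Deploy or cleanup nginx matrix TLS (M1~M4, HTTPS)
  hosts: k3s_server
  become: true
  # The whole play runs once, on the first k3s_server host; every kubectl call
  # below uses that host's kubeconfig via the play-level environment.
  run_once: true
  # Nothing below reads gathered facts (ansible_host is an inventory var).
  gather_facts: false
  environment:
    KUBECONFIG: "{{ k3s_kubeconfig }}"
  vars:
    # `mode` is supplied with `-e mode=cleanup` and defaults to deploy when
    # absent. Do NOT define `mode: "{{ mode | default('deploy') }}"` here —
    # a var referencing itself recurses.
    k3s_kubeconfig: /etc/rancher/k3s/k3s.yaml
    # Controller-side directory holding the manifests that `copy` reads.
    manifests_path: "{{ playbook_dir }}/../files/nginx-matrix-tls"
    # Server-side staging directory for the manifests. Deliberately NOT under
    # /tmp: a world-writable, predictable path lets any local user pre-create
    # the directory or swap files between the copy and the `kubectl apply`,
    # which runs as root against the cluster.
    remote_manifests_dir: /root/nginx-matrix-tls
    matrix_namespace: default
    # Deployments that make up the matrix; index i pairs with tls_domains[i].
    matrix_deployments:
      - nginx-m1
      - nginx-m2
      - nginx-m3
      - nginx-m4
    # One hostname per matrix member, in M1..M4 order; must match the
    # Ingress/IngressRoute hosts in the manifests.
    tls_domains:
      - test01.jackadam.top
      - test02.jackadam.top
      - test03.jackadam.top
      - test04.jackadam.top
    # Verify server certificates in the HTTPS probes (see header).
    https_verify_cert: true
    curl_tls_opts: "{{ '' if (https_verify_cert | bool) else '-k' }}"
    # Entry IPs probed by the curl matrix. Every k3s_nodes host must define
    # ansible_host (same requirement as the 02-05 HTTP matrix).
    entry_ips: >-
      {{ groups['k3s_nodes'] | default([])
         | map('extract', hostvars)
         | map(attribute='ansible_host') | list }}
  tasks:
    - name: Deploy nginx matrix TLS (mode=deploy)
      when: (mode | default('deploy')) == 'deploy'
      block:
        # `is directory` is evaluated on the controller, which is where `copy`
        # reads the manifests from. A remote `stat` would check the wrong host.
        - name: Fail if manifests not found on the controller
          ansible.builtin.fail:
            msg: "manifests 未找到: {{ manifests_path }},请从仓库根目录或 ansible 同级执行"
          when: not (manifests_path is directory)

        # Scheduling for M1 (control-plane) and M3 (worker) relies on these
        # node-role labels. Node names are assumed to equal the inventory
        # hostnames (short hostnames, e.g. ylc61~ylc64) — adjust if they differ.
        # kubectl prints "node/<name> not labeled" when the label already matched.
        - name: Ensure control-plane label on k3s_server nodes (for M1)
          ansible.builtin.command:
            argv:
              - kubectl
              - label
              - node
              - "{{ item }}"
              - node-role.kubernetes.io/control-plane=
              - --overwrite
          loop: "{{ groups['k3s_server'] | default([]) }}"
          register: cp_label
          changed_when: "'not labeled' not in cp_label.stdout"

        - name: Ensure worker label on k3s_worker nodes (for M3)
          ansible.builtin.command:
            argv:
              - kubectl
              - label
              - node
              - "{{ item }}"
              - node-role.kubernetes.io/worker=
              - --overwrite
          loop: "{{ groups['k3s_worker'] | default([]) }}"
          register: worker_label
          changed_when: "'not labeled' not in worker_label.stdout"

        # Create the directory explicitly: `copy`'s directory_mode only applies
        # to directories it creates itself, so an existing one would keep
        # whatever mode/owner it had.
        - name: Ensure manifests staging directory exists (root-only)
          ansible.builtin.file:
            path: "{{ remote_manifests_dir }}"
            state: directory
            owner: root
            group: root
            mode: "0700"

        - name: Copy nginx matrix TLS manifests to server
          ansible.builtin.copy:
            src: "{{ manifests_path }}/"
            dest: "{{ remote_manifests_dir }}/"
            owner: root
            group: root
            mode: "0644"
            directory_mode: "0700"

        # A non-TLS matrix from 02-05 uses the same object names; remove it
        # first so its Ingress/IngressRoute/Middleware objects neither conflict
        # with nor linger next to the TLS versions.
        - name: Delete non-TLS nginx matrix if present (deployments, ingress, ingressroute, middleware, configmaps)
          ansible.builtin.shell: |
            kubectl delete deployment,svc -n {{ matrix_namespace }} {{ matrix_deployments | join(' ') }} --ignore-not-found=true
            kubectl delete ingress -n {{ matrix_namespace }} nginx-m1 nginx-m3 --ignore-not-found=true
            kubectl delete ingressroute -n {{ matrix_namespace }} nginx-m2 nginx-m4 --ignore-not-found=true
            kubectl delete middleware -n {{ matrix_namespace }} stripprefix-m1 stripprefix-m2 stripprefix-m3 stripprefix-m4 --ignore-not-found=true
            kubectl delete configmap -n {{ matrix_namespace }} nginx-m1-html nginx-m2-html nginx-m3-html nginx-m4-html --ignore-not-found=true
          register: del_non_tls
          changed_when: "'deleted' in del_non_tls.stdout"

        - name: kubectl apply nginx matrix TLS + HTTP-only
          ansible.builtin.command:
            argv:
              - kubectl
              - apply
              - -R
              - -f
              - "{{ remote_manifests_dir }}/"
          register: k8s_apply
          changed_when: "'configured' in k8s_apply.stdout or 'created' in k8s_apply.stdout"

        # Pods mount the Mx ConfigMap; a restart guarantees they serve the
        # freshly applied content rather than a cached copy.
        - name: Restart nginx deployments so pods pick up ConfigMap (M1~M4 标识)
          ansible.builtin.command:
            cmd: "kubectl rollout restart deployment {{ matrix_deployments | join(' ') }} -n {{ matrix_namespace }}"
          register: restart_out
          changed_when: true

        # `rollout status` tracks the restart just triggered. A `kubectl wait`
        # on `-l app=...` can also select the terminating old pods, which
        # never become Ready and would make the wait time out spuriously.
        - name: Wait for nginx deployments to roll out
          ansible.builtin.command:
            argv:
              - kubectl
              - rollout
              - status
              - "deployment/{{ item }}"
              - -n
              - "{{ matrix_namespace }}"
              - --timeout=120s
          loop: "{{ matrix_deployments }}"
          register: wait_result
          changed_when: false

        - name: Verify nginx matrix TLS resources
          ansible.builtin.command:
            cmd: "kubectl get pod,svc,ing,ingressroute -n {{ matrix_namespace }} -o wide"
          register: verify
          changed_when: false

        - name: ">>> nginx matrix TLS 资源"
          ansible.builtin.debug:
            msg: "{{ verify.stdout_lines }}"

        # Identity check against the first entry node: the Mx marker inside
        # the pod's index.html, the X-Backend response header, and the served
        # certificate's subject/issuer (to tell an ACME certificate from the
        # Traefik default one).
        - name: 验证 M1~M4 标识(Pod 内 index.html 含 Mx、响应头 X-Backend、证书 issuer,取首个入口节点)
          ansible.builtin.shell: |
            first_ip="{{ entry_ips | first }}"
            domains="{{ tls_domains | join(' ') }}"
            ns="{{ matrix_namespace }}"
            i=0
            for d in $domains; do
              i=$((i+1))
              echo "=== M$i Pod 内 index.html 前 2 行 ==="
              # Capture first, then print: with a plain pipe the `|| echo` would
              # only see head's exit status and a failed exec would be silent.
              if html=$(kubectl exec -n "$ns" "deployment/nginx-m$i" -- cat /usr/share/nginx/html/index.html 2>/dev/null); then
                printf '%s\n' "$html" | head -2
              else
                echo "(exec 失败)"
              fi
              echo "=== M$i 响应头 X-Backend (入口 $first_ip) ==="
              curl -sI {{ curl_tls_opts }} "https://$d/" --resolve "$d:443:$first_ip" 2>/dev/null | grep -i x-backend || echo "(未看到 X-Backend)"
              echo "=== M$i 证书 subject/issuer (入口 $first_ip) ==="
              # Informational only, hence -k: print the certificate even when it
              # would not verify. Line format depends on curl's TLS backend.
              curl -skIv "https://$d/" --resolve "$d:443:$first_ip" 2>&1 | grep -iE '^\*[[:space:]]+(subject|issuer):' || echo "(未看到证书信息)"
              echo ""
            done
          register: m_check
          changed_when: false
          failed_when: false

        - name: ">>> M1~M4 验证"
          ansible.builtin.debug:
            msg: "{{ m_check.stdout_lines }}"

        # One probe per (entry node × domain) for each scheme. Target counts are
        # derived from the inventory and tls_domains rather than hard-coded.
        # A non-2xx/3xx code, a TLS verification failure or a timeout shows as
        # the code curl reported (000 on connection/TLS failure) or "fail".
        - name: curl 矩阵验证(所有节点 × 所有域名,HTTP-only 与 HTTPS)
          ansible.builtin.shell: |
            scheme="{{ item.scheme }}"
            port="{{ item.port }}"
            tls_opts="{{ curl_tls_opts if item.scheme == 'https' else '' }}"
            bases="{{ entry_ips | join(' ') }}"
            domains="{{ tls_domains | join(' ') }}"
            n_nodes={{ entry_ips | length }}
            n_domains={{ tls_domains | length }}
            count=0
            ok=0
            echo "=== $((n_nodes * n_domains)) 个目标 ($n_nodes 节点 × $n_domains 域名) {{ item.label }} ==="
            hdr="节点"
            i=0
            for d in $domains; do i=$((i+1)); hdr="$hdr M$i($d)"; done
            echo "$hdr"
            for base in $bases; do
              line=$(printf '%-12s' "$base")
              for d in $domains; do
                # $tls_opts is intentionally unquoted: it is empty or "-k".
                code=$(curl -s $tls_opts -o /dev/null -w '%{http_code}' --connect-timeout 5 "$scheme://$d/" --resolve "$d:$port:$base" 2>/dev/null) || code="fail"
                line="$line $(printf '%-14s' "$code")"
                count=$((count+1))
                [ "$code" = "200" ] && ok=$((ok+1))
              done
              echo "$line"
            done
            echo "---"
            echo "共验证 $count 个目标,$ok 个返回 200"
          loop:
            - { scheme: http, port: 80, label: HTTP }
            - { scheme: https, port: 443, label: HTTPS }
          loop_control:
            label: "{{ item.label }}"
          register: curl_matrix
          changed_when: false
          failed_when: false

        - name: ">>> curl 矩阵(HTTP-only / HTTPS)"
          ansible.builtin.debug:
            msg: "{{ item.stdout_lines }}"
          loop: "{{ curl_matrix.results }}"
          loop_control:
            label: "{{ item.item.label }}"

    - name: Cleanup nginx matrix TLS (mode=cleanup)
      when: (mode | default('deploy')) == 'cleanup'
      block:
        - name: Delete nginx matrix TLS + HTTP-only resources (deployments, ingress, ingressroute, configmaps)
          ansible.builtin.shell: |
            kubectl delete deployment,svc -n {{ matrix_namespace }} {{ matrix_deployments | join(' ') }} --ignore-not-found=true
            kubectl delete ingress -n {{ matrix_namespace }} nginx-m1 nginx-m3 nginx-m1-http nginx-m3-http --ignore-not-found=true
            kubectl delete ingressroute -n {{ matrix_namespace }} nginx-m2 nginx-m4 nginx-m2-http nginx-m4-http --ignore-not-found=true
            kubectl delete configmap -n {{ matrix_namespace }} nginx-m1-html nginx-m2-html nginx-m3-html nginx-m4-html --ignore-not-found=true
          register: del_tls
          changed_when: "'deleted' in del_tls.stdout"

        # /tmp/nginx-matrix-tls is the staging path earlier versions of this
        # playbook used; remove it too so no stale copy is left behind.
        - name: Remove staged nginx matrix TLS manifests directory
          ansible.builtin.file:
            path: "{{ item }}"
            state: absent
          loop:
            - "{{ remote_manifests_dir }}"
            - /tmp/nginx-matrix-tls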