choerodon · hindungWang · Aug 9, 2018 · Aug 9, 2018 · Aug 20, 2018 · Aug 20, 2018
diff --git a/.gitignore b/.gitignore
@@ -1,7 +1,11 @@
+# General
+.vagrant/
+.DS_Store
+
+# Log files (if you are creating logs in debug mode, uncomment this)
+# *.logs
+
+*.retry
 credentials/
-cluster.retry
 roles/debug
 debug.yml
-.DS_Store
-.vagrant
-debug.retry
diff --git a/upgrade-to-1.9.9.yml → 1.8.5-upgrade-to-1.9.9.yml b/upgrade-to-1.9.9.yml → 1.8.5-upgrade-to-1.9.9.yml
@@ -1,5 +1,5 @@
 # 集群更新存在一定风险，请谨慎操作
-# 使用命令：ansible-playbook -i inventory/hosts upgrade-to-1.9.9.yml
+# 使用命令：ansible-playbook -i inventory/hosts 1.8.5-upgrade-to-1.9.9.yml
 
 - hosts: all
   vars_prompt:
@@ -36,44 +36,6 @@
         --key /etc/ssl/etcd/ssl/client-key.pem \
         snapshot save {{ etcd_back_path.stdout }}
 
-# 升级etcd
-- hosts:
-  - etcd
-  tasks:
-  - name: Upgrade etcdctl
-    shell: >-
-      docker run --rm --entrypoint cat registry.cn-hangzhou.aliyuncs.com/choerodon-tools/etcd:v3.3.6 \
-      /usr/local/bin/etcdctl > /usr/local/bin/etcdctl && \
-      chmod +x /usr/local/bin/etcdctl
-    register: etcd_task_result
-    until: etcd_task_result.rc == 0
-    retries: 3
-    delay: 300
-    changed_when: false
-  - name: Edit etcd configfile
-    shell: sed -i 's/v3.2.4/v3.3.6/g' /usr/local/bin/etcd
-  - name: reload systemd
-    shell: systemctl daemon-reload
-  - name: Ensure etcd service is started and enabled
-    service:
-      name: etcd
-      enabled: yes
-      state: restarted
-  - name: Check if cluster is healthy
-    shell: >-
-      /usr/local/bin/etcdctl \
-      --ca-file /etc/ssl/etcd/ssl/ca.pem \
-      --cert-file /etc/ssl/etcd/ssl/client.pem \
-      --key-file /etc/ssl/etcd/ssl/client-key.pem \
-      --peers https://127.0.0.1:2379 cluster-health | grep -q 'cluster is healthy'
-    register: etcd_cluster_is_healthy
-    ignore_errors: true
-    changed_when: false
-    check_mode: no
-    until: etcd_cluster_is_healthy.rc == 0
-    retries: 10
-    delay: 5
-
 # 备份各节点配置文件
 - hosts:
   - kube-master
@@ -105,7 +67,8 @@
   - name: Edit master Kubernetes configfile
     shell: >-
       sed -i 's/kubernetesVersion.*$/kubernetesVersion\:\ v1.9.9/g' /etc/kubernetes/kubeadm-config.yaml \
-      && sed -i 's/GenericAdmissionWebhook/ValidatingAdmissionWebhook/g' /etc/kubernetes/kubeadm-config.yaml
+      && sed -i 's/GenericAdmissionWebhook/ValidatingAdmissionWebhook/g' /etc/kubernetes/kubeadm-config.yaml \
+      && sed -i 's/imageRepository.*$/imageRepository\:\ registry.cn-hangzhou.aliyuncs.com\/google_containers/g' /etc/kubernetes/kubeadm-config.yaml
 
 # 更新yum包
 - hosts:
@@ -139,31 +102,11 @@
   - name: Upgrade Kubernetes
     shell: 'kubeadm upgrade apply v1.9.9 --config=/etc/kubernetes/kubeadm-config.yaml -f'
 
-# 更新docker配置
-- hosts:
-  - kube-master
-  tasks:
-  - name: Upgrade docker configfile
-    ignore_errors: yes
-    shell: >-
-      jq '.["registry-mirrors"]|= .+["https://registry.docker-cn.com"]' /etc/docker/daemon.json > /tmp/docker-daemon.json && \
-      cp -f /tmp/docker-daemon.json /etc/docker/daemon.json
-  - name: remove old etcd_back
-    ignore_errors: yes
-    file: 
-      path: /tmp/docker-daemon.json
-      state: absent
-
 # 重启docker kubelet
 - hosts: all
   tasks:
   - name: reload systemd
     shell: systemctl daemon-reload
-  - name: restart docker
-    service:
-      name: docker
-      state: restarted
-      enabled: yes
   - name: restart kubelet
     service:
       name: kubelet

diff --git a/1.9.9-upgrade-to-1.10.12.yml b/1.9.9-upgrade-to-1.10.12.yml
@@ -0,0 +1,117 @@
+# 集群更新存在一定风险，请谨慎操作
+# 使用命令：ansible-playbook -i inventory/hosts 1.9.9-upgrade-to-1.10.12.yml
+
+- hosts: all
+  vars_prompt:
+    name: "upgrade_confirmation"
+    prompt: "Are you sure you want to upgrade cluster state? Type 'yes' to upgrade your cluster."
+    default: "no"
+    private: no
+  pre_tasks:
+  - name: upgrade confirmation
+    fail:
+      msg: "upgrade confirmation failed"
+    when: upgrade_confirmation != "yes"
+
+# 备份etcd数据
+- hosts:
+  - etcd
+  tasks:
+  - name: Ensure etcd backup directory
+    become: yes
+    file:
+      path: "{{item}}"
+      state: directory
+      mode: 0700
+    with_items:
+    - /etc/kubernetes/etcd_back
+  - name: Generate etcd backup file name 
+    shell: date "+/etc/kubernetes/etcd_back/etcd-%s.db"
+    register: etcd_back_path
+  - name: Snapshotting the etcd keyspace
+    shell: >-
+      ETCDCTL_API=3 /usr/local/bin/etcdctl \
+        --cacert /etc/ssl/etcd/ssl/ca.pem \
+        --cert /etc/ssl/etcd/ssl/client.pem \
+        --key /etc/ssl/etcd/ssl/client-key.pem \
+        snapshot save {{ etcd_back_path.stdout }}
+
+# 备份各节点配置文件
+- hosts:
+  - kube-master
+  - kube-node
+  tasks:
+  - name: Generate kubernetes backup configfile path
+    shell: date "+/etc/kubernetes_back/kubernetes-%s"
+    register: kubernetes_config_back_path
+  - name: Ensure backup directory
+    become: yes
+    file:
+      path: "{{item}}"
+      state: directory
+      mode: 0700
+    with_items:
+    - /etc/kubernetes_back
+    - "{{ kubernetes_config_back_path.stdout }}"
+  - name: Backup Kubernetes configfile
+    shell: cp -r /etc/kubernetes/* {{ kubernetes_config_back_path.stdout }}
+  - name: Remove old etcd_back
+    file: 
+      path: /etc/kubernetes/etcd_back
+      state: absent
+
+# 修改master节点配置文件
+- hosts:
+  - kube-master
+  tasks:
+  - name: Edit master Kubernetes configfile
+    shell: >-
+      sed -i 's/kubernetesVersion.*$/kubernetesVersion\:\ v1.10.12/g' /etc/kubernetes/kubeadm-config.yaml \
+      && sed -i 's/GenericAdmissionWebhook/ValidatingAdmissionWebhook/g' /etc/kubernetes/kubeadm-config.yaml \
+      && sed -i 's/imageRepository.*$/imageRepository\:\ registry.cn-hangzhou.aliyuncs.com\/google_containers/g' /etc/kubernetes/kubeadm-config.yaml
+
+# 更新yum包
+- hosts:
+  - kube-master
+  - kube-node
+  tasks:
+  - name: Ensure yum repository
+    become: yes
+    yum_repository:
+      name: kubernetes
+      description: kubernetes Repository
+      baseurl: https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
+      enabled: no
+      gpgcheck: no
+      state: present
+  - name: Ensure Kubernetes Yum repository
+    become: yes
+    yum:
+      enablerepo: kubernetes
+      name: "{{ item }}"
+      state: present
+    with_items:
+    - kubeadm-1.10.12-0.x86_64
+    - kubectl-1.10.12-0.x86_64
+    - kubelet-1.10.12-0.x86_64
+
+# 正式升级
+- hosts:
+  - kube-master
+  tasks:
+  - name: Upgrade Kubernetes
+    shell: 'kubeadm upgrade apply v1.10.12 --config=/etc/kubernetes/kubeadm-config.yaml -f'
+
+# 重启docker kubelet
+- hosts: all
+  tasks:
+  - name: reload systemd
+    shell: systemctl daemon-reload
+  - name: restart kubelet
+    service:
+      name: kubelet
+      state: restarted
+      enabled: yes
+  #Issues https://github.com/kubernetes/kubernetes/issues/21613
+  - name: Ensure KubeDNS is working
+    shell: echo '1' > /proc/sys/net/bridge/bridge-nf-call-iptables
diff --git a/README.md b/README.md
@@ -9,23 +9,10 @@ Kubeadmin ansible is a toolkit for simple and quick installing k8s cluster.
 Install the ansible run environment on the machine where the ansible script is to be executed:
 
 ```
-sudo yum install -y epel-release
-
-sudo yum install -y \
-    ansible \
-    git \
-    httpd-tools \
-    pyOpenSSL \
-    python-cryptography \
-    python-lxml \
-    python-netaddr \
-    python-passlib \
-    python-pip
-
-```
-View the version of ansible (version>=2.4.0.0)
-```
-ansible --version
+sudo yum install epel-release -y 
+sudo yum install git python36 sshpass -y
+sudo python3.6 -m ensurepip
+sudo /usr/local/bin/pip3 install --no-cache-dir ansible==2.7.5 netaddr
 ```
 
 Clone project：
@@ -447,4 +434,25 @@ Pull requests are welcome! Follow [this link](https://github.com/choerodon/choer
 ## 8. Upgrading the cluster
 
 - **There are certain risks in cluster update. Please be cautious.**
-- Use command：`ansible-playbook -i inventory/hosts upgrade-to-1.9.9.yml`
+- Use command upgrade to 1.9.9 version：`ansible-playbook -i inventory/hosts 1.8.5-upgrade-to-1.9.9.yml`
+- Use command upgrade to 1.10.12 version：`ansible-playbook -i inventory/hosts 1.9.9-upgrade-to-1.10.12.yml`
+
+## 9. Refresh cluster certificate
+
+> The prerequisite for refreshing the certificate is to ensure that the CA root certificate exists. After the certificate is refreshed, the master node kubelet is restarted to apply the new certificate. At this time, the cluster may not be operated for 1-2 minutes, but the business application is not affected.
+
+```
+ansible-playbook -i inventory/hosts -e @inventory/vars renew-certs.yml
+```
+
+## 10. Load Choerodon images
+
+If you need to separately import the images of the Choerodon platform to speed up the installation,Please execute on the machine where ansible is installed:
+
+```
+wget -O ~/c7n.tar http://oss.saas.hand-china.com/c7n.tar
+
+export ANSIBLE_HOST_KEY_CHECKING=False
+
+ansible-playbook -i inventory/hosts load-choerodon-images.yml
+```
diff --git a/README_zh-CN.md b/README_zh-CN.md
@@ -5,21 +5,10 @@
 在要执行ansible脚本的机器上安装ansible运行需要的环境：
 
 ```
-sudo yum install -y epel-release
-
-sudo yum install -y \
-    ansible \
-    git \
-    httpd-tools \
-    pyOpenSSL \
-    python-cryptography \
-    python-lxml \
-    python-netaddr \
-    python-passlib \
-    python-pip
-
-# 查看ansible版本（version>=2.4.0.0）
-ansible --version
+sudo yum install epel-release -y 
+sudo yum install git python36 sshpass -y
+sudo python3.6 -m ensurepip
+sudo /usr/local/bin/pip3 install --no-cache-dir ansible==2.7.5 netaddr -i https://mirrors.aliyun.com/pypi/simple/
 ```
 
 克隆项目：
@@ -433,5 +422,28 @@ spec:
 
 ## 8. 升级集群
 
+> 由于使用kubeadm限制，不能跨次版本号进行升级，故需升级至1.10.12版本Kubernetes请先升级集群至1.9.9版本。
+
 - **集群更新存在一定风险，请谨慎操作**
-- 使用命令：`ansible-playbook -i inventory/hosts upgrade-to-1.9.9.yml`
+- 升级至1.9.9版本：`ansible-playbook -i inventory/hosts 1.8.5-upgrade-to-1.9.9.yml`
+- 升级至1.10.12版本：`ansible-playbook -i inventory/hosts 1.9.9-upgrade-to-1.10.12.yml`
+
+## 9. 刷新集群证书
+
+> 刷新证书的前提需要保证CA根证书存在，证书刷新后会重启master节点 kubelet 以应用新的证书，届时可能导致1-2分钟无法操作集群，但业务应用是不受影响的。
+
+```
+ansible-playbook -i inventory/hosts -e @inventory/vars renew-certs.yml
+```
+
+## 10. 导入猪齿鱼平台镜像
+
+如果需要单独导入猪齿鱼平台的镜像以加快安装速度，请在安装ansible的机器上执行：
+
+```
+wget -O ~/c7n.tar http://oss.saas.hand-china.com/c7n.tar
+
+export ANSIBLE_HOST_KEY_CHECKING=False
+
+ansible-playbook -i inventory/hosts load-choerodon-images.yml
+```
diff --git a/Vagrantfile b/Vagrantfile
@@ -11,7 +11,8 @@ Vagrant.configure(2) do |config|
     n = 10 + i
     s.vm.network "private_network", ip: "192.168.56.#{n}"
     s.vm.provider "virtualbox" do |v|
-        v.memory = 2048
+        v.cpus = 2
+        v.memory = 4096
     end
     end
 end
@@ -20,4 +21,4 @@ if Vagrant.has_plugin?("vagrant-cachier")
     config.cache.scope = :box
 end
 
-end
+end
diff --git a/inventory/hosts b/inventory/hosts
@@ -1,24 +1,19 @@
 [all]
-node1 ansible_host=192.168.56.11 ansible_user=root ansible_ssh_pass=vagrant ansible_become=true
-node2 ansible_host=192.168.56.12 ansible_user=root ansible_ssh_pass=vagrant ansible_become=true
-node3 ansible_host=192.168.56.13 ansible_user=root ansible_ssh_pass=vagrant ansible_become=true
+node1 ansible_host=192.168.56.11 ip=192.168.56.11 ansible_user=root ansible_ssh_pass=vagrant ansible_become=true
+node2 ansible_host=192.168.56.12 ip=192.168.56.12 ansible_user=root ansible_ssh_pass=vagrant ansible_become=true
+node3 ansible_host=192.168.56.13 ip=192.168.56.13 ansible_user=root ansible_ssh_pass=vagrant ansible_become=true
 
 [kube-master]
 node1
 node2
 node3
 
-
 [etcd]
 node1
 node2
 node3
 
-
 [kube-node]
 node1
 node2
 node3
-
-
-