
Ansible container in the kubernetes

nnao45
September 21, 2018

Transcript

  1. Self-introduction: MY NAME IS NNAO45 (@nnao45)

    ✓ 26 years old (born 1991, Heisei 3)
    ✓ Currently mainly a cloud person
    ✓ Call me "Enunao"
    ✓ 10 years of tennis
    ✓ 4th year in IT
    ✓ Go is the best!! zsh is the best!!
    ✓ Organizer of the cndjp study group
    ✓ CyberAgent, Inc.
    ✓ Background mainly in ISP networking
  2. What is Kubernetes? INTRODUCTION OF START UP THE K8S MONITORING.

    In short, a container orchestrator, together with the group of microservices that make that happen. http://dondocker.com/guardar-nuestras-imagenes-docker/
  3. Getting Started with Ansible Container: initialize the Ansible Container project

    ~/myproject # ansible-container init
    Ansible Container initialized.
    ~/myproject # ls
    ansible-requirements.txt … lists the Ansible modules to run
    ansible.cfg … hardly ever used
    container.yml … the main file
    meta.yml … needed when publishing to Ansible Galaxy
    requirements.yml … needed when container.yml uses Role modules
  4. ?

  5. Getting Started with Ansible Container: what is container.yml?

    project_name: myproject
    deployment_output_path: ./ansible-deployment
    k8s_auth:
      # path to a K8s config file
      config_file:
      # name of a context found within the config file
      context:
      # URL for accessing the K8s API
      host:
      # An API authentication token
      api_key:
      # Path to a ca cert file
      ssl_ca_cert:
      # Path to a cert file
      cert_file:
      # Path to a key file
      key_file:
      # boolean, indicating if SSL certs should be validated
      #verify_ssl:
    k8s_namespace:
      name:
      description:
      display_name:
    services: {
      // list the services to deploy here
    }
    registries: {
      // list the registries that the CD pipeline pushes images to after a build
    }
  7. Getting Started with Ansible Container: what is container.yml?

    services:
      web:
        from: "ubuntu:xenial"
        ports:
          - "80:80"
        command: ["/usr/sbin/nginx", "-g", "daemon off;"]
        roles:
          - "apache-container"
      wordpress-db:
        from: "mysql:latest"
        expose: [3306]
        environment:
          MYSQL_MAJOR: 5.7
          MYSQL_VERSION: 5.7.18-1debian8
          MYSQL_DATABASE: wordpress
          MYSQL_USER: wordpress
          MYSQL_PASSWORD: foobar
          MYSQL_ROOT_PASSWORD: foobar

    services: the first key nested under it becomes the group name.
    from: which container to use as the base. Around v0.4.0 this key was called image; it has since been renamed to something more intuitive.
    ports: the ports to make reachable from outside. Even when the same port is used inside and outside, writing it explicitly as "80:80" keeps it readable.
    command: the command to run when the container starts. In the demo, starting Nginx with "/etc/init.d/nginx start" would run it in the background and the container would exit immediately, so "-g daemon off;" is passed as an argument to keep it in the foreground.
    roles: the Roles to run against the container. A Role fetched from Ansible Galaxy must also be listed in requirements.yml.
    dev_overrides: applied only for ansible-container run and ignored by build and deploy. Useful for things you only want to try locally or in a development environment: for example, changing a port only in development, or passing an environment variable that marks the environment as development when your config works like feature flags. It is not used in the demo, but it is an important parameter, so it is introduced here.
    https://qiita.com/komattaka/items/698f47358bb945ec125e
  8. Getting Started with Ansible Container: container.yml Kubernetes config example

    Service settings
    k8s:
      service:
        force: false
        cluster_ip: 10.0.171.239
        load_balancer_ip: 78.11.24.19
        type: LoadBalancer
        metadata:
          annotations:
            service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012

    Deployment settings
    k8s:
      deployment:
        force: false
        replicas: 2
        security_context:
          run_as_user: root
        strategy:
          type: Rolling
          rolling_params:
            timeout_seconds: 120
            max_surge: "20%"
            max_unavailable: "10%"
            pre: {}
            post: {}
        triggers:
          - type: "ImageChange"
            image_change_params:
              automatic: true
              from:
                kind: "ImageStreamTag"
                name: "test-mkii-web:latest"
              container_names:
                - "web"

    And volumes, routes…
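A review check for the container.yml shown on slides 7 and 8, added here as an example (not code from the slides or from the Ansible Container project): it walks the parsed services and flags credentials stored as literals, base images without a pinned tag, and deployments that run as root. The dict is a constructed in-memory copy of the slides' YAML; the k8s block sits under each service, as it does in a real container.yml, and yaml.safe_load would give the same structure from the file.

```python
import re

# Constructed copy of the services: section from slides 7 and 8, with the
# k8s: deployment block placed under the web service as container.yml nests it.
SERVICES = {
    "web": {
        "from": "ubuntu:xenial",
        "ports": ["80:80"],
        "command": ["/usr/sbin/nginx", "-g", "daemon off;"],
        "roles": ["apache-container"],
        "k8s": {"deployment": {"replicas": 2,
                               "security_context": {"run_as_user": "root"}}},
    },
    "wordpress-db": {
        "from": "mysql:latest",
        "expose": [3306],
        "environment": {"MYSQL_MAJOR": "5.7", "MYSQL_VERSION": "5.7.18-1debian8",
                        "MYSQL_DATABASE": "wordpress", "MYSQL_USER": "wordpress",
                        "MYSQL_PASSWORD": "foobar", "MYSQL_ROOT_PASSWORD": "foobar"},
    },
}

SECRET_KEY = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)
# A value such as "{{ lookup('env', 'DB_PASS') }}" is resolved at run time, not stored.
TEMPLATED = re.compile(r"^\s*\{\{.*\}\}\s*$")


def env_items(environment):
    """ansible-container accepts a mapping or a list of KEY=value strings."""
    if isinstance(environment, dict):
        return list(environment.items())
    return [tuple(e.split("=", 1)) for e in (environment or []) if "=" in e]


def lint_services(services):
    """Return (service, finding) pairs for settings worth a second look."""
    findings = []
    for name, svc in services.items():
        for key, value in env_items(svc.get("environment")):
            if SECRET_KEY.search(key) and not TEMPLATED.match(str(value)):
                findings.append((name, f"literal secret in environment: {key}"))
        base = svc.get("from", "")
        # No tag, or :latest, means the next build may silently pull a different image.
        if ":" not in base or base.endswith(":latest"):
            findings.append((name, f"unpinned base image: {base}"))
        sc = svc.get("k8s", {}).get("deployment", {}).get("security_context", {})
        if str(sc.get("run_as_user", "")) in ("root", "0"):
            findings.append((name, "deployment runs as root (security_context.run_as_user)"))
    return findings
```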
  9. Getting Started with Ansible Container: how is it built? > ansible-container build

    Diagram: conductor container → target container image
    The conductor container runs Ansible through the container runtime (probably via exec or something similar), so deploying to the target container needs no SSH or authentication setup (perhaps its biggest feature). Running ansible-container build with --debug shows the whole process; recommended.
  10. Getting Started with Ansible Container: how the conductor container works

    The conductor container is based on centos:7 by default, but it can be switched to another OS, and your own container image is of course fine too. Editing ansible-requirements.txt changes the versions of the packages used by the Ansible that runs inside the conductor container. ansible-container enables gather_facts by default, but that can also be turned off by setting it in ansible.cfg.
  11. Getting Started with Ansible Container: how is it built? > ansible-container shipit > ansible-playbook *.yml

    Diagram: target Kubernetes service
    The ansible-container shipit command converts the deployment, roles and so on into a form that ansible-playbook can run; running the result with ansible-playbook deploys it onto Kubernetes.
  12. Getting Started with Ansible Container: summary by example

    # Init the project
    $ ansible-container init
    # Make Role or Install the jenkins-container role
    $ ansible-container install awasilyev.jenkins-container
    # Build the images on the ADB virtual machine
    $ ansible-container --no-selinux build
    # Generate the deployment playbook and role
    $ ansible-container --no-selinux shipit k8s --local-images
    # Set the working directory to ansible
    $ cd ansible
    # Run the playbook
    $ ansible-playbook shipit-k8s.yml
  13. Addition: Amazon EKS

    Create the Amazon EKS service role
    Create the Amazon EKS cluster VPC
    Install and configure kubectl for Amazon EKS
    Install aws-iam-authenticator for Amazon EKS
    Download and install the latest AWS CLI
    Create the Amazon EKS cluster
    Configure kubectl for Amazon EKS
    Launch and configure the Amazon EKS worker nodes
    That is just the prep work...
  15. Addition: Amazon EKS, create the Amazon EKS service role

    - name: "copy"
      copy:
        src: ./eks-roles-policy.json
        dest: /root/eks-roles-policy.json
        owner: root
        group: root
        mode: 0600
      register: result
    - name: "create-role"
      shell: |
        aws iam create-role --role-name eks --assume-role-policy-document file:///root/eks-roles-policy.json
      register: result
    - name: "attach-role1"
      shell: |
        aws iam attach-role-policy --role-name eks --policy-arn arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
      register: result
    - name: "attach-role2"
      shell: |
        aws iam attach-role-policy --role-name eks --policy-arn arn:aws:iam::aws:policy/AmazonEKSServicePolicy
      register: result

    eks-roles-policy.json:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": { "Service": "eks.amazonaws.com" },
          "Action": "sts:AssumeRole"
        }
      ]
    }
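An added example, not from the slides: a check to run on eks-roles-policy.json before the create-role task hands it to `aws iam create-role`. The trust policy decides who may assume the cluster's service role, so it should name only the EKS service principal; a wildcard or an extra principal here lets other identities take over the role. The policy string is the one on the slide; the helper names are my own.

```python
import json

# The assume-role policy document the "copy" task ships as eks-roles-policy.json.
EKS_TRUST_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "Service": "eks.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}"""


def _as_list(value):
    """IAM allows a single string where a list is expected; normalise."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(document, allowed_service="eks.amazonaws.com"):
    """Return a list of problems; an empty list means every Allow statement
    grants sts:AssumeRole to `allowed_service` and nothing else."""
    policy = json.loads(document)
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version should be 2012-10-17")
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action", []))
        if any(a != "sts:AssumeRole" for a in actions):
            problems.append(f"statement {i}: unexpected action(s) {actions}")
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            problems.append(f"statement {i}: wildcard principal can assume the role")
            continue
        if not isinstance(principal, dict):
            problems.append(f"statement {i}: missing or malformed Principal")
            continue
        for ptype, who in principal.items():
            for p in _as_list(who):
                if ptype != "Service" or p != allowed_service:
                    problems.append(f"statement {i}: unexpected principal {ptype}={p}")
    return problems
```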
  17. Addition: Amazon EKS, create the Amazon EKS cluster VPC

    - name: "create eks-demo-vpc deploy"
      shell: aws cloudformation create-stack --stack-name eks-vpc --region us-east-1 --template-url https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-06-05/amazon-eks-vpc-sample.yaml
      register: result
    - debug: var=result.stdout_lines
      when: result | success
      tags:
        - always
  19. Addition: Amazon EKS, install and configure kubectl, install aws-iam-authenticator, download and install the latest AWS CLI

    - name: "download"
      become: yes
      shell: curl {{ KUBECTL_CLI.URL }} -o {{ GET_URL_TEMP_DIRECTORY }}/{{ KUBECTL_CLI.FILE_NAME }}
    - name: "chmod"
      become: yes
      shell: chmod +x {{ GET_URL_TEMP_DIRECTORY }}/{{ KUBECTL_CLI.FILE_NAME }}
    - name: "cp"
      become: yes
      shell: cp {{ GET_URL_TEMP_DIRECTORY }}/{{ KUBECTL_CLI.FILE_NAME }} /bin/{{ KUBECTL_CLI.FILE_NAME }}
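The tasks above install whatever curl returned, with nothing between the download and the copy into /bin. As an added example (not from the slides), this is the step a practitioner would put there: compare the file's SHA-256 with the checksum the vendor publishes and only then make it executable and install it. The fake kubectl file and the tampered copy in `demo()` are constructed; in real use `expected_sha256` comes from the published checksum file, not from the download itself.

```python
import hashlib
import os
import shutil
import stat
import tempfile


def sha256_of(path):
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def install_verified_binary(downloaded, expected_sha256, dest_dir):
    """Copy `downloaded` into `dest_dir` as mode 0755 only if its SHA-256
    matches; otherwise raise ValueError and leave `dest_dir` untouched."""
    actual = sha256_of(downloaded)
    if actual != expected_sha256.strip().lower():
        raise ValueError(f"checksum mismatch: expected {expected_sha256}, got {actual}")
    dest = os.path.join(dest_dir, os.path.basename(downloaded))
    tmp = dest + ".part"  # write beside the target, then rename atomically
    shutil.copyfile(downloaded, tmp)
    os.chmod(tmp, stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH)
    os.replace(tmp, dest)
    return dest


def demo():
    """Constructed stand-in for the curl step: a fake kubectl in a temp dir.
    Returns (installed_ok, tampered_rejected)."""
    work = tempfile.mkdtemp()
    downloaded, bindir = os.path.join(work, "kubectl"), os.path.join(work, "bin")
    os.mkdir(bindir)
    with open(downloaded, "wb") as f:
        f.write(b"#!/bin/sh\necho fake kubectl\n")
    good_hash = sha256_of(downloaded)  # stands in for the published checksum
    installed = install_verified_binary(downloaded, good_hash, bindir)
    with open(downloaded, "ab") as f:
        f.write(b"echo tampered\n")  # simulate a modified download
    try:
        install_verified_binary(downloaded, good_hash, bindir)
        rejected = False
    except ValueError:
        rejected = True
    ok = os.path.exists(installed) and (os.stat(installed).st_mode & 0o111) != 0
    shutil.rmtree(work)
    return ok, rejected
```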
  21. Addition: Amazon EKS, create the Amazon EKS cluster

    - name: "regist var1"
      shell: aws cloudformation describe-stacks --stack-name eks-vpc --query 'Stacks[0].Outputs[?OutputKey==`SubnetIds`][].OutputValue' --output text
      register: var1
    - name: "regist var2"
      shell: aws cloudformation describe-stacks --stack-name eks-vpc --query 'Stacks[0].Outputs[?OutputKey==`SecurityGroups`][].OutputValue' --output text
      register: var2
    - name: "regist var3"
      shell: aws iam get-role --role-name eks --query 'Role.Arn' --output text
      register: var3
    - name: "create cluster"
      shell: |
        aws eks create-cluster --name test-cluster --role-arn {{ var3.stdout }} --resources-vpc-config subnetIds={{ var1.stdout }},securityGroupIds={{ var2.stdout }}
      register: result
  23. Addition: Amazon EKS, configure kubectl for Amazon EKS

    - name: "mkdir"
      file: path=/root/.kube state=directory owner=root group=root mode=0700
    - name: "regist var1"
      shell: aws eks describe-cluster --name test-cluster --query cluster.endpoint
      register: endpoint
    - name: "regist var2"
      shell: aws eks describe-cluster --name test-cluster --query cluster.certificateAuthority.data
      register: base64
    - name: "template"
      template: src=template/config-test-cluster.j2 dest=/root/.kube/config-test-cluster owner=root group=root mode=0600

    config-test-cluster.j2:
    apiVersion: v1
    clusters:
    - cluster:
        server: {{ endpoint.stdout }}
        certificate-authority-data: {{ base64.stdout }}
      name: kubernetes
    contexts:
    - context:
        cluster: kubernetes
        user: aws
      name: aws
    current-context: aws
    kind: Config
    preferences: {}
    users:
    - name: aws
      user:
        exec:
          apiVersion: client.authentication.k8s.io/v1alpha1
          command: aws-iam-authenticator
          args:
            - "token"
            - "-i"
            - "test-cluster"
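An added example (not from the slides) that builds the same kubeconfig the config-test-cluster.j2 template renders, from the two values the playbook registers with `aws eks describe-cluster`. It adds two checks the template does not make, that the endpoint is an https URL and that certificateAuthority.data decodes to a PEM certificate, and it strips the JSON quotes that `--query` leaves around both values when `--output text` is not given. The sample endpoint and certificate are constructed placeholders.

```python
import base64
import re

# Constructed samples standing in for the registered endpoint.stdout and
# base64.stdout; the CLI's default JSON output wraps each value in quotes.
SAMPLE_ENDPOINT = '"https://EXAMPLE0123456789.yl4.us-east-1.eks.amazonaws.com"'
SAMPLE_CA_B64 = '"' + base64.b64encode(
    b"-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
).decode() + '"'


def _unquote(value):
    """aws ... --query X without --output text prints a JSON string literal."""
    value = value.strip()
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def make_kubeconfig(endpoint_stdout, ca_stdout, cluster_name):
    """Return the kubeconfig dict the j2 template produces, after validation."""
    endpoint = _unquote(endpoint_stdout)
    ca_b64 = _unquote(ca_stdout)
    if not re.fullmatch(r"https://[A-Za-z0-9.-]+(:\d+)?", endpoint):
        raise ValueError(f"cluster endpoint is not an https URL: {endpoint!r}")
    try:
        pem = base64.b64decode(ca_b64, validate=True)
    except ValueError as exc:
        raise ValueError("certificateAuthority.data is not valid base64") from exc
    if not pem.startswith(b"-----BEGIN CERTIFICATE-----"):
        raise ValueError("certificateAuthority.data does not decode to a PEM certificate")
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9_-]{0,99}", cluster_name):
        raise ValueError(f"invalid EKS cluster name: {cluster_name!r}")
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "preferences": {},
        "clusters": [{"name": "kubernetes", "cluster": {
            "server": endpoint, "certificate-authority-data": ca_b64}}],
        "contexts": [{"name": "aws", "context": {"cluster": "kubernetes", "user": "aws"}}],
        "current-context": "aws",
        "users": [{"name": "aws", "user": {"exec": {
            "apiVersion": "client.authentication.k8s.io/v1alpha1",
            "command": "aws-iam-authenticator",
            # -i is the cluster ID the API server checks the token against
            "args": ["token", "-i", cluster_name]}}}],
    }
```

The returned dict is valid YAML when dumped as JSON, so it can be written straight to /root/.kube/config-test-cluster in place of the template.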
  26. Addition: Amazon EKS, launch and configure the Amazon EKS worker nodes

    - name: "regist subnet"
      shell: aws cloudformation describe-stacks --stack-name eks-vpc --query 'Stacks[0].Outputs[?OutputKey==`SubnetIds`][].OutputValue' --output text
      register: subnet
    - name: "regist vpc"
      shell: aws cloudformation describe-stacks --stack-name eks-vpc --query 'Stacks[0].Outputs[?OutputKey==`VpcIds`][].OutputValue' --output text
      register: vpc
    - name: "regist sg"
      shell: aws cloudformation describe-stacks --stack-name eks-vpc --query 'Stacks[0].Outputs[?OutputKey==`SecurityGroups`][].OutputValue' --output text
      register: sg
    - name: "create eks worker node group"
      # the node group stack needs its own name (eks-nodegroup here); reusing eks-vpc fails because that stack already exists
      shell: aws cloudformation create-stack --stack-name eks-nodegroup --region us-east-1 --template-url https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-07-26/amazon-eks-nodegroup.yaml --parameters ClusterName=test-cluster,ClusterControlPlaneSecurityGroup={{ sg.stdout }},NodeGroupName=test-cluster,NodeAutoScalingGroupMinSize=1,NodeAutoScalingGroupMaxSize=1,NodeInstanceType=t2.large,NodeImageId=ami-048486555686d18a0,VpcId={{ vpc.stdout }},Subnets={{ subnet.stdout }}
      register: result