From ce09c58b655ab32a3d8d694066b3c709ac9a5928 Mon Sep 17 00:00:00 2001 
From: "haifeng_on_8.32" Date: Mon, 26 Oct 2020 16:59:26 +0800 Subject: [PATCH] updated etcd_install and k8s_master_install at migrating k8s-9.91 to k8s-10.21. --- .../ingress-nginx-controller/Dockerfile | 3 +- etcd_install/tasks/create_etcd_dir.yml | 33 +++++----- .../etcd_install/install_etcd_for_binary.yml | 24 +++----- etcd_install/tasks/generate_certs.yml | 61 ++++++++++++++++--- k8s_master_install/defaults/main.yml | 4 +- k8s_master_install/tasks/create_k8s_dir.yml | 4 +- .../tasks/generate_k8s_certs.yml | 61 ++++++++++++++----- .../tasks/install_k8s_master.yml | 2 +- k8s_master_install/tasks/main.yml | 2 +- .../k8s-dashboard-csr.json | 0 .../k8s-front-proxy-ca-csr.json | 0 .../k8s-front-proxy-client-csr.json | 0 .../{ => k8s_certs_json}/k8s-gencert.json | 0 .../k8s-kube-apiserver-csr.json | 0 ...k8s-kube-apiserver-kubelet-client-csr.json | 0 .../k8s-kube-controller-manager-csr.json | 0 .../k8s-kube-proxy-csr.json | 0 .../k8s-kube-scheduler-csr.json | 0 .../k8s-kubernetes-admin-csr.json | 0 .../k8s-prometheus-adapter-csr.json | 0 .../{ => k8s_certs_json}/k8s-root-ca-csr.json | 0 .../tasks/create_syncuser.yml | 3 +- mysql_binary_install/tasks/install_mysql.yml | 1 + mysql_binary_install/tasks/sync_to_master.yml | 2 +- mysql_mha_install/defaults/main.yml | 2 +- mysql_user/tasks/create_mysql_app_users.yml | 3 +- .../tasks/install_pmm_client_for_tgz.yml | 5 +- pmm-client_install/tasks/main.yml | 35 +++++------ 28 files changed, 164 insertions(+), 81 deletions(-) rename k8s_master_install/templates/{ => k8s_certs_json}/k8s-dashboard-csr.json (100%) rename k8s_master_install/templates/{ => k8s_certs_json}/k8s-front-proxy-ca-csr.json (100%) rename k8s_master_install/templates/{ => k8s_certs_json}/k8s-front-proxy-client-csr.json (100%) rename k8s_master_install/templates/{ => k8s_certs_json}/k8s-gencert.json (100%) rename k8s_master_install/templates/{ => k8s_certs_json}/k8s-kube-apiserver-csr.json (100%) rename k8s_master_install/templates/{ => 
k8s_certs_json}/k8s-kube-apiserver-kubelet-client-csr.json (100%) rename k8s_master_install/templates/{ => k8s_certs_json}/k8s-kube-controller-manager-csr.json (100%) rename k8s_master_install/templates/{ => k8s_certs_json}/k8s-kube-proxy-csr.json (100%) rename k8s_master_install/templates/{ => k8s_certs_json}/k8s-kube-scheduler-csr.json (100%) rename k8s_master_install/templates/{ => k8s_certs_json}/k8s-kubernetes-admin-csr.json (100%) rename k8s_master_install/templates/{ => k8s_certs_json}/k8s-prometheus-adapter-csr.json (100%) rename k8s_master_install/templates/{ => k8s_certs_json}/k8s-root-ca-csr.json (100%)
diff --git a/dockerFiles/ingress-nginx-controller/Dockerfile b/dockerFiles/ingress-nginx-controller/Dockerfile
index b540b8e..93eefac 100644
--- a/dockerFiles/ingress-nginx-controller/Dockerfile
+++ b/dockerFiles/ingress-nginx-controller/Dockerfile
@@ -1 +1,2 @@
-FROM k8s.gcr.io/ingress-nginx/controller:v0.35.0
+#FROM k8s.gcr.io/ingress-nginx/controller:v0.35.0
+FROM k8s.gcr.io/ingress-nginx/controller:v0.40.2
diff --git a/etcd_install/tasks/create_etcd_dir.yml b/etcd_install/tasks/create_etcd_dir.yml
index 30d07f0..0bb5855 100644
--- a/etcd_install/tasks/create_etcd_dir.yml
+++ b/etcd_install/tasks/create_etcd_dir.yml
@@ -1,18 +1,23 @@ - name: create etcd dir file: path: '{{ item.path }}' - owner: '{{ item.owner }}' - group: '{{ item.group }}' - mode: '{{ item.mode }}' + owner: '{{ item.owner | default(etcd_run_user, true) }}' + group: '{{ item.group | default(etcd_run_user, true) }}' + mode: '{{ item.mode | default("0755", true)}}' state: directory - with_items: - - { path: "{{app_base_dir}}", owner: root, group: root, mode: "0755" } - - { path: "{{etcd_log_dir}}", owner: '{{etcd_run_user}}', group: '{{etcd_run_user}}', mode: "0755" } - - { path: "{{etcd_data_dir}}", owner: '{{etcd_run_user}}', group: '{{etcd_run_user}}', mode: "0755" } - - { path: "{{etcd_data_dir}}/{{etcd_name}}.etcd", owner: '{{etcd_run_user}}', group: '{{etcd_run_user}}', mode: "0755" } - - { path: "{{etcd_data_dir}}/wal", owner: '{{etcd_run_user}}', group: '{{etcd_run_user}}', mode: "0755" } - - { path: "{{etcd_var_dir}}", owner: '{{etcd_run_user}}', group: '{{etcd_run_user}}', mode: "0755" } - - { path: "{{etcd_conf_dir}}", owner: '{{etcd_run_user}}', group: '{{etcd_run_user}}', mode: "0755" } - - { path: "{{etcd_conf_dir}}/ssl", owner: '{{etcd_run_user}}', group: '{{etcd_run_user}}', mode: "0755"} - - { path: "{{script_deploy_dir}}", owner: 'root', group: 'root', mode: "0755"} - - { path: "{{etcd_backup_dir}}", owner: '{{etcd_run_user}}', group: '{{etcd_run_user}}', mode: "0755"} + loop: + - path: "{{app_base_dir}}" + owner: root + group: root + mode: "0755" + - path: "{{etcd_log_dir}}" + - path: "{{etcd_data_dir}}" + - path: "{{etcd_data_dir}}/{{etcd_name}}.etcd" + mode: "0700" + - path: "{{etcd_data_dir}}/wal" + mode: "0700" + - path: "{{etcd_var_dir}}" + - path: "{{etcd_conf_dir}}" + - path: "{{etcd_conf_dir}}/ssl" + - path: "{{script_deploy_dir}}" + - path: "{{etcd_backup_dir}}" diff --git a/etcd_install/tasks/etcd_install/install_etcd_for_binary.yml b/etcd_install/tasks/etcd_install/install_etcd_for_binary.yml index 222df39..58a9410 100644 
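Review bot: With the new `default(etcd_run_user, true)` fallbacks, `{{script_deploy_dir}}` is now created owned by `etcd_run_user`, where the removed `with_items` entry made it `root:root`; if anything privileged runs scripts from that directory (not visible in this hunk), the etcd service account could then replace them. The tightening to `"0700"` also stops at the `.etcd` and `wal` subdirectories: `{{etcd_conf_dir}}/ssl` and `{{etcd_backup_dir}}` still fall through to the `"0755"` default, although they presumably hold private keys and snapshot data. I would keep the explicit `owner: root` / `group: root` on the `script_deploy_dir` item and add `mode: "0700"` to the `ssl` and backup items.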
--- a/etcd_install/tasks/etcd_install/install_etcd_for_binary.yml +++ b/etcd_install/tasks/etcd_install/install_etcd_for_binary.yml @@ -11,30 +11,24 @@ - name: cp and unarchive etcd_binary_tarball to remote host unarchive: - src: '{{ item.src }}' - dest: '{{ item.dest }}' + src: '{{ etcd_packet }}' + dest: '{{ etcd_install_dir }}' owner: '{{ etcd_run_user }}' group: '{{ etcd_run_user }}' - creates: '{{ item.creates }}' + creates: '{{ etcd_install_dir }}/{{etcd_dir_name.stdout }}' mode: "0755" - loop: - - { src: '{{etcd_packet}}', dest: '{{ etcd_install_dir}}/', creates: '{{ etcd_install_dir }}/{{etcd_dir_name.stdout}}' } - name: create etcd link dir file: - src: '{{ item.src }}' - dest: '{{item.dest}}' - state: '{{ item.state }}' - with_items: - - { src: "{{app_base_dir}}/{{etcd_dir_name.stdout}}", dest: '{{etcd_base_dir}}', state: link} + src: '{{ etcd_install_dir}}/{{etcd_dir_name.stdout }}' + dest: '{{etcd_base_dir}}' + state: 'link' when: etcd_dir_name.stdout != "etcd" - name: create etcd conf dir link file: - src: '{{ item.src }}' - dest: '{{item.dest}}' - state: '{{ item.state }}' - with_items: - - { src: "{{etcd_conf_dir}}", dest: '/etc/etcd', state: link} + src: '{{ etcd_conf_dir }}' + dest: '/etc/etcd' + state: 'link' ignore_errors: true diff --git a/etcd_install/tasks/generate_certs.yml b/etcd_install/tasks/generate_certs.yml index 1051769..a455c10 100644 --- a/etcd_install/tasks/generate_certs.yml +++ b/etcd_install/tasks/generate_certs.yml 
@@ -1,23 +1,66 @@ - name: generate etcd-root-ca - local_action: shell {{etcd_cfssl_cmd_path}}/cfssl gencert -initca {{etcd_cert_json_dir}}/etcd-root-ca-csr.json | {{etcd_cfssl_cmd_path}}/cfssljson --bare {{etcd_cert_dir}}/etcd-root-ca - args: - chdir: "{{etcd_work_dir}}" - #creates: "{{etcd_work_dir}}/{{etcd_cert_dir}}/etcd-root-ca.pem" - creates: "{{etcd_cert_dir}}/etcd-root-ca.pem" + local_action: + module: shell + #cmd: '{{etcd_cfssl_cmd_path}}/cfssl gencert -initca {{"-ca-key "~etcd_cert_dir~"/etcd-root-ca-key.pem" if etcd_work_dir~"/"~etcd_cert_dir~"/etcd-root-ca-key.pem" is exists else ""}} {{etcd_cert_json_dir}}/etcd-root-ca-csr.json | {{etcd_cfssl_cmd_path}}/cfssljson --bare {{etcd_cert_dir}}/etcd-root-ca' + #cmd: '{{etcd_cfssl_cmd_path}}/cfssl gencert -initca {%if "/data/apps/data/wanghaifeng/ansible/playbooks/k8s_91"~etcd_work_dir~"/"~etcd_cert_dir~"/etcd-root-ca-key.pem" is exists%}{{"-ca-key "~etcd_cert_dir~"/etcd-root-ca-key.pem"}}{%endif%} {{etcd_cert_json_dir}}/etcd-root-ca-csr.json | {{etcd_cfssl_cmd_path}}/cfssljson --bare {{etcd_cert_dir}}/etcd-root-ca' + #cmd: '{{etcd_cfssl_cmd_path}}/cfssl gencert -initca {%if "/data/apps/data/wanghaifeng/ansible/playbooks/k8s_91"~etcd_work_dir~"/"~etcd_cert_dir~"/etcd-root-ca-key.pem" is exists%}-ca-key {{etcd_cert_dir}}/etcd-root-ca-key.pem{%endif%} {{etcd_cert_json_dir}}/etcd-root-ca-csr.json | {{etcd_cfssl_cmd_path}}/cfssljson --bare {{etcd_cert_dir}}/etcd-root-ca' + #cmd: 'echo {%if etcd_work_dir~"/"~etcd_cert_dir~"/etcd-root-ca-key.pem" is exists%}"/etc/fstab"{%else%}"hehe"{%endif%}' + #cmd: 'echo {{ "/data/apps/data/wanghaifeng/ansible/playbooks/k8s_91/"~etcd_work_dir~"/"~etcd_cert_dir~"/etcd-root-ca-key.pem" }}' + #cmd: 'echo {% if "/data/apps/data/wanghaifeng/ansible/playbooks/k8s_91/"~etcd_work_dir~"/"~etcd_cert_dir~"/etcd-root-ca-keyss.pem" is exists %}haha{%endif%}' + cmd: | + if [ -e '{{ etcd_cert_dir~"/etcd-root-ca-key.pem" }}' ];then + echo 'cfssl gencert -initca -ca-key 
{{etcd_cert_dir~"/etcd-root-ca-key.pem"}} {{etcd_cert_json_dir}}/etcd-root-ca-csr.json | cfssljson --bare {{etcd_cert_dir}}/etcd-root-ca' + cfssl gencert -initca -ca-key {{etcd_cert_dir~"/etcd-root-ca-key.pem"}} {{etcd_cert_json_dir}}/etcd-root-ca-csr.json | cfssljson --bare {{etcd_cert_dir}}/etcd-root-ca + + else + echo 'cfssl gencert -initca {{etcd_cert_json_dir}}/etcd-root-ca-csr.json | cfssljson --bare {{etcd_cert_dir}}/etcd-root-ca' + cfssl gencert -initca {{etcd_cert_json_dir}}/etcd-root-ca-csr.json | cfssljson --bare {{etcd_cert_dir}}/etcd-root-ca + fi + args: + chdir: "{{etcd_work_dir}}" + #creates: "{{etcd_work_dir}}/{{etcd_cert_dir}}/etcd-root-ca.pem" + creates: "{{etcd_cert_dir}}/etcd-root-ca.pem" run_once: true + environment: + PATH: '{{etcd_cfssl_cmd_path}}:{{ansible_env.PATH}}' + +#- name: test env +# local_action: +# module: shell +# cmd: echo $PATH +# environment: +# PATH: '{{etcd_cfssl_cmd_path}}:{{ansible_env.PATH}}' + +#- meta: end_play - name: generate etcd certs - local_action: shell {{etcd_cfssl_cmd_path}}/cfssl gencert -ca={{etcd_cert_dir}}/etcd-root-ca.pem -ca-key={{etcd_cert_dir}}/etcd-root-ca-key.pem -config={{etcd_cert_json_dir}}/etcd-ca-config.json -profile={{item.split('-')[1]}} {{etcd_cert_json_dir}}/{{item}}-csr.json | {{etcd_cfssl_cmd_path}}/cfssljson --bare {{etcd_cert_dir}}/{{item}} - args: - chdir: "{{etcd_work_dir}}" + local_action: + module: shell + #cmd: "{{etcd_cfssl_cmd_path}}/cfssl gencert -ca={{etcd_cert_dir}}/etcd-root-ca.pem -ca-key={{etcd_cert_dir}}/etcd-root-ca-key.pem -config={{etcd_cert_json_dir}}/etcd-ca-config.json -profile={{item.split('-')[1]}} {{etcd_cert_json_dir}}/{{item}}-csr.json | {{etcd_cfssl_cmd_path}}/cfssljson --bare {{etcd_cert_dir}}/{{item}}" + cmd: | + if [ -e '{{ etcd_cert_dir~"/"~item~"-key.pem" }}' ];then + # 如果 key 存在,那么先根据 key 生成 csr, 然后通过 sign 命令签署证书 + #cfssl gencsr -key ../ansible_etcd_certs/etcd-key.pem etcd-csr.json > /tmp/etcd.csr + csr_strings=$(cfssl gencsr -key 
{{etcd_cert_dir~"/"~item~"-key.pem"}} {{etcd_cert_json_dir}}/{{item}}-csr.json | awk -F':' '{split($2,A,"\"");print A[2]}') + echo -e ${csr_strings} | grep -v '^$' > {{etcd_cert_dir}}/{{item}}.csr + cat {{etcd_cert_dir}}/{{item}}.csr | cfssl sign -ca={{etcd_cert_dir}}/etcd-root-ca.pem -ca-key={{etcd_cert_dir}}/etcd-root-ca-key.pem -config={{etcd_cert_json_dir}}/etcd-ca-config.json -profile={{item.split('-')[1]}} - | cfssljson -bare {{etcd_cert_dir}}/{{item}} + # cat /tmp/etcd.csr |cfssl sign -ca etcd-root-ca.pem -ca-key etcd-root-ca-key.pem -config ../ansible_certs_json/etcd-ca-config.json --profile server - | cfssljson -bare /tmp/etcd + #2020/10/22 14:02:24 [INFO] signed certificate with serial number 292409825673861649077494967297457537903606409692 + else + cfssl gencert -ca={{etcd_cert_dir}}/etcd-root-ca.pem -ca-key={{etcd_cert_dir}}/etcd-root-ca-key.pem -config={{etcd_cert_json_dir}}/etcd-ca-config.json -profile={{item.split('-')[1]}} {{etcd_cert_json_dir}}/{{item}}-csr.json | cfssljson --bare {{etcd_cert_dir}}/{{item}} + fi + args: + chdir: "{{etcd_work_dir}}" #creates: "{{etcd_work_dir}}/{{etcd_cert_dir}}/{{item}}.pem" - creates: "{{etcd_cert_dir}}/{{item}}.pem" + creates: "{{etcd_cert_dir}}/{{item}}.pem" loop: - etcd-client-ca - etcd-member-ca - etcd-server-ca run_once: true + environment: + PATH: '{{etcd_cfssl_cmd_path}}:{{ansible_env.PATH}}' #- name: generate etcd-server-ca diff --git a/k8s_master_install/defaults/main.yml b/k8s_master_install/defaults/main.yml index 181c11d..5103eb9 100644 --- a/k8s_master_install/defaults/main.yml +++ b/k8s_master_install/defaults/main.yml 
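Review bot: In the key-exists branch of `generate etcd certs`, the CSR is recovered by splitting cfssl's JSON output with `awk -F':'` and re-expanding it through an unquoted `echo -e ${csr_strings}`, which depends on the exact output layout and on the task shell's `echo` accepting `-e`; a mangled or empty `.csr` is then piped straight into `cfssl sign` together with the root CA key. `cfssljson` already writes the `csr` field to a file, so the two lines should reduce to `cfssl gencsr -key {{etcd_cert_dir}}/{{item}}-key.pem {{etcd_cert_json_dir}}/{{item}}-csr.json | cfssljson -bare {{etcd_cert_dir}}/{{item}}` followed by `cfssl sign` with the same `-ca`/`-ca-key`/`-config`/`-profile` options and `{{etcd_cert_dir}}/{{item}}.csr` as its argument. The same awk/echo sequence is added in the second hunk of `k8s_master_install/tasks/generate_k8s_certs.yml`. The commented-out `cmd:` experiments that embed an absolute `/data/apps/data/...` workstation path should be dropped before merging.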
@@ -15,7 +15,7 @@ k8s_master_packet: #k8s_master_dir_name: "{{lookup('pipe', 'tar tf '+ k8s_master_packet).split('\n')[-1].split(' ')[-1].split('/')| first}}" k8s_master_dir_name: "{{lookup('pipe', 'tar tf '+ k8s_master_packet).split('\n')[-1].split('/')| first}}" k8s_work_dir: /root/k8s -k8s_cert_json_dir: certs_json +k8s_cert_json_dir: ansible_certs_json k8s_work_conf_dir: ansible_k8s_confs k8s_cert_dir: ansible_k8s_certs @@ -41,7 +41,7 @@ k8s_cert_l: "Beijing" k8s_cert_o: "k8s" # tech. sa, dev k8s_cert_ou: "System" -k8s_cert_conf_files: '{{q("fileglob", "templates/*.json")}}' +k8s_cert_conf_files: '{{q("fileglob", "templates/k8s_certs_json/*.json")}}' k8s_cert_hosts: diff --git a/k8s_master_install/tasks/create_k8s_dir.yml b/k8s_master_install/tasks/create_k8s_dir.yml index 6c746db..adc1ed1 100644 --- a/k8s_master_install/tasks/create_k8s_dir.yml +++ b/k8s_master_install/tasks/create_k8s_dir.yml @@ -1,5 +1,5 @@ -# editor: haifeng -# 2020/04/30 +# editor: haifengsss@163.com +# 2019/04/30 - name: create k8s user user: diff --git a/k8s_master_install/tasks/generate_k8s_certs.yml b/k8s_master_install/tasks/generate_k8s_certs.yml index 57a441c..0d871d5 100644 --- a/k8s_master_install/tasks/generate_k8s_certs.yml +++ b/k8s_master_install/tasks/generate_k8s_certs.yml 
@@ -2,7 +2,16 @@ - name: generate k8s-root-ca local_action: module: shell - cmd: '{{k8s_cfssl_cmd_path}}/cfssl gencert -initca {{k8s_cert_json_dir}}/k8s-root-ca-csr.json | {{k8s_cfssl_cmd_path}}/cfssljson --bare {{k8s_cert_dir}}/k8s-root-ca' + #cmd: 'cfssl gencert -initca {{k8s_cert_json_dir}}/k8s-root-ca-csr.json | cfssljson --bare {{k8s_cert_dir}}/k8s-root-ca' + cmd: | + if [ -e '{{k8s_cert_dir}}/k8s-root-ca-key.pem' ];then + echo "$PATH" + echo 'cfssl gencert -initca -ca-key {{k8s_cert_dir}}/k8s-root-ca-key.pem {{k8s_cert_json_dir}}/k8s-root-ca-csr.json | cfssljson --bare {{k8s_cert_dir}}/k8s-root-ca' + cfssl gencert -initca -ca-key {{k8s_cert_dir}}/k8s-root-ca-key.pem {{k8s_cert_json_dir}}/k8s-root-ca-csr.json | cfssljson --bare {{k8s_cert_dir}}/k8s-root-ca + else + echo 'cfssl gencert -initca {{k8s_cert_json_dir}}/k8s-root-ca-csr.json | cfssljson --bare {{k8s_cert_dir}}/k8s-root-ca' + cfssl gencert -initca {{k8s_cert_json_dir}}/k8s-root-ca-csr.json | cfssljson --bare {{k8s_cert_dir}}/k8s-root-ca + fi args: chdir: "{{k8s_work_dir}}" #creates: "{{k8s_work_dir}}/{{k8s_cert_dir}}/k8s-root-ca.pem" 
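Review bot: The new `cmd: |` script for `generate k8s-root-ca` still carries debugging output, `echo "$PATH"` plus an `echo` of each cfssl command line before it runs, which lands in the task result on every run that is not skipped. The existence test quotes its path (`[ -e '{{k8s_cert_dir}}/k8s-root-ca-key.pem' ]`) while the `cfssl` and `cfssljson` arguments on the following lines are templated unquoted, so a directory value containing whitespace or shell metacharacters is tested as one path and executed as something else. Passing the values through the `quote` filter, e.g. `{{ (k8s_cert_dir ~ '/k8s-root-ca-key.pem') | quote }}`, keeps the test and the command consistent. The task's `args:` block continues outside this hunk.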
@@ -10,11 +19,21 @@ run_once: true tags: - generate_k8s_root_ca + environment: + PATH: '{{k8s_cfssl_cmd_path}}:{{ansible_env.PATH}}' - name: generate kube-apiserver-ca kubernetes-admin kube-apiserver-kubelet-client local_action: module: shell - cmd: '{{k8s_cfssl_cmd_path}}/cfssl gencert -ca={{k8s_cert_dir}}/k8s-root-ca.pem -ca-key={{k8s_cert_dir}}/k8s-root-ca-key.pem -config={{k8s_cert_json_dir}}/k8s-gencert.json -profile=kubernetes {{k8s_cert_json_dir}}/{{item}}-csr.json | {{k8s_cfssl_cmd_path}}/cfssljson --bare {{k8s_cert_dir}}/{{item}}' + #cmd: 'cfssl gencert -ca={{k8s_cert_dir}}/k8s-root-ca.pem -ca-key={{k8s_cert_dir}}/k8s-root-ca-key.pem -config={{k8s_cert_json_dir}}/k8s-gencert.json -profile=kubernetes {{k8s_cert_json_dir}}/{{item}}-csr.json | cfssljson --bare {{k8s_cert_dir}}/{{item}}' + cmd: | + if [ -e '{{ k8s_cert_dir~"/"~item~"-key.pem" }}' ];then + csr_strings=$(cfssl gencsr -key {{k8s_cert_dir~"/"~item~"-key.pem"}} {{k8s_cert_json_dir}}/{{item}}-csr.json | awk -F':' '{split($2,A,"\"");print A[2]}') + echo -e ${csr_strings} | grep -v '^$' > {{k8s_cert_dir}}/{{item}}.csr + cat {{k8s_cert_dir}}/{{item}}.csr | cfssl sign -ca={{k8s_cert_dir}}/k8s-root-ca.pem -ca-key={{k8s_cert_dir}}/k8s-root-ca-key.pem -config={{k8s_cert_json_dir}}/k8s-gencert.json -profile=kubernetes - | cfssljson -bare {{k8s_cert_dir}}/{{item}} + else + cfssl gencert -ca={{k8s_cert_dir}}/k8s-root-ca.pem -ca-key={{k8s_cert_dir}}/k8s-root-ca-key.pem -config={{k8s_cert_json_dir}}/k8s-gencert.json -profile=kubernetes {{k8s_cert_json_dir}}/{{item}}-csr.json | cfssljson --bare {{k8s_cert_dir}}/{{item}} + fi args: chdir: "{{k8s_work_dir}}" creates: "{{k8s_cert_dir}}/{{item}}.pem" 
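Review bot: The added `environment:` block builds `PATH` from `ansible_env.PATH`, which is a gathered fact of the inventory host, while these tasks run on the controller through `local_action`; the controller's own value would come from `lookup('env', 'PATH')`. Because the commands are now resolved by bare name (`cfssl`, `cfssljson`) instead of `{{k8s_cfssl_cmd_path}}/cfssl`, an empty `k8s_cfssl_cmd_path` leaves a leading `:` in `PATH`, and an empty entry makes the shell search the current directory, here `{{k8s_work_dir}}`, where the CA keys are handled. I would either keep the absolute paths or guard the tasks with `when: k8s_cfssl_cmd_path | length > 0`. The same pattern is added in `etcd_install/tasks/generate_certs.yml` and in the third hunk of this file.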
@@ -26,30 +45,44 @@ - k8s-kube-scheduler - k8s-kube-proxy - k8s-dashboard + - kubernetes run_once: true + environment: + PATH: '{{k8s_cfssl_cmd_path}}:{{ansible_env.PATH}}' + #when: k8s_work_dir~"/"~k8s_cert_json_dir~"/"~item~"-csr.json" is exists - name: generate k8s-front-proxy-ca - local_action: shell {{k8s_cfssl_cmd_path}}/cfssl gencert -initca {{k8s_cert_json_dir}}/k8s-front-proxy-ca-csr.json | {{k8s_cfssl_cmd_path}}/cfssljson --bare {{k8s_cert_dir}}/k8s-front-proxy-ca - args: - chdir: "{{k8s_work_dir}}" - creates: "{{k8s_cert_dir}}/k8s-front-proxy-ca.pem" + local_action: + module: shell + cmd: '{{k8s_cfssl_cmd_path}}/cfssl gencert -initca {{k8s_cert_json_dir}}/k8s-front-proxy-ca-csr.json | {{k8s_cfssl_cmd_path}}/cfssljson --bare {{k8s_cert_dir}}/k8s-front-proxy-ca' + args: + chdir: "{{k8s_work_dir}}" + creates: "{{k8s_cert_dir}}/k8s-front-proxy-ca.pem" run_once: true + environment: + PATH: '{{k8s_cfssl_cmd_path}}:{{ansible_env.PATH}}' - name: generate k8s-front-proxy-client - local_action: shell {{k8s_cfssl_cmd_path}}/cfssl gencert -ca={{k8s_cert_dir}}/k8s-front-proxy-ca.pem -ca-key={{k8s_cert_dir}}/k8s-front-proxy-ca-key.pem -config={{k8s_cert_json_dir}}/k8s-gencert.json -profile=kubernetes {{k8s_cert_json_dir}}/{{item}}-csr.json | {{k8s_cfssl_cmd_path}}/cfssljson --bare {{k8s_cert_dir}}/{{item}} - args: - chdir: "{{k8s_work_dir}}" - creates: "{{k8s_cert_dir}}/{{item}}.pem" + local_action: + module: shell + cmd: 'cfssl gencert -ca={{k8s_cert_dir}}/k8s-front-proxy-ca.pem -ca-key={{k8s_cert_dir}}/k8s-front-proxy-ca-key.pem -config={{k8s_cert_json_dir}}/k8s-gencert.json -profile=kubernetes {{k8s_cert_json_dir}}/{{item}}-csr.json | cfssljson --bare {{k8s_cert_dir}}/{{item}}' + args: + chdir: "{{k8s_work_dir}}" + creates: "{{k8s_cert_dir}}/{{item}}.pem" loop: - k8s-front-proxy-client run_once: true + environment: + PATH: '{{k8s_cfssl_cmd_path}}:{{ansible_env.PATH}}' # serviceAccount private key - name: generate sa private.key - local_action: shell openssl genrsa 
-out {{k8s_cert_dir}}/k8s-sa.key 2048 - args: - chdir: "{{k8s_work_dir}}" - creates: "{{k8s_cert_dir}}/k8s-sa.key" + local_action: + module: shell + cmd: openssl genrsa -out {{k8s_cert_dir}}/k8s-sa.key 2048 + args: + chdir: "{{k8s_work_dir}}" + creates: "{{k8s_cert_dir}}/k8s-sa.key" run_once: true - name: generate sa public key diff --git a/k8s_master_install/tasks/install_k8s_master.yml b/k8s_master_install/tasks/install_k8s_master.yml index 90f2a5c..a15b541 100644 --- a/k8s_master_install/tasks/install_k8s_master.yml +++ b/k8s_master_install/tasks/install_k8s_master.yml @@ -1,4 +1,4 @@ -# edirtor: haifeng +# edirtor: haifengsss@163.com # 2017/01/12 - name: get k8s_master packet dir name diff --git a/k8s_master_install/tasks/main.yml b/k8s_master_install/tasks/main.yml index 0b0ea5d..c9108ea 100644 --- a/k8s_master_install/tasks/main.yml +++ b/k8s_master_install/tasks/main.yml @@ -1,4 +1,4 @@ -# edirtor: haifeng +# editor: haifengsss@163.com # 2017/01/12 - import_tasks: create_k8s_work_dir.yml diff --git a/k8s_master_install/templates/k8s-dashboard-csr.json b/k8s_master_install/templates/k8s_certs_json/k8s-dashboard-csr.json similarity index 100% rename from k8s_master_install/templates/k8s-dashboard-csr.json rename to k8s_master_install/templates/k8s_certs_json/k8s-dashboard-csr.json diff --git a/k8s_master_install/templates/k8s-front-proxy-ca-csr.json b/k8s_master_install/templates/k8s_certs_json/k8s-front-proxy-ca-csr.json similarity index 100% rename from k8s_master_install/templates/k8s-front-proxy-ca-csr.json rename to k8s_master_install/templates/k8s_certs_json/k8s-front-proxy-ca-csr.json diff --git a/k8s_master_install/templates/k8s-front-proxy-client-csr.json b/k8s_master_install/templates/k8s_certs_json/k8s-front-proxy-client-csr.json similarity index 100% rename from k8s_master_install/templates/k8s-front-proxy-client-csr.json rename to k8s_master_install/templates/k8s_certs_json/k8s-front-proxy-client-csr.json 
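Review bot: The `- kubernetes` item added to the loop makes the task read `{{k8s_cert_json_dir}}/kubernetes-csr.json`, but none of the templates this commit moves into `templates/k8s_certs_json/` has that name (they are all `k8s-*-csr.json`), so unless the file is supplied elsewhere that iteration fails; the commented-out `#when: ... is exists` directly below suggests this was already hit. Either add the CSR template or drop the item rather than leaving the guard commented out. Separately, `generate k8s-front-proxy-ca` keeps the absolute `{{k8s_cfssl_cmd_path}}/cfssl` form while its sibling tasks switched to bare names, and `generate sa private.key` does not set the mode of `k8s-sa.key` itself, so a `umask 077 &&` in front of the `openssl genrsa` command would make the intended permissions explicit.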
diff --git a/k8s_master_install/templates/k8s-gencert.json b/k8s_master_install/templates/k8s_certs_json/k8s-gencert.json
similarity index 100%
rename from k8s_master_install/templates/k8s-gencert.json
rename to k8s_master_install/templates/k8s_certs_json/k8s-gencert.json
diff --git a/k8s_master_install/templates/k8s-kube-apiserver-csr.json b/k8s_master_install/templates/k8s_certs_json/k8s-kube-apiserver-csr.json
similarity index 100%
rename from k8s_master_install/templates/k8s-kube-apiserver-csr.json
rename to k8s_master_install/templates/k8s_certs_json/k8s-kube-apiserver-csr.json
diff --git a/k8s_master_install/templates/k8s-kube-apiserver-kubelet-client-csr.json b/k8s_master_install/templates/k8s_certs_json/k8s-kube-apiserver-kubelet-client-csr.json
similarity index 100%
rename from k8s_master_install/templates/k8s-kube-apiserver-kubelet-client-csr.json
rename to k8s_master_install/templates/k8s_certs_json/k8s-kube-apiserver-kubelet-client-csr.json
diff --git a/k8s_master_install/templates/k8s-kube-controller-manager-csr.json b/k8s_master_install/templates/k8s_certs_json/k8s-kube-controller-manager-csr.json
similarity index 100%
rename from k8s_master_install/templates/k8s-kube-controller-manager-csr.json
rename to k8s_master_install/templates/k8s_certs_json/k8s-kube-controller-manager-csr.json
diff --git a/k8s_master_install/templates/k8s-kube-proxy-csr.json b/k8s_master_install/templates/k8s_certs_json/k8s-kube-proxy-csr.json
similarity index 100%
rename from k8s_master_install/templates/k8s-kube-proxy-csr.json
rename to k8s_master_install/templates/k8s_certs_json/k8s-kube-proxy-csr.json
diff --git a/k8s_master_install/templates/k8s-kube-scheduler-csr.json b/k8s_master_install/templates/k8s_certs_json/k8s-kube-scheduler-csr.json
similarity index 100%
rename from k8s_master_install/templates/k8s-kube-scheduler-csr.json
rename to k8s_master_install/templates/k8s_certs_json/k8s-kube-scheduler-csr.json
diff --git a/k8s_master_install/templates/k8s-kubernetes-admin-csr.json b/k8s_master_install/templates/k8s_certs_json/k8s-kubernetes-admin-csr.json similarity index 100% rename from k8s_master_install/templates/k8s-kubernetes-admin-csr.json rename to k8s_master_install/templates/k8s_certs_json/k8s-kubernetes-admin-csr.json diff --git a/k8s_master_install/templates/k8s-prometheus-adapter-csr.json b/k8s_master_install/templates/k8s_certs_json/k8s-prometheus-adapter-csr.json similarity index 100% rename from k8s_master_install/templates/k8s-prometheus-adapter-csr.json rename to k8s_master_install/templates/k8s_certs_json/k8s-prometheus-adapter-csr.json diff --git a/k8s_master_install/templates/k8s-root-ca-csr.json b/k8s_master_install/templates/k8s_certs_json/k8s-root-ca-csr.json similarity index 100% rename from k8s_master_install/templates/k8s-root-ca-csr.json rename to k8s_master_install/templates/k8s_certs_json/k8s-root-ca-csr.json diff --git a/mysql_binary_install/tasks/create_syncuser.yml b/mysql_binary_install/tasks/create_syncuser.yml index 8bc76f3..f793751 100644 --- a/mysql_binary_install/tasks/create_syncuser.yml +++ b/mysql_binary_install/tasks/create_syncuser.yml @@ -1,7 +1,8 @@ - name: install MySQL-python packet yum: name: - - MySQL-python + #- MySQL-python + - python2-PyMySQL state: latest - name: rename ~/.my.cnf if exists diff --git a/mysql_binary_install/tasks/install_mysql.yml b/mysql_binary_install/tasks/install_mysql.yml index 82fdc30..39532a1 100644 --- a/mysql_binary_install/tasks/install_mysql.yml +++ b/mysql_binary_install/tasks/install_mysql.yml @@ -5,6 +5,7 @@ local_action: module: shell cmd: tar tf {{mysql_packet}} |head -n 1 |awk -F'/' '{print $1}' + warn: false register: mysql_dir_name run_once: true diff --git a/mysql_binary_install/tasks/sync_to_master.yml b/mysql_binary_install/tasks/sync_to_master.yml index 72a8ffc..4072668 100644 --- a/mysql_binary_install/tasks/sync_to_master.yml +++ b/mysql_binary_install/tasks/sync_to_master.yml 
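Review bot: In `mysql_binary_install/tasks/create_syncuser.yml` the task is still named `install MySQL-python packet` although it now installs `python2-PyMySQL`, and the old entry is left behind as `#- MySQL-python`; rename it, e.g. `- name: install PyMySQL driver`, and delete the commented line. With `state: latest` the driver version is whatever the repository serves at run time, so `state: present` or a pinned version gives reproducible hosts. The identical change appears in `mysql_user/tasks/create_mysql_app_users.yml`.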
@@ -13,7 +13,7 @@ master_password: '{{mysql_master_sync_pass}}' master_auto_position: 1 mode: '{{ item }}' - with_items: + loop: - stopslave - changemaster - startslave diff --git a/mysql_mha_install/defaults/main.yml b/mysql_mha_install/defaults/main.yml index 1408813..87cd795 100644 --- a/mysql_mha_install/defaults/main.yml +++ b/mysql_mha_install/defaults/main.yml @@ -30,7 +30,7 @@ mysql_login_pass: mysql_login_user: mysql_sock: mysql_vip: -mysql_mha_user: +mysql_mha_user: mha mysql_mha_pass: mysql_mha_priv: '*.*:all' diff --git a/mysql_user/tasks/create_mysql_app_users.yml b/mysql_user/tasks/create_mysql_app_users.yml index 74dcaa8..9729edf 100644 --- a/mysql_user/tasks/create_mysql_app_users.yml +++ b/mysql_user/tasks/create_mysql_app_users.yml @@ -1,7 +1,8 @@ - name: install MySQL-python packet yum: name: - - MySQL-python + #- MySQL-python + - python2-PyMySQL state: latest when: mysql_user_install_driver == True diff --git a/pmm-client_install/tasks/install_pmm_client_for_tgz.yml b/pmm-client_install/tasks/install_pmm_client_for_tgz.yml index fc4c6d6..7cbfb1d 100644 --- a/pmm-client_install/tasks/install_pmm_client_for_tgz.yml +++ b/pmm-client_install/tasks/install_pmm_client_for_tgz.yml @@ -1,6 +1,9 @@ - name: get pmm_client packet dir name - local_action: shell tar tvf {{pmm_client_packet}} |tail -n 1 |awk '{print $NF}' |awk -F'/' '{print $1}' + local_action: + module: shell + cmd: tar tf {{pmm_client_packet}} | head -n 1 |awk -F'/' '{print $1}' + warn: false register: packet_dir_name run_once: true diff --git a/pmm-client_install/tasks/main.yml b/pmm-client_install/tasks/main.yml index 6110e33..62aa8dc 100644 --- a/pmm-client_install/tasks/main.yml +++ b/pmm-client_install/tasks/main.yml 
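Review bot: Defaulting `mysql_mha_user` to `mha` in `mysql_mha_install/defaults/main.yml` while `mysql_mha_pass` stays empty and `mysql_mha_priv` is `'*.*:all'` means a run that overrides nothing now has a concrete account name to act on instead of a null one. Whether the role then creates that account with an empty password is not visible in this hunk, so I would add an `assert` ahead of the user-creation task, e.g. `that: mysql_mha_pass | default('', true) | length > 0`. It is also worth checking whether the grant can be narrower than `*.*:all` for this setup.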
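Review bot: The `warn: false` added under `local_action` in `pmm-client_install/tasks/install_pmm_client_for_tgz.yml` uses an option of the `shell` module that has since been deprecated and removed from ansible-core, where passing it makes the task fail. If the goal is only to silence the "consider using the unarchive module" hint, I would drop the line and accept the warning, or read the top-level directory another way. `{{pmm_client_packet}}` is also templated into the pipeline unquoted; `tar tf {{ pmm_client_packet | quote }}` avoids surprises with unusual file names. The same `warn: false` is added in `mysql_binary_install/tasks/install_mysql.yml`.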
@@ -22,25 +22,26 @@ debug: msg: '{{mysql_pmm_user}}' -#- include_tasks: install_mysql_driver.yml -# tags: -# - install_mysql_driver -# when: mysql_pmm_user is not none -# -#- include_tasks: create_mysql_user.yml -# tags: -# - create_mysql_user -# when: mysql_pmm_user != '' -# -#- include_tasks: pmm_add_mysql.yml -# tags: -# - pmm_add_mysql -# when: mysql_pmm_user != '' +- include_tasks: install_mysql_driver.yml + tags: + - install_mysql_driver + when: mysql_pmm_user is not none + +- include_tasks: create_mysql_user.yml + tags: + - create_mysql_user + when: mysql_pmm_user != '' -- include_tasks: pmm_add_mongodb.yml +- include_tasks: pmm_add_mysql.yml tags: - - pmm_add_mongodb - when: pmm_mongo_user != '' + - pmm_add_mysql + when: mysql_pmm_user != '' + +#- include_tasks: pmm_add_mongodb.yml +# tags: +# - pmm_add_mongodb +# when: +# - pmm_mongo_user != '' - import_tasks: copy_pmm_conf.yml tags:
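Review bot: The three re-enabled includes gate on `mysql_pmm_user` with two different tests: `install_mysql_driver.yml` uses `is not none`, the other two use `!= ''`. A variable left as a bare `mysql_pmm_user:` is null, so the driver install is skipped while `create_mysql_user.yml` and `pmm_add_mysql.yml` still run (null is not equal to `''`), and an empty string does the reverse. One truthiness test on all three, `when: mysql_pmm_user | default('', true) | length > 0`, covers both cases. The hunk also disables `pmm_add_mongodb.yml` by commenting it out; if that is specific to this migration, a tag or a variable would be a safer switch than an edit to the shared task list.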