Remove kubeadm-aio
As part of the move to helm v3, we migrated how we set up deploying kubernetes from a series of playbooks to using a bash script. This had the advantage of being easier to follow and deploy locally, as well as easier to debug when an issue arose. While the kubeadm-aio was very useful in the past to help lower run-times, currently it appears that optimizations in our jobs seem to have mitigated a lot of the issues that were lessened with the AIO. Change-Id: If0c6a97aed4083307a9b6f5beb4ec525e8103e01
parent
1e56dd59ea
commit
ad133069aa
@ -1,32 +0,0 @@
|
|||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
---
|
|
||||||
version:
|
|
||||||
kubernetes: v1.19.15
|
|
||||||
helm: v2.17.0
|
|
||||||
cni: v0.8.5
|
|
||||||
|
|
||||||
proxy:
|
|
||||||
http: null
|
|
||||||
https: null
|
|
||||||
noproxy: null
|
|
||||||
|
|
||||||
images:
|
|
||||||
kubernetes:
|
|
||||||
kubeadm_aio: openstackhelm/kubeadm-aio:dev
|
|
||||||
|
|
||||||
url:
|
|
||||||
google_kubernetes_repo: https://storage.googleapis.com/kubernetes-release/release/{{ version.kubernetes }}/bin/linux/amd64
|
|
||||||
helm_repo: https://get.helm.sh
|
|
||||||
cni_repo: https://github.com/containernetworking/plugins/releases/download/{{ version.cni }}
|
|
||||||
...
|
|
@ -1,98 +0,0 @@
|
|||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
---
|
|
||||||
- name: set zuul_site_mirror_fqdn from env var if not defined
|
|
||||||
when: zuul_site_mirror_fqdn is not defined
|
|
||||||
ignore_errors: True
|
|
||||||
set_fact:
|
|
||||||
zuul_site_mirror_fqdn: "{{ lookup('env','zuul_site_mirror_fqdn') }}"
|
|
||||||
|
|
||||||
# NOTE(portdirect): Untill https://github.com/ansible/ansible/issues/21433 is
|
|
||||||
# reolved, we build with a shell script to make use of the host network.
|
|
||||||
- name: Kubeadm-AIO build
|
|
||||||
block:
|
|
||||||
# NOTE(portdirect): we do this to ensure we are feeding the docker build
|
|
||||||
# a clean path to work with.
|
|
||||||
- name: Kubeadm-AIO image build path
|
|
||||||
shell: cd "{{ work_dir }}"; pwd
|
|
||||||
register: kubeadm_aio_path
|
|
||||||
# - name: build the Kubeadm-AIO image
|
|
||||||
# docker_image:
|
|
||||||
# path: "{{ kubeadm_aio_path.stdout }}/"
|
|
||||||
# name: "{{ images.kubernetes.kubeadm_aio }}"
|
|
||||||
# dockerfile: "tools/images/kubeadm-aio/Dockerfile"
|
|
||||||
# force: yes
|
|
||||||
# pull: yes
|
|
||||||
# state: present
|
|
||||||
# rm: yes
|
|
||||||
# buildargs:
|
|
||||||
# KUBE_VERSION: "{{ version.kubernetes }}"
|
|
||||||
# CNI_VERSION: "{{ version.cni }}"
|
|
||||||
# HELM_VERSION: "{{ version.helm }}"
|
|
||||||
# CHARTS: "calico,flannel,tiller,kube-dns"
|
|
||||||
- name: Kubeadm-AIO image build path with proxy
|
|
||||||
when: proxy.http
|
|
||||||
shell: |-
|
|
||||||
set -e
|
|
||||||
docker build \
|
|
||||||
--network host \
|
|
||||||
--force-rm \
|
|
||||||
--tag "{{ images.kubernetes.kubeadm_aio }}" \
|
|
||||||
--file tools/images/kubeadm-aio/Dockerfile \
|
|
||||||
--build-arg KUBE_VERSION="{{ version.kubernetes }}" \
|
|
||||||
--build-arg CNI_VERSION="{{ version.cni }}" \
|
|
||||||
--build-arg HELM_VERSION="{{ version.helm }}" \
|
|
||||||
--build-arg CHARTS="calico,flannel,tiller,kube-dns,kubernetes-keystone-webhook" \
|
|
||||||
--build-arg GOOGLE_KUBERNETES_REPO_URL="{{ url.google_kubernetes_repo }}" \
|
|
||||||
--build-arg GOOGLE_HELM_REPO_URL="{{ url.helm_repo }}" \
|
|
||||||
--build-arg CNI_REPO_URL="{{ url.cni_repo }}" \
|
|
||||||
--build-arg HTTP_PROXY="{{ proxy.http }}" \
|
|
||||||
--build-arg HTTPS_PROXY="{{ proxy.https }}" \
|
|
||||||
--build-arg NO_PROXY="{{ proxy.noproxy }}" \
|
|
||||||
{% if zuul_site_mirror_fqdn is defined and zuul_site_mirror_fqdn %}
|
|
||||||
--build-arg UBUNTU_URL="http://{{ zuul_site_mirror_fqdn }}/ubuntu/" \
|
|
||||||
--build-arg ALLOW_UNAUTHENTICATED="true" \
|
|
||||||
--build-arg PIP_INDEX_URL="http://{{ zuul_site_mirror_fqdn }}/pypi/simple" \
|
|
||||||
--build-arg PIP_TRUSTED_HOST="{{ zuul_site_mirror_fqdn }}" \
|
|
||||||
{% endif %}
|
|
||||||
.
|
|
||||||
args:
|
|
||||||
chdir: "{{ kubeadm_aio_path.stdout }}/"
|
|
||||||
executable: /bin/bash
|
|
||||||
- name: Kubeadm-AIO image build path
|
|
||||||
when: not proxy.http
|
|
||||||
shell: |-
|
|
||||||
set -e
|
|
||||||
docker build \
|
|
||||||
--network host \
|
|
||||||
--force-rm \
|
|
||||||
--tag "{{ images.kubernetes.kubeadm_aio }}" \
|
|
||||||
--file tools/images/kubeadm-aio/Dockerfile \
|
|
||||||
--build-arg KUBE_VERSION="{{ version.kubernetes }}" \
|
|
||||||
--build-arg CNI_VERSION="{{ version.cni }}" \
|
|
||||||
--build-arg HELM_VERSION="{{ version.helm }}" \
|
|
||||||
--build-arg CHARTS="calico,flannel,tiller,kube-dns,kubernetes-keystone-webhook" \
|
|
||||||
--build-arg GOOGLE_KUBERNETES_REPO_URL="{{ url.google_kubernetes_repo }}" \
|
|
||||||
--build-arg GOOGLE_HELM_REPO_URL="{{ url.helm_repo }}" \
|
|
||||||
--build-arg CNI_REPO_URL="{{ url.cni_repo }}" \
|
|
||||||
{% if zuul_site_mirror_fqdn is defined and zuul_site_mirror_fqdn %}
|
|
||||||
--build-arg UBUNTU_URL="http://{{ zuul_site_mirror_fqdn }}/ubuntu/" \
|
|
||||||
--build-arg ALLOW_UNAUTHENTICATED="true" \
|
|
||||||
--build-arg PIP_INDEX_URL="http://{{ zuul_site_mirror_fqdn }}/pypi/simple" \
|
|
||||||
--build-arg PIP_TRUSTED_HOST="{{ zuul_site_mirror_fqdn }}" \
|
|
||||||
{% endif %}
|
|
||||||
.
|
|
||||||
args:
|
|
||||||
chdir: "{{ kubeadm_aio_path.stdout }}/"
|
|
||||||
executable: /bin/bash
|
|
||||||
...
|
|
@ -1,15 +0,0 @@
|
|||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
---
|
|
||||||
- include: kubeadm-aio.yaml
|
|
||||||
...
|
|
@ -1,55 +0,0 @@
|
|||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
---
|
|
||||||
kubernetes_cluster_cni: calico
|
|
||||||
kubernetes_cluster_pod_subnet: 192.168.0.0/16
|
|
||||||
kubernetes_cluster_domain: cluster.local
|
|
||||||
kubernetes_network_default_device: null
|
|
||||||
kubernetes_selfhosted: false
|
|
||||||
kubernetes_keystone_auth: false
|
|
||||||
|
|
||||||
images:
|
|
||||||
kubernetes:
|
|
||||||
kubeadm_aio: openstackhelm/kubeadm-aio:dev
|
|
||||||
|
|
||||||
nodes:
|
|
||||||
labels:
|
|
||||||
primary:
|
|
||||||
- name: openstack-helm-node-class
|
|
||||||
value: primary
|
|
||||||
nodes:
|
|
||||||
- name: openstack-helm-node-class
|
|
||||||
value: general
|
|
||||||
all:
|
|
||||||
- name: openstack-control-plane
|
|
||||||
value: enabled
|
|
||||||
- name: openstack-compute-node
|
|
||||||
value: enabled
|
|
||||||
- name: openvswitch
|
|
||||||
value: enabled
|
|
||||||
- name: linuxbridge
|
|
||||||
value: enabled
|
|
||||||
- name: ceph-mon
|
|
||||||
value: enabled
|
|
||||||
- name: ceph-osd
|
|
||||||
value: enabled
|
|
||||||
- name: ceph-mds
|
|
||||||
value: enabled
|
|
||||||
- name: ceph-rgw
|
|
||||||
value: enabled
|
|
||||||
- name: ceph-mgr
|
|
||||||
value: enabled
|
|
||||||
|
|
||||||
gate_fqdn_test: false
|
|
||||||
gate_fqdn_tld: openstackhelm.test
|
|
||||||
...
|
|
@ -1,69 +0,0 @@
|
|||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
---
|
|
||||||
- name: master
|
|
||||||
vars:
|
|
||||||
kubeadm_aio_action: clean-host
|
|
||||||
block:
|
|
||||||
- name: "kubeadm-aio performing action: {{ kubeadm_aio_action }}"
|
|
||||||
become: true
|
|
||||||
become_user: root
|
|
||||||
docker_container:
|
|
||||||
name: "kubeadm-{{ kubeadm_aio_action }}"
|
|
||||||
image: "{{ images.kubernetes.kubeadm_aio }}"
|
|
||||||
state: started
|
|
||||||
detach: false
|
|
||||||
recreate: yes
|
|
||||||
pid_mode: host
|
|
||||||
network_mode: host
|
|
||||||
capabilities: SYS_ADMIN
|
|
||||||
volumes:
|
|
||||||
- /sys:/sys:rw
|
|
||||||
- /run:/run:rw
|
|
||||||
- /:/mnt/rootfs:rw
|
|
||||||
- /etc:/etc:rw
|
|
||||||
env:
|
|
||||||
CONTAINER_NAME="kubeadm-{{ kubeadm_aio_action }}"
|
|
||||||
ACTION="{{ kubeadm_aio_action }}"
|
|
||||||
KUBE_BIND_DEVICE="{{ kubernetes_default_device }}"
|
|
||||||
USER_UID="{{ playbook_user_id }}"
|
|
||||||
USER_GID="{{ playbook_group_id }}"
|
|
||||||
USER_HOME="{{ playbook_user_dir }}"
|
|
||||||
CNI_ENABLED="{{ kubernetes_cluster_cni }}"
|
|
||||||
PVC_SUPPORT_CEPH=true
|
|
||||||
PVC_SUPPORT_NFS=true
|
|
||||||
NET_SUPPORT_LINUXBRIDGE=true
|
|
||||||
KUBE_NET_POD_SUBNET="{{ kubernetes_cluster_pod_subnet }}"
|
|
||||||
KUBE_NET_DNS_DOMAIN="{{ kubernetes_cluster_domain }}"
|
|
||||||
CONTAINER_RUNTIME=docker
|
|
||||||
register: kubeadm_master_deploy
|
|
||||||
ignore_errors: True
|
|
||||||
rescue:
|
|
||||||
- name: getting logs from kubeadm-aio container
|
|
||||||
command: "docker logs kubeadm-{{ kubeadm_aio_action }}"
|
|
||||||
become: true
|
|
||||||
become_user: root
|
|
||||||
register: out
|
|
||||||
- name: dumping logs from kubeadm-aio container
|
|
||||||
debug:
|
|
||||||
var: out.stdout_lines
|
|
||||||
- name: exiting if the kubeadm deploy failed
|
|
||||||
command: exit 1
|
|
||||||
always:
|
|
||||||
- name: removing kubeadm-aio container
|
|
||||||
become: true
|
|
||||||
become_user: root
|
|
||||||
docker_container:
|
|
||||||
name: "kubeadm-{{ kubeadm_aio_action }}"
|
|
||||||
state: absent
|
|
||||||
...
|
|
@ -1,27 +0,0 @@
|
|||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
|
|
||||||
---
|
|
||||||
- name: setting node labels
|
|
||||||
vars:
|
|
||||||
kubeadm_kubelet_labels_node:
|
|
||||||
- "{% if nodes.labels.all is defined %}{% set comma = joiner(\",\") %}{% for item in nodes.labels.all %}{{ comma() }}{{ item.name }}={{ item.value }}{% endfor %}{% else %}\"\"{% endif %}"
|
|
||||||
- "{% set comma = joiner(\",\") %}{% for group in group_names %}{% if nodes.labels[group] is defined %}{% for item in nodes.labels[group] %}{{ comma() }}{{ item.name }}={{ item.value }}{% endfor %}{% else %}\"\"{% endif %}{% endfor %}"
|
|
||||||
set_fact:
|
|
||||||
kubeadm_kubelet_labels: "{% set comma = joiner(\",\") %}{% for item in kubeadm_kubelet_labels_node %}{{ comma() }}{{ item }}{% endfor %}"
|
|
||||||
|
|
||||||
- name: deploy-kubelet
|
|
||||||
vars:
|
|
||||||
kubeadm_aio_action: deploy-kubelet
|
|
||||||
include: util-kubeadm-aio-run.yaml
|
|
||||||
...
|
|
@ -1,36 +0,0 @@
|
|||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
---
|
|
||||||
- name: setting playbook facts
|
|
||||||
set_fact:
|
|
||||||
playbook_user_id: "{{ ansible_user_uid }}"
|
|
||||||
playbook_group_id: "{{ ansible_user_gid }}"
|
|
||||||
playbook_user_dir: "{{ ansible_user_dir }}"
|
|
||||||
kubernetes_default_device: "{{ ansible_default_ipv4.alias }}"
|
|
||||||
kubernetes_default_address: null
|
|
||||||
primary_node_default_ip: "{{ hostvars[(groups['primary'][0])]['ansible_default_ipv4']['address'] }}"
|
|
||||||
|
|
||||||
- name: if we have defined a custom interface for kubernetes use that
|
|
||||||
when: kubernetes_network_default_device is defined and kubernetes_network_default_device
|
|
||||||
set_fact:
|
|
||||||
kubernetes_default_device: "{{ kubernetes_network_default_device }}"
|
|
||||||
|
|
||||||
- name: if we are in openstack infra use the private IP for kubernetes
|
|
||||||
when: (nodepool is defined) and (nodepool.private_ipv4 is defined)
|
|
||||||
set_fact:
|
|
||||||
kubernetes_default_address: "{{ nodepool.private_ipv4 }}"
|
|
||||||
|
|
||||||
- include: clean-node.yaml
|
|
||||||
|
|
||||||
- include: deploy-kubelet.yaml
|
|
||||||
...
|
|
@ -1,83 +0,0 @@
|
|||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
---
|
|
||||||
- name: Run Kubeadm-AIO container
|
|
||||||
vars:
|
|
||||||
kubeadm_aio_action: null
|
|
||||||
kubeadm_kubelet_labels: ""
|
|
||||||
block:
|
|
||||||
- name: "performing {{ kubeadm_aio_action }} action"
|
|
||||||
become: true
|
|
||||||
become_user: root
|
|
||||||
docker_container:
|
|
||||||
name: "kubeadm-{{ kubeadm_aio_action }}"
|
|
||||||
image: "{{ images.kubernetes.kubeadm_aio }}"
|
|
||||||
state: started
|
|
||||||
detach: false
|
|
||||||
recreate: yes
|
|
||||||
pid_mode: host
|
|
||||||
network_mode: host
|
|
||||||
capabilities: SYS_ADMIN
|
|
||||||
volumes:
|
|
||||||
- /sys:/sys:rw
|
|
||||||
- /run:/run:rw
|
|
||||||
- /:/mnt/rootfs:rw
|
|
||||||
- /etc:/etc:rw
|
|
||||||
env:
|
|
||||||
CONTAINER_NAME="kubeadm-{{ kubeadm_aio_action }}"
|
|
||||||
ACTION="{{ kubeadm_aio_action }}"
|
|
||||||
KUBE_BIND_DEVICE="{{ kubernetes_default_device }}"
|
|
||||||
KUBE_BIND_ADDR="{{ kubernetes_default_address }}"
|
|
||||||
USER_UID="{{ playbook_user_id }}"
|
|
||||||
USER_GID="{{ playbook_group_id }}"
|
|
||||||
USER_HOME="{{ playbook_user_dir }}"
|
|
||||||
CNI_ENABLED="{{ kubernetes_cluster_cni }}"
|
|
||||||
PVC_SUPPORT_CEPH=true
|
|
||||||
PVC_SUPPORT_NFS=true
|
|
||||||
NET_SUPPORT_LINUXBRIDGE=true
|
|
||||||
KUBE_NET_POD_SUBNET="{{ kubernetes_cluster_pod_subnet }}"
|
|
||||||
KUBE_NET_DNS_DOMAIN="{{ kubernetes_cluster_domain }}"
|
|
||||||
CONTAINER_RUNTIME=docker
|
|
||||||
KUBELET_NODE_LABELS="{{ kubeadm_kubelet_labels }}"
|
|
||||||
KUBE_SELF_HOSTED="{{ kubernetes_selfhosted }}"
|
|
||||||
KUBE_KEYSTONE_AUTH="{{ kubernetes_keystone_auth }}"
|
|
||||||
GATE_FQDN_TEST="{{ gate_fqdn_test }}"
|
|
||||||
GATE_FQDN_TLD="{{ gate_fqdn_tld }}"
|
|
||||||
GATE_INGRESS_IP="{{ primary_node_default_ip }}"
|
|
||||||
register: kubeadm_master_deploy
|
|
||||||
rescue:
|
|
||||||
- name: "getting logs for {{ kubeadm_aio_action }} action"
|
|
||||||
command: "docker logs kubeadm-{{ kubeadm_aio_action }}"
|
|
||||||
become: true
|
|
||||||
become_user: root
|
|
||||||
register: out
|
|
||||||
- name: "dumping logs for {{ kubeadm_aio_action }} action"
|
|
||||||
debug:
|
|
||||||
var: out.stdout_lines
|
|
||||||
- name: "exiting if {{ kubeadm_aio_action }} action failed"
|
|
||||||
command: exit 1
|
|
||||||
always:
|
|
||||||
- name: "removing container for {{ kubeadm_aio_action }} action"
|
|
||||||
become: true
|
|
||||||
become_user: root
|
|
||||||
docker_container:
|
|
||||||
name: "kubeadm-{{ kubeadm_aio_action }}"
|
|
||||||
state: absent
|
|
||||||
- name: add labels to namespaces
|
|
||||||
command: kubectl label --overwrite namespace {{ item }} name={{ item }}
|
|
||||||
with_items:
|
|
||||||
- default
|
|
||||||
- kube-system
|
|
||||||
- kube-public
|
|
||||||
ignore_errors: True
|
|
||||||
...
|
|
@ -1,31 +0,0 @@
|
|||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
---
|
|
||||||
- name: setting playbook user info facts before escalating privileges
|
|
||||||
set_fact:
|
|
||||||
playbook_user_id: "{{ ansible_user_uid }}"
|
|
||||||
playbook_group_id: "{{ ansible_user_gid }}"
|
|
||||||
playbook_user_dir: "{{ ansible_user_dir }}"
|
|
||||||
|
|
||||||
- name: deploying kubelet and support assets to node
|
|
||||||
include_role:
|
|
||||||
name: deploy-kubeadm-aio-common
|
|
||||||
tasks_from: main
|
|
||||||
|
|
||||||
- name: deploying kubernetes on master node
|
|
||||||
vars:
|
|
||||||
kubeadm_aio_action: deploy-kube
|
|
||||||
include_role:
|
|
||||||
name: deploy-kubeadm-aio-common
|
|
||||||
tasks_from: util-kubeadm-aio-run
|
|
||||||
...
|
|
@ -1,17 +0,0 @@
|
|||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
---
|
|
||||||
images:
|
|
||||||
kubernetes:
|
|
||||||
kubeadm_aio: openstackhelm/kubeadm-aio:dev
|
|
||||||
...
|
|
@ -1,51 +0,0 @@
|
|||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
---
|
|
||||||
- name: setting playbook user info facts before escalating privileges
|
|
||||||
set_fact:
|
|
||||||
playbook_user_id: "{{ ansible_user_uid }}"
|
|
||||||
playbook_group_id: "{{ ansible_user_gid }}"
|
|
||||||
playbook_user_dir: "{{ ansible_user_dir }}"
|
|
||||||
kube_master: "{{ groups['primary'][0] }}"
|
|
||||||
kube_worker: "{{ inventory_hostname }}"
|
|
||||||
kube_node_hostname: "{{ ansible_fqdn }}"
|
|
||||||
|
|
||||||
- name: deploying kubelet and support assets to node
|
|
||||||
include_role:
|
|
||||||
name: deploy-kubeadm-aio-common
|
|
||||||
tasks_from: main
|
|
||||||
|
|
||||||
- name: generating the kubeadm join command for the node
|
|
||||||
include: util-generate-join-command.yaml
|
|
||||||
delegate_to: "{{ kube_master }}"
|
|
||||||
|
|
||||||
- name: joining node to kubernetes cluster
|
|
||||||
vars:
|
|
||||||
kubeadm_aio_action: join-kube
|
|
||||||
kubeadm_aio_join_command: "{{ kubeadm_cluster_join_command }}"
|
|
||||||
include: util-run-join-command.yaml
|
|
||||||
|
|
||||||
# FIXME(portdirect): running as root for now to unblock the gates, though this
|
|
||||||
# runs ok under ansible 2.5.4 locally without privileges
|
|
||||||
- name: waiting for node to be ready
|
|
||||||
delegate_to: "{{ kube_master }}"
|
|
||||||
become: true
|
|
||||||
become_user: root
|
|
||||||
shell: kubectl get node "{{ kube_node_hostname }}" -o jsonpath="{$.status.conditions[?(@.reason=='KubeletReady')]['type']}" || echo "Not registered yet"
|
|
||||||
environment:
|
|
||||||
KUBECONFIG: '/etc/kubernetes/admin.conf'
|
|
||||||
register: task_result
|
|
||||||
until: task_result.stdout == 'Ready'
|
|
||||||
retries: 120
|
|
||||||
delay: 5
|
|
||||||
...
|
|
@ -1,56 +0,0 @@
|
|||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
---
|
|
||||||
- name: generate the kubeadm join command for nodes
|
|
||||||
vars:
|
|
||||||
kubeadm_aio_action: generate-join-cmd
|
|
||||||
kubeadm_cluster_join_ttl: 30m
|
|
||||||
kube_worker: null
|
|
||||||
block:
|
|
||||||
- name: "deploying kubeadm {{ kubeadm_aio_action }} container"
|
|
||||||
become: true
|
|
||||||
become_user: root
|
|
||||||
docker_container:
|
|
||||||
name: "kubeadm-{{ kube_worker }}-{{ kubeadm_aio_action }}"
|
|
||||||
image: "{{ images.kubernetes.kubeadm_aio }}"
|
|
||||||
state: started
|
|
||||||
detach: false
|
|
||||||
recreate: yes
|
|
||||||
network_mode: host
|
|
||||||
volumes:
|
|
||||||
- /etc/kubernetes:/etc/kubernetes:ro
|
|
||||||
env:
|
|
||||||
ACTION=generate-join-cmd
|
|
||||||
TTL="{{ kubeadm_cluster_join_ttl }}"
|
|
||||||
register: kubeadm_generate_join_command
|
|
||||||
- name: "getting logs for {{ kubeadm_aio_action }} action"
|
|
||||||
command: "docker logs kubeadm-{{ kube_worker }}-{{ kubeadm_aio_action }}"
|
|
||||||
become: true
|
|
||||||
become_user: root
|
|
||||||
register: kubeadm_aio_action_logs
|
|
||||||
- name: storing cluster join command
|
|
||||||
set_fact: kubeadm_cluster_join_command="{{ kubeadm_aio_action_logs.stdout | regex_search('kubeadm join.*') }}"
|
|
||||||
rescue:
|
|
||||||
- name: "dumping logs for {{ kubeadm_aio_action }} action"
|
|
||||||
debug:
|
|
||||||
var: kubeadm_aio_action_logs.stdout_lines
|
|
||||||
- name: "exiting if {{ kubeadm_aio_action }} action failed"
|
|
||||||
command: exit 1
|
|
||||||
always:
|
|
||||||
- name: "removing container for {{ kubeadm_aio_action }} action"
|
|
||||||
become: true
|
|
||||||
become_user: root
|
|
||||||
docker_container:
|
|
||||||
name: "kubeadm-{{ kube_worker }}-{{ kubeadm_aio_action }}"
|
|
||||||
state: absent
|
|
||||||
...
|
|
@ -1,59 +0,0 @@
|
|||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
---
|
|
||||||
- name: master
|
|
||||||
vars:
|
|
||||||
kubeadm_aio_action: join-kube
|
|
||||||
kubeadm_aio_join_command: null
|
|
||||||
block:
|
|
||||||
- name: "deploying kubeadm {{ kubeadm_aio_action }} container"
|
|
||||||
become: true
|
|
||||||
become_user: root
|
|
||||||
docker_container:
|
|
||||||
name: "kubeadm-{{ kubeadm_aio_action }}"
|
|
||||||
image: "{{ images.kubernetes.kubeadm_aio }}"
|
|
||||||
state: started
|
|
||||||
detach: false
|
|
||||||
recreate: yes
|
|
||||||
pid_mode: host
|
|
||||||
network_mode: host
|
|
||||||
capabilities: SYS_ADMIN
|
|
||||||
volumes:
|
|
||||||
- /sys:/sys:rw
|
|
||||||
- /run:/run:rw
|
|
||||||
- /:/mnt/rootfs:rw
|
|
||||||
- /etc:/etc:rw
|
|
||||||
env:
|
|
||||||
CONTAINER_NAME="kubeadm-{{ kubeadm_aio_action }}"
|
|
||||||
ACTION="{{ kubeadm_aio_action }}"
|
|
||||||
KUBEADM_JOIN_COMMAND="{{ kubeadm_aio_join_command }}"
|
|
||||||
register: kubeadm_aio_join_container
|
|
||||||
rescue:
|
|
||||||
- name: "getting logs for {{ kubeadm_aio_action }} action"
|
|
||||||
command: "docker logs kubeadm-{{ kubeadm_aio_action }}"
|
|
||||||
become: true
|
|
||||||
become_user: root
|
|
||||||
register: kubeadm_aio_join_container_output
|
|
||||||
- name: "dumping logs for {{ kubeadm_aio_action }} action"
|
|
||||||
debug:
|
|
||||||
msg: "{{ kubeadm_aio_join_container_output.stdout_lines }}"
|
|
||||||
- name: "exiting if {{ kubeadm_aio_action }} action failed"
|
|
||||||
command: exit 1
|
|
||||||
always:
|
|
||||||
- name: "removing container for {{ kubeadm_aio_action }} action"
|
|
||||||
become: true
|
|
||||||
become_user: root
|
|
||||||
docker_container:
|
|
||||||
name: "kubeadm-{{ kubeadm_aio_action }}"
|
|
||||||
state: absent
|
|
||||||
...
|
|
@ -1,119 +0,0 @@
|
|||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
FROM docker.io/ubuntu:bionic
|
|
||||||
MAINTAINER pete.birley@att.com
|
|
||||||
|
|
||||||
ARG UBUNTU_URL=http://archive.ubuntu.com/ubuntu/
|
|
||||||
ARG ALLOW_UNAUTHENTICATED=false
|
|
||||||
ARG PIP_INDEX_URL=https://pypi.python.org/simple/
|
|
||||||
ARG PIP_TRUSTED_HOST=pypi.python.org
|
|
||||||
ENV PIP_INDEX_URL=${PIP_INDEX_URL}
|
|
||||||
ENV PIP_TRUSTED_HOST=${PIP_TRUSTED_HOST}
|
|
||||||
|
|
||||||
COPY ./tools/images/kubeadm-aio/sources.list /etc/apt/
|
|
||||||
RUN sed -i \
|
|
||||||
-e "s|%%UBUNTU_URL%%|${UBUNTU_URL}|g" \
|
|
||||||
/etc/apt/sources.list ;\
|
|
||||||
echo "APT::Get::AllowUnauthenticated \"${ALLOW_UNAUTHENTICATED}\";\n\
|
|
||||||
Acquire::AllowInsecureRepositories \"${ALLOW_UNAUTHENTICATED}\";\n\
|
|
||||||
Acquire::AllowDowngradeToInsecureRepositories \"${ALLOW_UNAUTHENTICATED}\";" \
|
|
||||||
>> /etc/apt/apt.conf.d/allow-unathenticated
|
|
||||||
|
|
||||||
ARG GOOGLE_KUBERNETES_REPO_URL=https://storage.googleapis.com/kubernetes-release/release/${KUBE_VERSION}/bin/linux/amd64
|
|
||||||
ENV GOOGLE_KUBERNETES_REPO_URL ${GOOGLE_KUBERNETES_REPO_URL}
|
|
||||||
|
|
||||||
ARG HELM_REPO_URL=https://get.helm.sh
|
|
||||||
ENV HELM_REPO_URL ${HELM_REPO_URL}
|
|
||||||
|
|
||||||
ARG KUBE_VERSION="v1.19.15"
|
|
||||||
ENV KUBE_VERSION ${KUBE_VERSION}
|
|
||||||
|
|
||||||
ARG CNI_VERSION="v0.8.5"
|
|
||||||
ENV CNI_VERSION ${CNI_VERSION}
|
|
||||||
|
|
||||||
ARG CNI_REPO_URL=https://github.com/containernetworking/plugins/releases/download/$CNI_VERSION
|
|
||||||
ENV CNI_REPO_URL ${CNI_REPO_URL}
|
|
||||||
|
|
||||||
ARG HELM_VERSION="v2.17.0"
|
|
||||||
ENV HELM_VERSION ${HELM_VERSION}
|
|
||||||
|
|
||||||
ARG CHARTS="calico,flannel,tiller,kube-dns,kubernetes-keystone-webhook"
|
|
||||||
ENV CHARTS ${CHARTS}
|
|
||||||
|
|
||||||
ARG HTTP_PROXY=""
|
|
||||||
ENV HTTP_PROXY ${HTTP_PROXY}
|
|
||||||
ENV http_proxy ${HTTP_PROXY}
|
|
||||||
|
|
||||||
ARG HTTPS_PROXY=""
|
|
||||||
ENV HTTPS_PROXY ${HTTPS_PROXY}
|
|
||||||
ENV https_proxy ${HTTPS_PROXY}
|
|
||||||
|
|
||||||
ARG NO_PROXY="127.0.0.1,localhost,.svc.cluster.local"
|
|
||||||
ENV NO_PROXY ${NO_PROXY}
|
|
||||||
ENV no_proxy ${NO_PROXY}
|
|
||||||
|
|
||||||
ENV container="docker" \
|
|
||||||
DEBIAN_FRONTEND="noninteractive" \
|
|
||||||
CNI_BIN_DIR="/opt/cni/bin"
|
|
||||||
|
|
||||||
RUN set -ex ;\
|
|
||||||
apt-get update ;\
|
|
||||||
apt-get upgrade -y ;\
|
|
||||||
apt-get install -y --no-install-recommends \
|
|
||||||
bash \
|
|
||||||
ca-certificates \
|
|
||||||
curl \
|
|
||||||
jq \
|
|
||||||
python3-pip \
|
|
||||||
gawk ;\
|
|
||||||
pip3 --no-cache-dir install --upgrade pip==21.0.1 ;\
|
|
||||||
hash -r ;\
|
|
||||||
pip3 --no-cache-dir install --upgrade setuptools ;\
|
|
||||||
# NOTE(srwilkers): Pinning ansible to 2.5.5, as pip installs 2.6 by default.
|
|
||||||
# 2.6 introduces a new command flag (init) for the docker_container module
|
|
||||||
# that is incompatible with what we have currently. 2.5.5 ensures we match
|
|
||||||
# what's deployed in the gates
|
|
||||||
pip3 --no-cache-dir install --upgrade \
|
|
||||||
requests \
|
|
||||||
docker \
|
|
||||||
kubernetes \
|
|
||||||
"ansible==2.5.5" ;\
|
|
||||||
for BINARY in kubectl kubeadm; do \
|
|
||||||
curl -sSL -o /usr/bin/${BINARY} \
|
|
||||||
${GOOGLE_KUBERNETES_REPO_URL}/${BINARY} ;\
|
|
||||||
chmod +x /usr/bin/${BINARY} ;\
|
|
||||||
done ;\
|
|
||||||
mkdir -p /opt/assets/usr/bin ;\
|
|
||||||
curl -sSL -o /opt/assets/usr/bin/kubelet \
|
|
||||||
${GOOGLE_KUBERNETES_REPO_URL}/kubelet ;\
|
|
||||||
chmod +x /opt/assets/usr/bin/kubelet ;\
|
|
||||||
mkdir -p /opt/assets${CNI_BIN_DIR} ;\
|
|
||||||
curl -sSL ${CNI_REPO_URL}/cni-plugins-linux-amd64-$CNI_VERSION.tgz | \
|
|
||||||
tar -zxv --strip-components=1 -C /opt/assets${CNI_BIN_DIR} ;\
|
|
||||||
TMP_DIR=$(mktemp -d) ;\
|
|
||||||
curl -sSL ${HELM_REPO_URL}/helm-${HELM_VERSION}-linux-amd64.tar.gz | tar -zxv --strip-components=1 -C ${TMP_DIR} ;\
|
|
||||||
mv ${TMP_DIR}/helm /usr/bin/helm ;\
|
|
||||||
rm -rf ${TMP_DIR} ;\
|
|
||||||
apt-get purge -y --auto-remove \
|
|
||||||
curl ;\
|
|
||||||
rm -rf /var/lib/apt/lists/* /tmp/* /root/.cache
|
|
||||||
|
|
||||||
COPY ./ /tmp/source
|
|
||||||
RUN set -ex ;\
|
|
||||||
cp -rfav /tmp/source/tools/images/kubeadm-aio/assets/* / ;\
|
|
||||||
IFS=','; for CHART in $CHARTS; do \
|
|
||||||
mv -v /tmp/source/${CHART} /opt/charts/; \
|
|
||||||
done ;\
|
|
||||||
rm -rf /tmp/source
|
|
||||||
|
|
||||||
ENTRYPOINT ["/entrypoint.sh"]
|
|
@ -1,134 +0,0 @@
#!/usr/bin/env bash
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -e
if [ "x${ACTION}" == "xgenerate-join-cmd" ]; then
: ${TTL:="10m"}
DISCOVERY_TOKEN="$(kubeadm token --kubeconfig /etc/kubernetes/admin.conf create --ttl ${TTL} --usages signing,authentication --groups '')"
DISCOVERY_TOKEN_CA_HASH="$(openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* /sha256:/')"
API_SERVER=$(cat /etc/kubernetes/admin.conf | python3 -c "import sys, yaml; print(yaml.safe_load(sys.stdin)['clusters'][0]['cluster']['server'].split(\"//\",1).pop())")
exec echo "kubeadm join \
--token ${DISCOVERY_TOKEN} \
--discovery-token-ca-cert-hash ${DISCOVERY_TOKEN_CA_HASH} \
${API_SERVER}"
elif [ "x${ACTION}" == "xjoin-kube" ]; then
exec ansible-playbook /opt/playbooks/kubeadm-aio-deploy-node.yaml \
--inventory=/opt/playbooks/inventory.ini \
--extra-vars="kubeadm_join_command=\"${KUBEADM_JOIN_COMMAND}\""
fi
: ${ACTION:="deploy-kube"}
: ${CONTAINER_NAME:="null"}
: ${CONTAINER_RUNTIME:="docker"}
: ${CNI_ENABLED:="calico"}
: ${CNI_HOST_IP:="10.96.232.136"}
: ${NET_SUPPORT_LINUXBRIDGE:="true"}
: ${PVC_SUPPORT_CEPH:="false"}
: ${PVC_SUPPORT_NFS:="false"}
: ${HELM_TILLER_IMAGE:="ghcr.io/helm/tiller:${HELM_VERSION}"}
: ${KUBE_VERSION:="${KUBE_VERSION}"}
: ${KUBE_IMAGE_REPO:="k8s.gcr.io"}
: ${KUBE_API_BIND_PORT:="6443"}
: ${KUBE_NET_DNS_DOMAIN:="cluster.local"}
: ${KUBE_NET_POD_SUBNET:="192.168.0.0/16"}
: ${KUBE_NET_SUBNET_SUBNET:="10.96.0.0/12"}
: ${KUBE_BIND_DEVICE:=""}
: ${KUBE_BIND_ADDR:=""}
: ${KUBE_API_BIND_DEVICE:="${KUBE_BIND_DEVICE}"}
: ${KUBE_API_BIND_ADDR:="${KUBE_BIND_ADDR}"}
: ${KUBE_CERTS_DIR:="/etc/kubernetes/pki"}
: ${KUBE_SELF_HOSTED:="false"}
: ${KUBE_KEYSTONE_AUTH:="false"}
: ${KUBELET_NODE_LABELS:=""}
: ${GATE_FQDN_TEST:="false"}
: ${GATE_INGRESS_IP:="127.0.0.1"}
: ${GATE_FQDN_TLD:="openstackhelm.test"}
PLAYBOOK_VARS="{
\"my_container_name\": \"${CONTAINER_NAME}\",
\"user\": {
\"uid\": ${USER_UID},
\"gid\": ${USER_GID},
\"home\": \"${USER_HOME}\"
},
\"cluster\": {
\"cni\": \"${CNI_ENABLED}\",
\"cni_host_ip\": \"${CNI_HOST_IP}\"
},
\"kubelet\": {
\"container_runtime\": \"${CONTAINER_RUNTIME}\",
\"net_support_linuxbridge\": ${NET_SUPPORT_LINUXBRIDGE},
\"pv_support_nfs\": ${PVC_SUPPORT_NFS},
\"pv_support_ceph\": ${PVC_SUPPORT_CEPH}
},
\"helm\": {
\"tiller_image\": \"${HELM_TILLER_IMAGE}\"
},
\"k8s\": {
\"kubernetesVersion\": \"${KUBE_VERSION}\",
\"imageRepository\": \"${KUBE_IMAGE_REPO}\",
\"certificatesDir\": \"${KUBE_CERTS_DIR}\",
\"selfHosted\": \"${KUBE_SELF_HOSTED}\",
\"keystoneAuth\": \"${KUBE_KEYSTONE_AUTH}\",
\"api\": {
\"bindPort\": ${KUBE_API_BIND_PORT}
},
\"networking\": {
\"dnsDomain\": \"${KUBE_NET_DNS_DOMAIN}\",
\"podSubnet\": \"${KUBE_NET_POD_SUBNET}\",
\"serviceSubnet\": \"${KUBE_NET_SUBNET_SUBNET}\"
}
},
\"gate\": {
\"fqdn_testing\": \"${GATE_FQDN_TEST}\",
\"ingress_ip\": \"${GATE_INGRESS_IP}\",
\"fqdn_tld\": \"${GATE_FQDN_TLD}\"
}
}"
set -x
if [ "x${ACTION}" == "xdeploy-kubelet" ]; then
if [ "x${KUBE_BIND_ADDR}" != "x" ]; then
PLAYBOOK_VARS=$(echo $PLAYBOOK_VARS | jq ".kubelet += {\"bind_addr\": \"${KUBE_BIND_ADDR}\"}")
elif [ "x${KUBE_BIND_DEVICE}" != "x" ]; then
PLAYBOOK_VARS=$(echo $PLAYBOOK_VARS | jq ".kubelet += {\"bind_device\": \"${KUBE_BIND_DEVICE}\"}")
fi
if [ "x${KUBELET_NODE_LABELS}" != "x" ]; then
PLAYBOOK_VARS=$(echo $PLAYBOOK_VARS | jq ".kubelet += {\"kubelet_labels\": \"${KUBELET_NODE_LABELS}\"}")
fi
exec ansible-playbook /opt/playbooks/kubeadm-aio-deploy-kubelet.yaml \
--inventory=/opt/playbooks/inventory.ini \
--inventory=/opt/playbooks/vars.yaml \
--extra-vars="${PLAYBOOK_VARS}"
elif [ "x${ACTION}" == "xdeploy-kube" ]; then
if [ "x${KUBE_API_BIND_ADDR}" != "x" ]; then
PLAYBOOK_VARS=$(echo $PLAYBOOK_VARS | jq ".k8s.api += {\"advertiseAddress\": \"${KUBE_API_BIND_ADDR}\"}")
elif [ "x${KUBE_API_BIND_DEVICE}" != "x" ]; then
PLAYBOOK_VARS=$(echo $PLAYBOOK_VARS | jq ".k8s.api += {\"advertiseAddressDevice\": \"${KUBE_API_BIND_DEVICE}\"}")
fi
exec ansible-playbook /opt/playbooks/kubeadm-aio-deploy-master.yaml \
--inventory=/opt/playbooks/inventory.ini \
--inventory=/opt/playbooks/vars.yaml \
--extra-vars="${PLAYBOOK_VARS}"
elif [ "x${ACTION}" == "xclean-host" ]; then
exec ansible-playbook /opt/playbooks/kubeadm-aio-clean.yaml \
--inventory=/opt/playbooks/inventory.ini \
--inventory=/opt/playbooks/vars.yaml \
--extra-vars="${PLAYBOOK_VARS}"
else
exec ${ACTION}
fi
@ -1,2 +0,0 @@
[node]
/mnt/rootfs ansible_connection=chroot
@ -1,21 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- hosts: all
gather_facts: True
become: yes
roles:
- clean-host
tags:
- clean-host
...
@ -1,21 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- hosts: all
gather_facts: True
become: yes
roles:
- deploy-kubelet
tags:
- deploy-kubelet
...
@ -1,20 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- hosts: all
become: yes
roles:
- deploy-kubeadm-master
tags:
- deploy-kubeadm-master
...
@ -1,20 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- hosts: all
become: yes
roles:
- deploy-kubeadm-node
tags:
- deploy-kubeadm-node
...
@ -1,62 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: clean | kube | remove config
file:
path: "{{ item }}"
state: absent
with_items:
- /etc/kubernetes
- name: clean | kube | stop kubelet service
ignore_errors: yes
systemd:
name: kubelet
state: stopped
enabled: no
masked: no
- name: clean | kube | removing any old docker containers
ignore_errors: yes
shell: MY_CONTAINER_ID=$(docker inspect --format {% raw %}'{{ .Id }}'{% endraw %} "{{ my_container_name }}"); docker ps --all --no-trunc --quiet | awk '!'"/${MY_CONTAINER_ID}/ { print \$1 }" | xargs -r -l1 -P16 docker rm -f
args:
executable: /bin/bash
- name: clean | kube | remove any mounts
ignore_errors: yes
shell: |-
for MOUNT in $(findmnt --df --output TARGET | grep "^/var/lib/kubelet"); do
umount --force $MOUNT
done
args:
executable: /bin/bash
- name: clean | kube | remove dirs
file:
path: "{{ item }}"
state: absent
with_items:
- /etc/kubernetes
- /etc/cni/net.d
- /etc/systemd/system/kubelet.service
- /etc/systemd/system/kubelet.service.d
- /var/lib/kubelet
- /var/lib/etcd
- /var/etcd
- /opt/cni/bin
- name: clean | kube | reload systemd
systemd:
daemon_reload: yes
...
@ -1,142 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
---
- name: setting up bootstrap tiller
block:
- name: pull the helm tiller Image
become: true
become_user: root
docker_image:
pull: true
name: "{{ helm.tiller_image }}"
- name: deploying bootstrap tiller
become: true
become_user: root
docker_container:
name: "helm-tiller"
image: "{{ helm.tiller_image }}"
state: started
detach: true
recreate: yes
network_mode: host
user: root
volumes:
- /etc/kubernetes/admin.conf:/etc/kubernetes/admin.conf:ro
env:
KUBECONFIG=/etc/kubernetes/admin.conf
register: kubeadm_aio_tiller_container
ignore_errors: True
- name: wait for tiller to be ready
delegate_to: 127.0.0.1
command: helm version --server
environment:
HELM_HOST: 'localhost:44134'
register: task_result
until: task_result.rc == 0
retries: 120
delay: 5
- name: kubeadm | cni | get default mtu
block:
- name: getting default route device mtu
shell: echo $(cat /sys/class/net/$(sudo ip -4 route list 0/0 | awk '{ print $5; exit }')/mtu)
args:
executable: /bin/bash
register: cni_default_device_mtu
- name: Generate self-signed certificates
when: cluster.cni == 'calico'
delegate_to: 127.0.0.1
block:
- name: Get cfssl
get_url:
url: "https://pkg.cfssl.org/R1.2/{{ item }}_linux-amd64"
dest: "/usr/local/bin/{{ item }}"
mode: 744
with_items:
- cfssl
- cfssljson
- name: Add ca-config
template:
src: ca-config.json.j2
dest: /etc/kubernetes/pki/calico/ca-config.json
- name: Copy CA
copy:
src: /etc/kubernetes/pki/{{ item }}
dest: /etc/kubernetes/pki/calico/{{ item }}
with_items:
- ca.crt
- ca.key
- name: Prepare certificates for Calico
shell: |
echo '{"CN":"server","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=ca.crt -ca-key=ca.key -config=ca-config.json -profile=server -hostname="{{ cluster.cni_host_ip }},127.0.0.1,localhost" - | cfssljson -bare server
echo '{"CN":"client","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=ca.crt -ca-key=ca.key -config=ca-config.json -profile=client - | cfssljson -bare client
args:
chdir: /etc/kubernetes/pki/calico
executable: /bin/bash
- name: Add script file
template:
src: certs.py.j2
dest: /etc/kubernetes/pki/calico/certs.py
- name: Create yaml file
shell: python3 /etc/kubernetes/pki/calico/certs.py
args:
executable: /bin/bash
chdir: /etc/kubernetes/pki/calico
- name: kubeadm | cni | calico
when: cluster.cni == 'calico'
delegate_to: 127.0.0.1
block:
- name: kubeadm | cni | calico | label node
command: kubectl label --overwrite nodes {{ kubeadm_node_hostname }} node-role.kubernetes.io/master=
environment:
KUBECONFIG: '/mnt/rootfs/etc/kubernetes/admin.conf'
- name: kubeadm | cni | calico
command: helm install /opt/charts/calico --name calico --namespace kube-system --set networking.podSubnet="{{ k8s.networking.podSubnet }}" --set conf.node.IP_AUTODETECTION_METHOD="can-reach={% if k8s.api.advertiseAddress is defined %}{{ k8s.api.advertiseAddress }}{% else %}{% if k8s.api.advertiseAddressDevice is defined %}{{ hostvars[inventory_hostname]['ansible_'+k8s.api.advertiseAddressDevice].ipv4.address }}{% else %}{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}{% endif %}{% endif %}" --set networking.mtu="{{ cni_default_device_mtu.stdout }}" --values="/etc/kubernetes/pki/calico/calico_certs.yaml" --set monitoring.prometheus.calico_node.port="{{ calico.prometheus_port }}" --wait --timeout=600
environment:
HELM_HOST: 'localhost:44134'
- name: kubeadm | cni | calico
command: helm status calico
environment:
HELM_HOST: 'localhost:44134'
register: kubeadm_helm_cni_status
- name: kubeadm | cni | status
debug:
msg: "{{ kubeadm_helm_cni_status.stdout_lines }}"
- name: kubeadm | cni | flannel
when: cluster.cni == 'flannel'
delegate_to: 127.0.0.1
block:
- name: kubeadm | cni | flannel
command: helm install /opt/charts/flannel --name flannel --namespace kube-system --set networking.podSubnet="{{ k8s.networking.podSubnet }}" --wait --timeout=600
environment:
HELM_HOST: 'localhost:44134'
- name: kubeadm | cni | flannel
command: helm status flannel
environment:
HELM_HOST: 'localhost:44134'
register: kubeadm_helm_cni_status
- name: kubeadm | cni | status
debug:
msg: "{{ kubeadm_helm_cni_status.stdout_lines }}"
- name: "removing bootstrap tiller container"
become: true
become_user: root
docker_container:
name: "helm-tiller"
state: absent
...
@ -1,89 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
---
- name: setting up bootstrap tiller
block:
- name: pull the helm tiller Image
become: true
become_user: root
docker_image:
pull: true
name: "{{ helm.tiller_image }}"
- name: deploying bootstrap tiller
become: true
become_user: root
docker_container:
name: "helm-tiller"
image: "{{ helm.tiller_image }}"
state: started
detach: true
recreate: yes
network_mode: host
user: root
volumes:
- /etc/kubernetes/admin.conf:/etc/kubernetes/admin.conf:ro
env:
KUBECONFIG: /etc/kubernetes/admin.conf
register: kubeadm_aio_tiller_container
ignore_errors: True
- name: wait for tiller to be ready
delegate_to: 127.0.0.1
command: helm version --server
environment:
HELM_HOST: 'localhost:44134'
register: task_result
until: task_result.rc == 0
retries: 120
delay: 5
- name: ensure tiller release installed
delegate_to: 127.0.0.1
block:
- name: install tiller release
command: helm install /opt/charts/tiller --name tiller --namespace kube-system --set monitoring.prometheus.enabled=true --wait
environment:
HELM_HOST: 'localhost:44134'
- name: get the status for tiller release
command: helm status tiller
environment:
HELM_HOST: 'localhost:44134'
register: kubeadm_helm_cni_status
- name: display the status for tiller release
debug:
msg: "{{ kubeadm_helm_cni_status }}"
- name: "removing bootstrap tiller container"
become: true
become_user: root
docker_container:
name: "helm-tiller"
state: absent
- name: setting up helm client on host
block:
- name: copying helm binary to host
become: true
become_user: root
copy:
src: /usr/bin/helm
dest: /usr/bin/helm
owner: root
group: root
mode: 365
- name: setting up helm client for user
environment:
http_proxy: "{{ proxy.http }}"
https_proxy: "{{ proxy.https }}"
no_proxy: "{{ proxy.noproxy }}"
command: helm init --client-only --skip-refresh --stable-repo-url "https://charts.helm.sh/stable"
...
@ -1,71 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
---
- name: setting up bootstrap tiller
block:
- name: pull the helm tiller Image
become: true
become_user: root
docker_image:
pull: true
name: "{{ helm.tiller_image }}"
- name: deploying bootstrap tiller
become: true
become_user: root
docker_container:
name: "helm-tiller"
image: "{{ helm.tiller_image }}"
state: started
detach: true
recreate: yes
network_mode: host
user: root
volumes:
- /etc/kubernetes/admin.conf:/etc/kubernetes/admin.conf:ro
env:
KUBECONFIG=/etc/kubernetes/admin.conf
register: kubeadm_aio_tiller_container
ignore_errors: True
- name: wait for tiller to be ready
delegate_to: 127.0.0.1
command: helm version --server
environment:
HELM_HOST: 'localhost:44134'
register: task_result
until: task_result.rc == 0
retries: 120
delay: 5
- name: kubeadm | dns
delegate_to: 127.0.0.1
block:
- name: kubeadm | dns
command: "helm install /opt/charts/kube-dns --name kube-dns --namespace kube-system --set networking.dnsDomain={{ k8s.networking.dnsDomain }} --wait"
environment:
HELM_HOST: 'localhost:44134'
- name: kubeadm | dns
command: helm status kube-dns
environment:
HELM_HOST: 'localhost:44134'
register: kubeadm_helm_dns_status
- name: kubeadm | dns
debug:
msg: "{{ kubeadm_helm_dns_status }}"
- name: "removing bootstrap tiller container"
become: true
become_user: root
docker_container:
name: "helm-tiller"
state: absent
...
@ -1,102 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
---
- name: setting up bootstrap tiller
block:
- name: pull the helm tiller Image
become: true
become_user: root
docker_image:
pull: true
name: "{{ helm.tiller_image }}"
- name: deploying bootstrap tiller
become: true
become_user: root
docker_container:
name: "helm-tiller"
image: "{{ helm.tiller_image }}"
state: started
detach: true
recreate: yes
network_mode: host
user: root
volumes:
- /etc/kubernetes/admin.conf:/etc/kubernetes/admin.conf:ro
env:
KUBECONFIG=/etc/kubernetes/admin.conf
register: kubeadm_aio_tiller_container
ignore_errors: True
- name: wait for tiller to be ready
delegate_to: 127.0.0.1
command: helm version --server
environment:
HELM_HOST: 'localhost:44134'
register: task_result
until: task_result.rc == 0
retries: 120
delay: 5
- name: kubeadm | get certs
block:
- name: kubeadm | get kubeapi cert
shell: cat /etc/kubernetes/pki/apiserver.crt
register: kubeadm_kubeapi_cert
- name: kubeadm | get kubeapi key
shell: cat /etc/kubernetes/pki/apiserver.key
register: kubeadm_kubeapi_key
- name: kubeadm | keystone auth
delegate_to: 127.0.0.1
block:
- name: kubeadm | keystone auth
command: "helm upgrade --install kubernetes-keystone-webhook /opt/charts/kubernetes-keystone-webhook --namespace=kube-system --set endpoints.identity.namespace=openstack --set endpoints.kubernetes.auth.api.tls.crt='{{ kubeadm_kubeapi_cert.stdout }}' --set endpoints.kubernetes.auth.api.tls.key='{{ kubeadm_kubeapi_key.stdout }}'"
environment:
HELM_HOST: 'localhost:44134'
- name: kubeadm | keystone auth
command: helm status kubernetes-keystone-webhook
environment:
HELM_HOST: 'localhost:44134'
register: kubeadm_helm_keystone_status
- name: kubeadm | keystone auth
debug:
msg: "{{ kubeadm_helm_keystone_status }}"
- name: kubeadm | setup api server for keystone
block:
- name: kubeadm | copying webhook config to host
become: true
become_user: root
template:
src: webhook.kubeconfig.j2
dest: /etc/kubernetes/pki/webhook.kubeconfig
mode: 416
- name: kubeadm | configuring api server
become: true
become_user: root
shell: |
# TODO(lamt): Clean up this way of restarting the kube-apiserver. Preferably,
# the setting is in place when the kube-apiserver comes up. Currently, the
# kube-apiserver does not start whenever the webhook fails.
cat /etc/kubernetes/manifests/kube-apiserver.yaml > /tmp/kube-apiserver.yaml
sed -i '/etcd-keyfile/a \ \ \ \ -\ --authentication-token-webhook-config-file=/etc/kubernetes/pki/webhook.kubeconfig\n \ \ \ \- --authorization-webhook-config-file=/etc/kubernetes/pki/webhook.kubeconfig' /tmp/kube-apiserver.yaml
sed -i -e 's/Node,RBAC/Node,Webhook,RBAC/g' /tmp/kube-apiserver.yaml
sed -i '/hostNetwork: true/a\ \ dnsPolicy: ClusterFirstWithHostNet' /tmp/kube-apiserver.yaml
mv /tmp/kube-apiserver.yaml /etc/kubernetes/manifests/kube-apiserver.yaml
- name: "removing bootstrap tiller container"
become: true
become_user: root
docker_container:
name: "helm-tiller"
state: absent
...
@ -1,240 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
---
- name: storing node hostname
set_fact:
kubeadm_node_hostname: "{% if ansible_domain is defined %}{{ ansible_fqdn }}{% else %}{{ ansible_hostname }}.node.{{ k8s.networking.dnsDomain }}{% endif %}"
- name: deploy config file and make dir structure
block:
- name: setup directorys on host
file:
path: "{{ item }}"
state: directory
with_items:
- /etc/kubernetes
- /etc/kubernetes/pki
- /etc/kubernetes/pki/calico
- name: generating initial admin token
delegate_to: 127.0.0.1
command: /usr/bin/kubeadm token generate
register: kubeadm_bootstrap_token
- name: storing initial admin token
set_fact:
kubeadm_bootstrap_token: "{{ kubeadm_bootstrap_token.stdout }}"
- name: kubelet | copying config to host
template:
|
|
||||||
src: kubeadm-conf.yaml.j2
|
|
||||||
dest: /etc/kubernetes/kubeadm-conf.yaml
|
|
||||||
mode: 416
|
|
||||||
|
|
||||||
- name: generating certs
|
|
||||||
delegate_to: 127.0.0.1
|
|
||||||
block:
|
|
||||||
- name: master | deploy | certs | etcd-ca
|
|
||||||
command: kubeadm init phase certs etcd-ca --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
|
|
||||||
- name: master | deploy | certs | etcd-server
|
|
||||||
command: kubeadm init phase certs etcd-server --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
|
|
||||||
- name: master | deploy | certs | etcd-peer
|
|
||||||
command: kubeadm init phase certs etcd-peer --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
|
|
||||||
- name: master | deploy | certs | etcd-healthcheck-client
|
|
||||||
command: kubeadm init phase certs etcd-healthcheck-client --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
|
|
||||||
- name: master | deploy | certs | ca
|
|
||||||
command: kubeadm init phase certs ca --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
|
|
||||||
- name: master | deploy | certs | apiserver
|
|
||||||
command: kubeadm init phase certs apiserver --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
|
|
||||||
- name: master | deploy | certs | apiserver-etcd-client
|
|
||||||
command: kubeadm init phase certs apiserver-etcd-client --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
|
|
||||||
- name: master | deploy | certs | apiserver-kubelet-client
|
|
||||||
command: kubeadm init phase certs apiserver-kubelet-client --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
|
|
||||||
- name: master | deploy | certs | sa
|
|
||||||
command: kubeadm init phase certs sa
|
|
||||||
- name: master | deploy | certs | front-proxy-ca
|
|
||||||
command: kubeadm init phase certs front-proxy-ca --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
|
|
||||||
- name: master | deploy | certs | front-proxy-client
|
|
||||||
command: kubeadm init phase certs front-proxy-client --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
|
|
||||||
|
|
||||||
- name: generating kubeconfigs
|
|
||||||
delegate_to: 127.0.0.1
|
|
||||||
block:
|
|
||||||
- name: master | deploy | kubeconfig | admin
|
|
||||||
command: kubeadm init phase kubeconfig admin --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
|
|
||||||
- name: master | deploy | kubeconfig | kubelet
|
|
||||||
command: kubeadm init phase kubeconfig kubelet --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
|
|
||||||
- name: master | deploy | kubeconfig | controller-manager
|
|
||||||
command: kubeadm init phase kubeconfig controller-manager --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
|
|
||||||
- name: master | deploy | kubeconfig | scheduler
|
|
||||||
command: kubeadm init phase kubeconfig scheduler --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
|
|
||||||
|
|
||||||
- name: generating etcd static manifest
|
|
||||||
delegate_to: 127.0.0.1
|
|
||||||
command: kubeadm init phase etcd local --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
|
|
||||||
|
|
||||||
- name: generating controlplane static manifests
|
|
||||||
delegate_to: 127.0.0.1
|
|
||||||
block:
|
|
||||||
- name: master | deploy | controlplane | apiserver
|
|
||||||
command: kubeadm init phase control-plane apiserver --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
|
|
||||||
- name: master | deploy | controlplane | controller-manager
|
|
||||||
command: kubeadm init phase control-plane controller-manager --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
|
|
||||||
- name: master | deploy | controlplane | scheduler
|
|
||||||
command: kubeadm init phase control-plane scheduler --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
|
|
||||||
|
|
||||||
- name: wait for kube components
|
|
||||||
delegate_to: 127.0.0.1
|
|
||||||
block:
|
|
||||||
- name: wait for kube api
|
|
||||||
shell: python3 /usr/bin/test-kube-api.py
|
|
||||||
register: task_result
|
|
||||||
until: task_result.rc == 0
|
|
||||||
retries: 120
|
|
||||||
delay: 5
|
|
||||||
environment:
|
|
||||||
KUBECONFIG: '/mnt/rootfs/etc/kubernetes/admin.conf'
|
|
||||||
args:
|
|
||||||
executable: /bin/bash
|
|
||||||
- name: wait for node to come online
|
|
||||||
shell: kubectl get node "{{ kubeadm_node_hostname }}" --no-headers | gawk '{ print $2 }' | grep -q '\(^Ready\)\|\(^NotReady\)'
|
|
||||||
register: task_result
|
|
||||||
until: task_result.rc == 0
|
|
||||||
retries: 120
|
|
||||||
delay: 5
|
|
||||||
environment:
|
|
||||||
KUBECONFIG: '/mnt/rootfs/etc/kubernetes/admin.conf'
|
|
||||||
args:
|
|
||||||
executable: /bin/bash
|
|
||||||
- include_tasks: wait-for-kube-system-namespace.yaml
|
|
||||||
|
|
||||||
- name: deploying kube-proxy
|
|
||||||
delegate_to: 127.0.0.1
|
|
||||||
command: kubeadm init phase addon kube-proxy --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
|
|
||||||
|
|
||||||
- include_tasks: helm-cni.yaml
|
|
||||||
|
|
||||||
- name: wait for kube components
|
|
||||||
delegate_to: 127.0.0.1
|
|
||||||
block:
|
|
||||||
- name: wait for node to be ready
|
|
||||||
shell: kubectl get node "{{ kubeadm_node_hostname }}" --no-headers | gawk '{ print $2 }' | grep -q '^Ready'
|
|
||||||
register: task_result
|
|
||||||
until: task_result.rc == 0
|
|
||||||
retries: 120
|
|
||||||
delay: 5
|
|
||||||
environment:
|
|
||||||
KUBECONFIG: '/mnt/rootfs/etc/kubernetes/admin.conf'
|
|
||||||
args:
|
|
||||||
executable: /bin/bash
|
|
||||||
- include_tasks: wait-for-kube-system-namespace.yaml
|
|
||||||
|
|
||||||
- include_tasks: helm-dns.yaml
|
|
||||||
- include_tasks: helm-keystone-auth.yaml
|
|
||||||
when: k8s.keystoneAuth|bool == true
|
|
||||||
- include_tasks: helm-deploy.yaml
|
|
||||||
|
|
||||||
- name: uploading kubeadm config
|
|
||||||
delegate_to: 127.0.0.1
|
|
||||||
command: kubeadm init phase upload-config kubeadm --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
|
|
||||||
|
|
||||||
- name: uploading kubelet config
|
|
||||||
delegate_to: 127.0.0.1
|
|
||||||
command: kubeadm init phase upload-config kubelet --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
|
|
||||||
|
|
||||||
- name: generating bootstrap-token objects
|
|
||||||
delegate_to: 127.0.0.1
|
|
||||||
block:
|
|
||||||
- name: master | deploy | bootstrap-token
|
|
||||||
command: kubeadm init phase bootstrap-token --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf
|
|
||||||
|
|
||||||
- name: generating bootstrap-token objects
|
|
||||||
delegate_to: 127.0.0.1
|
|
||||||
block:
|
|
||||||
- name: check if kube-public namespace exists
|
|
||||||
command: kubectl --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf get ns kube-public
|
|
||||||
register: kube_public_ns_exists
|
|
||||||
ignore_errors: True
|
|
||||||
- name: create kube-public namespace if required
|
|
||||||
when: kube_public_ns_exists is failed
|
|
||||||
command: kubectl --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf create ns kube-public
|
|
||||||
- name: sourcing kube cluster admin credentials
|
|
||||||
include_vars: /etc/kubernetes/admin.conf
|
|
||||||
- name: creating cluster-info configmap manifest on host
|
|
||||||
template:
|
|
||||||
src: cluster-info.yaml.j2
|
|
||||||
dest: /etc/kubernetes/cluster-info.yaml
|
|
||||||
mode: 420
|
|
||||||
- name: removing any pre-existing cluster-info configmap
|
|
||||||
command: kubectl --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf delete -f /etc/kubernetes/cluster-info.yaml --ignore-not-found
|
|
||||||
- name: creating cluster-info configmap
|
|
||||||
command: kubectl --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf create -f /etc/kubernetes/cluster-info.yaml
|
|
||||||
- name: removing cluster-info configmap manifest from host
|
|
||||||
file:
|
|
||||||
path: "{{ item }}"
|
|
||||||
state: absent
|
|
||||||
with_items:
|
|
||||||
- /etc/kubernetes/cluster-info.yaml
|
|
||||||
|
|
||||||
- name: check if kube-public configmap role exists
|
|
||||||
command: kubectl --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf -n kube-public get role system:bootstrap-signer-clusterinfo
|
|
||||||
register: kube_public_configmap_role_exists
|
|
||||||
ignore_errors: True
|
|
||||||
- name: create kube-public configmap role if required
|
|
||||||
when: kube_public_configmap_role_exists is failed
|
|
||||||
command: kubectl --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf -n kube-public create role system:bootstrap-signer-clusterinfo --verb get --resource configmaps
|
|
||||||
|
|
||||||
- name: check if kube-public configmap rolebinding exists
|
|
||||||
command: kubectl --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf -n kube-public get rolebinding kubeadm:bootstrap-signer-clusterinfo
|
|
||||||
register: kube_public_configmap_rolebinding_exists
|
|
||||||
ignore_errors: True
|
|
||||||
- name: create kube-public configmap rolebinding if required
|
|
||||||
when: kube_public_configmap_rolebinding_exists is failed
|
|
||||||
command: kubectl --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf -n kube-public create rolebinding kubeadm:bootstrap-signer-clusterinfo --role system:bootstrap-signer-clusterinfo --user system:anonymous
|
|
||||||
|
|
||||||
- name: adding labels to namespace to support network policy
|
|
||||||
delegate_to: 127.0.0.1
|
|
||||||
command: kubectl --kubeconfig=/mnt/rootfs/etc/kubernetes/admin.conf label --overwrite namespace {{ item }} name={{ item }}
|
|
||||||
with_items:
|
|
||||||
- default
|
|
||||||
- kube-system
|
|
||||||
- kube-public
|
|
||||||
|
|
||||||
- name: converting the cluster to be selfhosted
|
|
||||||
when: k8s.selfHosted|bool == true
|
|
||||||
delegate_to: 127.0.0.1
|
|
||||||
command: kubeadm init phase selfhosting convert-from-staticpods --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
|
|
||||||
|
|
||||||
- name: setting up kubectl client and kubeadm on host
|
|
||||||
block:
|
|
||||||
- name: kubectl | copying kubectl binary to host
|
|
||||||
copy:
|
|
||||||
src: "/usr/bin/{{ item }}"
|
|
||||||
dest: "/usr/bin/{{ item }}"
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 365
|
|
||||||
with_items:
|
|
||||||
- kubectl
|
|
||||||
- kubeadm
|
|
||||||
- name: kubectl | master | ensure kube config directory exists for user
|
|
||||||
file:
|
|
||||||
path: "{{ item }}"
|
|
||||||
state: directory
|
|
||||||
with_items:
|
|
||||||
- "{{ vars.user.home }}/.kube"
|
|
||||||
- name: kubectl | master | deploy kube config file for user
|
|
||||||
copy:
|
|
||||||
src: /mnt/rootfs/etc/kubernetes/admin.conf
|
|
||||||
dest: "{{ vars.user.home }}/.kube/config"
|
|
||||||
owner: "{{ vars.user.uid }}"
|
|
||||||
group: "{{ vars.user.gid }}"
|
|
||||||
mode: 384
|
|
||||||
...
|
|
@ -1,25 +0,0 @@
|
|||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
# not use this file except in compliance with the License. You may obtain
|
|
||||||
# a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
# License for the specific language governing permissions and limitations
|
|
||||||
# under the License.
|
|
||||||
|
|
||||||
---
|
|
||||||
- name: wait for kube pods to all be running in kube-system namespace
|
|
||||||
delegate_to: 127.0.0.1
|
|
||||||
shell: /usr/bin/test-kube-pods-ready kube-system
|
|
||||||
register: task_result
|
|
||||||
until: task_result.rc == 0
|
|
||||||
retries: 120
|
|
||||||
delay: 5
|
|
||||||
environment:
|
|
||||||
KUBECONFIG: '/mnt/rootfs/etc/kubernetes/admin.conf'
|
|
||||||
args:
|
|
||||||
executable: /bin/bash
|
|
||||||
...
|
|
@ -1,35 +0,0 @@
|
|||||||
{
|
|
||||||
"signing": {
|
|
||||||
"default": {
|
|
||||||
"expiry": "8760h"
|
|
||||||
},
|
|
||||||
"profiles": {
|
|
||||||
"server": {
|
|
||||||
"expiry": "8760h",
|
|
||||||
"usages": [
|
|
||||||
"signing",
|
|
||||||
"key encipherment",
|
|
||||||
"server auth",
|
|
||||||
"client auth"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"client": {
|
|
||||||
"expiry": "8760h",
|
|
||||||
"usages": [
|
|
||||||
"signing",
|
|
||||||
"key encipherment",
|
|
||||||
"client auth"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"peer": {
|
|
||||||
"expiry": "8760h",
|
|
||||||
"usages": [
|
|
||||||
"signing",
|
|
||||||
"key encipherment",
|
|
||||||
"server auth",
|
|
||||||
"client auth"
|
|
||||||
]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,28 +0,0 @@
|
|||||||
#!/usr/bin/python
|
|
||||||
|
|
||||||
import yaml
|
|
||||||
|
|
||||||
data = {'server': '',
|
|
||||||
'server-key': '',
|
|
||||||
'client': '',
|
|
||||||
'client-key': ''}
|
|
||||||
|
|
||||||
for i in data.keys():
|
|
||||||
with open('{}.pem'.format(i)) as f:
|
|
||||||
data[i] = f.read()
|
|
||||||
with open('ca.crt') as f:
|
|
||||||
data['ca'] = f.read()
|
|
||||||
|
|
||||||
res = {'endpoints': {'etcd': {'auth': {'client': {'tls': ''}},
|
|
||||||
'scheme': {'default': 'https'}}},
|
|
||||||
'conf': {'etcd': {'credentials': ''}}}
|
|
||||||
|
|
||||||
res['endpoints']['etcd']['auth']['client']['tls'] = {'ca': data['ca'],
|
|
||||||
'key': data['client-key'],
|
|
||||||
'crt': data['client']}
|
|
||||||
res['conf']['etcd']['credentials'] = {'ca': data['ca'],
|
|
||||||
'key': data['server-key'],
|
|
||||||
'certificate': data['server']}
|
|
||||||
|
|
||||||
with open('calico_certs.yaml', 'w') as f:
|
|
||||||
yaml.dump(res, f, default_style='|')
|
|
@ -1,18 +0,0 @@
|
|||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: cluster-info
|
|
||||||
namespace: kube-public
|
|
||||||
data:
|
|
||||||
kubeconfig: |
|
|
||||||
apiVersion: v1
|
|
||||||
clusters:
|
|
||||||
- cluster:
|
|
||||||
certificate-authority-data: {{ clusters[0].cluster['certificate-authority-data'] }}
|
|
||||||
server: {{ clusters[0].cluster['server'] }}
|
|
||||||
name: ""
|
|
||||||
contexts: []
|
|
||||||
current-context: ""
|
|
||||||
kind: Config
|
|
||||||
preferences: {}
|
|
||||||
users: []
|
|
@ -1,34 +0,0 @@
|
|||||||
#jinja2: trim_blocks:False
|
|
||||||
apiVersion: kubeadm.k8s.io/v1beta2
|
|
||||||
kind: ClusterConfiguration
|
|
||||||
kubernetesVersion: {{ k8s.kubernetesVersion }}
|
|
||||||
imageRepository: {{ k8s.imageRepository }}
|
|
||||||
networking:
|
|
||||||
dnsDomain: {{ k8s.networking.dnsDomain }}
|
|
||||||
podSubnet: {{ k8s.networking.podSubnet }}
|
|
||||||
serviceSubnet: {{ k8s.networking.serviceSubnet }}
|
|
||||||
controllerManager:
|
|
||||||
extraArgs:
|
|
||||||
address: "0.0.0.0"
|
|
||||||
port: "10252"
|
|
||||||
feature-gates: "PodShareProcessNamespace=true"
|
|
||||||
scheduler:
|
|
||||||
extraArgs:
|
|
||||||
address: "0.0.0.0"
|
|
||||||
port: "10251"
|
|
||||||
feature-gates: "PodShareProcessNamespace=true"
|
|
||||||
certificatesDir: {{ k8s.certificatesDir }}
|
|
||||||
---
|
|
||||||
apiVersion: kubeadm.k8s.io/v1beta2
|
|
||||||
localAPIEndpoint:
|
|
||||||
advertiseAddress: {% if k8s.api.advertiseAddress is defined %}{{ k8s.api.advertiseAddress }}{% else %}{% if k8s.api.advertiseAddressDevice is defined %}{{ hostvars[inventory_hostname]['ansible_'+k8s.api.advertiseAddressDevice].ipv4.address }}{% else %}{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}{% endif %}{% endif %}
|
|
||||||
bindPort: {{ k8s.api.bindPort }}
|
|
||||||
bootstrapTokens:
|
|
||||||
- groups:
|
|
||||||
- system:bootstrappers:kubeadm:default-node-token
|
|
||||||
token: {{ kubeadm_bootstrap_token }}
|
|
||||||
ttl: 24h0m0s
|
|
||||||
usages:
|
|
||||||
- signing
|
|
||||||
- authentication
|
|
||||||
kind: InitConfiguration
|
|
@ -1,16 +0,0 @@
|
|||||||
apiVersion: v1
|
|
||||||
clusters:
|
|
||||||
- cluster:
|
|
||||||
insecure-skip-tls-verify: true
|
|
||||||
server: https://k8sksauth-api.kube-system.svc.cluster.local:8443/webhook
|
|
||||||
name: webhook
|
|
||||||
contexts:
|
|
||||||
- context:
|
|
||||||
cluster: webhook
|
|
||||||
user: webhook
|
|
||||||
name: webhook
|
|
||||||
current-context: webhook
|
|
||||||
kind: Config
|
|
||||||
preferences: {}
|
|
||||||
users:
|
|
||||||
- name: webhook
|
|
@ -1,40 +0,0 @@
|
|||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
# not use this file except in compliance with the License. You may obtain
|
|
||||||
# a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
# License for the specific language governing permissions and limitations
|
|
||||||
# under the License.
|
|
||||||
|
|
||||||
---
|
|
||||||
- block:
|
|
||||||
- name: base kubeadm deploy
|
|
||||||
file:
|
|
||||||
path: "{{ item }}"
|
|
||||||
state: directory
|
|
||||||
with_items:
|
|
||||||
- /etc/kubernetes/
|
|
||||||
- /etc/systemd/system/kubelet.service.d/
|
|
||||||
- /var/lib/kubelet/
|
|
||||||
- name: copying kubeadm binary to host
|
|
||||||
copy:
|
|
||||||
src: /usr/bin/kubeadm
|
|
||||||
dest: /usr/bin/kubeadm
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 365
|
|
||||||
- debug:
|
|
||||||
msg: "{{ kubeadm_join_command }}"
|
|
||||||
- name: running kubeadm join command
|
|
||||||
command: "{{ kubeadm_join_command }}"
|
|
||||||
- name: base kubeadm deploy
|
|
||||||
file:
|
|
||||||
path: "{{ item }}"
|
|
||||||
state: absent
|
|
||||||
with_items:
|
|
||||||
- /usr/bin/kubeadm
|
|
||||||
...
|
|
@ -1,37 +0,0 @@
|
|||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
---
|
|
||||||
- name: DNS | Ensure node fully qualified hostname is set
|
|
||||||
lineinfile:
|
|
||||||
unsafe_writes: true
|
|
||||||
state: present
|
|
||||||
dest: /etc/hosts
|
|
||||||
line: "{% if kubelet.bind_device is defined %}{{ hostvars[inventory_hostname]['ansible_'+kubelet.bind_device].ipv4.address }}{% else %}{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}{% endif %} {% if ansible_domain is defined %}{{ ansible_fqdn }}{% else %}{{ ansible_hostname }}.node.{{ k8s.networking.dnsDomain }}{% endif %} {{ ansible_hostname }}"
|
|
||||||
regexp: "^{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}{% if kubelet.bind_device is defined %}|{{ hostvars[inventory_hostname]['ansible_'+kubelet.bind_device].ipv4.address }}{% endif %}"
|
|
||||||
|
|
||||||
- block:
|
|
||||||
- name: DNS | Ensure node localhost ipv4 hostname is set
|
|
||||||
lineinfile:
|
|
||||||
unsafe_writes: true
|
|
||||||
state: present
|
|
||||||
dest: /etc/hosts
|
|
||||||
line: "127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4"
|
|
||||||
regexp: "^127.0.0.1"
|
|
||||||
- name: DNS | Ensure node localhost ipv6 hostname is set
|
|
||||||
lineinfile:
|
|
||||||
unsafe_writes: true
|
|
||||||
state: present
|
|
||||||
dest: /etc/hosts
|
|
||||||
line: "::1 localhost6 localhost6.localdomain6"
|
|
||||||
regexp: "^::1"
|
|
||||||
...
|
|
@ -1,217 +0,0 @@
|
|||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
---
|
|
||||||
- name: ubuntu or debian | installing kubelet support packages
|
|
||||||
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
|
|
||||||
apt:
|
|
||||||
name: "{{item}}"
|
|
||||||
state: installed
|
|
||||||
with_items:
|
|
||||||
- ebtables
|
|
||||||
- ethtool
|
|
||||||
- iproute2
|
|
||||||
- iptables
|
|
||||||
- libmnl0
|
|
||||||
- libnfnetlink0
|
|
||||||
- libwrap0
|
|
||||||
- socat
|
|
||||||
|
|
||||||
- name: ubuntu xenial | installing kubelet support packages
|
|
||||||
when: ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'xenial'
|
|
||||||
apt:
|
|
||||||
name: "{{item}}"
|
|
||||||
state: installed
|
|
||||||
with_items:
|
|
||||||
- libxtables11
|
|
||||||
|
|
||||||
- name: debian and ubuntu bionic | installing kubelet support packages
|
|
||||||
when: ansible_distribution == 'Debian' or ( ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'bionic' )
|
|
||||||
apt:
|
|
||||||
name: "{{item}}"
|
|
||||||
state: installed
|
|
||||||
with_items:
|
|
||||||
- libxtables12
|
|
||||||
|
|
||||||
- name: centos | installing kubelet support packages
|
|
||||||
when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
|
|
||||||
yum:
|
|
||||||
name: "{{item}}"
|
|
||||||
state: installed
|
|
||||||
with_items:
|
|
||||||
- ebtables
|
|
||||||
- ethtool
|
|
||||||
- tcp_wrappers-libs
|
|
||||||
- libmnl
|
|
||||||
- socat
|
|
||||||
|
|
||||||
- name: fedora | installing kubelet support packages
|
|
||||||
when: ansible_distribution == 'Fedora'
|
|
||||||
dnf:
|
|
||||||
name: "{{item}}"
|
|
||||||
state: installed
|
|
||||||
with_items:
|
|
||||||
- ebtables
|
|
||||||
- ethtool
|
|
||||||
- tcp_wrappers-libs
|
|
||||||
- libmnl
|
|
||||||
- socat
|
|
||||||
|
|
||||||
- name: getting docker cgroup driver info
|
|
||||||
when: kubelet.container_runtime == 'docker'
|
|
||||||
block:
|
|
||||||
- name: docker | getting cgroup driver info
|
|
||||||
shell: docker info | awk '/^Cgroup Driver:/ { print $NF }'
|
|
||||||
register: docker_cgroup_driver
|
|
||||||
args:
|
|
||||||
executable: /bin/bash
|
|
||||||
- name: setting kublet cgroup driver
|
|
||||||
set_fact:
|
|
||||||
kubelet_cgroup_driver: "{{ docker_cgroup_driver.stdout }}"
|
|
||||||
|
|
||||||
- name: setting kublet cgroup driver for CRI-O
|
|
||||||
when: kubelet.container_runtime == 'crio'
|
|
||||||
set_fact:
|
|
||||||
kubelet_cgroup_driver: "systemd"
|
|
||||||
|
|
||||||
- name: setting node hostname fact
|
|
||||||
set_fact:
|
|
||||||
kubelet_node_hostname: "{% if ansible_domain is defined %}{{ ansible_fqdn }}{% else %}{{ ansible_hostname }}.node.{{ k8s.networking.dnsDomain }}{% endif %}"
|
|
||||||
|
|
||||||
- name: base kubelet deploy
|
|
||||||
block:
|
|
||||||
- file:
|
|
||||||
path: "{{ item }}"
|
|
||||||
state: directory
|
|
||||||
with_items:
|
|
||||||
- /etc/kubernetes/
|
|
||||||
- /etc/systemd/system/kubelet.service.d/
|
|
||||||
- /var/lib/kubelet/
|
|
||||||
- name: copying kubelet binary to host
|
|
||||||
copy:
|
|
||||||
src: /opt/assets/usr/bin/kubelet
|
|
||||||
dest: /usr/bin/kubelet
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 365
|
|
||||||
- name: copying base systemd unit to host
|
|
||||||
template:
|
|
||||||
src: kubelet.service.j2
|
|
||||||
dest: /etc/systemd/system/kubelet.service
|
|
||||||
mode: 416
|
|
||||||
- name: copying kubeadm drop-in systemd unit to host
|
|
||||||
template:
|
|
||||||
src: 10-kubeadm.conf.j2
|
|
||||||
dest: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
|
|
||||||
mode: 416
|
|
||||||
- name: copying kubelet DNS config to host
|
|
||||||
template:
|
|
||||||
src: kubelet-resolv.conf.j2
|
|
||||||
dest: /etc/kubernetes/kubelet-resolv.conf
|
|
||||||
mode: 416
|
|
||||||
|
|
||||||
- name: base cni support
|
|
||||||
block:
|
|
||||||
- file:
|
|
||||||
path: "{{ item }}"
|
|
||||||
state: directory
|
|
||||||
with_items:
|
|
||||||
- /etc/cni/net.d
|
|
||||||
- /opt/cni/bin
|
|
||||||
- name: copy cni binaries into place
|
|
||||||
copy:
|
|
||||||
src: /opt/assets/opt/cni/bin/{{ item }}
|
|
||||||
dest: /opt/cni/bin/{{ item }}
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 365
|
|
||||||
with_items:
|
|
||||||
- flannel
|
|
||||||
- ptp
|
|
||||||
- host-local
|
|
||||||
- portmap
|
|
||||||
- tuning
|
|
||||||
- vlan
|
|
||||||
# NOTE(aostapenko) absent with v0.8.5 cni
|
|
||||||
# - sample
|
|
||||||
- dhcp
|
|
||||||
- ipvlan
|
|
||||||
- macvlan
|
|
||||||
- loopback
|
|
||||||
- bridge
|
|
||||||
|
|
||||||
- name: CRI-O runtime config
|
|
||||||
when: kubelet.container_runtime == 'crio'
|
|
||||||
block:
|
|
||||||
- name: copying CRI-O drop-in systemd unit to host
|
|
||||||
template:
|
|
||||||
src: 0-crio.conf.j2
|
|
||||||
dest: /etc/systemd/system/kubelet.service.d/0-crio.conf
|
|
||||||
mode: 416
|
|
||||||
- name: CRI-O | ensure service is restarted and enabled
|
|
||||||
systemd:
|
|
||||||
name: crio
|
|
||||||
state: restarted
|
|
||||||
enabled: yes
|
|
||||||
masked: no
|
|
||||||
|
|
||||||
- name: Setup DNS redirector for fqdn testing
|
|
||||||
# NOTE(portdirect): This must be done before the K8S DNS pods attempt to
|
|
||||||
# start, so they use the dnsmasq instance to resolve upstream hostnames
|
|
||||||
when: gate.fqdn_testing|bool == true
|
|
||||||
block:
|
|
||||||
- name: Setup DNS redirector | Remove std kubelet resolv.conf
|
|
||||||
file:
|
|
||||||
path: "/etc/kubernetes/kubelet-resolv.conf"
|
|
||||||
state: absent
|
|
||||||
- name: Setup DNS redirector | Populating new kubelet resolv.conf
|
|
||||||
copy:
|
|
||||||
dest: "/etc/kubernetes/kubelet-resolv.conf"
|
|
||||||
mode: 416
|
|
||||||
content: |
|
|
||||||
nameserver 172.17.0.1
|
|
||||||
- name: Setup DNS redirector | Ensuring static manifests dir exists
|
|
||||||
file:
|
|
||||||
path: "/etc/kubernetes/manifests/"
|
|
||||||
state: directory
|
|
||||||
- name: Setup DNS redirector | check if an resolv-upstream.conf exists
|
|
||||||
stat:
|
|
||||||
path: /etc/resolv-upstream.conf
|
|
||||||
register: resolv_upstream_conf
|
|
||||||
- name: Setup DNS redirector | Placing pod manifest on host
|
|
||||||
when: resolv_upstream_conf.stat.exists == False
|
|
||||||
template:
|
|
||||||
src: resolv-upstream.conf.j2
|
|
||||||
dest: /etc/resolv-upstream.conf
|
|
||||||
mode: 436
|
|
||||||
- name: Setup DNS redirector | Placing pod manifest on host
|
|
||||||
template:
|
|
||||||
src: osh-dns-redirector.yaml.j2
|
|
||||||
dest: /etc/kubernetes/manifests/osh-dns-redirector.yaml
|
|
||||||
mode: 416
|
|
||||||
|
|
||||||
- name: docker | ensure service is started and enabled
|
|
||||||
when: kubelet.container_runtime == 'docker'
|
|
||||||
systemd:
|
|
||||||
name: docker
|
|
||||||
state: started
|
|
||||||
enabled: yes
|
|
||||||
masked: no
|
|
||||||
|
|
||||||
- name: ensure service is restarted and enabled
|
|
||||||
systemd:
|
|
||||||
name: kubelet
|
|
||||||
state: restarted
|
|
||||||
daemon_reload: yes
|
|
||||||
enabled: yes
|
|
||||||
masked: no
|
|
||||||
...
|
|
@ -1,21 +0,0 @@
|
|||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
---
|
|
||||||
- include_tasks: support-packages.yaml
|
|
||||||
|
|
||||||
- include_tasks: hostname.yaml
|
|
||||||
|
|
||||||
- include_tasks: setup-dns.yaml
|
|
||||||
|
|
||||||
- include_tasks: kubelet.yaml
|
|
||||||
...
|
|
@ -1,62 +0,0 @@
|
|||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
---
|
|
||||||
- name: DNS | Check if NetworkManager is being used
|
|
||||||
raw: systemctl status NetworkManager --no-pager
|
|
||||||
register: network_manager_in_use
|
|
||||||
ignore_errors: True
|
|
||||||
|
|
||||||
- name: DNS | Check if NetworkManager is managing DNS
|
|
||||||
set_fact:
|
|
||||||
network_manager_manage_dns: "{{ lookup('ini', 'dns section=main file=/etc/NetworkManager/NetworkManager.conf') }}"
|
|
||||||
ignore_errors: True
|
|
||||||
|
|
||||||
- name: DNS | Disable network NetworkManager management of resolv.conf
|
|
||||||
when:
|
|
||||||
- network_manager_in_use is succeeded
|
|
||||||
- network_manager_manage_dns != "none"
|
|
||||||
ini_file:
|
|
||||||
path: /etc/NetworkManager/NetworkManager.conf
|
|
||||||
section: main
|
|
||||||
option: dns
|
|
||||||
value: none
|
|
||||||
|
|
||||||
- name: DNS | load new resolv.conf
|
|
||||||
template:
|
|
||||||
unsafe_writes: yes
|
|
||||||
src: resolv.conf.j2
|
|
||||||
dest: /etc/resolv.conf
|
|
||||||
|
|
||||||
- name: DNS | Restarting NetworkManager
|
|
||||||
when:
|
|
||||||
- network_manager_in_use is succeeded
|
|
||||||
- network_manager_manage_dns != "none"
|
|
||||||
block:
|
|
||||||
- name: DNS | Restarting NetworkManager Service
|
|
||||||
systemd:
|
|
||||||
name: NetworkManager
|
|
||||||
state: restarted
|
|
||||||
daemon_reload: yes
|
|
||||||
enabled: yes
|
|
||||||
masked: no
|
|
||||||
- pause:
|
|
||||||
seconds: 5
|
|
||||||
- name: DNS | Waiting for connectivity to be restored to outside world
|
|
||||||
shell: if ! [[ $(ip -4 route list 0/0 | head -c1 | wc -c) -ne 0 ]]; then exit 1; fi
|
|
||||||
register: task_result
|
|
||||||
until: task_result.rc == 0
|
|
||||||
retries: 120
|
|
||||||
delay: 5
|
|
||||||
args:
|
|
||||||
executable: /bin/bash
|
|
||||||
...
|
|
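--- a/[path not shown on page]
+++ /dev/null
@@ -1,128 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-- name: installing community ceph repository
-when: kubelet.pv_support_ceph
-block:
-- name: ubuntu | ensure community ceph repository key is installed
-when: ansible_distribution == "Ubuntu"
-shell: wget -q -O- 'https://download.ceph.com/keys/release.asc' | sudo apt-key add -
-
-- name: ubuntu | ensure community ceph repository exists
-when: ansible_distribution == 'Ubuntu'
-apt_repository:
-repo: "deb https://download.ceph.com/debian-nautilus/ {{ ansible_lsb.codename }} main"
-state: present
-update_cache: yes
-
-- name: centos | ensure community ceph repository exists
-when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
-yum_repository:
-name: ceph
-description: "Ceph community packages for Redhat/Centos"
-gpgkey: "https://download.ceph.com/keys/release.asc"
-baseurl: "https://download.ceph.com/rpm-nautilus/el7/$basearch"
-gpgcheck: yes
-state: present
-
-- name: centos | installing epel-release
-when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
-yum:
-name: "{{item}}"
-state: installed
-with_items:
-- epel-release
-
-- name: centos | installing SElinux support packages
-when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
-yum:
-name: "{{item}}"
-state: installed
-with_items:
-- libselinux-python
-
-- name: fedora | installing SElinux support packages
-when: ansible_distribution == 'Fedora'
-dnf:
-name: "{{item}}"
-state: installed
-with_items:
-- libselinux-python
-
-- name: installing ceph support packages
-when: kubelet.pv_support_ceph
-block:
-- name: ubuntu | installing packages
-when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
-apt:
-name: "{{item}}"
-state: latest
-with_items:
-- ceph-common
-- rbd-nbd
-
-- name: ubuntu | uninstall packages
-when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
-apt:
-name: "{{item}}"
-state: absent
-with_items:
-- ceph
-
-- name: centos | installing packages
-when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
-yum:
-name: "{{item}}"
-state: latest
-with_items:
-- ceph-common
-- rbd-nbd
-
-- name: centos | installing packages
-when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
-yum:
-name: "{{item}}"
-state: absent
-with_items:
-- ceph
-
-- name: blacklist kernel RBD driver module
-when: kubelet.pv_support_ceph
-copy:
-dest: "/etc/modprobe.d/rbd.conf"
-content: "install rbd /bin/true"
-
-- when: kubelet.pv_support_nfs
-name: installing NFS support packages
-include_role:
-name: deploy-package
-tasks_from: dist
-vars:
-packages:
-deb:
-- nfs-common
-rpm:
-- nfs-utils
-
-- name: installing LinuxBridge support
-when: kubelet.net_support_linuxbridge
-include_role:
-name: deploy-package
-tasks_from: dist
-vars:
-packages:
-deb:
-- bridge-utils
-rpm:
-- bridge-utils
-...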
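--- a/[path not shown on page]
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-Environment="KUBELET_EXTRA_ARGS=--container-runtime=remote --runtime-request-timeout=15m --image-service-endpoint /var/run/crio.sock --container-runtime-endpoint /var/run/crio.sock"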
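--- a/[path not shown on page]
+++ /dev/null
@@ -1,13 +0,0 @@
-[Service]
-User=root
-Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
-Environment="KUBELET_SYSTEM_PODS_ARGS=--pod-manifest-path=/etc/kubernetes/manifests --cgroup-driver={{ kubelet_cgroup_driver }}"
-Environment="KUBELET_NETWORK_ARGS=--network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin --node-ip={% if kubelet.bind_addr is defined %}{{ kubelet.bind_addr }}{% else %}{% if kubelet.bind_device is defined %}{{ hostvars[inventory_hostname]['ansible_'+kubelet.bind_device].ipv4.address }}{% else %}{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}{% endif %}{% endif %} --hostname-override={{ kubelet_node_hostname }}"
-Environment="KUBELET_DNS_ARGS=--cluster-dns=10.96.0.10 --cluster-domain={{ k8s.networking.dnsDomain }} --resolv-conf=/etc/kubernetes/kubelet-resolv.conf"
-Environment="KUBELET_AUTHZ_ARGS=--anonymous-auth=false --authorization-mode=Webhook --client-ca-file=/etc/kubernetes/pki/ca.crt"
-Environment="KUBELET_CERTIFICATE_ARGS=--rotate-certificates=true --cert-dir=/var/lib/kubelet/pki"
-Environment="KUBELET_NODE_LABELS=--node-labels {{ kubelet.kubelet_labels }}"
-Environment="KUBELET_EXTRA_ARGS=--max-pods=220 --pods-per-core=0 --feature-gates=PodShareProcessNamespace=true"
-#ExecStartPre=-+/sbin/restorecon -v /usr/bin/kubelet #SELinux
-ExecStart=
-ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_SYSTEM_PODS_ARGS $KUBELET_NETWORK_ARGS $KUBELET_DNS_ARGS $KUBELET_AUTHZ_ARGS $KUBELET_CERTIFICATE_ARGS $KUBELET_NODE_LABELS $KUBELET_EXTRA_ARGS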
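--- a/[path not shown on page]
+++ /dev/null
@@ -1,3 +0,0 @@
-{% for nameserver in external_dns_nameservers %}
-nameserver {{ nameserver }}
-{% endfor %}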
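--- a/[path not shown on page]
+++ /dev/null
@@ -1,15 +0,0 @@
-[Unit]
-Description=kubelet: The Kubernetes Node Agent
-Documentation=http://kubernetes.io/docs/
-
-[Service]
-ExecStartPre=/sbin/swapoff -a
-ExecStartPre=/bin/bash -cex "modprobe br_netfilter"
-ExecStartPre=/bin/bash -cex "echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables"
-ExecStart=/usr/bin/kubelet
-Restart=always
-StartLimitInterval=0
-RestartSec=10
-
-[Install]
-WantedBy=multi-user.target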
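--- a/[path not shown on page]
+++ /dev/null
@@ -1,36 +0,0 @@
-#jinja2: trim_blocks:False
-apiVersion: v1
-kind: Pod
-metadata:
-name: osh-dns-redirector
-namespace: kube-system
-spec:
-hostNetwork: true
-containers:
-- name: osh-dns-redirector
-image: docker.io/openstackhelm/neutron:newton
-securityContext:
-capabilities:
-add:
-- NET_ADMIN
-runAsUser: 0
-command:
-- dnsmasq
-- --keep-in-foreground
-- --no-hosts
-- --bind-interfaces
-- --all-servers
-- --address
-- /{{ gate.fqdn_tld }}/{{ gate.ingress_ip }}
-# NOTE(portdirect): just listen on the docker0 interface
-- --listen-address
-- 172.17.0.1
-volumeMounts:
-- mountPath: /etc/resolv.conf
-name: resolv-conf
-readOnly: true
-volumes:
-- name: resolv-conf
-hostPath:
-path: /etc/resolv-upstream.conf
-type: FileOrCreate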
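--- a/[path not shown on page]
+++ /dev/null
@@ -1,4 +0,0 @@
-{% for nameserver in external_dns_nameservers %}
-nameserver {{ nameserver }}
-{% endfor %}
-options timeout:1 attempts:1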
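--- a/[path not shown on page]
+++ /dev/null
@@ -1,6 +0,0 @@
-search svc.{{ k8s.networking.dnsDomain }} {{ k8s.networking.dnsDomain }}
-nameserver 10.96.0.10
-{% for nameserver in external_dns_nameservers %}
-nameserver {{ nameserver }}
-{% endfor %}
-options ndots:5 timeout:1 attempts:1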
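--- a/[path not shown on page]
+++ /dev/null
@@ -1,40 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-- name: ubuntu | installing packages
-become: true
-become_user: root
-when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
-apt:
-name: "{{item}}"
-state: present
-with_items: "{{ packages.deb }}"
-
-- name: centos | installing packages
-become: true
-become_user: root
-when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
-yum:
-name: "{{item}}"
-state: present
-with_items: "{{ packages.rpm }}"
-
-- name: fedora | installing packages
-become: true
-become_user: root
-when: ansible_distribution == 'Fedora'
-dnf:
-name: "{{item}}"
-state: present
-with_items: "{{ packages.rpm }}"
-...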
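--- a/[path not shown on page]
+++ /dev/null
@@ -1,11 +0,0 @@
----
-- name: "installing python {{ package }}"
-become: true
-become_user: root
-environment:
-http_proxy: "{{ proxy.http }}"
-https_proxy: "{{ proxy.https }}"
-no_proxy: "{{ proxy.noproxy }}"
-pip:
-name: "{{ package }}"
-...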
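--- a/[path not shown on page]
+++ /dev/null
@@ -1,57 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
----
-all:
-vars:
-ansible_python_interpreter: python3
-my_container_name: null
-user:
-uid: null
-gid: null
-home: null
-external_dns_nameservers:
-- 8.8.8.8
-- 8.8.4.4
-calico:
-prometheus_port: 9091
-cluster:
-cni: calico
-cni_host_ip: 10.96.232.136
-kubelet:
-container_runtime: docker
-net_support_linuxbridge: true
-pv_support_ceph: true
-pv_support_nfs: true
-bind_device: null
-helm:
-tiller_image: ghcr.io/helm/tiller:v2.17.0
-k8s:
-kubernetesVersion: v1.19.15
-imageRepository: k8s.gcr.io
-certificatesDir: /etc/kubernetes/pki
-selfHosted: false
-keystoneAuth: false
-api:
-bindPort: 6443
-# NOTE(portdirect): The following is a custom key, which resolves the
-# 'advertiseAddress' key dynamicly.
-advertiseAddressDevice: null
-networking:
-dnsDomain: cluster.local
-podSubnet: 192.168.0.0/16
-serviceSubnet: 10.96.0.0/12
-gate:
-fqdn_testing: false
-ingress_ip: 127.0.0.1
-fqdn_tld: openstackhelm.test
-...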
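--- a/[path not shown on page]
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/usr/bin/env python
-
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-from kubernetes import client, config
-config.load_kube_config()
-# create an instance of the API class
-api_instance = client.VersionApi()
-api_instance.get_code()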
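--- a/[path not shown on page]
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/usr/bin/env bash
-
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -e
-NAMESPACE=$1
-
-kubectl get pods --namespace=${NAMESPACE} -o json | jq -r \
-'.items[].status.phase' | grep Pending > /dev/null && \
-PENDING=True || PENDING=False
-
-query='.items[]|select(.status.phase=="Running")'
-query="$query|.status.containerStatuses[].ready"
-kubectl get pods --namespace=${NAMESPACE} -o json | jq -r "$query" | \
-grep false > /dev/null && READY="False" || READY="True"
-
-kubectl get jobs -o json --namespace=${NAMESPACE} | jq -r \
-'.items[] | .spec.completions == .status.succeeded' | \
-grep false > /dev/null && JOBR="False" || JOBR="True"
-[ $PENDING == "False" -a $READY == "True" -a $JOBR == "True" ] && \
-exit 0 || exit 1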
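--- a/[path not shown on page]
+++ /dev/null
@@ -1,4 +0,0 @@
-deb %%UBUNTU_URL%% bionic main universe
-deb %%UBUNTU_URL%% bionic-updates main universe
-deb %%UBUNTU_URL%% bionic-backports main universe
-deb %%UBUNTU_URL%% bionic-security main universe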