From a93415b7bf66c9a1feabbf43443c072071c7a07a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Dulko?= Date: Mon, 11 Dec 2017 21:42:17 +0100 Subject: [PATCH] Use K8s 1.8 with Hyperkube This commit does necessary changes to allow using K8s 1.8 in our DevStack plugin. In particular: * Contents of missing setup-files.sh are introduced into the DevStack plugin directly. * Deprecated and removed `--api-servers` option of kubelet is replaced by `--kubeconfig= --require-kubeconfig` * Switches default value of KURYR_HYPERKUBE_VERSION to point to latest 1.8. In long term we should probably move to kubeadm along with splitting the K8s DevStack plugin out of Kuryr repo. This is short term solution to using ancient kubernetes version in upstream testing. Closes-Bug: 1734834 Change-Id: I0598109152cf353b0a23a225bb8f290da0069d96 --- devstack/plugin.sh | 40 ++++++++++++++++++++++++++++------------ devstack/settings | 2 +- 2 files changed, 29 insertions(+), 13 deletions(-) diff --git a/devstack/plugin.sh b/devstack/plugin.sh index 39f772265..3c14ede7b 100644 --- a/devstack/plugin.sh +++ b/devstack/plugin.sh @@ -346,10 +346,13 @@ function get_hyperkube_container_cacert_setup_dir { esac } +function create_token() { + echo $(cat /dev/urandom | base64 | tr -d "=+/" | dd bs=32 count=1 2> /dev/null) +} + function prepare_kubernetes_files { # Sets up the base configuration for the Kubernetes API Server and the # Controller Manager. - local mountpoint local service_cidr local k8s_api_clusterip @@ -358,15 +361,24 @@ function prepare_kubernetes_files { subnet show "$KURYR_NEUTRON_DEFAULT_SERVICE_SUBNET"\ -c cidr -f value) k8s_api_clusterip=$(_cidr_range "$service_cidr" | cut -f1) - mountpoint=$(get_hyperkube_container_cacert_setup_dir "$KURYR_HYPERKUBE_VERSION") - docker run \ - --name devstack-k8s-setup-files \ - --detach \ - --volume "${KURYR_HYPERKUBE_DATA_DIR}:${mountpoint}:rw" \ - "${KURYR_HYPERKUBE_IMAGE}:${KURYR_HYPERKUBE_VERSION}" \ - /setup-files.sh \ - "IP:${HOST_IP},IP:${k8s_api_clusterip},DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local" + # It's not prettiest, but the file haven't changed since 1.6, so it's safe to download it like that. + curl -o /tmp/make-ca-cert.sh https://raw.githubusercontent.com/kubernetes/kubernetes/release-1.8/cluster/saltbase/salt/generate-cert/make-ca-cert.sh + chmod +x /tmp/make-ca-cert.sh + + # Create HTTPS certificates + sudo groupadd -f -r kube-cert + + # hostname -I gets the ip of the node + sudo CERT_DIR=${KURYR_HYPERKUBE_DATA_DIR} /tmp/make-ca-cert.sh $(hostname -I | awk '{print $1}') "IP:${HOST_IP},IP:${k8s_api_clusterip},DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local" + + # Create basic token authorization + sudo bash -c "echo 'admin,admin,admin' > $KURYR_HYPERKUBE_DATA_DIR/basic_auth.csv" + + # Create known tokens for service accounts + sudo bash -c "echo '$(create_token),admin,admin' >> ${KURYR_HYPERKUBE_DATA_DIR}/known_tokens.csv" + sudo bash -c "echo '$(create_token),kubelet,kubelet' >> ${KURYR_HYPERKUBE_DATA_DIR}/known_tokens.csv" + sudo bash -c "echo '$(create_token),kube_proxy,kube_proxy' >> ${KURYR_HYPERKUBE_DATA_DIR}/known_tokens.csv" # FIXME(ivc): replace 'sleep' with a strict check (e.g. wait_for_files) # 'kubernetes-api' fails if started before files are generated. @@ -517,8 +529,8 @@ function run_k8s_kubelet { sudo mkdir -p "${KURYR_HYPERKUBE_DATA_DIR}/"{kubelet,kubelet.cert} command="$KURYR_HYPERKUBE_BINARY kubelet\ + --kubeconfig=${HOME}/.kube/config --require-kubeconfig \ --allow-privileged=true \ - --api-servers=$KURYR_K8S_API_URL \ --v=2 \ --address=0.0.0.0 \ --enable-server \ @@ -527,6 +539,12 @@ function run_k8s_kubelet { --cni-conf-dir=$CNI_CONF_DIR \ --cert-dir=${KURYR_HYPERKUBE_DATA_DIR}/kubelet.cert \ --root-dir=${KURYR_HYPERKUBE_DATA_DIR}/kubelet" + + # Kubernetes 1.8 requires additional option to work in the gate. + if [[ ${KURYR_HYPERKUBE_VERSION} == v1.8* ]]; then + command="$command --fail-swap-on=false" + fi + wait_for "Kubernetes API Server" "$KURYR_K8S_API_URL" if [[ "$USE_SYSTEMD" = "True" ]]; then # If systemd is being used, proceed as normal @@ -694,8 +712,6 @@ if [[ "$1" == "unstack" ]]; then $KURYR_HYPERKUBE_BINARY kubectl delete nodes ${HOSTNAME} fi stop_process kuryr-daemon - docker kill devstack-k8s-setup-files - docker rm devstack-k8s-setup-files if is_service_enabled kubernetes-controller-manager; then stop_container kubernetes-controller-manager diff --git a/devstack/settings b/devstack/settings index daba36ca3..f402fb5d5 100644 --- a/devstack/settings +++ b/devstack/settings @@ -31,7 +31,7 @@ KURYR_ETCD_LISTEN_PEER_URL=${KURYR_ETCD_LISTEN_PEER_URL:-http://0.0.0.0:2380} # HYPERKUBE KURYR_HYPERKUBE_IMAGE=${KURYR_HYPERKUBE_IMAGE:-gcr.io/google_containers/hyperkube-amd64} -KURYR_HYPERKUBE_VERSION=${KURYR_HYPERKUBE_VERSION:-v1.6.2} +KURYR_HYPERKUBE_VERSION=${KURYR_HYPERKUBE_VERSION:-v1.8.5} KURYR_HYPERKUBE_DATA_DIR=${KURYR_HYPERKUBE_DATA_DIR:-${DATA_DIR}/hyperkube} KURYR_HYPERKUBE_BINARY=${KURYR_HYPERKUBE_BINARY:-/usr/local/bin/hyperkube}