openstack
/
magnum
Code Issues Proposed changes

Merge "Drop k8s_coreos_v1 driver"

This commit is contained in:
Zuul 2024-02-21 23:50:02 +00:00 committed by Gerrit Code Review
parent 0c82bb57a1 5c0c27807a
commit 007c0cd73d
44 changed files with 54 additions and 4325 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
magnum/api/controllers/v1/cluster_template.py
View File

@ -266,11 +266,6 @@ class ClusterTemplatesController(base.Controller):
"different storage driver, such as overlay2. overlay2 will be set "
"as the default storage driver from Victoria cycle in Magnum.")
_coreos_deprecation_note = (
"The coreos driver is deprecated in favor of the fedora_coreos "
"driver. Please migrate to the fedora_coreos driver. coreos "
"driver will be removed in a future Magnum version.")
_fedora_atomic_deprecation_note = (
"The fedora_atomic driver is deprecated in favor of the fedora_coreos "
"driver. Please migrate to the fedora_coreos driver. fedora_atomic "

30
magnum/drivers/k8s_coreos_v1/driver.py
View File

@ -1,30 +0,0 @@
# Copyright 2016 Rackspace Inc. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from magnum.drivers.heat import driver
from magnum.drivers.k8s_coreos_v1 import template_def
class Driver(driver.KubernetesDriver):
@property
def provides(self):
return [
{'server_type': 'vm',
'os': 'coreos',
'coe': 'kubernetes'},
]
def get_template_definition(self):
return template_def.CoreOSK8sTemplateDefinition()

32
magnum/drivers/k8s_coreos_v1/template_def.py
View File

@ -1,32 +0,0 @@
# Copyright 2016 Rackspace Inc. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import os
import magnum.conf
from magnum.drivers.heat import k8s_coreos_template_def as kctd
CONF = magnum.conf.CONF
class CoreOSK8sTemplateDefinition(kctd.CoreOSK8sTemplateDefinition):
"""Kubernetes template for a CoreOS Container Linux VM."""
@property
def driver_module_path(self):
return __name__[:__name__.rindex('.')]
@property
def template_path(self):
return os.path.join(os.path.dirname(os.path.realpath(__file__)),
'templates/kubecluster.yaml')

202
magnum/drivers/k8s_coreos_v1/templates/COPYING
View File

@ -1,202 +0,0 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

38
magnum/drivers/k8s_coreos_v1/templates/fragments/add-ext-ca-certs.yaml
View File

@ -1,38 +0,0 @@
#cloud-config
merge_how: dict(recurse_array)+list(append)
write_files:
- path: /etc/systemd/system/add-ext-ca-certs.service
owner: "root:root"
permissions: "0644"
content: |
[Unit]
Description=Install custom CA certificates
[Service]
Type=oneshot
ExecStart=/etc/sysconfig/add-ext-ca-certs.sh
[Install]
WantedBy=multi-user.target
- path: /etc/ssl/certs/openstack-ca.pem
owner: "root:root"
permissions: "0644"
encoding: b64
content: |
$OPENSTACK_CA
- path: /etc/sysconfig/add-ext-ca-certs.sh
owner: "root:root"
permissions: "0755"
content: |
#!/bin/sh
CERT_FILE=/etc/ssl/certs/openstack-ca.pem
if [ -f "$CERT_FILE" ]
then
chmod 0644 ${CERT_FILE}
chown root:root ${CERT_FILE}
update-ca-certificates
fi

72
magnum/drivers/k8s_coreos_v1/templates/fragments/add-proxy.yaml
View File

@ -1,72 +0,0 @@
#cloud-config
write_files:
- path: /etc/systemd/system/add-proxy.service
owner: "root:root"
permissions: "0644"
content: |
[Unit]
Description=Configure proxy
[Service]
Type=oneshot
EnvironmentFile=/etc/sysconfig/heat-params
ExecStart=/etc/sysconfig/add-proxy.sh
[Install]
WantedBy=multi-user.target
- path: /etc/sysconfig/add-proxy.sh
owner: "root:root"
permissions: "0755"
content: |
#!/bin/sh
DOCKER_HTTP_PROXY_CONF=/etc/systemd/system/docker.service.d/http_proxy.conf
DOCKER_HTTPS_PROXY_CONF=/etc/systemd/system/docker.service.d/https_proxy.conf
DOCKER_NO_PROXY_CONF=/etc/systemd/system/docker.service.d/no_proxy.conf
DOCKER_RESTART=0
ENVIRONMENT=/etc/environment
mkdir -p /etc/systemd/system/docker.service.d
if [ -n "$HTTP_PROXY" ]; then
cat <<EOF | sed "s/^ *//" > $DOCKER_HTTP_PROXY_CONF
[Service]
Environment=HTTP_PROXY=$HTTP_PROXY
EOF
DOCKER_RESTART=1
echo "http_proxy=$HTTP_PROXY" >> $ENVIRONMENT
fi
if [ -n "$HTTPS_PROXY" ]; then
cat <<EOF | sed "s/^ *//" > $DOCKER_HTTPS_PROXY_CONF
[Service]
Environment=HTTPS_PROXY=$HTTPS_PROXY
EOF
DOCKER_RESTART=1
echo "https_proxy=$HTTPS_PROXY" >> $ENVIRONMENT
fi
if [ -n "$NO_PROXY" ]; then
cat <<EOF | sed "s/^ *//" > $DOCKER_NO_PROXY_CONF
[Service]
Environment=NO_PROXY=$NO_PROXY
EOF
DOCKER_RESTART=1
echo "no_proxy=$NO_PROXY" >> $ENVIRONMENT
fi
if [ "$DOCKER_RESTART" -eq 1 ]; then
systemctl daemon-reload
systemctl --no-block restart docker.service
fi

51
magnum/drivers/k8s_coreos_v1/templates/fragments/configure-docker.yaml
View File

@ -1,51 +0,0 @@
#cloud-config
write_files:
- path: /etc/systemd/system/var-lib-docker.mount
owner: "root:root"
permissions: "0644"
content: |
[Unit]
Description=Mount ephemeral to /var/lib/docker
[Mount]
What=/dev/vdb
Where=/var/lib/docker
Type=ext4
[Install]
WantedBy=local-fs.target
- path: /etc/systemd/system/configure-docker.service
owner: "root:root"
permissions: "0644"
content: |
[Unit]
Description=Configure Docker
[Service]
Type=oneshot
EnvironmentFile=/etc/sysconfig/heat-params
ExecStart=/etc/sysconfig/configure-docker.sh
[Install]
WantedBy=multi-user.target
- path: /etc/sysconfig/configure-docker.sh
owner: "root:root"
permissions: "0755"
content: |
#!/bin/sh
if [ -n "${INSECURE_REGISTRY_URL}" ]; then
DOCKER_OPTS="--insecure-registry ${INSECURE_REGISTRY_URL}"
fi
TEMPLATE=/etc/systemd/system/docker.service.d/docker-opts.conf
mkdir -p $(dirname ${TEMPLATE})
cat << EOF > $TEMPLATE
[Service]
Environment=DOCKER_OPTS=$DOCKER_OPTS
EOF
systemctl daemon-reload
systemctl --no-block restart docker.service

68
magnum/drivers/k8s_coreos_v1/templates/fragments/configure-etcd.yaml
View File

@ -1,68 +0,0 @@
#cloud-config
write_files:
- path: /etc/systemd/system/configure-etcd.service
owner: "root:root"
permissions: "0644"
content: |
[Unit]
Description=Configure etcd
[Service]
Type=oneshot
EnvironmentFile=/etc/sysconfig/heat-params
ExecStart=/etc/sysconfig/configure-etcd.sh
[Install]
WantedBy=multi-user.target
- path: /etc/sysconfig/configure-etcd.sh
owner: "root:root"
permissions: "0755"
content: |
#!/bin/sh
if [ -z "${KUBE_NODE_IP}" ]; then
KUBE_NODE_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
fi
DROP_IN_FILE=/etc/systemd/system/etcd-member.service.d/20-configure-etcd.conf
mkdir -p $(dirname $DROP_IN_FILE)
protocol="https"
if [ "$TLS_DISABLED" = "True" ]; then
protocol="http"
fi
cat > $DROP_IN_FILE <<EOF
[Service]
EnvironmentFile=/etc/environment
Environment=ETCD_NAME=$KUBE_NODE_IP
Environment=ETCD_DATA_DIR=/var/lib/etcd/default.etcd
Environment=ETCD_LISTEN_CLIENT_URLS=$protocol://$KUBE_NODE_IP:2379,http://127.0.0.1:2379
Environment=ETCD_LISTEN_PEER_URLS=$protocol://$KUBE_NODE_IP:2380
Environment=ETCD_ADVERTISE_CLIENT_URLS=$protocol://$KUBE_NODE_IP:2379,http://127.0.0.1:2379
Environment=ETCD_INITIAL_ADVERTISE_PEER_URLS=$protocol://$KUBE_NODE_IP:2380
Environment=ETCD_DISCOVERY=$ETCD_DISCOVERY_URL
EOF
if [ "$TLS_DISABLED" = "False" ]; then
cat >> $DROP_IN_FILE <<EOF
Environment=ETCD_CA_FILE=${KUBE_CERTS_PATH}/ca.pem
Environment=ETCD_CERT_FILE=${KUBE_CERTS_PATH}/apiserver.pem
Environment=ETCD_KEY_FILE=${KUBE_CERTS_PATH}/apiserver-key.pem
Environment=ETCD_PEER_CA_FILE=${KUBE_CERTS_PATH}/ca.pem
Environment=ETCD_PEER_CERT_FILE=${KUBE_CERTS_PATH}/apiserver.pem
Environment=ETCD_PEER_KEY_FILE=${KUBE_CERTS_PATH}/apiserver-key.pem
Environment="RKT_RUN_ARGS=--volume ssl,kind=host,source=${KUBE_CERTS_PATH} \
--mount volume=ssl,target=${KUBE_CERTS_PATH}"
EOF
fi
if [ -n "$HTTP_PROXY" ]; then
echo "Environment=ETCD_DISCOVERY_PROXY=$HTTP_PROXY" >> $DROP_IN_FILE
fi
systemctl enable etcd-member
systemctl --no-block start etcd-member

44
magnum/drivers/k8s_coreos_v1/templates/fragments/create-kube-namespace.yaml
View File

@ -1,44 +0,0 @@
#cloud-config
write_files:
- path: /etc/systemd/system/create-kube-namespace.service
owner: "root:root"
permissions: "0644"
content: |
[Unit]
After=kubelet.service
Requires=kubelet.service
Description=Create kube-system namespace
[Service]
Type=oneshot
EnvironmentFile=/etc/sysconfig/heat-params
ExecStart=/etc/sysconfig/create-kube-namespace.sh
[Install]
WantedBy=multi-user.target
- path: /etc/sysconfig/create-kube-namespace.sh
owner: "root:root"
permissions: "0755"
content: |
#!/bin/sh
until curl -sf "http://127.0.0.1:8080/healthz"
do
echo "Waiting for Kubernetes API..."
sleep 5
done
KUBE_SYSTEM_JSON=/srv/kubernetes/kube-system-namespace.json
mkdir -p $(dirname ${KUBE_SYSTEM_JSON})
cat > ${KUBE_SYSTEM_JSON} <<EOF
{
"apiVersion": "v1",
"kind": "Namespace",
"metadata": {
"name": "kube-system"
}
}
EOF
curl -XPOST -d@${KUBE_SYSTEM_JSON} "http://127.0.0.1:8080/api/v1/namespaces"

162
magnum/drivers/k8s_coreos_v1/templates/fragments/enable-coredns.yaml
View File

@ -1,162 +0,0 @@
#cloud-config
write_files:
- path: /etc/systemd/system/enable-coredns.service
owner: "root:root"
permissions: "0644"
content: |
[Unit]
Description=Configure Kubernetes CoreDNS Addon
[Service]
Type=oneshot
EnvironmentFile=/etc/sysconfig/heat-params
ExecStart=/etc/sysconfig/enable-coredns.sh
[Install]
WantedBy=multi-user.target
- path: /etc/sysconfig/enable-coredns.sh
owner: "root:root"
permissions: "0755"
content: |
#!/bin/sh
TEMPLATE=/etc/kubernetes/addons/coredns-sa.yaml
mkdir -p $(dirname ${TEMPLATE})
cat > $TEMPLATE <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
name: coredns
namespace: kube-system
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
EOF
TEMPLATE=/etc/kubernetes/addons/coredns-cm.yaml
mkdir -p $(dirname ${TEMPLATE})
cat > $TEMPLATE <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
name: coredns
namespace: kube-system
labels:
addonmanager.kubernetes.io/mode: EnsureExists
data:
Corefile: |
.:53 {
errors
log
health
kubernetes ${DNS_CLUSTER_DOMAIN} {
cidrs ${PORTAL_NETWORK_CIDR}
}
proxy . /etc/resolv.conf
cache 30
}
EOF
TEMPLATE=/etc/kubernetes/addons/coredns-svc.yaml
mkdir -p $(dirname ${TEMPLATE})
cat > $TEMPLATE <<EOF
apiVersion: v1
kind: Service
metadata:
name: kube-dns
namespace: kube-system
labels:
k8s-app: coredns
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
kubernetes.io/name: "CoreDNS"
spec:
selector:
k8s-app: coredns
clusterIP: ${DNS_SERVICE_IP}
ports:
- name: dns
port: 53
protocol: UDP
- name: dns-tcp
port: 53
protocol: TCP
- name: metrics
port: 9153
protocol: TCP
EOF
TEMPLATE=/etc/kubernetes/addons/coredns-de.yaml
mkdir -p $(dirname ${TEMPLATE})
cat > $TEMPLATE <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
name: coredns
namespace: kube-system
labels:
k8s-app: coredns
kubernetes.io/cluster-service: "true"
kubernetes.io/name: "CoreDNS"
spec:
replicas: 1
selector:
matchLabels:
k8s-app: coredns
template:
metadata:
labels:
k8s-app: coredns
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ''
scheduler.alpha.kubernetes.io/tolerations: '[{"key":"CriticalAddonsOnly", "operator":"Exists"}]'
spec:
serviceAccountName: coredns
containers:
- name: coredns
image: coredns/coredns:007
imagePullPolicy: IfNotPresent
args: [ "-conf", "/etc/coredns/Corefile" ]
volumeMounts:
- name: config-volume
mountPath: /etc/coredns
ports:
- containerPort: 53
name: dns
protocol: UDP
- containerPort: 53
name: dns-tcp
protocol: TCP
- containerPort: 9153
name: metrics
protocol: TCP
livenessProbe:
httpGet:
path: /health
port: 8080
scheme: HTTP
initialDelaySeconds: 60
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 5
dnsPolicy: Default
volumes:
- name: config-volume
configMap:
name: coredns
items:
- key: Corefile
path: Corefile
EOF
echo "Waiting for Kubernetes API..."
until curl --silent "http://127.0.0.1:8080/version"
do
sleep 5
done
curl --silent -H "Content-Type: application/yaml" -XPOST -d"$(cat /etc/kubernetes/addons/coredns-sa.yaml)" "http://127.0.0.1:8080/api/v1/namespaces/kube-system/serviceaccounts" > /dev/null
curl --silent -H "Content-Type: application/yaml" -XPOST -d"$(cat /etc/kubernetes/addons/coredns-cm.yaml)" "http://127.0.0.1:8080/api/v1/namespaces/kube-system/configmaps" > /dev/null
curl --silent -H "Content-Type: application/yaml" -XPOST -d"$(cat /etc/kubernetes/addons/coredns-de.yaml)" "http://127.0.0.1:8080/apis/extensions/v1beta1/namespaces/kube-system/deployments" > /dev/null
curl --silent -H "Content-Type: application/yaml" -XPOST -d"$(cat /etc/kubernetes/addons/coredns-svc.yaml)" "http://127.0.0.1:8080/api/v1/namespaces/kube-system/services" > /dev/null

52
magnum/drivers/k8s_coreos_v1/templates/fragments/enable-docker-mount.yaml
View File

@ -1,52 +0,0 @@
#cloud-config
write_files:
- path: /etc/sytemd/system/var-lib-docker.mount
owner: "root:root"
permissions: "0644"
content: |
[Unit]
Description=Mount ephemeral to /var/lib/docker
[Mount]
What=/dev/vdb
Where=/var/lib/docker
Type=ext4
[Install]
WantedBy=local-fs.target
- path: /etc/sysconfig/enable-docker-mount.sh
owner: "root:root"
permissions: "0755"
content: |
#!/bin/sh
if [ -n "$DOCKER_VOLUME_SIZE" ] && [ "$DOCKER_VOLUME_SIZE" -gt 0 ]; then
if [[ $(blkid -o value -s TYPE /dev/vdb) ]]; then
systemctl daemon-reload
systemctl start var-lib-docker.mount
systemctl enable var-lib-docker.mount
else
mkfs -t ext4 /dev/vdb
systemctl daemon-reload
systemctl start var-lib-docker.mount
systemctl enable var-lib-docker.mount
fi
fi
- path: /etc/systemd/system/enable-docker-mount.service
owner: "root:root"
permissions: "0644"
content: |
[Unit]
Description=Mount docker volume
[Service]
Type=oneshot
EnvironmentFile=/etc/sysconfig/heat-params
ExecStart=/etc/sysconfig/enable-docker-mount.sh
[Install]
RequiredBy=multi-user.target

92
magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kube-apiserver.yaml
View File

@ -1,92 +0,0 @@
#cloud-config
write_files:
- path: /etc/systemd/system/enable-kube-apiserver.service
owner: "root:root"
permissions: "0644"
content: |
[Unit]
Description=Configure Kubernetes API Server
[Service]
Type=oneshot
EnvironmentFile=/etc/sysconfig/heat-params
ExecStart=/etc/sysconfig/enable-kube-apiserver.sh
[Install]
WantedBy=multi-user.target
- path: /etc/sysconfig/enable-kube-apiserver.sh
owner: "root:root"
permissions: "0755"
content: |
#!/bin/sh
KUBE_ADMISSION_CONTROL=""
if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
KUBE_ADMISSION_CONTROL="- --admission-control=${ADMISSION_CONTROL_LIST}"
fi
TLS_CERT_FILE=${KUBE_CERTS_PATH}/apiserver.pem
TLS_PRIVATE_KEY_FILE=${KUBE_CERTS_PATH}/apiserver-key.pem
CLIENT_CA_FILE=${KUBE_CERTS_PATH}/ca.pem
INSECURE_PORT=8080
SECURE_PORT=${KUBE_API_PORT}
BIND_ADDRESS_CMD="--bind-address=0.0.0.0"
if [ "${TLS_DISABLED}" == "True" ]; then
TLS_CERT_FILE=
TLS_PRIVATE_KEY_FILE=
CLIENT_CA_FILE=
INSECURE_PORT=${KUBE_API_PORT}
SECURE_PORT=0
BIND_ADDRESS_CMD="--insecure-bind-address=0.0.0.0"
fi
TEMPLATE=/etc/kubernetes/manifests/kube-apiserver.yaml
mkdir -p $(dirname ${TEMPLATE})
cat > $TEMPLATE <<EOF
apiVersion: v1
kind: Pod
metadata:
name: kube-apiserver
namespace: kube-system
spec:
hostNetwork: true
containers:
- name: kube-apiserver
image: ${HYPERKUBE_IMAGE_REPO}:${KUBE_VERSION}
command:
- /hyperkube
- apiserver
- ${BIND_ADDRESS_CMD}
- --etcd-servers=http://127.0.0.1:2379
- --allow-privileged=${KUBE_ALLOW_PRIV}
- --service-cluster-ip-range=${PORTAL_NETWORK_CIDR}
- --secure-port=${SECURE_PORT}
- --insecure-port=${INSECURE_PORT}
- --tls-cert-file=${TLS_CERT_FILE}
- --tls-private-key-file=${TLS_PRIVATE_KEY_FILE}
- --client-ca-file=${CLIENT_CA_FILE}
- --service-account-key-file=${TLS_PRIVATE_KEY_FILE}
${KUBE_ADMISSION_CONTROL}
ports:
- containerPort: 6443
hostPort: 6443
name: https
- containerPort: 8080
hostPort: 8080
name: local
volumeMounts:
- mountPath: ${KUBE_CERTS_PATH}
name: ssl-certs-kubernetes
readOnly: true
- mountPath: /etc/ssl/certs
name: ssl-certs-host
readOnly: true
volumes:
- hostPath:
path: ${KUBE_CERTS_PATH}
name: ssl-certs-kubernetes
- hostPath:
path: ${HOST_CERTS_PATH}
name: ssl-certs-host
EOF

81
magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kube-controller-manager.yaml
View File

@ -1,81 +0,0 @@
#cloud-config
write_files:
- path: /etc/systemd/system/enable-kube-controller-manager.service
owner: "root:root"
permissions: "0644"
content: |
[Unit]
Description=Enable Kubernetes Controller Manager
[Service]
Type=oneshot
EnvironmentFile=/etc/sysconfig/heat-params
ExecStart=/etc/sysconfig/enable-kube-controller-manager.sh
[Install]
WantedBy=multi-user.target
- path: /etc/sysconfig/enable-kube-controller-manager.sh
owner: "root:root"
permissions: "0755"
content: |
#!/bin/sh
SYSCONFIG_PATH=/etc/sysconfig
SERVICE_ACCOUNT_PRIVATE_KEY_FILE=${KUBE_CERTS_PATH}/apiserver-key.pem
ROOT_CA_FILE=${KUBE_CERTS_PATH}/ca.pem
if [ "${TLS_DISABLED}" == "True" ]; then
SERVICE_ACCOUNT_PRIVATE_KEY_FILE=
ROOT_CA_FILE=
fi
TEMPLATE=/etc/kubernetes/manifests/kube-controller-manager.yaml
mkdir -p $(dirname ${TEMPLATE})
cat > ${TEMPLATE} <<EOF
apiVersion: v1
kind: Pod
metadata:
name: kube-controller-manager
namespace: kube-system
spec:
hostNetwork: true
containers:
- name: kube-controller-manager
image: ${HYPERKUBE_IMAGE_REPO}:${KUBE_VERSION}
command:
- /hyperkube
- controller-manager
- --master=http://127.0.0.1:8080
- --leader-elect=true
- --service-account-private-key-file=${SERVICE_ACCOUNT_PRIVATE_KEY_FILE}
- --root-ca-file=${ROOT_CA_FILE}
livenessProbe:
httpGet:
host: 127.0.0.1
path: /healthz
port: 10252
initialDelaySeconds: ${SYSTEM_PODS_INITIAL_DELAY}
timeoutSeconds: ${SYSTEM_PODS_TIMEOUT}
volumeMounts:
- mountPath: /etc/kubernetes/ssl
name: ssl-certs-kubernetes
readOnly: true
- mountPath: /etc/ssl/certs
name: ssl-certs-host
readOnly: true
- mountPath: /etc/sysconfig
name: sysconfig
readOnly: true
volumes:
- hostPath:
path: ${KUBE_CERTS_PATH}
name: ssl-certs-kubernetes
- hostPath:
path: ${HOST_CERTS_PATH}
name: ssl-certs-host
- hostPath:
path: ${SYSCONFIG_PATH}
name: sysconfig
EOF

97
magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kube-dashboard.yaml
View File

@ -1,97 +0,0 @@
#cloud-config
write_files:
- path: /etc/systemd/system/enable-kube-dashboard.service
owner: "root:root"
permissions: "0644"
content: |
[Unit]
Description=Configure Kubernetes Dashboard
[Service]
Type=oneshot
EnvironmentFile=/etc/sysconfig/heat-params
ExecStart=/etc/sysconfig/enable-kube-dashboard.sh
[Install]
WantedBy=multi-user.target
- path: /etc/sysconfig/enable-kube-dashboard.sh
owner: "root:root"
permissions: "0755"
content: |
#!/bin/sh
TEMPLATE=/etc/kubernetes/addons/kubedash-svc.yaml
mkdir -p $(dirname ${TEMPLATE})
cat > $TEMPLATE <<EOF
apiVersion: v1
kind: Service
metadata:
name: kubernetes-dashboard
namespace: kube-system
labels:
app: kubernetes-dashboard
kubernetes.io/cluster-service: "true"
spec:
selector:
app: kubernetes-dashboard
ports:
- port: 80
targetPort: 9090
EOF
TEMPLATE=/etc/kubernetes/addons/kubedash-rc.yaml
mkdir -p $(dirname ${TEMPLATE})
cat > $TEMPLATE <<EOF
apiVersion: v1
kind: ReplicationController
metadata:
name: kubernetes-dashboard
namespace: kube-system
labels:
app: kubernetes-dashboard
kubernetes.io/cluster-service: "true"
spec:
replicas: 1
selector:
app: kubernetes-dashboard
template:
metadata:
labels:
app: kubernetes-dashboard
kubernetes.io/cluster-service: "true"
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ''
scheduler.alpha.kubernetes.io/tolerations: '[{"key":"CriticalAddonsOnly", "operator":"Exists"}]'
spec:
containers:
- name: kubernetes-dashboard
image: gcr.io/google_containers/kubernetes-dashboard-amd64:${KUBE_DASHBOARD_VERSION}
resources:
limits:
cpu: 100m
memory: 50Mi
requests:
cpu: 100m
memory: 50Mi
ports:
- containerPort: 9090
livenessProbe:
httpGet:
path: /
port: 9090
initialDelaySeconds: 30
timeoutSeconds: 30
EOF
echo "Waiting for Kubernetes API..."
until curl --silent "http://127.0.0.1:8080/version"
do
sleep 5
done
if [ "$(echo $KUBE_DASHBOARD_ENABLED | tr '[:upper:]' '[:lower:]')" == "true" ]; then
echo "Setup K8S Dasboard"
curl --silent -H "Content-Type: application/yaml" -XPOST -d"$(cat /etc/kubernetes/addons/kubedash-svc.yaml)" "http://127.0.0.1:8080/api/v1/namespaces/kube-system/services" > /dev/null
curl --silent -H "Content-Type: application/yaml" -XPOST -d"$(cat /etc/kubernetes/addons/kubedash-rc.yaml)" "http://127.0.0.1:8080/api/v1/namespaces/kube-system/replicationcontrollers" > /dev/null
fi

60
magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kube-proxy-master.yaml
View File

@ -1,60 +0,0 @@
#cloud-config
write_files:
- path: /etc/systemd/system/enable-kube-proxy.service
owner: "root:root"
permissions: "0644"
content: |
[Unit]
Description=Configure Kubernetes Proxy
[Service]
Type=oneshot
EnvironmentFile=/etc/sysconfig/heat-params
ExecStart=/etc/sysconfig/enable-kube-proxy-master.sh
[Install]
WantedBy=multi-user.target
- path: /etc/sysconfig/enable-kube-proxy-master.sh
owner: "root:root"
permissions: "0755"
content: |
#!/bin/sh
TEMPLATE=/etc/kubernetes/manifests/kube-proxy.yaml
mkdir -p $(dirname ${TEMPLATE})
cat > ${TEMPLATE} <<EOF
apiVersion: v1
kind: Pod
metadata:
name: kube-proxy
namespace: kube-system
spec:
hostNetwork: true
containers:
- name: kube-proxy
image: ${HYPERKUBE_IMAGE_REPO}:${KUBE_VERSION}
command:
- /hyperkube
- proxy
- --master=http://127.0.0.1:8080
- --cluster-cidr=${FLANNEL_NETWORK_CIDR}
- --logtostderr=true
- --v=0
securityContext:
privileged: true
volumeMounts:
- mountPath: /etc/ssl/certs
name: ssl-certs-host
readOnly: true
- mountPath: /var/run/dbus
name: dbus
readOnly: false
volumes:
- hostPath:
path: ${HOST_CERTS_PATH}
name: ssl-certs-host
- hostPath:
path: /var/run/dbus
name: dbus
EOF

82
magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kube-proxy-minion.yaml
View File

@ -1,82 +0,0 @@
#cloud-config
write_files:
- path: /etc/systemd/system/enable-kube-proxy.service
owner: "root:root"
permissions: "0644"
content: |
[Unit]
Description=Configure Kubernetes Proxy
[Service]
Type=oneshot
EnvironmentFile=/etc/sysconfig/heat-params
ExecStart=/etc/sysconfig/enable-kube-proxy-minion.sh
[Install]
WantedBy=multi-user.target
- path: /etc/sysconfig/enable-kube-proxy-minion.sh
owner: "root:root"
permissions: "0755"
content: |
#!/bin/sh
KUBE_CONFIG_PATH=/etc/kubernetes/config
KUBE_PROTOCOL="https"
KUBE_CONFIG="${KUBE_CONFIG_PATH}/worker-kubeconfig.yaml"
if [ "${TLS_DISABLED}" == "True" ]; then
KUBE_PROTOCOL="http"
KUBE_CONFIG=
fi
KUBE_MASTER_URI="${KUBE_PROTOCOL}://${KUBE_MASTER_IP}:${KUBE_API_PORT}"
TEMPLATE=/etc/kubernetes/manifests/kube-proxy.yaml
mkdir -p $(dirname ${TEMPLATE})
cat > ${TEMPLATE} <<EOF
apiVersion: v1
kind: Pod
metadata:
name: kube-proxy
namespace: kube-system
spec:
hostNetwork: true
containers:
- name: kube-proxy
image: ${HYPERKUBE_IMAGE_REPO}:${KUBE_VERSION}
command:
- /hyperkube
- proxy
- --master=${KUBE_MASTER_URI}
- --kubeconfig=${KUBE_CONFIG}
- --cluster-cidr=${FLANNEL_NETWORK_CIDR}
- --logtostderr=true
- --v=0
securityContext:
privileged: true
volumeMounts:
- mountPath: ${KUBE_CONFIG_PATH}
name: kubeconfig
readOnly: true
- mountPath: ${KUBE_CERTS_PATH}
name: ssl-certs-kubernetes
readOnly: true
- mountPath: /etc/ssl/certs
name: ssl-certs-host
readOnly: true
- mountPath: /var/run/dbus
name: dbus
readOnly: false
volumes:
- name: kubeconfig
hostPath:
path: ${KUBE_CONFIG_PATH}
- name: ssl-certs-kubernetes
hostPath:
path: ${KUBE_CERTS_PATH}
- hostPath:
path: ${HOST_CERTS_PATH}
name: ssl-certs-host
- hostPath:
path: /var/run/dbus
name: dbus
EOF

50
magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kube-scheduler.yaml
View File

@ -1,50 +0,0 @@
#cloud-config
write_files:
- path: /etc/systemd/system/enable-kube-scheduler.service
owner: "root:root"
permissions: "0644"
content: |
[Unit]
Description=Enable Kubernetes Scheduler
[Service]
Type=oneshot
EnvironmentFile=/etc/sysconfig/heat-params
ExecStart=/etc/sysconfig/enable-kube-scheduler.sh
[Install]
WantedBy=multi-user.target
- path: /etc/sysconfig/enable-kube-scheduler.sh
owner: "root:root"
permissions: "0755"
content: |
#!/bin/sh
TEMPLATE=/etc/kubernetes/manifests/kube-scheduler.yaml
mkdir -p $(dirname ${TEMPLATE})
cat > ${TEMPLATE} <<EOF
apiVersion: v1
kind: Pod
metadata:
name: kube-scheduler
namespace: kube-system
spec:
hostNetwork: true
containers:
- name: kube-scheduler
image: ${HYPERKUBE_IMAGE_REPO}:${KUBE_VERSION}
command:
- /hyperkube
- scheduler
- --master=http://127.0.0.1:8080
- --leader-elect=true
livenessProbe:
httpGet:
host: 127.0.0.1
path: /healthz
port: 10251
initialDelaySeconds: ${SYSTEM_PODS_INITIAL_DELAY}
timeoutSeconds: ${SYSTEM_PODS_TIMEOUT}
EOF

93
magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kubelet-master.yaml
View File

@ -1,93 +0,0 @@
#cloud-config
write_files:
- path: /etc/systemd/system/enable-kubelet.service
owner: "root:root"
permissions: "0644"
content: |
[Unit]
Description=Enable Kubelet
[Service]
Type=oneshot
EnvironmentFile=/etc/sysconfig/heat-params
ExecStart=/etc/sysconfig/enable-kubelet-master.sh
[Install]
WantedBy=multi-user.target
- path: /etc/sysconfig/enable-kubelet-master.sh
owner: "root:root"
permissions: "0755"
content: |
#!/bin/sh
if [ -z "${KUBE_NODE_IP}" ]; then
KUBE_NODE_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
fi
if [ -n "${INSECURE_REGISTRY_URL}" ]; then
INSECURE_REGISTRY_ARGS="--pod-infra-container-image=${INSECURE_REGISTRY_URL}/google_containers/pause\:3.0"
else
INSECURE_REGISTRY_ARGS=""
fi
uuid_file="/var/run/kubelet-pod.uuid"
CONF_FILE=/etc/systemd/system/kubelet.service
cat > $CONF_FILE <<EOF
[Service]
EnvironmentFile=/etc/environment
Environment=KUBELET_IMAGE_TAG=${KUBE_VERSION}
Environment=KUBELET_IMAGE_REPO=${HYPERKUBE_IMAGE_REPO}
Environment="RKT_RUN_ARGS=--uuid-file-save=${uuid_file} \
--volume dns,kind=host,source=/etc/resolv.conf \
--mount volume=dns,target=/etc/resolv.conf \
--volume rkt,kind=host,source=/opt/bin/host-rkt \
--mount volume=rkt,target=/usr/bin/rkt \
--volume var-lib-rkt,kind=host,source=/var/lib/rkt \
--mount volume=var-lib-rkt,target=/var/lib/rkt \
--volume stage,kind=host,source=/tmp \
--mount volume=stage,target=/tmp \
--volume var-log,kind=host,source=/var/log \
--mount volume=var-log,target=/var/log"
ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/manifests
ExecStartPre=/usr/bin/mkdir -p /opt/cni/bin
ExecStartPre=/usr/bin/mkdir -p /var/log/containers
ExecStartPre=-/usr/bin/rkt rm --uuid-file=${uuid_file}
ExecStart=/usr/lib/coreos/kubelet-wrapper \
--kubeconfig=/etc/kubernetes/master-kubeconfig.yaml \
--cni-conf-dir=/etc/kubernetes/cni/net.d \
--network-plugin=cni \
--hostname-override=${INSTANCE_NAME} \
--container-runtime=${CONTAINER_RUNTIME} \
--register-with-taints=node.alpha.kubernetes.io/role=master:NoSchedule \
--allow-privileged=true \
--pod-manifest-path=/etc/kubernetes/manifests \
--logtostderr=true \
--v=0 \
--cluster_dns=${DNS_SERVICE_IP} \
--cluster_domain=${DNS_CLUSTER_DOMAIN} \
${INSECURE_REGISTRY_ARGS}
ExecStop=-/usr/bin/rkt stop --uuid-file=${uuid_file}
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
EOF
TEMPLATE=/opt/bin/host-rkt
mkdir -p $(dirname $TEMPLATE)
cat << EOF > $TEMPLATE
#!/bin/sh
# This is bind mounted into the kubelet rootfs and all rkt shell-outs go
# through this rkt wrapper. It essentially enters the host mount namespace
# (which it is already in) only for the purpose of breaking out of the chroot
# before calling rkt. It makes things like rkt gc work and avoids bind mounting
# in certain rkt filesystem dependancies into the kubelet rootfs. This can
# eventually be obviated when the write-api stuff gets upstream and rkt gc is
# through the api-server. Related issue:
# https://github.com/coreos/rkt/issues/2878
exec nsenter -m -u -i -n -p -t 1 -- /usr/bin/rkt "\$@"
EOF
systemctl enable kubelet
systemctl --no-block start kubelet

107
magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kubelet-minion.yaml
View File

@ -1,107 +0,0 @@
#cloud-config
write_files:
- path: /etc/systemd/system/enable-kubelet.service
owner: "root:root"
permissions: "0644"
content: |
[Unit]
Description=Enable Kubelet
[Service]
Type=oneshot
EnvironmentFile=/etc/sysconfig/heat-params
ExecStart=/etc/sysconfig/enable-kubelet-minion.sh
[Install]
WantedBy=multi-user.target
- path: /etc/sysconfig/enable-kubelet-minion.sh
owner: "root:root"
permissions: "0755"
content: |
#!/bin/sh
if [ -z "${KUBE_NODE_IP}" ]; then
KUBE_NODE_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
fi
if [ -n "${INSECURE_REGISTRY_URL}" ]; then
INSECURE_REGISTRY_ARGS="--pod-infra-container-image=${INSECURE_REGISTRY_URL}/google_containers/pause\:3.0"
else
INSECURE_REGISTRY_ARGS=""
fi
TLS_CERT_FILE=${KUBE_CERTS_PATH}/worker.pem
TLS_PRIVATE_KEY_FILE=${KUBE_CERTS_PATH}/worker-key.pem
KUBE_PROTOCOL="https"
KUBE_CONFIG="/etc/kubernetes/config/worker-kubeconfig.yaml"
if [ "$TLS_DISABLED" == "True" ]; then
TLS_CERT_FILE=
TLS_PRIVATE_KEY_FILE=
KUBE_PROTOCOL="http"
KUBE_CONFIG=
fi
KUBE_MASTER_URI="$KUBE_PROTOCOL://$KUBE_MASTER_IP:$KUBE_API_PORT"
uuid_file="/var/run/kubelet-pod.uuid"
CONF_FILE=/etc/systemd/system/kubelet.service
cat > $CONF_FILE <<EOF
[Service]
EnvironmentFile=/etc/environment
Environment=KUBELET_VERSION=${KUBE_VERSION}
Environment=KUBELET_ACI=${HYPERKUBE_IMAGE_REPO}
Environment="RKT_OPTS=--uuid-file-save=${uuid_file} \
--volume dns,kind=host,source=/etc/resolv.conf \
--mount volume=dns,target=/etc/resolv.conf \
--volume rkt,kind=host,source=/opt/bin/host-rkt \
--mount volume=rkt,target=/usr/bin/rkt \
--volume var-lib-rkt,kind=host,source=/var/lib/rkt \
--mount volume=var-lib-rkt,target=/var/lib/rkt \
--volume stage,kind=host,source=/tmp \
--mount volume=stage,target=/tmp \
--volume var-log,kind=host,source=/var/log \
--mount volume=var-log,target=/var/log"
ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/manifests
ExecStartPre=/usr/bin/mkdir -p /opt/cni/bin
ExecStartPre=/usr/bin/mkdir -p /var/log/containers
ExecStartPre=-/usr/bin/rkt rm --uuid-file=${uuid_file}
ExecStart=/usr/lib/coreos/kubelet-wrapper \
--cni-conf-dir=/etc/kubernetes/cni/net.d \
--network-plugin=cni \
--hostname-override=${INSTANCE_NAME} \
--container-runtime=${CONTAINER_RUNTIME} \
--allow-privileged=true \
--pod-manifest-path=/etc/kubernetes/manifests \
--logtostderr=true \
--v=0 \
--cadvisor-port=4194 \
--kubeconfig=${KUBE_CONFIG} \
--tls-cert-file=${TLS_CERT_FILE} \
--tls-private-key-file=${TLS_PRIVATE_KEY_FILE} \
--cluster_dns=${DNS_SERVICE_IP} \
--cluster_domain=${DNS_CLUSTER_DOMAIN} \
${INSECURE_REGISTRY_ARGS}
Restart=always
RestartSec=10
ExecStop=-/usr/bin/rkt stop --uuid-file=${uuid_file}
[Install]
WantedBy=multi-user.target
EOF
TEMPLATE=/opt/bin/host-rkt
mkdir -p $(dirname $TEMPLATE)
cat << EOF > $TEMPLATE
#!/bin/sh
# This is bind mounted into the kubelet rootfs and all rkt shell-outs go
# through this rkt wrapper. It essentially enters the host mount namespace
# (which it is already in) only for the purpose of breaking out of the chroot
# before calling rkt. It makes things like rkt gc work and avoids bind mounting
# in certain rkt filesystem dependancies into the kubelet rootfs. This can
# eventually be obviated when the write-api stuff gets upstream and rkt gc is
# through the api-server. Related issue:
# https://github.com/coreos/rkt/issues/2878
exec nsenter -m -u -i -n -p -t 1 -- /usr/bin/rkt "\$@"
EOF
systemctl enable kubelet
systemctl --no-block start kubelet

100
magnum/drivers/k8s_coreos_v1/templates/fragments/enable-network-service-client.yaml
View File

@ -1,100 +0,0 @@
#cloud-config
write_files:
- path: /etc/systemd/system/enable-network-service.service
owner: "root:root"
permissions: "0644"
content: |
[Unit]
Description=Enable Network Service
[Service]
Type=oneshot
EnvironmentFile=/etc/sysconfig/heat-params
ExecStart=/etc/sysconfig/enable-network-service.sh
[Install]
WantedBy=multi-user.target
- path: /etc/sysconfig/enable-network-service.sh
owner: "root:root"
permissions: "0755"
content: |
#!/bin/sh
if [ "$NETWORK_DRIVER" != "flannel" ]; then
exit 0
fi
if [ -z "${KUBE_NODE_IP}" ]; then
KUBE_NODE_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
fi
ETCD_SERVER_IP=${ETCD_SERVER_IP:-127.0.0.1}
PROTOCOL=https
if [ "$TLS_DISABLED" = "True" ]; then
PROTOCOL=http
fi
ENV_FILE=/etc/flannel/options.env
mkdir -p $(dirname $ENV_FILE)
cat > $ENV_FILE <<EOF
FLANNELD_IFACE=${KUBE_NODE_IP}
FLANNELD_ETCD_ENDPOINTS=${PROTOCOL}://${ETCD_SERVER_IP}:2379
EOF
if [ "$TLS_DISABLED" = "False" ]; then
cat >> $ENV_FILE <<EOF
FLANNELD_ETCD_CAFILE=${KUBE_CERTS_PATH}/ca.pem
FLANNELD_ETCD_CERTFILE=${KUBE_CERTS_PATH}/worker.pem
FLANNELD_ETCD_KEYFILE=${KUBE_CERTS_PATH}/worker-key.pem
EOF
fi
DROP_IN_FILE=/etc/systemd/system/flanneld.service.d/40-ExecStartPre-symlink.conf
mkdir -p $(dirname $DROP_IN_FILE)
cat > $DROP_IN_FILE <<EOF
[Service]
Environment=ETCD_SSL_DIR=${KUBE_CERTS_PATH}
ExecStartPre=/usr/bin/ln -sf /etc/flannel/options.env /run/flannel/options.env
EOF
DROP_IN_FILE=/etc/systemd/system/flanneld.service.d/50-Environment.conf
mkdir -p $(dirname $DROP_IN_FILE)
cat > $DROP_IN_FILE <<EOF
[Service]
EnvironmentFile=/etc/environment
EOF
DOCKER_FLANNEL_CONF=/etc/systemd/system/docker.service.d/40-flannel.conf
mkdir -p $(dirname $DOCKER_FLANNEL_CONF)
cat > $DOCKER_FLANNEL_CONF <<EOF
[Unit]
Requires=flanneld.service
After=flanneld.service
[Service]
EnvironmentFile=/etc/kubernetes/cni/docker_opts_cni.env
EOF
CNI=/etc/kubernetes/cni/net.d/10-flannel.conf
mkdir -p $(dirname $CNI)
cat << EOF > $CNI
{
"name": "podnet",
"type": "flannel",
"delegate": {
"isDefaultGateway": true
}
}
EOF
DOCKER_FLANNEL_CONF=/etc/kubernetes/cni/docker_opts_cni.env
mkdir -p $(dirname $DOCKER_FLANNEL_CONF)
cat > $DOCKER_FLANNEL_CONF <<EOF
DOCKER_OPT_BIP=""
DOCKER_OPT_IPMASQ=""
EOF
systemctl enable flanneld
systemctl --no-block start flanneld

84
magnum/drivers/k8s_coreos_v1/templates/fragments/enable-network-service.yaml
View File

@ -1,84 +0,0 @@
#cloud-config
write_files:
- path: /etc/systemd/system/enable-network-service.service
owner: "root:root"
permissions: "0644"
content: |
[Unit]
Description=Enable Network Service
[Service]
Type=oneshot
EnvironmentFile=/etc/sysconfig/heat-params
ExecStart=/etc/sysconfig/enable-network-service.sh
[Install]
WantedBy=multi-user.target
- path: /etc/sysconfig/enable-network-service.sh
owner: "root:root"
permissions: "0755"
content: |
#!/bin/sh
if [ "$NETWORK_DRIVER" != "flannel" ]; then
exit 0
fi
if [ -z "${KUBE_NODE_IP}" ]; then
KUBE_NODE_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
fi
ENV_FILE=/etc/flannel/options.env
mkdir -p $(dirname $ENV_FILE)
cat > $ENV_FILE <<EOF
FLANNELD_IFACE=${KUBE_NODE_IP}
FLANNELD_ETCD_ENDPOINTS=http://127.0.0.1:2379
EOF
DROP_IN_FILE=/etc/systemd/system/flanneld.service.d/40-ExecStartPre-symlink.conf
mkdir -p $(dirname $DROP_IN_FILE)
cat > $DROP_IN_FILE <<EOF
[Service]
Environment=ETCD_SSL_DIR=${KUBE_CERTS_PATH}
ExecStartPre=/usr/bin/ln -sf /etc/flannel/options.env /run/flannel/options.env
EOF
DROP_IN_FILE=/etc/systemd/system/flanneld.service.d/50-Environment.conf
mkdir -p $(dirname $DROP_IN_FILE)
cat > $DROP_IN_FILE <<EOF
[Service]
EnvironmentFile=/etc/environment
EOF
DOCKER_FLANNEL_CONF=/etc/systemd/system/docker.service.d/40-flannel.conf
mkdir -p $(dirname $DOCKER_FLANNEL_CONF)
cat > $DOCKER_FLANNEL_CONF <<EOF
[Unit]
Requires=flanneld.service
After=flanneld.service
[Service]
EnvironmentFile=/etc/kubernetes/cni/docker_opts_cni.env
EOF
CNI=/etc/kubernetes/cni/net.d/10-flannel.conf
mkdir -p $(dirname $CNI)
cat << EOF > $CNI
{
"name": "podnet",
"type": "flannel",
"delegate": {
"isDefaultGateway": true
}
}
EOF
DOCKER_FLANNEL_CONF=/etc/kubernetes/cni/docker_opts_cni.env
mkdir -p $(dirname $DOCKER_FLANNEL_CONF)
cat > $DOCKER_FLANNEL_CONF <<EOF
DOCKER_OPT_BIP=""
DOCKER_OPT_IPMASQ=""
EOF
systemctl enable flanneld
systemctl --no-block start flanneld

137
magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert-client.yaml
View File

@ -1,137 +0,0 @@
#cloud-config
write_files:
- path: /etc/systemd/system/make-cert.service
owner: "root:root"
permissions: "0644"
content: |
[Unit]
Description=Make TLS certificates
[Service]
Type=oneshot
EnvironmentFile=/etc/sysconfig/heat-params
ExecStart=/etc/sysconfig/make-cert.sh
[Install]
WantedBy=multi-user.target
- path: /etc/sysconfig/make-cert.sh
owner: "root:root"
permissions: "0755"
content: |
#!/bin/bash
# Parse the JSON response that contains the TLS certificate, and print
# out the certificate content.
function parse_json_response {
json_response=$1
# {..,"pem": "ABCD",..} -> ABCD
key=$(echo "$json_response" | sed 's/^.*"pem": "\([^"]*\)".*$/\1/')
# decode newline characters
key=$(echo "$key" | sed 's/\\n/\n/g')
echo "$key"
}
set -o errexit
set -o nounset
set -o pipefail
if [ "$TLS_DISABLED" == "True" ]; then
exit 0
fi
if [ "$VERIFY_CA" == "True" ]; then
VERIFY_CA=""
else
VERIFY_CA="-k"
fi
cert_conf_dir=${KUBE_CERTS_PATH}/conf
mkdir -p ${cert_conf_dir}
CA_CERT=${KUBE_CERTS_PATH}/ca.pem
CLIENT_CERT=${KUBE_CERTS_PATH}/worker.pem
CLIENT_CSR=${KUBE_CERTS_PATH}/worker.csr
CLIENT_KEY=${KUBE_CERTS_PATH}/worker-key.pem
if [ -f ${CLIENT_CERT} ] || [ -f ${CLIENT_KEY} ] || [ -f ${CLIENT_CSR} ]; then
exit 0
fi
#Get a token by user credentials and trust
cat > auth.json << EOF
{
"auth": {
"identity": {
"methods": [
"password"
],
"password": {
"user": {
"id": "$TRUSTEE_USER_ID",
"password": "$TRUSTEE_PASSWORD"
}
}
},
"scope": {
"OS-TRUST:trust": {
"id": "$TRUST_ID"
}
}
}
}
EOF
USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
$AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'`
rm -rf auth.json
ca_cert_json=$(curl $VERIFY_CA -X GET \
-H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \
$MAGNUM_URL/certificates/$CLUSTER_UUID)
parse_json_response "${ca_cert_json}" > ${CA_CERT}
# Create config for client's csr
cat > ${cert_conf_dir}/worker-openssl.conf <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
CN = kubernetes.invalid
[req_ext]
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
subjectAltName=dirName:kubelet,dirName:kubeproxy
[kubelet]
CN=kubelet
[kubeproxy]
CN=kube-proxy
EOF
# Generate client's private key and csr
openssl genrsa -out "${CLIENT_KEY}" 4096
chmod 400 "${CLIENT_KEY}"
openssl req -new -days 1000 \
-key "${CLIENT_KEY}" \
-out "${CLIENT_CSR}" \
-reqexts req_ext \
-config "${cert_conf_dir}/worker-openssl.conf"
# encode newline (\n) characters
csr=$(cat $CLIENT_CSR | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g')
csr_req="{\"cluster_uuid\": \"$CLUSTER_UUID\", \"csr\": \"$csr\"}"
# Send csr to Magnum to have it signed
client_cert_json=$(curl $VERIFY_CA -X POST \
-H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \
-H "Content-Type: application/json" \
-d "$csr_req" \
$MAGNUM_URL/certificates)
parse_json_response "${client_cert_json}" > ${CLIENT_CERT}
chmod 600 ${KUBE_CERTS_PATH}/*-key.pem
chown root:root ${KUBE_CERTS_PATH}/*-key.pem

165
magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml
View File

@ -1,165 +0,0 @@
#cloud-config
write_files:
- path: /etc/systemd/system/make-cert.service
owner: "root:root"
permissions: "0644"
content: |
[Unit]
Description=Make TLS certificates
[Service]
Type=oneshot
EnvironmentFile=/etc/sysconfig/heat-params
ExecStart=/etc/sysconfig/make-cert.sh
[Install]
WantedBy=multi-user.target
- path: /etc/sysconfig/make-cert.sh
owner: "root:root"
permissions: "0755"
content: |
#!/bin/bash
# Parse the JSON response that contains the TLS certificate, and print
# out the certificate content.
function parse_json_response {
json_response=$1
# {..,"pem": "ABCD",..} -> ABCD
key=$(echo "$json_response" | sed 's/^.*"pem": "\([^"]*\)".*$/\1/')
# decode newline characters
key=$(echo "$key" | sed 's/\\n/\n/g')
echo "$key"
}
set -o errexit
set -o nounset
set -o pipefail
if [ "$TLS_DISABLED" == "True" ]; then
exit 0
fi
if [ "$VERIFY_CA" == "True" ]; then
VERIFY_CA=""
else
VERIFY_CA="-k"
fi
if [[ -z "${KUBE_NODE_PUBLIC_IP}" ]]; then
KUBE_NODE_PUBLIC_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
fi
if [[ -z "${KUBE_NODE_IP}" ]]; then
KUBE_NODE_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
fi
sans="IP:${KUBE_NODE_PUBLIC_IP},IP:${KUBE_NODE_IP}"
if [ "${KUBE_NODE_PUBLIC_IP}" != "${KUBE_API_PUBLIC_ADDRESS}" ] \
&& [ -n "${KUBE_API_PUBLIC_ADDRESS}" ]; then
sans="${sans},IP:${KUBE_API_PUBLIC_ADDRESS}"
fi
if [ "${KUBE_NODE_IP}" != "${KUBE_API_PRIVATE_ADDRESS}" ] \
&& [ -n "${KUBE_API_PRIVATE_ADDRESS}" ]; then
sans="${sans},IP:${KUBE_API_PRIVATE_ADDRESS}"
fi
MASTER_HOSTNAME=${MASTER_HOSTNAME:-}
if [[ -n "${MASTER_HOSTNAME}" ]]; then
sans="${sans},DNS:${MASTER_HOSTNAME}"
fi
sans="${sans},IP:127.0.0.1"
KUBE_SERVICE_IP=$(echo $PORTAL_NETWORK_CIDR | awk 'BEGIN{FS="[./]"; OFS="."}{print $1,$2,$3,$4 + 1}')
sans="${sans},IP:${KUBE_SERVICE_IP}"
if [[ -n "${ETCD_LB_VIP}" ]]; then
sans="${sans},IP:${ETCD_LB_VIP}"
fi
cert_conf_dir=${KUBE_CERTS_PATH}/conf
mkdir -p ${cert_conf_dir}
CA_CERT=${KUBE_CERTS_PATH}/ca.pem
SERVER_CERT=${KUBE_CERTS_PATH}/apiserver.pem
SERVER_CSR=${KUBE_CERTS_PATH}/apiserver.pem
SERVER_KEY=${KUBE_CERTS_PATH}/apiserver-key.pem
if [ -f ${SERVER_CERT} ] || [ -f ${SERVER_KEY} ] || [ -f ${SERVER_CSR} ]; then
exit 0
fi
#Get a token by user credentials and trust
cat > auth.json << EOF
{
"auth": {
"identity": {
"methods": [
"password"
],
"password": {
"user": {
"id": "$TRUSTEE_USER_ID",
"password": "$TRUSTEE_PASSWORD"
}
}
},
"scope": {
"OS-TRUST:trust": {
"id": "$TRUST_ID"
}
}
}
}
EOF
USER_TOKEN=`curl $VERIFY_CA -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
$AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}' | tr -d '\r'`
rm -rf auth.json
# Get CA certificate for this cluster
ca_cert_json=$(curl $VERIFY_CA -X GET \
-H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \
$MAGNUM_URL/certificates/$CLUSTER_UUID)
parse_json_response "${ca_cert_json}" > ${CA_CERT}
# Create config for server's csr
cat > ${cert_conf_dir}/openssl.cnf <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
CN = kube-apiserver
[req_ext]
subjectAltName = ${sans}
extendedKeyUsage = clientAuth,serverAuth
EOF
# Generate server's private key and csr
openssl genrsa -out "${SERVER_KEY}" 4096
chmod 400 "${SERVER_KEY}"
openssl req -new -days 10000 \
-key "${SERVER_KEY}" \
-out "${SERVER_CSR}" \
-reqexts req_ext \
-config "${cert_conf_dir}/openssl.cnf"
# encode newline (\n) characters
csr=$(cat $SERVER_CSR | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g')
csr_req="{\"cluster_uuid\": \"$CLUSTER_UUID\", \"csr\": \"$csr\"}"
# Send csr to Magnum to have it signed
server_cert_json=$(curl $VERIFY_CA -X POST \
-H "X-Auth-Token: $USER_TOKEN" \
-H "OpenStack-API-Version: container-infra latest" \
-H "Content-Type: application/json" \
-d "$csr_req" \
$MAGNUM_URL/certificates)
parse_json_response "${server_cert_json}" > ${SERVER_CERT}
chmod 600 ${KUBE_CERTS_PATH}/*-key.pem
# Certs will also be used by etcd service
chown -R etcd:etcd ${KUBE_CERTS_PATH}

30
magnum/drivers/k8s_coreos_v1/templates/fragments/wc-notify.yaml
View File

@ -1,30 +0,0 @@
#cloud-config
write_files:
- path: /etc/systemd/system/wc-notify.service
owner: "root:root"
permissions: "0644"
content: |
[Unit]
Description=Notify Heat
[Service]
Type=oneshot
EnvironmentFile=/etc/sysconfig/heat-params
ExecStart=/etc/sysconfig/wc-notify.sh
[Install]
WantedBy=multi-user.target
- path: /etc/sysconfig/wc-notify.sh
owner: "root:root"
permissions: "0755"
content: |
#!/bin/bash -v
if [ "$VERIFY_CA" == "True" ]; then
VERIFY_CA=""
else
VERIFY_CA="-k"
fi
command="$WAIT_CURL $VERIFY_CA --data-binary '{\"status\": \"SUCCESS\"}'"
eval $(echo "$command")

52
magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml
View File

@ -1,52 +0,0 @@
#cloud-config
merge_how: dict(recurse_array)+list(append)
write_files:
- path: /etc/sysconfig/heat-params
owner: "root:root"
permissions: "0600"
content: |
KUBE_API_PUBLIC_ADDRESS="$KUBE_API_PUBLIC_ADDRESS"
KUBE_API_PRIVATE_ADDRESS="$KUBE_API_PRIVATE_ADDRESS"
KUBE_API_PORT="$KUBE_API_PORT"
KUBE_NODE_PUBLIC_IP="$KUBE_NODE_PUBLIC_IP"
KUBE_NODE_IP="$KUBE_NODE_IP"
KUBE_ALLOW_PRIV="$KUBE_ALLOW_PRIV"
DOCKER_VOLUME="$DOCKER_VOLUME"
DOCKER_VOLUME_SIZE="$DOCKER_VOLUME_SIZE"
DOCKER_STORAGE_DRIVER="$DOCKER_STORAGE_DRIVER"
NETWORK_DRIVER="$NETWORK_DRIVER"
FLANNEL_NETWORK_CIDR="$FLANNEL_NETWORK_CIDR"
FLANNEL_NETWORK_SUBNETLEN="$FLANNEL_NETWORK_SUBNETLEN"
FLANNEL_BACKEND="$FLANNEL_BACKEND"
PORTAL_NETWORK_CIDR="$PORTAL_NETWORK_CIDR"
ADMISSION_CONTROL_LIST="$ADMISSION_CONTROL_LIST"
ETCD_DISCOVERY_URL="$ETCD_DISCOVERY_URL"
USERNAME="$USERNAME"
PASSWORD="$PASSWORD"
TENANT_NAME="$TENANT_NAME"
CLUSTER_SUBNET="$CLUSTER_SUBNET"
TLS_DISABLED="$TLS_DISABLED"
VERIFY_CA="$VERIFY_CA"
CLUSTER_UUID="$CLUSTER_UUID"
MAGNUM_URL="$MAGNUM_URL"
HTTP_PROXY="$HTTP_PROXY"
HTTPS_PROXY="$HTTPS_PROXY"
NO_PROXY="$NO_PROXY"
WAIT_CURL="$WAIT_CURL"
KUBE_VERSION="$KUBE_VERSION"
TRUSTEE_USER_ID="$TRUSTEE_USER_ID"
TRUSTEE_PASSWORD="$TRUSTEE_PASSWORD"
TRUST_ID="$TRUST_ID"
AUTH_URL="$AUTH_URL"
INSECURE_REGISTRY_URL="$INSECURE_REGISTRY_URL"
SYSTEM_PODS_INITIAL_DELAY="$SYSTEM_PODS_INITIAL_DELAY"
SYSTEM_PODS_TIMEOUT="$SYSTEM_PODS_TIMEOUT"
KUBE_CERTS_PATH="$KUBE_CERTS_PATH"
HOST_CERTS_PATH="$HOST_CERTS_PATH"
HYPERKUBE_IMAGE_REPO="$HYPERKUBE_IMAGE_REPO"
CONTAINER_RUNTIME="$CONTAINER_RUNTIME"
ETCD_LB_VIP="$ETCD_LB_VIP"
KUBE_DASHBOARD_ENABLED="$KUBE_DASHBOARD_ENABLED"
KUBE_DASHBOARD_VERSION="$KUBE_DASHBOARD_VERSION"
DNS_SERVICE_IP="$DNS_SERVICE_IP"
DNS_CLUSTER_DOMAIN="$DNS_CLUSTER_DOMAIN"

50
magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params.yaml
View File

@ -1,50 +0,0 @@
#cloud-config
merge_how: dict(recurse_array)+list(append)
write_files:
- path: /etc/sysconfig/heat-params
owner: "root:root"
permissions: "0600"
content: |
KUBE_ALLOW_PRIV="$KUBE_ALLOW_PRIV"
KUBE_MASTER_IP="$KUBE_MASTER_IP"
KUBE_API_PORT="$KUBE_API_PORT"
KUBE_NODE_PUBLIC_IP="$KUBE_NODE_PUBLIC_IP"
KUBE_NODE_IP="$KUBE_NODE_IP"
ETCD_SERVER_IP="$ETCD_SERVER_IP"
DOCKER_VOLUME="$DOCKER_VOLUME"
DOCKER_VOLUME_SIZE="$DOCKER_VOLUME_SIZE"
DOCKER_STORAGE_DRIVER="$DOCKER_STORAGE_DRIVER"
NETWORK_DRIVER="$NETWORK_DRIVER"
REGISTRY_ENABLED="$REGISTRY_ENABLED"
REGISTRY_PORT="$REGISTRY_PORT"
SWIFT_REGION="$SWIFT_REGION"
REGISTRY_CONTAINER="$REGISTRY_CONTAINER"
REGISTRY_INSECURE="$REGISTRY_INSECURE"
REGISTRY_CHUNKSIZE="$REGISTRY_CHUNKSIZE"
TLS_DISABLED="$TLS_DISABLED"
VERIFY_CA="$VERIFY_CA"
CLUSTER_UUID="$CLUSTER_UUID"
MAGNUM_URL="$MAGNUM_URL"
AUTH_URL="$AUTH_URL"
USERNAME="$USERNAME"
PASSWORD="$PASSWORD"
VOLUME_DRIVER="$VOLUME_DRIVER"
REGION_NAME="$REGION_NAME"
TENANT_NAME="$TENANT_NAME"
HTTP_PROXY="$HTTP_PROXY"
HTTPS_PROXY="$HTTPS_PROXY"
NO_PROXY="$NO_PROXY"
WAIT_CURL="$WAIT_CURL"
KUBE_VERSION="$KUBE_VERSION"
TRUSTEE_USER_ID="$TRUSTEE_USER_ID"
TRUSTEE_USERNAME="$TRUSTEE_USERNAME"
TRUSTEE_PASSWORD="$TRUSTEE_PASSWORD"
TRUSTEE_DOMAIN_ID="$TRUSTEE_DOMAIN_ID"
TRUST_ID="$TRUST_ID"
INSECURE_REGISTRY_URL="$INSECURE_REGISTRY_URL"
KUBE_CERTS_PATH="$KUBE_CERTS_PATH"
HOST_CERTS_PATH="$HOST_CERTS_PATH"
HYPERKUBE_IMAGE_REPO="$HYPERKUBE_IMAGE_REPO"
CONTAINER_RUNTIME="$CONTAINER_RUNTIME"
DNS_SERVICE_IP="$DNS_SERVICE_IP"
DNS_CLUSTER_DOMAIN="$DNS_CLUSTER_DOMAIN"

25
magnum/drivers/k8s_coreos_v1/templates/fragments/write-kubeconfig.yaml
View File

@ -1,25 +0,0 @@
#cloud-config
merge_how: dict(recurse_array)+list(append)
write_files:
- path: /etc/kubernetes/config/worker-kubeconfig.yaml
owner: "root:root"
permissions: "0644"
content: |
apiVersion: v1
kind: Config
clusters:
- name: local
cluster:
server: https://$KUBE_MASTER_IP:$KUBE_API_PORT
certificate-authority: /etc/kubernetes/ssl/ca.pem
users:
- name: kubelet
user:
client-certificate: /etc/kubernetes/ssl/worker.pem
client-key: /etc/kubernetes/ssl/worker-key.pem
contexts:
- context:
cluster: local
user: kubelet
name: kubelet-context
current-context: kubelet-context

21
magnum/drivers/k8s_coreos_v1/templates/fragments/write-master-kubeconfig.yaml
View File

@ -1,21 +0,0 @@
#cloud-config
merge_how: dict(recurse_array)+list(append)
write_files:
- path: /etc/kubernetes/master-kubeconfig.yaml
owner: "root:root"
permissions: "0644"
content: |
apiVersion: v1
kind: Config
clusters:
- name: local
cluster:
server: http://127.0.0.1:8080
users:
- name: kubelet
contexts:
- context:
cluster: local
user: kubelet
name: kubelet-context
current-context: kubelet-context

45
magnum/drivers/k8s_coreos_v1/templates/fragments/write-network-config.yaml
View File

@ -1,45 +0,0 @@
#cloud-config
write_files:
- path: /etc/systemd/system/write-network-config.service
owner: "root:root"
permissions: "0644"
content: |
[Unit]
Description=Write Network Config
[Service]
Type=oneshot
EnvironmentFile=/etc/sysconfig/heat-params
ExecStart=/etc/sysconfig/write-network-config.sh
[Install]
WantedBy=multi-user.target
- path: /etc/sysconfig/write-network-config.sh
owner: "root:root"
permissions: "0755"
content: |
#!/bin/sh
if [ "$NETWORK_DRIVER" != "flannel" ]; then
exit 0
fi
FLANNEL_JSON=/etc/sysconfig/flannel-network.json
cat > $FLANNEL_JSON <<EOF
{
"Network": "$FLANNEL_NETWORK_CIDR",
"Subnetlen": $FLANNEL_NETWORK_SUBNETLEN,
"Backend": {
"Type": "$FLANNEL_BACKEND"
}
}
EOF
FLANNEL_ETCD="http://127.0.0.1:2379"
FLANNEL_ETCD_KEY="/coreos.com/network"
while ! curl -sf -L ${FLANNEL_ETCD}/v2/keys${FLANNEL_ETCD_KEY}/config \
-X PUT --data-urlencode value@${FLANNEL_JSON}; do
echo "waiting for etcd"
sleep 1
done

858
magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml
View File

@ -1,858 +0,0 @@
heat_template_version: 2014-10-16
description: >
This template will boot a Kubernetes cluster with one or more
minions (as specified by the number_of_minions parameter, which
defaults to 1).
parameters:
is_cluster_stack:
type: boolean
default: false
master_role:
type: string
default: ""
worker_role:
type: string
default: ""
octavia_enabled:
type: string
default: true
ssh_key_name:
type: string
description: name of ssh key to be provisioned on our server
default: ""
ssh_public_key:
type: string
description: The public ssh key to add in all nodes
default: ""
external_network:
type: string
description: uuid/name of a network to use for floating ip addresses
default: public
fixed_network:
type: string
description: uuid/name of an existing network to use to provision machines
default: ""
fixed_subnet:
type: string
description: uuid/name of an existing subnet to use to provision machines
default: ""
master_image:
type: string
description: glance image used to boot the server
minion_image:
type: string
description: glance image used to boot the server
master_flavor:
type: string
default: m1.small
description: flavor to use when booting the server for master nodes
minion_flavor:
type: string
default: m1.small
description: flavor to use when booting the server for minions
master_nodegroup_name:
type: string
default: ""
description: the name of the nodegroup where the node belongs
worker_nodegroup_name:
type: string
default: ""
description: the name of the nodegroup where the node belongs
prometheus_monitoring:
type: boolean
default: false
description: >
whether or not to have the grafana-prometheus-cadvisor monitoring setup
grafana_admin_passwd:
type: string
default: admin
hidden: true
description: >
admin user password for the Grafana monitoring interface
dns_nameserver:
type: comma_delimited_list
description: address of a DNS nameserver reachable in your environment
default: 8.8.8.8
number_of_masters:
type: number
description: how many kubernetes masters to spawn
default: 1
number_of_minions:
type: number
description: how many kubernetes minions to spawn
default: 1
fixed_subnet_cidr:
type: string
description: network range for fixed ip network
default: 10.0.0.0/24
portal_network_cidr:
type: string
description: >
address range used by kubernetes for service portals
default: 10.254.0.0/16
network_driver:
type: string
description: network driver to use for instantiating container networks
default: flannel
flannel_network_cidr:
type: string
description: network range for flannel overlay network
default: 10.100.0.0/16
flannel_network_subnetlen:
type: number
description: size of subnet assigned to each minion
default: 24
flannel_backend:
type: string
description: >
specify the backend for flannel, default udp backend
default: "udp"
constraints:
- allowed_values: ["udp", "vxlan", "host-gw"]
system_pods_initial_delay:
type: number
description: >
health check, time to wait for system pods (podmaster, scheduler) to boot
(in seconds)
default: 30
system_pods_timeout:
type: number
description: >
health check, timeout for system pods (podmaster, scheduler) to answer.
(in seconds)
default: 5
admission_control_list:
type: string
description: >
List of admission control plugins to activate
default: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
kube_allow_priv:
type: string
description: >
whether or not kubernetes should permit privileged containers.
default: "true"
constraints:
- allowed_values: ["true", "false"]
etcd_volume_size:
type: number
description: >
size of the cinder volume for etcd storage
default: 0
docker_volume_size:
type: number
description: >
size of a cinder volume to allocate to docker for container/image
storage
default: 0
docker_volume_type:
type: string
description: >
type of a cinder volume to allocate to docker for container/image
storage
docker_storage_driver:
type: string
description: docker storage driver name
default: "devicemapper"
wait_condition_timeout:
type: number
description: >
timeout for the Wait Conditions
default: 6000
minions_to_remove:
type: comma_delimited_list
description: >
List of minions to be removed when doing an update. Individual minion may
be referenced several ways: (1) The resource name (e.g. ['1', '3']),
(2) The private IP address ['10.0.0.4', '10.0.0.6']. Note: the list should
be empty when doing an create.
default: []
discovery_url:
type: string
description: >
Discovery URL used for bootstrapping the etcd cluster.
registry_enabled:
type: boolean
description: >
Indicates whether the docker registry is enabled.
default: false
registry_port:
type: number
description: port of registry service
default: 5000
swift_region:
type: string
description: region of swift service
default: ""
registry_container:
type: string
description: >
name of swift container which docker registry stores images in
default: "container"
registry_insecure:
type: boolean
description: >
indicates whether to skip TLS verification between registry and backend storage
default: true
registry_chunksize:
type: number
description: >
size fo the data segments for the swift dynamic large objects
default: 5242880
volume_driver:
type: string
description: volume driver to use for container storage
default: ""
region_name:
type: string
description: A logically separate section of the cluster
username:
type: string
description: >
user account
password:
type: string
description: >
user password, not set in current implementation, only used to
fill in for Kubernetes config file
default:
ChangeMe
hidden: true
loadbalancing_protocol:
type: string
description: >
The protocol which is used for load balancing. If you want to change
tls_disabled option to 'True', please change this to "HTTP".
default: TCP
constraints:
- allowed_values: ["TCP", "HTTP"]
tls_disabled:
type: boolean
description: whether or not to disable TLS
default: False
kube_dashboard_enabled:
type: boolean
description: whether or not to enable kubernetes dashboard
default: True
influx_grafana_dashboard_enabled:
type: boolean
description: Enable influxdb with grafana dashboard for data from heapster
default: False
verify_ca:
type: boolean
description: whether or not to validate certificate authority
kubernetes_port:
type: number
description: >
The port which are used by kube-apiserver to provide Kubernetes
service.
default: 6443
cluster_uuid:
type: string
description: identifier for the cluster this template is generating
magnum_url:
type: string
description: endpoint to retrieve TLS certs from
http_proxy:
type: string
description: http proxy address for docker
default: ""
https_proxy:
type: string
description: https proxy address for docker
default: ""
no_proxy:
type: string
description: no proxies for docker
default: ""
trustee_domain_id:
type: string
description: domain id of the trustee
trustee_user_id:
type: string
description: user id of the trustee
trustee_username:
type: string
description: username of the trustee
trustee_password:
type: string
description: password of the trustee
hidden: true
trust_id:
type: string
description: id of the trust which is used by the trustee
hidden: true
auth_url:
type: string
description: url for keystone
kube_tag:
type: string
description: tag of the k8s containers used to provision the kubernetes cluster
default: v1.9.3
etcd_tag:
type: string
description: tag of the etcd system container
default: v3.2.7
coredns_tag:
type: string
description: tag for coredns
default: 1.3.1
flannel_tag:
type: string
description: tag of the flannel system containers
default: v0.9.0
kube_version:
type: string
description: version of kubernetes used for kubernetes cluster
default: v1.10.3_coreos.0
kube_dashboard_version:
type: string
description: version of kubernetes dashboard used for kubernetes cluster
default: v1.8.3
hyperkube_image:
type: string
description: >
Docker registry used for hyperkube image
default: quay.io/coreos/hyperkube
insecure_registry_url:
type: string
description: insecure registry url
default: ""
container_infra_prefix:
type: string
description: >
prefix of container images used in the cluster, kubernetes components,
kubernetes-dashboard, coredns etc
constraints:
- allowed_pattern: "^$|.*/"
default: ""
dns_service_ip:
type: string
description: >
address used by Kubernetes DNS service
default: 10.254.0.10
dns_cluster_domain:
type: string
description: >
domain name for cluster DNS
default: "cluster.local"
openstack_ca:
type: string
hidden: true
description: The OpenStack CA certificate to install on the node.
openstack_ca_coreos:
type: string
hidden: true
description: The OpenStack CA certificate to install on the node.
nodes_affinity_policy:
type: string
description: >
affinity policy for nodes server group
constraints:
- allowed_values: ["affinity", "anti-affinity", "soft-affinity",
"soft-anti-affinity"]
availability_zone:
type: string
description: >
availability zone for master and nodes
default: ""
cert_manager_api:
type: boolean
description: true if the kubernetes cert api manager should be enabled
default: false
ca_key:
type: string
description: key of internal ca for the kube certificate api manager
default: ""
hidden: true
calico_tag:
type: string
description: tag of the calico containers used to provision the calico node
default: v2.6.7
calico_kube_controllers_tag:
type: string
description: tag of the kube_controllers used to provision the calico node
default: v1.0.3
calico_ipv4pool:
type: string
description: Configure the IP pool from which Pod IPs will be chosen
default: "10.100.0.0/16"
pods_network_cidr:
type: string
description: Configure the IP pool/range from which pod IPs will be chosen
ingress_controller:
type: string
description: >
ingress controller backend to use
default: ""
ingress_controller_role:
type: string
description: >
node role where the ingress controller backend should run
default: "ingress"
kubelet_options:
type: string
description: >
additional options to be passed to the kubelet
default: ""
kubeapi_options:
type: string
description: >
additional options to be passed to the api
default: ""
kubecontroller_options:
type: string
description: >
additional options to be passed to the controller manager
default: ""
kubeproxy_options:
type: string
description: >
additional options to be passed to the kube proxy
default: ""
kubescheduler_options:
type: string
description: >
additional options to be passed to the scheduler
default: ""
container_runtime:
type: string
description: >
Container runtime to use with Kubernetes.
default: "docker"
constraints:
- allowed_values: ["docker"]
resources:
######################################################################
#
# network resources. allocate a network and router for our server.
# Important: the Load Balancer feature in Kubernetes requires that
# the name for the fixed_network must be "private" for the
# address lookup in Kubernetes to work properly
#
network:
type: ../../common/templates/network.yaml
properties:
existing_network: {get_param: fixed_network}
existing_subnet: {get_param: fixed_subnet}
private_network_cidr: {get_param: fixed_subnet_cidr}
dns_nameserver: {get_param: dns_nameserver}
external_network: {get_param: external_network}
private_network_name: private
api_lb:
type: ../../common/templates/lb_api.yaml
properties:
fixed_subnet: {get_attr: [network, fixed_subnet]}
external_network: {get_param: external_network}
protocol: {get_param: loadbalancing_protocol}
port: {get_param: kubernetes_port}
etcd_lb:
type: ../../common/templates/lb_etcd.yaml
properties:
fixed_subnet: {get_attr: [network, fixed_subnet]}
protocol: {get_param: loadbalancing_protocol}
port: 2379
######################################################################
#
# security groups. we need to permit network traffic of various
# sorts.
#
secgroup_kube_master:
type: OS::Neutron::SecurityGroup
properties:
rules:
- protocol: icmp
- protocol: tcp
port_range_min: 22
port_range_max: 22
- protocol: tcp
port_range_min: 7080
port_range_max: 7080
- protocol: tcp
port_range_min: 8080
port_range_max: 8080
- protocol: tcp
port_range_min: 2379
port_range_max: 2379
- protocol: tcp
port_range_min: 2380
port_range_max: 2380
- protocol: tcp
port_range_min: 6443
port_range_max: 6443
- protocol: tcp
port_range_min: 30000
port_range_max: 32767
secgroup_kube_minion:
type: OS::Neutron::SecurityGroup
properties:
rules:
- protocol: icmp
- protocol: tcp
- protocol: udp
######################################################################
#
# resources that expose the IPs of either the kube master or a given
# LBaaS pool depending on whether LBaaS is enabled for the cluster.
#
api_address_lb_switch:
type: Magnum::ApiGatewaySwitcher
properties:
pool_public_ip: {get_attr: [api_lb, floating_address]}
pool_private_ip: {get_attr: [api_lb, address]}
master_public_ip: {get_attr: [kube_masters, resource.0.kube_master_external_ip]}
master_private_ip: {get_attr: [kube_masters, resource.0.kube_master_ip]}
etcd_address_lb_switch:
type: Magnum::ApiGatewaySwitcher
properties:
pool_private_ip: {get_attr: [etcd_lb, address]}
master_private_ip: {get_attr: [kube_masters, resource.0.kube_master_ip]}
######################################################################
#
# resources that expose the IPs of either floating ip or a given
# fixed ip depending on whether FloatingIP is enabled for the cluster.
#
api_address_floating_switch:
type: Magnum::FloatingIPAddressSwitcher
properties:
public_ip: {get_attr: [api_address_lb_switch, public_ip]}
private_ip: {get_attr: [api_address_lb_switch, private_ip]}
######################################################################
#
# resources that expose one server group for each master and worker nodes
# separately.
#
master_nodes_server_group:
type: OS::Nova::ServerGroup
properties:
policies: [{get_param: nodes_affinity_policy}]
worker_nodes_server_group:
type: OS::Nova::ServerGroup
properties:
policies: [{get_param: nodes_affinity_policy}]
######################################################################
#
# kubernetes masters. This is a resource group that will create
# <number_of_masters> masters.
#
kube_masters:
type: OS::Heat::ResourceGroup
depends_on:
- network
properties:
count: {get_param: number_of_masters}
resource_def:
type: kubemaster.yaml
properties:
name:
list_join:
- '-'
- [{ get_param: 'OS::stack_name' }, 'master', '%index%']
prometheus_monitoring: {get_param: prometheus_monitoring}
grafana_admin_passwd: {get_param: grafana_admin_passwd}
api_public_address: {get_attr: [api_lb, floating_address]}
api_private_address: {get_attr: [api_lb, address]}
ssh_key_name: {get_param: ssh_key_name}
server_image: {get_param: master_image}
master_flavor: {get_param: master_flavor}
external_network: {get_param: external_network}
kube_allow_priv: {get_param: kube_allow_priv}
etcd_volume_size: {get_param: etcd_volume_size}
docker_volume_size: {get_param: docker_volume_size}
docker_volume_type: {get_param: docker_volume_type}
docker_storage_driver: {get_param: docker_storage_driver}
wait_condition_timeout: {get_param: wait_condition_timeout}
network_driver: {get_param: network_driver}
flannel_network_cidr: {get_param: flannel_network_cidr}
flannel_network_subnetlen: {get_param: flannel_network_subnetlen}
flannel_backend: {get_param: flannel_backend}
system_pods_initial_delay: {get_param: system_pods_initial_delay}
system_pods_timeout: {get_param: system_pods_timeout}
portal_network_cidr: {get_param: portal_network_cidr}
admission_control_list: {get_param: admission_control_list}
discovery_url: {get_param: discovery_url}
cluster_uuid: {get_param: cluster_uuid}
magnum_url: {get_param: magnum_url}
volume_driver: {get_param: volume_driver}
fixed_network: {get_attr: [network, fixed_network]}
fixed_subnet: {get_attr: [network, fixed_subnet]}
api_pool_id: {get_attr: [api_lb, pool_id]}
etcd_pool_id: {get_attr: [etcd_lb, pool_id]}
username: {get_param: username}
password: {get_param: password}
kubernetes_port: {get_param: kubernetes_port}
tls_disabled: {get_param: tls_disabled}
kube_dashboard_enabled: {get_param: kube_dashboard_enabled}
influx_grafana_dashboard_enabled: {get_param: influx_grafana_dashboard_enabled}
verify_ca: {get_param: verify_ca}
secgroup_kube_master_id: {get_resource: secgroup_kube_master}
http_proxy: {get_param: http_proxy}
https_proxy: {get_param: https_proxy}
no_proxy: {get_param: no_proxy}
kube_tag: {get_param: kube_tag}
kube_version: {get_param: kube_version}
etcd_tag: {get_param: etcd_tag}
coredns_tag: {get_param: coredns_tag}
kube_dashboard_version: {get_param: kube_dashboard_version}
trustee_user_id: {get_param: trustee_user_id}
trustee_password: {get_param: trustee_password}
trust_id: {get_param: trust_id}
auth_url: {get_param: auth_url}
hyperkube_image: {get_param: hyperkube_image}
insecure_registry_url: {get_param: insecure_registry_url}
container_runtime: {get_param: container_runtime}
container_infra_prefix: {get_param: container_infra_prefix}
etcd_lb_vip: {get_attr: [etcd_lb, address]}
dns_service_ip: {get_param: dns_service_ip}
dns_cluster_domain: {get_param: dns_cluster_domain}
openstack_ca: {get_param: openstack_ca_coreos}
nodes_server_group_id: {get_resource: master_nodes_server_group}
availability_zone: {get_param: availability_zone}
ca_key: {get_param: ca_key}
cert_manager_api: {get_param: cert_manager_api}
calico_tag: {get_param: calico_tag}
calico_kube_controllers_tag: {get_param: calico_kube_controllers_tag}
calico_ipv4pool: {get_param: calico_ipv4pool}
pods_network_cidr: {get_param: pods_network_cidr}
ingress_controller: {get_param: ingress_controller}
ingress_controller_role: {get_param: ingress_controller_role}
kubelet_options: {get_param: kubelet_options}
kubeapi_options: {get_param: kubeapi_options}
kubeproxy_options: {get_param: kubeproxy_options}
kubecontroller_options: {get_param: kubecontroller_options}
kubescheduler_options: {get_param: kubescheduler_options}
######################################################################
#
# kubernetes minions. This is an resource group that will initially
# create <number_of_minions> minions, and needs to be manually scaled.
#
kube_minions:
type: OS::Heat::ResourceGroup
depends_on:
- network
properties:
count: {get_param: number_of_minions}
removal_policies: [{resource_list: {get_param: minions_to_remove}}]
resource_def:
type: kubeminion.yaml
properties:
name:
list_join:
- '-'
- [{ get_param: 'OS::stack_name' }, 'minion', '%index%']
prometheus_monitoring: {get_param: prometheus_monitoring}
ssh_key_name: {get_param: ssh_key_name}
server_image: {get_param: minion_image}
minion_flavor: {get_param: minion_flavor}
fixed_network: {get_attr: [network, fixed_network]}
fixed_subnet: {get_attr: [network, fixed_subnet]}
network_driver: {get_param: network_driver}
flannel_network_cidr: {get_param: flannel_network_cidr}
kube_master_ip: {get_attr: [api_address_lb_switch, private_ip]}
etcd_server_ip: {get_attr: [etcd_address_lb_switch, private_ip]}
external_network: {get_param: external_network}
kube_allow_priv: {get_param: kube_allow_priv}
docker_volume_size: {get_param: docker_volume_size}
docker_volume_type: {get_param: docker_volume_type}
docker_storage_driver: {get_param: docker_storage_driver}
wait_condition_timeout: {get_param: wait_condition_timeout}
registry_enabled: {get_param: registry_enabled}
registry_port: {get_param: registry_port}
swift_region: {get_param: swift_region}
registry_container: {get_param: registry_container}
registry_insecure: {get_param: registry_insecure}
registry_chunksize: {get_param: registry_chunksize}
cluster_uuid: {get_param: cluster_uuid}
magnum_url: {get_param: magnum_url}
volume_driver: {get_param: volume_driver}
region_name: {get_param: region_name}
auth_url: {get_param: auth_url}
hyperkube_image: {get_param: hyperkube_image}
username: {get_param: username}
password: {get_param: password}
kubernetes_port: {get_param: kubernetes_port}
tls_disabled: {get_param: tls_disabled}
verify_ca: {get_param: verify_ca}
secgroup_kube_minion_id: {get_resource: secgroup_kube_minion}
http_proxy: {get_param: http_proxy}
https_proxy: {get_param: https_proxy}
no_proxy: {get_param: no_proxy}
kube_tag: {get_param: kube_tag}
kube_version: {get_param: kube_version}
flannel_tag: {get_param: flannel_tag}
trustee_user_id: {get_param: trustee_user_id}
trustee_username: {get_param: trustee_username}
trustee_password: {get_param: trustee_password}
trustee_domain_id: {get_param: trustee_domain_id}
trust_id: {get_param: trust_id}
insecure_registry_url: {get_param: insecure_registry_url}
container_runtime: {get_param: container_runtime}
container_infra_prefix: {get_param: container_infra_prefix}
dns_service_ip: {get_param: dns_service_ip}
dns_cluster_domain: {get_param: dns_cluster_domain}
openstack_ca: {get_param: openstack_ca_coreos}
nodes_server_group_id: {get_resource: worker_nodes_server_group}
availability_zone: {get_param: availability_zone}
pods_network_cidr: {get_param: pods_network_cidr}
kubelet_options: {get_param: kubelet_options}
kubeproxy_options: {get_param: kubeproxy_options}
outputs:
api_address:
value:
str_replace:
template: api_ip_address
params:
api_ip_address: {get_attr: [api_address_floating_switch, ip_address]}
description: >
This is the API endpoint of the Kubernetes cluster. Use this to access
the Kubernetes API.
registry_address:
value:
str_replace:
template: localhost:port
params:
port: {get_param: registry_port}
description:
This is the url of docker registry server where you can store docker
images.
kube_masters_private:
value: {get_attr: [kube_masters, kube_master_ip]}
description: >
This is a list of the "private" IP addresses of all the Kubernetes masters.
kube_masters:
value: {get_attr: [kube_masters, kube_master_external_ip]}
description: >
This is a list of the "public" IP addresses of all the Kubernetes masters.
Use these IP addresses to log in to the Kubernetes masters via ssh.
kube_minions_private:
value: {get_attr: [kube_minions, kube_minion_ip]}
description: >
This is a list of the "private" IP addresses of all the Kubernetes minions.
kube_minions:
value: {get_attr: [kube_minions, kube_minion_external_ip]}
description: >
This is a list of the "public" IP addresses of all the Kubernetes minions.
Use these IP addresses to log in to the Kubernetes minions via ssh.

756
magnum/drivers/k8s_coreos_v1/templates/kubemaster.yaml
View File

@ -1,756 +0,0 @@
heat_template_version: 2014-10-16
description: >
This is a nested stack that defines a single Kubernetes master, This stack is
included by an ResourceGroup resource in the parent template
(kubecluster.yaml).
parameters:
name:
type: string
description: server name
server_image:
type: string
description: glance image used to boot the server
master_flavor:
type: string
description: flavor to use when booting the server
ssh_key_name:
type: string
description: name of ssh key to be provisioned on our server
external_network:
type: string
description: uuid/name of a network to use for floating ip addresses
portal_network_cidr:
type: string
description: >
address range used by kubernetes for service portals
kube_allow_priv:
type: string
description: >
whether or not kubernetes should permit privileged containers.
constraints:
- allowed_values: ["true", "false"]
etcd_volume_size:
type: number
description: >
size of a cinder volume to allocate for etcd storage
docker_volume_size:
type: number
description: >
size of a cinder volume to allocate to docker for container/image
storage
docker_volume_type:
type: string
description: >
type of a cinder volume to allocate to docker for container/image
storage
docker_storage_driver:
type: string
description: docker storage driver name
default: "devicemapper"
volume_driver:
type: string
description: volume driver to use for container storage
flannel_network_cidr:
type: string
description: network range for flannel overlay network
flannel_network_subnetlen:
type: number
description: size of subnet assigned to each master
flannel_backend:
type: string
description: >
specify the backend for flannel, default udp backend
constraints:
- allowed_values: ["udp", "vxlan", "host-gw"]
system_pods_initial_delay:
type: number
description: >
health check, time to wait for system pods (podmaster, scheduler) to boot
(in seconds)
default: 30
system_pods_timeout:
type: number
description: >
health check, timeout for system pods (podmaster, scheduler) to answer.
(in seconds)
default: 5
admission_control_list:
type: string
description: >
List of admission control plugins to activate
discovery_url:
type: string
description: >
Discovery URL used for bootstrapping the etcd cluster.
tls_disabled:
type: boolean
description: whether or not to enable TLS
kube_dashboard_enabled:
type: boolean
description: whether or not to disable kubernetes dashboard
influx_grafana_dashboard_enabled:
type: boolean
description: Enable influxdb with grafana dashboard for data from heapster
verify_ca:
type: boolean
description: whether or not to validate certificate authority
kubernetes_port:
type: number
description: >
The port which are used by kube-apiserver to provide Kubernetes
service.
cluster_uuid:
type: string
description: identifier for the cluster this template is generating
magnum_url:
type: string
description: endpoint to retrieve TLS certs from
prometheus_monitoring:
type: boolean
description: >
whether or not to have prometheus and grafana deployed
grafana_admin_passwd:
type: string
hidden: true
description: >
admin user password for the Grafana monitoring interface
api_public_address:
type: string
description: Public IP address of the Kubernetes master server.
default: ""
api_private_address:
type: string
description: Private IP address of the Kubernetes master server.
default: ""
fixed_network:
type: string
description: Network from which to allocate fixed addresses.
fixed_subnet:
type: string
description: Subnet from which to allocate fixed addresses.
network_driver:
type: string
description: network driver to use for instantiating container networks
wait_condition_timeout:
type: number
description : >
timeout for the Wait Conditions
secgroup_kube_master_id:
type: string
description: ID of the security group for kubernetes master.
api_pool_id:
type: string
description: ID of the load balancer pool of k8s API server.
etcd_pool_id:
type: string
description: ID of the load balancer pool of etcd server.
auth_url:
type: string
description: >
url for kubernetes to authenticate
username:
type: string
description: >
user account
password:
type: string
description: >
user password
http_proxy:
type: string
description: http proxy address for docker
https_proxy:
type: string
description: https proxy address for docker
no_proxy:
type: string
description: no proxies for docker
kube_tag:
type: string
description: tag of the k8s containers used to provision the kubernetes cluster
etcd_tag:
type: string
description: tag of the etcd system container
coredns_tag:
type: string
description: tag for coredns
kube_version:
type: string
description: version of kubernetes used for kubernetes cluster
kube_dashboard_version:
type: string
description: version of kubernetes dashboard used for kubernetes cluster
trustee_user_id:
type: string
description: user id of the trustee
trustee_password:
type: string
description: password of the trustee
hidden: true
trust_id:
type: string
description: id of the trust which is used by the trustee
hidden: true
insecure_registry_url:
type: string
description: insecure registry url
container_infra_prefix:
type: string
description: >
prefix of container images used in the cluster, kubernetes components,
kubernetes-dashboard, coredns etc
etcd_lb_vip:
type: string
description: >
etcd lb vip private used to generate certs on master.
default: ""
dns_service_ip:
type: string
description: >
address used by Kubernetes DNS service
dns_cluster_domain:
type: string
description: >
domain name for cluster DNS
openstack_ca:
type: string
description: The OpenStack CA certificate to install on the node.
nodes_server_group_id:
type: string
description: ID of the server group for kubernetes cluster nodes.
availability_zone:
type: string
description: >
availability zone for master and nodes
default: ""
ca_key:
type: string
description: key of internal ca for the kube certificate api manager
hidden: true
cert_manager_api:
type: boolean
description: true if the kubernetes cert api manager should be enabled
default: false
calico_tag:
type: string
description: tag of the calico containers used to provision the calico node
calico_kube_controllers_tag:
type: string
description: tag of the kube_controllers used to provision the calico node
calico_ipv4pool:
type: string
description: Configure the IP pool from which Pod IPs will be chosen
pods_network_cidr:
type: string
description: Configure the IP pool/range from which pod IPs will be chosen
ingress_controller:
type: string
description: >
ingress controller backend to use
ingress_controller_role:
type: string
description: >
node role where the ingress controller should run
kubelet_options:
type: string
description: >
additional options to be passed to the kubelet
kubeapi_options:
type: string
description: >
additional options to be passed to the api
kubecontroller_options:
type: string
description: >
additional options to be passed to the controller manager
kubeproxy_options:
type: string
description: >
additional options to be passed to the kube proxy
kubescheduler_options:
type: string
description: >
additional options to be passed to the scheduler
octavia_enabled:
type: boolean
description: >
whether or not to use Octavia for LoadBalancer type service.
default: False
container_runtime:
type: string
description: >
Container runtime to use with Kubernetes.
hyperkube_image:
type: string
description: >
Docker registry used for hyperkube image
resources:
master_wait_handle:
type: OS::Heat::WaitConditionHandle
master_wait_condition:
type: OS::Heat::WaitCondition
depends_on: kube-master
properties:
handle: {get_resource: master_wait_handle}
timeout: {get_param: wait_condition_timeout}
######################################################################
#
# resource that exposes the IPs of either the kube master or the API
# LBaaS pool depending on whether LBaaS is enabled for the cluster.
#
api_address_switch:
type: Magnum::ApiGatewaySwitcher
properties:
pool_public_ip: {get_param: api_public_address}
pool_private_ip: {get_param: api_private_address}
master_public_ip: {get_attr: [kube_master_floating, floating_ip_address]}
master_private_ip: {get_attr: [kube_master_eth0, fixed_ips, 0, ip_address]}
######################################################################
#
# software configs. these are components that are combined into
# a multipart MIME user-data archive.
#
write_heat_params:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config:
str_replace:
template: {get_file: fragments/write-heat-params-master.yaml}
params:
"$KUBE_API_PUBLIC_ADDRESS": {get_attr: [api_address_switch, public_ip]}
"$KUBE_API_PRIVATE_ADDRESS": {get_attr: [api_address_switch, private_ip]}
"$KUBE_NODE_PUBLIC_IP": {get_attr: [kube_master_floating, floating_ip_address]}
"$KUBE_NODE_IP": {get_attr: [kube_master_eth0, fixed_ips, 0, ip_address]}
"$KUBE_ALLOW_PRIV": {get_param: kube_allow_priv}
"$ETCD_VOLUME": {get_resource: etcd_volume}
"$ETCD_VOLUME_SIZE": {get_param: etcd_volume_size}
"$DOCKER_VOLUME": {get_resource: docker_volume}
"$DOCKER_VOLUME_SIZE": {get_param: docker_volume_size}
"$FLANNEL_NETWORK_CIDR": {get_param: flannel_network_cidr}
"$FLANNEL_NETWORK_SUBNETLEN": {get_param: flannel_network_subnetlen}
"$FLANNEL_BACKEND": {get_param: flannel_backend}
"$SYSTEM_PODS_INITIAL_DELAY": {get_param: system_pods_initial_delay}
"$SYSTEM_PODS_TIMEOUT": {get_param: system_pods_timeout}
"$PORTAL_NETWORK_CIDR": {get_param: portal_network_cidr}
"$ADMISSION_CONTROL_LIST": {get_param: admission_control_list}
"$CLUSTER_SUBNET": {get_param: fixed_subnet}
"$ETCD_DISCOVERY_URL": {get_param: discovery_url}
"$WAIT_CURL": {get_attr: [master_wait_handle, curl_cli]}
"$NETWORK_DRIVER": {get_param: network_driver}
"$KUBE_API_PORT": {get_param: kubernetes_port}
"$TLS_DISABLED": {get_param: tls_disabled}
"$VERIFY_CA": {get_param: verify_ca}
"$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled}
"$INFLUX_GRAFANA_DASHBOARD_ENABLED": {get_param: influx_grafana_dashboard_enabled}
"$KUBE_VERSION": {get_param: kube_version}
"$KUBE_DASHBOARD_VERSION": {get_param: kube_dashboard_version}
"$CLUSTER_UUID": {get_param: cluster_uuid}
"$MAGNUM_URL": {get_param: magnum_url}
"$HTTP_PROXY": {get_param: http_proxy}
"$HTTPS_PROXY": {get_param: https_proxy}
"$NO_PROXY": {get_param: no_proxy}
"$TRUSTEE_USER_ID": {get_param: trustee_user_id}
"$TRUSTEE_PASSWORD": {get_param: trustee_password}
"$TRUST_ID": {get_param: trust_id}
"$AUTH_URL": {get_param: auth_url}
"$KUBE_CERTS_PATH": "/etc/kubernetes/ssl"
"$HOST_CERTS_PATH": "/usr/share/ca-certificates"
"$HYPERKUBE_IMAGE_REPO":
str_replace:
template: insecure_registry_urlhyperkube_image
params:
insecure_registry_url: { get_param: insecure_registry_url }
hyperkube_image: { get_param: hyperkube_image }
"$INSECURE_REGISTRY_URL": {get_param: insecure_registry_url}
"$CONTAINER_RUNTIME": {get_param: container_runtime}
"$ETCD_LB_VIP": {get_param: etcd_lb_vip}
"$DNS_SERVICE_IP": {get_param: dns_service_ip}
"$DNS_CLUSTER_DOMAIN": {get_param: dns_cluster_domain}
"$OCTAVIA_ENABLED": {get_param: octavia_enabled}
write_kubeconfig:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config: {get_file: fragments/write-master-kubeconfig.yaml}
enable_docker_mount:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config: {get_file: fragments/enable-docker-mount.yaml}
add_ext_ca_certs:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config:
str_replace:
params:
$OPENSTACK_CA: {get_param: openstack_ca}
template: {get_file: fragments/add-ext-ca-certs.yaml}
configure_etcd:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config: {get_file: fragments/configure-etcd.yaml}
make_cert:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config: {get_file: fragments/make-cert.yaml}
write_network_config:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config: {get_file: fragments/write-network-config.yaml}
enable_network_service:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config: {get_file: fragments/enable-network-service.yaml}
enable_kubelet:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config: {get_file: fragments/enable-kubelet-master.yaml}
enable_kube_apiserver:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config: {get_file: fragments/enable-kube-apiserver.yaml}
create_kube_namespace:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config: {get_file: fragments/create-kube-namespace.yaml}
enable_kube_proxy:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config: {get_file: fragments/enable-kube-proxy-master.yaml}
enable_kube_controller_manager:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config: {get_file: fragments/enable-kube-controller-manager.yaml}
enable_kube_scheduler:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config: {get_file: fragments/enable-kube-scheduler.yaml}
enable_kube_dashboard:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config: {get_file: fragments/enable-kube-dashboard.yaml}
wc_notify:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config: {get_file: fragments/wc-notify.yaml}
add_proxy:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config: {get_file: fragments/add-proxy.yaml}
configure_docker:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config: {get_file: fragments/configure-docker.yaml}
enable_coredns:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config: {get_file: fragments/enable-coredns.yaml}
kube_master_init:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config:
str_replace:
template: |
$add_ext_ca_certs
$write_heat_params
$write_kubeconfig
$enable_docker_mount
$make_cert
$configure_docker
$add_proxy
$configure_etcd
$write_network_config
$enable_network_service
$enable_kubelet
$enable_kube_apiserver
$create_kube_namespace
$enable_kube_proxy
$enable_kube_controller_manager
$enable_kube_scheduler
$enable_kube_dashboard
$enable_coredns
$wc_notify
coreos:
units:
- name: "add-ext-ca-certs.service"
command: "start"
- name: "make-cert.service"
command: "start"
- name: "enable-docker-mount.service"
command: "start"
- name: "configure-docker.service"
command: "start"
- name: "add-proxy.service"
command: "start"
- name: "configure-etcd.service"
command: "start"
- name: "write-network-config.service"
command: "start"
- name: "enable-network-service.service"
command: "start"
- name: "enable-kubelet.service"
command: "start"
- name: "enable-kube-apiserver.service"
command: "start"
- name: "create-kube-namespace.service"
command: "start"
- name: "enable-kube-proxy.service"
command: "start"
- name: "enable-kube-controller-manager.service"
command: "start"
- name: "enable-kube-scheduler.service"
command: "start"
- name: "enable-kube-dashboard.service"
command: "start"
- name: "enable-coredns.service"
command: "start"
- name: "wc-notify.service"
command: "start"
params:
"$add_ext_ca_certs": {get_attr: [add_ext_ca_certs, config]}
"$write_heat_params": {get_attr: [write_heat_params, config]}
"$write_kubeconfig": {get_attr: [write_kubeconfig, config]}
"$enable_docker_mount": {get_attr: [enable_docker_mount, config]}
"$make_cert": {get_attr: [make_cert, config]}
"$configure_docker": {get_attr: [configure_docker, config]}
"$add_proxy": {get_attr: [add_proxy, config]}
"$configure_etcd": {get_attr: [configure_etcd, config]}
"$write_network_config": {get_attr: [write_network_config, config]}
"$enable_network_service": {get_attr: [enable_network_service, config]}
"$enable_kubelet": {get_attr: [enable_kubelet, config]}
"$enable_kube_apiserver": {get_attr: [enable_kube_apiserver, config]}
"$create_kube_namespace": {get_attr: [create_kube_namespace, config]}
"$enable_kube_proxy": {get_attr: [enable_kube_proxy, config]}
"$enable_kube_controller_manager": {get_attr: [enable_kube_controller_manager, config]}
"$enable_kube_scheduler": {get_attr: [enable_kube_scheduler, config]}
"$enable_kube_dashboard": {get_attr: [enable_kube_dashboard, config]}
"$enable_coredns": {get_attr: [enable_coredns, config]}
"$wc_notify": {get_attr: [wc_notify, config]}
######################################################################
#
# a single kubernetes master.
#
# do NOT use "_" (underscore) in the Nova server name
# it creates a mismatch between the generated Nova name and its hostname
# which can lead to weird problems
kube-master:
type: OS::Nova::Server
properties:
name: {get_param: name}
image: {get_param: server_image}
flavor: {get_param: master_flavor}
key_name: {get_param: ssh_key_name}
user_data_format: RAW
user_data: {get_resource: kube_master_init}
networks:
- port: {get_resource: kube_master_eth0}
scheduler_hints: { group: { get_param: nodes_server_group_id }}
kube_master_eth0:
type: OS::Neutron::Port
properties:
network: {get_param: fixed_network}
security_groups:
- {get_param: secgroup_kube_master_id}
fixed_ips:
- subnet: {get_param: fixed_subnet}
allowed_address_pairs:
- ip_address: {get_param: flannel_network_cidr}
replacement_policy: AUTO
kube_master_floating:
type: Magnum::Optional::KubeMaster::Neutron::FloatingIP
properties:
floating_network: {get_param: external_network}
port_id: {get_resource: kube_master_eth0}
api_pool_member:
type: Magnum::Optional::Neutron::LBaaS::PoolMember
properties:
pool: {get_param: api_pool_id}
address: {get_attr: [kube_master_eth0, fixed_ips, 0, ip_address]}
subnet: { get_param: fixed_subnet }
protocol_port: {get_param: kubernetes_port}
etcd_pool_member:
type: Magnum::Optional::Neutron::LBaaS::PoolMember
properties:
pool: {get_param: etcd_pool_id}
address: {get_attr: [kube_master_eth0, fixed_ips, 0, ip_address]}
subnet: { get_param: fixed_subnet }
protocol_port: 2379
######################################################################
#
# etcd storage. This allocates a cinder volume and attaches it
# to the master.
#
etcd_volume:
type: Magnum::Optional::Etcd::Volume
properties:
size: {get_param: etcd_volume_size}
etcd_volume_attach:
type: Magnum::Optional::Etcd::VolumeAttachment
properties:
instance_uuid: {get_resource: kube-master}
volume_id: {get_resource: etcd_volume}
mountpoint: /dev/vdc
######################################################################
#
# docker storage. This allocates a cinder volume and attaches it
# to the minion.
#
docker_volume:
type: Magnum::Optional::Cinder::Volume
properties:
size: {get_param: docker_volume_size}
volume_type: {get_param: docker_volume_type}
docker_volume_attach:
type: Magnum::Optional::Cinder::VolumeAttachment
properties:
instance_uuid: {get_resource: kube-master}
volume_id: {get_resource: docker_volume}
mountpoint: /dev/vdb
outputs:
kube_master_ip:
value: {get_attr: [kube_master_eth0, fixed_ips, 0, ip_address]}
description: >
This is the "private" IP address of the Kubernetes master node.
kube_master_external_ip:
value: {get_attr: [kube_master_floating, floating_ip_address]}
description: >
This is the "public" IP address of the Kubernetes master node.

541
magnum/drivers/k8s_coreos_v1/templates/kubeminion.yaml
View File

@ -1,541 +0,0 @@
heat_template_version: 2014-10-16
description: >
This is a nested stack that defines a single Kubernetes minion, This stack is
included by an AutoScalingGroup resource in the parent template
(kubecluster.yaml).
parameters:
name:
type: string
description: server name
server_image:
type: string
description: glance image used to boot the server
minion_flavor:
type: string
description: flavor to use when booting the server
ssh_key_name:
type: string
description: name of ssh key to be provisioned on our server
external_network:
type: string
description: uuid/name of a network to use for floating ip addresses
kube_allow_priv:
type: string
description: >
whether or not kubernetes should permit privileged containers.
constraints:
- allowed_values: ["true", "false"]
docker_volume_size:
type: number
description: >
size of a cinder volume to allocate to docker for container/image
storage
docker_volume_type:
type: string
description: >
type of a cinder volume to allocate to docker for container/image
storage
docker_storage_driver:
type: string
description: docker storage driver name
default: "devicemapper"
tls_disabled:
type: boolean
description: whether or not to enable TLS
verify_ca:
type: boolean
description: whether or not to validate certificate authority
kubernetes_port:
type: number
description: >
The port which are used by kube-apiserver to provide Kubernetes
service.
cluster_uuid:
type: string
description: identifier for the cluster this template is generating
magnum_url:
type: string
description: endpoint to retrieve TLS certs from
prometheus_monitoring:
type: boolean
description: >
whether or not to have the node-exporter running on the node
kube_master_ip:
type: string
description: IP address of the Kubernetes master server.
etcd_server_ip:
type: string
description: IP address of the Etcd server.
fixed_network:
type: string
description: Network from which to allocate fixed addresses.
fixed_subnet:
type: string
description: Subnet from which to allocate fixed addresses.
network_driver:
type: string
description: network driver to use for instantiating container networks
flannel_network_cidr:
type: string
description: network range for flannel overlay network
wait_condition_timeout:
type: number
description : >
timeout for the Wait Conditions
registry_enabled:
type: boolean
description: >
Indicates whether the docker registry is enabled.
registry_port:
type: number
description: port of registry service
swift_region:
type: string
description: region of swift service
registry_container:
type: string
description: >
name of swift container which docker registry stores images in
registry_insecure:
type: boolean
description: >
indicates whether to skip TLS verification between registry and backend storage
registry_chunksize:
type: number
description: >
size fo the data segments for the swift dynamic large objects
secgroup_kube_minion_id:
type: string
description: ID of the security group for kubernetes minion.
volume_driver:
type: string
description: volume driver to use for container storage
region_name:
type: string
description: A logically separate section of the cluster
username:
type: string
description: >
user account
password:
type: string
description: >
user password, not set in current implementation, only used to
fill in for Kubernetes config file
hidden: true
http_proxy:
type: string
description: http proxy address for docker
https_proxy:
type: string
description: https proxy address for docker
no_proxy:
type: string
description: no proxies for docker
kube_tag:
type: string
description: tag of the k8s containers used to provision the kubernetes cluster
flannel_tag:
type: string
description: tag of the flannel system containers
kube_version:
type: string
description: version of kubernetes used for kubernetes cluster
trustee_domain_id:
type: string
description: domain id of the trustee
trustee_user_id:
type: string
description: user id of the trustee
trustee_username:
type: string
description: username of the trustee
trustee_password:
type: string
description: password of the trustee
hidden: true
trust_id:
type: string
description: id of the trust which is used by the trustee
hidden: true
auth_url:
type: string
description: >
url for keystone, must be v2 since k8s backend only support v2
at this point
insecure_registry_url:
type: string
description: insecure registry url
container_infra_prefix:
type: string
description: >
prefix of container images used in the cluster, kubernetes components,
kubernetes-dashboard, coredns etc
dns_service_ip:
type: string
description: >
address used by Kubernetes DNS service
dns_cluster_domain:
type: string
description: >
domain name for cluster DNS
openstack_ca:
type: string
description: The OpenStack CA certificate to install on the node.
nodes_server_group_id:
type: string
description: ID of the server group for kubernetes cluster nodes.
availability_zone:
type: string
description: >
availability zone for master and nodes
default: ""
pods_network_cidr:
type: string
description: Configure the IP pool/range from which pod IPs will be chosen
kubelet_options:
type: string
description: >
additional options to be passed to the kubelet
kubeproxy_options:
type: string
description: >
additional options to be passed to the kube proxy
octavia_enabled:
type: boolean
description: >
whether or not to use Octavia for LoadBalancer type service.
default: False
container_runtime:
type: string
description: >
Container runtime to use with Kubernetes.
hyperkube_image:
type: string
description: >
Docker registry used for hyperkube image
resources:
minion_wait_handle:
type: OS::Heat::WaitConditionHandle
minion_wait_condition:
type: OS::Heat::WaitCondition
depends_on: kube-minion
properties:
handle: {get_resource: minion_wait_handle}
timeout: {get_param: wait_condition_timeout}
######################################################################
#
# software configs. these are components that are combined into
# a multipart MIME user-data archive.
#
write_heat_params:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config:
str_replace:
template: {get_file: fragments/write-heat-params.yaml}
params:
"$KUBE_ALLOW_PRIV": {get_param: kube_allow_priv}
"$DOCKER_VOLUME": {get_resource: docker_volume}
"$DOCKER_VOLUME_SIZE": {get_param: docker_volume_size}
"$KUBE_MASTER_IP": {get_param: kube_master_ip}
"$KUBE_NODE_PUBLIC_IP": {get_attr: [kube_minion_floating, floating_ip_address]}
"$KUBE_NODE_IP": {get_attr: [kube_minion_eth0, fixed_ips, 0, ip_address]}
"$WAIT_CURL": {get_attr: [minion_wait_handle, curl_cli]}
"$KUBE_API_PORT": {get_param: kubernetes_port}
"$TLS_DISABLED": {get_param: tls_disabled}
"$VERIFY_CA": {get_param: verify_ca}
"$NETWORK_DRIVER": {get_param: network_driver}
"$ETCD_SERVER_IP": {get_param: etcd_server_ip}
"$KUBE_VERSION": {get_param: kube_version}
"$CLUSTER_UUID": {get_param: cluster_uuid}
"$MAGNUM_URL": {get_param: magnum_url}
"$HTTP_PROXY": {get_param: http_proxy}
"$HTTPS_PROXY": {get_param: https_proxy}
"$NO_PROXY": {get_param: no_proxy}
"$TRUSTEE_USER_ID": {get_param: trustee_user_id}
"$TRUSTEE_PASSWORD": {get_param: trustee_password}
"$TRUST_ID": {get_param: trust_id}
"$AUTH_URL": {get_param: auth_url}
"$KUBE_CERTS_PATH": "/etc/kubernetes/ssl"
"$HOST_CERTS_PATH": "/usr/share/ca-certificates"
"$HYPERKUBE_IMAGE_REPO":
str_replace:
template: insecure_registry_urlhyperkube_image
params:
insecure_registry_url: { get_param: insecure_registry_url }
hyperkube_image: { get_param: hyperkube_image }
"$INSECURE_REGISTRY_URL": {get_param: insecure_registry_url}
"$CONTAINER_RUNTIME": {get_param: container_runtime}
"$DNS_SERVICE_IP": {get_param: dns_service_ip}
"$DNS_CLUSTER_DOMAIN": {get_param: dns_cluster_domain}
"$OCTAVIA_ENABLED": {get_param: octavia_enabled}
add_ext_ca_certs:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config:
str_replace:
params:
$OPENSTACK_CA: {get_param: openstack_ca}
template: {get_file: fragments/add-ext-ca-certs.yaml}
enable_docker_mount:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config: {get_file: fragments/enable-docker-mount.yaml}
write_kubeconfig:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config:
str_replace:
template: {get_file: fragments/write-kubeconfig.yaml}
params:
"$KUBE_API_PORT": {get_param: kubernetes_port}
"$KUBE_MASTER_IP": {get_param: kube_master_ip}
make_cert:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config: {get_file: fragments/make-cert-client.yaml}
enable_network_service:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config: {get_file: fragments/enable-network-service-client.yaml}
enable_kubelet:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config: {get_file: fragments/enable-kubelet-minion.yaml}
enable_kube_proxy:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config: {get_file: fragments/enable-kube-proxy-minion.yaml}
wc_notify:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config: {get_file: fragments/wc-notify.yaml}
add_proxy:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config: {get_file: fragments/add-proxy.yaml}
configure_docker:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config: {get_file: fragments/configure-docker.yaml}
kube_minion_init:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config:
str_replace:
template: |
$add_ext_ca_certs
$write_heat_params
$enable_docker_mount
$write_kubeconfig
$make_cert
$configure_docker
$add_proxy
$enable_network_service
$enable_kubelet
$enable_kube_proxy
$wc_notify
coreos:
units:
- name: "add-ext-ca-certs.service"
command: "start"
- name: "make-cert.service"
command: "start"
- name: "enable-docker-mount.service"
command: "start"
- name: "configure-docker.service"
command: "start"
- name: "add-proxy.service"
command: "start"
- name: "enable-network-service.service"
command: "start"
- name: "enable-kubelet.service"
command: "start"
- name: "enable-kube-proxy.service"
command: "start"
- name: "wc-notify.service"
command: "start"
params:
"$add_ext_ca_certs": {get_attr: [add_ext_ca_certs, config]}
"$write_heat_params": {get_attr: [write_heat_params, config]}
"$write_kubeconfig": {get_attr: [write_kubeconfig, config]}
"$enable_docker_mount": {get_attr: [enable_docker_mount, config]}
"$make_cert": {get_attr: [make_cert, config]}
"$configure_docker": {get_attr: [configure_docker, config]}
"$add_proxy": {get_attr: [add_proxy, config]}
"$enable_network_service": {get_attr: [enable_network_service, config]}
"$enable_kubelet": {get_attr: [enable_kubelet, config]}
"$enable_kube_proxy": {get_attr: [enable_kube_proxy, config]}
"$wc_notify": {get_attr: [wc_notify, config]}
# do NOT use "_" (underscore) in the Nova server name
# it creates a mismatch between the generated Nova name and its hostname
# which can lead to weird problems
kube-minion:
type: OS::Nova::Server
properties:
name: {get_param: name}
image: {get_param: server_image}
flavor: {get_param: minion_flavor}
key_name: {get_param: ssh_key_name}
user_data_format: RAW
user_data: {get_resource: kube_minion_init}
networks:
- port: {get_resource: kube_minion_eth0}
scheduler_hints: { group: { get_param: nodes_server_group_id }}
kube_minion_eth0:
type: OS::Neutron::Port
properties:
network: {get_param: fixed_network}
security_groups:
- {get_param: secgroup_kube_minion_id}
fixed_ips:
- subnet: {get_param: fixed_subnet}
allowed_address_pairs:
- ip_address: {get_param: flannel_network_cidr}
replacement_policy: AUTO
kube_minion_floating:
type: Magnum::Optional::KubeMinion::Neutron::FloatingIP
properties:
floating_network: {get_param: external_network}
port_id: {get_resource: kube_minion_eth0}
######################################################################
#
# docker storage. This allocates a cinder volume and attaches it
# to the minion.
#
docker_volume:
type: Magnum::Optional::Cinder::Volume
properties:
size: {get_param: docker_volume_size}
volume_type: {get_param: docker_volume_type}
docker_volume_attach:
type: Magnum::Optional::Cinder::VolumeAttachment
properties:
instance_uuid: {get_resource: kube-minion}
volume_id: {get_resource: docker_volume}
mountpoint: /dev/vdb
outputs:
kube_minion_ip:
value: {get_attr: [kube_minion_eth0, fixed_ips, 0, ip_address]}
description: >
This is the "public" IP address of the Kubernetes minion node.
kube_minion_external_ip:
value: {get_attr: [kube_minion_floating, floating_ip_address]}
description: >
This is the "public" IP address of the Kubernetes minion node.
######################################################################
#
# NOTE(flwang): Returning the minion node server ID here so that
# consumer can send API request to Heat to remove a particular
# node with removal_policies. Otherwise, the consumer (e.g. AutoScaler)
# has to use index to do the remove which is confusing out of the
# OpenStack world.
# https://storyboard.openstack.org/#!/story/2005054
#
######################################################################
OS::stack_id:
value: { get_resource: kube-minion }
description: >
This is the Nova server id of the node.

17
magnum/drivers/k8s_coreos_v1/version.py
View File

@ -1,17 +0,0 @@
# Copyright 2016 - Rackspace Hosting
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
version = '1.0.0'
driver = 'k8s_coreos_v1'
container_version = '1.11.2'

4
magnum/tests/contrib/gate_hook.sh
View File

@ -41,9 +41,7 @@ if [[ -e /etc/ci/mirror_info.sh ]]; then
source /etc/ci/mirror_info.sh
fi
if [ "$coe" = "k8s-coreos" ]; then
export DEVSTACK_LOCAL_CONFIG+=$'\n'"MAGNUM_GUEST_IMAGE_URL=http://beta.release.core-os.net/amd64-usr/current/coreos_production_openstack_image.img.bz2"
elif [ "${coe}${special}" = "k8s-ironic" ]; then
if [ "${coe}${special}" = "k8s-ironic" ]; then
export DEVSTACK_LOCAL_CONFIG+=$'\n'"MAGNUM_GUEST_IMAGE_URL='https://fedorapeople.org/groups/magnum/fedora-kubernetes-ironic-latest.tar.gz'"
export DEVSTACK_LOCAL_CONFIG+=$'\n'"MAGNUM_IMAGE_NAME='fedora-kubernetes-ironic-latest'"

5
magnum/tests/contrib/post_test_hook.sh
View File

@ -29,10 +29,7 @@ function create_test_data {
coe=$1
special=$2
if [ $coe == 'k8s-coreos' ]; then
local image_name="coreos"
local container_format="bare"
elif [ "${coe}${special}" == 'k8s-ironic' ]; then
if [ "${coe}${special}" == 'k8s-ironic' ]; then
local bm_flavor_id=$(openstack flavor show baremetal -f value -c id)
die_if_not_set $LINENO bm_flavor_id "Failed to get id of baremetal flavor"
# NOTE(TheJulia): This issue was fixed in Feb 2018 as part of change

0
magnum/tests/functional/k8s_coreos/__init__.py
View File

0
magnum/drivers/k8s_coreos_v1/__init__.py → magnum/tests/functional/k8s_fcos/__init__.py
View File

0
magnum/tests/functional/k8s_coreos/test_k8s_python_client.py → magnum/tests/functional/k8s_fcos/test_k8s_python_client.py
View File

46
magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
View File

@ -16,8 +16,8 @@ from unittest import mock
from unittest.mock import patch
import magnum.conf
from magnum.drivers.k8s_coreos_v1 import driver as k8s_coreos_dr
from magnum.drivers.k8s_fedora_atomic_v1 import driver as k8s_dr
from magnum.drivers.k8s_fedora_coreos_v1 import driver as k8s_fcos_dr
from magnum import objects
from magnum.tests import base
@ -698,16 +698,21 @@ class TestClusterConductorWithK8s(base.TestCase):
@patch('magnum.objects.ClusterTemplate.get_by_uuid')
@patch('magnum.objects.NodeGroup.list')
@patch('magnum.drivers.common.driver.Driver.get_driver')
def test_extract_template_definition_coreos_with_disovery(
@patch('magnum.common.x509.operations.generate_csr_and_key')
def test_extract_template_definition_fcos_with_discovery(
self,
mock_generate_csr_and_key,
mock_driver,
mock_objects_nodegroup_list,
mock_objects_cluster_template_get_by_uuid,
mock_get,
mock_get_subnet):
self.cluster_template_dict['cluster_distro'] = 'coreos'
self.cluster_template_dict['cluster_distro'] = 'fedora-coreos'
cluster_template = objects.ClusterTemplate(
self.context, **self.cluster_template_dict)
mock_generate_csr_and_key.return_value = {'csr': 'csr',
'private_key': 'private_key',
'public_key': 'public_key'}
mock_objects_cluster_template_get_by_uuid.return_value = \
cluster_template
expected_result = str('{"action":"get","node":{"key":"test","value":'
@ -720,7 +725,7 @@ class TestClusterConductorWithK8s(base.TestCase):
worker_ng = objects.NodeGroup(self.context, **self.worker_ng_dict)
master_ng = objects.NodeGroup(self.context, **self.master_ng_dict)
mock_objects_nodegroup_list.return_value = [master_ng, worker_ng]
mock_driver.return_value = k8s_coreos_dr.Driver()
mock_driver.return_value = k8s_fcos_dr.Driver()
mock_get_subnet.return_value = self.fixed_subnet_cidr
(template_path,
@ -729,6 +734,16 @@ class TestClusterConductorWithK8s(base.TestCase):
cluster)
expected = {
'boot_volume_size': '60',
'boot_volume_type': 'lvmdriver-1',
'etcd_volume_type': '',
'max_node_count': 2,
'post_install_manifest_url': '',
'project_id': 'project_id',
'keystone_auth_default_policy': self.keystone_auth_default_policy,
'kube_service_account_key': 'public_key',
'kube_service_account_private_key': 'private_key',
'cloud_provider_enabled': 'false',
'ssh_key_name': 'keypair_id',
'external_network': 'e2a6c8b0-a3c2-42a3-b3f4-01400a30896e',
'fixed_network': 'fixed_network',
@ -780,7 +795,6 @@ class TestClusterConductorWithK8s(base.TestCase):
'verify_ca': True,
'openstack_ca': '',
'ssh_public_key': 'ssh-rsa AAAAB3Nz',
'openstack_ca_coreos': '',
'cert_manager_api': 'False',
'ingress_controller': 'i-controller',
'ingress_controller_role': 'i-controller-role',
@ -818,27 +832,32 @@ class TestClusterConductorWithK8s(base.TestCase):
@patch('magnum.objects.ClusterTemplate.get_by_uuid')
@patch('magnum.objects.NodeGroup.list')
@patch('magnum.drivers.common.driver.Driver.get_driver')
def test_extract_template_definition_coreos_no_discoveryurl(
@patch('magnum.common.x509.operations.generate_csr_and_key')
def test_extract_template_definition_fcos_no_discoveryurl(
self,
mock_generate_csr_and_key,
mock_driver,
mock_objects_nodegroup_list,
mock_objects_cluster_template_get_by_uuid,
reqget,
mock_get_subnet):
self.cluster_template_dict['cluster_distro'] = 'coreos'
self.cluster_template_dict['cluster_distro'] = 'fedora-coreos'
self.cluster_dict['discovery_url'] = None
mock_req = mock.MagicMock(text='http://tokentest/h1/h2/h3',
status_code=200)
reqget.return_value = mock_req
cluster_template = objects.ClusterTemplate(
self.context, **self.cluster_template_dict)
mock_generate_csr_and_key.return_value = {'csr': 'csr',
'private_key': 'private_key',
'public_key': 'public_key'}
mock_objects_cluster_template_get_by_uuid.return_value = \
cluster_template
cluster = objects.Cluster(self.context, **self.cluster_dict)
worker_ng = objects.NodeGroup(self.context, **self.worker_ng_dict)
master_ng = objects.NodeGroup(self.context, **self.master_ng_dict)
mock_objects_nodegroup_list.return_value = [master_ng, worker_ng]
mock_driver.return_value = k8s_coreos_dr.Driver()
mock_driver.return_value = k8s_fcos_dr.Driver()
mock_get_subnet.return_value = self.fixed_subnet_cidr
(template_path,
@ -847,6 +866,16 @@ class TestClusterConductorWithK8s(base.TestCase):
cluster)
expected = {
'boot_volume_size': '60',
'boot_volume_type': 'lvmdriver-1',
'etcd_volume_type': '',
'max_node_count': 2,
'post_install_manifest_url': '',
'project_id': 'project_id',
'keystone_auth_default_policy': self.keystone_auth_default_policy,
'kube_service_account_key': 'public_key',
'kube_service_account_private_key': 'private_key',
'cloud_provider_enabled': 'false',
'ssh_key_name': 'keypair_id',
'availability_zone': 'az_1',
'external_network': 'e2a6c8b0-a3c2-42a3-b3f4-01400a30896e',
@ -898,7 +927,6 @@ class TestClusterConductorWithK8s(base.TestCase):
'verify_ca': True,
'openstack_ca': '',
'ssh_public_key': 'ssh-rsa AAAAB3Nz',
'openstack_ca_coreos': '',
'cert_manager_api': 'False',
'ingress_controller': 'i-controller',
'ingress_controller_role': 'i-controller-role',

14
magnum/tests/unit/drivers/test_template_definition.py
View File

@ -20,10 +20,10 @@ from magnum.common import exception
import magnum.conf
from magnum.drivers.common import driver
from magnum.drivers.heat import template_def as cmn_tdef
from magnum.drivers.k8s_coreos_v1 import driver as k8s_coreos_dr
from magnum.drivers.k8s_coreos_v1 import template_def as k8s_coreos_tdef
from magnum.drivers.k8s_fedora_atomic_v1 import driver as k8sa_dr
from magnum.drivers.k8s_fedora_atomic_v1 import template_def as k8sa_tdef
from magnum.drivers.k8s_fedora_coreos_v1 import driver as k8s_fcos_dr
from magnum.drivers.k8s_fedora_coreos_v1 import template_def as k8s_fcos_tdef
from magnum.drivers.k8s_fedora_ironic_v1 import driver as k8s_i_dr
from magnum.drivers.k8s_fedora_ironic_v1 import template_def as k8si_tdef
from magnum.tests import base
@ -72,13 +72,15 @@ class TemplateDefinitionTestCase(base.TestCase):
k8si_tdef.FedoraK8sIronicTemplateDefinition)
@mock.patch('magnum.drivers.common.driver.Driver.get_driver')
def test_get_vm_coreos_kubernetes_definition(self, mock_driver):
mock_driver.return_value = k8s_coreos_dr.Driver()
cluster_driver = driver.Driver.get_driver('vm', 'coreos', 'kubernetes')
def test_get_vm_fcos_kubernetes_definition(self, mock_driver):
mock_driver.return_value = k8s_fcos_dr.Driver()
cluster_driver = driver.Driver.get_driver('vm',
'fedora-coreos',
'kubernetes')
definition = cluster_driver.get_template_definition()
self.assertIsInstance(definition,
k8s_coreos_tdef.CoreOSK8sTemplateDefinition)
k8s_fcos_tdef.FCOSK8sTemplateDefinition)
def test_get_driver_not_supported(self):
self.assertRaises(exception.ClusterTypeNotSupported,

4
releasenotes/notes/drop-k8s-coreos-9604dd23b0e884b6.yaml Normal file
View File

@ -0,0 +1,4 @@
---
upgrade:
- |
``k8s_coreos_v1`` driver has been dropped.

1
setup.cfg
View File

@ -53,7 +53,6 @@ oslo.policy.policies =
magnum.drivers =
k8s_fedora_atomic_v1 = magnum.drivers.k8s_fedora_atomic_v1.driver:Driver
k8s_fedora_coreos_v1 = magnum.drivers.k8s_fedora_coreos_v1.driver:Driver
k8s_coreos_v1 = magnum.drivers.k8s_coreos_v1.driver:Driver
k8s_fedora_ironic_v1 = magnum.drivers.k8s_fedora_ironic_v1.driver:Driver
magnum.database.migration_backend =

4
tools/cover.sh
View File

@ -12,7 +12,7 @@
# License for the specific language governing permissions and limitations
# under the License.
ALLOWED_EXTRA_MISSING_PERCENT=1
ALLOWED_EXTRA_MISSING_PERCENT=5
show_diff () {
result=`diff -U 0 $1 $2 | sed 1,2d`
@ -50,7 +50,7 @@ coverage erase
find . -type f -name "*.pyc" -delete
stestr run --no-subunit-trace $*
coverage combine
coverage report --fail-under=90 > $current_report
coverage report --fail-under=89 > $current_report
cat $current_report
coverage html -d cover
coverage xml -o cover/coverage.xml

2
tox.ini
View File

@ -51,7 +51,7 @@ commands =
[testenv:functional-k8s-coreos]
sitepackages = True
setenv = {[testenv]setenv}
OS_TEST_PATH=./magnum/tests/functional/k8s_coreos
OS_TEST_PATH=./magnum/tests/functional/k8s_fcos
OS_TEST_TIMEOUT=7200
deps =
{[testenv]deps}