From bd85bad919d30ae606578a99caade559501b35cc Mon Sep 17 00:00:00 2001 
From: intlabs Date: Sun, 22 Oct 2017 09:55:18 -0500 Subject: [PATCH] Zuul V3 gate This PS sets up the V3 gate for openstack-helm-infra. Change-Id: I07ffa591cb5e08f5e2f1f5cbc94e810c3aa1f97b --- .gitignore | 73 ++++++ .zuul.yaml | 67 ++++++ Makefile | 53 +++++ calico/Chart.yaml | 25 +++ .../clusterrole-calico-cni-plugin.yaml | 29 +++ .../clusterrole-calico-policy-controller.yaml | 33 +++ .../clusterrolebinding-calico-cni-plugin.yaml | 30 +++ ...rrolebinding-calico-policy-controller.yaml | 30 +++ calico/templates/configmap-calico-config.yaml | 52 +++++ calico/templates/daemonset-calico-etcd.yaml | 66 ++++++ calico/templates/daemonset-calico-node.yaml | 165 ++++++++++++++ .../deployment-calico-policy-controller.yaml | 72 ++++++ calico/templates/service-calico-etcd.yaml | 35 +++ .../serviceaccount-calico-cni-plugin.yaml | 22 ++ ...rviceaccount-calico-policy-controller.yaml | 22 ++ calico/values.yaml | 31 +++ flannel/Chart.yaml | 25 +++ flannel/templates/clusterrole-flannel.yaml | 42 ++++ .../templates/clusterrolebinding-flannel.yaml | 30 +++ .../templates/configmap-kube-flannel-cfg.yaml | 41 ++++ .../templates/daemonset-kube-flannel-ds.yaml | 78 +++++++ flannel/templates/serviceaccount-flannel.yaml | 22 ++ flannel/values.yaml | 22 ++ kube-dns/Chart.yaml | 25 +++ kube-dns/templates/configmap-kube-dns.yaml | 24 ++ kube-dns/templates/deployment-kube-dns.yaml | 189 ++++++++++++++++ kube-dns/templates/service-kube-dns.yaml | 41 ++++ .../templates/serviceaccount-kube-dns.yaml | 25 +++ kube-dns/values.yaml | 25 +++ tiller/Chart.yaml | 24 ++ .../templates/clusterrolebinding-tiller.yaml | 30 +++ tiller/templates/deployment-tiller.yaml | 85 +++++++ tiller/templates/service-tiller-deploy.yaml | 36 +++ tiller/templates/serviceaccount-tiller.yaml | 22 ++ tools/gate/devel/local-inventory.yaml | 20 ++ tools/gate/devel/local-vars.yaml | 19 ++ tools/gate/devel/multinode-inventory.yaml | 32 +++ tools/gate/devel/multinode-vars.yaml | 19 ++ tools/gate/devel/start.sh | 74 +++++++ 
.../build-images/tasks/kubeadm-aio.yaml | 23 ++ .../playbooks/build-images/tasks/main.yaml | 15 ++ .../tasks/deploy-ansible-docker-support.yaml | 68 ++++++ .../playbooks/deploy-docker/tasks/main.yaml | 52 +++++ .../templates/centos-docker.service.j2 | 31 +++ .../templates/fedora-docker.service.j2 | 29 +++ .../tasks/clean-node.yaml | 69 ++++++ .../tasks/deploy-kubelet.yaml | 18 ++ .../deploy-kubeadm-aio-common/tasks/main.yaml | 35 +++ .../tasks/util-kubeadm-aio-run.yaml | 69 ++++++ .../deploy-kubeadm-aio-master/tasks/main.yaml | 31 +++ .../deploy-kubeadm-aio-node/tasks/main.yaml | 44 ++++ .../tasks/util-generate-join-command.yaml | 56 +++++ .../tasks/util-run-join-command.yaml | 59 +++++ .../playbooks/deploy-package/tasks/dist.yaml | 46 ++++ .../playbooks/deploy-package/tasks/pip.yaml | 23 ++ .../deploy-python-pip/tasks/main.yaml | 44 ++++ .../playbooks/deploy-python/tasks/main.yaml | 16 ++ .../playbooks/pull-images/tasks/main.yaml | 18 ++ .../playbooks/setup-firewall/tasks/main.yaml | 29 +++ tools/gate/playbooks/vars.yaml | 26 +++ tools/gate/playbooks/zuul-pre.yaml | 55 +++++ tools/gate/playbooks/zuul-run.yaml | 33 +++ tools/images/kubeadm-aio/Dockerfile | 68 ++++++ tools/images/kubeadm-aio/assets/entrypoint.sh | 119 ++++++++++ .../assets/opt/charts/.placeholder | 0 .../assets/opt/playbooks/inventory.ini | 2 + .../opt/playbooks/kubeadm-aio-clean.yaml | 19 ++ .../playbooks/kubeadm-aio-deploy-kubelet.yaml | 19 ++ .../playbooks/kubeadm-aio-deploy-master.yaml | 18 ++ .../playbooks/kubeadm-aio-deploy-node.yaml | 18 ++ .../roles/clean-host/tasks/main.yaml | 56 +++++ .../deploy-kubeadm-master/tasks/helm-cni.yaml | 92 ++++++++ .../tasks/helm-deploy.yaml | 84 +++++++ .../deploy-kubeadm-master/tasks/helm-dns.yaml | 70 ++++++ .../deploy-kubeadm-master/tasks/main.yaml | 209 ++++++++++++++++++ .../tasks/wait-for-kube-system-namespace.yaml | 21 ++ .../templates/cluster-info.yaml.j2 | 18 ++ .../templates/kubeadm-conf.yaml.j2 | 46 ++++ .../roles/deploy-kubeadm-node/tasks/main.yaml 
| 40 ++++ .../roles/deploy-kubelet/tasks/hostname.yaml | 35 +++ .../roles/deploy-kubelet/tasks/kubelet.yaml | 162 ++++++++++++++ .../roles/deploy-kubelet/tasks/main.yaml | 19 ++ .../roles/deploy-kubelet/tasks/setup-dns.yaml | 49 ++++ .../tasks/support-packages.yaml | 71 ++++++ .../deploy-kubelet/templates/0-crio.conf.j2 | 2 + .../templates/10-kubeadm.conf.j2 | 11 + .../templates/kubelet-resolv.conf.j2 | 3 + .../templates/kubelet.service.j2 | 13 ++ .../deploy-kubelet/templates/resolv.conf.j2 | 6 + .../roles/deploy-package/tasks/dist.yaml | 38 ++++ .../roles/deploy-package/tasks/pip.yaml | 7 + .../assets/opt/playbooks/vars.yaml | 48 ++++ .../assets/usr/bin/test-kube-api.py | 21 ++ .../assets/usr/bin/test-kube-pods-ready | 33 +++ tools/pull-images.sh | 37 ++++ 95 files changed, 4098 insertions(+) create mode 100644 .gitignore create mode 100644 .zuul.yaml create mode 100644 Makefile create mode 100644 calico/Chart.yaml create mode 100644 calico/templates/clusterrole-calico-cni-plugin.yaml create mode 100644 calico/templates/clusterrole-calico-policy-controller.yaml create mode 100644 calico/templates/clusterrolebinding-calico-cni-plugin.yaml create mode 100644 calico/templates/clusterrolebinding-calico-policy-controller.yaml create mode 100644 calico/templates/configmap-calico-config.yaml create mode 100644 calico/templates/daemonset-calico-etcd.yaml create mode 100644 calico/templates/daemonset-calico-node.yaml create mode 100644 calico/templates/deployment-calico-policy-controller.yaml create mode 100644 calico/templates/service-calico-etcd.yaml create mode 100644 calico/templates/serviceaccount-calico-cni-plugin.yaml create mode 100644 calico/templates/serviceaccount-calico-policy-controller.yaml create mode 100644 calico/values.yaml create mode 100644 flannel/Chart.yaml create mode 100644 flannel/templates/clusterrole-flannel.yaml create mode 100644 flannel/templates/clusterrolebinding-flannel.yaml create mode 100644 
flannel/templates/configmap-kube-flannel-cfg.yaml create mode 100644 flannel/templates/daemonset-kube-flannel-ds.yaml create mode 100644 flannel/templates/serviceaccount-flannel.yaml create mode 100644 flannel/values.yaml create mode 100644 kube-dns/Chart.yaml create mode 100644 kube-dns/templates/configmap-kube-dns.yaml create mode 100644 kube-dns/templates/deployment-kube-dns.yaml create mode 100644 kube-dns/templates/service-kube-dns.yaml create mode 100644 kube-dns/templates/serviceaccount-kube-dns.yaml create mode 100644 kube-dns/values.yaml create mode 100644 tiller/Chart.yaml create mode 100644 tiller/templates/clusterrolebinding-tiller.yaml create mode 100644 tiller/templates/deployment-tiller.yaml create mode 100644 tiller/templates/service-tiller-deploy.yaml create mode 100644 tiller/templates/serviceaccount-tiller.yaml create mode 100644 tools/gate/devel/local-inventory.yaml create mode 100644 tools/gate/devel/local-vars.yaml create mode 100644 tools/gate/devel/multinode-inventory.yaml create mode 100644 tools/gate/devel/multinode-vars.yaml create mode 100755 tools/gate/devel/start.sh create mode 100644 tools/gate/playbooks/build-images/tasks/kubeadm-aio.yaml create mode 100644 tools/gate/playbooks/build-images/tasks/main.yaml create mode 100644 tools/gate/playbooks/deploy-docker/tasks/deploy-ansible-docker-support.yaml create mode 100644 tools/gate/playbooks/deploy-docker/tasks/main.yaml create mode 100644 tools/gate/playbooks/deploy-docker/templates/centos-docker.service.j2 create mode 100644 tools/gate/playbooks/deploy-docker/templates/fedora-docker.service.j2 create mode 100644 tools/gate/playbooks/deploy-kubeadm-aio-common/tasks/clean-node.yaml create mode 100644 tools/gate/playbooks/deploy-kubeadm-aio-common/tasks/deploy-kubelet.yaml create mode 100644 tools/gate/playbooks/deploy-kubeadm-aio-common/tasks/main.yaml create mode 100644 tools/gate/playbooks/deploy-kubeadm-aio-common/tasks/util-kubeadm-aio-run.yaml create mode 100644 
tools/gate/playbooks/deploy-kubeadm-aio-master/tasks/main.yaml create mode 100644 tools/gate/playbooks/deploy-kubeadm-aio-node/tasks/main.yaml create mode 100644 tools/gate/playbooks/deploy-kubeadm-aio-node/tasks/util-generate-join-command.yaml create mode 100644 tools/gate/playbooks/deploy-kubeadm-aio-node/tasks/util-run-join-command.yaml create mode 100644 tools/gate/playbooks/deploy-package/tasks/dist.yaml create mode 100644 tools/gate/playbooks/deploy-package/tasks/pip.yaml create mode 100644 tools/gate/playbooks/deploy-python-pip/tasks/main.yaml create mode 100644 tools/gate/playbooks/deploy-python/tasks/main.yaml create mode 100644 tools/gate/playbooks/pull-images/tasks/main.yaml create mode 100644 tools/gate/playbooks/setup-firewall/tasks/main.yaml create mode 100644 tools/gate/playbooks/vars.yaml create mode 100644 tools/gate/playbooks/zuul-pre.yaml create mode 100644 tools/gate/playbooks/zuul-run.yaml create mode 100644 tools/images/kubeadm-aio/Dockerfile create mode 100755 tools/images/kubeadm-aio/assets/entrypoint.sh create mode 100644 tools/images/kubeadm-aio/assets/opt/charts/.placeholder create mode 100644 tools/images/kubeadm-aio/assets/opt/playbooks/inventory.ini create mode 100644 tools/images/kubeadm-aio/assets/opt/playbooks/kubeadm-aio-clean.yaml create mode 100644 tools/images/kubeadm-aio/assets/opt/playbooks/kubeadm-aio-deploy-kubelet.yaml create mode 100644 tools/images/kubeadm-aio/assets/opt/playbooks/kubeadm-aio-deploy-master.yaml create mode 100644 tools/images/kubeadm-aio/assets/opt/playbooks/kubeadm-aio-deploy-node.yaml create mode 100644 tools/images/kubeadm-aio/assets/opt/playbooks/roles/clean-host/tasks/main.yaml create mode 100644 tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/tasks/helm-cni.yaml create mode 100644 tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/tasks/helm-deploy.yaml create mode 100644 
tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/tasks/helm-dns.yaml create mode 100644 tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/tasks/main.yaml create mode 100644 tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/tasks/wait-for-kube-system-namespace.yaml create mode 100644 tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/templates/cluster-info.yaml.j2 create mode 100644 tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/templates/kubeadm-conf.yaml.j2 create mode 100644 tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-node/tasks/main.yaml create mode 100644 tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/tasks/hostname.yaml create mode 100644 tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/tasks/kubelet.yaml create mode 100644 tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/tasks/main.yaml create mode 100644 tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/tasks/setup-dns.yaml create mode 100644 tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/tasks/support-packages.yaml create mode 100644 tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/templates/0-crio.conf.j2 create mode 100644 tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/templates/10-kubeadm.conf.j2 create mode 100644 tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/templates/kubelet-resolv.conf.j2 create mode 100644 tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/templates/kubelet.service.j2 create mode 100644 tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/templates/resolv.conf.j2 create mode 100644 tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-package/tasks/dist.yaml create mode 100644 
tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-package/tasks/pip.yaml create mode 100644 tools/images/kubeadm-aio/assets/opt/playbooks/vars.yaml create mode 100755 tools/images/kubeadm-aio/assets/usr/bin/test-kube-api.py create mode 100755 tools/images/kubeadm-aio/assets/usr/bin/test-kube-pods-ready create mode 100755 tools/pull-images.sh
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 000000000..77095eb5a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,73 @@
+*.py[cod]
+
+# C extensions
+*.so
+
+# Packages
+*.egg*
+*.egg-info
+dist
+build
+eggs
+parts
+var
+sdist
+develop-eggs
+.installed.cfg
+lib
+lib64
+
+# Installer logs
+pip-log.txt
+
+# Unit test / coverage reports
+cover/
+.coverage*
+!.coveragerc
+.tox
+nosetests.xml
+.testrepository
+.venv
+
+# Translations
+*.mo
+
+# Mr Developer
+.mr.developer.cfg
+.project
+.pydevproject
+
+# Complexity
+output/*.html
+output/*/index.html
+
+# Sphinx
+doc/build
+
+# pbr generates these
+AUTHORS
+ChangeLog
+
+# Editors
+*~
+.*.swp
+.*sw?
+
+# Files created by releasenotes build
+releasenotes/build
+
+# Dev tools
+.idea/
+**/.vagrant
+**/*.log
+
+# Helm internals
+*.lock
+*/*.lock
+*.tgz
+**/*.tgz
+**/_partials.tpl
+**/_globals.tpl
+
+# Gate and Check Logs
+logs/
diff --git a/.zuul.yaml b/.zuul.yaml
new file mode 100644
index 000000000..cab7eb2f7
--- /dev/null
+++ b/.zuul.yaml
@@ -0,0 +1,67 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- project:
+ name: openstack/openstack-helm-infra
+ check:
+ jobs:
+ - openstack-helm-infra-ubuntu
+ - openstack-helm-infra-centos
+
+- nodeset:
+ name: openstack-helm-ubuntu
+ nodes:
+ - name: primary
+ label: ubuntu-xenial
+ - name: node-1
+ label: ubuntu-xenial
+ - name: node-2
+ label: ubuntu-xenial
+ groups:
+ - name: primary
+ nodes:
+ - primary
+ - name: nodes
+ nodes:
+ - node-1
+ - node-2
+
+- nodeset:
+ name: openstack-helm-centos
+ nodes:
+ - name: primary
+ label: centos-7
+ - name: node-1
+ label: centos-7
+ - name: node-2
+ label: centos-7
+ groups:
+ - name: primary
+ nodes:
+ - primary
+ - name: nodes
+ nodes:
+ - node-1
+ - node-2
+- job:
+ name: openstack-helm-infra-ubuntu
+ pre-run: tools/gate/playbooks/zuul-pre
+ run: tools/gate/playbooks/zuul-run
+ nodeset: openstack-helm-ubuntu
+
+- job:
+ name: openstack-helm-infra-centos
+ pre-run: tools/gate/playbooks/zuul-pre
+ run: tools/gate/playbooks/zuul-run
+ nodeset: openstack-helm-centos
diff --git a/Makefile b/Makefile
new file mode 100644
index 000000000..599b1a354
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,53 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# It's necessary to set this because some environments don't link sh -> bash.
+SHELL := /bin/bash
+
+HELM := helm
+TASK := build
+
+EXCLUDES := helm-toolkit doc tests tools logs
+CHARTS := helm-toolkit $(filter-out $(EXCLUDES), $(patsubst %/.,%,$(wildcard */.)))
+
+all: $(CHARTS)
+
+$(CHARTS):
+ @echo
+ @echo "===== Processing [$@] chart ====="
+ @make $(TASK)-$@
+
+init-%:
+ if [ -f $*/Makefile ]; then make -C $*; fi
+ if [ -f $*/requirements.yaml ]; then helm dep up $*; fi
+
+lint-%: init-%
+ if [ -d $* ]; then $(HELM) lint $*; fi
+
+build-%: lint-%
+ if [ -d $* ]; then $(HELM) package $*; fi
+
+clean:
+ @echo "Removed .b64, _partials.tpl, and _globals.tpl files"
+ rm -f helm-toolkit/secrets/*.b64
+ rm -f */templates/_partials.tpl
+ rm -f */templates/_globals.tpl
+ rm -f *tgz */charts/*tgz
+ rm -f */requirements.lock
+ -rmdir -p */charts
+
+pull-all-images:
+ @./tools/pull-images.sh
+
+.PHONY: $(EXCLUDES) $(CHARTS)
diff --git a/calico/Chart.yaml b/calico/Chart.yaml
new file mode 100644
index 000000000..3901e11a3
--- /dev/null
+++ b/calico/Chart.yaml
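Review bot: The `$(CHARTS)` and `init-%` recipes invoke `make` and `helm` by literal name, so a caller's `HELM=` override and make's jobserver and command-line flags never reach those steps, while `lint-%` and `build-%` do use `$(HELM)`. Write them as `@$(MAKE) $(TASK)-$@`, `$(MAKE) -C $*` and `$(HELM) dep up $*` so the file honours its own variables consistently. The shell tests also expand `$*` unquoted (`[ -f $*/Makefile ]`); quoting it as `"$*"` keeps the recipes safe for any directory name the `wildcard */.` scan picks up. In `clean`, the message "Removed ..." is echoed before any `rm` has run, so it prints even when a later removal fails.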
@@ -0,0 +1,25 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+description: OpenStack-Helm BootStrap Calico
+name: calico
+version: 0.1.0
+home: https://github.com/projectcalico/calico
+icon: https://camo.githubusercontent.com/64c8b5ed6ac97553ae367348e8a59a24e2ed5bdc/687474703a2f2f646f63732e70726f6a65637463616c69636f2e6f72672f696d616765732f66656c69782e706e67
+sources:
+ - https://github.com/projectcalico/calico
+ - https://git.openstack.org/cgit/openstack/openstack-helm
+maintainers:
+ - name: OpenStack-Helm Authors
diff --git a/calico/templates/clusterrole-calico-cni-plugin.yaml b/calico/templates/clusterrole-calico-cni-plugin.yaml
new file mode 100644
index 000000000..5d08e5eb4
--- /dev/null
+++ b/calico/templates/clusterrole-calico-cni-plugin.yaml
@@ -0,0 +1,29 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- $envAll := . }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: calico-cni-plugin
+rules:
+ - apiGroups: [""]
+ resources:
+ - pods
+ - nodes
+ verbs:
+ - get
diff --git a/calico/templates/clusterrole-calico-policy-controller.yaml b/calico/templates/clusterrole-calico-policy-controller.yaml
new file mode 100644
index 000000000..f43f2fdd2
--- /dev/null
+++ b/calico/templates/clusterrole-calico-policy-controller.yaml
@@ -0,0 +1,33 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- $envAll := . }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: calico-policy-controller
+rules:
+ - apiGroups:
+ - ""
+ - extensions
+ resources:
+ - pods
+ - namespaces
+ - networkpolicies
+ verbs:
+ - watch
+ - list
diff --git a/calico/templates/clusterrolebinding-calico-cni-plugin.yaml b/calico/templates/clusterrolebinding-calico-cni-plugin.yaml
new file mode 100644
index 000000000..a22971bd6
--- /dev/null
+++ b/calico/templates/clusterrolebinding-calico-cni-plugin.yaml
@@ -0,0 +1,30 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- $envAll := . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: calico-cni-plugin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: calico-cni-plugin
+subjects:
+- kind: ServiceAccount
+ name: calico-cni-plugin
+ namespace: {{ .Release.Namespace }}
diff --git a/calico/templates/clusterrolebinding-calico-policy-controller.yaml b/calico/templates/clusterrolebinding-calico-policy-controller.yaml
new file mode 100644
index 000000000..eac2437d8
--- /dev/null
+++ b/calico/templates/clusterrolebinding-calico-policy-controller.yaml
@@ -0,0 +1,30 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- $envAll := . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: calico-policy-controller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: calico-policy-controller
+subjects:
+- kind: ServiceAccount
+ name: calico-policy-controller
+ namespace: {{ .Release.Namespace }}
diff --git a/calico/templates/configmap-calico-config.yaml b/calico/templates/configmap-calico-config.yaml
new file mode 100644
index 000000000..e20d9c619
--- /dev/null
+++ b/calico/templates/configmap-calico-config.yaml
@@ -0,0 +1,52 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- $envAll := . }}
+---
+# This ConfigMap is used to configure a self-hosted Calico installation.
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: calico-config
+data:
+ # The location of your etcd cluster. This uses the Service clusterIP
+ # defined below.
+ etcd_endpoints: "http://10.96.232.136:6666"
+
+ # Configure the Calico backend to use.
+ calico_backend: "bird"
+
+ # The CNI network configuration to install on each node.
+ cni_network_config: |-
+ {
+ "name": "k8s-pod-network",
+ "cniVersion": "0.1.0",
+ "type": "calico",
+ "etcd_endpoints": "__ETCD_ENDPOINTS__",
+ "log_level": "info",
+ "mtu": 1500,
+ "ipam": {
+ "type": "calico-ipam"
+ },
+ "policy": {
+ "type": "k8s",
+ "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
+ "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
+ },
+ "kubernetes": {
+ "kubeconfig": "/etc/cni/net.d/__KUBECONFIG_FILENAME__"
+ }
+ }
diff --git a/calico/templates/daemonset-calico-etcd.yaml b/calico/templates/daemonset-calico-etcd.yaml
new file mode 100644
index 000000000..e9a8d81d1
--- /dev/null
+++ b/calico/templates/daemonset-calico-etcd.yaml
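Review bot: `etcd_endpoints` is hard-coded to `http://10.96.232.136:6666`, so every Calico component that reads this ConfigMap talks to the policy datastore over plaintext HTTP with no client authentication, and the value only works if the etcd Service (in another file of this patch, not visible here) pins exactly that clusterIP inside the cluster's service CIDR. I would template the endpoint from chart values, the way the node DaemonSet already takes `CALICO_IPV4POOL_CIDR` from `.Values.networking.podSubnet`, and leave room for an `https://` endpoint with CA, certificate and key settings. The comment "defined below" is also stale in this layout, since the Service now lives in its own template. Separately, `"mtu": 1500` in `cni_network_config` sits next to an IP-in-IP setup whose tunnel MTU is `1440` in the node DaemonSet; please confirm the pod-side MTU is intended.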
@@ -0,0 +1,66 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- $envAll := . }}
+---
+# This manifest installs the Calico etcd on the kubeadm master. This uses a DaemonSet
+# to force it to run on the master even when the master isn't schedulable, and uses
+# nodeSelector to ensure it only runs on the master.
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+ name: calico-etcd
+ labels:
+ k8s-app: calico-etcd
+spec:
+ template:
+ metadata:
+ labels:
+ k8s-app: calico-etcd
+ annotations:
+ # Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
+ # reserves resources for critical add-on pods so that they can be rescheduled after
+ # a failure. This annotation works in tandem with the toleration below.
+ scheduler.alpha.kubernetes.io/critical-pod: ''
+ spec:
+ # Only run this pod on the master.
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
+ # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
+ # This, along with the annotation above marks this pod as a critical add-on.
+ - key: CriticalAddonsOnly
+ operator: Exists
+ nodeSelector:
+ node-role.kubernetes.io/master: ""
+ hostNetwork: true
+ containers:
+ - name: calico-etcd
+ image: {{ .Values.images.tags.calico_etcd }}
+ env:
+ - name: CALICO_ETCD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ command: ["/bin/sh","-c"]
+ args: ["/usr/local/bin/etcd --name=calico --data-dir=/var/etcd/calico-data --advertise-client-urls=http://$CALICO_ETCD_IP:6666 --listen-client-urls=http://0.0.0.0:6666 --listen-peer-urls=http://0.0.0.0:6667"]
+ volumeMounts:
+ - name: var-etcd
+ mountPath: /var/etcd
+ volumes:
+ - name: var-etcd
+ hostPath:
+ path: /var/etcd
diff --git a/calico/templates/daemonset-calico-node.yaml b/calico/templates/daemonset-calico-node.yaml
new file mode 100644
index 000000000..094c8f33f
--- /dev/null
+++ b/calico/templates/daemonset-calico-node.yaml
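Review bot: The etcd `args` bind both the client and the peer listener to `0.0.0.0` (ports 6666 and 6667), and with `hostNetwork: true` that puts an unauthenticated, plaintext etcd on every interface of the master; whoever can reach the node on those ports can read and rewrite Calico policy and IPAM state. For a single-member store the peer listener need not be reachable at all, and the client listener can be narrowed to the address already injected as `CALICO_ETCD_IP`: `--listen-client-urls=http://$CALICO_ETCD_IP:6666 --listen-peer-urls=http://127.0.0.1:6667` (assuming nothing depends on reaching it via localhost). Beyond the gate this should use etcd's TLS options (`--cert-file`, `--key-file`, `--client-cert-auth`, `--trusted-ca-file`) with matching client settings in `calico-config`. It is also worth a comment that the `hostPath` at `/var/etcd` keeps datastore state across pod and release deletion, so a redeploy starts from old data unless the directory is cleaned.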
@@ -0,0 +1,165 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- $envAll := . }}
+---
+# This manifest installs the calico/node container, as well
+# as the Calico CNI plugins and network config on
+# each master and worker node in a Kubernetes cluster.
+kind: DaemonSet
+apiVersion: extensions/v1beta1
+metadata:
+ name: calico-node
+ namespace: kube-system
+ labels:
+ k8s-app: calico-node
+spec:
+ selector:
+ matchLabels:
+ k8s-app: calico-node
+ template:
+ metadata:
+ labels:
+ k8s-app: calico-node
+ annotations:
+ # Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
+ # reserves resources for critical add-on pods so that they can be rescheduled after
+ # a failure. This annotation works in tandem with the toleration below.
+ scheduler.alpha.kubernetes.io/critical-pod: ''
+ spec:
+ hostNetwork: true
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
+ # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
+ # This, along with the annotation above marks this pod as a critical add-on.
+ - key: CriticalAddonsOnly
+ operator: Exists
+ serviceAccountName: calico-cni-plugin
+ containers:
+ # Runs calico/node container on each Kubernetes node. This
+ # container programs network policy and routes on each
+ # host.
+ - name: calico-node
+ image: {{ .Values.images.tags.calico_node }}
+ env:
+ # The location of the Calico etcd cluster.
+ - name: ETCD_ENDPOINTS
+ valueFrom:
+ configMapKeyRef:
+ name: calico-config
+ key: etcd_endpoints
+ # Enable BGP. Disable to enforce policy only.
+ - name: CALICO_NETWORKING_BACKEND
+ valueFrom:
+ configMapKeyRef:
+ name: calico-config
+ key: calico_backend
+ # Cluster type to identify the deployment type
+ - name: CLUSTER_TYPE
+ value: "kubeadm,bgp"
+ # Disable file logging so `kubectl logs` works.
+ - name: CALICO_DISABLE_FILE_LOGGING
+ value: "true"
+ # Set Felix endpoint to host default action to ACCEPT.
+ - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
+ value: "ACCEPT"
+ # Configure the IP Pool from which Pod IPs will be chosen.
+ - name: CALICO_IPV4POOL_CIDR
+ value: "{{ .Values.networking.podSubnet }}"
+ - name: CALICO_IPV4POOL_IPIP
+ value: "always"
+ # Disable IPv6 on Kubernetes.
+ - name: FELIX_IPV6SUPPORT
+ value: "false"
+ # Set MTU for tunnel device used if ipip is enabled
+ - name: FELIX_IPINIPMTU
+ value: "1440"
+ # Set Felix logging to "info"
+ - name: FELIX_LOGSEVERITYSCREEN
+ value: "info"
+ - name: FELIX_HEALTHENABLED
+ value: "true"
+ # Set Felix experimental Prometheus metrics server
+ - name: FELIX_PROMETHEUSMETRICSENABLED
+ value: "true"
+ - name: FELIX_PROMETHEUSMETRICSPORT
+ value: "9091"
+ # Auto-detect the BGP IP address.
+ - name: IP
+ value: ""
+ securityContext:
+ privileged: true
+ resources:
+ requests:
+ cpu: 250m
+ livenessProbe:
+ httpGet:
+ path: /liveness
+ port: 9099
+ periodSeconds: 10
+ initialDelaySeconds: 10
+ failureThreshold: 6
+ readinessProbe:
+ httpGet:
+ path: /readiness
+ port: 9099
+ periodSeconds: 10
+ volumeMounts:
+ - mountPath: /lib/modules
+ name: lib-modules
+ readOnly: true
+ - mountPath: /var/run/calico
+ name: var-run-calico
+ readOnly: false
+ # This container installs the Calico CNI binaries
+ # and CNI network config file on each node.
+ - name: install-cni
+ image: {{ .Values.images.tags.calico_cni }}
+ command: ["/install-cni.sh"]
+ env:
+ # The location of the Calico etcd cluster.
+ - name: ETCD_ENDPOINTS
+ valueFrom:
+ configMapKeyRef:
+ name: calico-config
+ key: etcd_endpoints
+ # The CNI network config to install on each node.
+ - name: CNI_NETWORK_CONFIG
+ valueFrom:
+ configMapKeyRef:
+ name: calico-config
+ key: cni_network_config
+ volumeMounts:
+ - mountPath: /host/opt/cni/bin
+ name: cni-bin-dir
+ - mountPath: /host/etc/cni/net.d
+ name: cni-net-dir
+ volumes:
+ # Used by calico/node.
+ - name: lib-modules
+ hostPath:
+ path: /lib/modules
+ - name: var-run-calico
+ hostPath:
+ path: /var/run/calico
+ # Used to install CNI.
+ - name: cni-bin-dir
+ hostPath:
+ path: /opt/cni/bin
+ - name: cni-net-dir
+ hostPath:
+ path: /etc/cni/net.d
diff --git a/calico/templates/deployment-calico-policy-controller.yaml b/calico/templates/deployment-calico-policy-controller.yaml
new file mode 100644
index 000000000..d00bb82ed
--- /dev/null
+++ b/calico/templates/deployment-calico-policy-controller.yaml
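Review bot: `metadata.namespace` is hard-coded to `kube-system` in this DaemonSet, while the `calico-cni-plugin` ClusterRoleBinding in this patch binds the ServiceAccount in `{{ .Release.Namespace }}` and the etcd DaemonSet and policy-controller Deployment set no namespace at all. If the release is installed anywhere other than `kube-system`, these pods would reference a `serviceAccountName` that presumably lives in the release namespace (the ServiceAccount template is outside this view) and would be rejected or run without the intended RBAC; drop the line or use `namespace: {{ .Release.Namespace }}`. Separately, the `calico-node` container runs `privileged: true` on the host network with `FELIX_DEFAULTENDPOINTTOHOSTACTION` set to `ACCEPT` and a Prometheus endpoint on host port 9091. A short comment on why each is required, and a values switch for the metrics listener, would help whoever hardens this chart later.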
@@ -0,0 +1,72 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- $envAll := . }} +--- +# This manifest deploys the Calico policy controller on Kubernetes. +# See https://github.com/projectcalico/k8s-policy +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: calico-policy-controller + labels: + k8s-app: calico-policy +spec: + # The policy controller can only have a single active instance. + replicas: 1 + strategy: + type: Recreate + template: + metadata: + name: calico-policy-controller + labels: + k8s-app: calico-policy-controller + annotations: + # Mark this pod as a critical add-on; when enabled, the critical add-on scheduler + # reserves resources for critical add-on pods so that they can be rescheduled after + # a failure. This annotation works in tandem with the toleration below. + scheduler.alpha.kubernetes.io/critical-pod: '' + spec: + # The policy controller must run in the host network namespace so that + # it isn't governed by policy that would prevent it from working. + hostNetwork: true + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode. + # This, along with the annotation above marks this pod as a critical add-on. 
+ - key: CriticalAddonsOnly + operator: Exists + serviceAccountName: calico-policy-controller + containers: + - name: calico-policy-controller + image: {{ .Values.images.tags.calico_kube_policy_controller }} + env: + # The location of the Calico etcd cluster. + - name: ETCD_ENDPOINTS + valueFrom: + configMapKeyRef: + name: calico-config + key: etcd_endpoints + # The location of the Kubernetes API. Use the default Kubernetes + # service for API access. + - name: K8S_API + value: "https://kubernetes.default:443" + # Since we're running in the host namespace and might not have KubeDNS + # access, configure the container's /etc/hosts to resolve + # kubernetes.default to the correct service clusterIP. + - name: CONFIGURE_ETC_HOSTS + value: "true" diff --git a/calico/templates/service-calico-etcd.yaml b/calico/templates/service-calico-etcd.yaml new file mode 100644 index 000000000..2e2879c56 --- /dev/null +++ b/calico/templates/service-calico-etcd.yaml 
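Review bot: The `calico-policy-controller` container in deployment-calico-policy-controller.yaml is declared with neither `resources` nor a `securityContext`, although the pod runs with `hostNetwork: true` and is annotated as a critical add-on. A CPU/memory request keeps it schedulable under pressure, in the same way the calico-node container earlier in this patch sets `requests: cpu: 250m`. A container-level `securityContext` with `allowPrivilegeEscalation: false` narrows what a compromised controller can do on the host network, provided the target Kubernetes version supports that field. Separately, the Deployment is labelled `k8s-app: calico-policy` while its pod template uses `k8s-app: calico-policy-controller`, so a selector written against one will miss the other.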
@@ -0,0 +1,35 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- $envAll := . }}
+---
+# This manifest installs the Service which gets traffic to the Calico
+# etcd.
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ k8s-app: calico-etcd
+ name: calico-etcd
+spec:
+ # Select the calico-etcd pod running on the master.
+ selector:
+ k8s-app: calico-etcd
+ # This ClusterIP needs to be known in advance, since we cannot rely
+ # on DNS to get access to etcd.
+ clusterIP: 10.96.232.136
+ ports:
+ - port: 6666
diff --git a/calico/templates/serviceaccount-calico-cni-plugin.yaml b/calico/templates/serviceaccount-calico-cni-plugin.yaml
new file mode 100644
index 000000000..3d1c94957
--- /dev/null
+++ b/calico/templates/serviceaccount-calico-cni-plugin.yaml
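Review bot: `clusterIP: 10.96.232.136` in service-calico-etcd.yaml is hard-coded, so the chart only installs on a cluster whose service CIDR contains that address, and it has to stay in step with the `etcd_endpoints` entry of the `calico-config` ConfigMap, which is outside this hunk. The kube-dns chart in this same patch reads its address from values (`clusterIP: {{ .Values.networking.dnsIP }}`); the same pattern here, for example `clusterIP: {{ .Values.networking.etcdClusterIP }}` with a matching new key in calico/values.yaml (the key name is only a suggestion), keeps the address in one place. The Service also publishes etcd on port 6666 to every pod in the cluster. Whether etcd requires TLS client certificates is decided in the etcd DaemonSet and the ConfigMap, which are not visible here. That is worth confirming, because this datastore holds the cluster's network policy.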
@@ -0,0 +1,22 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- $envAll := . }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-cni-plugin diff --git a/calico/templates/serviceaccount-calico-policy-controller.yaml b/calico/templates/serviceaccount-calico-policy-controller.yaml new file mode 100644 index 000000000..e65be437e --- /dev/null +++ b/calico/templates/serviceaccount-calico-policy-controller.yaml @@ -0,0 +1,22 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- $envAll := . }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-policy-controller diff --git a/calico/values.yaml b/calico/values.yaml new file mode 100644 index 000000000..5dae057e6 --- /dev/null +++ b/calico/values.yaml 
@@ -0,0 +1,31 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# http://docs.projectcalico.org/v2.4/getting-started/kubernetes/installation/hosted/kubeadm/1.6/calico.yaml +# Calico Version v2.4.1 +# https://docs.projectcalico.org/v2.4/releases#v2.4.1 +# This manifest includes the following component versions: +# calico/node:v2.4.1 +# calico/cni:v1.10.0 +# calico/kube-policy-controller:v0.7.0 + +images: + tags: + calico_etcd: quay.io/coreos/etcd:v3.1.10 + calico_node: quay.io/calico/node:v2.4.1 + calico_cni: quay.io/calico/cni:v1.10.0 + calico_kube_policy_controller: quay.io/calico/kube-policy-controller:v0.7.0 + +networking: + podSubnet: 192.168.0.0/16 diff --git a/flannel/Chart.yaml b/flannel/Chart.yaml new file mode 100644 index 000000000..b162bcb0c --- /dev/null +++ b/flannel/Chart.yaml 
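Review bot: The four entries under `images.tags` in calico/values.yaml reference images by tag only, and a tag can be re-pointed in the registry after this commit is reviewed. These images run as privileged, host-network pods elsewhere in the chart, so pinning the digest as well makes the deployed bits reproducible, e.g. `calico_node: quay.io/calico/node:v2.4.1@sha256:<digest-of-reviewed-image>`. The same applies to the `images.tags` blocks in flannel/values.yaml and kube-dns/values.yaml later in this patch.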
@@ -0,0 +1,25 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +description: OpenStack-Helm BootStrap Flannel +name: flannel +version: 0.1.0 +home: https://github.com/coreos/flannel +icon: https://raw.githubusercontent.com/coreos/flannel/master/logos/flannel-horizontal-color.png +sources: + - https://github.com/coreos/flannel + - https://git.openstack.org/cgit/openstack/openstack-helm +maintainers: + - name: OpenStack-Helm Authors diff --git a/flannel/templates/clusterrole-flannel.yaml b/flannel/templates/clusterrole-flannel.yaml new file mode 100644 index 000000000..c6a314381 --- /dev/null +++ b/flannel/templates/clusterrole-flannel.yaml 
@@ -0,0 +1,42 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- $envAll := . }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: flannel
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - nodes/status
+ verbs:
+ - patch
diff --git a/flannel/templates/clusterrolebinding-flannel.yaml b/flannel/templates/clusterrolebinding-flannel.yaml
new file mode 100644
index 000000000..ada0db445
--- /dev/null
+++ b/flannel/templates/clusterrolebinding-flannel.yaml
@@ -0,0 +1,30 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- $envAll := . }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: flannel
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: flannel
+subjects:
+- kind: ServiceAccount
+ name: flannel
+ namespace: {{ .Release.Namespace }}
diff --git a/flannel/templates/configmap-kube-flannel-cfg.yaml b/flannel/templates/configmap-kube-flannel-cfg.yaml
new file mode 100644
index 000000000..84e050e82
--- /dev/null
+++ b/flannel/templates/configmap-kube-flannel-cfg.yaml
@@ -0,0 +1,41 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- $envAll := . }} +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: kube-flannel-cfg + labels: + tier: node + app: flannel +data: + cni-conf.json: | + { + "name": "cbr0", + "type": "flannel", + "delegate": { + "isDefaultGateway": true + } + } + net-conf.json: | + { + "Network": "{{ .Values.networking.podSubnet }}", + "Backend": { + "Type": "vxlan" + } + } diff --git a/flannel/templates/daemonset-kube-flannel-ds.yaml b/flannel/templates/daemonset-kube-flannel-ds.yaml new file mode 100644 index 000000000..07ffc3dc7 --- /dev/null +++ b/flannel/templates/daemonset-kube-flannel-ds.yaml 
@@ -0,0 +1,78 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- $envAll := . }} +--- +apiVersion: extensions/v1beta1 +kind: DaemonSet +metadata: + name: kube-flannel-ds + labels: + tier: node + app: flannel +spec: + template: + metadata: + labels: + tier: node + app: flannel + spec: + hostNetwork: true + nodeSelector: + beta.kubernetes.io/arch: amd64 + tolerations: + - key: node-role.kubernetes.io/master + operator: Exists + effect: NoSchedule + serviceAccountName: flannel + containers: + - name: kube-flannel + image: {{ .Values.images.tags.flannel }} + command: [ "/opt/bin/flanneld", "--ip-masq", "--kube-subnet-mgr" ] + securityContext: + privileged: true + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: run + mountPath: /run + - name: flannel-cfg + mountPath: /etc/kube-flannel/ + - name: install-cni + image: {{ .Values.images.tags.flannel }} + command: [ "/bin/sh", "-c", "set -e -x; cp -f /etc/kube-flannel/cni-conf.json /etc/cni/net.d/10-flannel.conf; while true; do sleep 3600; done" ] + volumeMounts: + - name: cni + mountPath: /etc/cni/net.d + - name: flannel-cfg + mountPath: /etc/kube-flannel/ + volumes: + - name: run + hostPath: + path: /run + - name: cni + hostPath: + path: /etc/cni/net.d + - name: flannel-cfg + configMap: + name: kube-flannel-cfg 
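Review bot: The `kube-flannel` container in daemonset-kube-flannel-ds.yaml combines `privileged: true` with a read-write hostPath mount of the whole `/run` directory, which hands the container far more of the host than an overlay daemon needs. Host `/run` normally also holds runtime sockets and PID files belonging to other services. Later upstream flannel manifests narrow this to `privileged: false` with `capabilities: add: ["NET_ADMIN"]` and mount only `/run/flannel` (both the `mountPath` and the hostPath `path`). Whether v0.8.0 runs cleanly with that reduced set needs a gate run to confirm. If the broad settings are kept, a comment on `securityContext` saying why would keep them from being copied into other charts unexamined.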
diff --git a/flannel/templates/serviceaccount-flannel.yaml b/flannel/templates/serviceaccount-flannel.yaml new file mode 100644 index 000000000..558cf7842 --- /dev/null +++ b/flannel/templates/serviceaccount-flannel.yaml @@ -0,0 +1,22 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- $envAll := . }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: flannel diff --git a/flannel/values.yaml b/flannel/values.yaml new file mode 100644 index 000000000..b295f0608 --- /dev/null +++ b/flannel/values.yaml @@ -0,0 +1,22 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# https://raw.githubusercontent.com/coreos/flannel/v0.8.0/Documentation/kube-flannel.yml + +images: + tags: + flannel: quay.io/coreos/flannel:v0.8.0-amd64 + +networking: + podSubnet: 192.168.0.0/16 diff --git a/kube-dns/Chart.yaml b/kube-dns/Chart.yaml new file mode 100644 index 000000000..9aadd6efe --- /dev/null 
+++ b/kube-dns/Chart.yaml @@ -0,0 +1,25 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +description: OpenStack-Helm Kube-DNS +name: kube-dns +version: 0.1.0 +home: https://github.com/coreos/flannel +icon: https://raw.githubusercontent.com/coreos/flannel/master/logos/flannel-horizontal-color.png +sources: + - https://github.com/coreos/flannel + - https://git.openstack.org/cgit/openstack/openstack-helm +maintainers: + - name: OpenStack-Helm Authors diff --git a/kube-dns/templates/configmap-kube-dns.yaml b/kube-dns/templates/configmap-kube-dns.yaml new file mode 100644 index 000000000..3d686d0b2 --- /dev/null +++ b/kube-dns/templates/configmap-kube-dns.yaml @@ -0,0 +1,24 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- $envAll := . }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: kube-dns + labels: + addonmanager.kubernetes.io/mode: EnsureExists 
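Review bot: kube-dns/Chart.yaml still carries the flannel chart's provenance fields: `home`, `icon` and the first `sources` entry all point at `github.com/coreos/flannel`. Anyone tracing where this chart's manifests came from will be sent to the wrong project. Pointing `home` and `sources` at the kube-dns upstream, e.g. `home: https://github.com/kubernetes/dns`, and dropping the flannel `icon` fixes it. The header comment in kube-dns/values.yaml later in this patch has the same leftover: it cites the flannel `kube-flannel.yml` URL as its source.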
diff --git a/kube-dns/templates/deployment-kube-dns.yaml b/kube-dns/templates/deployment-kube-dns.yaml new file mode 100644 index 000000000..6a0406a84 --- /dev/null +++ b/kube-dns/templates/deployment-kube-dns.yaml 
@@ -0,0 +1,189 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- $envAll := . }} +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + labels: + k8s-app: kube-dns + name: kube-dns +spec: + replicas: 1 + selector: + matchLabels: + k8s-app: kube-dns + strategy: + rollingUpdate: + maxSurge: 10% + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + creationTimestamp: null + labels: + k8s-app: kube-dns + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + containers: + - args: + - --domain={{ .Values.networking.dnsDomain }}. 
+ - --dns-port=10053 + - --config-dir=/kube-dns-config + - --v=2 + env: + - name: PROMETHEUS_PORT + value: "10055" + image: {{ .Values.images.tags.kube_dns }} + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthcheck/kubedns + port: 10054 + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: kubedns + ports: + - containerPort: 10053 + name: dns-local + protocol: UDP + - containerPort: 10053 + name: dns-tcp-local + protocol: TCP + - containerPort: 10055 + name: metrics + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /readiness + port: 8081 + scheme: HTTP + initialDelaySeconds: 3 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: + limits: + memory: 170Mi + requests: + cpu: 100m + memory: 70Mi + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /kube-dns-config + name: kube-dns-config + - args: + - -v=2 + - -logtostderr + - -configDir=/etc/k8s/dns/dnsmasq-nanny + - -restartDnsmasq=true + - -- + - -k + - --cache-size=1000 + - --log-facility=- + - --server=/{{ .Values.networking.dnsDomain }}/127.0.0.1#10053 + - --server=/in-addr.arpa/127.0.0.1#10053 + - --server=/ip6.arpa/127.0.0.1#10053 + image: {{ .Values.images.tags.kube_dns_nanny }} + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthcheck/dnsmasq + port: 10054 + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: dnsmasq + ports: + - containerPort: 53 + name: dns + protocol: UDP + - containerPort: 53 + name: dns-tcp + protocol: TCP + resources: + requests: + cpu: 150m + memory: 20Mi + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /etc/k8s/dns/dnsmasq-nanny + name: kube-dns-config + - args: + - --v=2 + - --logtostderr + - 
--probe=kubedns,127.0.0.1:10053,kubernetes.default.svc.{{ .Values.networking.dnsDomain }},5,A + - --probe=dnsmasq,127.0.0.1:53,kubernetes.default.svc.{{ .Values.networking.dnsDomain }},5,A + image: {{ .Values.images.tags.kube_dns_sidecar }} + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 5 + httpGet: + path: /metrics + port: 10054 + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: sidecar + ports: + - containerPort: 10054 + name: metrics + protocol: TCP + resources: + requests: + cpu: 10m + memory: 20Mi + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + dnsPolicy: Default + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + serviceAccount: kube-dns + serviceAccountName: kube-dns + terminationGracePeriodSeconds: 30 + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + volumes: + - configMap: + defaultMode: 420 + name: kube-dns + optional: true + name: kube-dns-config diff --git a/kube-dns/templates/service-kube-dns.yaml b/kube-dns/templates/service-kube-dns.yaml new file mode 100644 index 000000000..37fbf1ba0 --- /dev/null +++ b/kube-dns/templates/service-kube-dns.yaml 
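Review bot: In deployment-kube-dns.yaml only the `kubedns` container has a memory limit (`170Mi`); `dnsmasq` and `sidecar` declare `requests` alone, so their memory use is unbounded on the node that hosts cluster DNS. Adding a `limits: memory:` to each, sized from observed usage, keeps a misbehaving cache or probe from starving the node. The manifest also reads like a `kubectl get -o yaml` export: `creationTimestamp: null`, `securityContext: {}`, `schedulerName: default-scheduler`, the `terminationMessage*` fields and the duplicate `serviceAccount:` next to `serviceAccountName:` are server defaults that can be dropped from the template.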
@@ -0,0 +1,41 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- $envAll := . }} +--- +apiVersion: v1 +kind: Service +metadata: + labels: + k8s-app: kube-dns + kubernetes.io/cluster-service: "true" + kubernetes.io/name: KubeDNS + name: kube-dns +spec: + clusterIP: {{ .Values.networking.dnsIP }} + ports: + - name: dns + port: 53 + protocol: UDP + targetPort: 53 + - name: dns-tcp + port: 53 + protocol: TCP + targetPort: 53 + selector: + k8s-app: kube-dns + sessionAffinity: None + type: ClusterIP diff --git a/kube-dns/templates/serviceaccount-kube-dns.yaml b/kube-dns/templates/serviceaccount-kube-dns.yaml new file mode 100644 index 000000000..a6d093a29 --- /dev/null +++ b/kube-dns/templates/serviceaccount-kube-dns.yaml 
@@ -0,0 +1,25 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- $envAll := . }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kube-dns + labels: + kubernetes.io/cluster-service: "true" + addonmanager.kubernetes.io/mode: Reconcile diff --git a/kube-dns/values.yaml b/kube-dns/values.yaml new file mode 100644 index 000000000..824099837 --- /dev/null +++ b/kube-dns/values.yaml @@ -0,0 +1,25 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# https://raw.githubusercontent.com/coreos/flannel/v0.8.0/Documentation/kube-flannel.yml + +images: + tags: + kube_dns: gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.5 + kube_dns_nanny: gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.5 + kube_dns_sidecar: gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.5 + +networking: + dnsDomain: cluster.local + dnsIP: 10.96.0.10 
diff --git a/tiller/Chart.yaml b/tiller/Chart.yaml new file mode 100644 index 000000000..3d2d10a1a --- /dev/null +++ b/tiller/Chart.yaml @@ -0,0 +1,24 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +description: OpenStack-Helm Tiller +name: tiller +version: 0.1.0 +home: https://github.com/kubernetes/helm +sources: + - https://github.com/kubernetes/helm + - https://git.openstack.org/cgit/openstack/openstack-helm +maintainers: + - name: OpenStack-Helm Authors diff --git a/tiller/templates/clusterrolebinding-tiller.yaml b/tiller/templates/clusterrolebinding-tiller.yaml new file mode 100644 index 000000000..aa33c61c8 --- /dev/null +++ b/tiller/templates/clusterrolebinding-tiller.yaml 
@@ -0,0 +1,30 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- $envAll := . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: tiller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: tiller
+ namespace: {{ .Release.Namespace }}
diff --git a/tiller/templates/deployment-tiller.yaml b/tiller/templates/deployment-tiller.yaml
new file mode 100644
index 000000000..6a7744e90
--- /dev/null
+++ b/tiller/templates/deployment-tiller.yaml
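Review bot: clusterrolebinding-tiller.yaml binds the `tiller` ServiceAccount to `cluster-admin`, so every request Tiller accepts is executed with full control of the cluster. The charts in this patch do create cluster-scoped objects (ClusterRoles and bindings), so broad rights may be unavoidable for the gate. In that case the template should say so, e.g. `# cluster-admin is intentional for the CI gate; do not reuse this binding on shared clusters`. Outside CI, a dedicated ClusterRole listing only the resource kinds these charts install would be the least-privilege alternative. This binding also uses `rbac.authorization.k8s.io/v1` while the flannel RBAC templates in the same patch use `v1beta1`; picking one keeps the minimum supported Kubernetes version clear.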
@@ -0,0 +1,85 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- $envAll := . }} +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + labels: + app: helm + name: tiller + name: tiller-deploy +spec: + replicas: 1 + selector: + matchLabels: + app: helm + name: tiller + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + labels: + app: helm + name: tiller + spec: + containers: + - env: + - name: TILLER_NAMESPACE + value: {{ .Release.Namespace }} + - name: TILLER_HISTORY_MAX + value: "0" + image: gcr.io/kubernetes-helm/tiller:v2.7.0-rc1 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /liveness + port: 44135 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: tiller + ports: + - containerPort: 44134 + name: tiller + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /readiness + port: 44135 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + serviceAccount: tiller + serviceAccountName: tiller + terminationGracePeriodSeconds: 30 
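Review bot: The `tiller` container in deployment-tiller.yaml is started with no TLS configuration, and its gRPC port 44134 is published cluster-wide by the `tiller-deploy` Service added in this patch. Any workload that can reach that Service can therefore issue releases with the rights of the `tiller` ServiceAccount, which this patch binds to `cluster-admin`. Either enable mutual TLS through the `TILLER_TLS_ENABLE` / `TILLER_TLS_VERIFY` environment variables with certificates mounted from a Secret, or bind Tiller to loopback with `command: ["/tiller", "--listen=localhost:44134"]` and drop the Service so that access goes through an authenticated port-forward. The image is also hard-coded as `gcr.io/kubernetes-helm/tiller:v2.7.0-rc1`, a release-candidate tag. Unlike the other charts here it is not read from `.Values.images.tags`, and the diffstat shows no tiller/values.yaml, so operators cannot override or pin it.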
diff --git a/tiller/templates/service-tiller-deploy.yaml b/tiller/templates/service-tiller-deploy.yaml new file mode 100644 index 000000000..191ecceff --- /dev/null +++ b/tiller/templates/service-tiller-deploy.yaml @@ -0,0 +1,36 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- $envAll := . }} +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: helm + name: tiller + name: tiller-deploy +spec: + ports: + - name: tiller + port: 44134 + protocol: TCP + targetPort: tiller + selector: + app: helm + name: tiller + sessionAffinity: None + type: ClusterIP diff --git a/tiller/templates/serviceaccount-tiller.yaml b/tiller/templates/serviceaccount-tiller.yaml new file mode 100644 index 000000000..4e0993314 --- /dev/null +++ b/tiller/templates/serviceaccount-tiller.yaml 
@@ -0,0 +1,22 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- $envAll := . }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: tiller diff --git a/tools/gate/devel/local-inventory.yaml b/tools/gate/devel/local-inventory.yaml new file mode 100644 index 000000000..c6d9c4848 --- /dev/null +++ b/tools/gate/devel/local-inventory.yaml @@ -0,0 +1,20 @@ +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +all: + children: + primary: + hosts: + local: + ansible_connection: local diff --git a/tools/gate/devel/local-vars.yaml b/tools/gate/devel/local-vars.yaml new file mode 100644 index 000000000..2048b605f --- /dev/null +++ b/tools/gate/devel/local-vars.yaml 
@@ -0,0 +1,19 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kubernetes:
+ network:
+ default_device: docker0
+ cluster:
+ cni: calcio
diff --git a/tools/gate/devel/multinode-inventory.yaml b/tools/gate/devel/multinode-inventory.yaml
new file mode 100644
index 000000000..832132d93
--- /dev/null
+++ b/tools/gate/devel/multinode-inventory.yaml
@@ -0,0 +1,32 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+all:
+ children:
+ primary:
+ hosts:
+ jules:
+ ansible_port: 22
+ ansible_host: 10.10.10.13
+ ansible_user: ubuntu
+ ansible_ssh_private_key_file: /home/ubuntu/.ssh/insecure.pem
+ ansible_ssh_extra_args: -o StrictHostKeyChecking=no
+ nodes:
+ hosts:
+ verne:
+ ansible_port: 22
+ ansible_host: 10.10.10.6
+ ansible_user: ubuntu
+ ansible_ssh_private_key_file: /home/ubuntu/.ssh/insecure.pem
+ ansible_ssh_extra_args: -o StrictHostKeyChecking=no
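Review bot: `cni: calcio` in `tools/gate/devel/local-vars.yaml` looks like a misspelling of `calico`; `multinode-vars.yaml` in the same commit uses `cni: calico`. The playbooks pass this value to the kubeadm-aio container as `CNI_ENABLED`, so a name the image does not recognise would presumably leave local mode without the intended CNI (how the image handles an unknown value is not visible here). The line should read `cni: calico`.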
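Review bot: Both hosts in `multinode-inventory.yaml` set `ansible_ssh_extra_args: -o StrictHostKeyChecking=no`, so Ansible accepts any host key and the playbooks, which escalate to root, run against whatever answers on 10.10.10.13 and 10.10.10.6. For a throwaway lab that may be acceptable, but it should be stated in the file; otherwise drop the option and pre-populate `known_hosts`, or use `-o StrictHostKeyChecking=accept-new` where the installed OpenSSH supports it. The key path `/home/ubuntu/.ssh/insecure.pem` and the fixed addresses also tie the file to one environment, so a header comment saying it is an example inventory to copy and edit would help.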
diff --git a/tools/gate/devel/multinode-vars.yaml b/tools/gate/devel/multinode-vars.yaml
new file mode 100644
index 000000000..8c769abb0
--- /dev/null
+++ b/tools/gate/devel/multinode-vars.yaml
@@ -0,0 +1,19 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kubernetes:
+ network:
+ default_device: docker0
+ cluster:
+ cni: calico
diff --git a/tools/gate/devel/start.sh b/tools/gate/devel/start.sh
new file mode 100755
index 000000000..133bb0b64
--- /dev/null
+++ b/tools/gate/devel/start.sh
@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+: ${WORK_DIR:="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )/../../.."}
+export MODE=${1:-"local"}
+
+function ansible_install {
+ cd /tmp
+ . /etc/os-release
+ HOST_OS=${HOST_OS:="${ID}"}
+ if [ "x$ID" == "xubuntu" ]; then
+ sudo apt-get update -y
+ sudo apt-get install -y --no-install-recommends \
+ python-pip \
+ libssl-dev \
+ python-dev \
+ build-essential
+ elif [ "x$ID" == "xcentos" ]; then
+ sudo yum install -y \
+ epel-release
+ sudo yum install -y \
+ python-pip \
+ python-devel \
+ redhat-rpm-config \
+ gcc
+ elif [ "x$ID" == "xfedora" ]; then
+ sudo dnf install -y \
+ python-devel \
+ redhat-rpm-config \
+ gcc
+ fi
+
+ sudo -H pip install --no-cache-dir --upgrade pip
+ sudo -H pip install --no-cache-dir --upgrade setuptools
+ sudo -H pip install --no-cache-dir --upgrade pyopenssl
+ sudo -H pip install --no-cache-dir ansible
+ sudo -H pip install --no-cache-dir ara
+ sudo -H pip install --no-cache-dir yq
+}
+ansible_install
+
+cd ${WORK_DIR}
+export ANSIBLE_CALLBACK_PLUGINS="$(python -c 'import os,ara; print(os.path.dirname(ara.__file__))')/plugins/callbacks"
+rm -rf ${HOME}/.ara
+
+function dump_logs () {
+ # Setup the logging location: by default use the working dir as the root.
+ export LOGS_DIR=${LOGS_DIR:-"${WORK_DIR}/logs"}
+ set +e
+ rm -rf ${LOGS_DIR} || true
+ mkdir -p ${LOGS_DIR}/ara
+ ara generate html ${LOGS_DIR}/ara
+ exit $1
+}
+trap 'dump_logs "$?"' ERR
+
+INVENTORY=${WORK_DIR}/tools/gate/devel/${MODE}-inventory.yaml
+VARS=${WORK_DIR}/tools/gate/devel/${MODE}-vars.yaml
+ansible-playbook ${WORK_DIR}/tools/gate/playbooks/zuul-pre.yaml -i ${INVENTORY} --extra-vars=@${VARS} --extra-vars "work_dir=${WORK_DIR}"
+ansible-playbook ${WORK_DIR}/tools/gate/playbooks/zuul-run.yaml -i ${INVENTORY} --extra-vars=@${VARS} --extra-vars "work_dir=${WORK_DIR}"
diff --git a/tools/gate/playbooks/build-images/tasks/kubeadm-aio.yaml b/tools/gate/playbooks/build-images/tasks/kubeadm-aio.yaml
new file mode 100644
index 000000000..8cc2f9459
--- /dev/null
+++ b/tools/gate/playbooks/build-images/tasks/kubeadm-aio.yaml
@@ -0,0 +1,23 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: build the Kubeadm-AIO image
+ docker_image:
+ path: "{{ work_dir }}/"
+ name: "{{ images.kubernetes.kubeadm_aio }}"
+ dockerfile: "tools/images/kubeadm-aio/Dockerfile"
+ force: yes
+ pull: yes
+ state: present
+ rm: yes
diff --git a/tools/gate/playbooks/build-images/tasks/main.yaml b/tools/gate/playbooks/build-images/tasks/main.yaml
new file mode 100644
index 000000000..7e13f0ba1
--- /dev/null
+++ b/tools/gate/playbooks/build-images/tasks/main.yaml
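Review bot: In `dump_logs`, `rm -rf ${LOGS_DIR} || true` and `mkdir -p ${LOGS_DIR}/ara` expand a caller-supplied environment variable unquoted, so a value with spaces or glob characters makes `rm -rf` act on paths other than the intended one; `rm -rf ${HOME}/.ara` and `cd ${WORK_DIR}` earlier in `start.sh` have the same problem. Quote the expansions and guard the destructive one: `rm -rf -- "${LOGS_DIR:?}"` and `mkdir -p "${LOGS_DIR}/ara"`. Separately, `ansible_install` runs `sudo -H pip install` for pip, setuptools, pyopenssl, ansible, ara and yq without version pins, so every run installs as root whatever is current on the package index; pinning versions or using a constraints file would make the gate reproducible. The Fedora branch also installs no `python-pip` package, unlike the Ubuntu and CentOS branches.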
@@ -0,0 +1,15 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- include: kubeadm-aio.yaml
diff --git a/tools/gate/playbooks/deploy-docker/tasks/deploy-ansible-docker-support.yaml b/tools/gate/playbooks/deploy-docker/tasks/deploy-ansible-docker-support.yaml
new file mode 100644
index 000000000..3e7a8e130
--- /dev/null
+++ b/tools/gate/playbooks/deploy-docker/tasks/deploy-ansible-docker-support.yaml
@@ -0,0 +1,68 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: ensuring SELinux is disabled on centos & fedora
+ when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux' or ansible_distribution == 'Fedora'
+ become: true
+ become_user: root
+ command: setenforce 0
+ ignore_errors: True
+
+#NOTE(portdirect): See https://ask.openstack.org/en/question/110437/importerror-cannot-import-name-unrewindablebodyerror/
+- name: fix docker removal issue with ansible's docker_container on centos
+ when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
+ block:
+ - name: remove requests and urllib3 pip packages to fix docker removal issue with ansible's docker_container on centos
+ become: true
+ become_user: root
+ include_role:
+ name: deploy-package
+ tasks_from: pip
+ vars:
+ state: absent
+ packages:
+ - requests
+ - urllib3
+ - name: remove requests and urllib3 distro packages to fix docker removal issue with ansible's docker_container on centos
+ become: true
+ become_user: root
+ include_role:
+ name: deploy-package
+ tasks_from: dist
+ vars:
+ state: absent
+ packages:
+ rpm:
+ - python-urllib3
+ - python-requests
+ - name: restore requests and urllib3 distro packages to fix docker removal issue with ansible's docker_container on centos
+ become: true
+ become_user: root
+ include_role:
+ name: deploy-package
+ tasks_from: dist
+ vars:
+ state: present
+ packages:
+ rpm:
+ - python-urllib3
+ - python-requests
+
+- name: Ensure docker python packages deployed
+ include_role:
+ name: deploy-package
+ tasks_from: pip
+ vars:
+ packages:
+ - docker-py
diff --git a/tools/gate/playbooks/deploy-docker/tasks/main.yaml b/tools/gate/playbooks/deploy-docker/tasks/main.yaml
new file mode 100644
index 000000000..97ac3a797
--- /dev/null
+++ b/tools/gate/playbooks/deploy-docker/tasks/main.yaml
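Review bot: The first task of `deploy-ansible-docker-support.yaml` runs `command: setenforce 0` with `ignore_errors: True`, which switches the whole host to permissive mode, never switches it back, and hides the case where the command fails. The task name says "disabled", but `setenforce 0` only lasts until reboot and leaves the persistent SELinux configuration untouched. If the gate cannot run with SELinux enforcing, say why in a comment above the task, and consider the `selinux` module with `state: permissive` and the host's policy so the change is explicit and idempotent.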
@@ -0,0 +1,52 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: check if docker deploy is needed
+ raw: which docker
+ register: need_docker
+ ignore_errors: True
+
+- name: deploy docker packages
+ when: need_docker | failed
+ include_role:
+ name: deploy-package
+ tasks_from: dist
+ vars:
+ packages:
+ deb:
+ - docker.io
+ rpm:
+ - docker-latest
+
+- name: centos | moving systemd unit into place
+ when: ( ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux' ) and ( need_docker | failed )
+ template:
+ src: centos-docker.service.j2
+ dest: /etc/systemd/system/docker.service
+ mode: 0640
+
+- name: fedora | moving systemd unit into place
+ when: ( ansible_distribution == 'Fedora' ) and ( need_docker | failed )
+ template:
+ src: fedora-docker.service.j2
+ dest: /etc/systemd/system/docker.service
+ mode: 0640
+
+- name: restarting docker
+ systemd:
+ state: restarted
+ daemon_reload: yes
+ name: docker
+
+- include: deploy-ansible-docker-support.yaml
diff --git a/tools/gate/playbooks/deploy-docker/templates/centos-docker.service.j2 b/tools/gate/playbooks/deploy-docker/templates/centos-docker.service.j2
new file mode 100644
index 000000000..b1b313cd5
--- /dev/null
+++ b/tools/gate/playbooks/deploy-docker/templates/centos-docker.service.j2
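Review bot: The `restarting docker` task in `deploy-docker/tasks/main.yaml` has no `when:` and is not a handler, so the daemon is restarted on every run, including when `which docker` succeeded and no unit file was written, which stops any containers already running on the host. Making it a handler notified by the two `template` tasks and the package install, or adding `when: need_docker | failed`, would limit the restart to the case that needs it. The `template` and `systemd` tasks also carry no `become: true`, unlike the tasks in `deploy-ansible-docker-support.yaml`; whether the calling play escalates is not visible here.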
@@ -0,0 +1,31 @@
+[Unit]
+Description=Docker Application Container Engine
+Documentation=http://docs.docker.com
+After=network.target
+Wants=docker-latest-storage-setup.service
+
+[Service]
+Type=notify
+NotifyAccess=all
+Environment=GOTRACEBACK=crash
+Environment=DOCKER_HTTP_HOST_COMPAT=1
+Environment=PATH=/usr/libexec/docker:/usr/bin:/usr/sbin
+ExecStart=/usr/bin/dockerd-latest \
+ --add-runtime docker-runc=/usr/libexec/docker/docker-runc-latest \
+ --default-runtime=docker-runc \
+ --exec-opt native.cgroupdriver=systemd \
+ --userland-proxy-path=/usr/libexec/docker/docker-proxy-latest \
+ -g /var/lib/docker \
+ --storage-driver=overlay \
+ --log-driver=journald
+ExecReload=/bin/kill -s HUP $MAINPID
+LimitNOFILE=1048576
+LimitNPROC=1048576
+LimitCORE=infinity
+TimeoutStartSec=0
+Restart=on-abnormal
+MountFlags=share
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target
diff --git a/tools/gate/playbooks/deploy-docker/templates/fedora-docker.service.j2 b/tools/gate/playbooks/deploy-docker/templates/fedora-docker.service.j2
new file mode 100644
index 000000000..1337a95d5
--- /dev/null
+++ b/tools/gate/playbooks/deploy-docker/templates/fedora-docker.service.j2
@@ -0,0 +1,29 @@
+[Unit]
+Description=Docker Application Container Engine
+Documentation=http://docs.docker.com
+After=network.target docker-latest-containerd.service
+Wants=docker-latest-storage-setup.service
+Requires=docker-latest-containerd.service
+
+[Service]
+Type=notify
+Environment=GOTRACEBACK=crash
+ExecStart=/usr/bin/dockerd-latest \
+ --add-runtime oci=/usr/libexec/docker/docker-runc-latest \
+ --default-runtime=oci \
+ --containerd /run/containerd.sock \
+ --exec-opt native.cgroupdriver=systemd \
+ --userland-proxy-path=/usr/libexec/docker/docker-proxy-latest \
+ -g /var/lib/docker \
+ --storage-driver=overlay2 \
+ --log-driver=journald
+ExecReload=/bin/kill -s HUP $MAINPID
+TasksMax=8192
+LimitNOFILE=1048576
+LimitNPROC=1048576
+LimitCORE=infinity
+TimeoutStartSec=0
+Restart=on-abnormal
+
+[Install]
+WantedBy=multi-user.target
diff --git a/tools/gate/playbooks/deploy-kubeadm-aio-common/tasks/clean-node.yaml b/tools/gate/playbooks/deploy-kubeadm-aio-common/tasks/clean-node.yaml
new file mode 100644
index 000000000..a3190de08
--- /dev/null
+++ b/tools/gate/playbooks/deploy-kubeadm-aio-common/tasks/clean-node.yaml
@@ -0,0 +1,69 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: master
+ vars:
+ kubeadm_aio_action: clean-host
+ block:
+ - name: "kubeadm-aio perfoming action: {{ kubeadm_aio_action }}"
+ become: true
+ become_user: root
+ docker_container:
+ name: "kubeadm-{{ kubeadm_aio_action }}"
+ image: "{{ images.kubernetes.kubeadm_aio }}"
+ state: started
+ detach: false
+ recreate: yes
+ pid_mode: host
+ network_mode: host
+ capabilities: SYS_ADMIN
+ volumes:
+ - /sys:/sys:rw
+ - /run:/run:rw
+ - /:/mnt/rootfs:rw
+ - /etc:/etc:rw
+ env:
+ CONTAINER_NAME="kubeadm-{{ kubeadm_aio_action }}"
+ ACTION="{{ kubeadm_aio_action }}"
+ KUBE_BIND_DEVICE="{{ kubernetes_default_device }}"
+ USER_UID="{{ playbook_user_id }}"
+ USER_GID="{{ playbook_group_id }}"
+ USER_HOME="{{ playbook_user_dir }}"
+ CNI_ENABLED="{{ kubernetes.cluster.cni }}"
+ PVC_SUPPORT_CEPH=true
+ PVC_SUPPORT_NFS=true
+ NET_SUPPORT_LINUXBRIDGE=true
+ KUBE_NET_POD_SUBNET=192.168.0.0/16
+ KUBE_NET_DNS_DOMAIN=cluster.local
+ CONTAINER_RUNTIME=docker
+ register: kubeadm_master_deploy
+ ignore_errors: True
+ rescue:
+ - name: getting logs from kubeadm-aio container
+ command: "docker logs kubeadm-{{ kubeadm_aio_action }}"
+ become: true
+ become_user: root
+ register: out
+ - name: dumping logs from kubeadm-aio container
+ debug:
+ var: out.stdout_lines
+ - name: exiting if the kubeadm deploy failed
+ command: exit 1
+ always:
+ - name: removing kubeadm-aio container
+ become: true
+ become_user: root
+ docker_container:
+ name: "kubeadm-{{ kubeadm_aio_action }}"
+ state: absent
diff --git a/tools/gate/playbooks/deploy-kubeadm-aio-common/tasks/deploy-kubelet.yaml b/tools/gate/playbooks/deploy-kubeadm-aio-common/tasks/deploy-kubelet.yaml
new file mode 100644
index 000000000..91fb234e5
--- /dev/null
+++ b/tools/gate/playbooks/deploy-kubeadm-aio-common/tasks/deploy-kubelet.yaml
@@ -0,0 +1,18 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: master
+ vars:
+ kubeadm_aio_action: deploy-kubelet
+ include: util-kubeadm-aio-run.yaml
diff --git a/tools/gate/playbooks/deploy-kubeadm-aio-common/tasks/main.yaml b/tools/gate/playbooks/deploy-kubeadm-aio-common/tasks/main.yaml
new file mode 100644
index 000000000..65ac76089
--- /dev/null
+++ b/tools/gate/playbooks/deploy-kubeadm-aio-common/tasks/main.yaml
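Review bot: In `clean-node.yaml` the container task sets `ignore_errors: True` inside a `block` that has a `rescue`, so a failing clean-host run is ignored and the rescue tasks (log dump, forced failure) should never execute; either drop `ignore_errors` or drop the `rescue` and note that cleaning is best-effort. The rescue's `command: exit 1` fails only because `exit` is not an executable the `command` module can find; `fail: msg="kubeadm-aio {{ kubeadm_aio_action }} failed"` states the intent, and the same line appears in `util-kubeadm-aio-run.yaml`, `util-generate-join-command.yaml` and `util-run-join-command.yaml`. The container runs with host PID and network namespaces, `SYS_ADMIN`, and read-write mounts of `/` and `/etc`, so the `images.kubernetes.kubeadm_aio` image is effectively root on the node; a comment above `docker_container:` recording that would help whoever changes the image source later.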
@@ -0,0 +1,35 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: setting playbook facts
+ set_fact:
+ playbook_user_id: "{{ ansible_user_uid }}"
+ playbook_group_id: "{{ ansible_user_gid }}"
+ playbook_user_dir: "{{ ansible_user_dir }}"
+ kubernetes_default_device: "{{ ansible_default_ipv4.alias }}"
+ kubernetes_default_address: null
+
+- name: if we have defined a custom interface for kubernetes use that
+ when: kubernetes.network.default_device is defined and kubernetes.network.default_device
+ set_fact:
+ kubernetes_default_device: "{{ kubernetes.network.default_device }}"
+
+- name: if we are in openstack infra use the private IP for kubernetes
+ when: (nodepool is defined) and (nodepool.private_ipv4 is defined)
+ set_fact:
+ kubernetes_default_address: "{{ nodepool.private_ipv4 }}"
+
+- include: clean-node.yaml
+
+- include: deploy-kubelet.yaml
diff --git a/tools/gate/playbooks/deploy-kubeadm-aio-common/tasks/util-kubeadm-aio-run.yaml b/tools/gate/playbooks/deploy-kubeadm-aio-common/tasks/util-kubeadm-aio-run.yaml
new file mode 100644
index 000000000..073a7ba57
--- /dev/null
+++ b/tools/gate/playbooks/deploy-kubeadm-aio-common/tasks/util-kubeadm-aio-run.yaml
@@ -0,0 +1,69 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Run Kubeadm-AIO container
+ vars:
+ kubeadm_aio_action: null
+ block:
+ - name: "perfoming {{ kubeadm_aio_action }} action"
+ become: true
+ become_user: root
+ docker_container:
+ name: "kubeadm-{{ kubeadm_aio_action }}"
+ image: "{{ images.kubernetes.kubeadm_aio }}"
+ state: started
+ detach: false
+ recreate: yes
+ pid_mode: host
+ network_mode: host
+ capabilities: SYS_ADMIN
+ volumes:
+ - /sys:/sys:rw
+ - /run:/run:rw
+ - /:/mnt/rootfs:rw
+ - /etc:/etc:rw
+ env:
+ CONTAINER_NAME="kubeadm-{{ kubeadm_aio_action }}"
+ ACTION="{{ kubeadm_aio_action }}"
+ KUBE_BIND_DEVICE="{{ kubernetes_default_device }}"
+ KUBE_BIND_ADDR="{{ kubernetes_default_address }}"
+ USER_UID="{{ playbook_user_id }}"
+ USER_GID="{{ playbook_group_id }}"
+ USER_HOME="{{ playbook_user_dir }}"
+ CNI_ENABLED="{{ kubernetes.cluster.cni }}"
+ PVC_SUPPORT_CEPH=true
+ PVC_SUPPORT_NFS=true
+ NET_SUPPORT_LINUXBRIDGE=true
+ KUBE_NET_POD_SUBNET=192.168.0.0/16
+ KUBE_NET_DNS_DOMAIN=cluster.local
+ CONTAINER_RUNTIME=docker
+ register: kubeadm_master_deploy
+ rescue:
+ - name: "getting logs for {{ kubeadm_aio_action }} action"
+ command: "docker logs kubeadm-{{ kubeadm_aio_action }}"
+ become: true
+ become_user: root
+ register: out
+ - name: "dumping logs for {{ kubeadm_aio_action }} action"
+ debug:
+ var: out.stdout_lines
+ - name: "exiting if {{ kubeadm_aio_action }} action failed"
+ command: exit 1
+ always:
+ - name: "removing container for {{ kubeadm_aio_action }} action"
+ become: true
+ become_user: root
+ docker_container:
+ name: "kubeadm-{{ kubeadm_aio_action }}"
+ state: absent
diff --git a/tools/gate/playbooks/deploy-kubeadm-aio-master/tasks/main.yaml b/tools/gate/playbooks/deploy-kubeadm-aio-master/tasks/main.yaml
new file mode 100644
index 000000000..294449c30
--- /dev/null
+++ b/tools/gate/playbooks/deploy-kubeadm-aio-master/tasks/main.yaml
@@ -0,0 +1,31 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: setting playbook user info facts before escalating privileges
+ set_fact:
+ playbook_user_id: "{{ ansible_user_uid }}"
+ playbook_group_id: "{{ ansible_user_gid }}"
+ playbook_user_dir: "{{ ansible_user_dir }}"
+
+- name: deploying kubelet and support assets to node
+ include_role:
+ name: deploy-kubeadm-aio-common
+ tasks_from: main
+
+- name: deploying kubernetes on master node
+ vars:
+ kubeadm_aio_action: deploy-kube
+ include_role:
+ name: deploy-kubeadm-aio-common
+ tasks_from: util-kubeadm-aio-run
diff --git a/tools/gate/playbooks/deploy-kubeadm-aio-node/tasks/main.yaml b/tools/gate/playbooks/deploy-kubeadm-aio-node/tasks/main.yaml
new file mode 100644
index 000000000..244d7db69
--- /dev/null
+++ b/tools/gate/playbooks/deploy-kubeadm-aio-node/tasks/main.yaml
@@ -0,0 +1,44 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: setting playbook user info facts before escalating privileges
+ set_fact:
+ playbook_user_id: "{{ ansible_user_uid }}"
+ playbook_group_id: "{{ ansible_user_gid }}"
+ playbook_user_dir: "{{ ansible_user_dir }}"
+ kube_master: "{{ groups['primary'][0] }}"
+ kube_worker: "{{ inventory_hostname }}"
+
+- name: deploying kubelet and support assets to node
+ include_role:
+ name: deploy-kubeadm-aio-common
+ tasks_from: main
+
+- name: generating the kubeadm join command for the node
+ include: util-generate-join-command.yaml
+ delegate_to: "{{ kube_master }}"
+
+- name: joining node to kubernetes cluster
+ vars:
+ kubeadm_aio_action: join-kube
+ kubeadm_aio_join_command: "{{ kubeadm_cluster_join_command }}"
+ include: util-run-join-command.yaml
+
+- name: waiting for node to be ready
+ delegate_to: "{{ kube_master }}"
+ command: kubectl get node "{{ ansible_fqdn }}" -o jsonpath="{$.status.conditions[?(@.reason=='KubeletReady')]['type']}"
+ register: task_result
+ until: task_result.stdout == 'Ready'
+ retries: 120
+ delay: 5
diff --git a/tools/gate/playbooks/deploy-kubeadm-aio-node/tasks/util-generate-join-command.yaml b/tools/gate/playbooks/deploy-kubeadm-aio-node/tasks/util-generate-join-command.yaml
new file mode 100644
index 000000000..c00ba8e19
--- /dev/null
+++ b/tools/gate/playbooks/deploy-kubeadm-aio-node/tasks/util-generate-join-command.yaml
@@ -0,0 +1,56 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: generate the kubeadm join command for nodes
+ vars:
+ kubeadm_aio_action: generate-join-cmd
+ kubeadm_cluster_join_ttl: 30m
+ kube_worker: null
+ block:
+ - name: "deploying kubeadm {{ kubeadm_aio_action }} container"
+ become: true
+ become_user: root
+ docker_container:
+ name: "kubeadm-{{ kube_worker }}-{{ kubeadm_aio_action }}"
+ image: "{{ images.kubernetes.kubeadm_aio }}"
+ state: started
+ detach: false
+ recreate: yes
+ network_mode: host
+ volumes:
+ - /etc/kubernetes:/etc/kubernetes:ro
+ env:
+ ACTION=generate-join-cmd
+ TTL="{{ kubeadm_cluster_join_ttl }}"
+ register: kubeadm_generate_join_command
+ - name: "getting logs for {{ kubeadm_aio_action }} action"
+ command: "docker logs kubeadm-{{ kube_worker }}-{{ kubeadm_aio_action }}"
+ become: true
+ become_user: root
+ register: kubeadm_aio_action_logs
+ - name: storing cluster join command
+ set_fact: kubeadm_cluster_join_command="{{ kubeadm_aio_action_logs.stdout }}"
+ rescue:
+ - name: "dumping logs for {{ kubeadm_aio_action }} action"
+ debug:
+ var: kubeadm_aio_action_logs.stdout_lines
+ - name: "exiting if {{ kubeadm_aio_action }} action failed"
+ command: exit 1
+ always:
+ - name: "removing container for {{ kubeadm_aio_action }} action"
+ become: true
+ become_user: root
+ docker_container:
+ name: "kubeadm-{{ kube_worker }}-{{ kubeadm_aio_action }}"
+ state: absent
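Review bot: The join command in `util-generate-join-command.yaml` is read back with `docker logs`, stored in `kubeadm_cluster_join_command`, and in the rescue printed with `debug`; a kubeadm join command carries the cluster bootstrap token, so the token ends up in the Ansible output and in the ARA report that `start.sh` generates. Add `no_log: true` to the `getting logs`, `storing cluster join command` and `dumping logs` tasks. The rescue also reads `kubeadm_aio_action_logs.stdout_lines`, which is undefined when the container task itself is the one that failed. `util-run-join-command.yaml` later hands the same string to a host-privileged container as `KUBEADM_JOIN_COMMAND`; how the image consumes it is not visible in this part of the commit.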
diff --git a/tools/gate/playbooks/deploy-kubeadm-aio-node/tasks/util-run-join-command.yaml b/tools/gate/playbooks/deploy-kubeadm-aio-node/tasks/util-run-join-command.yaml
new file mode 100644
index 000000000..83aca0d9a
--- /dev/null
+++ b/tools/gate/playbooks/deploy-kubeadm-aio-node/tasks/util-run-join-command.yaml
@@ -0,0 +1,59 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: master
+ vars:
+ kubeadm_aio_action: join-kube
+ kubeadm_aio_join_command: null
+ block:
+ - name: "deploying kubeadm {{ kubeadm_aio_action }} container"
+ become: true
+ become_user: root
+ docker_container:
+ name: "kubeadm-{{ kubeadm_aio_action }}"
+ image: "{{ images.kubernetes.kubeadm_aio }}"
+ state: started
+ detach: false
+ recreate: yes
+ pid_mode: host
+ network_mode: host
+ capabilities: SYS_ADMIN
+ volumes:
+ - /sys:/sys:rw
+ - /run:/run:rw
+ - /:/mnt/rootfs:rw
+ - /etc:/etc:rw
+ env:
+ CONTAINER_NAME="kubeadm-{{ kubeadm_aio_action }}"
+ ACTION="{{ kubeadm_aio_action }}"
+ KUBEADM_JOIN_COMMAND="{{ kubeadm_aio_join_command }}"
+ register: kubeadm_aio_join_container
+ rescue:
+ - name: "getting logs for {{ kubeadm_aio_action }} action"
+ command: "docker logs kubeadm-{{ kubeadm_aio_action }}"
+ become: true
+ become_user: root
+ register: kubeadm_aio_join_container_output
+ - name: "dumping logs for {{ kubeadm_aio_action }} action"
+ debug:
+ msg: "{{ kubeadm_aio_join_container_output.stdout_lines }}"
+ - name: "exiting if {{ kubeadm_aio_action }} action failed"
+ command: exit 1
+ always:
+ - name: "removing container for {{ kubeadm_aio_action }} action"
+ become: true
+ become_user: root
+ docker_container:
+ name: "kubeadm-{{ kubeadm_aio_action }}"
+ state: absent
diff --git a/tools/gate/playbooks/deploy-package/tasks/dist.yaml b/tools/gate/playbooks/deploy-package/tasks/dist.yaml
new file mode 100644
index 000000000..f9743d306
--- /dev/null
+++ b/tools/gate/playbooks/deploy-package/tasks/dist.yaml
@@ -0,0 +1,46 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: managing distro packages for ubuntu
+ become: true
+ become_user: root
+ when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
+ vars:
+ state: present
+ apt:
+ name: "{{ item }}"
+ state: "{{ state }}"
+ with_items: "{{ packages.deb }}"
+
+- name: managing distro packages for centos
+ become: true
+ become_user: root
+ when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
+ vars:
+ state: present
+ yum:
+ name: "{{ item }}"
+ state: "{{ state }}"
+ with_items: "{{ packages.rpm }}"
+
+- name: managing distro packages for fedora
+ become: true
+ become_user: root
+ when: ansible_distribution == 'Fedora'
+ vars:
+ state: present
+ dnf:
+ name: "{{ item }}"
+ state: "{{ state }}"
+ with_items: "{{ packages.rpm }}"
diff --git a/tools/gate/playbooks/deploy-package/tasks/pip.yaml b/tools/gate/playbooks/deploy-package/tasks/pip.yaml
new file mode 100644
index 000000000..f0c60206d
--- /dev/null
+++ b/tools/gate/playbooks/deploy-package/tasks/pip.yaml
@@ -0,0 +1,23 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: managing pip packages
+ become: true
+ become_user: root
+ vars:
+ state: present
+ pip:
+ name: "{{ item }}"
+ state: "{{ state }}"
+ with_items: "{{ packages }}"
diff --git a/tools/gate/playbooks/deploy-python-pip/tasks/main.yaml b/tools/gate/playbooks/deploy-python-pip/tasks/main.yaml
new file mode 100644
index 000000000..109b636eb
--- /dev/null
+++ b/tools/gate/playbooks/deploy-python-pip/tasks/main.yaml
@@ -0,0 +1,44 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: ensuring python pip package is present for ubuntu
+ when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
+ apt:
+ name: python-pip
+ state: present
+
+- name: ensuring python pip package is present for centos
+ when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
+ block:
+ - name: ensuring epel-release package is present for centos as python-pip is in the epel repo
+ yum:
+ name: epel-release
+ state: present
+ - name: ensuring python pip package is present for centos
+ yum:
+ name: python-pip
+ state: present
+
+- name: ensuring python pip package is present for fedora via the python-devel rpm
+ when: ansible_distribution == 'Fedora'
+ dnf:
+ name: python-devel
+ state: present
+
+- name: ensuring pip is the latest version
+ become: true
+ become_user: root
+ pip:
+ name: pip
+ state: latest
diff --git a/tools/gate/playbooks/deploy-python/tasks/main.yaml b/tools/gate/playbooks/deploy-python/tasks/main.yaml
new file mode 100644
index 000000000..02015673b
--- /dev/null
+++ b/tools/gate/playbooks/deploy-python/tasks/main.yaml
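Review bot: The last task, `ensuring pip is the latest version`, upgrades pip as root with `state: latest`, so the gate installs whatever release the package index serves at run time and two runs of the same commit can end up with different tooling. Pinning keeps the job reproducible and limits exposure to a bad upstream release, e.g. `version: <PINNED_PIP_VERSION>` with `state: present` (placeholder; use the version the gate is validated against). The apt/yum/dnf tasks above it carry no `become:` of their own and appear to rely on the play-level `become: yes` in zuul-pre.yaml; a short comment saying so would help anyone reusing the role from another play.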
@@ -0,0 +1,16 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: ensuring python2 is present on all hosts
+ raw: test -e /usr/bin/python || (sudo apt -y update && sudo apt install -y python-minimal) || (sudo yum install -y python) || (sudo dnf install -y python2)
diff --git a/tools/gate/playbooks/pull-images/tasks/main.yaml b/tools/gate/playbooks/pull-images/tasks/main.yaml
new file mode 100644
index 000000000..7271b8282
--- /dev/null
+++ b/tools/gate/playbooks/pull-images/tasks/main.yaml
@@ -0,0 +1,18 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: pull all images used in repo
+ make:
+ chdir: "{{ work_dir }}"
+ target: pull-all-images
diff --git a/tools/gate/playbooks/setup-firewall/tasks/main.yaml b/tools/gate/playbooks/setup-firewall/tasks/main.yaml
new file mode 100644
index 000000000..a98290d5c
--- /dev/null
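Review bot: The `raw:` line in deploy-python/tasks/main.yaml chains the three package managers with `||`, so on a Debian or Ubuntu node where `apt` fails for a transient reason the task goes on to try `yum` and `dnf`, and the error that reaches the job log comes from the last command rather than from the apt failure. Selecting the manager before installing keeps the real error visible, for example guarding each branch with `command -v apt >/dev/null`, `command -v yum >/dev/null` and `command -v dnf >/dev/null`. The play in zuul-pre.yaml already sets `become: yes`, so the inline `sudo` is probably redundant; that is inferred from the other file, not from this hunk.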
+++ b/tools/gate/playbooks/setup-firewall/tasks/main.yaml
@@ -0,0 +1,29 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#NOTE(portdirect): This needs refinement but drops the firewall on zuul nodes
+- name: deploy iptables packages
+ include_role:
+ name: deploy-package
+ tasks_from: dist
+ vars:
+ packages:
+ deb:
+ - iptables
+ rpm:
+ - iptables
+- command: iptables -S
+- command: iptables -F
+- command: iptables -P INPUT ACCEPT
+- command: iptables -S
diff --git a/tools/gate/playbooks/vars.yaml b/tools/gate/playbooks/vars.yaml
new file mode 100644
index 000000000..7962f639e
--- /dev/null
+++ b/tools/gate/playbooks/vars.yaml
@@ -0,0 +1,26 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+images:
+ kubernetes:
+ kubeadm_aio: openstackhelm/kubeadm-aio:dev
+
+helm:
+ version: v2.7.0-rc1
+
+kubernetes:
+ network:
+ default_device: null
+ cluster:
+ cni: calico
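Review bot: The four unnamed `command:` tasks at the end of setup-firewall/tasks/main.yaml flush the filter table and set the INPUT policy to ACCEPT on every host the role is applied to, with no `when:` guard, so including this role anywhere other than a throwaway Zuul node removes host filtering without any visible opt-in. I would gate them on an explicit variable that only the gate play sets, e.g. `when: gate_drop_firewall | default(false)` (variable name constructed for illustration), and give each task a `name:` such as `- name: setup-firewall | flush filter table rules` so the change is readable in the job log. `iptables -F` without `-t` only touches the filter table and the FORWARD and OUTPUT policies are left as they were; the existing NOTE should state whether that is the intended scope. Both `iptables -S` calls only list rules and could take `changed_when: false`.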
diff --git a/tools/gate/playbooks/zuul-pre.yaml b/tools/gate/playbooks/zuul-pre.yaml
new file mode 100644
index 000000000..f136f9beb
--- /dev/null
+++ b/tools/gate/playbooks/zuul-pre.yaml
@@ -0,0 +1,55 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- hosts: all
+ vars_files:
+ - vars.yaml
+ vars:
+ work_dir: "{{ zuul.project.src_dir }}"
+ gather_facts: False
+ become: yes
+ roles:
+ - deploy-python
+ tags:
+ - deploy-python
+
+- hosts: all
+ vars_files:
+ - vars.yaml
+ vars:
+ work_dir: "{{ zuul.project.src_dir }}"
+ gather_facts: True
+ become: yes
+ roles:
+ - setup-firewall
+ - deploy-python-pip
+ - deploy-docker
+ tags:
+ - setup-firewall
+ - deploy-python-pip
+ - deploy-docker
+
+- hosts: all
+ vars_files:
+ - vars.yaml
+ vars:
+ work_dir: "{{ zuul.project.src_dir }}"
+ gather_facts: False
+ become: yes
+ roles:
+ - pull-images
+ - build-images
+ tags:
+ - pull-images
+ - build-images
diff --git a/tools/gate/playbooks/zuul-run.yaml b/tools/gate/playbooks/zuul-run.yaml
new file mode 100644
index 000000000..14c3b8220
--- /dev/null
+++ b/tools/gate/playbooks/zuul-run.yaml
@@ -0,0 +1,33 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- hosts: primary
+ vars_files:
+ - vars.yaml
+ vars:
+ work_dir: "{{ zuul.project.src_dir }}"
+ roles:
+ - deploy-kubeadm-aio-master
+ tags:
+ - deploy-kubeadm-aio-master
+
+- hosts: nodes
+ vars_files:
+ - vars.yaml
+ vars:
+ work_dir: "{{ zuul.project.src_dir }}"
+ roles:
+ - deploy-kubeadm-aio-node
+ tags:
+ - deploy-kubeadm-aio-node
diff --git a/tools/images/kubeadm-aio/Dockerfile b/tools/images/kubeadm-aio/Dockerfile
new file mode 100644
index 000000000..a9a8f87d1
--- /dev/null
+++ b/tools/images/kubeadm-aio/Dockerfile
@@ -0,0 +1,68 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#https://github.com/kubernetes/ingress-nginx/tree/master/images/ubuntu-slim
+FROM gcr.io/google_containers/ubuntu-slim:0.14
+MAINTAINER pete.birley@att.com
+
+ENV KUBE_VERSION="v1.8.1" \
+ CNI_VERSION="v0.6.0" \
+ HELM_VERSION="v2.7.0-rc1" \
+ container="docker" \
+ DEBIAN_FRONTEND="noninteractive" \
+ CNI_BIN_DIR="/opt/cni/bin" \
+ CHARTS="calico,flannel,tiller,kube-dns"
+
+RUN set -ex ;\
+ apt-get update ;\
+ apt-get upgrade -y ;\
+ apt-get install -y --no-install-recommends \
+ ca-certificates \
+ curl \
+ jq \
+ python-pip \
+ gawk ;\
+ pip --no-cache-dir install --upgrade pip ;\
+ pip --no-cache-dir install setuptools ;\
+ pip --no-cache-dir install kubernetes ;\
+ pip --no-cache-dir install ansible ;\
+ for BINARY in kubectl kubeadm; do \
+ curl -sSL -o /usr/bin/${BINARY} \
+ https://storage.googleapis.com/kubernetes-release/release/${KUBE_VERSION}/bin/linux/amd64/${BINARY} ;\
+ chmod +x /usr/bin/${BINARY} ;\
+ done ;\
+ mkdir -p /opt/assets/usr/bin ;\
+ curl -sSL -o /opt/assets/usr/bin/kubelet \
+ https://storage.googleapis.com/kubernetes-release/release/${KUBE_VERSION}/bin/linux/amd64/kubelet ;\
+ chmod +x /opt/assets/usr/bin/kubelet ;\
+ mkdir -p /opt/assets${CNI_BIN_DIR} ;\
+ curl -sSL https://github.com/containernetworking/plugins/releases/download/$CNI_VERSION/cni-plugins-amd64-$CNI_VERSION.tgz | \
+ tar -zxv --strip-components=1 -C /opt/assets${CNI_BIN_DIR} ;\
+ TMP_DIR=$(mktemp -d) ;\
+ curl -sSL https://storage.googleapis.com/kubernetes-helm/helm-${HELM_VERSION}-linux-amd64.tar.gz | tar -zxv --strip-components=1 -C ${TMP_DIR} ;\
+ mv ${TMP_DIR}/helm /usr/bin/helm ;\
+ rm -rf ${TMP_DIR} ;\
+ apt-get purge -y --auto-remove \
+ curl ;\
+ rm -rf /var/lib/apt/lists/* /tmp/* /root/.cache
+
+COPY ./ /tmp/source
+RUN set -ex ;\
+ cp -rfav /tmp/source/tools/images/kubeadm-aio/assets/* / ;\
+ IFS=','; for CHART in $CHARTS; do \
+ mv -v /tmp/source/${CHART} /opt/charts/; \
+ done ;\
+ rm -rf /tmp/source
+
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/tools/images/kubeadm-aio/assets/entrypoint.sh b/tools/images/kubeadm-aio/assets/entrypoint.sh
new file mode 100755
index 000000000..1edb2508e
--- /dev/null
+++ b/tools/images/kubeadm-aio/assets/entrypoint.sh
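Review bot: The first `RUN` step installs kubectl, kubeadm, kubelet, the CNI plugins and helm directly from `curl -sSL` output with no integrity check and without `-f`, so an HTTP error body is written to `/usr/bin/${BINARY}` and marked executable instead of failing the build, and a tampered or replaced artifact is accepted silently. Use `curl -fsSL` on every download and verify each file against a SHA-256 recorded in the Dockerfile before the `chmod +x`, e.g. `echo "${KUBECTL_SHA256}  /usr/bin/kubectl" | sha256sum -c -` (the variable name is a placeholder). The two `curl … | tar` pipelines run under `set -ex` without pipefail, so a failed download is only noticed if tar happens to reject the input; downloading to a file, checking it, then extracting avoids that. `pip install ansible` and `pip install kubernetes` are unpinned and the base image is referenced by tag rather than digest, so the image contents depend on when it is built.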
@@ -0,0 +1,119 @@
+#!/usr/bin/env bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+if [ "x${ACTION}" == "xgenerate-join-cmd" ]; then
+: ${TTL:="10m"}
+DISCOVERY_TOKEN="$(kubeadm token --kubeconfig /etc/kubernetes/admin.conf create --ttl ${TTL} --usages signing --groups '')"
+TLS_BOOTSTRAP_TOKEN="$(kubeadm token --kubeconfig /etc/kubernetes/admin.conf create --ttl ${TTL} --usages authentication --groups \"system:bootstrappers:kubeadm:default-node-token\")"
+DISCOVERY_TOKEN_CA_HASH="$(openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* /sha256:/')"
+API_SERVER=$(cat /etc/kubernetes/admin.conf | python -c "import sys, yaml; print yaml.safe_load(sys.stdin)['clusters'][0]['cluster']['server'].split(\"//\",1).pop()")
+exec echo "kubeadm join \
+--tls-bootstrap-token ${TLS_BOOTSTRAP_TOKEN} \
+--discovery-token ${DISCOVERY_TOKEN} \
+--discovery-token-ca-cert-hash ${DISCOVERY_TOKEN_CA_HASH} \
+${API_SERVER}"
+elif [ "x${ACTION}" == "xjoin-kube" ]; then
+ exec ansible-playbook /opt/playbooks/kubeadm-aio-deploy-node.yaml \
+ --inventory=/opt/playbooks/inventory.ini \
+ --extra-vars="kubeadm_join_command=\"${KUBEADM_JOIN_COMMAND}\""
+fi
+
+: ${ACTION:="deploy-kube"}
+: ${CONTAINER_NAME:="null"}
+: ${CONTAINER_RUNTIME:="docker"}
+: ${CNI_ENABLED:="calico"}
+: ${NET_SUPPORT_LINUXBRIDGE:="true"}
+: ${PVC_SUPPORT_CEPH:="false"}
+: ${PVC_SUPPORT_NFS:="false"}
+: ${HELM_TILLER_IMAGE:="gcr.io/kubernetes-helm/tiller:${HELM_VERSION}"}
+: ${KUBE_VERSION:="${KUBE_VERSION}"}
+: ${KUBE_IMAGE_REPO:="gcr.io/google_containers"}
+: ${KUBE_API_BIND_PORT:="6443"}
+: ${KUBE_NET_DNS_DOMAIN:="cluster.local"}
+: ${KUBE_NET_POD_SUBNET:="192.168.0.0/16"}
+: ${KUBE_NET_SUBNET_SUBNET:="10.96.0.0/12"}
+: ${KUBE_BIND_DEVICE:=""}
+: ${KUBE_BIND_ADDR:=""}
+: ${KUBE_API_BIND_DEVICE:="${KUBE_BIND_DEVICE}"}
+: ${KUBE_API_BIND_ADDR:="${KUBE_BIND_ADDR}"}
+: ${KUBE_CERTS_DIR:="/etc/kubernetes/pki"}
+: ${KUBE_SELF_HOSTED:="false"}
+
+PLAYBOOK_VARS="{
+ \"my_container_name\": \"${CONTAINER_NAME}\",
+ \"user\": {
+ \"uid\": ${USER_UID},
+ \"gid\": ${USER_GID},
+ \"home\": \"${USER_HOME}\"
+ },
+ \"cluster\": {
+ \"cni\": \"${CNI_ENABLED}\"
+ },
+ \"kubelet\": {
+ \"container_runtime\": \"${CONTAINER_RUNTIME}\",
+ \"net_support_linuxbridge\": ${NET_SUPPORT_LINUXBRIDGE},
+ \"pv_support_nfs\": ${PVC_SUPPORT_NFS},
+ \"pv_support_ceph\": ${PVC_SUPPORT_CEPH}
+ },
+ \"helm\": {
+ \"tiller_image\": \"${HELM_TILLER_IMAGE}\"
+ },
+ \"k8s\": {
+ \"kubernetesVersion\": \"${KUBE_VERSION}\",
+ \"imageRepository\": \"${KUBE_IMAGE_REPO}\",
+ \"certificatesDir\": \"${KUBE_CERTS_DIR}\",
+ \"selfHosted\": \"${KUBE_SELF_HOSTED}\",
+ \"api\": {
+ \"bindPort\": ${KUBE_API_BIND_PORT}
+ },
+ \"networking\": {
+ \"dnsDomain\": \"${KUBE_NET_DNS_DOMAIN}\",
+ \"podSubnet\": \"${KUBE_NET_POD_SUBNET}\",
+ \"serviceSubnet\": \"${KUBE_NET_SUBNET_SUBNET}\"
+ }
+ }
+}"
+
+set -x
+if [ "x${ACTION}" == "xdeploy-kubelet" ]; then
+ if [ "x${KUBE_BIND_ADDR}" != "x" ]; then
+ PLAYBOOK_VARS=$(echo $PLAYBOOK_VARS | jq ".kubelet += {\"bind_addr\": \"${KUBE_BIND_ADDR}\"}")
+ elif [ "x${KUBE_BIND_DEVICE}" != "x" ]; then
+ PLAYBOOK_VARS=$(echo $PLAYBOOK_VARS | jq ".kubelet += {\"bind_device\": \"${KUBE_BIND_DEVICE}\"}")
+ fi
+ ansible-playbook /opt/playbooks/kubeadm-aio-deploy-kubelet.yaml \
+ --inventory=/opt/playbooks/inventory.ini \
+ --inventory=/opt/playbooks/vars.yaml \
+ --extra-vars="${PLAYBOOK_VARS}"
+elif [ "x${ACTION}" == "xdeploy-kube" ]; then
+ if [ "x${KUBE_API_BIND_ADDR}" != "x" ]; then
+ PLAYBOOK_VARS=$(echo $PLAYBOOK_VARS | jq ".k8s.api += {\"advertiseAddress\": \"${KUBE_API_BIND_ADDR}\"}")
+ elif [ "x${KUBE_API_BIND_DEVICE}" != "x" ]; then
+ PLAYBOOK_VARS=$(echo $PLAYBOOK_VARS | jq ".k8s.api += {\"advertiseAddressDevice\": \"${KUBE_API_BIND_DEVICE}\"}")
+ fi
+ ansible-playbook /opt/playbooks/kubeadm-aio-deploy-master.yaml \
+ --inventory=/opt/playbooks/inventory.ini \
+ --inventory=/opt/playbooks/vars.yaml \
+ --extra-vars="${PLAYBOOK_VARS}"
+elif [ "x${ACTION}" == "xclean-host" ]; then
+ ansible-playbook /opt/playbooks/kubeadm-aio-clean.yaml \
+ --inventory=/opt/playbooks/inventory.ini \
+ --inventory=/opt/playbooks/vars.yaml \
+ --extra-vars="${PLAYBOOK_VARS}"
+else
+ exec ${ACTION}
+fi
diff --git a/tools/images/kubeadm-aio/assets/opt/charts/.placeholder b/tools/images/kubeadm-aio/assets/opt/charts/.placeholder
new file mode 100644
index 000000000..e69de29bb
diff --git a/tools/images/kubeadm-aio/assets/opt/playbooks/inventory.ini b/tools/images/kubeadm-aio/assets/opt/playbooks/inventory.ini
new file mode 100644
index 000000000..3d9caf368
--- /dev/null
+++ b/tools/images/kubeadm-aio/assets/opt/playbooks/inventory.ini
@@ -0,0 +1,2 @@
+[node]
+/mnt/rootfs ansible_connection=chroot
diff --git a/tools/images/kubeadm-aio/assets/opt/playbooks/kubeadm-aio-clean.yaml b/tools/images/kubeadm-aio/assets/opt/playbooks/kubeadm-aio-clean.yaml
new file mode 100644
index 000000000..ad76858db
--- /dev/null
+++ b/tools/images/kubeadm-aio/assets/opt/playbooks/kubeadm-aio-clean.yaml
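Review bot: In entrypoint.sh `PLAYBOOK_VARS` is assembled by pasting environment variables into JSON text, and the four `jq` calls paste `KUBE_BIND_ADDR`, `KUBE_BIND_DEVICE`, `KUBE_API_BIND_ADDR` and `KUBE_API_BIND_DEVICE` into the jq program itself, so a value containing a quote or brace changes the structure handed to `ansible-playbook --extra-vars` instead of being treated as data. Pass values as jq arguments, e.g. `PLAYBOOK_VARS=$(printf '%s' "${PLAYBOOK_VARS}" | jq --arg v "${KUBE_BIND_ADDR}" '.kubelet += {bind_addr: $v}')`, and preferably build the whole document with `jq -n --arg`. `USER_UID`, `USER_GID` and `USER_HOME` get no default in the `: ${…}` block, so when they are unset the document contains `"uid": ,` and is invalid; a guard such as `: "${USER_UID:?must be set}"` fails early with a clear message. In the `generate-join-cmd` branch the `\"` around `system:bootstrappers:kubeadm:default-node-token` sits inside `$(…)`, where it should become literal quote characters in the argument, so it is worth checking that kubeadm receives the group name without them. The final `exec ${ACTION}` is unquoted and runs whatever the variable holds; a comment stating that this passthrough is intentional would help the next reader.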
@@ -0,0 +1,19 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- hosts: all
+ gather_facts: True
+ become: yes
+ roles:
+ - clean-host
+ tags:
+ - clean-host
diff --git a/tools/images/kubeadm-aio/assets/opt/playbooks/kubeadm-aio-deploy-kubelet.yaml b/tools/images/kubeadm-aio/assets/opt/playbooks/kubeadm-aio-deploy-kubelet.yaml
new file mode 100644
index 000000000..6b2db4bdb
--- /dev/null
+++ b/tools/images/kubeadm-aio/assets/opt/playbooks/kubeadm-aio-deploy-kubelet.yaml
@@ -0,0 +1,19 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- hosts: all
+ gather_facts: True
+ become: yes
+ roles:
+ - deploy-kubelet
+ tags:
+ - deploy-kubelet
diff --git a/tools/images/kubeadm-aio/assets/opt/playbooks/kubeadm-aio-deploy-master.yaml b/tools/images/kubeadm-aio/assets/opt/playbooks/kubeadm-aio-deploy-master.yaml
new file mode 100644
index 000000000..b303b4863
--- /dev/null
+++ b/tools/images/kubeadm-aio/assets/opt/playbooks/kubeadm-aio-deploy-master.yaml
@@ -0,0 +1,18 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- hosts: all
+ become: yes
+ roles:
+ - deploy-kubeadm-master
+ tags:
+ - deploy-kubeadm-master
diff --git a/tools/images/kubeadm-aio/assets/opt/playbooks/kubeadm-aio-deploy-node.yaml b/tools/images/kubeadm-aio/assets/opt/playbooks/kubeadm-aio-deploy-node.yaml
new file mode 100644
index 000000000..fbdccd62e
--- /dev/null
+++ b/tools/images/kubeadm-aio/assets/opt/playbooks/kubeadm-aio-deploy-node.yaml
@@ -0,0 +1,18 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- hosts: all
+ become: yes
+ roles:
+ - deploy-kubeadm-node
+ tags:
+ - deploy-kubeadm-node
diff --git a/tools/images/kubeadm-aio/assets/opt/playbooks/roles/clean-host/tasks/main.yaml b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/clean-host/tasks/main.yaml
new file mode 100644
index 000000000..36297bbe6
--- /dev/null
+++ b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/clean-host/tasks/main.yaml
@@ -0,0 +1,56 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+- name: clean | kube | remove config
+ file:
+ path: "{{ item }}"
+ state: absent
+ with_items:
+ - /etc/kubernetes
+
+- name: clean | kube | stop kubelet service
+ ignore_errors: yes
+ systemd:
+ name: kubelet
+ state: stopped
+ enabled: no
+ masked: no
+
+- name: clean | kube | removing any old docker containers
+ ignore_errors: yes
+ shell: MY_CONTAINER_ID=$(docker inspect --format {% raw %}'{{ .Id }}'{% endraw %} "{{ my_container_name }}"); docker ps --all --no-trunc --quiet | awk '!'"/${MY_CONTAINER_ID}/ { print \$1 }" | xargs -r -l1 -P16 docker rm -f
+
+- name: clean | kube | remove any mounts
+ ignore_errors: yes
+ shell: |-
+ for MOUNT in $(findmnt --df --output TARGET | grep "^/var/lib/kubelet"); do
+ umount --force $MOUNT
+ done
+
+- name: clean | kube | remove dirs
+ file:
+ path: "{{ item }}"
+ state: absent
+ with_items:
+ - /etc/kubernetes
+ - /etc/cni/net.d
+ - /etc/systemd/system/kubelet.service
+ - /etc/systemd/system/kubelet.service.d
+ - /var/lib/kubelet
+ - /var/lib/etcd
+ - /var/etcd
+ - /opt/cni/bin
+
+- name: clean | kube | reload systemd
+ systemd:
+ daemon_reload: yes
diff --git a/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/tasks/helm-cni.yaml b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/tasks/helm-cni.yaml
new file mode 100644
index 000000000..8377b6858
--- /dev/null
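Review bot: In clean-host/tasks/main.yaml the `clean | kube | remove any mounts` task runs with `ignore_errors: yes` and is followed directly by the `file: state: absent` task that deletes `/var/lib/kubelet`, so if a `umount --force` fails the recursive delete can descend into a volume that is still mounted there and remove its contents. I would stop before deleting while mounts remain: either drop `ignore_errors` from the unmount task, or register the output of `findmnt --df --output TARGET` afterwards and `fail:` when it still lists a path under `/var/lib/kubelet`. `$MOUNT` is unquoted inside the loop, so a mount target containing whitespace is split into several arguments; reading the targets with `while IFS= read -r MOUNT` and calling `umount --force "$MOUNT"` avoids that.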
+++ b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/tasks/helm-cni.yaml 
@@ -0,0 +1,92 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: setting up bootstrap tiller
+ block:
+ - name: pull the helm tiller Image
+ become: true
+ become_user: root
+ docker_image:
+ pull: true
+ name: "{{ helm.tiller_image }}"
+ - name: deploying bootstrap tiller
+ become: true
+ become_user: root
+ docker_container:
+ name: "helm-tiller"
+ image: "{{ helm.tiller_image }}"
+ state: started
+ detach: true
+ recreate: yes
+ network_mode: host
+ volumes:
+ - /etc/kubernetes/admin.conf:/etc/kubernetes/admin.conf:ro
+ env:
+ KUBECONFIG=/etc/kubernetes/admin.conf
+ register: kubeadm_aio_tiller_container
+ ignore_errors: True
+ - name: wait for tiller to be ready
+ delegate_to: 127.0.0.1
+ command: helm version --server
+ environment:
+ HELM_HOST: 'localhost:44134'
+ register: task_result
+ until: task_result.rc == 0
+ retries: 120
+ delay: 5
+
+- name: kubeadm | cni | calico
+ when: cluster.cni == 'calico'
+ delegate_to: 127.0.0.1
+ block:
+ - name: kubeadm | cni | calico | label node
+ command: kubectl label --overwrite nodes {{ kubeadm_node_hostname }} node-role.kubernetes.io/master=
+ environment:
+ KUBECONFIG: '/mnt/rootfs/etc/kubernetes/admin.conf'
+ - name: kubeadm | cni | calico
+ command: helm install /opt/charts/calico --name calico --namespace kube-system --set networking.podSubnet="{{ k8s.networking.podSubnet }}" --wait
+ environment:
+ HELM_HOST: 'localhost:44134'
+ - name: kubeadm | cni | calico
+ command: helm status calico
+ environment:
+ HELM_HOST: 'localhost:44134'
+ register: kubeadm_helm_cni_status
+ - name: kubeadm | cni | status
+ debug:
+ msg: "{{ kubeadm_helm_cni_status }}"
+
+- name: kubeadm | cni | flannel
+ when: cluster.cni == 'flannel'
+ delegate_to: 127.0.0.1
+ block:
+ - name: kubeadm | cni | flannel
+ command: helm install /opt/charts/flannel --name flannel --namespace kube-system --set networking.podSubnet="{{ k8s.networking.podSubnet }}" --wait
+ environment:
+ HELM_HOST: 'localhost:44134'
+ - name: kubeadm | cni | flannel
+ command: helm status flannel
+ environment:
+ HELM_HOST: 'localhost:44134'
+ register: kubeadm_helm_cni_status
+ - name: kubeadm | cni | status
+ debug:
+ msg: "{{ kubeadm_helm_cni_status }}"
+
+- name: "removing bootstrap tiller container"
+ become: true
+ become_user: root
+ docker_container:
+ name: "helm-tiller"
+ state: absent
diff --git a/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/tasks/helm-deploy.yaml b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/tasks/helm-deploy.yaml
new file mode 100644
index 000000000..ab86ec64f
--- /dev/null
+++ b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/tasks/helm-deploy.yaml
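Review bot: The bootstrap Tiller container in helm-cni.yaml is started with `network_mode: host` and the cluster's `admin.conf` mounted, and it is removed only by the last task of the file, so a failure in any helm task in between leaves a process holding cluster-admin credentials running on the host network (the tasks reach it at `localhost:44134`; whether it also answers on other interfaces depends on Tiller's listen address, which the hunk does not set). Put the install and status tasks in a `block:` and move `removing bootstrap tiller container` into its `always:` section so the teardown also runs on failure. `ignore_errors: True` on `deploying bootstrap tiller` only defers a start failure to the `retries: 120` / `delay: 5` wait loop; dropping it would fail fast with the real error. The same bootstrap and teardown sequence is repeated in helm-deploy.yaml and helm-dns.yaml and has the same gap; a shared task file included from all three would fix it in one place.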
@@ -0,0 +1,84 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: setting up bootstrap tiller
+ block:
+ - name: pull the helm tiller Image
+ become: true
+ become_user: root
+ docker_image:
+ pull: true
+ name: "{{ helm.tiller_image }}"
+ - name: deploying bootstrap tiller
+ become: true
+ become_user: root
+ docker_container:
+ name: "helm-tiller"
+ image: "{{ helm.tiller_image }}"
+ state: started
+ detach: true
+ recreate: yes
+ network_mode: host
+ volumes:
+ - /etc/kubernetes/admin.conf:/etc/kubernetes/admin.conf:ro
+ env:
+ KUBECONFIG=/etc/kubernetes/admin.conf
+ register: kubeadm_aio_tiller_container
+ ignore_errors: True
+ - name: wait for tiller to be ready
+ delegate_to: 127.0.0.1
+ command: helm version --server
+ environment:
+ HELM_HOST: 'localhost:44134'
+ register: task_result
+ until: task_result.rc == 0
+ retries: 120
+ delay: 5
+
+- name: kubeadm | helm | tiller
+ delegate_to: 127.0.0.1
+ block:
+ - name: kubeadm | helm | tiller
+ command: helm install /opt/charts/tiller --name tiller --namespace kube-system --wait
+ environment:
+ HELM_HOST: 'localhost:44134'
+ - name: kubeadm | helm | tiller
+ command: helm status tiller
+ environment:
+ HELM_HOST: 'localhost:44134'
+ register: kubeadm_helm_cni_status
+ - name: kubeadm | helm | tiller
+ debug:
+ msg: "{{ kubeadm_helm_cni_status }}"
+
+- name: "removing bootstrap tiller container"
+ become: true
+ become_user: root
+ docker_container:
+ name: "helm-tiller"
+ state: absent
+
+- name: setting up helm client on host
+ block:
+ - name: copying helm binary to host
+ become: true
+ become_user: root
+ copy:
+ src: /usr/bin/helm
+ dest: /usr/bin/helm
+ owner: root
+ group: root
+ mode: 0555
+ - name: setting up helm client for user
+ command: helm init --client-only
diff --git a/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/tasks/helm-dns.yaml b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/tasks/helm-dns.yaml
new file mode 100644
index 000000000..c719ff9a7
--- /dev/null
+++ b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/tasks/helm-dns.yaml
@@ -0,0 +1,70 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: setting up bootstrap tiller
+ block:
+ - name: pull the helm tiller Image
+ become: true
+ become_user: root
+ docker_image:
+ pull: true
+ name: "{{ helm.tiller_image }}"
+ - name: deploying bootstrap tiller
+ become: true
+ become_user: root
+ docker_container:
+ name: "helm-tiller"
+ image: "{{ helm.tiller_image }}"
+ state: started
+ detach: true
+ recreate: yes
+ network_mode: host
+ volumes:
+ - /etc/kubernetes/admin.conf:/etc/kubernetes/admin.conf:ro
+ env:
+ KUBECONFIG=/etc/kubernetes/admin.conf
+ register: kubeadm_aio_tiller_container
+ ignore_errors: True
+ - name: wait for tiller to be ready
+ delegate_to: 127.0.0.1
+ command: helm version --server
+ environment:
+ HELM_HOST: 'localhost:44134'
+ register: task_result
+ until: task_result.rc == 0
+ retries: 120
+ delay: 5
+
+- name: kubeadm | dns
+ delegate_to: 127.0.0.1
+ block:
+ - name: kubeadm | dns
+ command: helm install /opt/charts/kube-dns --name kube-dns --namespace kube-system --wait
+ environment:
+ HELM_HOST: 'localhost:44134'
+ - name: kubeadm | dns
+ command: helm status kube-dns
+ environment:
+ HELM_HOST: 'localhost:44134'
+ register: kubeadm_helm_dns_status
+ - name: kubeadm | dns
+ debug:
+ msg: "{{ kubeadm_helm_dns_status }}"
+
+- name: "removing bootstrap tiller container"
+ become: true
+ become_user: root
+ docker_container:
+ name: "helm-tiller"
+ state: absent
diff --git a/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/tasks/main.yaml b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/tasks/main.yaml
new file mode 100644
index 000000000..8b16c132a
--- /dev/null
+++ b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/tasks/main.yaml
@@ -0,0 +1,209 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: storing node hostname
+ set_fact:
+ kubeadm_node_hostname: "{% if ansible_domain is defined %}{{ ansible_fqdn }}{% else %}{{ ansible_hostname }}.node.{{ k8s.networking.dnsDomain }}{% endif %}"
+
+- name: deploy config file and make dir structure
+ block:
+ - name: setup directorys on host
+ file:
+ path: "{{ item }}"
+ state: directory
+ with_items:
+ - /etc/kubernetes
+ - /etc/kubernetes/pki
+ - name: generating initial admin token
+ delegate_to: 127.0.0.1
+ command: /usr/bin/kubeadm token generate
+ register: kubeadm_bootstrap_token
+ - name: storing initial admin token
+ set_fact:
+ kubeadm_bootstrap_token: "{{ kubeadm_bootstrap_token.stdout }}"
+ - name: kubelet | copying config to host
+ template:
+ src: kubeadm-conf.yaml.j2
+ dest: /etc/kubernetes/kubeadm-conf.yaml
+ mode: 0640
+
+- name: generating certs
+ delegate_to: 127.0.0.1
+ block:
+ - name: master | deploy | certs | ca
+ command: kubeadm alpha phase certs ca --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
+ - name: master | deploy | certs | apiserver
+ command: kubeadm alpha phase certs apiserver --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
+ - name: master | deploy | certs | apiserver-kubelet-client
+ command: kubeadm alpha phase certs apiserver-kubelet-client --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
+ - name: master | deploy | certs | sa
+ command:
kubeadm alpha phase certs sa --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
+ - name: master | deploy | certs | front-proxy-ca
+ command: kubeadm alpha phase certs front-proxy-ca --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
+ - name: master | deploy | certs | front-proxy-client
+ command: kubeadm alpha phase certs front-proxy-client --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
+
+- name: generating kubeconfigs
+ delegate_to: 127.0.0.1
+ block:
+ - name: master | deploy | kubeconfig | admin
+ command: kubeadm alpha phase kubeconfig admin --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
+ - name: master | deploy | kubeconfig | kubelet
+ command: kubeadm alpha phase kubeconfig kubelet --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
+ - name: master | deploy | kubeconfig | controller-manager
+ command: kubeadm alpha phase kubeconfig controller-manager --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
+ - name: master | deploy | kubeconfig | scheduler
+ command: kubeadm alpha phase kubeconfig scheduler --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
+
+- name: generating etcd static manifest
+ delegate_to: 127.0.0.1
+ command: kubeadm alpha phase etcd local --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
+
+- name: generating controlplane static manifests
+ delegate_to: 127.0.0.1
+ block:
+ - name: master | deploy | controlplane | apiserver
+ command: kubeadm alpha phase controlplane apiserver --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
+ - name: master | deploy | controlplane | controller-manager
+ command: kubeadm alpha phase controlplane controller-manager --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
+ - name: master | deploy | controlplane | scheduler
+ command: kubeadm alpha phase controlplane scheduler --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
+
+- name: wait for kube components
+ delegate_to: 127.0.0.1
+ block:
+ - name: wait for kube api
+ shell: export
KUBECONFIG=/mnt/rootfs/etc/kubernetes/admin.conf; python /usr/bin/test-kube-api.py
+ register: task_result
+ until: task_result.rc == 0
+ retries: 120
+ delay: 5
+ - name: wait for node to come online
+ shell: export KUBECONFIG=/mnt/rootfs/etc/kubernetes/admin.conf; kubectl get node "{{ kubeadm_node_hostname }}" --no-headers | gawk '{ print $2 }' | grep -q '\(^Ready\)\|\(^NotReady\)'
+ register: task_result
+ until: task_result.rc == 0
+ retries: 120
+ delay: 5
+ - include_tasks: wait-for-kube-system-namespace.yaml
+
+- name: deploying kube-proxy
+ delegate_to: 127.0.0.1
+ command: kubeadm alpha phase addon kube-proxy --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
+
+- include_tasks: helm-cni.yaml
+
+- name: wait for kube components
+ delegate_to: 127.0.0.1
+ block:
+ - name: wait for node to be ready
+ shell: export KUBECONFIG=/mnt/rootfs/etc/kubernetes/admin.conf; kubectl get node "{{ kubeadm_node_hostname }}" --no-headers | gawk '{ print $2 }' | grep -q '^Ready'
+ register: task_result
+ until: task_result.rc == 0
+ retries: 120
+ delay: 5
+ - include_tasks: wait-for-kube-system-namespace.yaml
+
+# - name: deploying kube-dns addon
+# delegate_to: 127.0.0.1
+# block:
+# - name: master | deploy | kube-dns
+# command: kubeadm alpha phase addon kube-dns --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
+# - include_tasks: wait-for-kube-system-namespace.yaml
+
+- include_tasks: helm-dns.yaml
+- include_tasks: helm-deploy.yaml
+
+- name: uploading cluster config to api
+ delegate_to: 127.0.0.1
+ command: kubeadm alpha phase upload-config --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
+
+- name: generating bootstrap-token objects
+ delegate_to: 127.0.0.1
+ block:
+ - name: master | deploy | bootstrap-token | allow-post-csrs
+ command: kubeadm --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf alpha phase bootstrap-token node allow-post-csrs
+ - name: master | deploy | bootstrap-token |
allow-auto-approve
+ command: kubeadm --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf alpha phase bootstrap-token node allow-auto-approve
+
+- name: generating bootstrap-token objects
+ delegate_to: 127.0.0.1
+ block:
+ - name: check if kube-public namespace exists
+ command: kubectl --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf get ns kube-public
+ register: kube_public_ns_exists
+ ignore_errors: True
+ - name: create kube-public namespace if required
+ when: kube_public_ns_exists | failed
+ command: kubectl --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf create ns kube-public
+ - name: sourcing kube cluster admin credentials
+ include_vars: /etc/kubernetes/admin.conf
+ - name: creating cluster-info configmap manifest on host
+ template:
+ src: cluster-info.yaml.j2
+ dest: /etc/kubernetes/cluster-info.yaml
+ mode: 0644
+ - name: removing any pre-existing cluster-info configmap
+ command: kubectl --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf delete -f /etc/kubernetes/cluster-info.yaml --ignore-not-found
+ - name: creating cluster-info configmap
+ command: kubectl --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf create -f /etc/kubernetes/cluster-info.yaml
+ - name: removing cluster-info configmap manifest from host
+ file:
+ path: "{{ item }}"
+ state: absent
+ with_items:
+ - /etc/kubernetes/cluster-info.yaml
+
+ - name: check if kube-public configmap role exists
+ command: kubectl --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf -n kube-public get role system:bootstrap-signer-clusterinfo
+ register: kube_public_configmap_role_exists
+ ignore_errors: True
+ - name: create kube-public configmap role if required
+ when: kube_public_configmap_role_exists | failed
+ command: kubectl --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf -n kube-public create role system:bootstrap-signer-clusterinfo --verb get --resource configmaps
+
+ - name: check if kube-public configmap rolebinding exists
+ command: kubectl --kubeconfig
/mnt/rootfs/etc/kubernetes/admin.conf -n kube-public get rolebinding kubeadm:bootstrap-signer-clusterinfo
+ register: kube_public_configmap_rolebinding_exists
+ ignore_errors: True
+ - name: create kube-public configmap rolebinding if required
+ when: kube_public_configmap_rolebinding_exists | failed
+ command: kubectl --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf -n kube-public create rolebinding kubeadm:bootstrap-signer-clusterinfo --role system:bootstrap-signer-clusterinfo --user system:anonymous
+
+- name: converting the cluster to be selfhosted
+ when: k8s.selfHosted|bool == true
+ delegate_to: 127.0.0.1
+ command: kubeadm alpha phase selfhosting convert-from-staticpods --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
+
+- name: setting up kubectl client on host
+ block:
+ - name: kubectl | copying kubectl binary to host
+ copy:
+ src: /usr/bin/kubectl
+ dest: /usr/bin/kubectl
+ owner: root
+ group: root
+ mode: 0555
+ - name: kubectl | master | ensure kube config directory exists for user
+ file:
+ path: "{{ item }}"
+ state: directory
+ with_items:
+ - "{{ vars.user.home }}/.kube"
+ - name: kubectl | master | deploy kube config file for user
+ copy:
+ src: /mnt/rootfs/etc/kubernetes/admin.conf
+ dest: "{{ vars.user.home }}/.kube/config"
+ owner: "{{ vars.user.uid }}"
+ group: "{{ vars.user.gid }}"
+ mode: 0600
diff --git a/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/tasks/wait-for-kube-system-namespace.yaml b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/tasks/wait-for-kube-system-namespace.yaml
new file mode 100644
index 000000000..5b188c2db
--- /dev/null
+++ b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/tasks/wait-for-kube-system-namespace.yaml
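Review bot: In deploy-kubeadm-master/tasks/main.yaml, the role created by `create kube-public configmap role if required` grants `get` on every configmap in `kube-public`, and the rolebinding that follows hands that role to `system:anonymous`. Unauthenticated clients can therefore read any configmap later placed in that namespace, not only `cluster-info`. Scoping the role to the one object keeps the anonymous grant to what token discovery needs: `... -n kube-public create role system:bootstrap-signer-clusterinfo --verb get --resource configmaps --resource-name cluster-info`. A short comment above the rolebinding task saying why an anonymous subject is bound there would also help the next reader.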
@@ -0,0 +1,21 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: wait for kube pods to all be running in kube-system namespace
+ delegate_to: 127.0.0.1
+ shell: export KUBECONFIG=/mnt/rootfs/etc/kubernetes/admin.conf; /usr/bin/test-kube-pods-ready kube-system
+ register: task_result
+ until: task_result.rc == 0
+ retries: 120
+ delay: 5
diff --git a/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/templates/cluster-info.yaml.j2 b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/templates/cluster-info.yaml.j2
new file mode 100644
index 000000000..8a92fc264
--- /dev/null
+++ b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/templates/cluster-info.yaml.j2
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: cluster-info
+ namespace: kube-public
+data:
+ kubeconfig: |
+ apiVersion: v1
+ clusters:
+ - cluster:
+ certificate-authority-data: {{ clusters[0].cluster['certificate-authority-data'] }}
+ server: {{ clusters[0].cluster['server'] }}
+ name: ""
+ contexts: []
+ current-context: ""
+ kind: Config
+ preferences: {}
+ users: []
diff --git a/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/templates/kubeadm-conf.yaml.j2 b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/templates/kubeadm-conf.yaml.j2
new file mode 100644
index 000000000..5e5a286ad
--- /dev/null
+++ b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/templates/kubeadm-conf.yaml.j2
@@ -0,0 +1,46 @@
+#jinja2: trim_blocks:False
+apiVersion: kubeadm.k8s.io/v1alpha1
+kind: MasterConfiguration
+kubernetesVersion: {{ k8s.kubernetesVersion }}
+imageRepository: {{ k8s.imageRepository }}
+nodeName: {{ kubeadm_node_hostname }}
+api:
+ advertiseAddress: {% if k8s.api.advertiseAddress is defined %}{{ k8s.api.advertiseAddress }}{% else %}{% if k8s.api.advertiseAddressDevice is defined %}{{ hostvars[inventory_hostname]['ansible_'+k8s.api.advertiseAddressDevice].ipv4.address }}{% else %}{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}{% endif %}{% endif %}
+ bindPort: {{ k8s.api.bindPort }}
+# etcd:
+# endpoints:
+# -
+# -
+# caFile:
+# certFile:
+# keyFile:
+# dataDir:
+# extraArgs:
+# :
+# :
+# image:
+networking:
+ dnsDomain: {{ k8s.networking.dnsDomain }}
+ podSubnet: {{ k8s.networking.podSubnet }}
+ serviceSubnet: {{ k8s.networking.serviceSubnet }}
+#cloudProvider:
+authorizationModes:
+- Node
+- RBAC
+token: {{ kubeadm_bootstrap_token }}
+tokenTTL: 24h0m0s
+selfHosted: {{ k8s.selfHosted }}
+apiServerExtraArgs:
+ runtime-config: "batch/v2alpha1=true"
+# :
+# controllerManagerExtraArgs:
+# :
+# :
+# schedulerExtraArgs:
+# :
+# :
+# apiServerCertSANs:
+# -
+# -
+certificatesDir: {{ k8s.certificatesDir }}
+#unifiedControlPlaneImage:
diff --git a/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-node/tasks/main.yaml b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-node/tasks/main.yaml
new file mode 100644
index 000000000..bbca60f56
--- /dev/null
+++ b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-node/tasks/main.yaml
@@ -0,0 +1,40 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- block:
+ - name: base kubeadm deploy
+ file:
+ path: "{{ item }}"
+ state: directory
+ with_items:
+ - /etc/kubernetes/
+ - /etc/systemd/system/kubelet.service.d/
+ - /var/lib/kubelet/
+ - name: copying kubeadm binary to host
+ copy:
+ src: /usr/bin/kubeadm
+ dest: /usr/bin/kubeadm
+ owner: root
+ group: root
+ mode: 0555
+ - debug:
+ msg: "{{ kubeadm_join_command }}"
+ - name: running kubeadm join command
+ command: "{{ kubeadm_join_command }}"
+ - name: base kubeadm deploy
+ file:
+ path: "{{ item }}"
+ state: absent
+ with_items:
+ - /usr/bin/kubeadm
diff --git a/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/tasks/hostname.yaml b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/tasks/hostname.yaml
new file mode 100644
index 000000000..163ba2802
--- /dev/null
+++ b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/tasks/hostname.yaml
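Review bot: In deploy-kubeadm-node/tasks/main.yaml, the unnamed `debug:` task prints `{{ kubeadm_join_command }}` into the play output just before the command is run. A kubeadm join command normally carries the bootstrap token, and this role runs in a gate whose console logs are presumably kept. I would drop the debug task and set `no_log: true` on `running kubeadm join command`, so the token does not appear in task results either. The variable is set outside this hunk, so its exact contents are not visible here.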
@@ -0,0 +1,35 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: DNS | Ensure node fully qualified hostname is set
+ lineinfile:
+ unsafe_writes: true
+ state: present
+ dest: /etc/hosts
+ line: "{% if kubelet.bind_device is defined %}{{ hostvars[inventory_hostname]['ansible_'+kubelet.bind_device].ipv4.address }}{% else %}{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}{% endif %} {% if ansible_domain is defined %}{{ ansible_fqdn }}{% else %}{{ ansible_hostname }}.node.{{ k8s.networking.dnsDomain }}{% endif %} {{ ansible_hostname }}"
+ regexp: "^{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}{% if kubelet.bind_device is defined %}|{{ hostvars[inventory_hostname]['ansible_'+kubelet.bind_device].ipv4.address }}{% endif %}"
+
+- block:
+ - name: DNS | Ensure node localhost ipv4 hostname is set
+ lineinfile:
+ unsafe_writes: true
+ state: present
+ dest: /etc/hosts
+ line: "127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4"
+ regexp: "^127.0.0.1"
+ - name: DNS | Ensure node localhost ipv6 hostname is set
+ lineinfile:
+ unsafe_writes: true
+ state: present
+ dest: /etc/hosts
+ line: "::1 localhost6 localhost6.localdomain6"
+ regexp: "^::1"
diff --git a/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/tasks/kubelet.yaml b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/tasks/kubelet.yaml
new file mode 100644
index 000000000..b7cea4731
--- /dev/null
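Review bot: In hostname.yaml, the `regexp` of `DNS | Ensure node fully qualified hostname is set` is built from raw IP addresses. The dots are unescaped, nothing delimits the end of the address, and the `|` alternative for the bind device is not grouped, so only the first address is anchored by `^`. A node address of 10.0.0.1 (constructed example) would also match an existing line for 10.0.0.10, and lineinfile would rewrite that other host's entry. Grouping and escaping keeps the match to this node's own line, for example `regexp: "^({{ default_ip | regex_escape }}|{{ bind_ip | regex_escape }})\\s"`, where `default_ip` and `bind_ip` stand for the two expressions already used in the task. The same missing delimiter applies to `"^127.0.0.1"` in the block below.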
+++ b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/tasks/kubelet.yaml 
@@ -0,0 +1,162 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: ubuntu | installing kubelet support packages
+ when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
+ apt:
+ name: "{{item}}"
+ state: installed
+ with_items:
+ - ebtables
+ - ethtool
+ - iproute2
+ - iptables
+ - libmnl0
+ - libnfnetlink0
+ - libwrap0
+ - libxtables11
+ - socat
+
+- name: centos | installing kubelet support packages
+ when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
+ yum:
+ name: "{{item}}"
+ state: installed
+ with_items:
+ - ebtables
+ - ethtool
+ - tcp_wrappers-libs
+ - libmnl
+ - socat
+
+- name: fedora | installing kubelet support packages
+ when: ansible_distribution == 'Fedora'
+ dnf:
+ name: "{{item}}"
+ state: installed
+ with_items:
+ - ebtables
+ - ethtool
+ - tcp_wrappers-libs
+ - libmnl
+ - socat
+
+- name: getting docker cgroup driver info
+ when: kubelet.container_runtime == 'docker'
+ block:
+ - name: docker | getting cgroup driver info
+ shell: docker info | awk '/^Cgroup Driver:/ { print $NF }'
+ register: docker_cgroup_driver
+ - name: setting kublet cgroup driver
+ set_fact:
+ kubelet_cgroup_driver: "{{ docker_cgroup_driver.stdout }}"
+
+- name: setting kublet cgroup driver for CRI-O
+ when: kubelet.container_runtime == 'crio'
+ set_fact:
+ kubelet_cgroup_driver: "systemd"
+
+- name: setting node hostname fact
+ set_fact:
+ kubelet_node_hostname: "{% if ansible_domain is defined %}{{
ansible_fqdn }}{% else %}{{ ansible_hostname }}.node.{{ k8s.networking.dnsDomain }}{% endif %}"
+
+- name: base kubelet deploy
+ block:
+ - file:
+ path: "{{ item }}"
+ state: directory
+ with_items:
+ - /etc/kubernetes/
+ - /etc/systemd/system/kubelet.service.d/
+ - /var/lib/kubelet/
+ - name: copying kubelet binary to host
+ copy:
+ src: /opt/assets/usr/bin/kubelet
+ dest: /usr/bin/kubelet
+ owner: root
+ group: root
+ mode: 0555
+ - name: copying base systemd unit to host
+ template:
+ src: kubelet.service.j2
+ dest: /etc/systemd/system/kubelet.service
+ mode: 0640
+ - name: copying kubeadm drop-in systemd unit to host
+ template:
+ src: 10-kubeadm.conf.j2
+ dest: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
+ mode: 0640
+ - name: copying kubelet DNS config to host
+ template:
+ src: kubelet-resolv.conf.j2
+ dest: /etc/kubernetes/kubelet-resolv.conf
+ mode: 0640
+
+- name: base cni support
+ block:
+ - file:
+ path: "{{ item }}"
+ state: directory
+ with_items:
+ - /etc/cni/net.d
+ - /opt/cni/bin
+ - name: copy cni binaries into place
+ copy:
+ src: /opt/assets/opt/cni/bin/{{ item }}
+ dest: /opt/cni/bin/{{ item }}
+ owner: root
+ group: root
+ mode: 0555
+ with_items:
+ - flannel
+ - ptp
+ - host-local
+ - portmap
+ - tuning
+ - vlan
+ - sample
+ - dhcp
+ - ipvlan
+ - macvlan
+ - loopback
+ - bridge
+
+- name: CRI-O runtime config
+ when: kubelet.container_runtime == 'crio'
+ block:
+ - name: copying CRI-O drop-in systemd unit to host
+ template:
+ src: 0-crio.conf.j2
+ dest: /etc/systemd/system/kubelet.service.d/0-crio.conf
+ mode: 0640
+ - name: CRI-O | ensure service is restarted and enabled
+ systemd:
+ name: crio
+ state: restarted
+ enabled: yes
+ masked: no
+
+- name: docker | ensure service is started and enabled
+ when: kubelet.container_runtime == 'docker'
+ systemd:
+ name: docker
+ state: started
+ enabled: yes
+ masked: no
+
+- name: ensure service is restarted and enabled
+ systemd:
+ name: kubelet
+ state: restarted
+ daemon_reload: yes
+ enabled: yes
+ masked: no
diff --git a/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/tasks/main.yaml b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/tasks/main.yaml
new file mode 100644
index 000000000..9302ce0db
--- /dev/null
+++ b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/tasks/main.yaml
@@ -0,0 +1,19 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- include_tasks: support-packages.yaml
+
+- include_tasks: hostname.yaml
+
+- include_tasks: setup-dns.yaml
+
+- include_tasks: kubelet.yaml
diff --git a/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/tasks/setup-dns.yaml b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/tasks/setup-dns.yaml
new file mode 100644
index 000000000..6eb0901e3
--- /dev/null
+++ b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/tasks/setup-dns.yaml
@@ -0,0 +1,49 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: DNS | Check if NetworkManager is being used
+ raw: systemctl status NetworkManager --no-pager
+ register: network_manager_in_use
+ ignore_errors: True
+
+- name: DNS | Disable network NetworkManager management of resolv.conf
+ when: network_manager_in_use | succeeded
+ ini_file:
+ path: /etc/NetworkManager/NetworkManager.conf
+ section: main
+ option: dns
+ value: none
+
+- name: DNS | load new resolv.conf
+ template:
+ unsafe_writes: yes
+ src: resolv.conf.j2
+ dest: /etc/resolv.conf
+
+- name: DNS | Restarting NetworkManager
+ when: network_manager_in_use | succeeded
+ block:
+ - name: DNS | Restarting NetworkManager Service
+ systemd:
+ name: NetworkManager
+ state: restarted
+ daemon_reload: yes
+ enabled: yes
+ masked: no
+ - pause:
+ seconds: 5
+ - name: DNS | Waiting for connectivity to be restored to outside world
+ shell: if ! [[ $(ip -4 route list 0/0 | head -c1 | wc -c) -ne 0 ]]; then exit 1; fi
+ register: task_result
+ until: task_result.rc == 0
+ retries: 120
+ delay: 5
diff --git a/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/tasks/support-packages.yaml b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/tasks/support-packages.yaml
new file mode 100644
index 000000000..d2766bc04
--- /dev/null
+++ b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/tasks/support-packages.yaml
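Review bot: In setup-dns.yaml, `DNS | Waiting for connectivity to be restored to outside world` uses `[[ ... ]]`, a bash construct, while the `shell` module runs `/bin/sh` unless an executable is given. Where `/bin/sh` is dash (Debian and Ubuntu, which the role targets elsewhere), `[[` is not found, the negated test always takes the `exit 1` branch, and the task uses up all 120 retries. The POSIX form `shell: test -n "$(ip -4 route list 0/0)"` checks the same thing; alternatively add `args:` with `executable: /bin/bash`. Separately, `DNS | load new resolv.conf` sets `unsafe_writes: yes` on `/etc/resolv.conf` with no explanation; a one-line comment saying why a non-atomic write is needed there would help.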
@@ -0,0 +1,71 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: centos | installing epel-release
+ when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
+ yum:
+ name: "{{item}}"
+ state: installed
+ with_items:
+ - epel-release
+
+- name: centos | installing SElinux support packages
+ when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
+ yum:
+ name: "{{item}}"
+ state: installed
+ with_items:
+ - libselinux-python
+
+- name: fedora | installing SElinux support packages
+ when: ansible_distribution == 'Fedora'
+ dnf:
+ name: "{{item}}"
+ state: installed
+ with_items:
+ - libselinux-python
+
+- when: kubelet.pv_support_ceph
+ name: installing ceph support packages
+ include_role:
+ name: deploy-package
+ tasks_from: dist
+ vars:
+ packages:
+ deb:
+ - ceph-common
+ rpm:
+ - ceph-common
+
+- when: kubelet.pv_support_nfs
+ name: installing NFS support packages
+ include_role:
+ name: deploy-package
+ tasks_from: dist
+ vars:
+ packages:
+ deb:
+ - nfs-common
+ rpm:
+ - nfs-utils
+
+- name: installing LinuxBridge support
+ when: kubelet.net_support_linuxbridge
+ include_role:
+ name: deploy-package
+ tasks_from: dist
+ vars:
+ packages:
+ deb:
+ - bridge-utils
+ rpm:
+ - bridge-utils
diff --git a/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/templates/0-crio.conf.j2 b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/templates/0-crio.conf.j2
new file mode 100644
index 000000000..52500ed9c
--- /dev/null
+++ b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/templates/0-crio.conf.j2
@@ -0,0 +1,2 @@
+[Service]
+Environment="KUBELET_EXTRA_ARGS=--container-runtime=remote --runtime-request-timeout=15m --image-service-endpoint /var/run/crio.sock --container-runtime-endpoint /var/run/crio.sock"
diff --git a/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/templates/10-kubeadm.conf.j2 b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/templates/10-kubeadm.conf.j2
new file mode 100644
index 000000000..6a557fbf8
--- /dev/null
+++ b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/templates/10-kubeadm.conf.j2
@@ -0,0 +1,11 @@
+[Service]
+Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
+Environment="KUBELET_SYSTEM_PODS_ARGS=--pod-manifest-path=/etc/kubernetes/manifests --allow-privileged=true --cgroup-driver={{ kubelet_cgroup_driver }}"
+Environment="KUBELET_NETWORK_ARGS=--network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin --node-ip={% if kubelet.bind_addr is defined %}{{ kubelet.bind_addr }}{% else %}{% if kubelet.bind_device is defined %}{{ hostvars[inventory_hostname]['ansible_'+kubelet.bind_device].ipv4.address }}{% else %}{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}{% endif %}{% endif %} --hostname-override={{ kubelet_node_hostname }}"
+Environment="KUBELET_DNS_ARGS=--cluster-dns=10.96.0.10 --cluster-domain={{ k8s.networking.dnsDomain }} --resolv-conf=/etc/kubernetes/kubelet-resolv.conf"
+Environment="KUBELET_AUTHZ_ARGS=--authorization-mode=Webhook --client-ca-file=/etc/kubernetes/pki/ca.crt"
+Environment="KUBELET_CADVISOR_ARGS=--cadvisor-port=0"
+Environment="KUBELET_CERTIFICATE_ARGS=--rotate-certificates=true --cert-dir=/var/lib/kubelet/pki"
+#ExecStartPre=-+/sbin/restorecon -v /usr/bin/kubelet #SELinux
+ExecStart=
+ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_SYSTEM_PODS_ARGS $KUBELET_NETWORK_ARGS $KUBELET_DNS_ARGS $KUBELET_AUTHZ_ARGS $KUBELET_CADVISOR_ARGS $KUBELET_CERTIFICATE_ARGS $KUBELET_EXTRA_ARGS
diff --git a/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/templates/kubelet-resolv.conf.j2 b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/templates/kubelet-resolv.conf.j2
new file mode 100644
index 000000000..671726faf
--- /dev/null
+++ b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/templates/kubelet-resolv.conf.j2
@@ -0,0 +1,3 @@
+{% for nameserver in external_dns_nameservers %}
+nameserver {{ nameserver }}
+{% endfor %}
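Review bot: In 10-kubeadm.conf.j2, `KUBELET_DNS_ARGS` hard-codes `--cluster-dns=10.96.0.10`, while the service range is a variable (`k8s.networking.serviceSubnet`, passed to kubeadm in kubeadm-conf.yaml.j2). With any other subnet the kubelet would hand pods a resolver address outside the service range, and resolv.conf.j2 later in this commit repeats the same literal. I would add a variable for the cluster DNS address next to `serviceSubnet` and use it in both templates. Until then, note the coupling in the template, e.g. `# 10.96.0.10 must lie inside k8s.networking.serviceSubnet`.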
diff --git a/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/templates/kubelet.service.j2 b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/templates/kubelet.service.j2
new file mode 100644
index 000000000..eb4519758
--- /dev/null
+++ b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/templates/kubelet.service.j2
@@ -0,0 +1,13 @@
+[Unit]
+Description=kubelet: The Kubernetes Node Agent
+Documentation=http://kubernetes.io/docs/
+
+[Service]
+ExecStartPre=/sbin/swapoff -a
+ExecStart=/usr/bin/kubelet
+Restart=always
+StartLimitInterval=0
+RestartSec=10
+
+[Install]
+WantedBy=multi-user.target
diff --git a/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/templates/resolv.conf.j2 b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/templates/resolv.conf.j2
new file mode 100644
index 000000000..517686a48
--- /dev/null
+++ b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/templates/resolv.conf.j2
@@ -0,0 +1,6 @@
+search svc.{{ k8s.networking.dnsDomain }} {{ k8s.networking.dnsDomain }}
+nameserver 10.96.0.10
+{% for nameserver in external_dns_nameservers %}
+nameserver {{ nameserver }}
+{% endfor %}
+options ndots:5 timeout:1 attempts:1
diff --git a/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-package/tasks/dist.yaml b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-package/tasks/dist.yaml
new file mode 100644
index 000000000..fb721d56c
--- /dev/null
+++ b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-package/tasks/dist.yaml
@@ -0,0 +1,38 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: ubuntu | installing packages
+ become: true
+ become_user: root
+ when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
+ apt:
+ name: "{{item}}"
+ state: present
+ with_items: "{{ packages.deb }}"
+
+- name: centos | installing packages
+ become: true
+ become_user: root
+ when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
+ yum:
+ name: "{{item}}"
+ state: present
+ with_items: "{{ packages.rpm }}"
+
+- name: fedora | installing packages
+ become: true
+ become_user: root
+ when: ansible_distribution == 'Fedora'
+ dnf:
+ name: "{{item}}"
+ state: present
+ with_items: "{{ packages.rpm }}"
diff --git a/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-package/tasks/pip.yaml b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-package/tasks/pip.yaml
new file mode 100644
index 000000000..ff500c552
--- /dev/null
+++ b/tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-package/tasks/pip.yaml
@@ -0,0 +1,7 @@
+
+
+- name: "installing python {{ package }}"
+ become: true
+ become_user: root
+ pip:
+ name: "{{ package }}"
diff --git a/tools/images/kubeadm-aio/assets/opt/playbooks/vars.yaml b/tools/images/kubeadm-aio/assets/opt/playbooks/vars.yaml
new file mode 100644
index 000000000..4fd6eba11
--- /dev/null
+++ b/tools/images/kubeadm-aio/assets/opt/playbooks/vars.yaml
@@ -0,0 +1,48 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+all:
+ vars:
+ my_container_name: null
+ user:
+ uid: null
+ gid: null
+ home: null
+ external_dns_nameservers:
+ - 8.8.8.8
+ - 8.8.4.4
+ cluster:
+ cni: calico
+ kubelet:
+ container_runtime: docker
+ net_support_linuxbridge: true
+ pv_support_ceph: true
+ pv_support_nfs: true
+ bind_device: null
+ helm:
+ tiller_image: gcr.io/kubernetes-helm/tiller:v2.7.0-rc1
+ k8s:
+ kubernetesVersion: v1.8.0
+ imageRepository: gcr.io/google_containers
+ certificatesDir: /etc/kubernetes/pki
+ selfHosted: false
+ api:
+ bindPort: 6443
+ #NOTE(portdirect): The following is a custom key, which resolves the
+ # 'advertiseAddress' key dynamicly.
+ advertiseAddressDevice: null
+ networking:
+ dnsDomain: cluster.local
+ podSubnet: 192.168.0.0/16
+ serviceSubnet: 10.96.0.0/12
diff --git a/tools/images/kubeadm-aio/assets/usr/bin/test-kube-api.py b/tools/images/kubeadm-aio/assets/usr/bin/test-kube-api.py
new file mode 100755
index 000000000..fe0b00d53
--- /dev/null
+++ b/tools/images/kubeadm-aio/assets/usr/bin/test-kube-api.py
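Review bot: `kubernetesVersion: v1.8.0` in vars.yaml disagrees with `KUBE_VERSION=v1.8.1` in tools/pull-images.sh from this same commit, so the images the gate pre-pulls are presumably not the ones kubeadm will request from `imageRepository`. The two values should come from one place, or at least carry a comment such as `# keep in sync with KUBE_VERSION in tools/pull-images.sh`. Separately, `tiller_image` points at a release-candidate tag (`v2.7.0-rc1`) and every image here is referenced by mutable tag only. For a component that runs with cluster-admin rights I would pin a final release and, where the registry allows it, a digest.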
@@ -0,0 +1,21 @@
+#!/usr/bin/env python
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from kubernetes import client, config
+config.load_kube_config()
+# create an instance of the API class
+api_instance = client.VersionApi()
+api_instance.get_code()
diff --git a/tools/images/kubeadm-aio/assets/usr/bin/test-kube-pods-ready b/tools/images/kubeadm-aio/assets/usr/bin/test-kube-pods-ready
new file mode 100755
index 000000000..973703b63
--- /dev/null
+++ b/tools/images/kubeadm-aio/assets/usr/bin/test-kube-pods-ready
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+NAMESPACE=$1
+
+kubectl get pods --namespace=${NAMESPACE} -o json | jq -r \
+ '.items[].status.phase' | grep Pending > /dev/null && \
+ PENDING=True || PENDING=False
+
+query='.items[]|select(.status.phase=="Running")'
+query="$query|.status.containerStatuses[].ready"
+kubectl get pods --namespace=${NAMESPACE} -o json | jq -r "$query" | \
+ grep false > /dev/null && READY="False" || READY="True"
+
+kubectl get jobs -o json --namespace=${NAMESPACE} | jq -r \
+ '.items[] | .spec.completions == .status.succeeded' | \
+ grep false > /dev/null && JOBR="False" || JOBR="True"
+[ $PENDING == "False" -a $READY == "True" -a $JOBR == "True" ] && \
+ exit 0 || exit 1
diff --git a/tools/pull-images.sh b/tools/pull-images.sh
new file mode 100755
index 000000000..837333796
--- /dev/null
+++ b/tools/pull-images.sh
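Review bot: The readiness check in test-kube-pods-ready fails open when `kubectl` itself fails. In each of the three pipelines an unreachable API or bad kubeconfig leaves jq with no input, grep matches nothing, and the `&& ... ||` chain sets PENDING=False, READY=True and JOBR=True, so the script exits 0 and reports a cluster it never inspected as ready. `set -e` does not catch this, because the pipeline's status is grep's and it is consumed by the `&&`/`||` list. Capture the JSON first so a kubectl error stops the script, e.g. `PODS_JSON=$(kubectl get pods --namespace="${NAMESPACE}" -o json)` and then feed `"$PODS_JSON"` to jq (likewise for jobs). I would also reject a missing argument with `NAMESPACE=${1:?namespace required}`, since `$1` and `${NAMESPACE}` are unquoted and unchecked throughout.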
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -x
+KUBE_VERSION=v1.8.1
+KUBE_IMAGES="gcr.io/google_containers/hyperkube-amd64:${KUBE_VERSION}
+gcr.io/google_containers/kube-apiserver-amd64:${KUBE_VERSION}
+gcr.io/google_containers/kube-controller-manager-amd64:${KUBE_VERSION}
+gcr.io/google_containers/kube-proxy-amd64:${KUBE_VERSION}
+gcr.io/google_containers/kube-scheduler-amd64:${KUBE_VERSION}
+gcr.io/google_containers/pause-amd64:3.0
+gcr.io/google_containers/etcd-amd64:3.0.17"
+
+CHART_IMAGES=""
+for CHART_DIR in ./*/ ; do
+ if [ -e ${CHART_DIR}values.yaml ]; then
+ CHART_IMAGES+=" $(cat ${CHART_DIR}values.yaml | yq '.images.tags | map(.) | join(" ")' | tr -d '"')"
+ fi
+done
+ALL_IMAGES="${KUBE_IMAGES} ${CHART_IMAGES}"
+
+for IMAGE in ${ALL_IMAGES}; do
+ docker inspect $IMAGE >/dev/null|| docker pull $IMAGE
+done
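Review bot: A failed `docker pull` in the final loop of pull-images.sh goes unnoticed, because the script enables only `set -x`; the loop carries on and the exit status reflects the last image alone. A gate that depends on pre-pulled images would then start with some missing and fail later for a less obvious reason. I would use `set -ex` and quote the expansion: `docker inspect "$IMAGE" >/dev/null || docker pull "$IMAGE"`. The same quoting applies to `[ -e "${CHART_DIR}values.yaml" ]`, and `yq` can read the file directly instead of through `cat`. The image references here are tag-only, so what gets pulled can change between runs; a comment saying so, or digests for the control-plane images, would make that explicit.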