387 lines
13 KiB
YAML
387 lines
13 KiB
YAML
---
|
|
#
|
|
# Copyright (c) 2019 Wind River Systems, Inc.
|
|
#
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
#
|
|
# SUB-TASKS DESCRIPTION:
|
|
# Bring up Kubernetes master
|
|
# - Update iptables
|
|
# - Create manifest directory
|
|
# - Enable kubelet service (with default/custom registry)
|
|
# - Run kubeadm init
|
|
# - Prepare admin.conf
|
|
# - Set k8s environment variable for new shell
|
|
# - Prepare Calico config and activate Calico networking
|
|
# - Prepare Multus config and activate Multus networking
|
|
# - Prepare SRIOV config and activate SRIOV networking
|
|
# - Prepare SRIOV device plugin config and activate SRIOV device plugin
|
|
# - Restore Helm charts if the host is bootstrapped in restore mode
|
|
# - Prepare and apply coredns config
|
|
# - Restrict coredns to master node and set anti-affnity (duplex system)
|
|
# - Restrict coredns to 1 pod (simplex system)
|
|
# - Remove taint from master node
|
|
# - Add kubelet service override
|
|
# - Register kubelet with pmond
|
|
# - Reload systemd
|
|
#
|
|
|
|
- name: Setup iptables for Kubernetes
|
|
lineinfile:
|
|
path: /etc/sysctl.d/k8s.conf
|
|
line: "{{ item }}"
|
|
create: yes
|
|
with_items:
|
|
- net.bridge.bridge-nf-call-ip6tables = 1
|
|
- net.bridge.bridge-nf-call-iptables = 1
|
|
- net.ipv4.ip_forward = 1
|
|
- net.ipv4.conf.default.rp_filter = 0
|
|
- net.ipv4.conf.all.rp_filter = 0
|
|
- net.ipv6.conf.all.forwarding = 1
|
|
|
|
- name: Update kernel parameters for iptables
|
|
command: sysctl --system &>/dev/null
|
|
|
|
- name: Create manifests directory required by kubelet
|
|
file:
|
|
path: /etc/kubernetes/manifests
|
|
state: directory
|
|
mode: 0700
|
|
|
|
- name: Clear pki directory for kubernetes certificates
|
|
file:
|
|
path: "{{ kubeadm_pki_dir }}"
|
|
state: absent
|
|
|
|
- name: Setup dictionary of kubernetes certificates to install
|
|
set_fact:
|
|
k8s_pki_files: { ca.crt: "{{k8s_root_ca_cert}}", ca.key: "{{k8s_root_ca_key}}" }
|
|
when: (k8s_root_ca_cert)
|
|
|
|
- block:
|
|
- name: Create pki directory for kubernetes certificates
|
|
file:
|
|
path: "{{ kubeadm_pki_dir }}"
|
|
state: directory
|
|
mode: 0700
|
|
|
|
- name: Copy kubernetes certificates
|
|
copy:
|
|
src: "{{ item.value }}"
|
|
dest: "{{ kubeadm_pki_dir }}/{{item.key}}"
|
|
with_dict: "{{ k8s_pki_files }}"
|
|
|
|
when: k8s_pki_files is defined and mode == 'bootstrap'
|
|
|
|
- name: Set kubelet node configuration
|
|
set_fact:
|
|
node_ip: "{{ controller_0_cluster_host }}"
|
|
|
|
- name: Create kubelet override config file
|
|
template:
|
|
src: "kubelet.conf.j2"
|
|
dest: /etc/sysconfig/kubelet
|
|
|
|
- name: Enable kubelet
|
|
systemd:
|
|
name: kubelet
|
|
enabled: yes
|
|
|
|
- name: Create kube api server encryption provider config file
|
|
vars:
|
|
aescbc_keys:
|
|
- name: key1
|
|
secret: "{{ lookup('password', '/dev/null chars=ascii_letters length=16') | b64encode }}"
|
|
template:
|
|
src: "encryption-provider.yaml.j2"
|
|
dest: "{{ encryption_provider_config }}"
|
|
mode: 0600
|
|
when: mode == 'bootstrap'
|
|
|
|
- name: Create Kube admin yaml
|
|
copy:
|
|
src: roles/common/files/kubeadm.yaml.erb
|
|
dest: /etc/kubernetes/kubeadm.yaml
|
|
|
|
- name: Set loopback ip for kubeadm configuration
|
|
set_fact:
|
|
loopback_ip: "{{ '127.0.0.1' if ipv6_addressing == False else '::1' }}"
|
|
|
|
- name: Set apiserver SAN list
|
|
set_fact:
|
|
apiserver_cert_list: "{{ [ cluster_floating_address, loopback_ip ] + apiserver_cert_sans + OAM_addresses}}"
|
|
|
|
- name: Update Kube admin yaml with network info
|
|
command: "{{ item }}"
|
|
args:
|
|
warn: false
|
|
with_items:
|
|
- "sed -i -e 's|<%= @apiserver_advertise_address %>|'$APISERVER_ADVERTISE_ADDRESS'|g' /etc/kubernetes/kubeadm.yaml"
|
|
- "sed -i -e 's|<%= @controlplane_endpoint %>|'$CONTROLPLANE_ENDPOINT'|g' /etc/kubernetes/kubeadm.yaml"
|
|
- "sed -i -e 's|<%= @etcd_endpoint %>|'$ETCD_ENDPOINT'|g' /etc/kubernetes/kubeadm.yaml"
|
|
- "sed -i -e 's|<%= @service_domain %>|'cluster.local'|g' /etc/kubernetes/kubeadm.yaml"
|
|
- "sed -i -e 's|<%= @pod_network_cidr %>|'$POD_NETWORK_CIDR'|g' /etc/kubernetes/kubeadm.yaml"
|
|
- "sed -i -e 's|<%= @service_network_cidr %>|'$SERVICE_NETWORK_CIDR'|g' /etc/kubernetes/kubeadm.yaml"
|
|
- "sed -i -e 's|<%= @ctrl_mgr_flex_vol_plugin_dir %>|'$VOLUME_PLUGIN_DIR'|g' /etc/kubernetes/kubeadm.yaml"
|
|
environment:
|
|
APISERVER_ADVERTISE_ADDRESS: "{{ controller_0_cluster_host }}"
|
|
CONTROLPLANE_ENDPOINT: "{{ cluster_floating_address }}"
|
|
ETCD_ENDPOINT: "http://{{ cluster_floating_address | ipwrap }}:2379"
|
|
POD_NETWORK_CIDR: "{{ cluster_pod_subnet }}"
|
|
SERVICE_NETWORK_CIDR: "{{ cluster_service_subnet }}"
|
|
VOLUME_PLUGIN_DIR: "{{ kubelet_vol_plugin_dir }}"
|
|
|
|
- name: Add apiserver certificate SANs to kubeadm
|
|
replace:
|
|
path: /etc/kubernetes/kubeadm.yaml
|
|
regexp: "^<% @apiserver_certsans(.*[\n])*?<% end -%>"
|
|
replace: "{{ apiserver_cert_list | to_nice_yaml(width=512) | indent(2, indentfirst=True) }}"
|
|
|
|
- name: Update Kube admin yaml with OpenID Connect client-id, issuer-url, and username-claim
|
|
command: "{{ item }}"
|
|
args:
|
|
warn: false
|
|
with_items:
|
|
- "sed -i -e 's|<%= @apiserver_oidc_client_id %>|'$OIDC_CLIENT_ID'|g' /etc/kubernetes/kubeadm.yaml"
|
|
- "sed -i -e 's|<%= @apiserver_oidc_issuer_url %>|'$OIDC_ISSUER_URL'|g' /etc/kubernetes/kubeadm.yaml"
|
|
- "sed -i -e 's|<%= @apiserver_oidc_username_claim %>|'$OIDC_USERNAME_CLAIM'|g' /etc/kubernetes/kubeadm.yaml"
|
|
environment:
|
|
OIDC_CLIENT_ID: "{{ apiserver_oidc.client_id }}"
|
|
OIDC_ISSUER_URL: "{{ apiserver_oidc.issuer_url }}"
|
|
OIDC_USERNAME_CLAIM: "{{ apiserver_oidc.username_claim }}"
|
|
when: apiserver_oidc | length == 3 or apiserver_oidc | length == 4
|
|
|
|
- name: Update Kube admin yaml with OpenID Connect client-id, issuer-url, and username-claim
|
|
command: "{{ item }}"
|
|
args:
|
|
warn: false
|
|
with_items:
|
|
- "sed -i -e 's|<%= @apiserver_oidc_groups_claim %>|'$OIDC_GROUPS_CLAIM'|g' /etc/kubernetes/kubeadm.yaml"
|
|
environment:
|
|
OIDC_GROUPS_CLAIM: "{{ apiserver_oidc.groups_claim }}"
|
|
when: apiserver_oidc | length == 4
|
|
|
|
- name: Delete Kube admin yaml OpenID Connect entries if required config parameters are not present
|
|
command: "{{ item }}"
|
|
args:
|
|
warn: false
|
|
with_items:
|
|
- "sed -i -e '/<%= @apiserver_oidc_client_id %>/d' /etc/kubernetes/kubeadm.yaml"
|
|
- "sed -i -e '/<%= @apiserver_oidc_issuer_url %>/d' /etc/kubernetes/kubeadm.yaml"
|
|
- "sed -i -e '/<%= @apiserver_oidc_username_claim %>/d' /etc/kubernetes/kubeadm.yaml"
|
|
- "sed -i -e '/<%= @apiserver_oidc_groups_claim %>/d' /etc/kubernetes/kubeadm.yaml"
|
|
when: apiserver_oidc | length == 0
|
|
|
|
- name: Delete Kube admin yaml Dex entries if required config parameters are not present
|
|
command: "{{ item }}"
|
|
args:
|
|
warn: false
|
|
with_items:
|
|
- "sed -i -e '/<%= @apiserver_oidc_groups_claim %>/d' /etc/kubernetes/kubeadm.yaml"
|
|
when: apiserver_oidc | length == 3
|
|
|
|
- name: Update Kube admin yaml with encryption provider config flag
|
|
command: "{{ item }}"
|
|
args:
|
|
warn: false
|
|
with_items:
|
|
- "sed -i -e 's|<%= @apiserver_encryption_provider_config %>|'$ENCRYPTION_PROVIDER_CONFIG'|g'
|
|
/etc/kubernetes/kubeadm.yaml"
|
|
environment:
|
|
ENCRYPTION_PROVIDER_CONFIG: "{{ encryption_provider_config }}"
|
|
|
|
- name: Set Calico cluster configuration
|
|
set_fact:
|
|
cluster_network_ipv4: "{{ cluster_pod_subnet | ipv4 }}"
|
|
cluster_network_ipv6: "{{ cluster_pod_subnet | ipv6 }}"
|
|
|
|
- name: Create Calico config file
|
|
template:
|
|
src: "k8s-{{ kubernetes_version }}/calico-cni.yaml.j2"
|
|
dest: /etc/kubernetes/calico.yaml
|
|
|
|
- name: Create Multus config file
|
|
template:
|
|
src: "k8s-{{ kubernetes_version }}/multus-cni.yaml.j2"
|
|
dest: /etc/kubernetes/multus.yaml
|
|
|
|
- name: Create SRIOV Networking config file
|
|
template:
|
|
src: "k8s-{{ kubernetes_version }}/sriov-cni.yaml.j2"
|
|
dest: /etc/kubernetes/sriov-cni.yaml
|
|
|
|
- name: Create SRIOV device plugin config file
|
|
template:
|
|
src: "k8s-{{ kubernetes_version }}/sriov-plugin.yaml.j2"
|
|
dest: /etc/kubernetes/sriovdp-daemonset.yaml
|
|
|
|
- name: Create coredns config file
|
|
template:
|
|
src: "coredns.yaml.j2"
|
|
dest: /etc/kubernetes/coredns.yaml
|
|
|
|
- block:
|
|
- name: Restore kubernetes certificates
|
|
shell: tar -C / --overwrite -xpf {{ target_backup_dir }}/{{ backup_filename }} {{ item }}
|
|
args:
|
|
warn: false
|
|
with_items:
|
|
- "{{ kubeadm_pki_dir | regex_replace('^\\/', '') }}"
|
|
become_user: root
|
|
|
|
- name: Restore encryption provider config
|
|
shell: tar -C / --overwrite -xpf {{ target_backup_dir }}/{{ backup_filename }} {{ item }}
|
|
args:
|
|
warn: false
|
|
with_items:
|
|
- "{{ encryption_provider_config | regex_replace('^\\/', '') }}"
|
|
become_user: root
|
|
|
|
- name: Restore etcd database
|
|
import_tasks: restore_etcd.yml
|
|
|
|
when: mode == 'restore'
|
|
|
|
- name: Initializing Kubernetes master
|
|
command: kubeadm init --ignore-preflight-errors=DirAvailable--var-lib-etcd --config=/etc/kubernetes/kubeadm.yaml
|
|
|
|
- name: Update kube admin.conf file mode and owner
|
|
file:
|
|
path: /etc/kubernetes/admin.conf
|
|
mode: 0640
|
|
group: sys_protected
|
|
|
|
- name: Set up k8s environment variable
|
|
copy:
|
|
src: /usr/share/puppet/modules/platform/files/kubeconfig.sh
|
|
dest: /etc/profile.d/kubeconfig.sh
|
|
remote_src: yes
|
|
|
|
- block:
|
|
- name: Patch pull secret into kube-proxy service account
|
|
command: >
|
|
kubectl --kubeconfig=/etc/kubernetes/admin.conf patch serviceaccount
|
|
kube-proxy -p '{"imagePullSecrets": [{"name": "registry-local-secret"}]}' -n kube-system
|
|
|
|
- name: Find old local registry secret
|
|
shell: "kubectl --kubeconfig=/etc/kubernetes/admin.conf get secrets -n kube-system |
|
|
grep registry-local-secret | awk '{print $1}'"
|
|
register: old_local_registry_secret
|
|
|
|
- name: Delete old local registry secret
|
|
shell: "kubectl --kubeconfig=/etc/kubernetes/admin.conf delete secret -n kube-system registry-local-secret"
|
|
when: old_local_registry_secret.stdout
|
|
|
|
- name: Create local registry pull secret
|
|
command: "kubectl --kubeconfig=/etc/kubernetes/admin.conf create secret docker-registry registry-local-secret
|
|
--docker-server={{ local_registry }} --docker-username={{ local_registry_credentials['username'] }}
|
|
--docker-password={{ local_registry_credentials['password'] }} -n kube-system"
|
|
|
|
- name: Activate Calico Networking
|
|
command: "kubectl --kubeconfig=/etc/kubernetes/admin.conf apply -f /etc/kubernetes/calico.yaml"
|
|
|
|
- name: Activate Multus Networking
|
|
command: "kubectl --kubeconfig=/etc/kubernetes/admin.conf apply -f /etc/kubernetes/multus.yaml"
|
|
|
|
- name: Activate SRIOV Networking
|
|
command: "kubectl --kubeconfig=/etc/kubernetes/admin.conf apply -f /etc/kubernetes/sriov-cni.yaml"
|
|
|
|
- name: Activate SRIOV device plugin
|
|
command: "kubectl --kubeconfig=/etc/kubernetes/admin.conf apply -f /etc/kubernetes/sriovdp-daemonset.yaml"
|
|
|
|
- name: Apply coredns config
|
|
command: "kubectl --kubeconfig=/etc/kubernetes/admin.conf apply -f /etc/kubernetes/coredns.yaml"
|
|
|
|
# Restrict coredns to master node and use anti-affinity for core dns for duplex systems
|
|
- block:
|
|
- name: Restrict coredns to master node
|
|
command: >-
|
|
kubectl --kubeconfig=/etc/kubernetes/admin.conf -n kube-system patch deployment coredns -p
|
|
'{"spec":{"template":{"spec":{"nodeSelector":{"node-role.kubernetes.io/master":""}}}}}'
|
|
|
|
- name: Use anti-affinity for coredns pods
|
|
command: >-
|
|
kubectl --kubeconfig=/etc/kubernetes/admin.conf -n kube-system patch deployment coredns -p
|
|
'{"spec":{"template":{"spec":{"affinity":{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchExpressions":[{"key":"k8s-app","operator":"In","values":["kube-dns"]}]},"topologyKey":"kubernetes.io/hostname"}]}}}}}}'
|
|
when: system_mode != 'simplex'
|
|
|
|
- name: Restrict coredns to 1 pod for simplex
|
|
command: kubectl --kubeconfig=/etc/kubernetes/admin.conf -n kube-system scale --replicas=1 deployment coredns
|
|
when: system_mode == 'simplex'
|
|
|
|
when: mode == 'bootstrap'
|
|
|
|
- name: Remove taint from master node
|
|
shell: "kubectl --kubeconfig=/etc/kubernetes/admin.conf taint node controller-0 node-role.kubernetes.io/master- || true"
|
|
|
|
- block:
|
|
- name: Applying kubernetes plugins
|
|
include_role:
|
|
name: bootstrap/plugins
|
|
tasks_from: "{{ item }}"
|
|
with_items: "{{ k8s_plugins }}"
|
|
|
|
- name: Create kube plugin list file
|
|
copy:
|
|
content: "{{ k8s_plugins }}"
|
|
dest: "{{ config_permdir }}/enabled_kube_plugins"
|
|
mode: 0640
|
|
group: sys_protected
|
|
when: k8s_plugins and mode == 'bootstrap'
|
|
|
|
- name: Add kubelet service override
|
|
copy:
|
|
src: "{{ kubelet_override_template }}"
|
|
dest: /etc/systemd/system/kubelet.service.d/kube-stx-override.conf
|
|
mode: preserve
|
|
remote_src: yes
|
|
|
|
- name: Register kubelet with pmond
|
|
copy:
|
|
src: "{{ kubelet_pmond_template }}"
|
|
dest: /etc/pmon.d/kubelet.conf
|
|
mode: preserve
|
|
remote_src: yes
|
|
|
|
- name: Reload systemd
|
|
command: systemctl daemon-reload
|
|
|
|
- name: Create persistent certificate directory
|
|
file:
|
|
path: "{{ config_permdir }}/kubernetes/pki/"
|
|
state: directory
|
|
mode: 0700
|
|
|
|
- name: Copy certificates
|
|
copy:
|
|
src: "{{ kubeadm_pki_dir }}/{{ item }}"
|
|
dest: "{{ config_permdir }}/kubernetes/pki/"
|
|
remote_src: yes
|
|
force: yes
|
|
mode: 0700
|
|
with_items:
|
|
- ca.crt
|
|
- ca.key
|
|
- sa.pub
|
|
- sa.key
|
|
- front-proxy-ca.crt
|
|
- front-proxy-ca.key
|
|
|
|
- name: Copy kube api server encryption provider config
|
|
copy:
|
|
src: "{{ encryption_provider_config }}"
|
|
dest: "{{ config_permdir }}/kubernetes/"
|
|
remote_src: yes
|
|
force: yes
|
|
mode: 0400
|
|
|
|
- name: Apply pod security policy
|
|
command: >
|
|
kubectl --kubeconfig=/etc/kubernetes/admin.conf apply -f
|
|
{{ psp_file }}
|
|
|
|
- name: Mark Kubernetes config complete
|
|
file:
|
|
path: /etc/platform/.initial_k8s_config_complete
|
|
state: touch
|