MAAS support for pod mobility

Upgrades to the MAAS chart to allow for the Pods
running the rack and region services to work across
all control plane hosts.

Change-Id: I84c856599a1122a2b4a64242a7cea357887b0462
Scott Hussey
2018-09-05 15:54:37 -05:00
committed by Crank, Daniel (dc6350)
parent d1d5b88d3d
commit 74af40376b
20 changed files with 633 additions and 72 deletions


@@ -16,9 +16,6 @@ limitations under the License.
*/}}
{{- if .Values.manifests.rack_deployment }}
{{- if empty .Values.conf.maas.url.maas_url -}}
{{- tuple "maas_region_ui" "default" "region_ui" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.maas.url "maas_url" | quote | trunc 0 -}}
{{- end -}}
{{- $envAll := . }}
{{- $serviceAccountName := "maas-rack" }}
{{- $mounts_maas_rack := .Values.pod.mounts.maas_rack }}
@@ -26,6 +23,125 @@ limitations under the License.
{{ tuple $envAll "rack_controller" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: {{ $serviceAccountName }}
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- nodes
- pods
- secrets
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- "extensions"
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- "extensions"
resources:
- ingresses/status
verbs:
- update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: {{ $serviceAccountName }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ $serviceAccountName }}
subjects:
- kind: ServiceAccount
name: {{ $serviceAccountName }}
namespace: {{ $envAll.Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: {{ $serviceAccountName }}
namespace: {{ $envAll.Release.Namespace }}
rules:
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
- {{ printf "%s-maas-ingress" .Release.Name | quote }}
verbs:
- get
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
- create
- update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: {{ $serviceAccountName }}
namespace: {{ $envAll.Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ $serviceAccountName }}
subjects:
- kind: ServiceAccount
name: {{ $serviceAccountName }}
namespace: {{ $envAll.Release.Namespace }}
---
---
apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
@@ -47,21 +163,107 @@ spec:
spec:
serviceAccountName: {{ $serviceAccountName }}
affinity:
{{ tuple $envAll "maas" "rack" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
{{- tuple $envAll "maas" "rack" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector:
{{ .Values.labels.rack.node_selector_key }}: {{ .Values.labels.rack.node_selector_value }}
hostNetwork: true
dnsPolicy: ClusterFirst
dnsPolicy: ClusterFirstWithHostNet
initContainers:
{{ tuple $envAll "rack_controller" $mounts_maas_rack_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
- name: maas-ingress-vip-init
image: {{ .Values.images.tags.ingress }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.maas_ingress_vip | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
capabilities:
add:
- 'NET_ADMIN'
- 'SYS_MODULE'
runAsUser: 0
command:
- /tmp/maas-vip-configure.sh
- start
env:
{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.network.maas_ingress | indent 12 }}
volumeMounts:
- mountPath: /tmp/maas-vip-configure.sh
name: maas-bin
subPath: maas-vip-configure
readOnly: true
- mountPath: /mnt/host-rootfs
name: host-rootfs
readOnly: true
containers:
- name: maas-ingress-vip
image: {{ .Values.images.tags.ingress }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.maas_ingress_vip | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
capabilities:
add:
- 'NET_ADMIN'
runAsUser: 0
command:
- /tmp/maas-vip-configure.sh
- sleep
env:
{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.network.maas_ingress | indent 12 }}
volumeMounts:
- mountPath: /tmp/maas-vip-configure.sh
name: maas-bin
subPath: maas-vip-configure
readOnly: true
lifecycle:
preStop:
exec:
command:
- /tmp/maas-vip-configure.sh
- stop
- name: maas-ingress
image: {{ .Values.images.tags.ingress }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.maas_ingress | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
capabilities:
add:
- 'NET_BIND_SERVICE'
runAsUser: 0
command:
- /tmp/maas-ingress.sh
- start
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: RELEASE_NAME
value: {{ .Release.Name | quote }}
- name: HTTP_PORT
value: "8808"
- name: HTTPS_PORT
value: "8543"
- name: HEALTHZ_PORT
value: {{ tuple "maas_ingress" "podport" "healthz" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
- name: STATUS_PORT
value: {{ tuple "maas_ingress" "podport" "status" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
- name: ERROR_PAGE_SERVICE
value: {{ tuple "maas_ingress" "error_pages" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" | quote }}
volumeMounts:
- mountPath: /tmp/maas-ingress.sh
name: maas-bin
subPath: maas-ingress
readOnly: true
- name: maas-rack
image: {{ .Values.images.tags.maas_rack }}
imagePullPolicy: {{ .Values.images.pull_policy }}
tty: true
env:
- name: MAAS_ENDPOINT
value: {{ .Values.conf.maas.url.maas_url }}
value: {{ tuple "maas_region" "public" "region_api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
- name: MAAS_REGION_SECRET
valueFrom:
secretKeyRef:
@@ -108,6 +310,10 @@ spec:
mountPath: /var/lib/maas
subPath: home
readOnly: false
- name: maas-etc
mountPath: /etc/nsswitch.conf
subPath: nsswitch.conf
readOnly: true
{{- if .Values.manifests.secret_ssh_key }}
- name: priv-key
subPath: PRIVATE_KEY
@@ -118,6 +324,9 @@ spec:
- name: host-sys-fs-cgroup
hostPath:
path: /sys/fs/cgroup
- name: host-rootfs
hostPath:
path: /
- name: pod-run
emptyDir: {}
- name: pod-run-lock
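Review bot: The first rule of the new ClusterRole grants `list` and `watch` on `secrets` (along with `configmaps`, `endpoints` and `pods`) in every namespace, and the ClusterRoleBinding hands that to the `maas-rack` service account that the whole rack pod runs under. With `hostNetwork: true` and several root containers sharing that account, a compromise of any one of them would expose every Secret in the cluster, not just the MAAS ones. If the ingress controller started by `maas-ingress.sh` only has to serve the release namespace (the script is not visible here, so this needs confirming), move the namespaced resources out of the ClusterRole by adding `- list` and `- watch` to the first rule of the namespaced Role, and keep only `nodes` cluster-wide. Separately, in the StatefulSet hunk the `maas-ingress-vip-init` container runs as uid 0 with `SYS_MODULE` and a hostPath mount of `/`. If the script only needs to load kernel modules, mounting just the host's module directory read-only would be a much narrower grant, and a comment beside the `host-rootfs` volume should say why the mount is needed.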