From 0753fb921eb9e09c48eed98fddd056ea689e5411 Mon Sep 17 00:00:00 2001 From: Egor Guz Date: Sat, 28 Nov 2015 14:25:11 -0800 Subject: [PATCH] Move Kubernetes proxy to the container Move Kubernetes proxy to the container Change-Id: Ia3503ba6087f6a18ffea5d9387388a6c42a16f86 Partially-Implements: blueprint run-kube-as-container --- .../fragments/configure-kubernetes-minion.sh | 4 +- .../fragments/enable-kube-proxy-master.sh | 41 ++++++++++++++ .../fragments/enable-kube-proxy-minion.sh | 56 +++++++++++++++++++ .../fragments/enable-services-master.sh | 2 +- .../fragments/enable-services-minion.sh | 2 +- magnum/templates/kubernetes/kubemaster.yaml | 7 +++ magnum/templates/kubernetes/kubeminion.yaml | 7 +++ 7 files changed, 115 insertions(+), 4 deletions(-) create mode 100644 magnum/templates/kubernetes/fragments/enable-kube-proxy-master.sh create mode 100644 magnum/templates/kubernetes/fragments/enable-kube-proxy-minion.sh diff --git a/magnum/templates/kubernetes/fragments/configure-kubernetes-minion.sh b/magnum/templates/kubernetes/fragments/configure-kubernetes-minion.sh index 00f9392c40..3901f0bc4f 100644 --- a/magnum/templates/kubernetes/fragments/configure-kubernetes-minion.sh +++ b/magnum/templates/kubernetes/fragments/configure-kubernetes-minion.sh @@ -20,12 +20,12 @@ sed -i ' /^KUBE_MASTER=/ s|=.*|="--master='"$KUBE_MASTER_URI"'"| ' /etc/kubernetes/config -KUBELET_ARGS="--cadvisor-port=4194 $KUBE_CONFIG" +KUBELET_ARGS="--config=/etc/kubernetes/manifests --cadvisor-port=4194 ${KUBE_CONFIG}" sed -i ' /^KUBELET_ADDRESS=/ s/=.*/="--address=0.0.0.0"/ /^KUBELET_HOSTNAME=/ s/=.*/=""/ /^KUBELET_API_SERVER=/ s|=.*|="--api_servers='"$KUBE_MASTER_URI"'"| - /^KUBELET_ARGS=/ s|=.*|='"$KUBELET_ARGS"'| + /^KUBELET_ARGS=/ s|=.*|='"${KUBELET_ARGS}"'| ' /etc/kubernetes/kubelet sed -i ' diff --git a/magnum/templates/kubernetes/fragments/enable-kube-proxy-master.sh b/magnum/templates/kubernetes/fragments/enable-kube-proxy-master.sh new file mode 100644 index 0000000000..096e34b64a 
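Review bot: Adding `--config=/etc/kubernetes/manifests` to `KUBELET_ARGS` makes the kubelet run every pod manifest that appears in that directory, and the manifests this patch writes there are privileged with host networking, so write access to the directory becomes equivalent to root on the node. The new fragments create it with a bare `mkdir -p`, which inherits whatever umask the boot script runs with. I would set ownership and mode explicitly, e.g. `install -d -m 0755 -o root -g root /etc/kubernetes/manifests`, and add a comment such as `# kubelet runs every manifest in this directory; keep it root-owned and not group/world-writable`. This hunk changes only the minion's kubelet arguments; the master's kubelet configuration is not part of the patch, so the master fragment presumably relies on an earlier change having set the same flag there.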
--- /dev/null
+++ b/magnum/templates/kubernetes/fragments/enable-kube-proxy-master.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+. /etc/sysconfig/heat-params
+
+function init_templates {
+ local TEMPLATE=/etc/kubernetes/manifests/kube-proxy.yaml
+ [ -f ${TEMPLATE} ] || {
+ echo "TEMPLATE: $TEMPLATE"
+ mkdir -p $(dirname ${TEMPLATE})
+ cat << EOF > ${TEMPLATE}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: kube-proxy
+ namespace: kube-system
+spec:
+ hostNetwork: true
+ containers:
+ - name: kube-proxy
+ image: gcr.io/google_containers/hyperkube:v1.0.6
+ command:
+ - /hyperkube
+ - proxy
+ - --master=http://127.0.0.1:8080
+ - --logtostderr=true
+ - --v=0
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - mountPath: /etc/ssl/certs
+ name: ssl-certs-host
+ readOnly: true
+ volumes:
+ - hostPath:
+ path: /etc/ssl/certs
+ name: ssl-certs-host
+EOF
+ }
+}
+
+init_templates
diff --git a/magnum/templates/kubernetes/fragments/enable-kube-proxy-minion.sh b/magnum/templates/kubernetes/fragments/enable-kube-proxy-minion.sh
new file mode 100644
index 0000000000..9b9f4c1c80
--- /dev/null
+++ b/magnum/templates/kubernetes/fragments/enable-kube-proxy-minion.sh
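Review bot: The kube-proxy image is referenced by a mutable tag, `gcr.io/google_containers/hyperkube:v1.0.6`, in a pod that runs with `privileged: true` and `hostNetwork: true`, so whatever the registry serves under that tag at boot time gets full control of the node. Pinning by digest (`image: gcr.io/google_containers/hyperkube@sha256:<digest-placeholder>`), or at least taking the image reference from a Heat parameter, would make the deployed version auditable and changeable without editing the fragment; the same line appears in enable-kube-proxy-minion.sh. Separately, the `[ -f ${TEMPLATE} ] ||` guard means an existing kube-proxy.yaml is never rewritten, so a stale or locally modified manifest survives a re-run; a comment stating that this is intentional would help, and `${TEMPLATE}` should be quoted in the test, the `mkdir` and the redirection.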
@@ -0,0 +1,56 @@ +#!/bin/sh + +. /etc/sysconfig/heat-params + +function init_templates { + local KUBE_PROTOCOL="https" + local KUBE_CONFIG="/srv/kubernetes/kubeconfig.yaml" + if [ "${TLS_DISABLED}" == "True" ]; then + KUBE_PROTOCOL="http" + KUBE_CONFIG= + fi + + local MASTER="${KUBE_PROTOCOL}://${KUBE_MASTER_IP}:${KUBE_API_PORT}" + local TEMPLATE=/etc/kubernetes/manifests/kube-proxy.yaml + [ -f ${TEMPLATE} ] || { + echo "TEMPLATE: $TEMPLATE" + mkdir -p $(dirname ${TEMPLATE}) + cat << EOF > ${TEMPLATE} +apiVersion: v1 +kind: Pod +metadata: + name: kube-proxy + namespace: kube-system +spec: + hostNetwork: true + containers: + - name: kube-proxy + image: gcr.io/google_containers/hyperkube:v1.0.6 + command: + - /hyperkube + - proxy + - --master=${MASTER} + - --kubeconfig=${KUBE_CONFIG} + - --logtostderr=true + - --v=0 + securityContext: + privileged: true + volumeMounts: + - mountPath: /etc/ssl/certs + name: ssl-certs-host + readOnly: true + - mountPath: /srv/kubernetes + name: "srv-kube" + readOnly: true + volumes: + - hostPath: + path: /etc/ssl/certs + name: ssl-certs-host + - hostPath: + path: "/srv/kubernetes" + name: "srv-kube" +EOF + } +} + +init_templates diff --git a/magnum/templates/kubernetes/fragments/enable-services-master.sh b/magnum/templates/kubernetes/fragments/enable-services-master.sh index d80612e3db..cc13a02c15 100644 --- a/magnum/templates/kubernetes/fragments/enable-services-master.sh +++ b/magnum/templates/kubernetes/fragments/enable-services-master.sh @@ -4,7 +4,7 @@ systemctl daemon-reload echo "starting services" -for service in etcd docker kube-apiserver kube-proxy kubelet; do +for service in etcd docker kube-apiserver kubelet; do echo "activating service $service" systemctl enable $service systemctl --no-block start $service diff --git a/magnum/templates/kubernetes/fragments/enable-services-minion.sh b/magnum/templates/kubernetes/fragments/enable-services-minion.sh index 1622619ec8..0253a37351 100644 
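Review bot: When `TLS_DISABLED` is `True` the function clears `KUBE_CONFIG`, but the heredoc in enable-kube-proxy-minion.sh still writes `- --kubeconfig=` with an empty value and still mounts `/srv/kubernetes` into the privileged container, so the non-TLS manifest carries a flag and a host mount it does not use. I would emit the `--kubeconfig` argument and the `srv-kube` volume only in the TLS case, and narrow the mount to the files the proxy actually reads rather than the whole directory, which presumably also holds the node's client key. The test uses `==` under `#!/bin/sh`; the portable form is `if [ "${TLS_DISABLED}" = "True" ]; then`. In the non-TLS branch the proxy reaches the API server over plain `http` with no client credentials, which deserves a comment next to the branch so operators see the trade-off.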
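Review bot: Dropping `kube-proxy` from the `for service in …` loop in enable-services-master.sh stops this script from enabling and starting the host unit, but nothing stops or disables a unit that the image already has enabled, so a host kube-proxy and the containerised one could both end up managing iptables rules on the same node. If the base image can ship the unit enabled, add `systemctl disable kube-proxy || true` and `systemctl stop kube-proxy || true` before the loop. The same applies to the matching hunk in enable-services-minion.sh. The loop body continues outside the hunk.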
--- a/magnum/templates/kubernetes/fragments/enable-services-minion.sh +++ b/magnum/templates/kubernetes/fragments/enable-services-minion.sh @@ -10,7 +10,7 @@ ip link del docker0 # make sure we pick up any modified unit files systemctl daemon-reload -for service in docker kubelet kube-proxy; do +for service in docker kubelet; do echo "activating service $service" systemctl enable $service systemctl --no-block start $service diff --git a/magnum/templates/kubernetes/kubemaster.yaml b/magnum/templates/kubernetes/kubemaster.yaml index a3f10222fa..6cefb0cfdb 100644 --- a/magnum/templates/kubernetes/kubemaster.yaml +++ b/magnum/templates/kubernetes/kubemaster.yaml @@ -275,6 +275,12 @@ resources: group: ungrouped config: {get_file: fragments/kube-ui-service.sh} + enable_kube_proxy: + type: OS::Heat::SoftwareConfig + properties: + group: ungrouped + config: {get_file: fragments/enable-kube-proxy-master.sh} + master_wc_notify: type: OS::Heat::SoftwareConfig properties: @@ -317,6 +323,7 @@ resources: - config: {get_resource: network_service} - config: {get_resource: kube_system_namespace_service} - config: {get_resource: enable_kube_podmaster} + - config: {get_resource: enable_kube_proxy} - config: {get_resource: kube_ui_service} - config: {get_resource: kube_examples} - config: {get_resource: master_wc_notify} diff --git a/magnum/templates/kubernetes/kubeminion.yaml b/magnum/templates/kubernetes/kubeminion.yaml index 94daa090e2..92e7bb8235 100644 --- a/magnum/templates/kubernetes/kubeminion.yaml +++ b/magnum/templates/kubernetes/kubeminion.yaml @@ -277,6 +277,12 @@ resources: group: ungrouped config: {get_file: fragments/enable-docker-registry.sh} + enable_kube_proxy: + type: OS::Heat::SoftwareConfig + properties: + group: ungrouped + config: {get_file: fragments/enable-kube-proxy-minion.sh} + minion_wc_notify: type: OS::Heat::SoftwareConfig properties: 
@@ -317,6 +323,7 @@ resources: - config: {get_resource: network_service} - config: {get_resource: add_proxy} - config: {get_resource: enable_services} + - config: {get_resource: enable_kube_proxy} - config: {get_resource: enable_docker_registry} - config: {get_resource: minion_wc_notify}