diff --git a/magnum/common/nova.py b/magnum/common/nova.py new file mode 100644 index 0000000000..f5bf6b2f36 --- /dev/null +++ b/magnum/common/nova.py @@ -0,0 +1,30 @@ +# Copyright 2019 Catalyst Cloud Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from oslo_config import cfg +from oslo_log import log as logging + +from magnum.common import clients + +LOG = logging.getLogger(__name__) +CONF = cfg.CONF + + +def get_ssh_key(context, key_name): + try: + n_client = clients.OpenStackClients(context).nova() + keypair = n_client.keypairs.get(key_name) + return keypair.public_key.strip() + except Exception: + return "" diff --git a/magnum/drivers/heat/k8s_coreos_template_def.py b/magnum/drivers/heat/k8s_coreos_template_def.py index f6038a5da6..3dbf5a4067 100644 --- a/magnum/drivers/heat/k8s_coreos_template_def.py +++ b/magnum/drivers/heat/k8s_coreos_template_def.py @@ -149,6 +149,8 @@ class CoreOSK8sTemplateDefinition(k8s_template_def.K8sTemplateDefinition): encoded_openstack_ca = base64.b64encode(plain_openstack_ca.encode()) extra_params['openstack_ca_coreos'] = encoded_openstack_ca.decode() + extra_params['project_id'] = cluster.project_id + return super(CoreOSK8sTemplateDefinition, self).get_params(context, cluster_template, cluster, extra_params=extra_params, diff --git a/magnum/drivers/heat/template_def.py b/magnum/drivers/heat/template_def.py index d203cb1e49..acc50e5ba2 100755 --- a/magnum/drivers/heat/template_def.py +++ b/magnum/drivers/heat/template_def.py 
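Review bot: `get_ssh_key` catches `Exception` and returns `""`, so an unknown keypair name, an expired token and an unreachable Nova all look to the caller like a keypair whose public key is empty, and the module-level `LOG` defined a few lines above is never used. Later in this commit that return value is substituted into the `sshAuthorizedKeys` entry of the Ignition fragment, so the likely outcome is a cluster whose `core` user has no authorized key and no record of why. At minimum record the failure before returning, `LOG.exception("Could not fetch public key for keypair %s", key_name)` ahead of `return ""`, and narrow the clause to the Nova client's not-found and connection errors so that programming errors still propagate. A docstring stating that a failed lookup yields `""` would let callers decide whether to check the result.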
@@ -105,7 +105,8 @@ class OutputMapping(object): Magnum understands. """ - def __init__(self, heat_output, cluster_attr=None): + def __init__(self, heat_output, cluster_attr=None, nodegroup_attr=None, + nodegroup_uuid=None, is_stack_param=False): self.cluster_attr = cluster_attr self.heat_output = heat_output diff --git a/magnum/drivers/k8s_fedora_coreos_v1/__init__.py b/magnum/drivers/k8s_fedora_coreos_v1/__init__.py new file mode 100644 index 0000000000..e69de29bb2 diff --git a/magnum/drivers/k8s_fedora_coreos_v1/driver.py b/magnum/drivers/k8s_fedora_coreos_v1/driver.py new file mode 100644 index 0000000000..3e01153fbf --- /dev/null +++ b/magnum/drivers/k8s_fedora_coreos_v1/driver.py @@ -0,0 +1,30 @@ +# Copyright 2016 Rackspace Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from magnum.drivers.heat import driver +from magnum.drivers.k8s_fedora_coreos_v1 import template_def + + +class Driver(driver.KubernetesDriver): + + @property + def provides(self): + return [ + {'server_type': 'vm', + 'os': 'fedora-coreos', + 'coe': 'kubernetes'}, + ] + + def get_template_definition(self): + return template_def.FedoraCoreOSK8sTemplateDefinition() diff --git a/magnum/drivers/k8s_fedora_coreos_v1/template_def.py b/magnum/drivers/k8s_fedora_coreos_v1/template_def.py new file mode 100644 index 0000000000..a1f24ca37f --- /dev/null +++ b/magnum/drivers/k8s_fedora_coreos_v1/template_def.py 
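Review bot: The new `nodegroup_attr`, `nodegroup_uuid` and `is_stack_param` parameters of `OutputMapping.__init__` are accepted but, within the lines shown, never stored — the body still assigns only `self.cluster_attr` and `self.heat_output`. If the assignments live further down, the hunk's context does not show them; if not, the keyword arguments are silently dropped and a caller passing `is_stack_param=True` gets no change in behaviour. Either add `self.nodegroup_attr = nodegroup_attr`, `self.nodegroup_uuid = nodegroup_uuid` and `self.is_stack_param = is_stack_param` next to the existing assignments, or document why they are unused. The `__init__` body continues outside the hunk.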
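Review bot: `Driver` in `k8s_fedora_coreos_v1/driver.py` has no class docstring, and neither `provides` nor `get_template_definition` says what it returns; beyond the `'os': 'fedora-coreos'` literal nothing tells a reader which platform this driver targets. Add `"""Heat-based Kubernetes driver for Fedora CoreOS virtual machines."""` under the class line and a one-liner on `provides` such as `"""Return the (server_type, os, coe) combinations this driver handles."""`. The file header reads "Copyright 2016 Rackspace Inc." for a file created in this change, which looks copied from a sibling driver; worth confirming that is intended.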
@@ -0,0 +1,44 @@
+# Copyright 2016 Rackspace Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+import os
+
+from magnum.common import nova
+import magnum.conf
+from magnum.drivers.heat import k8s_coreos_template_def as kctd
+
+
+CONF = magnum.conf.CONF
+
+
+class FedoraCoreOSK8sTemplateDefinition(kctd.CoreOSK8sTemplateDefinition):
+ """Kubernetes template for a Fedora CoreOS VM."""
+
+ @property
+ def driver_module_path(self):
+ return __name__[:__name__.rindex('.')]
+
+ @property
+ def template_path(self):
+ return os.path.join(os.path.dirname(os.path.realpath(__file__)),
+ 'templates/kubecluster.yaml')
+
+ def get_params(self, context, cluster_template, cluster, **kwargs):
+ extra_params = kwargs.pop('extra_params', {})
+ extra_params["ssh_key_value"] = nova.get_ssh_key(context,
+ cluster.keypair)
+
+ return super(FedoraCoreOSK8sTemplateDefinition,
+ self).get_params(context, cluster_template, cluster,
+ extra_params=extra_params,
+ **kwargs)
diff --git a/magnum/drivers/k8s_fedora_coreos_v1/templates/COPYING b/magnum/drivers/k8s_fedora_coreos_v1/templates/COPYING
new file mode 100644
index 0000000000..d645695673
--- /dev/null
+++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/COPYING
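Review bot: `get_params` stores whatever `nova.get_ssh_key(context, cluster.keypair)` returns in `extra_params["ssh_key_value"]` without inspecting it, and that helper (added in this same commit) returns `""` on any exception — presumably also when `cluster.keypair` is unset — so a misnamed keypair or a Nova error silently produces a stack whose `ssh_key_value` is empty. A guard such as `if cluster.keypair and not extra_params["ssh_key_value"]:` followed by a raise, or at least a warning, would surface this at cluster-create time; this module defines only `CONF`, so a logger would have to be added for the warning variant. A short docstring on `get_params` noting that it resolves the keypair name to its public key for the Ignition fragment would also help readers who only see the Heat parameter.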
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/magnum/drivers/k8s_fedora_coreos_v1/templates/fragments/configure-agent.ign b/magnum/drivers/k8s_fedora_coreos_v1/templates/fragments/configure-agent.ign new file mode 100644 index 0000000000..b734cb1730 --- /dev/null +++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/fragments/configure-agent.ign 
@@ -0,0 +1,77 @@
+{
+ "ignition": {
+ "config": {
+ "replace": {
+ "source": null,
+ "verification": {}
+ }
+ },
+ "security": {
+ "tls": {}
+ },
+ "timeouts": {},
+ "version": "3.0.0"
+ },
+ "passwd": {
+ "users": [
+ {
+ "name": "core",
+ "sshAuthorizedKeys": [
+ "$SSH_KEY_VALUE"
+ ]
+ }
+ ]
+ },
+ "storage": {
+ "directories":[
+ {
+ "path": "/var/lib/cloud/data",
+ "group": {"name": "root"},
+ "user": {"name": "root"},
+ "mode": 644
+ }
+ ],
+ "files": [
+ {
+ "filesystem": "root",
+ "path": "/etc/hostname",
+ "mode": 420,
+ "contents": { "source": "data:,$HOSTNAME" }
+ },
+ {
+ "filesystem": "root",
+ "group": {"name": "root"},
+ "path": "/etc/ssl/certs/openstack-ca.pem",
+ "user": {"name": "root"},
+ "contents": {
+ "source": "data:,$OPENSTACK_CA",
+ "verification": {}
+ },
+ "mode": 644
+ },
+ {
+ "filesystem": "root",
+ "path": "/usr/local/bin/configure-heat-container-agent.sh",
+ "contents": {
+ "source": "data:,%23!%2Fbin%2Fbash%0Aset%20%2Bx%0Adocker%20run%20--detach%20$CONTAINER_INFRA_PREFIXheat-container-agent%3A$HEAT_CONTAINER_AGENT_TAG%0A",
+ "verification": {}
+ },
+ "mode": 777
+ }
+ ]
+ },
+ "systemd": {
+ "units": [
+ {
+ "name": "configure-openstack-ca.service",
+ "enabled": true,
+ "contents": "[Unit]\nDescription=Install custom CA certificates\n\n[Service]\nType=oneshot\nExecStart=/usr/bin/update-ca-trust\n[Install]\nWantedBy=multi-user.target"
+ },
+ {
+ "name": "configure-heat-container-agent.service",
+ "enabled": true,
+ "contents": "[Unit]\nDescription=Install heat container agent\n\n[Service]\nType=oneshot\nExecStart=/usr/local/bin/configure-heat-container-agent.sh\n[Install]\nWantedBy=multi-user.target"
+ }
+ ]
+ }
+}
diff --git a/magnum/drivers/k8s_fedora_coreos_v1/templates/fragments/write-heat-params-master.sh b/magnum/drivers/k8s_fedora_coreos_v1/templates/fragments/write-heat-params-master.sh
new file mode 100644
index 0000000000..8bb28c0569
--- /dev/null
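Review bot: Ignition's `mode` is a decimal integer holding the permission bits, as the `"mode": 420` (0644) on `/etc/hostname` in this same fragment shows, so `"mode": 644` on `/var/lib/cloud/data` and `/etc/ssl/certs/openstack-ca.pem` is really 0o1204 (owner write-only, no read for group/other, no execute bit on the directory) and `"mode": 777` on `configure-heat-container-agent.sh` is 0o1411. Use `"mode": 493` (0755) for the directory and for the script — a script that a root systemd unit executes should not be world-writable even if 0777 was the intent — and `"mode": 420` for the CA certificate. `$SSH_KEY_VALUE`, `$HOSTNAME` and `$OPENSTACK_CA` are also spliced into JSON string literals verbatim; a key comment containing a double quote or backslash would break the document, so either JSON-escape the values where the fragment is rendered or state in a comment above the fragment's consumer that they must arrive pre-escaped. The `"filesystem": "root"` members alongside `"version": "3.0.0"` look like spec 2.x leftovers; worth validating the fragment against the 3.0.0 schema.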
+++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/fragments/write-heat-params-master.sh 
@@ -0,0 +1,116 @@ +#!/bin/sh + +echo "START: write-heat-params" + +HEAT_PARAMS=/etc/sysconfig/heat-params +[ -f ${HEAT_PARAMS} ] || { + echo "Writing File: $HEAT_PARAMS" + mkdir -p "$(dirname ${HEAT_PARAMS})" + cat > ${HEAT_PARAMS} < + This template will boot a Kubernetes cluster with one or more + minions (as specified by the number_of_minions parameter, which + defaults to 1). + +parameters: + + octavia_enabled: + type: string + default: true + + ssh_key_name: + type: string + description: name of ssh key to be provisioned on our server + default: "" + + external_network: + type: string + description: uuid/name of a network to use for floating ip addresses + default: public + + fixed_network_name: + type: string + description: Network from which to allocate fixed addresses. + default: "private" + + fixed_network: + type: string + description: uuid/name of an existing network to use to provision machines + default: "" + + fixed_subnet: + type: string + description: uuid/name of an existing subnet to use to provision machines + default: "" + + server_image: + type: string + description: glance image used to boot the server + + master_flavor: + type: string + default: m1.small + description: flavor to use when booting the server for master nodes + + minion_flavor: + type: string + default: m1.small + description: flavor to use when booting the server for minions + + prometheus_monitoring: + type: boolean + default: false + description: > + whether or not to have the grafana-prometheus-cadvisor monitoring setup + + grafana_admin_passwd: + type: string + default: admin + hidden: true + description: > + admin user password for the Grafana monitoring interface + + dns_nameserver: + type: comma_delimited_list + description: address of a DNS nameserver reachable in your environment + default: 8.8.8.8 + + number_of_masters: + type: number + description: how many kubernetes masters to spawn + default: 1 + + number_of_minions: + type: number + description: how many 
kubernetes minions to spawn + default: 1 + + fixed_network_cidr: + type: string + description: network range for fixed ip network + default: 10.0.0.0/24 + + portal_network_cidr: + type: string + description: > + address range used by kubernetes for service portals + default: 10.254.0.0/16 + + network_driver: + type: string + description: network driver to use for instantiating container networks + default: flannel + + flannel_network_cidr: + type: string + description: network range for flannel overlay network + default: 10.100.0.0/16 + + flannel_network_subnetlen: + type: number + description: size of subnet assigned to each minion + default: 24 + + flannel_backend: + type: string + description: > + specify the backend for flannel, default udp backend + default: "udp" + constraints: + - allowed_values: ["udp", "vxlan", "host-gw"] + + system_pods_initial_delay: + type: number + description: > + health check, time to wait for system pods (podmaster, scheduler) to boot + (in seconds) + default: 30 + + system_pods_timeout: + type: number + description: > + health check, timeout for system pods (podmaster, scheduler) to answer. + (in seconds) + default: 5 + + admission_control_list: + type: string + description: > + List of admission control plugins to activate + default: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota" + + kube_allow_priv: + type: string + description: > + whether or not kubernetes should permit privileged containers. 
+ default: "true" + constraints: + - allowed_values: ["true", "false"] + + etcd_volume_size: + type: number + description: > + size of the cinder volume for etcd storage + default: 0 + + docker_volume_size: + type: number + description: > + size of a cinder volume to allocate to docker for container/image + storage + default: 0 + + docker_volume_type: + type: string + description: > + type of a cinder volume to allocate to docker for container/image + storage + + docker_storage_driver: + type: string + description: docker storage driver name + default: "devicemapper" + + wait_condition_timeout: + type: number + description: > + timeout for the Wait Conditions + default: 6000 + + minions_to_remove: + type: comma_delimited_list + description: > + List of minions to be removed when doing an update. Individual minion may + be referenced several ways: (1) The resource name (e.g. ['1', '3']), + (2) The private IP address ['10.0.0.4', '10.0.0.6']. Note: the list should + be empty when doing an create. + default: [] + + discovery_url: + type: string + description: > + Discovery URL used for bootstrapping the etcd cluster. + + registry_enabled: + type: boolean + description: > + Indicates whether the docker registry is enabled. 
+ default: false + + registry_port: + type: number + description: port of registry service + default: 5000 + + swift_region: + type: string + description: region of swift service + default: "" + + registry_container: + type: string + description: > + name of swift container which docker registry stores images in + default: "container" + + registry_insecure: + type: boolean + description: > + indicates whether to skip TLS verification between registry and backend storage + default: true + + registry_chunksize: + type: number + description: > + size fo the data segments for the swift dynamic large objects + default: 5242880 + + volume_driver: + type: string + description: volume driver to use for container storage + default: "" + + region_name: + type: string + description: A logically separate section of the cluster + + username: + type: string + description: > + user account + + password: + type: string + description: > + user password, not set in current implementation, only used to + fill in for Kubernetes config file + default: + ChangeMe + hidden: true + + loadbalancing_protocol: + type: string + description: > + The protocol which is used for load balancing. If you want to change + tls_disabled option to 'True', please change this to "HTTP". + default: TCP + constraints: + - allowed_values: ["TCP", "HTTP"] + + tls_disabled: + type: boolean + description: whether or not to disable TLS + default: False + + kube_dashboard_enabled: + type: boolean + description: whether or not to enable kubernetes dashboard + default: True + + influx_grafana_dashboard_enabled: + type: boolean + description: Enable influxdb with grafana dashboard for data from heapster + default: False + + verify_ca: + type: boolean + description: whether or not to validate certificate authority + + kubernetes_port: + type: number + description: > + The port which are used by kube-apiserver to provide Kubernetes + service. 
+ default: 6443 + + cluster_uuid: + type: string + description: identifier for the cluster this template is generating + + magnum_url: + type: string + description: endpoint to retrieve TLS certs from + + http_proxy: + type: string + description: http proxy address for docker + default: "" + + https_proxy: + type: string + description: https proxy address for docker + default: "" + + no_proxy: + type: string + description: no proxies for docker + default: "" + + trustee_domain_id: + type: string + description: domain id of the trustee + + trustee_user_id: + type: string + description: user id of the trustee + + trustee_username: + type: string + description: username of the trustee + + trustee_password: + type: string + description: password of the trustee + hidden: true + + trust_id: + type: string + description: id of the trust which is used by the trustee + hidden: true + + auth_url: + type: string + description: url for keystone + + kube_tag: + type: string + description: tag of the k8s containers used to provision the kubernetes cluster + default: v1.9.3 + + etcd_tag: + type: string + description: tag of the etcd system container + default: v3.2.7 + + coredns_tag: + type: string + description: tag for coredns + default: 1.3.1 + + flannel_tag: + type: string + description: tag of the flannel system containers + default: v0.9.0 + + kube_version: + type: string + description: version of kubernetes used for kubernetes cluster + default: v1.10.3_coreos.0 + + kube_dashboard_version: + type: string + description: version of kubernetes dashboard used for kubernetes cluster + default: v1.8.3 + + hyperkube_image: + type: string + description: > + Docker registry used for hyperkube image + default: quay.io/coreos/hyperkube + + insecure_registry_url: + type: string + description: insecure registry url + default: "" + + container_infra_prefix: + type: string + description: > + prefix of container images used in the cluster, kubernetes components, + kubernetes-dashboard, 
coredns etc + constraints: + - allowed_pattern: "^$|.*/" + default: "docker.io/openstackmagnum/" + + dns_service_ip: + type: string + description: > + address used by Kubernetes DNS service + default: 10.254.0.10 + + dns_cluster_domain: + type: string + description: > + domain name for cluster DNS + default: "cluster.local" + + etcd_volume_size: + type: number + description: > + size of the cinder volume for etcd storage + default: 0 + + openstack_ca: + type: string + hidden: true + description: The OpenStack CA certificate to install on the node. + + openstack_ca_coreos: + type: string + hidden: true + description: The OpenStack CA certificate to install on the node. + + nodes_affinity_policy: + type: string + description: > + affinity policy for nodes server group + constraints: + - allowed_values: ["affinity", "anti-affinity", "soft-affinity", + "soft-anti-affinity"] + + availability_zone: + type: string + description: > + availability zone for master and nodes + default: "" + + cert_manager_api: + type: boolean + description: true if the kubernetes cert api manager should be enabled + default: false + + ca_key: + type: string + description: key of internal ca for the kube certificate api manager + default: "" + hidden: true + + calico_tag: + type: string + description: tag of the calico containers used to provision the calico node + default: v2.6.7 + + calico_cni_tag: + type: string + description: tag of the cni used to provision the calico node + default: v1.11.2 + + calico_kube_controllers_tag: + type: string + description: tag of the kube_controllers used to provision the calico node + default: v1.0.3 + + calico_ipv4pool: + type: string + description: Configure the IP pool from which Pod IPs will be chosen + default: "192.168.0.0/16" + + pods_network_cidr: + type: string + description: Configure the IP pool/range from which pod IPs will be chosen + + ingress_controller: + type: string + description: > + ingress controller backend to use + default: "" + + 
ingress_controller_role: + type: string + description: > + node role where the ingress controller backend should run + default: "ingress" + + kubelet_options: + type: string + description: > + additional options to be passed to the kubelet + default: "" + + kubeapi_options: + type: string + description: > + additional options to be passed to the api + default: "" + + kubecontroller_options: + type: string + description: > + additional options to be passed to the controller manager + default: "" + + kubeproxy_options: + type: string + description: > + additional options to be passed to the kube proxy + default: "" + + kubescheduler_options: + type: string + description: > + additional options to be passed to the scheduler + default: "" + + container_runtime: + type: string + description: > + Container runtime to use with Kubernetes. + default: "docker" + constraints: + - allowed_values: ["docker"] + + octavia_ingress_controller_tag: + type: string + description: Octavia ingress controller docker image tag. + default: "1.13.2-alpha" + + master_kube_tag: + type: string + description: tag of the k8s containers used to provision the kubernetes cluster + default: v1.14.3 + + minion_kube_tag: + type: string + description: tag of the k8s containers used to provision the kubernetes cluster + default: v1.14.3 + + heat_container_agent_tag: + type: string + description: tag of the heat_container_agent system container + default: train-dev + + ssh_key_value: + type: string + description: public key of ssh key to be provisioned on the server + + project_id: + type: string + description: > + project id of current project + + +resources: + + ###################################################################### + # + # network resources. allocate a network and router for our server. 
+ # Important: the Load Balancer feature in Kubernetes requires that + # the name for the fixed_network must be "private" for the + # address lookup in Kubernetes to work properly + # + + network: + type: ../../common/templates/network.yaml + properties: + existing_network: {get_param: fixed_network} + existing_subnet: {get_param: fixed_subnet} + private_network_cidr: {get_param: fixed_network_cidr} + dns_nameserver: {get_param: dns_nameserver} + external_network: {get_param: external_network} + private_network_name: {get_param: fixed_network_name} + + + api_lb: + type: ../../common/templates/lb_api.yaml + properties: + fixed_subnet: {get_attr: [network, fixed_subnet]} + external_network: {get_param: external_network} + protocol: {get_param: loadbalancing_protocol} + port: {get_param: kubernetes_port} + + etcd_lb: + type: ../../common/templates/lb_etcd.yaml + properties: + fixed_subnet: {get_attr: [network, fixed_subnet]} + protocol: {get_param: loadbalancing_protocol} + port: 2379 + + ###################################################################### + # + # security groups. we need to permit network traffic of various + # sorts. 
+ # + + secgroup_kube_master: + type: OS::Neutron::SecurityGroup + properties: + rules: + - protocol: icmp + - protocol: tcp + port_range_min: 22 + port_range_max: 22 + - protocol: tcp + port_range_min: 7080 + port_range_max: 7080 + - protocol: tcp + port_range_min: 8080 + port_range_max: 8080 + - protocol: tcp + port_range_min: 2379 + port_range_max: 2379 + - protocol: tcp + port_range_min: 2380 + port_range_max: 2380 + - protocol: tcp + port_range_min: 6443 + port_range_max: 6443 + - protocol: tcp + port_range_min: 30000 + port_range_max: 32767 + + secgroup_kube_minion: + type: OS::Neutron::SecurityGroup + properties: + rules: + - protocol: icmp + - protocol: tcp + - protocol: udp + + ###################################################################### + # + # resources that expose the IPs of either the kube master or a given + # LBaaS pool depending on whether LBaaS is enabled for the cluster. + # + + api_address_lb_switch: + type: Magnum::ApiGatewaySwitcher + properties: + pool_public_ip: {get_attr: [api_lb, floating_address]} + pool_private_ip: {get_attr: [api_lb, address]} + master_public_ip: {get_attr: [kube_masters, resource.0.kube_master_external_ip]} + master_private_ip: {get_attr: [kube_masters, resource.0.kube_master_ip]} + + etcd_address_lb_switch: + type: Magnum::ApiGatewaySwitcher + properties: + pool_private_ip: {get_attr: [etcd_lb, address]} + master_private_ip: {get_attr: [kube_masters, resource.0.kube_master_ip]} + + ###################################################################### + # + # resources that expose the IPs of either floating ip or a given + # fixed ip depending on whether FloatingIP is enabled for the cluster. 
+ # + + api_address_floating_switch: + type: Magnum::FloatingIPAddressSwitcher + properties: + public_ip: {get_attr: [api_address_lb_switch, public_ip]} + private_ip: {get_attr: [api_address_lb_switch, private_ip]} + + ###################################################################### + # + # resources that expose one server group for each master and worker nodes + # separately. + # + + master_nodes_server_group: + type: OS::Nova::ServerGroup + properties: + policies: [{get_param: nodes_affinity_policy}] + + worker_nodes_server_group: + type: OS::Nova::ServerGroup + properties: + policies: [{get_param: nodes_affinity_policy}] + + ###################################################################### + # + # kubernetes masters. This is a resource group that will create + # masters. + # + + kube_masters: + type: OS::Heat::ResourceGroup + depends_on: + - network + properties: + count: {get_param: number_of_masters} + resource_def: + type: kubemaster.yaml + properties: + name: + list_join: + - '-' + - [{ get_param: 'OS::stack_name' }, 'master', '%index%'] + prometheus_monitoring: {get_param: prometheus_monitoring} + grafana_admin_passwd: {get_param: grafana_admin_passwd} + api_public_address: {get_attr: [api_lb, floating_address]} + api_private_address: {get_attr: [api_lb, address]} + ssh_key_name: {get_param: ssh_key_name} + ssh_key_value: {get_param: ssh_key_value} + server_image: {get_param: server_image} + master_flavor: {get_param: master_flavor} + external_network: {get_param: external_network} + kube_allow_priv: {get_param: kube_allow_priv} + etcd_volume_size: {get_param: etcd_volume_size} + docker_volume_size: {get_param: docker_volume_size} + docker_volume_type: {get_param: docker_volume_type} + docker_storage_driver: {get_param: docker_storage_driver} + wait_condition_timeout: {get_param: wait_condition_timeout} + network_driver: {get_param: network_driver} + flannel_network_cidr: {get_param: flannel_network_cidr} + flannel_network_subnetlen: {get_param: 
flannel_network_subnetlen} + flannel_backend: {get_param: flannel_backend} + system_pods_initial_delay: {get_param: system_pods_initial_delay} + system_pods_timeout: {get_param: system_pods_timeout} + portal_network_cidr: {get_param: portal_network_cidr} + admission_control_list: {get_param: admission_control_list} + discovery_url: {get_param: discovery_url} + cluster_uuid: {get_param: cluster_uuid} + magnum_url: {get_param: magnum_url} + volume_driver: {get_param: volume_driver} + fixed_network_name: {get_param: fixed_network_name} + fixed_network: {get_attr: [network, fixed_network]} + fixed_subnet: {get_attr: [network, fixed_subnet]} + api_pool_id: {get_attr: [api_lb, pool_id]} + etcd_pool_id: {get_attr: [etcd_lb, pool_id]} + username: {get_param: username} + password: {get_param: password} + kubernetes_port: {get_param: kubernetes_port} + tls_disabled: {get_param: tls_disabled} + kube_dashboard_enabled: {get_param: kube_dashboard_enabled} + influx_grafana_dashboard_enabled: {get_param: influx_grafana_dashboard_enabled} + verify_ca: {get_param: verify_ca} + secgroup_kube_master_id: {get_resource: secgroup_kube_master} + http_proxy: {get_param: http_proxy} + https_proxy: {get_param: https_proxy} + no_proxy: {get_param: no_proxy} + kube_tag: {get_param: kube_tag} + kube_version: {get_param: kube_version} + etcd_tag: {get_param: etcd_tag} + coredns_tag: {get_param: coredns_tag} + kube_dashboard_version: {get_param: kube_dashboard_version} + trustee_user_id: {get_param: trustee_user_id} + trustee_password: {get_param: trustee_password} + trust_id: {get_param: trust_id} + auth_url: {get_param: auth_url} + hyperkube_image: {get_param: hyperkube_image} + insecure_registry_url: {get_param: insecure_registry_url} + container_runtime: {get_param: container_runtime} + container_infra_prefix: {get_param: container_infra_prefix} + etcd_lb_vip: {get_attr: [etcd_lb, address]} + dns_service_ip: {get_param: dns_service_ip} + dns_cluster_domain: {get_param: dns_cluster_domain} + 
openstack_ca: {get_param: openstack_ca_coreos} + nodes_server_group_id: {get_resource: master_nodes_server_group} + availability_zone: {get_param: availability_zone} + ca_key: {get_param: ca_key} + cert_manager_api: {get_param: cert_manager_api} + calico_tag: {get_param: calico_tag} + calico_cni_tag: {get_param: calico_cni_tag} + calico_kube_controllers_tag: {get_param: calico_kube_controllers_tag} + calico_ipv4pool: {get_param: calico_ipv4pool} + pods_network_cidr: {get_param: pods_network_cidr} + ingress_controller: {get_param: ingress_controller} + ingress_controller_role: {get_param: ingress_controller_role} + kubelet_options: {get_param: kubelet_options} + kubeapi_options: {get_param: kubeapi_options} + kubeproxy_options: {get_param: kubeproxy_options} + kubecontroller_options: {get_param: kubecontroller_options} + kubescheduler_options: {get_param: kubescheduler_options} + project_id: {get_param: project_id} + region_name: {get_param: region_name} + + ###################################################################### + # + # kubernetes minions. This is an resource group that will initially + # create minions, and needs to be manually scaled. 
+ # + + kube_minions: + type: OS::Heat::ResourceGroup + depends_on: + - network + properties: + count: {get_param: number_of_minions} + removal_policies: [{resource_list: {get_param: minions_to_remove}}] + resource_def: + type: kubeminion.yaml + properties: + name: + list_join: + - '-' + - [{ get_param: 'OS::stack_name' }, 'minion', '%index%'] + prometheus_monitoring: {get_param: prometheus_monitoring} + ssh_key_name: {get_param: ssh_key_name} + server_image: {get_param: server_image} + minion_flavor: {get_param: minion_flavor} + fixed_network: {get_attr: [network, fixed_network]} + fixed_subnet: {get_attr: [network, fixed_subnet]} + network_driver: {get_param: network_driver} + flannel_network_cidr: {get_param: flannel_network_cidr} + kube_master_ip: {get_attr: [api_address_lb_switch, private_ip]} + etcd_server_ip: {get_attr: [etcd_address_lb_switch, private_ip]} + external_network: {get_param: external_network} + kube_allow_priv: {get_param: kube_allow_priv} + docker_volume_size: {get_param: docker_volume_size} + docker_volume_type: {get_param: docker_volume_type} + docker_storage_driver: {get_param: docker_storage_driver} + wait_condition_timeout: {get_param: wait_condition_timeout} + registry_enabled: {get_param: registry_enabled} + registry_port: {get_param: registry_port} + swift_region: {get_param: swift_region} + registry_container: {get_param: registry_container} + registry_insecure: {get_param: registry_insecure} + registry_chunksize: {get_param: registry_chunksize} + cluster_uuid: {get_param: cluster_uuid} + magnum_url: {get_param: magnum_url} + volume_driver: {get_param: volume_driver} + region_name: {get_param: region_name} + auth_url: {get_param: auth_url} + hyperkube_image: {get_param: hyperkube_image} + username: {get_param: username} + password: {get_param: password} + kubernetes_port: {get_param: kubernetes_port} + tls_disabled: {get_param: tls_disabled} + verify_ca: {get_param: verify_ca} + secgroup_kube_minion_id: {get_resource: 
secgroup_kube_minion} + http_proxy: {get_param: http_proxy} + https_proxy: {get_param: https_proxy} + no_proxy: {get_param: no_proxy} + kube_tag: {get_param: kube_tag} + kube_version: {get_param: kube_version} + flannel_tag: {get_param: flannel_tag} + trustee_user_id: {get_param: trustee_user_id} + trustee_username: {get_param: trustee_username} + trustee_password: {get_param: trustee_password} + trustee_domain_id: {get_param: trustee_domain_id} + trust_id: {get_param: trust_id} + insecure_registry_url: {get_param: insecure_registry_url} + container_runtime: {get_param: container_runtime} + container_infra_prefix: {get_param: container_infra_prefix} + dns_service_ip: {get_param: dns_service_ip} + dns_cluster_domain: {get_param: dns_cluster_domain} + openstack_ca: {get_param: openstack_ca_coreos} + nodes_server_group_id: {get_resource: worker_nodes_server_group} + availability_zone: {get_param: availability_zone} + pods_network_cidr: {get_param: pods_network_cidr} + kubelet_options: {get_param: kubelet_options} + kubeproxy_options: {get_param: kubeproxy_options} + +outputs: + + api_address: + value: + str_replace: + template: api_ip_address + params: + api_ip_address: {get_attr: [api_address_floating_switch, ip_address]} + description: > + This is the API endpoint of the Kubernetes cluster. Use this to access + the Kubernetes API. + + registry_address: + value: + str_replace: + template: localhost:port + params: + port: {get_param: registry_port} + description: + This is the url of docker registry server where you can store docker + images. + + kube_masters_private: + value: {get_attr: [kube_masters, kube_master_ip]} + description: > + This is a list of the "private" IP addresses of all the Kubernetes masters. + + kube_masters: + value: {get_attr: [kube_masters, kube_master_external_ip]} + description: > + This is a list of the "public" IP addresses of all the Kubernetes masters. + Use these IP addresses to log in to the Kubernetes masters via ssh. 
+
+ kube_minions_private:
+ value: {get_attr: [kube_minions, kube_minion_ip]}
+ description: >
+ This is a list of the "private" IP addresses of all the Kubernetes minions.
+
+ kube_minions:
+ value: {get_attr: [kube_minions, kube_minion_external_ip]}
+ description: >
+ This is a list of the "public" IP addresses of all the Kubernetes minions.
+ Use these IP addresses to log in to the Kubernetes minions via ssh.
diff --git a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml
new file mode 100644
index 0000000000..abd52f054e
--- /dev/null
+++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml
@@ -0,0 +1,664 @@
+heat_template_version: 2014-10-16
+
+description: >
+ This is a nested stack that defines a single Kubernetes master, This stack is
+ included by an ResourceGroup resource in the parent template
+ (kubecluster.yaml).
+
+parameters:
+
+ name:
+ type: string
+ description: server name
+
+ server_image:
+ type: string
+ description: glance image used to boot the server
+
+ master_flavor:
+ type: string
+ description: flavor to use when booting the server
+
+ ssh_key_name:
+ type: string
+ description: name of ssh key to be provisioned on our server
+
+ external_network:
+ type: string
+ description: uuid/name of a network to use for floating ip addresses
+
+ portal_network_cidr:
+ type: string
+ description: >
+ address range used by kubernetes for service portals
+
+ kube_allow_priv:
+ type: string
+ description: >
+ whether or not kubernetes should permit privileged containers.
+ constraints:
+ - allowed_values: ["true", "false"]
+
+ etcd_volume_size:
+ type: number
+ description: >
+ size of a cinder volume to allocate for etcd storage
+
+ docker_volume_size:
+ type: number
+ description: >
+ size of a cinder volume to allocate to docker for container/image
+ storage
+
+ docker_volume_type:
+ type: string
+ description: >
+ type of a cinder volume to allocate to docker for container/image
+ storage
+
+ docker_storage_driver:
+ type: string
+ description: docker storage driver name
+ default: "devicemapper"
+
+ volume_driver:
+ type: string
+ description: volume driver to use for container storage
+
+ flannel_network_cidr:
+ type: string
+ description: network range for flannel overlay network
+
+ flannel_network_subnetlen:
+ type: number
+ description: size of subnet assigned to each master
+
+ flannel_backend:
+ type: string
+ description: >
+ specify the backend for flannel, default udp backend
+ constraints:
+ - allowed_values: ["udp", "vxlan", "host-gw"]
+
+ system_pods_initial_delay:
+ type: number
+ description: >
+ health check, time to 
wait for system pods (podmaster, scheduler) to boot + (in seconds) + default: 30 + + system_pods_timeout: + type: number + description: > + health check, timeout for system pods (podmaster, scheduler) to answer. + (in seconds) + default: 5 + + admission_control_list: + type: string + description: > + List of admission control plugins to activate + + discovery_url: + type: string + description: > + Discovery URL used for bootstrapping the etcd cluster. + + tls_disabled: + type: boolean + description: whether or not to enable TLS + + kube_dashboard_enabled: + type: boolean + description: whether or not to disable kubernetes dashboard + + influx_grafana_dashboard_enabled: + type: boolean + description: Enable influxdb with grafana dashboard for data from heapster + + verify_ca: + type: boolean + description: whether or not to validate certificate authority + + kubernetes_port: + type: number + description: > + The port which are used by kube-apiserver to provide Kubernetes + service. + + cluster_uuid: + type: string + description: identifier for the cluster this template is generating + + magnum_url: + type: string + description: endpoint to retrieve TLS certs from + + prometheus_monitoring: + type: boolean + description: > + whether or not to have prometheus and grafana deployed + + grafana_admin_passwd: + type: string + hidden: true + description: > + admin user password for the Grafana monitoring interface + + api_public_address: + type: string + description: Public IP address of the Kubernetes master server. + default: "" + + api_private_address: + type: string + description: Private IP address of the Kubernetes master server. + default: "" + + fixed_network_name: + type: string + description: Network from which to allocate fixed addresses. + + fixed_network: + type: string + description: Network from which to allocate fixed addresses. + + fixed_subnet: + type: string + description: Subnet from which to allocate fixed addresses. 
+ + network_driver: + type: string + description: network driver to use for instantiating container networks + + wait_condition_timeout: + type: number + description : > + timeout for the Wait Conditions + + secgroup_kube_master_id: + type: string + description: ID of the security group for kubernetes master. + + api_pool_id: + type: string + description: ID of the load balancer pool of k8s API server. + + etcd_pool_id: + type: string + description: ID of the load balancer pool of etcd server. + + auth_url: + type: string + description: > + url for kubernetes to authenticate + + username: + type: string + description: > + user account + + password: + type: string + description: > + user password + + http_proxy: + type: string + description: http proxy address for docker + + https_proxy: + type: string + description: https proxy address for docker + + no_proxy: + type: string + description: no proxies for docker + + kube_tag: + type: string + description: tag of the k8s containers used to provision the kubernetes cluster + + etcd_tag: + type: string + description: tag of the etcd system container + + coredns_tag: + type: string + description: tag for coredns + + kube_version: + type: string + description: version of kubernetes used for kubernetes cluster + + kube_dashboard_version: + type: string + description: version of kubernetes dashboard used for kubernetes cluster + + trustee_user_id: + type: string + description: user id of the trustee + + trustee_password: + type: string + description: password of the trustee + hidden: true + + trust_id: + type: string + description: id of the trust which is used by the trustee + hidden: true + + insecure_registry_url: + type: string + description: insecure registry url + + container_infra_prefix: + type: string + description: > + prefix of container images used in the cluster, kubernetes components, + kubernetes-dashboard, coredns etc + + etcd_lb_vip: + type: string + description: > + etcd lb vip private used to generate 
certs on master. + default: "" + + dns_service_ip: + type: string + description: > + address used by Kubernetes DNS service + + dns_cluster_domain: + type: string + description: > + domain name for cluster DNS + + openstack_ca: + type: string + description: The OpenStack CA certificate to install on the node. + + nodes_server_group_id: + type: string + description: ID of the server group for kubernetes cluster nodes. + + availability_zone: + type: string + description: > + availability zone for master and nodes + default: "" + + ca_key: + type: string + description: key of internal ca for the kube certificate api manager + hidden: true + + cert_manager_api: + type: boolean + description: true if the kubernetes cert api manager should be enabled + default: false + + calico_tag: + type: string + description: tag of the calico containers used to provision the calico node + + calico_cni_tag: + type: string + description: tag of the cni used to provision the calico node + + calico_kube_controllers_tag: + type: string + description: tag of the kube_controllers used to provision the calico node + + calico_ipv4pool: + type: string + description: Configure the IP pool from which Pod IPs will be chosen + + pods_network_cidr: + type: string + description: Configure the IP pool/range from which pod IPs will be chosen + + ingress_controller: + type: string + description: > + ingress controller backend to use + + ingress_controller_role: + type: string + description: > + node role where the ingress controller should run + + kubelet_options: + type: string + description: > + additional options to be passed to the kubelet + + kubeapi_options: + type: string + description: > + additional options to be passed to the api + + kubecontroller_options: + type: string + description: > + additional options to be passed to the controller manager + + kubeproxy_options: + type: string + description: > + additional options to be passed to the kube proxy + + kubescheduler_options: + type: 
string + description: > + additional options to be passed to the scheduler + + octavia_enabled: + type: boolean + description: > + whether or not to use Octavia for LoadBalancer type service. + default: False + + container_runtime: + type: string + description: > + Container runtime to use with Kubernetes. + + hyperkube_image: + type: string + description: > + Docker registry used for hyperkube image + + heat_container_agent_tag: + type: string + description: tag of the heat_container_agent system container + default: train-dev + + ssh_key_value: + type: string + description: public key of ssh key to be provisioned on the server + + project_id: + type: string + description: > + project id of current project + + region_name: + type: string + description: A logically separate section of the cluster + + +resources: + + master_wait_handle: + type: OS::Heat::WaitConditionHandle + + master_wait_condition: + type: OS::Heat::WaitCondition + depends_on: kube-master + properties: + handle: {get_resource: master_wait_handle} + timeout: {get_param: wait_condition_timeout} + + ###################################################################### + # + # resource that exposes the IPs of either the kube master or the API + # LBaaS pool depending on whether LBaaS is enabled for the cluster. + # + + api_address_switch: + type: Magnum::ApiGatewaySwitcher + properties: + pool_public_ip: {get_param: api_public_address} + pool_private_ip: {get_param: api_private_address} + master_public_ip: {get_attr: [kube_master_floating, floating_ip_address]} + master_private_ip: {get_attr: [kube_master_eth0, fixed_ips, 0, ip_address]} + + ###################################################################### + # + # software configs. these are components that are combined into + # a multipart MIME user-data archive. 
+ # + + agent_config: + type: OS::Heat::SoftwareConfig + properties: + group: ungrouped + config: + list_join: + - "\n" + - + - str_replace: + template: {get_file: fragments/configure-agent.ign} + params: + $SSH_KEY_VALUE: {get_param: ssh_key_value} + $HOSTNAME: {get_param: name} + $OPENSTACK_CA: {get_param: openstack_ca} + $CONTAINER_INFRA_PREFIX: {get_param: container_infra_prefix} + $HEAT_CONTAINER_AGENT_TAG: {get_param: heat_container_agent_tag} + + master_config: + type: OS::Heat::SoftwareConfig + properties: + group: script + config: + list_join: + - "\n" + - + - str_replace: + template: {get_file: ../../common/templates/kubernetes/fragments/write-heat-params-master.sh} + params: + "$INSTANCE_NAME": {get_param: name} + "$PROMETHEUS_MONITORING": {get_param: prometheus_monitoring} + "$KUBE_API_PUBLIC_ADDRESS": {get_attr: [api_address_switch, public_ip]} + "$KUBE_API_PRIVATE_ADDRESS": {get_attr: [api_address_switch, private_ip]} + "$KUBE_API_PORT": {get_param: kubernetes_port} + "$KUBE_NODE_PUBLIC_IP": {get_attr: [kube_master_floating, floating_ip_address]} + "$KUBE_NODE_IP": {get_attr: [kube_master_eth0, fixed_ips, 0, ip_address]} + "$KUBE_ALLOW_PRIV": {get_param: kube_allow_priv} + "$ETCD_VOLUME": {get_resource: etcd_volume} + "$ETCD_VOLUME_SIZE": {get_param: etcd_volume_size} + "$DOCKER_VOLUME": {get_resource: docker_volume} + "$DOCKER_VOLUME_SIZE": {get_param: docker_volume_size} + "$DOCKER_STORAGE_DRIVER": {get_param: docker_storage_driver} + "$CGROUP_DRIVER": {get_param: cgroup_driver} + "$NETWORK_DRIVER": {get_param: network_driver} + "$FLANNEL_NETWORK_CIDR": {get_param: flannel_network_cidr} + "$FLANNEL_NETWORK_SUBNETLEN": {get_param: flannel_network_subnetlen} + "$FLANNEL_BACKEND": {get_param: flannel_backend} + "$SYSTEM_PODS_INITIAL_DELAY": {get_param: system_pods_initial_delay} + "$SYSTEM_PODS_TIMEOUT": {get_param: system_pods_timeout} + "$PODS_NETWORK_CIDR": {get_param: pods_network_cidr} + "$PORTAL_NETWORK_CIDR": {get_param: portal_network_cidr} + 
"$ADMISSION_CONTROL_LIST": {get_param: admission_control_list} + "$ETCD_DISCOVERY_URL": {get_param: discovery_url} + "$AUTH_URL": {get_param: auth_url} + "$USERNAME": {get_param: username} + "$PASSWORD": {get_param: password} + "$CLUSTER_NETWORK": {get_param: fixed_network} + "$CLUSTER_NETWORK_NAME": {get_param: fixed_network_name} + "$CLUSTER_SUBNET": {get_param: fixed_subnet} + "$TLS_DISABLED": {get_param: tls_disabled} + "$TRAEFIK_INGRESS_CONTROLLER_TAG": {get_param: traefik_ingress_controller_tag} + "$KUBE_DASHBOARD_ENABLED": {get_param: kube_dashboard_enabled} + "$INFLUX_GRAFANA_DASHBOARD_ENABLED": {get_param: influx_grafana_dashboard_enabled} + "$VERIFY_CA": {get_param: verify_ca} + "$CLUSTER_UUID": {get_param: cluster_uuid} + "$MAGNUM_URL": {get_param: magnum_url} + "$VOLUME_DRIVER": {get_param: volume_driver} + "$REGION_NAME": {get_param: region_name} + "$HTTP_PROXY": {get_param: http_proxy} + "$HTTPS_PROXY": {get_param: https_proxy} + "$NO_PROXY": {get_param: no_proxy} + "$KUBE_TAG": {get_param: kube_tag} + "$CLOUD_PROVIDER_TAG": {get_param: cloud_provider_tag} + "$CLOUD_PROVIDER_ENABLED": {get_param: cloud_provider_enabled} + "$ETCD_TAG": {get_param: etcd_tag} + "$COREDNS_TAG": {get_param: coredns_tag} + "$FLANNEL_TAG": {get_param: flannel_tag} + "$FLANNEL_CNI_TAG": {get_param: flannel_cni_tag} + "$KUBE_VERSION": {get_param: kube_version} + "$KUBE_DASHBOARD_VERSION": {get_param: kube_dashboard_version} + "$TRUSTEE_USER_ID": {get_param: trustee_user_id} + "$TRUSTEE_PASSWORD": {get_param: trustee_password} + "$TRUST_ID": {get_param: trust_id} + "$INSECURE_REGISTRY_URL": {get_param: insecure_registry_url} + "$CONTAINER_INFRA_PREFIX": {get_param: container_infra_prefix} + "$ETCD_LB_VIP": {get_param: etcd_lb_vip} + "$DNS_SERVICE_IP": {get_param: dns_service_ip} + "$DNS_CLUSTER_DOMAIN": {get_param: dns_cluster_domain} + "$CERT_MANAGER_API": {get_param: cert_manager_api} + "$CA_KEY": {get_param: ca_key} + "$CALICO_TAG": {get_param: calico_tag} + 
"$CALICO_CNI_TAG": {get_param: calico_cni_tag} + "$CALICO_KUBE_CONTROLLERS_TAG": {get_param: calico_kube_controllers_tag} + "$CALICO_IPV4POOL": {get_param: calico_ipv4pool} + "$INGRESS_CONTROLLER": {get_param: ingress_controller} + "$INGRESS_CONTROLLER_ROLE": {get_param: ingress_controller_role} + "$OCTAVIA_INGRESS_CONTROLLER_TAG": {get_param: octavia_ingress_controller_tag} + "$KUBELET_OPTIONS": {get_param: kubelet_options} + "$KUBEAPI_OPTIONS": {get_param: kubeapi_options} + "$KUBECONTROLLER_OPTIONS": {get_param: kubecontroller_options} + "$KUBEPROXY_OPTIONS": {get_param: kubeproxy_options} + "$KUBESCHEDULER_OPTIONS": {get_param: kubescheduler_options} + "$OCTAVIA_ENABLED": {get_param: octavia_enabled} + "$KUBE_SERVICE_ACCOUNT_KEY": {get_param: kube_service_account_key} + "$KUBE_SERVICE_ACCOUNT_PRIVATE_KEY": {get_param: kube_service_account_private_key} + "$PROMETHEUS_TAG": {get_param: prometheus_tag} + "$GRAFANA_TAG": {get_param: grafana_tag} + "$HEAT_CONTAINER_AGENT_TAG": {get_param: heat_container_agent_tag} + "$KEYSTONE_AUTH_ENABLED": {get_param: keystone_auth_enabled} + "$K8S_KEYSTONE_AUTH_TAG": {get_param: k8s_keystone_auth_tag} + "$MONITORING_ENABLED": {get_param: monitoring_enabled} + "$PROMETHEUS_OPERATOR_CHART_TAG": {get_param: prometheus_operator_chart_tag} + "$PROJECT_ID": {get_param: project_id} + "$EXTERNAL_NETWORK_ID": {get_param: external_network} + "$TILLER_ENABLED": {get_param: tiller_enabled} + "$TILLER_TAG": {get_param: tiller_tag} + "$TILLER_NAMESPACE": {get_param: tiller_namespace} + "$NODE_PROBLEM_DETECTOR_TAG": {get_param: node_problem_detector_tag} + "$NGINX_INGRESS_CONTROLLER_TAG": {get_param: nginx_ingress_controller_tag} + "$AUTO_HEALING_ENABLED": {get_param: auto_healing_enabled} + "$AUTO_HEALING_CONTROLLER": {get_param: auto_healing_controller} + "$MAGNUM_AUTO_HEALER_TAG": {get_param: magnum_auto_healer_tag} + "$AUTO_SCALING_ENABLED": {get_param: auto_scaling_enabled} + "$DRAINO_TAG": {get_param: draino_tag} + "$AUTOSCALER_TAG": 
{get_param: autoscaler_tag} + "$MIN_NODE_COUNT": {get_param: min_node_count} + "$MAX_NODE_COUNT": {get_param: max_node_count} + "$NPD_ENABLED": {get_param: npd_enabled} + + master_config_deployment: + type: OS::Heat::SoftwareDeployment + properties: + signal_transport: HEAT_SIGNAL + config: {get_resource: master_config} + server: {get_resource: kube-master} + actions: ['CREATE'] + + ###################################################################### + # + # a single kubernetes master. + # + + # do NOT use "_" (underscore) in the Nova server name + # it creates a mismatch between the generated Nova name and its hostname + # which can lead to weird problems + kube-master: + type: OS::Nova::Server + properties: + name: {get_param: name} + image: {get_param: server_image} + flavor: {get_param: master_flavor} + user_data_format: SOFTWARE_CONFIG + software_config_transport: POLL_SERVER_HEAT + user_data: {get_resource: agent_config} + networks: + - port: {get_resource: kube_master_eth0} + scheduler_hints: { group: { get_param: nodes_server_group_id }} + availability_zone: {get_param: availability_zone} + + kube_master_eth0: + type: OS::Neutron::Port + properties: + network: {get_param: fixed_network} + security_groups: + - {get_param: secgroup_kube_master_id} + fixed_ips: + - subnet: {get_param: fixed_subnet} + allowed_address_pairs: + - ip_address: {get_param: flannel_network_cidr} + replacement_policy: AUTO + + kube_master_floating: + type: Magnum::Optional::KubeMaster::Neutron::FloatingIP + properties: + floating_network: {get_param: external_network} + port_id: {get_resource: kube_master_eth0} + + api_pool_member: + type: Magnum::Optional::Neutron::LBaaS::PoolMember + properties: + pool: {get_param: api_pool_id} + address: {get_attr: [kube_master_eth0, fixed_ips, 0, ip_address]} + subnet: { get_param: fixed_subnet } + protocol_port: {get_param: kubernetes_port} + + etcd_pool_member: + type: Magnum::Optional::Neutron::LBaaS::PoolMember + properties: + pool: 
{get_param: etcd_pool_id}
+ address: {get_attr: [kube_master_eth0, fixed_ips, 0, ip_address]}
+ subnet: { get_param: fixed_subnet }
+ protocol_port: 2379
+
+ ######################################################################
+ #
+ # etcd storage. This allocates a cinder volume and attaches it
+ # to the master.
+ #
+
+ etcd_volume:
+ type: Magnum::Optional::Etcd::Volume
+ properties:
+ size: {get_param: etcd_volume_size}
+
+ etcd_volume_attach:
+ type: Magnum::Optional::Etcd::VolumeAttachment
+ properties:
+ instance_uuid: {get_resource: kube-master}
+ volume_id: {get_resource: etcd_volume}
+ mountpoint: /dev/vdc
+
+ ######################################################################
+ #
+ # docker storage. This allocates a cinder volume and attaches it
+ # to the minion.
+ #
+
+ docker_volume:
+ type: Magnum::Optional::Cinder::Volume
+ properties:
+ size: {get_param: docker_volume_size}
+ volume_type: {get_param: docker_volume_type}
+
+ docker_volume_attach:
+ type: Magnum::Optional::Cinder::VolumeAttachment
+ properties:
+ instance_uuid: {get_resource: kube-master}
+ volume_id: {get_resource: docker_volume}
+ mountpoint: /dev/vdb
+
+
+outputs:
+
+ kube_master_ip:
+ value: {get_attr: [kube_master_eth0, fixed_ips, 0, ip_address]}
+ description: >
+ This is the "private" IP address of the Kubernetes master node.
+
+ kube_master_external_ip:
+ value: {get_attr: [kube_master_floating, floating_ip_address]}
+ description: >
+ This is the "public" IP address of the Kubernetes master node.
diff --git a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubeminion.yaml b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubeminion.yaml
new file mode 100644
index 0000000000..b2ace281d8
--- /dev/null
+++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubeminion.yaml
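Review bot: The master_config str_replace block for write-heat-params-master.sh references parameters this template never declares — `cgroup_driver`, `traefik_ingress_controller_tag`, `cloud_provider_enabled`, `kube_service_account_key`, `kube_service_account_private_key`, `tiller_enabled`, `auto_healing_enabled`, `min_node_count`, `npd_enabled` and a dozen more — and the parent kubecluster.yaml's kube_masters resource_def does not pass them either, so Heat should reject the stack at validation time with an undefined-parameter error; either declare each one in the parameters section (with `hidden: true` for the service-account key material) or drop the substitution until the script needs it. Separately, `password` is declared without `hidden: true` although `trustee_password`, `trust_id`, `ca_key` and `grafana_admin_passwd` are, so the user password would be readable in stack parameter listings; add `hidden: true` under `password` as is done for `trustee_password`.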
@@ -0,0 +1,400 @@
+heat_template_version: 2014-10-16
+
+description: >
+ This is a nested stack that defines a single Kubernetes minion, This stack is
+ included by an AutoScalingGroup resource in the parent template
+ (kubecluster.yaml).
+
+parameters:
+
+ name:
+ type: string
+ description: server name
+
+ server_image:
+ type: string
+ description: glance image used to boot the server
+
+ minion_flavor:
+ type: string
+ description: flavor to use when booting the server
+
+ ssh_key_name:
+ type: string
+ description: name of ssh key to be provisioned on our server
+
+ external_network:
+ type: string
+ description: uuid/name of a network to use for floating ip addresses
+
+ kube_allow_priv:
+ type: string
+ description: >
+ whether or not kubernetes should permit privileged containers.
+ constraints:
+ - allowed_values: ["true", "false"]
+
+ docker_volume_size:
+ type: number
+ description: >
+ size of a cinder volume to allocate to docker for container/image
+ storage
+
+ docker_volume_type:
+ type: string
+ description: >
+ type of a cinder volume to allocate to docker for container/image
+ storage
+
+ docker_storage_driver:
+ type: string
+ description: docker storage driver name
+ default: "devicemapper"
+
+ tls_disabled:
+ type: boolean
+ description: whether or not to enable TLS
+
+ verify_ca:
+ type: boolean
+ description: whether or not to validate certificate authority
+
+ kubernetes_port:
+ type: number
+ description: >
+ The port which are used by kube-apiserver to provide Kubernetes
+ service.
+
+ cluster_uuid:
+ type: string
+ description: identifier for the cluster this template is generating
+
+ magnum_url:
+ type: string
+ description: endpoint to retrieve TLS certs from
+
+ prometheus_monitoring:
+ type: boolean
+ description: >
+ whether or not to have the node-exporter running on the node
+
+ kube_master_ip:
+ type: string
+ description: IP address of the Kubernetes master server.
+
+ etcd_server_ip:
+ type: string
+ description: IP address of the Etcd server.
+
+ fixed_network:
+ type: string
+ description: Network from which to allocate fixed addresses.
+
+ fixed_subnet:
+ type: string
+ description: Subnet from which to allocate fixed addresses.
+
+ network_driver:
+ type: string
+ description: network driver to use for instantiating container networks
+
+ flannel_network_cidr:
+ type: string
+ description: network range for flannel overlay network
+
+ wait_condition_timeout:
+ type: number
+ description : >
+ timeout for the Wait Conditions
+
+ registry_enabled:
+ type: boolean
+ description: >
+ Indicates whether the docker registry is enabled.
+
+ registry_port:
+ type: number
+ description: port of registry service
+
+ swift_region:
+ type: string
+ description: region of swift service
+
+ registry_container:
+ type: string
+ description: >
+ name of swift container which docker registry stores images in
+
+ registry_insecure:
+ type: boolean
+ description: >
+ indicates whether to skip TLS verification between registry and backend storage
+
+ registry_chunksize:
+ type: number
+ description: >
+ size fo the data segments for the swift dynamic large objects
+
+ secgroup_kube_minion_id:
+ type: string
+ description: ID of the security group for kubernetes minion.
+
+ volume_driver:
+ type: string
+ description: volume driver to use for container storage
+
+ region_name:
+ type: string
+ description: A logically separate section of the cluster
+
+ username:
+ type: string
+ description: >
+ user account
+
+ password:
+ type: string
+ description: >
+ user password, not set in current implementation, only used to
+ fill in for Kubernetes config file
+ hidden: true
+
+ http_proxy:
+ type: string
+ description: http proxy address for docker
+
+ https_proxy:
+ type: string
+ description: https proxy address for docker
+
+ no_proxy:
+ type: string
+ description: no proxies for docker
+
+ kube_tag:
+ type: string
+ description: tag of the k8s containers used to provision the kubernetes cluster
+
+ flannel_tag:
+ type: string
+ description: tag of the flannel system containers
+
+ kube_version:
+ type: string
+ description: version of kubernetes used for kubernetes cluster
+
+ trustee_domain_id:
+ type: string
+ description: domain id of the trustee
+
+ trustee_user_id:
+ type: string
+ description: user id of the trustee
+
+ trustee_username:
+ type: string
+ description: username of the trustee
+
+ trustee_password:
+ type: string
+ description: password of the trustee
+ hidden: true
+
+ trust_id:
+ type: string
+ description: id of the trust which is used by the trustee
+ hidden: true
+
+ auth_url:
+ type: string
+ description: >
+ url for keystone, must be v2 since k8s backend only support v2
+ at this point
+
+ insecure_registry_url:
+ type: string
+ description: insecure registry url
+
+ container_infra_prefix:
+ type: string
+ description: >
+ prefix of container images used in the cluster, kubernetes components,
+ kubernetes-dashboard, coredns etc
+
+ dns_service_ip:
+ type: string
+ description: >
+ address used by Kubernetes DNS service
+
+ dns_cluster_domain:
+ type: string
+ description: >
+ domain name for cluster DNS
+
+ openstack_ca:
+ type: string
+ description: The OpenStack CA certificate to install on the node.
+
+ nodes_server_group_id:
+ type: string
+ description: ID of the server group for kubernetes cluster nodes.
+
+ availability_zone:
+ type: string
+ description: >
+ availability zone for master and nodes
+ default: ""
+
+ pods_network_cidr:
+ type: string
+ description: Configure the IP pool/range from which pod IPs will be chosen
+
+ kubelet_options:
+ type: string
+ description: >
+ additional options to be passed to the kubelet
+
+ kubeproxy_options:
+ type: string
+ description: >
+ additional options to be passed to the kube proxy
+
+ octavia_enabled:
+ type: boolean
+ description: >
+ whether or not to use Octavia for LoadBalancer type service.
+ default: False
+
+ container_runtime:
+ type: string
+ description: >
+ Container runtime to use with Kubernetes.
+
+ hyperkube_image:
+ type: string
+ description: >
+ Docker registry used for hyperkube image
+
+resources:
+
+
+ minion_wait_handle:
+ type: OS::Heat::WaitConditionHandle
+
+ minion_wait_condition:
+ type: OS::Heat::WaitCondition
+ depends_on: kube-minion
+ properties:
+ handle: {get_resource: minion_wait_handle}
+ timeout: {get_param: wait_condition_timeout}
+
+ ######################################################################
+ #
+ # software configs. these are components that are combined into
+ # a multipart MIME user-data archive.
+ #
+
+ agent_config:
+ type: OS::Heat::SoftwareConfig
+ properties:
+ group: ungrouped
+ config:
+ list_join:
+ - "\n"
+ -
+ - str_replace:
+ template: {get_file: fragments/configure-agent.ign}
+ params:
+ $SSH_KEY_VALUE: {get_param: ssh_key_value}
+ $HOSTNAME: {get_param: name}
+ $OPENSTACK_CA: {get_param: openstack_ca}
+ $CONTAINER_INFRA_PREFIX: {get_param: container_infra_prefix}
+ $HEAT_CONTAINER_AGENT_TAG: {get_param: heat_container_agent_tag}
+ $TRUSTEE_USER_ID: {get_param: trustee_user_id}
+ $TRUSTEE_PASSWORD: {get_param: trustee_password}
+ $AUTH_URL: {get_param: auth_url}
+ $PROJECT_ID: {get_param: project_id}
+ $REGION_NAME: {get_param: region_name}
+ $RESOURCE_NAME: "kube_master"
+ $STACK_ID: "ID"
+
+ # do NOT use "_" (underscore) in the Nova server name
+ # it creates a mismatch between the generated Nova name and its hostname
+ # which can lead to weird problems
+ kube-minion:
+ type: OS::Nova::Server
+ properties:
+ name: {get_param: name}
+ image: {get_param: server_image}
+ flavor: {get_param: minion_flavor}
+ key_name: {get_param: ssh_key_name}
+ user_data_format: RAW
+ user_data: {get_resource: agent_config}
+ networks:
+ - port: {get_resource: kube_minion_eth0}
+ scheduler_hints: { group: { get_param: nodes_server_group_id }}
+
+ kube_minion_eth0:
+ type: OS::Neutron::Port
+ properties:
+ network: {get_param: fixed_network}
+ security_groups:
+ - {get_param: secgroup_kube_minion_id}
+ fixed_ips:
+ - subnet: {get_param: fixed_subnet}
+ allowed_address_pairs:
+ - ip_address: {get_param: flannel_network_cidr}
+ replacement_policy: AUTO
+
+ kube_minion_floating:
+ type: Magnum::Optional::KubeMinion::Neutron::FloatingIP
+ properties:
+ floating_network: {get_param: external_network}
+ port_id: {get_resource: kube_minion_eth0}
+
+ ######################################################################
+ #
+ # docker storage. This allocates a cinder volume and attaches it
+ # to the minion.
+ #
+
+ docker_volume:
+ type: Magnum::Optional::Cinder::Volume
+ properties:
+ size: {get_param: docker_volume_size}
+ volume_type: {get_param: docker_volume_type}
+
+ docker_volume_attach:
+ type: Magnum::Optional::Cinder::VolumeAttachment
+ properties:
+ instance_uuid: {get_resource: kube-minion}
+ volume_id: {get_resource: docker_volume}
+ mountpoint: /dev/vdb
+
+outputs:
+
+ kube_minion_ip:
+ value: {get_attr: [kube_minion_eth0, fixed_ips, 0, ip_address]}
+ description: >
+ This is the "public" IP address of the Kubernetes minion node.
+
+ kube_minion_external_ip:
+ value: {get_attr: [kube_minion_floating, floating_ip_address]}
+ description: >
+ This is the "public" IP address of the Kubernetes minion node.
+
+ ######################################################################
+ #
+ # NOTE(flwang): Returning the minion node server ID here so that
+ # consumer can send API request to Heat to remove a particular
+ # node with removal_policies. Otherwise, the consumer (e.g. AutoScaler)
+ # has to use index to do the remove which is confusing out of the
+ # OpenStack world.
+ # https://storyboard.openstack.org/#!/story/2005054
+ #
+ ######################################################################
+
+ OS::stack_id:
+ value: { get_resource: kube-minion }
+ description: >
+ This is the Nova server id of the node.
diff --git a/magnum/drivers/k8s_fedora_coreos_v1/templates/playbooks/configure-kubernetes-master.yaml b/magnum/drivers/k8s_fedora_coreos_v1/templates/playbooks/configure-kubernetes-master.yaml
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/magnum/drivers/k8s_fedora_coreos_v1/version.py b/magnum/drivers/k8s_fedora_coreos_v1/version.py
new file mode 100644
index 0000000000..b382039a7d
--- /dev/null
+++ b/magnum/drivers/k8s_fedora_coreos_v1/version.py
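Review bot: The minion `agent_config` reads `ssh_key_value`, `heat_container_agent_tag` and `project_id` through `get_param`, but none of the three is declared in this template's `parameters:` section, so Heat will reject the nested stack at validation time; the same block also carries the master's `$RESOURCE_NAME: "kube_master"` and a placeholder `$STACK_ID: "ID"`, which presumably point the agent at the wrong resource metadata once the parameters do exist. `minion_wait_condition` is declared with `depends_on: kube-minion`, yet nothing in the template passes the wait handle's signal to the node and there is no SoftwareDeployment for the minion (the master has `master_config_deployment`), so the stack can only complete by timing out after `wait_condition_timeout` — if the playbook wiring is still to come, a `# TODO: signal from the configure playbook` comment on the resource would make that explicit. Note too that `trustee_password` is `hidden: true` as a stack parameter but is rendered straight into the Ignition user data, which any process on the node can read back from the Nova metadata service; this mirrors how trustee credentials reach the existing drivers, but a comment on `agent_config` stating that the trust is the intended, scoped credential for the node would make the exposure deliberate rather than incidental. Finally, the declared `availability_zone` parameter is never applied to `kube-minion` although the master server sets it, and `kube_minion_ip` is described as the "public" address although it is the port's fixed IP — `This is the "private" IP address of the Kubernetes minion node.` matches the master template.
```yaml
  ssh_key_value:
    type: string
    description: public key content to be provisioned on our server

  heat_container_agent_tag:
    type: string
    description: tag of the heat_container_agent container image

  project_id:
    type: string
    description: project id of the cluster owner

  # … unchanged: remaining parameters, minion_wait_* resources …

          $RESOURCE_NAME: "kube_minion"
          # … unchanged: $STACK_ID and the rest of agent_config …
```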
@@ -0,0 +1,17 @@
+# Copyright 2016 - Rackspace Hosting
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+version = '1.0.0'
+driver = 'k8s_fedora_coreos_v1'
+container_version = '1.11.2'
diff --git a/setup.cfg b/setup.cfg
index 27e715ea10..4de7d8975a 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -66,6 +66,7 @@ magnum.drivers = swarm_fedora_atomic_v2 = magnum.drivers.swarm_fedora_atomic_v2.driver:Driver mesos_ubuntu_v1 = magnum.drivers.mesos_ubuntu_v1.driver:Driver k8s_fedora_ironic_v1 = magnum.drivers.k8s_fedora_ironic_v1.driver:Driver + k8s_fedora_coreos_v1 = magnum.drivers.k8s_fedora_coreos_v1.driver:Driver magnum.database.migration_backend = sqlalchemy = magnum.db.sqlalchemy.migration