From 230ad3f2db0a5daa08696b109d39d716406ff243 Mon Sep 17 00:00:00 2001 From: Diogo Guerra Date: Fri, 1 Feb 2019 14:39:34 +0100 Subject: [PATCH] [k8s] helm install metrics service * Add Folder specific for helm managed resources * Add first use case of helm install script * Install metrics-server with helm (parallel to heapster to allow back compatibility) * Added extra ARGS to kube-apiserver to enable communication with metrics-server Known Issues: * Tiller pod sometimes is presented as not active due to (possibly) Heartbeat/Healthz story: 2004816 task: 28980 depends_on: I99d3a78085ba10030200f12bbfe58a72964e2326 Change-Id: I1b2432bc09ccde02e43124ed010120b99d853d65 Signed-off-by: Diogo Guerra --- .../fragments/configure-kubernetes-master.sh | 9 ++ .../fragments/install-helm-modules.sh | 29 +++++++ .../kubernetes/helm/metrics-server.sh | 83 +++++++++++++++++++ .../templates/kubecluster.yaml | 2 + ...tall-metrics-service-cd18be76c4ed0e5f.yaml | 8 ++ 5 files changed, 131 insertions(+) create mode 100644 magnum/drivers/common/templates/kubernetes/fragments/install-helm-modules.sh create mode 100755 magnum/drivers/common/templates/kubernetes/helm/metrics-server.sh create mode 100644 releasenotes/notes/helm-install-metrics-service-cd18be76c4ed0e5f.yaml diff --git a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh index ac7ffeab39..3a97b355c4 100644 --- a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh +++ b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh 
@@ -68,6 +68,15 @@ else KUBE_API_ARGS="$KUBE_API_ARGS --client-ca-file=$CERT_DIR/ca.crt" KUBE_API_ARGS="$KUBE_API_ARGS --service-account-key-file=${CERT_DIR}/service_account.key" KUBE_API_ARGS="$KUBE_API_ARGS --kubelet-certificate-authority=${CERT_DIR}/ca.crt --kubelet-client-certificate=${CERT_DIR}/server.crt --kubelet-client-key=${CERT_DIR}/server.key --kubelet-https=true" + # Allow for metrics-server/aggregator communication + KUBE_API_ARGS="${KUBE_API_ARGS} \ + --proxy-client-cert-file=${CERT_DIR}/server.crt \ + --proxy-client-key-file=${CERT_DIR}/server.key \ + --requestheader-allowed-names=front-proxy-client,kube,kubernetes \ + --requestheader-client-ca-file=${CERT_DIR}/ca.crt \ + --requestheader-extra-headers-prefix=X-Remote-Extra- \ + --requestheader-group-headers=X-Remote-Group \ + --requestheader-username-headers=X-Remote-User" fi KUBE_ADMISSION_CONTROL="" diff --git a/magnum/drivers/common/templates/kubernetes/fragments/install-helm-modules.sh b/magnum/drivers/common/templates/kubernetes/fragments/install-helm-modules.sh new file mode 100644 index 0000000000..20d11c8d13 --- /dev/null +++ b/magnum/drivers/common/templates/kubernetes/fragments/install-helm-modules.sh @@ -0,0 +1,29 @@ +#!/bin/bash + +step="install-helm-modules.sh" +printf "Starting to run ${step}\n" + +. /etc/sysconfig/heat-params + +set -ex + +echo "Waiting for Kubernetes API..." +until [ "ok" = "$(curl --silent http://127.0.0.1:8080/healthz)" ] +do + sleep 5 +done + +if [ "$(echo ${TILLER_ENABLED} | tr '[:upper:]' '[:lower:]')" != "true" ]; then + echo "Use --labels tiller_enabled=True to allow for tiller dependent resources to be installed" +else + HELM_MODULES_PATH="/srv/magnum/kubernetes/helm" + chmod +x ${HELM_MODULES_PATH}/* + helm_modules=(${HELM_MODULES_PATH}/*) + + for module in "${helm_modules[@]}"; do + echo "" + kubectl apply -f ${module} + done +fi + +printf "Finished running ${step}\n" 
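Review bot: The added `--requestheader-client-ca-file=${CERT_DIR}/ca.crt` points request-header authentication at the same CA that `--client-ca-file` already trusts in the context lines above. Any client certificate issued by that CA whose CN is one of `front-proxy-client,kube,kubernetes` would then be accepted as a front proxy and could assert arbitrary `X-Remote-User`/`X-Remote-Group` values. The Kubernetes aggregation-layer documentation advises a separate CA for this; I would use `--requestheader-client-ca-file=<dedicated front-proxy CA cert>`, point `--proxy-client-cert-file`/`--proxy-client-key-file` at a pair signed by it, and narrow `--requestheader-allowed-names` to that certificate's CN. Reusing `server.crt`/`server.key` as the proxy client identity also makes the API server's serving key double as a client credential. The `else` branch starts outside the hunk, so the CN carried by `server.crt` is not visible here.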
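Review bot: The loop built from `helm_modules=(${HELM_MODULES_PATH}/*)` in install-helm-modules.sh applies every file found in `/srv/magnum/kubernetes/helm`, unquoted and unfiltered. Anything that lands in that directory is applied with whatever credentials kubectl has on the master, and an empty directory passes the literal `*` to kubectl and aborts under `set -e`. The `chmod +x` is not needed for `kubectl apply -f` and only makes the manifests executable. I would drop the chmod, set `shopt -s nullglob`, and iterate with `for module in "${HELM_MODULES_PATH}"/*.yaml; do kubectl apply -f "${module}"; done`. The `until curl … /healthz` wait also has no upper bound, so a retry limit with a non-zero exit would surface a master whose API never becomes healthy.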
diff --git a/magnum/drivers/common/templates/kubernetes/helm/metrics-server.sh b/magnum/drivers/common/templates/kubernetes/helm/metrics-server.sh
new file mode 100755
index 0000000000..bcd5b368a0
--- /dev/null
+++ b/magnum/drivers/common/templates/kubernetes/helm/metrics-server.sh
@@ -0,0 +1,83 @@
+#!/bin/bash
+
+set -ex
+
+CHART_NAME="metrics-server"
+CHART_VERSION="2.1.0"
+
+HELM_MODULE_CONFIG_FILE="/srv/magnum/kubernetes/helm/${CHART_NAME}.yaml"
+[ -f ${HELM_MODULE_CONFIG_FILE} ] || {
+ echo "Writing File: ${HELM_MODULE_CONFIG_FILE}"
+ mkdir -p $(dirname ${HELM_MODULE_CONFIG_FILE})
+ cat << EOF > ${HELM_MODULE_CONFIG_FILE}
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: ${CHART_NAME}-config
+ namespace: magnum-tiller
+ labels:
+ app: helm
+data:
+ install-${CHART_NAME}.sh: |
+ #!/bin/bash
+ set -e
+ set -x
+ mkdir -p \${HELM_HOME}
+ cp /etc/helm/* \${HELM_HOME}
+
+ # HACK - Force wait because of bug https://github.com/helm/helm/issues/5170
+ until helm init --client-only --wait
+ do
+ sleep 5s
+ done
+ helm repo update
+
+ if [[ \$(helm history metrics-server | grep metrics-server) ]]; then
+ echo "${CHART_NAME} already installed on server. Continue..."
+ exit 0
+ else
+ helm install stable/${CHART_NAME} --namespace kube-system --name ${CHART_NAME} --version v${CHART_VERSION}
+ fi
+
+---
+
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: install-${CHART_NAME}-job
+ namespace: magnum-tiller
+spec:
+ backoffLimit: 5
+ template:
+ spec:
+ serviceAccountName: tiller
+ containers:
+ - name: config-helm
+ image: docker.io/openstackmagnum/helm-client:dev
+ command:
+ - bash
+ args:
+ - /opt/magnum/install-${CHART_NAME}.sh
+ env:
+ - name: HELM_HOME
+ value: /helm_home
+ - name: TILLER_NAMESPACE
+ value: magnum-tiller
+ - name: HELM_TLS_ENABLE
+ value: "true"
+ volumeMounts:
+ - name: install-${CHART_NAME}-config
+ mountPath: /opt/magnum/
+ - mountPath: /etc/helm
+ name: helm-client-certs
+ restartPolicy: Never
+ volumes:
+ - name: install-${CHART_NAME}-config
+ configMap:
+ name: ${CHART_NAME}-config
+ - name: helm-client-certs
+ secret:
+ secretName: helm-client-secret
+EOF
+}
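Review bot: The Job's `image: docker.io/openstackmagnum/helm-client:dev` is a mutable tag, and the container runs as `serviceAccountName: tiller` with the `helm-client-secret` certificates mounted, so whatever is later pushed to `dev` executes with those credentials on every new cluster. Pin it to a release tag or a digest, e.g. `image: docker.io/openstackmagnum/helm-client@sha256:<digest of the reviewed image>`, ideally supplied through a cluster label so operators can mirror it. Separately, the generated script checks `helm history metrics-server | grep metrics-server` with the release name hard-coded while every other reference uses `${CHART_NAME}`. Since the heredoc is unquoted, `helm history ${CHART_NAME} | grep ${CHART_NAME}` would keep this file usable as a template for the next chart. The unquoted `[ -f ${HELM_MODULE_CONFIG_FILE} ]` and `$(dirname ${HELM_MODULE_CONFIG_FILE})` should be quoted as well.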
diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
index 97a4d35f2f..cd3ad8f3f0 100644
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
@@ -808,6 +808,8 @@ resources:
 - get_file: ../../common/templates/kubernetes/fragments/core-dns-service.sh
 - get_file: ../../common/templates/kubernetes/fragments/calico-service.sh
 - get_file: ../../common/templates/kubernetes/fragments/enable-helm-tiller.sh
+ - get_file: ../../common/templates/kubernetes/helm/metrics-server.sh
+ - get_file: ../../common/templates/kubernetes/fragments/install-helm-modules.sh
 - str_replace:
 template: {get_file: ../../common/templates/kubernetes/fragments/enable-prometheus-monitoring.sh}
 params:
diff --git a/releasenotes/notes/helm-install-metrics-service-cd18be76c4ed0e5f.yaml b/releasenotes/notes/helm-install-metrics-service-cd18be76c4ed0e5f.yaml
new file mode 100644
index 0000000000..892cac1e18
--- /dev/null
+++ b/releasenotes/notes/helm-install-metrics-service-cd18be76c4ed0e5f.yaml
@@ -0,0 +1,8 @@
+---
+features:
+ - |
+ Installs the metrics-server service that is replacing kubernetes deprecated
+ heapster as a cluster wide metrics reporting service used by schedulling,
+ HPA and others. This service is installed and configured using helm and so
+ tiller_enabled flag must be True. Heapster service is maintained active to
+ allow compatibility.