Fix k8s deployment when cluster_user_trust=False
At the moment, cluster deployment fails when cluster_user_trust=False.
This is because the entire SoftwareDeployment exits rather than a single
script fragment. This patch fixes this by scoping the remainder of the
script conditional on whether TRUST_ID is defined.
Finally, default `cloud_provider_enabled` to false when
`cluster_user_trust` is false. Raise an error when
`cloud_provider_enabled` is overridden to true when `cluster_user_trust`
is false. This ensures that the minion kubelet is correctly configured.
Change-Id: Ibd9270c87bfa5d2f490e2e226e33ca56696d9e81
Story: 2006531
Task: 36587
(cherry picked from commit eebcc9b7a1
)
parent
fcc0213a58
commit
ba1cca121d
|
@ -112,7 +112,7 @@ if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
|
|||
KUBE_ADMISSION_CONTROL="--admission-control=NodeRestriction,${ADMISSION_CONTROL_LIST}"
|
||||
fi
|
||||
|
||||
if [ -n "$TRUST_ID" ] && [ "$(echo "${CLOUD_PROVIDER_ENABLED}" | tr '[:upper:]' '[:lower:]')" = "true" ]; then
|
||||
if [ "$(echo "${CLOUD_PROVIDER_ENABLED}" | tr '[:upper:]' '[:lower:]')" = "true" ]; then
|
||||
KUBE_API_ARGS="$KUBE_API_ARGS --cloud-provider=external"
|
||||
fi
|
||||
|
||||
|
@ -166,7 +166,7 @@ if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
|
|||
KUBE_CONTROLLER_MANAGER_ARGS="$KUBE_CONTROLLER_MANAGER_ARGS --service-account-private-key-file=$CERT_DIR/service_account_private.key --root-ca-file=$CERT_DIR/ca.crt"
|
||||
fi
|
||||
|
||||
if [ -n "$TRUST_ID" ] && [ "$(echo "${CLOUD_PROVIDER_ENABLED}" | tr '[:upper:]' '[:lower:]')" = "true" ]; then
|
||||
if [ "$(echo "${CLOUD_PROVIDER_ENABLED}" | tr '[:upper:]' '[:lower:]')" = "true" ]; then
|
||||
KUBE_CONTROLLER_MANAGER_ARGS="$KUBE_CONTROLLER_MANAGER_ARGS --cloud-provider=external"
|
||||
KUBE_CONTROLLER_MANAGER_ARGS="$KUBE_CONTROLLER_MANAGER_ARGS --external-cloud-volume-plugin=openstack --cloud-config=/etc/kubernetes/cloud-config"
|
||||
fi
|
||||
|
@ -191,7 +191,7 @@ KUBELET_ARGS="${KUBELET_ARGS} --cluster_dns=${DNS_SERVICE_IP} --cluster_domain=$
|
|||
KUBELET_ARGS="${KUBELET_ARGS} --volume-plugin-dir=/var/lib/kubelet/volumeplugins"
|
||||
KUBELET_ARGS="${KUBELET_ARGS} ${KUBELET_OPTIONS}"
|
||||
|
||||
if [ -n "$TRUST_ID" ] && [ "$(echo "${CLOUD_PROVIDER_ENABLED}" | tr '[:upper:]' '[:lower:]')" = "true" ]; then
|
||||
if [ "$(echo "${CLOUD_PROVIDER_ENABLED}" | tr '[:upper:]' '[:lower:]')" = "true" ]; then
|
||||
KUBELET_ARGS="${KUBELET_ARGS} --cloud-provider=external"
|
||||
fi
|
||||
|
||||
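Review bot: With the `TRUST_ID` test dropped from this condition (assuming the second printed variant is the new side, as the commit message implies), nothing in the script records that `CLOUD_PROVIDER_ENABLED=true` is only valid when a trust exists. The same holds for the kube-apiserver, kube-controller-manager and kubelet conditions in this file and for the cloud-controller-manager condition in the next file section. The controller-manager branch passes `--cloud-config=/etc/kubernetes/cloud-config`, and judging by the config-writing section further down, that file is only generated when `TRUST_ID` is non-empty, so the guarantee now rests entirely on the API-side label validation. I would state that above each condition, e.g. `# CLOUD_PROVIDER_ENABLED=true implies TRUST_ID is set (enforced by API label validation); /etc/kubernetes/cloud-config only exists in that case`. The script continues outside these hunks, so whether any other path can set the variable cannot be confirmed from here.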
|
|
|
@ -90,7 +90,7 @@ kubectl -n kube-system create secret generic os-trustee \
|
|||
--from-file=os-certAuthority=/etc/kubernetes/ca-bundle.crt
|
||||
|
||||
#TODO: add heat variables for master count to determine leaderelect true/False ?
|
||||
if [ -n "${TRUST_ID}" ] && [ "$(echo "${CLOUD_PROVIDER_ENABLED}" | tr '[:upper:]' '[:lower:]')" = "true" ]; then
|
||||
if [ "$(echo "${CLOUD_PROVIDER_ENABLED}" | tr '[:upper:]' '[:lower:]')" = "true" ]; then
|
||||
occm_image="${CONTAINER_INFRA_PREFIX:-docker.io/k8scloudprovider/}openstack-cloud-controller-manager:${CLOUD_PROVIDER_TAG}"
|
||||
OCCM=/srv/magnum/kubernetes/openstack-cloud-controller-manager.yaml
|
||||
|
||||
|
|
|
@ -3,17 +3,14 @@
|
|||
. /etc/sysconfig/heat-params
|
||||
|
||||
mkdir -p /etc/kubernetes/
|
||||
|
||||
if [ -z "${TRUST_ID}" ]; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
KUBE_OS_CLOUD_CONFIG=/etc/kubernetes/cloud-config
|
||||
cp /etc/pki/tls/certs/ca-bundle.crt /etc/kubernetes/ca-bundle.crt
|
||||
|
||||
# Generate a the configuration for Kubernetes services
|
||||
# to talk to OpenStack Neutron and Cinder
|
||||
cat > $KUBE_OS_CLOUD_CONFIG <<EOF
|
||||
if [ -n "${TRUST_ID}" ]; then
|
||||
KUBE_OS_CLOUD_CONFIG=/etc/kubernetes/cloud-config
|
||||
|
||||
# Generate a the configuration for Kubernetes services
|
||||
# to talk to OpenStack Neutron and Cinder
|
||||
cat > ${KUBE_OS_CLOUD_CONFIG} <<EOF
|
||||
[Global]
|
||||
auth-url=$AUTH_URL
|
||||
user-id=$TRUSTEE_USER_ID
|
||||
|
@ -32,10 +29,11 @@ monitor-max-retries=3
|
|||
bs-version=v2
|
||||
EOF
|
||||
|
||||
# Provide optional region parameter if it's set.
|
||||
if [ -n ${REGION_NAME} ]; then
|
||||
sed -i '/ca-file/a region='${REGION_NAME}'' $KUBE_OS_CLOUD_CONFIG
|
||||
fi
|
||||
# Provide optional region parameter if it's set.
|
||||
if [ -n "${REGION_NAME}" ]; then
|
||||
sed -i '/ca-file/a region='${REGION_NAME}'' $KUBE_OS_CLOUD_CONFIG
|
||||
fi
|
||||
|
||||
# backwards compatibility, some apps may expect this file from previous magnum versions.
|
||||
cp ${KUBE_OS_CLOUD_CONFIG} /etc/kubernetes/kube_openstack_config
|
||||
# backwards compatibility, some apps may expect this file from previous magnum versions.
|
||||
cp ${KUBE_OS_CLOUD_CONFIG} /etc/kubernetes/kube_openstack_config
|
||||
fi
|
||||
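Review bot: The `sed` line inside the region block still expands `${REGION_NAME}` outside any quotes (`'/ca-file/a region='${REGION_NAME}''`), so the quoting fix applied to the `[ -n "${REGION_NAME}" ]` test does not reach it. A value containing whitespace or glob characters is word-split before sed sees it. I would write it as `sed -i "/ca-file/a region=${REGION_NAME}" "${KUBE_OS_CLOUD_CONFIG}"`. Separately, the heredoc writes trustee identity values to the cloud-config file (`user-id=$TRUSTEE_USER_ID` is visible, the remaining keys are outside the hunk) and the file is then copied to `kube_openstack_config` with no mode set, so both take the default umask. It is worth confirming which consumers need read access and restricting the files accordingly.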
|
|
|
@ -97,7 +97,13 @@ class K8sFedoraTemplateDefinition(k8s_template_def.K8sTemplateDefinition):
|
|||
# check cloud provider and cinder options. If cinder is selected,
|
||||
# the cloud provider needs to be enabled.
|
||||
cloud_provider_enabled = cluster.labels.get(
|
||||
'cloud_provider_enabled', 'true').lower()
|
||||
'cloud_provider_enabled',
|
||||
'true' if CONF.trust.cluster_user_trust else 'false').lower()
|
||||
if (not CONF.trust.cluster_user_trust
|
||||
and cloud_provider_enabled == 'true'):
|
||||
raise exception.InvalidParameterValue(_(
|
||||
'"cluster_user_trust" must be set to True in magnum.conf when '
|
||||
'"cloud_provider_enabled" label is set to true.'))
|
||||
if (cluster_template.volume_driver == 'cinder'
|
||||
and cloud_provider_enabled == 'false'):
|
||||
raise exception.InvalidParameterValue(_(
|
||||
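Review bot: The new trust check compares the lowered label only against the literal `'true'`, and the cinder check below it only against `'false'`, so any other value (`'yes'`, `'1'`, a value with stray whitespace) passes both validations. The shell fragments in this commit test for exactly `true`, so such a value would be accepted by the API and then silently treated as disabled on the nodes, including when the cinder volume driver is selected. I would reject anything outside the two literals before these comparisons: `if cloud_provider_enabled not in ('true', 'false'): raise exception.InvalidParameterValue(_('"cloud_provider_enabled" label must be "true" or "false".'))`. The enclosing method starts and ends outside the hunk, so an earlier normalisation step cannot be ruled out.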
|
|