Enable TLS support for k8s CoreOS
* Add cloud-init to generate TLS certificates in each node. * Modify coreos fragments to point to the path of certificates. * Add support for "--tls-disabled" to turn off TLS. * Use Keystone trust to retrieve TLS certificates. Implements: blueprint tls-for-coreos-bay Change-Id: I66842f9374abe5a9bbf275fa130c0eae3e6065ab
This commit is contained in:
parent
c3956ac9f4
commit
bb05385b58
|
@ -315,8 +315,7 @@ baymodel, except for pointing to a different image::
|
|||
--dns-nameserver 8.8.8.8 \
|
||||
--flavor-id m1.small \
|
||||
--network-driver flannel \
|
||||
--coe kubernetes \
|
||||
--tls-disabled
|
||||
--coe kubernetes
|
||||
|
||||
Create a CoreOS Kubernetes bay. Use the CoreOS baymodel as a template for bay
|
||||
creation::
|
||||
|
|
|
@ -459,6 +459,9 @@ class K8sTemplateDefinition(BaseTemplateDefinition):
|
|||
required=True)
|
||||
self.add_parameter('registry_enabled',
|
||||
baymodel_attr='registry_enabled')
|
||||
self.add_parameter('bay_uuid',
|
||||
bay_attr='uuid',
|
||||
param_type=str)
|
||||
|
||||
self.add_output('api_address',
|
||||
bay_attr='api_address',
|
||||
|
@ -481,6 +484,12 @@ class K8sTemplateDefinition(BaseTemplateDefinition):
|
|||
scale_mgr.get_removal_nodes(hosts))
|
||||
|
||||
extra_params['discovery_url'] = self.get_discovery_url(bay)
|
||||
osc = clients.OpenStackClients(context)
|
||||
extra_params['magnum_url'] = osc.magnum_url()
|
||||
|
||||
if baymodel.tls_disabled:
|
||||
extra_params['loadbalancing_protocol'] = 'HTTP'
|
||||
extra_params['kubernetes_port'] = 8080
|
||||
|
||||
label_list = ['flannel_network_cidr', 'flannel_backend',
|
||||
'flannel_network_subnetlen']
|
||||
|
@ -509,9 +518,6 @@ class AtomicK8sTemplateDefinition(K8sTemplateDefinition):
|
|||
|
||||
def __init__(self):
|
||||
super(AtomicK8sTemplateDefinition, self).__init__()
|
||||
self.add_parameter('bay_uuid',
|
||||
bay_attr='uuid',
|
||||
param_type=str)
|
||||
self.add_parameter('docker_volume_size',
|
||||
baymodel_attr='docker_volume_size')
|
||||
|
||||
|
@ -521,13 +527,8 @@ class AtomicK8sTemplateDefinition(K8sTemplateDefinition):
|
|||
extra_params['username'] = context.user_name
|
||||
extra_params['tenant_name'] = context.tenant
|
||||
osc = clients.OpenStackClients(context)
|
||||
extra_params['magnum_url'] = osc.magnum_url()
|
||||
extra_params['region_name'] = osc.cinder_region_name()
|
||||
|
||||
if baymodel.tls_disabled:
|
||||
extra_params['loadbalancing_protocol'] = 'HTTP'
|
||||
extra_params['kubernetes_port'] = 8080
|
||||
|
||||
return super(AtomicK8sTemplateDefinition,
|
||||
self).get_params(context, baymodel, bay,
|
||||
extra_params=extra_params,
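Review bot: The `tls_disabled` branch that now lives in `K8sTemplateDefinition.get_params` (`extra_params['loadbalancing_protocol'] = 'HTTP'` / `extra_params['kubernetes_port'] = 8080`) overrides the Heat defaults of `TCP`/`6443` with bare literals and no explanation of why both must flip together. A one-line comment would save the next reader a trip through the fragments: `# Without TLS the apiserver only serves its insecure port, so the LB must pass plain HTTP through to 8080.` The same two values are also the only place the insecure port is chosen, so lifting them into module constants (e.g. `KUBE_INSECURE_PORT = 8080`) would keep the template_def and its tests on a single source. `AtomicK8sTemplateDefinition.get_params` continues past the end of this section.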
|
||||
|
|
|
@ -24,16 +24,24 @@ write_files:
|
|||
myip=$(ip addr show eth0 |
|
||||
awk '$1 == "inet" {print $2}' | cut -f1 -d/)
|
||||
|
||||
# TODO(hongbin): enable TLS
|
||||
TLS_CERT_FILE=
|
||||
TLS_PRIVATE_KEY_FILE=
|
||||
CLIENT_CA_FILE=
|
||||
INSECURE_PORT=${KUBE_API_PORT}
|
||||
SECURE_PORT=0
|
||||
BIND_ADDRESS_CMD="--insecure-bind-address=0.0.0.0"
|
||||
KUBE_CERTS_PATH=/etc/kubernetes/ssl
|
||||
HOST_CERTS_PATH=/usr/share/ca-certificates
|
||||
|
||||
TLS_CERT_FILE=${KUBE_CERTS_PATH}/apiserver.pem
|
||||
TLS_PRIVATE_KEY_FILE=${KUBE_CERTS_PATH}/apiserver-key.pem
|
||||
CLIENT_CA_FILE=${KUBE_CERTS_PATH}/ca.pem
|
||||
INSECURE_PORT=8080
|
||||
SECURE_PORT=${KUBE_API_PORT}
|
||||
BIND_ADDRESS_CMD="--bind-address=0.0.0.0"
|
||||
if [ "${TLS_DISABLED}" == "True" ]; then
|
||||
TLS_CERT_FILE=
|
||||
TLS_PRIVATE_KEY_FILE=
|
||||
CLIENT_CA_FILE=
|
||||
INSECURE_PORT=${KUBE_API_PORT}
|
||||
SECURE_PORT=0
|
||||
BIND_ADDRESS_CMD="--insecure-bind-address=0.0.0.0"
|
||||
fi
|
||||
|
||||
TEMPLATE=/etc/kubernetes/manifests/kube-apiserver.yaml
|
||||
mkdir -p $(dirname ${TEMPLATE})
|
||||
cat > $TEMPLATE <<EOF
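Review bot: In the TLS-enabled path `INSECURE_PORT=8080` is kept and `BIND_ADDRESS_CMD` only sets `--bind-address=0.0.0.0`, so the plaintext, unauthenticated listener still exists next to the secure one; how it is bound is not visible here, because the manifest body that consumes `INSECURE_PORT` is generated below the hunk. If nothing on the master needs localhost:8080, set `INSECURE_PORT=0` in the TLS branch; otherwise pin it explicitly with `BIND_ADDRESS_CMD="--bind-address=0.0.0.0 --insecure-bind-address=127.0.0.1"` so that a change in kube-apiserver's default can never expose 8080 on the node address. The heredoc that writes the manifest starts on the last line of this hunk and continues outside it.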
|
||||
|
|
|
@ -22,10 +22,16 @@ write_files:
|
|||
|
||||
. /etc/sysconfig/heat-params
|
||||
|
||||
# TODO(hongbin): enable TLS
|
||||
KUBE_CERTS_PATH=/etc/kubernetes/ssl
|
||||
HOST_CERTS_PATH=/usr/share/ca-certificates
|
||||
|
||||
SERVICE_ACCOUNT_PRIVATE_KEY_FILE=${KUBE_CERTS_PATH}/apiserver-key.pem
|
||||
ROOT_CA_FILE=${KUBE_CERTS_PATH}/ca.pem
|
||||
if [ "${TLS_DISABLED}" == "True" ]; then
|
||||
SERVICE_ACCOUNT_PRIVATE_KEY_FILE=
|
||||
ROOT_CA_FILE=
|
||||
fi
|
||||
|
||||
TEMPLATE=/srv/kubernetes/manifests/kube-controller-manager.yaml
|
||||
mkdir -p $(dirname ${TEMPLATE})
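Review bot: `SERVICE_ACCOUNT_PRIVATE_KEY_FILE` points at `apiserver-key.pem`, so the apiserver's TLS private key doubles as the key that signs service-account tokens; a compromise of either role exposes the other and the two cannot be rotated independently. Since make-cert-coreos.yaml already generates the server key, it is cheap to generate a dedicated `service-account-key.pem` there and reference it here (the apiserver would then need the matching `--service-account-key-file`, which is outside this hunk). At minimum record the trade-off: `# NOTE: the apiserver TLS key is reused for service-account token signing; a dedicated key pair is preferable.` The kube-controller-manager manifest that consumes these variables is generated below the visible lines.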
|
||||
|
||||
|
|
|
@ -24,7 +24,6 @@ write_files:
|
|||
myip=$(ip addr show eth0 |
|
||||
awk '$1 == "inet" {print $2}' | cut -f1 -d/)
|
||||
|
||||
# TODO(hongbin): enable TLS
|
||||
HOST_CERTS_PATH=/usr/share/ca-certificates
|
||||
|
||||
TEMPLATE=/etc/kubernetes/manifests/kube-proxy.yaml
|
||||
|
|
|
@ -24,11 +24,16 @@ write_files:
|
|||
myip=$(ip addr show eth0 |
|
||||
awk '$1 == "inet" {print $2}' | cut -f1 -d/)
|
||||
|
||||
# TODO(hongbin): enable TLS
|
||||
HOST_CERTS_PATH=/usr/share/ca-certificates
|
||||
KUBE_CERTS_PATH=/etc/kubernetes/ssl
|
||||
KUBE_PROTOCOL="http"
|
||||
KUBE_MASTER_URI="$KUBE_PROTOCOL://$KUBE_MASTER_IP:$KUBE_API_PORT"
|
||||
KUBE_CONFIG_PATH=/etc/kubernetes/config
|
||||
KUBE_PROTOCOL="https"
|
||||
KUBE_CONFIG="${KUBE_CONFIG_PATH}/worker-kubeconfig.yaml"
|
||||
if [ "${TLS_DISABLED}" == "True" ]; then
|
||||
KUBE_PROTOCOL="http"
|
||||
KUBE_CONFIG=
|
||||
fi
|
||||
KUBE_MASTER_URI="${KUBE_PROTOCOL}://${KUBE_MASTER_IP}:${KUBE_API_PORT}"
|
||||
|
||||
TEMPLATE=/etc/kubernetes/manifests/kube-proxy.yaml
|
||||
mkdir -p $(dirname ${TEMPLATE})
|
||||
|
@ -47,6 +52,7 @@ write_files:
|
|||
- /hyperkube
|
||||
- proxy
|
||||
- --master=${KUBE_MASTER_URI}
|
||||
- --kubeconfig=${KUBE_CONFIG}
|
||||
- --logtostderr=true
|
||||
- --v=0
|
||||
securityContext:
|
||||
|
@ -54,6 +60,9 @@ write_files:
|
|||
volumeMounts:
|
||||
- mountPath: /etc/ssl/certs
|
||||
name: "ssl-certs"
|
||||
- mountPath: /etc/kubernetes/config
|
||||
name: "kubeconfig"
|
||||
readOnly: true
|
||||
- mountPath: /etc/kubernetes/ssl
|
||||
name: "etc-kube-ssl"
|
||||
readOnly: true
|
||||
|
@ -61,6 +70,9 @@ write_files:
|
|||
- name: "ssl-certs"
|
||||
hostPath:
|
||||
path: ${HOST_CERTS_PATH}
|
||||
- name: "kubeconfig"
|
||||
hostPath:
|
||||
path: ${KUBE_CONFIG_PATH}
|
||||
- name: "etc-kube-ssl"
|
||||
hostPath:
|
||||
path: ${KUBE_CERTS_PATH}
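Review bot: When TLS is disabled `KUBE_CONFIG` is emptied but the manifest still emits `- --kubeconfig=${KUBE_CONFIG}`, i.e. a literal `--kubeconfig=` argument, and the `kubeconfig`/`etc-kube-ssl` hostPath volumes are still mounted although `/etc/kubernetes/ssl` is never created on that path (make-cert exits before its `mkdir`). Whether an empty flag and a missing hostPath are tolerated depends on the hyperkube version, so it is safer to drive the argument from a variable that is empty in the disabled branch and omit the two volumes there as well. Keeping `readOnly: true` on both new mounts is the right call, since the worker private key lives in that directory. The manifest heredoc spans lines outside the visible hunks.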
|
||||
|
|
|
@ -24,7 +24,17 @@ write_files:
|
|||
myip=$(ip addr show eth0 |
|
||||
awk '$1 == "inet" {print $2}' | cut -f1 -d/)
|
||||
|
||||
KUBE_PROTOCOL="http"
|
||||
KUBE_CERTS_PATH=/etc/kubernetes/ssl
|
||||
TLS_CERT_FILE=${KUBE_CERTS_PATH}/worker.pem
|
||||
TLS_PRIVATE_KEY_FILE=${KUBE_CERTS_PATH}/worker-key.pem
|
||||
KUBE_PROTOCOL="https"
|
||||
KUBE_CONFIG="/etc/kubernetes/config/worker-kubeconfig.yaml"
|
||||
if [ "$TLS_DISABLED" == "True" ]; then
|
||||
TLS_CERT_FILE=
|
||||
TLS_PRIVATE_KEY_FILE=
|
||||
KUBE_PROTOCOL="http"
|
||||
KUBE_CONFIG=
|
||||
fi
|
||||
KUBE_MASTER_URI="$KUBE_PROTOCOL://$KUBE_MASTER_IP:$KUBE_API_PORT"
|
||||
|
||||
CONF_FILE=/etc/systemd/system/kubelet.service
|
||||
|
@ -38,8 +48,11 @@ write_files:
|
|||
--config=/etc/kubernetes/manifests \
|
||||
--hostname-override=${myip} \
|
||||
--logtostderr=true \
|
||||
--v=0
|
||||
--cadvisor-port=4194
|
||||
--v=0 \
|
||||
--cadvisor-port=4194 \
|
||||
--kubeconfig=${KUBE_CONFIG} \
|
||||
--tls-cert-file=${TLS_CERT_FILE} \
|
||||
--tls-private-key-file=${TLS_PRIVATE_KEY_FILE}
|
||||
Restart=always
|
||||
RestartSec=10
|
||||
[Install]
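Review bot: The kubelet is started with `--tls-cert-file=${TLS_CERT_FILE}` pointing at `worker.pem`, which make-cert-client-coreos.yaml requests with `CN = kubernetes.invalid`, `extendedKeyUsage=clientAuth` and no IP SAN for the node, so the certificate the kubelet serves on its own port is not a valid server certificate for this host. That is harmless only as long as the apiserver does not verify kubelet certificates; any client that does verify will reject it. Either drop the two `--tls-*` flags in the TLS branch and let the kubelet self-sign as before, or have the CSR also request `serverAuth` with `IP:${myip}` in its `subjectAltName`. When TLS is disabled the unit additionally passes empty `--kubeconfig=`, `--tls-cert-file=` and `--tls-private-key-file=` arguments, which relies on the kubelet treating empty as unset. The kubelet `ExecStart` begins above the visible hunk.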
|
||||
|
|
|
@ -0,0 +1,130 @@
|
|||
#cloud-config
|
||||
write_files:
|
||||
- path: /etc/systemd/system/make-cert.service
|
||||
owner: "root:root"
|
||||
permissions: "0644"
|
||||
content: |
|
||||
[Unit]
|
||||
Description=Make TLS certificates
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/etc/sysconfig/make-cert.sh
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
||||
- path: /etc/sysconfig/make-cert.sh
|
||||
owner: "root:root"
|
||||
permissions: "0755"
|
||||
content: |
|
||||
#!/bin/bash
|
||||
|
||||
# Parse the JSON response that contains the TLS certificate, and print
|
||||
# out the certificate content.
|
||||
function parse_json_response {
|
||||
json_response=$1
|
||||
# {..,"pem": "ABCD",..} -> ABCD
|
||||
key=$(echo "$json_response" | sed 's/^.*"pem": "\([^"]*\)".*$/\1/')
|
||||
# decode newline characters
|
||||
key=$(echo "$key" | sed 's/\\n/\n/g')
|
||||
echo "$key"
|
||||
}
|
||||
|
||||
. /etc/sysconfig/heat-params
|
||||
|
||||
set -o errexit
|
||||
set -o nounset
|
||||
set -o pipefail
|
||||
|
||||
if [ "$TLS_DISABLED" == "True" ]; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
cert_dir=/etc/kubernetes/ssl
|
||||
cert_conf_dir=${cert_dir}/conf
|
||||
|
||||
mkdir -p "$cert_dir"
|
||||
mkdir -p "$cert_conf_dir"
|
||||
|
||||
CA_CERT=$cert_dir/ca.pem
|
||||
CLIENT_CERT=$cert_dir/worker.pem
|
||||
CLIENT_CSR=$cert_dir/worker.csr
|
||||
CLIENT_KEY=$cert_dir/worker-key.pem
|
||||
|
||||
#Get a token by user credentials and trust
|
||||
cat > auth.json << EOF
|
||||
{
|
||||
"auth": {
|
||||
"identity": {
|
||||
"methods": [
|
||||
"password"
|
||||
],
|
||||
"password": {
|
||||
"user": {
|
||||
"id": "$TRUSTEE_USER_ID",
|
||||
"password": "$TRUSTEE_PASSWORD"
|
||||
}
|
||||
}
|
||||
},
|
||||
"scope": {
|
||||
"OS-TRUST:trust": {
|
||||
"id": "$TRUST_ID"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
EOF
|
||||
|
||||
#trust is introduced in Keystone v3 version
|
||||
AUTH_URL=${AUTH_URL/v2.0/v3}
|
||||
USER_TOKEN=`curl -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
|
||||
$AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}'`
|
||||
|
||||
rm -rf auth.json
|
||||
|
||||
ca_cert_json=$(curl -X GET \
|
||||
-H "X-Auth-Token: $USER_TOKEN" \
|
||||
$MAGNUM_URL/certificates/$BAY_UUID)
|
||||
parse_json_response "${ca_cert_json}" > ${CA_CERT}
|
||||
|
||||
# Create config for client's csr
|
||||
cat > ${cert_conf_dir}/worker-openssl.conf <<EOF
|
||||
[req]
|
||||
distinguished_name = req_distinguished_name
|
||||
req_extensions = req_ext
|
||||
prompt = no
|
||||
[req_distinguished_name]
|
||||
CN = kubernetes.invalid
|
||||
[req_ext]
|
||||
keyUsage=critical,digitalSignature,keyEncipherment
|
||||
extendedKeyUsage=clientAuth
|
||||
subjectAltName=dirName:kubelet,dirName:kubeproxy
|
||||
[kubelet]
|
||||
CN=kubelet
|
||||
[kubeproxy]
|
||||
CN=kube-proxy
|
||||
EOF
|
||||
|
||||
# Generate client's private key and csr
|
||||
openssl genrsa -out "${CLIENT_KEY}" 4096
|
||||
chmod 400 "${CLIENT_KEY}"
|
||||
openssl req -new -days 1000 \
|
||||
-key "${CLIENT_KEY}" \
|
||||
-out "${CLIENT_CSR}" \
|
||||
-reqexts req_ext \
|
||||
-config "${cert_conf_dir}/worker-openssl.conf"
|
||||
|
||||
# encode newline (\n) characters
|
||||
csr=$(cat $CLIENT_CSR | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g')
|
||||
csr_req="{\"bay_uuid\": \"$BAY_UUID\", \"csr\": \"$csr\"}"
|
||||
# Send csr to Magnum to have it signed
|
||||
client_cert_json=$(curl -X POST \
|
||||
-H "X-Auth-Token: $USER_TOKEN" \
|
||||
-H "Content-Type: application/json" \
|
||||
-d "$csr_req" \
|
||||
$MAGNUM_URL/certificates)
|
||||
parse_json_response "${client_cert_json}" > ${CLIENT_CERT}
|
||||
|
||||
chmod 600 ${cert_dir}/*-key.pem
|
||||
chown root:root ${cert_dir}/*-key.pem
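Review bot: `cat > auth.json` writes the trustee password into whatever the service's working directory is (for a systemd unit without `WorkingDirectory=` that is `/`) with the default umask, and the `rm -rf auth.json` cleanup is skipped whenever the token `curl` fails under `set -o errexit`, so the credential can be left behind on disk. The three `curl` calls also lack `--fail`, so a 401/404 JSON error body is fed to `parse_json_response` and written verbatim into `ca.pem`/`worker.pem`, which only surfaces later as an opaque kubelet TLS error. Create the request body with `mktemp` (mode 0600), remove it from an `EXIT` trap, and add `-sS --fail` to the requests; `-days 1000` on `openssl req -new` is ignored for CSRs and can be dropped. The function and the script body are both fully inside this section.
```shell
set -o pipefail

# ... unchanged: TLS_DISABLED early exit, cert_dir/cert_conf_dir setup, file names ...

auth_json=$(mktemp)
trap 'rm -f "${auth_json}"' EXIT
cat > "${auth_json}" << EOF
# ... unchanged: password + OS-TRUST:trust auth body ...
EOF

AUTH_URL=${AUTH_URL/v2.0/v3}
USER_TOKEN=$(curl -sS --fail -i -X POST -H "Content-Type: application/json" \
    -d @"${auth_json}" "${AUTH_URL}/auth/tokens" | grep X-Subject-Token | awk '{print $2}')

ca_cert_json=$(curl -sS --fail -X GET \
    -H "X-Auth-Token: $USER_TOKEN" \
    "$MAGNUM_URL/certificates/$BAY_UUID")
# ... unchanged: CSR config, key generation, CSR encoding ...
client_cert_json=$(curl -sS --fail -X POST \
    -H "X-Auth-Token: $USER_TOKEN" \
    -H "Content-Type: application/json" \
    -d "$csr_req" \
    "$MAGNUM_URL/certificates")
```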
|
|
@ -0,0 +1,134 @@
|
|||
#cloud-config
|
||||
write_files:
|
||||
- path: /etc/systemd/system/make-cert.service
|
||||
owner: "root:root"
|
||||
permissions: "0644"
|
||||
content: |
|
||||
[Unit]
|
||||
Description=Make TLS certificates
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/etc/sysconfig/make-cert.sh
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
||||
- path: /etc/sysconfig/make-cert.sh
|
||||
owner: "root:root"
|
||||
permissions: "0755"
|
||||
content: |
|
||||
#!/bin/bash
|
||||
|
||||
# Parse the JSON response that contains the TLS certificate, and print
|
||||
# out the certificate content.
|
||||
function parse_json_response {
|
||||
json_response=$1
|
||||
# {..,"pem": "ABCD",..} -> ABCD
|
||||
key=$(echo "$json_response" | sed 's/^.*"pem": "\([^"]*\)".*$/\1/')
|
||||
# decode newline characters
|
||||
key=$(echo "$key" | sed 's/\\n/\n/g')
|
||||
echo "$key"
|
||||
}
|
||||
|
||||
. /etc/sysconfig/heat-params
|
||||
|
||||
set -o errexit
|
||||
set -o nounset
|
||||
set -o pipefail
|
||||
|
||||
if [ "$TLS_DISABLED" == "True" ]; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
cert_ip=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
|
||||
cert_private_ip=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
|
||||
sans="IP:${cert_ip},IP:${cert_private_ip},IP:127.0.0.1"
|
||||
MASTER_HOSTNAME=${MASTER_HOSTNAME:-}
|
||||
if [[ -n "${MASTER_HOSTNAME}" ]]; then
|
||||
sans="${sans},DNS:${MASTER_HOSTNAME}"
|
||||
fi
|
||||
|
||||
cert_dir=/etc/kubernetes/ssl
|
||||
cert_conf_dir=${cert_dir}/conf
|
||||
|
||||
mkdir -p "$cert_dir"
|
||||
mkdir -p "$cert_conf_dir"
|
||||
|
||||
CA_CERT=$cert_dir/ca.pem
|
||||
SERVER_CERT=$cert_dir/apiserver.pem
|
||||
SERVER_CSR=$cert_dir/apiserver.pem
|
||||
SERVER_KEY=$cert_dir/apiserver-key.pem
|
||||
|
||||
#Get a token by user credentials and trust
|
||||
cat > auth.json << EOF
|
||||
{
|
||||
"auth": {
|
||||
"identity": {
|
||||
"methods": [
|
||||
"password"
|
||||
],
|
||||
"password": {
|
||||
"user": {
|
||||
"id": "$TRUSTEE_USER_ID",
|
||||
"password": "$TRUSTEE_PASSWORD"
|
||||
}
|
||||
}
|
||||
},
|
||||
"scope": {
|
||||
"OS-TRUST:trust": {
|
||||
"id": "$TRUST_ID"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
EOF
|
||||
|
||||
#trust is introduced in Keystone v3 version
|
||||
AUTH_URL=${AUTH_URL/v2.0/v3}
|
||||
USER_TOKEN=`curl -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
|
||||
$AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}'`
|
||||
|
||||
rm -rf auth.json
|
||||
|
||||
# Get CA certificate for this bay
|
||||
ca_cert_json=$(curl -X GET \
|
||||
-H "X-Auth-Token: $USER_TOKEN" \
|
||||
$MAGNUM_URL/certificates/$BAY_UUID)
|
||||
parse_json_response "${ca_cert_json}" > ${CA_CERT}
|
||||
|
||||
# Create config for server's csr
|
||||
cat > ${cert_conf_dir}/openssl.cnf <<EOF
|
||||
[req]
|
||||
distinguished_name = req_distinguished_name
|
||||
req_extensions = req_ext
|
||||
prompt = no
|
||||
[req_distinguished_name]
|
||||
CN = kube-apiserver
|
||||
[req_ext]
|
||||
subjectAltName = ${sans}
|
||||
extendedKeyUsage = clientAuth,serverAuth
|
||||
EOF
|
||||
|
||||
# Generate server's private key and csr
|
||||
openssl genrsa -out "${SERVER_KEY}" 4096
|
||||
chmod 400 "${SERVER_KEY}"
|
||||
openssl req -new -days 10000 \
|
||||
-key "${SERVER_KEY}" \
|
||||
-out "${SERVER_CSR}" \
|
||||
-reqexts req_ext \
|
||||
-config "${cert_conf_dir}/openssl.cnf"
|
||||
|
||||
# encode newline (\n) characters
|
||||
csr=$(cat $SERVER_CSR | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g')
|
||||
csr_req="{\"bay_uuid\": \"$BAY_UUID\", \"csr\": \"$csr\"}"
|
||||
# Send csr to Magnum to have it signed
|
||||
server_cert_json=$(curl -X POST \
|
||||
-H "X-Auth-Token: $USER_TOKEN" \
|
||||
-H "Content-Type: application/json" \
|
||||
-d "$csr_req" \
|
||||
$MAGNUM_URL/certificates)
|
||||
parse_json_response "${server_cert_json}" > ${SERVER_CERT}
|
||||
|
||||
chmod 600 ${cert_dir}/*-key.pem
|
||||
chown root:root ${cert_dir}/*-key.pem
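Review bot: `SERVER_CSR=$cert_dir/apiserver.pem` is the same path as `SERVER_CERT`, so the CSR is written to `apiserver.pem` and later overwritten by the signed certificate; it works only because the CSR is read before the overwrite, and unlike the client script's `worker.csr` it leaves no CSR behind for debugging. Change it to `SERVER_CSR=$cert_dir/apiserver.csr`. Separately, the SAN list covers the two node IPs and loopback but not the in-cluster names and service address that pods use (`DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc` plus the first IP of the service range, which is not in view here), so in-cluster clients that verify the apiserver certificate will fail until those are added, and the metadata lookups should use `curl -sf` with a non-empty check so a missing floating IP does not inject an error body into `subjectAltName`. The same unguarded `auth.json` handling as in make-cert-client-coreos.yaml applies here as well.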
|
|
@ -0,0 +1,24 @@
|
|||
#cloud-config
|
||||
merge_how: dict(recurse_array)+list(append)
|
||||
write_files:
|
||||
- path: /etc/kubernetes/config/worker-kubeconfig.yaml
|
||||
owner: "root:root"
|
||||
permissions: "0644"
|
||||
content: |
|
||||
apiVersion: v1
|
||||
kind: Config
|
||||
clusters:
|
||||
- name: local
|
||||
cluster:
|
||||
certificate-authority: /etc/kubernetes/ssl/ca.pem
|
||||
users:
|
||||
- name: kubelet
|
||||
user:
|
||||
client-certificate: /etc/kubernetes/ssl/worker.pem
|
||||
client-key: /etc/kubernetes/ssl/worker-key.pem
|
||||
contexts:
|
||||
- context:
|
||||
cluster: local
|
||||
user: kubelet
|
||||
name: kubelet-context
|
||||
current-context: kubelet-context
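Review bot: The `local` cluster entry has no `server:` key, so this kubeconfig only supplies the CA and client identity and both consumers must keep passing the master URI on the command line; that is not obvious from the file and belongs in a leading comment, e.g. `# server: is intentionally omitted; kubelet and kube-proxy receive the API address via --api-servers/--master.` The single `kubelet` user is also the identity kube-proxy runs under, so the apiserver cannot distinguish or authorize the two components separately. `permissions: "0644"` is acceptable because the file holds only paths, with the key itself protected by the `0600` set in make-cert.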
|
|
@ -107,12 +107,29 @@ parameters:
|
|||
description: whether or not to disable TLS
|
||||
default: False
|
||||
|
||||
loadbalancing_protocol:
|
||||
type: string
|
||||
description: >
|
||||
The protocol which is used for load balancing. If you want to change
|
||||
tls_disabled option to 'True', please change this to "HTTP".
|
||||
default: TCP
|
||||
constraints:
|
||||
- allowed_values: ["TCP", "HTTP"]
|
||||
|
||||
kubernetes_port:
|
||||
type: number
|
||||
description: >
|
||||
The port which are used by kube-apiserver to provide Kubernetes
|
||||
service.
|
||||
default: 8080
|
||||
default: 6443
|
||||
|
||||
bay_uuid:
|
||||
type: string
|
||||
description: identifier for the bay this template is generating
|
||||
|
||||
magnum_url:
|
||||
type: string
|
||||
description: endpoint to retrieve TLS certs from
|
||||
|
||||
trustee_domain_id:
|
||||
type: string
|
||||
|
@ -234,6 +251,12 @@ resources:
|
|||
tls_disabled: {get_param: tls_disabled}
|
||||
kube_version: {get_param: kube_version}
|
||||
wait_condition_timeout: {get_param: wait_condition_timeout}
|
||||
bay_uuid: {get_param: bay_uuid}
|
||||
magnum_url: {get_param: magnum_url}
|
||||
trustee_user_id: {get_param: trustee_user_id}
|
||||
trustee_password: {get_param: trustee_password}
|
||||
trust_id: {get_param: trust_id}
|
||||
auth_url: {get_param: auth_url}
|
||||
|
||||
######################################################################
|
||||
#
|
||||
|
@ -267,6 +290,12 @@ resources:
|
|||
kube_version: {get_param: kube_version}
|
||||
etcd_server_ip: {"Fn::Select": [0, {get_attr: [kube_master, kube_master_ip]}]}
|
||||
wait_condition_timeout: {get_param: wait_condition_timeout}
|
||||
bay_uuid: {get_param: bay_uuid}
|
||||
magnum_url: {get_param: magnum_url}
|
||||
trustee_user_id: {get_param: trustee_user_id}
|
||||
trustee_password: {get_param: trustee_password}
|
||||
trust_id: {get_param: trust_id}
|
||||
auth_url: {get_param: auth_url}
|
||||
|
||||
outputs:
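Review bot: The new `loadbalancing_protocol` description tells operators to switch it to "HTTP" themselves when `tls_disabled` is True, but the conductor already does that in `K8sTemplateDefinition.get_params` (and lowers `kubernetes_port` to 8080), so the text now describes a manual step that is neither needed nor sufficient on its own. Suggested wording: `The protocol used by the load balancer. Magnum sets this to "HTTP" automatically when tls_disabled is True; leave it at TCP so the apiserver terminates TLS itself.` The `kubernetes_port` description should likewise say that 6443 is the TLS port and 8080 the insecure one, since the default just changed.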
|
||||
|
||||
|
|
|
@ -81,11 +81,41 @@ parameters:
|
|||
description: >
|
||||
The port which are used by kube-apiserver to provide Kubernetes
|
||||
service.
|
||||
default: 6443
|
||||
|
||||
kube_version:
|
||||
type: string
|
||||
description: version of kubernetes used for kubernetes cluster
|
||||
|
||||
bay_uuid:
|
||||
type: string
|
||||
description: identifier for the bay this template is generating
|
||||
|
||||
magnum_url:
|
||||
type: string
|
||||
description: endpoint to retrieve TLS certs from
|
||||
|
||||
trustee_user_id:
|
||||
type: string
|
||||
description: user id of the trustee
|
||||
default: ""
|
||||
|
||||
trustee_password:
|
||||
type: string
|
||||
description: password of the trustee
|
||||
default: ""
|
||||
hidden: true
|
||||
|
||||
trust_id:
|
||||
type: string
|
||||
description: id of the trust which is used by the trustee
|
||||
default: ""
|
||||
hidden: true
|
||||
|
||||
auth_url:
|
||||
type: string
|
||||
description: url for keystone
|
||||
|
||||
resources:
|
||||
|
||||
master_wait_handle:
|
||||
|
@ -159,6 +189,12 @@ resources:
|
|||
"$KUBE_API_PORT": {get_param: kubernetes_port}
|
||||
"$TLS_DISABLED": {get_param: tls_disabled}
|
||||
"$KUBE_VERSION": {get_param: kube_version}
|
||||
"$BAY_UUID": {get_param: bay_uuid}
|
||||
"$MAGNUM_URL": {get_param: magnum_url}
|
||||
"$TRUSTEE_USER_ID": {get_param: trustee_user_id}
|
||||
"$TRUSTEE_PASSWORD": {get_param: trustee_password}
|
||||
"$TRUST_ID": {get_param: trust_id}
|
||||
"$AUTH_URL": {get_param: auth_url}
|
||||
|
||||
configure_etcd:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
|
@ -166,6 +202,12 @@ resources:
|
|||
group: ungrouped
|
||||
config: {get_file: fragments/configure-etcd-coreos.yaml}
|
||||
|
||||
make_cert:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
properties:
|
||||
group: ungrouped
|
||||
config: {get_file: fragments/make-cert-coreos.yaml}
|
||||
|
||||
write_network_config:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
properties:
|
||||
|
@ -234,6 +276,7 @@ resources:
|
|||
str_replace:
|
||||
template: |
|
||||
$write_heat_params
|
||||
$make_cert
|
||||
$configure_etcd
|
||||
$write_network_config
|
||||
$enable_network_service
|
||||
|
@ -247,6 +290,8 @@ resources:
|
|||
$wc_notify
|
||||
coreos:
|
||||
units:
|
||||
- name: "make-cert.service"
|
||||
command: "start"
|
||||
- name: "configure-etcd.service"
|
||||
command: "start"
|
||||
- name: "write-network-config.service"
|
||||
|
@ -271,6 +316,7 @@ resources:
|
|||
command: "start"
|
||||
params:
|
||||
"$write_heat_params": {get_attr: [write_heat_params, config]}
|
||||
"$make_cert": {get_attr: [make_cert, config]}
|
||||
"$configure_etcd": {get_attr: [configure_etcd, config]}
|
||||
"$write_network_config": {get_attr: [write_network_config, config]}
|
||||
"$enable_network_service": {get_attr: [enable_network_service, config]}
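Review bot: `$TRUSTEE_PASSWORD` and `$TRUST_ID` are substituted into the cloud-config user data via `str_replace`, which means a long-lived Keystone credential becomes readable by any process on the master through the metadata service's user_data endpoint and, presumably, through `/etc/sysconfig/heat-params`; `hidden: true` only keeps it out of Heat's API responses. The trust should therefore carry only the role needed for the certificate endpoints, and the exposure deserves a comment next to the parameter, e.g. `# NOTE: written into user_data; readable on the node via the metadata service.` The `write_heat_params` fragment that persists these values is not in this section, so its file mode cannot be checked here.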
|
||||
|
|
|
@ -2,8 +2,8 @@ heat_template_version: 2013-05-23
|
|||
|
||||
description: >
|
||||
This is a nested stack that defines a single Kubernetes minion,
|
||||
based on a vanilla Fedora 20 cloud image. This stack is included by
|
||||
a ResourceGroup resource in the parent template (kubecluster-coreos.yaml).
|
||||
based on a CoreOS cloud image. This stack is included by a ResourceGroup
|
||||
resource in the parent template (kubecluster-coreos.yaml).
|
||||
|
||||
parameters:
|
||||
|
||||
|
@ -43,6 +43,15 @@ parameters:
|
|||
description: >
|
||||
The port which are used by kube-apiserver to provide Kubernetes
|
||||
service.
|
||||
default: 6443
|
||||
|
||||
bay_uuid:
|
||||
type: string
|
||||
description: identifier for the bay this template is generating
|
||||
|
||||
magnum_url:
|
||||
type: string
|
||||
description: endpoint to retrieve TLS certs from
|
||||
|
||||
kube_version:
|
||||
type: string
|
||||
|
@ -73,6 +82,27 @@ parameters:
|
|||
description: >
|
||||
timeout for the Wait Conditions
|
||||
|
||||
trustee_user_id:
|
||||
type: string
|
||||
description: user id of the trustee
|
||||
default: ""
|
||||
|
||||
trustee_password:
|
||||
type: string
|
||||
description: password of the trustee
|
||||
default: ""
|
||||
hidden: true
|
||||
|
||||
trust_id:
|
||||
type: string
|
||||
description: id of the trust which is used by the trustee
|
||||
default: ""
|
||||
hidden: true
|
||||
|
||||
auth_url:
|
||||
type: string
|
||||
description: url for keystone
|
||||
|
||||
resources:
|
||||
|
||||
minion_wait_handle:
|
||||
|
@ -121,6 +151,24 @@ resources:
|
|||
$NETWORK_DRIVER: {get_param: network_driver}
|
||||
$ETCD_SERVER_IP: {get_param: etcd_server_ip}
|
||||
$KUBE_VERSION: {get_param: kube_version}
|
||||
$BAY_UUID: {get_param: bay_uuid}
|
||||
$MAGNUM_URL: {get_param: magnum_url}
|
||||
$TRUSTEE_USER_ID: {get_param: trustee_user_id}
|
||||
$TRUSTEE_PASSWORD: {get_param: trustee_password}
|
||||
$TRUST_ID: {get_param: trust_id}
|
||||
$AUTH_URL: {get_param: auth_url}
|
||||
|
||||
write_kubeconfig:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
properties:
|
||||
group: ungrouped
|
||||
config: {get_file: fragments/write-kubeconfig-coreos.yaml}
|
||||
|
||||
make_cert:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
properties:
|
||||
group: ungrouped
|
||||
config: {get_file: fragments/make-cert-client-coreos.yaml}
|
||||
|
||||
enable_network_service:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
|
@ -154,12 +202,16 @@ resources:
|
|||
str_replace:
|
||||
template: |
|
||||
$write_heat_params
|
||||
$write_kubeconfig
|
||||
$make_cert
|
||||
$enable_network_service
|
||||
$enable_kubelet
|
||||
$enable_kube_proxy
|
||||
$wc_notify
|
||||
coreos:
|
||||
units:
|
||||
- name: "make-cert.service"
|
||||
command: "start"
|
||||
- name: "enable-network-service.service"
|
||||
command: "start"
|
||||
- name: "enable-kubelet.service"
|
||||
|
@ -170,6 +222,8 @@ resources:
|
|||
command: "start"
|
||||
params:
|
||||
"$write_heat_params": {get_attr: [write_heat_params, config]}
|
||||
"$write_kubeconfig": {get_attr: [write_kubeconfig, config]}
|
||||
"$make_cert": {get_attr: [make_cert, config]}
|
||||
"$enable_network_service": {get_attr: [enable_network_service, config]}
|
||||
"$enable_kubelet": {get_attr: [enable_kubelet, config]}
|
||||
"$enable_kube_proxy": {get_attr: [enable_kube_proxy, config]}
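Review bot: `make-cert.service` is ordered before `enable-kubelet`/`enable-kube-proxy` only by its position in the `units:` list; the unit file declares no `Before=` and the consumers no `After=`/`Requires=`, so a reorder of the list or a manual restart of the kubelet unit can run it before `worker.pem` exists. As far as I can tell coreos-cloudinit starts the listed units sequentially and a oneshot blocks until it exits, which is why this happens to work today. If the ordering is relied upon it should be explicit, e.g. `Before=enable-kubelet.service enable-kube-proxy.service` in the `[Unit]` section of make-cert.service in make-cert-client-coreos.yaml, or `After=make-cert.service` in the consumers. The `units:` list continues beyond the visible lines.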
|
||||
|
|
|
@ -255,7 +255,9 @@ class TestBayConductorWithK8s(base.TestCase):
|
|||
'trustee_password': 'fake_trustee_password',
|
||||
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
|
||||
'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
|
||||
'auth_url': 'http://192.168.10.10:5000/v3'
|
||||
'auth_url': 'http://192.168.10.10:5000/v3',
|
||||
'bay_uuid': self.bay_dict['uuid'],
|
||||
'magnum_url': self.mock_osc.magnum_url.return_value,
|
||||
}
|
||||
self.assertEqual(expected, definition)
|
||||
|
||||
|
@ -302,7 +304,9 @@ class TestBayConductorWithK8s(base.TestCase):
|
|||
'trustee_password': 'fake_trustee_password',
|
||||
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
|
||||
'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
|
||||
'auth_url': 'http://192.168.10.10:5000/v3'
|
||||
'auth_url': 'http://192.168.10.10:5000/v3',
|
||||
'bay_uuid': self.bay_dict['uuid'],
|
||||
'magnum_url': self.mock_osc.magnum_url.return_value,
|
||||
}
|
||||
self.assertEqual(expected, definition)
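Review bot: Both updated expectations only add `bay_uuid` and `magnum_url`; nothing exercises the new `tls_disabled` branch in `K8sTemplateDefinition.get_params`, which is the piece that downgrades a bay to plain HTTP on 8080. Add a case with `baymodel.tls_disabled = True` asserting `definition['loadbalancing_protocol'] == 'HTTP'` and `definition['kubernetes_port'] == 8080`, and one with it False asserting that neither key is present. The test class continues outside the visible hunks.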
|
||||
|
||||
|
|