Enable TLS support for k8s CoreOS

* Add cloud-init to generate TLS certificates in each node.
* Modify coreos fragments to point to the path of certificates.
* Add support for "--tls-disabled" to turn off TLS.
* Use Keystone trust to retrieve TLS certificates.

Implements: blueprint tls-for-coreos-bay
Change-Id: I66842f9374abe5a9bbf275fa130c0eae3e6065ab
Hongbin Lu 2016-02-08 00:26:46 -05:00
parent c3956ac9f4
commit bb05385b58
14 changed files with 489 additions and 30 deletions


@ -315,8 +315,7 @@ baymodel, except for pointing to a different image::
--dns-nameserver 8.8.8.8 \
--flavor-id m1.small \
--network-driver flannel \
--coe kubernetes \
--tls-disabled
--coe kubernetes
Create a CoreOS Kubernetes bay. Use the CoreOS baymodel as a template for bay
creation::


@ -459,6 +459,9 @@ class K8sTemplateDefinition(BaseTemplateDefinition):
required=True)
self.add_parameter('registry_enabled',
baymodel_attr='registry_enabled')
self.add_parameter('bay_uuid',
bay_attr='uuid',
param_type=str)
self.add_output('api_address',
bay_attr='api_address',
@ -481,6 +484,12 @@ class K8sTemplateDefinition(BaseTemplateDefinition):
scale_mgr.get_removal_nodes(hosts))
extra_params['discovery_url'] = self.get_discovery_url(bay)
osc = clients.OpenStackClients(context)
extra_params['magnum_url'] = osc.magnum_url()
if baymodel.tls_disabled:
extra_params['loadbalancing_protocol'] = 'HTTP'
extra_params['kubernetes_port'] = 8080
label_list = ['flannel_network_cidr', 'flannel_backend',
'flannel_network_subnetlen']
@ -509,9 +518,6 @@ class AtomicK8sTemplateDefinition(K8sTemplateDefinition):
def __init__(self):
super(AtomicK8sTemplateDefinition, self).__init__()
self.add_parameter('bay_uuid',
bay_attr='uuid',
param_type=str)
self.add_parameter('docker_volume_size',
baymodel_attr='docker_volume_size')
@ -521,13 +527,8 @@ class AtomicK8sTemplateDefinition(K8sTemplateDefinition):
extra_params['username'] = context.user_name
extra_params['tenant_name'] = context.tenant
osc = clients.OpenStackClients(context)
extra_params['magnum_url'] = osc.magnum_url()
extra_params['region_name'] = osc.cinder_region_name()
if baymodel.tls_disabled:
extra_params['loadbalancing_protocol'] = 'HTTP'
extra_params['kubernetes_port'] = 8080
return super(AtomicK8sTemplateDefinition,
self).get_params(context, baymodel, bay,
extra_params=extra_params,


@ -24,16 +24,24 @@ write_files:
myip=$(ip addr show eth0 |
awk '$1 == "inet" {print $2}' | cut -f1 -d/)
# TODO(hongbin): enable TLS
TLS_CERT_FILE=
TLS_PRIVATE_KEY_FILE=
CLIENT_CA_FILE=
INSECURE_PORT=${KUBE_API_PORT}
SECURE_PORT=0
BIND_ADDRESS_CMD="--insecure-bind-address=0.0.0.0"
KUBE_CERTS_PATH=/etc/kubernetes/ssl
HOST_CERTS_PATH=/usr/share/ca-certificates
TLS_CERT_FILE=${KUBE_CERTS_PATH}/apiserver.pem
TLS_PRIVATE_KEY_FILE=${KUBE_CERTS_PATH}/apiserver-key.pem
CLIENT_CA_FILE=${KUBE_CERTS_PATH}/ca.pem
INSECURE_PORT=8080
SECURE_PORT=${KUBE_API_PORT}
BIND_ADDRESS_CMD="--bind-address=0.0.0.0"
if [ "${TLS_DISABLED}" == "True" ]; then
TLS_CERT_FILE=
TLS_PRIVATE_KEY_FILE=
CLIENT_CA_FILE=
INSECURE_PORT=${KUBE_API_PORT}
SECURE_PORT=0
BIND_ADDRESS_CMD="--insecure-bind-address=0.0.0.0"
fi
TEMPLATE=/etc/kubernetes/manifests/kube-apiserver.yaml
mkdir -p $(dirname ${TEMPLATE})
cat > $TEMPLATE <<EOF
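Review bot: With TLS on, the new defaults still set `INSECURE_PORT=8080`, so the API server keeps an unauthenticated plain-HTTP listener next to the secure port. The manifest that consumes these variables is outside this hunk; presumably the insecure listener falls back to loopback now that `BIND_ADDRESS_CMD` no longer carries `--insecure-bind-address`, but that should be confirmed. I would add a comment above the assignment, `# insecure port is for on-host components only; keep it on loopback and out of the security group`. It is also worth checking that a `kubernetes_port` of 8080 with TLS enabled cannot make the secure and insecure ports collide.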


@ -22,10 +22,16 @@ write_files:
. /etc/sysconfig/heat-params
# TODO(hongbin): enable TLS
KUBE_CERTS_PATH=/etc/kubernetes/ssl
HOST_CERTS_PATH=/usr/share/ca-certificates
SERVICE_ACCOUNT_PRIVATE_KEY_FILE=${KUBE_CERTS_PATH}/apiserver-key.pem
ROOT_CA_FILE=${KUBE_CERTS_PATH}/ca.pem
if [ "${TLS_DISABLED}" == "True" ]; then
SERVICE_ACCOUNT_PRIVATE_KEY_FILE=
ROOT_CA_FILE=
fi
TEMPLATE=/srv/kubernetes/manifests/kube-controller-manager.yaml
mkdir -p $(dirname ${TEMPLATE})
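Review bot: `SERVICE_ACCOUNT_PRIVATE_KEY_FILE` points at `apiserver-key.pem`, so the API server's TLS private key doubles as the service-account token signing key and must also be readable by the controller manager. Nothing here says the reuse is intentional. A comment such as `# service-account tokens are signed with the apiserver TLS key; rotating one rotates the other` would make the coupling visible, and a separate key generated in make-cert.sh would remove it. How the two variables reach the manifest is outside the hunk.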


@ -24,7 +24,6 @@ write_files:
myip=$(ip addr show eth0 |
awk '$1 == "inet" {print $2}' | cut -f1 -d/)
# TODO(hongbin): enable TLS
HOST_CERTS_PATH=/usr/share/ca-certificates
TEMPLATE=/etc/kubernetes/manifests/kube-proxy.yaml


@ -24,11 +24,16 @@ write_files:
myip=$(ip addr show eth0 |
awk '$1 == "inet" {print $2}' | cut -f1 -d/)
# TODO(hongbin): enable TLS
HOST_CERTS_PATH=/usr/share/ca-certificates
KUBE_CERTS_PATH=/etc/kubernetes/ssl
KUBE_PROTOCOL="http"
KUBE_MASTER_URI="$KUBE_PROTOCOL://$KUBE_MASTER_IP:$KUBE_API_PORT"
KUBE_CONFIG_PATH=/etc/kubernetes/config
KUBE_PROTOCOL="https"
KUBE_CONFIG="${KUBE_CONFIG_PATH}/worker-kubeconfig.yaml"
if [ "${TLS_DISABLED}" == "True" ]; then
KUBE_PROTOCOL="http"
KUBE_CONFIG=
fi
KUBE_MASTER_URI="${KUBE_PROTOCOL}://${KUBE_MASTER_IP}:${KUBE_API_PORT}"
TEMPLATE=/etc/kubernetes/manifests/kube-proxy.yaml
mkdir -p $(dirname ${TEMPLATE})
@ -47,6 +52,7 @@ write_files:
- /hyperkube
- proxy
- --master=${KUBE_MASTER_URI}
- --kubeconfig=${KUBE_CONFIG}
- --logtostderr=true
- --v=0
securityContext:
@ -54,6 +60,9 @@ write_files:
volumeMounts:
- mountPath: /etc/ssl/certs
name: "ssl-certs"
- mountPath: /etc/kubernetes/config
name: "kubeconfig"
readOnly: true
- mountPath: /etc/kubernetes/ssl
name: "etc-kube-ssl"
readOnly: true
@ -61,6 +70,9 @@ write_files:
- name: "ssl-certs"
hostPath:
path: ${HOST_CERTS_PATH}
- name: "kubeconfig"
hostPath:
path: ${KUBE_CONFIG_PATH}
- name: "etc-kube-ssl"
hostPath:
path: ${KUBE_CERTS_PATH}
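Review bot: When `TLS_DISABLED` is `True`, `KUBE_CONFIG` is emptied but the manifest still emits `--kubeconfig=${KUBE_CONFIG}`, so kube-proxy is started with a bare `--kubeconfig=` and the result depends on how hyperkube treats an empty value. The kubelet unit in the next file does the same with `--kubeconfig=`, `--tls-cert-file=` and `--tls-private-key-file=`. If empty values are known to be accepted, say so next to the `if` block, e.g. `# flags are rendered with empty values when TLS is disabled; hyperkube treats them as unset`. Otherwise render those flags only in the TLS branch.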


@ -24,7 +24,17 @@ write_files:
myip=$(ip addr show eth0 |
awk '$1 == "inet" {print $2}' | cut -f1 -d/)
KUBE_PROTOCOL="http"
KUBE_CERTS_PATH=/etc/kubernetes/ssl
TLS_CERT_FILE=${KUBE_CERTS_PATH}/worker.pem
TLS_PRIVATE_KEY_FILE=${KUBE_CERTS_PATH}/worker-key.pem
KUBE_PROTOCOL="https"
KUBE_CONFIG="/etc/kubernetes/config/worker-kubeconfig.yaml"
if [ "$TLS_DISABLED" == "True" ]; then
TLS_CERT_FILE=
TLS_PRIVATE_KEY_FILE=
KUBE_PROTOCOL="http"
KUBE_CONFIG=
fi
KUBE_MASTER_URI="$KUBE_PROTOCOL://$KUBE_MASTER_IP:$KUBE_API_PORT"
CONF_FILE=/etc/systemd/system/kubelet.service
@ -38,8 +48,11 @@ write_files:
--config=/etc/kubernetes/manifests \
--hostname-override=${myip} \
--logtostderr=true \
--v=0
--cadvisor-port=4194
--v=0 \
--cadvisor-port=4194 \
--kubeconfig=${KUBE_CONFIG} \
--tls-cert-file=${TLS_CERT_FILE} \
--tls-private-key-file=${TLS_PRIVATE_KEY_FILE}
Restart=always
RestartSec=10
[Install]


@ -0,0 +1,130 @@
#cloud-config
write_files:
- path: /etc/systemd/system/make-cert.service
owner: "root:root"
permissions: "0644"
content: |
[Unit]
Description=Make TLS certificates
[Service]
Type=oneshot
ExecStart=/etc/sysconfig/make-cert.sh
[Install]
WantedBy=multi-user.target
- path: /etc/sysconfig/make-cert.sh
owner: "root:root"
permissions: "0755"
content: |
#!/bin/bash
# Parse the JSON response that contains the TLS certificate, and print
# out the certificate content.
function parse_json_response {
json_response=$1
# {..,"pem": "ABCD",..} -> ABCD
key=$(echo "$json_response" | sed 's/^.*"pem": "\([^"]*\)".*$/\1/')
# decode newline characters
key=$(echo "$key" | sed 's/\\n/\n/g')
echo "$key"
}
. /etc/sysconfig/heat-params
set -o errexit
set -o nounset
set -o pipefail
if [ "$TLS_DISABLED" == "True" ]; then
exit 0
fi
cert_dir=/etc/kubernetes/ssl
cert_conf_dir=${cert_dir}/conf
mkdir -p "$cert_dir"
mkdir -p "$cert_conf_dir"
CA_CERT=$cert_dir/ca.pem
CLIENT_CERT=$cert_dir/worker.pem
CLIENT_CSR=$cert_dir/worker.csr
CLIENT_KEY=$cert_dir/worker-key.pem
#Get a token by user credentials and trust
cat > auth.json << EOF
{
"auth": {
"identity": {
"methods": [
"password"
],
"password": {
"user": {
"id": "$TRUSTEE_USER_ID",
"password": "$TRUSTEE_PASSWORD"
}
}
},
"scope": {
"OS-TRUST:trust": {
"id": "$TRUST_ID"
}
}
}
}
EOF
#trust is introduced in Keystone v3 version
AUTH_URL=${AUTH_URL/v2.0/v3}
USER_TOKEN=`curl -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
$AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}'`
rm -rf auth.json
ca_cert_json=$(curl -X GET \
-H "X-Auth-Token: $USER_TOKEN" \
$MAGNUM_URL/certificates/$BAY_UUID)
parse_json_response "${ca_cert_json}" > ${CA_CERT}
# Create config for client's csr
cat > ${cert_conf_dir}/worker-openssl.conf <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
CN = kubernetes.invalid
[req_ext]
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
subjectAltName=dirName:kubelet,dirName:kubeproxy
[kubelet]
CN=kubelet
[kubeproxy]
CN=kube-proxy
EOF
# Generate client's private key and csr
openssl genrsa -out "${CLIENT_KEY}" 4096
chmod 400 "${CLIENT_KEY}"
openssl req -new -days 1000 \
-key "${CLIENT_KEY}" \
-out "${CLIENT_CSR}" \
-reqexts req_ext \
-config "${cert_conf_dir}/worker-openssl.conf"
# encode newline (\n) characters
csr=$(cat $CLIENT_CSR | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g')
csr_req="{\"bay_uuid\": \"$BAY_UUID\", \"csr\": \"$csr\"}"
# Send csr to Magnum to have it signed
client_cert_json=$(curl -X POST \
-H "X-Auth-Token: $USER_TOKEN" \
-H "Content-Type: application/json" \
-d "$csr_req" \
$MAGNUM_URL/certificates)
parse_json_response "${client_cert_json}" > ${CLIENT_CERT}
chmod 600 ${cert_dir}/*-key.pem
chown root:root ${cert_dir}/*-key.pem
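Review bot: The Keystone request body, including `$TRUSTEE_PASSWORD`, is written to a relative `auth.json` in whatever working directory the unit runs in and with the default umask, so the trustee credential sits in a potentially world-readable file until the `rm`, and it stays there if the token pipeline fails under `errexit`/`pipefail`. Create the file privately and clean it up on every exit path: `umask 077`, `auth_json=$(mktemp)`, `trap 'rm -f "$auth_json"' EXIT`, then write and post that file. The master script in the next file has the same lines. Separately, none of the `curl` calls use `--fail`, and `parse_json_response` prints its input unchanged when no `"pem"` field matches, so an error body can be written to `ca.pem` or `worker.pem` without the script stopping.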


@ -0,0 +1,134 @@
#cloud-config
write_files:
- path: /etc/systemd/system/make-cert.service
owner: "root:root"
permissions: "0644"
content: |
[Unit]
Description=Make TLS certificates
[Service]
Type=oneshot
ExecStart=/etc/sysconfig/make-cert.sh
[Install]
WantedBy=multi-user.target
- path: /etc/sysconfig/make-cert.sh
owner: "root:root"
permissions: "0755"
content: |
#!/bin/bash
# Parse the JSON response that contains the TLS certificate, and print
# out the certificate content.
function parse_json_response {
json_response=$1
# {..,"pem": "ABCD",..} -> ABCD
key=$(echo "$json_response" | sed 's/^.*"pem": "\([^"]*\)".*$/\1/')
# decode newline characters
key=$(echo "$key" | sed 's/\\n/\n/g')
echo "$key"
}
. /etc/sysconfig/heat-params
set -o errexit
set -o nounset
set -o pipefail
if [ "$TLS_DISABLED" == "True" ]; then
exit 0
fi
cert_ip=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
cert_private_ip=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
sans="IP:${cert_ip},IP:${cert_private_ip},IP:127.0.0.1"
MASTER_HOSTNAME=${MASTER_HOSTNAME:-}
if [[ -n "${MASTER_HOSTNAME}" ]]; then
sans="${sans},DNS:${MASTER_HOSTNAME}"
fi
cert_dir=/etc/kubernetes/ssl
cert_conf_dir=${cert_dir}/conf
mkdir -p "$cert_dir"
mkdir -p "$cert_conf_dir"
CA_CERT=$cert_dir/ca.pem
SERVER_CERT=$cert_dir/apiserver.pem
SERVER_CSR=$cert_dir/apiserver.pem
SERVER_KEY=$cert_dir/apiserver-key.pem
#Get a token by user credentials and trust
cat > auth.json << EOF
{
"auth": {
"identity": {
"methods": [
"password"
],
"password": {
"user": {
"id": "$TRUSTEE_USER_ID",
"password": "$TRUSTEE_PASSWORD"
}
}
},
"scope": {
"OS-TRUST:trust": {
"id": "$TRUST_ID"
}
}
}
}
EOF
#trust is introduced in Keystone v3 version
AUTH_URL=${AUTH_URL/v2.0/v3}
USER_TOKEN=`curl -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
$AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}'`
rm -rf auth.json
# Get CA certificate for this bay
ca_cert_json=$(curl -X GET \
-H "X-Auth-Token: $USER_TOKEN" \
$MAGNUM_URL/certificates/$BAY_UUID)
parse_json_response "${ca_cert_json}" > ${CA_CERT}
# Create config for server's csr
cat > ${cert_conf_dir}/openssl.cnf <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
CN = kube-apiserver
[req_ext]
subjectAltName = ${sans}
extendedKeyUsage = clientAuth,serverAuth
EOF
# Generate server's private key and csr
openssl genrsa -out "${SERVER_KEY}" 4096
chmod 400 "${SERVER_KEY}"
openssl req -new -days 10000 \
-key "${SERVER_KEY}" \
-out "${SERVER_CSR}" \
-reqexts req_ext \
-config "${cert_conf_dir}/openssl.cnf"
# encode newline (\n) characters
csr=$(cat $SERVER_CSR | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g')
csr_req="{\"bay_uuid\": \"$BAY_UUID\", \"csr\": \"$csr\"}"
# Send csr to Magnum to have it signed
server_cert_json=$(curl -X POST \
-H "X-Auth-Token: $USER_TOKEN" \
-H "Content-Type: application/json" \
-d "$csr_req" \
$MAGNUM_URL/certificates)
parse_json_response "${server_cert_json}" > ${SERVER_CERT}
chmod 600 ${cert_dir}/*-key.pem
chown root:root ${cert_dir}/*-key.pem
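Review bot: `SERVER_CSR` is set to `$cert_dir/apiserver.pem`, the same path as `SERVER_CERT`, so `openssl req` writes the signing request into the file the API server fragment loads as its certificate. The file is only overwritten once the signing call returns something; if that call fails, `apiserver.pem` is left holding a CSR or an error body. The client script uses `worker.csr`, so this looks like a typo for `SERVER_CSR=$cert_dir/apiserver.csr`. Note also that `-days` has no effect on `openssl req -new` without `-x509`, so the certificate lifetime is whatever Magnum's signer chooses.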


@ -0,0 +1,24 @@
#cloud-config
merge_how: dict(recurse_array)+list(append)
write_files:
- path: /etc/kubernetes/config/worker-kubeconfig.yaml
owner: "root:root"
permissions: "0644"
content: |
apiVersion: v1
kind: Config
clusters:
- name: local
cluster:
certificate-authority: /etc/kubernetes/ssl/ca.pem
users:
- name: kubelet
user:
client-certificate: /etc/kubernetes/ssl/worker.pem
client-key: /etc/kubernetes/ssl/worker-key.pem
contexts:
- context:
cluster: local
user: kubelet
name: kubelet-context
current-context: kubelet-context


@ -107,12 +107,29 @@ parameters:
description: whether or not to disable TLS
default: False
loadbalancing_protocol:
type: string
description: >
The protocol which is used for load balancing. If you want to change
tls_disabled option to 'True', please change this to "HTTP".
default: TCP
constraints:
- allowed_values: ["TCP", "HTTP"]
kubernetes_port:
type: number
description: >
The port which are used by kube-apiserver to provide Kubernetes
service.
default: 8080
default: 6443
bay_uuid:
type: string
description: identifier for the bay this template is generating
magnum_url:
type: string
description: endpoint to retrieve TLS certs from
trustee_domain_id:
type: string
@ -234,6 +251,12 @@ resources:
tls_disabled: {get_param: tls_disabled}
kube_version: {get_param: kube_version}
wait_condition_timeout: {get_param: wait_condition_timeout}
bay_uuid: {get_param: bay_uuid}
magnum_url: {get_param: magnum_url}
trustee_user_id: {get_param: trustee_user_id}
trustee_password: {get_param: trustee_password}
trust_id: {get_param: trust_id}
auth_url: {get_param: auth_url}
######################################################################
#
@ -267,6 +290,12 @@ resources:
kube_version: {get_param: kube_version}
etcd_server_ip: {"Fn::Select": [0, {get_attr: [kube_master, kube_master_ip]}]}
wait_condition_timeout: {get_param: wait_condition_timeout}
bay_uuid: {get_param: bay_uuid}
magnum_url: {get_param: magnum_url}
trustee_user_id: {get_param: trustee_user_id}
trustee_password: {get_param: trustee_password}
trust_id: {get_param: trust_id}
auth_url: {get_param: auth_url}
outputs:
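Review bot: `trustee_password` and `trust_id` are now handed to every master and minion stack, and the nested templates substitute them into the `write_heat_params` config, which appears to be delivered as cloud-config user data. `hidden: true` only masks the values in Heat's API output; on the node they are as readable as the user data and `/etc/sysconfig/heat-params` are. I would say so in the parameter descriptions, e.g. `description: password of the trustee; delivered to the node in user data, so the trust must grant no more than certificate access`, and confirm the heat-params file is written root-only (that fragment is not part of this change). The test fixture's `auth_url` is plain `http://`, and the scripts post the password and fetch the bay CA over whatever scheme `auth_url` and `magnum_url` carry, so deployments should supply `https` endpoints.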


@ -81,11 +81,41 @@ parameters:
description: >
The port which are used by kube-apiserver to provide Kubernetes
service.
default: 6443
kube_version:
type: string
description: version of kubernetes used for kubernetes cluster
bay_uuid:
type: string
description: identifier for the bay this template is generating
magnum_url:
type: string
description: endpoint to retrieve TLS certs from
trustee_user_id:
type: string
description: user id of the trustee
default: ""
trustee_password:
type: string
description: password of the trustee
default: ""
hidden: true
trust_id:
type: string
description: id of the trust which is used by the trustee
default: ""
hidden: true
auth_url:
type: string
description: url for keystone
resources:
master_wait_handle:
@ -159,6 +189,12 @@ resources:
"$KUBE_API_PORT": {get_param: kubernetes_port}
"$TLS_DISABLED": {get_param: tls_disabled}
"$KUBE_VERSION": {get_param: kube_version}
"$BAY_UUID": {get_param: bay_uuid}
"$MAGNUM_URL": {get_param: magnum_url}
"$TRUSTEE_USER_ID": {get_param: trustee_user_id}
"$TRUSTEE_PASSWORD": {get_param: trustee_password}
"$TRUST_ID": {get_param: trust_id}
"$AUTH_URL": {get_param: auth_url}
configure_etcd:
type: OS::Heat::SoftwareConfig
@ -166,6 +202,12 @@ resources:
group: ungrouped
config: {get_file: fragments/configure-etcd-coreos.yaml}
make_cert:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config: {get_file: fragments/make-cert-coreos.yaml}
write_network_config:
type: OS::Heat::SoftwareConfig
properties:
@ -234,6 +276,7 @@ resources:
str_replace:
template: |
$write_heat_params
$make_cert
$configure_etcd
$write_network_config
$enable_network_service
@ -247,6 +290,8 @@ resources:
$wc_notify
coreos:
units:
- name: "make-cert.service"
command: "start"
- name: "configure-etcd.service"
command: "start"
- name: "write-network-config.service"
@ -271,6 +316,7 @@ resources:
command: "start"
params:
"$write_heat_params": {get_attr: [write_heat_params, config]}
"$make_cert": {get_attr: [make_cert, config]}
"$configure_etcd": {get_attr: [configure_etcd, config]}
"$write_network_config": {get_attr: [write_network_config, config]}
"$enable_network_service": {get_attr: [enable_network_service, config]}


@ -2,8 +2,8 @@ heat_template_version: 2013-05-23
description: >
This is a nested stack that defines a single Kubernetes minion,
based on a vanilla Fedora 20 cloud image. This stack is included by
a ResourceGroup resource in the parent template (kubecluster-coreos.yaml).
based on a CoreOS cloud image. This stack is included by a ResourceGroup
resource in the parent template (kubecluster-coreos.yaml).
parameters:
@ -43,6 +43,15 @@ parameters:
description: >
The port which are used by kube-apiserver to provide Kubernetes
service.
default: 6443
bay_uuid:
type: string
description: identifier for the bay this template is generating
magnum_url:
type: string
description: endpoint to retrieve TLS certs from
kube_version:
type: string
@ -73,6 +82,27 @@ parameters:
description: >
timeout for the Wait Conditions
trustee_user_id:
type: string
description: user id of the trustee
default: ""
trustee_password:
type: string
description: password of the trustee
default: ""
hidden: true
trust_id:
type: string
description: id of the trust which is used by the trustee
default: ""
hidden: true
auth_url:
type: string
description: url for keystone
resources:
minion_wait_handle:
@ -121,6 +151,24 @@ resources:
$NETWORK_DRIVER: {get_param: network_driver}
$ETCD_SERVER_IP: {get_param: etcd_server_ip}
$KUBE_VERSION: {get_param: kube_version}
$BAY_UUID: {get_param: bay_uuid}
$MAGNUM_URL: {get_param: magnum_url}
$TRUSTEE_USER_ID: {get_param: trustee_user_id}
$TRUSTEE_PASSWORD: {get_param: trustee_password}
$TRUST_ID: {get_param: trust_id}
$AUTH_URL: {get_param: auth_url}
write_kubeconfig:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config: {get_file: fragments/write-kubeconfig-coreos.yaml}
make_cert:
type: OS::Heat::SoftwareConfig
properties:
group: ungrouped
config: {get_file: fragments/make-cert-client-coreos.yaml}
enable_network_service:
type: OS::Heat::SoftwareConfig
@ -154,12 +202,16 @@ resources:
str_replace:
template: |
$write_heat_params
$write_kubeconfig
$make_cert
$enable_network_service
$enable_kubelet
$enable_kube_proxy
$wc_notify
coreos:
units:
- name: "make-cert.service"
command: "start"
- name: "enable-network-service.service"
command: "start"
- name: "enable-kubelet.service"
@ -170,6 +222,8 @@ resources:
command: "start"
params:
"$write_heat_params": {get_attr: [write_heat_params, config]}
"$write_kubeconfig": {get_attr: [write_kubeconfig, config]}
"$make_cert": {get_attr: [make_cert, config]}
"$enable_network_service": {get_attr: [enable_network_service, config]}
"$enable_kubelet": {get_attr: [enable_kubelet, config]}
"$enable_kube_proxy": {get_attr: [enable_kube_proxy, config]}


@ -255,7 +255,9 @@ class TestBayConductorWithK8s(base.TestCase):
'trustee_password': 'fake_trustee_password',
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
'auth_url': 'http://192.168.10.10:5000/v3'
'auth_url': 'http://192.168.10.10:5000/v3',
'bay_uuid': self.bay_dict['uuid'],
'magnum_url': self.mock_osc.magnum_url.return_value,
}
self.assertEqual(expected, definition)
@ -302,7 +304,9 @@ class TestBayConductorWithK8s(base.TestCase):
'trustee_password': 'fake_trustee_password',
'trustee_user_id': '7b489f04-b458-4541-8179-6a48a553e656',
'trust_id': 'bd11efc5-d4e2-4dac-bbce-25e348ddf7de',
'auth_url': 'http://192.168.10.10:5000/v3'
'auth_url': 'http://192.168.10.10:5000/v3',
'bay_uuid': self.bay_dict['uuid'],
'magnum_url': self.mock_osc.magnum_url.return_value,
}
self.assertEqual(expected, definition)