Fix k8s deployment when cluster_user_trust=False

At the moment, cluster deployment fails when cluster_user_trust=False.
This is because the entire SoftwareDeployment script exits, rather than
just the one script fragment. This patch fixes that by making the
remainder of the script conditional on whether TRUST_ID is defined.

Finally, default `cloud_provider_enabled` to false when
`cluster_user_trust` is false. Raise an error when
`cloud_provider_enabled` is overridden to true when `cluster_user_trust`
is false. This ensures that the minion kubelet is correctly configured.

Change-Id: Ibd9270c87bfa5d2f490e2e226e33ca56696d9e81
Story: 2006531
Task: 36587
Bharat Kunwar 2019-09-12 20:27:24 +00:00 committed by Feilong Wang
parent 41768e0ae1
commit eebcc9b7a1
4 changed files with 28 additions and 29 deletions


@ -127,7 +127,7 @@ if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
KUBE_ADMISSION_CONTROL="--admission-control=NodeRestriction,${ADMISSION_CONTROL_LIST}"
fi
if [ -n "$TRUST_ID" ] && [ "$(echo "${CLOUD_PROVIDER_ENABLED}" | tr '[:upper:]' '[:lower:]')" = "true" ]; then
if [ "$(echo "${CLOUD_PROVIDER_ENABLED}" | tr '[:upper:]' '[:lower:]')" = "true" ]; then
KUBE_API_ARGS="$KUBE_API_ARGS --cloud-provider=external"
fi
@ -181,7 +181,7 @@ if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
KUBE_CONTROLLER_MANAGER_ARGS="$KUBE_CONTROLLER_MANAGER_ARGS --service-account-private-key-file=$CERT_DIR/service_account_private.key --root-ca-file=$CERT_DIR/ca.crt"
fi
if [ -n "$TRUST_ID" ] && [ "$(echo "${CLOUD_PROVIDER_ENABLED}" | tr '[:upper:]' '[:lower:]')" = "true" ]; then
if [ "$(echo "${CLOUD_PROVIDER_ENABLED}" | tr '[:upper:]' '[:lower:]')" = "true" ]; then
KUBE_CONTROLLER_MANAGER_ARGS="$KUBE_CONTROLLER_MANAGER_ARGS --cloud-provider=external"
KUBE_CONTROLLER_MANAGER_ARGS="$KUBE_CONTROLLER_MANAGER_ARGS --external-cloud-volume-plugin=openstack --cloud-config=/etc/kubernetes/cloud-config"
fi
@ -205,7 +205,7 @@ KUBELET_ARGS="${KUBELET_ARGS} --cluster_dns=${DNS_SERVICE_IP} --cluster_domain=$
KUBELET_ARGS="${KUBELET_ARGS} --volume-plugin-dir=/var/lib/kubelet/volumeplugins"
KUBELET_ARGS="${KUBELET_ARGS} ${KUBELET_OPTIONS}"
if [ -n "$TRUST_ID" ] && [ "$(echo "${CLOUD_PROVIDER_ENABLED}" | tr '[:upper:]' '[:lower:]')" = "true" ]; then
if [ "$(echo "${CLOUD_PROVIDER_ENABLED}" | tr '[:upper:]' '[:lower:]')" = "true" ]; then
KUBELET_ARGS="${KUBELET_ARGS} --cloud-provider=external"
fi
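Review bot: With the `-n "$TRUST_ID"` test dropped from all three conditions (L28, L35, L43, and likewise L53 in the cloud-controller-manager script of the second file), the only thing preventing `--cloud-provider=external` and `--cloud-config=/etc/kubernetes/cloud-config` from being set on a cluster without a trust is the label validation added in K8sFedoraTemplateDefinition. Any value that slips past that check (for example a cluster created before the check existed) would, as far as I can see, start kube-controller-manager pointing at a cloud-config that the third file now only writes inside its `if [ -n "${TRUST_ID}" ]` block. A comment recording the dependency would help the next reader, e.g. `# CLOUD_PROVIDER_ENABLED is forced to "false" by the template definition when cluster_user_trust is off, so no TRUST_ID check is needed here.`; alternatively keep a cheap guard such as `[ -f /etc/kubernetes/cloud-config ]` next to the label test in the controller-manager branch. The enclosing blocks of all three hunks start and end outside the hunks.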


@ -151,7 +151,7 @@ kubectl -n kube-system create secret generic os-trustee \
--from-file=os-certAuthority=/etc/kubernetes/ca-bundle.crt
#TODO: add heat variables for master count to determine leaderelect true/False ?
if [ -n "${TRUST_ID}" ] && [ "$(echo "${CLOUD_PROVIDER_ENABLED}" | tr '[:upper:]' '[:lower:]')" = "true" ]; then
if [ "$(echo "${CLOUD_PROVIDER_ENABLED}" | tr '[:upper:]' '[:lower:]')" = "true" ]; then
occm_image="${CONTAINER_INFRA_PREFIX:-docker.io/k8scloudprovider/}openstack-cloud-controller-manager:${CLOUD_PROVIDER_TAG}"
OCCM=/srv/magnum/kubernetes/openstack-cloud-controller-manager.yaml


@ -5,17 +5,14 @@ set +x
set -x
$ssh_cmd mkdir -p /etc/kubernetes/
if [ -z "${TRUST_ID}" ]; then
exit 0
fi
KUBE_OS_CLOUD_CONFIG=/etc/kubernetes/cloud-config
$ssh_cmd cp /etc/pki/tls/certs/ca-bundle.crt /etc/kubernetes/ca-bundle.crt
# Generate a the configuration for Kubernetes services
# to talk to OpenStack Neutron and Cinder
CLOUD_CONFIG=$(cat <<EOF
if [ -n "${TRUST_ID}" ]; then
KUBE_OS_CLOUD_CONFIG=/etc/kubernetes/cloud-config
# Generate a the configuration for Kubernetes services
# to talk to OpenStack Neutron and Cinder
cat > ${KUBE_OS_CLOUD_CONFIG} <<EOF
[Global]
auth-url=$AUTH_URL
user-id=$TRUSTEE_USER_ID
@ -33,24 +30,20 @@ monitor-max-retries=3
[BlockStorage]
bs-version=v2
EOF
)
cat > ${KUBE_OS_CLOUD_CONFIG} <<EOF
$CLOUD_CONFIG
EOF
# Provide optional region parameter if it's set.
if [ -n "${REGION_NAME}" ]; then
sed -i '/ca-file/a region='${REGION_NAME}'' $KUBE_OS_CLOUD_CONFIG
fi
# Provide optional region parameter if it's set.
if [ -n "${REGION_NAME}" ]; then
sed -i '/ca-file/a region='${REGION_NAME}'' $KUBE_OS_CLOUD_CONFIG
fi
# backwards compatibility, some apps may expect this file from previous magnum versions.
$ssh_cmd cp ${KUBE_OS_CLOUD_CONFIG} /etc/kubernetes/kube_openstack_config
# backwards compatibility, some apps may expect this file from previous magnum versions.
$ssh_cmd cp ${KUBE_OS_CLOUD_CONFIG} /etc/kubernetes/kube_openstack_config
# Append additional networking config to config file provided to openstack
# cloud controller manager (not supported by in-tree Cinder).
cat > ${KUBE_OS_CLOUD_CONFIG}-occm <<EOF
$CLOUD_CONFIG
# Append additional networking config to config file provided to openstack
# cloud controller manager (not supported by in-tree Cinder).
$ssh_cmd cp ${KUBE_OS_CLOUD_CONFIG} ${KUBE_OS_CLOUD_CONFIG}-occm
cat >> ${KUBE_OS_CLOUD_CONFIG}-occm <<EOF
[Networking]
internal-network-name=$CLUSTER_NETWORK_NAME
EOF
fi
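Review bot: It is not clear from the rendered hunk whether `$ssh_cmd cp /etc/pki/tls/certs/ca-bundle.crt /etc/kubernetes/ca-bundle.crt` (L66) is kept before the new `if [ -n "${TRUST_ID}" ]` (L70) or dropped: it prints once among the old lines and does not appear among the new ones. If it now runs only with a trust, or not at all, anything that still reads /etc/kubernetes/ca-bundle.crt unconditionally (the os-trustee secret creation in the second file passes it as os-certAuthority) would fail on clusters with cluster_user_trust=False, so please confirm that copy is still executed unconditionally. Separately, the new `cat > ${KUBE_OS_CLOUD_CONFIG} <<EOF` (L74) creates the file with the default umask while it holds the trustee identity (user-id on L77, and presumably the trustee credential in the part of the heredoc the hunk cuts); a `umask 077` before the heredoc, or `chmod 600` on both files after they are written, would be a cheap hardening. The `if` block spans both hunks and the heredoc body is cut between them.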


@ -110,7 +110,13 @@ class K8sFedoraTemplateDefinition(k8s_template_def.K8sTemplateDefinition):
# check cloud provider and cinder options. If cinder is selected,
# the cloud provider needs to be enabled.
cloud_provider_enabled = cluster.labels.get(
'cloud_provider_enabled', 'true').lower()
'cloud_provider_enabled',
'true' if CONF.trust.cluster_user_trust else 'false').lower()
if (not CONF.trust.cluster_user_trust
and cloud_provider_enabled == 'true'):
raise exception.InvalidParameterValue(_(
'"cluster_user_trust" must be set to True in magnum.conf when '
'"cloud_provider_enabled" label is set to true.'))
if (cluster_template.volume_driver == 'cinder'
and cloud_provider_enabled == 'false'):
raise exception.InvalidParameterValue(_(
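Review bot: The new check on L120-L121 only recognises the literal `'true'` after `.lower()`, so a label such as `'yes'` or `'1'` is neither caught here nor by the `== 'false'` cinder check on L125-L126, and flows through to the node scripts, which compare it the same way (`= "true"` after lowercasing); that is consistent, but it deserves a comment, e.g. `# Only the literal (case-insensitive) "true" enables the cloud provider; the node scripts compare the same way.`. Also, with cluster_user_trust False and volume_driver cinder the default now becomes `'false'`, so a user first hits the cinder error (L125-L127) and, after setting the label, this new one; mentioning in the new message that the cinder volume driver therefore also requires cluster_user_trust would save that second round trip. The method continues outside the hunk.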