Remove kubeadm-aio

As part of the move to helm v3, we migrated how we set up
kubernetes deployment from a series of playbooks to a
bash script. This had the advantage of being easier to
follow and deploy locally, as well as easier to debug
when an issue arose. While the kubeadm-aio was very useful
in the past to help lower run-times, it currently appears
that optimizations in our jobs have mitigated most of
the issues the AIO was introduced to lessen.

Change-Id: If0c6a97aed4083307a9b6f5beb4ec525e8103e01
Gage Hugo 2022-03-31 16:58:03 -05:00
parent 1e56dd59ea
commit ad133069aa
52 changed files with 0 additions and 2574 deletions


@ -1,32 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
version:
kubernetes: v1.19.15
helm: v2.17.0
cni: v0.8.5
proxy:
http: null
https: null
noproxy: null
images:
kubernetes:
kubeadm_aio: openstackhelm/kubeadm-aio:dev
url:
google_kubernetes_repo: https://storage.googleapis.com/kubernetes-release/release/{{ version.kubernetes }}/bin/linux/amd64
helm_repo: https://get.helm.sh
cni_repo: https://github.com/containernetworking/plugins/releases/download/{{ version.cni }}
...


@ -1,98 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: set zuul_site_mirror_fqdn from env var if not defined
when: zuul_site_mirror_fqdn is not defined
ignore_errors: True
set_fact:
zuul_site_mirror_fqdn: "{{ lookup('env','zuul_site_mirror_fqdn') }}"
# NOTE(portdirect): Untill https://github.com/ansible/ansible/issues/21433 is
# reolved, we build with a shell script to make use of the host network.
- name: Kubeadm-AIO build
block:
# NOTE(portdirect): we do this to ensure we are feeding the docker build
# a clean path to work with.
- name: Kubeadm-AIO image build path
shell: cd "{{ work_dir }}"; pwd
register: kubeadm_aio_path
# - name: build the Kubeadm-AIO image
# docker_image:
# path: "{{ kubeadm_aio_path.stdout }}/"
# name: "{{ images.kubernetes.kubeadm_aio }}"
# dockerfile: "tools/images/kubeadm-aio/Dockerfile"
# force: yes
# pull: yes
# state: present
# rm: yes
# buildargs:
# KUBE_VERSION: "{{ version.kubernetes }}"
# CNI_VERSION: "{{ version.cni }}"
# HELM_VERSION: "{{ version.helm }}"
# CHARTS: "calico,flannel,tiller,kube-dns"
- name: Kubeadm-AIO image build path with proxy
when: proxy.http
shell: |-
set -e
docker build \
--network host \
--force-rm \
--tag "{{ images.kubernetes.kubeadm_aio }}" \
--file tools/images/kubeadm-aio/Dockerfile \
--build-arg KUBE_VERSION="{{ version.kubernetes }}" \
--build-arg CNI_VERSION="{{ version.cni }}" \
--build-arg HELM_VERSION="{{ version.helm }}" \
--build-arg CHARTS="calico,flannel,tiller,kube-dns,kubernetes-keystone-webhook" \
--build-arg GOOGLE_KUBERNETES_REPO_URL="{{ url.google_kubernetes_repo }}" \
--build-arg GOOGLE_HELM_REPO_URL="{{ url.helm_repo }}" \
--build-arg CNI_REPO_URL="{{ url.cni_repo }}" \
--build-arg HTTP_PROXY="{{ proxy.http }}" \
--build-arg HTTPS_PROXY="{{ proxy.https }}" \
--build-arg NO_PROXY="{{ proxy.noproxy }}" \
{% if zuul_site_mirror_fqdn is defined and zuul_site_mirror_fqdn %}
--build-arg UBUNTU_URL="http://{{ zuul_site_mirror_fqdn }}/ubuntu/" \
--build-arg ALLOW_UNAUTHENTICATED="true" \
--build-arg PIP_INDEX_URL="http://{{ zuul_site_mirror_fqdn }}/pypi/simple" \
--build-arg PIP_TRUSTED_HOST="{{ zuul_site_mirror_fqdn }}" \
{% endif %}
.
args:
chdir: "{{ kubeadm_aio_path.stdout }}/"
executable: /bin/bash
- name: Kubeadm-AIO image build path
when: not proxy.http
shell: |-
set -e
docker build \
--network host \
--force-rm \
--tag "{{ images.kubernetes.kubeadm_aio }}" \
--file tools/images/kubeadm-aio/Dockerfile \
--build-arg KUBE_VERSION="{{ version.kubernetes }}" \
--build-arg CNI_VERSION="{{ version.cni }}" \
--build-arg HELM_VERSION="{{ version.helm }}" \
--build-arg CHARTS="calico,flannel,tiller,kube-dns,kubernetes-keystone-webhook" \
--build-arg GOOGLE_KUBERNETES_REPO_URL="{{ url.google_kubernetes_repo }}" \
--build-arg GOOGLE_HELM_REPO_URL="{{ url.helm_repo }}" \
--build-arg CNI_REPO_URL="{{ url.cni_repo }}" \
{% if zuul_site_mirror_fqdn is defined and zuul_site_mirror_fqdn %}
--build-arg UBUNTU_URL="http://{{ zuul_site_mirror_fqdn }}/ubuntu/" \
--build-arg ALLOW_UNAUTHENTICATED="true" \
--build-arg PIP_INDEX_URL="http://{{ zuul_site_mirror_fqdn }}/pypi/simple" \
--build-arg PIP_TRUSTED_HOST="{{ zuul_site_mirror_fqdn }}" \
{% endif %}
.
args:
chdir: "{{ kubeadm_aio_path.stdout }}/"
executable: /bin/bash
...


@ -1,15 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- include: kubeadm-aio.yaml
...


@ -1,55 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
kubernetes_cluster_cni: calico
kubernetes_cluster_pod_subnet: 192.168.0.0/16
kubernetes_cluster_domain: cluster.local
kubernetes_network_default_device: null
kubernetes_selfhosted: false
kubernetes_keystone_auth: false
images:
kubernetes:
kubeadm_aio: openstackhelm/kubeadm-aio:dev
nodes:
labels:
primary:
- name: openstack-helm-node-class
value: primary
nodes:
- name: openstack-helm-node-class
value: general
all:
- name: openstack-control-plane
value: enabled
- name: openstack-compute-node
value: enabled
- name: openvswitch
value: enabled
- name: linuxbridge
value: enabled
- name: ceph-mon
value: enabled
- name: ceph-osd
value: enabled
- name: ceph-mds
value: enabled
- name: ceph-rgw
value: enabled
- name: ceph-mgr
value: enabled
gate_fqdn_test: false
gate_fqdn_tld: openstackhelm.test
...


@ -1,69 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: master
vars:
kubeadm_aio_action: clean-host
block:
- name: "kubeadm-aio performing action: {{ kubeadm_aio_action }}"
become: true
become_user: root
docker_container:
name: "kubeadm-{{ kubeadm_aio_action }}"
image: "{{ images.kubernetes.kubeadm_aio }}"
state: started
detach: false
recreate: yes
pid_mode: host
network_mode: host
capabilities: SYS_ADMIN
volumes:
- /sys:/sys:rw
- /run:/run:rw
- /:/mnt/rootfs:rw
- /etc:/etc:rw
env:
CONTAINER_NAME="kubeadm-{{ kubeadm_aio_action }}"
ACTION="{{ kubeadm_aio_action }}"
KUBE_BIND_DEVICE="{{ kubernetes_default_device }}"
USER_UID="{{ playbook_user_id }}"
USER_GID="{{ playbook_group_id }}"
USER_HOME="{{ playbook_user_dir }}"
CNI_ENABLED="{{ kubernetes_cluster_cni }}"
PVC_SUPPORT_CEPH=true
PVC_SUPPORT_NFS=true
NET_SUPPORT_LINUXBRIDGE=true
KUBE_NET_POD_SUBNET="{{ kubernetes_cluster_pod_subnet }}"
KUBE_NET_DNS_DOMAIN="{{ kubernetes_cluster_domain }}"
CONTAINER_RUNTIME=docker
register: kubeadm_master_deploy
ignore_errors: True
rescue:
- name: getting logs from kubeadm-aio container
command: "docker logs kubeadm-{{ kubeadm_aio_action }}"
become: true
become_user: root
register: out
- name: dumping logs from kubeadm-aio container
debug:
var: out.stdout_lines
- name: exiting if the kubeadm deploy failed
command: exit 1
always:
- name: removing kubeadm-aio container
become: true
become_user: root
docker_container:
name: "kubeadm-{{ kubeadm_aio_action }}"
state: absent
...


@ -1,27 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: setting node labels
vars:
kubeadm_kubelet_labels_node:
- "{% if nodes.labels.all is defined %}{% set comma = joiner(\",\") %}{% for item in nodes.labels.all %}{{ comma() }}{{ item.name }}={{ item.value }}{% endfor %}{% else %}\"\"{% endif %}"
- "{% set comma = joiner(\",\") %}{% for group in group_names %}{% if nodes.labels[group] is defined %}{% for item in nodes.labels[group] %}{{ comma() }}{{ item.name }}={{ item.value }}{% endfor %}{% else %}\"\"{% endif %}{% endfor %}"
set_fact:
kubeadm_kubelet_labels: "{% set comma = joiner(\",\") %}{% for item in kubeadm_kubelet_labels_node %}{{ comma() }}{{ item }}{% endfor %}"
- name: deploy-kubelet
vars:
kubeadm_aio_action: deploy-kubelet
include: util-kubeadm-aio-run.yaml
...


@ -1,36 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: setting playbook facts
set_fact:
playbook_user_id: "{{ ansible_user_uid }}"
playbook_group_id: "{{ ansible_user_gid }}"
playbook_user_dir: "{{ ansible_user_dir }}"
kubernetes_default_device: "{{ ansible_default_ipv4.alias }}"
kubernetes_default_address: null
primary_node_default_ip: "{{ hostvars[(groups['primary'][0])]['ansible_default_ipv4']['address'] }}"
- name: if we have defined a custom interface for kubernetes use that
when: kubernetes_network_default_device is defined and kubernetes_network_default_device
set_fact:
kubernetes_default_device: "{{ kubernetes_network_default_device }}"
- name: if we are in openstack infra use the private IP for kubernetes
when: (nodepool is defined) and (nodepool.private_ipv4 is defined)
set_fact:
kubernetes_default_address: "{{ nodepool.private_ipv4 }}"
- include: clean-node.yaml
- include: deploy-kubelet.yaml
...


@ -1,83 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Run Kubeadm-AIO container
vars:
kubeadm_aio_action: null
kubeadm_kubelet_labels: ""
block:
- name: "performing {{ kubeadm_aio_action }} action"
become: true
become_user: root
docker_container:
name: "kubeadm-{{ kubeadm_aio_action }}"
image: "{{ images.kubernetes.kubeadm_aio }}"
state: started
detach: false
recreate: yes
pid_mode: host
network_mode: host
capabilities: SYS_ADMIN
volumes:
- /sys:/sys:rw
- /run:/run:rw
- /:/mnt/rootfs:rw
- /etc:/etc:rw
env:
CONTAINER_NAME="kubeadm-{{ kubeadm_aio_action }}"
ACTION="{{ kubeadm_aio_action }}"
KUBE_BIND_DEVICE="{{ kubernetes_default_device }}"
KUBE_BIND_ADDR="{{ kubernetes_default_address }}"
USER_UID="{{ playbook_user_id }}"
USER_GID="{{ playbook_group_id }}"
USER_HOME="{{ playbook_user_dir }}"
CNI_ENABLED="{{ kubernetes_cluster_cni }}"
PVC_SUPPORT_CEPH=true
PVC_SUPPORT_NFS=true
NET_SUPPORT_LINUXBRIDGE=true
KUBE_NET_POD_SUBNET="{{ kubernetes_cluster_pod_subnet }}"
KUBE_NET_DNS_DOMAIN="{{ kubernetes_cluster_domain }}"
CONTAINER_RUNTIME=docker
KUBELET_NODE_LABELS="{{ kubeadm_kubelet_labels }}"
KUBE_SELF_HOSTED="{{ kubernetes_selfhosted }}"
KUBE_KEYSTONE_AUTH="{{ kubernetes_keystone_auth }}"
GATE_FQDN_TEST="{{ gate_fqdn_test }}"
GATE_FQDN_TLD="{{ gate_fqdn_tld }}"
GATE_INGRESS_IP="{{ primary_node_default_ip }}"
register: kubeadm_master_deploy
rescue:
- name: "getting logs for {{ kubeadm_aio_action }} action"
command: "docker logs kubeadm-{{ kubeadm_aio_action }}"
become: true
become_user: root
register: out
- name: "dumping logs for {{ kubeadm_aio_action }} action"
debug:
var: out.stdout_lines
- name: "exiting if {{ kubeadm_aio_action }} action failed"
command: exit 1
always:
- name: "removing container for {{ kubeadm_aio_action }} action"
become: true
become_user: root
docker_container:
name: "kubeadm-{{ kubeadm_aio_action }}"
state: absent
- name: add labels to namespaces
command: kubectl label --overwrite namespace {{ item }} name={{ item }}
with_items:
- default
- kube-system
- kube-public
ignore_errors: True
...


@ -1,31 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: setting playbook user info facts before escalating privileges
set_fact:
playbook_user_id: "{{ ansible_user_uid }}"
playbook_group_id: "{{ ansible_user_gid }}"
playbook_user_dir: "{{ ansible_user_dir }}"
- name: deploying kubelet and support assets to node
include_role:
name: deploy-kubeadm-aio-common
tasks_from: main
- name: deploying kubernetes on master node
vars:
kubeadm_aio_action: deploy-kube
include_role:
name: deploy-kubeadm-aio-common
tasks_from: util-kubeadm-aio-run
...


@ -1,17 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
images:
kubernetes:
kubeadm_aio: openstackhelm/kubeadm-aio:dev
...


@ -1,51 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: setting playbook user info facts before escalating privileges
set_fact:
playbook_user_id: "{{ ansible_user_uid }}"
playbook_group_id: "{{ ansible_user_gid }}"
playbook_user_dir: "{{ ansible_user_dir }}"
kube_master: "{{ groups['primary'][0] }}"
kube_worker: "{{ inventory_hostname }}"
kube_node_hostname: "{{ ansible_fqdn }}"
- name: deploying kubelet and support assets to node
include_role:
name: deploy-kubeadm-aio-common
tasks_from: main
- name: generating the kubeadm join command for the node
include: util-generate-join-command.yaml
delegate_to: "{{ kube_master }}"
- name: joining node to kubernetes cluster
vars:
kubeadm_aio_action: join-kube
kubeadm_aio_join_command: "{{ kubeadm_cluster_join_command }}"
include: util-run-join-command.yaml
# FIXME(portdirect): running as root for now to unblock the gates, though this
# runs ok under ansible 2.5.4 locally without privileges
- name: waiting for node to be ready
delegate_to: "{{ kube_master }}"
become: true
become_user: root
shell: kubectl get node "{{ kube_node_hostname }}" -o jsonpath="{$.status.conditions[?(@.reason=='KubeletReady')]['type']}" || echo "Not registered yet"
environment:
KUBECONFIG: '/etc/kubernetes/admin.conf'
register: task_result
until: task_result.stdout == 'Ready'
retries: 120
delay: 5
...


@ -1,56 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: generate the kubeadm join command for nodes
vars:
kubeadm_aio_action: generate-join-cmd
kubeadm_cluster_join_ttl: 30m
kube_worker: null
block:
- name: "deploying kubeadm {{ kubeadm_aio_action }} container"
become: true
become_user: root
docker_container:
name: "kubeadm-{{ kube_worker }}-{{ kubeadm_aio_action }}"
image: "{{ images.kubernetes.kubeadm_aio }}"
state: started
detach: false
recreate: yes
network_mode: host
volumes:
- /etc/kubernetes:/etc/kubernetes:ro
env:
ACTION=generate-join-cmd
TTL="{{ kubeadm_cluster_join_ttl }}"
register: kubeadm_generate_join_command
- name: "getting logs for {{ kubeadm_aio_action }} action"
command: "docker logs kubeadm-{{ kube_worker }}-{{ kubeadm_aio_action }}"
become: true
become_user: root
register: kubeadm_aio_action_logs
- name: storing cluster join command
set_fact: kubeadm_cluster_join_command="{{ kubeadm_aio_action_logs.stdout | regex_search('kubeadm join.*') }}"
rescue:
- name: "dumping logs for {{ kubeadm_aio_action }} action"
debug:
var: kubeadm_aio_action_logs.stdout_lines
- name: "exiting if {{ kubeadm_aio_action }} action failed"
command: exit 1
always:
- name: "removing container for {{ kubeadm_aio_action }} action"
become: true
become_user: root
docker_container:
name: "kubeadm-{{ kube_worker }}-{{ kubeadm_aio_action }}"
state: absent
...


@ -1,59 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: master
vars:
kubeadm_aio_action: join-kube
kubeadm_aio_join_command: null
block:
- name: "deploying kubeadm {{ kubeadm_aio_action }} container"
become: true
become_user: root
docker_container:
name: "kubeadm-{{ kubeadm_aio_action }}"
image: "{{ images.kubernetes.kubeadm_aio }}"
state: started
detach: false
recreate: yes
pid_mode: host
network_mode: host
capabilities: SYS_ADMIN
volumes:
- /sys:/sys:rw
- /run:/run:rw
- /:/mnt/rootfs:rw
- /etc:/etc:rw
env:
CONTAINER_NAME="kubeadm-{{ kubeadm_aio_action }}"
ACTION="{{ kubeadm_aio_action }}"
KUBEADM_JOIN_COMMAND="{{ kubeadm_aio_join_command }}"
register: kubeadm_aio_join_container
rescue:
- name: "getting logs for {{ kubeadm_aio_action }} action"
command: "docker logs kubeadm-{{ kubeadm_aio_action }}"
become: true
become_user: root
register: kubeadm_aio_join_container_output
- name: "dumping logs for {{ kubeadm_aio_action }} action"
debug:
msg: "{{ kubeadm_aio_join_container_output.stdout_lines }}"
- name: "exiting if {{ kubeadm_aio_action }} action failed"
command: exit 1
always:
- name: "removing container for {{ kubeadm_aio_action }} action"
become: true
become_user: root
docker_container:
name: "kubeadm-{{ kubeadm_aio_action }}"
state: absent
...


@ -1,119 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
FROM docker.io/ubuntu:bionic
MAINTAINER pete.birley@att.com
ARG UBUNTU_URL=http://archive.ubuntu.com/ubuntu/
ARG ALLOW_UNAUTHENTICATED=false
ARG PIP_INDEX_URL=https://pypi.python.org/simple/
ARG PIP_TRUSTED_HOST=pypi.python.org
ENV PIP_INDEX_URL=${PIP_INDEX_URL}
ENV PIP_TRUSTED_HOST=${PIP_TRUSTED_HOST}
COPY ./tools/images/kubeadm-aio/sources.list /etc/apt/
RUN sed -i \
-e "s|%%UBUNTU_URL%%|${UBUNTU_URL}|g" \
/etc/apt/sources.list ;\
echo "APT::Get::AllowUnauthenticated \"${ALLOW_UNAUTHENTICATED}\";\n\
Acquire::AllowInsecureRepositories \"${ALLOW_UNAUTHENTICATED}\";\n\
Acquire::AllowDowngradeToInsecureRepositories \"${ALLOW_UNAUTHENTICATED}\";" \
>> /etc/apt/apt.conf.d/allow-unathenticated
ARG GOOGLE_KUBERNETES_REPO_URL=https://storage.googleapis.com/kubernetes-release/release/${KUBE_VERSION}/bin/linux/amd64
ENV GOOGLE_KUBERNETES_REPO_URL ${GOOGLE_KUBERNETES_REPO_URL}
ARG HELM_REPO_URL=https://get.helm.sh
ENV HELM_REPO_URL ${HELM_REPO_URL}
ARG KUBE_VERSION="v1.19.15"
ENV KUBE_VERSION ${KUBE_VERSION}
ARG CNI_VERSION="v0.8.5"
ENV CNI_VERSION ${CNI_VERSION}
ARG CNI_REPO_URL=https://github.com/containernetworking/plugins/releases/download/$CNI_VERSION
ENV CNI_REPO_URL ${CNI_REPO_URL}
ARG HELM_VERSION="v2.17.0"
ENV HELM_VERSION ${HELM_VERSION}
ARG CHARTS="calico,flannel,tiller,kube-dns,kubernetes-keystone-webhook"
ENV CHARTS ${CHARTS}
ARG HTTP_PROXY=""
ENV HTTP_PROXY ${HTTP_PROXY}
ENV http_proxy ${HTTP_PROXY}
ARG HTTPS_PROXY=""
ENV HTTPS_PROXY ${HTTPS_PROXY}
ENV https_proxy ${HTTPS_PROXY}
ARG NO_PROXY="127.0.0.1,localhost,.svc.cluster.local"
ENV NO_PROXY ${NO_PROXY}
ENV no_proxy ${NO_PROXY}
ENV container="docker" \
DEBIAN_FRONTEND="noninteractive" \
CNI_BIN_DIR="/opt/cni/bin"
RUN set -ex ;\
apt-get update ;\
apt-get upgrade -y ;\
apt-get install -y --no-install-recommends \
bash \
ca-certificates \
curl \
jq \
python3-pip \
gawk ;\
pip3 --no-cache-dir install --upgrade pip==21.0.1 ;\
hash -r ;\
pip3 --no-cache-dir install --upgrade setuptools ;\
# NOTE(srwilkers): Pinning ansible to 2.5.5, as pip installs 2.6 by default.
# 2.6 introduces a new command flag (init) for the docker_container module
# that is incompatible with what we have currently. 2.5.5 ensures we match
# what's deployed in the gates
pip3 --no-cache-dir install --upgrade \
requests \
docker \
kubernetes \
"ansible==2.5.5" ;\
for BINARY in kubectl kubeadm; do \
curl -sSL -o /usr/bin/${BINARY} \
${GOOGLE_KUBERNETES_REPO_URL}/${BINARY} ;\
chmod +x /usr/bin/${BINARY} ;\
done ;\
mkdir -p /opt/assets/usr/bin ;\
curl -sSL -o /opt/assets/usr/bin/kubelet \
${GOOGLE_KUBERNETES_REPO_URL}/kubelet ;\
chmod +x /opt/assets/usr/bin/kubelet ;\
mkdir -p /opt/assets${CNI_BIN_DIR} ;\
curl -sSL ${CNI_REPO_URL}/cni-plugins-linux-amd64-$CNI_VERSION.tgz | \
tar -zxv --strip-components=1 -C /opt/assets${CNI_BIN_DIR} ;\
TMP_DIR=$(mktemp -d) ;\
curl -sSL ${HELM_REPO_URL}/helm-${HELM_VERSION}-linux-amd64.tar.gz | tar -zxv --strip-components=1 -C ${TMP_DIR} ;\
mv ${TMP_DIR}/helm /usr/bin/helm ;\
rm -rf ${TMP_DIR} ;\
apt-get purge -y --auto-remove \
curl ;\
rm -rf /var/lib/apt/lists/* /tmp/* /root/.cache
COPY ./ /tmp/source
RUN set -ex ;\
cp -rfav /tmp/source/tools/images/kubeadm-aio/assets/* / ;\
IFS=','; for CHART in $CHARTS; do \
mv -v /tmp/source/${CHART} /opt/charts/; \
done ;\
rm -rf /tmp/source
ENTRYPOINT ["/entrypoint.sh"]


@ -1,134 +0,0 @@
#!/usr/bin/env bash
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -e
if [ "x${ACTION}" == "xgenerate-join-cmd" ]; then
: ${TTL:="10m"}
DISCOVERY_TOKEN="$(kubeadm token --kubeconfig /etc/kubernetes/admin.conf create --ttl ${TTL} --usages signing,authentication --groups '')"
DISCOVERY_TOKEN_CA_HASH="$(openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* /sha256:/')"
API_SERVER=$(cat /etc/kubernetes/admin.conf | python3 -c "import sys, yaml; print(yaml.safe_load(sys.stdin)['clusters'][0]['cluster']['server'].split(\"//\",1).pop())")
exec echo "kubeadm join \
--token ${DISCOVERY_TOKEN} \
--discovery-token-ca-cert-hash ${DISCOVERY_TOKEN_CA_HASH} \
${API_SERVER}"
elif [ "x${ACTION}" == "xjoin-kube" ]; then
exec ansible-playbook /opt/playbooks/kubeadm-aio-deploy-node.yaml \
--inventory=/opt/playbooks/inventory.ini \
--extra-vars="kubeadm_join_command=\"${KUBEADM_JOIN_COMMAND}\""
fi
: ${ACTION:="deploy-kube"}
: ${CONTAINER_NAME:="null"}
: ${CONTAINER_RUNTIME:="docker"}
: ${CNI_ENABLED:="calico"}
: ${CNI_HOST_IP:="10.96.232.136"}
: ${NET_SUPPORT_LINUXBRIDGE:="true"}
: ${PVC_SUPPORT_CEPH:="false"}
: ${PVC_SUPPORT_NFS:="false"}
: ${HELM_TILLER_IMAGE:="ghcr.io/helm/tiller:${HELM_VERSION}"}
: ${KUBE_VERSION:="${KUBE_VERSION}"}
: ${KUBE_IMAGE_REPO:="k8s.gcr.io"}
: ${KUBE_API_BIND_PORT:="6443"}
: ${KUBE_NET_DNS_DOMAIN:="cluster.local"}
: ${KUBE_NET_POD_SUBNET:="192.168.0.0/16"}
: ${KUBE_NET_SUBNET_SUBNET:="10.96.0.0/12"}
: ${KUBE_BIND_DEVICE:=""}
: ${KUBE_BIND_ADDR:=""}
: ${KUBE_API_BIND_DEVICE:="${KUBE_BIND_DEVICE}"}
: ${KUBE_API_BIND_ADDR:="${KUBE_BIND_ADDR}"}
: ${KUBE_CERTS_DIR:="/etc/kubernetes/pki"}
: ${KUBE_SELF_HOSTED:="false"}
: ${KUBE_KEYSTONE_AUTH:="false"}
: ${KUBELET_NODE_LABELS:=""}
: ${GATE_FQDN_TEST:="false"}
: ${GATE_INGRESS_IP:="127.0.0.1"}
: ${GATE_FQDN_TLD:="openstackhelm.test"}
PLAYBOOK_VARS="{
\"my_container_name\": \"${CONTAINER_NAME}\",
\"user\": {
\"uid\": ${USER_UID},
\"gid\": ${USER_GID},
\"home\": \"${USER_HOME}\"
},
\"cluster\": {
\"cni\": \"${CNI_ENABLED}\",
\"cni_host_ip\": \"${CNI_HOST_IP}\"
},
\"kubelet\": {
\"container_runtime\": \"${CONTAINER_RUNTIME}\",
\"net_support_linuxbridge\": ${NET_SUPPORT_LINUXBRIDGE},
\"pv_support_nfs\": ${PVC_SUPPORT_NFS},
\"pv_support_ceph\": ${PVC_SUPPORT_CEPH}
},
\"helm\": {
\"tiller_image\": \"${HELM_TILLER_IMAGE}\"
},
\"k8s\": {
\"kubernetesVersion\": \"${KUBE_VERSION}\",
\"imageRepository\": \"${KUBE_IMAGE_REPO}\",
\"certificatesDir\": \"${KUBE_CERTS_DIR}\",
\"selfHosted\": \"${KUBE_SELF_HOSTED}\",
\"keystoneAuth\": \"${KUBE_KEYSTONE_AUTH}\",
\"api\": {
\"bindPort\": ${KUBE_API_BIND_PORT}
},
\"networking\": {
\"dnsDomain\": \"${KUBE_NET_DNS_DOMAIN}\",
\"podSubnet\": \"${KUBE_NET_POD_SUBNET}\",
\"serviceSubnet\": \"${KUBE_NET_SUBNET_SUBNET}\"
}
},
\"gate\": {
\"fqdn_testing\": \"${GATE_FQDN_TEST}\",
\"ingress_ip\": \"${GATE_INGRESS_IP}\",
\"fqdn_tld\": \"${GATE_FQDN_TLD}\"
}
}"
set -x
if [ "x${ACTION}" == "xdeploy-kubelet" ]; then
if [ "x${KUBE_BIND_ADDR}" != "x" ]; then
PLAYBOOK_VARS=$(echo $PLAYBOOK_VARS | jq ".kubelet += {\"bind_addr\": \"${KUBE_BIND_ADDR}\"}")
elif [ "x${KUBE_BIND_DEVICE}" != "x" ]; then
PLAYBOOK_VARS=$(echo $PLAYBOOK_VARS | jq ".kubelet += {\"bind_device\": \"${KUBE_BIND_DEVICE}\"}")
fi
if [ "x${KUBELET_NODE_LABELS}" != "x" ]; then
PLAYBOOK_VARS=$(echo $PLAYBOOK_VARS | jq ".kubelet += {\"kubelet_labels\": \"${KUBELET_NODE_LABELS}\"}")
fi
exec ansible-playbook /opt/playbooks/kubeadm-aio-deploy-kubelet.yaml \
--inventory=/opt/playbooks/inventory.ini \
--inventory=/opt/playbooks/vars.yaml \
--extra-vars="${PLAYBOOK_VARS}"
elif [ "x${ACTION}" == "xdeploy-kube" ]; then
if [ "x${KUBE_API_BIND_ADDR}" != "x" ]; then
PLAYBOOK_VARS=$(echo $PLAYBOOK_VARS | jq ".k8s.api += {\"advertiseAddress\": \"${KUBE_API_BIND_ADDR}\"}")
elif [ "x${KUBE_API_BIND_DEVICE}" != "x" ]; then
PLAYBOOK_VARS=$(echo $PLAYBOOK_VARS | jq ".k8s.api += {\"advertiseAddressDevice\": \"${KUBE_API_BIND_DEVICE}\"}")
fi
exec ansible-playbook /opt/playbooks/kubeadm-aio-deploy-master.yaml \
--inventory=/opt/playbooks/inventory.ini \
--inventory=/opt/playbooks/vars.yaml \
--extra-vars="${PLAYBOOK_VARS}"
elif [ "x${ACTION}" == "xclean-host" ]; then
exec ansible-playbook /opt/playbooks/kubeadm-aio-clean.yaml \
--inventory=/opt/playbooks/inventory.ini \
--inventory=/opt/playbooks/vars.yaml \
--extra-vars="${PLAYBOOK_VARS}"
else
exec ${ACTION}
fi


@ -1,2 +0,0 @@
[node]
/mnt/rootfs ansible_connection=chroot


@ -1,21 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- hosts: all
gather_facts: True
become: yes
roles:
- clean-host
tags:
- clean-host
...


@ -1,21 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- hosts: all
gather_facts: True
become: yes
roles:
- deploy-kubelet
tags:
- deploy-kubelet
...


@ -1,20 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- hosts: all
become: yes
roles:
- deploy-kubeadm-master
tags:
- deploy-kubeadm-master
...


@ -1,20 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- hosts: all
become: yes
roles:
- deploy-kubeadm-node
tags:
- deploy-kubeadm-node
...


@ -1,62 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: clean | kube | remove config
file:
path: "{{ item }}"
state: absent
with_items:
- /etc/kubernetes
- name: clean | kube | stop kubelet service
ignore_errors: yes
systemd:
name: kubelet
state: stopped
enabled: no
masked: no
- name: clean | kube | removing any old docker containers
ignore_errors: yes
shell: MY_CONTAINER_ID=$(docker inspect --format {% raw %}'{{ .Id }}'{% endraw %} "{{ my_container_name }}"); docker ps --all --no-trunc --quiet | awk '!'"/${MY_CONTAINER_ID}/ { print \$1 }" | xargs -r -l1 -P16 docker rm -f
args:
executable: /bin/bash
- name: clean | kube | remove any mounts
ignore_errors: yes
shell: |-
for MOUNT in $(findmnt --df --output TARGET | grep "^/var/lib/kubelet"); do
umount --force $MOUNT
done
args:
executable: /bin/bash
- name: clean | kube | remove dirs
file:
path: "{{ item }}"
state: absent
with_items:
- /etc/kubernetes
- /etc/cni/net.d
- /etc/systemd/system/kubelet.service
- /etc/systemd/system/kubelet.service.d
- /var/lib/kubelet
- /var/lib/etcd
- /var/etcd
- /opt/cni/bin
- name: clean | kube | reload systemd
systemd:
daemon_reload: yes
...


@ -1,142 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
---
- name: setting up bootstrap tiller
block:
- name: pull the helm tiller Image
become: true
become_user: root
docker_image:
pull: true
name: "{{ helm.tiller_image }}"
- name: deploying bootstrap tiller
become: true
become_user: root
docker_container:
name: "helm-tiller"
image: "{{ helm.tiller_image }}"
state: started
detach: true
recreate: yes
network_mode: host
user: root
volumes:
- /etc/kubernetes/admin.conf:/etc/kubernetes/admin.conf:ro
env:
KUBECONFIG=/etc/kubernetes/admin.conf
register: kubeadm_aio_tiller_container
ignore_errors: True
- name: wait for tiller to be ready
delegate_to: 127.0.0.1
command: helm version --server
environment:
HELM_HOST: 'localhost:44134'
register: task_result
until: task_result.rc == 0
retries: 120
delay: 5
- name: kubeadm | cni | get default mtu
block:
- name: getting default route device mtu
shell: echo $(cat /sys/class/net/$(sudo ip -4 route list 0/0 | awk '{ print $5; exit }')/mtu)
args:
executable: /bin/bash
register: cni_default_device_mtu
- name: Generate self-signed certificates
when: cluster.cni == 'calico'
delegate_to: 127.0.0.1
block:
- name: Get cfssl
get_url:
url: "https://pkg.cfssl.org/R1.2/{{ item }}_linux-amd64"
dest: "/usr/local/bin/{{ item }}"
mode: 744
with_items:
- cfssl
- cfssljson
- name: Add ca-config
template:
src: ca-config.json.j2
dest: /etc/kubernetes/pki/calico/ca-config.json
- name: Copy CA
copy:
src: /etc/kubernetes/pki/{{ item }}
dest: /etc/kubernetes/pki/calico/{{ item }}
with_items:
- ca.crt
- ca.key
- name: Prepare certificates for Calico
shell: |
echo '{"CN":"server","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=ca.crt -ca-key=ca.key -config=ca-config.json -profile=server -hostname="{{ cluster.cni_host_ip }},127.0.0.1,localhost" - | cfssljson -bare server
echo '{"CN":"client","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=ca.crt -ca-key=ca.key -config=ca-config.json -profile=client - | cfssljson -bare client
args:
chdir: /etc/kubernetes/pki/calico
executable: /bin/bash
- name: Add script file
template:
src: certs.py.j2
dest: /etc/kubernetes/pki/calico/certs.py
- name: Create yaml file
shell: python3 /etc/kubernetes/pki/calico/certs.py
args:
executable: /bin/bash
chdir: /etc/kubernetes/pki/calico
- name: kubeadm | cni | calico
when: cluster.cni == 'calico'
delegate_to: 127.0.0.1
block:
- name: kubeadm | cni | calico | label node
command: kubectl label --overwrite nodes {{ kubeadm_node_hostname }} node-role.kubernetes.io/master=
environment:
KUBECONFIG: '/mnt/rootfs/etc/kubernetes/admin.conf'
- name: kubeadm | cni | calico
command: helm install /opt/charts/calico --name calico --namespace kube-system --set networking.podSubnet="{{ k8s.networking.podSubnet }}" --set conf.node.IP_AUTODETECTION_METHOD="can-reach={% if k8s.api.advertiseAddress is defined %}{{ k8s.api.advertiseAddress }}{% else %}{% if k8s.api.advertiseAddressDevice is defined %}{{ hostvars[inventory_hostname]['ansible_'+k8s.api.advertiseAddressDevice].ipv4.address }}{% else %}{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}{% endif %}{% endif %}" --set networking.mtu="{{ cni_default_device_mtu.stdout }}" --values="/etc/kubernetes/pki/calico/calico_certs.yaml" --set monitoring.prometheus.calico_node.port="{{ calico.prometheus_port }}" --wait --timeout=600
environment:
HELM_HOST: 'localhost:44134'
- name: kubeadm | cni | calico
command: helm status calico
environment:
HELM_HOST: 'localhost:44134'
register: kubeadm_helm_cni_status
- name: kubeadm | cni | status
debug:
msg: "{{ kubeadm_helm_cni_status.stdout_lines }}"
- name: kubeadm | cni | flannel
when: cluster.cni == 'flannel'
delegate_to: 127.0.0.1
block:
- name: kubeadm | cni | flannel
command: helm install /opt/charts/flannel --name flannel --namespace kube-system --set networking.podSubnet="{{ k8s.networking.podSubnet }}" --wait --timeout=600
environment:
HELM_HOST: 'localhost:44134'
- name: kubeadm | cni | flannel
command: helm status flannel
environment:
HELM_HOST: 'localhost:44134'
register: kubeadm_helm_cni_status
- name: kubeadm | cni | status
debug:
msg: "{{ kubeadm_helm_cni_status.stdout_lines }}"
- name: "removing bootstrap tiller container"
become: true
become_user: root
docker_container:
name: "helm-tiller"
state: absent
...


@ -1,89 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
---
- name: setting up bootstrap tiller
block:
- name: pull the helm tiller Image
become: true
become_user: root
docker_image:
pull: true
name: "{{ helm.tiller_image }}"
- name: deploying bootstrap tiller
become: true
become_user: root
docker_container:
name: "helm-tiller"
image: "{{ helm.tiller_image }}"
state: started
detach: true
recreate: yes
network_mode: host
user: root
volumes:
- /etc/kubernetes/admin.conf:/etc/kubernetes/admin.conf:ro
env:
KUBECONFIG: /etc/kubernetes/admin.conf
register: kubeadm_aio_tiller_container
ignore_errors: True
- name: wait for tiller to be ready
delegate_to: 127.0.0.1
command: helm version --server
environment:
HELM_HOST: 'localhost:44134'
register: task_result
until: task_result.rc == 0
retries: 120
delay: 5
- name: ensure tiller release installed
delegate_to: 127.0.0.1
block:
- name: install tiller release
command: helm install /opt/charts/tiller --name tiller --namespace kube-system --set monitoring.prometheus.enabled=true --wait
environment:
HELM_HOST: 'localhost:44134'
- name: get the status for tiller release
command: helm status tiller
environment:
HELM_HOST: 'localhost:44134'
register: kubeadm_helm_cni_status
- name: display the status for tiller release
debug:
msg: "{{ kubeadm_helm_cni_status }}"
- name: "removing bootstrap tiller container"
become: true
become_user: root
docker_container:
name: "helm-tiller"
state: absent
- name: setting up helm client on host
block:
- name: copying helm binary to host
become: true
become_user: root
copy:
src: /usr/bin/helm
dest: /usr/bin/helm
owner: root
group: root
mode: 365
- name: setting up helm client for user
environment:
http_proxy: "{{ proxy.http }}"
https_proxy: "{{ proxy.https }}"
no_proxy: "{{ proxy.noproxy }}"
command: helm init --client-only --skip-refresh --stable-repo-url "https://charts.helm.sh/stable"
...


@ -1,71 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
---
- name: setting up bootstrap tiller
block:
- name: pull the helm tiller Image
become: true
become_user: root
docker_image:
pull: true
name: "{{ helm.tiller_image }}"
- name: deploying bootstrap tiller
become: true
become_user: root
docker_container:
name: "helm-tiller"
image: "{{ helm.tiller_image }}"
state: started
detach: true
recreate: yes
network_mode: host
user: root
volumes:
- /etc/kubernetes/admin.conf:/etc/kubernetes/admin.conf:ro
env:
KUBECONFIG=/etc/kubernetes/admin.conf
register: kubeadm_aio_tiller_container
ignore_errors: True
- name: wait for tiller to be ready
delegate_to: 127.0.0.1
command: helm version --server
environment:
HELM_HOST: 'localhost:44134'
register: task_result
until: task_result.rc == 0
retries: 120
delay: 5
- name: kubeadm | dns
delegate_to: 127.0.0.1
block:
- name: kubeadm | dns
command: "helm install /opt/charts/kube-dns --name kube-dns --namespace kube-system --set networking.dnsDomain={{ k8s.networking.dnsDomain }} --wait"
environment:
HELM_HOST: 'localhost:44134'
- name: kubeadm | dns
command: helm status kube-dns
environment:
HELM_HOST: 'localhost:44134'
register: kubeadm_helm_dns_status
- name: kubeadm | dns
debug:
msg: "{{ kubeadm_helm_dns_status }}"
- name: "removing bootstrap tiller container"
become: true
become_user: root
docker_container:
name: "helm-tiller"
state: absent
...


@ -1,102 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
---
- name: setting up bootstrap tiller
block:
- name: pull the helm tiller Image
become: true
become_user: root
docker_image:
pull: true
name: "{{ helm.tiller_image }}"
- name: deploying bootstrap tiller
become: true
become_user: root
docker_container:
name: "helm-tiller"
image: "{{ helm.tiller_image }}"
state: started
detach: true
recreate: yes
network_mode: host
user: root
volumes:
- /etc/kubernetes/admin.conf:/etc/kubernetes/admin.conf:ro
env:
KUBECONFIG=/etc/kubernetes/admin.conf
register: kubeadm_aio_tiller_container
ignore_errors: True
- name: wait for tiller to be ready
delegate_to: 127.0.0.1
command: helm version --server
environment:
HELM_HOST: 'localhost:44134'
register: task_result
until: task_result.rc == 0
retries: 120
delay: 5
- name: kubeadm | get certs
block:
- name: kubeadm | get kubeapi cert
shell: cat /etc/kubernetes/pki/apiserver.crt
register: kubeadm_kubeapi_cert
- name: kubeadm | get kubeapi key
shell: cat /etc/kubernetes/pki/apiserver.key
register: kubeadm_kubeapi_key
- name: kubeadm | keystone auth
delegate_to: 127.0.0.1
block:
- name: kubeadm | keystone auth
command: "helm upgrade --install kubernetes-keystone-webhook /opt/charts/kubernetes-keystone-webhook --namespace=kube-system --set endpoints.identity.namespace=openstack --set endpoints.kubernetes.auth.api.tls.crt='{{ kubeadm_kubeapi_cert.stdout }}' --set endpoints.kubernetes.auth.api.tls.key='{{ kubeadm_kubeapi_key.stdout }}'"
environment:
HELM_HOST: 'localhost:44134'
- name: kubeadm | keystone auth
command: helm status kubernetes-keystone-webhook
environment:
HELM_HOST: 'localhost:44134'
register: kubeadm_helm_keystone_status
- name: kubeadm | keystone auth
debug:
msg: "{{ kubeadm_helm_keystone_status }}"
- name: kubeadm | setup api server for keystone
block:
- name: kubeadm | copying webhook config to host
become: true
become_user: root
template:
src: webhook.kubeconfig.j2
dest: /etc/kubernetes/pki/webhook.kubeconfig
mode: 416
- name: kubeadm | configuring api server
become: true
become_user: root
shell: |
# TODO(lamt): Clean up this way of restarting the kube-apiserver. Preferably,
# the setting is in place when the kube-apiserver comes up. Currently, the
# kube-apiserver does not start whenever the webhook fails.
cat /etc/kubernetes/manifests/kube-apiserver.yaml > /tmp/kube-apiserver.yaml
sed -i '/etcd-keyfile/a \ \ \ \ -\ --authentication-token-webhook-config-file=/etc/kubernetes/pki/webhook.kubeconfig\n \ \ \ \- --authorization-webhook-config-file=/etc/kubernetes/pki/webhook.kubeconfig' /tmp/kube-apiserver.yaml
sed -i -e 's/Node,RBAC/Node,Webhook,RBAC/g' /tmp/kube-apiserver.yaml
sed -i '/hostNetwork: true/a\ \ dnsPolicy: ClusterFirstWithHostNet' /tmp/kube-apiserver.yaml
mv /tmp/kube-apiserver.yaml /etc/kubernetes/manifests/kube-apiserver.yaml
- name: "removing bootstrap tiller container"
become: true
become_user: root
docker_container:
name: "helm-tiller"
state: absent
...


@ -1,240 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
---
- name: storing node hostname
set_fact:
kubeadm_node_hostname: "{% if ansible_domain is defined %}{{ ansible_fqdn }}{% else %}{{ ansible_hostname }}.node.{{ k8s.networking.dnsDomain }}{% endif %}"
- name: deploy config file and make dir structure
block:
- name: setup directorys on host
file:
path: "{{ item }}"
state: directory
with_items:
- /etc/kubernetes
- /etc/kubernetes/pki
- /etc/kubernetes/pki/calico
- name: generating initial admin token
delegate_to: 127.0.0.1
command: /usr/bin/kubeadm token generate
register: kubeadm_bootstrap_token
- name: storing initial admin token
set_fact:
kubeadm_bootstrap_token: "{{ kubeadm_bootstrap_token.stdout }}"
- name: kubelet | copying config to host
template:
src: kubeadm-conf.yaml.j2
dest: /etc/kubernetes/kubeadm-conf.yaml
mode: 416
- name: generating certs
delegate_to: 127.0.0.1
block:
- name: master | deploy | certs | etcd-ca
command: kubeadm init phase certs etcd-ca --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: master | deploy | certs | etcd-server
command: kubeadm init phase certs etcd-server --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: master | deploy | certs | etcd-peer
command: kubeadm init phase certs etcd-peer --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: master | deploy | certs | etcd-healthcheck-client
command: kubeadm init phase certs etcd-healthcheck-client --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: master | deploy | certs | ca
command: kubeadm init phase certs ca --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: master | deploy | certs | apiserver
command: kubeadm init phase certs apiserver --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: master | deploy | certs | apiserver-etcd-client
command: kubeadm init phase certs apiserver-etcd-client --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: master | deploy | certs | apiserver-kubelet-client
command: kubeadm init phase certs apiserver-kubelet-client --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: master | deploy | certs | sa
command: kubeadm init phase certs sa
- name: master | deploy | certs | front-proxy-ca
command: kubeadm init phase certs front-proxy-ca --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: master | deploy | certs | front-proxy-client
command: kubeadm init phase certs front-proxy-client --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: generating kubeconfigs
delegate_to: 127.0.0.1
block:
- name: master | deploy | kubeconfig | admin
command: kubeadm init phase kubeconfig admin --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: master | deploy | kubeconfig | kubelet
command: kubeadm init phase kubeconfig kubelet --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: master | deploy | kubeconfig | controller-manager
command: kubeadm init phase kubeconfig controller-manager --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: master | deploy | kubeconfig | scheduler
command: kubeadm init phase kubeconfig scheduler --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: generating etcd static manifest
delegate_to: 127.0.0.1
command: kubeadm init phase etcd local --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: generating controlplane static manifests
delegate_to: 127.0.0.1
block:
- name: master | deploy | controlplane | apiserver
command: kubeadm init phase control-plane apiserver --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: master | deploy | controlplane | controller-manager
command: kubeadm init phase control-plane controller-manager --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: master | deploy | controlplane | scheduler
command: kubeadm init phase control-plane scheduler --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: wait for kube components
delegate_to: 127.0.0.1
block:
- name: wait for kube api
shell: python3 /usr/bin/test-kube-api.py
register: task_result
until: task_result.rc == 0
retries: 120
delay: 5
environment:
KUBECONFIG: '/mnt/rootfs/etc/kubernetes/admin.conf'
args:
executable: /bin/bash
- name: wait for node to come online
shell: kubectl get node "{{ kubeadm_node_hostname }}" --no-headers | gawk '{ print $2 }' | grep -q '\(^Ready\)\|\(^NotReady\)'
register: task_result
until: task_result.rc == 0
retries: 120
delay: 5
environment:
KUBECONFIG: '/mnt/rootfs/etc/kubernetes/admin.conf'
args:
executable: /bin/bash
- include_tasks: wait-for-kube-system-namespace.yaml
- name: deploying kube-proxy
delegate_to: 127.0.0.1
command: kubeadm init phase addon kube-proxy --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- include_tasks: helm-cni.yaml
- name: wait for kube components
delegate_to: 127.0.0.1
block:
- name: wait for node to be ready
shell: kubectl get node "{{ kubeadm_node_hostname }}" --no-headers | gawk '{ print $2 }' | grep -q '^Ready'
register: task_result
until: task_result.rc == 0
retries: 120
delay: 5
environment:
KUBECONFIG: '/mnt/rootfs/etc/kubernetes/admin.conf'
args:
executable: /bin/bash
- include_tasks: wait-for-kube-system-namespace.yaml
- include_tasks: helm-dns.yaml
- include_tasks: helm-keystone-auth.yaml
when: k8s.keystoneAuth|bool == true
- include_tasks: helm-deploy.yaml
- name: uploading kubeadm config
delegate_to: 127.0.0.1
command: kubeadm init phase upload-config kubeadm --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: uploading kubelet config
delegate_to: 127.0.0.1
command: kubeadm init phase upload-config kubelet --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: generating bootstrap-token objects
delegate_to: 127.0.0.1
block:
- name: master | deploy | bootstrap-token
command: kubeadm init phase bootstrap-token --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf
- name: generating bootstrap-token objects
delegate_to: 127.0.0.1
block:
- name: check if kube-public namespace exists
command: kubectl --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf get ns kube-public
register: kube_public_ns_exists
ignore_errors: True
- name: create kube-public namespace if required
when: kube_public_ns_exists is failed
command: kubectl --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf create ns kube-public
- name: sourcing kube cluster admin credentials
include_vars: /etc/kubernetes/admin.conf
- name: creating cluster-info configmap manifest on host
template:
src: cluster-info.yaml.j2
dest: /etc/kubernetes/cluster-info.yaml
mode: 420
- name: removing any pre-existing cluster-info configmap
command: kubectl --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf delete -f /etc/kubernetes/cluster-info.yaml --ignore-not-found
- name: creating cluster-info configmap
command: kubectl --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf create -f /etc/kubernetes/cluster-info.yaml
- name: removing cluster-info configmap manifest from host
file:
path: "{{ item }}"
state: absent
with_items:
- /etc/kubernetes/cluster-info.yaml
- name: check if kube-public configmap role exists
command: kubectl --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf -n kube-public get role system:bootstrap-signer-clusterinfo
register: kube_public_configmap_role_exists
ignore_errors: True
- name: create kube-public configmap role if required
when: kube_public_configmap_role_exists is failed
command: kubectl --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf -n kube-public create role system:bootstrap-signer-clusterinfo --verb get --resource configmaps
- name: check if kube-public configmap rolebinding exists
command: kubectl --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf -n kube-public get rolebinding kubeadm:bootstrap-signer-clusterinfo
register: kube_public_configmap_rolebinding_exists
ignore_errors: True
- name: create kube-public configmap rolebinding if required
when: kube_public_configmap_rolebinding_exists is failed
command: kubectl --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf -n kube-public create rolebinding kubeadm:bootstrap-signer-clusterinfo --role system:bootstrap-signer-clusterinfo --user system:anonymous
- name: adding labels to namespace to support network policy
delegate_to: 127.0.0.1
command: kubectl --kubeconfig=/mnt/rootfs/etc/kubernetes/admin.conf label --overwrite namespace {{ item }} name={{ item }}
with_items:
- default
- kube-system
- kube-public
- name: converting the cluster to be selfhosted
when: k8s.selfHosted|bool == true
delegate_to: 127.0.0.1
command: kubeadm init phase selfhosting convert-from-staticpods --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: setting up kubectl client and kubeadm on host
block:
- name: kubectl | copying kubectl binary to host
copy:
src: "/usr/bin/{{ item }}"
dest: "/usr/bin/{{ item }}"
owner: root
group: root
mode: 365
with_items:
- kubectl
- kubeadm
- name: kubectl | master | ensure kube config directory exists for user
file:
path: "{{ item }}"
state: directory
with_items:
- "{{ vars.user.home }}/.kube"
- name: kubectl | master | deploy kube config file for user
copy:
src: /mnt/rootfs/etc/kubernetes/admin.conf
dest: "{{ vars.user.home }}/.kube/config"
owner: "{{ vars.user.uid }}"
group: "{{ vars.user.gid }}"
mode: 384
...


@ -1,25 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
---
- name: wait for kube pods to all be running in kube-system namespace
delegate_to: 127.0.0.1
shell: /usr/bin/test-kube-pods-ready kube-system
register: task_result
until: task_result.rc == 0
retries: 120
delay: 5
environment:
KUBECONFIG: '/mnt/rootfs/etc/kubernetes/admin.conf'
args:
executable: /bin/bash
...


@ -1,35 +0,0 @@
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"server": {
"expiry": "8760h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
},
"client": {
"expiry": "8760h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"peer": {
"expiry": "8760h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}


@ -1,28 +0,0 @@
#!/usr/bin/python
import yaml
data = {'server': '',
'server-key': '',
'client': '',
'client-key': ''}
for i in data.keys():
with open('{}.pem'.format(i)) as f:
data[i] = f.read()
with open('ca.crt') as f:
data['ca'] = f.read()
res = {'endpoints': {'etcd': {'auth': {'client': {'tls': ''}},
'scheme': {'default': 'https'}}},
'conf': {'etcd': {'credentials': ''}}}
res['endpoints']['etcd']['auth']['client']['tls'] = {'ca': data['ca'],
'key': data['client-key'],
'crt': data['client']}
res['conf']['etcd']['credentials'] = {'ca': data['ca'],
'key': data['server-key'],
'certificate': data['server']}
with open('calico_certs.yaml', 'w') as f:
yaml.dump(res, f, default_style='|')


@ -1,18 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-info
namespace: kube-public
data:
kubeconfig: |
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: {{ clusters[0].cluster['certificate-authority-data'] }}
server: {{ clusters[0].cluster['server'] }}
name: ""
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []


@ -1,34 +0,0 @@
#jinja2: trim_blocks:False
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: {{ k8s.kubernetesVersion }}
imageRepository: {{ k8s.imageRepository }}
networking:
dnsDomain: {{ k8s.networking.dnsDomain }}
podSubnet: {{ k8s.networking.podSubnet }}
serviceSubnet: {{ k8s.networking.serviceSubnet }}
controllerManager:
extraArgs:
address: "0.0.0.0"
port: "10252"
feature-gates: "PodShareProcessNamespace=true"
scheduler:
extraArgs:
address: "0.0.0.0"
port: "10251"
feature-gates: "PodShareProcessNamespace=true"
certificatesDir: {{ k8s.certificatesDir }}
---
apiVersion: kubeadm.k8s.io/v1beta2
localAPIEndpoint:
advertiseAddress: {% if k8s.api.advertiseAddress is defined %}{{ k8s.api.advertiseAddress }}{% else %}{% if k8s.api.advertiseAddressDevice is defined %}{{ hostvars[inventory_hostname]['ansible_'+k8s.api.advertiseAddressDevice].ipv4.address }}{% else %}{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}{% endif %}{% endif %}
bindPort: {{ k8s.api.bindPort }}
bootstrapTokens:
- groups:
- system:bootstrappers:kubeadm:default-node-token
token: {{ kubeadm_bootstrap_token }}
ttl: 24h0m0s
usages:
- signing
- authentication
kind: InitConfiguration


@ -1,16 +0,0 @@
apiVersion: v1
clusters:
- cluster:
insecure-skip-tls-verify: true
server: https://k8sksauth-api.kube-system.svc.cluster.local:8443/webhook
name: webhook
contexts:
- context:
cluster: webhook
user: webhook
name: webhook
current-context: webhook
kind: Config
preferences: {}
users:
- name: webhook


@ -1,40 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
---
- block:
- name: base kubeadm deploy
file:
path: "{{ item }}"
state: directory
with_items:
- /etc/kubernetes/
- /etc/systemd/system/kubelet.service.d/
- /var/lib/kubelet/
- name: copying kubeadm binary to host
copy:
src: /usr/bin/kubeadm
dest: /usr/bin/kubeadm
owner: root
group: root
mode: 365
- debug:
msg: "{{ kubeadm_join_command }}"
- name: running kubeadm join command
command: "{{ kubeadm_join_command }}"
- name: base kubeadm deploy
file:
path: "{{ item }}"
state: absent
with_items:
- /usr/bin/kubeadm
...


@ -1,37 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: DNS | Ensure node fully qualified hostname is set
lineinfile:
unsafe_writes: true
state: present
dest: /etc/hosts
line: "{% if kubelet.bind_device is defined %}{{ hostvars[inventory_hostname]['ansible_'+kubelet.bind_device].ipv4.address }}{% else %}{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}{% endif %} {% if ansible_domain is defined %}{{ ansible_fqdn }}{% else %}{{ ansible_hostname }}.node.{{ k8s.networking.dnsDomain }}{% endif %} {{ ansible_hostname }}"
regexp: "^{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}{% if kubelet.bind_device is defined %}|{{ hostvars[inventory_hostname]['ansible_'+kubelet.bind_device].ipv4.address }}{% endif %}"
- block:
- name: DNS | Ensure node localhost ipv4 hostname is set
lineinfile:
unsafe_writes: true
state: present
dest: /etc/hosts
line: "127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4"
regexp: "^127.0.0.1"
- name: DNS | Ensure node localhost ipv6 hostname is set
lineinfile:
unsafe_writes: true
state: present
dest: /etc/hosts
line: "::1 localhost6 localhost6.localdomain6"
regexp: "^::1"
...


@ -1,217 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: ubuntu or debian | installing kubelet support packages
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
apt:
name: "{{item}}"
state: installed
with_items:
- ebtables
- ethtool
- iproute2
- iptables
- libmnl0
- libnfnetlink0
- libwrap0
- socat
- name: ubuntu xenial | installing kubelet support packages
when: ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'xenial'
apt:
name: "{{item}}"
state: installed
with_items:
- libxtables11
- name: debian and ubuntu bionic | installing kubelet support packages
when: ansible_distribution == 'Debian' or ( ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'bionic' )
apt:
name: "{{item}}"
state: installed
with_items:
- libxtables12
- name: centos | installing kubelet support packages
when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
yum:
name: "{{item}}"
state: installed
with_items:
- ebtables
- ethtool
- tcp_wrappers-libs
- libmnl
- socat
- name: fedora | installing kubelet support packages
when: ansible_distribution == 'Fedora'
dnf:
name: "{{item}}"
state: installed
with_items:
- ebtables
- ethtool
- tcp_wrappers-libs
- libmnl
- socat
- name: getting docker cgroup driver info
when: kubelet.container_runtime == 'docker'
block:
- name: docker | getting cgroup driver info
shell: docker info | awk '/^Cgroup Driver:/ { print $NF }'
register: docker_cgroup_driver
args:
executable: /bin/bash
- name: setting kublet cgroup driver
set_fact:
kubelet_cgroup_driver: "{{ docker_cgroup_driver.stdout }}"
- name: setting kublet cgroup driver for CRI-O
when: kubelet.container_runtime == 'crio'
set_fact:
kubelet_cgroup_driver: "systemd"
- name: setting node hostname fact
set_fact:
kubelet_node_hostname: "{% if ansible_domain is defined %}{{ ansible_fqdn }}{% else %}{{ ansible_hostname }}.node.{{ k8s.networking.dnsDomain }}{% endif %}"
- name: base kubelet deploy
block:
- file:
path: "{{ item }}"
state: directory
with_items:
- /etc/kubernetes/
- /etc/systemd/system/kubelet.service.d/
- /var/lib/kubelet/
- name: copying kubelet binary to host
copy:
src: /opt/assets/usr/bin/kubelet
dest: /usr/bin/kubelet
owner: root
group: root
mode: 365
- name: copying base systemd unit to host
template:
src: kubelet.service.j2
dest: /etc/systemd/system/kubelet.service
mode: 416
- name: copying kubeadm drop-in systemd unit to host
template:
src: 10-kubeadm.conf.j2
dest: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
mode: 416
- name: copying kubelet DNS config to host
template:
src: kubelet-resolv.conf.j2
dest: /etc/kubernetes/kubelet-resolv.conf
mode: 416
- name: base cni support
block:
- file:
path: "{{ item }}"
state: directory
with_items:
- /etc/cni/net.d
- /opt/cni/bin
- name: copy cni binaries into place
copy:
src: /opt/assets/opt/cni/bin/{{ item }}
dest: /opt/cni/bin/{{ item }}
owner: root
group: root
mode: 365
with_items:
- flannel
- ptp
- host-local
- portmap
- tuning
- vlan
# NOTE(aostapenko) absent with v0.8.5 cni
# - sample
- dhcp
- ipvlan
- macvlan
- loopback
- bridge
- name: CRI-O runtime config
when: kubelet.container_runtime == 'crio'
block:
- name: copying CRI-O drop-in systemd unit to host
template:
src: 0-crio.conf.j2
dest: /etc/systemd/system/kubelet.service.d/0-crio.conf
mode: 416
- name: CRI-O | ensure service is restarted and enabled
systemd:
name: crio
state: restarted
enabled: yes
masked: no
- name: Setup DNS redirector for fqdn testing
# NOTE(portdirect): This must be done before the K8S DNS pods attempt to
# start, so they use the dnsmasq instance to resolve upstream hostnames
when: gate.fqdn_testing|bool == true
block:
- name: Setup DNS redirector | Remove std kubelet resolv.conf
file:
path: "/etc/kubernetes/kubelet-resolv.conf"
state: absent
- name: Setup DNS redirector | Populating new kubelet resolv.conf
copy:
dest: "/etc/kubernetes/kubelet-resolv.conf"
mode: 416
content: |
nameserver 172.17.0.1
- name: Setup DNS redirector | Ensuring static manifests dir exists
file:
path: "/etc/kubernetes/manifests/"
state: directory
- name: Setup DNS redirector | check if an resolv-upstream.conf exists
stat:
path: /etc/resolv-upstream.conf
register: resolv_upstream_conf
- name: Setup DNS redirector | Placing pod manifest on host
when: resolv_upstream_conf.stat.exists == False
template:
src: resolv-upstream.conf.j2
dest: /etc/resolv-upstream.conf
mode: 436
- name: Setup DNS redirector | Placing pod manifest on host
template:
src: osh-dns-redirector.yaml.j2
dest: /etc/kubernetes/manifests/osh-dns-redirector.yaml
mode: 416
- name: docker | ensure service is started and enabled
when: kubelet.container_runtime == 'docker'
systemd:
name: docker
state: started
enabled: yes
masked: no
- name: ensure service is restarted and enabled
systemd:
name: kubelet
state: restarted
daemon_reload: yes
enabled: yes
masked: no
...


@ -1,21 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- include_tasks: support-packages.yaml
- include_tasks: hostname.yaml
- include_tasks: setup-dns.yaml
- include_tasks: kubelet.yaml
...


@ -1,62 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: DNS | Check if NetworkManager is being used
raw: systemctl status NetworkManager --no-pager
register: network_manager_in_use
ignore_errors: True
- name: DNS | Check if NetworkManager is managing DNS
set_fact:
network_manager_manage_dns: "{{ lookup('ini', 'dns section=main file=/etc/NetworkManager/NetworkManager.conf') }}"
ignore_errors: True
- name: DNS | Disable network NetworkManager management of resolv.conf
when:
- network_manager_in_use is succeeded
- network_manager_manage_dns != "none"
ini_file:
path: /etc/NetworkManager/NetworkManager.conf
section: main
option: dns
value: none
- name: DNS | load new resolv.conf
template:
unsafe_writes: yes
src: resolv.conf.j2
dest: /etc/resolv.conf
- name: DNS | Restarting NetworkManager
when:
- network_manager_in_use is succeeded
- network_manager_manage_dns != "none"
block:
- name: DNS | Restarting NetworkManager Service
systemd:
name: NetworkManager
state: restarted
daemon_reload: yes
enabled: yes
masked: no
- pause:
seconds: 5
- name: DNS | Waiting for connectivity to be restored to outside world
shell: if ! [[ $(ip -4 route list 0/0 | head -c1 | wc -c) -ne 0 ]]; then exit 1; fi
register: task_result
until: task_result.rc == 0
retries: 120
delay: 5
args:
executable: /bin/bash
...


@ -1,128 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: installing community ceph repository
when: kubelet.pv_support_ceph
block:
- name: ubuntu | ensure community ceph repository key is installed
when: ansible_distribution == "Ubuntu"
shell: wget -q -O- 'https://download.ceph.com/keys/release.asc' | sudo apt-key add -
- name: ubuntu | ensure community ceph repository exists
when: ansible_distribution == 'Ubuntu'
apt_repository:
repo: "deb https://download.ceph.com/debian-nautilus/ {{ ansible_lsb.codename }} main"
state: present
update_cache: yes
- name: centos | ensure community ceph repository exists
when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
yum_repository:
name: ceph
description: "Ceph community packages for Redhat/Centos"
gpgkey: "https://download.ceph.com/keys/release.asc"
baseurl: "https://download.ceph.com/rpm-nautilus/el7/$basearch"
gpgcheck: yes
state: present
- name: centos | installing epel-release
when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
yum:
name: "{{item}}"
state: installed
with_items:
- epel-release
- name: centos | installing SElinux support packages
when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
yum:
name: "{{item}}"
state: installed
with_items:
- libselinux-python
- name: fedora | installing SElinux support packages
when: ansible_distribution == 'Fedora'
dnf:
name: "{{item}}"
state: installed
with_items:
- libselinux-python
- name: installing ceph support packages
when: kubelet.pv_support_ceph
block:
- name: ubuntu | installing packages
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
apt:
name: "{{item}}"
state: latest
with_items:
- ceph-common
- rbd-nbd
- name: ubuntu | uninstall packages
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
apt:
name: "{{item}}"
state: absent
with_items:
- ceph
- name: centos | installing packages
when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
yum:
name: "{{item}}"
state: latest
with_items:
- ceph-common
- rbd-nbd
- name: centos | installing packages
when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
yum:
name: "{{item}}"
state: absent
with_items:
- ceph
- name: blacklist kernel RBD driver module
when: kubelet.pv_support_ceph
copy:
dest: "/etc/modprobe.d/rbd.conf"
content: "install rbd /bin/true"
- when: kubelet.pv_support_nfs
name: installing NFS support packages
include_role:
name: deploy-package
tasks_from: dist
vars:
packages:
deb:
- nfs-common
rpm:
- nfs-utils
- name: installing LinuxBridge support
when: kubelet.net_support_linuxbridge
include_role:
name: deploy-package
tasks_from: dist
vars:
packages:
deb:
- bridge-utils
rpm:
- bridge-utils
...


@ -1,2 +0,0 @@
[Service]
Environment="KUBELET_EXTRA_ARGS=--container-runtime=remote --runtime-request-timeout=15m --image-service-endpoint /var/run/crio.sock --container-runtime-endpoint /var/run/crio.sock"


@ -1,13 +0,0 @@
[Service]
User=root
Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
Environment="KUBELET_SYSTEM_PODS_ARGS=--pod-manifest-path=/etc/kubernetes/manifests --cgroup-driver={{ kubelet_cgroup_driver }}"
Environment="KUBELET_NETWORK_ARGS=--network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin --node-ip={% if kubelet.bind_addr is defined %}{{ kubelet.bind_addr }}{% else %}{% if kubelet.bind_device is defined %}{{ hostvars[inventory_hostname]['ansible_'+kubelet.bind_device].ipv4.address }}{% else %}{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}{% endif %}{% endif %} --hostname-override={{ kubelet_node_hostname }}"
Environment="KUBELET_DNS_ARGS=--cluster-dns=10.96.0.10 --cluster-domain={{ k8s.networking.dnsDomain }} --resolv-conf=/etc/kubernetes/kubelet-resolv.conf"
Environment="KUBELET_AUTHZ_ARGS=--anonymous-auth=false --authorization-mode=Webhook --client-ca-file=/etc/kubernetes/pki/ca.crt"
Environment="KUBELET_CERTIFICATE_ARGS=--rotate-certificates=true --cert-dir=/var/lib/kubelet/pki"
Environment="KUBELET_NODE_LABELS=--node-labels {{ kubelet.kubelet_labels }}"
Environment="KUBELET_EXTRA_ARGS=--max-pods=220 --pods-per-core=0 --feature-gates=PodShareProcessNamespace=true"
#ExecStartPre=-+/sbin/restorecon -v /usr/bin/kubelet #SELinux
ExecStart=
ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_SYSTEM_PODS_ARGS $KUBELET_NETWORK_ARGS $KUBELET_DNS_ARGS $KUBELET_AUTHZ_ARGS $KUBELET_CERTIFICATE_ARGS $KUBELET_NODE_LABELS $KUBELET_EXTRA_ARGS


@ -1,3 +0,0 @@
{% for nameserver in external_dns_nameservers %}
nameserver {{ nameserver }}
{% endfor %}


@ -1,15 +0,0 @@
[Unit]
Description=kubelet: The Kubernetes Node Agent
Documentation=http://kubernetes.io/docs/
[Service]
ExecStartPre=/sbin/swapoff -a
ExecStartPre=/bin/bash -cex "modprobe br_netfilter"
ExecStartPre=/bin/bash -cex "echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables"
ExecStart=/usr/bin/kubelet
Restart=always
StartLimitInterval=0
RestartSec=10
[Install]
WantedBy=multi-user.target


@ -1,36 +0,0 @@
#jinja2: trim_blocks:False
apiVersion: v1
kind: Pod
metadata:
name: osh-dns-redirector
namespace: kube-system
spec:
hostNetwork: true
containers:
- name: osh-dns-redirector
image: docker.io/openstackhelm/neutron:newton
securityContext:
capabilities:
add:
- NET_ADMIN
runAsUser: 0
command:
- dnsmasq
- --keep-in-foreground
- --no-hosts
- --bind-interfaces
- --all-servers
- --address
- /{{ gate.fqdn_tld }}/{{ gate.ingress_ip }}
# NOTE(portdirect): just listen on the docker0 interface
- --listen-address
- 172.17.0.1
volumeMounts:
- mountPath: /etc/resolv.conf
name: resolv-conf
readOnly: true
volumes:
- name: resolv-conf
hostPath:
path: /etc/resolv-upstream.conf
type: FileOrCreate


@ -1,4 +0,0 @@
{% for nameserver in external_dns_nameservers %}
nameserver {{ nameserver }}
{% endfor %}
options timeout:1 attempts:1


@ -1,6 +0,0 @@
search svc.{{ k8s.networking.dnsDomain }} {{ k8s.networking.dnsDomain }}
nameserver 10.96.0.10
{% for nameserver in external_dns_nameservers %}
nameserver {{ nameserver }}
{% endfor %}
options ndots:5 timeout:1 attempts:1


@ -1,40 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: ubuntu | installing packages
become: true
become_user: root
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
apt:
name: "{{item}}"
state: present
with_items: "{{ packages.deb }}"
- name: centos | installing packages
become: true
become_user: root
when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
yum:
name: "{{item}}"
state: present
with_items: "{{ packages.rpm }}"
- name: fedora | installing packages
become: true
become_user: root
when: ansible_distribution == 'Fedora'
dnf:
name: "{{item}}"
state: present
with_items: "{{ packages.rpm }}"
...


@ -1,11 +0,0 @@
---
- name: "installing python {{ package }}"
become: true
become_user: root
environment:
http_proxy: "{{ proxy.http }}"
https_proxy: "{{ proxy.https }}"
no_proxy: "{{ proxy.noproxy }}"
pip:
name: "{{ package }}"
...


@ -1,57 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
---
all:
vars:
ansible_python_interpreter: python3
my_container_name: null
user:
uid: null
gid: null
home: null
external_dns_nameservers:
- 8.8.8.8
- 8.8.4.4
calico:
prometheus_port: 9091
cluster:
cni: calico
cni_host_ip: 10.96.232.136
kubelet:
container_runtime: docker
net_support_linuxbridge: true
pv_support_ceph: true
pv_support_nfs: true
bind_device: null
helm:
tiller_image: ghcr.io/helm/tiller:v2.17.0
k8s:
kubernetesVersion: v1.19.15
imageRepository: k8s.gcr.io
certificatesDir: /etc/kubernetes/pki
selfHosted: false
keystoneAuth: false
api:
bindPort: 6443
# NOTE(portdirect): The following is a custom key, which resolves the
# 'advertiseAddress' key dynamicly.
advertiseAddressDevice: null
networking:
dnsDomain: cluster.local
podSubnet: 192.168.0.0/16
serviceSubnet: 10.96.0.0/12
gate:
fqdn_testing: false
ingress_ip: 127.0.0.1
fqdn_tld: openstackhelm.test
...


@ -1,19 +0,0 @@
#!/usr/bin/env python
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from kubernetes import client, config
config.load_kube_config()
# create an instance of the API class
api_instance = client.VersionApi()
api_instance.get_code()


@ -1,31 +0,0 @@
#!/usr/bin/env bash
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -e
NAMESPACE=$1
kubectl get pods --namespace=${NAMESPACE} -o json | jq -r \
'.items[].status.phase' | grep Pending > /dev/null && \
PENDING=True || PENDING=False
query='.items[]|select(.status.phase=="Running")'
query="$query|.status.containerStatuses[].ready"
kubectl get pods --namespace=${NAMESPACE} -o json | jq -r "$query" | \
grep false > /dev/null && READY="False" || READY="True"
kubectl get jobs -o json --namespace=${NAMESPACE} | jq -r \
'.items[] | .spec.completions == .status.succeeded' | \
grep false > /dev/null && JOBR="False" || JOBR="True"
[ $PENDING == "False" -a $READY == "True" -a $JOBR == "True" ] && \
exit 0 || exit 1


@ -1,4 +0,0 @@
deb %%UBUNTU_URL%% bionic main universe
deb %%UBUNTU_URL%% bionic-updates main universe
deb %%UBUNTU_URL%% bionic-backports main universe
deb %%UBUNTU_URL%% bionic-security main universe