openstack/openstack-helm-infra
Code Issues Proposed changes

Zuul V3 gate

Browse Source 
This PS sets up the V3 gate for openstack-helm-infra.

Change-Id: I07ffa591cb5e08f5e2f1f5cbc94e810c3aa1f97b
This commit is contained in:
intlabs 2017-10-22 09:55:18 -05:00
parent 366a175447
commit bd85bad919
95 changed files with 4098 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
.gitignore vendored Normal file
View File

@ -0,0 +1,73 @@
*.py[cod]
# C extensions
*.so
# Packages
*.egg*
*.egg-info
dist
build
eggs
parts
var
sdist
develop-eggs
.installed.cfg
lib
lib64
# Installer logs
pip-log.txt
# Unit test / coverage reports
cover/
.coverage*
!.coveragerc
.tox
nosetests.xml
.testrepository
.venv
# Translations
*.mo
# Mr Developer
.mr.developer.cfg
.project
.pydevproject
# Complexity
output/*.html
output/*/index.html
# Sphinx
doc/build
# pbr generates these
AUTHORS
ChangeLog
# Editors
*~
.*.swp
.*sw?
# Files created by releasenotes build
releasenotes/build
# Dev tools
.idea/
**/.vagrant
**/*.log
# Helm internals
*.lock
*/*.lock
*.tgz
**/*.tgz
**/_partials.tpl
**/_globals.tpl
# Gate and Check Logs
logs/

67
.zuul.yaml Normal file
View File

@ -0,0 +1,67 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- project:
name: openstack/openstack-helm-infra
check:
jobs:
- openstack-helm-infra-ubuntu
- openstack-helm-infra-centos
- nodeset:
name: openstack-helm-ubuntu
nodes:
- name: primary
label: ubuntu-xenial
- name: node-1
label: ubuntu-xenial
- name: node-2
label: ubuntu-xenial
groups:
- name: primary
nodes:
- primary
- name: nodes
nodes:
- node-1
- node-2
- nodeset:
name: openstack-helm-centos
nodes:
- name: primary
label: centos-7
- name: node-1
label: centos-7
- name: node-2
label: centos-7
groups:
- name: primary
nodes:
- primary
- name: nodes
nodes:
- node-1
- node-2
- job:
name: openstack-helm-infra-ubuntu
pre-run: tools/gate/playbooks/zuul-pre
run: tools/gate/playbooks/zuul-run
nodeset: openstack-helm-ubuntu
- job:
name: openstack-helm-infra-centos
pre-run: tools/gate/playbooks/zuul-pre
run: tools/gate/playbooks/zuul-run
nodeset: openstack-helm-centos

53
Makefile Normal file
View File

@ -0,0 +1,53 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# It's necessary to set this because some environments don't link sh -> bash.
SHELL := /bin/bash
HELM := helm
TASK := build
EXCLUDES := helm-toolkit doc tests tools logs
CHARTS := helm-toolkit $(filter-out $(EXCLUDES), $(patsubst %/.,%,$(wildcard */.)))
all: $(CHARTS)
$(CHARTS):
@echo
@echo "===== Processing [$@] chart ====="
@make $(TASK)-$@
init-%:
if [ -f $*/Makefile ]; then make -C $*; fi
if [ -f $*/requirements.yaml ]; then helm dep up $*; fi
lint-%: init-%
if [ -d $* ]; then $(HELM) lint $*; fi
build-%: lint-%
if [ -d $* ]; then $(HELM) package $*; fi
clean:
@echo "Removed .b64, _partials.tpl, and _globals.tpl files"
rm -f helm-toolkit/secrets/*.b64
rm -f */templates/_partials.tpl
rm -f */templates/_globals.tpl
rm -f *tgz */charts/*tgz
rm -f */requirements.lock
-rmdir -p */charts
pull-all-images:
@./tools/pull-images.sh
.PHONY: $(EXCLUDES) $(CHARTS)

25
calico/Chart.yaml Normal file
View File

@ -0,0 +1,25 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
description: OpenStack-Helm BootStrap Calico
name: calico
version: 0.1.0
home: https://github.com/projectcalico/calico
icon: https://camo.githubusercontent.com/64c8b5ed6ac97553ae367348e8a59a24e2ed5bdc/687474703a2f2f646f63732e70726f6a65637463616c69636f2e6f72672f696d616765732f66656c69782e706e67
sources:
- https://github.com/projectcalico/calico
- https://git.openstack.org/cgit/openstack/openstack-helm
maintainers:
- name: OpenStack-Helm Authors

29
calico/templates/clusterrole-calico-cni-plugin.yaml Normal file
View File

@ -0,0 +1,29 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- $envAll := . }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: calico-cni-plugin
rules:
- apiGroups: [""]
resources:
- pods
- nodes
verbs:
- get

33
calico/templates/clusterrole-calico-policy-controller.yaml Normal file
View File

@ -0,0 +1,33 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- $envAll := . }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: calico-policy-controller
rules:
- apiGroups:
- ""
- extensions
resources:
- pods
- namespaces
- networkpolicies
verbs:
- watch
- list

30
calico/templates/clusterrolebinding-calico-cni-plugin.yaml Normal file
View File

@ -0,0 +1,30 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- $envAll := . }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: calico-cni-plugin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: calico-cni-plugin
subjects:
- kind: ServiceAccount
name: calico-cni-plugin
namespace: {{ .Release.Namespace }}

30
calico/templates/clusterrolebinding-calico-policy-controller.yaml Normal file
View File

@ -0,0 +1,30 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- $envAll := . }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: calico-policy-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: calico-policy-controller
subjects:
- kind: ServiceAccount
name: calico-policy-controller
namespace: {{ .Release.Namespace }}

52
calico/templates/configmap-calico-config.yaml Normal file
View File

@ -0,0 +1,52 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- $envAll := . }}
---
# This ConfigMap is used to configure a self-hosted Calico installation.
kind: ConfigMap
apiVersion: v1
metadata:
name: calico-config
data:
# The location of your etcd cluster. This uses the Service clusterIP
# defined below.
etcd_endpoints: "http://10.96.232.136:6666"
# Configure the Calico backend to use.
calico_backend: "bird"
# The CNI network configuration to install on each node.
cni_network_config: |-
{
"name": "k8s-pod-network",
"cniVersion": "0.1.0",
"type": "calico",
"etcd_endpoints": "__ETCD_ENDPOINTS__",
"log_level": "info",
"mtu": 1500,
"ipam": {
"type": "calico-ipam"
},
"policy": {
"type": "k8s",
"k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
"k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
},
"kubernetes": {
"kubeconfig": "/etc/cni/net.d/__KUBECONFIG_FILENAME__"
}
}

66
calico/templates/daemonset-calico-etcd.yaml Normal file
View File

@ -0,0 +1,66 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- $envAll := . }}
---
# This manifest installs the Calico etcd on the kubeadm master. This uses a DaemonSet
# to force it to run on the master even when the master isn't schedulable, and uses
# nodeSelector to ensure it only runs on the master.
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
name: calico-etcd
labels:
k8s-app: calico-etcd
spec:
template:
metadata:
labels:
k8s-app: calico-etcd
annotations:
# Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
# reserves resources for critical add-on pods so that they can be rescheduled after
# a failure. This annotation works in tandem with the toleration below.
scheduler.alpha.kubernetes.io/critical-pod: ''
spec:
# Only run this pod on the master.
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
# Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
# This, along with the annotation above marks this pod as a critical add-on.
- key: CriticalAddonsOnly
operator: Exists
nodeSelector:
node-role.kubernetes.io/master: ""
hostNetwork: true
containers:
- name: calico-etcd
image: {{ .Values.images.tags.calico_etcd }}
env:
- name: CALICO_ETCD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
command: ["/bin/sh","-c"]
args: ["/usr/local/bin/etcd --name=calico --data-dir=/var/etcd/calico-data --advertise-client-urls=http://$CALICO_ETCD_IP:6666 --listen-client-urls=http://0.0.0.0:6666 --listen-peer-urls=http://0.0.0.0:6667"]
volumeMounts:
- name: var-etcd
mountPath: /var/etcd
volumes:
- name: var-etcd
hostPath:
path: /var/etcd

165
calico/templates/daemonset-calico-node.yaml Normal file
View File

@ -0,0 +1,165 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- $envAll := . }}
---
# This manifest installs the calico/node container, as well
# as the Calico CNI plugins and network config on
# each master and worker node in a Kubernetes cluster.
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
name: calico-node
namespace: kube-system
labels:
k8s-app: calico-node
spec:
selector:
matchLabels:
k8s-app: calico-node
template:
metadata:
labels:
k8s-app: calico-node
annotations:
# Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
# reserves resources for critical add-on pods so that they can be rescheduled after
# a failure. This annotation works in tandem with the toleration below.
scheduler.alpha.kubernetes.io/critical-pod: ''
spec:
hostNetwork: true
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
# Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
# This, along with the annotation above marks this pod as a critical add-on.
- key: CriticalAddonsOnly
operator: Exists
serviceAccountName: calico-cni-plugin
containers:
# Runs calico/node container on each Kubernetes node. This
# container programs network policy and routes on each
# host.
- name: calico-node
image: {{ .Values.images.tags.calico_node }}
env:
# The location of the Calico etcd cluster.
- name: ETCD_ENDPOINTS
valueFrom:
configMapKeyRef:
name: calico-config
key: etcd_endpoints
# Enable BGP. Disable to enforce policy only.
- name: CALICO_NETWORKING_BACKEND
valueFrom:
configMapKeyRef:
name: calico-config
key: calico_backend
# Cluster type to identify the deployment type
- name: CLUSTER_TYPE
value: "kubeadm,bgp"
# Disable file logging so `kubectl logs` works.
- name: CALICO_DISABLE_FILE_LOGGING
value: "true"
# Set Felix endpoint to host default action to ACCEPT.
- name: FELIX_DEFAULTENDPOINTTOHOSTACTION
value: "ACCEPT"
# Configure the IP Pool from which Pod IPs will be chosen.
- name: CALICO_IPV4POOL_CIDR
value: "{{ .Values.networking.podSubnet }}"
- name: CALICO_IPV4POOL_IPIP
value: "always"
# Disable IPv6 on Kubernetes.
- name: FELIX_IPV6SUPPORT
value: "false"
# Set MTU for tunnel device used if ipip is enabled
- name: FELIX_IPINIPMTU
value: "1440"
# Set Felix logging to "info"
- name: FELIX_LOGSEVERITYSCREEN
value: "info"
- name: FELIX_HEALTHENABLED
value: "true"
# Set Felix experimental Prometheus metrics server
- name: FELIX_PROMETHEUSMETRICSENABLED
value: "true"
- name: FELIX_PROMETHEUSMETRICSPORT
value: "9091"
# Auto-detect the BGP IP address.
- name: IP
value: ""
securityContext:
privileged: true
resources:
requests:
cpu: 250m
livenessProbe:
httpGet:
path: /liveness
port: 9099
periodSeconds: 10
initialDelaySeconds: 10
failureThreshold: 6
readinessProbe:
httpGet:
path: /readiness
port: 9099
periodSeconds: 10
volumeMounts:
- mountPath: /lib/modules
name: lib-modules
readOnly: true
- mountPath: /var/run/calico
name: var-run-calico
readOnly: false
# This container installs the Calico CNI binaries
# and CNI network config file on each node.
- name: install-cni
image: {{ .Values.images.tags.calico_cni }}
command: ["/install-cni.sh"]
env:
# The location of the Calico etcd cluster.
- name: ETCD_ENDPOINTS
valueFrom:
configMapKeyRef:
name: calico-config
key: etcd_endpoints
# The CNI network config to install on each node.
- name: CNI_NETWORK_CONFIG
valueFrom:
configMapKeyRef:
name: calico-config
key: cni_network_config
volumeMounts:
- mountPath: /host/opt/cni/bin
name: cni-bin-dir
- mountPath: /host/etc/cni/net.d
name: cni-net-dir
volumes:
# Used by calico/node.
- name: lib-modules
hostPath:
path: /lib/modules
- name: var-run-calico
hostPath:
path: /var/run/calico
# Used to install CNI.
- name: cni-bin-dir
hostPath:
path: /opt/cni/bin
- name: cni-net-dir
hostPath:
path: /etc/cni/net.d

72
calico/templates/deployment-calico-policy-controller.yaml Normal file
View File

@ -0,0 +1,72 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- $envAll := . }}
---
# This manifest deploys the Calico policy controller on Kubernetes.
# See https://github.com/projectcalico/k8s-policy
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: calico-policy-controller
labels:
k8s-app: calico-policy
spec:
# The policy controller can only have a single active instance.
replicas: 1
strategy:
type: Recreate
template:
metadata:
name: calico-policy-controller
labels:
k8s-app: calico-policy-controller
annotations:
# Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
# reserves resources for critical add-on pods so that they can be rescheduled after
# a failure. This annotation works in tandem with the toleration below.
scheduler.alpha.kubernetes.io/critical-pod: ''
spec:
# The policy controller must run in the host network namespace so that
# it isn't governed by policy that would prevent it from working.
hostNetwork: true
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
# Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
# This, along with the annotation above marks this pod as a critical add-on.
- key: CriticalAddonsOnly
operator: Exists
serviceAccountName: calico-policy-controller
containers:
- name: calico-policy-controller
image: {{ .Values.images.tags.calico_kube_policy_controller }}
env:
# The location of the Calico etcd cluster.
- name: ETCD_ENDPOINTS
valueFrom:
configMapKeyRef:
name: calico-config
key: etcd_endpoints
# The location of the Kubernetes API. Use the default Kubernetes
# service for API access.
- name: K8S_API
value: "https://kubernetes.default:443"
# Since we're running in the host namespace and might not have KubeDNS
# access, configure the container's /etc/hosts to resolve
# kubernetes.default to the correct service clusterIP.
- name: CONFIGURE_ETC_HOSTS
value: "true"

35
calico/templates/service-calico-etcd.yaml Normal file
View File

@ -0,0 +1,35 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- $envAll := . }}
---
# This manifest installs the Service which gets traffic to the Calico
# etcd.
apiVersion: v1
kind: Service
metadata:
labels:
k8s-app: calico-etcd
name: calico-etcd
spec:
# Select the calico-etcd pod running on the master.
selector:
k8s-app: calico-etcd
# This ClusterIP needs to be known in advance, since we cannot rely
# on DNS to get access to etcd.
clusterIP: 10.96.232.136
ports:
- port: 6666

22
calico/templates/serviceaccount-calico-cni-plugin.yaml Normal file
View File

@ -0,0 +1,22 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- $envAll := . }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: calico-cni-plugin

22
calico/templates/serviceaccount-calico-policy-controller.yaml Normal file
View File

@ -0,0 +1,22 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- $envAll := . }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: calico-policy-controller

31
calico/values.yaml Normal file
View File

@ -0,0 +1,31 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# http://docs.projectcalico.org/v2.4/getting-started/kubernetes/installation/hosted/kubeadm/1.6/calico.yaml
# Calico Version v2.4.1
# https://docs.projectcalico.org/v2.4/releases#v2.4.1
# This manifest includes the following component versions:
# calico/node:v2.4.1
# calico/cni:v1.10.0
# calico/kube-policy-controller:v0.7.0
images:
tags:
calico_etcd: quay.io/coreos/etcd:v3.1.10
calico_node: quay.io/calico/node:v2.4.1
calico_cni: quay.io/calico/cni:v1.10.0
calico_kube_policy_controller: quay.io/calico/kube-policy-controller:v0.7.0
networking:
podSubnet: 192.168.0.0/16

25
flannel/Chart.yaml Normal file
View File

@ -0,0 +1,25 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
description: OpenStack-Helm BootStrap Flannel
name: flannel
version: 0.1.0
home: https://github.com/coreos/flannel
icon: https://raw.githubusercontent.com/coreos/flannel/master/logos/flannel-horizontal-color.png
sources:
- https://github.com/coreos/flannel
- https://git.openstack.org/cgit/openstack/openstack-helm
maintainers:
- name: OpenStack-Helm Authors

42
flannel/templates/clusterrole-flannel.yaml Normal file
View File

@ -0,0 +1,42 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- $envAll := . }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: flannel
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- apiGroups:
- ""
resources:
- nodes
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes/status
verbs:
- patch

30
flannel/templates/clusterrolebinding-flannel.yaml Normal file
View File

@ -0,0 +1,30 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- $envAll := . }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: flannel
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: flannel
subjects:
- kind: ServiceAccount
name: flannel
namespace: {{ .Release.Namespace }}

41
flannel/templates/configmap-kube-flannel-cfg.yaml Normal file
View File

@ -0,0 +1,41 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- $envAll := . }}
---
kind: ConfigMap
apiVersion: v1
metadata:
name: kube-flannel-cfg
labels:
tier: node
app: flannel
data:
cni-conf.json: |
{
"name": "cbr0",
"type": "flannel",
"delegate": {
"isDefaultGateway": true
}
}
net-conf.json: |
{
"Network": "{{ .Values.networking.podSubnet }}",
"Backend": {
"Type": "vxlan"
}
}

78
flannel/templates/daemonset-kube-flannel-ds.yaml Normal file
View File

@ -0,0 +1,78 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- $envAll := . }}
---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
name: kube-flannel-ds
labels:
tier: node
app: flannel
spec:
template:
metadata:
labels:
tier: node
app: flannel
spec:
hostNetwork: true
nodeSelector:
beta.kubernetes.io/arch: amd64
tolerations:
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
serviceAccountName: flannel
containers:
- name: kube-flannel
image: {{ .Values.images.tags.flannel }}
command: [ "/opt/bin/flanneld", "--ip-masq", "--kube-subnet-mgr" ]
securityContext:
privileged: true
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
volumeMounts:
- name: run
mountPath: /run
- name: flannel-cfg
mountPath: /etc/kube-flannel/
- name: install-cni
image: {{ .Values.images.tags.flannel }}
command: [ "/bin/sh", "-c", "set -e -x; cp -f /etc/kube-flannel/cni-conf.json /etc/cni/net.d/10-flannel.conf; while true; do sleep 3600; done" ]
volumeMounts:
- name: cni
mountPath: /etc/cni/net.d
- name: flannel-cfg
mountPath: /etc/kube-flannel/
volumes:
- name: run
hostPath:
path: /run
- name: cni
hostPath:
path: /etc/cni/net.d
- name: flannel-cfg
configMap:
name: kube-flannel-cfg

22
flannel/templates/serviceaccount-flannel.yaml Normal file
View File

@ -0,0 +1,22 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- $envAll := . }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: flannel

22
flannel/values.yaml Normal file
View File

@ -0,0 +1,22 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# https://raw.githubusercontent.com/coreos/flannel/v0.8.0/Documentation/kube-flannel.yml
images:
tags:
flannel: quay.io/coreos/flannel:v0.8.0-amd64
networking:
podSubnet: 192.168.0.0/16

25
kube-dns/Chart.yaml Normal file
View File

@ -0,0 +1,25 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
description: OpenStack-Helm Kube-DNS
name: kube-dns
version: 0.1.0
home: https://github.com/coreos/flannel
icon: https://raw.githubusercontent.com/coreos/flannel/master/logos/flannel-horizontal-color.png
sources:
- https://github.com/coreos/flannel
- https://git.openstack.org/cgit/openstack/openstack-helm
maintainers:
- name: OpenStack-Helm Authors

24
kube-dns/templates/configmap-kube-dns.yaml Normal file
View File

@ -0,0 +1,24 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- $envAll := . }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: kube-dns
labels:
addonmanager.kubernetes.io/mode: EnsureExists

189
kube-dns/templates/deployment-kube-dns.yaml Normal file
View File

@ -0,0 +1,189 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- $envAll := . }}
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
labels:
k8s-app: kube-dns
name: kube-dns
spec:
replicas: 1
selector:
matchLabels:
k8s-app: kube-dns
strategy:
rollingUpdate:
maxSurge: 10%
maxUnavailable: 0
type: RollingUpdate
template:
metadata:
creationTimestamp: null
labels:
k8s-app: kube-dns
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
containers:
- args:
- --domain={{ .Values.networking.dnsDomain }}.
- --dns-port=10053
- --config-dir=/kube-dns-config
- --v=2
env:
- name: PROMETHEUS_PORT
value: "10055"
image: {{ .Values.images.tags.kube_dns }}
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 5
httpGet:
path: /healthcheck/kubedns
port: 10054
scheme: HTTP
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: kubedns
ports:
- containerPort: 10053
name: dns-local
protocol: UDP
- containerPort: 10053
name: dns-tcp-local
protocol: TCP
- containerPort: 10055
name: metrics
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /readiness
port: 8081
scheme: HTTP
initialDelaySeconds: 3
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources:
limits:
memory: 170Mi
requests:
cpu: 100m
memory: 70Mi
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /kube-dns-config
name: kube-dns-config
- args:
- -v=2
- -logtostderr
- -configDir=/etc/k8s/dns/dnsmasq-nanny
- -restartDnsmasq=true
- --
- -k
- --cache-size=1000
- --log-facility=-
- --server=/{{ .Values.networking.dnsDomain }}/127.0.0.1#10053
- --server=/in-addr.arpa/127.0.0.1#10053
- --server=/ip6.arpa/127.0.0.1#10053
image: {{ .Values.images.tags.kube_dns_nanny }}
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 5
httpGet:
path: /healthcheck/dnsmasq
port: 10054
scheme: HTTP
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: dnsmasq
ports:
- containerPort: 53
name: dns
protocol: UDP
- containerPort: 53
name: dns-tcp
protocol: TCP
resources:
requests:
cpu: 150m
memory: 20Mi
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /etc/k8s/dns/dnsmasq-nanny
name: kube-dns-config
- args:
- --v=2
- --logtostderr
- --probe=kubedns,127.0.0.1:10053,kubernetes.default.svc.{{ .Values.networking.dnsDomain }},5,A
- --probe=dnsmasq,127.0.0.1:53,kubernetes.default.svc.{{ .Values.networking.dnsDomain }},5,A
image: {{ .Values.images.tags.kube_dns_sidecar }}
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 5
httpGet:
path: /metrics
port: 10054
scheme: HTTP
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: sidecar
ports:
- containerPort: 10054
name: metrics
protocol: TCP
resources:
requests:
cpu: 10m
memory: 20Mi
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
dnsPolicy: Default
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: kube-dns
serviceAccountName: kube-dns
terminationGracePeriodSeconds: 30
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- effect: NoSchedule
key: node-role.kubernetes.io/master
volumes:
- configMap:
defaultMode: 420
name: kube-dns
optional: true
name: kube-dns-config

41
kube-dns/templates/service-kube-dns.yaml Normal file
View File

@ -0,0 +1,41 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- $envAll := . }}
---
apiVersion: v1
kind: Service
metadata:
labels:
k8s-app: kube-dns
kubernetes.io/cluster-service: "true"
kubernetes.io/name: KubeDNS
name: kube-dns
spec:
clusterIP: {{ .Values.networking.dnsIP }}
ports:
- name: dns
port: 53
protocol: UDP
targetPort: 53
- name: dns-tcp
port: 53
protocol: TCP
targetPort: 53
selector:
k8s-app: kube-dns
sessionAffinity: None
type: ClusterIP

25
kube-dns/templates/serviceaccount-kube-dns.yaml Normal file
View File

@ -0,0 +1,25 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- $envAll := . }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kube-dns
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile

25
kube-dns/values.yaml Normal file
View File

@ -0,0 +1,25 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# https://raw.githubusercontent.com/coreos/flannel/v0.8.0/Documentation/kube-flannel.yml
images:
tags:
kube_dns: gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.5
kube_dns_nanny: gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.5
kube_dns_sidecar: gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.5
networking:
dnsDomain: cluster.local
dnsIP: 10.96.0.10

24
tiller/Chart.yaml Normal file
View File

@ -0,0 +1,24 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
description: OpenStack-Helm Tiller
name: tiller
version: 0.1.0
home: https://github.com/kubernetes/helm
sources:
- https://github.com/kubernetes/helm
- https://git.openstack.org/cgit/openstack/openstack-helm
maintainers:
- name: OpenStack-Helm Authors

30
tiller/templates/clusterrolebinding-tiller.yaml Normal file
View File

@ -0,0 +1,30 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- $envAll := . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: tiller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: tiller
namespace: {{ .Release.Namespace }}

85
tiller/templates/deployment-tiller.yaml Normal file
View File

@ -0,0 +1,85 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- $envAll := . }}
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
labels:
app: helm
name: tiller
name: tiller-deploy
spec:
replicas: 1
selector:
matchLabels:
app: helm
name: tiller
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
labels:
app: helm
name: tiller
spec:
containers:
- env:
- name: TILLER_NAMESPACE
value: {{ .Release.Namespace }}
- name: TILLER_HISTORY_MAX
value: "0"
image: gcr.io/kubernetes-helm/tiller:v2.7.0-rc1
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /liveness
port: 44135
scheme: HTTP
initialDelaySeconds: 1
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: tiller
ports:
- containerPort: 44134
name: tiller
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /readiness
port: 44135
scheme: HTTP
initialDelaySeconds: 1
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: tiller
serviceAccountName: tiller
terminationGracePeriodSeconds: 30

36
tiller/templates/service-tiller-deploy.yaml Normal file
View File

@ -0,0 +1,36 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- $envAll := . }}
---
apiVersion: v1
kind: Service
metadata:
labels:
app: helm
name: tiller
name: tiller-deploy
spec:
ports:
- name: tiller
port: 44134
protocol: TCP
targetPort: tiller
selector:
app: helm
name: tiller
sessionAffinity: None
type: ClusterIP

22
tiller/templates/serviceaccount-tiller.yaml Normal file
View File

@ -0,0 +1,22 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- $envAll := . }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: tiller

20
tools/gate/devel/local-inventory.yaml Normal file
View File

@ -0,0 +1,20 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
all:
children:
primary:
hosts:
local:
ansible_connection: local

19
tools/gate/devel/local-vars.yaml Normal file
View File

@ -0,0 +1,19 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
kubernetes:
network:
default_device: docker0
cluster:
cni: calcio

32
tools/gate/devel/multinode-inventory.yaml Normal file
View File

@ -0,0 +1,32 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
all:
children:
primary:
hosts:
jules:
ansible_port: 22
ansible_host: 10.10.10.13
ansible_user: ubuntu
ansible_ssh_private_key_file: /home/ubuntu/.ssh/insecure.pem
ansible_ssh_extra_args: -o StrictHostKeyChecking=no
nodes:
hosts:
verne:
ansible_port: 22
ansible_host: 10.10.10.6
ansible_user: ubuntu
ansible_ssh_private_key_file: /home/ubuntu/.ssh/insecure.pem
ansible_ssh_extra_args: -o StrictHostKeyChecking=no

19
tools/gate/devel/multinode-vars.yaml Normal file
View File

@ -0,0 +1,19 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
kubernetes:
network:
default_device: docker0
cluster:
cni: calico

74
tools/gate/devel/start.sh Executable file
View File

@ -0,0 +1,74 @@
#!/usr/bin/env bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -ex
: ${WORK_DIR:="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )/../../.."}
export MODE=${1:-"local"}
function ansible_install {
cd /tmp
. /etc/os-release
HOST_OS=${HOST_OS:="${ID}"}
if [ "x$ID" == "xubuntu" ]; then
sudo apt-get update -y
sudo apt-get install -y --no-install-recommends \
python-pip \
libssl-dev \
python-dev \
build-essential
elif [ "x$ID" == "xcentos" ]; then
sudo yum install -y \
epel-release
sudo yum install -y \
python-pip \
python-devel \
redhat-rpm-config \
gcc
elif [ "x$ID" == "xfedora" ]; then
sudo dnf install -y \
python-devel \
redhat-rpm-config \
gcc
fi
sudo -H pip install --no-cache-dir --upgrade pip
sudo -H pip install --no-cache-dir --upgrade setuptools
sudo -H pip install --no-cache-dir --upgrade pyopenssl
sudo -H pip install --no-cache-dir ansible
sudo -H pip install --no-cache-dir ara
sudo -H pip install --no-cache-dir yq
}
ansible_install
cd ${WORK_DIR}
export ANSIBLE_CALLBACK_PLUGINS="$(python -c 'import os,ara; print(os.path.dirname(ara.__file__))')/plugins/callbacks"
rm -rf ${HOME}/.ara
function dump_logs () {
# Setup the logging location: by default use the working dir as the root.
export LOGS_DIR=${LOGS_DIR:-"${WORK_DIR}/logs"}
set +e
rm -rf ${LOGS_DIR} || true
mkdir -p ${LOGS_DIR}/ara
ara generate html ${LOGS_DIR}/ara
exit $1
}
trap 'dump_logs "$?"' ERR
INVENTORY=${WORK_DIR}/tools/gate/devel/${MODE}-inventory.yaml
VARS=${WORK_DIR}/tools/gate/devel/${MODE}-vars.yaml
ansible-playbook ${WORK_DIR}/tools/gate/playbooks/zuul-pre.yaml -i ${INVENTORY} --extra-vars=@${VARS} --extra-vars "work_dir=${WORK_DIR}"
ansible-playbook ${WORK_DIR}/tools/gate/playbooks/zuul-run.yaml -i ${INVENTORY} --extra-vars=@${VARS} --extra-vars "work_dir=${WORK_DIR}"

23
tools/gate/playbooks/build-images/tasks/kubeadm-aio.yaml Normal file
View File

@ -0,0 +1,23 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: build the Kubeadm-AIO image
docker_image:
path: "{{ work_dir }}/"
name: "{{ images.kubernetes.kubeadm_aio }}"
dockerfile: "tools/images/kubeadm-aio/Dockerfile"
force: yes
pull: yes
state: present
rm: yes

15
tools/gate/playbooks/build-images/tasks/main.yaml Normal file
View File

@ -0,0 +1,15 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- include: kubeadm-aio.yaml

68
tools/gate/playbooks/deploy-docker/tasks/deploy-ansible-docker-support.yaml Normal file
View File

@ -0,0 +1,68 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: ensuring SELinux is disabled on centos & fedora
when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux' or ansible_distribution == 'Fedora'
become: true
become_user: root
command: setenforce 0
ignore_errors: True
#NOTE(portdirect): See https://ask.openstack.org/en/question/110437/importerror-cannot-import-name-unrewindablebodyerror/
- name: fix docker removal issue with ansible's docker_container on centos
when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
block:
- name: remove requests and urllib3 pip packages to fix docker removal issue with ansible's docker_container on centos
become: true
become_user: root
include_role:
name: deploy-package
tasks_from: pip
vars:
state: absent
packages:
- requests
- urllib3
- name: remove requests and urllib3 distro packages to fix docker removal issue with ansible's docker_container on centos
become: true
become_user: root
include_role:
name: deploy-package
tasks_from: dist
vars:
state: absent
packages:
rpm:
- python-urllib3
- python-requests
- name: restore requests and urllib3 distro packages to fix docker removal issue with ansible's docker_container on centos
become: true
become_user: root
include_role:
name: deploy-package
tasks_from: dist
vars:
state: present
packages:
rpm:
- python-urllib3
- python-requests
- name: Ensure docker python packages deployed
include_role:
name: deploy-package
tasks_from: pip
vars:
packages:
- docker-py

52
tools/gate/playbooks/deploy-docker/tasks/main.yaml Normal file
View File

@ -0,0 +1,52 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: check if docker deploy is needed
raw: which docker
register: need_docker
ignore_errors: True
- name: deploy docker packages
when: need_docker | failed
include_role:
name: deploy-package
tasks_from: dist
vars:
packages:
deb:
- docker.io
rpm:
- docker-latest
- name: centos | moving systemd unit into place
when: ( ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux' ) and ( need_docker | failed )
template:
src: centos-docker.service.j2
dest: /etc/systemd/system/docker.service
mode: 0640
- name: fedora | moving systemd unit into place
when: ( ansible_distribution == 'Fedora' ) and ( need_docker | failed )
template:
src: fedora-docker.service.j2
dest: /etc/systemd/system/docker.service
mode: 0640
- name: restarting docker
systemd:
state: restarted
daemon_reload: yes
name: docker
- include: deploy-ansible-docker-support.yaml

31
tools/gate/playbooks/deploy-docker/templates/centos-docker.service.j2 Normal file
View File

@ -0,0 +1,31 @@
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target
Wants=docker-latest-storage-setup.service
[Service]
Type=notify
NotifyAccess=all
Environment=GOTRACEBACK=crash
Environment=DOCKER_HTTP_HOST_COMPAT=1
Environment=PATH=/usr/libexec/docker:/usr/bin:/usr/sbin
ExecStart=/usr/bin/dockerd-latest \
--add-runtime docker-runc=/usr/libexec/docker/docker-runc-latest \
--default-runtime=docker-runc \
--exec-opt native.cgroupdriver=systemd \
--userland-proxy-path=/usr/libexec/docker/docker-proxy-latest \
-g /var/lib/docker \
--storage-driver=overlay \
--log-driver=journald
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity
TimeoutStartSec=0
Restart=on-abnormal
MountFlags=share
KillMode=process
[Install]
WantedBy=multi-user.target

29
tools/gate/playbooks/deploy-docker/templates/fedora-docker.service.j2 Normal file
View File

@ -0,0 +1,29 @@
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target docker-latest-containerd.service
Wants=docker-latest-storage-setup.service
Requires=docker-latest-containerd.service
[Service]
Type=notify
Environment=GOTRACEBACK=crash
ExecStart=/usr/bin/dockerd-latest \
--add-runtime oci=/usr/libexec/docker/docker-runc-latest \
--default-runtime=oci \
--containerd /run/containerd.sock \
--exec-opt native.cgroupdriver=systemd \
--userland-proxy-path=/usr/libexec/docker/docker-proxy-latest \
-g /var/lib/docker \
--storage-driver=overlay2 \
--log-driver=journald
ExecReload=/bin/kill -s HUP $MAINPID
TasksMax=8192
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity
TimeoutStartSec=0
Restart=on-abnormal
[Install]
WantedBy=multi-user.target

69
tools/gate/playbooks/deploy-kubeadm-aio-common/tasks/clean-node.yaml Normal file
View File

@ -0,0 +1,69 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: master
vars:
kubeadm_aio_action: clean-host
block:
- name: "kubeadm-aio perfoming action: {{ kubeadm_aio_action }}"
become: true
become_user: root
docker_container:
name: "kubeadm-{{ kubeadm_aio_action }}"
image: "{{ images.kubernetes.kubeadm_aio }}"
state: started
detach: false
recreate: yes
pid_mode: host
network_mode: host
capabilities: SYS_ADMIN
volumes:
- /sys:/sys:rw
- /run:/run:rw
- /:/mnt/rootfs:rw
- /etc:/etc:rw
env:
CONTAINER_NAME="kubeadm-{{ kubeadm_aio_action }}"
ACTION="{{ kubeadm_aio_action }}"
KUBE_BIND_DEVICE="{{ kubernetes_default_device }}"
USER_UID="{{ playbook_user_id }}"
USER_GID="{{ playbook_group_id }}"
USER_HOME="{{ playbook_user_dir }}"
CNI_ENABLED="{{ kubernetes.cluster.cni }}"
PVC_SUPPORT_CEPH=true
PVC_SUPPORT_NFS=true
NET_SUPPORT_LINUXBRIDGE=true
KUBE_NET_POD_SUBNET=192.168.0.0/16
KUBE_NET_DNS_DOMAIN=cluster.local
CONTAINER_RUNTIME=docker
register: kubeadm_master_deploy
ignore_errors: True
rescue:
- name: getting logs from kubeadm-aio container
command: "docker logs kubeadm-{{ kubeadm_aio_action }}"
become: true
become_user: root
register: out
- name: dumping logs from kubeadm-aio container
debug:
var: out.stdout_lines
- name: exiting if the kubeadm deploy failed
command: exit 1
always:
- name: removing kubeadm-aio container
become: true
become_user: root
docker_container:
name: "kubeadm-{{ kubeadm_aio_action }}"
state: absent

18
tools/gate/playbooks/deploy-kubeadm-aio-common/tasks/deploy-kubelet.yaml Normal file
View File

@ -0,0 +1,18 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: master
vars:
kubeadm_aio_action: deploy-kubelet
include: util-kubeadm-aio-run.yaml

35
tools/gate/playbooks/deploy-kubeadm-aio-common/tasks/main.yaml Normal file
View File

@ -0,0 +1,35 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: setting playbook facts
set_fact:
playbook_user_id: "{{ ansible_user_uid }}"
playbook_group_id: "{{ ansible_user_gid }}"
playbook_user_dir: "{{ ansible_user_dir }}"
kubernetes_default_device: "{{ ansible_default_ipv4.alias }}"
kubernetes_default_address: null
- name: if we have defined a custom interface for kubernetes use that
when: kubernetes.network.default_device is defined and kubernetes.network.default_device
set_fact:
kubernetes_default_device: "{{ kubernetes.network.default_device }}"
- name: if we are in openstack infra use the private IP for kubernetes
when: (nodepool is defined) and (nodepool.private_ipv4 is defined)
set_fact:
kubernetes_default_address: "{{ nodepool.private_ipv4 }}"
- include: clean-node.yaml
- include: deploy-kubelet.yaml

69
tools/gate/playbooks/deploy-kubeadm-aio-common/tasks/util-kubeadm-aio-run.yaml Normal file
View File

@ -0,0 +1,69 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Run Kubeadm-AIO container
vars:
kubeadm_aio_action: null
block:
- name: "perfoming {{ kubeadm_aio_action }} action"
become: true
become_user: root
docker_container:
name: "kubeadm-{{ kubeadm_aio_action }}"
image: "{{ images.kubernetes.kubeadm_aio }}"
state: started
detach: false
recreate: yes
pid_mode: host
network_mode: host
capabilities: SYS_ADMIN
volumes:
- /sys:/sys:rw
- /run:/run:rw
- /:/mnt/rootfs:rw
- /etc:/etc:rw
env:
CONTAINER_NAME="kubeadm-{{ kubeadm_aio_action }}"
ACTION="{{ kubeadm_aio_action }}"
KUBE_BIND_DEVICE="{{ kubernetes_default_device }}"
KUBE_BIND_ADDR="{{ kubernetes_default_address }}"
USER_UID="{{ playbook_user_id }}"
USER_GID="{{ playbook_group_id }}"
USER_HOME="{{ playbook_user_dir }}"
CNI_ENABLED="{{ kubernetes.cluster.cni }}"
PVC_SUPPORT_CEPH=true
PVC_SUPPORT_NFS=true
NET_SUPPORT_LINUXBRIDGE=true
KUBE_NET_POD_SUBNET=192.168.0.0/16
KUBE_NET_DNS_DOMAIN=cluster.local
CONTAINER_RUNTIME=docker
register: kubeadm_master_deploy
rescue:
- name: "getting logs for {{ kubeadm_aio_action }} action"
command: "docker logs kubeadm-{{ kubeadm_aio_action }}"
become: true
become_user: root
register: out
- name: "dumping logs for {{ kubeadm_aio_action }} action"
debug:
var: out.stdout_lines
- name: "exiting if {{ kubeadm_aio_action }} action failed"
command: exit 1
always:
- name: "removing container for {{ kubeadm_aio_action }} action"
become: true
become_user: root
docker_container:
name: "kubeadm-{{ kubeadm_aio_action }}"
state: absent

31
tools/gate/playbooks/deploy-kubeadm-aio-master/tasks/main.yaml Normal file
View File

@ -0,0 +1,31 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: setting playbook user info facts before escalating privileges
set_fact:
playbook_user_id: "{{ ansible_user_uid }}"
playbook_group_id: "{{ ansible_user_gid }}"
playbook_user_dir: "{{ ansible_user_dir }}"
- name: deploying kubelet and support assets to node
include_role:
name: deploy-kubeadm-aio-common
tasks_from: main
- name: deploying kubernetes on master node
vars:
kubeadm_aio_action: deploy-kube
include_role:
name: deploy-kubeadm-aio-common
tasks_from: util-kubeadm-aio-run

44
tools/gate/playbooks/deploy-kubeadm-aio-node/tasks/main.yaml Normal file
View File

@ -0,0 +1,44 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: setting playbook user info facts before escalating privileges
set_fact:
playbook_user_id: "{{ ansible_user_uid }}"
playbook_group_id: "{{ ansible_user_gid }}"
playbook_user_dir: "{{ ansible_user_dir }}"
kube_master: "{{ groups['primary'][0] }}"
kube_worker: "{{ inventory_hostname }}"
- name: deploying kubelet and support assets to node
include_role:
name: deploy-kubeadm-aio-common
tasks_from: main
- name: generating the kubeadm join command for the node
include: util-generate-join-command.yaml
delegate_to: "{{ kube_master }}"
- name: joining node to kubernetes cluster
vars:
kubeadm_aio_action: join-kube
kubeadm_aio_join_command: "{{ kubeadm_cluster_join_command }}"
include: util-run-join-command.yaml
- name: waiting for node to be ready
delegate_to: "{{ kube_master }}"
command: kubectl get node "{{ ansible_fqdn }}" -o jsonpath="{$.status.conditions[?(@.reason=='KubeletReady')]['type']}"
register: task_result
until: task_result.stdout == 'Ready'
retries: 120
delay: 5

56
tools/gate/playbooks/deploy-kubeadm-aio-node/tasks/util-generate-join-command.yaml Normal file
View File

@ -0,0 +1,56 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: generate the kubeadm join command for nodes
vars:
kubeadm_aio_action: generate-join-cmd
kubeadm_cluster_join_ttl: 30m
kube_worker: null
block:
- name: "deploying kubeadm {{ kubeadm_aio_action }} container"
become: true
become_user: root
docker_container:
name: "kubeadm-{{ kube_worker }}-{{ kubeadm_aio_action }}"
image: "{{ images.kubernetes.kubeadm_aio }}"
state: started
detach: false
recreate: yes
network_mode: host
volumes:
- /etc/kubernetes:/etc/kubernetes:ro
env:
ACTION=generate-join-cmd
TTL="{{ kubeadm_cluster_join_ttl }}"
register: kubeadm_generate_join_command
- name: "getting logs for {{ kubeadm_aio_action }} action"
command: "docker logs kubeadm-{{ kube_worker }}-{{ kubeadm_aio_action }}"
become: true
become_user: root
register: kubeadm_aio_action_logs
- name: storing cluster join command
set_fact: kubeadm_cluster_join_command="{{ kubeadm_aio_action_logs.stdout }}"
rescue:
- name: "dumping logs for {{ kubeadm_aio_action }} action"
debug:
var: kubeadm_aio_action_logs.stdout_lines
- name: "exiting if {{ kubeadm_aio_action }} action failed"
command: exit 1
always:
- name: "removing container for {{ kubeadm_aio_action }} action"
become: true
become_user: root
docker_container:
name: "kubeadm-{{ kube_worker }}-{{ kubeadm_aio_action }}"
state: absent

59
tools/gate/playbooks/deploy-kubeadm-aio-node/tasks/util-run-join-command.yaml Normal file
View File

@ -0,0 +1,59 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: master
vars:
kubeadm_aio_action: join-kube
kubeadm_aio_join_command: null
block:
- name: "deploying kubeadm {{ kubeadm_aio_action }} container"
become: true
become_user: root
docker_container:
name: "kubeadm-{{ kubeadm_aio_action }}"
image: "{{ images.kubernetes.kubeadm_aio }}"
state: started
detach: false
recreate: yes
pid_mode: host
network_mode: host
capabilities: SYS_ADMIN
volumes:
- /sys:/sys:rw
- /run:/run:rw
- /:/mnt/rootfs:rw
- /etc:/etc:rw
env:
CONTAINER_NAME="kubeadm-{{ kubeadm_aio_action }}"
ACTION="{{ kubeadm_aio_action }}"
KUBEADM_JOIN_COMMAND="{{ kubeadm_aio_join_command }}"
register: kubeadm_aio_join_container
rescue:
- name: "getting logs for {{ kubeadm_aio_action }} action"
command: "docker logs kubeadm-{{ kubeadm_aio_action }}"
become: true
become_user: root
register: kubeadm_aio_join_container_output
- name: "dumping logs for {{ kubeadm_aio_action }} action"
debug:
msg: "{{ kubeadm_aio_join_container_output.stdout_lines }}"
- name: "exiting if {{ kubeadm_aio_action }} action failed"
command: exit 1
always:
- name: "removing container for {{ kubeadm_aio_action }} action"
become: true
become_user: root
docker_container:
name: "kubeadm-{{ kubeadm_aio_action }}"
state: absent

46
tools/gate/playbooks/deploy-package/tasks/dist.yaml Normal file
View File

@ -0,0 +1,46 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: managing distro packages for ubuntu
become: true
become_user: root
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
vars:
state: present
apt:
name: "{{ item }}"
state: "{{ state }}"
with_items: "{{ packages.deb }}"
- name: managing distro packages for centos
become: true
become_user: root
when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
vars:
state: present
yum:
name: "{{ item }}"
state: "{{ state }}"
with_items: "{{ packages.rpm }}"
- name: managing distro packages for fedora
become: true
become_user: root
when: ansible_distribution == 'Fedora'
vars:
state: present
dnf:
name: "{{ item }}"
state: "{{ state }}"
with_items: "{{ packages.rpm }}"

23
tools/gate/playbooks/deploy-package/tasks/pip.yaml Normal file
View File

@ -0,0 +1,23 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: managing pip packages
become: true
become_user: root
vars:
state: present
pip:
name: "{{ item }}"
state: "{{ state }}"
with_items: "{{ packages }}"

44
tools/gate/playbooks/deploy-python-pip/tasks/main.yaml Normal file
View File

@ -0,0 +1,44 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: ensuring python pip package is present for ubuntu
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
apt:
name: python-pip
state: present
- name: ensuring python pip package is present for centos
when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
block:
- name: ensuring epel-release package is present for centos as python-pip is in the epel repo
yum:
name: epel-release
state: present
- name: ensuring python pip package is present for centos
yum:
name: python-pip
state: present
- name: ensuring python pip package is present for fedora via the python-devel rpm
when: ansible_distribution == 'Fedora'
dnf:
name: python-devel
state: present
- name: ensuring pip is the latest version
become: true
become_user: root
pip:
name: pip
state: latest

16
tools/gate/playbooks/deploy-python/tasks/main.yaml Normal file
View File

@ -0,0 +1,16 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: ensuring python2 is present on all hosts
raw: test -e /usr/bin/python || (sudo apt -y update && sudo apt install -y python-minimal) || (sudo yum install -y python) || (sudo dnf install -y python2)

18
tools/gate/playbooks/pull-images/tasks/main.yaml Normal file
View File

@ -0,0 +1,18 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: pull all images used in repo
make:
chdir: "{{ work_dir }}"
target: pull-all-images

29
tools/gate/playbooks/setup-firewall/tasks/main.yaml Normal file
View File

@ -0,0 +1,29 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#NOTE(portdirect): This needs refinement but drops the firewall on zuul nodes
- name: deploy iptables packages
include_role:
name: deploy-package
tasks_from: dist
vars:
packages:
deb:
- iptables
rpm:
- iptables
- command: iptables -S
- command: iptables -F
- command: iptables -P INPUT ACCEPT
- command: iptables -S

26
tools/gate/playbooks/vars.yaml Normal file
View File

@ -0,0 +1,26 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
images:
kubernetes:
kubeadm_aio: openstackhelm/kubeadm-aio:dev
helm:
version: v2.7.0-rc1
kubernetes:
network:
default_device: null
cluster:
cni: calico

55
tools/gate/playbooks/zuul-pre.yaml Normal file
View File

@ -0,0 +1,55 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- hosts: all
vars_files:
- vars.yaml
vars:
work_dir: "{{ zuul.project.src_dir }}"
gather_facts: False
become: yes
roles:
- deploy-python
tags:
- deploy-python
- hosts: all
vars_files:
- vars.yaml
vars:
work_dir: "{{ zuul.project.src_dir }}"
gather_facts: True
become: yes
roles:
- setup-firewall
- deploy-python-pip
- deploy-docker
tags:
- setup-firewall
- deploy-python-pip
- deploy-docker
- hosts: all
vars_files:
- vars.yaml
vars:
work_dir: "{{ zuul.project.src_dir }}"
gather_facts: False
become: yes
roles:
- pull-images
- build-images
tags:
- pull-images
- build-images

33
tools/gate/playbooks/zuul-run.yaml Normal file
View File

@ -0,0 +1,33 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- hosts: primary
vars_files:
- vars.yaml
vars:
work_dir: "{{ zuul.project.src_dir }}"
roles:
- deploy-kubeadm-aio-master
tags:
- deploy-kubeadm-aio-master
- hosts: nodes
vars_files:
- vars.yaml
vars:
work_dir: "{{ zuul.project.src_dir }}"
roles:
- deploy-kubeadm-aio-node
tags:
- deploy-kubeadm-aio-node

68
tools/images/kubeadm-aio/Dockerfile Normal file
View File

@ -0,0 +1,68 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#https://github.com/kubernetes/ingress-nginx/tree/master/images/ubuntu-slim
FROM gcr.io/google_containers/ubuntu-slim:0.14
MAINTAINER pete.birley@att.com
ENV KUBE_VERSION="v1.8.1" \
CNI_VERSION="v0.6.0" \
HELM_VERSION="v2.7.0-rc1" \
container="docker" \
DEBIAN_FRONTEND="noninteractive" \
CNI_BIN_DIR="/opt/cni/bin" \
CHARTS="calico,flannel,tiller,kube-dns"
RUN set -ex ;\
apt-get update ;\
apt-get upgrade -y ;\
apt-get install -y --no-install-recommends \
ca-certificates \
curl \
jq \
python-pip \
gawk ;\
pip --no-cache-dir install --upgrade pip ;\
pip --no-cache-dir install setuptools ;\
pip --no-cache-dir install kubernetes ;\
pip --no-cache-dir install ansible ;\
for BINARY in kubectl kubeadm; do \
curl -sSL -o /usr/bin/${BINARY} \
https://storage.googleapis.com/kubernetes-release/release/${KUBE_VERSION}/bin/linux/amd64/${BINARY} ;\
chmod +x /usr/bin/${BINARY} ;\
done ;\
mkdir -p /opt/assets/usr/bin ;\
curl -sSL -o /opt/assets/usr/bin/kubelet \
https://storage.googleapis.com/kubernetes-release/release/${KUBE_VERSION}/bin/linux/amd64/kubelet ;\
chmod +x /opt/assets/usr/bin/kubelet ;\
mkdir -p /opt/assets${CNI_BIN_DIR} ;\
curl -sSL https://github.com/containernetworking/plugins/releases/download/$CNI_VERSION/cni-plugins-amd64-$CNI_VERSION.tgz | \
tar -zxv --strip-components=1 -C /opt/assets${CNI_BIN_DIR} ;\
TMP_DIR=$(mktemp -d) ;\
curl -sSL https://storage.googleapis.com/kubernetes-helm/helm-${HELM_VERSION}-linux-amd64.tar.gz | tar -zxv --strip-components=1 -C ${TMP_DIR} ;\
mv ${TMP_DIR}/helm /usr/bin/helm ;\
rm -rf ${TMP_DIR} ;\
apt-get purge -y --auto-remove \
curl ;\
rm -rf /var/lib/apt/lists/* /tmp/* /root/.cache
COPY ./ /tmp/source
RUN set -ex ;\
cp -rfav /tmp/source/tools/images/kubeadm-aio/assets/* / ;\
IFS=','; for CHART in $CHARTS; do \
mv -v /tmp/source/${CHART} /opt/charts/; \
done ;\
rm -rf /tmp/source
ENTRYPOINT ["/entrypoint.sh"]

119
tools/images/kubeadm-aio/assets/entrypoint.sh Executable file
View File

@ -0,0 +1,119 @@
#!/usr/bin/env bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -e
if [ "x${ACTION}" == "xgenerate-join-cmd" ]; then
: ${TTL:="10m"}
DISCOVERY_TOKEN="$(kubeadm token --kubeconfig /etc/kubernetes/admin.conf create --ttl ${TTL} --usages signing --groups '')"
TLS_BOOTSTRAP_TOKEN="$(kubeadm token --kubeconfig /etc/kubernetes/admin.conf create --ttl ${TTL} --usages authentication --groups \"system:bootstrappers:kubeadm:default-node-token\")"
DISCOVERY_TOKEN_CA_HASH="$(openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* /sha256:/')"
API_SERVER=$(cat /etc/kubernetes/admin.conf | python -c "import sys, yaml; print yaml.safe_load(sys.stdin)['clusters'][0]['cluster']['server'].split(\"//\",1).pop()")
exec echo "kubeadm join \
--tls-bootstrap-token ${TLS_BOOTSTRAP_TOKEN} \
--discovery-token ${DISCOVERY_TOKEN} \
--discovery-token-ca-cert-hash ${DISCOVERY_TOKEN_CA_HASH} \
${API_SERVER}"
elif [ "x${ACTION}" == "xjoin-kube" ]; then
exec ansible-playbook /opt/playbooks/kubeadm-aio-deploy-node.yaml \
--inventory=/opt/playbooks/inventory.ini \
--extra-vars="kubeadm_join_command=\"${KUBEADM_JOIN_COMMAND}\""
fi
: ${ACTION:="deploy-kube"}
: ${CONTAINER_NAME:="null"}
: ${CONTAINER_RUNTIME:="docker"}
: ${CNI_ENABLED:="calico"}
: ${NET_SUPPORT_LINUXBRIDGE:="true"}
: ${PVC_SUPPORT_CEPH:="false"}
: ${PVC_SUPPORT_NFS:="false"}
: ${HELM_TILLER_IMAGE:="gcr.io/kubernetes-helm/tiller:${HELM_VERSION}"}
: ${KUBE_VERSION:="${KUBE_VERSION}"}
: ${KUBE_IMAGE_REPO:="gcr.io/google_containers"}
: ${KUBE_API_BIND_PORT:="6443"}
: ${KUBE_NET_DNS_DOMAIN:="cluster.local"}
: ${KUBE_NET_POD_SUBNET:="192.168.0.0/16"}
: ${KUBE_NET_SUBNET_SUBNET:="10.96.0.0/12"}
: ${KUBE_BIND_DEVICE:=""}
: ${KUBE_BIND_ADDR:=""}
: ${KUBE_API_BIND_DEVICE:="${KUBE_BIND_DEVICE}"}
: ${KUBE_API_BIND_ADDR:="${KUBE_BIND_ADDR}"}
: ${KUBE_CERTS_DIR:="/etc/kubernetes/pki"}
: ${KUBE_SELF_HOSTED:="false"}
PLAYBOOK_VARS="{
\"my_container_name\": \"${CONTAINER_NAME}\",
\"user\": {
\"uid\": ${USER_UID},
\"gid\": ${USER_GID},
\"home\": \"${USER_HOME}\"
},
\"cluster\": {
\"cni\": \"${CNI_ENABLED}\"
},
\"kubelet\": {
\"container_runtime\": \"${CONTAINER_RUNTIME}\",
\"net_support_linuxbridge\": ${NET_SUPPORT_LINUXBRIDGE},
\"pv_support_nfs\": ${PVC_SUPPORT_NFS},
\"pv_support_ceph\": ${PVC_SUPPORT_CEPH}
},
\"helm\": {
\"tiller_image\": \"${HELM_TILLER_IMAGE}\"
},
\"k8s\": {
\"kubernetesVersion\": \"${KUBE_VERSION}\",
\"imageRepository\": \"${KUBE_IMAGE_REPO}\",
\"certificatesDir\": \"${KUBE_CERTS_DIR}\",
\"selfHosted\": \"${KUBE_SELF_HOSTED}\",
\"api\": {
\"bindPort\": ${KUBE_API_BIND_PORT}
},
\"networking\": {
\"dnsDomain\": \"${KUBE_NET_DNS_DOMAIN}\",
\"podSubnet\": \"${KUBE_NET_POD_SUBNET}\",
\"serviceSubnet\": \"${KUBE_NET_SUBNET_SUBNET}\"
}
}
}"
set -x
if [ "x${ACTION}" == "xdeploy-kubelet" ]; then
if [ "x${KUBE_BIND_ADDR}" != "x" ]; then
PLAYBOOK_VARS=$(echo $PLAYBOOK_VARS | jq ".kubelet += {\"bind_addr\": \"${KUBE_BIND_ADDR}\"}")
elif [ "x${KUBE_BIND_DEVICE}" != "x" ]; then
PLAYBOOK_VARS=$(echo $PLAYBOOK_VARS | jq ".kubelet += {\"bind_device\": \"${KUBE_BIND_DEVICE}\"}")
fi
ansible-playbook /opt/playbooks/kubeadm-aio-deploy-kubelet.yaml \
--inventory=/opt/playbooks/inventory.ini \
--inventory=/opt/playbooks/vars.yaml \
--extra-vars="${PLAYBOOK_VARS}"
elif [ "x${ACTION}" == "xdeploy-kube" ]; then
if [ "x${KUBE_API_BIND_ADDR}" != "x" ]; then
PLAYBOOK_VARS=$(echo $PLAYBOOK_VARS | jq ".k8s.api += {\"advertiseAddress\": \"${KUBE_API_BIND_ADDR}\"}")
elif [ "x${KUBE_API_BIND_DEVICE}" != "x" ]; then
PLAYBOOK_VARS=$(echo $PLAYBOOK_VARS | jq ".k8s.api += {\"advertiseAddressDevice\": \"${KUBE_API_BIND_DEVICE}\"}")
fi
ansible-playbook /opt/playbooks/kubeadm-aio-deploy-master.yaml \
--inventory=/opt/playbooks/inventory.ini \
--inventory=/opt/playbooks/vars.yaml \
--extra-vars="${PLAYBOOK_VARS}"
elif [ "x${ACTION}" == "xclean-host" ]; then
ansible-playbook /opt/playbooks/kubeadm-aio-clean.yaml \
--inventory=/opt/playbooks/inventory.ini \
--inventory=/opt/playbooks/vars.yaml \
--extra-vars="${PLAYBOOK_VARS}"
else
exec ${ACTION}
fi

0
tools/images/kubeadm-aio/assets/opt/charts/.placeholder Normal file
View File

2
tools/images/kubeadm-aio/assets/opt/playbooks/inventory.ini Normal file
View File

@ -0,0 +1,2 @@
[node]
/mnt/rootfs ansible_connection=chroot

19
tools/images/kubeadm-aio/assets/opt/playbooks/kubeadm-aio-clean.yaml Normal file
View File

@ -0,0 +1,19 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- hosts: all
gather_facts: True
become: yes
roles:
- clean-host
tags:
- clean-host

19
tools/images/kubeadm-aio/assets/opt/playbooks/kubeadm-aio-deploy-kubelet.yaml Normal file
View File

@ -0,0 +1,19 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- hosts: all
gather_facts: True
become: yes
roles:
- deploy-kubelet
tags:
- deploy-kubelet

18
tools/images/kubeadm-aio/assets/opt/playbooks/kubeadm-aio-deploy-master.yaml Normal file
View File

@ -0,0 +1,18 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- hosts: all
become: yes
roles:
- deploy-kubeadm-master
tags:
- deploy-kubeadm-master

18
tools/images/kubeadm-aio/assets/opt/playbooks/kubeadm-aio-deploy-node.yaml Normal file
View File

@ -0,0 +1,18 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- hosts: all
become: yes
roles:
- deploy-kubeadm-node
tags:
- deploy-kubeadm-node

56
tools/images/kubeadm-aio/assets/opt/playbooks/roles/clean-host/tasks/main.yaml Normal file
View File

@ -0,0 +1,56 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: clean | kube | remove config
file:
path: "{{ item }}"
state: absent
with_items:
- /etc/kubernetes
- name: clean | kube | stop kubelet service
ignore_errors: yes
systemd:
name: kubelet
state: stopped
enabled: no
masked: no
- name: clean | kube | removing any old docker containers
ignore_errors: yes
shell: MY_CONTAINER_ID=$(docker inspect --format {% raw %}'{{ .Id }}'{% endraw %} "{{ my_container_name }}"); docker ps --all --no-trunc --quiet | awk '!'"/${MY_CONTAINER_ID}/ { print \$1 }" | xargs -r -l1 -P16 docker rm -f
- name: clean | kube | remove any mounts
ignore_errors: yes
shell: |-
for MOUNT in $(findmnt --df --output TARGET | grep "^/var/lib/kubelet"); do
umount --force $MOUNT
done
- name: clean | kube | remove dirs
file:
path: "{{ item }}"
state: absent
with_items:
- /etc/kubernetes
- /etc/cni/net.d
- /etc/systemd/system/kubelet.service
- /etc/systemd/system/kubelet.service.d
- /var/lib/kubelet
- /var/lib/etcd
- /var/etcd
- /opt/cni/bin
- name: clean | kube | reload systemd
systemd:
daemon_reload: yes

92
tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/tasks/helm-cni.yaml Normal file
View File

@ -0,0 +1,92 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: setting up bootstrap tiller
block:
- name: pull the helm tiller Image
become: true
become_user: root
docker_image:
pull: true
name: "{{ helm.tiller_image }}"
- name: deploying bootstrap tiller
become: true
become_user: root
docker_container:
name: "helm-tiller"
image: "{{ helm.tiller_image }}"
state: started
detach: true
recreate: yes
network_mode: host
volumes:
- /etc/kubernetes/admin.conf:/etc/kubernetes/admin.conf:ro
env:
KUBECONFIG=/etc/kubernetes/admin.conf
register: kubeadm_aio_tiller_container
ignore_errors: True
- name: wait for tiller to be ready
delegate_to: 127.0.0.1
command: helm version --server
environment:
HELM_HOST: 'localhost:44134'
register: task_result
until: task_result.rc == 0
retries: 120
delay: 5
- name: kubeadm | cni | calico
when: cluster.cni == 'calico'
delegate_to: 127.0.0.1
block:
- name: kubeadm | cni | calico | label node
command: kubectl label --overwrite nodes {{ kubeadm_node_hostname }} node-role.kubernetes.io/master=
environment:
KUBECONFIG: '/mnt/rootfs/etc/kubernetes/admin.conf'
- name: kubeadm | cni | calico
command: helm install /opt/charts/calico --name calico --namespace kube-system --set networking.podSubnet="{{ k8s.networking.podSubnet }}" --wait
environment:
HELM_HOST: 'localhost:44134'
- name: kubeadm | cni | calico
command: helm status calico
environment:
HELM_HOST: 'localhost:44134'
register: kubeadm_helm_cni_status
- name: kubeadm | cni | status
debug:
msg: "{{ kubeadm_helm_cni_status }}"
- name: kubeadm | cni | flannel
when: cluster.cni == 'flannel'
delegate_to: 127.0.0.1
block:
- name: kubeadm | cni | flannel
command: helm install /opt/charts/flannel --name flannel --namespace kube-system --set networking.podSubnet="{{ k8s.networking.podSubnet }}" --wait
environment:
HELM_HOST: 'localhost:44134'
- name: kubeadm | cni | flannel
command: helm status flannel
environment:
HELM_HOST: 'localhost:44134'
register: kubeadm_helm_cni_status
- name: kubeadm | cni | status
debug:
msg: "{{ kubeadm_helm_cni_status }}"
- name: "removing bootstrap tiller container"
become: true
become_user: root
docker_container:
name: "helm-tiller"
state: absent

84
tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/tasks/helm-deploy.yaml Normal file
View File

@ -0,0 +1,84 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: setting up bootstrap tiller
block:
- name: pull the helm tiller Image
become: true
become_user: root
docker_image:
pull: true
name: "{{ helm.tiller_image }}"
- name: deploying bootstrap tiller
become: true
become_user: root
docker_container:
name: "helm-tiller"
image: "{{ helm.tiller_image }}"
state: started
detach: true
recreate: yes
network_mode: host
volumes:
- /etc/kubernetes/admin.conf:/etc/kubernetes/admin.conf:ro
env:
KUBECONFIG=/etc/kubernetes/admin.conf
register: kubeadm_aio_tiller_container
ignore_errors: True
- name: wait for tiller to be ready
delegate_to: 127.0.0.1
command: helm version --server
environment:
HELM_HOST: 'localhost:44134'
register: task_result
until: task_result.rc == 0
retries: 120
delay: 5
- name: kubeadm | helm | tiller
delegate_to: 127.0.0.1
block:
- name: kubeadm | helm | tiller
command: helm install /opt/charts/tiller --name tiller --namespace kube-system --wait
environment:
HELM_HOST: 'localhost:44134'
- name: kubeadm | helm | tiller
command: helm status tiller
environment:
HELM_HOST: 'localhost:44134'
register: kubeadm_helm_cni_status
- name: kubeadm | helm | tiller
debug:
msg: "{{ kubeadm_helm_cni_status }}"
- name: "removing bootstrap tiller container"
become: true
become_user: root
docker_container:
name: "helm-tiller"
state: absent
- name: setting up helm client on host
block:
- name: copying helm binary to host
become: true
become_user: root
copy:
src: /usr/bin/helm
dest: /usr/bin/helm
owner: root
group: root
mode: 0555
- name: setting up helm client for user
command: helm init --client-only

70
tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/tasks/helm-dns.yaml Normal file
View File

@ -0,0 +1,70 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: setting up bootstrap tiller
block:
- name: pull the helm tiller Image
become: true
become_user: root
docker_image:
pull: true
name: "{{ helm.tiller_image }}"
- name: deploying bootstrap tiller
become: true
become_user: root
docker_container:
name: "helm-tiller"
image: "{{ helm.tiller_image }}"
state: started
detach: true
recreate: yes
network_mode: host
volumes:
- /etc/kubernetes/admin.conf:/etc/kubernetes/admin.conf:ro
env:
KUBECONFIG=/etc/kubernetes/admin.conf
register: kubeadm_aio_tiller_container
ignore_errors: True
- name: wait for tiller to be ready
delegate_to: 127.0.0.1
command: helm version --server
environment:
HELM_HOST: 'localhost:44134'
register: task_result
until: task_result.rc == 0
retries: 120
delay: 5
- name: kubeadm | dns
delegate_to: 127.0.0.1
block:
- name: kubeadm | dns
command: helm install /opt/charts/kube-dns --name kube-dns --namespace kube-system --wait
environment:
HELM_HOST: 'localhost:44134'
- name: kubeadm | dns
command: helm status kube-dns
environment:
HELM_HOST: 'localhost:44134'
register: kubeadm_helm_dns_status
- name: kubeadm | dns
debug:
msg: "{{ kubeadm_helm_dns_status }}"
- name: "removing bootstrap tiller container"
become: true
become_user: root
docker_container:
name: "helm-tiller"
state: absent

209
tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/tasks/main.yaml Normal file
View File

@ -0,0 +1,209 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: storing node hostname
set_fact:
kubeadm_node_hostname: "{% if ansible_domain is defined %}{{ ansible_fqdn }}{% else %}{{ ansible_hostname }}.node.{{ k8s.networking.dnsDomain }}{% endif %}"
- name: deploy config file and make dir structure
block:
- name: setup directorys on host
file:
path: "{{ item }}"
state: directory
with_items:
- /etc/kubernetes
- /etc/kubernetes/pki
- name: generating initial admin token
delegate_to: 127.0.0.1
command: /usr/bin/kubeadm token generate
register: kubeadm_bootstrap_token
- name: storing initial admin token
set_fact:
kubeadm_bootstrap_token: "{{ kubeadm_bootstrap_token.stdout }}"
- name: kubelet | copying config to host
template:
src: kubeadm-conf.yaml.j2
dest: /etc/kubernetes/kubeadm-conf.yaml
mode: 0640
- name: generating certs
delegate_to: 127.0.0.1
block:
- name: master | deploy | certs | ca
command: kubeadm alpha phase certs ca --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: master | deploy | certs | apiserver
command: kubeadm alpha phase certs apiserver --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: master | deploy | certs | apiserver-kubelet-client
command: kubeadm alpha phase certs apiserver-kubelet-client --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: master | deploy | certs | sa
command: kubeadm alpha phase certs sa --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: master | deploy | certs | front-proxy-ca
command: kubeadm alpha phase certs front-proxy-ca --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: master | deploy | certs | front-proxy-client
command: kubeadm alpha phase certs front-proxy-client --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: generating kubeconfigs
delegate_to: 127.0.0.1
block:
- name: master | deploy | kubeconfig | admin
command: kubeadm alpha phase kubeconfig admin --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: master | deploy | kubeconfig | kubelet
command: kubeadm alpha phase kubeconfig kubelet --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: master | deploy | kubeconfig | controller-manager
command: kubeadm alpha phase kubeconfig controller-manager --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: master | deploy | kubeconfig | scheduler
command: kubeadm alpha phase kubeconfig scheduler --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: generating etcd static manifest
delegate_to: 127.0.0.1
command: kubeadm alpha phase etcd local --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: generating controlplane static manifests
delegate_to: 127.0.0.1
block:
- name: master | deploy | controlplane | apiserver
command: kubeadm alpha phase controlplane apiserver --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: master | deploy | controlplane | controller-manager
command: kubeadm alpha phase controlplane controller-manager --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: master | deploy | controlplane | scheduler
command: kubeadm alpha phase controlplane scheduler --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: wait for kube components
delegate_to: 127.0.0.1
block:
- name: wait for kube api
shell: export KUBECONFIG=/mnt/rootfs/etc/kubernetes/admin.conf; python /usr/bin/test-kube-api.py
register: task_result
until: task_result.rc == 0
retries: 120
delay: 5
- name: wait for node to come online
shell: export KUBECONFIG=/mnt/rootfs/etc/kubernetes/admin.conf; kubectl get node "{{ kubeadm_node_hostname }}" --no-headers | gawk '{ print $2 }' | grep -q '\(^Ready\)\|\(^NotReady\)'
register: task_result
until: task_result.rc == 0
retries: 120
delay: 5
- include_tasks: wait-for-kube-system-namespace.yaml
- name: deploying kube-proxy
delegate_to: 127.0.0.1
command: kubeadm alpha phase addon kube-proxy --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- include_tasks: helm-cni.yaml
- name: wait for kube components
delegate_to: 127.0.0.1
block:
- name: wait for node to be ready
shell: export KUBECONFIG=/mnt/rootfs/etc/kubernetes/admin.conf; kubectl get node "{{ kubeadm_node_hostname }}" --no-headers | gawk '{ print $2 }' | grep -q '^Ready'
register: task_result
until: task_result.rc == 0
retries: 120
delay: 5
- include_tasks: wait-for-kube-system-namespace.yaml
# - name: deploying kube-dns addon
# delegate_to: 127.0.0.1
# block:
# - name: master | deploy | kube-dns
# command: kubeadm alpha phase addon kube-dns --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
# - include_tasks: wait-for-kube-system-namespace.yaml
- include_tasks: helm-dns.yaml
- include_tasks: helm-deploy.yaml
- name: uploading cluster config to api
delegate_to: 127.0.0.1
command: kubeadm alpha phase upload-config --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: generating bootstrap-token objects
delegate_to: 127.0.0.1
block:
- name: master | deploy | bootstrap-token | allow-post-csrs
command: kubeadm --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf alpha phase bootstrap-token node allow-post-csrs
- name: master | deploy | bootstrap-token | allow-auto-approve
command: kubeadm --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf alpha phase bootstrap-token node allow-auto-approve
- name: generating bootstrap-token objects
delegate_to: 127.0.0.1
block:
- name: check if kube-public namespace exists
command: kubectl --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf get ns kube-public
register: kube_public_ns_exists
ignore_errors: True
- name: create kube-public namespace if required
when: kube_public_ns_exists | failed
command: kubectl --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf create ns kube-public
- name: sourcing kube cluster admin credentials
include_vars: /etc/kubernetes/admin.conf
- name: creating cluster-info configmap manifest on host
template:
src: cluster-info.yaml.j2
dest: /etc/kubernetes/cluster-info.yaml
mode: 0644
- name: removing any pre-existing cluster-info configmap
command: kubectl --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf delete -f /etc/kubernetes/cluster-info.yaml --ignore-not-found
- name: creating cluster-info configmap
command: kubectl --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf create -f /etc/kubernetes/cluster-info.yaml
- name: removing cluster-info configmap manifest from host
file:
path: "{{ item }}"
state: absent
with_items:
- /etc/kubernetes/cluster-info.yaml
- name: check if kube-public configmap role exists
command: kubectl --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf -n kube-public get role system:bootstrap-signer-clusterinfo
register: kube_public_configmap_role_exists
ignore_errors: True
- name: create kube-public configmap role if required
when: kube_public_configmap_role_exists | failed
command: kubectl --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf -n kube-public create role system:bootstrap-signer-clusterinfo --verb get --resource configmaps
- name: check if kube-public configmap rolebinding exists
command: kubectl --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf -n kube-public get rolebinding kubeadm:bootstrap-signer-clusterinfo
register: kube_public_configmap_rolebinding_exists
ignore_errors: True
- name: create kube-public configmap rolebinding if required
when: kube_public_configmap_rolebinding_exists | failed
command: kubectl --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf -n kube-public create rolebinding kubeadm:bootstrap-signer-clusterinfo --role system:bootstrap-signer-clusterinfo --user system:anonymous
- name: converting the cluster to be selfhosted
when: k8s.selfHosted|bool == true
delegate_to: 127.0.0.1
command: kubeadm alpha phase selfhosting convert-from-staticpods --kubeconfig /mnt/rootfs/etc/kubernetes/admin.conf --config /mnt/rootfs/etc/kubernetes/kubeadm-conf.yaml
- name: setting up kubectl client on host
block:
- name: kubectl | copying kubectl binary to host
copy:
src: /usr/bin/kubectl
dest: /usr/bin/kubectl
owner: root
group: root
mode: 0555
- name: kubectl | master | ensure kube config directory exists for user
file:
path: "{{ item }}"
state: directory
with_items:
- "{{ vars.user.home }}/.kube"
- name: kubectl | master | deploy kube config file for user
copy:
src: /mnt/rootfs/etc/kubernetes/admin.conf
dest: "{{ vars.user.home }}/.kube/config"
owner: "{{ vars.user.uid }}"
group: "{{ vars.user.gid }}"
mode: 0600

21
tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/tasks/wait-for-kube-system-namespace.yaml Normal file
View File

@ -0,0 +1,21 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: wait for kube pods to all be running in kube-system namespace
delegate_to: 127.0.0.1
shell: export KUBECONFIG=/mnt/rootfs/etc/kubernetes/admin.conf; /usr/bin/test-kube-pods-ready kube-system
register: task_result
until: task_result.rc == 0
retries: 120
delay: 5

18
tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/templates/cluster-info.yaml.j2 Normal file
View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: cluster-info
namespace: kube-public
data:
kubeconfig: |
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: {{ clusters[0].cluster['certificate-authority-data'] }}
server: {{ clusters[0].cluster['server'] }}
name: ""
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []

46
tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-master/templates/kubeadm-conf.yaml.j2 Normal file
View File

@ -0,0 +1,46 @@
#jinja2: trim_blocks:False
apiVersion: kubeadm.k8s.io/v1alpha1
kind: MasterConfiguration
kubernetesVersion: {{ k8s.kubernetesVersion }}
imageRepository: {{ k8s.imageRepository }}
nodeName: {{ kubeadm_node_hostname }}
api:
advertiseAddress: {% if k8s.api.advertiseAddress is defined %}{{ k8s.api.advertiseAddress }}{% else %}{% if k8s.api.advertiseAddressDevice is defined %}{{ hostvars[inventory_hostname]['ansible_'+k8s.api.advertiseAddressDevice].ipv4.address }}{% else %}{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}{% endif %}{% endif %}
bindPort: {{ k8s.api.bindPort }}
# etcd:
# endpoints:
# - <endpoint1|string>
# - <endpoint2|string>
# caFile: <path|string>
# certFile: <path|string>
# keyFile: <path|string>
# dataDir: <path|string>
# extraArgs:
# <argument>: <value|string>
# <argument>: <value|string>
# image: <string>
networking:
dnsDomain: {{ k8s.networking.dnsDomain }}
podSubnet: {{ k8s.networking.podSubnet }}
serviceSubnet: {{ k8s.networking.serviceSubnet }}
#cloudProvider: <string>
authorizationModes:
- Node
- RBAC
token: {{ kubeadm_bootstrap_token }}
tokenTTL: 24h0m0s
selfHosted: {{ k8s.selfHosted }}
apiServerExtraArgs:
runtime-config: "batch/v2alpha1=true"
# <argument>: <value|string>
# controllerManagerExtraArgs:
# <argument>: <value|string>
# <argument>: <value|string>
# schedulerExtraArgs:
# <argument>: <value|string>
# <argument>: <value|string>
# apiServerCertSANs:
# - <name1|string>
# - <name2|string>
certificatesDir: {{ k8s.certificatesDir }}
#unifiedControlPlaneImage: <string>

40
tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubeadm-node/tasks/main.yaml Normal file
View File

@ -0,0 +1,40 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- block:
- name: base kubeadm deploy
file:
path: "{{ item }}"
state: directory
with_items:
- /etc/kubernetes/
- /etc/systemd/system/kubelet.service.d/
- /var/lib/kubelet/
- name: copying kubeadm binary to host
copy:
src: /usr/bin/kubeadm
dest: /usr/bin/kubeadm
owner: root
group: root
mode: 0555
- debug:
msg: "{{ kubeadm_join_command }}"
- name: running kubeadm join command
command: "{{ kubeadm_join_command }}"
- name: base kubeadm deploy
file:
path: "{{ item }}"
state: absent
with_items:
- /usr/bin/kubeadm

35
tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/tasks/hostname.yaml Normal file
View File

@ -0,0 +1,35 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: DNS | Ensure node fully qualified hostname is set
lineinfile:
unsafe_writes: true
state: present
dest: /etc/hosts
line: "{% if kubelet.bind_device is defined %}{{ hostvars[inventory_hostname]['ansible_'+kubelet.bind_device].ipv4.address }}{% else %}{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}{% endif %} {% if ansible_domain is defined %}{{ ansible_fqdn }}{% else %}{{ ansible_hostname }}.node.{{ k8s.networking.dnsDomain }}{% endif %} {{ ansible_hostname }}"
regexp: "^{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}{% if kubelet.bind_device is defined %}|{{ hostvars[inventory_hostname]['ansible_'+kubelet.bind_device].ipv4.address }}{% endif %}"
- block:
- name: DNS | Ensure node localhost ipv4 hostname is set
lineinfile:
unsafe_writes: true
state: present
dest: /etc/hosts
line: "127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4"
regexp: "^127.0.0.1"
- name: DNS | Ensure node localhost ipv6 hostname is set
lineinfile:
unsafe_writes: true
state: present
dest: /etc/hosts
line: "::1 localhost6 localhost6.localdomain6"
regexp: "^::1"

162
tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/tasks/kubelet.yaml Normal file
View File

@ -0,0 +1,162 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: ubuntu | installing kubelet support packages
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
apt:
name: "{{item}}"
state: installed
with_items:
- ebtables
- ethtool
- iproute2
- iptables
- libmnl0
- libnfnetlink0
- libwrap0
- libxtables11
- socat
- name: centos | installing kubelet support packages
when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
yum:
name: "{{item}}"
state: installed
with_items:
- ebtables
- ethtool
- tcp_wrappers-libs
- libmnl
- socat
- name: fedora | installing kubelet support packages
when: ansible_distribution == 'Fedora'
dnf:
name: "{{item}}"
state: installed
with_items:
- ebtables
- ethtool
- tcp_wrappers-libs
- libmnl
- socat
- name: getting docker cgroup driver info
when: kubelet.container_runtime == 'docker'
block:
- name: docker | getting cgroup driver info
shell: docker info | awk '/^Cgroup Driver:/ { print $NF }'
register: docker_cgroup_driver
- name: setting kublet cgroup driver
set_fact:
kubelet_cgroup_driver: "{{ docker_cgroup_driver.stdout }}"
- name: setting kublet cgroup driver for CRI-O
when: kubelet.container_runtime == 'crio'
set_fact:
kubelet_cgroup_driver: "systemd"
- name: setting node hostname fact
set_fact:
kubelet_node_hostname: "{% if ansible_domain is defined %}{{ ansible_fqdn }}{% else %}{{ ansible_hostname }}.node.{{ k8s.networking.dnsDomain }}{% endif %}"
- name: base kubelet deploy
block:
- file:
path: "{{ item }}"
state: directory
with_items:
- /etc/kubernetes/
- /etc/systemd/system/kubelet.service.d/
- /var/lib/kubelet/
- name: copying kubelet binary to host
copy:
src: /opt/assets/usr/bin/kubelet
dest: /usr/bin/kubelet
owner: root
group: root
mode: 0555
- name: copying base systemd unit to host
template:
src: kubelet.service.j2
dest: /etc/systemd/system/kubelet.service
mode: 0640
- name: copying kubeadm drop-in systemd unit to host
template:
src: 10-kubeadm.conf.j2
dest: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
mode: 0640
- name: copying kubelet DNS config to host
template:
src: kubelet-resolv.conf.j2
dest: /etc/kubernetes/kubelet-resolv.conf
mode: 0640
- name: base cni support
block:
- file:
path: "{{ item }}"
state: directory
with_items:
- /etc/cni/net.d
- /opt/cni/bin
- name: copy cni binaries into place
copy:
src: /opt/assets/opt/cni/bin/{{ item }}
dest: /opt/cni/bin/{{ item }}
owner: root
group: root
mode: 0555
with_items:
- flannel
- ptp
- host-local
- portmap
- tuning
- vlan
- sample
- dhcp
- ipvlan
- macvlan
- loopback
- bridge
- name: CRI-O runtime config
when: kubelet.container_runtime == 'crio'
block:
- name: copying CRI-O drop-in systemd unit to host
template:
src: 0-crio.conf.j2
dest: /etc/systemd/system/kubelet.service.d/0-crio.conf
mode: 0640
- name: CRI-O | ensure service is restarted and enabled
systemd:
name: crio
state: restarted
enabled: yes
masked: no
- name: docker | ensure service is started and enabled
when: kubelet.container_runtime == 'docker'
systemd:
name: docker
state: started
enabled: yes
masked: no
- name: ensure service is restarted and enabled
systemd:
name: kubelet
state: restarted
daemon_reload: yes
enabled: yes
masked: no

19
tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/tasks/main.yaml Normal file
View File

@ -0,0 +1,19 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- include_tasks: support-packages.yaml
- include_tasks: hostname.yaml
- include_tasks: setup-dns.yaml
- include_tasks: kubelet.yaml

49
tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/tasks/setup-dns.yaml Normal file
View File

@ -0,0 +1,49 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: DNS | Check if NetworkManager is being used
raw: systemctl status NetworkManager --no-pager
register: network_manager_in_use
ignore_errors: True
- name: DNS | Disable network NetworkManager management of resolv.conf
when: network_manager_in_use | succeeded
ini_file:
path: /etc/NetworkManager/NetworkManager.conf
section: main
option: dns
value: none
- name: DNS | load new resolv.conf
template:
unsafe_writes: yes
src: resolv.conf.j2
dest: /etc/resolv.conf
- name: DNS | Restarting NetworkManager
when: network_manager_in_use | succeeded
block:
- name: DNS | Restarting NetworkManager Service
systemd:
name: NetworkManager
state: restarted
daemon_reload: yes
enabled: yes
masked: no
- pause:
seconds: 5
- name: DNS | Waiting for connectivity to be restored to outside world
shell: if ! [[ $(ip -4 route list 0/0 | head -c1 | wc -c) -ne 0 ]]; then exit 1; fi
register: task_result
until: task_result.rc == 0
retries: 120
delay: 5

71
tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/tasks/support-packages.yaml Normal file
View File

@ -0,0 +1,71 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: centos | installing epel-release
when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
yum:
name: "{{item}}"
state: installed
with_items:
- epel-release
- name: centos | installing SElinux support packages
when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
yum:
name: "{{item}}"
state: installed
with_items:
- libselinux-python
- name: fedora | installing SElinux support packages
when: ansible_distribution == 'Fedora'
dnf:
name: "{{item}}"
state: installed
with_items:
- libselinux-python
- when: kubelet.pv_support_ceph
name: installing ceph support packages
include_role:
name: deploy-package
tasks_from: dist
vars:
packages:
deb:
- ceph-common
rpm:
- ceph-common
- when: kubelet.pv_support_nfs
name: installing NFS support packages
include_role:
name: deploy-package
tasks_from: dist
vars:
packages:
deb:
- nfs-common
rpm:
- nfs-utils
- name: installing LinuxBridge support
when: kubelet.net_support_linuxbridge
include_role:
name: deploy-package
tasks_from: dist
vars:
packages:
deb:
- bridge-utils
rpm:
- bridge-utils

2
tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/templates/0-crio.conf.j2 Normal file
View File

@ -0,0 +1,2 @@
[Service]
Environment="KUBELET_EXTRA_ARGS=--container-runtime=remote --runtime-request-timeout=15m --image-service-endpoint /var/run/crio.sock --container-runtime-endpoint /var/run/crio.sock"

11
tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/templates/10-kubeadm.conf.j2 Normal file
View File

@ -0,0 +1,11 @@
[Service]
Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
Environment="KUBELET_SYSTEM_PODS_ARGS=--pod-manifest-path=/etc/kubernetes/manifests --allow-privileged=true --cgroup-driver={{ kubelet_cgroup_driver }}"
Environment="KUBELET_NETWORK_ARGS=--network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin --node-ip={% if kubelet.bind_addr is defined %}{{ kubelet.bind_addr }}{% else %}{% if kubelet.bind_device is defined %}{{ hostvars[inventory_hostname]['ansible_'+kubelet.bind_device].ipv4.address }}{% else %}{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}{% endif %}{% endif %} --hostname-override={{ kubelet_node_hostname }}"
Environment="KUBELET_DNS_ARGS=--cluster-dns=10.96.0.10 --cluster-domain={{ k8s.networking.dnsDomain }} --resolv-conf=/etc/kubernetes/kubelet-resolv.conf"
Environment="KUBELET_AUTHZ_ARGS=--authorization-mode=Webhook --client-ca-file=/etc/kubernetes/pki/ca.crt"
Environment="KUBELET_CADVISOR_ARGS=--cadvisor-port=0"
Environment="KUBELET_CERTIFICATE_ARGS=--rotate-certificates=true --cert-dir=/var/lib/kubelet/pki"
#ExecStartPre=-+/sbin/restorecon -v /usr/bin/kubelet #SELinux
ExecStart=
ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_SYSTEM_PODS_ARGS $KUBELET_NETWORK_ARGS $KUBELET_DNS_ARGS $KUBELET_AUTHZ_ARGS $KUBELET_CADVISOR_ARGS $KUBELET_CERTIFICATE_ARGS $KUBELET_EXTRA_ARGS

3
tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/templates/kubelet-resolv.conf.j2 Normal file
View File

@ -0,0 +1,3 @@
{% for nameserver in external_dns_nameservers %}
nameserver {{ nameserver }}
{% endfor %}

13
tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/templates/kubelet.service.j2 Normal file
View File

@ -0,0 +1,13 @@
[Unit]
Description=kubelet: The Kubernetes Node Agent
Documentation=http://kubernetes.io/docs/
[Service]
ExecStartPre=/sbin/swapoff -a
ExecStart=/usr/bin/kubelet
Restart=always
StartLimitInterval=0
RestartSec=10
[Install]
WantedBy=multi-user.target

6
tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-kubelet/templates/resolv.conf.j2 Normal file
View File

@ -0,0 +1,6 @@
search svc.{{ k8s.networking.dnsDomain }} {{ k8s.networking.dnsDomain }}
nameserver 10.96.0.10
{% for nameserver in external_dns_nameservers %}
nameserver {{ nameserver }}
{% endfor %}
options ndots:5 timeout:1 attempts:1

38
tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-package/tasks/dist.yaml Normal file
View File

@ -0,0 +1,38 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: ubuntu | installing packages
become: true
become_user: root
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
apt:
name: "{{item}}"
state: present
with_items: "{{ packages.deb }}"
- name: centos | installing packages
become: true
become_user: root
when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
yum:
name: "{{item}}"
state: present
with_items: "{{ packages.rpm }}"
- name: fedora | installing packages
become: true
become_user: root
when: ansible_distribution == 'Fedora'
dnf:
name: "{{item}}"
state: present
with_items: "{{ packages.rpm }}"

7
tools/images/kubeadm-aio/assets/opt/playbooks/roles/deploy-package/tasks/pip.yaml Normal file
View File

@ -0,0 +1,7 @@
- name: "installing python {{ package }}"
become: true
become_user: root
pip:
name: "{{ package }}"

48
tools/images/kubeadm-aio/assets/opt/playbooks/vars.yaml Normal file
View File

@ -0,0 +1,48 @@
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
all:
vars:
my_container_name: null
user:
uid: null
gid: null
home: null
external_dns_nameservers:
- 8.8.8.8
- 8.8.4.4
cluster:
cni: calico
kubelet:
container_runtime: docker
net_support_linuxbridge: true
pv_support_ceph: true
pv_support_nfs: true
bind_device: null
helm:
tiller_image: gcr.io/kubernetes-helm/tiller:v2.7.0-rc1
k8s:
kubernetesVersion: v1.8.0
imageRepository: gcr.io/google_containers
certificatesDir: /etc/kubernetes/pki
selfHosted: false
api:
bindPort: 6443
#NOTE(portdirect): The following is a custom key, which resolves the
# 'advertiseAddress' key dynamicly.
advertiseAddressDevice: null
networking:
dnsDomain: cluster.local
podSubnet: 192.168.0.0/16
serviceSubnet: 10.96.0.0/12

21
tools/images/kubeadm-aio/assets/usr/bin/test-kube-api.py Executable file
View File

@ -0,0 +1,21 @@
#!/usr/bin/env python
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from kubernetes import client, config
config.load_kube_config()
# create an instance of the API class
api_instance = client.VersionApi()
api_instance.get_code()

33
tools/images/kubeadm-aio/assets/usr/bin/test-kube-pods-ready Executable file
View File

@ -0,0 +1,33 @@
#!/usr/bin/env bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -e
NAMESPACE=$1
kubectl get pods --namespace=${NAMESPACE} -o json | jq -r \
'.items[].status.phase' | grep Pending > /dev/null && \
PENDING=True || PENDING=False
query='.items[]|select(.status.phase=="Running")'
query="$query|.status.containerStatuses[].ready"
kubectl get pods --namespace=${NAMESPACE} -o json | jq -r "$query" | \
grep false > /dev/null && READY="False" || READY="True"
kubectl get jobs -o json --namespace=${NAMESPACE} | jq -r \
'.items[] | .spec.completions == .status.succeeded' | \
grep false > /dev/null && JOBR="False" || JOBR="True"
[ $PENDING == "False" -a $READY == "True" -a $JOBR == "True" ] && \
exit 0 || exit 1

37
tools/pull-images.sh Executable file
View File

@ -0,0 +1,37 @@
#!/usr/bin/env bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -x
KUBE_VERSION=v1.8.1
KUBE_IMAGES="gcr.io/google_containers/hyperkube-amd64:${KUBE_VERSION}
gcr.io/google_containers/kube-apiserver-amd64:${KUBE_VERSION}
gcr.io/google_containers/kube-controller-manager-amd64:${KUBE_VERSION}
gcr.io/google_containers/kube-proxy-amd64:${KUBE_VERSION}
gcr.io/google_containers/kube-scheduler-amd64:${KUBE_VERSION}
gcr.io/google_containers/pause-amd64:3.0
gcr.io/google_containers/etcd-amd64:3.0.17"
CHART_IMAGES=""
for CHART_DIR in ./*/ ; do
if [ -e ${CHART_DIR}values.yaml ]; then
CHART_IMAGES+=" $(cat ${CHART_DIR}values.yaml | yq '.images.tags | map(.) | join(" ")' | tr -d '"')"
fi
done
ALL_IMAGES="${KUBE_IMAGES} ${CHART_IMAGES}"
for IMAGE in ${ALL_IMAGES}; do
docker inspect $IMAGE >/dev/null|| docker pull $IMAGE
done