tripleo-heat-templates/extraconfig/services/kubernetes-master.yaml
Steve Baker 5ceb3c5ec7 Make ceph-ansible working dir owned by tripleo-admin
The ceph-ansible tasks are now invoked with the tripleo-admin user,
which doesn't by default have write access to /var/lib/mistral, but it
does have sudo access.

This change makes /var/lib/mistral/overcloud/ceph-ansible owned by the
tripleo-admin user so that subsequent tasks can write to that
directory.

Related-Bug: #1813832
Change-Id: I98bb38078be84cbda3e9a9e338af0d054dc53420
2019-02-12 09:13:15 +05:30


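heat_template_version: rocky
description: Triggers a Mistral workflow for the deployment of Kubernetes

parameters:
  RoleNetIpMap:
    default: {}
    type: json
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry. This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  # Feeds both kubespray variables in global_vars.yml below: the value is
  # passed through as ignore_assert_errors and its negation becomes
  # kubelet_fail_swap_on.
  KubesprayIgnoreAssertErrors:
    default: false
    description: Ignore kubespray pre-flight checks. Useful for deploying
                 on environments with swap enabled.
    type: boolean

outputs:
  role_data:
    description: Role data for the Kubernetes Service
    value:
      service_name: kubernetes_master
      config_settings:
        # Inbound ports opened on master nodes: the API server, the etcd
        # client/peer ports and the flannel overlay (UDP).
        tripleo::kubernetes_master::firewall_rules:
          '200 kubernetes-master api':
            dport: 6443
            proto: tcp
          '200 kubernetes-master etcd':
            dport:
              - 2379
              - 2380
            proto: tcp
          '200 kubernetes-master flannel':
            dport:
              - 8285
              - 8472
            proto: udp
      upgrade_tasks: []
      step_config: ''
      external_deploy_tasks:
        # FIXME: remove this block when kubespray is packaged
        - name: kubernetes_master step 2 kubespray repository
          when: step|int == 2
          block:
            - name: check kubespray directory existence
              stat:
                path: /usr/share/kubespray
              register: kubespray_stat
            # Packaged checkout wins; otherwise a per-user location is used.
            # NOTE(review): only the 'mistral' user is special-cased here,
            # so any other deploying user falls through to its home
            # directory — confirm that is the intended location when the
            # tasks run as a different service user.
            - name: select kubespray source directory
              set_fact:
                kubespray_dir: >-
                  {%- if kubespray_stat.stat.exists -%}
                  /usr/share/kubespray
                  {%- elif ansible_user_id == 'mistral' -%}
                  /var/lib/mistral/kubespray
                  {%- else -%}
                  {{ ansible_user_dir }}/kubespray
                  {%- endif -%}
            - name: check cloned kubespray directory existence
              stat:
                path: "{{ kubespray_dir }}"
              register: kubespray_cloned_stat
              when: not kubespray_stat.stat.exists
            # Fetches the tip of kubespray's master branch with no version
            # pin, checksum or signature check; whatever that branch holds at
            # deploy time is what later runs, with privilege escalation, on
            # every host in the generated inventory. Pinning to a release
            # archive and verifying its checksum here would make deployments
            # reproducible and close that supply-chain gap.
            - name: download kubespray source
              shell: |
                set -eux
                mkdir '{{ kubespray_dir }}'
                cd '{{ kubespray_dir }}'
                curl -Lo kubespray.tar.gz 'https://github.com/kubernetes-incubator/kubespray/archive/master.tar.gz'
                tar --strip-components 1 -xzvf kubespray.tar.gz
              # do not overwrite existing contents
              when: not kubespray_stat.stat.exists and not kubespray_cloned_stat.stat.exists
        - name: kubernetes_master step 2
          when: step|int == 2
          block:
            # Created with privileges, then handed to the deploying user so
            # the unprivileged tasks below can write into them.
            - name: create kubespray temp dirs
              become: true
              file:
                path: "{{item}}"
                state: directory
                owner: "{{ ansible_user }}"
              with_items:
                - "{{playbook_dir}}/kubespray"
                - "{{playbook_dir}}/kubespray/artifacts"
            # Every host is handed to kubespray with ansible_become enabled,
            # so the downloaded playbooks run as root on all nodes.
            # NOTE(review): the trailing "-" on the for tags strips the
            # indentation of the host line that follows, so the indentation
            # the consumer sees comes from the for/endfor lines themselves;
            # verify the rendered inventory.yml with more than one host per
            # group before relying on it.
            - name: generate kubespray inventory
              copy:
                dest: "{{playbook_dir}}/kubespray/inventory.yml"
                content: |
                  kube-master:
                    hosts:
                      {% for host in groups['kubernetes_master'] -%}
                      {{ hostvars.raw_get(host)['ansible_hostname'] }}:
                        ansible_user: {{ hostvars.raw_get(host)['ansible_user'] | default(hostvars.raw_get(host)['ansible_ssh_user']) | default('root') }}
                        ansible_host: {{ hostvars.raw_get(host)['ansible_host'] | default(host) }}
                        ansible_become: true
                  {% endfor %}
                  kube-node:
                    hosts:
                      {% for host in groups['kubernetes_worker'] -%}
                      {{ hostvars.raw_get(host)['ansible_hostname'] }}:
                        ansible_user: {{ hostvars.raw_get(host)['ansible_user'] | default(hostvars.raw_get(host)['ansible_ssh_user']) | default('root') }}
                        ansible_host: {{ hostvars.raw_get(host)['ansible_host'] | default(host) }}
                        ansible_become: true
                  {% endfor %}
                  etcd:
                    children:
                      kube-master: {}
                  k8s-cluster:
                    children:
                      kube-master: {}
                      kube-node: {}
            # Heat fills the two placeholders at stack time; the swap setting
            # is the negation of the ignore flag so a host with swap enabled
            # can be deployed when pre-flight checks are ignored.
            - name: generate kubespray global vars
              copy:
                dest: "{{playbook_dir}}/kubespray/global_vars.yml"
                content:
                  str_replace:
                    template: |
                      kubeconfig_localhost: true
                      artifacts_dir: '{{playbook_dir}}/kubespray/artifacts'
                      ignore_assert_errors: IGNORE_ASSERT_ERRORS
                      kubelet_fail_swap_on: KUBELET_FAIL_SWAP_ON
                    params:
                      IGNORE_ASSERT_ERRORS: {get_param: KubesprayIgnoreAssertErrors}
                      KUBELET_FAIL_SWAP_ON:
                        yaql:
                          expression: not $.data
                          data: {get_param: KubesprayIgnoreAssertErrors}
            - name: generate kubespray playbook
              copy:
                dest: "{{playbook_dir}}/kubespray/playbook.yml"
                content: |
                  - import_playbook: {{ kubespray_dir|default('/usr/share/kubespray') }}/cluster.yml
            - name: set kubespray command
              set_fact:
                # NOTE: We could let kubespray configure docker
                # (remove --skip-tags docker) and run it in step 1
                # when this RFE is implemented:
                # https://github.com/kubernetes-incubator/kubespray/issues/1836
                #
                # A caller-provided kubespray_command is used verbatim.
                # ANSIBLE_HOST_KEY_CHECKING=False makes the nested
                # ansible-playbook accept any SSH host key, so a host
                # impersonating a node on the network would not be detected;
                # distributing a known_hosts file to the deploying user would
                # let this be dropped.
                kubespray_command: >-
                  {%- if kubespray_command is defined -%}
                  {{kubespray_command}}
                  {%- else -%}
                  ANSIBLE_HOST_KEY_CHECKING=False
                  ansible-playbook
                  -i '{{playbook_dir}}/kubespray/inventory.yml'
                  --skip-tags docker,bastion-ssh-config
                  --extra-vars '@{{playbook_dir}}/kubespray/global_vars.yml'
                  {% if ansible_ssh_private_key_file is defined %}--private-key '{{ansible_ssh_private_key_file}}'{% endif %}
                  '{{playbook_dir}}/kubespray/playbook.yml'
                  {%- endif -%}
            - name: print kubespray command
              debug:
                var: kubespray_command
            - name: run kubespray (immediate log at {{playbook_dir}}/kubespray/playbook.log)
              shell: |
                {{kubespray_command}} 2>&1 | tee {{playbook_dir}}/kubespray/playbook.log
                exit ${PIPESTATUS[0]}
              # PIPESTATUS is a bash array; pin the interpreter so the exit
              # status of ansible-playbook (not of tee) is what fails the task.
              args:
                executable: /bin/bash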