Adding support for proxy w/ rkt kubelet

2017-02-09 23:34:43 -06:00 · 2017-02-09 23:34:43 -06:00 · 4c891b8bb0
commit 4c891b8bb0
parent 948d9bdadb
5 changed files with 56 additions and 31 deletions
--- a/roles/kubernetes/node/tasks/install.yml
+++ b/roles/kubernetes/node/tasks/install.yml
@ -1,26 +1,4 @@
 ---
 - name: Trust kubelet container
  command: >-
    /usr/bin/rkt trust
    --skip-fingerprint-review
    --root
    {{ item }}
  register: kubelet_rkt_trust_result
  until: kubelet_rkt_trust_result.rc == 0
  with_items:
    - "https://quay.io/aci-signing-key"
    - "https://coreos.com/dist/pubkeys/aci-pubkeys.gpg"
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
  changed_when: false
  when: kubelet_deployment_type == "rkt"
 - name: create kubelet working directory
  file:
    state: directory
    path: /var/lib/kubelet
  when: kubelet_deployment_type == "rkt"
 - name: install | Set SSL CA directories
  set_fact:
    ssl_ca_dirs: "[
@ -35,11 +13,12 @@
    ]"
  tags: facts
 - include: "install_{{ kubelet_deployment_type }}.yml"
 - name: install | Write kubelet systemd init file
-  template: "src=kubelet.{{ kubelet_deployment_type }}.service.j2 dest=/etc/systemd/system/kubelet.service backup=yes"
+  template: 
    src: "kubelet.{{ kubelet_deployment_type }}.service.j2"
    dest: "/etc/systemd/system/kubelet.service"
    backup: "yes"
  notify: restart kubelet
 - name: install | Install kubelet launch script
  template: src=kubelet-container.j2 dest="{{ bin_dir }}/kubelet" owner=kube mode=0755 backup=yes
  notify: restart kubelet
  when: kubelet_deployment_type == "docker"
--- a/roles/kubernetes/node/tasks/install_docker.yml
+++ b/roles/kubernetes/node/tasks/install_docker.yml
@ -0,0 +1,9 @@
 ---
 - name: install | Install kubelet launch script
  template: 
    src: kubelet-container.j2 
    dest: "{{ bin_dir }}/kubelet" 
    owner: kube 
    mode: 0755 
    backup: yes
  notify: restart kubelet
--- a/roles/kubernetes/node/tasks/install_rkt.yml
+++ b/roles/kubernetes/node/tasks/install_rkt.yml
@ -0,0 +1,33 @@
 ---
 - name: Trust kubelet container
  command: >-
    /usr/bin/rkt trust
    --skip-fingerprint-review
    --root
    {{ item }}
  register: kubelet_rkt_trust_result
  until: kubelet_rkt_trust_result.rc == 0
  with_items:
    - "https://quay.io/aci-signing-key"
    - "https://coreos.com/dist/pubkeys/aci-pubkeys.gpg"
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
  changed_when: false
 - name: create kubelet working directory
  file:
    state: directory
    path: /var/lib/kubelet
 - name: Create kubelet service systemd directory
  file: 
    path: /etc/systemd/system/kubelet.service.d 
    state: directory
 - name: Write kubelet proxy drop-in
  template:
    src: http-proxy.conf.j2
    dest: /etc/systemd/system/kubelet.service.d/http-proxy.conf
  when: http_proxy is defined or https_proxy is defined or no_proxy is defined
  notify: restart kubelet
--- a/roles/kubernetes/node/templates/http-proxy.conf.j2
+++ b/roles/kubernetes/node/templates/http-proxy.conf.j2
@ -0,0 +1,2 @@
 [Service]
 Environment={% if http_proxy %}"HTTP_PROXY={{ http_proxy }}"{% endif %} {% if https_proxy %}"HTTPS_PROXY={{ https_proxy }}"{% endif %} {% if no_proxy %}"NO_PROXY={{ no_proxy }}"{% endif %}
--- a/roles/kubernetes/node/templates/kubelet.rkt.service.j2
+++ b/roles/kubernetes/node/templates/kubelet.rkt.service.j2
@ -21,11 +21,9 @@ EnvironmentFile={{kube_config_dir}}/kubelet.env
 # stage1-fly mounts /proc /sys /dev so no need to duplicate the mounts
 ExecStart=/usr/bin/rkt run \
        --volume dns,kind=host,source=/etc/resolv.conf \
        --volume etc-cni,kind=host,source=/etc/cni,readOnly=true \
        --volume etc-kubernetes,kind=host,source={{ kube_config_dir }},readOnly=false \
        --volume etc-ssl-certs,kind=host,source=/etc/ssl/certs,readOnly=true \
        --volume etcd-ssl,kind=host,source={{ etcd_config_dir }},readOnly=true \
        --volume opt-cni,kind=host,source=/opt/cni,readOnly=true \
        --volume run,kind=host,source=/run,readOnly=false \
        {% for dir in ssl_ca_dirs -%}
        --volume {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }},kind=host,source={{ dir }},readOnly=true \
@ -33,12 +31,16 @@ ExecStart=/usr/bin/rkt run \
        --volume var-lib-docker,kind=host,source={{ docker_daemon_graph }},readOnly=false \
        --volume var-lib-kubelet,kind=host,source=/var/lib/kubelet,readOnly=false \
        --volume var-log,kind=host,source=/var/log \
-        --mount volume=dns,target=/etc/resolv.conf \
+{% if kube_network_plugin in ["calico", "weave", "canal"] %}
        --volume etc-cni,kind=host,source=/etc/cni,readOnly=true \
        --volume opt-cni,kind=host,source=/opt/cni,readOnly=true \
        --mount volume=etc-cni,target=/etc/cni \
        --mount volume=opt-cni,target=/opt/cni \
 {% endif %}
        --mount volume=dns,target=/etc/resolv.conf \
        --mount volume=etc-kubernetes,target={{ kube_config_dir }} \
        --mount volume=etc-ssl-certs,target=/etc/ssl/certs \
        --mount volume=etcd-ssl,target={{ etcd_config_dir }} \
        --mount volume=opt-cni,target=/opt/cni \
        --mount volume=run,target=/run \
        {% for dir in ssl_ca_dirs -%}
        --mount volume={{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }},target={{ dir }} \
		`@ -0,0 +1,2 @@`
							`[Service]`
							`Environment={% if http_proxy %}"HTTP_PROXY={{ http_proxy }}"{% endif %} {% if https_proxy %}"HTTPS_PROXY={{ https_proxy }}"{% endif %} {% if no_proxy %}"NO_PROXY={{ no_proxy }}"{% endif %}`