diff --git a/inventory/group_vars/all.yml b/inventory/group_vars/all.yml index a30055367..7380f1ab7 100644 --- a/inventory/group_vars/all.yml +++ b/inventory/group_vars/all.yml @@ -1,5 +1,5 @@ # Valid bootstrap options (required): ubuntu, coreos, centos, none -bootstrap_os: none +bootstrap_os: ubuntu #Directory where etcd data stored etcd_data_dir: /var/lib/etcd diff --git a/inventory/group_vars/k8s-cluster.yml b/inventory/group_vars/k8s-cluster.yml index ef5e363dc..7528288ad 100644 --- a/inventory/group_vars/k8s-cluster.yml +++ b/inventory/group_vars/k8s-cluster.yml @@ -69,7 +69,14 @@ kube_users: # Choose network plugin (calico, weave or flannel) # Can also be set to 'cloud', which lets the cloud provider setup appropriate routing -kube_network_plugin: calico +kube_network_plugin: weave + +# weave's network password for encryption +# if null then no network encryption +weave_password: ~t94S:mweJN}32-K + +# Set true for use weave's seed mode +mode_seed: false # Enable kubernetes network policies enable_network_policy: false diff --git a/inventory/group_vars/k8s-fede.yml b/inventory/group_vars/k8s-fede.yml new file mode 100644 index 000000000..1ef9a2d76 --- /dev/null +++ b/inventory/group_vars/k8s-fede.yml @@ -0,0 +1,7 @@ +# This file is use to save seed and peers values for weave's seed mode +# This two variable are automatically changed by the weave's role +# For reset values : +# seed: unset +# peers: unset +seed: unset +peers: unset diff --git a/inventory/inventory.example b/inventory/inventory.example index 13cc3612e..c52df6223 100644 --- a/inventory/inventory.example +++ b/inventory/inventory.example @@ -29,3 +29,7 @@ # [k8s-cluster:children] # kube-node # kube-master + +# ## For weave in seed mode +# [k8s-fede:children] +# k8s-cluster \ No newline at end of file diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml index de9e4c2cb..f290f1ba6 100644 --- a/roles/download/defaults/main.yml +++ b/roles/download/defaults/main.yml 
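Review bot: `bootstrap_os: ubuntu` here, together with the `kube_network_plugin: weave` flip in k8s-cluster.yml, turns the committed sample defaults into one environment's choices, which is unrelated to the seed-mode feature and changes what every fresh checkout provisions. Keep `bootstrap_os: none` (and the calico default) in the shared sample and carry the site-specific values in a local inventory instead.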
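Review bot: `weave_password` is assigned a literal secret in a committed group_vars file, so the value lives in VCS history and, through the role's template, in the rendered DaemonSet; keep it out of the repository, e.g. `weave_password: "{{ vault_weave_password }}"` (constructed name) with the real value in an ansible-vault file. The value is also unquoted: this particular one parses as a string, but a password that is exactly `~`, starts with `*`, `&` or `[`, or contains `: ` or ` #` would be silently mis-parsed, so single-quote it. The comment `# if null then no network encryption` only holds if the template guards the `WEAVE_PASSWORD` entry, which the weave-net.yml.j2 hunk in this commit does not do; either add that guard or reword the comment.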
@@ -25,7 +25,7 @@ etcd_version: v3.0.17 calico_version: "v1.1.3" calico_cni_version: "v1.7.0" calico_policy_version: "v0.5.4" -weave_version: 2.1.1 +weave_version: 2.0.1 flannel_version: v0.6.2 pod_infra_version: 3.0 diff --git a/roles/network_plugin/weave/defaults/main.yml b/roles/network_plugin/weave/defaults/main.yml index fdd9d0af9..f4fa54397 100644 --- a/roles/network_plugin/weave/defaults/main.yml +++ b/roles/network_plugin/weave/defaults/main.yml @@ -4,3 +4,6 @@ weave_memory_limit: 400M weave_cpu_limit: 30m weave_memory_requests: 64M weave_cpu_requests: 10m + +# this variable is use in seed mode +weave_ip_current_cluster: '{% for host in groups["k8s-cluster"] %}{{ hostvars[host]["ansible_default_ipv4"]["address"] }}{% if not loop.last %} {% endif %}{% endfor %}' \ No newline at end of file diff --git a/roles/network_plugin/weave/tasks/main.yml b/roles/network_plugin/weave/tasks/main.yml index ed6ad62d5..2a02a3c59 100644 --- a/roles/network_plugin/weave/tasks/main.yml +++ b/roles/network_plugin/weave/tasks/main.yml @@ -1,6 +1,9 @@ --- - include: pre-upgrade.yml +- include: seed.yml + when: mode_seed == true + - name: Weave | enable br_netfilter module modprobe: name: br_netfilter diff --git a/roles/network_plugin/weave/tasks/seed.yml b/roles/network_plugin/weave/tasks/seed.yml new file mode 100644 index 000000000..43bdde6e1 --- /dev/null +++ b/roles/network_plugin/weave/tasks/seed.yml 
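Review bot: `weave_ip_current_cluster` indexes `hostvars[host]["ansible_default_ipv4"]["address"]` for every member of `k8s-cluster`, so rendering fails with an undefined-variable error whenever facts for any member were not gathered in the current run (a `--limit` run, or no fact caching); the MAC lookup in seed.yml has the same dependency. Document the requirement next to the definition, e.g. `# requires gathered facts (ansible_default_ipv4) for every host in groups["k8s-cluster"]`, and fix the comment wording to `# this variable is used in seed mode`. The file also ends without a trailing newline.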
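Review bot: `when: mode_seed == true` on the new include raises an undefined-variable error on any inventory that does not define `mode_seed`, because the role's defaults/main.yml (changed in this same commit) does not declare it; the same expression is evaluated in weave-net.yml.j2. Add `mode_seed: false` to roles/network_plugin/weave/defaults/main.yml and simplify the condition to `when: mode_seed | bool` so a string `"true"` passed via extra-vars is honoured as well.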
@@ -0,0 +1,49 @@ +- name: Weave seed | Set seed first time + set_fact: + weave_seed: '{% for host in groups["k8s-cluster"] %}{{ hostvars[host]["ansible_default_ipv4"]["macaddress"] }}{% if not loop.last %},{% endif %}{% endfor %}' + when: "seed == 'unset'" + run_once: true + tags: confweave + +- name: Weave seed | Set seed + set_fact: + weave_seed: '{{ seed }}' + when: "seed != 'unset'" + run_once: true + tags: confweave + +- name: Weave seed | Set peers fist time + set_fact: + weave_peers: '{{ weave_ip_current_cluster }}' + when: "peers == 'unset'" + run_once: true + tags: confweave + +- name: Weave seed | Set peers with existing peers + set_fact: + weave_peers: '{{ peers }}{% if weave_ip_current_cluster not in peers %} {{ weave_ip_current_cluster }}{% endif %}' + when: "peers != 'unset'" + run_once: true + tags: confweave + +- name: Weave seed | Save seed + lineinfile: + dest: "./inventory/group_vars/k8s-fede.yml" + state: present + regexp: '^seed:' + line: 'seed: {{ weave_seed }}' + become_user: $USER + delegate_to: 127.0.0.1 + run_once: true + tags: confweave + +- name: Weave seed | Save peers + lineinfile: + dest: "./inventory/group_vars/k8s-fede.yml" + state: present + regexp: '^peers:' + line: 'peers: {{ weave_peers }}' + become_user: $USER + delegate_to: 127.0.0.1 + run_once: true + tags: confweave \ No newline at end of file diff --git a/roles/network_plugin/weave/templates/weave-net.yml.j2 b/roles/network_plugin/weave/templates/weave-net.yml.j2 index 93b95346d..eacf96661 100644 --- a/roles/network_plugin/weave/templates/weave-net.yml.j2 +++ b/roles/network_plugin/weave/templates/weave-net.yml.j2 
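Review bot: `become_user: $USER` on the two lineinfile tasks is a literal string — Ansible does not expand shell variables — so with become enabled at play level (not visible in this diff) the delegated task tries to switch to a user named `$USER` and fails, and without become the line is dead; replace it on both tasks with `become: false`. `dest: "./inventory/group_vars/k8s-fede.yml"` is relative to the directory ansible-playbook is started from, so the saved seed silently lands elsewhere or the task errors when the playbook is run from another directory; anchor it as `dest: "{{ inventory_dir }}/group_vars/k8s-fede.yml"`. In `Set peers with existing peers`, `weave_ip_current_cluster not in peers` is a substring test on space-joined strings, so a current list such as `10.0.0.1` counts as already present when `peers` holds `10.0.0.10`; compare as lists instead, e.g. `weave_peers: "{% set known = peers.split() %}{{ peers }}{% for ip in weave_ip_current_cluster.split() if ip not in known %} {{ ip }}{% endfor %}"`. Since these tasks rewrite a file under the inventory on the control node, a sentence at the top of the file stating that k8s-fede.yml is role-managed state and will show as modified after every seed-mode run would save the next reader a surprise.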
@@ -1,104 +1,154 @@ --- -apiVersion: extensions/v1beta1 -kind: DaemonSet -metadata: - name: weave-net - namespace: {{ system_namespace }} - labels: - version: {{ weave_version }} -spec: - template: +apiVersion: v1 +kind: List +items: + - apiVersion: v1 + kind: ServiceAccount metadata: + name: weave-net labels: name: weave-net - annotations: - scheduler.alpha.kubernetes.io/tolerations: | - [ - { - "key": "dedicated", - "operator": "Equal", - "value": "master", - "effect": "NoSchedule" - } - ] + namespace: {{ system_namespace }} + - apiVersion: rbac.authorization.k8s.io/v1beta1 + kind: ClusterRole + metadata: + name: weave-net + labels: + name: weave-net + rules: + - apiGroups: + - '' + resources: + - pods + - namespaces + - nodes + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - networkpolicies + verbs: + - get + - list + - watch + - apiVersion: rbac.authorization.k8s.io/v1beta1 + kind: ClusterRoleBinding + metadata: + name: weave-net + labels: + name: weave-net + roleRef: + kind: ClusterRole + name: weave-net + apiGroup: rbac.authorization.k8s.io + subjects: + - kind: ServiceAccount + name: weave-net + namespace: kube-system + - apiVersion: extensions/v1beta1 + kind: DaemonSet + metadata: + name: weave-net + labels: + name: weave-net + version: {{ weave_version }} + namespace: {{ system_namespace }} spec: - hostNetwork: true - hostPID: true - containers: - - name: weave - image: {{ weave_kube_image_repo }}:{{ weave_kube_image_tag }} - imagePullPolicy: Always - command: - - /home/weave/launch.sh - env: - - name: IPALLOC_RANGE - value: {{ kube_pods_subnet }} -{% if weave_checkpoint_disable is defined %} - - name: CHECKPOINT_DISABLE - value: {{ weave_checkpoint_disable }} + template: + metadata: + labels: + name: weave-net + spec: + containers: + - name: weave +{% if mode_seed == true %} + command: ["/bin/sh","-c","export EXTRA_ARGS=--name=$(cat /sys/class/net/{{ ansible_default_ipv4['interface'] }}/address) && /home/weave/launch.sh"] 
+{% else %} + command: + - /home/weave/launch.sh {% endif %} -{% if weave_expect_npc is defined %} - - name: EXPECT_NPC - value: {{ weave_expect_npc }} + env: + - name: HOSTNAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: IPALLOC_RANGE + value: {{ kube_pods_subnet }} +{% if mode_seed == true %} + - name: KUBE_PEERS + value: {{ weave_peers }} + - name: IPALLOC_INIT + value: seed={{ weave_seed }} {% endif %} -{% if weave_kube_peers is defined %} - - name: KUBE_PEERS - value: {{ weave_kube_peers }} -{% endif %} -{% if weave_ipalloc_init is defined %} - - name: IPALLOC_INIT - value: {{ weave_ipalloc_init }} -{% endif %} -{% if weave_expose_ip is defined %} - - name: WEAVE_EXPOSE_IP - value: {{ weave_expose_ip }} -{% endif %} - livenessProbe: - initialDelaySeconds: 60 - httpGet: - host: 127.0.0.1 - path: /status - port: 6784 + - name: WEAVE_PASSWORD + value: {{ weave_password }} + image: {{ weave_kube_image_repo }}:{{ weave_kube_image_tag }} + imagePullPolicy: Always + livenessProbe: + httpGet: + host: 127.0.0.1 + path: /status + port: 6784 + initialDelaySeconds: 30 + resources: + requests: + cpu: 10m + securityContext: + privileged: true + volumeMounts: + - name: weavedb + mountPath: /weavedb + - name: cni-bin + mountPath: /host/opt + - name: cni-bin2 + mountPath: /host/home + - name: cni-conf + mountPath: /host/etc + - name: dbus + mountPath: /host/var/lib/dbus + - name: lib-modules + mountPath: /lib/modules + - name: weave-npc + image: {{ weave_npc_image_repo }}:{{ weave_npc_image_tag }} + imagePullPolicy: Always + resources: + requests: + cpu: {{ weave_cpu_requests }} + memory: {{ weave_memory_requests }} + limits: + cpu: {{ weave_cpu_limit }} + memory: {{ weave_memory_limit }} + securityContext: + privileged: true + hostNetwork: true + hostPID: true + restartPolicy: Always securityContext: - privileged: true - volumeMounts: + seLinuxOptions: {} + serviceAccountName: weave-net + tolerations: + - effect: NoSchedule + operator: 
Exists + volumes: - name: weavedb - mountPath: /weavedb + hostPath: + path: /var/lib/weave - name: cni-bin - mountPath: /opt + hostPath: + path: /opt - name: cni-bin2 - mountPath: /host_home + hostPath: + path: /home - name: cni-conf - mountPath: /etc - resources: - requests: - cpu: {{ weave_cpu_requests }} - memory: {{ weave_memory_requests }} - limits: - cpu: {{ weave_cpu_limit }} - memory: {{ weave_memory_limit }} - - name: weave-npc - image: {{ weave_npc_image_repo }}:{{ weave_npc_image_tag }} - imagePullPolicy: Always - resources: - requests: - cpu: {{ weave_cpu_requests }} - memory: {{ weave_memory_requests }} - limits: - cpu: {{ weave_cpu_limit }} - memory: {{ weave_memory_limit }} - securityContext: - privileged: true - restartPolicy: Always - volumes: - - name: weavedb - emptyDir: {} - - name: cni-bin - hostPath: - path: /opt - - name: cni-bin2 - hostPath: - path: /home - - name: cni-conf - hostPath: - path: /etc + hostPath: + path: /etc + - name: dbus + hostPath: + path: /var/lib/dbus + - name: lib-modules + hostPath: + path: /lib/modules \ No newline at end of file diff --git a/roles/uploads/defaults/main.yml b/roles/uploads/defaults/main.yml index 3d974d26e..303a2d050 100644 --- a/roles/uploads/defaults/main.yml +++ b/roles/uploads/defaults/main.yml @@ -5,7 +5,7 @@ local_release_dir: /tmp etcd_version: v3.0.17 calico_version: v0.23.0 calico_cni_version: v1.5.6 -weave_version: v2.1.1 +weave_version: v2.0.1 # Download URL's etcd_download_url: "https://github.com/coreos/etcd/releases/download/{{ etcd_version }}/etcd-{{ etcd_version }}-linux-amd64.tar.gz"
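Review bot: The ClusterRoleBinding's subject pins `namespace: kube-system`, while the ServiceAccount it refers to and the DaemonSet that uses it are created in `{{ system_namespace }}`; with any other system namespace the binding points at a non-existent account and weave-net runs with no RBAC permissions, so the subject should read `namespace: {{ system_namespace }}`. `WEAVE_PASSWORD` is emitted as a plain `value: {{ weave_password }}`: unquoted, so a password containing `: ` or ` #` or starting with a YAML indicator silently changes the manifest, and stored in the DaemonSet spec, where anyone allowed to read daemonsets in that namespace can obtain it — the usual shape is a Secret plus `valueFrom.secretKeyRef`, sketched below with a constructed secret name. The inventory comment says a null `weave_password` disables encryption, but nothing here guards the env entry, so wrap it in `{% if weave_password %}` or drop that promise. `$(cat /sys/class/net/{{ ansible_default_ipv4['interface'] }}/address)` bakes the rendering host's interface name into a DaemonSet that presumably runs on every node (the apply task is not in this diff), so nodes whose default interface is named differently end up with an empty `--name=`. Finally, the weave container now sets only `requests.cpu: 10m`, so `weave_cpu_limit`/`weave_memory_*` from defaults/main.yml apply to the npc container only.
```yaml
  - apiVersion: v1
    kind: Secret
    metadata:
      name: weave-passwd  # constructed name; must match the secretKeyRef below
      namespace: {{ system_namespace }}
    type: Opaque
    stringData:
      weave-passwd: "{{ weave_password }}"
# … unchanged: ServiceAccount, ClusterRole, ClusterRoleBinding, DaemonSet head …
{% if weave_password %}
            - name: WEAVE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: weave-passwd
                  key: weave-passwd
{% endif %}
# … unchanged: image, probes, mounts, npc container, volumes …
```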