Merge pull request #37 from ansibl8s/apiserver_https

Apiserver https

inventory/group_vars/all.yml

@@ -68,7 +68,7 @@ dns_setup: true
 dns_domain: "{{ cluster_name }}"
 #
 # # Ip address of the kubernetes dns service
-dns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(253)|ipaddr('address') }}"
+dns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(2)|ipaddr('address') }}"
 
 # For multi masters architecture:
 # kube-proxy doesn't support multiple apiservers for the time being so you'll need to configure your own loadbalancer

roles/apps/k8s-kube-logstash

@@ -1 +1 @@
-Subproject commit 256fa156e46d623ab0a7a60efdc7bac535cea8d7
+Subproject commit 340d1a5ec75e7b7c43783dc7a1c02aa7d5991dbe

roles/etcd/tasks/install.yml

@@ -15,3 +15,9 @@
 
 - name: Create etcd2 binary symlink
   file: src=/usr/local/bin/etcd dest=/usr/local/bin/etcd2 state=link
+
+- name: install required python module 'httplib2'
+  apt:
+    name: "python-httplib2"
+    state: present
+  when: inventory_hostname == groups['kube-master'][0] or inventory_hostname == groups['etcd'][0]

roles/etcd/templates/etcd2-environment.j2

@@ -15,6 +15,6 @@ ETCD_LISTEN_CLIENT_URLS="http://{{ hostvars[inventory_hostname]['ip'] | default(
 ETCD_LISTEN_PEER_URLS="http://{{ hostvars[inventory_hostname]['ip'] | default( ansible_default_ipv4.address)  }}:2380"
 ETCD_NAME="{{ etcd.name }}"
 {% else  %}
-ETCD_INITIAL_CLUSTER="{% for host in groups['etcd'] %}master{{ loop.index|string }}=http://{{ host }}:2380{% if not loop.last %},{% endif %}{% endfor %}"
+ETCD_INITIAL_CLUSTER="{% for host in groups['etcd'] %}master{{ loop.index|string }}=http://{{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}:2380{% if not loop.last %},{% endif %}{% endfor %}"
 ETCD_LISTEN_CLIENT_URLS="http://127.0.0.1:23799"
 {% endif %}

roles/kubernetes/master/tasks/main.yml

@@ -32,6 +32,7 @@
     - "{{ kube_cert_dir }}"
     - "{{ kube_users_dir }}"
   delegate_to: "{{ groups['kube-master'][0] }}"
+  when: inventory_hostname != "{{ groups['kube-master'][0] }}"
 
 # Write manifests
 - name: Write kube-apiserver manifest
@@ -48,12 +49,6 @@
     port: "{{kube_apiserver_insecure_port}}"
     delay: 10
 
-- name: install required python module 'httplib2'
-  apt:
-    name: "python-httplib2"
-    state: present
-  when: inventory_hostname == groups['kube-master'][0]
-
 - name: Create 'kube-system' namespace
   uri:
     url: http://127.0.0.1:{{ kube_apiserver_insecure_port }}/api/v1/namespaces

roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2

@@ -10,7 +10,6 @@ spec:
     command:
     - /hyperkube
     - apiserver
-    - --insecure-bind-address=0.0.0.0
     - --etcd-servers={% for srv in groups['etcd'] %}http://{{ srv }}:2379{% if not loop.last %},{% endif %}{% endfor %}
 
     - --admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota

roles/kubernetes/node/files/kube-gen-token.sh

@@ -19,7 +19,10 @@ token_file="${token_dir}/known_tokens.csv"
 
 create_accounts=($@)
 
-touch "${token_file}"
+if [ ! -e "${token_file}" ]; then
+  touch "${token_file}"
+fi
+
 for account in "${create_accounts[@]}"; do
   if grep ",${account}," "${token_file}" ; then
     continue

roles/kubernetes/node/tasks/gen_tokens.yml

@@ -4,6 +4,7 @@
     src=kube-gen-token.sh
     dest={{ kube_script_dir }}
     mode=u+x
+  when: inventory_hostname == groups['kube-master'][0]
 
 - name: tokens | generate tokens for master components
   command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
@@ -14,6 +15,7 @@
     - "{{ groups['kube-master'] }}"
   register: gentoken
   changed_when: "'Added' in gentoken.stdout"
+  when: inventory_hostname == groups['kube-master'][0]
 
 - name: tokens | generate tokens for node components
   command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
@@ -24,3 +26,30 @@
     - "{{ groups['kube-node'] }}"
   register: gentoken
   changed_when: "'Added' in gentoken.stdout"
+  when: inventory_hostname == groups['kube-master'][0]
+
+- name: tokens | generate tokens for calico
+  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
+  environment:
+    TOKEN_DIR: "{{ kube_token_dir }}"
+  with_nested:
+    - [ "system:calico" ]
+    - "{{ groups['k8s-cluster'] }}"
+  register: gentoken
+  changed_when: "'Added' in gentoken.stdout"
+  when: kube_network_plugin == "calico"
+  delegate_to: "{{ groups['kube-master'][0] }}"
+
+- name: tokens | get the calico token values
+  slurp:
+    src: "{{ kube_token_dir }}/system:calico-{{ inventory_hostname }}.token"
+  register: calico_token
+  when: kube_network_plugin == "calico"
+  delegate_to: "{{ groups['kube-master'][0] }}"
+
+- name: tokens | Add KUBE_AUTH_TOKEN for calico
+  lineinfile:
+    regexp: "^KUBE_AUTH_TOKEN=.*$"
+    line: "KUBE_AUTH_TOKEN={{ calico_token.content|b64decode }}"
+    dest: "/etc/network-environment"
+  when: kube_network_plugin == "calico"

roles/kubernetes/node/tasks/secrets.yml

@@ -18,8 +18,6 @@
   when: inventory_hostname == groups['kube-master'][0]
 
 - include: gen_tokens.yml
-  run_once: true
-  when: inventory_hostname == groups['kube-master'][0]
 
 # Sync certs between nodes
 - user:
@@ -50,3 +48,4 @@
     - "{{ kube_cert_dir}}/node.pem"
     - "{{ kube_cert_dir}}/node-key.pem"
   delegate_to: "{{ groups['kube-master'][0] }}"
+  when: inventory_hostname not in "{{ groups['kube-master'] }}"

roles/network_plugin/tasks/calico.yml

@@ -1,18 +1,46 @@
 ---
 - name: Calico | Install calicoctl bin
   copy:
-     src={{ local_release_dir }}/calico/bin/calicoctl
-     dest={{ bin_dir }}
-     mode=0755
+    src: "{{ local_release_dir }}/calico/bin/calicoctl"
+    dest: "{{ bin_dir }}"
+    mode: 0755
   notify: restart calico-node
 
 - name: Calico | Create calicoctl symlink (needed by kubelet)
-  file: src=/usr/local/bin/calicoctl dest=/usr/bin/calicoctl state=link
+  file:
+    src: /usr/local/bin/calicoctl
+    dest: /usr/bin/calicoctl
+    state: link
 
-- name: Calico | Configure calico-node desired pool
+- name: Calico | Check if calico network pool has already been configured
+  uri:
+    url: "http://127.0.0.1:2379/v2/keys/calico/v1/ipam/v4/pool"
+    return_content: yes
+    status_code: 200,404
+  register: calico_conf
+  run_once: true
+  delegate_to: "{{ groups['etcd'][0] }}"
+
+- name: Calico | Configure calico network pool
   shell: calicoctl pool add {{ kube_pods_subnet }}
-  environment:
-     ETCD_AUTHORITY: "{{ groups['etcd'][0] }}:2379"
+  run_once: true
+  when: calico_conf.status == 404
+  delegate_to: "{{ groups['etcd'][0] }}"
+
+- name: Calico | Get calico configuration from etcd
+  uri:
+    url: "http://127.0.0.1:2379/v2/keys/calico/v1/ipam/v4/pool"
+    return_content: yes
+  register: calico_pools
+  run_once: true
+  delegate_to: "{{ groups['etcd'][0] }}"
+
+- name: Calico | Check if calico pool is properly configured
+  fail:
+    msg: 'Only one network pool must be configured and it must be the subnet {{ kube_pods_subnet }}.
+    Please erase calico configuration and run the playbook again ("etcdctl rm --recursive /calico/v1/ipam/v4/pool")'
+  when: ( calico_pools.json['node']['nodes'] | length > 1 ) or 
+        ( not calico_pools.json['node']['nodes'][0]['key'] | search(".*{{ kube_pods_subnet | ipaddr('network') }}.*") )
   run_once: true
   delegate_to: "{{ groups['etcd'][0] }}"
 
@@ -33,9 +61,13 @@
 
 - name: Calico | Disable node mesh
   shell: calicoctl bgp node-mesh off
+  environment:
+     ETCD_AUTHORITY: "{{ groups['etcd'][0] }}:2379"
   when: peer_with_router|default(false) and inventory_hostname in groups['kube-node']
 
 - name: Calico | Configure peering with router(s)
   shell: calicoctl node bgp peer add {{ item.router_id }} as {{ item.as }}
+  environment:
+     ETCD_AUTHORITY: "{{ groups['etcd'][0] }}:2379"
   with_items: peers
   when: peer_with_router|default(false) and inventory_hostname in groups['kube-node']

roles/network_plugin/tasks/main.yml

@@ -5,7 +5,7 @@
         kube_network_plugin is not defined 
 
 - name: Write network-environment
-  template: src=network-environment.j2 dest=/etc/network-environment mode=u+x
+  template: src=network-environment.j2 dest=/etc/network-environment mode=640
 
 - include: flannel.yml
   when: kube_network_plugin == "flannel"

roles/network_plugin/templates/network-environment.j2

@@ -5,7 +5,11 @@ CALICO_IPAM=true
 DEFAULT_IPV4={{ip | default(ansible_default_ipv4.address) }}
 
 # The kubernetes master IP
+{% if loadbalancer_apiserver is defined and apiserver_loadbalancer_domain_name is defined %}
+KUBERNETES_MASTER=https://{{ apiserver_loadbalancer_domain_name }}:{{ loadbalancer_apiserver.port }}
+{% else %}
 KUBERNETES_MASTER={{ hostvars[groups['kube-master'][0]]['ip'] | default(hostvars[groups['kube-master'][0]]['ansible_default_ipv4']['address']) }}
+{% endif %}
 
 # Location of etcd cluster used by Calico.  By default, this uses the etcd
 # instance running on the Kubernetes Master
@@ -16,7 +20,11 @@ ETCD_AUTHORITY="127.0.0.1:23799"
 {% endif %}
 
 # The kubernetes-apiserver location - used by the calico plugin
-KUBE_API_ROOT=http://{{ hostvars[groups['kube-master'][0]]['ip'] | default(hostvars[groups['kube-master'][0]]['ansible_default_ipv4']['address']) }}:{{kube_apiserver_insecure_port}}/api/v1/
+{% if loadbalancer_apiserver is defined and apiserver_loadbalancer_domain_name is defined %}
+KUBE_API_ROOT=https://{{ apiserver_loadbalancer_domain_name }}:{{ loadbalancer_apiserver.port }}/api/v1/
+{% else %}
+KUBE_API_ROOT=https://{{ hostvars[groups['kube-master'][0]]['ip'] | default(hostvars[groups['kube-master'][0]]['ansible_default_ipv4']['address']) }}:{{kube_apiserver_port}}/api/v1/
+{% endif %}
 {% else %}
 FLANNEL_ETCD_PREFIX="--etcd-prefix=/{{ cluster_name }}/network"
 {% endif %}