Merge pull request #37 from ansibl8s/apiserver_https

Apiserver https
Antoine Legrand 2015-12-28 13:00:46 +01:00
commit b45747ec86
12 changed files with 93 additions and 22 deletions


@ -68,7 +68,7 @@ dns_setup: true
dns_domain: "{{ cluster_name }}" dns_domain: "{{ cluster_name }}"
# #
# # Ip address of the kubernetes dns service # # Ip address of the kubernetes dns service
dns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(253)|ipaddr('address') }}" dns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(2)|ipaddr('address') }}"
# For multi masters architecture: # For multi masters architecture:
# kube-proxy doesn't support multiple apiservers for the time being so you'll need to configure your own loadbalancer # kube-proxy doesn't support multiple apiservers for the time being so you'll need to configure your own loadbalancer
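Review bot: The switch from `ipaddr(253)` to `ipaddr(2)` for `dns_server` is not explained, and the comment above it only says what the value is, not why the second address of the service range was chosen. Presumably the first address is left for the apiserver's own cluster service, but that is an inference and should be written down so a later edit does not move it back; suggested comment above the key: `# second address of the service range; the first one is presumably reserved for the apiserver service — confirm`.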

@ -1 +1 @@
Subproject commit 256fa156e46d623ab0a7a60efdc7bac535cea8d7 Subproject commit 340d1a5ec75e7b7c43783dc7a1c02aa7d5991dbe


@ -15,3 +15,9 @@
- name: Create etcd2 binary symlink - name: Create etcd2 binary symlink
file: src=/usr/local/bin/etcd dest=/usr/local/bin/etcd2 state=link file: src=/usr/local/bin/etcd dest=/usr/local/bin/etcd2 state=link
- name: install required python module 'httplib2'
apt:
name: "python-httplib2"
state: present
when: inventory_hostname == groups['kube-master'][0] or inventory_hostname == groups['etcd'][0]
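Review bot: Moving the `python-httplib2` install into the etcd role, while this PR removes the same install from the kube-master role, makes the `uri` task that creates the kube-system namespace on the first master depend on the etcd role also running on that host; in an inventory where the etcd and kube-master groups are disjoint the master's `uri` call would fail on the missing module. Keeping one install next to each consumer is safer: this task with `when: inventory_hostname == groups['etcd'][0]` in the etcd role, and the original task left in kube-master. The `apt:` module is also Debian-only, so a `when: ansible_os_family == "Debian"` guard would be needed if other platforms are meant to be supported, which this page does not show.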


@ -15,6 +15,6 @@ ETCD_LISTEN_CLIENT_URLS="http://{{ hostvars[inventory_hostname]['ip'] | default(
ETCD_LISTEN_PEER_URLS="http://{{ hostvars[inventory_hostname]['ip'] | default( ansible_default_ipv4.address) }}:2380" ETCD_LISTEN_PEER_URLS="http://{{ hostvars[inventory_hostname]['ip'] | default( ansible_default_ipv4.address) }}:2380"
ETCD_NAME="{{ etcd.name }}" ETCD_NAME="{{ etcd.name }}"
{% else %} {% else %}
ETCD_INITIAL_CLUSTER="{% for host in groups['etcd'] %}master{{ loop.index|string }}=http://{{ host }}:2380{% if not loop.last %},{% endif %}{% endfor %}" ETCD_INITIAL_CLUSTER="{% for host in groups['etcd'] %}master{{ loop.index|string }}=http://{{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}:2380{% if not loop.last %},{% endif %}{% endfor %}"
ETCD_LISTEN_CLIENT_URLS="http://127.0.0.1:23799" ETCD_LISTEN_CLIENT_URLS="http://127.0.0.1:23799"
{% endif %} {% endif %}
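Review bot: The new `ETCD_INITIAL_CLUSTER` expression dereferences `hostvars[host]['ansible_default_ipv4']['address']` for every member of `groups['etcd']`, so templating fails on any etcd host whose facts were not gathered in the same run — the `default()` only covers an unset `ip`, not missing facts. If the play does not gather facts for all etcd hosts before this template is rendered, either a `setup` pass over `groups['etcd']` or an `is defined` guard on the fallback is needed. The peer URLs stay plain `http://`, which this commit does not change. The `{% if %}` this hunk sits in begins outside the hunk.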


@ -32,6 +32,7 @@
- "{{ kube_cert_dir }}" - "{{ kube_cert_dir }}"
- "{{ kube_users_dir }}" - "{{ kube_users_dir }}"
delegate_to: "{{ groups['kube-master'][0] }}" delegate_to: "{{ groups['kube-master'][0] }}"
when: inventory_hostname != "{{ groups['kube-master'][0] }}"
# Write manifests # Write manifests
- name: Write kube-apiserver manifest - name: Write kube-apiserver manifest
@ -48,12 +49,6 @@
port: "{{kube_apiserver_insecure_port}}" port: "{{kube_apiserver_insecure_port}}"
delay: 10 delay: 10
- name: install required python module 'httplib2'
apt:
name: "python-httplib2"
state: present
when: inventory_hostname == groups['kube-master'][0]
- name: Create 'kube-system' namespace - name: Create 'kube-system' namespace
uri: uri:
url: http://127.0.0.1:{{ kube_apiserver_insecure_port }}/api/v1/namespaces url: http://127.0.0.1:{{ kube_apiserver_insecure_port }}/api/v1/namespaces
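Review bot: The added `when: inventory_hostname != "{{ groups['kube-master'][0] }}"` wraps the expression in `{{ }}` although `when` is already evaluated as Jinja; Ansible warns about templating delimiters in conditionals and the string comparison is brittle. Write it as `when: inventory_hostname != groups['kube-master'][0]`, matching the style of the `when` on the removed httplib2 task. The same pattern appears in the cert-sync hunk of the later file (`when: inventory_hostname not in "{{ groups['kube-master'] }}"`), where it is worse: `not in` against the rendered string of the list is a substring test, so a host named `node1` would be treated as a master whenever `node10` is one; `when: inventory_hostname not in groups['kube-master']` gives real list membership.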


@ -10,7 +10,6 @@ spec:
command: command:
- /hyperkube - /hyperkube
- apiserver - apiserver
- --insecure-bind-address=0.0.0.0
- --etcd-servers={% for srv in groups['etcd'] %}http://{{ srv }}:2379{% if not loop.last %},{% endif %}{% endfor %} - --etcd-servers={% for srv in groups['etcd'] %}http://{{ srv }}:2379{% if not loop.last %},{% endif %}{% endfor %}
- --admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota - --admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
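Review bot: With `--insecure-bind-address=0.0.0.0` removed, the insecure port falls back to the apiserver's default of 127.0.0.1, which is the right direction but is recorded nowhere in the manifest; anything that reached the insecure port over the node address must now use the https port (the network-environment template in this PR does that for calico). A short comment above the `--etcd-servers` line would save the next reader a check: `# insecure port is left on the apiserver default (127.0.0.1); remote clients use the secure port`. The `--etcd-servers` entries still point at plain `http://` etcd endpoints, which this change leaves as is. The container spec continues outside the hunk.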


@ -19,7 +19,10 @@ token_file="${token_dir}/known_tokens.csv"
create_accounts=($@) create_accounts=($@)
touch "${token_file}" if [ ! -e "${token_file}" ]; then
touch "${token_file}"
fi
for account in "${create_accounts[@]}"; do for account in "${create_accounts[@]}"; do
if grep ",${account}," "${token_file}" ; then if grep ",${account}," "${token_file}" ; then
continue continue
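Review bot: When `${token_file}` does not exist, the new branch still creates it with `touch`, so `known_tokens.csv` — which holds every generated bearer token — gets whatever mode the caller's umask yields, typically group- and world-readable. Create it with an explicit mode instead, for example `install -m 0600 /dev/null "${token_file}"` in place of `touch "${token_file}"`, or run the touch under `umask 077`. The loop that appends tokens continues outside the hunk.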


@ -4,6 +4,7 @@
src=kube-gen-token.sh src=kube-gen-token.sh
dest={{ kube_script_dir }} dest={{ kube_script_dir }}
mode=u+x mode=u+x
when: inventory_hostname == groups['kube-master'][0]
- name: tokens | generate tokens for master components - name: tokens | generate tokens for master components
command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}" command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
@ -14,6 +15,7 @@
- "{{ groups['kube-master'] }}" - "{{ groups['kube-master'] }}"
register: gentoken register: gentoken
changed_when: "'Added' in gentoken.stdout" changed_when: "'Added' in gentoken.stdout"
when: inventory_hostname == groups['kube-master'][0]
- name: tokens | generate tokens for node components - name: tokens | generate tokens for node components
command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}" command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
@ -24,3 +26,30 @@
- "{{ groups['kube-node'] }}" - "{{ groups['kube-node'] }}"
register: gentoken register: gentoken
changed_when: "'Added' in gentoken.stdout" changed_when: "'Added' in gentoken.stdout"
when: inventory_hostname == groups['kube-master'][0]
- name: tokens | generate tokens for calico
command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
environment:
TOKEN_DIR: "{{ kube_token_dir }}"
with_nested:
- [ "system:calico" ]
- "{{ groups['k8s-cluster'] }}"
register: gentoken
changed_when: "'Added' in gentoken.stdout"
when: kube_network_plugin == "calico"
delegate_to: "{{ groups['kube-master'][0] }}"
- name: tokens | get the calico token values
slurp:
src: "{{ kube_token_dir }}/system:calico-{{ inventory_hostname }}.token"
register: calico_token
when: kube_network_plugin == "calico"
delegate_to: "{{ groups['kube-master'][0] }}"
- name: tokens | Add KUBE_AUTH_TOKEN for calico
lineinfile:
regexp: "^KUBE_AUTH_TOKEN=.*$"
line: "KUBE_AUTH_TOKEN={{ calico_token.content|b64decode }}"
dest: "/etc/network-environment"
when: kube_network_plugin == "calico"
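Review bot: The `tokens | generate tokens for calico` task delegates to the first master but has no `run_once`, so every host in the play replays the whole `with_nested` loop over `groups['k8s-cluster']` on that master; the script's `grep` keeps it idempotent, but it is N² invocations of `kube-gen-token.sh`. Add `run_once: true` beside `delegate_to`, as the `uri` tasks in calico.yml do. The decoded token written by `lineinfile` ends up in `/etc/network-environment`, which another hunk of this PR tightens to mode 640; that coupling deserves a comment on the `lineinfile` task, e.g. `# token lands in /etc/network-environment, which the network role keeps at mode 640`.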


@ -18,8 +18,6 @@
when: inventory_hostname == groups['kube-master'][0] when: inventory_hostname == groups['kube-master'][0]
- include: gen_tokens.yml - include: gen_tokens.yml
run_once: true
when: inventory_hostname == groups['kube-master'][0]
# Sync certs between nodes # Sync certs between nodes
- user: - user:
@ -50,3 +48,4 @@
- "{{ kube_cert_dir}}/node.pem" - "{{ kube_cert_dir}}/node.pem"
- "{{ kube_cert_dir}}/node-key.pem" - "{{ kube_cert_dir}}/node-key.pem"
delegate_to: "{{ groups['kube-master'][0] }}" delegate_to: "{{ groups['kube-master'][0] }}"
when: inventory_hostname not in "{{ groups['kube-master'] }}"


@ -1,18 +1,46 @@
--- ---
- name: Calico | Install calicoctl bin - name: Calico | Install calicoctl bin
copy: copy:
src={{ local_release_dir }}/calico/bin/calicoctl src: "{{ local_release_dir }}/calico/bin/calicoctl"
dest={{ bin_dir }} dest: "{{ bin_dir }}"
mode=0755 mode: 0755
notify: restart calico-node notify: restart calico-node
- name: Calico | Create calicoctl symlink (needed by kubelet) - name: Calico | Create calicoctl symlink (needed by kubelet)
file: src=/usr/local/bin/calicoctl dest=/usr/bin/calicoctl state=link file:
src: /usr/local/bin/calicoctl
dest: /usr/bin/calicoctl
state: link
- name: Calico | Configure calico-node desired pool - name: Calico | Check if calico network pool has already been configured
uri:
url: "http://127.0.0.1:2379/v2/keys/calico/v1/ipam/v4/pool"
return_content: yes
status_code: 200,404
register: calico_conf
run_once: true
delegate_to: "{{ groups['etcd'][0] }}"
- name: Calico | Configure calico network pool
shell: calicoctl pool add {{ kube_pods_subnet }} shell: calicoctl pool add {{ kube_pods_subnet }}
environment: run_once: true
ETCD_AUTHORITY: "{{ groups['etcd'][0] }}:2379" when: calico_conf.status == 404
delegate_to: "{{ groups['etcd'][0] }}"
- name: Calico | Get calico configuration from etcd
uri:
url: "http://127.0.0.1:2379/v2/keys/calico/v1/ipam/v4/pool"
return_content: yes
register: calico_pools
run_once: true
delegate_to: "{{ groups['etcd'][0] }}"
- name: Calico | Check if calico pool is properly configured
fail:
msg: 'Only one network pool must be configured and it must be the subnet {{ kube_pods_subnet }}.
Please erase calico configuration and run the playbook again ("etcdctl rm --recursive /calico/v1/ipam/v4/pool")'
when: ( calico_pools.json['node']['nodes'] | length > 1 ) or
( not calico_pools.json['node']['nodes'][0]['key'] | search(".*{{ kube_pods_subnet | ipaddr('network') }}.*") )
run_once: true run_once: true
delegate_to: "{{ groups['etcd'][0] }}" delegate_to: "{{ groups['etcd'][0] }}"
@ -33,9 +61,13 @@
- name: Calico | Disable node mesh - name: Calico | Disable node mesh
shell: calicoctl bgp node-mesh off shell: calicoctl bgp node-mesh off
environment:
ETCD_AUTHORITY: "{{ groups['etcd'][0] }}:2379"
when: peer_with_router|default(false) and inventory_hostname in groups['kube-node'] when: peer_with_router|default(false) and inventory_hostname in groups['kube-node']
- name: Calico | Configure peering with router(s) - name: Calico | Configure peering with router(s)
shell: calicoctl node bgp peer add {{ item.router_id }} as {{ item.as }} shell: calicoctl node bgp peer add {{ item.router_id }} as {{ item.as }}
environment:
ETCD_AUTHORITY: "{{ groups['etcd'][0] }}:2379"
with_items: peers with_items: peers
when: peer_with_router|default(false) and inventory_hostname in groups['kube-node'] when: peer_with_router|default(false) and inventory_hostname in groups['kube-node']
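Review bot: The `environment: ETCD_AUTHORITY` blocks were dropped from `Calico | Disable node mesh` and `Calico | Configure peering with router(s)`, but those tasks still run on `kube-node` hosts rather than on `groups['etcd'][0]`; a `shell` task does not source `/etc/network-environment`, so unless calicoctl reads that file itself the commands now use calicoctl's built-in etcd address on a node where, per the network-environment template, the local proxy listens on 23799. If that is intended, a comment naming where calicoctl gets its etcd address would help; otherwise the two `environment` blocks should be restored. The `Check if calico pool is properly configured` condition also embeds `{{ kube_pods_subnet | ipaddr('network') }}` inside a `when`, which should be plain Jinja, e.g. `search(".*" ~ (kube_pods_subnet | ipaddr('network')) ~ ".*")`, and it would raise a templating error rather than the intended message if the etcd reply came back without a `nodes` entry.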


@ -5,7 +5,7 @@
kube_network_plugin is not defined kube_network_plugin is not defined
- name: Write network-environment - name: Write network-environment
template: src=network-environment.j2 dest=/etc/network-environment mode=u+x template: src=network-environment.j2 dest=/etc/network-environment mode=640
- include: flannel.yml - include: flannel.yml
when: kube_network_plugin == "flannel" when: kube_network_plugin == "flannel"
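Review bot: `mode=640` is passed to the template module as the string `640`; Ansible does read an all-digit string as octal, but `mode=0640` makes that explicit and matches the `mode: 0755` used in calico.yml. Since the file now receives `KUBE_AUTH_TOKEN`, pinning `owner=root group=root` next to the mode would keep the tightening from depending on whichever account runs the play. The task list continues outside the hunk.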


@ -5,7 +5,11 @@ CALICO_IPAM=true
DEFAULT_IPV4={{ip | default(ansible_default_ipv4.address) }} DEFAULT_IPV4={{ip | default(ansible_default_ipv4.address) }}
# The kubernetes master IP # The kubernetes master IP
{% if loadbalancer_apiserver is defined and apiserver_loadbalancer_domain_name is defined %}
KUBERNETES_MASTER=https://{{ apiserver_loadbalancer_domain_name }}:{{ loadbalancer_apiserver.port }}
{% else %}
KUBERNETES_MASTER={{ hostvars[groups['kube-master'][0]]['ip'] | default(hostvars[groups['kube-master'][0]]['ansible_default_ipv4']['address']) }} KUBERNETES_MASTER={{ hostvars[groups['kube-master'][0]]['ip'] | default(hostvars[groups['kube-master'][0]]['ansible_default_ipv4']['address']) }}
{% endif %}
# Location of etcd cluster used by Calico. By default, this uses the etcd # Location of etcd cluster used by Calico. By default, this uses the etcd
# instance running on the Kubernetes Master # instance running on the Kubernetes Master
@ -16,7 +20,11 @@ ETCD_AUTHORITY="127.0.0.1:23799"
{% endif %} {% endif %}
# The kubernetes-apiserver location - used by the calico plugin # The kubernetes-apiserver location - used by the calico plugin
KUBE_API_ROOT=http://{{ hostvars[groups['kube-master'][0]]['ip'] | default(hostvars[groups['kube-master'][0]]['ansible_default_ipv4']['address']) }}:{{kube_apiserver_insecure_port}}/api/v1/ {% if loadbalancer_apiserver is defined and apiserver_loadbalancer_domain_name is defined %}
KUBE_API_ROOT=https://{{ apiserver_loadbalancer_domain_name }}:{{ loadbalancer_apiserver.port }}/api/v1/
{% else %}
KUBE_API_ROOT=https://{{ hostvars[groups['kube-master'][0]]['ip'] | default(hostvars[groups['kube-master'][0]]['ansible_default_ipv4']['address']) }}:{{kube_apiserver_port}}/api/v1/
{% endif %}
{% else %} {% else %}
FLANNEL_ETCD_PREFIX="--etcd-prefix=/{{ cluster_name }}/network" FLANNEL_ETCD_PREFIX="--etcd-prefix=/{{ cluster_name }}/network"
{% endif %} {% endif %}
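Review bot: The two `KUBERNETES_MASTER` branches emit different shapes: the load-balancer branch produces a full `https://host:port` URL, while the fallback still produces a bare IP with neither scheme nor port. Whichever form the consumer of `KUBERNETES_MASTER` expects, both branches should emit it; if it is a URL, the fallback becomes `KUBERNETES_MASTER=https://{{ hostvars[groups['kube-master'][0]]['ip'] | default(hostvars[groups['kube-master'][0]]['ansible_default_ipv4']['address']) }}:{{ kube_apiserver_port }}`, mirroring the new `KUBE_API_ROOT` line. The https `KUBE_API_ROOT` also presumes the apiserver certificate covers the load-balancer name or master IP and that the calico plugin trusts the issuing CA, neither of which is visible in this diff. The outer `{% if %}` begins outside the hunk.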