Add federation support

Includes CoreDNS with etcd pod for its backend.
2017-03-06 19:39:34 +03:00 · 2017-03-06 19:39:34 +03:00 · cff4c5db4a
commit cff4c5db4a
parent b4a1ba828a
14 changed files with 296 additions and 3 deletions
--- a/cluster.yml
+++ b/cluster.yml
@ -89,3 +89,4 @@
  roles:
    - { role: kargo-defaults}
    - { role: kubernetes-apps, tags: apps }
+    - { role: kubernetes/federation, tags: federation }
--- a/inventory/group_vars/k8s-cluster.yml
+++ b/inventory/group_vars/k8s-cluster.yml
@ -110,8 +110,9 @@ resolvconf_mode: docker_dns
 # Deploy netchecker app to verify DNS resolve as an HTTP service
 deploy_netchecker: false
 # Ip address of the kubernetes skydns service
-skydns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(3)|ipaddr('address') }}"
 dns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(2)|ipaddr('address') }}"
+skydns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(3)|ipaddr('address') }}"
+coredns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(4)|ipaddr('address') }}"
 dns_domain: "{{ cluster_name }}"

 # Path used to store Docker data
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@ -31,10 +31,12 @@ pod_infra_version: 3.0

 # Download URL's
 etcd_download_url: "https://storage.googleapis.com/kargo/{{etcd_version}}_etcd"
+kubernetes_client_download_url: "https://dl.k8s.io/v1.6.0-beta.1/kubernetes-client-linux-amd64.tar.gz"
+#kubernetes_client_download_url: "https://dl.k8s.io/{{kube_version}}/kubernetes-client-linux-amd64.tar.gz"

 # Checksums
 etcd_checksum: "385afd518f93e3005510b7aaa04d38ee4a39f06f5152cd33bb86d4f0c94c7485"
-
+kubernetes_client_checksum: "d13f3bede2beb1d7fbca7f01a2c0775938d9127073b0fa1cecba4fd152947eae"
 # Containers
 # Possible values: host, docker
 etcd_deployment_type: "docker"
@ -123,6 +125,14 @@ downloads:
    repo: "{{ hyperkube_image_repo }}"
    tag: "{{ hyperkube_image_tag }}"
    sha256: "{{ hyperkube_digest_checksum|default(None) }}"
+  kubernetes_client:
+    version: "{{ kube_version}}"
+    dest: "kubernetes_client/kubernetes-client-linux-amd64.tar.gz"
+    sha256: "{{ kubernetes_client_checksum }}"
+    url: "{{ kubernetes_client_download_url }}"
+    unarchive: true
+    owner: "kube"
+    mode: "0755"
  flannel:
    container: true
    repo: "{{ flannel_image_repo }}"
@ -230,8 +240,8 @@ download:
  dest: "{{ file.dest|default(None) }}"
  version: "{{ file.version|default(None) }}"
  sha256: "{{ file.sha256|default(None) }}"
-  source_url: "{{ file.source_url|default(None) }}"
  url: "{{ file.url|default(None) }}"
  unarchive: "{{ file.unarchive|default('false') }}"
  owner: "{{ file.owner|default('kube') }}"
  mode: "{{ file.mode|default(None) }}"
+
--- a/roles/kubernetes/federation/defaults/main.yml
+++ b/roles/kubernetes/federation/defaults/main.yml
@ -0,0 +1,11 @@
+# Common in master/child
+federation_name: "federation"
+federation_context: "{{ federation_name }}"
+federation_dns_zone: "federation"
+federation_namespace: "federation-system"
+
+# Federation master
+federation_master: true
+
+# Federation child
+#federation_master: false
--- a/roles/kubernetes/federation/meta/main.yml
+++ b/roles/kubernetes/federation/meta/main.yml
@ -0,0 +1,8 @@
+---
+dependencies:
+  - role: download
+    file: "{{ downloads.hyperkube }}"
+    tags: [download, hyperkube]
+  - role: download
+    file: "{{ downloads.kubernetes_client }}"
+    tags: [download, hyperkube]
--- a/roles/kubernetes/federation/tasks/coredns.yml
+++ b/roles/kubernetes/federation/tasks/coredns.yml
@ -0,0 +1,29 @@
+- name: Federation | coredns | Create coredns config
+  template:
+    src: federation-coredns.conf.j2
+    dest: "{{ kube_config_dir }}/federation-coredns.conf"
+  tags: coredns
+
+- name: Federation | coredns | Lay Down coredns Template
+  template:
+    src: "{{item.file}}"
+    dest: "{{kube_config_dir}}/{{item.file}}"
+  with_items:
+    - {name: coredns-etcd, file: etcd-pod.yml.j2, type: pod}
+    - {name: coredns-etcd, file: etcd-svc.yml.j2, type: svc}
+    - {name: coredns, file: coredns-deploy.yml.j2, type: deployment}
+    - {name: coredns, file: coredns-svc.yml.j2, type: svc}
+  register: manifests
+  tags: coredns
+
+- name: Federation | coredns | Start Resources
+  kube:
+    name: "{{item.item.name}}"
+    namespace: "{{ system_namespace }}"
+    kubectl: "{{bin_dir}}/kubectl"
+    resource: "{{item.item.type}}"
+    filename: "{{kube_config_dir}}/{{item.item.file}}"
+    state: "{{item.changed | ternary('latest','present') }}"
+  with_items: "{{ manifests.results }}"
+  tags: coredns
+
--- a/roles/kubernetes/federation/tasks/main.yml
+++ b/roles/kubernetes/federation/tasks/main.yml
@ -0,0 +1,68 @@
+---
+#TODO - name: See if federation is already started
+- name: fedstart
+  command: /bin/true
+
+- include: coredns.yml
+  when: federation_master|default(false)
+
+- name: Copy kubefed from releases dir
+  copy:
+    src: "{{ local_release_dir }}/kubernetes_client/kubernetes/client/bin/kubefed"
+    dest: "{{ bin_dir }}/kubefed"
+    owner: root
+    group: root
+    mode: 0755
+
+- name: Set up coredns federation config
+  template:
+    src: "federation-coredns.conf.j2"
+    dest: "{{ kube_config_dir }}/federation-coredns.conf"
+    owner: root
+    group: root
+    mode: 0640
+
+
+- name: See if namespace is created
+  command: "{{ bin_dir }}/kubectl get namespaces {{ federation_namespace }}"
+  register: federation_namespace_created
+  failed_when: false
+  when: federation_master|default(false)
+
+- name: Run kubefed init
+  command: >-
+    {{ bin_dir }}/kubefed init {{ federation_name }}
+    --host-cluster-context=kubelet-{{ cluster_name }}
+    --kubeconfig={{ kube_config_dir }}/node-kubeconfig.yaml
+    --federation-system-namespace={{ federation_namespace }}
+    --api-server-service-type=NodePort
+    --etcd-persistent-storage=false
+    --dns-provider=coredns
+    --dns-provider-config={{ kube_config_dir }}/federation-coredns.conf
+    --dns-zone-name={{ federation_dns_zone }}
+    --image={{ hyperkube_image_repo}}:{{ hyperkube_image_tag }}
+  when: federation_master|default(false) and federation_namespace_created.rc != 0
+
+#- name: Create federation context if necessary
+#  command: >-
+#    kubectl create config {{ federation_context }} blah blah
+#  when: not federation_master|default(false)
+
+- name: Run kubefed join
+  command: >-
+    {{ bin_dir }}/kubefed join {{ federation-name }}
+    --kubeconfig={{ kube_config_dir }}/node-kubeconfig.yaml
+    --host-cluster-context=kubelet-{{ cluster_name }}
+    --cluster-context={{ federation_context }}
+    --api-server-service-type=NodePort
+    --dns-zone-name={{ dns_domain }}
+  when: not federation_master|default(false)
+
+
+- name: Verify federation is enabled
+  command: "{{ bin_dir }}/kubectl --context={{ federation_name }} get clusters"
+  environment:
+    KUBECONFIG: "{{ kube_config_dir }}/node-kubeconfig.yaml"
+  retries: 12
+  delay: "{{ retry_stagger | random + 3 }}"
+
--- a/roles/kubernetes/federation/templates/coredns-deploy.yml.j2
+++ b/roles/kubernetes/federation/templates/coredns-deploy.yml.j2
@ -0,0 +1,84 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: coredns
+  namespace: {{ system_namespace }}
+data:
+  Corefile: |
+    .:53 {
+        etcd {{ federation_name }} {
+          stubzones
+          path /skydns
+          endpoint coredns-etcd.{{ system_namespace }}
+          # FIXME(mattymo): https://github.com/kubernetes/kubernetes/issues/42995
+          #endpoint {{ etcd_access_addresses }}
+          #tls {{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem {{ etcd_cert_dir }}/node-{{inventory_hostname }}-key.pem {{ etcd_cert_dir }}/ca.pem
+        }
+        errors
+        log stdout
+        health
+        proxy . /etc/resolv.conf
+        cache 30
+    }
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: coredns
+  namespace: {{ system_namespace }}
+  labels:
+    k8s-app: coredns
+    kubernetes.io/cluster-service: "true"
+    kubernetes.io/name: "CoreDNS"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      k8s-app: coredns
+  template:
+    metadata:
+      labels:
+        k8s-app: coredns
+      annotations:
+        scheduler.alpha.kubernetes.io/critical-pod: ''
+        scheduler.alpha.kubernetes.io/tolerations: '[{"key":"CriticalAddonsOnly", "operator":"Exists"}]'
+    spec:
+      containers:
+      - name: coredns
+        image: coredns/coredns:latest
+        imagePullPolicy: Always
+        args: [ "-conf", "/etc/coredns/Corefile" ]
+        volumeMounts:
+        - name: config-volume
+          mountPath: /etc/coredns
+        - name: etcd-certs
+          mountPath: {{ etcd_cert_dir }}
+          readOnly: true
+        ports:
+        - containerPort: 53
+          name: dns
+          protocol: UDP
+        - containerPort: 53
+          name: dns-tcp
+          protocol: TCP
+        livenessProbe:
+          httpGet:
+            path: /health
+            port: 8080
+            scheme: HTTP
+          initialDelaySeconds: 60
+          timeoutSeconds: 5
+          successThreshold: 1
+          failureThreshold: 5
+      dnsPolicy: Default
+      volumes:
+        - name: config-volume
+          configMap:
+            name: coredns
+            items:
+            - key: Corefile
+              path: Corefile
+        - hostPath:
+            path: {{ etcd_cert_dir }}
+          name: etcd-certs
+
--- a/roles/kubernetes/federation/templates/coredns-svc.yml.j2
+++ b/roles/kubernetes/federation/templates/coredns-svc.yml.j2
@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: coredns
+  namespace: {{ system_namespace }}
+  labels:
+    k8s-app: coredns
+    kubernetes.io/cluster-service: "true"
+    kubernetes.io/name: "coredns"
+spec:
+  selector:
+    k8s-app: coredns
+  clusterIP: {{ coredns_server }}
+  ports:
+  - name: dns
+    port: 53
+    protocol: UDP
+  - name: dns-tcp
+    port: 53
+    protocol: TCP
--- a/roles/kubernetes/federation/templates/etcd-pod.yml.j2
+++ b/roles/kubernetes/federation/templates/etcd-pod.yml.j2
@ -0,0 +1,35 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: coredns-etcd
+  name: coredns-etcd
+spec:
+  containers:
+  - command:
+    - /usr/local/bin/etcd
+    - --name
+    - coredns-etcd
+    - --initial-advertise-peer-urls
+    - http://coredns-etcd:2380
+    - --listen-peer-urls
+    - http://0.0.0.0:2380
+    - --listen-client-urls
+    - http://0.0.0.0:2379
+    - --advertise-client-urls
+    - http://coredns-etcd:2379
+    - --initial-cluster
+    - coredns-etcd=http://127.0.0.1:2380
+    - --initial-cluster-state
+    - new
+    image: {{ etcd_image_repo }}:{{ etcd_image_tag }}
+    name: coredns-etcd
+    ports:
+    - containerPort: 2379
+      name: client
+      protocol: TCP
+    - containerPort: 2380
+      name: server
+      protocol: TCP
+  restartPolicy: Always
--- a/roles/kubernetes/federation/templates/etcd-svc.yml.j2
+++ b/roles/kubernetes/federation/templates/etcd-svc.yml.j2
@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: coredns-etcd
+  namespace: {{ system_namespace }}
+  labels:
+    k8s-app: coredns-etcd
+    kubernetes.io/cluster-service: "true"
+    kubernetes.io/name: "coredns-etcd"
+spec:
+  selector:
+    k8s-app: coredns-etcd
+  ports:
+  - name: client
+    port: 2379
+    protocol: TCP
+    targetPort: 2379
+  - name: server
+    port: 2380
+    protocol: TCP
+    targetPort: 2380
--- a/roles/kubernetes/federation/templates/federation-coredns.conf.j2
+++ b/roles/kubernetes/federation/templates/federation-coredns.conf.j2
@ -0,0 +1,3 @@
+[Global]
+etcd-endpoints = http://coredns-etcd.{{ system_namespace }}:2379
+zones = {{ federation_name }}
--- a/roles/kubernetes/node/tasks/main.yml
+++ b/roles/kubernetes/node/tasks/main.yml
@ -24,6 +24,7 @@
    src: node-kubeconfig.yaml.j2
    dest: "{{ kube_config_dir }}/node-kubeconfig.yaml"
    backup: yes
+    force: "{% if federation_master|default(false) %}no{% else %}yes{% endif %}"
  notify: restart kubelet
  tags: kubelet

--- a/upgrade-cluster.yml
+++ b/upgrade-cluster.yml
@ -99,3 +99,4 @@
  roles:
    - { role: kargo-defaults}
    - { role: kubernetes-apps, tags: apps }
+    - { role: kubernetes/federation, tags: federation }