Add new addon Istio (#1744)

* add istio addon

* add addons to a ci job
Matthew Mosesohn 2017-10-13 15:42:54 +01:00 committed by GitHub
parent dc515e5ac5
commit ef47a73382
12 changed files with 1495 additions and 6 deletions


@ -61,6 +61,7 @@ before_script:
KUBELET_DEPLOYMENT: "host" KUBELET_DEPLOYMENT: "host"
VAULT_DEPLOYMENT: "docker" VAULT_DEPLOYMENT: "docker"
WEAVE_CPU_LIMIT: "100m" WEAVE_CPU_LIMIT: "100m"
EXTRA_SETTINGS: "{}"
MAGIC: "ci check this" MAGIC: "ci check this"
.gce: &gce .gce: &gce
@ -132,6 +133,7 @@ before_script:
-e weave_cpu_requests=${WEAVE_CPU_LIMIT} -e weave_cpu_requests=${WEAVE_CPU_LIMIT}
-e weave_cpu_limit=${WEAVE_CPU_LIMIT} -e weave_cpu_limit=${WEAVE_CPU_LIMIT}
-e "{kubeadm_enabled: ${KUBEADM_ENABLED}}" -e "{kubeadm_enabled: ${KUBEADM_ENABLED}}"
-e "${EXTRA_SETTINGS}"
--limit "all:!fake_hosts" --limit "all:!fake_hosts"
cluster.yml cluster.yml
@ -161,6 +163,7 @@ before_script:
-e weave_cpu_requests=${WEAVE_CPU_LIMIT} -e weave_cpu_requests=${WEAVE_CPU_LIMIT}
-e weave_cpu_limit=${WEAVE_CPU_LIMIT} -e weave_cpu_limit=${WEAVE_CPU_LIMIT}
-e "{kubeadm_enabled: ${KUBEADM_ENABLED}}" -e "{kubeadm_enabled: ${KUBEADM_ENABLED}}"
-e "${EXTRA_SETTINGS}"
--limit "all:!fake_hosts" --limit "all:!fake_hosts"
$PLAYBOOK; $PLAYBOOK;
fi fi
@ -198,6 +201,7 @@ before_script:
-e "{kubeadm_enabled: ${KUBEADM_ENABLED}}" -e "{kubeadm_enabled: ${KUBEADM_ENABLED}}"
-e weave_cpu_requests=${WEAVE_CPU_LIMIT} -e weave_cpu_requests=${WEAVE_CPU_LIMIT}
-e weave_cpu_limit=${WEAVE_CPU_LIMIT} -e weave_cpu_limit=${WEAVE_CPU_LIMIT}
-e "${EXTRA_SETTINGS}"
--limit "all:!fake_hosts" --limit "all:!fake_hosts"
cluster.yml; cluster.yml;
fi fi
@ -246,6 +250,7 @@ before_script:
-e "{kubeadm_enabled: ${KUBEADM_ENABLED}}" -e "{kubeadm_enabled: ${KUBEADM_ENABLED}}"
-e weave_cpu_requests=${WEAVE_CPU_LIMIT} -e weave_cpu_requests=${WEAVE_CPU_LIMIT}
-e weave_cpu_limit=${WEAVE_CPU_LIMIT} -e weave_cpu_limit=${WEAVE_CPU_LIMIT}
-e "${EXTRA_SETTINGS}"
--limit "all:!fake_hosts" --limit "all:!fake_hosts"
cluster.yml; cluster.yml;
fi fi
@ -323,13 +328,17 @@ before_script:
CLUSTER_MODE: default CLUSTER_MODE: default
STARTUP_SCRIPT: "" STARTUP_SCRIPT: ""
.centos7_flannel_variables: &centos7_flannel_variables .centos7_flannel_addons_variables: &centos7_flannel_addons_variables
# stage: deploy-gce-part2 # stage: deploy-gce-part2
KUBE_NETWORK_PLUGIN: flannel KUBE_NETWORK_PLUGIN: flannel
CLOUD_IMAGE: centos-7 CLOUD_IMAGE: centos-7
CLOUD_REGION: us-west1-a CLOUD_REGION: us-west1-a
CLOUD_MACHINE_TYPE: "n1-standard-1" CLOUD_MACHINE_TYPE: "n1-standard-1"
CLUSTER_MODE: default CLUSTER_MODE: default
EXTRA_SETTINGS: >-
{ helm_enabled: true,
istio_enabled: true,
efk_enabled: true }
STARTUP_SCRIPT: "" STARTUP_SCRIPT: ""
.debian8_calico_variables: &debian8_calico_variables .debian8_calico_variables: &debian8_calico_variables
@ -440,24 +449,24 @@ coreos-calico-sep-triggers:
when: on_success when: on_success
only: ['triggers'] only: ['triggers']
centos7-flannel: centos7-flannel-addons:
stage: deploy-gce-part2 stage: deploy-gce-part2
<<: *job <<: *job
<<: *gce <<: *gce
variables: variables:
<<: *gce_variables <<: *gce_variables
<<: *centos7_flannel_variables <<: *centos7_flannel_addons_variables
when: on_success when: on_success
except: ['triggers'] except: ['triggers']
only: [/^pr-.*$/] only: [/^pr-.*$/]
centos7-flannel-triggers: centos7-flannel-addons-triggers:
stage: deploy-gce-part1 stage: deploy-gce-part1
<<: *job <<: *job
<<: *gce <<: *gce
variables: variables:
<<: *gce_variables <<: *gce_variables
<<: *centos7_flannel_variables <<: *centos7_flannel_addons_variables
when: on_success when: on_success
only: ['triggers'] only: ['triggers']
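Review bot: The new `-e "${EXTRA_SETTINGS}"` argument in the four ansible-playbook invocations passes a whole extra-vars document to Ansible, and extra vars take the highest precedence, so whoever can set that CI variable can override any playbook variable, not only the addon switches. A comment next to the `EXTRA_SETTINGS: "{}"` default would make that explicit, e.g. `# EXTRA_SETTINGS: inline YAML/JSON passed to ansible-playbook -e; overrides every other variable source`. If trigger or project-level variables can reach these jobs, it is worth confirming who is allowed to set them. The rename to `centos7-flannel-addons` also appears to leave no CentOS 7 flannel job without addons in the visible part of the file.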


@ -151,6 +151,9 @@ efk_enabled: false
# Helm deployment # Helm deployment
helm_enabled: false helm_enabled: false
# Istio depoyment
istio_enabled: false
# Make a copy of kubeconfig on the host that runs Ansible in GITDIR/artifacts # Make a copy of kubeconfig on the host that runs Ansible in GITDIR/artifacts
# kubeconfig_localhost: false # kubeconfig_localhost: false
# Download kubectl onto the host that runs Ansible in GITDIR/artifacts # Download kubectl onto the host that runs Ansible in GITDIR/artifacts
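Review bot: The added comment `# Istio depoyment` has a typo and should read `# Istio deployment`. The switch appears to depend on alpha API server features that this commit enables in other files, so the comment could say so, e.g. `# Istio deployment (relies on the alpha Initializers admission plugin)`.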


@ -38,6 +38,11 @@ kubeadm_download_url: "https://storage.googleapis.com/kubernetes-release/release
# Checksums # Checksums
kubeadm_checksum: "9f4b9cf255d5ef45481d5a1b20bfe84c1d633d67cd50eeaa5c8712fb8fc1bd5b" kubeadm_checksum: "9f4b9cf255d5ef45481d5a1b20bfe84c1d633d67cd50eeaa5c8712fb8fc1bd5b"
istio_version: "0.2.6"
istioctl_download_url: "https://storage.googleapis.com/istio-release/releases/{{ istio_version }}/istioctl/istioctl-linux"
istioctl_checksum: fd703063c540b8c0ab943f478c05ab257d88ae27224c746a27d0526ddbf7c370
# Containers # Containers
etcd_image_repo: "quay.io/coreos/etcd" etcd_image_repo: "quay.io/coreos/etcd"
etcd_image_tag: "{{ etcd_version }}" etcd_image_tag: "{{ etcd_version }}"
@ -132,6 +137,15 @@ downloads:
unarchive: false unarchive: false
owner: "root" owner: "root"
mode: "0755" mode: "0755"
istioctl:
version: "{{ istio_version }}"
dest: "istio/istioctl"
sha256: "{{ istioctl_checksum }}"
source_url: "{{ istioctl_download_url }}"
url: "{{ istioctl_download_url }}"
unarchive: false
owner: "root"
mode: "0755"
hyperkube: hyperkube:
container: true container: true
repo: "{{ hyperkube_image_repo }}" repo: "{{ hyperkube_image_repo }}"
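Review bot: `istio_version`, `istioctl_download_url` and `istioctl_checksum` are defined here and again, with the same values, in the Istio role defaults added by this commit, so the version and the SHA-256 that pins the binary have two sources of truth. A later bump that touches only one copy will presumably either fail the checksum verification or leave the CLI and the images on different releases, depending on which definition wins. Keep the three variables in one place, and quote the digest like the neighbouring `kubeadm_checksum`, since a digest consisting only of digits would otherwise be read as a number: `istioctl_checksum: "fd703063c540b8c0ab943f478c05ab257d88ae27224c746a27d0526ddbf7c370"`.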


@ -0,0 +1,32 @@
---
istio_enabled: false
istio_namespace: istio-system
istio_version: "0.2.6"
istioctl_download_url: "https://storage.googleapis.com/istio-release/releases/{{ istio_version }}/istioctl/istioctl-linux"
istioctl_checksum: fd703063c540b8c0ab943f478c05ab257d88ae27224c746a27d0526ddbf7c370
istio_proxy_image_repo: docker.io/istio/proxy
istio_proxy_image_tag: "{{ istio_version }}"
istio_proxy_init_image_repo: docker.io/istio/proxy_init
istio_proxy_init_image_tag: "{{ istio_version }}"
istio_ca_image_repo: docker.io/istio/istio-ca
istio_ca_image_tag: "{{ istio_version }}"
istio_mixer_image_repo: docker.io/istio/mixer
istio_mixer_image_tag: "{{ istio_version }}"
istio_pilot_image_repo: docker.io/istio/pilot
istio_pilot_image_tag: "{{ istio_version }}"
istio_proxy_debug_image_repo: docker.io/istio/proxy_debug
istio_proxy_debug_image_tag: "{{ istio_version }}"
istio_sidecar_initializer_image_repo: docker.io/istio/sidecar_initializer
istio_sidecar_initializer_image_tag: "{{ istio_version }}"
istio_statsd_image_repo: prom/statsd-exporter
istio_statsd_image_tag: latest
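Review bot: `istio_statsd_image_tag: latest` is the only image in this file that is not pinned; every other tag follows `istio_version`. A mutable tag means the image that actually runs can change between deployments without any change in this repository, which makes a rollout hard to reproduce or audit. Pin it to a fixed release tag or digest, e.g. `istio_statsd_image_tag: "<PINNED_TAG>"`, choosing the version the Istio 0.2.6 manifests were tested with.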


@ -0,0 +1,4 @@
---
dependencies:
- role: download
file: "{{ downloads.istioctl }}"


@ -0,0 +1,45 @@
---
- name: istio | Create addon dir
file:
path: "{{ kube_config_dir }}/addons/istio"
owner: root
group: root
mode: 0755
recurse: yes
- name: istio | Lay out manifests
template:
src: "{{item.file}}.j2"
dest: "{{kube_config_dir}}/addons/istio/{{item.file}}"
with_items:
- {name: istio-mixer, file: istio.yml, type: deployment }
- {name: istio-initializer, file: istio-initializer.yml, type: deployment }
register: manifests
when: inventory_hostname == groups['kube-master'][0]
- name: istio | Copy istioctl binary from download dir
command: rsync -piu "{{ local_release_dir }}/istio/istioctl" "{{ bin_dir }}/istioctl"
changed_when: false
- name: istio | Set up bash completion
shell: "{{ bin_dir }}/istioctl completion >/etc/bash_completion.d/istioctl.sh"
when: ansible_os_family in ["Debian","RedHat"]
- name: istio | Set bash completion file
file:
path: /etc/bash_completion.d/istioctl.sh
owner: root
group: root
mode: 0755
when: ansible_os_family in ["Debian","RedHat"]
- name: istio | apply manifests
kube:
name: "{{item.item.name}}"
namespace: "{{ istio_namespace }}"
kubectl: "{{bin_dir}}/kubectl"
resource: "{{item.item.type}}"
filename: "{{kube_config_dir}}/addons/istio/{{item.item.file}}"
state: "latest"
with_items: "{{ manifests.results }}"
when: inventory_hostname == groups['kube-master'][0]
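Review bot: The `istio | Set up bash completion` task regenerates `/etc/bash_completion.d/istioctl.sh` through `shell` on every run and always reports changed, and the following task then marks a file that is only sourced as executable. Adding `changed_when: false` (or a `creates:` argument) keeps the play idempotent, and `mode: "0644"` is enough for the completion file. The numeric modes in this file are also unquoted (`mode: 0755`); quoting them as `mode: "0755"` matches the download entries elsewhere in this commit and avoids relying on YAML octal parsing.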


@ -0,0 +1,84 @@
# GENERATED FILE. Use with Kubernetes 1.7+
# TO UPDATE, modify files in install/kubernetes/templates and run install/updateVersion.sh
################################
# Istio initializer
################################
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-inject
namespace: {{ istio_namespace }}
data:
config: |-
policy: "enabled"
namespaces: [""] # everything, aka v1.NamepsaceAll, aka cluster-wide
initializerName: "sidecar.initializer.istio.io"
params:
initImage: {{ istio_proxy_init_image_repo }}:{{ istio_proxy_init_image_tag }}
proxyImage: {{ istio_proxy_image_repo }}:{{ istio_proxy_image_tag }}
verbosity: 2
version: 0.2.6
meshConfigMapName: istio
imagePullPolicy: IfNotPresent
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: istio-initializer-service-account
namespace: {{ istio_namespace }}
---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: istio-initializer
namespace: {{ istio_namespace }}
annotations:
sidecar.istio.io/inject: "false"
initializers:
pending: []
labels:
istio: istio-initializer
spec:
replicas: 1
template:
metadata:
name: istio-initializer
labels:
istio: initializer
annotations:
sidecar.istio.io/inject: "false"
spec:
serviceAccountName: istio-initializer-service-account
containers:
- name: initializer
image: {{ istio_sidecar_initializer_image_repo }}:{{ istio_sidecar_initializer_image_tag }}
imagePullPolicy: IfNotPresent
args:
- --port=8083
- --namespace={{ istio_namespace }}
- -v=2
volumeMounts:
- name: config-volume
mountPath: /etc/istio/config
volumes:
- name: config-volume
configMap:
name: istio
---
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: InitializerConfiguration
metadata:
name: istio-sidecar
initializers:
- name: sidecar.initializer.istio.io
rules:
- apiGroups:
- "*"
apiVersions:
- "*"
resources:
- deployments
- statefulsets
- jobs
- daemonsets
---
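Review bot: The ConfigMap hard-codes `version: 0.2.6` while the image tags beside it are rendered from variables, so overriding `istio_version` produces a config whose declared version no longer matches the injected images; `version: {{ istio_version }}` keeps them together. The scope also deserves a comment for operators: with `namespaces: [""]` and `policy: "enabled"` the initializer applies to deployments, statefulsets, jobs and daemonsets in every namespace. With the alpha Initializers mechanism, objects stay uninitialized until the initializer has processed them, so an unavailable single-replica `istio-initializer` can hold up workload creation cluster-wide. The trailing `---` on the last line renders an empty document and can be dropped.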

File diff suppressed because it is too large Load diff


@ -34,3 +34,8 @@ dependencies:
tags: tags:
- apps - apps
- helm - helm
- role: kubernetes-apps/istio
when: istio_enabled
tags:
- apps
- istio


@ -44,6 +44,12 @@ kube_apiserver_admission_control:
- ServiceAccount - ServiceAccount
- DefaultStorageClass - DefaultStorageClass
- ResourceQuota - ResourceQuota
- Initializers
- GenericAdmissionWebhook
# extra runtime config
kube_api_runtime_config:
- admissionregistration.k8s.io/v1alpha1
## Enable/Disable Kube API Server Authentication Methods ## Enable/Disable Kube API Server Authentication Methods
kube_basic_auth: true kube_basic_auth: true
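Review bot: `Initializers` and `GenericAdmissionWebhook` are appended to the default admission chain and `admissionregistration.k8s.io/v1alpha1` is enabled for every cluster, whether or not `istio_enabled` is set; the `kube_feature_gates: ['Initializers=true']` default changed in the last file section of this commit has the same issue. These are alpha features, and turning them on by default widens the API surface of clusters that never deploy Istio. Consider leaving the defaults as they were and adding the three settings only when `istio_enabled` is true, or at least adding a comment here such as `# required by the Istio addon (alpha)`. The template that consumes `kube_api_runtime_config` is not visible in this section.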


@ -45,6 +45,8 @@ spec:
{% endif %} {% endif %}
- --tls-cert-file={{ kube_cert_dir }}/apiserver.pem - --tls-cert-file={{ kube_cert_dir }}/apiserver.pem
- --tls-private-key-file={{ kube_cert_dir }}/apiserver-key.pem - --tls-private-key-file={{ kube_cert_dir }}/apiserver-key.pem
- --proxy-client-cert-file={{ kube_cert_dir }}/apiserver.pem
- --proxy-client-key-file={{ kube_cert_dir }}/apiserver-key.pem
{% if kube_token_auth|default(true) %} {% if kube_token_auth|default(true) %}
- --token-auth-file={{ kube_token_dir }}/known_tokens.csv - --token-auth-file={{ kube_token_dir }}/known_tokens.csv
{% endif %} {% endif %}
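Review bot: The two added flags reuse the API server's serving certificate and key (`apiserver.pem` / `apiserver-key.pem`) as the proxy client identity. A dedicated client certificate for this purpose keeps the serving key out of the client-auth role and lets backends trust the proxy identity separately from the server identity; whether the serving certificate carries the client-auth key usage is not visible from this hunk. The flags are also added unconditionally, so if they are needed only for the addon they could sit behind the same kind of `{% if %}` guard used for `--token-auth-file` just below. The rest of the manifest lies outside the hunk.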


@ -153,7 +153,7 @@ rbac_enabled: "{{ 'RBAC' in authorization_modes or kubeadm_enabled }}"
## List of key=value pairs that describe feature gates for ## List of key=value pairs that describe feature gates for
## the k8s cluster. ## the k8s cluster.
kube_feature_gates: [] kube_feature_gates: ['Initializers=true']
# Vault data dirs. # Vault data dirs.
vault_base_dir: /etc/vault vault_base_dir: /etc/vault