- This upgrade introduces a new component named `danm_webhook`.
- Previously statically templated DANM CRDs now also come from the repo
at build time.
- Use default tenant network on infra components
Change-Id: I923b5e7aab7841006567681b071ddb0d292209cc
Signed-off-by: Krisztian Lengyel <krisztian.lengyel@nokia.com>
%define COMPONENT infra-charts
%define RPM_NAME caas-%{COMPONENT}
%define RPM_MAJOR_VERSION 1.0.0
-%define RPM_MINOR_VERSION 16
+%define RPM_MINOR_VERSION 17
Name: %{RPM_NAME}
Version: %{RPM_MAJOR_VERSION}
%define COMPONENT instantiate
%define RPM_NAME caas-%{COMPONENT}
%define RPM_MAJOR_VERSION 1.0.0
-%define RPM_MINOR_VERSION 9
+%define RPM_MINOR_VERSION 10
Name: %{RPM_NAME}
Version: %{RPM_MAJOR_VERSION}
sed -ri '/^rbac_manifests_directory/{s|:.*|: %{_caas_rbac_manifests_path}|}' %{buildroot}/%{_cm_caas_config_file}
sed -ri '/^caas_chart_path/{s|:.*|: %{_caas_chart_path}|}' %{buildroot}/%{_cm_caas_config_file}
sed -ri '/^libexec_dir/{s|:.*|: %{_caas_libexec_path}|}' %{buildroot}/%{_cm_caas_config_file}
+sed -ri '/^danm_crd_dir/{s|:.*|: %{_caas_danm_crd_path}|}' %{buildroot}/%{_cm_caas_config_file}
%files
%{_playbooks_path}/*
# limitations under the License.
from ansible.errors import AnsibleError
+import itertools
class FilterModule(object):
def filters(self):
return {
+ 'extract_sriov_provider_network_interfaces': extract_sriov_provider_network_interfaces,
+ 'filter_network_profiles_by_type': filter_network_profiles_by_type,
+ 'filter_provider_networks_by_type': filter_provider_networks_by_type,
'get_kube_options': get_kube_options,
'get_mapped_key': get_mapped_key,
+ 'get_provider_networks': get_provider_networks,
}
-def get_kube_options(options):
- if not isinstance(options, dict):
- raise AnsibleError("Invalid type {}. Options must be dictionary!".format(type(options)))
+def extract_sriov_provider_network_interfaces(sriov_networks):
+ return list(itertools.chain.from_iterable(
+ [network.get('interfaces', [])
+ for network in sriov_networks.itervalues()]))
+
+
+def filter_network_profiles_by_type(profiles, key, type):
+ return {name: profile for name, profile in profiles.iteritems()
+ if key in profile and filter((lambda x: x.get('type', "") == type), profile[key].itervalues())}
+
+
+def filter_provider_networks_by_type(profile, type):
+ return {name: network for name, network in profile.iteritems()
+ if network.get('type', "") == type}
+
+def get_kube_options(options):
+ _validate_dict(options)
option_template = "{}={}"
formated_options = [option_template.format(option, str(value))
for option, value in options.iteritems()]
return key
+def get_provider_networks(network_interfaces):
+ return list(itertools.chain.from_iterable(
+ [interface.get('provider_networks', [])
+ for interface in network_interfaces.itervalues()]))
+
+
def _validate_dict(value):
if not isinstance(value, dict):
- raise AnsibleError("Invalid type {}. Options must be dictionary!".format(type(options)))
+ raise AnsibleError("Invalid type {}. Options must be dictionary!".format(type(value)))
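Review bot: In `filter_network_profiles_by_type` the result of `filter(...)` is used as a truth value, which only works while `filter` returns a list (Python 2); once the module is ported to Python 3 it returns an iterator that is always truthy, so every profile containing `key` would pass. `any(x.get('type', "") == type for x in profile[key].itervalues())` states the intent and stops at the first match. The four new filters also skip `_validate_dict`, so a non-dict value from the inventory fails with a bare AttributeError instead of the AnsibleError that `get_kube_options` raises; calling `_validate_dict(...)` first in each would keep the error handling consistent. The parameter name `type` also shadows the builtin.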
- svcwatcher
- netwatcher
- fluentd
+ - danm-webhook
infra_chart_separated_values:
- fluentd
# limitations under the License.
dependencies:
+ - role: creategroup
+ _name: danm
+ _gid: "{{ caas.uid.danm }}"
+ become: true
+ become_user: "root"
+
+ - role: createuser
+ _name: danm
+ _group: danm
+ _groups: ''
+ _shell: /sbin/nologin
+ _home: /
+ _uid: "{{ caas.uid.danm }}"
+ become: true
+ become_user: "root"
+
- role: cert
instance: "cpuwebhook"
cert_name: "cpuwebhook.crt"
become: true
become_user: "root"
+ - role: cert
+ instance: "danm-webhook"
+ cert_name: "danm_webhook.crt"
+ key_name: "danm_webhook.key"
+ cert_path: /etc/kubernetes/ssl
+ common_name: "danm-webhook"
+ add_users:
+ - danm
+ alt_names:
+ dns:
+ - "danm-webhook-svc.kube-system.svc.{{ caas.dns_domain }}"
+ - "danm-webhook-svc.kube-system.svc"
+ become: true
+ become_user: "root"
+
- role: cert
instance: "prometheus"
cert_name: "prometheus.crt"
# See the License for the specific language governing permissions and
# limitations under the License.
- - name: prepare cpupooler
- import_tasks: prepare_cpupooler.yaml
+ - name: prepare ca bundle
+ import_tasks: prepare_ca_bundle.yaml
- name: prepare metrics
import_tasks: prepare_metrics.yaml
become_user: "root"
no_log: true
-- name: set cpu_ca_bundle
+- name: set ca_bundle
set_fact:
webhooks_ca: "{{ temp_webhook_ca_bundle.stdout }}"
no_log: true
apiserver_secure_port: 6443
apiserver_svc_port: 443
default_partition_size: 16
-danmnet_default_name: flannel
+danmnet_default_name: default
danmnet_default_namespace: kube-system
danmnet_default_network_id: flannel
danmnet_default_network_type: flannel
user: admin
tenant: admin
password: willbechanged
+danm_crd_dir: "{{ caas_base_directory }}/crds"
+danm_webhook_port: 443
+danm_webhook_target_port: 6443
{{ .Values.kubernetes_component_label }}: cpu-device-plugin
template:
metadata:
- annotations:
- danm.k8s.io/interfaces: |
- [
- {
- "network":"flannel"
- }
- ]
labels:
{{ .Values.kubernetes_component_label }}: cpu-device-plugin
spec:
{{ .Values.kubernetes_component_label }}: cpu-setter
template:
metadata:
- annotations:
- danm.k8s.io/interfaces: |
- [
- {
- "network":"flannel"
- }
- ]
labels:
{{ .Values.kubernetes_component_label }}: cpu-setter
spec:
labels:
{{ .Values.kubernetes_component_label }}: custom-metrics-apiserver
name: custom-metrics-apiserver
- annotations:
- danm.k8s.io/interfaces: |
- [
- {
- "network":"flannel"
- }
- ]
spec:
priorityClassName: "system-cluster-critical"
nodeSelector:
--- /dev/null
+{{/*
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{ if .Values.danm_webhook.required }}
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: danm-webhook-config
+ namespace: kube-system
+webhooks:
+ - name: danm-netvalidation.nokia.k8s.io
+ clientConfig:
+ service:
+ name: danm-webhook-svc
+ namespace: kube-system
+ path: "/netvalidation"
+ caBundle: "{{ .Values.danm_webhook.webhook_ca_bundle }}"
+ rules:
+ - operations: ["CREATE","UPDATE"]
+ apiGroups: ["danm.k8s.io"]
+ apiVersions: ["v1"]
+ resources: ["clusternetworks","tenantnetworks"]
+ failurePolicy: Fail
+ - name: danm-configvalidation.nokia.k8s.io
+ clientConfig:
+ service:
+ name: danm-webhook-svc
+ namespace: kube-system
+ path: "/confvalidation"
+ caBundle: "{{ .Values.danm_webhook.webhook_ca_bundle }}"
+ rules:
+ - operations: ["CREATE","UPDATE"]
+ apiGroups: ["danm.k8s.io"]
+ apiVersions: ["v1"]
+ resources: ["tenantconfigs"]
+ failurePolicy: Fail
+ - name: danm-netdeletion.nokia.k8s.io
+ clientConfig:
+ service:
+ name: danm-webhook-svc
+ namespace: kube-system
+ path: "/netdeletion"
+ caBundle: "{{ .Values.danm_webhook.webhook_ca_bundle }}"
+ rules:
+ - operations: ["DELETE"]
+ apiGroups: ["danm.k8s.io"]
+ apiVersions: ["v1"]
+ resources: ["tenantnetworks"]
+ failurePolicy: Fail
+{{ end }}
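Review bot: `namespace: kube-system` under `metadata` has no effect here, because MutatingWebhookConfiguration is a cluster-scoped resource; dropping the line avoids suggesting the configuration is namespaced. All three webhooks use `failurePolicy: Fail`, which is the right fail-closed choice for validation, but it means writes to the listed `danm.k8s.io` resources are rejected whenever `danm-webhook-svc` is unreachable. A comment such as `# fail closed: DANM API writes are rejected while the webhook is down` above the first `failurePolicy` would record that this is intentional.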
--- /dev/null
+{{/*
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{ if .Values.danm_webhook.required }}
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: danm-webhook-deployment
+ namespace: kube-system
+ labels:
+ {{ .Values.kubernetes_component_label }}: danm-webhook
+spec:
+ selector:
+ matchLabels:
+ {{ .Values.kubernetes_component_label }}: danm-webhook
+ template:
+ metadata:
+ name: danm-webhook
+ labels:
+ {{ .Values.kubernetes_component_label }}: danm-webhook
+ spec:
+ serviceAccountName: danm-webhook
+ nodeSelector:
+ nodetype: caas_master
+ containers:
+ - name: danm-webhook
+ image: {{ .Values.registry_url }}/{{ .Values.registry_reponame }}/danm-webhook:{{ .Values.danm_webhook.container_version }}
+ command: [ "/usr/local/bin/webhook", "-tls-cert-bundle=/etc/webhook/certs/danm_webhook.crt", "-tls-private-key-file=/etc/webhook/certs/danm_webhook.key", "-bind-port={{ .Values.danm_webhook.webhook_target_port }}" ]
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - name: webhook-certs
+ mountPath: /etc/webhook/certs
+ readOnly: true
+ volumes:
+ # TODO: make it a secret
+ - name: webhook-certs
+ hostPath:
+ path: /etc/kubernetes/ssl/
+{{ end }}
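Review bot: The `webhook-certs` volume mounts the whole of `/etc/kubernetes/ssl/` from the host, so the webhook container can read any other certificate or private key stored there, not only the `danm_webhook.crt` and `danm_webhook.key` files its command line uses. Until the TODO is resolved with a Secret, the exposure can be narrowed by mounting only those two files, for example as two `hostPath` volumes with `type: File`. The pod spec also sets no `securityContext`; the role dependencies in this commit create a `danm` user and grant it access to the key through `add_users`, which suggests the container is meant to run under that uid. If so, `runAsUser` and `runAsNonRoot: true` should be set explicitly rather than left to the image.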
--- /dev/null
+{{/*
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{ if .Values.danm_webhook.required }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: danm-webhook-svc
+ namespace: kube-system
+ labels:
+ {{ .Values.kubernetes_component_label }}: danm-webhook
+spec:
+ ports:
+ - name: webhook
+ port: {{ .Values.danm_webhook.webhook_port }}
+ targetPort: {{ .Values.danm_webhook.webhook_target_port }}
+ selector:
+ {{ .Values.kubernetes_component_label }}: danm-webhook
+{{ end }}
labels:
app: elasticsearch-data
component: "{{ .Values.elasticsearch.data.name }}"
- annotations:
- danm.k8s.io/interfaces: |
- [
- {
- "network":"flannel"
- }
- ]
spec:
priorityClassName: "system-cluster-critical"
affinity:
labels:
app: elasticsearch-master
component: "{{ .Values.elasticsearch.master.name }}"
- annotations:
- danm.k8s.io/interfaces: |
- [
- {
- "network":"flannel"
- }
- ]
spec:
priorityClassName: "system-cluster-critical"
affinity:
metadata:
annotations:
config/timestamp: "{{ .Values.fluentd.config_timestamp }}"
- danm.k8s.io/interfaces: |
- [
- {
- "network":"flannel"
- }
- ]
labels:
{{ .Values.kubernetes_component_label }}: fluentd-logging
version: v1
{{ .Values.kubernetes_component_label }}: metrics-server
template:
metadata:
- annotations:
- danm.k8s.io/interfaces: |
- [
- {
- "network":"flannel"
- }
- ]
name: metrics-server
labels:
{{ .Values.kubernetes_component_label }}: metrics-server
{{ .Values.kubernetes_component_label }}: prometheus
annotations:
prometheus.io/scrape: 'false'
- danm.k8s.io/interfaces: |
- [
- {
- "network":"flannel"
- }
- ]
spec:
priorityClassName: "system-cluster-critical"
nodeSelector:
name: sriovdp
template:
metadata:
- annotations:
- danm.k8s.io/interfaces: |
- [
- {
- "network":"flannel"
- }
- ]
labels:
name: sriovdp
spec:
{{ .Values.kubernetes_component_label }}: svcwatcher
template:
metadata:
- annotations:
- danm.k8s.io/interfaces: |
- [
- {
- "network":"flannel"
- }
- ]
labels:
{{ .Values.kubernetes_component_label }}: svcwatcher
spec:
spec:
template:
metadata:
- annotations:
- danm.k8s.io/interfaces: |
- [
- {
- "network":"flannel"
- }
- ]
spec:
containers:
- name: webhook-cfg-updater
{{ .Values.kubernetes_component_label }}: cpu-dev-pod-mutator
template:
metadata:
- annotations:
- danm.k8s.io/interfaces: |
- [
- {
- "network":"flannel"
- }
- ]
name: cpu-dev-pod-mutator
labels:
{{ .Values.kubernetes_component_label }}: cpu-dev-pod-mutator
cpu_poolconfigs:
{{ ansible_local['cpu_pooler_config'] | default([]) | to_nice_yaml | indent(4) }}
+danm_webhook:
+ required: true
+ container_version: {{ container_image_names | select('search', '/danm-webhook') | list | last | regex_replace('.*:([\\w\\-_\\.]+)$', '\\1') }}
+ webhook_ca_bundle: {{ webhooks_ca }}
+ webhook_port: {{ caas.danm_webhook_port }}
+ webhook_target_port: {{ caas.danm_webhook_target_port }}
+
elasticsearch:
{% set clustermasternodes = [] -%}
{%- for masternumber in range(groups['caas_master']|length|int) -%}
{%- if clustermasternodes.append('elasticsearch-master-' + (masternumber|string)) -%}{%- endif -%}
{%- endfor %}
clustermasternodes: '{{ clustermasternodes|join(", ") }}'
-{% if caas.infra_log_store is defined and caas.infra_log_store != 'remote_syslog' %}
+{% if caas.infra_log_store is defined and caas.infra_log_store != 'remote_syslog' %}
required: true
{% endif %}
url: {{ caas.elasticsearch_url }}