Added seed code for caas-install.
Change-Id: Ic654b4f0704d373948d7a5c9e08facc94dbec7bf
Signed-off-by: Szekeres, Balazs (Nokia - HU/Budapest) <balazs.szekeres@nokia.com>
--- /dev/null
+
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+
--- /dev/null
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+%define COMPONENT infra-charts
+%define RPM_NAME caas-%{COMPONENT}
+%define RPM_MAJOR_VERSION 1.0.0
+%define RPM_MINOR_VERSION 1
+%define CHART_DIR /var/lib/caas/infra-charts/
+
+Name: %{RPM_NAME}
+Version: %{RPM_MAJOR_VERSION}
+Release: %{RPM_MINOR_VERSION}%{?dist}
+Summary: Containers as a Service helm charts
+License: %{_platform_license}
+BuildArch: x86_64
+Vendor: %{_platform_vendor}
+Source0: %{name}-%{version}.tar.gz
+
+%description
+This rpm contains the necessary helm charts to deploy the caas subsystem.
+
+%prep
+%autosetup
+
+%build
+
+%install
+mkdir -p %{buildroot}/%{_playbooks_path}/
+rsync -av ansible/playbooks/install_caas_infra.yaml %{buildroot}/%{_playbooks_path}/
+
+mkdir -p %{buildroot}/%{_roles_path}/
+rsync -av ansible/roles/install_caas_infra %{buildroot}/%{_roles_path}/
+rsync -av ansible/roles/pre_install_caas_infra %{buildroot}/%{_roles_path}/
+
+mkdir -p %{buildroot}/%{CHART_DIR}/
+rsync -av infra-charts/* %{buildroot}/%{CHART_DIR}/
+
+%files
+%{_playbooks_path}/*
+%{_roles_path}/*
+%{CHART_DIR}/*
+
+
+%preun
+
+%post
+mkdir -p %{_postconfig_path}/
+ln -sf %{_playbooks_path}/install_caas_infra.yaml %{_postconfig_path}/
+
+
+%postun
+if [ $1 -eq 0 ]; then
+ rm -f %{_postconfig_path}/install_caas_infra.yaml
+fi
+
+%clean
+rm -rf ${buildroot}
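Review bot: `%clean` runs `rm -rf ${buildroot}`, a shell variable that nothing in this spec sets, instead of the `%{buildroot}` macro used in `%install`, so the build root is never removed; change it to `rm -rf %{buildroot}`. The `install_caas_infra.yaml` symlink is created in `%post` and is therefore not in `%files`; creating the link in `%install` and listing it in `%files` would let rpm track and remove it, and the `%postun` cleanup could go.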
--- /dev/null
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+%define COMPONENT instantiate
+%define RPM_NAME caas-%{COMPONENT}
+%define RPM_MAJOR_VERSION 1.0.0
+%define RPM_MINOR_VERSION 1
+
+Name: %{RPM_NAME}
+Version: %{RPM_MAJOR_VERSION}
+Release: %{RPM_MINOR_VERSION}%{?dist}
+Summary: Containers as a Service instantiate playbooks
+License: %{_platform_license}
+BuildArch: x86_64
+Vendor: %{_platform_vendor}
+Source0: %{name}-%{version}.tar.gz
+
+%description
+This rpm contains the necessary playbooks to instantiate the caas subsystem.
+
+%prep
+%autosetup
+
+%build
+
+%install
+mkdir -p %{buildroot}/%{_playbooks_path}/
+rsync -av ansible/playbooks/app_install.yaml %{buildroot}/%{_playbooks_path}/
+rsync -av ansible/playbooks/caas_cleanup.yaml %{buildroot}/%{_playbooks_path}/
+rsync -av ansible/playbooks/cloud_admin_user.yaml %{buildroot}/%{_playbooks_path}/
+rsync -av ansible/playbooks/common.yaml %{buildroot}/%{_playbooks_path}/
+rsync -av ansible/playbooks/docker.yaml %{buildroot}/%{_playbooks_path}/
+rsync -av ansible/playbooks/image_push.yaml %{buildroot}/%{_playbooks_path}/
+rsync -av ansible/playbooks/openrc_hack.yaml %{buildroot}/%{_playbooks_path}/
+rsync -av ansible/playbooks/pre_config_all.yaml %{buildroot}/%{_playbooks_path}/
+
+mkdir -p %{buildroot}/%{_roles_path}/
+rsync -av ansible/roles/app_install %{buildroot}/%{_roles_path}/
+rsync -av ansible/roles/caas_cleanup %{buildroot}/%{_roles_path}/
+rsync -av ansible/roles/cloud_admin_user %{buildroot}/%{_roles_path}/
+rsync -av ansible/roles/common_tasks %{buildroot}/%{_roles_path}/
+rsync -av ansible/roles/docker %{buildroot}/%{_roles_path}/
+rsync -av ansible/roles/docker_image_load %{buildroot}/%{_roles_path}/
+rsync -av ansible/roles/docker_image_push %{buildroot}/%{_roles_path}/
+rsync -av ansible/roles/manifests %{buildroot}/%{_roles_path}/
+rsync -av ansible/roles/nodeconf %{buildroot}/%{_roles_path}/
+rsync -av ansible/roles/pre_config_all %{buildroot}/%{_roles_path}/
+
+mkdir -p %{buildroot}%_platform_etc_path/playbooks/bootstrapping/
+
+mkdir -p %{buildroot}%/etc/lcm/playbooks/installation/provisioning/
+
+mkdir -p %{buildroot}/etc/ansible/roles/plugins/filter/
+rsync -av ansible/filter_plugins/* %{buildroot}/etc/ansible/roles/plugins/filter/
+
+mkdir -p %{buildroot}/etc/ansible/roles/plugins/library/
+rsync -av ansible/library/* %{buildroot}/etc/ansible/roles/plugins/library/
+
+mkdir -p %{buildroot}/etc/cmframework/config
+rsync -av cm_config/caas.yaml %{buildroot}/etc/cmframework/config/caas.yaml
+
+
+%files
+%{_playbooks_path}/*
+%{_roles_path}/*
+/etc/ansible/roles/plugins/filter/*
+/etc/ansible/roles/plugins/library/*
+/etc/cmframework/config/*
+
+
+%preun
+
+%post
+mkdir -p %{_postconfig_path}/
+ln -sf %{_playbooks_path}/app_install.yaml %{_postconfig_path}/
+ln -sf %{_playbooks_path}/cloud_admin_user.yaml %{_postconfig_path}/
+ln -sf %{_playbooks_path}/common.yaml %{_postconfig_path}/
+ln -sf %{_playbooks_path}/docker.yaml %{_postconfig_path}/
+ln -sf %{_playbooks_path}/image_push.yaml %{_postconfig_path}/
+ln -sf %{_playbooks_path}/openrc_hack.yaml %{_postconfig_path}/
+ln -sf %{_playbooks_path}/pre_config_all.yaml %{_postconfig_path}/
+
+mkdir -p %{_finalize_path}/
+ln -sf %{_playbooks_path}/caas_cleanup.yaml %{_finalize_path}/
+
+%postun
+if [ $1 -eq 0 ]; then
+ rm -f %{_postconfig_path}/app_install.yaml
+ rm -f %{_postconfig_path}/cloud_admin_user.yaml
+ rm -f %{_postconfig_path}/common.yaml
+ rm -f %{_postconfig_path}/docker.yaml
+ rm -f %{_postconfig_path}/image_push.yaml
+ rm -f %{_postconfig_path}/openrc_hack.yaml
+ rm -f %{_postconfig_path}/pre_config_all.yaml
+ rm -f %{_finalize_path}/caas_cleanup.yaml
+fi
+
+%clean
+rm -rf ${buildroot}
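Review bot: the line `mkdir -p %{buildroot}%/etc/lcm/playbooks/installation/provisioning/` in `%install` has a stray `%` after `%{buildroot}`, so the path it creates is not the intended one under the build root. Neither that directory nor `%_platform_etc_path/playbooks/bootstrapping/` appears in `%files`, so they are not packaged at all; either drop both `mkdir` lines or add the directories with `%dir`. `%clean` also uses `${buildroot}` instead of `%{buildroot}`.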
--- /dev/null
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+%define COMPONENT utils
+%define RPM_NAME caas-%{COMPONENT}
+%define RPM_MAJOR_VERSION 1.0.0
+%define RPM_MINOR_VERSION 1
+%define LIBEXEC_DIR /usr/libexec/nokia/
+%define KUBELET_PLUGINS_LOGDIR /var/log/kubelet-plugins/
+
+Name: %{RPM_NAME}
+Version: %{RPM_MAJOR_VERSION}
+Release: %{RPM_MINOR_VERSION}%{?dist}
+Summary: Containers as a Service supplementary utils
+License: %{_platform_license}
+BuildArch: x86_64
+Vendor: %{_platform_vendor}
+Source0: %{name}-%{version}.tar.gz
+
+Requires: initscripts
+
+%description
+This rpm contains the supplementary utils for caas subsystem.
+
+%prep
+
+%autosetup
+
+%build
+
+%install
+mkdir -p %{buildroot}/%{LIBEXEC_DIR}/
+# --------------------------- LOG
+mkdir -p %{buildroot}/etc/logrotate.d/
+install -m 0640 utils/log/kubelet-plugins %{buildroot}/etc/logrotate.d/
+sed -i -e 's|{{ kubelet_plugings_log_dir }}|%{KUBELET_PLUGINS_LOGDIR}|g' %{buildroot}/etc/logrotate.d/kubelet-plugins
+# --------------------------- DEPLOY
+install -m 0700 utils/deploy/merge_image.sh %{buildroot}/%{LIBEXEC_DIR}/
+mkdir -p %{buildroot}/etc/systemd/system/
+# --------------------------- COMMON
+mkdir -p %{buildroot}/etc/profile.d/
+install -m 0644 utils/common/aliases.sh %{buildroot}/etc/profile.d/
+
+%files
+%{LIBEXEC_DIR}/merge_image.sh
+/etc/profile.d/aliases.sh
+/etc/logrotate.d/kubelet-plugins
+%exclude %{LIBEXEC_DIR}/*pyc
+%exclude %{LIBEXEC_DIR}/*pyo
+
+%preun
+
+%post
+# --------------------------- LOG
+mkdir -p %{KUBELET_PLUGINS_LOGDIR}/
+grep "#CaaS CUSTOM BEGIN" /etc/logrotate.d/syslog > /dev/null;
+if [ $? -eq 0 ]; then
+ sed -i -e '/#CaaS CUSTOM BEGIN/,/#CaaS CUSTOM END/d' /etc/logrotate.d/syslog
+ fi
+sed -i.bak -e '/.*missingok/i #CaaS CUSTOM BEGIN\n hourly\n size 50\n#CaaS CUSTOM END' /etc/logrotate.d/syslog
+# --------------------------- DEPLOY
+find /usr/lib/debug/usr/ -xtype l -exec rm -f {} \;
+# --------------------------- COMMON
+
+%postun
+# If not upgrade, revert all CaaS related cusotmization
+if [ $1 == 0 ]; then
+
+# --------------------------- LOG
+ sed -i -e '/#CaaS CUSTOM BEGIN/,/#CaaS CUSTOM END/d' /etc/logrotate.d/syslog
+/usr/bin/systemctl daemon-reload
+# --------------------------- DEPLOY
+# --------------------------- COMMON
+ rm -rf /etc/profile.d/aliases.sh
+
+fi
+
+
+%clean
+rm -rf ${buildroot}
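Review bot: `%post` rewrites `/etc/logrotate.d/syslog` with `sed -i.bak`, a file that is not in this package's `%files`, so the change can be lost or conflict whenever the package that ships that file is updated, and the `.bak` copy left in `/etc/logrotate.d/` is never removed in `%postun`. The inserted `size 50` has no unit, which logrotate reads as 50 bytes; state the intended unit explicitly. The `find /usr/lib/debug/usr/ -xtype l -exec rm -f {} \;` line deletes dangling symlinks from a tree this package does not install and needs at least a comment saying why it belongs here. In `%postun`, `rm -rf /etc/profile.d/aliases.sh` is redundant because the file is listed in `%files`, and `[ $1 == 0 ]` should use `-eq` as the other specs do.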
--- /dev/null
+#!/usr/bin/python
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from ansible.errors import AnsibleError
+
+
+class FilterModule(object):
+ def filters(self):
+ return {
+ 'get_kube_options': get_kube_options,
+ }
+
+
+def get_kube_options(options):
+ if not isinstance(options, dict):
+ raise AnsibleError("Invalid type {}. Options must be dictionary!".format(type(options)))
+
+ option_template = "{}={}"
+ formated_options = [option_template.format(option, str(value))
+ for option, value in options.iteritems()]
+ return ",".join(formated_options)
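Review bot: `get_kube_options` joins keys and values with `=` and `,` without checking either for those characters, so a value that contains a comma turns into extra entries in the rendered option string; reject or escape such values before formatting. `options.iteritems()` exists only on Python 2 dicts, so use `options.items()`, and iterate over `sorted(...)` so the output is stable between runs and does not make the templated file look changed.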
--- /dev/null
+#!/usr/bin/python
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+import re
+import subprocess
+
+from ansible.module_utils.basic import AnsibleModule
+
+DOCUMENTATION = '''
+---
+module: kubectl
+version_added: "2.4"
+short_description: Simply module to manage Kubernetes objects via manifest files
+description:
+- "Simply module to manage Kubernetes objects via manifest files"
+options:
+ manifest:
+ description:
+ - Path of manifest file describing Kubernetes object(s)
+ required: true
+ type: str
+ kubeconfig:
+ description:
+ - Path of kubeconfig file used to connect apiserver
+ required: false
+ type: str
+ default: ~/.kube/config
+ timeout:
+ description:
+ - Max reauest timeout in seconds
+ required: false
+ type: int
+ default: 5
+ state:
+ required: false
+ default: present
+ choices: ['present', 'absent']
+author:
+ - krisztian.lengyel@nokia.com
+'''
+
+EXAMPLES = '''
+# Create a pod in Kubernetes
+- name: Create pod
+ kubectl:
+ manifest: /home/kube_manifests/some-useful-pod.yaml
+ state: present
+
+# Delete some service
+- name: Delete Kubernetes service
+ kubectl:
+ manifest: /home/kube_manifests/some-useless-svc.yaml
+ kubeconfig: /home/admin-kubeconfig.yaml
+ state: present
+
+# Create many object from a single file
+- name: Create stuffs
+ kubectl:
+ manifest: /home/kube_manifests/so-many-stuff.yaml
+ timeout: 30
+ state: present
+'''
+
+RETURN = '''
+message:
+ description: The output (stdout & stderr) of kubectl command
+'''
+
+STATE_MAPPING = {
+ "present": "create",
+ "absent": "delete"
+}
+
+ALREADY_EXIST_PATTERN = r'Error from server \(AlreadyExists\): error when creating .+ already exists'
+SVC_IP_ALREADY_ALLOCATED_PATTERN = r'The Service .+ is invalid: .+ provided IP is already allocated'
+NOT_FOUND_PATTERN = r'Error from server \(NotFound\): .+ not found'
+
+KUBECONFIG_PATH = ".kube/config"
+
+
+class KubectlExecutionError(Exception):
+ pass
+
+
+def main():
+ module = _build_initialized_module()
+
+ _add_defaults_to_params(module.params)
+
+ try:
+ result = _handle_module_result(*_execute_kubectl(module.params))
+ module.exit_json(**result)
+ except KubectlExecutionError as ex:
+ module.fail_json(msg=str(ex))
+
+
+def _build_initialized_module():
+ module_args = dict(
+ manifest=dict(required=True, type='str'),
+ kubeconfig=dict(required=False, type='str'),
+ timeout=dict(required=False, type='int', default=5),
+ state=dict(required=False, choices=['present', 'absent'], type='str', default="present")
+ )
+
+ return AnsibleModule(
+ argument_spec=module_args,
+ supports_check_mode=False
+ )
+
+
+def _add_defaults_to_params(params):
+ if not params['kubeconfig']:
+ params['kubeconfig'] = _get_default_kubeconfig_path()
+
+
+def _get_default_kubeconfig_path():
+ return "{}/{}".format(
+ os.environ.get('HOME', ''),
+ KUBECONFIG_PATH)
+
+
+def _execute_kubectl(params):
+ kubectl_command = STATE_MAPPING[params['state']]
+ kubectl_cmd = ("/usr/bin/kubectl", kubectl_command) + _get_kubectl_flags(params)
+ ansible_process = subprocess.Popen(kubectl_cmd,
+ stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE)
+ return ansible_process.communicate()
+
+
+def _get_kubectl_flags(flags):
+ return ("--kubeconfig={}".format(flags['kubeconfig']),
+ "--filename={}".format(flags['manifest']),
+ "--request-timeout={}s".format(flags['timeout']))
+
+
+def _handle_module_result(output, error):
+ changed = _is_changed(error)
+ if changed and error:
+ raise KubectlExecutionError("Error: {}".format(error))
+
+ return {
+ 'changed': changed,
+ 'message': output + error
+ }
+
+
+def _is_changed(message):
+ if (re.search(ALREADY_EXIST_PATTERN, message)
+ or re.search(SVC_IP_ALREADY_ALLOCATED_PATTERN, message)
+ or re.search(NOT_FOUND_PATTERN, message)):
+ return False
+ return True
+
+
+if __name__ == '__main__':
+ main()
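Review bot: `_execute_kubectl` returns only the `communicate()` output and never looks at `ansible_process.returncode`, so `_handle_module_result` decides success purely by regex on stderr. With a manifest that holds several objects, a single `AlreadyExists` line makes `_is_changed` return False, the `if changed and error` guard then skips the raise, and any other error in the same stderr is reported as an unchanged success; in the other direction, a kubectl failure with empty stderr is reported as changed. Return the exit code as well and fail on non-zero unless every stderr line matches one of the tolerated patterns. In `EXAMPLES`, the "Delete Kubernetes service" task uses `state: present`; it should be `absent`.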
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# cmframework.requires: fluentd.yaml
+- hosts: installation_controller:&caas_master
+ strategy: linear
+ become: true
+ become_user: "{{ users.admin_user_name }}"
+ roles:
+ - role: app_install
+ when: ( caas.chart_name is defined ) and ( caas.chart_name != "" ) and ( caas.chart_name is not none )
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- hosts: caas_nodes
+ strategy: free
+ become: true
+ become_user: "{{ users.admin_user_name }}"
+ roles:
+ - caas_cleanup
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# cmframework.requires: ntpdate.yaml
+- hosts: caas_nodes
+ strategy: free
+ become: true
+ become_user: "root"
+ roles:
+ - role: cloud_admin_user
+
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# cmframework.requires: cloud_admin_user.yaml
+- hosts: caas_nodes
+ strategy: free
+ become: true
+ become_user: "root"
+ roles:
+ - role: nodeconf
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# cmframework.requires: bare_lvm_backend.yml,common.yaml
+- hosts: caas_nodes
+ strategy: free
+ become: true
+ become_user: "{{ users.admin_user_name }}"
+ roles:
+ - docker
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# cmframework.requires: registry.yaml
+- hosts: installation_controller:&caas_master
+ strategy: free
+ become: true
+ become_user: "{{ users.admin_user_name }}"
+ roles:
+ - role: docker_image_push
+ wait_for_registry: true
+ images:
+ - hyperkube
+ - etcd
+ - kubedns
+ - flannel
+ - swift
+ - registry
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# cmframework.requires: helm.yaml
+- hosts: caas_master
+ strategy: free
+ become: true
+ become_user: "{{ users.admin_user_name }}"
+ roles:
+ - pre_install_caas_infra
+
+- hosts: installation_controller:&caas_master
+ strategy: free
+ become: true
+ become_user: "{{ users.admin_user_name }}"
+ roles:
+ - install_caas_infra
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# cmframework.requires: app_install.yaml
+- name: Create mandatory openrc file for finalize plays
+ hosts: installation_controller:&caas_master
+ strategy: free
+ become: true
+ become_user: "{{ users.admin_user_name }}"
+ tasks:
+ - name: Create mandatory openrc file for finalize plays
+ file:
+ path: "/home/{{ users.admin_user_name }}/openrc"
+ owner: "{{ users.admin_user_name }}"
+ group: "{{ users.admin_user_name }}"
+ state: touch
+
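Review bot: the `file` task creates `/home/{{ users.admin_user_name }}/openrc` without a `mode`, so its permissions depend on the umask of the run; set `mode: 0600` explicitly in case later plays write credentials into it. `state: touch` also updates the timestamps and reports changed on every run; `copy` with `content: ""` and `force: no` would create the file once and stay idempotent.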
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# cmframework.requires: pre_config_OS.yaml
+- hosts: caas_nodes
+ strategy: free
+ become: true
+ become_user: "{{ users.admin_user_name }}"
+ roles:
+ - pre_config_all
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Get nodes ip
+ shell: 'kubectl get no -o jsonpath="[{range .items[*]}{.metadata.name},{end}]"'
+ register: node_ips
+
+- name: helm-list
+ shell: HELM_HOST={{ caas.tiller_ip }}:{{ caas.tiller_port }} helm list --all | grep -c {{ name|lower }}
+ register: list_result
+ ignore_errors: yes
+ when: caas.chart_name is defined and caas.chart_name != ""
+
+- name: set helm install parameters
+ set_fact:
+ helm_install_set: ""
+
+- name: set helm flags parameter
+ set_fact:
+ helm_flags: ""
+
+- name: set helm flags parameter
+ set_fact:
+ helm_flags: "{{ helm_flags }} --version={{ caas.chart_version }}"
+ when: (caas.chart_version is defined) and (caas.chart_version is not none) and (caas.chart_version != "")
+
+- name: create values.yaml if needed
+ copy:
+ content: |
+ {{ caas.helm_parameters | to_nice_yaml }}
+ dest: /tmp/Values.yaml
+ owner: "{{ users.admin_user_name }}"
+ group: "{{ users.admin_user_name }}"
+ mode: 0644
+ force: yes
+ when: (caas.helm_parameters is defined) and (caas.helm_parameters is not none) and (caas.helm_parameters != "")
+
+- name: set helm flags parameters if needed
+ set_fact:
+ helm_flags: "{{ helm_flags }} --values /tmp/Values.yaml"
+ when: (caas.helm_parameters is defined) and (caas.helm_parameters is not none) and (caas.helm_parameters != "")
+
+- name: helm-install
+ shell: |
+ ansible-playbook -i /opt/openstack-ansible/inventory /opt/nokia/caas_lcm/deploy/playbook_helm_install.yml --become-user={{ users.admin_user_name }} -e "chart_name={{ caas.chart_name }} helm_flags='{{ helm_flags }}' release_name={{ name }} helm_operation_timeout={{ caas.helm_operation_timeout }} cbam=false helm_install_set='{{ helm_install_set }}'"
+ when: list_result is defined and list_result.rc == 1
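Review bot: `create values.yaml if needed` writes `caas.helm_parameters` to the fixed path `/tmp/Values.yaml` with `mode: 0644`, so every local user can read the chart values, and a predictable name in a world-writable directory can be clobbered between runs. Suggest a path from the `tempfile` module with mode 0600, removed after the install. In `helm-list` and `helm-install`, `{{ name }}`, `{{ caas.chart_name }}` and `{{ helm_flags }}` go into `shell` unquoted; pass them through the `quote` filter. The `helm list ... | grep -c` pipeline returns rc 1 both when the release is absent and when `helm list` itself fails, so a Tiller outage triggers an install attempt. `helm-install` also reads `list_result.rc`, which does not exist when `helm-list` was skipped because `caas.chart_name` is unset; guard with `list_result.rc is defined`.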
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Enable ntpd service
+ service:
+ name: ntpd
+ enabled: yes
+ become_user: "root"
+
+- name: removing docker image tar files
+ file:
+ state: absent
+ path: "{{ caas.infra_containers_directory }}"
+ become_user: "root"
+
+- name: remove ca.pem.enc
+ file:
+ state: absent
+ path: "/etc/openssl/ca.pem.enc"
+ no_log: True
+ become_user: "root"
+
+- name: remove ca-key.pem.enc
+ file:
+ state: absent
+ path: "/etc/openssl/ca-key.pem.enc"
+ no_log: True
+ become_user: "root"
+
+- name: adding acl for cloud_admin_user to read /var/log
+ acl:
+ entity: "{{ users.admin_user_name }}"
+ etype: user
+ path: "/var/log"
+ permissions: "rx"
+ recursive: yes
+ state: present
+ become_user: "root"
+ ignore_errors: yes
+ no_log: True
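Review bot: the last task, the `acl` on `/var/log`, combines `ignore_errors: yes` with `no_log: True`, so a failed ACL change is both tolerated and hidden from the run output, although nothing in the task is secret. Suggest dropping `no_log` here, keeping it on the tasks that touch key material, and replacing `ignore_errors` with a `failed_when` for the one failure that is expected. The recursive `rx` grant covers everything under `/var/log`; confirm that `users.admin_user_name` is meant to read every log stored there.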
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: copy the /etc/skel to {{ users.admin_user_name }}
+ copy:
+ src: /etc/skel/
+ dest: "/home/{{ users.admin_user_name }}"
+ group: "{{ users.admin_user_name }}"
+ owner: "{{ users.admin_user_name }}"
+ mode: 0640
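Review bot: `copy` resolves `src: /etc/skel/` on the Ansible controller unless `remote_src: yes` is set, so the home directory is filled from the controller's skeleton, not the target node's. If the node's own `/etc/skel` is intended, add `remote_src: yes`. `mode: 0640` applies to the copied files; set `directory_mode` as well if the skeleton contains directories, otherwise they get the system default.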
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: retrieve filesystem
+ shell: file -Ls {{device}} | grep "filesystem"
+ register: filesystem_tmp
+ failed_when: filesystem_tmp.rc != 0 and filesystem_tmp.rc != 1
+ become: true
+ become_user: "root"
+
+- debug:
+ msg: "Filesystem not found on device {{device}}!"
+ when: filesystem_tmp.rc == 1
+
+- name: set filesystem variable
+ set_fact:
+ filesystem: "{{ filesystem_tmp }}"
+
+- name: retrieve filesystem_type
+ shell: file -Ls "{{device}}" | awk -F" filesystem " '{print($1)}' | awk -F" " '{print($NF)}'
+ register: filesystem_type_tmp
+ when: filesystem_tmp.rc == 0
+ become: true
+ become_user: "root"
+
+- name: set filesystem type variable
+ set_fact:
+ filesystem_type: "{{ filesystem_type_tmp }}"
+ when: filesystem_tmp.rc == 0
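Review bot: `retrieve filesystem` interpolates `{{device}}` into `shell` unquoted, while `retrieve filesystem_type` wraps it in double quotes; both run as root, so use `{{ device | quote }}` in both tasks. The two `set_fact` tasks store the whole registered result (`filesystem_tmp`, `filesystem_type_tmp`) and not `.stdout`, so callers receive a dict where the names suggest a string. `filesystem_type` is left undefined when `filesystem_tmp.rc == 1`; document that or set an explicit empty value.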
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ container_images_fact_file: "/etc/ansible/facts.d/ncir_container_images.fact"
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - role: creategroup
+ _name: kube
+ _gid: "{{ caas.uid.kube }}"
+ become: true
+ become_user: "root"
+
+ - role: createuser
+ _name: kube
+ _group: kube
+ _groups: ''
+ _shell: /sbin/nologin
+ _home: /
+ _uid: "{{ caas.uid.kube }}"
+ become: true
+ become_user: "root"
+
+ - role: cert
+ instance: "docker{{ nodeindex }}"
+ cert_path: /etc/docker
+ become: true
+ become_user: "root"
+
+ - role: cert
+ cert_name: "cert.pem"
+ key_name: "key.pem"
+ instance: "docker"
+ cert_path: /etc/docker
+ alt_names:
+ ip:
+ - "{{ ansible_host }}"
+ become: true
+ become_user: "root"
+
+ - role: cert
+ instance: "client{{ nodeindex }}"
+ cert_path: /etc/docker
+ add_users:
+ - kube
+ become: true
+ become_user: "root"
+
+ - role: creategroup
+ _name: docker
+ _gid: "{{ caas.uid.docker }}"
+ become: true
+ become_user: "root"
+
+ - role: createuser
+ _name: docker
+ _group: docker
+ _groups: ''
+ _shell: /sbin/nologin
+ _home: "{{ caas.docker_directory }}"
+ _uid: "{{ caas.uid.docker }}"
+ become: true
+ become_user: "root"
+
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: template docker env files
+ template:
+ src: "{{ item }}"
+ dest: "/etc/sysconfig/{{ item }}"
+ with_items:
+ - docker-storage
+
+- name: template docker socket file
+ template:
+ src: docker.socket
+ dest: /etc/systemd/system/docker.socket
+
+- name: template docker service file
+ template:
+ src: docker.service
+ dest: /etc/systemd/system/docker.service
+
+- name: copying ca file to trusted sources
+ copy:
+ src: /etc/openssl/ca.pem
+ dest: /etc/pki/ca-trust/source/anchors/ca.pem
+ mode: 0400
+
+- name: reloading trusted certificates
+ shell: update-ca-trust
+
+- name: make env vars permanent
+ lineinfile:
+ dest: /etc/environment
+ state: present
+ line: "{{ item }}"
+ regexp: "{{ item }}"
+ with_items:
+ - "DOCKER_HOST=tcp://{{ networking.infra_internal.ip }}:2375"
+ - "DOCKER_TLS_VERIFY=1"
+ - "DOCKER_CERT_PATH=/etc/docker"
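Review bot: in `make env vars permanent`, `regexp: "{{ item }}"` uses the complete line as the pattern, so when `networking.infra_internal.ip` changes the old `DOCKER_HOST=` line no longer matches and a second entry is appended to `/etc/environment`. Loop over key/value pairs and anchor the pattern on the key, for example `^DOCKER_HOST=`. In `copying ca file to trusted sources`, `src: /etc/openssl/ca.pem` is read from the controller unless `remote_src: yes` is set; state which host is meant. `update-ca-trust` needs no shell features, so `command` is sufficient.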
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- import_tasks: configure_docker.yml
+ become_user: "root"
+
+- name: daemon reload
+ command: /usr/bin/systemctl daemon-reload
+ become_user: "root"
+
+- name: restart docker
+ service:
+ name: docker
+ state: started
+ enabled: yes
+ become_user: "root"
+
+- name: restart docker socket
+ service:
+ name: docker.socket
+ state: started
+ become_user: "root"
+
+- name: make env vars permanent
+ lineinfile:
+ dest: /etc/profile
+ state: present
+ line: "{{ item }}"
+ regexp: "{{ item }}"
+ with_items:
+ - "export DOCKER_HOST=tcp://{{ networking.infra_internal.ip }}:2375"
+ - "export DOCKER_TLS_VERIFY='1'"
+ - "export DOCKER_CERT_PATH=/etc/docker"
+ become_user: "root"
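Review bot: the tasks named `restart docker` and `restart docker socket` use `state: started`, which does nothing when the unit is already running, so a changed `docker.service` (TLS flags, listen address) is not applied until someone restarts the daemon by hand. Suggest having the template tasks in `configure_docker.yml` notify a handler that uses `state: restarted`. In the `/etc/profile` task, `regexp: "{{ item }}"` matches only an identical line, so a changed address appends a duplicate `export DOCKER_HOST=` line; anchor the pattern on the variable name.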
--- /dev/null
+{#
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+#}
+DOCKER_STORAGE_OPTIONS="--storage-driver overlay2 --storage-opt overlay2.size={{ caas.docker_size_quota }}"
--- /dev/null
+{#
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+#}
+[Unit]
+Description=Docker Application Container Engine
+Documentation=https://docs.docker.com
+After=network.target docker.socket
+Requires=docker.socket
+Before=kubelet.service
+Wants=kubelet.service
+BindsTo=containerd.service
+
+[Service]
+Slice=podruntime.slice
+MemoryAccounting=true
+CPUAccounting=true
+BlockIOAccounting=true
+TasksAccounting=true
+Type=notify
+EnvironmentFile=-/etc/sysconfig/docker-storage
+EnvironmentFile=-/etc/sysconfig/docker-proxy
+ExecStart=/usr/bin/dockerd -H fd:// \
+ -H tcp://{{ ansible_host }}:2375 \
+ --max-concurrent-downloads 10 \
+ --max-concurrent-uploads 10 \
+ --data-root {{ caas.docker_directory }} \
+ --tlsverify \
+ --tlscacert=/etc/docker/ca.pem \
+ --tlscert=/etc/docker/cert.pem \
+ --tlskey=/etc/docker/key.pem \
+ --log-driver=json-file \
+ --log-opt max-size=1g \
+ --log-opt max-file=4 \
+ --ip-forward=false \
+ --live-restore=true \
+ --bip={{ caas.docker0_cidr | default('172.17.0.1/16', true) }} \
+ --exec-opt native.cgroupdriver=cgroupfs \
+ $DOCKER_STORAGE_OPTIONS
+MountFlags=shared
+LimitNOFILE=1048576
+LimitNPROC=1048576
+LimitCORE=infinity
+TimeoutStartSec=0
+Restart=on-failure
+RestartSec=1s
+Environment=DOCKER_HOST=tcp://{{ hostname|lower }}:2375
+Environment=DOCKER_TLS_VERIFY=1
+Environment=DOCKER_CERT_PATH=/etc/docker
+
+[Install]
+WantedBy=multi-user.target
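Review bot: `ExecStart` binds the TLS API to `tcp://{{ ansible_host }}:2375`, but `Environment=DOCKER_HOST` in the same unit points at `tcp://{{ hostname|lower }}:2375`. With `DOCKER_TLS_VERIFY=1` the client checks the name it dials against the server certificate, so the hostname must be present as a SAN and must resolve to `ansible_host`; suggest using one address in both places. Port 2375 is the conventional plaintext Docker port and 2376 the TLS one, so moving to 2376 avoids operators and scanners reading this as an unauthenticated API. `LimitCORE=infinity` allows unbounded core dumps from dockerd; add a comment on why, or a cap.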
--- /dev/null
+{#
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+#}
+[Unit]
+Description=Docker Socket for the API
+PartOf=docker.service
+
+[Socket]
+ListenStream=/var/run/docker.sock
+SocketMode=0660
+SocketUser=root
+SocketGroup=docker
+
+[Install]
+WantedBy=sockets.target
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+docker_environment:
+ DOCKER_HOST: "tcp://{{ networking.infra_internal.ip }}:2375"
+ DOCKER_TLS_VERIFY: "1"
+ DOCKER_CERT_PATH: "/etc/docker"
+
+image_file_extension: .tar
+image_directory: "{{ caas.infra_containers_directory }}"
+registry: "{{ caas.registry_url }}:{{ caas.registry_port }}"
+registry_repo: "{{ caas.registry_repo }}"
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# TODO: these should be changed to use docker image module. However, the name and the tag should be stored and replaced separately in Ansible dictionary to be able to do that
+- name: import docker containers
+ shell: "/usr/bin/docker load -q -i {{ image_directory }}/{{ item }}*{{ image_file_extension }}"
+ register: loaded_containers
+ with_items: "{{ images | mandatory }}"
+ environment: "{{ docker_environment }}"
+
+- name: parse loaded images' full name
+ register: parsed_containers_full_names
+ set_fact:
+ image_full_name: "{{ item.stdout | regex_replace('Loaded image: (?P<image>[\\w\\.\\-:\\/_]+)', '\\g<image>') }}"
+ with_items:
+ "{{ loaded_containers.results }}"
+
+- name: parse loaded images' base name
+ set_fact:
+ # getting the name of image, then strip the repo path and the tag from it
+ image_base_name: "{{ item.stdout | regex_replace('Loaded image: ([\\w\\.\\:]+/)?(?P<name>[\\w\\.\\-:\\/_]+)', '\\g<name>') | regex_replace('(:[\\w\\-_\\.]+)$', '') | basename }}"
+ register: parsed_image_base_names
+ with_items:
+ "{{ loaded_containers.results }}"
+
+- name: parse loaded images' tag
+ set_fact:
+ # getting the name of image
+ image_tag: "{{ item.stdout | regex_replace('Loaded image: ([\\w\\.\\:]+/)?(?P<name>[\\w\\.\\-\\/_]+)', '\\g<name>') | regex_replace('.*:([\\w\\-_\\.]+)$', '\\1') }}"
+ register: parsed_image_tags
+ with_items:
+ "{{ loaded_containers.results }}"
+
+- name: save the parsed infra image names
+ set_fact:
+ loaded_images: "{{ parsed_containers_full_names.results | map(attribute='ansible_facts.image_full_name') | list }}"
+ loaded_base_images: "{{ parsed_image_base_names.results | map(attribute='ansible_facts.image_base_name') | list }}"
+ loaded_image_tags: "{{ parsed_image_tags.results | map(attribute='ansible_facts.image_tag') | list }}"
+
+- name: assemble new image names
+ set_fact:
+ image_name: "{{ registry }}/{{ registry_repo }}/{{ item.0 }}:{{ item.1 }}"
+ register: assembled_new_images
+ with_together:
+ - "{{ loaded_base_images }}"
+ - "{{ loaded_image_tags }}"
+
+- name: save retagged infra image names
+ set_fact:
+ retagged_images: "{{ assembled_new_images.results | map(attribute='ansible_facts.image_name') | list }}"
+
+- name: retag loaded images
+ shell: "/usr/bin/docker tag {{ item.0 }} {{ item.1 }}"
+ with_together:
+ - "{{ loaded_images }}"
+ - "{{ retagged_images }}"
+ environment: "{{ docker_environment }}"
+
+- name: delete loaded image's tag
+ shell: "/usr/bin/docker image rm {{ item }}"
+ with_items: "{{ loaded_images }}"
+ when: item not in retagged_images
+ environment: "{{ docker_environment }}"
+
+# TODO: Save container images as a dictionary
+- name: save the parsed image names
+ set_fact:
+ container_image_names: "{{ container_image_names | default([]) }} + {{ retagged_images }}"
+
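Review bot: the three `parse loaded images'` tasks assume `docker load` prints exactly one `Loaded image: name:tag` line per item. An archive with several tags prints several lines, and an untagged image prints a `Loaded image ID:` line; in both cases `regex_replace` yields strings that are not image references, and those flow unquoted into `docker tag` and `docker image rm` through `shell`. Suggest iterating over `stdout_lines`, failing on lines that do not match, and calling docker through `command`. The glob `{{ item }}*{{ image_file_extension }}` in `import docker containers` can match more than one archive, which `docker load -i` does not accept. The final `set_fact` builds `container_image_names` by joining two rendered lists with a literal ` + ` inside a string; concatenate inside one expression.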
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+docker_environment:
+ DOCKER_HOST: "tcp://{{ networking.infra_internal.ip }}:2375"
+ DOCKER_TLS_VERIFY: "1"
+ DOCKER_CERT_PATH: "/etc/docker"
+
+registry: "{{ caas.registry_url }}:{{ caas.registry_port }}"
+registry_repo: "{{ caas.registry_repo }}"
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- block:
+ - name: wait for registry endpoints
+ shell: "kubectl get endpoints registry --namespace=kube-system | grep -o ':{{ caas.registry_port }}' | wc -l"
+ register: result
+ until: result.stdout|int == groups.caas_master|length|int
+ retries: "{{ caas.container_wait_timeout }}"
+ delay: 1
+
+ - name: get registry containers ip and port
+ shell: "kubectl get endpoints registry --namespace=kube-system -o 'jsonpath={.subsets[*].addresses[*].ip}'"
+ register: registry_ep_ips
+
+ - name: wait for registry containers to start
+ wait_for:
+ host: "{{ item }}"
+ port: "{{ caas.registry_port }}"
+ state: started
+ timeout: "{{ caas.container_wait_timeout }}"
+ with_items: '{{ registry_ep_ips.stdout.split(" ") }}'
+ when: wait_for_registry | default(False)
+
+- name: get full image name
+ shell: "docker images --filter='reference={{ registry }}/{{ registry_repo }}/{{ item }}*' --format='{{ '{{.Repository}}:{{.Tag}}' }}'"
+ environment: "{{ docker_environment }}"
+ register: full_image_name
+ with_items: "{{ images }}"
+
+- name: save full image names
+ set_fact:
+ images_to_push: "{{ full_image_name.results | map(attribute='stdout') | list }}"
+
+# TODO: these should be changed to use docker image module. However, the name and the tag should be stored and replaced separately in Ansible dictionary to be able to do that
+- name: push images
+ shell: 'docker push "{{ item }}"'
+ environment: "{{ docker_environment }}"
+ with_items: "{{ images_to_push }}"
+ register: push_result
+ until: push_result.rc == 0
+ retries: 5
+ delay: 1
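Review bot: `get full image name` can return an empty string when nothing matches the `reference=` filter, or several lines when the trailing `*` matches more than one repository or tag, and `push images` then passes that value to `docker push` as one quoted argument and retries it 5 times. Suggest building `images_to_push` from `stdout_lines` and asserting that every item produced at least one reference. With `wait_for_registry | default(False)` the registry wait is skipped by default, so the push retries are the only protection against a registry that is not up yet.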
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+infra_chart_images:
+ - cpupooler
+ - custom_metrics
+ - elasticsearch
+ - metrics_server
+ - prometheus
+ - sriovdp
+ - svcwatcher
+ - netwatcher
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - role: docker_image_load
+ images: "{{ infra_chart_images }}"
+
+ - role: docker_image_push
+ images: "{{ infra_chart_images }}"
+ when: nodename | search("caas_master1")
+
+ - role: creategroup
+ _name: elasticsearch
+ _gid: "{{ caas.uid.elasticsearch }}"
+ become: true
+ become_user: "root"
+
+ - role: createuser
+ _name: elasticsearch
+ _group: elasticsearch
+ _groups: ''
+ _shell: /sbin/nologin
+ _home: /home/elasticsearch
+ _uid: "{{ caas.uid.elasticsearch }}"
+ become: true
+ become_user: "root"
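Review bot: `when: nodename | search("caas_master1")` on the `docker_image_push` dependency uses the test as a filter, a form that Ansible deprecated in 2.5 and removed in 2.9; write `nodename is search(...)`. The pattern is an unanchored substring, so it is also true for a node named `caas_master10` or higher, and the push would then run on more than one master. Compare for equality or anchor the pattern.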
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: template values.yaml in helm dir
+ template:
+ src: "{{ caas.caas_chart_path }}/values.yaml.j2"
+ dest: "{{ caas.caas_chart_path }}/values.yaml"
+
+- set_fact:
+ infra_chart_name: "caas-infra"
+
+- set_fact:
+ chart_file: "{{ lookup('file', '{{ caas.caas_chart_path}}/Chart.yaml') | from_yaml }}"
+
+- name: create chart tgz
+ shell: "tar -C {{ caas.caas_chart_path | dirname }} -cvzf {{ infra_chart_name }}-{{ chart_file.version }}.tgz {{ caas.caas_chart_path | basename }}"
+
+- name: upload individual charts to chart repo
+ shell: "curl -sS -XPOST -H 'Content-Type: application/gzip' --data-binary @{{ infra_chart_name }}-{{ chart_file.version }}.tgz {{ caas.chart_repo }}/charts/{{ infra_chart_name }}-{{ chart_file.version }}.tgz"
+
+- name: update helm repo
+ shell: HELM_HOST={{ caas.tiller_ip }}:{{ caas.tiller_port }} helm repo update
+
+- name: helm-list
+ shell: HELM_HOST={{ caas.tiller_ip }}:{{ caas.tiller_port }} helm get {{ infra_chart_name }}
+ register: crf_list_result
+ failed_when: "( crf_list_result.rc != 0 ) and ( not (crf_list_result.stderr | search('Error: release')) )"
+
+- block:
+ - name: Install infra_chart with helm
+ shell: HELM_HOST={{ caas.tiller_ip }}:{{ caas.tiller_port }} helm install --wait --timeout {{ caas.helm_operation_timeout }} --name {{ infra_chart_name }} default/{{ infra_chart_name }}
+ when: "crf_list_result is defined and ( ( crf_list_result.stderr | search('Error: release:') ) or ( crf_list_result.stdout == '' ) )"
+
+ rescue:
+ - name: Delete the crf_infra_chart
+ shell: HELM_HOST={{ caas.tiller_ip }}:{{ caas.tiller_port }} helm delete --purge {{ infra_chart_name }}
+
+ - name: fail the current playbook run, because helm install failed
+ fail:
+ msg: "ERROR: helm install {{ infra_chart_name }} failed"
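Review bot: `upload individual charts to chart repo` runs `curl -sS -XPOST` without `--fail`, so an HTTP 4xx or 5xx from `{{ caas.chart_repo }}` still exits 0 and the play continues to `helm repo update` and an install from a repository that may hold an older chart. Add `--fail`, or use the `uri` module with `status_code`. No credentials or CA options are passed, so confirm the chart repository is meant to accept unauthenticated writes on this network. `create chart tgz` writes the archive to the task's working directory; give it an explicit path. `failed_when` matches `Error: release` while the install condition matches `Error: release:`; use one pattern, and the `is search` test form.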
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: create the manifest directory
+ file:
+ path: "{{ caas.manifests_directory }}"
+ state: directory
+ recurse: yes
+ become: true
+ become_user: root
+
+- name: allowing users.admin_user_name to access docker directory infra
+ acl:
+ name: "{{ caas.manifests_directory }}"
+ entity: "{{ users.admin_user_name }}"
+ etype: user
+ permissions: rwx
+ state: present
+ become: true
+ become_user: root
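Review bot: the `acl` task is named for the docker directory but grants `rwx` on `{{ caas.manifests_directory }}`; rename it to match. If this directory holds manifests that the kubelet runs as static pods, write access for `users.admin_user_name` amounts to root on the node, so confirm that `rwx` is required and not just `rx`. The directory task sets `recurse: yes` without `owner`, `group` or `mode`; set them explicitly.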
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ - name: decrypt ca and ca-key
+ command: "{{ item }}"
+ with_items:
+ - "/usr/bin/openssl enc -d -aes-256-cbc -a -in ca-key.pem.enc -pass pass:{{ caas.salt }} -out ca-key.pem"
+ - "/usr/bin/openssl enc -d -aes-256-cbc -a -in ca.pem.enc -pass pass:{{ caas.salt }} -out ca.pem"
+ args:
+ chdir: "/etc/openssl"
+ no_log: True
+
+ - name: chmod 555 ca.pem
+ file:
+ path: /etc/openssl/ca.pem
+ mode: 0555 # Certs are public. And read by other parties indeed: swift and kubernetes
+ no_log: True
+
+ - name: chmod 000 ca-key.pem
+ file:
+ path: /etc/openssl/ca-key.pem
+ mode: 0000 # Used only when signing cert by root.
+ no_log: True
+
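Review bot: both `openssl enc -d` commands pass the passphrase as `-pass pass:{{ caas.salt }}`, which places it in the process argument list where any local user can read it from `ps` or `/proc` while the command runs; `no_log: True` only keeps it out of Ansible's output. Suggest `-pass env:NAME` with the value supplied through the task's `environment:`, or `-pass file:` on a 0600 file. `ca-key.pem` is created with the default umask and only tightened by the later `chmod 000` task, so create the output file with a restrictive mode before decrypting. `mode: 0555` on `ca.pem` sets execute bits that a certificate does not need; 0444 is enough.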
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: template resolv.conf
+ template:
+ src: resolv.conf
+ dest: /etc/resolv.conf
+
+- name: insert host shortcuts
+ lineinfile:
+ path: /etc/hosts
+ line: '\1 {{ caas.apiserver_in_hosts }}\2'
+ regexp: '(.*){{ item }}(.*)'
+ backrefs: yes
+ register: result
+ with_items:
+ "{{ groups.caas_master }}"
+
+
+- name: template host shortcuts if needed
+ template:
+ src: hosts
+ dest: /etc/hosts
+ mode: 0644
+ when: not result.changed
+
+
+- import_tasks: load_cacert.yml
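Review bot: in `insert host shortcuts` the replacement `'\1 {{ caas.apiserver_in_hosts }}\2'` leaves out `{{ item }}`, so the matched host name is removed from the `/etc/hosts` line and replaced by the alias, where the task name suggests the alias should be added next to it. The pattern `(.*){{ item }}(.*)` is unanchored, so an item that is a prefix of another host name matches that host's line as well. Suggest capturing the host name inside the first group with whitespace boundaries, and skipping lines that already contain the alias so reruns stay idempotent. `when: not result.changed` then rewrites the whole of `/etc/hosts` from the template whenever no line matched, which discards entries added by other tooling; add `backup: yes` or document that this file is fully managed.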
--- /dev/null
+{#
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+#}
+127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
+
+{{ ansible_host }} {{ hostname|lower }}
+
+{% for host in groups['caas_master']%}
+{{ hostvars[host]['networking']['infra_internal']['ip'] }} controller-{{loop.index}} {{ caas.apiserver_in_hosts }}
+{% endfor %}
--- /dev/null
+{#
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+#}
+# Generated by Ansible
+{% for host in groups['caas_master']%}
+nameserver {{ hostvars[host]['networking']['infra_internal']['ip'] }}
+{% endfor %}
+{% if groups['caas_master']|length|int > 1 %}
+options rotate
+{% endif%}
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: create nokia directory
+ file:
+ path: /usr/libexec/nokia/tmp
+ state: directory
+ mode: 0700
+ become: true
+ become_user: "root"
+
+- name: create the /etc/openssl directory
+ file:
+ path: "/etc/openssl"
+ state: directory
+ become: true
+ become_user: "root"
+ no_log: True
+
+- name: create /var/lib/docker directory
+ file:
+ path: "/var/lib/docker"
+ state: directory
+ become: true
+ become_user: "root"
+
+- name: create /srv/node/swift directory
+ file:
+ path: "/srv/node/swift"
+ state: directory
+ become_user: "root"
+
+- name: template enc file1
+ copy:
+ content: "{{ caas.encrypted_ca[0] | replace(' ', '\n')}}"
+ dest: /etc/openssl/ca.pem.enc
+ become_user: "root"
+ no_log: True
+
+- name: template enc file2
+ copy:
+ content: "{{ caas.encrypted_ca_key[0] | replace(' ', '\n')}}"
+ dest: /etc/openssl/ca-key.pem.enc
+ become_user: "root"
+ no_log: True
+
+- name: template podruntime slice file
+ template:
+ src: podruntime.slice
+ dest: /usr/lib/systemd/system/podruntime.slice
+ become_user: "root"
+
+- name: adding acl for cloud_admin_user for /usr/bin/helm
+ acl:
+ entity: "{{ users.admin_user_name }}"
+ etype: user
+ path: "/usr/bin/helm"
+ permissions: "rx"
+ recursive: yes
+ state: present
+ become_user: "root"
+
+- name: adding acl for cloud_admin_user for /usr/bin/kubectl
+ acl:
+ entity: "{{ users.admin_user_name }}"
+ etype: user
+ path: "/usr/bin/kubectl"
+ permissions: "rx"
+ recursive: yes
+ state: present
+ become_user: "root"
+
+- name: adding acl for cloud_admin_user for /usr/libexec/nokia/merge_image.sh
+ acl:
+ entity: "{{ users.admin_user_name }}"
+ etype: user
+ path: "/usr/libexec/nokia/merge_image.sh"
+ permissions: "rx"
+ recursive: yes
+ state: present
+ become_user: "root"
+
+- name: adding acl for cloud_admin_user to read /var/log
+ acl:
+ entity: "{{ users.admin_user_name }}"
+ etype: user
+ path: "/var/log"
+ permissions: "rx"
+ recursive: yes
+ state: present
+ become_user: "root"
+
+- name: adding default for cloud_admin_user, /var/log
+ acl:
+ default: yes
+ entity: "{{ users.admin_user_name }}"
+ etype: user
+ path: "/var/log"
+ permissions: "rx"
+ recursive: yes
+ state: present
+ become_user: "root"
+
+- name: adding acl for cloud_admin_user to access caas_chart_path
+ acl:
+ entity: "{{ users.admin_user_name }}"
+ etype: user
+ path: "{{ caas.caas_chart_path }}"
+ permissions: "rwx"
+ recursive: yes
+ state: present
+ become_user: "root"
+
+- name: adding default for cloud_admin_user to access caas_chart_path
+ acl:
+ default: yes
+ entity: "{{ users.admin_user_name }}"
+ etype: user
+ path: "{{ caas.caas_chart_path }}"
+ permissions: "rwx"
+ recursive: yes
+ state: present
+ become_user: "root"
+
+- name: modify the kernel parameters for elasticsearch
+ shell: 'sysctl -w vm.max_map_count=262144'
+ when: nodetype | search('caas_master')
+ become_user: "root"
+
+- name: create /var/log/elasticsearch directory
+ file:
+ path: /var/log/elasticsearch
+ recurse: yes
+ owner: "{{ caas.uid.elasticsearch }}"
+ group: "{{ caas.uid.elasticsearch }}"
+ state: directory
+ become_user: "root"
+ when: (nodetype is defined) and (nodetype | search('caas_master'))
+
+- name: update bash-completion for kubernetes
+ shell: "kubectl completion bash > /etc/bash_completion.d/kubectl-bash"
+ become: true
+ become_user: "root"
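Review bot: From "create /srv/node/swift directory" down to "create /var/log/elasticsearch directory", the tasks set become_user: "root" without become: true, so unless the play enables become they run as the connecting user and the writes to /etc/openssl, /usr/lib/systemd/system and the acl changes depend on that user's rights. Add become: true to each task, or wrap them in one block that sets it. The /etc/openssl directory and ca-key.pem.enc are created without mode or owner and inherit umask defaults; set an explicit restrictive mode on both. The two /var/log acl tasks give the admin user recursive rx plus a default ACL over every log on the host, which is wider than a grant on the specific directories needed. "sysctl -w vm.max_map_count=262144" through shell is not idempotent and does not survive a reboot; the sysctl module handles both. The first "when: nodetype | search('caas_master')" also lacks the "nodetype is defined" guard that the later task has.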
--- /dev/null
+{#
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+#}
+[Unit]
+Description=Limited resources slice for Kubernetes services
+Documentation=man:systemd.special(7)
+DefaultDependencies=no
+Before=slices.target
+Requires=-.slice
+After=-.slice
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - role: cert
+ instance: "cpuwebhook"
+ cert_name: "cpuwebhook.crt"
+ key_name: "cpuwebhook.key"
+ cert_path: /etc/kubernetes/ssl
+ alt_names:
+ dns:
+ - "cpu-dev-pod-mutator-svc.kube-system.svc.nokia.net"
+ - "cpu-dev-pod-mutator-svc.kube-system.svc"
+ become: true
+ become_user: "root"
+
+ - role: cert
+ instance: "prometheus"
+ cert_name: "prometheus.crt"
+ key_name: "prometheus.key"
+ common_name: "prometheus"
+ cert_path: /etc/kubernetes/ssl
+ alt_names:
+ dns:
+ - "{{ caas.prometheus_url }}"
+ become: true
+ become_user: "root"
+
+ - role: cert
+ instance: "metrics-server"
+ cert_name: "metrics-server.crt"
+ key_name: "metrics-server.key"
+ common_name: "metrics-server"
+ cert_path: /etc/metrics-server/ssl
+ alt_names:
+ dns:
+ - metrics-server.kube-system.svc.nokia.net
+ - metrics-server.kube-system.svc
+ become: true
+ become_user: "root"
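Review bot: The cpuwebhook entry is the only cert dependency without common_name; the prometheus and metrics-server entries both set one. Unless the cert role supplies a default, set it explicitly so the subject is predictable. Separately, no entry here produces metrics.crt or metrics.key, yet later tasks in this change read both from /etc/kubernetes/ssl; either add that instance here or note which role creates those files. The metrics-server entry also writes to /etc/metrics-server/ssl while the others use /etc/kubernetes/ssl, so a short comment on why would help.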
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ - name: prepare cpupooler
+ import_tasks: prepare_cpupooler.yaml
+
+ - name: prepare metrics
+ import_tasks: prepare_metrics.yaml
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: get ca bundle
+ shell: "cat /etc/openssl/ca.pem | base64 | tr -d '\n'"
+ register: temp_webhook_ca_bundle
+ become_user: "root"
+ no_log: true
+
+- name: set cpu_ca_bundle
+ set_fact:
+ webhooks_ca: "{{ temp_webhook_ca_bundle.stdout }}"
+ no_log: true
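Review bot: "get ca bundle" sets become_user: "root" without become: true, so no escalation is requested at task level and the read depends on the play default. The cat | base64 | tr pipeline also reports changed on every run; the slurp module returns the file content already base64-encoded and needs no shell. Minor: the second task is named "set cpu_ca_bundle" but the fact it sets is webhooks_ca, so align the name with the variable.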
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: read metrics cert as base64 string
+ shell: "cat /etc/kubernetes/ssl/metrics.crt | base64 -w 0"
+ register: metrics_cert_content
+
+- name: read metrics cert key as base64 string
+ shell: "cat /etc/kubernetes/ssl/metrics.key | base64 -w 0"
+ register: metrics_cert_key_content
+
+- name: set b64 metrics cert variable
+ set_fact:
+ metrics_cert_b64: "{{ metrics_cert_content.stdout }}"
+ metrics_cert_key_b64: "{{ metrics_cert_key_content.stdout }}"
+
+- name: read prometheus cert as base64 string
+ shell: "cat /etc/kubernetes/ssl/prometheus.crt | base64 -w 0"
+ register: prometheus_cert_content
+ become_user: "root"
+
+- name: read prometheus cert key as base64 string
+ shell: "cat /etc/kubernetes/ssl/prometheus.key | base64 -w 0"
+ register: prometheus_cert_key_content
+ become_user: "root"
+
+- name: set b64 prometheus cert variable
+ set_fact:
+ prometheus_cert_b64: "{{ prometheus_cert_content.stdout }}"
+ prometheus_cert_key_b64: "{{ prometheus_cert_key_content.stdout }}"
+
+- name: remove prometheus key and cert
+ file: path='{{ item }}' state=absent
+ with_items:
+ - /etc/kubernetes/ssl/prometheus.key
+ - /etc/kubernetes/ssl/prometheus.crt
+ become_user: "root"
+
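Review bot: The tasks that read metrics.key and prometheus.key register the base64 of a private key without no_log: true, so the key material appears in task results at higher verbosity and in any callback or log that records them; the CA certificate read in the cpupooler tasks is protected with no_log while these keys are not. Add no_log: true to the four read tasks and to both set_fact tasks. The metrics reads also omit become_user although the prometheus reads have it, and only the prometheus key and cert are removed from disk afterwards; state whether metrics.key is meant to remain in /etc/kubernetes/ssl.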
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+salt: malaise68Adroitness44Gradate45Probe41Settle46Newsweek93restrict8Thirsty35abused9Pluperfect
+max_login_time: 30
+max_parallel_session: 15
+ansible_success: 'Ansible deploy END success'
+docker_directory: /var/lib/docker
+cert_directory: /etc/docker
+caas_base_directory: "/var/lib/caas"
+infra_containers_directory: "{{ caas_base_directory }}/images"
+manifests_directory: "{{ caas_base_directory }}/manifests"
+registry_directory: /var/lib/registry
+apiserver_in_hosts: apiserver.nokia.net
+etcd_api_port: 4111
+etcd_peer_port: 4112
+kubernetes_component_label: ncrf-image
+swift_url: swift.kube-system.svc.nokia.net
+swift_port: 8084
+swift: https://{{ swift_url }}:{{ swift_port }}
+swift_update_url: swift-update.kube-system.svc.nokia.net
+swift_memcached_port: 11222
+update_swift_port: 8091
+swift_update: https://{{ swift_update_url }}:{{ update_swift_port }}
+chart_repo_ip: 10.254.210.229
+chart_repo_url: chart-repo.kube-system.svc.nokia.net
+chart_repo_port: 8088
+chart_repo: https://{{ chart_repo_url }}:{{ chart_repo_port }}
+tiller_ip: 10.254.165.237
+tiller_url: tiller.kube-system.svc.nokia.net
+tiller_port: 44134
+tiller: https://{{ tiller_url }}:{{ tiller_port }}
+registry_url: registry.kube-system.svc.nokia.net
+registry_port: 5555
+registry: https://{{ registry_url }}:{{ registry_port }}
+registry_repo: "caas"
+update_registry_url: registry-update.kube-system.svc.nokia.net
+update_registry_port: 5556
+update_registry: https://{{ update_registry_url }}:{{ update_registry_port }}
+elasticsearch_url: elasticsearch-logging.kube-system.svc.nokia.net
+elasticsearch_port: 9200
+elasticsearch_memory_request: 1Gi
+elasticsearch_memory_limit: 2Gi
+elasticsearch_java_heap_request: 800m
+elasticsearch_java_heap_max: 800m
+elasticsearch_port_for_cluster_communication: 9300
+elasticsearch: https://{{ elasticsearch_url }}:{{ elasticsearch_port }}
+internal_flannel_interface: eth0
+container_wait_timeout: 120
+ldap_master_url: master.infraldap-server.nokia.net
+ldap_slave_url: infraldap-server-slave.kube-system.svc.nokia.net
+apiserver_secure_port: 6443
+apiserver_svc_port: 443
+default_partition_size: 16
+danmnet_default_name: flannel
+danmnet_default_namespace: kube-system
+danmnet_default_network_id: flannel
+danmnet_default_network_type: flannel
+caas_chart_path: "{{ caas_base_directory }}/infra-charts"
+caas_policy_directory: "{{ caas_base_directory }}/policies"
+kubernetes_service_url: kubernetes.default.svc
+prometheus_port: 9090
+prometheus_url: prometheus.kube-system.svc.nokia.net
+prometheus: https://{{ prometheus_url }}:{{ prometheus_port }}
+custom_metrics_api_port: 6443
+custom_metrics_api_serviceport: 443
+metrics_server_port: 443
+token_filename: token
+tokenscsv_filename: tokens.csv
+cert_path: /etc/kubernetes/ssl
+_secrets_conf: secrets.conf
+kubernetes_secret_users: kube
+service_cluster_ip_cidr: "10.254.0.0/16"
+apiserver_svc_ip: "10.254.0.1"
+dns_svc_ip: "10.254.0.254"
+apiserver_service_name: "kubernetes.default.svc.nokia.net"
+rbac_manifests_directory: "{{ caas_base_directory }}/rbac_manifests"
+webhook_port: 443
+root_partition: "/dev/vda"
+uid:
+ docker: 142
+ caas_etcd: 143
+ kube: 144
+ kubedns: 145
+ swift: 146
+ danm: 147
+ dockerreg: 149
+ chartrepo: 150
+ elasticsearch: 202
+ flannel: 666
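Review bot: salt: is a fixed literal committed in the role defaults, so every deployment built from this repository shares the same value and anyone who can read the source knows it. Generate it per deployment or take it from the user configuration or a vault, and keep only the variable name here. chart_repo_ip and tiller_ip are also hard-coded addresses inside service_cluster_ip_cidr; changing the CIDR silently invalidates them, so derive them from it or comment the coupling.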
--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: caas-infra
+version: 1.0.0
+description: CaaS infra package
+maintainers:
+ - name: Balint Varga
+ email: balint.varga@nokia.com
+
--- /dev/null
+{{/*
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{ if .Values.custom_metrics_api.required }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cm-adapter-serving-certs
+ namespace: kube-system
+data:
+ metrics.crt: {{ .Values.custom_metrics_api.server_cert }}
+ metrics.key: {{ .Values.custom_metrics_api.server_key }}
+{{ end }}
--- /dev/null
+{{/*
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{ if .Values.cpupooler.required }}
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: cpu-device-plugin
+ namespace: kube-system
+ labels:
+ {{ .Values.kubernetes_component_label }}: cpu-device-plugin
+spec:
+ selector:
+ matchLabels:
+ {{ .Values.kubernetes_component_label }}: cpu-device-plugin
+ template:
+ metadata:
+ annotations:
+ danm.k8s.io/interfaces: |
+ [
+ {
+ "network":"flannel"
+ }
+ ]
+ labels:
+ {{ .Values.kubernetes_component_label }}: cpu-device-plugin
+ spec:
+ containers:
+ - name: cpu-device-plugin
+ image: {{ .Values.registry_url }}/{{ .Values.registry_reponame }}/cpupooler:{{ .Values.cpupooler.container_version }}
+ imagePullPolicy: IfNotPresent
+ command: [ "/cpu-device-plugin", "-logtostderr" ]
+ volumeMounts:
+ - mountPath: /etc/cpu-pooler
+ name: cpu-pooler-config
+ - mountPath: /var/lib/kubelet/device-plugins/
+ name: devicesock
+ readOnly: false
+ env:
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ volumes:
+ - name: devicesock
+ hostPath:
+ # directory location on host
+ path: /var/lib/kubelet/device-plugins/
+ - name: cpu-pooler-config
+ configMap:
+ name: cpu-pooler-configmap
+ serviceAccountName: cpu-device-plugin
+{{ end }}
--- /dev/null
+{{/*
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{ if .Values.cpupooler.required }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: cpu-pooler-configmap
+ namespace: kube-system
+data:
+{{ range $hostname, $poolconfig := .Values.cpupooler.cpu_poolconfigs }}
+ poolconfig-{{ $hostname }}.yaml: |
+{{ $poolconfig | toYaml | indent 4 }}
+{{- end }}
+{{ end }}
--- /dev/null
+{{/*
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{ if .Values.cpupooler.required }}
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: cpu-setter
+ namespace: kube-system
+ labels:
+ {{ .Values.kubernetes_component_label }}: cpu-setter
+spec:
+ selector:
+ matchLabels:
+ {{ .Values.kubernetes_component_label }}: cpu-setter
+ template:
+ metadata:
+ annotations:
+ danm.k8s.io/interfaces: |
+ [
+ {
+ "network":"flannel"
+ }
+ ]
+ labels:
+ {{ .Values.kubernetes_component_label }}: cpu-setter
+ spec:
+ containers:
+ - name: cpu-device-plugin
+ image: {{ .Values.registry_url }}/{{ .Values.registry_reponame }}/cpupooler:{{ .Values.cpupooler.container_version }}
+ imagePullPolicy: IfNotPresent
+ command: [ "/cpu-setter", "--poolconfigs=/etc/cpu-pooler", "--cpusetroot=/sys/fs/cgroup/cpuset/kubepods/" ]
+ volumeMounts:
+ - mountPath: /etc/cpu-pooler
+ name: cpu-pooler-config
+ - mountPath: /var/lib/kubelet/device-plugins/kubelet_internal_checkpoint
+ name: checkpointfile
+ readOnly: false
+ env:
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ volumes:
+ - name: checkpointfile
+ hostPath:
+ path: /var/lib/kubelet/device-plugins/kubelet_internal_checkpoint
+ - name: cpu-pooler-config
+ configMap:
+ name: cpu-pooler-configmap
+ serviceAccountName: cpu-setter
+{{ end }}
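Review bot: The container in the cpu-setter DaemonSet is still named cpu-device-plugin, which looks like a copy-paste leftover and makes logs and kubectl output ambiguous; rename it to cpu-setter. The command passes --cpusetroot=/sys/fs/cgroup/cpuset/kubepods/ but the pod spec mounts no volume for that path, so please confirm the process can actually reach the host cpuset hierarchy. The checkpointfile hostPath points at a single file with no type:, so if the file is absent when the pod starts a directory may be created in its place; type: File would make that fail fast. readOnly: false on that mount is the default and can be dropped, or set to true if the setter only reads the checkpoint.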
--- /dev/null
+{{/*
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{ if .Values.custom_metrics_api.required }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: adapter-config
+ namespace: kube-system
+data:
+ config.yaml: |
+ rules:
+ - seriesQuery: '{__name__=~"^container_.*",container_name!="POD",namespace!="",pod_name!=""}'
+ seriesFilters: []
+ resources:
+ overrides:
+ namespace:
+ resource: namespace
+ pod_name:
+ resource: pod
+ name:
+ matches: ^container_(.*)_seconds_total$
+ as: ""
+ metricsQuery: sum(rate(<<.Series>>{<<.LabelMatchers>>,container_name!="POD"}[5m]))
+ by (<<.GroupBy>>)
+ - seriesQuery: '{__name__=~"^container_.*",container_name!="POD",namespace!="",pod_name!=""}'
+ seriesFilters:
+ - isNot: ^container_.*_seconds_total$
+ resources:
+ overrides:
+ namespace:
+ resource: namespace
+ pod_name:
+ resource: pod
+ name:
+ matches: ^container_(.*)_total$
+ as: ""
+ metricsQuery: sum(rate(<<.Series>>{<<.LabelMatchers>>,container_name!="POD"}[5m]))
+ by (<<.GroupBy>>)
+ - seriesQuery: '{__name__=~"^container_.*",container_name!="POD",namespace!="",pod_name!=""}'
+ seriesFilters:
+ - isNot: ^container_.*_total$
+ resources:
+ overrides:
+ namespace:
+ resource: namespace
+ pod_name:
+ resource: pod
+ name:
+ matches: ^container_(.*)$
+ as: ""
+ metricsQuery: sum(<<.Series>>{<<.LabelMatchers>>,container_name!="POD"}) by (<<.GroupBy>>)
+ - seriesQuery: '{namespace!="",__name__!~"^container_.*"}'
+ seriesFilters:
+ - isNot: .*_total$
+ resources:
+ template: <<.Resource>>
+ name:
+ matches: ""
+ as: ""
+ metricsQuery: sum(<<.Series>>{<<.LabelMatchers>>}) by (<<.GroupBy>>)
+ - seriesQuery: '{namespace!="",__name__!~"^container_.*"}'
+ seriesFilters:
+ - isNot: .*_seconds_total
+ resources:
+ template: <<.Resource>>
+ name:
+ matches: ^(.*)_total$
+ as: ""
+ metricsQuery: sum(rate(<<.Series>>{<<.LabelMatchers>>}[5m])) by (<<.GroupBy>>)
+ - seriesQuery: '{namespace!="",__name__!~"^container_.*"}'
+ seriesFilters: []
+ resources:
+ template: <<.Resource>>
+ name:
+ matches: ^(.*)_seconds_total$
+ as: ""
+ metricsQuery: sum(rate(<<.Series>>{<<.LabelMatchers>>}[5m])) by (<<.GroupBy>>)
+{{ end }}
--- /dev/null
+{{/*
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{ if .Values.custom_metrics_api.required }}
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ labels:
+ {{ .Values.kubernetes_component_label }}: custom-metrics-apiserver
+ name: custom-metrics-apiserver
+ namespace: kube-system
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ {{ .Values.kubernetes_component_label }}: custom-metrics-apiserver
+ template:
+ metadata:
+ labels:
+ {{ .Values.kubernetes_component_label }}: custom-metrics-apiserver
+ name: custom-metrics-apiserver
+ annotations:
+ danm.k8s.io/interfaces: |
+ [
+ {
+ "network":"flannel"
+ }
+ ]
+ spec:
+ nodeSelector:
+ nodetype: caas_master
+ serviceAccountName: custom-metrics-apiserver
+ containers:
+ - name: custom-metrics-apiserver
+ image: {{ .Values.registry_url }}/{{ .Values.registry_reponame }}/custom_metrics:{{ .Values.custom_metrics_api.container_version }}
+ args:
+ - /adapter
+ - --secure-port={{ .Values.custom_metrics_api.port }}
+ - --tls-cert-file=/var/run/serving-cert/metrics.crt
+ - --tls-private-key-file=/var/run/serving-cert/metrics.key
+ - --logtostderr=true
+ - --prometheus-url={{ .Values.prometheus.prometheus_url }}
+ - --metrics-relist-interval=30s
+ - --discovery-interval=5m
+ - --v=1
+ - --config=/etc/adapter/config.yaml
+ ports:
+ - containerPort: {{ .Values.custom_metrics_api.port }}
+ volumeMounts:
+ - mountPath: /var/run/serving-cert
+ name: volume-serving-cert
+ readOnly: true
+ - name: secrets
+ mountPath: /etc/kubernetes/ssl
+ readOnly: true
+ - name: secret-root-ca
+ mountPath: /etc/ssl/certs/ca.pem
+ readOnly: true
+ - name: auth
+ mountPath: /config
+ readOnly: true
+ - mountPath: /etc/adapter/
+ name: config
+ readOnly: true
+ volumes:
+ - name: volume-serving-cert
+ secret:
+ secretName: cm-adapter-serving-certs
+ - name: secrets
+ hostPath:
+ path: /etc/kubernetes/ssl
+ - name: secret-root-ca
+ hostPath:
+ path: /etc/openssl/ca.pem
+ - name: auth
+ hostPath:
+ path: /etc/kubernetes/kubeconfig
+ - name: config
+ configMap:
+ name: adapter-config
+{{ end }}
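Review bot: The secrets and auth volumes bind the host's /etc/kubernetes/ssl and /etc/kubernetes/kubeconfig into the adapter container, yet none of the args reference /etc/kubernetes/ssl or /config; the serving cert comes from the cm-adapter-serving-certs Secret. Mounting the whole host certificate directory exposes every key stored there to this pod, so drop the mounts that are not needed or narrow them to the specific files. This Deployment also uses extensions/v1beta1 while the DaemonSets in the same chart use apps/v1; use apps/v1 here as well. No resource requests or limits are set on the container.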
--- /dev/null
+{{/*
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{ if .Values.custom_metrics_api.required }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: custom-metrics-apiserver
+ namespace: kube-system
+spec:
+ ports:
+ - port: {{ .Values.custom_metrics_api.serviceport }}
+ targetPort: {{ .Values.custom_metrics_api.port }}
+ selector:
+ {{ .Values.kubernetes_component_label }}: custom-metrics-apiserver
+{{ end }}
--- /dev/null
+{{/*
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{ if .Values.custom_metrics_api.required }}
+---
+apiVersion: apiregistration.k8s.io/v1beta1
+kind: APIService
+metadata:
+ name: v1beta1.custom.metrics.k8s.io
+spec:
+ service:
+ name: custom-metrics-apiserver
+ namespace: kube-system
+ group: custom.metrics.k8s.io
+ version: v1beta1
+ insecureSkipTLSVerify: true
+ groupPriorityMinimum: 100
+ versionPriority: 100
+{{ end }}
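Review bot: insecureSkipTLSVerify: true turns off verification of the custom-metrics-apiserver serving certificate for the aggregated API, even though this change already issues a serving cert for the adapter and builds a base64 CA bundle (webhooks_ca). Set caBundle to that CA and remove insecureSkipTLSVerify so the API server authenticates the backend it proxies requests to.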
--- /dev/null
+{{/*
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{ if .Values.elasticsearch.required }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: elasticsearch
+ namespace: kube-system
+ labels:
+ app: elasticsearch
+data:
+ elasticsearch.yml: |-
+ cluster.name: {{ .Values.elasticsearch.cluster.name }}
+
+ node.data: ${NODE_DATA:true}
+ node.master: ${NODE_MASTER:true}
+ node.ingest: ${NODE_INGEST:true}
+ node.name: ${HOSTNAME}
+
+ network.host: 0.0.0.0
+ bootstrap.memory_lock: ${BOOTSTRAP_MEMORY_LOCK:false}
+
+ discovery:
+ zen:
+ ping.unicast.hosts: ${DISCOVERY_SERVICE:}
+ minimum_master_nodes: ${MINIMUM_MASTER_NODES:2}
+
+ processors: ${PROCESSORS:}
+
+ # avoid split-brain w/ a minimum consensus of 3 masters plus 3 data nodes
+ gateway.expected_master_nodes: ${EXPECTED_MASTER_NODES:3}
+ gateway.expected_data_nodes: ${EXPECTED_DATA_NODES:3}
+ gateway.recover_after_time: ${RECOVER_AFTER_TIME:5m}
+ gateway.recover_after_master_nodes: ${RECOVER_AFTER_MASTER_NODES:3}
+ gateway.recover_after_data_nodes: ${RECOVER_AFTER_DATA_NODES:3}
+
+ log4j2.properties: |-
+ status = error
+ appender.console.type = Console
+ appender.console.name = console
+ appender.console.layout.type = PatternLayout
+ appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %marker%m%n
+ rootLogger.level = info
+ rootLogger.appenderRef.console.ref = console
+ logger.searchguard.name = com.floragunn
+ logger.searchguard.level = info
+
+ supervisord.conf: |
+ [unix_http_server]
+ file=/run/supervisord.sock ; (the path to the socket file)
+ chmod = 0770
+ chown = root:root
+ username = dummy
+ password = dummy
+
+ ;[inet_http_server] ; inet (TCP) server disabled by default
+
+ [supervisord]
+ user=root
+ logfile=/dev/null
+ logfile_maxbytes=0
+ loglevel=info
+ pidfile=/var/run/supervisor/supervisord.pid
+ nodaemon=true
+ minfds=1024
+ minprocs=200
+
+ [supervisorctl]
+ serverurl=unix:///run/supervisord.sock
+ username = dummy
+ password = dummy
+
+ [rpcinterface:supervisor]
+ supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
+
+ [program:elasticsearch]
+ command=/usr/share/elasticsearch/bin/elasticsearch
+ user= {{ .Values.elasticsearch.es_uid }}
+ startsecs=3
+ startretries=1
+ stopwaitsecs = 3
+ priority = 1
+ redirect_stderr=true
+ stdout_logfile=/dev/stdout
+ stdout_logfile_maxbytes=0
+
+ [program:crond]
+ command=/usr/sbin/crond -n -s
+ startsecs=3
+ startretries=1
+ stopwaitsecs = 3
+ priority = 2
+ redirect_stderr=true
+ stdout_logfile=/dev/stdout
+ stdout_logfile_maxbytes=0
+
+ [program:setindex]
+ command=/usr/share/elasticsearch/elasticsearch-setindex
+ startsecs=3
+ startretries=1
+ stopwaitsecs = 3
+ priority = 2
+ redirect_stderr=true
+ stdout_logfile=/dev/stdout
+ stdout_logfile_maxbytes=0
+
+ elasticsearch-logrotate: |
+ #!/bin/bash
+ # Copyright 2019 Nokia
+ #
+ # Licensed under the Apache License, Version 2.0 (the "License");
+ # you may not use this file except in compliance with the License.
+ # You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+
+ FS_LIMIT=80
+
+ declare -i pcent=100
+
+
+ while [ $pcent -ge $FS_LIMIT ]
+ do
+ pcent=`df --output=pcent /usr/share/elasticsearch/data | tail -n1 | tr -d '%'`
+ if [ $pcent -le $FS_LIMIT ]; then exit; fi
+ oldest=`curl -s -XGET 'localhost:9200/_cat/indices' | cut -d' ' -f3 | grep ^logstash | sort | head -n1`
+ curl -XDELETE "localhost:9200/$oldest" >/dev/null
+ done
+{{ end }}
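Review bot: In elasticsearch-logrotate, if no index name starts with logstash the oldest variable is empty, so the script issues curl -XDELETE "localhost:9200/" and the while loop keeps spinning for as long as usage stays above FS_LIMIT; exit when $oldest is empty and check the curl exit status. In elasticsearch.yml the comment speaks of a minimum consensus of 3 masters but minimum_master_nodes defaults to 2; align the comment or the default. network.host: 0.0.0.0 combined with the plain-HTTP localhost:9200 calls suggests the REST port is reachable unauthenticated on all interfaces, so say what restricts access to it. In supervisord.conf the username and password are both "dummy"; the socket's chmod 0770 and root:root ownership are the real control, so drop the credentials or explain why they are required.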
--- /dev/null
+{{/*
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{ if .Values.elasticsearch.required }}
+---
+apiVersion: apps/v1beta1
+kind: StatefulSet
+metadata:
+ labels:
+ app: elasticsearch-data
+ component: "{{ .Values.elasticsearch.data.name }}"
+ name: elasticsearch-data
+ namespace: kube-system
+spec:
+ serviceName: elasticsearch-data
+ replicas: {{ .Values.elasticsearch.data.replicas }}
+ template:
+ metadata:
+ labels:
+ app: elasticsearch-data
+ component: "{{ .Values.elasticsearch.data.name }}"
+ annotations:
+ danm.k8s.io/interfaces: |
+ [
+ {
+ "network":"flannel"
+ }
+ ]
+ spec:
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - topologyKey: "kubernetes.io/hostname"
+ labelSelector:
+ matchLabels:
+ app: elasticsearch-data
+ component: "{{ .Values.elasticsearch.data.name }}"
+ nodeSelector:
+ nodetype: caas_master
+ containers:
+ - name: elasticsearch-data
+ env:
+ - name: NODE_MASTER
+ value: "false"
+ - name: DISCOVERY_SERVICE
+ value: elasticsearch-data.kube-system.svc.nokia.net
+ - name: PROCESSORS
+ valueFrom:
+ resourceFieldRef:
+ resource: limits.cpu
+ - name: ES_JAVA_OPTS
+ value: "-Xms{{ .Values.elasticsearch.java_heap_request }} -Xmx{{ .Values.elasticsearch.java_heap_max }} -Dmapper.allow_dots_in_name=true"
+ {{- range $key, $value := .Values.elasticsearch.cluster.env }}
+ - name: {{ $key }}
+ value: {{ $value | quote }}
+ {{- end }}
+ image: {{ .Values.elasticsearch.image_name }}
+ command: ["/usr/bin/supervisord","-n","-c","/etc/supervisord.conf"]
+ ports:
+ - containerPort: {{ .Values.elasticsearch.port_for_cluster_communication }}
+ name: transport
+ resources:
+ limits:
+ cpu: "{{ .Values.elasticsearch.cpu_limit }}"
+ memory: "{{ .Values.elasticsearch.memory_limit }}"
+ requests:
+ memory: "{{ .Values.elasticsearch.memory_request }}"
+ readinessProbe:
+ tcpSocket:
+ port: {{ .Values.elasticsearch.port }}
+ initialDelaySeconds: 5
+ volumeMounts:
+ - mountPath: /usr/share/elasticsearch/data
+ name: data
+ - mountPath: /usr/share/elasticsearch/config/elasticsearch.yml
+ name: elasticsearch-config
+ subPath: elasticsearch.yml
+ - mountPath: /etc/supervisord.conf
+ name: supervisord-config
+ subPath: supervisord.conf
+ - mountPath: /etc/cron.hourly/elasticsearch-logrotate
+ name: elasticsearch-logrotate
+ subPath: elasticsearch-logrotate
+ terminationGracePeriodSeconds: {{ .Values.elasticsearch.data.terminationGracePeriodSeconds }}
+ volumes:
+ - name: elasticsearch-config
+ configMap:
+ name: elasticsearch
+ items:
+ - key: elasticsearch.yml
+ path: elasticsearch.yml
+ mode: 0644
+ - name: supervisord-config
+ configMap:
+ name: elasticsearch
+ items:
+ - key: supervisord.conf
+ path: supervisord.conf
+ mode: 0644
+ - name: elasticsearch-logrotate
+ configMap:
+ name: elasticsearch
+ items:
+ - key: elasticsearch-logrotate
+ path: elasticsearch-logrotate
+ mode: 0755
+ - name: data
+ hostPath:
+ path: /var/log/elasticsearch
+{{ end }}
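Review bot: The `data` volume at the end of this StatefulSet is a `hostPath` on `/var/log/elasticsearch` mounted at `/usr/share/elasticsearch/data`, so index data is written into the node's log tree with no `type:` check and with whatever ownership the host directory happens to have. Use a dedicated directory with `type: DirectoryOrCreate` (or a volumeClaimTemplate) and add a `securityContext` that fixes the user the container writes as. Two smaller points in the same file: the readinessProbe targets `.Values.elasticsearch.port` while only the `transport` containerPort is declared, and there is no `spec.selector`, which `apps/v1` requires.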
--- /dev/null
+{{/*
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{ if .Values.elasticsearch.required }}
+---
+apiVersion: apps/v1beta1
+kind: StatefulSet
+metadata:
+ labels:
+ app: elasticsearch-master
+ component: "{{ .Values.elasticsearch.master.name }}"
+ name: elasticsearch-master
+ namespace: kube-system
+spec:
+ serviceName: elasticsearch-master
+ replicas: {{ .Values.elasticsearch.master.replicas }}
+ template:
+ metadata:
+ labels:
+ app: elasticsearch-master
+ component: "{{ .Values.elasticsearch.master.name }}"
+ annotations:
+ danm.k8s.io/interfaces: |
+ [
+ {
+ "network":"flannel"
+ }
+ ]
+ spec:
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - topologyKey: "kubernetes.io/hostname"
+ labelSelector:
+ matchLabels:
+ app: elasticsearch-master
+ component: "{{ .Values.elasticsearch.master.name }}"
+ nodeSelector:
+ nodetype: caas_master
+ containers:
+ - name: elasticsearch-master
+ env:
+ - name: NODE_DATA
+ value: "false"
+ - name: DISCOVERY_SERVICE
+ value: elasticsearch-data.kube-system.svc.nokia.net
+ - name: ES_JAVA_OPTS
+ value: "-Xms{{ .Values.elasticsearch.java_heap_request }} -Xmx{{ .Values.elasticsearch.java_heap_max }} -Dmapper.allow_dots_in_name=true"
+ {{- range $key, $value := .Values.elasticsearch.cluster.env }}
+ - name: {{ $key }}
+ value: {{ $value | quote }}
+ {{- end }}
+ resources:
+ limits:
+ memory: "{{ .Values.elasticsearch.memory_limit }}"
+ requests:
+ memory: "{{ .Values.elasticsearch.memory_request }}"
+ readinessProbe:
+ httpGet:
+ path: /_cluster/health?local=true
+ port: {{ .Values.elasticsearch.port }}
+ initialDelaySeconds: 5
+ image: {{ .Values.elasticsearch.image_name }}
+ command: ["/usr/bin/supervisord","-n","-c","/etc/supervisord.conf"]
+ ports:
+ - containerPort: {{ .Values.elasticsearch.port_for_cluster_communication }}
+ name: transport
+ - containerPort: {{ .Values.elasticsearch.port }}
+ name: http
+ volumeMounts:
+ - mountPath: /usr/share/elasticsearch/data
+ name: data
+ - mountPath: /usr/share/elasticsearch/config/elasticsearch.yml
+ name: elasticsearch-config
+ subPath: elasticsearch.yml
+ - mountPath: /etc/supervisord.conf
+ name: supervisord-config
+ subPath: supervisord.conf
+ volumes:
+ - name: elasticsearch-config
+ configMap:
+ name: elasticsearch
+ items:
+ - key: elasticsearch.yml
+ path: elasticsearch.yml
+ mode: 0644
+ - name: supervisord-config
+ configMap:
+ name: elasticsearch
+ items:
+ - key: supervisord.conf
+ path: supervisord.conf
+ mode: 0644
+ - name: data
+ emptyDir: {}
+{{ end }}
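Review bot: Under `volumes`, the master's `data` is `emptyDir: {}`, so whatever the master pods persist under `/usr/share/elasticsearch/data` is discarded when a pod is deleted or rescheduled, while the data StatefulSet keeps its directory on a hostPath. If that is intentional, add a comment saying so; otherwise give the masters persistent storage as well. The `resources` block also sets only memory (the data StatefulSet sets `cpu` too), and `spec.selector` is missing here as well.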
--- /dev/null
+{{/*
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{ if .Values.elasticsearch.required }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: elasticsearch-data
+ component: "{{ .Values.elasticsearch.data.name }}"
+ name: elasticsearch-data
+ namespace: kube-system
+spec:
+ ports:
+ - port: {{ .Values.elasticsearch.port_for_cluster_communication }}
+ targetPort: transport
+ selector:
+ app: elasticsearch-data
+ component: "{{ .Values.elasticsearch.data.name }}"
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: elasticsearch-master
+ component: "{{ .Values.elasticsearch.master.name }}"
+ name: elasticsearch-logging
+ namespace: kube-system
+spec:
+ ports:
+ - port: {{ .Values.elasticsearch.port }}
+ targetPort: http
+ selector:
+ app: elasticsearch-master
+ component: "{{ .Values.elasticsearch.master.name }}"
+{{ end }}
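Review bot: The master StatefulSet sets `serviceName: elasticsearch-master`, but this file defines no Service with that name; the only Service selecting the master pods is `elasticsearch-logging`. Add a headless `elasticsearch-master` Service or point `serviceName` at one that exists. The `elasticsearch-data` Service, which both StatefulSets use as `DISCOVERY_SERVICE`, is not headless either; setting `clusterIP: None` would make the name resolve to the pod addresses instead of a single virtual IP.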
--- /dev/null
+{{/*
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{ if .Values.metrics_server.required }}
+---
+apiVersion: apiregistration.k8s.io/v1beta1
+kind: APIService
+metadata:
+ name: v1beta1.metrics.k8s.io
+spec:
+ service:
+ name: metrics-server
+ namespace: kube-system
+ group: metrics.k8s.io
+ version: v1beta1
+ insecureSkipTLSVerify: true
+ groupPriorityMinimum: 100
+ versionPriority: 100
+{{ end }}
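Review bot: `insecureSkipTLSVerify: true` in `spec` means the API server aggregator does not verify the certificate of the `metrics-server` Service it proxies `metrics.k8s.io` requests to. The Deployment in this patch already starts metrics-server with `--tls-cert-file` and `--tls-private-key-file`, so a signing CA exists; pass it as `caBundle` here (for example from a chart value) and drop the skip flag.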
--- /dev/null
+{{/*
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{ if .Values.metrics_server.required }}
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: metrics-server
+ namespace: kube-system
+ labels:
+ {{ .Values.kubernetes_component_label }}: metrics-server
+spec:
+ selector:
+ matchLabels:
+ {{ .Values.kubernetes_component_label }}: metrics-server
+ template:
+ metadata:
+ annotations:
+ danm.k8s.io/interfaces: |
+ [
+ {
+ "network":"flannel"
+ }
+ ]
+ name: metrics-server
+ labels:
+ {{ .Values.kubernetes_component_label }}: metrics-server
+ spec:
+ nodeSelector:
+ nodetype: caas_master
+ serviceAccountName: metrics-apiserver
+ containers:
+ - name: metrics-server
+ image: {{ .Values.registry_url }}/{{ .Values.registry_reponame }}/metrics_server:{{ .Values.metrics_server.container_version }}
+ command:
+ - /metrics-server
+ - "--logtostderr"
+ - "--tls-cert-file=/etc/metrics-server/ssl/metrics-server.crt"
+ - "--tls-private-key-file=/etc/metrics-server/ssl/metrics-server.key"
+ volumeMounts:
+ - name: stuffs
+ mountPath: /etc/metrics-server
+ readOnly: true
+ volumes:
+ - name: stuffs
+ hostPath:
+ path: /etc/metrics-server
+{{ end }}
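Review bot: The serving key at `/etc/metrics-server/ssl/metrics-server.key` comes from a `hostPath` on `/etc/metrics-server`, so the private key has to be placed on every `caas_master` node and the pod can read everything else under that directory. A Secret mounted at the same path would keep the key out of the node filesystem and limit the mount to the two files the command line references. The volume name `stuffs` should say what it holds, and `extensions/v1beta1` is the oldest Deployment API group while other templates in this patch already use `apps/v1beta2` or `apps/v1`.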
--- /dev/null
+{{/*
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{ if .Values.metrics_server.required }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: metrics-server
+ namespace: kube-system
+ labels:
+ kubernetes.io/name: "Metrics-server"
+spec:
+ selector:
+ {{ .Values.kubernetes_component_label }}: metrics-server
+ ports:
+ - port: {{ .Values.metrics_server.port }}
+ protocol: TCP
+ targetPort: {{ .Values.metrics_server.port }}
+{{ end }}
--- /dev/null
+{{/*
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+---
+apiVersion: apps/v1beta2
+kind: DaemonSet
+metadata:
+ name: netwatcher
+ namespace: kube-system
+spec:
+ selector:
+ matchLabels:
+ {{ .Values.kubernetes_component_label }}: netwatcher
+ template:
+ metadata:
+ labels:
+ {{ .Values.kubernetes_component_label }}: netwatcher
+ spec:
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+ containers:
+ - name: netwatcher
+ image: {{ .Values.registry_url }}/{{ .Values.registry_reponame }}/netwatcher:{{ .Values.netwatcher.container_version }}
+ securityContext:
+ capabilities:
+ add:
+ - SYS_PTRACE
+ - SYS_ADMIN
+ - NET_ADMIN
+ - NET_RAW
+ tolerations:
+ - effect: NoSchedule
+ operator: Exists
+ - effect: NoExecute
+ operator: Exists
+ terminationGracePeriodSeconds: 0
+ serviceAccountName: netwatcher
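Review bot: The `securityContext` adds `SYS_PTRACE`, `SYS_ADMIN`, `NET_ADMIN` and `NET_RAW` on a pod that also runs with `hostNetwork: true` and tolerates every `NoSchedule` and `NoExecute` taint, so this container runs on every node with close to host-level privileges. Please document which operation needs each capability, drop the ones that are not required (`SYS_ADMIN` in particular), and add `drop: ["ALL"]` so the added set is the complete set. Unlike the other templates in this patch, this DaemonSet is not wrapped in a `.Values.<component>.required` guard, so it cannot be switched off from values.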
--- /dev/null
+{{/*
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{ if .Values.prometheus.required }}
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ labels:
+ {{ .Values.kubernetes_component_label }}: prometheus
+ name: prometheus-config
+ namespace: kube-system
+data:
+ prometheus.yml: |
+ # A scrape configuration for running Prometheus on a Kubernetes cluster.
+ # This uses separate scrape configs for cluster components (i.e. API server, node)
+ # and services to allow each to use different authentication configs.
+ #
+ # Kubernetes labels will be added as Prometheus labels on metrics via the
+ # `labelmap` relabeling action.
+ #
+ # If you are using Kubernetes 1.7.2 or earlier, please take note of the comments
+ # for the kubernetes-cadvisor job; you will need to edit or remove this job.
+
+ # Scrape config for API servers.
+ #
+ # Kubernetes exposes API servers as endpoints to the default/kubernetes
+ # service so this uses `endpoints` role and uses relabelling to only keep
+ # the endpoints associated with the default/kubernetes service using the
+ # default named port `https`. This works for single API server deployments as
+ # well as HA API server deployments.
+ global:
+ scrape_interval: 15s
+ scrape_timeout: 10s
+ evaluation_interval: 1m
+
+ scrape_configs:
+ - job_name: 'kubernetes-apiservers'
+
+ kubernetes_sd_configs:
+ - role: endpoints
+
+ # Default to scraping over https. If required, just disable this or change to
+ # `http`.
+ scheme: https
+
+ # This TLS & bearer token file config is used to connect to the actual scrape
+ # endpoints for cluster components. This is separate to discovery auth
+ # configuration because discovery & scraping are two separate concerns in
+ # Prometheus. The discovery auth config is automatic if Prometheus runs inside
+ # the cluster. Otherwise, more config options have to be provided within the
+ # <kubernetes_sd_config>.
+ tls_config:
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ # If your node certificates are self-signed or use a different CA to the
+ # master CA, then disable certificate verification below. Note that
+ # certificate verification is an integral part of a secure infrastructure
+ # so this should only be disabled in a controlled environment. You can
+ # disable certificate verification by uncommenting the line below.
+ #
+ insecure_skip_verify: true
+ bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+
+ # Keep only the default/kubernetes service endpoints for the https port. This
+ # will add targets for each API server which Kubernetes adds an endpoint to
+ # the default/kubernetes service.
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: default;kubernetes;https
+
+ # Scrape config for nodes (kubelet).
+ #
+ # Rather than connecting directly to the node, the scrape is proxied though the
+ # Kubernetes apiserver. This means it will work if Prometheus is running out of
+ # cluster, or can't connect to nodes for some other reason (e.g. because of
+ # firewalling).
+ - job_name: 'kubernetes-nodes'
+
+ # Default to scraping over https. If required, just disable this or change to
+ # `http`.
+ scheme: https
+
+ # This TLS & bearer token file config is used to connect to the actual scrape
+ # endpoints for cluster components. This is separate to discovery auth
+ # configuration because discovery & scraping are two separate concerns in
+ # Prometheus. The discovery auth config is automatic if Prometheus runs inside
+ # the cluster. Otherwise, more config options have to be provided within the
+ # <kubernetes_sd_config>.
+ tls_config:
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+
+ kubernetes_sd_configs:
+ - role: node
+
+ relabel_configs:
+ - action: labelmap
+ regex: __meta_kubernetes_node_label_(.+)
+ - target_label: __address__
+ replacement: kubernetes.default.svc:443
+ - source_labels: [__meta_kubernetes_node_name]
+ regex: (.+)
+ target_label: __metrics_path__
+ replacement: /api/v1/nodes/${1}/proxy/metrics
+
+ # Scrape config for Kubelet cAdvisor.
+ #
+ # This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics
+ # (those whose names begin with 'container_') have been removed from the
+ # Kubelet metrics endpoint. This job scrapes the cAdvisor endpoint to
+ # retrieve those metrics.
+ #
+ # In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor
+ # HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics"
+ # in that case (and ensure cAdvisor's HTTP server hasn't been disabled with
+ # the --cadvisor-port=0 Kubelet flag).
+ #
+ # This job is not necessary and should be removed in Kubernetes 1.6 and
+ # earlier versions, or it will cause the metrics to be scraped twice.
+ - job_name: 'kubernetes-cadvisor'
+
+ # Default to scraping over https. If required, just disable this or change to
+ # `http`.
+ scheme: https
+
+ # This TLS & bearer token file config is used to connect to the actual scrape
+ # endpoints for cluster components. This is separate to discovery auth
+ # configuration because discovery & scraping are two separate concerns in
+ # Prometheus. The discovery auth config is automatic if Prometheus runs inside
+ # the cluster. Otherwise, more config options have to be provided within the
+ # <kubernetes_sd_config>.
+ tls_config:
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+
+ kubernetes_sd_configs:
+ - role: node
+
+ relabel_configs:
+ - action: labelmap
+ regex: __meta_kubernetes_node_label_(.+)
+ - target_label: __address__
+ replacement: kubernetes.default.svc:443
+ - source_labels: [__meta_kubernetes_node_name]
+ regex: (.+)
+ target_label: __metrics_path__
+ replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
+
+ # Scrape config for service endpoints.
+ #
+ # The relabeling allows the actual service scrape endpoint to be configured
+ # via the following annotations:
+ #
+ # * `prometheus.io/scrape`: Only scrape services that have a value of `true`
+ # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
+ # to set this to `https` & most likely set the `tls_config` of the scrape config.
+ # * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+ # * `prometheus.io/port`: If the metrics are exposed on a different port to the
+ # service then set this appropriately.
+ - job_name: 'kubernetes-service-endpoints'
+
+ kubernetes_sd_configs:
+ - role: endpoints
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
+ action: keep
+ regex: true
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
+ action: replace
+ target_label: __scheme__
+ regex: (https?)
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
+ action: replace
+ target_label: __metrics_path__
+ regex: (.+)
+ - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
+ action: replace
+ target_label: __address__
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:$2
+ - action: labelmap
+ regex: __meta_kubernetes_service_label_(.+)
+ - source_labels: [__meta_kubernetes_namespace]
+ action: replace
+ target_label: kubernetes_namespace
+ - source_labels: [__meta_kubernetes_service_name]
+ action: replace
+ target_label: kubernetes_name
+
+ # Example scrape config for pods
+ #
+ # The relabeling allows the actual pod scrape endpoint to be configured via the
+ # following annotations:
+ #
+ # * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
+ # * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
+ # * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
+ # pod's declared ports (default is a port-free target if none are declared).
+ - job_name: 'kubernetes-pods'
+ # if you want to use metrics on jobs, set the below field to
+ # true to prevent Prometheus from setting the `job` label
+ # automatically.
+ honor_labels: false
+ kubernetes_sd_configs:
+ - role: pod
+ # skip verification so you can do HTTPS to pods
+ tls_config:
+ insecure_skip_verify: true
+ # make sure your labels are in order
+ relabel_configs:
+ # these labels tell Prometheus to automatically attach source
+ # pod and namespace information to each collected sample, so
+ # that they'll be exposed in the custom metrics API automatically.
+ - source_labels: [__meta_kubernetes_namespace]
+ action: replace
+ target_label: namespace
+ - source_labels: [__meta_kubernetes_pod_name]
+ action: replace
+ target_label: pod
+ # these labels tell Prometheus to look for
+ # prometheus.io/{scrape,path,port} annotations to configure
+ # how to scrape
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
+ action: keep
+ regex: true
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
+ action: replace
+ target_label: __metrics_path__
+ regex: (.+)
+ - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
+ action: replace
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:$2
+ target_label: __address__
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme]
+ action: replace
+ target_label: __scheme__
+ regex: (.+)
+ nginx.conf: |
+ daemon off;
+ worker_processes auto;
+ error_log /dev/stderr;
+ pid /run/nginx.pid;
+ include /etc/nginx/modules/*.conf;
+ events {
+ worker_connections 1024;
+ }
+ http {
+ server {
+ listen {{ .Values.prometheus.port }} ssl;
+ ssl_certificate /var/run/serving-cert/prometheus.crt;
+ ssl_certificate_key /var/run/serving-cert/prometheus.key;
+ ssl_client_certificate /etc/openssl/ca.pem;
+ ssl_verify_client optional;
+ location / {
+ proxy_pass http://127.0.0.1:19090/;
+ }
+ }
+ }
+ supervisord.conf: |
+ [unix_http_server]
+ file=/run/supervisord.sock ; (the path to the socket file)
+ chmod = 0770
+ chown = root:root
+ username = dummy
+ password = dummy
+
+ ;[inet_http_server] ; inet (TCP) server disabled by default
+
+ [supervisord]
+ user=root
+ logfile=/dev/null
+ logfile_maxbytes=0
+ loglevel=info
+ pidfile=/var/run/supervisor/supervisord.pid
+ nodaemon=true
+ minfds=1024
+ minprocs=200
+
+ [supervisorctl]
+ serverurl=unix:///run/supervisord.sock
+ username = dummy
+ password = dummy
+
+ [rpcinterface:supervisor]
+ supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
+
+ [program:prometheus]
+ command=/bin/prometheus --config.file=/etc/prometheus/prometheus.yml --storage.tsdb.retention=1h --web.listen-address=127.0.0.1:19090
+ startsecs=3
+ startretries=1
+ stopwaitsecs = 3
+ priority = 1
+ redirect_stderr=true
+ stdout_logfile=/dev/stdout
+ stdout_logfile_maxbytes=0
+
+ [program:nginx]
+ command=/usr/sbin/nginx -c /etc/prometheus/nginx.conf
+ startsecs=3
+ startretries=1
+ stopwaitsecs = 3
+ priority = 2
+ redirect_stderr=true
+ stdout_logfile=/dev/stdout
+ stdout_logfile_maxbytes=0
+{{ end }}
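Review bot: In the `kubernetes-apiservers` job, `insecure_skip_verify: true` is enabled right next to a `ca_file`, so the service account bearer token is sent to the API server endpoints without verifying their certificate, and the comment above it still says verification can be disabled "by uncommenting the line below". Either remove the line so `ca_file` is actually used, or state in the comment why verification is off in this environment; the `kubernetes-pods` job disables verification too. In `nginx.conf`, `ssl_verify_client optional;` is set but `location /` never checks `$ssl_client_verify`, so requests without a client certificate are proxied to Prometheus as well; use `ssl_verify_client on;` or reject non-`SUCCESS` results in the location block if client certificates are meant to be required. `supervisord.conf` also runs both programs with `user=root` and carries `username = dummy` / `password = dummy`.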
--- /dev/null
+{{/*
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{ if .Values.prometheus.required }}
+---
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+ name: prometheus
+ namespace: kube-system
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ {{ .Values.kubernetes_component_label }}: prometheus
+ template:
+ metadata:
+ labels:
+ {{ .Values.kubernetes_component_label }}: prometheus
+ annotations:
+ prometheus.io/scrape: 'false'
+ danm.k8s.io/interfaces: |
+ [
+ {
+ "network":"flannel"
+ }
+ ]
+ spec:
+ nodeSelector:
+ nodetype: caas_master
+ serviceAccountName: prometheus
+ containers:
+ - name: prometheus
+ image: {{ .Values.registry_url }}/{{ .Values.registry_reponame }}/prometheus:{{ .Values.prometheus.container_version }}
+ command:
+ - /usr/bin/supervisord
+ args:
+ - -c
+ - /etc/prometheus/supervisord.conf
+ ports:
+ - containerPort: {{ .Values.prometheus.port }}
+ protocol: TCP
+ resources:
+ limits:
+ memory: 2Gi
+ volumeMounts:
+ - mountPath: /var/run/serving-cert
+ name: prometheus-serving-cert
+ readOnly: true
+ - name: secret-root-ca
+ mountPath: /etc/openssl/ca.pem
+ readOnly: true
+ - mountPath: /etc/prometheus
+ name: prometheus-config
+ livenessProbe:
+ httpGet:
+ path: /api/v1/status/config
+ port: {{ .Values.prometheus.port }}
+ scheme: HTTPS
+ initialDelaySeconds: 3
+ timeoutSeconds: 5
+ volumes:
+ - name: prometheus-serving-cert
+ secret:
+ secretName: prometheus-serving-certs
+ - name: secret-root-ca
+ hostPath:
+ path: /etc/openssl/ca.pem
+ - name: prometheus-config
+ configMap:
+ name: prometheus-config
+ items:
+ - key: prometheus.yml
+ path: prometheus.yml
+ mode: 0644
+ - key: nginx.conf
+ path: nginx.conf
+ mode: 0644
+ - key: supervisord.conf
+ path: supervisord.conf
+ mode: 0644
+{{ end }}
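Review bot: The `secret-root-ca` volume is a `hostPath` pointing at a single file, `/etc/openssl/ca.pem`, with no `type:` set, so nothing checks that the path exists or is a regular file before it is mounted. Add `type: File` so the pod fails to start when the CA file is absent, or ship the CA in a ConfigMap next to `prometheus-serving-certs`. The `/etc/prometheus` mount of `prometheus-config` can also be marked `readOnly: true` like the other two mounts, and the container sets a memory limit but no requests.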
--- /dev/null
+{{/*
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{ if .Values.prometheus.required }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: prometheus-serving-certs
+ namespace: kube-system
+data:
+ prometheus.crt: {{ .Values.prometheus.server_cert }}
+ prometheus.key: {{ .Values.prometheus.server_key }}
+{{ end }}
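Review bot: `prometheus.crt` and `prometheus.key` are rendered unquoted under `data:`, which only works if `.Values.prometheus.server_cert` and `.Values.prometheus.server_key` are already base64-encoded single-line strings. Either document that requirement in the values file or take PEM input and pipe it through `b64enc`, and quote the rendered values. Adding `type: kubernetes.io/tls` with the `tls.crt` / `tls.key` key names would let the API server validate the pair, at the cost of changing the file names nginx reads. Note also that the private key travels through Helm values, so it ends up wherever the release values are stored.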
--- /dev/null
+{{/*
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{ if .Values.prometheus.required }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: prometheus
+ namespace: kube-system
+ labels:
+ {{ .Values.kubernetes_component_label }}: prometheus
+spec:
+ ports:
+ - port: {{ .Values.prometheus.port }}
+ targetPort: {{ .Values.prometheus.port }}
+ protocol: TCP
+ selector:
+ {{ .Values.kubernetes_component_label }}: prometheus
+{{ end }}
--- /dev/null
+{{/*
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{ if .Values.sriovdp.required }}
+---
+apiVersion: apps/v1beta2
+kind: DaemonSet
+metadata:
+ name: sriovdp-ds
+ namespace: kube-system
+ labels:
+ app: sriovdp-app
+spec:
+ selector:
+ matchLabels:
+ name: sriovdp
+ template:
+ metadata:
+ annotations:
+ danm.k8s.io/interfaces: |
+ [
+ {
+ "network":"flannel"
+ }
+ ]
+ labels:
+ name: sriovdp
+ spec:
+ nodeSelector:
+ sriov: enabled
+ containers:
+ - name: sriovdp
+ image: {{ .Values.sriovdp.image_name }}
+ args:
+ - "-logtostderr"
+ - "-v=10"
+ - "-resource-prefix=nokia.k8s.io"
+ volumeMounts:
+ - mountPath: /var/lib/kubelet/device-plugins/
+ name: devicesock
+ readOnly: false
+ - mountPath: /sys/class/net/
+ name: sysfs
+ readOnly: true
+ - name: sriovdp-config
+ mountPath: /etc/pcidp/
+ readOnly: true
+ volumes:
+ - name: devicesock
+ hostPath:
+ path: /var/lib/kubelet/device-plugins/
+ - name: sysfs
+ hostPath:
+ path: /sys/class/net/
+ - name: sriovdp-config
+ hostPath:
+ path: /etc/pcidp/
+ terminationGracePeriodSeconds: 1
+{{ end }}
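Review bot: The container `args` hardcode `-v=10`, the most verbose log level, for a DaemonSet that runs on every `sriov: enabled` node; make the verbosity a chart value with a lower default. The object label is `app: sriovdp-app` while the selector and pod template use `name: sriovdp`, which works but is inconsistent with the `{{ .Values.kubernetes_component_label }}` convention used by the other templates in this patch. The writable `hostPath` on `/var/lib/kubelet/device-plugins/` deserves a comment stating that it is needed for the plugin to register its socket with the kubelet.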
--- /dev/null
+{{/*
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{ if .Values.svcwatcher.required }}
+---
+apiVersion: apps/v1beta2
+kind: DaemonSet
+metadata:
+ name: svcwatcher
+ namespace: kube-system
+spec:
+ selector:
+ matchLabels:
+ {{ .Values.kubernetes_component_label }}: svcwatcher
+ template:
+ metadata:
+ annotations:
+ danm.k8s.io/interfaces: |
+ [
+ {
+ "network":"flannel"
+ }
+ ]
+ labels:
+ {{ .Values.kubernetes_component_label }}: svcwatcher
+ spec:
+ dnsPolicy: ClusterFirst
+ nodeSelector:
+ nodetype: caas_master
+ containers:
+ - name: svcwatcher
+ image: {{ .Values.registry_url }}/{{ .Values.registry_reponame }}/svcwatcher:{{ .Values.svcwatcher.container_version }}
+ args:
+ - "--logtostderr"
+ tolerations:
+ - effect: NoSchedule
+ operator: Exists
+ - effect: NoExecute
+ operator: Exists
+ terminationGracePeriodSeconds: 0
+ serviceAccountName: svcwatcher
+{{ end }}
--- /dev/null
+{{/*
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{ if .Values.cpupooler.required }}
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: cpu-device-pod-mutator-webhook-config
+ namespace: kube-system
+ annotations:
+ "helm.sh/hook": post-install
+ "helm.sh/hook-delete-policy": hook-failed, before-hook-creation
+webhooks:
+ - name: cpu-dev-mutator.nokia.k8s.io
+ clientConfig:
+ service:
+ name: cpu-dev-pod-mutator-svc
+ namespace: kube-system
+ path: "/mutating-pods"
+ caBundle: "{{ .Values.cpupooler.webhook_ca_bundle }}"
+ rules:
+ - operations: ["CREATE","UPDATE"]
+ apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods"]
+ failurePolicy: Fail
+{{ end }}
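Review bot: The webhook matches `CREATE` and `UPDATE` of every pod in every namespace with `failurePolicy: Fail` and no `namespaceSelector`, so whenever `cpu-dev-pod-mutator-svc` is unreachable no pod can be created, including the webhook's own pods in `kube-system`. Add a `namespaceSelector` (or an `objectSelector` where the cluster version supports it) that excludes `kube-system`, or at least the mutator itself, so the cluster can recover from a webhook outage. `metadata.namespace` has no effect here because MutatingWebhookConfiguration is cluster-scoped.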
--- /dev/null
+{{/*
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{ if .Values.cpupooler.required }}
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: cpu-dev-pod-mutator-deployment
+ namespace: kube-system
+ labels:
+ {{ .Values.kubernetes_component_label }}: cpu-dev-pod-mutator
+spec:
+ selector:
+ matchLabels:
+ {{ .Values.kubernetes_component_label }}: cpu-dev-pod-mutator
+ template:
+ metadata:
+ annotations:
+ danm.k8s.io/interfaces: |
+ [
+ {
+ "network":"flannel"
+ }
+ ]
+ name: cpu-dev-pod-mutator
+ labels:
+ {{ .Values.kubernetes_component_label }}: cpu-dev-pod-mutator
+ spec:
+ nodeSelector:
+ nodetype: caas_master
+ containers:
+ - name: cpu-dev-pod-mutator
+ image: {{ .Values.registry_url }}/{{ .Values.registry_reponame }}/cpupooler:{{ .Values.cpupooler.container_version }}
+ command: [ "/cpu-device-webhook", "-tls-cert-file=/etc/webhook/certs/cpuwebhook.crt", "-tls-private-key-file=/etc/webhook/certs/cpuwebhook.key", "-alsologtostderr", "-v=4" ]
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - name: webhook-certs
+ mountPath: /etc/webhook/certs
+ readOnly: true
+ - name: cpu-pooler-config
+ mountPath: /etc/cpu-pooler
+ volumes:
+ # TODO: make it a secret
+ - name: webhook-certs
+ hostPath:
+ path: /etc/kubernetes/ssl/
+ - name: cpu-pooler-config
+ configMap:
+ name: cpu-pooler-configmap
+{{ end }}
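Review bot: the `webhook-certs` volume mounts the whole of `/etc/kubernetes/ssl/` from the host, so the container can read every certificate and private key in that directory although the command line only uses `cpuwebhook.crt` and `cpuwebhook.key`. The `# TODO: make it a secret` should be resolved before merge: a Secret holding just those two files keeps the rest of the host key material out of the pod. Two smaller points in the same template: the container has no `securityContext` or `resources` set, and `-v=4` is a debug-level verbosity that is worth lowering or making a value for production.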
--- /dev/null
+{{/*
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{ if .Values.cpupooler.required }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: cpu-dev-pod-mutator-svc
+ namespace: kube-system
+ labels:
+ {{ .Values.kubernetes_component_label }}: cpu-dev-pod-mutator
+spec:
+ ports:
+ - name: webhook
+ port: {{ .Values.cpupooler.webhook_port }}
+ selector:
+ {{ .Values.kubernetes_component_label }}: cpu-dev-pod-mutator
+{{ end }}
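Review bot: `port: {{ .Values.cpupooler.webhook_port }}` is configurable, but the `clientConfig.service` block that targets `cpu-dev-pod-mutator-svc` names no port (the API server then calls 443) and the DaemonSet command passes no listen-port flag and declares no `containerPort`. With `targetPort` omitted here it defaults to `port`, so any value of `webhook_port` other than the one the binary listens on, or other than 443, makes the webhook unreachable, which with `failurePolicy: Fail` blocks pod creation. Please either pin these explicitly (`targetPort`, `containerPort`) or document the constraint next to the value.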
--- /dev/null
+{#
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+#}
+---
+kubernetes_component_label: {{ caas.kubernetes_component_label }}
+registry_url: {{ caas.registry_url }}:{{ caas.registry_port }}
+registry_reponame: "{{ caas.registry_repo }}"
+
+metrics_server:
+ required: true
+ port: {{ caas.metrics_server_port }}
+ container_version: {{ container_image_names | select('search', '/metrics_server') | list | last | regex_replace('.*:([\\w\\-_\\.]+)$', '\\1') }}
+
+prometheus:
+ required: true
+ port: {{ caas.prometheus_port }}
+ container_version: {{ container_image_names | select('search', '/prometheus') | list | last | regex_replace('.*:([\\w\\-_\\.]+)$', '\\1') }}
+ prometheus_url: {{ caas.prometheus }}
+ server_cert: {{ prometheus_cert_b64 }}
+ server_key: {{ prometheus_cert_key_b64 }}
+
+custom_metrics_api:
+ required: true
+ port: {{ caas.custom_metrics_api_port }}
+ serviceport: {{ caas.custom_metrics_api_serviceport }}
+ container_version: {{ container_image_names | select('search', '/custom_metrics') | list | last | regex_replace('.*:([\\w\\-_\\.]+)$', '\\1') }}
+ server_cert: {{ metrics_cert_b64 }}
+ server_key: {{ metrics_cert_key_b64 }}
+
+svcwatcher:
+ required: true
+ container_version: {{ container_image_names | select('search', '/svcwatcher') | list | last | regex_replace('.*:([\\w\\-_\\.]+)$', '\\1') }}
+
+netwatcher:
+ container_version: {{ container_image_names | select('search', '/netwatcher') | list | last | regex_replace('.*:([\\w\\-_\\.]+)$', '\\1') }}
+
+cpupooler:
+ required: true
+ container_version: {{ container_image_names | select('search', '/cpupooler') | list | last | regex_replace('.*:([\\w\\-_\\.]+)$', '\\1') }}
+ webhook_ca_bundle: {{ webhooks_ca }}
+ webhook_port: {{ caas.webhook_port }}
+ cpu_poolconfigs:
+ {{ ansible_local['ncir_cpu_pooler_config'] | default([]) | to_nice_yaml | indent(4) }}
+
+elasticsearch:
+ required: true
+ port: {{ caas.elasticsearch_port }}
+ image_name: {{ container_image_names | select('search', '/elasticsearch') | list | last }}
+ memory_limit: {{ caas.elasticsearch_memory_limit }}
+ cpu_limit: 1
+ memory_request: {{ caas.elasticsearch_memory_request }}
+ java_heap_request: {{ caas.elasticsearch_java_heap_request }}
+ java_heap_max: {{ caas.elasticsearch_java_heap_max }}
+ port_for_cluster_communication: {{ caas.elasticsearch_port_for_cluster_communication }}
+ es_uid: {{ caas.uid.elasticsearch }}
+ cluster:
+ name: "elasticsearch"
+ env:
+ MINIMUM_MASTER_NODES: "3"
+ master:
+ name: elasticsearch-master
+ replicas: 3
+ data:
+ name: elasticsearch-data
+ replicas: 3
+ terminationGracePeriodSeconds: 3600
+
+sriovdp:
+ required: true
+ image_name: {{ container_image_names | select('search', '/sriovdp') | list | last }}
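Review bot: `server_key: {{ prometheus_cert_key_b64 }}` and `server_key: {{ metrics_cert_key_b64 }}` write TLS private keys into the rendered values file, where they are readable by anyone who can read that file or the values stored with the Helm release. Prefer creating the Secrets outside the chart and passing only their names, or at minimum make sure the task that renders this template sets a restrictive file mode. Also, most templated scalars here are unquoted (for example `webhook_ca_bundle: {{ webhooks_ca }}` and `registry_url: {{ caas.registry_url }}:{{ caas.registry_port }}`) while `registry_reponame` is quoted; quoting them consistently avoids YAML reinterpreting a value, and the repeated `select(...) | list | last | regex_replace(...)` expression gives no clear error when no image name matches.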
--- /dev/null
+#!/bin/sh
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Swift
+function swiftauth { source /etc/swift/usr/admin/env_file; export SWIFT_AUTH_KEY=`curl --cacert /etc/swift/main/tls-proxy/ca.pem -XGET -i -H"X-Auth-User:${SWIFT_TENANT}:${SWIFT_USER}" -H"X-Auth-Key:${SWIFT_PASS}" https://swift.kube-system.svc.nokia.net:8084/auth/v1.0 | grep X-Auth-Token: | awk '{print $2;}'`; }
+function swiftget { curl --cacert /etc/swift/main/tls-proxy/ca.pem -XGET -H"X-Auth-Token: ${SWIFT_AUTH_KEY}" https://swift.kube-system.svc.nokia.net:8084/v1.0/AUTH_admin${1}; }
+function swiftput { curl --cacert /etc/swift/main/tls-proxy/ca.pem -XPUT -H"X-Auth-Token: ${SWIFT_AUTH_KEY}" -T ${1} https://swift.kube-system.svc.nokia.net:8084/v1.0/AUTH_admin${2}; }
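Review bot: in `swiftauth` the password is passed as a curl argument (`-H"X-Auth-Key:${SWIFT_PASS}"`), and `swiftget`/`swiftput` do the same with the token, so both are visible in the process list to any local user while curl runs. Feeding the headers through a curl config read from stdin or a mode-0600 file would avoid that. Other points: the shebang is `#!/bin/sh` but the `function name { ... }` form is not POSIX, so this only works where `sh` is bash; `${1}` and `${2}` are unquoted, so paths with spaces or glob characters break; and the token is parsed from `curl -i` header output, whose lines end in CRLF, so `awk '{print $2;}'` likely leaves a trailing carriage return in `SWIFT_AUTH_KEY`.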
--- /dev/null
+#!/bin/bash
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+source /etc/profile
+
+CONC_MAX=4
+
+conc() {
+ local procs=(`jobs -p`)
+ local proc_count=${#procs[*]}
+
+ # Block until there is an open slot
+ if ((proc_count >= CONC_MAX)); then
+ wait ${procs[0]}
+ fi
+
+ # Start our task
+ (eval "$@") &
+}
+
+merge() {
+ TEMP=`getopt -o f:t:i: --long from-registry:,to-registry:,image-name: -- "$@"`
+ eval set -- "$TEMP"
+
+ while [ -n "$1" ]
+ do
+ case "$1" in
+ -f|--from-registry) from_registry=$2; shift 2;;
+ -t|--to-registry) to_registry=$2; shift 2;;
+ -i|--image-name) image_name=$2; shift 2;;
+ --) break ;;
+ *) echo $1,$2,$show_usage; break ;;
+ esac
+ done
+
+ d=`date`
+ echo "---$d: Merge $image_name from $from_registry to $to_registry"
+
+ # Get new image tag
+ image_tag=`curl --cert /etc/docker-update-registry/update-registry.pem --key /etc/docker-update-registry/update-registry-key.pem --cacert /etc/docker-update-registry/ca.pem https://$from_registry/v2/$image_name/tags/list | awk -F'[' '{print $2}' | awk -F'"' '{print $2}'`
+
+ echo "New image tag: $image_tag"
+
+ # Check whether the image exists in the internal registry
+ ret_existing_image_tags=`curl --cert /etc/docker-registry/registry1.pem --key /etc/docker-registry/registry1-key.pem --cacert /etc/docker-registry/ca.pem https://$to_registry/v2/$image_name/tags/list`
+
+ ret_key=`echo $ret_existing_image_tags | awk -F'"' '{print $2}'`
+ if [ $ret_key != "errors" ]; then
+ existing_image_tags=`echo $ret_existing_image_tags | awk -F'[' '{print $2}' | awk -F']' '{print $1}' | sed "s/\"//g"`
+ IFS=',' read -r -a existing_image_tag_list <<< "$existing_image_tags"
+ for existing_tag in ${existing_image_tag_list[@]}; do
+ if [ $existing_tag = $image_tag ]; then
+ echo "The image exists in registry. Skip."
+ exit 0
+ fi
+ done
+ fi
+
+ d=`date`
+ echo "---$d: Start to pull image"
+ docker pull $from_registry/$image_name:$image_tag
+ docker tag $from_registry/$image_name:$image_tag $to_registry/$image_name:$image_tag
+
+ d=`date`
+ echo "---$d: Start to push image"
+ docker push $to_registry/$image_name:$image_tag
+
+ d=`date`
+ echo "---$d: Start to clean local image"
+ docker rmi $from_registry/$image_name:$image_tag
+ docker rmi $to_registry/$image_name:$image_tag
+
+ d=`date`
+ echo "---$d: End merging"
+}
+
+IMGLIST=`sed "s/repositories:/""/g" <<< $3`
+IMGLIST=`sed "s/{/""/g" <<< $IMGLIST`
+IMGLIST=`sed "s/}/""/g" <<< $IMGLIST`
+IMGLIST=`sed "s/\[/""/g" <<< $IMGLIST`
+IMGLIST=`sed "s/\]/""/g" <<< $IMGLIST`
+IMGLIST=`sed "s/\,/ /g" <<< $IMGLIST`
+
+for a in $IMGLIST; do conc "merge $1 $2 --image-name=$a";done;wait;
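Review bot: `conc` runs `(eval "$@")` on a string built from `$1`, `$2` and image names taken out of `$3`, and `merge` then does a second `eval set -- "$TEMP"`, so any shell metacharacter in the registry arguments or in an image name is executed as a command by a script that holds registry client keys and drives docker. Please drop the `eval` in `conc` (call `"$@" &` and pass `merge` and its arguments as separate words) and validate image names against the allowed character set before use. Further points: nearly every expansion is unquoted, and `[ $ret_key != "errors" ]` becomes a syntax error when the curl call returns nothing; the tag parsing with `awk -F'['` takes only the first tag from `tags/list`; there is no exit-status check after `docker pull`, `docker tag` or `docker push`, so a failed pull still proceeds to push and cleanup; and `$show_usage` is never defined.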
--- /dev/null
+{{ kubelet_plugings_log_dir }}/*.log {
+ rotate 20
+ maxage 30
+ missingok
+ compress
+ }
+
+# TODO: clean up config when logrotate 3.10 is available https://superuser.com/questions/1059033/logrotate-wildcard-fails-on-missing-files-with-missingok-and-olddir
+# TODO: check /var/lib/kubelet/plugins/**/*.log with newer version of logrotate
+/var/lib/kubelet/plugins/*log /var/lib/kubelet/plugins/*/*log /var/lib/kubelet/plugins/*/*/*log /var/lib/kubelet/plugins/*/*/*/*log {
+ size 100M
+ missingok
+ copytruncate
+ sharedscripts
+ postrotate
+ rotated_logs="$(find /var/lib/kubelet/plugins -name '*.log.[1-20]')"
+ for file in $rotated_logs; do
+ log_file_name="$(basename $file | sed -r 's/.[0-9]+$//')"
+ mv $file {{ kubelet_plugings_log_dir }}/$log_file_name
+ done
+ endscript
+ }
+
+/var/log/plugin.log /var/log/danm.log {
+ size 15M
+ rotate 10
+ maxage 30
+ missingok
+ compress
+ copytruncate
+ dateext dateformat -%Y-%m-%d-%H-%s
+}
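Review bot: in the `postrotate` script, `-name '*.log.[1-20]'` is a glob character class, not a numeric range; it matches a single character `0`, `1` or `2`, so rotated files with any other suffix are never moved out of `/var/lib/kubelet/plugins`. Use a pattern such as `'*.log.[0-9]*'` if the intent is every rotated generation. In the same loop, `sed -r 's/.[0-9]+$//'` has an unescaped `.`, `$file` is unquoted, and `mv $file {{ kubelet_plugings_log_dir }}/$log_file_name` keeps only the basename, so logs with the same name from different plugin directories overwrite each other. In the last block, `dateext dateformat -%Y-%m-%d-%H-%s` puts two directives on one line and uses `%s`, which is seconds since the epoch; please split the line and confirm `%s` is the intended specifier.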