kubernetes-sigs
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Enable HA deploy of kubeadm (#1658) 

* Enable HA deploy of kubeadm

* raise delay to 60s for starting gce hosts
pull/1668/head
Matthew Mosesohn 2017-09-15 22:28:15 +01:00 committed by GitHub
parent b294db5aed
commit 8e731337ba
10 changed files with 88 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
.gitlab-ci.yml
View File

@ -168,7 +168,9 @@ before_script:
# Tests Cases # Tests Cases
## Test Master API ## Test Master API
- ansible-playbook -i inventory/inventory.ini -e ansible_python_interpreter=${PYPATH} -u $SSH_USER -e ansible_ssh_user=$SSH_USER $SSH_ARGS -b --become-user=root --limit "all:!fake_hosts" tests/testcases/010_check-apiserver.yml $LOG_LEVEL - >
ansible-playbook -i inventory/inventory.ini -e ansible_python_interpreter=${PYPATH} -u $SSH_USER -e ansible_ssh_user=$SSH_USER $SSH_ARGS -b --become-user=root --limit "all:!fake_hosts" tests/testcases/010_check-apiserver.yml $LOG_LEVEL
-e "{kubeadm_enabled: ${KUBEADM_ENABLED}}"
## Ping the between 2 pod ## Ping the between 2 pod
- ansible-playbook -i inventory/inventory.ini -e ansible_python_interpreter=${PYPATH} -u $SSH_USER -e ansible_ssh_user=$SSH_USER $SSH_ARGS -b --become-user=root --limit "all:!fake_hosts" tests/testcases/030_check-network.yml $LOG_LEVEL - ansible-playbook -i inventory/inventory.ini -e ansible_python_interpreter=${PYPATH} -u $SSH_USER -e ansible_ssh_user=$SSH_USER $SSH_ARGS -b --become-user=root --limit "all:!fake_hosts" tests/testcases/030_check-network.yml $LOG_LEVEL
@ -301,7 +303,7 @@ before_script:
CLOUD_IMAGE: ubuntu-1604-xenial CLOUD_IMAGE: ubuntu-1604-xenial
CLOUD_MACHINE_TYPE: "n1-standard-2" CLOUD_MACHINE_TYPE: "n1-standard-2"
CLOUD_REGION: europe-west1-b CLOUD_REGION: europe-west1-b
CLUSTER_MODE: default CLUSTER_MODE: ha
KUBEADM_ENABLED: "true" KUBEADM_ENABLED: "true"
STARTUP_SCRIPT: "" STARTUP_SCRIPT: ""

5
roles/download/defaults/main.yml
View File

@ -19,7 +19,8 @@ download_always_pull: False
# Versions # Versions
kube_version: v1.7.5 kube_version: v1.7.5
kubeadm_version: "{{ kube_version }}" # Change to kube_version after v1.8.0 release
kubeadm_version: "v1.8.0-beta.1"
etcd_version: v3.2.4 etcd_version: v3.2.4
# TODO(mattymo): Move calico versions to roles/network_plugins/calico/defaults # TODO(mattymo): Move calico versions to roles/network_plugins/calico/defaults
# after migration to container download # after migration to container download
@ -38,7 +39,7 @@ kubeadm_download_url: "https://storage.googleapis.com/kubernetes-release/release
# Checksums # Checksums
etcd_checksum: "274c46a7f8d26f7ae99d6880610f54933cbcf7f3beafa19236c52eb5df8c7a0b" etcd_checksum: "274c46a7f8d26f7ae99d6880610f54933cbcf7f3beafa19236c52eb5df8c7a0b"
kubeadm_checksum: "378e6052f8b178f8e6a38e8637681c72d389443b66b78b51b8ddc9a162c655c3" kubeadm_checksum: "ddd5949699d6bdbc0b90b379e7e534f137b1058db1acc8f26cc54843f017ffbf"
# Containers # Containers
# Possible values: host, docker # Possible values: host, docker

13
roles/kubernetes/kubeadm/tasks/main.yml
View File

@ -10,6 +10,11 @@
when: not is_kube_master when: not is_kube_master
tags: facts tags: facts
- name: Check if kubelet.conf exists
stat:
path: "{{ kube_config_dir }}/kubelet.conf"
register: kubelet_conf
- name: Create kubeadm client config - name: Create kubeadm client config
template: template:
src: kubeadm-client.conf.j2 src: kubeadm-client.conf.j2
@ -21,7 +26,13 @@
- name: Join to cluster if needed - name: Join to cluster if needed
command: kubeadm join --config {{ kube_config_dir}}/kubeadm-client.conf --skip-preflight-checks command: kubeadm join --config {{ kube_config_dir}}/kubeadm-client.conf --skip-preflight-checks
register: kubeadm_join register: kubeadm_join
when: not is_kube_master and kubeadm_client_conf.changed when: not is_kube_master and (kubeadm_client_conf.changed or not kubelet_conf.stat.exists)
- name: Wait for kubelet bootstrap to create config
wait_for:
path: "{{ kube_config_dir }}/kubelet.conf"
delay: 1
timeout: 60
- name: Update server field in kubelet kubeconfig - name: Update server field in kubelet kubeconfig
replace: replace:

53
roles/kubernetes/master/tasks/kubeadm-setup.yml
View File

@ -14,7 +14,7 @@
{{ apiserver_loadbalancer_domain_name }} {{ apiserver_loadbalancer_domain_name }}
{%- endif %} {%- endif %}
{%- for host in groups['kube-master'] -%} {%- for host in groups['kube-master'] -%}
{%- if hostvars[host]['access_ip'] is defined %}{{ hostvars[host]['access_ip'] }}{% endif -%} {%- if hostvars[host]['access_ip'] is defined %}{{ hostvars[host]['access_ip'] }}{% endif %}
{{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }} {{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}
{%- endfor %} {%- endfor %}
tags: facts tags: facts
@ -29,7 +29,54 @@
dest: "{{ kube_config_dir }}/kubeadm-config.yaml" dest: "{{ kube_config_dir }}/kubeadm-config.yaml"
register: kubeadm_config register: kubeadm_config
- name: kubeadm | Initialize cluster - name: Check if kubeadm has already run
stat:
path: "{{ kube_config_dir }}/admin.conf"
register: admin_conf
- name: kubeadm | Initialize first master
command: timeout -k 240s 240s kubeadm init --config={{ kube_config_dir }}/kubeadm-config.yaml --skip-preflight-checks command: timeout -k 240s 240s kubeadm init --config={{ kube_config_dir }}/kubeadm-config.yaml --skip-preflight-checks
register: kubeadm_init register: kubeadm_init
when: kubeadm_config.changed #Retry is because upload config sometimes fails
retries: 3
when: inventory_hostname == groups['kube-master']|first and (kubeadm_config.changed or not admin_conf.stat.exists)
- name: slurp kubeadm certs
slurp:
src: "{{ item }}"
with_items:
- "{{ kube_cert_dir }}/apiserver.crt"
- "{{ kube_cert_dir }}/apiserver.key"
- "{{ kube_cert_dir }}/apiserver-kubelet-client.crt"
- "{{ kube_cert_dir }}/apiserver-kubelet-client.key"
- "{{ kube_cert_dir }}/ca.crt"
- "{{ kube_cert_dir }}/ca.key"
- "{{ kube_cert_dir }}/front-proxy-ca.crt"
- "{{ kube_cert_dir }}/front-proxy-ca.key"
- "{{ kube_cert_dir }}/front-proxy-client.crt"
- "{{ kube_cert_dir }}/front-proxy-client.key"
- "{{ kube_cert_dir }}/sa.key"
- "{{ kube_cert_dir }}/sa.pub"
register: kubeadm_certs
delegate_to: "{{ groups['kube-master']|first }}"
run_once: true
- name: write out kubeadm certs
copy:
dest: "{{ item.item }}"
content: "{{ item.content | b64decode }}"
owner: root
group: root
mode: 0700
no_log: true
register: copy_kubeadm_certs
with_items: "{{ kubeadm_certs.results }}"
when: inventory_hostname != groups['kube-master']|first
- name: kubeadm | Initialize other masters
command: timeout -k 240s 240s kubeadm init --config={{ kube_config_dir }}/kubeadm-config.yaml --skip-preflight-checks
register: kubeadm_init
#Retry is because upload config sometimes fails
retries: 3
when: inventory_hostname != groups['kube-master']|first and (kubeadm_config.changed or not admin_conf.stat.exists or copy_kubeadm_certs.changed)

6
roles/kubernetes/master/tasks/main.yml
View File

@ -2,6 +2,12 @@
- include: pre-upgrade.yml - include: pre-upgrade.yml
tags: k8s-pre-upgrade tags: k8s-pre-upgrade
# upstream bug: https://github.com/kubernetes/kubeadm/issues/441
- name: Disable kube_basic_auth until kubeadm/441 is fixed
set_fact:
kube_basic_auth: false
when: kubeadm_enabled|bool|default(false)
- include: users-file.yml - include: users-file.yml
when: kube_basic_auth|default(true) when: kube_basic_auth|default(true)

7
roles/kubernetes/master/templates/kubeadm-config.yaml.j2
View File

@ -2,7 +2,7 @@ apiVersion: kubeadm.k8s.io/v1alpha1
kind: MasterConfiguration kind: MasterConfiguration
api: api:
advertiseAddress: {{ ip | default(ansible_default_ipv4.address) }} advertiseAddress: {{ ip | default(ansible_default_ipv4.address) }}
bindPort: "{{ kube_apiserver_port }}" bindPort: {{ kube_apiserver_port }}
etcd: etcd:
endpoints: endpoints:
{% for endpoint in etcd_access_endpoint.split(',') %} {% for endpoint in etcd_access_endpoint.split(',') %}
@ -19,16 +19,18 @@ kubernetesVersion: {{ kube_version }}
cloudProvider: {{ cloud_provider|default('') }} cloudProvider: {{ cloud_provider|default('') }}
#TODO: cloud provider conf file #TODO: cloud provider conf file
authorizationModes: authorizationModes:
- Node
{% for mode in authorization_modes %} {% for mode in authorization_modes %}
- {{ mode }} - {{ mode }}
{% endfor %} {% endfor %}
token: {{ kubeadm_token }} token: {{ kubeadm_token }}
tokenTTL: {{ kubeadm_token_ttl }} tokenTTL: "{{ kubeadm_token_ttl }}"
selfHosted: false selfHosted: false
apiServerExtraArgs: apiServerExtraArgs:
insecure-bind-address: {{ kube_apiserver_insecure_bind_address }} insecure-bind-address: {{ kube_apiserver_insecure_bind_address }}
insecure-port: "{{ kube_apiserver_insecure_port }}" insecure-port: "{{ kube_apiserver_insecure_port }}"
admission-control: {{ kube_apiserver_admission_control | join(',') }} admission-control: {{ kube_apiserver_admission_control | join(',') }}
apiserver-count: "{{ kube_apiserver_count }}"
service-node-port-range: {{ kube_apiserver_node_port_range }} service-node-port-range: {{ kube_apiserver_node_port_range }}
{% if kube_basic_auth|default(true) %} {% if kube_basic_auth|default(true) %}
basic-auth-file: {{ kube_users_dir }}/known_users.csv basic-auth-file: {{ kube_users_dir }}/known_users.csv
@ -65,3 +67,4 @@ apiServerCertSANs:
- {{ san }} - {{ san }}
{% endfor %} {% endfor %}
certificatesDir: {{ kube_config_dir }}/ssl certificatesDir: {{ kube_config_dir }}/ssl
unifiedControlPlaneImage: "{{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}"

3
roles/kubernetes/node/templates/kubelet.kubeadm.env.j2
View File

@ -15,8 +15,9 @@ KUBELET_HOSTNAME="--hostname-override={{ kube_override_hostname }}"
{# Base kubelet args #} {# Base kubelet args #}
{% set kubelet_args_base -%} {% set kubelet_args_base -%}
{# start kubeadm specific settings #} {# start kubeadm specific settings #}
--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf \
--kubeconfig={{ kube_config_dir }}/kubelet.conf \ --kubeconfig={{ kube_config_dir }}/kubelet.conf \
--require-kubeconfig=true \ --require-kubeconfig \
--authorization-mode=Webhook \ --authorization-mode=Webhook \
--client-ca-file={{ kube_cert_dir }}/ca.crt \ --client-ca-file={{ kube_cert_dir }}/ca.crt \
--pod-manifest-path={{ kube_manifest_dir }} \ --pod-manifest-path={{ kube_manifest_dir }} \

1
roles/reset/tasks/main.yml
View File

@ -109,6 +109,7 @@
- "{{ bin_dir }}/etcdctl" - "{{ bin_dir }}/etcdctl"
- "{{ bin_dir }}/kubernetes-scripts" - "{{ bin_dir }}/kubernetes-scripts"
- "{{ bin_dir }}/kubectl" - "{{ bin_dir }}/kubectl"
- "{{ bin_dir }}/kubeadm"
- "{{ bin_dir }}/helm" - "{{ bin_dir }}/helm"
- "{{ bin_dir }}/calicoctl" - "{{ bin_dir }}/calicoctl"
- "{{ bin_dir }}/weave" - "{{ bin_dir }}/weave"

4
tests/cloud_playbooks/create-gce.yml
View File

@ -35,7 +35,7 @@
register: gce register: gce
- name: Add instances to host group - name: Add instances to host group
add_host: hostname={{item.name}} ansible_host={{item.public_ip}} groupname="waitfor_hosts" add_host: hostname={{item.public_ip}} groupname="waitfor_hosts"
with_items: '{{gce.instance_data}}' with_items: '{{gce.instance_data}}'
- name: Template the inventory - name: Template the inventory
@ -61,4 +61,4 @@
gather_facts: false gather_facts: false
tasks: tasks:
- name: Wait for SSH to come up. - name: Wait for SSH to come up.
local_action: wait_for host={{inventory_hostname}} port=22 delay=5 timeout=240 state=started local_action: wait_for host={{inventory_hostname}} port=22 delay=60 timeout=240 state=started

1
tests/testcases/010_check-apiserver.yml
View File

@ -9,3 +9,4 @@
password: "{{ lookup('password', '../../credentials/kube_user length=15 chars=ascii_letters,digits') }}" password: "{{ lookup('password', '../../credentials/kube_user length=15 chars=ascii_letters,digits') }}"
validate_certs: no validate_certs: no
status_code: 200 status_code: 200
when: not kubeadm_enabled|default(false)