github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Add new policy_provider option to Salt; supporting Calico installation

pull/6/head
Matt Dupre 2016-05-04 10:54:57 -07:00 committed by Casey Davenport
parent a00dbea133
commit 19be49124b
13 changed files with 167 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
cluster/aws/config-default.sh
View File

@ -153,5 +153,8 @@ OPENCONTRAIL_TAG="${OPENCONTRAIL_TAG:-R2.20}"
OPENCONTRAIL_KUBERNETES_TAG="${OPENCONTRAIL_KUBERNETES_TAG:-master}" OPENCONTRAIL_KUBERNETES_TAG="${OPENCONTRAIL_KUBERNETES_TAG:-master}"
OPENCONTRAIL_PUBLIC_SUBNET="${OPENCONTRAIL_PUBLIC_SUBNET:-10.1.0.0/16}" OPENCONTRAIL_PUBLIC_SUBNET="${OPENCONTRAIL_PUBLIC_SUBNET:-10.1.0.0/16}"
# Network Policy plugin specific settings
POLICY_PROVIDER="${POLICY_PROVIDER:-none}" # calico
# Optional: if set to true, kube-up will configure the cluster to run e2e tests. # Optional: if set to true, kube-up will configure the cluster to run e2e tests.
E2E_STORAGE_TEST_ENVIRONMENT=${KUBE_E2E_STORAGE_TEST_ENVIRONMENT:-false} E2E_STORAGE_TEST_ENVIRONMENT=${KUBE_E2E_STORAGE_TEST_ENVIRONMENT:-false}

2
cluster/aws/templates/configure-vm-aws.sh
View File

@ -91,7 +91,7 @@ EOF
if [[ ! -z "${KUBELET_APISERVER:-}" ]] && [[ ! -z "${KUBELET_CERT:-}" ]] && [[ ! -z "${KUBELET_KEY:-}" ]]; then if [[ ! -z "${KUBELET_APISERVER:-}" ]] && [[ ! -z "${KUBELET_CERT:-}" ]] && [[ ! -z "${KUBELET_KEY:-}" ]]; then
cat <<EOF >>/etc/salt/minion.d/grains.conf cat <<EOF >>/etc/salt/minion.d/grains.conf
kubelet_api_servers: '${KUBELET_APISERVER}' kubelet_api_servers: '${KUBELET_APISERVER}'
cbr-cidr: 10.123.45.0/30 cbr-cidr: 10.123.45.0/29
EOF EOF
else else
# If the kubelet is running disconnected from a master, give it a fixed # If the kubelet is running disconnected from a master, give it a fixed

1
cluster/common.sh
View File

@ -523,6 +523,7 @@ HAIRPIN_MODE: $(yaml-quote ${HAIRPIN_MODE:-})
OPENCONTRAIL_TAG: $(yaml-quote ${OPENCONTRAIL_TAG:-}) OPENCONTRAIL_TAG: $(yaml-quote ${OPENCONTRAIL_TAG:-})
OPENCONTRAIL_KUBERNETES_TAG: $(yaml-quote ${OPENCONTRAIL_KUBERNETES_TAG:-}) OPENCONTRAIL_KUBERNETES_TAG: $(yaml-quote ${OPENCONTRAIL_KUBERNETES_TAG:-})
OPENCONTRAIL_PUBLIC_SUBNET: $(yaml-quote ${OPENCONTRAIL_PUBLIC_SUBNET:-}) OPENCONTRAIL_PUBLIC_SUBNET: $(yaml-quote ${OPENCONTRAIL_PUBLIC_SUBNET:-})
POLICY_PROVIDER: $(yaml-quote ${POLICY_PROVIDER:-})
E2E_STORAGE_TEST_ENVIRONMENT: $(yaml-quote ${E2E_STORAGE_TEST_ENVIRONMENT:-}) E2E_STORAGE_TEST_ENVIRONMENT: $(yaml-quote ${E2E_STORAGE_TEST_ENVIRONMENT:-})
KUBE_IMAGE_TAG: $(yaml-quote ${KUBE_IMAGE_TAG:-}) KUBE_IMAGE_TAG: $(yaml-quote ${KUBE_IMAGE_TAG:-})
KUBE_DOCKER_REGISTRY: $(yaml-quote ${KUBE_DOCKER_REGISTRY:-}) KUBE_DOCKER_REGISTRY: $(yaml-quote ${KUBE_DOCKER_REGISTRY:-})

3
cluster/gce/config-default.sh
View File

@ -131,6 +131,9 @@ OPENCONTRAIL_TAG="${OPENCONTRAIL_TAG:-R2.20}"
OPENCONTRAIL_KUBERNETES_TAG="${OPENCONTRAIL_KUBERNETES_TAG:-master}" OPENCONTRAIL_KUBERNETES_TAG="${OPENCONTRAIL_KUBERNETES_TAG:-master}"
OPENCONTRAIL_PUBLIC_SUBNET="${OPENCONTRAIL_PUBLIC_SUBNET:-10.1.0.0/16}" OPENCONTRAIL_PUBLIC_SUBNET="${OPENCONTRAIL_PUBLIC_SUBNET:-10.1.0.0/16}"
# Network Policy plugin specific settings.
POLICY_PROVIDER="${POLICY_PROVIDER:-none}" # calico
# How should the kubelet configure hairpin mode? # How should the kubelet configure hairpin mode?
HAIRPIN_MODE="${HAIRPIN_MODE:-promiscuous-bridge}" # promiscuous-bridge, hairpin-veth, none HAIRPIN_MODE="${HAIRPIN_MODE:-promiscuous-bridge}" # promiscuous-bridge, hairpin-veth, none
# Optional: if set to true, kube-up will configure the cluster to run e2e tests. # Optional: if set to true, kube-up will configure the cluster to run e2e tests.

3
cluster/gce/configure-vm.sh
View File

@ -445,6 +445,7 @@ hairpin_mode: '$(echo "$HAIRPIN_MODE" | sed -e "s/'/''/g")'
opencontrail_tag: '$(echo "$OPENCONTRAIL_TAG" | sed -e "s/'/''/g")' opencontrail_tag: '$(echo "$OPENCONTRAIL_TAG" | sed -e "s/'/''/g")'
opencontrail_kubernetes_tag: '$(echo "$OPENCONTRAIL_KUBERNETES_TAG")' opencontrail_kubernetes_tag: '$(echo "$OPENCONTRAIL_KUBERNETES_TAG")'
opencontrail_public_subnet: '$(echo "$OPENCONTRAIL_PUBLIC_SUBNET")' opencontrail_public_subnet: '$(echo "$OPENCONTRAIL_PUBLIC_SUBNET")'
policy_provider: '$(echo "$POLICY_PROVIDER" | sed -e "s/'/''/g")'
enable_manifest_url: '$(echo "${ENABLE_MANIFEST_URL:-}" | sed -e "s/'/''/g")' enable_manifest_url: '$(echo "${ENABLE_MANIFEST_URL:-}" | sed -e "s/'/''/g")'
manifest_url: '$(echo "${MANIFEST_URL:-}" | sed -e "s/'/''/g")' manifest_url: '$(echo "${MANIFEST_URL:-}" | sed -e "s/'/''/g")'
manifest_url_header: '$(echo "${MANIFEST_URL_HEADER:-}" | sed -e "s/'/''/g")' manifest_url_header: '$(echo "${MANIFEST_URL_HEADER:-}" | sed -e "s/'/''/g")'
@ -859,7 +860,7 @@ EOF
if [[ ! -z "${KUBELET_APISERVER:-}" ]] && [[ ! -z "${KUBELET_CERT:-}" ]] && [[ ! -z "${KUBELET_KEY:-}" ]]; then if [[ ! -z "${KUBELET_APISERVER:-}" ]] && [[ ! -z "${KUBELET_CERT:-}" ]] && [[ ! -z "${KUBELET_KEY:-}" ]]; then
cat <<EOF >>/etc/salt/minion.d/grains.conf cat <<EOF >>/etc/salt/minion.d/grains.conf
kubelet_api_servers: '${KUBELET_APISERVER}' kubelet_api_servers: '${KUBELET_APISERVER}'
cbr-cidr: 10.123.45.0/30 cbr-cidr: 10.123.45.0/29
EOF EOF
else else
# If the kubelet is running disconnected from a master, give it a fixed # If the kubelet is running disconnected from a master, give it a fixed

16
cluster/saltbase/salt/calico/10-calico.conf Normal file
View File

@ -0,0 +1,16 @@
{
"name": "calico-k8s-network",
"type": "calico",
"etcd_authority": "{{ grains.api_servers }}:6666",
"log_level": "info",
"ipam": {
"type": "host-local",
"subnet": "CBR0_CIDR"
},
"policy": {
"type": "k8s",
"k8s_api_root": "https://{{ grains.api_servers }}:443/api/v1",
"k8s_client_certificate": "/path/to/client/cert",
"k8s_client_key": "/path/to/client/key"
}
}

20
cluster/saltbase/salt/calico/calico-policy-agent.manifest Normal file
View File

@ -0,0 +1,20 @@
apiVersion: v1
kind: Pod
metadata:
name: calico-policy-agent
namespace: calico-system
labels:
version: latest
projectcalico.org/app: "policy-agent"
spec:
hostNetwork: true
containers:
- name: policycontroller
image: caseydavenport/calico-policy-controller:latest
env:
- name: ETCD_AUTHORITY
value: "127.0.0.1:6666"
- name: K8S_API
value: "http://127.0.0.1:8080"
- name: LOG_LEVEL
value: "info"

43
cluster/saltbase/salt/calico/master.sls Normal file
View File

@ -0,0 +1,43 @@
{% if pillar.get('policy_provider', '').lower() == 'calico' %}
calicoctl:
file.managed:
- name: /usr/bin/calicoctl
- source: https://github.com/projectcalico/calico-docker/releases/download/v0.19.0/calicoctl
- source_hash: sha256=6db00c94619e82d878d348c4e1791f8d2f0db59075f6c8e430fefae297c54d96
- makedirs: True
- mode: 744
calico-etcd:
cmd.run:
- unless: docker ps | grep calico-etcd
- name: >
docker run --name calico-etcd -d --restart=always -p 6666:6666
-v /varetcd:/var/etcd
gcr.io/google_containers/etcd:2.2.1
/usr/local/bin/etcd --name calico
--data-dir /var/etcd/calico-data
--advertise-client-urls http://{{ grains.id }}:6666
--listen-client-urls http://0.0.0.0:6666
--listen-peer-urls http://0.0.0.0:6667
--initial-advertise-peer-urls http://{{ grains.id }}:6667
--initial-cluster calico=http://{{ grains.id }}:6667
calico-policy-agent:
file.managed:
- name: /etc/kubernetes/manifests/calico-policy-agent.manifest
- source: salt://calico/calico-policy-agent.manifest
- template: jinja
- user: root
- group: root
- mode: 644
- makedirs: true
- dir_mode: 755
- context:
cpurequest: '20m'
- require:
- service: docker
- service: kubelet
- cmd: calico-etcd
{% endif -%}

62
cluster/saltbase/salt/calico/node.sls Normal file
View File

@ -0,0 +1,62 @@
{% if pillar.get('policy_provider', '').lower() == 'calico' %}
calicoctl:
file.managed:
- name: /usr/bin/calicoctl
- source: https://github.com/projectcalico/calico-docker/releases/download/v0.19.0/calicoctl
- source_hash: sha256=6db00c94619e82d878d348c4e1791f8d2f0db59075f6c8e430fefae297c54d96
- makedirs: True
- mode: 744
calico-node:
cmd.run:
- name: calicoctl node
- unless: docker ps | grep calico-node
- env:
- ETCD_AUTHORITY: "{{ grains.api_servers }}:6666"
- CALICO_NETWORKING: "false"
- require:
- kmod: ip6_tables
- kmod: xt_set
- service: docker
- file: calicoctl
calico-cni:
file.managed:
- name: /opt/cni/bin/calico
- source: https://github.com/projectcalico/calico-cni/releases/download/v1.3.0/calico
- source_hash: sha256=2f65616cfca7d7b8967a62f179508d30278bcc72cef9d122ce4a5f6689fc6577
- makedirs: True
- mode: 744
calico-cni-config:
file.managed:
- name: /etc/cni/net.d/10-calico.conf
- source: salt://calico/10-calico.conf
- makedirs: True
- mode: 644
- template: jinja
calico-update-cbr0:
cmd.run:
- name: sed -i "s#CBR0_CIDR#$(ip addr list cbr0 | grep -o 'inet [^ ]*' | awk '{print $2}')#" /etc/cni/net.d/10-calico.conf
- require:
- file: calico-cni
- file: calico-cni-config
- cmd: calico-node
- service: kubelet
- service: docker
calico-restart-kubelet:
cmd.run:
- name: service kubelet restart
- require:
- cmd: calico-update-cbr0
ip6_tables:
kmod.present
xt_set:
kmod.present
{% endif -%}

2
cluster/saltbase/salt/kubelet/default
View File

@ -151,6 +151,8 @@
{% set network_plugin = "--network-plugin=opencontrail" %} {% set network_plugin = "--network-plugin=opencontrail" %}
{% elif pillar.get('network_provider', '').lower() == 'cni' %} {% elif pillar.get('network_provider', '').lower() == 'cni' %}
{% set network_plugin = "--network-plugin=cni --network-plugin-dir=/etc/cni/net.d/" %} {% set network_plugin = "--network-plugin=cni --network-plugin-dir=/etc/cni/net.d/" %}
{%elif pillar.get('policy_provider', '').lower() == 'calico' and grains['roles'][0] != 'kubernetes-master' -%}
{% set network_plugin = "--network-plugin=cni --network-plugin-dir=/etc/cni/net.d/" %}
{% elif pillar.get('network_provider', '').lower() == 'kubenet' %} {% elif pillar.get('network_provider', '').lower() == 'kubenet' %}
{% set network_plugin = "--network-plugin=kubenet" -%} {% set network_plugin = "--network-plugin=kubenet" -%}
{% if reconcile_cidr_args == '' -%} {% if reconcile_cidr_args == '' -%}

9
cluster/saltbase/salt/top.sls
View File

@ -15,6 +15,9 @@ base:
- docker - docker
{% if pillar.get('network_provider', '').lower() == 'flannel' %} {% if pillar.get('network_provider', '').lower() == 'flannel' %}
- flannel - flannel
{% endif %}
{% if pillar.get('policy_provider', '').lower() == 'calico' %}
- cni
{% elif pillar.get('network_provider', '').lower() == 'kubenet' %} {% elif pillar.get('network_provider', '').lower() == 'kubenet' %}
- cni - cni
{% elif pillar.get('network_provider', '').lower() == 'cni' %} {% elif pillar.get('network_provider', '').lower() == 'cni' %}
@ -44,6 +47,9 @@ base:
{% endif %} {% endif %}
- logrotate - logrotate
- supervisor - supervisor
{% if pillar.get('policy_provider', '').lower() == 'calico' %}
- calico.node
{% endif %}
'roles:kubernetes-master': 'roles:kubernetes-master':
- match: grain - match: grain
@ -88,3 +94,6 @@ base:
{% if pillar.get('enable_node_autoscaler', '').lower() == 'true' %} {% if pillar.get('enable_node_autoscaler', '').lower() == 'true' %}
- cluster-autoscaler - cluster-autoscaler
{% endif %} {% endif %}
{% if pillar.get('policy_provider', '').lower() == 'calico' %}
- calico.master
{% endif %}

4
cluster/vagrant/config-default.sh
View File

@ -109,6 +109,10 @@ fi
OPENCONTRAIL_TAG="${OPENCONTRAIL_TAG:-R2.20}" OPENCONTRAIL_TAG="${OPENCONTRAIL_TAG:-R2.20}"
OPENCONTRAIL_KUBERNETES_TAG="${OPENCONTRAIL_KUBERNETES_TAG:-master}" OPENCONTRAIL_KUBERNETES_TAG="${OPENCONTRAIL_KUBERNETES_TAG:-master}"
OPENCONTRAIL_PUBLIC_SUBNET="${OPENCONTRAIL_PUBLIC_SUBNET:-10.1.0.0/16}" OPENCONTRAIL_PUBLIC_SUBNET="${OPENCONTRAIL_PUBLIC_SUBNET:-10.1.0.0/16}"
# Network Policy plugin specific settings
POLICY_PROVIDER="${POLICY_PROVIDER:-none}" # calico
# Optional: if set to true, kube-up will configure the cluster to run e2e tests. # Optional: if set to true, kube-up will configure the cluster to run e2e tests.
E2E_STORAGE_TEST_ENVIRONMENT=${KUBE_E2E_STORAGE_TEST_ENVIRONMENT:-false} E2E_STORAGE_TEST_ENVIRONMENT=${KUBE_E2E_STORAGE_TEST_ENVIRONMENT:-false}

1
cluster/vagrant/provision-utils.sh
View File

@ -67,6 +67,7 @@ cluster_cidr: '$(echo "$CLUSTER_IP_RANGE" | sed -e "s/'/''/g")'
opencontrail_tag: '$(echo "$OPENCONTRAIL_TAG" | sed -e "s/'/''/g")' opencontrail_tag: '$(echo "$OPENCONTRAIL_TAG" | sed -e "s/'/''/g")'
opencontrail_kubernetes_tag: '$(echo "$OPENCONTRAIL_KUBERNETES_TAG" | sed -e "s/'/''/g")' opencontrail_kubernetes_tag: '$(echo "$OPENCONTRAIL_KUBERNETES_TAG" | sed -e "s/'/''/g")'
opencontrail_public_subnet: '$(echo "$OPENCONTRAIL_PUBLIC_SUBNET" | sed -e "s/'/''/g")' opencontrail_public_subnet: '$(echo "$OPENCONTRAIL_PUBLIC_SUBNET" | sed -e "s/'/''/g")'
policy_provider: '$(echo "$POLICY_PROVIDER" | sed -e "s/'/''/g")'
e2e_storage_test_environment: '$(echo "$E2E_STORAGE_TEST_ENVIRONMENT" | sed -e "s/'/''/g")' e2e_storage_test_environment: '$(echo "$E2E_STORAGE_TEST_ENVIRONMENT" | sed -e "s/'/''/g")'
EOF EOF