Update salt to use latest Calico

2016-05-21 09:14:38 -07:00 · 2016-05-21 09:14:38 -07:00 · 35289c7649
parent 19be49124b
commit 35289c7649
15 changed files with 75 additions and 91 deletions
--- a/cluster/aws/config-default.sh
+++ b/cluster/aws/config-default.sh
@ -153,8 +153,5 @@ OPENCONTRAIL_TAG="${OPENCONTRAIL_TAG:-R2.20}"
 OPENCONTRAIL_KUBERNETES_TAG="${OPENCONTRAIL_KUBERNETES_TAG:-master}"
 OPENCONTRAIL_PUBLIC_SUBNET="${OPENCONTRAIL_PUBLIC_SUBNET:-10.1.0.0/16}"

-# Network Policy plugin specific settings
-POLICY_PROVIDER="${POLICY_PROVIDER:-none}" # calico
-
 # Optional: if set to true, kube-up will configure the cluster to run e2e tests.
 E2E_STORAGE_TEST_ENVIRONMENT=${KUBE_E2E_STORAGE_TEST_ENVIRONMENT:-false}
--- a/cluster/aws/templates/configure-vm-aws.sh
+++ b/cluster/aws/templates/configure-vm-aws.sh
@ -91,7 +91,7 @@ EOF
  if [[ ! -z "${KUBELET_APISERVER:-}" ]] && [[ ! -z "${KUBELET_CERT:-}" ]] && [[ ! -z "${KUBELET_KEY:-}" ]]; then
    cat <<EOF >>/etc/salt/minion.d/grains.conf
  kubelet_api_servers: '${KUBELET_APISERVER}'
-  cbr-cidr: 10.123.45.0/29
+  cbr-cidr: 10.123.45.0/30
 EOF
  else
    # If the kubelet is running disconnected from a master, give it a fixed
--- a/cluster/common.sh
+++ b/cluster/common.sh
@ -446,8 +446,19 @@ function yaml-quote {
 # Builds the RUNTIME_CONFIG var from other feature enable options (such as
 # features in alpha)
 function build-runtime-config() {
-  # There is nothing to do here for now. Just using this function as a placeholder.
-  :
+  # If a policy provider is specified, enable NetworkPolicy API.
+  if [[ -n "${NETWORK_POLICY_PROVIDER}" ]]; then
+    appends="extensions/v1beta1=true,extensions/v1beta1/networkpolicies=true"
+  fi
+
+  # Generate the RUNTIME_CONFIG.
+  if [[ -n ${appends} ]]; then
+    if [[ -n ${RUNTIME_CONFIG} ]]; then
+      RUNTIME_CONFIG="${RUNTIME_CONFIG},${appends}"
+    else 
+      RUNTIME_CONFIG="${appends}"
+    fi
+  fi
 }

 # Writes the cluster name into a temporary file.
@ -523,7 +534,7 @@ HAIRPIN_MODE: $(yaml-quote ${HAIRPIN_MODE:-})
 OPENCONTRAIL_TAG: $(yaml-quote ${OPENCONTRAIL_TAG:-})
 OPENCONTRAIL_KUBERNETES_TAG: $(yaml-quote ${OPENCONTRAIL_KUBERNETES_TAG:-})
 OPENCONTRAIL_PUBLIC_SUBNET: $(yaml-quote ${OPENCONTRAIL_PUBLIC_SUBNET:-})
-POLICY_PROVIDER: $(yaml-quote ${POLICY_PROVIDER:-})
+NETWORK_POLICY_PROVIDER: $(yaml-quote ${NETWORK_POLICY_PROVIDER:-})
 E2E_STORAGE_TEST_ENVIRONMENT: $(yaml-quote ${E2E_STORAGE_TEST_ENVIRONMENT:-})
 KUBE_IMAGE_TAG: $(yaml-quote ${KUBE_IMAGE_TAG:-})
 KUBE_DOCKER_REGISTRY: $(yaml-quote ${KUBE_DOCKER_REGISTRY:-})
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@ -132,7 +132,7 @@ OPENCONTRAIL_KUBERNETES_TAG="${OPENCONTRAIL_KUBERNETES_TAG:-master}"
 OPENCONTRAIL_PUBLIC_SUBNET="${OPENCONTRAIL_PUBLIC_SUBNET:-10.1.0.0/16}"

 # Network Policy plugin specific settings.
-POLICY_PROVIDER="${POLICY_PROVIDER:-none}" # calico
+NETWORK_POLICY_PROVIDER="${NETWORK_POLICY_PROVIDER:-none}" # calico

 # How should the kubelet configure hairpin mode?
 HAIRPIN_MODE="${HAIRPIN_MODE:-promiscuous-bridge}" # promiscuous-bridge, hairpin-veth, none
--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
@ -158,6 +158,9 @@ OPENCONTRAIL_TAG="${OPENCONTRAIL_TAG:-R2.20}"
 OPENCONTRAIL_KUBERNETES_TAG="${OPENCONTRAIL_KUBERNETES_TAG:-master}"
 OPENCONTRAIL_PUBLIC_SUBNET="${OPENCONTRAIL_PUBLIC_SUBNET:-10.1.0.0/16}"

+# Network Policy plugin specific settings.
+NETWORK_POLICY_PROVIDER="${NETWORK_POLICY_PROVIDER:-none}" # calico
+
 # How should the kubelet configure hairpin mode?
 HAIRPIN_MODE="${HAIRPIN_MODE:-promiscuous-bridge}" # promiscuous-bridge, hairpin-veth, none

--- a/cluster/gce/configure-vm.sh
+++ b/cluster/gce/configure-vm.sh
@ -445,7 +445,7 @@ hairpin_mode: '$(echo "$HAIRPIN_MODE" | sed -e "s/'/''/g")'
 opencontrail_tag: '$(echo "$OPENCONTRAIL_TAG" | sed -e "s/'/''/g")'
 opencontrail_kubernetes_tag: '$(echo "$OPENCONTRAIL_KUBERNETES_TAG")'
 opencontrail_public_subnet: '$(echo "$OPENCONTRAIL_PUBLIC_SUBNET")'
-policy_provider: '$(echo "$POLICY_PROVIDER" | sed -e "s/'/''/g")'
+network_policy_provider: '$(echo "$NETWORK_POLICY_PROVIDER" | sed -e "s/'/''/g")'
 enable_manifest_url: '$(echo "${ENABLE_MANIFEST_URL:-}" | sed -e "s/'/''/g")'
 manifest_url: '$(echo "${MANIFEST_URL:-}" | sed -e "s/'/''/g")'
 manifest_url_header: '$(echo "${MANIFEST_URL_HEADER:-}" | sed -e "s/'/''/g")'
@ -645,6 +645,7 @@ users:
 clusters:
 - name: local
  cluster:
+    server: https://kubernetes-master
    certificate-authority-data: ${KUBELET_CA_CERT}
 contexts:
 - context:
@ -860,7 +861,7 @@ EOF
  if [[ ! -z "${KUBELET_APISERVER:-}" ]] && [[ ! -z "${KUBELET_CERT:-}" ]] && [[ ! -z "${KUBELET_KEY:-}" ]]; then
    cat <<EOF >>/etc/salt/minion.d/grains.conf
  kubelet_api_servers: '${KUBELET_APISERVER}'
-  cbr-cidr: 10.123.45.0/29
+  cbr-cidr: 10.123.45.0/30
 EOF
  else
    # If the kubelet is running disconnected from a master, give it a fixed
--- a/cluster/saltbase/salt/calico/10-calico.conf
+++ b/cluster/saltbase/salt/calico/10-calico.conf
@ -1,16 +1,16 @@
 {
-    "name": "calico-k8s-network",
+    "name": "k8s-pod-network",
    "type": "calico",
    "etcd_authority": "{{ grains.api_servers }}:6666",
    "log_level": "info",
    "ipam": {
        "type": "host-local",
-        "subnet": "CBR0_CIDR"
+        "subnet": "usePodCidr"
    },
    "policy": {
-        "type": "k8s",
-        "k8s_api_root": "https://{{ grains.api_servers }}:443/api/v1",
-        "k8s_client_certificate": "/path/to/client/cert",
-        "k8s_client_key": "/path/to/client/key"
+        "type": "k8s"
+    },
+    "kubernetes": {
+        "kubeconfig": "/var/lib/kubelet/kubeconfig"
    }
 }
--- a/cluster/saltbase/salt/calico/calico-policy-agent.manifest
+++ b/cluster/saltbase/salt/calico/calico-policy-agent.manifest
@ -1,20 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: calico-policy-agent
-  namespace: calico-system
-  labels:
-    version: latest
-    projectcalico.org/app: "policy-agent"
-spec:
-  hostNetwork: true
-  containers:
-    - name: policycontroller
-      image: caseydavenport/calico-policy-controller:latest
-      env:
-      - name: ETCD_AUTHORITY
-        value: "127.0.0.1:6666"
-      - name: K8S_API
-        value: "http://127.0.0.1:8080"
-      - name: LOG_LEVEL
-        value: "info"
--- a/cluster/saltbase/salt/calico/calico-policy-controller.manifest
+++ b/cluster/saltbase/salt/calico/calico-policy-controller.manifest
@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: calico-policy-controller
+  namespace: kube-system
+  labels:
+    kubernetes.io/cluster-service: "true"
+    k8s-app: calico-policy
+spec:
+  hostNetwork: true
+  containers:
+    - name: policy-controller
+      image: calico/kube-policy-controller:v0.2.0
+      env:
+      - name: ETCD_AUTHORITY
+        value: "127.0.0.1:6666"
+      - name: K8S_API
+        value: "http://127.0.0.1:8080"
+    - name: calico-etcd
+      image: gcr.io/google_containers/etcd:2.2.1
+      command:
+        - /usr/local/bin/etcd
+        - --name=calico
+        - --data-dir=/var/etcd/calico-data
+        - --advertise-client-urls=http://{{ grains.id }}:6666
+        - --listen-client-urls=http://0.0.0.0:6666
+        - --listen-peer-urls=http://0.0.0.0:6667
+        - --initial-advertise-peer-urls=http://{{ grains.id }}:6667
+        - --initial-cluster=calico=http://{{ grains.id }}:6667
+      volumeMounts:
+        - name: varetcd
+          mountPath: /var/etcd
+  volumes:
+    - name: varetcd
+      hostPath:
+        path: /var/calico/etcd
--- a/cluster/saltbase/salt/calico/master.sls
+++ b/cluster/saltbase/salt/calico/master.sls
@ -1,32 +1,9 @@
-{% if pillar.get('policy_provider', '').lower() == 'calico' %}
+{% if pillar.get('network_policy_provider', '').lower() == 'calico' %}

-calicoctl:
+calico-policy-controller:
  file.managed:
-    - name: /usr/bin/calicoctl
-    - source: https://github.com/projectcalico/calico-docker/releases/download/v0.19.0/calicoctl
-    - source_hash: sha256=6db00c94619e82d878d348c4e1791f8d2f0db59075f6c8e430fefae297c54d96
-    - makedirs: True
-    - mode: 744
-
-calico-etcd:
-  cmd.run:
-    - unless: docker ps | grep calico-etcd
-    - name: >
-               docker run --name calico-etcd -d --restart=always -p 6666:6666
-               -v /varetcd:/var/etcd
-               gcr.io/google_containers/etcd:2.2.1
-               /usr/local/bin/etcd --name calico
-               --data-dir /var/etcd/calico-data
-               --advertise-client-urls http://{{ grains.id }}:6666
-               --listen-client-urls http://0.0.0.0:6666
-               --listen-peer-urls http://0.0.0.0:6667
-               --initial-advertise-peer-urls http://{{ grains.id }}:6667
-               --initial-cluster calico=http://{{ grains.id }}:6667
-
-calico-policy-agent:
-  file.managed:
-    - name: /etc/kubernetes/manifests/calico-policy-agent.manifest
-    - source: salt://calico/calico-policy-agent.manifest
+    - name: /etc/kubernetes/manifests/calico-policy-controller.manifest
+    - source: salt://calico/calico-policy-controller.manifest
    - template: jinja
    - user: root
    - group: root
@ -38,6 +15,5 @@ calico-policy-agent:
    - require:
      - service: docker
      - service: kubelet
-      - cmd: calico-etcd

 {% endif -%}
--- a/cluster/saltbase/salt/calico/node.sls
+++ b/cluster/saltbase/salt/calico/node.sls
@ -1,4 +1,4 @@
-{% if pillar.get('policy_provider', '').lower() == 'calico' %}
+{% if pillar.get('network_policy_provider', '').lower() == 'calico' %}

 calicoctl:
  file.managed:
@ -24,8 +24,8 @@ calico-node:
 calico-cni:
  file.managed:
    - name: /opt/cni/bin/calico
-    - source: https://github.com/projectcalico/calico-cni/releases/download/v1.3.0/calico
-    - source_hash: sha256=2f65616cfca7d7b8967a62f179508d30278bcc72cef9d122ce4a5f6689fc6577
+    - source: https://github.com/projectcalico/calico-cni/releases/download/v1.3.1/calico 
+    - source_hash: sha256=ac05cb9254b5aaa5822cf10325983431bd25489147f2edf9dec7e43d99c43e77
    - makedirs: True
    - mode: 744

@ -37,22 +37,6 @@ calico-cni-config:
    - mode: 644
    - template: jinja

-calico-update-cbr0:
-  cmd.run:
-    - name: sed -i "s#CBR0_CIDR#$(ip addr list cbr0 | grep -o 'inet [^ ]*' | awk '{print $2}')#" /etc/cni/net.d/10-calico.conf
-    - require:
-      - file: calico-cni
-      - file: calico-cni-config
-      - cmd: calico-node
-      - service: kubelet
-      - service: docker
-
-calico-restart-kubelet:
-  cmd.run:
-    - name: service kubelet restart
-    - require:
-      - cmd: calico-update-cbr0
-
 ip6_tables:
  kmod.present

--- a/cluster/saltbase/salt/kubelet/default
+++ b/cluster/saltbase/salt/kubelet/default
@ -151,7 +151,7 @@
  {% set network_plugin = "--network-plugin=opencontrail" %}
 {% elif pillar.get('network_provider', '').lower() == 'cni' %}
  {% set network_plugin = "--network-plugin=cni --network-plugin-dir=/etc/cni/net.d/" %}
-{%elif pillar.get('policy_provider', '').lower() == 'calico' and grains['roles'][0] != 'kubernetes-master' -%}
+{%elif pillar.get('network_policy_provider', '').lower() == 'calico' and grains['roles'][0] != 'kubernetes-master' -%}
  {% set network_plugin = "--network-plugin=cni --network-plugin-dir=/etc/cni/net.d/" %}
 {% elif pillar.get('network_provider', '').lower() == 'kubenet' %}
  {% set network_plugin = "--network-plugin=kubenet" -%}
--- a/cluster/saltbase/salt/top.sls
+++ b/cluster/saltbase/salt/top.sls
@ -16,7 +16,7 @@ base:
 {% if pillar.get('network_provider', '').lower() == 'flannel' %}
    - flannel
 {% endif %}
-{% if pillar.get('policy_provider', '').lower() == 'calico' %}
+{% if pillar.get('network_policy_provider', '').lower() == 'calico' %}
    - cni
 {% elif pillar.get('network_provider', '').lower() == 'kubenet' %}
    - cni
@ -47,7 +47,7 @@ base:
 {% endif %}
    - logrotate
    - supervisor
-{% if pillar.get('policy_provider', '').lower() == 'calico' %}
+{% if pillar.get('network_policy_provider', '').lower() == 'calico' %}
    - calico.node
 {% endif %}

@ -94,6 +94,6 @@ base:
 {% if pillar.get('enable_node_autoscaler', '').lower() == 'true' %}
    - cluster-autoscaler
 {% endif %}
-{% if pillar.get('policy_provider', '').lower() == 'calico' %}
+{% if pillar.get('network_policy_provider', '').lower() == 'calico' %}
    - calico.master
 {% endif %}
--- a/cluster/vagrant/config-default.sh
+++ b/cluster/vagrant/config-default.sh
@ -110,9 +110,6 @@ OPENCONTRAIL_TAG="${OPENCONTRAIL_TAG:-R2.20}"
 OPENCONTRAIL_KUBERNETES_TAG="${OPENCONTRAIL_KUBERNETES_TAG:-master}"
 OPENCONTRAIL_PUBLIC_SUBNET="${OPENCONTRAIL_PUBLIC_SUBNET:-10.1.0.0/16}"

-# Network Policy plugin specific settings
-POLICY_PROVIDER="${POLICY_PROVIDER:-none}" # calico
-
 # Optional: if set to true, kube-up will configure the cluster to run e2e tests.
 E2E_STORAGE_TEST_ENVIRONMENT=${KUBE_E2E_STORAGE_TEST_ENVIRONMENT:-false}

--- a/cluster/vagrant/provision-utils.sh
+++ b/cluster/vagrant/provision-utils.sh
@ -67,7 +67,6 @@ cluster_cidr: '$(echo "$CLUSTER_IP_RANGE" | sed -e "s/'/''/g")'
 opencontrail_tag: '$(echo "$OPENCONTRAIL_TAG" | sed -e "s/'/''/g")'
 opencontrail_kubernetes_tag: '$(echo "$OPENCONTRAIL_KUBERNETES_TAG" | sed -e "s/'/''/g")'
 opencontrail_public_subnet: '$(echo "$OPENCONTRAIL_PUBLIC_SUBNET" | sed -e "s/'/''/g")'
-policy_provider: '$(echo "$POLICY_PROVIDER" | sed -e "s/'/''/g")'
 e2e_storage_test_environment: '$(echo "$E2E_STORAGE_TEST_ENVIRONMENT" | sed -e "s/'/''/g")'
 EOF