25 files changed, 700 insertions, 21 deletions
diff --git a/ansible/inventory/hosts.yml b/ansible/inventory/hosts.yml index a29072c5..37ae4e39 100644 --- a/ansible/inventory/hosts.yml +++ b/ansible/inventory/hosts.yml @@ -31,6 +31,15 @@ all: #ip of the node that it uses for communication with k8s cluster. cluster_ip: 10.8.8.19 + # This is a group of hosts that are to be used as kubernetes control plane nodes. + # This means they host kubernetes api server, controller manager and scheduler. + # This example uses infra for this purpose, however note that any + # other host could be used including kubernetes nodes. + # cluster_ip needs to be set for hosts used as control planes. + kubernetes-control-plane: + hosts: + infrastructure-server + nfs-server: hosts: kubernetes-node-1 diff --git a/ansible/rke.yml b/ansible/rke.yml new file mode 100644 index 00000000..e0d6dcf1 --- /dev/null +++ b/ansible/rke.yml @@ -0,0 +1,28 @@ +--- +- name: Gather facts for all hosts + hosts: all + +- name: Configure kubernetes cluster (RKE) + hosts: infrastructure + roles: + - role: rke + vars: + mode: config + +- name: Prepare kubernetes nodes (RKE) + hosts: + - kubernetes + - kubernetes-control-plane + roles: + - role: rke + vars: + mode: node + +- name: Deploy kubernetes cluster (RKE) + hosts: infrastructure + roles: + - role: rke + vars: + mode: deploy + - kubectl + - helm diff --git a/ansible/roles/application/.gitignore b/ansible/roles/application/.gitignore new file mode 100644 index 00000000..155cbb20 --- /dev/null +++ b/ansible/roles/application/.gitignore @@ -0,0 +1 @@ +application/ diff --git a/ansible/roles/application/.yamllint b/ansible/roles/application/.yamllint new file mode 100644 index 00000000..ad0be760 --- /dev/null +++ b/ansible/roles/application/.yamllint @@ -0,0 +1,11 @@ +extends: default + +rules: + braces: + max-spaces-inside: 1 + level: error + brackets: + max-spaces-inside: 1 + level: error + line-length: disable + truthy: disable 
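Review bot: The new `kubernetes-control-plane` group lists `infrastructure-server` under `hosts:` without a trailing colon, so `hosts` is the scalar string `infrastructure-server` rather than a mapping, which current Ansible's YAML inventory plugin rejects ("requires a dictionary"); the existing `nfs-server` group shows the same shape, so this may be how the file is already written and tolerated, but `infrastructure-server:` is the documented form. The added comment says `cluster_ip` must be set for control-plane hosts, yet nothing in this hunk sets it for `infrastructure-server`, and cluster.yml.j2 in this change renders `hostvars[node].cluster_ip` for every node in this group — a missing value becomes an empty `address:`. If the value lives in host_vars outside this diff, a comment pointing there would save the next reader a search.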
diff --git a/ansible/roles/application/molecule/default/Dockerfile.j2 b/ansible/roles/application/molecule/default/Dockerfile.j2 new file mode 100644 index 00000000..e6aa95d3 --- /dev/null +++ b/ansible/roles/application/molecule/default/Dockerfile.j2 @@ -0,0 +1,14 @@ +# Molecule managed + +{% if item.registry is defined %} +FROM {{ item.registry.url }}/{{ item.image }} +{% else %} +FROM {{ item.image }} +{% endif %} + +RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \ + elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash && dnf clean all; \ + elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ + elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml && zypper clean -a; \ + elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \ + elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates && xbps-remove -O; fi diff --git a/ansible/roles/application/molecule/default/molecule.yml b/ansible/roles/application/molecule/default/molecule.yml new file mode 100644 index 00000000..8f19d7ff --- /dev/null +++ b/ansible/roles/application/molecule/default/molecule.yml 
@@ -0,0 +1,60 @@ +--- +dependency: + name: galaxy +driver: + name: docker +lint: + name: yamllint +platforms: + - name: instance + image: centos:7 +provisioner: + name: ansible + env: + ANSIBLE_ROLES_PATH: ../../../../test/roles + inventory: + group_vars: + all: + app_name: moleculetestapp + app_data_path: "/opt/{{ app_name }}" + app_helm_release_name: "{{ app_name }}" + app_kubernetes_namespace: "{{ app_name }}" + app_helm_charts_install_directory: application/helm_charts + app_helm_plugins_directory: "{{ app_helm_charts_install_directory}}/helm/plugins/" + app_helm_charts_infra_directory: "{{ app_data_path }}/helm_charts" + helm_bin_dir: /usr/local/bin + app_helm_build_targets: + - all + - onap + app_helm_chart_name: "{{ app_name }}" + application_pre_install_role: + application_post_install_role: + lint: + name: ansible-lint +scenario: + name: default + test_sequence: + - lint + - cleanup + - destroy + - dependency + - syntax + - create + - prepare + - converge + # - idempotence + # --> Action: 'idempotence' + # ERROR: Idempotence test failed because of the following tasks: + # * [instance] => application : Get helm dir + # * [instance] => application : Helm init and upgrade + # * [instance] => application : Helm Serve + # * [instance] => application : Helm Add Repo + # * [instance] => application : Helm Install application moleculetestapp + - side_effect + - verify + - cleanup + - destroy +verifier: + name: testinfra + lint: + name: flake8 diff --git a/ansible/roles/application/molecule/default/playbook.yml b/ansible/roles/application/molecule/default/playbook.yml new file mode 100644 index 00000000..4121f124 --- /dev/null +++ b/ansible/roles/application/molecule/default/playbook.yml @@ -0,0 +1,5 @@ +--- +- name: Helm charts available + hosts: all + roles: + - application diff --git a/ansible/roles/application/molecule/default/prepare.yml b/ansible/roles/application/molecule/default/prepare.yml new file mode 100644 index 00000000..8a5288dd --- /dev/null 
+++ b/ansible/roles/application/molecule/default/prepare.yml @@ -0,0 +1,5 @@ +--- +- name: Prepare infra + hosts: all + roles: + - prepare-application diff --git a/ansible/roles/application/molecule/default/tests/test_default.py b/ansible/roles/application/molecule/default/tests/test_default.py new file mode 100644 index 00000000..3e0cbb42 --- /dev/null +++ b/ansible/roles/application/molecule/default/tests/test_default.py @@ -0,0 +1,29 @@ +import os + +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all') + + +def test_helm_commands(host): + fc = host.file('/tmp/helm_simu_output').content_string + expected_content = """home +init --upgrade --skip-refresh +version --tiller-connection-timeout 10 +repo list +serve +repo list +repo add local http://127.0.0.1:8879 +install --name moleculetestapp local/moleculetestapp --namespace \ +moleculetestapp -f /opt/moleculetestapp/override.yaml""" + assert fc == expected_content + + +def test_helm_override_file(host): + fc = host.file('/opt/moleculetestapp/override.yaml').content_string + expected_content = """global: + cacert: 'this is dummy server certificate value + + '""" + assert fc == expected_content diff --git a/ansible/roles/application/tasks/install.yml b/ansible/roles/application/tasks/install.yml index 103ecc8b..cdc7ced0 100644 --- a/ansible/roles/application/tasks/install.yml +++ b/ansible/roles/application/tasks/install.yml @@ -4,7 +4,7 @@ {{ helm_bin_dir }}/helm init --upgrade --skip-refresh - changed_when: true # init is always changed type of action + changed_when: true # init is always changed type of action # A correct way to implement this would be using --wait option in helm init invocation. # However, it does not work due to https://github.com/helm/helm/issues/4031 (fixed in newer helm release) 
@@ -14,29 +14,29 @@ until: result.rc == 0 delay: 10 retries: 12 - changed_when: false # for idempotency + changed_when: false # for idempotency - name: Get all helm repos command: "{{ helm_bin_dir }}/helm repo list" register: repos - changed_when: false # for idempotency + changed_when: false # for idempotency - name: Remove stable repo command: "{{ helm_bin_dir }}/helm repo remove stable" - changed_when: true # when executed its a changed type of action + changed_when: true # when executed its a changed type of action when: "'stable' in repos.stdout" - name: Helm Serve shell: "{{ helm_bin_dir }}/helm serve &" async: 45 - poll: 3 # wait 3sec to get a chance for some stderr + poll: 3 # wait 3sec to get a chance for some stderr register: helm_serve changed_when: "'address already in use' not in helm_serve.stderr" - name: List helm repos command: "{{ helm_bin_dir }}/helm repo list" register: helm_repo_list - changed_when: false # for idempotency + changed_when: false # for idempotency failed_when: - helm_repo_list.rc > 0 - "'Error: no repositories to show' not in helm_repo_list.stderr" @@ -44,7 +44,7 @@ - name: Helm Add Repo command: "{{ helm_bin_dir }}/helm repo add {{ helm_repository_name | mandatory }} {{ helm_repository_url | mandatory }}" when: "'local' not in helm_repo_list.stdout" - changed_when: true # when executed its a changed type of action + changed_when: true # when executed its a changed type of action - name: Build local helm repository make: @@ -72,6 +72,6 @@ {{ helm_repository_name }}/{{ app_helm_chart_name }} --namespace {{ app_kubernetes_namespace }} {{ '' if app_skip_helm_override else '-f ' + app_helm_override_file }} - changed_when: true # when executed its a changed type of action + changed_when: true # when executed its a changed type of action register: helm_install failed_when: helm_install.stderr diff --git a/ansible/roles/kubectl/defaults/main.yml b/ansible/roles/kubectl/defaults/main.yml index 78c15c75..b922fb58 100644 
--- a/ansible/roles/kubectl/defaults/main.yml +++ b/ansible/roles/kubectl/defaults/main.yml @@ -1,5 +1,2 @@ --- kubectl_bin_dir: /usr/local/bin -kube_directory: ~/.kube -# Defaulting to rancher setup -kube_server: "https://{{ ansible_host }}:8080/r/projects/{{ k8s_env_id | mandatory }}/kubernetes:6443"
\ No newline at end of file diff --git a/ansible/roles/kubectl/tasks/main.yml b/ansible/roles/kubectl/tasks/main.yml index 9ecb5c44..7c77c3c5 100644 --- a/ansible/roles/kubectl/tasks/main.yml +++ b/ansible/roles/kubectl/tasks/main.yml @@ -5,13 +5,3 @@ dest: "{{ kubectl_bin_dir }}/kubectl" remote_src: true mode: 0755 - -- name: Ensure .kube directory exists - file: - path: "{{ kube_directory }}" - state: directory - -- name: Create kube config - template: - src: kube_config.j2 - dest: "{{ kube_directory }}/config" diff --git a/ansible/roles/rancher/defaults/main.yml b/ansible/roles/rancher/defaults/main.yml index 6d354e6e..e4e12d23 100644 --- a/ansible/roles/rancher/defaults/main.yml +++ b/ansible/roles/rancher/defaults/main.yml @@ -4,6 +4,8 @@ rancher_remove_other_env: true rancher_redeploy_k8s_env: true rancher_cluster_health_state: healthy rancher_cluster_health_check_retries: 30 +kube_directory: ~/.kube +kube_server: "https://{{ ansible_host }}:8080/r/projects/{{ k8s_env_id | mandatory }}/kubernetes:6443" rancher: # The following variables can be set via the UI under advanced/settings. # All of these affect tables in the cattle db and are uninteresting diff --git a/ansible/roles/rancher/tasks/rancher_server.yml b/ansible/roles/rancher/tasks/rancher_server.yml index a0893b0b..f467ff3f 100644 --- a/ansible/roles/rancher/tasks/rancher_server.yml +++ b/ansible/roles/rancher/tasks/rancher_server.yml @@ -93,3 +93,13 @@ data: option: audit_log.purge.after.seconds value: "{{ rancher.audit_log_purge_after_seconds }}" + +- name: Ensure .kube directory exists + file: + path: "{{ kube_directory }}" + state: directory + +- name: Create kube config + template: + src: kube_config.j2 + dest: "{{ kube_directory }}/config" diff --git a/ansible/roles/kubectl/templates/kube_config.j2 b/ansible/roles/rancher/templates/kube_config.j2 index 586c59d4..586c59d4 100644 --- a/ansible/roles/kubectl/templates/kube_config.j2 +++ b/ansible/roles/rancher/templates/kube_config.j2 
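Review bot: The `Create kube config` task appended to rancher_server.yml writes `{{ kube_directory }}/config` with no `mode`, so the kubeconfig inherits the remote umask (typically 0644) even though it is a credential file; add `mode: "0600"` to the template task and `mode: "0700"` to the preceding `Ensure .kube directory exists` task. These two tasks are moved verbatim from the kubectl role, so the exposure is not new, but the move is the natural moment to tighten it. The template body (kube_config.j2) is only renamed in this diff, so which credential it embeds cannot be confirmed from here.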
diff --git a/ansible/roles/rke/defaults/main.yml b/ansible/roles/rke/defaults/main.yml new file mode 100644 index 00000000..88216857 --- /dev/null +++ b/ansible/roles/rke/defaults/main.yml @@ -0,0 +1,37 @@ +--- +rke_binary: rke +rke_username: rke +rke_bin_dir: /usr/local/bin +kube_config_dir: "{{ ansible_env.HOME }}/.kube" +cluster_config_dir: "{{ app_data_path }}/cluster" +# Whether dashboard is exposed. +rke_dashboard_exposed: true +rke: + # rke (rancher) images + etcd: rancher/coreos-etcd:v3.2.24-rancher1 + alpine: rancher/rke-tools:v0.1.27 + nginx_proxy: rancher/rke-tools:v0.1.27 + cert_downloader: rancher/rke-tools:v0.1.27 + kubernetes_services_sidecar: rancher/rke-tools:v0.1.27 + kubedns: rancher/k8s-dns-kube-dns:1.15.0 + dnsmasq: rancher/k8s-dns-dnsmasq-nanny:1.15.0 + kubedns_sidecar: rancher/k8s-dns-sidecar:1.15.0 + kubedns_autoscaler: rancher/cluster-proportional-autoscaler:1.0.0 + coredns: coredns/coredns:1.2.6 + coredns_autoscaler: rancher/cluster-proportional-autoscaler:1.0.0 + kubernetes: rancher/hyperkube:v1.13.5-rancher1 + flannel: rancher/coreos-flannel:v0.10.0-rancher1 + flannel_cni: rancher/flannel-cni:v0.3.0-rancher1 + calico_node: rancher/calico-node:v3.4.0 + calico_cni: rancher/calico-cni:v3.4.0 + calico_controllers: "" + calico_ctl: rancher/calico-ctl:v2.0.0 + canal_node: rancher/calico-node:v3.4.0 + canal_cni: rancher/calico-cni:v3.4.0 + canal_flannel: rancher/coreos-flannel:v0.10.0 + weave_node: weaveworks/weave-kube:2.5.0 + weave_cni: weaveworks/weave-npc:2.5.0 + pod_infra_container: rancher/pause:3.1 + ingress: rancher/nginx-ingress-controller:0.21.0-rancher3 + ingress_backend: rancher/nginx-ingress-controller-defaultbackend:1.4-rancher1 + metrics_server: rancher/metrics-server:v0.3.1 diff --git a/ansible/roles/rke/tasks/main.yml b/ansible/roles/rke/tasks/main.yml new file mode 100644 index 00000000..2f832973 --- /dev/null +++ b/ansible/roles/rke/tasks/main.yml @@ -0,0 +1,2 @@ +--- +- include_tasks: "rke_{{ mode }}.yml" 
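Review bot: `rke_dashboard_exposed: true` as the role default means a stock run publishes the Kubernetes dashboard as a NodePort service on every node (the `{% if rke_dashboard_exposed %}` block in kubernetes-dashboard.yaml.j2 of this same change), while the cluster template sets `authorization: mode: none`; a safer default is `rke_dashboard_exposed: false` with the comment expanded to say what turning it on exposes. Every image under `rke:` is pinned by mutable tag rather than `@sha256:` digest, so a registry-side retag silently changes what `rke up` runs — worth a comment stating that trade-off, or digests where the offline registry supports them. `kube_config_dir` derives from `ansible_env.HOME`, which only exists when facts were gathered for the infrastructure host; rke.yml's first play does that, so this only bites if the role is reused from another playbook.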
diff --git a/ansible/roles/rke/tasks/rke_config.yml b/ansible/roles/rke/tasks/rke_config.yml new file mode 100644 index 00000000..4112e107 --- /dev/null +++ b/ansible/roles/rke/tasks/rke_config.yml @@ -0,0 +1,56 @@ +--- +- name: "Ensure the .ssh directory exists" + file: + path: "{{ ansible_env.HOME }}/.ssh" + mode: 0700 + state: directory + +- name: Add kubernetes nodes host keys to known_hosts file + known_hosts: + name: "{{ hostvars[item].cluster_ip }}" + key: "{{ hostvars[item].cluster_ip }} ssh-rsa {{ hostvars[item].ansible_ssh_host_key_rsa_public }}" + hash_host: true + state: present + loop: "{{ groups['kubernetes'] }}" + +- name: "Ensure {{ cluster_config_dir }} is present" + file: + path: "{{ cluster_config_dir }}" + state: directory + mode: 0755 + +- name: Generate cluster wide ssh key pair + command: "ssh-keygen -q -b 4096 -t rsa -N '' -f {{ cluster_config_dir }}/cluster_key" + args: + creates: "{{ cluster_config_dir }}/cluster_key" + +- name: Get ssh public key + slurp: + src: "{{ cluster_config_dir }}/cluster_key.pub" + register: cluster_public_key_out + +- name: Decode ssh public key + set_fact: + cluster_public_key: "{{ cluster_public_key_out.content | b64decode }}" + +- name: Prepare rke cluster.yml + template: + src: cluster.yml.j2 + dest: "{{ cluster_config_dir }}/cluster.yml" + +- name: Prepare rke addon manifest (dashboard) + template: + src: kubernetes-dashboard.yaml.j2 + dest: "{{ cluster_config_dir }}/kubernetes-dashboard.yml" + +- name: Prepare rke addon manifest (dashboard user) + template: + src: k8s-dashboard-user.yml.j2 + dest: "{{ cluster_config_dir }}/k8s-dashboard-user.yml" + +- name: Install rke cli tool + copy: + src: "{{ app_data_path }}/downloads/{{ rke_binary }}" + dest: "{{ rke_bin_dir }}/rke" + remote_src: true + mode: 0755 diff --git a/ansible/roles/rke/tasks/rke_deploy.yml b/ansible/roles/rke/tasks/rke_deploy.yml new file mode 100644 index 00000000..9983d08a --- /dev/null +++ b/ansible/roles/rke/tasks/rke_deploy.yml 
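Review bot: The `Add kubernetes nodes host keys to known_hosts file` task loops only over `groups['kubernetes']`, whereas cluster.yml.j2 in this change builds the node list from `groups['kubernetes'] | union(groups['kubernetes-control-plane'])`, so a control-plane-only host never receives a known_hosts entry; use the same union in `loop:`. Whether rke consults `~/.ssh/known_hosts` at all is not established by this diff, so a comment stating what the task is meant to protect would help the next reader judge it. Separately, `cluster_config_dir` is created `mode: 0755` and goes on to hold `cluster_key` (generated with `-N ''`, i.e. no passphrase) plus the admin kubeconfig that `rke up` writes there; `mode: "0700"` is the right permission for that directory, and quoting the octal mode avoids YAML reading it as a decimal integer.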
@@ -0,0 +1,17 @@ +--- +- name: Run rke up + command: "{{ rke_bin_dir }}/rke up --config cluster.yml" + args: + chdir: "{{ cluster_config_dir }}" + +- name: Ensure .kube directory is present + file: + path: "{{ kube_config_dir }}" + state: directory + +- name: Setup kubeconfig + copy: + src: "{{ cluster_config_dir }}/kube_config_cluster.yml" + dest: "{{ kube_config_dir }}/config" + remote_src: true + mode: 0755 diff --git a/ansible/roles/rke/tasks/rke_node.yml b/ansible/roles/rke/tasks/rke_node.yml new file mode 100644 index 00000000..9ec9f073 --- /dev/null +++ b/ansible/roles/rke/tasks/rke_node.yml @@ -0,0 +1,11 @@ +--- +- name: Create a rke user on the node + user: + name: "{{ rke_username }}" + groups: docker + password_lock: yes + +- name: Distribute rke user ssh public key + authorized_key: + user: "{{ rke_username }}" + key: "{{ hostvars[groups['infrastructure'][0]].cluster_public_key }}" diff --git a/ansible/roles/rke/templates/cluster.yml.j2 b/ansible/roles/rke/templates/cluster.yml.j2 new file mode 100644 index 00000000..64508e6f --- /dev/null +++ b/ansible/roles/rke/templates/cluster.yml.j2 
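Review bot: The `Setup kubeconfig` task copies `kube_config_cluster.yml` to `{{ kube_config_dir }}/config` with `mode: 0755`, which makes a cluster-admin kubeconfig world-readable (and needlessly executable); it should be `mode: "0600"`, and the `Ensure .kube directory is present` task should set `mode: "0700"`. The source copy stays behind in `cluster_config_dir`, so tightening only the destination does not remove the exposure on its own. `Run rke up` has no `changed_when` or `creates`, so every play run re-executes it — probably intended for an installer, but a one-line comment saying so would preempt the question.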
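Review bot: The `rke` user created in rke_node.yml is placed in the `docker` group, which on a Docker host is root-equivalent, and its only credential is the passphrase-less `cluster_key` from rke_config.yml; that is what RKE needs, but it deserves a comment on the `groups: docker` line such as `# docker group is root-equivalent; node access is gated solely by cluster_key on the infra host`. `password_lock: yes` should be `password_lock: true` to match the other booleans in this change (`hash_host: true`, `remote_src: true`). Without `append: true` the task would also strip supplementary groups from a pre-existing account, which only matters if `rke_username` is ever pointed at one.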
@@ -0,0 +1,147 @@ +nodes: +{# Note that we iterate through all nodes in relevant groups. +We check which groups they belong to exactly later to determine roles. #} +{% for node in groups['kubernetes'] | union(groups['kubernetes-control-plane']) %} +- address: "{{ hostvars[node].cluster_ip }}" + port: "22" + internal_address: "{{ hostvars[node].cluster_ip }}" + role: +{% if node in groups['kubernetes-control-plane'] %} + - controlplane +{% endif %} +{% if node in groups['kubernetes'] %} + - worker + - etcd +{% endif %} + hostname_override: "" + user: "{{ rke_username }}" + docker_socket: /var/run/docker.sock + ssh_key: "" + ssh_key_path: "{{ cluster_config_dir }}/cluster_key" + ssh_cert: "" + ssh_cert_path: "" + labels: {} +{% endfor %} +services: + etcd: + image: "" + extra_args: {} + extra_binds: [] + extra_env: [] + external_urls: [] + ca_cert: "" + cert: "" + key: "" + path: "" + snapshot: null + retention: "" + creation: "" + backup_config: null + kube-api: + image: "" + extra_args: {} + extra_binds: [] + extra_env: [] + service_cluster_ip_range: 10.43.0.0/16 + service_node_port_range: "" + pod_security_policy: false + always_pull_images: false + kube-controller: + image: "" + extra_args: {} + extra_binds: [] + extra_env: [] + cluster_cidr: 10.42.0.0/16 + service_cluster_ip_range: 10.43.0.0/16 + scheduler: + image: "" + extra_args: {} + extra_binds: [] + extra_env: [] + kubelet: + image: "" + extra_args: {} + extra_binds: [] + extra_env: [] + cluster_domain: cluster.local + infra_container_image: "" + cluster_dns_server: 10.43.0.10 + fail_swap_on: false + kubeproxy: + image: "" + extra_args: {} + extra_binds: [] + extra_env: [] +network: + plugin: canal + options: {} +authentication: + strategy: x509 + sans: [] + webhook: null +addons: "" +addons_include: +- "{{ cluster_config_dir }}/kubernetes-dashboard.yml" +- "{{ cluster_config_dir }}/k8s-dashboard-user.yml" +system_images: + etcd: "{{ rke.etcd }}" + alpine: "{{ rke.alpine }}" + nginx_proxy: "{{ 
rke.nginx_proxy }}" + cert_downloader: "{{ rke.cert_downloader }}" + kubernetes_services_sidecar: "{{ rke.kubernetes_services_sidecar }}" + kubedns: "{{ rke.kubedns }}" + dnsmasq: "{{ rke.dnsmasq }}" + kubedns_sidecar: "{{ rke.kubedns_sidecar }}" + kubedns_autoscaler: "{{ rke.kubedns_autoscaler }}" + coredns: "{{ rke.coredns }}" + coredns_autoscaler: "{{ rke.coredns_autoscaler }}" + kubernetes: "{{ rke.kubernetes }}" + flannel: "{{ rke.flannel }}" + flannel_cni: "{{ rke.flannel_cni }}" + calico_node: "{{ rke.calico_node }}" + calico_cni: "{{ rke.calico_cni }}" + calico_controllers: "" + calico_ctl: "{{ rke.calico_ctl }}" + canal_node: "{{ rke.canal_node }}" + canal_cni: "{{ rke.canal_cni }}" + canal_flannel: "{{ rke.canal_flannel }}" + weave_node: "{{ rke.weave_node }}" + weave_cni: "{{ rke.weave_cni }}" + pod_infra_container: "{{ rke.pod_infra_container }}" + ingress: "{{ rke.ingress }}" + ingress_backend: "{{ rke.ingress_backend }}" + metrics_server: "{{ rke.metrics_server }}" +ssh_key_path: "{{ cluster_config_dir }}/cluster_key" +ssh_cert_path: "" +ssh_agent_auth: false +authorization: + mode: none + options: {} +ignore_docker_version: false +kubernetes_version: "" +private_registries: [] +ingress: + provider: "" + options: {} + node_selector: {} + extra_args: {} +cluster_name: "" +cloud_provider: + name: "" +prefix_path: "" +addon_job_timeout: 0 +bastion_host: + address: "" + port: "" + user: "" + ssh_key: "" + ssh_key_path: "" + ssh_cert: "" + ssh_cert_path: "" +monitoring: + provider: "" + options: {} +restore: + restore: false + snapshot_name: "" +dns: null diff --git a/ansible/roles/rke/templates/k8s-dashboard-user.yml.j2 b/ansible/roles/rke/templates/k8s-dashboard-user.yml.j2 new file mode 100644 index 00000000..9031553c --- /dev/null +++ b/ansible/roles/rke/templates/k8s-dashboard-user.yml.j2 
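Review bot: `authorization: mode: none` in the rendered cluster.yml disables RBAC for the entire cluster, so every authenticated identity — including each pod's service-account token — gets unrestricted API access, and the Role/RoleBinding/ClusterRoleBinding objects shipped as addons in this same change become decorative; it should be `mode: rbac`. `pod_security_policy: false` and `always_pull_images: false` are likewise the permissive settings; if they are deliberate for an offline installer, a comment on each saying so is warranted. `sans: []` means the API server certificate carries only the names RKE derives from the node list, so any external hostname used to reach the API must be added there. A host present in both `kubernetes` and `kubernetes-control-plane` gets all three of `controlplane`, `worker` and `etcd`, which looks intended but merits a comment beside the role block.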
@@ -0,0 +1,19 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: admin-user + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: admin-user +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: admin-user + namespace: kube-system
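Review bot: `admin-user` is a ServiceAccount bound to `cluster-admin` and is installed as an unconditional RKE addon, so a long-lived cluster-admin bearer token sits in kube-system solely for dashboard login; together with `rke_dashboard_exposed: true` and the NodePort Service in this change, anyone who can read that secret or reach the node port has full control of the cluster. Consider scoping the binding to what the operator actually needs, or rendering this manifest only when `rke_dashboard_exposed` is true, and add a comment on the `cluster-admin` line explaining why that level is required. Use `apiVersion: rbac.authorization.k8s.io/v1` here as the dashboard manifest in this change already does, rather than `v1beta1`.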
\ No newline at end of file diff --git a/ansible/roles/rke/templates/kubernetes-dashboard.yaml.j2 b/ansible/roles/rke/templates/kubernetes-dashboard.yaml.j2 new file mode 100644 index 00000000..4458628a --- /dev/null +++ b/ansible/roles/rke/templates/kubernetes-dashboard.yaml.j2 
@@ -0,0 +1,178 @@ +# Copyright 2017 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# ------------------- Dashboard Secrets ------------------- # + +apiVersion: v1 +kind: Secret +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard-certs + namespace: kube-system +type: Opaque + +--- + +apiVersion: v1 +kind: Secret +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard-csrf + namespace: kube-system +type: Opaque +data: + csrf: "" + +--- +# ------------------- Dashboard Service Account ------------------- # + +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kube-system + +--- +# ------------------- Dashboard Role & Role Binding ------------------- # + +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kubernetes-dashboard-minimal + namespace: kube-system +rules: + # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret. +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create"] + # Allow Dashboard to create 'kubernetes-dashboard-settings' config map. +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["create"] + # Allow Dashboard to get, update and delete Dashboard exclusive secrets. 
+- apiGroups: [""] + resources: ["secrets"] + resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"] + verbs: ["get", "update", "delete"] + # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. +- apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["kubernetes-dashboard-settings"] + verbs: ["get", "update"] + # Allow Dashboard to get metrics from heapster. +- apiGroups: [""] + resources: ["services"] + resourceNames: ["heapster"] + verbs: ["proxy"] +- apiGroups: [""] + resources: ["services/proxy"] + resourceNames: ["heapster", "http:heapster:", "https:heapster:"] + verbs: ["get"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: kubernetes-dashboard-minimal + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kubernetes-dashboard-minimal +subjects: +- kind: ServiceAccount + name: kubernetes-dashboard + namespace: kube-system + +--- +# ------------------- Dashboard Deployment ------------------- # + +kind: Deployment +apiVersion: apps/v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kube-system +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + k8s-app: kubernetes-dashboard + template: + metadata: + labels: + k8s-app: kubernetes-dashboard + spec: + containers: + - name: kubernetes-dashboard + image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1 + ports: + - containerPort: 8443 + protocol: TCP + args: + - --auto-generate-certificates + # Uncomment the following line to manually specify Kubernetes API server Host + # If not specified, Dashboard will attempt to auto discover the API server and connect + # to it. Uncomment only if the default does not work. 
+ # - --apiserver-host=http://my-address:port + volumeMounts: + - name: kubernetes-dashboard-certs + mountPath: /certs + # Create on-disk volume to store exec logs + - mountPath: /tmp + name: tmp-volume + livenessProbe: + httpGet: + scheme: HTTPS + path: / + port: 8443 + initialDelaySeconds: 30 + timeoutSeconds: 30 + volumes: + - name: kubernetes-dashboard-certs + secret: + secretName: kubernetes-dashboard-certs + - name: tmp-volume + emptyDir: {} + serviceAccountName: kubernetes-dashboard + # Comment the following tolerations if Dashboard must not be deployed on master + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + +--- +# ------------------- Dashboard Service ------------------- # + +kind: Service +apiVersion: v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kube-system +spec: + ports: + - port: 443 + targetPort: 8443 + selector: + k8s-app: kubernetes-dashboard +{% if rke_dashboard_exposed %} + type: NodePort +{% endif %} diff --git a/ansible/test/roles/prepare-application/defaults/main.yml b/ansible/test/roles/prepare-application/defaults/main.yml new file mode 100644 index 00000000..227bd4f0 --- /dev/null +++ b/ansible/test/roles/prepare-application/defaults/main.yml @@ -0,0 +1,4 @@ +--- +simulate_helm: true +app_helm_charts_install_directory: application/helm_charts +helm_simulation_output_file: /tmp/helm_simu_output
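Review bot: The `{% if rke_dashboard_exposed %} type: NodePort {% endif %}` at the end of the Service publishes the dashboard on a random high port of every node, protected only by the self-signed certificate from `--auto-generate-certificates`, and with `authorization: mode: none` in the cluster template of this change the login token's RBAC scope imposes no limit. If exposure is required, pin the port with `nodePort:` so it can be firewalled, and put a comment next to the template condition stating that this is for lab use. The rest of the file mirrors the upstream v1.10.1 recommended manifest and I have no comment on the Role rules.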
\ No newline at end of file diff --git a/ansible/test/roles/prepare-application/tasks/main.yml b/ansible/test/roles/prepare-application/tasks/main.yml new file mode 100644 index 00000000..2f143a07 --- /dev/null +++ b/ansible/test/roles/prepare-application/tasks/main.yml @@ -0,0 +1,47 @@ +--- +- name: Create Application helm charts directory + file: + path: "{{ app_helm_charts_install_directory }}" + state: directory + delegate_to: localhost + +- name: Create Makefile to simulate helm charts dir and make building + copy: + content: | + all: + onap: + dest: "{{ app_helm_charts_install_directory }}/Makefile" + delegate_to: localhost + when: simulate_helm + +- name: Clean previous simulation output file + file: + path: "{{ helm_simulation_output_file }}" + state: absent + +- name: simulate helm binary + copy: + content: | + #!/bin/bash + echo "$@" >> {{ helm_simulation_output_file }} + dest: "{{ helm_bin_dir }}/helm" + mode: 0755 + when: simulate_helm + +- name: Install make + package: + name: make + state: present + +- name: Create local certs dir for dummy certs + file: + path: certs + state: directory + delegate_to: localhost + +- name: Create dummy cert file to simulate offline server certificates in helm install with override.yml file + copy: + content: | + this is dummy server certificate value + dest: certs/rootCA.crt + delegate_to: localhost |