authorPaul McGoldrick <paul.mcgoldrick@att.com>2017-09-28 10:03:38 -0700
committerPaul McGoldrick <paul.mcgoldrick@att.com>2017-09-28 10:14:09 -0700
commitf52ddcb67f75aeb6bd72fecfd4a133ae1eb56666 (patch)
tree898aca33908fa491bfe541ba8f3b40124562d147 /ansible/roles
parent066d65126779abf924dd9175da56d2d43991dbff (diff)
initial seed code commit VVP-3
Change-Id: I6c9fede9b75ebaf1bcba2ad14f09f021fea63d21 Signed-off-by: Paul McGoldrick <paul.mcgoldrick@att.com>
Diffstat (limited to 'ansible/roles')
-rwxr-xr-xansible/roles/ansible-vvp-bootstrap/.gitignore2
-rwxr-xr-xansible/roles/ansible-vvp-bootstrap/.travis.yml64
-rwxr-xr-xansible/roles/ansible-vvp-bootstrap/defaults/main.yml39
-rwxr-xr-xansible/roles/ansible-vvp-bootstrap/files/iceundionly.kpxebin0 -> 64340 bytes
-rwxr-xr-xansible/roles/ansible-vvp-bootstrap/meta/.galaxy_install_info39
-rwxr-xr-xansible/roles/ansible-vvp-bootstrap/meta/main.yml38
-rwxr-xr-xansible/roles/ansible-vvp-bootstrap/tasks/dnsmasq.yml103
-rwxr-xr-xansible/roles/ansible-vvp-bootstrap/tasks/main.yml183
-rwxr-xr-xansible/roles/ansible-vvp-bootstrap/tasks/matchbox.yml137
-rwxr-xr-xansible/roles/ansible-vvp-bootstrap/tasks/tls.yml150
-rwxr-xr-xansible/roles/ansible-vvp-bootstrap/templates/dnsmasq.conf.j273
-rwxr-xr-xansible/roles/ansible-vvp-bootstrap/templates/groups/group.json.j273
-rwxr-xr-xansible/roles/ansible-vvp-bootstrap/templates/groups/install.json.j251
-rwxr-xr-xansible/roles/ansible-vvp-bootstrap/templates/ignition/controller.yaml.j2872
-rwxr-xr-xansible/roles/ansible-vvp-bootstrap/templates/ignition/coreos-install.yaml.j2107
-rwxr-xr-xansible/roles/ansible-vvp-bootstrap/templates/ignition/worker.yaml.j2397
-rwxr-xr-xansible/roles/ansible-vvp-bootstrap/templates/kubeconfig.j256
-rwxr-xr-xansible/roles/ansible-vvp-bootstrap/templates/openssl.config.j273
-rwxr-xr-xansible/roles/ansible-vvp-bootstrap/templates/profiles/controller.json.j256
-rwxr-xr-xansible/roles/ansible-vvp-bootstrap/templates/profiles/install-reboot.json.j255
-rwxr-xr-xansible/roles/ansible-vvp-bootstrap/templates/profiles/worker.json.j256
21 files changed, 2624 insertions, 0 deletions
diff --git a/ansible/roles/ansible-vvp-bootstrap/.gitignore b/ansible/roles/ansible-vvp-bootstrap/.gitignore
new file mode 100755
index 0000000..5109f81
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/.gitignore
@@ -0,0 +1,2 @@
+*.swp
+.sw*
diff --git a/ansible/roles/ansible-vvp-bootstrap/.travis.yml b/ansible/roles/ansible-vvp-bootstrap/.travis.yml
new file mode 100755
index 0000000..1b9ad49
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/.travis.yml
@@ -0,0 +1,64 @@
+# -*- encoding: utf-8 -*-
+# ============LICENSE_START=======================================================
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+ apt:
+ packages:
+ - python-pip
+
+install:
+ # Install ansible
+ - pip install ansible
+
+ # Check ansible version
+ - ansible --version
+
+ # Create ansible.cfg with correct roles_path
+ - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+ # Basic role syntax check
+ - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
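Review bot: The syntax check at the end runs `ansible-playbook tests/test.yml -i tests/inventory --syntax-check`, but no `tests/` directory is part of this role in the diffstat, so the job will fail on a missing playbook instead of validating the role. Either add `tests/test.yml` and `tests/inventory` in the same change or drop the `script` step until they exist. Separately, `pip install ansible` is unpinned, so the CI result drifts with whatever Ansible release is current on the day; pin the version the role is actually developed against.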
diff --git a/ansible/roles/ansible-vvp-bootstrap/defaults/main.yml b/ansible/roles/ansible-vvp-bootstrap/defaults/main.yml
new file mode 100755
index 0000000..9d39136
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/defaults/main.yml
@@ -0,0 +1,39 @@
+# -*- encoding: utf-8 -*-
+# ============LICENSE_START=======================================================
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+sysdig_access_key: "{{ vault_sysdig_access_key | default('') }}"
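Review bot: `sysdig_access_key` silently falls back to an empty string when `vault_sysdig_access_key` is undefined, so a missing vault variable is never detected and whatever consumes it (presumably one of the ignition templates, not visible here) is rendered with an empty key. If the key is required, fail early with `sysdig_access_key: "{{ vault_sysdig_access_key | mandatory }}"`; if it is genuinely optional, gate the consuming tasks on `sysdig_access_key != ''` so an empty credential is never written into a config.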
diff --git a/ansible/roles/ansible-vvp-bootstrap/files/iceundionly.kpxe b/ansible/roles/ansible-vvp-bootstrap/files/iceundionly.kpxe
new file mode 100755
index 0000000..ccda67b
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/files/iceundionly.kpxe
Binary files differ
diff --git a/ansible/roles/ansible-vvp-bootstrap/meta/.galaxy_install_info b/ansible/roles/ansible-vvp-bootstrap/meta/.galaxy_install_info
new file mode 100755
index 0000000..0b7735f
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/meta/.galaxy_install_info
@@ -0,0 +1,39 @@
+# -*- encoding: utf-8 -*-
+# ============LICENSE_START=======================================================
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+{install_date: 'Thu Jul 20 18:38:57 2017', version: develop}
diff --git a/ansible/roles/ansible-vvp-bootstrap/meta/main.yml b/ansible/roles/ansible-vvp-bootstrap/meta/main.yml
new file mode 100755
index 0000000..6b0bfdd
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/meta/main.yml
@@ -0,0 +1,38 @@
+# -*- encoding: utf-8 -*-
+# ============LICENSE_START=======================================================
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
diff --git a/ansible/roles/ansible-vvp-bootstrap/tasks/dnsmasq.yml b/ansible/roles/ansible-vvp-bootstrap/tasks/dnsmasq.yml
new file mode 100755
index 0000000..48dad1c
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/tasks/dnsmasq.yml
@@ -0,0 +1,103 @@
+# -*- encoding: utf-8 -*-
+# ============LICENSE_START=======================================================
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+- name: Install nf_conntrack_tftp
+ modprobe:
+ name: nf_conntrack_tftp
+ state: present
+
+- name: Copy our pxe client
+ copy: src=iceundionly.kpxe dest="{{files_dir}}/iceundionly.kpxe"
+ when: pxe_chainload
+
+- name: Create DNSMASQ leases file
+ file: path="{{files_dir}}/leases" mode=0644 state=touch
+
+- name: DROP DNS, tftp requests from public
+ shell: iptables -I INPUT 1 -p udp --dport {{item}} -i {{ops_public_interface}} -j DROP
+ with_items:
+ - 53
+ - 69
+
+- name: DROP DNS, tftp requests to public
+ shell: iptables -I OUTPUT 1 -p udp --sport {{item}} -o {{ops_public_interface}} -j DROP
+ with_items:
+ - 53
+ - 69
+
+- name: Allow Inbound UDP DHCP Requests
+ shell: iptables -A INPUT -p udp --dport {{item}} -j ACCEPT
+ with_items:
+ - 53
+ - 67:69
+
+- name: Allow Outbound UDP DNS, DHCP
+ shell: iptables -A OUTPUT -p udp --sport {{item}} -j ACCEPT
+ with_items:
+ - 53
+ - 67:69
+
+- name: Allow TFTP file transfers on arbitrary ports.
+ shell: 'iptables -A OUTPUT -p udp -o {{ ops_management_interface }} --sport 1023: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT'
+
+- name: Allow TFTP file transfers on arbitrary ports.
+ shell: 'iptables -A INPUT -p udp -i {{ops_management_interface}} --dport 1023: -m state --state ESTABLISHED,RELATED -j ACCEPT'
+
+- name: Render DNSMASQ configuration
+ template:
+ src: dnsmasq.conf.j2
+ dest: "{{files_dir}}/dnsmasq.conf"
+
+- name: Is dnsmasq already running?
+ shell: docker ps | grep dnsmasq | awk '{ print $1 }'
+ register: dnsmasq_id
+
+- name: Kill dnsmasq!
+ shell: docker kill "{{dnsmasq_id.stdout}}"
+ when: dnsmasq_id.stdout != ""
+
+- name: Start DNSMASQ
+ command: "docker run -d
+ --net=host
+ --cap-add=NET_ADMIN
+ -v {{files_dir}}/leases:/var/lib/misc/dnsmasq.leases:Z
+ -v {{files_dir}}/dnsmasq.conf:/etc/dnsmasq.conf:Z
+{% if pxe_chainload %}
+ -v {{files_dir}}/iceundionly.kpxe:/var/lib/tftpboot/iceundionly.kpxe:Z
+{% endif %}
+ quay.io/coreos/dnsmasq -d -q"
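Review bot: The accept rules `iptables -A INPUT -p udp --dport {{item}} -j ACCEPT` for 53 and 67:69 are not bound to an interface, while the public-interface DROP rules inserted above them cover only 53 and 69, so UDP 67/68 is accepted on `{{ops_public_interface}}` and the host will answer DHCP on the public side unless dnsmasq itself restricts `interface=` (the dnsmasq.conf template is cut off in this view). Bind the accept rules to the management interface, `shell: iptables -A INPUT -p udp -i {{ops_management_interface}} --dport {{item}} -j ACCEPT`, with the matching `-o` on the OUTPUT rule. `quay.io/coreos/dnsmasq` is also pulled with no tag or digest while running `--net=host --cap-add=NET_ADMIN`; pin the image so the PXE/DHCP server cannot change under you on the next pull. Finally, `docker ps | grep dnsmasq | awk '{ print $1 }'` matches any container whose name or image contains the string and may return several ids; start the container with a fixed `--name` and look it up with `docker ps -q --filter name=...`.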
diff --git a/ansible/roles/ansible-vvp-bootstrap/tasks/main.yml b/ansible/roles/ansible-vvp-bootstrap/tasks/main.yml
new file mode 100755
index 0000000..48b545e
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/tasks/main.yml
@@ -0,0 +1,183 @@
+# -*- encoding: utf-8 -*-
+# ============LICENSE_START=======================================================
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+- name: install packages
+ yum:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - docker
+ tags:
+ - bootstrap
+
+- name: Is our management IP set?
+ shell: "ip addr show {{ops_management_interface}} | grep {{ops_management_ip}}"
+ register: mgmt_ip
+ tags:
+ - bootstrap
+ ignore_errors: True
+
+- name: Set interface address
+ command: ip addr add {{ops_management_ip}}/24 dev {{ops_management_interface}}
+ when: mgmt_ip.stdout == ""
+ tags:
+ - bootstrap
+
+- name: Temporarily allow all INPUT
+ shell: iptables -P INPUT ACCEPT
+ tags:
+ - always
+
+- name: Temporarily allow all OUTPUT
+ shell: iptables -P OUTPUT ACCEPT
+ tags:
+ - always
+
+- name: Flush all IPTables Rules (non nat)
+ shell: iptables -F
+ tags:
+ - always
+
+- name: Allow SSH for development environments
+ shell: iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
+ when: ice_environment == "development"
+ tags:
+ - always
+
+- name: Allow SSH out for development environments
+ shell: iptables -A OUTPUT -p tcp -o eth0 --sport 22 -j ACCEPT
+ when: ice_environment == "development"
+ tags:
+ - always
+
+- name: Allow SSH out for development environments
+ shell: iptables -A OUTPUT -p tcp -o {{ops_management_interface}} --sport 22 -j ACCEPT
+ when: ice_environment != "development"
+ tags:
+ - always
+
+- name: Allow SSH for non-development environments
+ shell: iptables -A INPUT -p tcp -i {{ops_management_interface}} --dport 22 -j ACCEPT
+ when: ice_environment != "development"
+ tags:
+ - always
+
+- name: Allow Outbound UDP DNS
+ shell: iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+
+- name: Allow Inbound UDP DNS replies
+ shell: iptables -A INPUT -p udp --sport 53 -j ACCEPT
+
+- name: Allow Outbound Web Requests
+ shell: iptables -A OUTPUT -p tcp --dport {{item}} -j ACCEPT
+ with_items:
+ - 443
+ - 80
+
+- name: Allow Inbound Web Replies
+ shell: iptables -A INPUT -p tcp --sport {{item}} -m state --state ESTABLISHED,RELATED -j ACCEPT
+ with_items:
+ - 443
+ - 80
+- name: Drop INPUT
+ shell: iptables -P INPUT DROP
+ tags:
+ - always
+
+- name: Drop OUTPUT
+ shell: iptables -P OUTPUT DROP
+ tags:
+ - always
+
+- name: Drop FORWARD
+ shell: iptables -P FORWARD DROP
+ tags:
+ - always
+
+- name: set additional interfaces ip
+ command: ip addr add {{item.value}} dev {{item.key}}
+ when: hostvars[inventory_hostname]["ansible_%s" % item.key] and (hostvars[inventory_hostname]["ansible_%s" % item.key]['ipv4'] is not defined or not item.value.split('/')[0] in hostvars[inventory_hostname]["ansible_%s" % item.key]['ipv4']['address'])
+ with_dict: "{{ additional_interfaces }}"
+
+- name: Bring additional interfaces up
+ command: ifup {{item.key}}
+ when: hostvars[inventory_hostname]["ansible_%s" % item.key] and (hostvars[inventory_hostname]["ansible_%s" % item.key]['ipv4'] is not defined or not item.value.split('/')[0] in hostvars[inventory_hostname]["ansible_%s" % item.key]['ipv4']['address'])
+ with_dict: "{{ additional_interfaces }}"
+
+- name: Add self to resolv.conf
+ lineinfile:
+ dest: /etc/resolv.conf
+ line: "nameserver {{ops_management_ip}}"
+ insertbefore: BOF
+
+- name: start docker
+ command: systemctl restart docker
+ tags:
+ - always
+
+- name: Disable Forwarding
+ command: "echo 0 > /proc/sys/net/ipv4/ip_forward"
+ tags:
+ - bootstrap
+
+#########################
+# FILESYSTEM
+#
+- name: Create files DIR
+ file: state=directory path="{{files_dir}}" mode=0755
+ tags:
+ - bootstrap
+ - tls
+
+- include: matchbox.yml
+ tags:
+ - bootstrap
+ - matchbox
+
+
+- include: tls.yml
+ tags:
+ - bootstrap
+ - tls
+
+- include: dnsmasq.yml
+ tags:
+ - bootstrap
+ - dnsmasq
+
diff --git a/ansible/roles/ansible-vvp-bootstrap/tasks/matchbox.yml b/ansible/roles/ansible-vvp-bootstrap/tasks/matchbox.yml
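Review bot: `command: "echo 0 > /proc/sys/net/ipv4/ip_forward"` does not disable forwarding: the `command` module runs no shell, so `>` and the path are handed to `echo` as literal arguments and the task reports success while changing nothing. Use `sysctl: name=net.ipv4.ip_forward value=0 state=present sysctl_set=yes`, and note that the `systemctl restart docker` just above typically re-enables forwarding, so the setting must be applied after Docker starts or Docker told not to manage it. The tagging is also inconsistent: the flush, temporary-ACCEPT and final DROP-policy tasks are `always`, but the tasks from `Allow Outbound UDP DNS` through `Allow Inbound Web Replies` carry no tag, so a run with `--tags bootstrap` or `--tags matchbox` ends with DROP policies and no outbound DNS/HTTP and the `get_url` downloads in matchbox.yml cannot complete. Tag those rule tasks `always` as well, or move the whole firewall section into one included file with a single tag. The rules are applied with raw `iptables` via `shell` and never saved, so they vanish on reboot; if that is intended for a bootstrap host, say so in a comment.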
new file mode 100755
index 0000000..7e4ea87
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/tasks/matchbox.yml
@@ -0,0 +1,137 @@
+# -*- encoding: utf-8 -*-
+# ============LICENSE_START=======================================================
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+- name: Create assets directory
+ file: path="{{coreos_assets_dir}}" state=directory mode="0755"
+ tags:
+ - bootstrap
+ - matchbox
+
+- name: Download PXE image
+ get_url: url="http://{{coreos_channel}}.release.core-os.net/amd64-usr/{{coreos_version}}/{{item}}" dest="{{coreos_assets_dir}}/{{item}}"
+ with_items:
+ - "coreos_production_pxe.vmlinuz"
+ - "coreos_production_pxe.vmlinuz.sig"
+ - "coreos_production_pxe_image.cpio.gz"
+ - "coreos_production_pxe_image.cpio.gz.sig"
+ - "coreos_production_image.bin.bz2"
+ - "coreos_production_image.bin.bz2.sig"
+ tags:
+ - bootstrap
+ - matchbox
+
+- name: Retrieve the signing key
+ get_url: url="https://coreos.com/security/image-signing-key/CoreOS_Image_Signing_Key.asc" dest="{{coreos_assets_dir}}/CoreOS_Image_Signing_Key.asc"
+ tags:
+ - bootstrap
+ - matchbox
+
+- name: Import signing key
+ command: "gpg --import {{coreos_assets_dir}}/CoreOS_Image_Signing_Key.asc"
+ tags:
+ - bootstrap
+ - matchbox
+
+- name: Adding trust for CoreOS Signing key
+ command: 'echo "04126D0BFABEC8871FFB2CCE50E0885593D2DCB4:6:" | gpg --import-ownertrust'
+ tags:
+ - bootstrap
+ - matchbox
+
+- name: Verifying vmlinuz
+ command: "gpg --verify {{coreos_assets_dir}}/{{item}}"
+ with_items:
+ - "coreos_production_pxe.vmlinuz.sig"
+ - "coreos_production_pxe_image.cpio.gz.sig"
+ tags:
+ - bootstrap
+ - matchbox
+
+
+- name: Create matchbox directory
+ file: path="{{matchbox_dir}}" state=directory mode=0754
+ tags:
+ - bootstrap
+ - matchbox
+
+- name: Create groups, profiles and ignition directories
+ file: path="{{matchbox_dir}}/{{item}}" state=directory mode=0754
+ with_items:
+ - groups
+ - profiles
+ - ignition
+
+- name: matchbox k7 groups templates
+ template:
+ src: "groups/group.json.j2"
+ dest: "{{matchbox_dir}}/groups/{{item.name}}.json"
+ with_items: "{{hosts}}"
+ when: item.os == "coreos"
+
+- name: Allow Inbound 8080 web requests
+ shell: iptables -A INPUT -p udp --dport 8080 -i {{ops_management_interface}} -j ACCEPT
+
+- name: Allow Outbound 8080 web replies
+ shell: iptables -A OUTPUT -p udp --sport 8080 -o {{ops_management_interface}} -j ACCEPT
+
+- name: Create TLS assets directory
+ file: path="{{assets_dir}}/tls" state=directory mode=643
+
+- name: matchbox k8 other templates
+ template:
+ src: "{{item}}.j2"
+ dest: "{{matchbox_dir}}/{{item}}"
+ with_items:
+ - groups/install.json
+ - profiles/controller.json
+ - profiles/worker.json
+ - profiles/install-reboot.json
+ - ignition/controller.yaml
+ - ignition/coreos-install.yaml
+ - ignition/worker.yaml
+
+- name: Is matchbox already running?
+ shell: docker ps | grep matchbox | awk '{ print $1 }'
+ register: matchbox_id
+
+- name: Kill matchbox!
+ shell: docker kill {{matchbox_id.stdout}}
+ when: matchbox_id.stdout != ""
+
+- name: matchbox docker
+ command: docker run -d -p {{ops_management_ip}}:8080:8080 -v {{assets_dir}}:/assets:Z -v {{matchbox_dir}}:/var/lib/matchbox:Z quay.io/coreos/matchbox:v0.5.0 -address=0.0.0.0:8080 -log-level=debug -assets-path=/assets
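Review bot: `coreos_production_image.bin.bz2` is downloaded over plain `http://` together with its `.sig`, but the `Verifying vmlinuz` task checks only `coreos_production_pxe.vmlinuz.sig` and `coreos_production_pxe_image.cpio.gz.sig`, so the disk image that actually gets installed on the nodes is served to PXE clients unverified. Add `- "coreos_production_image.bin.bz2.sig"` to that `with_items` list and switch the download URL to `https://` so the unsigned artifacts are at least not trivially replaceable in transit. Two smaller points: the 8080 allow rules use `-p udp`, but matchbox serves HTTP over TCP, so they match nothing (whether published-port traffic even traverses INPUT depends on Docker's own rules); and `mode=643` on the TLS assets directory is neither a valid octal string nor the `0755` that tls.yml later applies to the same path — use `mode: "0750"` or drop this duplicate task.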
diff --git a/ansible/roles/ansible-vvp-bootstrap/tasks/tls.yml b/ansible/roles/ansible-vvp-bootstrap/tasks/tls.yml
new file mode 100755
index 0000000..e0346cf
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/tasks/tls.yml
@@ -0,0 +1,150 @@
+# -*- encoding: utf-8 -*-
+# ============LICENSE_START=======================================================
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+- name: create TLS dir
+ file:
+ state: directory
+ path: "{{files_dir}}/tls"
+ mode: 0755
+ tags:
+ - bootstrap
+ - tls
+
+- name: create TLS dir
+ file:
+ state: directory
+ path: "{{assets_dir}}/tls"
+ mode: 0755
+ tags:
+ - bootstrap
+ - tls
+
+- stat: path="{{files_dir}}/tls/ca-key.pem"
+ register: ca_key
+
+- name: create root CA
+ shell: openssl genrsa -out {{files_dir}}/tls/ca-key.pem 2048
+ when: not ca_key.stat.exists
+
+- stat: path="{{files_dir}}/tls/ca.pem"
+ register: ca
+
+- name: create self signed cert
+ shell: openssl req -x509 -new -nodes -key {{files_dir}}/tls/ca-key.pem -days 10000 -out {{files_dir}}/tls/ca.pem -subj "/CN=kube-ca"
+ when: not ca.stat.exists
+
+- name: Generate Config File
+ template:
+ src: openssl.config.j2
+ dest: "{{files_dir}}/tls/{{item}}-openssl.config"
+ with_items:
+ - admin
+ - apiserver
+ - worker
+
+- stat: path={{files_dir}}/tls/{{item}}-key.pem
+ register: keyfiles
+ with_items:
+ - admin
+ - apiserver
+ - worker
+
+- name: create keyfile
+ shell: openssl genrsa -out {{files_dir}}/tls/{{item.item}}-key.pem 2048
+ with_items: "{{keyfiles.results}}"
+ when: not item.stat.exists
+
+- stat: path={{files_dir}}/tls/{{item}}.csr
+ register: csr_files
+ with_items:
+ - admin
+ - apiserver
+ - worker
+
+- name: Create csr
+ shell: openssl req -new -key {{files_dir}}/tls/{{item.item}}-key.pem -out {{files_dir}}/tls/{{item.item}}.csr -subj "/CN=kube-{{item.item}}" -config {{files_dir}}/tls/{{item.item}}-openssl.config
+ with_items: "{{csr_files.results}}"
+ when: not item.stat.exists
+
+- stat: path={{files_dir}}/tls/{{item}}.pem
+ register: pem_files
+ with_items:
+ - admin
+ - apiserver
+ - worker
+
+- name: Create pemfile
+ shell: openssl x509 -req -in {{files_dir}}/tls/{{item.item}}.csr -CA {{files_dir}}/tls/ca.pem -CAkey {{files_dir}}/tls/ca-key.pem -CAcreateserial -out {{files_dir}}/tls/{{item.item}}.pem -days 365 -extensions v3_req -extfile {{files_dir}}/tls/{{item.item}}-openssl.config
+ with_items: "{{pem_files.results}}"
+ when: not item.stat.exists
+
+- name: Copy tls related files to assets
+ copy:
+ src: "{{files_dir}}/{{item}}"
+ dest: "{{assets_dir}}/{{item}}"
+ remote_src: yes
+ backup: yes
+ with_items:
+ - tls/apiserver-key.pem
+ - tls/apiserver.pem
+ - tls/ca.pem
+ - tls/worker-key.pem
+ - tls/worker.pem
+
+- name: Encode Admin Cert
+ shell: base64 -w 0 {{files_dir}}/tls/admin.pem
+ register: ADMIN_CERT_BASE64
+
+- name: Encode Admin Key
+ shell: base64 -w 0 {{files_dir}}/tls/admin-key.pem
+ register: ADMIN_KEY_BASE64
+
+- name: Encode CA Cert
+ shell: base64 -w 0 {{files_dir}}/tls/ca.pem
+ register: CA_CERT_BASE64
+
+- name: Render kubeconfig
+ template:
+ src: kubeconfig.j2
+ dest: "{{files_dir}}/kubeconfig"
+
+- name: Fetch the new kubeconfig
+ fetch:
+ src: "{{files_dir}}/kubeconfig"
+ dest: "{{inventory_dir}}/../k8/"
+ flat: yes
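Review bot: `Copy tls related files to assets` puts `apiserver-key.pem` and `worker-key.pem` under `{{assets_dir}}/tls`, and matchbox.yml mounts `{{assets_dir}}` as `-assets-path=/assets`, which matchbox serves over unauthenticated HTTP on port 8080 — anyone on the management network can download the API server's private key. If the ignition templates (not visible here) fetch these keys from matchbox, deliver them through a path that is not the public assets tree, or at minimum document that the management network is fully trusted. The `openssl genrsa` tasks also create key files with the default umask, so add a `file:` task setting `mode: "0600"` on `ca-key.pem` and the `*-key.pem` files, and mark the `base64 -w 0 ... admin-key.pem` task `no_log: true` so the admin key does not land in Ansible output and logs. `backup: yes` on the copy additionally leaves timestamped copies of private keys behind; drop it for key material.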
diff --git a/ansible/roles/ansible-vvp-bootstrap/templates/dnsmasq.conf.j2 b/ansible/roles/ansible-vvp-bootstrap/templates/dnsmasq.conf.j2
new file mode 100755
index 0000000..2908165
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/templates/dnsmasq.conf.j2
@@ -0,0 +1,73 @@
+# -*- encoding: utf-8 -*-
+# ============LICENSE_START=======================================================
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+domain={{domain}}
+{% for range in dhcp_ranges %}
+dhcp-range={{range}}
+{% endfor %}
+{% if ice_environment != 'development' %}
+dhcp-option={{ops_management_interface}},121,10.252.0.0/16,{{management_gateway}}
+dhcp-option=tag:#coreos,{{ops_management_interface}},3,{{management_gateway}}
+dhcp-option=tag:coreos,{{ops_management_interface}},3
+{% endif %}
+{% for interface in additional_gateways.keys() %}
+dhcp-option={{interface}},3{% if additional_gateways[interface] != '' %},{{additional_gateways[interface]}} {% endif %}
+
+dhcp-option=#{{ops_management_interface}},6
+{% endfor %}
+enable-tftp
+tftp-root=/var/lib/tftpboot
+{% if pxe_boot %}
+ {% if pxe_chainload %}
+dhcp-userclass=set:iceundi,ICEPXE
+dhcp-boot=tag:coreos,tag:#iceundi,iceundionly.kpxe
+ {% else %}
+dhcp-userclass=set:iceundi,iPXE
+dhcp-boot=tag:coreos,tag:#iceundi,undionly.kpxe
+ {% endif %}
+dhcp-boot=tag:iceundi,http://{{ops_management_ip}}:8080/boot.ipxe
+{% endif %}
+{% for host in hosts %}
+ {% for config in host.dnsmasq_config %}
+dhcp-host={{config}}
+ {% endfor %}
+{% endfor %}
+dhcp-ignore=tag:#known
+log-queries
+log-dhcp
+bogus-priv
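Review bot: The classless-static-route option in the `ice_environment != 'development'` branch hard-codes the destination network `10.252.0.0/16` while the interface and gateway on the same line are templated, so the template cannot be reused for another management network without editing it; `dhcp-option={{ops_management_interface}},121,{{management_route_cidr}},{{management_gateway}}` with the value declared in the role defaults would keep all three in one place (`management_route_cidr` is a placeholder name). In the `additional_gateways` loop the `if` branch leaves a space before `{% endif %}` and is followed by an empty template line, so each rendered `dhcp-option=…,3,<gateway>` carries trailing whitespace plus a blank line; I would not rely on dnsmasq trimming that — drop the space and move the blank line out of the loop.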
diff --git a/ansible/roles/ansible-vvp-bootstrap/templates/groups/group.json.j2 b/ansible/roles/ansible-vvp-bootstrap/templates/groups/group.json.j2
new file mode 100755
index 0000000..f7faa70
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/templates/groups/group.json.j2
@@ -0,0 +1,73 @@
+{#
+-*- encoding: utf-8 -*-
+============LICENSE_START=======================================================
+org.onap.vvp/engagementmgr
+===================================================================
+Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+===================================================================
+
+Unless otherwise specified, all software contained herein is licensed
+under the Apache License, Version 2.0 (the “License”);
+you may not use this software except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+
+
+Unless otherwise specified, all documentation contained herein is licensed
+under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+you may not use this documentation except in compliance with the License.
+You may obtain a copy of the License at
+
+ https://creativecommons.org/licenses/by/4.0/
+
+Unless required by applicable law or agreed to in writing, documentation
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+============LICENSE_END============================================
+
+ ECOMP is a trademark and service mark of AT&T Intellectual Property.
+#}
+{
+ "id": "{{item.name}}",
+ "name": "k8s node",
+ "profile": "{{item.role}}",
+ "selector": {
+ "mac": "{{item.mac}}",
+ "os": "installed"
+ },
+ "metadata": {
+ "ssh_ip": "{{item.ssh_ip}}",
+ "k8s_flanneld_iface": "{{flanneld_interface}}",
+ "container_runtime": "{{container_runtime | default('rkt')}}",
+ "domain_name": "{{item.name}}.{{domain}}",
+ "etcd_initial_peers": "http://{{item.name}}.{{domain}}:2380",
+ "etcd_initial_cluster": "{% for host in hosts %}{% if host.etcd_role == "member" %}{{host.name}}=http://{{host.name}}.{{domain}}:2380,{% endif %}{% endfor %}",
+ "etcd_name": "{{item.name}}",
+ "k8s_version": "{{k8s_version}}",
+ "k8s_cert_endpoint": "http://{{ops_management_ip}}:8080/assets",
+ "k8s_dns_service_ip": "10.3.0.10",
+ "k8s_etcd_endpoints": "{% for host in hosts %}{% if host.etcd_role == "member" %}http://{{host.name}}.{{domain}}:2379,{% endif %}{% endfor %}",
+ "sysdig_access_key": "{{ sysdig_access_key| default('') }}",
+{% if item.role == "controller" %}
+ "k8s_apiserver_advertise_address": "{{k8s_apiserver_advertise_address}}",
+ "k8s_controller_port": "{{k8s_controller_port}}",
+ "k8s_pod_network": "10.2.0.0/16",
+ "k8s_service_ip_range": "10.3.0.0/24",
+{% else %}
+ "k8s_controller_endpoint": "https://{{(hosts|selectattr('role', 'equalto', 'controller')|first).name}}.{{domain}}:{{k8s_controller_port}}",
+{% endif %}
+ "ssh_authorized_keys": [{% for key in ssh_keys %}"{{key}}"{% if not loop.last %},{% endif %}{% endfor %}],
+ "ignition_endpoint": "http://{{ops_management_ip}}:8080/ignition"
+ }
+}
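Review bot: `etcd_initial_cluster` and `k8s_etcd_endpoints` append a `,` after every member host, including the last, so both metadata values always end with a trailing comma; these strings are later handed to etcd, kube-apiserver `--etcd-servers` and flanneld, and I would not assume every consumer drops an empty trailing element. Filtering first and using the loop's own last marker avoids it: `{% for host in hosts | selectattr('etcd_role', 'equalto', 'member') %}{{host.name}}=http://{{host.name}}.{{domain}}:2380{% if not loop.last %},{% endif %}{% endfor %}` (same shape for the `:2379` list); `selectattr` is already used in this file for the controller lookup. `loop.last` inside the existing `if` would not work, since it refers to the last of all hosts rather than the last member.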
diff --git a/ansible/roles/ansible-vvp-bootstrap/templates/groups/install.json.j2 b/ansible/roles/ansible-vvp-bootstrap/templates/groups/install.json.j2
new file mode 100755
index 0000000..bf9284f
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/templates/groups/install.json.j2
@@ -0,0 +1,51 @@
+{#
+-*- encoding: utf-8 -*-
+============LICENSE_START=======================================================
+org.onap.vvp/engagementmgr
+===================================================================
+Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+===================================================================
+
+Unless otherwise specified, all software contained herein is licensed
+under the Apache License, Version 2.0 (the “License”);
+you may not use this software except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+
+
+Unless otherwise specified, all documentation contained herein is licensed
+under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+you may not use this documentation except in compliance with the License.
+You may obtain a copy of the License at
+
+ https://creativecommons.org/licenses/by/4.0/
+
+Unless required by applicable law or agreed to in writing, documentation
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+============LICENSE_END============================================
+
+ ECOMP is a trademark and service mark of AT&T Intellectual Property.
+#}
+{
+ "id": "coreos-install",
+ "name": "CoreOS Install",
+ "profile": "install-reboot",
+ "metadata": {
+ "coreos_channel": "{{coreos_channel}}",
+ "coreos_version": "{{coreos_version}}",
+ "ignition_endpoint": "http://{{ops_management_ip}}:8080/ignition",
+ "ssh_authorized_keys": [{% for key in ssh_keys %}"{{key}}"{% if not loop.last %},{% endif %}{% endfor %}]
+ }
+}
diff --git a/ansible/roles/ansible-vvp-bootstrap/templates/ignition/controller.yaml.j2 b/ansible/roles/ansible-vvp-bootstrap/templates/ignition/controller.yaml.j2
new file mode 100755
index 0000000..ff8e0b8
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/templates/ignition/controller.yaml.j2
@@ -0,0 +1,872 @@
+{#
+-*- encoding: utf-8 -*-
+============LICENSE_START=======================================================
+org.onap.vvp/engagementmgr
+===================================================================
+Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+===================================================================
+
+Unless otherwise specified, all software contained herein is licensed
+under the Apache License, Version 2.0 (the “License”);
+you may not use this software except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+
+
+Unless otherwise specified, all documentation contained herein is licensed
+under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+you may not use this documentation except in compliance with the License.
+You may obtain a copy of the License at
+
+ https://creativecommons.org/licenses/by/4.0/
+
+Unless required by applicable law or agreed to in writing, documentation
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+============LICENSE_END============================================
+
+ ECOMP is a trademark and service mark of AT&T Intellectual Property.
+#}
+---
+systemd:
+ units:
+{% for mount in mounts %}
+ - name: {{mount.name}}.mount
+ enable: true
+ contents: |
+ [Mount]
+ What={{mount.dev}}
+ Where={{mount.dest}}
+ Type={{mount.type}}
+ [Install]
+ WantedBy=local-fs.target
+{% endfor %}
+ - name: ice-filesystems.service
+ enable: true
+ contents: |
+ [Unit]
+ After=systemd-tmpfiles-setup.service
+ [Service]
+ Type=oneshot
+ {% if manually_grow_root %}
+ ExecStart=/usr/bin/cgpt resize /dev/sda9
+ ExecStart=/usr/sbin/xfs_growfs /dev/sda9
+ {% endif %}
+ ExecStart=/usr/bin/cp -r --preserve=all /usr/share/coreos /etc/coreos
+ ExecStart=/usr/bin/systemctl disable ice-filesystems.service
+ [Install]
+ WantedBy=multi-user.target {% raw %}
+ - name: sshd.socket
+ enable: true
+ contents: |
+ [Unit]
+ Description=OpenSSH Server Socket
+ Conflicts=sshd.service
+
+ [Socket]
+ ListenStream={{.ssh_ip}}:22
+ FreeBind=true
+ Accept=yes
+
+ [Install]
+ WantedBy=sockets.target
+ - name: etcd2.service
+ enable: true
+ dropins:
+ - name: 40-etcd-cluster.conf
+ contents: |
+ [Service]
+ Environment="ETCD_NAME={{.etcd_name}}"
+ Environment="ETCD_ADVERTISE_CLIENT_URLS=http://{{.domain_name}}:2379"
+ Environment="ETCD_INITIAL_ADVERTISE_PEER_URLS={{.etcd_initial_peers}}"
+ Environment="ETCD_LISTEN_CLIENT_URLS=http://0.0.0.0:2379"
+ Environment="ETCD_LISTEN_PEER_URLS=http://0.0.0.0:2380"
+ Environment="ETCD_INITIAL_CLUSTER={{.etcd_initial_cluster}}"
+ Environment="ETCD_STRICT_RECONFIG_CHECK=true"
+ - name: flanneld.service
+ dropins:
+ - name: 40-ExecStartPre-symlink.conf
+ contents: |
+ [Service]
+ EnvironmentFile=-/etc/flannel/options.env
+ ExecStartPre=/opt/init-flannel
+ - name: docker.service
+ dropins:
+ - name: 40-flannel.conf
+ contents: |
+ [Unit]
+ Requires=flanneld.service
+ After=flanneld.service
+ [Service]
+ EnvironmentFile=/etc/kubernetes/cni/docker_opts_cni.env
+ - name: locksmithd.service
+ dropins:
+ - name: 40-etcd-lock.conf
+ contents: |
+ [Service]
+ Environment="REBOOT_STRATEGY=off"
+ - name: k8s-certs@.service
+ contents: |
+ [Unit]
+ Description=Fetch Kubernetes certificate assets
+ Requires=network-online.target
+ After=network-online.target
+ [Service]
+ ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/ssl
+ ExecStart=/usr/bin/bash -c "[ -f /etc/kubernetes/ssl/%i ] || curl {{.k8s_cert_endpoint}}/tls/%i -o /etc/kubernetes/ssl/%i"
+ - name: k8s-assets.target
+ contents: |
+ [Unit]
+ Description=Load Kubernetes Assets
+ Requires=k8s-certs@apiserver.pem.service
+ After=k8s-certs@apiserver.pem.service
+ Requires=k8s-certs@apiserver-key.pem.service
+ After=k8s-certs@apiserver-key.pem.service
+ Requires=k8s-certs@ca.pem.service
+ After=k8s-certs@ca.pem.service
+ - name: kubelet.service
+ enable: true
+ contents: |
+ [Unit]
+ Description=Kubelet via Hyperkube ACI
+ Wants=flanneld.service
+ Requires=k8s-assets.target
+ After=k8s-assets.target
+ [Service]
+ Environment=KUBELET_VERSION={{.k8s_version}}
+ Environment="RKT_OPTS=--uuid-file-save=/var/run/kubelet-pod.uuid \
+ --volume dns,kind=host,source=/etc/resolv.conf \
+ --mount volume=dns,target=/etc/resolv.conf \
+ {{ if eq .container_runtime "rkt" -}}
+ --volume rkt,kind=host,source=/opt/bin/host-rkt \
+ --mount volume=rkt,target=/usr/bin/rkt \
+ --volume var-lib-rkt,kind=host,source=/var/lib/rkt \
+ --mount volume=var-lib-rkt,target=/var/lib/rkt \
+ --volume stage,kind=host,source=/tmp \
+ --mount volume=stage,target=/tmp \
+ {{ end -}}
+ --volume modprobe,kind=host,source=/usr/sbin/modprobe \
+ --mount volume=modprobe,target=/usr/sbin/modprobe \
+ --volume lib-modules,kind=host,source=/lib/modules \
+ --mount volume=lib-modules,target=/lib/modules \
+ --volume mkfsxfs,kind=host,source=/usr/sbin/mkfs.xfs \
+ --mount volume=mkfsxfs,target=/usr/sbin/mkfs.xfs \
+ --volume libxfs,kind=host,source=/lib64/libxfs.so.0 \
+ --mount volume=libxfs,target=/lib64/libxfs.so.0 \
+ --volume var-log,kind=host,source=/var/log \
+ --mount volume=var-log,target=/var/log"
+ ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/manifests
+ ExecStartPre=/usr/bin/mkdir -p /var/log/containers
+ ExecStartPre=/usr/bin/systemctl is-active flanneld.service
+ ExecStartPre=-/usr/bin/rkt rm --uuid-file=/var/run/kubelet-pod.uuid
+ ExecStart=/usr/lib/coreos/kubelet-wrapper \
+ --api-servers=http://127.0.0.1:8080 \
+ --register-schedulable=true \
+ --cni-conf-dir=/etc/kubernetes/cni/net.d \
+ --network-plugin=cni \
+ --container-runtime={{.container_runtime}} \
+ --rkt-path=/usr/bin/rkt \
+ --rkt-stage1-image=coreos.com/rkt/stage1-coreos \
+ --allow-privileged=true \
+ --pod-manifest-path=/etc/kubernetes/manifests \
+ --hostname-override={{.domain_name}} \
+ --cluster_dns={{.k8s_dns_service_ip}} \
+ --cluster_domain=cluster.local
+ ExecStop=-/usr/bin/rkt stop --uuid-file=/var/run/kubelet-pod.uuid
+ Restart=always
+ RestartSec=10
+ [Install]
+ WantedBy=multi-user.target
+ - name: k8s-addons.service
+ enable: true
+ contents: |
+ [Unit]
+ Description=Kubernetes Addons
+ [Service]
+ Type=oneshot
+ ExecStart=/opt/k8s-addons
+ [Install]
+ WantedBy=multi-user.target
+ {{ if eq .container_runtime "rkt" }}
+ - name: rkt-api.service
+ enable: true
+ contents: |
+ [Unit]
+ Before=kubelet.service
+ [Service]
+ ExecStart=/usr/bin/rkt api-service
+ Restart=always
+ RestartSec=10
+ [Install]
+ RequiredBy=kubelet.service
+ - name: load-rkt-stage1.service
+ enable: true
+ contents: |
+ [Unit]
+ Description=Load rkt stage1 images
+ Documentation=http://github.com/coreos/rkt
+ Requires=network-online.target
+ After=network-online.target
+ Before=rkt-api.service
+ [Service]
+ Type=oneshot
+ RemainAfterExit=yes
+ ExecStart=/usr/bin/rkt fetch /usr/lib/rkt/stage1-images/stage1-coreos.aci /usr/lib/rkt/stage1-images/stage1-fly.aci --insecure-options=image
+ [Install]
+ RequiredBy=rkt-api.service
+ {{ end }}
+ {{if ne .sysdig_access_key "" }}
+ - name: sysdig.service
+ enable: true
+ contents: |
+ [Unit]
+ Description=Sysdig Cloud Agent
+ After=docker.service
+ Requires=docker.service
+ [Service]
+ TimeoutStartSec=0
+ ExecStartPre=-/usr/bin/docker kill sysdig-agent
+ ExecStartPre=-/usr/bin/docker rm sysdig-agent
+ ExecStartPre=-/usr/bin/docker rmi sysdig-agent
+ ExecStartPre=/usr/bin/docker pull sysdig/agent
+{% endraw %}
+ ExecStart=/usr/bin/docker run --name sysdig-agent --privileged --net host --pid host -e ADDITIONAL_CONF="app_checks:\n - name: nginx\n enabled: false" -e ACCESS_KEY={{sysdig_access_key}} -e TAGS=deploy_environment:staging -v /var/lib/rkt:/host/var/lib/rkt:ro -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro sysdig/agent {% raw %}
+ ExecStop=/usr/bin/docker stop sysdig-agent
+ [Install]
+ WantedBy=multi-user.target
+ RequiredBy=k8-addons.service
+ {{ end }}
+storage:
+ filesystems:
+{% endraw %}
+{% for fs in filesystems %}
+ - name: {{fs.device}}
+ mount:
+ device: {{fs.device}}
+ format: {{fs.format}}
+ create:
+ force: {{fs.create.force}}
+{% if "options" in fs.create.keys() %}
+ options:
+{% for option in fs.create.options %}
+ - {{option}}
+{% endfor %}
+{% endif %}
+{% endfor %}{% raw %}
+ files:
+ - path: /etc/kubernetes/cni/net.d/10-flannel.conf
+ filesystem: root
+ contents:
+ inline: |
+ {
+ "name": "podnet",
+ "type": "flannel",
+ "delegate": {
+ "isDefaultGateway": true
+ }
+ }
+ - path: /etc/kubernetes/cni/docker_opts_cni.env
+ filesystem: root
+ contents:
+ inline: |
+ DOCKER_OPT_BIP=""
+ DOCKER_OPT_IPMASQ=""
+ - path: /etc/sysctl.d/max-user-watches.conf
+ filesystem: root
+ contents:
+ inline: |
+ fs.inotify.max_user_watches=16184
+ - path: /etc/kubernetes/manifests/kube-proxy.yaml
+ filesystem: root
+ contents:
+ inline: |
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: kube-proxy
+ namespace: kube-system
+ annotations:
+ rkt.alpha.kubernetes.io/stage1-name-override: coreos.com/rkt/stage1-fly
+ spec:
+ hostNetwork: true
+ containers:
+ - name: kube-proxy
+ image: quay.io/coreos/hyperkube:{{.k8s_version}}
+ command:
+ - /hyperkube
+ - proxy
+ - --master=http://127.0.0.1:8080
+ - --cluster-cidr={{.k8s_service_ip_range}}
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - mountPath: /etc/ssl/certs
+ name: ssl-certs-host
+ readOnly: true
+ - mountPath: /var/run/dbus
+ name: dbus
+ readOnly: false
+ volumes:
+ - hostPath:
+ path: /usr/share/ca-certificates
+ name: ssl-certs-host
+ - hostPath:
+ path: /var/run/dbus
+ name: dbus
+ - path: /etc/kubernetes/manifests/kube-apiserver.yaml
+ filesystem: root
+ contents:
+ inline: |
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: kube-apiserver
+ namespace: kube-system
+ spec:
+ hostNetwork: true
+ containers:
+ - name: kube-apiserver
+ image: quay.io/coreos/hyperkube:{{.k8s_version}}
+ command:
+ - /hyperkube
+ - apiserver
+ - --bind-address=0.0.0.0
+ - --advertise-address={{.k8s_apiserver_advertise_address}}
+ - --etcd-servers={{.k8s_etcd_endpoints}}
+ - --allow-privileged=true
+ - --service-cluster-ip-range={{.k8s_service_ip_range}}
+ - --secure-port={{.k8s_controller_port}}
+ - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
+ - --tls-cert-file=/etc/kubernetes/ssl/apiserver.pem
+ - --tls-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem
+ - --client-ca-file=/etc/kubernetes/ssl/ca.pem
+ - --service-account-key-file=/etc/kubernetes/ssl/apiserver-key.pem
+ - --runtime-config=extensions/v1beta1/networkpolicies=true
+ - --anonymous-auth=false
+ livenessProbe:
+ httpGet:
+ host: 127.0.0.1
+ port: 8080
+ path: /healthz
+ initialDelaySeconds: 15
+ timeoutSeconds: 15
+ ports:
+ - containerPort: {{.k8s_controller_port}}
+ hostPort: {{.k8s_controller_port}}
+ name: https
+ - containerPort: 8080
+ hostPort: 8080
+ name: local
+ volumeMounts:
+ - mountPath: /etc/kubernetes/ssl
+ name: ssl-certs-kubernetes
+ readOnly: true
+ - mountPath: /etc/ssl/certs
+ name: ssl-certs-host
+ readOnly: true
+ volumes:
+ - hostPath:
+ path: /etc/kubernetes/ssl
+ name: ssl-certs-kubernetes
+ - hostPath:
+ path: /usr/share/ca-certificates
+ name: ssl-certs-host
+ - path: /etc/flannel/options.env
+ filesystem: root
+ contents:
+ inline: |
+ FLANNELD_ETCD_ENDPOINTS={{.k8s_etcd_endpoints}}
+ FLANNELD_IFACE={{.k8s_flanneld_iface}}
+ - path: /etc/kubernetes/manifests/kube-controller-manager.yaml
+ filesystem: root
+ contents:
+ inline: |
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: kube-controller-manager
+ namespace: kube-system
+ spec:
+ containers:
+ - name: kube-controller-manager
+ image: quay.io/coreos/hyperkube:{{.k8s_version}}
+ command:
+ - /hyperkube
+ - controller-manager
+ - --master=http://127.0.0.1:8080
+ - --leader-elect=true
+ - --service-account-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem
+ - --root-ca-file=/etc/kubernetes/ssl/ca.pem
+ resources:
+ requests:
+ cpu: 200m
+ livenessProbe:
+ httpGet:
+ host: 127.0.0.1
+ path: /healthz
+ port: 10252
+ initialDelaySeconds: 15
+ timeoutSeconds: 15
+ volumeMounts:
+ - mountPath: /etc/kubernetes/ssl
+ name: ssl-certs-kubernetes
+ readOnly: true
+ - mountPath: /etc/ssl/certs
+ name: ssl-certs-host
+ readOnly: true
+ hostNetwork: true
+ volumes:
+ - hostPath:
+ path: /etc/kubernetes/ssl
+ name: ssl-certs-kubernetes
+ - hostPath:
+ path: /usr/share/ca-certificates
+ name: ssl-certs-host
+ - path: /etc/kubernetes/manifests/kube-scheduler.yaml
+ filesystem: root
+ contents:
+ inline: |
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: kube-scheduler
+ namespace: kube-system
+ spec:
+ hostNetwork: true
+ containers:
+ - name: kube-scheduler
+ image: quay.io/coreos/hyperkube:{{.k8s_version}}
+ command:
+ - /hyperkube
+ - scheduler
+ - --master=http://127.0.0.1:8080
+ - --leader-elect=true
+ resources:
+ requests:
+ cpu: 100m
+ livenessProbe:
+ httpGet:
+ host: 127.0.0.1
+ path: /healthz
+ port: 10251
+ initialDelaySeconds: 15
+ timeoutSeconds: 15
+ - path: /srv/kubernetes/manifests/kube-dns-deployment.yaml
+ filesystem: root
+ contents:
+ inline: |
+ apiVersion: extensions/v1beta1
+ kind: Deployment
+ metadata:
+ name: kube-dns
+ namespace: kube-system
+ labels:
+ k8s-app: kube-dns
+ kubernetes.io/cluster-service: "true"
+ spec:
+ strategy:
+ rollingUpdate:
+ maxSurge: 10%
+ maxUnavailable: 0
+ selector:
+ matchLabels:
+ k8s-app: kube-dns
+ template:
+ metadata:
+ labels:
+ k8s-app: kube-dns
+ annotations:
+ scheduler.alpha.kubernetes.io/critical-pod: ''
+ scheduler.alpha.kubernetes.io/tolerations: '[{"key":"CriticalAddonsOnly", "operator":"Exists"}]'
+ spec:
+ containers:
+ - name: kubedns
+ image: gcr.io/google_containers/kubedns-amd64:1.9
+ livenessProbe:
+ httpGet:
+ path: /healthz-kubedns
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 60
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ readinessProbe:
+ httpGet:
+ path: /readiness
+ port: 8081
+ scheme: HTTP
+ initialDelaySeconds: 3
+ timeoutSeconds: 5
+ args:
+ - --domain=cluster.local
+ - --dns-port=10053
+ - --config-map=kube-dns
+ - --v=2
+ env:
+ - name: PROMETHEUS_PORT
+ value: "10055"
+ ports:
+ - containerPort: 10053
+ name: dns-local
+ protocol: UDP
+ - containerPort: 10053
+ name: dns-tcp-local
+ protocol: TCP
+ - containerPort: 10055
+ name: metrics
+ protocol: TCP
+ - name: dnsmasq
+ image: gcr.io/google_containers/kube-dnsmasq-amd64:1.4
+ livenessProbe:
+ httpGet:
+ path: /healthz-dnsmasq
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 60
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ args:
+ - --cache-size=1000
+ - --no-resolv
+ - --server=127.0.0.1#10053
+ - --log-facility=-
+ ports:
+ - containerPort: 53
+ name: dns
+ protocol: UDP
+ - containerPort: 53
+ name: dns-tcp
+ protocol: TCP
+ - name: dnsmasq-metrics
+ image: gcr.io/google_containers/dnsmasq-metrics-amd64:1.0
+ livenessProbe:
+ httpGet:
+ path: /metrics
+ port: 10054
+ scheme: HTTP
+ initialDelaySeconds: 60
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ args:
+ - --v=2
+ - --logtostderr
+ ports:
+ - containerPort: 10054
+ name: metrics
+ protocol: TCP
+ - name: healthz
+ image: gcr.io/google_containers/exechealthz-amd64:1.2
+ args:
+ - --cmd=nslookup kubernetes.default.svc.cluster.local 127.0.0.1 >/dev/null
+ - --url=/healthz-dnsmasq
+ - --cmd=nslookup kubernetes.default.svc.cluster.local 127.0.0.1:10053 >/dev/null
+ - --url=/healthz-kubedns
+ - --port=8080
+ - --quiet
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+ dnsPolicy: Default
+ - path: /srv/kubernetes/manifests/kube-dns-svc.yaml
+ filesystem: root
+ contents:
+ inline: |
+ apiVersion: v1
+ kind: Service
+ metadata:
+ name: kube-dns
+ namespace: kube-system
+ labels:
+ k8s-app: kube-dns
+ kubernetes.io/cluster-service: "true"
+ kubernetes.io/name: "KubeDNS"
+ spec:
+ selector:
+ k8s-app: kube-dns
+ clusterIP: {{.k8s_dns_service_ip}}
+ ports:
+ - name: dns
+ port: 53
+ protocol: UDP
+ - name: dns-tcp
+ port: 53
+ protocol: TCP
+ - path: /srv/kubernetes/manifests/heapster-deployment.yaml
+ filesystem: root
+ contents:
+ inline: |
+ apiVersion: extensions/v1beta1
+ kind: Deployment
+ metadata:
+ name: heapster-v1.2.0
+ namespace: kube-system
+ labels:
+ k8s-app: heapster
+ kubernetes.io/cluster-service: "true"
+ version: v1.2.0
+ spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ k8s-app: heapster
+ version: v1.2.0
+ template:
+ metadata:
+ labels:
+ k8s-app: heapster
+ version: v1.2.0
+ annotations:
+ scheduler.alpha.kubernetes.io/critical-pod: ''
+ scheduler.alpha.kubernetes.io/tolerations: '[{"key":"CriticalAddonsOnly", "operator":"Exists"}]'
+ spec:
+ containers:
+ - image: gcr.io/google_containers/heapster:v1.2.0
+ name: heapster
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8082
+ scheme: HTTP
+ initialDelaySeconds: 180
+ timeoutSeconds: 5
+ command:
+ - /heapster
+ - --source=kubernetes.summary_api:''
+ - image: gcr.io/google_containers/addon-resizer:1.6
+ name: heapster-nanny
+ resources:
+ limits:
+ cpu: 50m
+ memory: 90Mi
+ requests:
+ cpu: 50m
+ memory: 90Mi
+ env:
+ - name: MY_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: MY_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ command:
+ - /pod_nanny
+ - --cpu=80m
+ - --extra-cpu=4m
+ - --memory=200Mi
+ - --extra-memory=4Mi
+ - --threshold=5
+ - --deployment=heapster-v1.2.0
+ - --container=heapster
+ - --poll-period=300000
+ - --estimator=exponential
+ - path: /srv/kubernetes/manifests/heapster-svc.yaml
+ filesystem: root
+ contents:
+ inline: |
+ kind: Service
+ apiVersion: v1
+ metadata:
+ name: heapster
+ namespace: kube-system
+ labels:
+ kubernetes.io/cluster-service: "true"
+ kubernetes.io/name: "Heapster"
+ spec:
+ ports:
+ - port: 80
+ targetPort: 8082
+ selector:
+ k8s-app: heapster
+ - path: /srv/kubernetes/manifests/kube-dashboard-deployment.yaml
+ filesystem: root
+ contents:
+ inline: |
+ apiVersion: extensions/v1beta1
+ kind: Deployment
+ metadata:
+ name: kubernetes-dashboard
+ namespace: kube-system
+ labels:
+ k8s-app: kubernetes-dashboard
+ kubernetes.io/cluster-service: "true"
+ spec:
+ selector:
+ matchLabels:
+ k8s-app: kubernetes-dashboard
+ template:
+ metadata:
+ labels:
+ k8s-app: kubernetes-dashboard
+ annotations:
+ scheduler.alpha.kubernetes.io/critical-pod: ''
+ scheduler.alpha.kubernetes.io/tolerations: '[{"key":"CriticalAddonsOnly", "operator":"Exists"}]'
+ spec:
+ containers:
+ - name: kubernetes-dashboard
+ image: gcr.io/google_containers/kubernetes-dashboard-amd64:v1.5.0
+ resources:
+ # keep request = limit to keep this container in guaranteed class
+ limits:
+ cpu: 100m
+ memory: 50Mi
+ requests:
+ cpu: 100m
+ memory: 50Mi
+ ports:
+ - containerPort: 9090
+ livenessProbe:
+ httpGet:
+ path: /
+ port: 9090
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+ - path: /srv/kubernetes/manifests/kube-dashboard-svc.yaml
+ filesystem: root
+ contents:
+ inline: |
+ apiVersion: v1
+ kind: Service
+ metadata:
+ name: kubernetes-dashboard
+ namespace: kube-system
+ labels:
+ k8s-app: kubernetes-dashboard
+ kubernetes.io/cluster-service: "true"
+ spec:
+ selector:
+ k8s-app: kubernetes-dashboard
+ ports:
+ - port: 80
+ targetPort: 9090
+ - path: /opt/init-flannel
+ filesystem: root
+ mode: 0544
+ contents:
+ inline: |
+ #!/bin/bash -ex
+ function init_flannel {
+ echo "Waiting for etcd..."
+ while true
+ do
+ IFS=',' read -ra ES <<< "{{.k8s_etcd_endpoints}}"
+ for ETCD in "${ES[@]}"; do
+ echo "Trying: $ETCD"
+ if [ -n "$(curl --silent "$ETCD/v2/machines")" ]; then
+ local ACTIVE_ETCD=$ETCD
+ break
+ fi
+ sleep 1
+ done
+ if [ -n "$ACTIVE_ETCD" ]; then
+ break
+ fi
+ done
+ RES=$(curl --silent -X PUT -d "value={\"Network\":\"{{.k8s_pod_network}}\",\"Backend\":{\"Type\":\"vxlan\"}}" "$ACTIVE_ETCD/v2/keys/coreos.com/network/config?prevExist=false")
+ if [ -z "$(echo $RES | grep '"action":"create"')" ] && [ -z "$(echo $RES | grep 'Key already exists')" ]; then
+ echo "Unexpected error configuring flannel pod network: $RES"
+ fi
+ }
+ init_flannel
+ {{ if eq .container_runtime "rkt" }}
+ - path: /opt/bin/host-rkt
+ filesystem: root
+ mode: 0544
+ contents:
+ inline: |
+ #!/bin/sh
+ # This is bind mounted into the kubelet rootfs and all rkt shell-outs go
+ # through this rkt wrapper. It essentially enters the host mount namespace
+ # (which it is already in) only for the purpose of breaking out of the chroot
+ # before calling rkt. It makes things like rkt gc work and avoids bind mounting
+ # in certain rkt filesystem dependancies into the kubelet rootfs. This can
+ # eventually be obviated when the write-api stuff gets upstream and rkt gc is
+ # through the api-server. Related issue:
+ # https://github.com/coreos/rkt/issues/2878
+ exec nsenter -m -u -i -n -p -t 1 -- /usr/bin/rkt "$@"
+ {{ end }}
+ - path: /opt/k8s-addons
+ filesystem: root
+ mode: 0544
+ contents:
+ inline: |
+ #!/bin/bash -ex
+ echo "Waiting for Kubernetes API..."
+ until curl --silent "http://127.0.0.1:8080/version"
+ do
+ sleep 5
+ done
+ echo "K8S: DNS addon"
+ curl --silent -H "Content-Type: application/yaml" -XPOST -d"$(cat /srv/kubernetes/manifests/kube-dns-deployment.yaml)" "http://127.0.0.1:8080/apis/extensions/v1beta1/namespaces/kube-system/deployments"
+ curl --silent -H "Content-Type: application/yaml" -XPOST -d"$(cat /srv/kubernetes/manifests/kube-dns-svc.yaml)" "http://127.0.0.1:8080/api/v1/namespaces/kube-system/services"
+ echo "K8S: Heapster addon"
+ curl --silent -H "Content-Type: application/yaml" -XPOST -d"$(cat /srv/kubernetes/manifests/heapster-deployment.yaml)" "http://127.0.0.1:8080/apis/extensions/v1beta1/namespaces/kube-system/deployments"
+ curl --silent -H "Content-Type: application/yaml" -XPOST -d"$(cat /srv/kubernetes/manifests/heapster-svc.yaml)" "http://127.0.0.1:8080/api/v1/namespaces/kube-system/services"
+ echo "K8S: Dashboard addon"
+ curl --silent -H "Content-Type: application/yaml" -XPOST -d"$(cat /srv/kubernetes/manifests/kube-dashboard-deployment.yaml)" "http://127.0.0.1:8080/apis/extensions/v1beta1/namespaces/kube-system/deployments"
+ curl --silent -H "Content-Type: application/yaml" -XPOST -d"$(cat /srv/kubernetes/manifests/kube-dashboard-svc.yaml)" "http://127.0.0.1:8080/api/v1/namespaces/kube-system/services"
+ - path: "/etc/modules-load.d/rbd.conf"
+ filesystem: root
+ contents:
+ inline: |
+ rbd
+ - path: "/opt/bin/ceph-rbdnamer"
+ filesystem: root
+ mode: 0755
+ contents:
+ inline: |
+ #!/bin/sh
+ DEV=$1
+ NUM=`echo $DEV | sed 's#p.*##g' | tr -d 'a-z'`
+ POOL=`cat /sys/devices/rbd/$NUM/pool`
+ IMAGE=`cat /sys/devices/rbd/$NUM/name`
+ SNAP=`cat /sys/devices/rbd/$NUM/current_snap`
+ if [ "$SNAP" = "-" ]; then
+ echo -n "$POOL $IMAGE"
+ else
+ echo -n "$POOL $IMAGE@$SNAP"
+ fi
+ - path: "/etc/udev/rules.d/50-rbd.rules"
+ filesystem: root
+ contents:
+ inline: |
+ KERNEL=="rbd[0-9]*", ENV{DEVTYPE}=="disk", PROGRAM="/opt/bin/ceph-rbdnamer %k", SYMLINK+="rbd/%c{1}/%c{2}"
+ KERNEL=="rbd[0-9]*", ENV{DEVTYPE}=="partition", PROGRAM="/opt/bin/ceph-rbdnamer %k", SYMLINK+="rbd/%c{1}/%c{2}-part%n"
+ - path: /etc/ssh/sshd_config
+ filesystem: root
+ mode: 0600
+ user:
+ id: 0
+ group:
+ id: 0
+ contents:
+ inline: |
+ UsePrivilegeSeparation sandbox
+ Subsystem sftp internal-sftp
+ ClientAliveInterval 180
+ UseDNS no
+ ListenAddress {{.ssh_ip}}
+{{ if index . "ssh_authorized_keys" }}
+passwd:
+ users:
+ - name: core
+ ssh_authorized_keys:
+ {{ range $element := .ssh_authorized_keys }}
+ - {{$element}}
+ {{end}}
+{{end}}{% endraw %}
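Review bot: The `k8s-certs@.service` unit fetches `{{.k8s_cert_endpoint}}/tls/%i` with a plain `curl` from the `http://…:8080/assets` endpoint, and `k8s-assets.target` requires `apiserver-key.pem` through it, so the API server's TLS private key — which is also the service-account signing key via `--service-account-key-file` — is downloaded unauthenticated and unencrypted from the matchbox host (the copy task on L824-L828 of this commit publishes it there). Any host on the management network can retrieve that key; serving assets only over TLS with client authentication or confining the asset endpoint to an isolated provisioning network, and rotating the key afterwards, would be the mitigation. etcd in the same file listens on `http://0.0.0.0:2379` and `:2380` with no client or peer certificates, so cluster state is exposed the same way. Separately, `RequiredBy=k8-addons.service` in the sysdig unit does not match the unit actually defined, `k8s-addons.service`, so that dependency is never wired up; change it to `RequiredBy=k8s-addons.service`.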
diff --git a/ansible/roles/ansible-vvp-bootstrap/templates/ignition/coreos-install.yaml.j2 b/ansible/roles/ansible-vvp-bootstrap/templates/ignition/coreos-install.yaml.j2
new file mode 100755
index 0000000..30cd838
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/templates/ignition/coreos-install.yaml.j2
@@ -0,0 +1,107 @@
+{#
+-*- encoding: utf-8 -*-
+============LICENSE_START=======================================================
+org.onap.vvp/engagementmgr
+===================================================================
+Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+===================================================================
+
+Unless otherwise specified, all software contained herein is licensed
+under the Apache License, Version 2.0 (the “License”);
+you may not use this software except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+
+
+Unless otherwise specified, all documentation contained herein is licensed
+under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+you may not use this documentation except in compliance with the License.
+You may obtain a copy of the License at
+
+ https://creativecommons.org/licenses/by/4.0/
+
+Unless required by applicable law or agreed to in writing, documentation
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+============LICENSE_END============================================
+
+ ECOMP is a trademark and service mark of AT&T Intellectual Property.
+#}
+---
+storage:
+ disks:
+{% for disk in disks %}
+ - device: {{disk.device}}
+ wipe_table: {{disk.wipe_table}}
+{% for partition in disk.partitions %}
+ partitions:
+ - label: {{partition.label}}
+ number: {{partition.number}}
+{% endfor %}
+{% endfor %}
+ filesystems:
+{% for fs in filesystems if not "sda" in fs.device %}
+ - name: {{fs.name}}
+ mount:
+ device: "{{fs.device}}"
+ format: "{{fs.format}}"
+ create:
+ force: {{fs.create.force}}
+{% if "options" in fs.create.keys() %}
+ options:
+{% for option in fs.create.options %}
+ - "{{option}}"
+{% endfor %}
+{% endif %}
+{% endfor %}
+systemd:
+ units:
+{% for mount in mounts %}
+ - name: {{mount.name}}.mount
+ enable: true
+ contents: |
+ [Mount]
+ What={{mount.dev}}
+ Where={{mount.dest}}
+ Type={{mount.type}}
+ [Install]
+ WantedBy=local-fs.target
+{% endfor %}
+ - name: install.service
+ enable: true
+ contents: |
+ [Unit]
+ Requires=network-online.target
+ After=network-online.target
+ Requires=systemd-networkd.socket
+ After=systemd-networkd.socket
+ [Service]
+ Type=oneshot
+ ExecStartPre=/usr/lib/systemd/systemd-networkd-wait-online {% raw %}
+ ExecStart=/usr/bin/curl {{.ignition_endpoint}}?{{.request.raw_query}}&os=installed -o ignition.json
+ ExecStart=/usr/bin/coreos-install -d /dev/sda -C {{.coreos_channel}} -V {{.coreos_version}} -b http://{% endraw %}{{ops_management_ip}}{% raw %}:8080/assets/coreos -i ignition.json
+ ExecStart=/usr/bin/udevadm settle
+ ExecStart=/usr/bin/systemctl reboot
+ [Install]
+ WantedBy=multi-user.target
+{{ if .ssh_authorized_keys }}
+passwd:
+ users:
+ - name: core
+ ssh_authorized_keys:
+ {{ range $element := .ssh_authorized_keys }}
+ - {{$element}}
+ {{end}}
+{{end}}
+{% endraw %}
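Review bot: The first `ExecStart` of `install.service` (`/usr/bin/curl {{.ignition_endpoint}}?... -o ignition.json`) has no `--fail`, so an HTTP error body from the endpoint is saved as ignition.json and the next `ExecStart` installs CoreOS with that as its config instead of the unit failing; change it to `ExecStart=/usr/bin/curl --fail --silent --show-error "{{.ignition_endpoint}}?{{.request.raw_query}}&os=installed" -o ignition.json`. Both fetches in this unit are plain http to `{{ops_management_ip}}:8080` and there is no integrity check on the Ignition document itself, which is the whole node configuration including sshd_config and authorized keys, so this flow only holds up on an isolated provisioning network (coreos-install's own signature check covers the image, not the Ignition JSON, as far as I recall its defaults). The install target and the filesystem filter are both hard-coded to `sda` (`-d /dev/sda`, `if not "sda" in fs.device`) while `disks` is otherwise data-driven; a comment at the `filesystems:` loop such as `{# /dev/sda is the fixed install disk and is formatted by coreos-install, so it is skipped here #}` would save the next reader a surprise.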
diff --git a/ansible/roles/ansible-vvp-bootstrap/templates/ignition/worker.yaml.j2 b/ansible/roles/ansible-vvp-bootstrap/templates/ignition/worker.yaml.j2
new file mode 100755
index 0000000..701559b
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/templates/ignition/worker.yaml.j2
@@ -0,0 +1,397 @@
+{#
+-*- encoding: utf-8 -*-
+============LICENSE_START=======================================================
+org.onap.vvp/engagementmgr
+===================================================================
+Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+===================================================================
+
+Unless otherwise specified, all software contained herein is licensed
+under the Apache License, Version 2.0 (the “License”);
+you may not use this software except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+
+
+Unless otherwise specified, all documentation contained herein is licensed
+under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+you may not use this documentation except in compliance with the License.
+You may obtain a copy of the License at
+
+ https://creativecommons.org/licenses/by/4.0/
+
+Unless required by applicable law or agreed to in writing, documentation
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+============LICENSE_END============================================
+
+ ECOMP is a trademark and service mark of AT&T Intellectual Property.
+#}
+---
+{% raw %}
+systemd:
+ units:
+ - name: sshd.socket
+ enable: true
+ contents: |
+ [Unit]
+ Description=OpenSSH Server Socket
+ Conflicts=sshd.service
+
+ [Socket]
+ ListenStream={{.ssh_ip}}:22
+ FreeBind=true
+ Accept=yes
+
+ [Install]
+ WantedBy=sockets.target
+ - name: etcd2.service
+ enable: true
+ dropins:
+ - name: 40-etcd-cluster.conf
+ contents: |
+ [Service]
+ Environment="ETCD_NAME={{.etcd_name}}"
+ Environment="ETCD_ADVERTISE_CLIENT_URLS=http://{{.domain_name}}:2379"
+ Environment="ETCD_INITIAL_ADVERTISE_PEER_URLS={{.etcd_initial_peers}}"
+ Environment="ETCD_LISTEN_CLIENT_URLS=http://0.0.0.0:2379"
+ Environment="ETCD_LISTEN_PEER_URLS=http://0.0.0.0:2380"
+ Environment="ETCD_INITIAL_CLUSTER={{.etcd_initial_cluster}}"
+ Environment="ETCD_STRICT_RECONFIG_CHECK=true"
+ - name: flanneld.service
+ dropins:
+ - name: 40-add-options.conf
+ contents: |
+ [Service]
+ EnvironmentFile=-/etc/flannel/options.env
+ - name: docker.service
+ dropins:
+ - name: 40-flannel.conf
+ contents: |
+ [Unit]
+ Requires=flanneld.service
+ After=flanneld.service
+ [Service]
+ EnvironmentFile=/etc/kubernetes/cni/docker_opts_cni.env
+ - name: locksmithd.service
+ dropins:
+ - name: 40-etcd-lock.conf
+ contents: |
+ [Service]
+ Environment="REBOOT_STRATEGY=off"
+ - name: k8s-certs@.service
+ contents: |
+ [Unit]
+ Description=Fetch Kubernetes certificate assets
+ Requires=network-online.target
+ After=network-online.target
+ [Service]
+ ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/ssl
+ ExecStart=/usr/bin/bash -c "[ -f /etc/kubernetes/ssl/%i ] || curl {{.k8s_cert_endpoint}}/tls/%i -o /etc/kubernetes/ssl/%i"
+ - name: k8s-assets.target
+ contents: |
+ [Unit]
+ Description=Load Kubernetes Assets
+ Requires=k8s-certs@worker.pem.service
+ After=k8s-certs@worker.pem.service
+ Requires=k8s-certs@worker-key.pem.service
+ After=k8s-certs@worker-key.pem.service
+ Requires=k8s-certs@ca.pem.service
+ After=k8s-certs@ca.pem.service
+ - name: kubelet.service
+ enable: true
+ contents: |
+ [Unit]
+ Description=Kubelet via Hyperkube ACI
+ Requires=k8s-assets.target
+ After=k8s-assets.target
+ [Service]
+ Environment=KUBELET_VERSION={{.k8s_version}}
+ Environment="RKT_OPTS=--uuid-file-save=/var/run/kubelet-pod.uuid \
+ --volume dns,kind=host,source=/etc/resolv.conf \
+ --mount volume=dns,target=/etc/resolv.conf \
+ {{ if eq .container_runtime "rkt" -}}
+ --volume rkt,kind=host,source=/opt/bin/host-rkt \
+ --mount volume=rkt,target=/usr/bin/rkt \
+ --volume var-lib-rkt,kind=host,source=/var/lib/rkt \
+ --mount volume=var-lib-rkt,target=/var/lib/rkt \
+ --volume stage,kind=host,source=/tmp \
+ --mount volume=stage,target=/tmp \
+ {{ end -}}
+ --volume modprobe,kind=host,source=/usr/sbin/modprobe \
+ --mount volume=modprobe,target=/usr/sbin/modprobe \
+ --volume lib-modules,kind=host,source=/lib/modules \
+ --mount volume=lib-modules,target=/lib/modules \
+ --volume mkfsxfs,kind=host,source=/usr/sbin/mkfs.xfs \
+ --mount volume=mkfsxfs,target=/usr/sbin/mkfs.xfs \
+ --volume libxfs,kind=host,source=/lib64/libxfs.so.0 \
+ --mount volume=libxfs,target=/lib64/libxfs.so.0 \
+ --volume var-log,kind=host,source=/var/log \
+ --mount volume=var-log,target=/var/log"
+ ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/manifests
+ ExecStartPre=/usr/bin/mkdir -p /var/log/containers
+ ExecStartPre=-/usr/bin/rkt rm --uuid-file=/var/run/kubelet-pod.uuid
+ ExecStart=/usr/lib/coreos/kubelet-wrapper \
+ --api-servers={{.k8s_controller_endpoint}} \
+ --cni-conf-dir=/etc/kubernetes/cni/net.d \
+ --network-plugin=cni \
+ --container-runtime={{.container_runtime}} \
+ --rkt-path=/usr/bin/rkt \
+ --rkt-stage1-image=coreos.com/rkt/stage1-coreos \
+ --register-node=true \
+ --allow-privileged=true \
+ --pod-manifest-path=/etc/kubernetes/manifests \
+ --hostname-override={{.domain_name}} \
+ --cluster_dns={{.k8s_dns_service_ip}} \
+ --cluster_domain=cluster.local \
+ --kubeconfig=/etc/kubernetes/worker-kubeconfig.yaml \
+ --tls-cert-file=/etc/kubernetes/ssl/worker.pem \
+ --tls-private-key-file=/etc/kubernetes/ssl/worker-key.pem
+ ExecStop=-/usr/bin/rkt stop --uuid-file=/var/run/kubelet-pod.uuid
+ Restart=always
+ RestartSec=10
+ [Install]
+ WantedBy=multi-user.target
+ {{ if eq .container_runtime "rkt" }}
+ - name: rkt-api.service
+ enable: true
+ contents: |
+ [Unit]
+ Before=kubelet.service
+ [Service]
+ ExecStart=/usr/bin/rkt api-service
+ Restart=always
+ RestartSec=10
+ [Install]
+ RequiredBy=kubelet.service
+ - name: load-rkt-stage1.service
+ enable: true
+ contents: |
+ [Unit]
+ Description=Load rkt stage1 images
+ Documentation=http://github.com/coreos/rkt
+ Requires=network-online.target
+ After=network-online.target
+ Before=rkt-api.service
+ [Service]
+ Type=oneshot
+ RemainAfterExit=yes
+ ExecStart=/usr/bin/rkt fetch /usr/lib/rkt/stage1-images/stage1-coreos.aci /usr/lib/rkt/stage1-images/stage1-fly.aci --insecure-options=image
+ [Install]
+ RequiredBy=rkt-api.service
+ {{ end }}
+ {{if ne .sysdig_access_key "" }}
+ - name: sysdig.service
+ enable: true
+ contents: |
+ [Unit]
+ Description=Sysdig Cloud Agent
+ After=docker.service
+ Requires=docker.service
+ [Service]
+ TimeoutStartSec=0
+ ExecStartPre=-/usr/bin/docker kill sysdig-agent
+ ExecStartPre=-/usr/bin/docker rm sysdig-agent
+ ExecStartPre=-/usr/bin/docker rmi sysdig-agent
+ ExecStartPre=/usr/bin/docker pull sysdig/agent
+{% endraw %}
+ ExecStart=/usr/bin/docker run --name sysdig-agent --privileged --net host --pid host -e ADDITIONAL_CONF="app_checks:\n - name: nginx\n enabled: false" -e ACCESS_KEY={{sysdig_access_key}} -e TAGS=deploy_environment:{{ice_environment}} -v /var/lib/rkt:/host/var/lib/rkt:ro -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro sysdig/agent {% raw %}
+ ExecStop=/usr/bin/docker stop sysdig-agent
+ [Install]
+ WantedBy=multi-user.target
+ RequiredBy=k8-addons.service
+ {{ end }}
+storage:
+ filesystems:
+{% endraw %}
+{% for fs in filesystems %}
+ - name: {{fs.device}}
+ mount:
+ device: {{fs.device}}
+ format: {{fs.format}}
+ create:
+ force: {{fs.create.force}}
+{% if "options" in fs.create.keys() %}
+ options:
+{% for option in fs.create.options %}
+ - {{option}}
+{% endfor %}
+{% endif %}
+{% endfor %}{% raw %}
+ files:
+ - path: /etc/kubernetes/cni/net.d/10-flannel.conf
+ filesystem: root
+ contents:
+ inline: |
+ {
+ "name": "podnet",
+ "type": "flannel",
+ "delegate": {
+ "isDefaultGateway": true
+ }
+ }
+ - path: /etc/kubernetes/cni/docker_opts_cni.env
+ filesystem: root
+ contents:
+ inline: |
+ DOCKER_OPT_BIP=""
+ DOCKER_OPT_IPMASQ=""
+ - path: /etc/sysctl.d/max-user-watches.conf
+ filesystem: root
+ contents:
+ inline: |
+ fs.inotify.max_user_watches=16184
+ - path: /etc/kubernetes/worker-kubeconfig.yaml
+ filesystem: root
+ contents:
+ inline: |
+ apiVersion: v1
+ kind: Config
+ clusters:
+ - name: local
+ cluster:
+ certificate-authority: /etc/kubernetes/ssl/ca.pem
+ users:
+ - name: kubelet
+ user:
+ client-certificate: /etc/kubernetes/ssl/worker.pem
+ client-key: /etc/kubernetes/ssl/worker-key.pem
+ contexts:
+ - context:
+ cluster: local
+ user: kubelet
+ name: kubelet-context
+ current-context: kubelet-context
+ - path: /etc/kubernetes/manifests/kube-proxy.yaml
+ filesystem: root
+ contents:
+ inline: |
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: kube-proxy
+ namespace: kube-system
+ annotations:
+ rkt.alpha.kubernetes.io/stage1-name-override: coreos.com/rkt/stage1-fly
+ spec:
+ hostNetwork: true
+ containers:
+ - name: kube-proxy
+ image: quay.io/coreos/hyperkube:{{.k8s_version}}
+ command:
+ - /hyperkube
+ - proxy
+ - --master={{.k8s_controller_endpoint}}
+ - --kubeconfig=/etc/kubernetes/worker-kubeconfig.yaml
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - mountPath: /etc/ssl/certs
+ name: "ssl-certs"
+ - mountPath: /etc/kubernetes/worker-kubeconfig.yaml
+ name: "kubeconfig"
+ readOnly: true
+ - mountPath: /etc/kubernetes/ssl
+ name: "etc-kube-ssl"
+ readOnly: true
+ - mountPath: /var/run/dbus
+ name: dbus
+ readOnly: false
+ volumes:
+ - name: "ssl-certs"
+ hostPath:
+ path: "/usr/share/ca-certificates"
+ - name: "kubeconfig"
+ hostPath:
+ path: "/etc/kubernetes/worker-kubeconfig.yaml"
+ - name: "etc-kube-ssl"
+ hostPath:
+ path: "/etc/kubernetes/ssl"
+ - hostPath:
+ path: /var/run/dbus
+ name: dbus
+ - path: /etc/flannel/options.env
+ filesystem: root
+ contents:
+ inline: |
+ FLANNELD_ETCD_ENDPOINTS={{.k8s_etcd_endpoints}}
+ FLANNELD_IFACE={{.k8s_flanneld_iface}}
+ {{ if eq .container_runtime "rkt" }}
+ - path: /opt/bin/host-rkt
+ filesystem: root
+ mode: 0544
+ contents:
+ inline: |
+ #!/bin/sh
+ # This is bind mounted into the kubelet rootfs and all rkt shell-outs go
+ # through this rkt wrapper. It essentially enters the host mount namespace
+ # (which it is already in) only for the purpose of breaking out of the chroot
+ # before calling rkt. It makes things like rkt gc work and avoids bind mounting
+ # in certain rkt filesystem dependancies into the kubelet rootfs. This can
+ # eventually be obviated when the write-api stuff gets upstream and rkt gc is
+ # through the api-server. Related issue:
+ # https://github.com/coreos/rkt/issues/2878
+ exec nsenter -m -u -i -n -p -t 1 -- /usr/bin/rkt "$@"
+ {{ end }}
+ - path: "/etc/modules-load.d/rbd.conf"
+ filesystem: root
+ contents:
+ inline: |
+ rbd
+ - path: "/opt/bin/ceph-rbdnamer"
+ filesystem: root
+ mode: 0755
+ contents:
+ inline: |
+ #!/bin/sh
+ DEV=$1
+ NUM=`echo $DEV | sed 's#p.*##g' | tr -d 'a-z'`
+ POOL=`cat /sys/devices/rbd/$NUM/pool`
+ IMAGE=`cat /sys/devices/rbd/$NUM/name`
+ SNAP=`cat /sys/devices/rbd/$NUM/current_snap`
+ if [ "$SNAP" = "-" ]; then
+ echo -n "$POOL $IMAGE"
+ else
+ echo -n "$POOL $IMAGE@$SNAP"
+ fi
+ - path: "/etc/udev/rules.d/50-rbd.rules"
+ filesystem: root
+ contents:
+ inline: |
+ KERNEL=="rbd[0-9]*", ENV{DEVTYPE}=="disk", PROGRAM="/opt/bin/ceph-rbdnamer %k", SYMLINK+="rbd/%c{1}/%c{2}"
+ KERNEL=="rbd[0-9]*", ENV{DEVTYPE}=="partition", PROGRAM="/opt/bin/ceph-rbdnamer %k", SYMLINK+="rbd/%c{1}/%c{2}-part%n"
+ - path: /etc/ssh/sshd_config
+ filesystem: root
+ mode: 0600
+ user:
+ id: 0
+ group:
+ id: 0
+ contents:
+ inline: |
+ # Use most defaults for sshd configuration.
+ UsePrivilegeSeparation sandbox
+ Subsystem sftp internal-sftp
+ ClientAliveInterval 180
+ UseDNS no
+ ListenAddress {{.ssh_ip}}
+{{ if index . "ssh_authorized_keys" }}
+passwd:
+ users:
+ - name: core
+ ssh_authorized_keys:
+ {{ range $element := .ssh_authorized_keys }}
+ - {{$element}}
+ {{end}}
+{{end}}{% endraw %}
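Review bot: `k8s-certs@.service` fetches `worker.pem`, `worker-key.pem` and `ca.pem` with a bare `curl {{.k8s_cert_endpoint}}/tls/%i -o ...`, so an error page is written as the key file and, because of the `[ -f ... ] ||` guard, is never re-fetched afterwards; use `curl --fail --silent --show-error ...` so the unit fails instead, and consider `ExecStartPre=/usr/bin/mkdir -p -m 0700 /etc/kubernetes/ssl` since a private key lands in a directory created with default permissions. The same `worker-key.pem` name is fetched by every worker, so all kubelets appear to share one identity and one compromised node holds the credentials of all of them; if that is the intended trade-off, a comment on the `k8s-assets.target` unit should say so. The etcd2 drop-in binds `ETCD_LISTEN_CLIENT_URLS` and `ETCD_LISTEN_PEER_URLS` to `http://0.0.0.0` with no TLS or auth, which exposes the flannel/cluster key-space to anything that can reach the node; at minimum bind the client URL to the node's own address. Lastly, the `filesystems` block leaves `device:`/`format:` unquoted whereas coreos-install.yaml.j2 quotes them, and `{{sysdig_access_key}}` is rendered straight into the sysdig unit's `ExecStart`, where it is visible in `systemctl show` and in the unauthenticated Ignition document.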
diff --git a/ansible/roles/ansible-vvp-bootstrap/templates/kubeconfig.j2 b/ansible/roles/ansible-vvp-bootstrap/templates/kubeconfig.j2
new file mode 100755
index 0000000..a8e03bf
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/templates/kubeconfig.j2
@@ -0,0 +1,56 @@
+# -*- encoding: utf-8 -*-
+# ============LICENSE_START=======================================================
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+apiVersion: v1
+kind: Config
+users:
+- name: bootcfg-user
+ user:
+ client-certificate-data: {{ADMIN_CERT_BASE64.stdout}}
+ client-key-data: {{ADMIN_KEY_BASE64.stdout}}
+clusters:
+- name: bootcfg-cluster
+ cluster:
+ certificate-authority-data: {{CA_CERT_BASE64.stdout}}
+ server: https://{{(hosts|selectattr('role', 'equalto', 'controller')|first).name}}.{{domain}}:{{k8s_controller_port}}
+contexts:
+- context:
+ cluster: bootcfg-cluster
+ user: bootcfg-user
+ name: bootcfg-context
+current-context: bootcfg-context
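Review bot: This rendered kubeconfig carries the cluster-admin private key in `client-key-data`, and nothing in this hunk says how it reaches disk; the `template` task that writes it is outside this diff and should render with `mode: "0600"`, and the task registering `ADMIN_KEY_BASE64` should be `no_log: true` so the key is not echoed in play output. The three `*_BASE64.stdout` values are assumed to be single-line (`base64 -w0`); a wrapped stdout would put continuation lines at column 0 and break the YAML, which is worth a header comment such as `# ADMIN_*/CA_* must be single-line base64 (base64 -w0)` above `users:`.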
diff --git a/ansible/roles/ansible-vvp-bootstrap/templates/openssl.config.j2 b/ansible/roles/ansible-vvp-bootstrap/templates/openssl.config.j2
new file mode 100755
index 0000000..3d44c5b
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/templates/openssl.config.j2
@@ -0,0 +1,73 @@
+# -*- encoding: utf-8 -*-
+# ============LICENSE_START=======================================================
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+
+[req_distinguished_name]
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.101 = kubernetes
+DNS.102 = kubernetes.default
+DNS.103 = kubernetes.default.svc
+DNS.104 = kubernetes.default.svc.cluster.local
+{% if item == "apiserver" %}
+IP.200 = 10.3.0.1
+ {% for controller in hosts|selectattr('role', 'equalto', 'controller') %}
+ {%- set count = loop.index %}
+ {%- for entry in controller.dnsmasq_config %}
+IP.{{count}}{{loop.index}} = {{entry.split(',')[1]}}
+DNS.{{count}}{{loop.index}} = {{entry.split(',')[2]}}.{{domain}}
+{% endfor %}
+ {%- endfor %}
+{%- elif item == "worker" %}
+ {%- for worker in hosts|selectattr('role', 'equalto', 'worker') %}
+ {%- set count = loop.index %}
+ {%- for entry in worker.dnsmasq_config %}
+IP.{{count}}{{loop.index }} = {{entry.split(',')[1]}}
+DNS.{{count}}{{loop.index }} = {{entry.split(',')[2]}}.{{domain}}
+{% endfor %}
+ {%- endfor %}
+# workers
+{% endif %}
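Review bot: The SAN keys built as `IP.{{count}}{{loop.index}}` / `DNS.{{count}}{{loop.index}}` concatenate two decimal counters with no separator, so they collide once either counter reaches 10: host 10 entry 1 becomes `DNS.101`, which collides with the fixed `DNS.101 = kubernetes`, and host 1 entry 11 and host 11 entry 1 both become `DNS.111`; OpenSSL only needs the part after the dot to be unique, so `IP.{{count}}_{{loop.index}}` and `DNS.{{count}}_{{loop.index}}` in both branches fixes it. `IP.200 = 10.3.0.1` hard-codes the apiserver's cluster IP; it should be derived from the same variable the service CIDR is configured from, or at least carry a comment `# first address of the service CIDR (kubernetes.default)`. The worker branch puts every worker's IP and hostname into a single certificate, so all kubelets share one identity; if that is intended, say so in a comment at `{%- elif item == "worker" %}` because it determines what a compromised node can impersonate. Adding `extendedKeyUsage = serverAuth, clientAuth` to `[ v3_req ]` would also make these certificates acceptable to stricter TLS clients.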
diff --git a/ansible/roles/ansible-vvp-bootstrap/templates/profiles/controller.json.j2 b/ansible/roles/ansible-vvp-bootstrap/templates/profiles/controller.json.j2
new file mode 100755
index 0000000..11b8cd0
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/templates/profiles/controller.json.j2
@@ -0,0 +1,56 @@
+{#
+-*- encoding: utf-8 -*-
+============LICENSE_START=======================================================
+org.onap.vvp/engagementmgr
+===================================================================
+Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+===================================================================
+
+Unless otherwise specified, all software contained herein is licensed
+under the Apache License, Version 2.0 (the “License”);
+you may not use this software except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+
+
+Unless otherwise specified, all documentation contained herein is licensed
+under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+you may not use this documentation except in compliance with the License.
+You may obtain a copy of the License at
+
+ https://creativecommons.org/licenses/by/4.0/
+
+Unless required by applicable law or agreed to in writing, documentation
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+============LICENSE_END============================================
+
+ ECOMP is a trademark and service mark of AT&T Intellectual Property.
+#}
+{
+ "id": "controller",
+ "name": "Kubernetes Controller",
+ "boot": {
+ "kernel": "/assets/coreos/{{coreos_version}}/coreos_production_pxe.vmlinuz",
+ "initrd": ["/assets/coreos/{{coreos_version}}/coreos_production_pxe_image.cpio.gz"],
+ "cmdline": {
+ "root": "/dev/sda1",
+ "coreos.config.url": "http://{{ops_management_ip}}:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}&os=installed",
+ "coreos.autologin": "",
+ "coreos.first_boot": ""
+ }
+ },
+ "cloud_id": "",
+ "ignition_id": "controller.yaml"
+}
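Review bot: `"coreos.autologin": ""` in this profile's cmdline drops an unauthenticated shell on every console of a controller on every boot that uses this profile, not just during the PXE install; drop that key here and in profiles/worker.json.j2, and keep it at most in profiles/install-reboot.json.j2 if console debugging of the installer is genuinely needed. `coreos.config.url` fetches the node's full Ignition document over plain http from `{{ops_management_ip}}:8080` keyed only by `uuid`/`mac`, so anyone on the provisioning network who knows a MAC can pull that node's configuration (the worker template renders `sysdig_access_key` into it); since JSON has no comments, the role README or the matchbox task should state that port 8080 must be reachable only from the provisioning network.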
diff --git a/ansible/roles/ansible-vvp-bootstrap/templates/profiles/install-reboot.json.j2 b/ansible/roles/ansible-vvp-bootstrap/templates/profiles/install-reboot.json.j2
new file mode 100755
index 0000000..ed4d0df
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/templates/profiles/install-reboot.json.j2
@@ -0,0 +1,55 @@
+{#
+-*- encoding: utf-8 -*-
+============LICENSE_START=======================================================
+org.onap.vvp/engagementmgr
+===================================================================
+Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+===================================================================
+
+Unless otherwise specified, all software contained herein is licensed
+under the Apache License, Version 2.0 (the “License”);
+you may not use this software except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+
+
+Unless otherwise specified, all documentation contained herein is licensed
+under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+you may not use this documentation except in compliance with the License.
+You may obtain a copy of the License at
+
+ https://creativecommons.org/licenses/by/4.0/
+
+Unless required by applicable law or agreed to in writing, documentation
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+============LICENSE_END============================================
+
+ ECOMP is a trademark and service mark of AT&T Intellectual Property.
+#}
+{
+ "id": "install-reboot",
+ "name": "Install CoreOS and Reboot",
+ "boot": {
+ "kernel": "/assets/coreos/{{coreos_version}}/coreos_production_pxe.vmlinuz",
+ "initrd": ["/assets/coreos/{{coreos_version}}/coreos_production_pxe_image.cpio.gz"],
+ "cmdline": {
+ "coreos.config.url": "http://{{ops_management_ip}}:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}",
+ "coreos.autologin": "",
+ "coreos.first_boot": ""
+ }
+ },
+ "cloud_id": "",
+ "ignition_id": "coreos-install.yaml"
+}
diff --git a/ansible/roles/ansible-vvp-bootstrap/templates/profiles/worker.json.j2 b/ansible/roles/ansible-vvp-bootstrap/templates/profiles/worker.json.j2
new file mode 100755
index 0000000..6eb3f24
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/templates/profiles/worker.json.j2
@@ -0,0 +1,56 @@
+{#
+-*- encoding: utf-8 -*-
+============LICENSE_START=======================================================
+org.onap.vvp/engagementmgr
+===================================================================
+Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+===================================================================
+
+Unless otherwise specified, all software contained herein is licensed
+under the Apache License, Version 2.0 (the “License”);
+you may not use this software except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+
+
+Unless otherwise specified, all documentation contained herein is licensed
+under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+you may not use this documentation except in compliance with the License.
+You may obtain a copy of the License at
+
+ https://creativecommons.org/licenses/by/4.0/
+
+Unless required by applicable law or agreed to in writing, documentation
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+============LICENSE_END============================================
+
+ ECOMP is a trademark and service mark of AT&T Intellectual Property.
+#}
+{
+ "id": "worker",
+ "name": "Kubernetes Worker",
+ "boot": {
+ "kernel": "/assets/coreos/{{coreos_version}}/coreos_production_pxe.vmlinuz",
+ "initrd": ["/assets/coreos/{{coreos_version}}/coreos_production_pxe_image.cpio.gz"],
+ "cmdline": {
+ "root": "/dev/sda1",
+ "coreos.config.url": "http://{{ops_management_ip}}:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}",
+ "coreos.autologin": "",
+ "coreos.first_boot": ""
+ }
+ },
+ "cloud_id": "",
+ "ignition_id": "worker.yaml"
+}