summaryrefslogtreecommitdiffstats
path: root/sw_config/bmra/patched_cmk_build.yml
diff options
context:
space:
mode:
Diffstat (limited to 'sw_config/bmra/patched_cmk_build.yml')
-rw-r--r--sw_config/bmra/patched_cmk_build.yml376
1 files changed, 376 insertions, 0 deletions
diff --git a/sw_config/bmra/patched_cmk_build.yml b/sw_config/bmra/patched_cmk_build.yml
new file mode 100644
index 0000000..ae0c94d
--- /dev/null
+++ b/sw_config/bmra/patched_cmk_build.yml
@@ -0,0 +1,376 @@
+##
+## Copyright (c) 2020 Intel Corporation.
+##
+## Licensed under the Apache License, Version 2.0 (the "License");
+## you may not use this file except in compliance with the License.
+## You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+##
+---
+- name: install epel-release on Red Hat based OS
+ package: name=epel-release
+ when: ansible_os_family == 'RedHat'
+
+# note: on Ubuntu, pip is installed via install_dependencies
+- name: install pip
+ package:
+ name: python-pip
+ when:
+ - ansible_distribution in ["RedHat", "CentOS"]
+ - ansible_distribution_version < '8'
+
+- name: install pip
+ package:
+ name: python3-pip
+ when:
+ - ansible_distribution in ["RedHat", "CentOS"]
+ - ansible_distribution_version >= '8'
+
+- name: install dependencies
+ include_role:
+ name: install_dependencies
+
+- name: install Python dependencies
+ pip:
+ name:
+ - setuptools
+ - docker
+
+- name: clone CMK repository
+ git:
+ repo: "{{ cmk_git_url }}"
+ dest: "{{ cmk_dir }}"
+ version: "{{ cmk_version }}"
+ force: yes
+
+- name: patch CMK dockerfile (1/3)
+ lineinfile:
+ path: "{{ cmk_dir }}/Dockerfile"
+ regexp: '^FROM clearlinux'
+ line: 'FROM centos/python-36-centos7:latest'
+
+- name: patch CMK dockerfile (2/3)
+ lineinfile:
+ path: "{{ cmk_dir }}/Dockerfile"
+ insertafter: '^FROM centos'
+ line: 'USER root'
+ state: present
+
+- name: patch CMK dockerfile (3/3)
+ lineinfile:
+ path: "{{ cmk_dir }}/Dockerfile"
+ state: absent
+ regexp: '^RUN swupd'
+
+- name: build CMK image
+ make:
+ chdir: "{{ cmk_dir }}"
+
+# NOTE(przemeklal): this fixes problem in CMK with ImagePullPolicy hardcoded to Never and the pod is scheduled on controller node
+- name: tag CMK image
+ command: docker tag cmk:{{ cmk_img_version }} {{ registry_local_address }}/cmk:{{ cmk_img_version }}
+ changed_when: true
+
+- name: push CMK image to local registry
+ command: docker push {{ registry_local_address }}/cmk:{{ cmk_img_version }}
+ when:
+ - inventory_hostname == groups['kube-node'][0]
+ changed_when: true
+
+- name: clean up any preexisting certs/key/CSR files
+ file: path=/etc/ssl/cmk state=absent
+ when: inventory_hostname == groups['kube-master'][0]
+ failed_when: false
+ become: yes
+
+- name: delete any preexisting certs/key/CSR from Kubernetes
+ command: kubectl delete csr cmk-webhook-{{ item }}.{{ cmk_namespace }}
+ when: inventory_hostname == groups['kube-master'][0]
+ failed_when: false
+ with_items:
+ - "client"
+ - "server"
+
+- name: create directory for CMK cert and key generation
+ become: yes
+ file:
+ path: /etc/ssl/cmk
+ state: directory
+ mode: 0700
+ owner: root
+ group: root
+
+- name: populate CMK CSR template
+ template:
+ src: "webhook_{{ item }}_csr.json.j2"
+ dest: "/etc/ssl/cmk/cmk-webhook-{{ item }}-csr.json"
+ force: yes
+ mode: preserve
+ become: yes
+ with_items:
+ - "client"
+ - "server"
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+
+- name: get GOPATH
+ command: go env GOPATH
+ register: gopath
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+
+- name: generate key and CSR
+ shell: "set -o pipefail \
+ && {{ gopath.stdout }}/bin/cfssl genkey cmk-webhook-{{ item }}-csr.json | {{ gopath.stdout }}/bin/cfssljson -bare cmk-webhook-{{ item }}"
+ args:
+ chdir: "/etc/ssl/cmk/"
+ executable: /bin/bash
+ with_items:
+ - "client"
+ - "server"
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+ become: yes
+
+- name: read generated server key
+ command: cat cmk-webhook-server-key.pem
+ args:
+ chdir: "/etc/ssl/cmk/"
+ register: server_key
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+
+- name: read generated client key
+ command: cat cmk-webhook-client-key.pem
+ args:
+ chdir: "/etc/ssl/cmk/"
+ register: client_key
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+
+- name: load generated server key
+ set_fact:
+ cmk_webhook_server_key: "{{ server_key.stdout | b64encode }}"
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+
+- name: load generated client key
+ set_fact:
+ cmk_webhook_client_key: "{{ client_key.stdout | b64encode }}"
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+
+- name: read generated client csr
+ command: cat cmk-webhook-client.csr
+ args:
+ chdir: "/etc/ssl/cmk/"
+ register: client_csr
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+
+- name: load generated client csr
+ set_fact:
+ cmk_webhook_client_csr: "{{ client_csr.stdout | b64encode }}"
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+
+- name: read generated server csr
+ command: cat cmk-webhook-server.csr
+ args:
+ chdir: "/etc/ssl/cmk/"
+ register: server_csr
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+
+- name: load generated server csr
+ set_fact:
+ cmk_webhook_server_csr: "{{ server_csr.stdout | b64encode }}"
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+
+- name: populate CMK Kubernetes CA CSR template
+ template:
+ src: "kube_{{ item }}_csr.yml.j2"
+ dest: "/etc/ssl/cmk/cmk-webhook-kube-{{ item }}-csr.yml"
+ force: yes
+ mode: preserve
+ with_items:
+ - "client"
+ - "server"
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+
+- name: send CSR to the Kubernetes API Server
+ command: kubectl apply -f /etc/ssl/cmk/cmk-webhook-kube-{{ item }}-csr.yml
+ with_items:
+ - "client"
+ - "server"
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+
+- name: approve request
+ command: kubectl certificate approve cmk-webhook-{{ item }}.{{ cmk_namespace }}
+ with_items:
+ - "client"
+ - "server"
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+
+- name: get approved server certificate
+ shell: kubectl get csr cmk-webhook-server.{{ cmk_namespace }} -o jsonpath='{.status.certificate}'
+ args:
+ chdir: "/etc/ssl/cmk/"
+ register: server_cert
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+ retries: 30
+ delay: 1
+ until: server_cert.rc == 0
+
+- name: get approved client certificate
+ shell: kubectl get csr cmk-webhook-client.{{ cmk_namespace }} -o jsonpath='{.status.certificate}'
+ args:
+ chdir: "/etc/ssl/cmk/"
+ register: client_cert
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+ retries: 30
+ delay: 1
+ until: client_cert.rc == 0
+
+- name: load generated server cert
+ set_fact:
+ cmk_webhook_server_cert: "{{ server_cert.stdout }}"
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+
+- name: load generated client cert
+ set_fact:
+ cmk_webhook_client_cert: "{{ client_cert.stdout }}"
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+
+- name: populate cmk-webhook.conf file
+ template:
+ src: "cmk-webhook.conf.j2"
+ dest: "/etc/kubernetes/admission-control/cmk-webhook.conf"
+ force: yes
+ mode: preserve
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+
+- name: add MutatingAdmissionWebhook to AdmissionConfiguration
+ blockinfile:
+ path: /etc/kubernetes/admission-control/config.yaml
+ insertafter: "plugins:"
+ block: |
+ - name: MutatingAdmissionWebhook
+ configuration:
+ apiVersion: apiserver.config.k8s.io/v1
+ kind: WebhookAdmissionConfiguration
+ kubeConfigFile: /etc/kubernetes/admission-control/cmk-webhook.conf
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+
+
+- name: restart kube-apiserver after updating admission control configuration
+ when: inventory_hostname == groups['kube-master'][0]
+ block:
+ - name: remove kube-apiserver Docker container
+ shell: docker ps -af name=k8s_kube-apiserver* -q | xargs --no-run-if-empty docker rm -f
+ args:
+ executable: /bin/bash
+ register: remove_apiserver_container
+ retries: 10
+ until: remove_apiserver_container.rc == 0
+ delay: 1
+ - name: wait for kube-apiserver to be up
+ uri:
+ url: "https://127.0.0.1:6443/healthz"
+ client_cert: "/etc/kubernetes/ssl/ca.crt"
+ client_key: "/etc/kubernetes/ssl/ca.key"
+ validate_certs: no
+ register: result
+ until: result.status == 200
+ retries: 120
+ delay: 1
+
+- name: create Helm charts directory if needed
+ file:
+ path: /usr/src/charts
+ state: directory
+ mode: 0755
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+
+- name: copy CMK Helm chart to the controller node
+ copy:
+ src: "{{ role_path }}/charts/cpu-manager-for-kubernetes"
+ dest: "/usr/src/charts/"
+ mode: 0755
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+
+# adds all kube-nodes to the list of CMK nodes
+- name: build list of CMK hosts
+ set_fact:
+ cmk_hosts_list: "{{ groups['kube-node'] | join(',') }}"
+ when:
+ - not cmk_use_all_hosts
+ - (cmk_hosts_list is undefined) or (cmk_hosts_list | length == 0)
+
+- name: set values for CMK Helm chart values
+ set_fact:
+ cmk_image: "{{ registry_local_address }}/cmk"
+ cmk_tag: "{{ cmk_img_version }}"
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+
+- name: read ca cert
+ command: cat ca.crt
+ args:
+ chdir: "/etc/kubernetes/ssl/"
+ register: ca_cert
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+
+- name: load ca cert
+ set_fact:
+ caBundle_cert: "{{ ca_cert.stdout | b64encode }}"
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+
+- name: populate CMK Helm chart values template and push to controller node
+ template:
+ src: "helm_values.yml.j2"
+ dest: "/usr/src/charts/cmk-values.yml"
+ force: yes
+ mode: preserve
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+
+# remove any preexisting configmaps before cmk redeployment
+- name: remove any preexisting configmaps before CMK deployment
+ command: kubectl delete cm cmk-config-{{ inventory_hostname }}
+ when:
+ - inventory_hostname in cmk_hosts_list.split(',')
+ delegate_to: "{{ groups['kube-master']|first }}"
+ failed_when: false
+
+- name: install CMK helm chart
+ command: helm upgrade --install cmk --namespace {{ cmk_namespace }} -f /usr/src/charts/cmk-values.yml /usr/src/charts/cpu-manager-for-kubernetes
+ when:
+ - inventory_hostname == groups['kube-master'][0]
+
+- name: clean up any certs/key/CSR files
+ file: path=/etc/ssl/cmk state=absent
+ when: inventory_hostname == groups['kube-master'][0]
+ failed_when: false
+ become: yes