From 7eae11323bd3dfc857a66e8fd1049c103a4eac22 Mon Sep 17 00:00:00 2001
From: "Michael S. Pedersen" <michaelx.pedersen@intel.com>
Date: Fri, 15 Jan 2021 09:59:13 +0000
Subject: Fix a set of issues with K8s deployment

[KUB-37] BMRA v2.0 fails to install on Centos 8.3
[KUB-38] [BMRA] Helm repo is unreachable
[KUB-39] [BMRA] CMK binary doesn't run on Centos 8
[KUB-40] [BMRA] CMK isn't installed on host
[KUB-41] [Equinix Metal] Unexpected GRUB settings on CentOS

Signed-off-by: Michael S. Pedersen <michaelx.pedersen@intel.com>
Change-Id: Ie7deb0517cda02352936420a9d36348238caa467
Reviewed-on: https://gerrit.opnfv.org/gerrit/c/kuberef/+/71784
Tested-by: jenkins-ci <jenkins-opnfv-ci@opnfv.org>
Reviewed-by: Rihab Banday <rihab.banday@ericsson.com>
---
 sw_config/bmra/patched_cmk_build.yml | 376 +++++++++++++++++++++++++++++++++++
 1 file changed, 376 insertions(+)
 create mode 100644 sw_config/bmra/patched_cmk_build.yml

(limited to 'sw_config/bmra/patched_cmk_build.yml')

diff --git a/sw_config/bmra/patched_cmk_build.yml b/sw_config/bmra/patched_cmk_build.yml
new file mode 100644
index 0000000..ae0c94d
--- /dev/null
+++ b/sw_config/bmra/patched_cmk_build.yml
@@ -0,0 +1,376 @@
+##
+##   Copyright (c) 2020 Intel Corporation.
+##
+##   Licensed under the Apache License, Version 2.0 (the "License");
+##   you may not use this file except in compliance with the License.
+##   You may obtain a copy of the License at
+##
+##       http://www.apache.org/licenses/LICENSE-2.0
+##
+##   Unless required by applicable law or agreed to in writing, software
+##   distributed under the License is distributed on an "AS IS" BASIS,
+##   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+##   See the License for the specific language governing permissions and
+##   limitations under the License.
+##
+---
+- name: install epel-release on Red Hat based OS
+  package: name=epel-release
+  when: ansible_os_family == 'RedHat'
+
+# note: on Ubuntu, pip is installed via install_dependencies
+- name: install pip
+  package:
+    name: python-pip
+  when:
+    - ansible_distribution in ["RedHat", "CentOS"]
+    - ansible_distribution_version < '8'
+
+- name: install pip
+  package:
+    name: python3-pip
+  when:
+    - ansible_distribution in ["RedHat", "CentOS"]
+    - ansible_distribution_version >= '8'
+
+- name: install dependencies
+  include_role:
+    name: install_dependencies
+
+- name: install Python dependencies
+  pip:
+    name:
+      - setuptools
+      - docker
+
+- name: clone CMK repository
+  git:
+    repo: "{{ cmk_git_url }}"
+    dest: "{{ cmk_dir }}"
+    version: "{{ cmk_version }}"
+    force: yes
+
+- name: patch CMK dockerfile (1/3)
+  lineinfile:
+    path: "{{ cmk_dir }}/Dockerfile"
+    regexp: '^FROM clearlinux'
+    line: 'FROM centos/python-36-centos7:latest'
+
+- name: patch CMK dockerfile (2/3)
+  lineinfile:
+    path: "{{ cmk_dir }}/Dockerfile"
+    insertafter: '^FROM centos'
+    line: 'USER root'
+    state: present
+
+- name: patch CMK dockerfile (3/3)
+  lineinfile:
+    path: "{{ cmk_dir }}/Dockerfile"
+    state: absent
+    regexp: '^RUN swupd'
+
+- name: build CMK image
+  make:
+    chdir: "{{ cmk_dir }}"
+
+# NOTE(przemeklal): this fixes problem in CMK with ImagePullPolicy hardcoded to Never and the pod is scheduled on controller node
+- name: tag CMK image
+  command: docker tag cmk:{{ cmk_img_version }} {{ registry_local_address }}/cmk:{{ cmk_img_version }}
+  changed_when: true
+
+- name: push CMK image to local registry
+  command: docker push {{ registry_local_address }}/cmk:{{ cmk_img_version }}
+  when:
+    - inventory_hostname == groups['kube-node'][0]
+  changed_when: true
+
+- name: clean up any preexisting certs/key/CSR files
+  file: path=/etc/ssl/cmk state=absent
+  when: inventory_hostname == groups['kube-master'][0]
+  failed_when: false
+  become: yes
+
+- name: delete any preexisting certs/key/CSR from Kubernetes
+  command: kubectl delete csr cmk-webhook-{{ item }}.{{ cmk_namespace }}
+  when: inventory_hostname == groups['kube-master'][0]
+  failed_when: false
+  with_items:
+    - "client"
+    - "server"
+
+- name: create directory for CMK cert and key generation
+  become: yes
+  file:
+    path: /etc/ssl/cmk
+    state: directory
+    mode: 0700
+    owner: root
+    group: root
+
+- name: populate CMK CSR template
+  template:
+    src: "webhook_{{ item }}_csr.json.j2"
+    dest: "/etc/ssl/cmk/cmk-webhook-{{ item }}-csr.json"
+    force: yes
+    mode: preserve
+  become: yes
+  with_items:
+    - "client"
+    - "server"
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+
+- name: get GOPATH
+  command: go env GOPATH
+  register: gopath
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+
+- name: generate key and CSR
+  shell: "set -o pipefail \
+         && {{ gopath.stdout }}/bin/cfssl genkey cmk-webhook-{{ item }}-csr.json | {{ gopath.stdout }}/bin/cfssljson -bare cmk-webhook-{{ item }}"
+  args:
+    chdir: "/etc/ssl/cmk/"
+    executable: /bin/bash
+  with_items:
+    - "client"
+    - "server"
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+  become: yes
+
+- name: read generated server key
+  command: cat cmk-webhook-server-key.pem
+  args:
+    chdir: "/etc/ssl/cmk/"
+  register: server_key
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+
+- name: read generated client key
+  command: cat cmk-webhook-client-key.pem
+  args:
+    chdir: "/etc/ssl/cmk/"
+  register: client_key
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+
+- name: load generated server key
+  set_fact:
+    cmk_webhook_server_key: "{{ server_key.stdout | b64encode }}"
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+
+- name: load generated client key
+  set_fact:
+    cmk_webhook_client_key: "{{ client_key.stdout | b64encode }}"
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+
+- name: read generated client csr
+  command: cat cmk-webhook-client.csr
+  args:
+    chdir: "/etc/ssl/cmk/"
+  register: client_csr
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+
+- name: load generated client csr
+  set_fact:
+    cmk_webhook_client_csr: "{{ client_csr.stdout | b64encode }}"
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+
+- name: read generated server csr
+  command: cat cmk-webhook-server.csr
+  args:
+    chdir: "/etc/ssl/cmk/"
+  register: server_csr
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+
+- name: load generated server csr
+  set_fact:
+    cmk_webhook_server_csr: "{{ server_csr.stdout | b64encode }}"
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+
+- name: populate CMK Kubernetes CA CSR template
+  template:
+    src: "kube_{{ item }}_csr.yml.j2"
+    dest: "/etc/ssl/cmk/cmk-webhook-kube-{{ item }}-csr.yml"
+    force: yes
+    mode: preserve
+  with_items:
+    - "client"
+    - "server"
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+
+- name: send CSR to the Kubernetes API Server
+  command: kubectl apply -f /etc/ssl/cmk/cmk-webhook-kube-{{ item }}-csr.yml
+  with_items:
+    - "client"
+    - "server"
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+
+- name: approve request
+  command: kubectl certificate approve cmk-webhook-{{ item }}.{{ cmk_namespace }}
+  with_items:
+    - "client"
+    - "server"
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+
+- name: get approved server  certificate
+  shell: kubectl get csr cmk-webhook-server.{{ cmk_namespace }} -o jsonpath='{.status.certificate}'
+  args:
+    chdir: "/etc/ssl/cmk/"
+  register: server_cert
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+  retries: 30
+  delay: 1
+  until: server_cert.rc == 0
+
+- name: get approved client certificate
+  shell: kubectl get csr cmk-webhook-client.{{ cmk_namespace }} -o jsonpath='{.status.certificate}'
+  args:
+    chdir: "/etc/ssl/cmk/"
+  register: client_cert
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+  retries: 30
+  delay: 1
+  until: client_cert.rc == 0
+
+- name: load generated server cert
+  set_fact:
+    cmk_webhook_server_cert: "{{ server_cert.stdout }}"
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+
+- name: load generated client cert
+  set_fact:
+    cmk_webhook_client_cert: "{{ client_cert.stdout }}"
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+
+- name: populate cmk-webhook.conf file
+  template:
+    src: "cmk-webhook.conf.j2"
+    dest: "/etc/kubernetes/admission-control/cmk-webhook.conf"
+    force: yes
+    mode: preserve
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+
+- name: add MutatingAdmissionWebhook to AdmissionConfiguration
+  blockinfile:
+    path: /etc/kubernetes/admission-control/config.yaml
+    insertafter: "plugins:"
+    block: |
+      - name: MutatingAdmissionWebhook
+        configuration:
+          apiVersion: apiserver.config.k8s.io/v1
+          kind: WebhookAdmissionConfiguration
+          kubeConfigFile: /etc/kubernetes/admission-control/cmk-webhook.conf
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+
+
+- name: restart kube-apiserver after updating admission control configuration
+  when: inventory_hostname == groups['kube-master'][0]
+  block:
+    - name: remove kube-apiserver Docker container
+      shell: docker ps -af name=k8s_kube-apiserver* -q | xargs --no-run-if-empty docker rm -f
+      args:
+        executable: /bin/bash
+      register: remove_apiserver_container
+      retries: 10
+      until: remove_apiserver_container.rc == 0
+      delay: 1
+    - name: wait for kube-apiserver to be up
+      uri:
+        url: "https://127.0.0.1:6443/healthz"
+        client_cert: "/etc/kubernetes/ssl/ca.crt"
+        client_key: "/etc/kubernetes/ssl/ca.key"
+        validate_certs: no
+      register: result
+      until: result.status == 200
+      retries: 120
+      delay: 1
+
+- name: create Helm charts directory if needed
+  file:
+    path: /usr/src/charts
+    state: directory
+    mode: 0755
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+
+- name: copy CMK Helm chart to the controller node
+  copy:
+    src: "{{ role_path }}/charts/cpu-manager-for-kubernetes"
+    dest: "/usr/src/charts/"
+    mode: 0755
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+
+# adds all kube-nodes to the list of CMK nodes
+- name: build list of CMK hosts
+  set_fact:
+    cmk_hosts_list: "{{ groups['kube-node'] | join(',') }}"
+  when:
+    - not cmk_use_all_hosts
+    - (cmk_hosts_list is undefined) or (cmk_hosts_list | length == 0)
+
+- name: set values for CMK Helm chart values
+  set_fact:
+    cmk_image: "{{ registry_local_address }}/cmk"
+    cmk_tag: "{{ cmk_img_version }}"
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+
+- name: read ca cert
+  command: cat ca.crt
+  args:
+    chdir: "/etc/kubernetes/ssl/"
+  register: ca_cert
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+
+- name: load ca cert
+  set_fact:
+    caBundle_cert: "{{ ca_cert.stdout | b64encode }}"
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+
+- name: populate CMK Helm chart values template and push to controller node
+  template:
+    src: "helm_values.yml.j2"
+    dest: "/usr/src/charts/cmk-values.yml"
+    force: yes
+    mode: preserve
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+
+# remove any preexisting configmaps before cmk redeployment
+- name: remove any preexisting configmaps before CMK deployment
+  command: kubectl delete cm cmk-config-{{ inventory_hostname }}
+  when:
+    - inventory_hostname in cmk_hosts_list.split(',')
+  delegate_to: "{{ groups['kube-master']|first }}"
+  failed_when: false
+
+- name: install CMK helm chart
+  command: helm upgrade --install cmk --namespace {{ cmk_namespace }} -f /usr/src/charts/cmk-values.yml /usr/src/charts/cpu-manager-for-kubernetes
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+
+- name: clean up any certs/key/CSR files
+  file: path=/etc/ssl/cmk state=absent
+  when: inventory_hostname == groups['kube-master'][0]
+  failed_when: false
+  become: yes
-- 
cgit 1.2.3-korg