# SPDX-FileCopyrightText: 2021 Intel Corporation. # # SPDX-License-Identifier: Apache-2.0 --- - name: install dependencies include_role: name: install_dependencies - name: clone CMK repository git: repo: "{{ cmk_git_url }}" dest: "{{ cmk_dir }}" version: "{{ cmk_version }}" force: yes - name: patch CMK dockerfile (1/3) lineinfile: path: "{{ cmk_dir }}/Dockerfile" regexp: '^FROM clearlinux' line: 'FROM centos/python-36-centos7:latest' - name: patch CMK dockerfile (2/3) lineinfile: path: "{{ cmk_dir }}/Dockerfile" insertafter: '^FROM centos' line: 'USER root' state: present - name: patch CMK dockerfile (3/3) lineinfile: path: "{{ cmk_dir }}/Dockerfile" state: absent regexp: '^RUN swupd' - name: build CMK image make: chdir: "{{ cmk_dir }}" when: container_runtime == "docker" # NOTE(przemeklal): this fixes problem in CMK with ImagePullPolicy hardcoded to Never and the pod is scheduled on controller node - name: tag CMK image command: docker tag cmk:{{ cmk_img_version }} {{ registry_local_address }}/cmk:{{ cmk_img_version }} changed_when: true when: container_runtime == "docker" - name: push CMK image to local registry command: docker push {{ registry_local_address }}/cmk:{{ cmk_img_version }} changed_when: true when: - container_runtime == "docker" - inventory_hostname == groups['kube-node'][0] - name: build and tag CMK image command: podman build -f Dockerfile -t {{ registry_local_address }}/cmk:{{ cmk_img_version }} args: chdir: "{{ cmk_dir }}" changed_when: true when: '"docker" not in container_runtime' - name: push CMK image to local registry command: podman push {{ registry_local_address }}/cmk:{{ cmk_img_version }} changed_when: true when: - inventory_hostname == groups['kube-node'][0] - '"docker" not in container_runtime' - name: clean up any pre-existing certs/key/CSR files file: path=/etc/ssl/cmk state=absent when: inventory_hostname == groups['kube-master'][0] failed_when: false become: yes - name: delete any pre-existing certs/key/CSR from Kubernetes command: kubectl delete csr cmk-webhook-{{ item }}.{{ cmk_namespace }} when: inventory_hostname == groups['kube-master'][0] failed_when: false with_items: - "client" - "server" - name: create directory for CMK cert and key generation become: yes file: path: /etc/ssl/cmk state: directory mode: 0700 owner: root group: root - name: populate CMK CSR template template: src: "webhook_{{ item }}_csr.json.j2" dest: "/etc/ssl/cmk/cmk-webhook-{{ item }}-csr.json" force: yes mode: preserve become: yes with_items: - "client" - "server" when: - inventory_hostname == groups['kube-master'][0] - name: get GOPATH command: go env GOPATH register: gopath when: - inventory_hostname == groups['kube-master'][0] - name: generate key and CSR shell: "set -o pipefail \ && {{ gopath.stdout }}/bin/cfssl genkey cmk-webhook-{{ item }}-csr.json | {{ gopath.stdout }}/bin/cfssljson -bare cmk-webhook-{{ item }}" args: chdir: "/etc/ssl/cmk/" executable: /bin/bash with_items: - "client" - "server" when: - inventory_hostname == groups['kube-master'][0] become: yes - name: read generated server key command: cat cmk-webhook-server-key.pem args: chdir: "/etc/ssl/cmk/" register: server_key when: - inventory_hostname == groups['kube-master'][0] - name: read generated client key command: cat cmk-webhook-client-key.pem args: chdir: "/etc/ssl/cmk/" register: client_key when: - inventory_hostname == groups['kube-master'][0] - name: load generated server key set_fact: cmk_webhook_server_key: "{{ server_key.stdout | b64encode }}" when: - inventory_hostname == groups['kube-master'][0] - name: load generated client key set_fact: cmk_webhook_client_key: "{{ client_key.stdout | b64encode }}" when: - inventory_hostname == groups['kube-master'][0] - name: read generated client csr command: cat cmk-webhook-client.csr args: chdir: "/etc/ssl/cmk/" register: client_csr when: - inventory_hostname == groups['kube-master'][0] - name: load generated client csr set_fact: cmk_webhook_client_csr: "{{ client_csr.stdout | b64encode }}" when: - inventory_hostname == groups['kube-master'][0] - name: read generated server csr command: cat cmk-webhook-server.csr args: chdir: "/etc/ssl/cmk/" register: server_csr when: - inventory_hostname == groups['kube-master'][0] - name: load generated server csr set_fact: cmk_webhook_server_csr: "{{ server_csr.stdout | b64encode }}" when: - inventory_hostname == groups['kube-master'][0] - name: populate CMK Kubernetes CA CSR template template: src: "kube_{{ item }}_csr.yml.j2" dest: "/etc/ssl/cmk/cmk-webhook-kube-{{ item }}-csr.yml" force: yes mode: preserve with_items: - "client" - "server" when: - inventory_hostname == groups['kube-master'][0] - name: send CSR to the Kubernetes API Server command: kubectl apply -f /etc/ssl/cmk/cmk-webhook-kube-{{ item }}-csr.yml with_items: - "client" - "server" when: - inventory_hostname == groups['kube-master'][0] - name: approve request command: kubectl certificate approve cmk-webhook-{{ item }}.{{ cmk_namespace }} with_items: - "client" - "server" when: - inventory_hostname == groups['kube-master'][0] - name: get approved server certificate shell: kubectl get csr cmk-webhook-server.{{ cmk_namespace }} -o jsonpath='{.status.certificate}' args: chdir: "/etc/ssl/cmk/" register: server_cert when: - inventory_hostname == groups['kube-master'][0] retries: 30 delay: 1 until: server_cert.rc == 0 - name: get approved client certificate shell: kubectl get csr cmk-webhook-client.{{ cmk_namespace }} -o jsonpath='{.status.certificate}' args: chdir: "/etc/ssl/cmk/" register: client_cert when: - inventory_hostname == groups['kube-master'][0] retries: 30 delay: 1 until: client_cert.rc == 0 - name: load generated server cert set_fact: cmk_webhook_server_cert: "{{ server_cert.stdout }}" when: - inventory_hostname == groups['kube-master'][0] - name: load generated client cert set_fact: cmk_webhook_client_cert: "{{ client_cert.stdout }}" when: - inventory_hostname == groups['kube-master'][0] - name: populate cmk-webhook.conf file template: src: "cmk-webhook.conf.j2" dest: "/etc/kubernetes/admission-control/cmk-webhook.conf" force: yes mode: preserve when: - inventory_hostname == groups['kube-master'][0] - name: add MutatingAdmissionWebhook to AdmissionConfiguration blockinfile: path: /etc/kubernetes/admission-control/config.yaml insertafter: "plugins:" block: | - name: MutatingAdmissionWebhook configuration: apiVersion: apiserver.config.k8s.io/v1 kind: WebhookAdmissionConfiguration kubeConfigFile: /etc/kubernetes/admission-control/cmk-webhook.conf when: - inventory_hostname == groups['kube-master'][0] - name: restart kube-apiserver after updating admission control configuration when: inventory_hostname == groups['kube-master'][0] block: - name: remove kube-apiserver container # noqa 305 - shell is used intentionally here shell: >- {{ (container_runtime == 'docker') | ternary('docker ps -af name=k8s_kube-apiserver* -q | xargs --no-run-if-empty docker rm -f', 'crictl ps -a --name=kube-apiserver* -q | xargs --no-run-if-empty crictl rm -f') }} args: executable: /bin/bash register: remove_apiserver_container retries: 10 until: remove_apiserver_container.rc == 0 delay: 1 - name: wait for kube-apiserver to be up uri: url: "https://127.0.0.1:6443/healthz" client_cert: "/etc/kubernetes/ssl/ca.crt" client_key: "/etc/kubernetes/ssl/ca.key" validate_certs: no register: result until: result.status == 200 retries: 120 delay: 1 - name: create Helm charts directory if needed file: path: /usr/src/charts state: directory mode: 0755 when: - inventory_hostname == groups['kube-master'][0] - name: copy CMK Helm chart to the controller node copy: src: "{{ role_path }}/charts/cpu-manager-for-kubernetes" dest: "/usr/src/charts/" mode: 0755 when: - inventory_hostname == groups['kube-master'][0] # adds all kube-nodes to the list of CMK nodes - name: build list of CMK hosts set_fact: cmk_hosts_list: "{{ groups['kube-node'] | join(',') }}" when: - not cmk_use_all_hosts - (cmk_hosts_list is undefined) or (cmk_hosts_list | length == 0) - name: set values for CMK Helm chart values set_fact: cmk_image: "{{ registry_local_address }}/cmk" cmk_tag: "{{ cmk_img_version }}" when: - inventory_hostname == groups['kube-master'][0] - name: read ca cert command: cat ca.crt args: chdir: "/etc/kubernetes/ssl/" register: ca_cert when: - inventory_hostname == groups['kube-master'][0] - name: load ca cert set_fact: caBundle_cert: "{{ ca_cert.stdout | b64encode }}" when: - inventory_hostname == groups['kube-master'][0] - name: populate CMK Helm chart values template and push to controller node template: src: "helm_values.yml.j2" dest: "/usr/src/charts/cmk-values.yml" force: yes mode: preserve when: - inventory_hostname == groups['kube-master'][0] # remove any pre-existing configmaps before cmk redeployment - name: remove any pre-existing configmaps before CMK deployment command: kubectl delete cm cmk-config-{{ inventory_hostname }} when: - inventory_hostname in (cmk_hosts_list.split(',') if (cmk_hosts_list is defined and cmk_hosts_list | length > 0) else []) delegate_to: "{{ groups['kube-master']|first }}" failed_when: false - name: install CMK helm chart command: helm upgrade --install cmk --namespace {{ cmk_namespace }} -f /usr/src/charts/cmk-values.yml /usr/src/charts/cpu-manager-for-kubernetes when: - inventory_hostname == groups['kube-master'][0] - name: clean up any certs/key/CSR files file: path=/etc/ssl/cmk state=absent when: inventory_hostname == groups['kube-master'][0] failed_when: false become: yes