4 files changed, 74 insertions, 46 deletions

diff --git a/xci/installer/kubespray/playbooks/configure-kubenet.yml b/xci/installer/kubespray/playbooks/configure-kubenet.yml
new file mode 100644
index 00000000..1c3740b2
--- /dev/null
+++ b/xci/installer/kubespray/playbooks/configure-kubenet.yml
@@ -0,0 +1,50 @@
+---
+# SPDX-license-identifier: Apache-2.0
+##############################################################################
+# Copyright (c) 2018 SUSE LINUX GmbH and others.
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+
+# NOTE(hwoarang) Kubenet expects networking to be prepared by the administrator so it's necessary
+# to do that as part of the node configuration. All we need is to add static routes on every node
+# so cbr0 interfaces can talk to each other.
+- name: Prepare networking for kubenet
+  hosts: k8s-cluster
+  gather_facts: True
+  become: yes
+  vars_files:
+    - "{{ xci_path }}/xci/var/opnfv.yml"
+  tasks:
+    - name: Configure static routes
+      block:
+        - name: Collect cbr0 information from the nodes
+          set_fact:
+            kubenet_xci_static_routes: |-
+              {% set static_routes = [] %}
+              {% for host in groups['k8s-cluster']|select("ne", inventory_hostname) %}
+              {%- set _ = static_routes.append(
+              {'network': (hostvars[host]['ansible_cbr0']['ipv4']['network']+'/'+
+               hostvars[host]['ansible_cbr0']['ipv4']['netmask'])|ipaddr('net'),
+               'gateway': hostvars[host]['ansible_default_ipv4']['address']}) -%}
+              {% endfor %}
+              {{ static_routes }}
+
+        - name: Add static routes on each node
+          shell: "ip route show | grep -q {{ item.network }} || ip route add {{ item.network }} via {{ item.gateway }}"
+          with_items: "{{ kubenet_xci_static_routes }}"
+          loop_control:
+            label: "{{ item.network }}"
+      when: deploy_scenario == 'k8-nosdn-nofeature'
+
+    - name: Ensure rp_filter is disabled on localhost
+      sysctl:
+        name: net.ipv4.conf.all.rp_filter
+        sysctl_set: yes
+        state: present
+        value: "{{ deploy_scenario == 'k8-nosdn-nofeature' | ternary(0, 1) }}"
+        reload: yes
+      delegate_to: localhost
+      run_once: True
diff --git a/xci/installer/kubespray/playbooks/configure-opnfvhost.yml b/xci/installer/kubespray/playbooks/configure-opnfvhost.yml
index a4bdbf07..ac8988da 100644
--- a/xci/installer/kubespray/playbooks/configure-opnfvhost.yml
+++ b/xci/installer/kubespray/playbooks/configure-opnfvhost.yml
@@ -30,18 +30,6 @@
         recursive: yes
         delete: yes
 
-    - name: generate SSH keys
-      command: ssh-keygen -b 2048 -t rsa -f /root/.ssh/id_rsa -q -N ""
-      args:
-        creates: /root/.ssh/id_rsa
-    - name: add id_rsa.pub to authorized_keys
-      shell: cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
-      when:  xci_flavor == 'aio'
-    - name: fetch public key
-      fetch:
-        src: "{{ ansible_env.HOME }}/.ssh/id_rsa.pub"
-        dest: "{{ xci_path }}/xci/files/authorized_keys"
-        flat: yes
     - name: delete the opnfv_inventory directory
       file:
         path: "{{ remote_xci_path }}/.cache/repos/kubespray/opnfv_inventory"
@@ -55,11 +43,7 @@
       file:
         path: "{{ remote_xci_path }}/.cache/repos/kubespray/opnfv_inventory/group_vars"
         state: directory
-    - name: copy k8s_cluster.yml
-      command: "cp -rf {{ remote_xci_path }}/xci/installer/kubespray/files/k8s-cluster.yml \
-                     {{ remote_xci_path }}/.cache/repos/kubespray/opnfv_inventory/group_vars"
-      args:
-        creates: "{{ remote_xci_path }}/.cache/repos/kubespray/opnfv_inventory/group_vars/k8s-cluster.yml"
+    - include: "{{ xci_path }}/xci/playbooks/bootstrap-scenarios.yml"
     - name: Install required packages
       package:
         name: "{{ kube_require_packages[ansible_pkg_mgr] }}"
@@ -73,17 +57,21 @@
         insertafter: 'targetPort'
         line: "  type: NodePort"
 
-    - name: pip install ansible
+    - name: pip install required packages
       pip:
-        name: ansible
-        version: "{{ xci_kube_ansible_pip_version }}"
+        name: "{{ item.name }}"
+        version: "{{ item.version | default(omit) }}"
+      with_items:
+        - { name: 'ansible', version: "{{ xci_kube_ansible_pip_version }}" }
+        - { name: 'netaddr' }
 
+    - name: Configure SSL certificates
+      include_tasks: "{{ xci_path }}/xci/playbooks/manage-ssl-certs.yml"
 
-- hosts: localhost
-  remote_user: root
-  vars_files:
-    - "{{ xci_path }}/xci/var/opnfv.yml"
-  tasks:
-    - name: Append public keys to authorized_keys
-      shell: "/bin/cat {{ ansible_env.HOME }}/.ssh/id_rsa.pub >> {{ xci_path }}/xci/files/authorized_keys"
-      changed_when: True
+    - name: fetch xci environment
+      copy:
+        src: "{{ xci_path }}/.cache/xci.env"
+        dest: /root/xci.env
+
+    - name: Manage SSH keys
+      include_tasks: "{{ xci_path }}/xci/playbooks/manage-ssh-keys.yml"
diff --git a/xci/installer/kubespray/playbooks/configure-targethosts.yml b/xci/installer/kubespray/playbooks/configure-targethosts.yml
index d89cd334..c744eae6 100644
--- a/xci/installer/kubespray/playbooks/configure-targethosts.yml
+++ b/xci/installer/kubespray/playbooks/configure-targethosts.yml
@@ -1,14 +1,13 @@
 ---
-- hosts: all
+- hosts: k8s-cluster
   remote_user: root
   tasks:
-    - name: add public key to host
-      copy:
-        src: "{{ xci_path }}/xci/files/authorized_keys"
-        dest: /root/.ssh/authorized_keys
-    - name: Install required packages
+    - name: Manage SSH keys
+      include_tasks: "{{ xci_path }}/xci/playbooks/manage-ssh-keys.yml"
+
+    - name: Install dbus
       package:
-        name: "{{ kube_require_packages[ansible_pkg_mgr] }}"
+        name: "{{ (ansible_pkg_mgr == 'zypper') | ternary('dbus-1', 'dbus') }}"
         state: present
         update_cache: "{{ (ansible_pkg_mgr == 'apt') | ternary('yes', omit) }}"
 
@@ -25,4 +24,6 @@
       when:  xci_flavor == 'ha'
     - role: "haproxy_server"
       haproxy_service_configs: "{{ haproxy_default_services}}"
+      haproxy_user_ssl_cert: "/etc/ssl/certs/xci.crt"
+      haproxy_user_ssl_key: "/etc/ssl/private/xci.key"
       when:  xci_flavor == 'ha'
diff --git a/xci/installer/kubespray/playbooks/group_vars/all b/xci/installer/kubespray/playbooks/group_vars/all
index 87ed63bd..328f8dba 100644
--- a/xci/installer/kubespray/playbooks/group_vars/all
+++ b/xci/installer/kubespray/playbooks/group_vars/all
@@ -1,14 +1,3 @@
-kube_require_packages:
-  apt:
-    - python-netaddr
-    - dbus
-  yum:
-    - python-netaddr
-    - dbus
-  zypper:
-    - python-netaddr
-    - dbus-1
-
 keepalived_ubuntu_src: "uca"
 keepalived_uca_apt_repo_url: "{{ uca_apt_repo_url | default('http://ubuntu-cloud.archive.canonical.com/ubuntu') }}"