From 0ab7ff90c3fec546275fd35ffc13cb787c03721e Mon Sep 17 00:00:00 2001 From: Pawan Verma Date: Mon, 4 Oct 2021 18:44:20 +0530 Subject: Add support for Calico, Cilium, Contiv-VPP and Danm in k8scluster deployment scripts. This patch adds support for installing Calico, Cilium, Contiv-VPP and Danm in Kubernetes cluster deployment ansible scripts. 
Signed-off-by: Pawan Verma Change-Id: Ib76620fa0f63dd58e8496bbf31baf515f697bcde --- .../roles/clustermanager/defaults/main.yml | 4 +- .../clustermanager/files/danm-cni-plugins.yaml | 36 ++ .../files/danm-netwatcher-daemonset.yaml | 94 ++++ .../files/danm-webhook-create-signed-cert.sh | 121 +++++ .../files/kube-flannel-daemonset.yml | 486 +++------------------ .../roles/clustermanager/tasks/clear-calico.yaml | 10 + .../roles/clustermanager/tasks/clear-cilium.yaml | 7 + .../roles/clustermanager/tasks/clear-contiv.yaml | 11 + .../roles/clustermanager/tasks/clear-danm.yaml | 63 +++ .../roles/clustermanager/tasks/cni-pre-deploy.yml | 12 + .../roles/clustermanager/tasks/deploy-calico.yaml | 12 + .../roles/clustermanager/tasks/deploy-cilium.yaml | 19 + .../roles/clustermanager/tasks/deploy-contiv.yaml | 12 + .../roles/clustermanager/tasks/deploy-danm.yaml | 125 ++++++ .../k8scluster/roles/clustermanager/tasks/main.yml | 42 +- .../clustermanager/templates/danm-webhook.yaml | 128 ++++++ 16 files changed, 747 insertions(+), 435 deletions(-) create mode 100644 tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-cni-plugins.yaml create mode 100644 tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-netwatcher-daemonset.yaml create mode 100755 tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-webhook-create-signed-cert.sh create mode 100644 tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/tasks/clear-calico.yaml create mode 100644 tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/tasks/clear-cilium.yaml create mode 100644 tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/tasks/clear-contiv.yaml create mode 100644 tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/tasks/clear-danm.yaml create mode 100644 tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/tasks/deploy-calico.yaml create mode 100644 
tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/tasks/deploy-cilium.yaml create mode 100644 tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/tasks/deploy-contiv.yaml create mode 100644 tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/tasks/deploy-danm.yaml create mode 100644 tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/templates/danm-webhook.yaml (limited to 'tools/k8s/cluster-deployment/k8scluster/roles') diff --git a/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/defaults/main.yml b/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/defaults/main.yml index 15f1f186..ab2ffc36 100644 --- a/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/defaults/main.yml +++ b/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/defaults/main.yml @@ -25,4 +25,6 @@ token_file: $HOME/log_init.txt -PIP_executable_version: pip3.6 \ No newline at end of file +PIP_executable_version: pip3.6 +helm_version: v3.7.0 +openshift_version: 0.11.1 diff --git a/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-cni-plugins.yaml b/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-cni-plugins.yaml new file mode 100644 index 00000000..1fe77cd6 --- /dev/null +++ b/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-cni-plugins.yaml 
@@ -0,0 +1,36 @@
+#
+# cloned from https://github.com/nokia/danm/blob/v4.3.0/integration/manifests/cni_plugins/cni_plugins_ds.yaml
+#
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: danm-cni
+ namespace: kube-system
+spec:
+ selector:
+ matchLabels:
+ danm.k8s.io: danm-cni
+ template:
+ metadata:
+ labels:
+ danm.k8s.io: danm-cni
+ spec:
+ containers:
+ - name: danm-cni
+ image: danm-cni-plugins
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - name: host-cni
+ mountPath: /host/cni
+ - name: host-net-d
+ mountPath: /host/net.d
+ hostNetwork: true
+ terminationGracePeriodSeconds: 0
+ volumes:
+ - name: host-cni
+ hostPath:
+ path: /opt/cni/bin
+ - name: host-net-d
+ hostPath:
+ path: /etc/cni/net.d
diff --git a/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-netwatcher-daemonset.yaml b/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-netwatcher-daemonset.yaml
new file mode 100644
index 00000000..1b61a04a
--- /dev/null
+++ b/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-netwatcher-daemonset.yaml
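Review bot: In danm-cni-plugins.yaml the container is referenced as `image: danm-cni-plugins` with `imagePullPolicy: IfNotPresent`, so each node runs whatever local image currently carries that name, with no tag or digest tying it to the v4.3.0 source named in the header comment. That matters here because the pod mounts the host's `/opt/cni/bin` and `/etc/cni/net.d` through hostPath volumes, which are the standard locations for CNI binaries and configuration on a node (indentation is lost on this page, so the exact nesting is inferred). I would pin the reference, for example `image: <REGISTRY>/danm-cni-plugins@sha256:<DIGEST>` (placeholders), and add a comment above `volumes:` stating why the mounts need to be writable, presumably because the container copies the plugins onto the host. The same untagged-image pattern appears as `image: netwatcher` in danm-netwatcher-daemonset.yaml.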
@@ -0,0 +1,94 @@
+#
+# cloned from https://github.com/nokia/danm/tree/v4.3.0/integration/manifests/netwatcher
+#
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: netwatcher
+ namespace: kube-system
+ labels:
+ kubernetes.io/cluster-service: "true"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:netwatcher
+rules:
+rules:
+- apiGroups:
+ - danm.k8s.io
+ resources:
+ - danmnets
+ - clusternetworks
+ - tenantnetworks
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+- apiGroups:
+ - k8s.cni.cncf.io
+ resources:
+ - network-attachment-definitions
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:netwatcher
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:netwatcher
+subjects:
+- kind: ServiceAccount
+ namespace: kube-system
+ name: netwatcher
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: netwatcher
+ namespace: kube-system
+spec:
+ selector:
+ matchLabels:
+ danm.k8s.io: netwatcher
+ template:
+ metadata:
+ labels:
+ danm.k8s.io: netwatcher
+ spec:
+ serviceAccountName: netwatcher
+ hostNetwork: true
+ dnsPolicy: ClusterFirst
+ hostIPC: true
+ hostPID: true
+ containers:
+ - name: netwatcher
+ image: netwatcher
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ capabilities:
+ add:
+ - SYS_PTRACE
+ - SYS_ADMIN
+ - NET_ADMIN
+ - NET_RAW
+ tolerations:
+ - effect: NoSchedule
+ operator: Exists
+ - effect: NoExecute
+ operator: Exists
+ terminationGracePeriodSeconds: 0
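Review bot: The ClusterRole `system:netwatcher` carries the `rules:` key twice in a row; the YAML spec requires unique mapping keys and strict parsers reject duplicates, so the second `rules:` line should be dropped. Separately, the DaemonSet combines `hostNetwork: true`, `hostIPC: true` and `hostPID: true` with added `SYS_PTRACE`, `SYS_ADMIN`, `NET_ADMIN` and `NET_RAW`, and both tolerations use `operator: Exists` without a key, so the pod is scheduled onto every node regardless of taints. That is close to root on each host, so I would add a comment above `securityContext:` recording which netwatcher function needs each capability and host namespace, which lets the set be trimmed later. The role also reuses the `system:` prefix and the `kubernetes.io/bootstrapping: rbac-defaults` label that Kubernetes applies to its own built-in roles; a plain name such as `danm-netwatcher` (suggested) would keep it distinguishable from them in an RBAC audit.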
diff --git a/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-webhook-create-signed-cert.sh b/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-webhook-create-signed-cert.sh new file mode 100755 index 00000000..d1486f62 --- /dev/null +++ b/tools/k8s/cluster-deployment/k8scluster/roles/clustermanager/files/danm-webhook-create-signed-cert.sh @@ -0,0 +1,121 @@ +#!/bin/sh + +set -e + +usage() { + cat <> ${tmpdir}/csr.conf +[req] +req_extensions = v3_req +distinguished_name = req_distinguished_name +[req_distinguished_name] +[ v3_req ] +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth +subjectAltName = @alt_names +[alt_names] +DNS.1 = ${service} +DNS.2 = ${service}.${namespace} +DNS.3 = ${service}.${namespace}.svc +EOF + +openssl genrsa -out ${tmpdir}/server-key.pem 2048 +openssl req -new -key ${tmpdir}/server-key.pem -subj "/CN=${service}.${namespace}.svc" -out ${tmpdir}/server.csr -config ${tmpdir}/csr.conf + +# clean-up any previously created CSR for our service. Ignore errors if not present. +kubectl delete csr ${csrName} 2>/dev/null || true + +# create server cert/key CSR and send to k8s API +cat <