
kubernetes-ansible's Introduction

Install and configure Kubernetes on OpenStack using ansible and terraform

Main goals

  • Install etcd server
  • Install docker
  • Install flanneld and put config in etcd
  • Install Kubernetes package
  • Configure Kubernetes master
  • Configure Kubernetes minion
  • Install kube-dns service discovery and DNS resolution pod

Available Addons

  • DNS for Service Discovery
  • Kubernetes UI
  • Logging Service for containers

NOTE

Each addon is enabled by default but can be disabled by changing the options within group_vars/all.yml. All of the addons depend on the DNS addon for Service Discovery.

Provision Openstack environment

  • Install terraform

      # change 0.6.9 to the desired version
      wget -q -O terraform.zip https://dl.bintray.com/mitchellh/terraform/terraform_0.6.9_linux_amd64.zip
      unzip terraform.zip -d /usr/local/bin
    
  • Install pip package (CentOS/RedHat)

      # yum install python-devel python-pip
    
  • Install the OpenStack command-line clients

When following the instructions in this section, replace PROJECT with the lowercase name of the client to install, such as nova. Repeat for each client. The following values are valid:

    - barbican - Key Manager Service API
    - ceilometer - Telemetry API
    - cinder - Block Storage API and extensions
    - glance - Image service API
    - heat - Orchestration API
    - magnum - Containers service API
    - manila - Shared file systems API
    - mistral - Workflow service API
    - murano - Application catalog API
    - neutron - Networking API
    - nova - Compute API and extensions
    - sahara - Data Processing API
    - swift - Object Storage API
    - trove - Database service API
    - tuskar - Deployment service API
    - openstack - Common OpenStack client supporting multiple services

    # How to install with pip:
    pip install python-PROJECTclient
    (Replace PROJECT with the lowercase name of the client)

    # How to update with pip:
    pip install --upgrade python-PROJECTclient
    (Replace PROJECT with the lowercase name of the client)

    # To remove the client, run the pip uninstall command:
    pip uninstall python-PROJECTclient
    (Replace PROJECT with the lowercase name of the client)

Additional OpenStack CLI information here

  • Download the Openstack RC file from the Openstack Project Web Interface (Access & Security --> API Access)

      source openrc.sh
      # prompted for your password for the Openstack Project
    
  • Provide configurations for Openstack (From GitHub branch https://github.com/CiscoCloud/kubernetes-ansible/tree/master/terraform)

      cp terraform/openstack.sample.tf openstack.tf
      cp terraform/terraform.tfvars terraform.tfvars
    
      # edit the terraform.tfvars file by providing the following
    
      - auth_url (found within *openrc.sh)
      - tenant_id (found within *openrc.sh)
      - tenant_name (found within *openrc.sh)
      - location of ssh public key and a unique name
      - VM Flavor for Master node (*nova flavor-list)
      - VM Flavor for Worker node (*nova flavor-list)
      - Network ID (*nova net-list)
      - OS Image Name (*nova image-list)
      - Number of worker nodes
      - size (GB) of storage for kubernetes master to use
    
      *nova - example if you are using the NOVA Compute API and extensions
      *openrc.sh - the RC file downloaded from the Openstack Project Web Interface
    

Note: You must use an image with cloud-init pre-installed.

  • Provision Environment

      terraform get (Get modules)
      terraform plan (Checking configuration)
      terraform apply (Apply the configuration)
    
  • Verify SSH access to the hosts

      ansible -m ping all
    

Firewall notice

If you are running on a cloud provider, make sure that the firewall configuration permits traffic between nodes. If you used terraform to provision the environment, a security group has already been created for you.

Port list on roles: TBD

Prepare environment

There are 3 main roles:

  • etcd server
  • kubernetes master
  • kubernetes node (minion)

You can safely combine etcd and the kubernetes master on one host, and you can also run a kubernetes minion on that host.

For this setup you will need 1 host as the kubernetes master and 2 or more hosts as minions. At least 2 minion nodes are needed to use flannel or any other networking for kubernetes.

If you already have prepared hosts you can provide a simple ansible inventory (a sample is in the root of the project).

Run ansible playbooks

Use Getting started with Ansible if you are not familiar with ansible.

Verify that ansible can reach your hosts.

ansible -m ping all

Validate the global configurations found in group_vars/all.yml and update as needed.

To run ansible on hosts you prepared run:

ansible-playbook -i inventory setup.yml

If you used Terraform to provision your hosts, a plugin is provided that dynamically extracts the inventory from the .tfstate file.

ansible-playbook setup.yml

The same plugin can be used either to print out a list of hosts or to add those hosts to your local /etc/hosts file so that you can reference the hosts by name.

The following command will append the hosts to your /etc/hosts file.

./plugins/inventory/terraform.py --hostfile >> /etc/hosts
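The following is an added example, not the project's own plugins/inventory/terraform.py. It shows what such a plugin has to do: walk a Terraform 0.6 state file (assumed layout: a top-level "modules" list whose entries carry a "resources" map with primary.attributes; the attribute names name, access_ip_v4 and metadata.role are the ones visible in the terraform output elsewhere on this page), emit /etc/hosts lines and role groups, and, unlike `>> /etc/hosts`, merge idempotently so re-running does not pile up duplicate or stale entries. The state document below is constructed.

```python
"""Generate /etc/hosts lines and role groups from a Terraform 0.6 state file.

Added example, not the project's plugins/inventory/terraform.py. Assumes the
Terraform 0.6 state layout and the attribute names seen in this page's
terraform output. SAMPLE_TFSTATE is constructed.
"""
import ipaddress
import json

# Constructed minimal terraform.tfstate (Terraform 0.6 layout, assumed).
SAMPLE_TFSTATE = json.dumps({
    "version": 1,
    "serial": 3,
    "modules": [
        {"path": ["root"], "outputs": {}, "resources": {}},
        {"path": ["root", "k8s-hosts"], "outputs": {}, "resources": {
            "openstack_compute_instance_v2.master": {
                "type": "openstack_compute_instance_v2",
                "primary": {"id": "aaaa", "attributes": {
                    "name": "k8s-master-01", "access_ip_v4": "10.10.0.5",
                    "metadata.role": "master", "metadata.ssh_user": "centos"}}},
            "openstack_compute_instance_v2.node.0": {
                "type": "openstack_compute_instance_v2",
                "primary": {"id": "bbbb", "attributes": {
                    "name": "k8s-node-01", "access_ip_v4": "10.10.0.6",
                    "metadata.role": "node", "metadata.ssh_user": "centos"}}},
            "openstack_compute_instance_v2.node.1": {
                "type": "openstack_compute_instance_v2",
                "primary": {"id": "cccc", "attributes": {
                    "name": "k8s-node-02", "access_ip_v4": "",  # not allocated yet
                    "metadata.role": "node", "metadata.ssh_user": "centos"}}},
            # A non-instance resource that the walker must ignore.
            "openstack_compute_secgroup_v2.cluster": {
                "type": "openstack_compute_secgroup_v2",
                "primary": {"id": "dddd", "attributes": {"name": "cluster.local"}}},
        }},
    ],
})


def instances(state_text):
    """Yield (hostname, ip, role) for every compute instance with a usable IPv4 address."""
    state = json.loads(state_text)
    for module in state.get("modules", []):
        for res in module.get("resources", {}).values():
            if res.get("type") != "openstack_compute_instance_v2":
                continue
            attrs = res["primary"]["attributes"]
            ip = attrs.get("access_ip_v4", "")
            try:
                ipaddress.IPv4Address(ip)  # rejects "", "<computed>" and other junk
            except ValueError:
                continue
            yield attrs["name"], ip, attrs.get("metadata.role", "")


def hosts_lines(state_text):
    """Lines in /etc/hosts format ("ip hostname"), sorted."""
    return sorted(f"{ip} {name}" for name, ip, _role in instances(state_text))


def inventory(state_text):
    """Ansible-style groups keyed by the instance's metadata.role."""
    groups = {}
    for name, _ip, role in instances(state_text):
        groups.setdefault(role, []).append(name)
    return {role: sorted(names) for role, names in groups.items()}


def merge_hosts_file(existing_text, state_text):
    """Return the existing /etc/hosts content with cluster lines added or replaced.

    Any existing line that names one of the cluster hosts is dropped and
    re-emitted from the state, so repeated runs converge instead of appending.
    """
    cluster = {line.split()[1]: line for line in hosts_lines(state_text)}
    kept = []
    for line in existing_text.splitlines():
        names = line.split("#", 1)[0].split()[1:]  # hostnames, comment stripped
        if any(n in cluster for n in names):
            continue
        kept.append(line)
    return "\n".join(kept + list(cluster.values())) + "\n"


if __name__ == "__main__":
    for line in hosts_lines(SAMPLE_TFSTATE):
        print(line)
    print(json.dumps(inventory(SAMPLE_TFSTATE)))
```

Instances without an address yet (the state records `access_ip_v4` as empty or `<computed>` until the server is up) are skipped rather than written as junk lines, and the merge keeps unrelated entries such as `localhost` untouched.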

Validate Ansible playbooks

Install Serverspec environment :

bundle install --path vendor/bundle

Run the Serverspec tests for all nodes and specs in parallel (using 8 threads), print a short summary in JSON format and return exit code 0 when validation of the Ansible playbooks succeeds:

bundle exec rake -m -j 8

Run Serverspec tests for different plays in parallel :

bundle exec rake spec:play:All -m -j 8
bundle exec rake spec:play:Master -m -j 8
bundle exec rake spec:play:Node -m -j 8

Show all available Rake-tasks :

bundle exec rake -T

To use a different RSpec output format (json is the default):

FORMAT=documentation bundle exec rake spec:play:All -m -j 8
FORMAT=json bundle exec rake spec:play:All -m -j 8
FORMAT=progress bundle exec rake spec:play:All -m -j 8

JSON output format

When using FORMAT=json (the default) the output contains only the test summary:

{
  "succeed": true,
  "example_count": 490,
  "failure_count": 0
}

Detailed results can be found in the serverspec_results.json file in the project root directory:

[
  {
    "name": "docker::k-master-01",
    "exit_code": 0,
    "output": {
      "version": "3.4.0",
      "examples": [
        {
          "description": "should be installed",
          "full_description": "docker : Main | Package \"docker\" should be installed",
          "status": "passed",
          "file_path": "./roles/docker/spec/main_spec.rb",
          "line_number": 5,
          "run_time": 3.202775,
          "pending_message": null
        },
        {
          "description": "should be enabled",
          "full_description": "docker : Main | Service \"docker\" should be enabled",
          "status": "passed",
          "file_path": "./roles/docker/spec/main_spec.rb",
          "line_number": 9,
          "run_time": 0.443939,
          "pending_message": null
        }
      ],
      "summary": {
        "duration": 4.07774,
        "example_count": 3,
        "failure_count": 0,
        "pending_count": 0
      },
      "summary_line": "3 examples, 0 failures"
    }
  },
  {
    "name": "flannel::k-master-01",
    "exit_code": 0,
    "output": {
      "version": "3.4.0",
      "examples": [
        {
          "description": "should be installed",
          "full_description": "flannel : Main |  Service | Package \"flannel\" should be installed",
          "status": "passed",
          "file_path": "./roles/flannel/spec/main_spec.rb",
          "line_number": 6,
          "run_time": 3.253822,
          "pending_message": null
        }
      ],
      "summary": {
        "duration": 6.399068,
        "example_count": 10,
        "failure_count": 0,
        "pending_count": 0
      },
      "summary_line": "10 examples, 0 failures"
    }
  }
]
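As an added example (not part of kubernetes-ansible), here is a small reader for the serverspec_results.json layout shown above: a list of records named `role::host`, each with an `exit_code`, the RSpec `examples` and a `summary`. It lists every failing example with its spec file and line, and rebuilds the short `{succeed, example_count, failure_count}` summary, treating a non-zero `exit_code` with no recorded failure (a spec that crashed before running) as a failure rather than a silent pass. The records below are constructed.

```python
"""Summarise a serverspec_results.json file in the layout shown on this page.

Added example; not part of kubernetes-ansible. SAMPLE_RESULTS is constructed
in the README's layout: one clean role and one with a failing example.
"""
import json

SAMPLE_RESULTS = json.dumps([
    {
        "name": "docker::k-master-01",
        "exit_code": 0,
        "output": {
            "version": "3.4.0",
            "examples": [
                {"description": "should be installed",
                 "full_description": "docker : Main | Package \"docker\" should be installed",
                 "status": "passed", "file_path": "./roles/docker/spec/main_spec.rb",
                 "line_number": 5, "run_time": 3.2, "pending_message": None},
            ],
            "summary": {"duration": 3.2, "example_count": 1, "failure_count": 0, "pending_count": 0},
            "summary_line": "1 example, 0 failures",
        },
    },
    {
        "name": "flannel::k-node-01",
        "exit_code": 1,
        "output": {
            "version": "3.4.0",
            "examples": [
                {"description": "should be enabled",
                 "full_description": "flannel : Main | Service \"flanneld\" should be enabled",
                 "status": "failed", "file_path": "./roles/flannel/spec/main_spec.rb",
                 "line_number": 9, "run_time": 0.4, "pending_message": None},
                {"description": "should be installed",
                 "full_description": "flannel : Main | Package \"flannel\" should be installed",
                 "status": "passed", "file_path": "./roles/flannel/spec/main_spec.rb",
                 "line_number": 6, "run_time": 3.2, "pending_message": None},
            ],
            "summary": {"duration": 3.6, "example_count": 2, "failure_count": 1, "pending_count": 0},
            "summary_line": "2 examples, 1 failure",
        },
    },
])


def parse_results(text):
    """Return (role, host, record) tuples; 'name' is 'role::host' in this layout."""
    records = []
    for entry in json.loads(text):
        role, _, host = entry["name"].partition("::")
        records.append((role, host, entry))
    return records


def failures(text):
    """Every non-passing example as (host, role, full_description, file_path, line_number)."""
    out = []
    for role, host, entry in parse_results(text):
        for ex in entry["output"]["examples"]:
            if ex["status"] != "passed":
                out.append((host, role, ex["full_description"], ex["file_path"], ex["line_number"]))
    return out


def summary(text):
    """Rebuild the short summary ({succeed, example_count, failure_count}).

    A record with exit_code != 0 but failure_count == 0 means the spec run
    itself broke; it is counted as not succeeded so it cannot pass silently.
    """
    example_count = failure_count = 0
    crashed = False
    for _role, _host, entry in parse_results(text):
        s = entry["output"]["summary"]
        example_count += s["example_count"]
        failure_count += s["failure_count"]
        if entry["exit_code"] != 0 and s["failure_count"] == 0:
            crashed = True
    return {"succeed": failure_count == 0 and not crashed,
            "example_count": example_count, "failure_count": failure_count}


def hosts_with_failures(text):
    """Sorted list of hosts that have at least one failing example."""
    return sorted({host for host, *_ in failures(text)})


if __name__ == "__main__":
    print(json.dumps(summary(SAMPLE_RESULTS), indent=2))
    for host, role, desc, path, line in failures(SAMPLE_RESULTS):
        print(f"{host}: {role}: {desc} ({path}:{line})")
```

To run it against a real file, replace SAMPLE_RESULTS with `open("serverspec_results.json").read()`; the `file_path:line_number` pairs point straight at the spec assertion in the corresponding role.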

Check cluster deployment

Validate Control

  • Check if all nodes are ready

      kubectl get nodes -o wide
    
  • Check if all Pods, Replication Controllers and Services are running

      kubectl get rc,svc,po --all-namespaces -o wide
    
  • Check status of Kubernetes processes

      sudo systemctl status etcd kube-apiserver kube-controller-manager kube-scheduler -l
    
  • View logs of Kubernetes processes

      sudo journalctl -u etcd
      sudo journalctl -u kube-apiserver
      sudo journalctl -u kube-controller-manager
      sudo journalctl -u kube-scheduler
    
  • Verify DNS working

      # https://github.com/GoogleCloudPlatform/kubernetes/tree/v1.0.1/cluster/addons/dns
      # busybox.yaml
      apiVersion: v1
      kind: Pod
      metadata:
        name: busybox
        namespace: default
      spec:
        containers:
        - image: busybox
          command:
            - sleep
            - "3600"
          imagePullPolicy: IfNotPresent
          name: busybox
        restartPolicy: Always
    
    
      kubectl create -f busybox.yaml
      kubectl get pods busybox
      kubectl exec busybox -- nslookup kubernetes
    
  • Verify NAT settings

      sudo iptables -t nat -L -n -v
    

Validate Nodes

  • Check status of Kubernetes processes

      sudo systemctl status kubelet kube-proxy flanneld docker -l
    
  • View logs of Kubernetes processes

      sudo journalctl -u kubelet
      sudo journalctl -u kube-proxy
      sudo journalctl -u flanneld
      sudo journalctl -u docker
    
  • Verify NAT settings

      sudo iptables -t nat -L -n -v
    

kubernetes-ansible's People

Contributors

altvnk, antimack, kenjones-cisco, ldejager, mor-sergei, xshyamx, xt99


kubernetes-ansible's Issues

Help with guestbook example

I have the kubernetes cluster up, just can't seem to make the guestbook example reachable from the outside in the final step. It's likely user error on my part, any advice would be awesome.

Integrate kubernetes-ansible into Mantl

We need to start the integration process as it was earlier discussed. The idea is to integrate Kubernetes into Mantl as an optional component. Users will have a choice to use either Mesos or Kubernetes.

We should freeze work on new features and/or concentrate on those features only that will be required and applicable in the Mantl project. Our goals are stability, clear, high-quality code and a lot of tests.

There are some subtasks that will require concentrated and distinct efforts:

  • Make all code consistent with the Mantl code base and write relevant documentation with some examples how to leverage Kubernetes.
  • Review all issues in the light of the discussed integration, as some of them may not have sense anymore, or we'd need to rethink them. For example, if we really need Sensu being supplied with Kubernetes or it should go as a separate project/role.
  • Calico vs. flannel (current implementation). Calico was merged into Mantl as an optional component. flannel is simpler to set up and already widely tested in this project. If we stay with Calico, update to the latest version might be required (right now we use calico-docker v0.4.9, latest version is v1.1.0).
  • Calico uses etcd and the appropriate role has been already merged. It might be a good idea to reuse that role.
  • Extend the Mantl deployment system adding functionality to deploy Kubernetes (the branch feature/mi-deploy).

Openstack (only) or Cloud Providers in general

The tag line on the repository says "Install and configure Google Kubernetes on OpenStack",
and the README refers to the terraform directory for provisioning an Openstack environment.

But within the terraform directory, there are the samples for AWS and GCE.

Are we planning to support just Openstack, and thus could probably remove the other files from terraform? Or is the plan to support Cloud Providers in general but our focus and primary use case is Openstack?

Probably best to be clear on objectives.

Make etcd more reliable

In terms of #15 we need to make etcd run in clustered mode. For this we need:

  • at least 3 nodes running etcd
  • make sure they can join cluster (discovery URL? public/private?)
  • address all the components to the etcd cluster (how k8s components doing failover to another etcd instance?)

Feel free to add yours

Command line tool

As a Tenant, I can create a Kubernetes cluster via the command line on CloudProvider (OpenStack) so that cluster creation can be automated

Move to Fedora

Since all the stuff we are deploying here is pretty bleeding-edge and almost everything is outdated for us in CentOS (like this #7) I propose swapping the underlying OS to Fedora (e.g. 22).

Kubernetes HA

As a tenant, I can deploy Kubernetes in an HA manner so that deployments are more reliable and production ready

upgrading environment fails because components not restarted

After the series of updates to etcd and the downstream dependencies within kubernetes components, the interactions with etcd would fail when running the updated ansible roles.

Basically the components were notified to restart but by the time they are used by other components they had not already been restarted and the previous configuration was not compatible.

Look at leveraging - meta: flush_handlers at certain points to make sure those handlers are executed prior to those services being consumed.

Because some of the changes are incompatible with existing installations, may need to teardown to clean up the kubernetes installation.

RPM Updated (missing requirement)

TASK: [master | install kubernetes master] ************************************
failed: [k8s-master-01] => {"changed": false, "failed": true, "rc": 1, "results": ["Loaded plugins: fastestmirror\nLoading mirror speeds from cached hostfile\n * base: linux.cc.lehigh.edu\n * epel: mirror.clarkson.edu\n * extras: mirror.trouble-free.net\n * updates: mirror.es.its.nyu.edu\nResolving Dependencies\n--> Running transaction check\n---> Package kubernetes.x86_64 0:1.1.0-0.12.gitb5a4a54.el7 will be installed\n--> Processing Dependency: kubernetes-node = 1.1.0-0.12.gitb5a4a54.el7 for package: kubernetes-1.1.0-0.12.gitb5a4a54.el7.x86_64\n--> Processing Dependency: kubernetes-master = 1.1.0-0.12.gitb5a4a54.el7 for package: kubernetes-1.1.0-0.12.gitb5a4a54.el7.x86_64\n--> Running transaction check\n---> Package kubernetes-master.x86_64 0:1.1.0-0.12.gitb5a4a54.el7 will be installed\n--> Processing Dependency: kubernetes-client = 1.1.0-0.12.gitb5a4a54.el7 for package: kubernetes-master-1.1.0-0.12.gitb5a4a54.el7.x86_64\n---> Package kubernetes-node.x86_64 0:1.1.0-0.12.gitb5a4a54.el7 will be installed\n--> Processing Dependency: socat for package: kubernetes-node-1.1.0-0.12.gitb5a4a54.el7.x86_64\n--> Processing Dependency: docker for package: kubernetes-node-1.1.0-0.12.gitb5a4a54.el7.x86_64\n--> Running transaction check\n---> Package docker.x86_64 1:1.8.1-2.git32b8b25.el7 will be installed\n--> Processing Dependency: selinux-policy >= 3.13.1-114 for package: 1:docker-1.8.1-2.git32b8b25.el7.x86_64\n--> Processing Dependency: docker-selinux >= 1:1.8.1-2.git32b8b25.el7 for package: 1:docker-1.8.1-2.git32b8b25.el7.x86_64\n--> Processing Dependency: lvm2 for package: 1:docker-1.8.1-2.git32b8b25.el7.x86_64\n---> Package kubernetes-client.x86_64 0:1.1.0-0.12.gitb5a4a54.el7 will be installed\n---> Package socat.x86_64 0:1.7.2.2-5.el7 will be installed\n--> Running transaction check\n---> Package docker.x86_64 1:1.8.1-2.git32b8b25.el7 will be installed\n--> Processing Dependency: selinux-policy >= 3.13.1-114 for package: 1:docker-1.8.1-2.git32b8b25.el7.x86_64\n---> 
Package docker-selinux.x86_64 1:1.8.1-2.git32b8b25.el7 will be installed\n--> Processing Dependency: policycoreutils-python-utils for package: 1:docker-selinux-1.8.1-2.git32b8b25.el7.x86_64\n---> Package lvm2.x86_64 7:2.02.115-3.el7_1.1 will be installed\n--> Processing Dependency: lvm2-libs = 7:2.02.115-3.el7_1.1 for package: 7:lvm2-2.02.115-3.el7_1.1.x86_64\n--> Processing Dependency: device-mapper-persistent-data >= 0.3.2-1 for package: 7:lvm2-2.02.115-3.el7_1.1.x86_64\n--> Processing Dependency: liblvm2app.so.2.2(Base)(64bit) for package: 7:lvm2-2.02.115-3.el7_1.1.x86_64\n--> Processing Dependency: libdevmapper-event.so.1.02(Base)(64bit) for package: 7:lvm2-2.02.115-3.el7_1.1.x86_64\n--> Processing Dependency: liblvm2app.so.2.2()(64bit) for package: 7:lvm2-2.02.115-3.el7_1.1.x86_64\n--> Processing Dependency: libdevmapper-event.so.1.02()(64bit) for package: 7:lvm2-2.02.115-3.el7_1.1.x86_64\n--> Running transaction check\n---> Package device-mapper-event-libs.x86_64 7:1.02.93-3.el7_1.1 will be installed\n---> Package device-mapper-persistent-data.x86_64 0:0.4.1-2.el7 will be installed\n--> Processing Dependency: libaio.so.1(LIBAIO_0.4)(64bit) for package: device-mapper-persistent-data-0.4.1-2.el7.x86_64\n--> Processing Dependency: libaio.so.1(LIBAIO_0.1)(64bit) for package: device-mapper-persistent-data-0.4.1-2.el7.x86_64\n--> Processing Dependency: libaio.so.1()(64bit) for package: device-mapper-persistent-data-0.4.1-2.el7.x86_64\n---> Package docker.x86_64 1:1.8.1-2.git32b8b25.el7 will be installed\n--> Processing Dependency: selinux-policy >= 3.13.1-114 for package: 1:docker-1.8.1-2.git32b8b25.el7.x86_64\n---> Package docker-selinux.x86_64 1:1.8.1-2.git32b8b25.el7 will be installed\n--> Processing Dependency: policycoreutils-python-utils for package: 1:docker-selinux-1.8.1-2.git32b8b25.el7.x86_64\n---> Package lvm2-libs.x86_64 7:2.02.115-3.el7_1.1 will be installed\n--> Processing Dependency: device-mapper-event = 7:1.02.93-3.el7_1.1 for package: 
7:lvm2-libs-2.02.115-3.el7_1.1.x86_64\n--> Running transaction check\n---> Package device-mapper-event.x86_64 7:1.02.93-3.el7_1.1 will be installed\n---> Package docker.x86_64 1:1.8.1-2.git32b8b25.el7 will be installed\n--> Processing Dependency: selinux-policy >= 3.13.1-114 for package: 1:docker-1.8.1-2.git32b8b25.el7.x86_64\n---> Package docker-selinux.x86_64 1:1.8.1-2.git32b8b25.el7 will be installed\n--> Processing Dependency: policycoreutils-python-utils for package: 1:docker-selinux-1.8.1-2.git32b8b25.el7.x86_64\n---> Package libaio.x86_64 0:0.3.109-12.el7 will be installed\n--> Finished Dependency Resolution\n You could try using --skip-broken to work around the problem\n You could try running: rpm -Va --nofiles --nodigest\n"]}
msg: Error: Package: 1:docker-selinux-1.8.1-2.git32b8b25.el7.x86_64 (virt7-docker-common-candidate)
           Requires: policycoreutils-python-utils
Error: Package: 1:docker-1.8.1-2.git32b8b25.el7.x86_64 (virt7-docker-common-candidate)
           Requires: selinux-policy >= 3.13.1-114
           Installed: selinux-policy-3.13.1-23.el7_1.8.noarch (installed)
               selinux-policy = 3.13.1-23.el7_1.8
           Available: selinux-policy-3.13.1-23.el7.noarch (base)
               selinux-policy = 3.13.1-23.el7
           Available: selinux-policy-3.13.1-23.el7_1.7.noarch (updates)
               selinux-policy = 3.13.1-23.el7_1.7
           Available: selinux-policy-3.13.1-23.el7_1.13.noarch (updates)
               selinux-policy = 3.13.1-23.el7_1.13

K8s-Guestbook-IP

As a tenant, when I run the guestbook example I can easily reach the guestbook itself so that the platform is easy to introduce to new tenants

Additional Info: Currently, this needs /etc/host modifications and other workarounds. It should be possible to enable a good experience

Sensu as monitoring system

We could use sensu as a monitoring system for core services. Also it can be used for metric shipping.

Basic authentication

As a tenant, my kubernetes cluster has authentication so that people from the internet cannot schedule workloads on my cluster

Make k8s services reachable from hosts

To be able to interact with k8s services it would be great to have a way to resolve their DNS names. For example we can put dnsmasq on hosts and forward k8s DNS zones to kube-dns which has a static IP.
This can be useful for monitoring services, etc.

Consul integration

As a Tenant, I can find K8s services via Consul so that I may integrate my non container services easily with k8s

@saswatp explained this use case to me and it seemed compelling. Consul sounds useful as a one-source of truth for the application's services.

Does this overlap with K8s roadmap or featureset?
Are there possible gotcha's with this idea?

Automated Load Balancer

As a tenant I can create a Load Balancer assignment to services via command line tool so that load balancers can be easily created

Refactor certificate distribution mechanism

When all master nodes are trying to get certificates from the master node in a shared ssh session, sshd fails and the ansible provisioning fails due to connectivity issues. A possible way is to archive the certificates and transfer them in a single operation, or to transfer the generated certs to the ansible host and then push them to the nodes.

Test OpenStack integration code

Need to test OpenStack integration in k8s, at least find out whether it is able to create an LB with external connectivity.

  • Provide cloud.cfg via Ansible and add relevant options to kube-apiserver, kube-scheduler
  • Decide the way how to provide cred's for OpenStack access:
    • read user ENV's with Ansible
    • fill out somewhere in Ansible variables
  • Check if k8s components can reach OpenStack API
  • Check service creation with external loadbalancer option enabled
  • Check OpenStack Cinder persistent volumes plugin

service account default/default was not found

Issue

When trying to create the busybox pod from the example, the following error is presented and no pods are created:
[root@rtmi-control-02 ~]# kubectl --server=http://localhost:8085 create -f ./busybox.yaml
Error from server: error when creating "./busybox.yaml": Pod "busybox" is forbidden: service account default/default was not found, retry after the service account is created

terraform apply fails with 404

From jump box in texas 3:

First time running after:

terraform get
terraform plan
terraform apply

or

terraform get
terraform plan -out david.plan
terraform apply -no-color -state-out=out.state -state=in.state david.plan

returns:


* openstack_compute_instance_v2.node.1: Error creating OpenStack server: Expected HTTP response code [201 202] when accessing [POST https://us-texas-3.cloud.cisco.com:8774/v2/723aafd28d964f95b4f9818ae90e41ac/servers], but got 403 instead

... repeated 3 times ...

I tried with terraform versions 0.6.3 and 0.6.6 because :

terraform --version 
Terraform v0.6.3

Your version of Terraform is out of date! The latest version
is 0.6.6. You can update by downloading from www.terraform.io

I got the same errors with either version.

If I re-run I get a new error.

Error applying plan:

1 error(s) occurred:

* openstack_compute_keypair_v2.keypair: Error creating OpenStack keypair: Expected HTTP response code [200] when accessing [POST https://us-texas-3.cloud.cisco.com:8774/v2/723aafd28d964f95b4f9818ae90e41ac/os-keypairs], but got 409 instead
{"conflictingRequest": {"message": "Key pair 'k8s-keypair' already exists.", "code": 409}}

After this trying:
check existing key pair, delete if the same name found
check existing volumes and security groups, delete if found.

Re-run, still fails with keypair error, but if the keypair is deleted it gets the 404 error.

Deleting the key pair and rerunning, deleting the security groups and volumes doesn't fix this either.

Each [partially successful] execution creates a new security group with the same name and a duplicate gluster image(s). The number of images depends on the number of master nodes specified.

The nodes aren't created.

commit in use:

commit 8b039e4b21f732cd652e8f67aa14458ee3b39c68
Merge: 6308a4d b7e8f8b
Author: Alexander Litvinenko <[email protected]>
Date:   Fri Oct 23 14:31:37 2015 +0300

    Merge pull request #92 from mor-sergei/master

    Kuberenetis-ansible-PR

commit b7e8f8b711bae9c2a5bd0b7a6d352939fb1f9762

Also note

It seems that either or both the keypair is created too late for authentication for the next steps and or it is created two or more times causing the subsequent attempt(s) to fail.

The complete first empty keypair run.

terraform apply -no-color -state-out=out.state -state=in.state david.plan
module.k8s-secgroup.openstack_compute_secgroup_v2.cluster: Creating...
  description:        "" => "Security Group for cluster.local1"
  name:               "" => "cluster.local1"
  region:             "" => "us-texas-3"
  rule.#:             "" => "3"
  rule.0.from_port:   "" => "1"
  rule.0.id:          "" => "<computed>"
  rule.0.ip_protocol: "" => "tcp"
  rule.0.self:        "" => "1"
  rule.0.to_port:     "" => "65535"
  rule.1.from_port:   "" => "1"
  rule.1.id:          "" => "<computed>"
  rule.1.ip_protocol: "" => "udp"
  rule.1.self:        "" => "1"
  rule.1.to_port:     "" => "65535"
  rule.2.cidr:        "" => "0.0.0.0/0"
  rule.2.from_port:   "" => "443"
  rule.2.id:          "" => "<computed>"
  rule.2.ip_protocol: "" => "tcp"
  rule.2.self:        "" => "0"
  rule.2.to_port:     "" => "443"
module.k8s-keypair.openstack_compute_keypair_v2.keypair: Creating...
  name:       "" => "k8s-keypair"
  public_key: "" => "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLBc78VNeigvu28a7J2H4p199NAI0RXPzPqTsohhSQPCLBSlIarVnNpRL+wXJpX5q8vV4OQ6gvVklDZzcEijnY4Uof97XAyedZ1UE9it35aCCEzIv9hEzPvIc/aRtggRxVG7r3E/JiKq9W/hDTHjrdhX0G+IgrYDAI9vhj9rEqM3l1O34xRlxETI9BoId1v00PVZG7salV0XLAkYJ09cpq4ArPXe+Un2VFBlz7oapRrbKDYSnytSvNY0rO8Y54DjZxueOpssBzMEQ3nbNpvmgLZFrBf7Iy7FSEnTXvdoKeGLHbnHP2FEd+HW3qVPafyfpLmBPYVCaX9sEI7hNF1WZX\n"
  region:     "" => "us-texas-3"
module.k8s-hosts.openstack_blockstorage_volume_v1.k8s-glusterfs: Creating...
  attachment.#:      "" => "<computed>"
  availability_zone: "" => "<computed>"
  description:       "" => "k8s-master-glusterfs-01"
  metadata.#:        "" => "1"
  metadata.usage:    "" => "container-volumes"
  name:              "" => "k8s-master-glusterfs-01"
  region:            "" => "us-texas-3"
  size:              "" => "1"
  volume_type:       "" => "<computed>"
module.k8s-keypair.openstack_compute_keypair_v2.keypair: Creation complete
module.k8s-secgroup.openstack_compute_secgroup_v2.cluster: Creation complete
module.k8s-hosts.openstack_compute_instance_v2.node.0: Creating...
  access_ip_v4:          "" => "<computed>"
  access_ip_v6:          "" => "<computed>"
  flavor_id:             "" => "<computed>"
  flavor_name:           "" => "GP2-Xlarge"
  image_id:              "" => "<computed>"
  image_name:            "" => "CentOS-71"
  key_pair:              "" => "k8s-keypair"
  metadata.#:            "" => "3"
  metadata.dc:           "" => "dc1"
  metadata.role:         "" => "node"
  metadata.ssh_user:     "" => "centos"
  name:                  "" => "k8s-node-01"
  network.#:             "" => "1"
  network.0.fixed_ip_v4: "" => "<computed>"
  network.0.fixed_ip_v6: "" => "<computed>"
  network.0.mac:         "" => "<computed>"
  network.0.name:        "" => "<computed>"
  network.0.port:        "" => "<computed>"
  network.0.uuid:        "" => "8f3508a9-d4f5-4f9c-a5da-fd7f04059303"
  region:                "" => "us-texas-3"
  security_groups.#:     "" => "2"
  security_groups.0:     "" => "cluster.local1"
  security_groups.1:     "" => "default"
module.k8s-hosts.openstack_compute_instance_v2.node.1: Creating...
  access_ip_v4:          "" => "<computed>"
  access_ip_v6:          "" => "<computed>"
  flavor_id:             "" => "<computed>"
  flavor_name:           "" => "GP2-Xlarge"
  image_id:              "" => "<computed>"
  image_name:            "" => "CentOS-71"
  key_pair:              "" => "k8s-keypair"
  metadata.#:            "" => "3"
  metadata.dc:           "" => "dc1"
  metadata.role:         "" => "node"
  metadata.ssh_user:     "" => "centos"
  name:                  "" => "k8s-node-02"
  network.#:             "" => "1"
  network.0.fixed_ip_v4: "" => "<computed>"
  network.0.fixed_ip_v6: "" => "<computed>"
  network.0.mac:         "" => "<computed>"
  network.0.name:        "" => "<computed>"
  network.0.port:        "" => "<computed>"
  network.0.uuid:        "" => "8f3508a9-d4f5-4f9c-a5da-fd7f04059303"
  region:                "" => "us-texas-3"
  security_groups.#:     "" => "2"
  security_groups.0:     "" => "cluster.local1"
  security_groups.1:     "" => "default"
module.k8s-hosts.openstack_compute_instance_v2.node.2: Creating...
  access_ip_v4:          "" => "<computed>"
  access_ip_v6:          "" => "<computed>"
  flavor_id:             "" => "<computed>"
  flavor_name:           "" => "GP2-Xlarge"
  image_id:              "" => "<computed>"
  image_name:            "" => "CentOS-71"
  key_pair:              "" => "k8s-keypair"
  metadata.#:            "" => "3"
  metadata.dc:           "" => "dc1"
  metadata.role:         "" => "node"
  metadata.ssh_user:     "" => "centos"
  name:                  "" => "k8s-node-03"
  network.#:             "" => "1"
  network.0.fixed_ip_v4: "" => "<computed>"
  network.0.fixed_ip_v6: "" => "<computed>"
  network.0.mac:         "" => "<computed>"
  network.0.name:        "" => "<computed>"
  network.0.port:        "" => "<computed>"
  network.0.uuid:        "" => "8f3508a9-d4f5-4f9c-a5da-fd7f04059303"
  region:                "" => "us-texas-3"
  security_groups.#:     "" => "2"
  security_groups.0:     "" => "cluster.local1"
  security_groups.1:     "" => "default"
module.k8s-hosts.openstack_blockstorage_volume_v1.k8s-glusterfs: Creation complete
module.k8s-hosts.openstack_compute_instance_v2.master: Creating...
  access_ip_v4:                "" => "<computed>"
  access_ip_v6:                "" => "<computed>"
  flavor_id:                   "" => "<computed>"
  flavor_name:                 "" => "GP2-Large"
  image_id:                    "" => "<computed>"
  image_name:                  "" => "CentOS-71"
  key_pair:                    "" => "k8s-keypair"
  metadata.#:                  "" => "3"
  metadata.dc:                 "" => "dc1"
  metadata.role:               "" => "master"
  metadata.ssh_user:           "" => "centos"
  name:                        "" => "k8s-master-01"
  network.#:                   "" => "1"
  network.0.fixed_ip_v4:       "" => "<computed>"
  network.0.fixed_ip_v6:       "" => "<computed>"
  network.0.mac:               "" => "<computed>"
  network.0.name:              "" => "<computed>"
  network.0.port:              "" => "<computed>"
  network.0.uuid:              "" => "8f3508a9-d4f5-4f9c-a5da-fd7f04059303"
  region:                      "" => "us-texas-3"
  security_groups.#:           "" => "2"
  security_groups.0:           "" => "cluster.local1"
  security_groups.1:           "" => "default"
  volume.#:                    "" => "1"
  volume.2650791260.device:    "" => "/dev/vdb"
  volume.2650791260.id:        "" => "<computed>"
  volume.2650791260.volume_id: "" => "fcc3d57f-6414-4982-a79a-39b31a5ddca3"
Error applying plan:

4 error(s) occurred:

* openstack_compute_instance_v2.node.0: Error creating OpenStack server: Expected HTTP response code [201 202] when accessing [POST https://us-texas-3.cloud.cisco.com:8774/v2/723aafd28d964f95b4f9818ae90e41ac/servers], but got 409 instead
{"conflictingRequest": {"message": "Multiple security_group matches found for name 'cluster.local1', use an ID to be more specific.", "code": 409}}
* openstack_compute_instance_v2.node.2: Error creating OpenStack server: Expected HTTP response code [201 202] when accessing [POST https://us-texas-3.cloud.cisco.com:8774/v2/723aafd28d964f95b4f9818ae90e41ac/servers], but got 409 instead
{"conflictingRequest": {"message": "Multiple security_group matches found for name 'cluster.local1', use an ID to be more specific.", "code": 409}}
* openstack_compute_instance_v2.node.1: Error creating OpenStack server: Expected HTTP response code [201 202] when accessing [POST https://us-texas-3.cloud.cisco.com:8774/v2/723aafd28d964f95b4f9818ae90e41ac/servers], but got 409 instead
{"conflictingRequest": {"message": "Multiple security_group matches found for name 'cluster.local1', use an ID to be more specific.", "code": 409}}
* openstack_compute_instance_v2.master: Error creating OpenStack server: Expected HTTP response code [201 202] when accessing [POST https://us-texas-3.cloud.cisco.com:8774/v2/723aafd28d964f95b4f9818ae90e41ac/servers], but got 409 instead
{"conflictingRequest": {"message": "Multiple security_group matches found for name 'cluster.local1', use an ID to be more specific.", "code": 409}}

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

The complete output of the subsequent run:

terraform apply -no-color -state-out=out.state -state=in.state david.plan
module.k8s-hosts.openstack_blockstorage_volume_v1.k8s-glusterfs: Creating...
  attachment.#:      "" => "<computed>"
  availability_zone: "" => "<computed>"
  description:       "" => "k8s-master-glusterfs-01"
  metadata.#:        "" => "1"
  metadata.usage:    "" => "container-volumes"
  name:              "" => "k8s-master-glusterfs-01"
  region:            "" => "us-texas-3"
  size:              "" => "1"
  volume_type:       "" => "<computed>"
module.k8s-secgroup.openstack_compute_secgroup_v2.cluster: Creating...
  description:        "" => "Security Group for cluster.local1"
  name:               "" => "cluster.local1"
  region:             "" => "us-texas-3"
  rule.#:             "" => "3"
  rule.0.from_port:   "" => "1"
  rule.0.id:          "" => "<computed>"
  rule.0.ip_protocol: "" => "tcp"
  rule.0.self:        "" => "1"
  rule.0.to_port:     "" => "65535"
  rule.1.from_port:   "" => "1"
  rule.1.id:          "" => "<computed>"
  rule.1.ip_protocol: "" => "udp"
  rule.1.self:        "" => "1"
  rule.1.to_port:     "" => "65535"
  rule.2.cidr:        "" => "0.0.0.0/0"
  rule.2.from_port:   "" => "443"
  rule.2.id:          "" => "<computed>"
  rule.2.ip_protocol: "" => "tcp"
  rule.2.self:        "" => "0"
  rule.2.to_port:     "" => "443"
module.k8s-keypair.openstack_compute_keypair_v2.keypair: Creating...
  name:       "" => "k8s-keypair"
  public_key: "" => "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLBc78VNeigvu28a7J2H4p199NAI0RXPzPqTsohhSQPCLBSlIarVnNpRL+wXJpX5q8vV4OQ6gvVklDZzcEijnY4Uof97XAyedZ1UE9it35aCCEzIv9hEzPvIc/aRtggRxVG7r3E/JiKq9W/hDTHjrdhX0G+IgrYDAI9vhj9rEqM3l1O34xRlxETI9BoId1v00PVZG7salV0XLAkYJ09cpq4ArPXe+Un2VFBlz7oapRrbKDYSnytSvNY0rO8Y54DjZxueOpssBzMEQ3nbNpvmgLZFrBf7Iy7FSEnTXvdoKeGLHbnHP2FEd+HW3qVPafyfpLmBPYVCaX9sEI7hNF1WZX\n"
  region:     "" => "us-texas-3"
module.k8s-secgroup.openstack_compute_secgroup_v2.cluster: Creation complete
module.k8s-hosts.openstack_blockstorage_volume_v1.k8s-glusterfs: Creation complete
Error applying plan:

1 error(s) occurred:

* openstack_compute_keypair_v2.keypair: Error creating OpenStack keypair: Expected HTTP response code [200] when accessing [POST https://us-texas-3.cloud.cisco.com:8774/v2/723aafd28d964f95b4f9818ae90e41ac/os-keypairs], but got 409 instead
{"conflictingRequest": {"message": "Key pair 'k8s-keypair' already exists.", "code": 409}}

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

Make etcd roles consistent

Both projects use etcd as a service discovery mechanism. The roles differ, so we'll need to make them consistent to make the integration process possible.

We may want to consider updating to the latest etcd 2.2.

Refactor Opportunities

  • refactor kube-proxy from master and minion roles to kubernetes
  • refactor install kubernetes-node on master and minion (provides kubectl, kube-proxy, kubelet)
  • leverage meta dependencies completely and simplify setup.yml

Current visual of role dependencies
[image: role-dependency-tree]

Extend platforms support where we can run Kubernetes

Mantl claims to support the following platforms:

  • OpenStack
  • Cisco MetaCloud
  • Cisco Cloud Services
  • GCE
  • AWS
  • DigitalOcean
  • VMware vSphere
  • Vagrant
  • SoftLayer

As far as I know, this project has been thoroughly tested on OpenStack only. If Kubernetes is going to become a part of Mantl, all major platforms should be supported (or at least most popular cloud providers). We may want to consider running this project on bare metal servers as well.

We should take into account that Kubernetes provides closer integration with some cloud providers, which allows us to leverage features that are unique to a cloud provider: https://github.com/kubernetes/kubernetes/tree/master/pkg/cloudprovider/providers
We may want to reuse this functionality.

Container Isolation

As a tenant, my containers are isolated from other containers on the platform so that my workload is secure

Weird SkyDNS error

TASK: [addons | SkyDNS | Write service file] **********************************
fatal: [kmster] => {'msg': "AnsibleError: Failed to template {{ kube_service_addresses|ipaddr('net')|ipaddr(253)|ipaddr('address') }}: The ipaddr filter requires python-netaddr be installed on the ansible controller", 'failed': True}
fatal: [kmster] => {'msg': "AnsibleError: Failed to template {{ kube_service_addresses|ipaddr('net')|ipaddr(253)|ipaddr('address') }}: The ipaddr filter requires python-netaddr be installed on the ansible controller", 'failed': True}

FATAL: all hosts have already failed -- aborting

PLAY RECAP *****************************************************************
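The failing expression derives the SkyDNS service IP from the service range: ipaddr('net') takes the network, ipaddr(253) picks the 253rd address in it, and ipaddr('address') strips the prefix length. The following POSIX shell snippet is an added example, not code from the kubernetes-ansible repository: it reproduces that calculation in plain shell arithmetic so the value can be checked without netaddr, and it tests whether the controller's interpreter can import netaddr before a play fails this way. The service range 10.254.0.0/16 (the default the cluster above appears to use, given the 10.254.0.1 address in the apiserver certificate reported further down) and the interpreter name in ANSIBLE_PYTHON are assumptions.

```shell
#!/bin/sh
# Added example, not part of the kubernetes-ansible repository: reproduce what
#   {{ kube_service_addresses|ipaddr('net')|ipaddr(253)|ipaddr('address') }}
# computes (the SkyDNS service IP) in plain shell arithmetic, and check the
# controller for python-netaddr before ansible-playbook gets that far.
set -eu

# Assumed default service range; the real value is in group_vars/all.yml.
KUBE_SERVICE_ADDRESSES="${KUBE_SERVICE_ADDRESSES:-10.254.0.0/16}"
# Assumed: the interpreter that ansible-playbook runs under.
ANSIBLE_PYTHON="${ANSIBLE_PYTHON:-python}"

# cidr_nth_ip CIDR N: print the Nth address of CIDR's network
# (what ipaddr('net') | ipaddr(N) | ipaddr('address') returns).
cidr_nth_ip() {
  cidr="$1"; n="$2"
  case "$cidr" in
    */*) ;;
    *) echo "cidr_nth_ip: no prefix length in '$cidr'" >&2; return 1 ;;
  esac
  case "$n" in
    ''|*[!0-9]*) echo "cidr_nth_ip: bad index '$n'" >&2; return 1 ;;
  esac
  ip="${cidr%/*}"; prefix="${cidr#*/}"
  case "$prefix" in
    ''|*[!0-9]*) echo "cidr_nth_ip: bad prefix in '$cidr'" >&2; return 1 ;;
  esac
  [ "$prefix" -le 32 ] || { echo "cidr_nth_ip: bad prefix in '$cidr'" >&2; return 1; }
  # Split the dotted quad into $1..$4 and validate each octet.
  old_ifs="$IFS"; IFS=.; set -- $ip; IFS="$old_ifs"
  [ $# -eq 4 ] || { echo "cidr_nth_ip: bad address in '$cidr'" >&2; return 1; }
  for octet in "$@"; do
    case "$octet" in
      ''|*[!0-9]*) echo "cidr_nth_ip: bad octet '$octet'" >&2; return 1 ;;
    esac
    [ "$octet" -le 255 ] || { echo "cidr_nth_ip: bad octet '$octet'" >&2; return 1; }
  done
  addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
  net=$(( addr & mask ))
  hostmask=$(( ~mask & 4294967295 ))
  # Keep the index inside the block; hostmask is the broadcast offset.
  if [ "$n" -gt "$hostmask" ]; then
    echo "cidr_nth_ip: index $n is outside $cidr" >&2; return 1
  fi
  host=$(( net + n ))
  printf '%d.%d.%d.%d\n' \
    $(( (host >> 24) & 255 )) $(( (host >> 16) & 255 )) \
    $(( (host >> 8) & 255 ))  $(( host & 255 ))
}

# controller_has_netaddr: 0 if $ANSIBLE_PYTHON can import netaddr.
controller_has_netaddr() {
  "$ANSIBLE_PYTHON" -c 'import netaddr' >/dev/null 2>&1
}

# Usage: derive the DNS IP and report whether the ipaddr filter will work here.
echo "SkyDNS service IP for $KUBE_SERVICE_ADDRESSES: $(cidr_nth_ip "$KUBE_SERVICE_ADDRESSES" 253)"
if controller_has_netaddr; then
  echo "netaddr: importable by $ANSIBLE_PYTHON; the ipaddr filter will work"
else
  echo "netaddr: not importable by $ANSIBLE_PYTHON; run: $ANSIBLE_PYTHON -m pip install netaddr" >&2
fi
```

The module has to be present on the controller, not on the managed hosts, because Jinja filters run where ansible-playbook runs; installing netaddr into the same interpreter that ansible-playbook uses is what clears the error.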

Automated IP Assignment - Design

As a tenant, I can assign an IP automatically to services on CloudProvider (OpenStack) via cmd line so that services can easily be made external

Currently tenants must modify their /etc/hosts file or do other hacky workarounds to reach the guestbook example in Kubernetes when running outside of Google App Engine. It would be great to automate this and create a better user experience.

Accessing k8s cluster from outside with generated certificates doesn't work

Hi there,

First, thanks for the repo, it has allowed us to advance with kubernetes internally a lot. I have been using this installation, but I cannot manage to access the created cluster with kubectl from an appliance outside of those specifically created by terraform (master or node machines).

I created a kubeconfig file in one of the masters (the main one, which has ip 192.168.0.69 on my openstack installation):

CLUSTER_NICK=k8s_test_cluster
SERVER_IP=192.168.0.69
K8S_SSL_PATH=/etc/kubernetes/ssl
CONFIG_PATH=/home/centos/.kube

USER_NICK=kube
username=kube
password=changeme

mkdir -p $CONFIG_PATH
# create kubeconfig entry
# (if TLS verification is not needed, replace --certificate-authority and
# --embed-certs with --insecure-skip-tls-verify=true)
kubectl config set-cluster $CLUSTER_NICK \
    --server=https://$SERVER_IP/api \
    --certificate-authority=$K8S_SSL_PATH/ca.crt \
    --embed-certs=true \
    --kubeconfig=$CONFIG_PATH/config

# create user entry
# (bearer token credentials generated on the kube master can be used instead:
# --token=$token; use either username|password or token, not both)
kubectl config set-credentials $USER_NICK \
    --username=$username \
    --password=$password \
    --client-certificate=$K8S_SSL_PATH/kubecfg.crt \
    --client-key=$K8S_SSL_PATH/kubecfg.key \
    --embed-certs=true \
    --kubeconfig=$CONFIG_PATH/config

# create context entry and make it the current one; without use-context the
# file is written with current-context: "" and kubectl falls back to
# http://localhost:8080
kubectl config set-context CONTEXT1 --cluster=$CLUSTER_NICK --user=$USER_NICK \
    --kubeconfig=$CONFIG_PATH/config
kubectl config use-context CONTEXT1 --kubeconfig=$CONFIG_PATH/config

The keys/certificates are the ones originally created through ansible. I copy the kubeconfig file to the standard location on a machine that is outside the kubernetes cluster (but within the same openstack internal network). This machine is in the same openstack security group as the one created for the k8s masters and nodes.

Checking the config on the external machine, this is loaded correctly:

user@ext-vm:~$ ./kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://192.168.0.69/api
  name: k8s_test_cluster
contexts:
- context:
    cluster: k8s_test_cluster
    user: kube
  name: CONTEXT1
current-context: ""
kind: Config
preferences: {}
users:
- name: kube
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
    password: changeme
    username: kube

When I try to access through kubectl from this external machine (to set up a proxy to it), however:

user@ext-vm:~$ ./kubectl proxy --api-prefix=/custom/
Starting to serve on localhost:8001error: couldn't read version from server: Get http://localhost:8080/api: dial tcp 127.0.0.1:8080: connection refused

it doesn't seem to consider the server setting of the config file but instead tries to find a local api-server to connect to.

However, if I explicitly add the --server tag:

user@ext-vm:~$ ./kubectl proxy --api-prefix=/custom/ --server=https://192.168.0.69/api
Starting to serve on localhost:8001Please enter Username: kube
Please enter Password: changeme
error: couldn't read version from server: Get https://192.168.0.69/api: x509: certificate is valid for 10.254.0.1, not 192.168.0.69

and only this works (ignoring the certificate):

user@ext-vm:~$ ./kubectl proxy --api-prefix=/custom/ --server=https://192.168.0.69/api --insecure-skip-tls-verify=true
Starting to serve on localhost:8001Please enter Username: kube
Please enter Password: changeme

At this point I can send commands through the REST api on the external machine (ext-vm).

user@ext-vm:~$ curl http://localhost:8001/custom/api/
{
  "kind": "APIVersions",
  "versions": [
    "v1"
  ]
}

What I see from the key/certificate creation in ansible is that it uses the service ip range, instead of the master's ip on the openstack network to generate the certificates. If I understand correctly, one of the ways of accessing the cluster from outside would be through kubectl dealing with the authentication and opening a proxy from there? or this is not intended in the way that you shaped this k8s installation? Or should I just create a different set of keys that make use of the openstack VM IP for the master that I'm trying to connect to and create a new kubeconfig with those keys/certificates (which I guess I need to give to the api-server)? Or am I using this wrong altogether and I shouldn't aim to have a proxy created outside the cluster?

Many thanks for any directions!
Pablo
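The x509 error above is the client doing its job: the apiserver's certificate lists only the service VIP 10.254.0.1 in its subjectAltName, so a connection to 192.168.0.69 cannot be authenticated. Passing --insecure-skip-tls-verify=true makes the command work by switching server authentication off entirely, which means the basic-auth password entered in that last run would be handed to anything answering on 192.168.0.69. The fix that keeps TLS meaningful is to issue the serving certificate with every address clients will use. The shell script below is an added example, not code from the kubernetes-ansible playbooks: it builds a throwaway CA and a serving certificate whose SAN covers the service VIP, the master's tenant-network IP and the usual in-cluster DNS names, then checks the result with openssl. The addresses are taken from the report above, the master name k8s-master-01 from the terraform output earlier on this page, and the throwaway CA stands in for the cluster CA in /etc/kubernetes/ssl, which is what a real reissue would sign with.

```shell
#!/bin/sh
# Added example, not code from the kubernetes-ansible playbooks: issue an
# apiserver serving certificate whose subjectAltName covers the service VIP
# AND the master's tenant-network IP, then check it with openssl.
set -eu

# Assumed values from the report above; change them for your cluster.
SERVICE_VIP="${SERVICE_VIP:-10.254.0.1}"
MASTER_IP="${MASTER_IP:-192.168.0.69}"
MASTER_NAME="${MASTER_NAME:-k8s-master-01}"
OUT_DIR="${OUT_DIR:-$(mktemp -d)}"

# make_apiserver_cert DIR SERVICE_VIP MASTER_IP MASTER_NAME
# Writes ca.crt/ca.key and server.crt/server.key into DIR.
make_apiserver_cert() {
  dir="$1"; vip="$2"; mip="$3"; mname="$4"
  mkdir -p "$dir"
  cat > "$dir/san.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = kube-apiserver
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_req]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt
[alt]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = $mname
IP.1 = $vip
IP.2 = $mip
EOF
  # Throwaway CA; in the playbooks this role belongs to /etc/kubernetes/ssl/ca.crt.
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$dir/ca.key" -config "$dir/san.cnf" -extensions v3_ca \
    -subj "/CN=kube-ca" -days 365 -out "$dir/ca.crt" 2>/dev/null
  # Serving key and CSR, then sign the CSR with the SAN extension from san.cnf.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -config "$dir/san.cnf" \
    -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extensions v3_req -extfile "$dir/san.cnf" \
    -out "$dir/server.crt" 2>/dev/null
  chmod 600 "$dir/ca.key" "$dir/server.key"
}

# cert_has_san_ip CERT IP: 0 if IP is listed in the certificate's SAN.
cert_has_san_ip() {
  openssl x509 -in "$1" -noout -text | grep -qE "IP Address:$2(,|\$)"
}

# cert_chains_to CA CERT: 0 if CERT verifies against CA.
cert_chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: build the pair and confirm both addresses clients use are covered.
make_apiserver_cert "$OUT_DIR" "$SERVICE_VIP" "$MASTER_IP" "$MASTER_NAME"
for ip in "$SERVICE_VIP" "$MASTER_IP"; do
  if cert_has_san_ip "$OUT_DIR/server.crt" "$ip"; then
    echo "ok: server.crt is valid for $ip"
  else
    echo "server.crt is NOT valid for $ip" >&2; exit 1
  fi
done
if cert_chains_to "$OUT_DIR/ca.crt" "$OUT_DIR/server.crt"; then
  echo "ok: server.crt chains to ca.crt (files in $OUT_DIR)"
fi
```

After installing a certificate like this on the apiserver, the kubeconfig keeps --certificate-authority=ca.crt and drops --insecure-skip-tls-verify; the same SAN check (openssl x509 -noout -text) is the quickest way to confirm, before restarting anything, that the address in --server is actually covered.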

kubelet not able to start on nodes

Within the Icehouse Openstack environment (CITIES) the kubelet process will not start when it tries to connect to the localhost using the host name (ex. k8s-node-01).

The resolv.conf file has the proper setup for using kube-dns, and the hosts file has been updated to provide pairs.
The domain is not included in any of the entries, but even after appending the name.domain to the end of the line, it still will not restart.

Investigating further, but if anyone has ideas, feel free to share.

No license

Hi,

I would really like to be able to use this ansible code, but there is no visible license anywhere in the code.
Would it be possible to add a LICENSE file at the top level of the repository to indicate whether this code is open source or not.

Currently we have to assume this code is closed source, despite it being published on github.

Thanks

Calico integration

Calico in Mantl: https://microservices-infrastructure.readthedocs.org/en/latest/components/calico.html
Kubernetes plugin: https://github.com/projectcalico/calico-docker/tree/master/docs/kubernetes

We need to contemplate if it's possible to switch from flannel to Calico which is already implemented in Mantl. We should start from networking since it's the most crucial building block.

Also, Weave Scope works nicely with Calico so we could consider integrating it as well: http://www.projectcalico.org/calico-and-weave-scope

Ansible issue with Flannel

I believe we resolved this one before. What was the fix again?

TASK: [flannel | configure flannel in etcd] ***********************************
failed: [k8s-master] => {"changed": false, "cmd": ["curl", "-L", "http://k8s-master:4001/v2/keys/cluster.local/network/config", "-XPUT", "--data-urlencode", "value@/tmp/flannel.json"], "delta": "0:00:00.235268", "end": "2015-08-02 18:58:00.020974", "rc": 7, "start": "2015-08-02 18:57:59.785706", "warnings": ["Consider using get_url module rather than running curl"]}
stderr: % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0curl: (7) Failed connect to k8s-master:4001; Connection refused

FATAL: all hosts have already failed -- aborting

Kube ansible plugin

Hello,

I'm working on a project to build kubernetes on Debian platforms (with Project Calico network overlay option) there: https://github.com/ansibl8s/setup-kubernetes.

I based my work on your own which is amazing :).
So I'm using the plugin kube.py you coded. I wanted to know if you think it could be included into Ansible modules?
Indeed we prefer to create a role for each "addon"|"app". What would be the best way to pull your plugin as a dependency according to you?

Thanks for your help,
Smana

ansible error if namespace already exists

If running ansible for a second time and the kube-system namespace has already been created, the error below is seen. We should expect a check for the namespace before creating it.

TASK: [addons | Create kube-system namespace] *********************************
failed: [k8s-master-01] => {"failed": true}
msg: error running kubectl (/bin/kubectl --api-version=v1 create --filename=/etc/kubernetes/manifests/kube-system.yaml) command (rc=1): Error from server: error when creating "/etc/kubernetes/manifests/kube-system.yaml": namespaces "kube-system" already exists
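The check the report asks for is a get-before-create with one extra step: if the create still fails, look again, because another run may have created the namespace in between. The shell function below is an added example, not the addons role's code (the role drives kubectl through its kube.py plugin): it makes the kube-system creation idempotent so a second playbook run is a no-op rather than a failure. kubectl on PATH and the manifest path from the error message are assumptions.

```shell
#!/bin/sh
# Added example, not from the kubernetes-ansible addons role: create the
# kube-system namespace only if it does not already exist, so a second run
# is a no-op instead of a failure.
set -eu

# Assumed command and manifest path (the path is the one in the error above).
KUBECTL="${KUBECTL:-kubectl}"
MANIFEST="${MANIFEST:-/etc/kubernetes/manifests/kube-system.yaml}"

# ensure_namespace NAME MANIFEST: prints "exists" or "created"; non-zero on error.
ensure_namespace() {
  ns="$1"; manifest="$2"
  if "$KUBECTL" get namespace "$ns" >/dev/null 2>&1; then
    echo "exists"
    return 0
  fi
  if "$KUBECTL" create -f "$manifest" >/dev/null 2>&1; then
    echo "created"
    return 0
  fi
  # The create failed: if the namespace is there now we lost a race with
  # another creator, which is fine; anything else is a real error.
  if "$KUBECTL" get namespace "$ns" >/dev/null 2>&1; then
    echo "exists"
    return 0
  fi
  echo "ensure_namespace: could not create $ns from $manifest" >&2
  return 1
}

# Usage: only runs when a cluster is reachable; calling it twice shows the
# second call reports "exists" instead of failing.
if "$KUBECTL" cluster-info >/dev/null 2>&1; then
  ensure_namespace kube-system "$MANIFEST"
  ensure_namespace kube-system "$MANIFEST"
fi
```

In the Ansible role the same shape is a `kubectl get namespace` task with `failed_when: false` and `changed_when: false`, followed by the create task guarded with `when: result.rc != 0`.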
