Set up security group for Openstack instances
Ekaterina Chernova committed Sep 5, 2018
1 parent 2d2be5b commit 35674ce
Showing 1 changed file with 56 additions and 15 deletions.
71 changes: 56 additions & 15 deletions kqueen/engines/openstack_kubespray.py
Expand Up @@ -20,6 +20,9 @@
logger = logging.getLogger("kqueen_api")
config = current_config()

MASTER_SECURITY_GR = "kqueen_master"
COMMON_SECURITY_GR = "kqueen_common"


class OpenstackKubesprayEngine(BaseEngine):
"""OpenStack Kubespray engine.
Expand Down Expand Up @@ -425,11 +428,11 @@ def __init__(self, *, cluster_id, ssh_username,

def deploy(self, resources):
inventory = self._generate_inventory(resources)
self._save_inventory(inventory, "hosts.json")
inventory_file = self._save_inventory(inventory, "hosts.json")
self._create_group_vars()
self._wait_for_ping()
self._wait_for_ping(inventory_file)
self._add_fip_to_lo(resources)
self._run_ansible()
self._run_ansible(inventory=inventory_file)
return self._get_kubeconfig(resources["masters"][0]["fip"])

def _add_fip_to_lo(self, resources):
Expand Down Expand Up @@ -457,8 +460,8 @@ def _add_fip_to_lo(self, resources):

def scale(self, resources):
inventory = self._generate_inventory(resources)
self._save_inventory(inventory, "hosts.json")
self._wait_for_ping()
inventory_file = self._save_inventory(inventory, "hosts.json")
self._wait_for_ping(inventory_file)
self._run_ansible(playbook="scale.yml")

def shrink(self, resources, *, new_slave_count):
Expand All @@ -474,8 +477,10 @@ def delete(self):
shutil.rmtree(self._get_cluster_path())

def _save_inventory(self, inventory, filename):
with open(self._get_cluster_path(filename), "w") as fp:
file_path = self._get_cluster_path(filename)
with open(file_path, "w") as fp:
json.dump(inventory, fp, indent=4)
return file_path

def _create_group_vars(self):
src = os.path.join(self.kubespray_path, "inventory/sample/group_vars")
Expand Down Expand Up @@ -566,16 +571,16 @@ def _generate_inventory(self, resources, keep_slaves=None):
def _get_cluster_path(self, *args):
return os.path.join(self.clusters_path, self.cluster_id, *args)

def _wait_for_ping(self, retries=30, sleep=10):
def _wait_for_ping(self, inventory_file, retries=20, sleep=10):
args = [config.KS_ANSIBLE_CMD, "-m",
"ping", "all", "-i", "hosts.json"]
"ping", "all", "-i", inventory_file]
while retries:
retries -= 1
time.sleep(sleep)
cp = subprocess.run(args, cwd=self._get_cluster_path())
if cp.returncode == 0:
return
raise RuntimeError("At least one node is unreachable")
try:
subprocess.check_call(args)
except subprocess.CalledProcessError as e:
raise RuntimeError("At least one node is unreachable: {}".format(e))

def _construct_env(self):
env = os.environ.copy()
Expand Down Expand Up @@ -708,14 +713,16 @@ def provision(self):
router = self.c.create_router(name=self.stack_name,
ext_gateway_net_id=self.meta['ext_net'].id)
self.c.add_router_interface(router, subnet["id"])
master_sg, common_sg = self._set_up_security_groups()
resources["router_id"] = router["id"]
resources["network_id"] = network["id"]
resources["subnet_id"] = subnet["id"]
for master in self._boot_servers(name=self.stack_name,
servers_range=range(self.meta["master_count"]),
image=self.meta['image'],
flavor=self.meta['master_flavor'],
network=network):
network=network,
sg=["default", master_sg.name, common_sg.name]):
fip = self.c.create_floating_ip("public", server=master)
resources["masters"].append({
"id": master.id,
Expand All @@ -729,7 +736,8 @@ def provision(self):
image=self.meta['image'],
flavor=self.meta['slave_flavor'],
network=network,
add_random_suffix=True):
add_random_suffix=True,
sg=["default", common_sg.name]):
resources["slaves"].append({
"id": slave.id,
"ip": list(slave.addresses.values())[0][0]["addr"],
Expand Down Expand Up @@ -812,7 +820,39 @@ def _get_userdata(self):
}
return "#cloud-config\n" + yaml.dump(userdata)

def _boot_servers(self, *, name, servers_range, image, flavor, network,
def _set_up_security_groups(self):
master_sg = self.c.get_security_group(MASTER_SECURITY_GR)
if not master_sg:
master_sg = self.c.create_security_group(name=MASTER_SECURITY_GR,
description="Kqueen master")
# etcd server client API
self.c.create_security_group_rule(master_sg.id, protocol="tcp",
port_range_min="2379",
port_range_max="2380")
# k8s API
self.c.create_security_group_rule(master_sg.id, protocol="tcp",
port_range_min="6443",
port_range_max="6443")
# Calico
self.c.create_security_group_rule(master_sg.id, protocol="tcp",
port_range_min="179",
port_range_max="179")

common_sg = self.c.get_security_group(COMMON_SECURITY_GR)
if not common_sg:
common_sg = self.c.create_security_group(name=COMMON_SECURITY_GR,
description="Kqueen common")
# Kubelet API
self.c.create_security_group_rule(common_sg.id, protocol="tcp",
port_range_min="10250",
port_range_max="10255")
# NodePort Services
self.c.create_security_group_rule(common_sg.id, protocol="tcp",
port_range_min="30000",
port_range_max="32767")
return master_sg, common_sg

def _boot_servers(self, *, name, servers_range, image, flavor, network, sg,
add_random_suffix=False):
server_ids = []
for i in servers_range:
Expand All @@ -827,6 +867,7 @@ def _boot_servers(self, *, name, servers_range, image, flavor, network,
network=network,
availability_zone=self.os_kwargs.get("availability_zone", "nova"),
key_name=self.cluster.metadata["ssh_key_name"],
security_groups=sg
)
server_ids.append(server.id)
retries = 50
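Review bot: The rules added in `_set_up_security_groups` pass neither `remote_ip_prefix` nor `remote_group_id`, so if `self.c` is a shade/openstacksdk cloud object they admit ingress from any source, which exposes the etcd client API (2379-2380), the Kubelet API (10250-10255) and Calico BGP (179) on every floating IP rather than only to other cluster nodes. Only the Kubernetes API on 6443 and the NodePort range need outside reachability (`deploy` fetches the kubeconfig over a master's floating IP), so the node-internal ports should be limited to members of the common group with `remote_group_id=common_sg.id`, which requires creating `common_sg` before `master_sg` as sketched below. Because both groups are looked up by the fixed names `kqueen_master`/`kqueen_common`, that still admits nodes of every kqueen cluster in the same project; a per-cluster group name would be tighter. Separately, the new `_wait_for_ping` body never returns after a successful `subprocess.check_call(args)` and raises on the first failed one, so the `retries` loop neither retries nor exits early; add `return` after the call, make the `except` branch `continue`, and raise the `RuntimeError` after the loop.
```python
    def _set_up_security_groups(self):
        common_sg = self.c.get_security_group(COMMON_SECURITY_GR)
        if not common_sg:
            common_sg = self.c.create_security_group(name=COMMON_SECURITY_GR,
                                                     description="Kqueen common")
            # Kubelet API: reachable from cluster nodes only, not from any source
            self.c.create_security_group_rule(common_sg.id, protocol="tcp",
                                              port_range_min="10250",
                                              port_range_max="10255",
                                              remote_group_id=common_sg.id)
            # … unchanged: NodePort Services rule (30000-32767) …

        master_sg = self.c.get_security_group(MASTER_SECURITY_GR)
        if not master_sg:
            master_sg = self.c.create_security_group(name=MASTER_SECURITY_GR,
                                                     description="Kqueen master")
            # etcd server client API: cluster nodes only
            self.c.create_security_group_rule(master_sg.id, protocol="tcp",
                                              port_range_min="2379",
                                              port_range_max="2380",
                                              remote_group_id=common_sg.id)
            # … unchanged: k8s API rule (6443) …
            # Calico BGP: cluster nodes only
            self.c.create_security_group_rule(master_sg.id, protocol="tcp",
                                              port_range_min="179",
                                              port_range_max="179",
                                              remote_group_id=common_sg.id)
        return master_sg, common_sg
```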
