Implement kube-master HA for multiple masters #761
New file: a systemd-networkd `.network` template for the cluster-internal interface.

```
@@ -0,0 +1,17 @@
[Match]
Name={{ kube_internal_interface }}

[Network]
Address={{ kube_internal_ip }}{{ kube_internal_cidr }}

{% if kube_internal_routes %}
{% for route in kube_internal_routes %}
{% set route_dest=route.split(',')[0] %}
{% set route_mask=route.split(',')[1] %}
{% set route_next_hop=route.split(',')[2] %}
[Route]
Destination={{ route_dest }}{{ route_mask }}
Gateway={{ route_next_hop }}

{% endfor %}
{% endif %}
```
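The template expects each entry of `kube_internal_routes` as a comma-separated `destination,mask,next_hop` triple. A minimal Python sketch of the same split logic (the sample route values are made up for illustration):

```python
def parse_route(route: str) -> dict:
    """Split a 'destination,mask,next_hop' triple the way the
    Jinja2 template does with route.split(',')[0..2]."""
    dest, mask, next_hop = route.split(",")
    return {"Destination": dest + mask, "Gateway": next_hop}

# Hypothetical example value for kube_internal_routes:
routes = ["10.250.0.0,/16,192.168.10.1"]
sections = [parse_route(r) for r in routes]
print(sections[0])  # {'Destination': '10.250.0.0/16', 'Gateway': '192.168.10.1'}
```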
Role defaults: master API ports, apiserver bind settings, admission controllers, and the hyperkube image version.

```
@@ -1,7 +1,15 @@
kube_master_insecure_port: 8080

kube_master_api_port: 443

kube_apiserver_interface: "{{ ansible_default_ipv4.interface }}"

localBuildOutput: ../../_output/local/go/bin

admission_controllers: NamespaceLifecycle,NamespaceExists,LimitRanger,ServiceAccount,ResourceQuota

kube_apiserver_bind_address: "0.0.0.0"

# hyperkube is an all-in-one kubernetes binary that is automatically pushed on every release
# https://github.com/kubernetes/kubernetes/tree/master/cluster/images/hyperkube
hyperkube_version: "v1.1.8"
```
Handlers: the restart handlers are now guarded so they only fire on single-master clusters.

```
@@ -14,12 +14,15 @@
- name: restart apiserver
  service: name=kube-apiserver state=restarted
  when: groups['masters']|length == 1

- name: restart controller-manager
  service: name=kube-controller-manager state=restarted
  when: groups['masters']|length == 1

- name: restart scheduler
  service: name=kube-scheduler state=restarted
  when: groups['masters']|length == 1

- name: restart iptables
  service: name=iptables state=restarted
```

Review thread on `when: groups['masters']|length == 1`:

Reviewer: I would prefer this syntax if it works b/c it's used elsewhere in the project: `groups['masters'][0]`

Author: I don't follow. `groups['masters'][0]` is used elsewhere to delegate a task to just one master (generating tokens and certs is one example). In this case, we only want to restart the apiserver service when there is only one master.

Reviewer: Got it, thanks.
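The guard in these handlers can be read as a tiny predicate: restart via systemd only when the `masters` group has exactly one host; with more masters, the components run as pods and restarts are left to podmaster. A sketch (the group contents are illustrative):

```python
def should_restart_via_systemd(groups: dict) -> bool:
    # Mirrors `when: groups['masters']|length == 1` in the handlers.
    return len(groups["masters"]) == 1

print(should_restart_via_systemd({"masters": ["m1"]}))              # True
print(should_restart_via_systemd({"masters": ["m1", "m2", "m3"]}))  # False
```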
New file: the HA master task list (presumably the `ha_master.yml` included from main.yml below). It installs and configures the kubelet, then runs the master components as static pods: the apiserver and podmaster manifests go into the kubelet's live manifest directory, while the controller-manager and scheduler manifests go into a standby directory for podmaster to promote.

```
@@ -0,0 +1,76 @@
- name: Generic | Install kubernetes node
  action: "{{ ansible_pkg_mgr }}"
  args:
    name: kubernetes-node
    state: latest
  notify:
    - restart daemons
  when: not is_coreos

- name: CoreOS | Get Systemd Unit Files for kubelet
  get_url:
    url=https://raw.githubusercontent.com/kubernetes/contrib/master/init/systemd/{{ item }}.service
    dest=/etc/systemd/system/{{ item }}.service
    force=yes
  register: "{{ item }}_service"
  notify:
    - reload systemd
  with_items:
    - kubelet
  environment:
    http_proxy: "{{ http_proxy|default('') }}"
    https_proxy: "{{ https_proxy|default('') }}"
    no_proxy: "{{ no_proxy|default('') }}"
  when: is_coreos

- name: CoreOS | Create dropin directories for kubelet
  file: path=/etc/systemd/system/{{ item }}.service.d state=directory mode=0755
  with_items:
    - kubelet
  when: is_coreos

- name: CoreOS | Write kubelet drop-in file
  template: src={{ item }}-dropin.j2 dest="/etc/systemd/system/{{ item }}.service.d/10-conf-file.conf"
  register: "{{ item }}_dropin"
  with_items:
    - kubelet
  notify:
    - reload systemd
  when: is_coreos

- name: Set selinux permissive because tokens and selinux do not work together
  selinux: state=permissive policy={{ ansible_selinux.type }}
  when: ansible_selinux is defined and ansible_selinux.status == "enabled"

- name: Create the kubelet working directory
  file: path=/var/lib/kubelet state=directory

- name: write the kubecfg (auth) file for kubelet
  template: src=kubelet.kubeconfig.j2 dest={{ kube_config_dir }}/kubelet.kubeconfig

- name: Write the pod manifest for the controller-manager
  template: src=kube-controller-manager-hyperkube.yml.j2 dest={{ kube_standby_manifest_dir }}/kube-controller-manager-hyperkube.yml

- name: Write the pod manifest for the api server
  template: src=kube-api-hyperkube.yml.j2 dest={{ kube_manifest_dir }}/kube-api-hyperkube.yml

- name: Write the pod manifest for the scheduler
  template: src=kube-scheduler-hyperkube.yml.j2 dest={{ kube_standby_manifest_dir }}/kube-scheduler-hyperkube.yml

- name: Write the pod manifest for podmaster
  template: src=podmaster.yml.j2 dest={{ kube_manifest_dir }}/podmaster.yml

- name: Make sure kube master log files exist
  file: path=/var/log/{{ item }} state=touch mode=0755
  with_items:
    - kube-apiserver.log
    - kube-controller-manager.log
    - kube-scheduler.log

- name: write the config files for kubelet
  template: src=kubelet.j2 dest={{ kube_config_dir }}/kubelet
  notify:
    - restart kubelet

- name: Enable kubelet
  service: name=kubelet enabled=yes state=started
```

Review thread on the log-file task:

Reviewer: It appears the services running in containers are not logging to these log files on the host. This is not a PR stopper, but it needs to get addressed. Can you look into this, ping the kube slack channel and see what the deal is?

Author: Certainly. It might have to do with hyperkube. Logs were working fine before I switched over; I'll triage.
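The manifest layout above is what lets podmaster hand the controller-manager and scheduler between masters: the elected leader copies the standby manifests into the kubelet's live manifest directory, and losers remove them. A rough Python sketch of that promotion step, with hypothetical directory paths (the real podmaster also acquires an etcd lease, which is omitted here):

```python
import shutil
from pathlib import Path

def promote(standby_dir: str, manifest_dir: str, is_leader: bool) -> None:
    """Copy standby manifests into the kubelet's live manifest dir
    when this host is the leader; remove them when it is not."""
    for src in Path(standby_dir).glob("*.yml"):
        live = Path(manifest_dir) / src.name
        if is_leader:
            shutil.copy(src, live)   # kubelet sees the manifest and starts the pod
        elif live.exists():
            live.unlink()            # kubelet sees the removal and stops the pod
```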
Changes to the master role's main.yml: the per-service setup tasks move out to `single_master.yml`, and main.yml now dispatches on the size of the `masters` group.

```
@@ -1,5 +1,7 @@
---
- include: coreos.yml

- name: CoreOS | Force source_type to github
  set_fact:
    source_type: "github-release"
  when: is_coreos

- include: packageManagerInstall.yml

@@ -12,29 +14,21 @@
  tags:
    - binary-update

- name: write the config file for the api server
  template: src=apiserver.j2 dest={{ kube_config_dir }}/apiserver
  notify:
    - restart apiserver

- name: Make sure manifests directory exists
  file: path={{ kube_manifest_dir }} state=directory mode=0755

- name: Ensure that a token auth file exists (addons may populate it)
  file: path={{ kube_token_dir }}/known_tokens.csv state=touch
  changed_when: false

- name: add cap_net_bind_service to kube-apiserver
  capabilities: path=/usr/bin/kube-apiserver capability=cap_net_bind_service=ep state=present
  when: not is_atomic and not is_coreos

- name: Enable apiserver
  service: name=kube-apiserver enabled=yes state=started

- name: Get the master token values
  slurp:
    src: "{{ kube_token_dir }}/{{ item }}-{{ inventory_hostname }}.token"
  with_items:
    - "system:controller_manager"
    - "system:scheduler"
    - "system:kubectl"
    - "system:kubelet"
  register: tokens
  delegate_to: "{{ groups['masters'][0] }}"

@@ -43,53 +37,26 @@
    controller_manager_token: "{{ tokens.results[0].content|b64decode }}"
    scheduler_token: "{{ tokens.results[1].content|b64decode }}"
    kubectl_token: "{{ tokens.results[2].content|b64decode }}"
    kubelet_token: "{{ tokens.results[3].content|b64decode }}"

- name: write the config file for the controller-manager
  template: src=controller-manager.j2 dest={{ kube_config_dir }}/controller-manager
  notify:
    - restart controller-manager

- name: write the kubecfg (auth) file for controller-manager
  template: src=controller-manager.kubeconfig.j2 dest={{ kube_config_dir }}/controller-manager.kubeconfig
  notify:
    - restart controller-manager

- name: Enable controller-manager
  service: name=kube-controller-manager enabled=yes state=started

- name: write the config file for the scheduler
  template: src=scheduler.j2 dest={{ kube_config_dir }}/scheduler
  notify:
    - restart scheduler

- name: write the kubecfg (auth) file for scheduler
  template: src=scheduler.kubeconfig.j2 dest={{ kube_config_dir }}/scheduler.kubeconfig
  notify:
    - restart scheduler

- name: Enable scheduler
  service: name=kube-scheduler enabled=yes state=started

- name: write the kubecfg (auth) file for kubectl
  template: src=kubectl.kubeconfig.j2 dest={{ kube_config_dir }}/kubectl.kubeconfig

# Enable kubelet on master only when OpenContrail is in use; see
# https://github.com/kubernetes/contrib/pull/183
- name: write the config files for kubelet
  template: src=kubelet.j2 dest={{ kube_config_dir }}/kubelet
  notify:
    - restart kubelet
  when: networking == 'opencontrail'

- name: Enable kubelet
  service: name=kubelet enabled=yes state=started
  when: networking == 'opencontrail'

- name: write the delay-master-services target
  copy: src=delay-master-services.target dest=/etc/systemd/system/ mode=0644

- include: ha_master.yml
  when: groups['masters']|length > 1

- name: Enable delay-master-services
  service: name=delay-master-services.target enabled=yes

- include: single_master.yml
  when: groups['masters']|length == 1

- include: firewalld.yml
  when: has_firewalld
```

Review threads on this file:

Reviewer (on the "Force source_type to github" task): Not sure why this is needed for HA. If it's a fix/patch outside of HA, issue a separate PR. We need this PR to be clean, meaning code only what is needed to address HA. Nm, I see single_master.yml below.

Reviewer (on the removed service tasks): Will master non-HA work with the lines you removed in this file? If not, then this PR will get blocked. Keep in mind support for CentOS 7 as well; this will need to be tested in Vagrant. Nm, I see single_master.yml below.

Reviewer (on "Make sure manifests directory exists"): Should not be needed if the master role dep's the kube role (meta/main.yml).

Reviewer (on the token slurp): If this is being removed b/c we are running kube-api in a pod, we may need to add this logic to the template being used for the kube-api pod: http://osdir.com/ml/scm-fedora-commits/2015-06/msg33074.html Nm, I see single_master.yml below.

Reviewer (on `include: ha_master.yml`): If masters is < 1, how will the master services start with everything that was removed? Nm, I see single_master.yml below.
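The dispatch at the end of main.yml reduces to one comparison on the inventory group's size. A sketch of the two conditional includes:

```python
def master_playbook(masters: list) -> str:
    # Mirrors `include: ha_master.yml / when: groups['masters']|length > 1`
    # and    `include: single_master.yml / when: groups['masters']|length == 1`.
    return "ha_master.yml" if len(masters) > 1 else "single_master.yml"

print(master_playbook(["m1"]))              # single_master.yml
print(master_playbook(["m1", "m2", "m3"]))  # ha_master.yml
```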
New file: `single_master.yml`, preserving the original systemd-service-based master setup for single-master clusters.

```
@@ -0,0 +1,51 @@
- include: coreos.yml
  when: is_coreos

- name: write the config file for the api server
  template: src=apiserver.j2 dest={{ kube_config_dir }}/apiserver
  notify:
    - restart apiserver

- name: add cap_net_bind_service to kube-apiserver
  capabilities: path=/usr/bin/kube-apiserver capability=cap_net_bind_service=ep state=present
  when: not is_atomic and not is_coreos

- name: Enable apiserver
  service: name=kube-apiserver enabled=yes state=started

- name: write the config file for the controller-manager
  template: src=controller-manager.j2 dest={{ kube_config_dir }}/controller-manager
  notify:
    - restart controller-manager

- name: Enable controller-manager
  service: name=kube-controller-manager enabled=yes state=started

- name: write the config file for the scheduler
  template: src=scheduler.j2 dest={{ kube_config_dir }}/scheduler
  notify:
    - restart scheduler

- name: Enable scheduler
  service: name=kube-scheduler enabled=yes state=started

- name: write the config files for kubelet
  template: src=kubelet.j2 dest={{ kube_config_dir }}/kubelet
  notify:
    - restart kubelet
  when: networking == 'opencontrail'

- name: Enable kubelet
  service: name=kubelet enabled=yes state=started
  when: networking == 'opencontrail'

# Enable kubelet on master only when OpenContrail is in use; see
# https://github.com/kubernetes/contrib/pull/183
- name: write the delay-master-services target
  copy: src=delay-master-services.target dest=/etc/systemd/system/ mode=0644

- name: Reload systemd configuration prior to master-services
  command: systemctl daemon-reload

- name: Enable delay-master-services
  service: name=delay-master-services.target enabled=yes
```
Review thread on certificate distribution across masters:

Reviewer: Can you walk me through the logic here? I can understand tar'ing the certs from the 1st master, then having add'l masters pull. Or, have the tar pushed to the ansible controller from master 0, so add'l masters get the tar pushed to them from the ansible controller.

Author: Option 2 of what you wrote. Currently, the certificates (server.crt/key and kubecfg.crt/key) are generated on the first master. This needs to be shared across all the masters, so I tar it, fetch it to the ansible host, then unpack it on each master.

Reviewer: Sounds good. Thx for confirming.
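The flow the author describes (tar the certs on the first master, fetch the archive to the Ansible controller, unpack it on every master) can be sketched with Python's `tarfile`; the directory layout and filenames here are illustrative only:

```python
import tarfile
from pathlib import Path

def pack_certs(cert_dir: str, archive: str) -> None:
    """On the first master: bundle the generated certs into one archive."""
    with tarfile.open(archive, "w:gz") as tar:
        for f in sorted(Path(cert_dir).glob("*")):
            tar.add(f, arcname=f.name)

def unpack_certs(archive: str, cert_dir: str) -> None:
    """On each additional master: restore the same certs from the archive."""
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(cert_dir)
```

In the PR itself these steps are Ansible tasks (archive on master 0, `fetch` to the controller, `unarchive` on the other masters); the sketch only shows why every master ends up with byte-identical `server.crt`/`server.key` material.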