Merge pull request #21737 from FujitsuEnablingSoftwareTechnologyGmbH/…

…openstack-provider Automatic merge from submit-queue Openstack provider Our pull request delivers solution to create Kubernetes cluster on the top of OpenStack. Heat OpenStack Orchestration engine describes the infrastructure for Kubernetes cluster. CentoOS images are used for Kubernetes host machines. We tested our solution with DevStack and Citycloud provider. We believe that our solution will fill the gap that which is on the market.  --- This change is [<img src="http://reviewable.k8s.io/review_button.svg" height="35" align="absmiddle" alt="Reviewable"/>](http://reviewable.k8s.io/reviews/kubernetes/kubernetes/21737)
kubernetes · May 11, 2016 · 17c3f19 · 17c3f19
2 parents 22dfaef + 892c2ab
commit 17c3f19
Show file tree

Hide file tree

Showing 28 changed files with 1,632 additions and 17 deletions.
diff --git a/cluster/get-kube.sh b/cluster/get-kube.sh
@@ -38,6 +38,8 @@
 #   * export KUBERNETES_PROVIDER=photon-controller; wget -q -O - https://get.k8s.io | bash
 #  Rackspace
 #   * export KUBERNETES_PROVIDER=rackspace; wget -q -O - https://get.k8s.io | bash
+#  OpenStack-Heat
+#   * export KUBERNETES_PROVIDER=openstack-heat; wget -q -O - https://get.k8s.io | bash
 #
 #  Set KUBERNETES_SKIP_DOWNLOAD to non-empty to skip downloading a release.
 #  Set KUBERNETES_SKIP_CONFIRM to skip the installation confirmation prompt.

diff --git a/cluster/kube-up.sh b/cluster/kube-up.sh
@@ -64,6 +64,15 @@ elif [[ "${validate_result}" == "2" ]]; then
 	echo "...ignoring non-fatal errors in validate-cluster" >&2
 fi
 
+if [[ "${ENABLE_PROXY:-}" == "true" ]]; then
+  . /tmp/kube-proxy-env
+  echo ""
+  echo "*** Please run the following to add the kube-apiserver endpoint to your proxy white-list ***"
+  cat /tmp/kube-proxy-env
+  echo "***                                                                                      ***"
+  echo ""
+fi
+
 echo -e "Done, listing cluster services:\n" >&2
 "${KUBE_ROOT}/cluster/kubectl.sh" cluster-info
 echo

diff --git a/cluster/openstack-heat/config-default.sh b/cluster/openstack-heat/config-default.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+# Copyright 2015 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Contains configuration values for the Openstack cluster
+
+# Stack name
+STACK_NAME=${STACK_NAME:-KubernetesStack}
+
+# Keypair for kubernetes stack
+KUBERNETES_KEYPAIR_NAME=${KUBERNETES_KEYPAIR_NAME:-kubernetes_keypair}
+
+# Kubernetes release tar file
+KUBERNETES_RELEASE_TAR=${KUBERNETES_RELEASE_TAR:-kubernetes-server-linux-amd64.tar.gz}
+
+NUMBER_OF_MINIONS=${NUMBER_OF_MINIONS-3}
+
+MAX_NUMBER_OF_MINIONS=${MAX_NUMBER_OF_MINIONS:-3}
+
+MASTER_FLAVOR=${MASTER_FLAVOR:-m1.medium}
+
+MINION_FLAVOR=${MINION_FLAVOR:-m1.medium}
+
+EXTERNAL_NETWORK=${EXTERNAL_NETWORK:-public}
+
+SWIFT_SERVER_URL=${SWIFT_SERVER_URL:-}
+
+# Flag indicates if new image must be created. If 'false' then image with IMAGE_ID will be used.
+# If 'true' then new image will be created from file config-image.sh
+CREATE_IMAGE=${CREATE_IMAGE:-true} # use "true" for devstack
+
+# Flag indicates if image should be downloaded
+DOWNLOAD_IMAGE=${DOWNLOAD_IMAGE:-true}
+
+# Image id which will be used for kubernetes stack
+IMAGE_ID=${IMAGE_ID:-f0f394b1-5546-4b68-b2bc-8abe8a7e6b8b}
+
+# DNS server address
+DNS_SERVER=${DNS_SERVER:-8.8.8.8}
+
+# Public RSA key path
+CLIENT_PUBLIC_KEY_PATH=${CLIENT_PUBLIC_KEY_PATH:-~/.ssh/id_rsa.pub}
+
+# Max time period for stack provisioning. Time in minutes.
+STACK_CREATE_TIMEOUT=${STACK_CREATE_TIMEOUT:-60}
+
+# Enable Proxy, if true kube-up will apply your current proxy settings(defined by *_PROXY environment variables) to the deployment.
+ENABLE_PROXY=${ENABLE_PROXY:-false}
+
+# Per-protocol proxy settings.
+FTP_PROXY=${FTP_PROXY:-}
+HTTP_PROXY=${HTTP_PROXY:-}
+HTTPS_PROXY=${HTTPS_PROXY:-}
+SOCKS_PROXY=${SOCKS_PROXY:-}
+
+# IPs and Domains that bypass the proxy.
+NO_PROXY=${NO_PROXY:-}
diff --git a/cluster/openstack-heat/config-image.sh b/cluster/openstack-heat/config-image.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# Copyright 2015 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Contains configuration values for new image. It is skip when CREATE_IMAGE=false
+
+# Image name which will be displayed in OpenStack
+OPENSTACK_IMAGE_NAME=${OPENSTACK_IMAGE_NAME:-CentOS7}
+
+# Downloaded image name for Openstack project
+IMAGE_FILE=${IMAGE_FILE:-CentOS-7-x86_64-GenericCloud-1510.qcow2}
+
+# Absolute path where image file is stored.
+IMAGE_PATH=${IMAGE_PATH:-~/Downloads/openstack}
+
+# The URL basepath for downloading the image
+IMAGE_URL_PATH=${IMAGE_URL_PATH:-http://cloud.centos.org/centos/7/images}
+
+# The disk format of the image. Acceptable formats are ami, ari, aki, vhd, vmdk, raw, qcow2, vdi, and iso.
+IMAGE_FORMAT=${IMAGE_FORMAT:-qcow2}
+
+# The container format of the image. Acceptable formats are ami, ari, aki, bare, docker, and ovf.
+CONTAINER_FORMAT=${CONTAINER_FORMAT:-bare}
diff --git a/cluster/openstack-heat/config-test.sh b/cluster/openstack-heat/config-test.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# Copyright 2015 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Contains configuration values for interacting with the Ubuntu cluster in test mode
+KUBE_ROOT=$(dirname "${BASH_SOURCE}")/../..
+source "${KUBE_ROOT}/cluster/openstack-heat/config-default.sh"
diff --git a/cluster/openstack-heat/kubernetes-heat/fragments/configure-proxy.sh b/cluster/openstack-heat/kubernetes-heat/fragments/configure-proxy.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+# Copyright 2015 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# The contents of these variables swapped in by heat via environments presented to kube-up.sh
+
+export ETC_ENVIRONMENT='FTP_PROXY=$FTP_PROXY
+HTTP_PROXY=$HTTP_PROXY
+HTTPS_PROXY=$HTTPS_PROXY
+SOCKS_PROXY=$SOCKS_PROXY
+NO_PROXY=$NO_PROXY
+ftp_proxy=$FTP_PROXY
+http_proxy=$HTTP_PROXY
+https_proxy=$HTTPS_PROXY
+socks_proxy=$SOCKS_PROXY
+no_proxy=$NO_PROXY
+'
+
+export ETC_PROFILE_D='export FTP_PROXY=$FTP_PROXY
+export HTTP_PROXY=$HTTP_PROXY
+export HTTPS_PROXY=$HTTPS_PROXY
+export SOCKS_PROXY=$SOCKS_PROXY
+export NO_PROXY=$NO_PROXY
+export ftp_proxy=$FTP_PROXY
+export http_proxy=$HTTP_PROXY
+export https_proxy=$HTTPS_PROXY
+export socks_proxy=$SOCKS_PROXY
+export no_proxy=$NO_PROXY
+'
+
+export DOCKER_PROXY='[Service]
+      Environment="HTTP_PROXY=$HTTP_PROXY"
+      Environment="HTTPS_PROXY=$HTTPS_PROXY"
+      Environment="SOCKS_PROXY=$SOCKS_PROXY"
+      Environment="NO_PROXY=$NO_PROXY"
+      Environment="ftp_proxy=$FTP_PROXY"
+      Environment="http_proxy=$HTTP_PROXY"
+      Environment="https_proxy=$HTTPS_PROXY"
+      Environment="socks_proxy=$SOCKS_PROXY"
+      Environment="no_proxy=$NO_PROXY"
+'
+
+# This again is set by heat
+ENABLE_PROXY='$ENABLE_PROXY'
+
+# Heat itself doesn't have conditionals, so this is how we set up our proxy without breaking non-proxy setups.
+if [[ "${ENABLE_PROXY}" == "true" ]]; then
+  mkdir -p /etc/systemd/system/docker.service.d/
+
+  echo "${ETC_ENVIRONMENT}" >> /etc/environment
+  echo "${ETC_PROFILE_D}" > /etc/profile.d/proxy_config.sh
+  echo "${DOCKER_PROXY}" > etc/systemd/system/docker.service.d/http-proxy.conf
+  echo "proxy=$HTTP_PROXY" >> /etc/yum.conf
+fi
diff --git a/cluster/openstack-heat/kubernetes-heat/fragments/configure-salt.yaml b/cluster/openstack-heat/kubernetes-heat/fragments/configure-salt.yaml
@@ -0,0 +1,56 @@
+#cloud-config
+merge_how: dict(recurse_array)+list(append)
+bootcmd:
+  - mkdir -p /etc/salt/minion.d
+  - mkdir -p /srv/salt-overlay/pillar
+write_files:
+  - path: /etc/salt/minion.d/log-level-debug.conf
+    content: |
+      log_level: warning
+      log_level_logfile: warning
+  - path: /etc/salt/minion.d/grains.conf
+    content: |
+      grains:
+        node_ip: $MASTER_IP
+        publicAddressOverride: $MASTER_IP
+        network_mode: openvswitch
+        networkInterfaceName: eth0
+        api_servers: $MASTER_IP
+        cloud: openstack
+        cloud_config: /srv/kubernetes/openstack.conf
+        roles:
+          - $role
+        runtime_config: ""
+        docker_opts: ""
+        master_extra_sans: "DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local,DNS:kubernetes-master"
+        keep_host_etcd: true
+  - path: /srv/kubernetes/openstack.conf
+    content: |
+      [Global]
+      auth-url=$OS_AUTH_URL
+      username=$OS_USERNAME
+      password=$OS_PASSWORD
+      region=$OS_REGION_NAME
+      tenant-id=$OS_TENANT_ID
+  - path: /srv/salt-overlay/pillar/cluster-params.sls
+    content: |
+      service_cluster_ip_range: 10.246.0.0/16
+      cert_ip: 10.246.0.1
+      enable_cluster_monitoring: influxdb
+      enable_cluster_logging: "true"
+      enable_cluster_ui: "true"
+      enable_node_logging: "true"
+      logging_destination: elasticsearch
+      elasticsearch_replicas: "1"
+      enable_cluster_dns: "true"
+      dns_replicas: "1"
+      dns_server: 10.246.0.10
+      dns_domain: cluster.local
+      instance_prefix: kubernetes
+      admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
+      enable_cpu_cfs_quota: "true"
+      network_provider: none
+      opencontrail_tag: R2.20
+      opencontrail_kubernetes_tag: master
+      opencontrail_public_subnet: 10.1.0.0/16
+      e2e_storage_test_environment: "false"
diff --git a/cluster/openstack-heat/kubernetes-heat/fragments/deploy-kube-auth-files-master.yaml b/cluster/openstack-heat/kubernetes-heat/fragments/deploy-kube-auth-files-master.yaml
@@ -0,0 +1,43 @@
+#cloud-config
+merge_how: dict(recurse_array)+list(append)
+bootcmd:
+  - mkdir -p /srv/salt-overlay/salt/kube-apiserver
+  - mkdir -p /srv/salt-overlay/salt/kubelet
+write_files:
+  - path: /srv/salt-overlay/salt/kube-apiserver/basic_auth.csv
+    permissions: "0600"
+    content: |
+      $apiserver_password,$apiserver_user,admin
+  - path: /srv/salt-overlay/salt/kube-apiserver/known_tokens.csv
+    permissions: "0600"
+    content: |
+      $token_kubelet,kubelet,kubelet
+      $token_kube_proxy,kube_proxy,kube_proxy
+      TokenSystemScheduler,system:scheduler,system:scheduler
+      TokenSystemControllerManager,system:controller_manager,system:controller_manager
+      TokenSystemLogging,system:logging,system:logging
+      TokenSystemMonitoring,system:monitoring,system:monitoring
+      TokenSystemDns,system:dns,system:dns
+  - path: /srv/salt-overlay/salt/kubelet/kubernetes_auth
+    permissions: "0600"
+    content: |
+      {"BearerToken": "$token_kubelet", "Insecure": true }
+  - path: /srv/salt-overlay/salt/kubelet/kubeconfig
+    permissions: "0600"
+    content: |
+      apiVersion: v1
+      kind: Config
+      users:
+        - name: kubelet
+          user:
+            token: $token_kubelet
+      clusters:
+        - name: local
+          cluster:
+            insecure-skip-tls-verify: true
+      contexts:
+        - context:
+            cluster: local
+            user: kubelet
+          name: service-account-context
+      current-context: service-account-context
diff --git a/cluster/openstack-heat/kubernetes-heat/fragments/deploy-kube-auth-files-node.yaml b/cluster/openstack-heat/kubernetes-heat/fragments/deploy-kube-auth-files-node.yaml
@@ -0,0 +1,44 @@
+#cloud-config
+merge_how: dict(recurse_array)+list(append)
+bootcmd:
+  - mkdir -p /srv/salt-overlay/salt/kubelet
+  - mkdir -p /srv/salt-overlay/salt/kube-proxy
+write_files:
+  - path: /srv/salt-overlay/salt/kubelet/kubeconfig
+    permissions: "0600"
+    content: |
+      apiVersion: v1
+      kind: Config
+      users:
+        - name: kubelet
+          user:
+            token: $token_kubelet
+      clusters:
+        - name: local
+          cluster:
+            insecure-skip-tls-verify: true
+      contexts:
+        - context:
+            cluster: local
+            user: kubelet
+          name: service-account-context
+      current-context: service-account-context
+  - path: /srv/salt-overlay/salt/kube-proxy/kubeconfig
+    permissions: "0600"
+    content: |
+      apiVersion: v1
+      kind: Config
+      users:
+        - name: kube-proxy
+          user:
+            token: $token_kube_proxy
+      clusters:
+        - name: local
+          cluster:
+            insecure-skip-tls-verify: true
+      contexts:
+        - context:
+            cluster: local
+            user: kube-proxy
+          name: service-account-context
+      current-context: service-account-context
diff --git a/cluster/openstack-heat/kubernetes-heat/fragments/hostname-hack.sh b/cluster/openstack-heat/kubernetes-heat/fragments/hostname-hack.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# Copyright 2015 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# Workaround for this, which has been fixed but not widely distributed: https://bugs.launchpad.net/cloud-init/+bug/1246485
+# See also http://blog.oddbit.com/2014/12/10/cloudinit-and-the-case-of-the-changing-hostname/
+hostname > /etc/hostname