Openstack provider

cluster/get-kube.sh

@@ -38,6 +38,8 @@
 #   * export KUBERNETES_PROVIDER=photon-controller; wget -q -O - https://get.k8s.io | bash
 #  Rackspace
 #   * export KUBERNETES_PROVIDER=rackspace; wget -q -O - https://get.k8s.io | bash
+#  OpenStack-Heat
+#   * export KUBERNETES_PROVIDER=openstack-heat; wget -q -O - https://get.k8s.io | bash
 #
 #  Set KUBERNETES_SKIP_DOWNLOAD to non-empty to skip downloading a release.
 #  Set KUBERNETES_SKIP_CONFIRM to skip the installation confirmation prompt.

cluster/kube-up.sh

@@ -64,6 +64,15 @@ elif [[ "${validate_result}" == "2" ]]; then
 	echo "...ignoring non-fatal errors in validate-cluster" >&2
 fi
 
+if [[ "${ENABLE_PROXY:-}" == "true" ]]; then
+  . /tmp/kube-proxy-env
+  echo ""
+  echo "*** Please run the following to add the kube-apiserver endpoint to your proxy white-list ***"
+  cat /tmp/kube-proxy-env
+  echo "***                                                                                      ***"
+  echo ""
+fi
+
 echo -e "Done, listing cluster services:\n" >&2
 "${KUBE_ROOT}/cluster/kubectl.sh" cluster-info
 echo

cluster/openstack-heat/config-default.sh

@@ -0,0 +1,69 @@
+#!/bin/bash
+
+# Copyright 2015 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Contains configuration values for the Openstack cluster
+
+# Stack name
+STACK_NAME=${STACK_NAME:-KubernetesStack}
+
+# Keypair for kubernetes stack
+KUBERNETES_KEYPAIR_NAME=${KUBERNETES_KEYPAIR_NAME:-kubernetes_keypair}
+
+# Kubernetes release tar file
+KUBERNETES_RELEASE_TAR=${KUBERNETES_RELEASE_TAR:-kubernetes-server-linux-amd64.tar.gz}
+
+NUMBER_OF_MINIONS=${NUMBER_OF_MINIONS-3}
+
+MAX_NUMBER_OF_MINIONS=${MAX_NUMBER_OF_MINIONS:-3}
+
+MASTER_FLAVOR=${MASTER_FLAVOR:-m1.medium}
+
+MINION_FLAVOR=${MINION_FLAVOR:-m1.medium}
+
+EXTERNAL_NETWORK=${EXTERNAL_NETWORK:-public}
+
+SWIFT_SERVER_URL=${SWIFT_SERVER_URL:-}
+
+# Flag indicates if new image must be created. If 'false' then image with IMAGE_ID will be used.
+# If 'true' then new image will be created from file config-image.sh
+CREATE_IMAGE=${CREATE_IMAGE:-true} # use "true" for devstack
+
+# Flag indicates if image should be downloaded
+DOWNLOAD_IMAGE=${DOWNLOAD_IMAGE:-true}
+
+# Image id which will be used for kubernetes stack
+IMAGE_ID=${IMAGE_ID:-f0f394b1-5546-4b68-b2bc-8abe8a7e6b8b}
+
+# DNS server address
+DNS_SERVER=${DNS_SERVER:-8.8.8.8}
+
+# Public RSA key path
+CLIENT_PUBLIC_KEY_PATH=${CLIENT_PUBLIC_KEY_PATH:-~/.ssh/id_rsa.pub}
+
+# Max time period for stack provisioning. Time in minutes.
+STACK_CREATE_TIMEOUT=${STACK_CREATE_TIMEOUT:-60}
+
+# Enable Proxy, if true kube-up will apply your current proxy settings(defined by *_PROXY environment variables) to the deployment.
+ENABLE_PROXY=${ENABLE_PROXY:-false}
+
+# Per-protocol proxy settings.
+FTP_PROXY=${FTP_PROXY:-}
+HTTP_PROXY=${HTTP_PROXY:-}
+HTTPS_PROXY=${HTTPS_PROXY:-}
+SOCKS_PROXY=${SOCKS_PROXY:-}
+
+# IPs and Domains that bypass the proxy.
+NO_PROXY=${NO_PROXY:-}

cluster/openstack-heat/config-image.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# Copyright 2015 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Contains configuration values for new image. It is skip when CREATE_IMAGE=false
+
+# Image name which will be displayed in OpenStack
+OPENSTACK_IMAGE_NAME=${OPENSTACK_IMAGE_NAME:-CentOS7}
+
+# Downloaded image name for Openstack project
+IMAGE_FILE=${IMAGE_FILE:-CentOS-7-x86_64-GenericCloud-1510.qcow2}
+
+# Absolute path where image file is stored.
+IMAGE_PATH=${IMAGE_PATH:-~/Downloads/openstack}
+
+# The URL basepath for downloading the image
+IMAGE_URL_PATH=${IMAGE_URL_PATH:-http://cloud.centos.org/centos/7/images}
+
+# The disk format of the image. Acceptable formats are ami, ari, aki, vhd, vmdk, raw, qcow2, vdi, and iso.
+IMAGE_FORMAT=${IMAGE_FORMAT:-qcow2}
+
+# The container format of the image. Acceptable formats are ami, ari, aki, bare, docker, and ovf.
+CONTAINER_FORMAT=${CONTAINER_FORMAT:-bare}

cluster/openstack-heat/config-test.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# Copyright 2015 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## Contains configuration values for interacting with the Ubuntu cluster in test mode
+KUBE_ROOT=$(dirname "${BASH_SOURCE}")/../..
+source "${KUBE_ROOT}/cluster/openstack-heat/config-default.sh"

cluster/openstack-heat/kubernetes-heat/fragments/configure-proxy.sh

@@ -0,0 +1,70 @@
+#!/bin/bash
+
+# Copyright 2015 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# The contents of these variables swapped in by heat via environments presented to kube-up.sh
+
+export ETC_ENVIRONMENT='FTP_PROXY=$FTP_PROXY
+HTTP_PROXY=$HTTP_PROXY
+HTTPS_PROXY=$HTTPS_PROXY
+SOCKS_PROXY=$SOCKS_PROXY
+NO_PROXY=$NO_PROXY
+ftp_proxy=$FTP_PROXY
+http_proxy=$HTTP_PROXY
+https_proxy=$HTTPS_PROXY
+socks_proxy=$SOCKS_PROXY
+no_proxy=$NO_PROXY
+'
+
+export ETC_PROFILE_D='export FTP_PROXY=$FTP_PROXY
+export HTTP_PROXY=$HTTP_PROXY
+export HTTPS_PROXY=$HTTPS_PROXY
+export SOCKS_PROXY=$SOCKS_PROXY
+export NO_PROXY=$NO_PROXY
+export ftp_proxy=$FTP_PROXY
+export http_proxy=$HTTP_PROXY
+export https_proxy=$HTTPS_PROXY
+export socks_proxy=$SOCKS_PROXY
+export no_proxy=$NO_PROXY
+'
+
+export DOCKER_PROXY='[Service]
+      Environment="HTTP_PROXY=$HTTP_PROXY"
+      Environment="HTTPS_PROXY=$HTTPS_PROXY"
+      Environment="SOCKS_PROXY=$SOCKS_PROXY"
+      Environment="NO_PROXY=$NO_PROXY"
+      Environment="ftp_proxy=$FTP_PROXY"
+      Environment="http_proxy=$HTTP_PROXY"
+      Environment="https_proxy=$HTTPS_PROXY"
+      Environment="socks_proxy=$SOCKS_PROXY"
+      Environment="no_proxy=$NO_PROXY"
+'
+
+# This again is set by heat
+ENABLE_PROXY='$ENABLE_PROXY'
+
+# Heat itself doesn't have conditionals, so this is how we set up our proxy without breaking non-proxy setups.
+if [[ "${ENABLE_PROXY}" == "true" ]]; then
+  mkdir -p /etc/systemd/system/docker.service.d/
+
+  echo "${ETC_ENVIRONMENT}" >> /etc/environment
+  echo "${ETC_PROFILE_D}" > /etc/profile.d/proxy_config.sh
+  echo "${DOCKER_PROXY}" > etc/systemd/system/docker.service.d/http-proxy.conf
+  echo "proxy=$HTTP_PROXY" >> /etc/yum.conf
+fi

cluster/openstack-heat/kubernetes-heat/fragments/configure-salt.yaml

@@ -0,0 +1,56 @@
+#cloud-config
+merge_how: dict(recurse_array)+list(append)
+bootcmd:
+  - mkdir -p /etc/salt/minion.d
+  - mkdir -p /srv/salt-overlay/pillar
+write_files:
+  - path: /etc/salt/minion.d/log-level-debug.conf
+    content: |
+      log_level: warning
+      log_level_logfile: warning
+  - path: /etc/salt/minion.d/grains.conf
+    content: |
+      grains:
+        node_ip: $MASTER_IP
+        publicAddressOverride: $MASTER_IP
+        network_mode: openvswitch
+        networkInterfaceName: eth0
+        api_servers: $MASTER_IP
+        cloud: openstack
+        cloud_config: /srv/kubernetes/openstack.conf
+        roles:
+          - $role
+        runtime_config: ""
+        docker_opts: ""
+        master_extra_sans: "DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local,DNS:kubernetes-master"
+        keep_host_etcd: true
+  - path: /srv/kubernetes/openstack.conf
+    content: |
+      [Global]
+      auth-url=$OS_AUTH_URL
+      username=$OS_USERNAME
+      password=$OS_PASSWORD
+      region=$OS_REGION_NAME
+      tenant-id=$OS_TENANT_ID
+  - path: /srv/salt-overlay/pillar/cluster-params.sls
+    content: |
+      service_cluster_ip_range: 10.246.0.0/16
+      cert_ip: 10.246.0.1
+      enable_cluster_monitoring: influxdb
+      enable_cluster_logging: "true"
+      enable_cluster_ui: "true"
+      enable_node_logging: "true"
+      logging_destination: elasticsearch
+      elasticsearch_replicas: "1"
+      enable_cluster_dns: "true"
+      dns_replicas: "1"
+      dns_server: 10.246.0.10
+      dns_domain: cluster.local
+      instance_prefix: kubernetes
+      admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
+      enable_cpu_cfs_quota: "true"
+      network_provider: none
+      opencontrail_tag: R2.20
+      opencontrail_kubernetes_tag: master
+      opencontrail_public_subnet: 10.1.0.0/16
+      e2e_storage_test_environment: "false"

cluster/openstack-heat/kubernetes-heat/fragments/deploy-kube-auth-files-master.yaml

@@ -0,0 +1,43 @@
+#cloud-config
+merge_how: dict(recurse_array)+list(append)
+bootcmd:
+  - mkdir -p /srv/salt-overlay/salt/kube-apiserver
+  - mkdir -p /srv/salt-overlay/salt/kubelet
+write_files:
+  - path: /srv/salt-overlay/salt/kube-apiserver/basic_auth.csv
+    permissions: "0600"
+    content: |
+      $apiserver_password,$apiserver_user,admin
+  - path: /srv/salt-overlay/salt/kube-apiserver/known_tokens.csv
+    permissions: "0600"
+    content: |
+      $token_kubelet,kubelet,kubelet
+      $token_kube_proxy,kube_proxy,kube_proxy
+      TokenSystemScheduler,system:scheduler,system:scheduler
+      TokenSystemControllerManager,system:controller_manager,system:controller_manager
+      TokenSystemLogging,system:logging,system:logging
+      TokenSystemMonitoring,system:monitoring,system:monitoring
+      TokenSystemDns,system:dns,system:dns
+  - path: /srv/salt-overlay/salt/kubelet/kubernetes_auth
+    permissions: "0600"
+    content: |
+      {"BearerToken": "$token_kubelet", "Insecure": true }
+  - path: /srv/salt-overlay/salt/kubelet/kubeconfig
+    permissions: "0600"
+    content: |
+      apiVersion: v1
+      kind: Config
+      users:
+        - name: kubelet
+          user:
+            token: $token_kubelet
+      clusters:
+        - name: local
+          cluster:
+            insecure-skip-tls-verify: true
+      contexts:
+        - context:
+            cluster: local
+            user: kubelet
+          name: service-account-context
+      current-context: service-account-context

cluster/openstack-heat/kubernetes-heat/fragments/deploy-kube-auth-files-node.yaml

@@ -0,0 +1,44 @@
+#cloud-config
+merge_how: dict(recurse_array)+list(append)
+bootcmd:
+  - mkdir -p /srv/salt-overlay/salt/kubelet
+  - mkdir -p /srv/salt-overlay/salt/kube-proxy
+write_files:
+  - path: /srv/salt-overlay/salt/kubelet/kubeconfig
+    permissions: "0600"
+    content: |
+      apiVersion: v1
+      kind: Config
+      users:
+        - name: kubelet
+          user:
+            token: $token_kubelet
+      clusters:
+        - name: local
+          cluster:
+            insecure-skip-tls-verify: true
+      contexts:
+        - context:
+            cluster: local
+            user: kubelet
+          name: service-account-context
+      current-context: service-account-context
+  - path: /srv/salt-overlay/salt/kube-proxy/kubeconfig
+    permissions: "0600"
+    content: |
+      apiVersion: v1
+      kind: Config
+      users:
+        - name: kube-proxy
+          user:
+            token: $token_kube_proxy
+      clusters:
+        - name: local
+          cluster:
+            insecure-skip-tls-verify: true
+      contexts:
+        - context:
+            cluster: local
+            user: kube-proxy
+          name: service-account-context
+      current-context: service-account-context

cluster/openstack-heat/kubernetes-heat/fragments/hostname-hack.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# Copyright 2015 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# Workaround for this, which has been fixed but not widely distributed: https://bugs.launchpad.net/cloud-init/+bug/1246485
+# See also http://blog.oddbit.com/2014/12/10/cloudinit-and-the-case-of-the-changing-hostname/
+hostname > /etc/hostname