
contiv network support (#1914) * Add Contiv support Contiv is a network plugin for Kubernetes and Docker. It supports vlan/vxlan/BGP/Cisco ACI technologies. It supports firewall policies, multiple networks and bridging pods onto physical networks. * Update contiv version to 1.1.4 Update contiv version to 1.1.4 and add SVC_SUBNET in contiv-config. * Load openvswitch module as a workaround on CentOS7.4 * Set contiv cni version to 0.1.0 Correct contiv CNI version to 0.1.0. * Use kube_apiserver_endpoint for K8S_API_SERVER Use kube_apiserver_endpoint as K8S_API_SERVER so that contiv talks to an available endpoint whether or not there is a loadbalancer. * Make contiv use its own etcd Before this commit, contiv used an etcd proxy to the k8s etcd. This works fine when the etcd hosts are co-located with the contiv etcd proxy; however, the k8s peering certs are only present in the etcd group, so the etcd-proxy is not able to peer with the k8s etcd on the etcd group. In addition, the netplugin always tries to find the etcd endpoint on localhost, which causes problems for all netplugins not running on etcd group nodes. This commit makes contiv use its own etcd, separate from the k8s one. On kube-master nodes (where net-master runs) it runs in leader mode, and on all other nodes it runs in proxy mode. * Use cp instead of rsync to copy cni binaries Since rsync has been removed from hyperkube, this commit changes it to use cp instead. * Make contiv-etcd able to run on master nodes * Add rbac_enabled flag for contiv pods * Add contiv to the CNI network plugin lists * migrate contiv test to tests/files Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> * Add required rules for contiv netplugin * Better handling of the json return of fwdMode * Make contiv etcd port configurable * Use default var instead of templating * roles/download/defaults/main.yml: use contiv 1.1.7 Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com>
  1. # Kubernetes configuration dirs and system namespace.
  2. # Those are where all the additional config stuff goes
  3. # the kubernetes normally puts in /srv/kubernets.
  4. # This puts them in a sane location and namespace.
  5. # Editting those values will almost surely break something.
  6. kube_config_dir: /etc/kubernetes
  7. kube_script_dir: "{{ bin_dir }}/kubernetes-scripts"
  8. kube_manifest_dir: "{{ kube_config_dir }}/manifests"
  9. system_namespace: kube-system
  10. # Logging directory (sysvinit systems)
  11. kube_log_dir: "/var/log/kubernetes"
  12. # This is where all the cert scripts and certs will be located
  13. kube_cert_dir: "{{ kube_config_dir }}/ssl"
  14. # This is where all of the bearer tokens will be stored
  15. kube_token_dir: "{{ kube_config_dir }}/tokens"
  16. # This is where to save basic auth file
  17. kube_users_dir: "{{ kube_config_dir }}/users"
  18. kube_api_anonymous_auth: false
  19. ## Change this to use another Kubernetes version, e.g. a current beta release
  20. kube_version: v1.8.4
  21. # Where the binaries will be downloaded.
  22. # Note: ensure that you've enough disk space (about 1G)
  23. local_release_dir: "/tmp/releases"
  24. # Random shifts for retrying failed ops like pushing/downloading
  25. retry_stagger: 5
  26. # This is the group that the cert creation scripts chgrp the
  27. # cert files to. Not really changable...
  28. kube_cert_group: kube-cert
  29. # Cluster Loglevel configuration
  30. kube_log_level: 2
  31. # Users to create for basic auth in Kubernetes API via HTTP
  32. # Optionally add groups for user
  33. kube_api_pwd: "{{ lookup('password', 'credentials/kube_user length=15 chars=ascii_letters,digits') }}"
  34. kube_users:
  35. kube:
  36. pass: "{{kube_api_pwd}}"
  37. role: admin
  38. groups:
  39. - system:masters
  40. ## It is possible to activate / deactivate selected authentication methods (basic auth, static token auth)
  41. #kube_oidc_auth: false
  42. #kube_basic_auth: false
  43. #kube_token_auth: false
  44. ## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
  45. ## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...)
  46. # kube_oidc_url: https:// ...
  47. # kube_oidc_client_id: kubernetes
  48. ## Optional settings for OIDC
  49. # kube_oidc_ca_file: {{ kube_cert_dir }}/ca.pem
  50. # kube_oidc_username_claim: sub
  51. # kube_oidc_groups_claim: groups
  52. # Choose network plugin (calico, contiv, weave or flannel)
  53. # Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
  54. kube_network_plugin: calico
  55. # weave's network password for encryption
  56. # if null then no network encryption
  57. # you can use --extra-vars to pass the password in command line
  58. weave_password: EnterPasswordHere
  59. # Weave uses consensus mode by default
  60. # Enabling seed mode allow to dynamically add or remove hosts
  61. # https://www.weave.works/docs/net/latest/ipam/
  62. weave_mode_seed: false
  63. # This two variable are automatically changed by the weave's role, do not manually change these values
  64. # To reset values :
  65. # weave_seed: uninitialized
  66. # weave_peers: uninitialized
  67. weave_seed: uninitialized
  68. weave_peers: uninitialized
  69. # Enable kubernetes network policies
  70. enable_network_policy: false
  71. # Kubernetes internal network for services, unused block of space.
  72. kube_service_addresses: 10.233.0.0/18
  73. # internal network. When used, it will assign IP
  74. # addresses from this range to individual pods.
  75. # This network must be unused in your network infrastructure!
  76. kube_pods_subnet: 10.233.64.0/18
  77. # internal network node size allocation (optional). This is the size allocated
  78. # to each node on your network. With these defaults you should have
  79. # room for 4096 nodes with 254 pods per node.
  80. kube_network_node_prefix: 24
  81. # The port the API Server will be listening on.
  82. kube_apiserver_ip: "{{ kube_service_addresses|ipaddr('net')|ipaddr(1)|ipaddr('address') }}"
  83. kube_apiserver_port: 6443 # (https)
  84. kube_apiserver_insecure_port: 8080 # (http)
  85. # DNS configuration.
  86. # Kubernetes cluster name, also will be used as DNS domain
  87. cluster_name: cluster.local
  88. # Subdomains of DNS domain to be resolved via /etc/resolv.conf for hostnet pods
  89. ndots: 2
  90. # Can be dnsmasq_kubedns, kubedns or none
  91. dns_mode: kubedns
  92. # Can be docker_dns, host_resolvconf or none
  93. resolvconf_mode: docker_dns
  94. # Deploy netchecker app to verify DNS resolve as an HTTP service
  95. deploy_netchecker: false
  96. # Ip address of the kubernetes skydns service
  97. skydns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(3)|ipaddr('address') }}"
  98. dnsmasq_dns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(2)|ipaddr('address') }}"
  99. dns_domain: "{{ cluster_name }}"
  100. # Path used to store Docker data
  101. docker_daemon_graph: "/var/lib/docker"
  102. ## A string of extra options to pass to the docker daemon.
  103. ## This string should be exactly as you wish it to appear.
  104. ## An obvious use case is allowing insecure-registry access
  105. ## to self hosted registries like so:
  106. docker_options: "--insecure-registry={{ kube_service_addresses }} --graph={{ docker_daemon_graph }} {{ docker_log_opts }}"
  107. docker_bin_dir: "/usr/bin"
  108. # Settings for containerized control plane (etcd/kubelet/secrets)
  109. etcd_deployment_type: docker
  110. kubelet_deployment_type: host
  111. vault_deployment_type: docker
  112. helm_deployment_type: host
  113. # K8s image pull policy (imagePullPolicy)
  114. k8s_image_pull_policy: IfNotPresent
  115. # Kubernetes dashboard
  116. # RBAC required. see docs/getting-started.md for access details.
  117. dashboard_enabled: true
  118. # Monitoring apps for k8s
  119. efk_enabled: false
  120. # Helm deployment
  121. helm_enabled: false
  122. # Istio deployment
  123. istio_enabled: false
  124. # Local volume provisioner deployment
  125. local_volumes_enabled: false
  126. # Make a copy of kubeconfig on the host that runs Ansible in GITDIR/artifacts
  127. # kubeconfig_localhost: false
  128. # Download kubectl onto the host that runs Ansible in GITDIR/artifacts
  129. # kubectl_localhost: false
  130. # dnsmasq
  131. # dnsmasq_upstream_dns_servers:
  132. # - /resolvethiszone.with/10.0.4.250
  133. # - 8.8.8.8
  134. # Enable creation of QoS cgroup hierarchy, if true top level QoS and pod cgroups are created. (default true)
  135. # kubelet_cgroups_per_qos: true
  136. # A comma separated list of levels of node allocatable enforcement to be enforced by kubelet.
  137. # Acceptible options are 'pods', 'system-reserved', 'kube-reserved' and ''. Default is "".
  138. # kubelet_enforce_node_allocatable: pods
  139. ## Supplementary addresses that can be added in kubernetes ssl keys.
  140. ## That can be usefull for example to setup a keepalived virtual IP
  141. # supplementary_addresses_in_ssl_keys: [10.0.0.1, 10.0.0.2, 10.0.0.3]