Add huawei cloud controller (#10198)

* Add huaweicloud as external cloud controller * Add huaweicloud example config * Rename AK,SK to ACCESS_KEY and SECRET_KEY * Add reference to huaweicloud * Fix variable naming * Fix env var name * Update example * Fix variable naming * Fix cloud_config path * Add namespace for leader election * Revert reviewers * Delete OWNERS Delete owners who are not responsible here. * Fix build validation
1 year ago · e573a2f6d4
11 changed files with 388 additions and 1 deletions
--- a/inventory/sample/group_vars/all/all.yml
+++ b/inventory/sample/group_vars/all/all.yml
@ -48,7 +48,7 @@ loadbalancer_apiserver_healthcheck_port: 8081
 # cloud_provider:
 ## When cloud_provider is set to 'external', you can set the cloud controller to deploy
 ## Supported cloud controllers are: 'openstack', 'vsphere' and 'hcloud'
 ## Supported cloud controllers are: 'openstack', 'vsphere', 'huaweicloud' and 'hcloud'
 ## When openstack or vsphere are used make sure to source in the required fields
 # external_cloud_provider:
--- a/inventory/sample/group_vars/all/huaweicloud.yml
+++ b/inventory/sample/group_vars/all/huaweicloud.yml
@ -0,0 +1,17 @@
 ## Values for the external Huawei Cloud Controller
 # external_huaweicloud_lbaas_subnet_id: "Neutron subnet ID to create LBaaS VIP"
 # external_huaweicloud_lbaas_network_id: "Neutron network ID to create LBaaS VIP"
 ## Credentials to authenticate against Keystone API
 ## All of them are required Per default these values will be
 ## read from the environment.
 # external_huaweicloud_auth_url: "{{ lookup('env','OS_AUTH_URL')  }}"
 # external_huaweicloud_access_key: "{{ lookup('env','OS_ACCESS_KEY')  }}"
 # external_huaweicloud_secret_key: "{{ lookup('env','OS_SECRET_KEY')  }}"
 # external_huaweicloud_region: "{{ lookup('env','OS_REGION_NAME')  }}"
 # external_huaweicloud_project_id: "{{ lookup('env','OS_TENANT_ID')| default(lookup('env','OS_PROJECT_ID'),true) }}"
 # external_huaweicloud_cloud: "{{ lookup('env','OS_CLOUD') }}"
 ## The repo and tag of the external Huawei Cloud Controller image
 # external_huawei_cloud_controller_image_repo: "swr.ap-southeast-1.myhuaweicloud.com"
 # external_huawei_cloud_controller_image_tag: "v0.26.3"
--- a/roles/kubernetes-apps/external_cloud_controller/huaweicloud/defaults/main.yml
+++ b/roles/kubernetes-apps/external_cloud_controller/huaweicloud/defaults/main.yml
@ -0,0 +1,19 @@
 ---
 # The external cloud controller will need credentials to access
 # openstack apis. Per default these values will be
 # read from the environment.
 external_huaweicloud_auth_url: "{{ lookup('env','OS_AUTH_URL')  }}"
 external_huaweicloud_access_key: "{{ lookup('env','OS_ACCESS_KEY')  }}"
 external_huaweicloud_secret_key: "{{ lookup('env','OS_SECRET_KEY')  }}"
 external_huaweicloud_region: "{{ lookup('env','OS_REGION_NAME')  }}"
 external_huaweicloud_project_id: "{{ lookup('env','OS_TENANT_ID')| default(lookup('env','OS_PROJECT_ID'),true) }}"
 external_huaweicloud_cloud: "{{ lookup('env','OS_CLOUD') }}"
 ## A dictionary of extra arguments to add to the huawei cloud controller manager deployment
 ## Format:
 ##  external_huawei_cloud_controller_extra_args:
 ##    arg1: "value1"
 ##    arg2: "value2"
 external_huawei_cloud_controller_extra_args: {}
 external_huawei_cloud_controller_image_repo: "swr.ap-southeast-1.myhuaweicloud.com"
 external_huawei_cloud_controller_image_tag: "v0.26.3"
--- a/roles/kubernetes-apps/external_cloud_controller/huaweicloud/tasks/huaweicloud-credential-check.yml
+++ b/roles/kubernetes-apps/external_cloud_controller/huaweicloud/tasks/huaweicloud-credential-check.yml
@ -0,0 +1,33 @@
 ---
 - name: External Huawei Cloud Controller | check external_huaweicloud_auth_url value
  fail:
    msg: "external_huaweicloud_auth_url is missing"
  when: external_huaweicloud_auth_url is not defined or not external_huaweicloud_auth_url
 - name: External Huawei Cloud Controller | check external_huaweicloud_access_key value
  fail:
    msg: "you must set external_huaweicloud_access_key"
  when:
    - external_huaweicloud_access_key is not defined or not external_huaweicloud_access_key
 - name: External Huawei Cloud Controller | check external_huaweicloud_secret_key value
  fail:
    msg: "external_huaweicloud_secret_key is missing"
  when:
    - external_huaweicloud_access_key is defined
    - external_huaweicloud_access_key|length > 0
    - external_huaweicloud_secret_key is not defined or not external_huaweicloud_secret_key
 - name: External Huawei Cloud Controller | check external_huaweicloud_region value
  fail:
    msg: "external_huaweicloud_region is missing"
  when: external_huaweicloud_region is not defined or not external_huaweicloud_region
 - name: External Huawei Cloud Controller | check external_huaweicloud_project_id value
  fail:
    msg: "one of external_huaweicloud_project_id must be specified"
  when:
    - external_huaweicloud_project_id is not defined or not external_huaweicloud_project_id
--- a/roles/kubernetes-apps/external_cloud_controller/huaweicloud/tasks/main.yml
+++ b/roles/kubernetes-apps/external_cloud_controller/huaweicloud/tasks/main.yml
@ -0,0 +1,49 @@
 ---
 - name: External Huawei Cloud Controller | Check Huawei credentials
  include_tasks: huaweicloud-credential-check.yml
  tags: external-huaweicloud
 - name: External huaweicloud Cloud Controller | Get base64 cacert
  slurp:
    src: "{{ external_huaweicloud_cacert }}"
  register: external_huaweicloud_cacert_b64
  when:
    - inventory_hostname == groups['kube_control_plane'][0]
    - external_huaweicloud_cacert is defined
    - external_huaweicloud_cacert | length > 0
  tags: external-huaweicloud
 - name: External huaweicloud Cloud Controller | Get base64 cloud-config
  set_fact:
    external_huawei_cloud_config_secret: "{{ lookup('template', 'external-huawei-cloud-config.j2') | b64encode }}"
  when: inventory_hostname == groups['kube_control_plane'][0]
  tags: external-huaweicloud
 - name: External Huawei Cloud Controller | Generate Manifests
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/{{ item.file }}"
    group: "{{ kube_cert_group }}"
    mode: 0640
  with_items:
    - {name: external-huawei-cloud-config-secret, file: external-huawei-cloud-config-secret.yml}
    - {name: external-huawei-cloud-controller-manager-roles, file: external-huawei-cloud-controller-manager-roles.yml}
    - {name: external-huawei-cloud-controller-manager-role-bindings, file: external-huawei-cloud-controller-manager-role-bindings.yml}
    - {name: external-huawei-cloud-controller-manager-ds, file: external-huawei-cloud-controller-manager-ds.yml}
  register: external_huaweicloud_manifests
  when: inventory_hostname == groups['kube_control_plane'][0]
  tags: external-huaweicloud
 - name: External Huawei Cloud Controller | Apply Manifests
  kube:
    kubectl: "{{ bin_dir }}/kubectl"
    filename: "{{ kube_config_dir }}/{{ item.item.file }}"
    state: "latest"
  with_items:
    - "{{ external_huaweicloud_manifests.results }}"
  when:
    - inventory_hostname == groups['kube_control_plane'][0]
    - not item is skipped
  loop_control:
    label: "{{ item.item.file }}"
  tags: external-huaweicloud
--- a/roles/kubernetes-apps/external_cloud_controller/huaweicloud/templates/external-huawei-cloud-config-secret.yml.j2
+++ b/roles/kubernetes-apps/external_cloud_controller/huaweicloud/templates/external-huawei-cloud-config-secret.yml.j2
@ -0,0 +1,10 @@
 # This YAML file contains secret objects,
 # which are necessary to run external huaweicloud cloud controller.
 kind: Secret
 apiVersion: v1
 metadata:
  name: external-huawei-cloud-config
  namespace: kube-system
 data:
  cloud-config: {{ external_huawei_cloud_config_secret }}
--- a/roles/kubernetes-apps/external_cloud_controller/huaweicloud/templates/external-huawei-cloud-config.j2
+++ b/roles/kubernetes-apps/external_cloud_controller/huaweicloud/templates/external-huawei-cloud-config.j2
@ -0,0 +1,23 @@
 [Global]
 auth-url="{{ external_huaweicloud_auth_url }}"
 {% if external_huaweicloud_access_key is defined and external_huaweicloud_access_key != "" %}
 access-key={{ external_huaweicloud_access_key }}
 {% endif %}
 {% if external_huaweicloud_secret_key is defined and external_huaweicloud_secret_key != "" %}
 secret-key={{ external_huaweicloud_secret_key }}
 {% endif %}
 region="{{ external_huaweicloud_region }}"
 {% if external_huaweicloud_project_id is defined and external_huaweicloud_project_id != "" %}
 project-id="{{ external_huaweicloud_project_id }}"
 {% endif %}
 {% if external_huaweicloud_cloud is defined and external_huaweicloud_cloud != "" %}
 cloud="{{ external_huaweicloud_cloud }}"
 {% endif %}
 [VPC]
 {% if external_huaweicloud_lbaas_subnet_id is defined %}
 subnet-id={{ external_huaweicloud_lbaas_subnet_id }}
 {% endif %}
 {% if external_huaweicloud_lbaas_network_id is defined %}
 id={{ external_huaweicloud_lbaas_network_id }}
 {% endif %}
--- a/roles/kubernetes-apps/external_cloud_controller/huaweicloud/templates/external-huawei-cloud-controller-manager-ds.yml.j2
+++ b/roles/kubernetes-apps/external_cloud_controller/huaweicloud/templates/external-huawei-cloud-controller-manager-ds.yml.j2
@ -0,0 +1,93 @@
 kind: Namespace
 apiVersion: v1
 metadata:
  name: huawei-cloud-provider
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: cloud-controller-manager
  namespace: kube-system
 ---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  name: huawei-cloud-controller-manager
  namespace: kube-system
  labels:
    k8s-app: huawei-cloud-controller-manager
 spec:
  selector:
    matchLabels:
      k8s-app: huawei-cloud-controller-manager
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        k8s-app: huawei-cloud-controller-manager
    spec:
      nodeSelector:
        node-role.kubernetes.io/control-plane: ""
      securityContext:
        runAsUser: 1001
      tolerations:
      - key: node.cloudprovider.kubernetes.io/uninitialized
        value: "true"
        effect: NoSchedule
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
      - key: node-role.kubernetes.io/control-plane
        effect: NoSchedule
      serviceAccountName: cloud-controller-manager
      containers:
        - name: huawei-cloud-controller-manager
          image: {{ external_huawei_cloud_controller_image_repo }}/k8s-cloudprovider/huawei-cloud-controller-manager:{{ external_huawei_cloud_controller_image_tag }}
          args:
            - /bin/huawei-cloud-controller-manager
            - --v=1
            - --cloud-config=$(CLOUD_CONFIG)
            - --cloud-provider=huaweicloud
            - --use-service-account-credentials=true
 {% for key, value in external_huawei_cloud_controller_extra_args.items() %}
            - "{{ '--' + key + '=' + value }}"
 {% endfor %}
          volumeMounts:
            - mountPath: /etc/kubernetes
              name: k8s-certs
              readOnly: true
            - mountPath: /etc/ssl/certs
              name: ca-certs
              readOnly: true
            - mountPath: /etc/config
              name: cloud-config-volume
              readOnly: true
 {% if kubelet_flexvolumes_plugins_dir is defined %}
            - mountPath: /usr/libexec/kubernetes/kubelet-plugins/volume/exec
              name: flexvolume-dir
 {% endif %}
          resources:
            requests:
              cpu: 200m
          env:
            - name: CLOUD_CONFIG
              value: /etc/config/cloud-config
      hostNetwork: true
      volumes:
 {% if kubelet_flexvolumes_plugins_dir is defined %}
      - name: flexvolume-dir
        hostPath:
          path: "{{ kubelet_flexvolumes_plugins_dir }}"
          type: DirectoryOrCreate
 {% endif %}
      - name: k8s-certs
        hostPath:
          path: /etc/kubernetes
          type: DirectoryOrCreate
      - name: ca-certs
        hostPath:
          path: /etc/ssl/certs
          type: DirectoryOrCreate
      - name: cloud-config-volume
        secret:
          secretName: external-huawei-cloud-config
--- a/roles/kubernetes-apps/external_cloud_controller/huaweicloud/templates/external-huawei-cloud-controller-manager-role-bindings.yml.j2
+++ b/roles/kubernetes-apps/external_cloud_controller/huaweicloud/templates/external-huawei-cloud-controller-manager-role-bindings.yml.j2
@ -0,0 +1,16 @@
 apiVersion: v1
 items:
 - apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    name: system:cloud-controller-manager
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:cloud-controller-manager
  subjects:
  - kind: ServiceAccount
    name: cloud-controller-manager
    namespace: kube-system
 kind: List
 metadata: {}
--- a/roles/kubernetes-apps/external_cloud_controller/huaweicloud/templates/external-huawei-cloud-controller-manager-roles.yml.j2
+++ b/roles/kubernetes-apps/external_cloud_controller/huaweicloud/templates/external-huawei-cloud-controller-manager-roles.yml.j2
@ -0,0 +1,117 @@
 apiVersion: v1
 items:
 - apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    name: system:cloud-controller-manager
  rules:
  - resources:
    - tokenreviews
    verbs:
    - get
    - list
    - watch
    - create
    - update
    - patch
    apiGroups:
    - authentication.k8s.io
  - resources:
    - configmaps
    - endpoints
    - pods
    - services
    - secrets
    - serviceaccounts
    - serviceaccounts/token
    verbs:
    - get
    - list
    - watch
    - create
    - update
    - patch
    apiGroups:
    - ''
  - resources:
    - nodes
    verbs:
    - get
    - list
    - watch
    - delete
    - patch
    - update
    apiGroups:
    - ''
  - resources:
    - services/status
    - pods/status
    verbs:
    - update
    - patch
    apiGroups:
    - ''
  - resources:
    - nodes/status
    verbs:
    - patch
    - update
    apiGroups:
    - ''
  - resources:
    - events
    - endpoints
    verbs:
    - create
    - patch
    - update
    apiGroups:
    - ''
  - resources:
    - leases
    verbs:
    - get
    - update
    - create
    - delete
    apiGroups:
    - coordination.k8s.io
  - resources:
    - customresourcedefinitions
    verbs:
    - get
    - update
    - create
    - delete
    apiGroups:
      - apiextensions.k8s.io
  - resources:
    - ingresses
    verbs:
    - get
    - list
    - watch
    - update
    - create
    - patch
    - delete
    apiGroups:
    - networking.k8s.io
  - resources:
    - ingresses/status
    verbs:
    - update
    - patch
    apiGroups:
    - networking.k8s.io
  - resources:
    - endpointslices
    verbs:
    - get
    - list
    - watch
    apiGroups:
    - discovery.k8s.io
 kind: List
 metadata: {}
--- a/roles/kubernetes-apps/external_cloud_controller/meta/main.yml
+++ b/roles/kubernetes-apps/external_cloud_controller/meta/main.yml
@ -30,3 +30,13 @@ dependencies:
    tags:
      - external-cloud-controller
      - external-hcloud
  - role: kubernetes-apps/external_cloud_controller/huaweicloud
    when:
      - cloud_provider is defined
      - cloud_provider == "external"
      - external_cloud_provider is defined
      - external_cloud_provider == "huaweicloud"
      - inventory_hostname == groups['kube_control_plane'][0]
    tags:
      - external-cloud-controller
      - external-huaweicloud