example ansible setup repo

This is a basic ansible repo that will do a couple of things

1) set up an etcd node
2) set up a master running apiserver, scheduler, controller-manager
3) setup any number of nodes

Hopefully this can be expanded to do things like set up skydns, set up a
private docker repo, set up an overlay network (flannel) etc etc.  But
right now all it does is set up etcd and configure a master and nodes.

contrib/ansible/.gitignore

@@ -0,0 +1,2 @@
+myinventory
+*.swp

contrib/ansible/cluster.yml

@@ -0,0 +1,4 @@
+# Set up a whole working cluster!
+- include: etcd.yml
+- include: kubernetes-services.yml
+

contrib/ansible/etcd.yml

@@ -0,0 +1,6 @@
+---
+- hosts: etcd
+  sudo: yes
+  roles:
+          - common
+          - etcd

contrib/ansible/group_vars/all.yml

@@ -0,0 +1,3 @@
+ansible_ssh_user: root
+#ansible_ssh_pass: password
+#ansible_sudo_pass: password

contrib/ansible/group_vars/masters.yml

@@ -0,0 +1 @@
+kube_service_addresses: 10.254.0.0/16 # MUST be defined as a range not used in your infrastructure

contrib/ansible/inventory

@@ -0,0 +1,10 @@
+[masters]
+10.0.0.1
+
+[etcd]
+10.0.0.2
+
+[minions]
+10.0.0.3
+10.0.0.4
+10.0.0.5

contrib/ansible/kubernetes-services.yml

@@ -0,0 +1,17 @@
+---
+- hosts: masters:minions
+  sudo: yes
+  roles:
+          - common
+
+- hosts: masters
+  sudo: yes
+  roles:
+          - kubernetes
+          - master
+
+- hosts: minions
+  sudo: yes
+  roles:
+          - kubernetes
+          - minion

contrib/ansible/library/rpm_facts.py

@@ -0,0 +1,37 @@
+#!/usr/bin/python
+
+import subprocess
+import re
+
+def main():
+    module = AnsibleModule(
+        argument_spec = dict(
+        ),
+    )
+
+    facts = {}
+
+    result = {}
+    result['rc'] = 0
+    result['changed'] = False
+    result['ansible_facts'] = facts
+
+    args = ("rpm", "-q", "firewalld")
+    popen = subprocess.Popen(args, stdout=subprocess.PIPE)
+    rc = popen.wait()
+    facts['has_firewalld'] = False
+    if rc == 0:
+        facts['has_firewalld'] = True
+
+    args = ("rpm", "-q", "iptables-services")
+    popen = subprocess.Popen(args, stdout=subprocess.PIPE)
+    rc = popen.wait()
+    facts['has_iptables'] = False
+    if rc == 0:
+        facts['has_iptables'] = True
+
+    module.exit_json(**result)
+
+# import module snippets
+from ansible.module_utils.basic import *
+main()

contrib/ansible/roles/common/tasks/main.yml

@@ -0,0 +1,18 @@
+---
+- name: Determine if Atomic
+  stat: path=/run/ostree-booted
+  register: s
+  changed_when: false
+
+- name: Init the is_atomic fact
+  set_fact:
+    is_atomic: false
+
+- name: Set the is_atomic fact
+  set_fact:
+    is_atomic: true
+  when: s.stat.exists
+
+- name: Collect fact about what RPM's are installed
+  rpm_facts:
+  when: ansible_pkg_mgr == "yum"

contrib/ansible/roles/etcd/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: restart etcd
+  service: name=etcd state=restarted
+
+- name: Save iptables rules
+  command: service iptables save

contrib/ansible/roles/etcd/tasks/firewalld.yml

@@ -0,0 +1,16 @@
+---
+- name: Open firewalld port for etcd
+  firewalld: port={{ item }}/tcp permanent=false state=enabled
+  # in case this is also a minion where firewalld turned off
+  ignore_errors: yes
+  with_items:
+        - 4001
+        - 7001
+
+- name: Save firewalld port for etcd
+  firewalld: port={{ item }}/tcp permanent=true state=enabled
+  # in case this is also a minion where firewalld turned off
+  ignore_errors: yes
+  with_items:
+        - 4001
+        - 7001

contrib/ansible/roles/etcd/tasks/iptables.yml

@@ -0,0 +1,17 @@
+---
+- name: Get iptables rules
+  shell: iptables -L
+  register: iptablesrules
+  always_run: yes
+
+- name: Enable iptables at boot
+  service: name=iptables enabled=yes state=started
+
+- name: Open etcd client port with iptables
+  command: /sbin/iptables -I INPUT 1 -p tcp --dport {{ item }} -j ACCEPT -m comment --comment "etcd_client"
+  when: etcd_client not in iptablesrules.stdout
+  notify:
+          - Save iptables rules
+  with_items:
+          - 4001
+          - 7001

contrib/ansible/roles/etcd/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+- name: Install etcd
+  yum: pkg=etcd state=latest
+  notify:
+        - restart etcd
+  when: not is_atomic
+
+- name: Write etcd config file
+  template: src=etcd.conf.j2 dest=/etc/etcd/etcd.conf
+  notify:
+        - restart etcd
+
+- name: Enable etcd
+  service: name=etcd enabled=yes state=started
+
+- include: firewalld.yml
+  when: has_firewalld
+
+- include: iptables.yml
+  when: not has_firewalld and has_iptables

contrib/ansible/roles/etcd/templates/etcd.conf.j2

@@ -0,0 +1,4 @@
+# etcd2.0
+ETCD_NAME=default
+ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
+ETCD_LISTEN_CLIENT_URLS="http://0.0.0.0:4001"

contrib/ansible/roles/kubernetes/tasks/fedora.yml

@@ -0,0 +1,4 @@
+---
+- name: Remove docker window manager on F20
+  yum: pkg=docker state=absent
+  when: not is_atomic and ansible_distribution_major_version == "20"

contrib/ansible/roles/kubernetes/tasks/main.yml

@@ -0,0 +1,14 @@
+---
+- include: fedora.yml
+  when: ansible_distribution == "Fedora"
+
+- name: Install kubernetes
+  yum: pkg=kubernetes state=latest
+  notify:
+        - restart daemons
+  when: not is_atomic
+
+- name: write the global config file
+  template: src=config.j2 dest=/etc/kubernetes/config
+  notify:
+          - restart daemons

contrib/ansible/roles/kubernetes/templates/config.j2

@@ -0,0 +1,23 @@
+###
+# kubernetes system config
+#
+# The following values are used to configure various aspects of all
+# kubernetes services, including
+#
+#   kube-apiserver.service
+#   kube-controller-manager.service
+#   kube-scheduler.service
+#   kubelet.service
+#   kube-proxy.service
+
+# logging to stderr means we get it in the systemd journal
+KUBE_LOGTOSTDERR="--logtostderr=true"
+
+# journal message level, 0 is debug
+KUBE_LOG_LEVEL="--v=0"
+
+# Should this cluster be allowed to run privileged docker containers
+KUBE_ALLOW_PRIV="--allow_privileged=true"
+
+# How the replication controller, scheduler, and proxy
+KUBE_MASTER="--master=http://{{ groups['masters'][0] }}:8080"

contrib/ansible/roles/master/files/controller-manager

@@ -0,0 +1,7 @@
+###
+# The following values are used to configure the kubernetes controller-manager
+
+# defaults from config and apiserver should be adequate
+
+# Add you own!
+KUBE_CONTROLLER_MANAGER_ARGS=""

contrib/ansible/roles/master/files/scheduler

@@ -0,0 +1,7 @@
+###
+# kubernetes scheduler config
+
+# default config should be adequate
+
+# Add your own!
+KUBE_SCHEDULER_ARGS=""

contrib/ansible/roles/master/handlers/main.yml

@@ -0,0 +1,19 @@
+---
+- name: restart daemons
+  command: /bin/true
+  notify:
+          - restart apiserver
+          - restart controller-manager
+          - restart scheduler
+
+- name: restart apiserver
+  service: name=kube-apiserver state=restarted
+
+- name: restart controller-manager
+  service: name=kube-controller-manager state=restarted
+
+- name: restart scheduler
+  service: name=kube-scheduler state=restarted
+
+- name: restart iptables
+  service: name=iptables state=restarted

contrib/ansible/roles/master/tasks/firewalld.yml

@@ -0,0 +1,10 @@
+---
+- name: Open firewalld port for apiserver
+  firewalld: port=8080/tcp permanent=false state=enabled
+  # in case this is also a minion with firewalld turned off
+  ignore_errors: yes
+
+- name: Save firewalld port for apiserver
+  firewalld: port=8080/tcp permanent=true state=enabled
+  # in case this is also a minion with firewalld turned off
+  ignore_errors: yes

contrib/ansible/roles/master/tasks/iptables.yml

@@ -0,0 +1,15 @@
+---
+- name: Get iptables rules
+  shell: iptables -L
+  register: iptablesrules
+  always_run: yes
+
+- name: Open apiserver port with iptables
+  command: /sbin/iptables -I INPUT 1 -p tcp --dport 8080 -j ACCEPT -m comment --comment "kube-apiserver"
+  when: kube-apiserver not in iptablesrules.stdout
+  notify:
+          - restart iptables
+
+- name: Save iptables rules
+  command: service iptables save
+  when: kube-apiserver not in iptablesrules.stdout

contrib/ansible/roles/master/tasks/main.yml

@@ -0,0 +1,50 @@
+---
+- name: write the config file for the api server
+  template: src=apiserver.j2 dest=/etc/kubernetes/apiserver
+  notify:
+          - restart apiserver
+
+- name: write the config file for the controller-manager
+  copy: src=controller-manager dest=/etc/kubernetes/controller-manager
+  notify:
+          - restart controller-manager
+
+- name: write the config file for the scheduler
+  copy: src=scheduler dest=/etc/kubernetes/scheduler
+  notify:
+          - restart scheduler
+
+- name: Enable apiserver
+  service: name=kube-apiserver enabled=yes state=started
+
+- name: Enable controller-manager
+  service: name=kube-controller-manager enabled=yes state=started
+
+- name: Enable scheduler
+  service: name=kube-scheduler enabled=yes state=started
+
+- name: Copy minion definition json files to master
+  template: src=node.j2 dest=/tmp/node-{{ item }}.yml
+  changed_when: false
+  with_items:
+          groups['minions']
+
+- name: Load minion definition into master
+  command: /usr/bin/kubectl create -f /tmp/node-{{ item }}.yml
+  register: command_result
+  failed_when: command_result.rc != 0 and 'already exists' not in command_result.stderr
+  changed_when: "command_result.rc == 0"
+  with_items:
+          groups['minions']
+
+- name: Delete minion definitions from master
+  file: path=/tmp/node-{{ item }}.yml state=absent
+  changed_when: false
+  with_items:
+          groups['minions']
+
+- include: firewalld.yml
+  when: has_firewalld
+
+- include: iptables.yml
+  when: not has_firewalld and has_iptables

contrib/ansible/roles/master/templates/apiserver.j2

@@ -0,0 +1,26 @@
+###
+# kubernetes system config
+#
+# The following values are used to configure the kube-apiserver
+#
+
+# The address on the local server to listen to.
+KUBE_API_ADDRESS="--address=0.0.0.0"
+
+# The port on the local server to listen on.
+# KUBE_API_PORT="--port=8080"
+
+# Port minions listen on
+# KUBELET_PORT="--kubelet_port=10250"
+
+# Address range to use for services
+KUBE_SERVICE_ADDRESSES="--portal_net={{ kube_service_addresses }}"
+
+# Location of the etcd cluster
+KUBE_ETCD_SERVERS="--etcd_servers=http://{{ groups['etcd'][0] }}:4001"
+
+# default admission control policies
+KUBE_ADMISSION_CONTROL="--admission_control=NamespaceAutoProvision,LimitRanger,ResourceQuota"
+
+# Add you own!
+KUBE_API_ARGS=""

contrib/ansible/roles/master/templates/node.j2

@@ -0,0 +1,3 @@
+apiVersion: v1beta1
+id: {{ item }}
+kind: Minion

contrib/ansible/roles/minion/files/proxy

@@ -0,0 +1,7 @@
+###
+# kubernetes proxy config
+
+# default config should be adequate
+
+# Add your own!
+KUBE_PROXY_ARGS=""

contrib/ansible/roles/minion/handlers/main.yml

@@ -0,0 +1,15 @@
+---
+- name: restart daemons
+  command: /bin/true
+  notify:
+          - restart kubelet
+          - restart proxy
+
+- name: restart kubelet
+  service: name=kubelet state=restarted
+
+- name: restart proxy
+  service: name=kube-proxy state=restarted
+
+- name: restart iptables
+  service: name=iptables state=restarted

contrib/ansible/roles/minion/tasks/firewalld.yml

@@ -0,0 +1,10 @@
+---
+# https://bugzilla.redhat.com/show_bug.cgi?id=1033606 and I think others say firewalld+docker == bad
+- name: disable firewalld
+  service: name=firewalld enabled=no state=stopped
+
+#- name: Open firewalld port for the kubelet
+#firewalld: port=10250/tcp permanent=false state=enabled
+
+#- name: Save firewalld port for the kubelet
+#firewalld: port=10250/tcp permanent=true state=enabled

contrib/ansible/roles/minion/tasks/iptables.yml

@@ -0,0 +1,18 @@
+---
+- name: Get iptables rules
+  shell: iptables -L
+  register: iptablesrules
+  always_run: yes
+
+- name: Enable iptables at boot
+  service: name=iptables enabled=yes state=started
+
+- name: Open kubelet port with iptables
+  command: /sbin/iptables -I INPUT 1 -p tcp --dport 10250 -j ACCEPT -m comment --comment "kubelet"
+  when: kubelet not in iptablesrules.stdout
+  notify:
+          - restart iptables
+
+- name: Save iptables rules
+  command: service iptables save
+  when: kubelet not in iptablesrules.stdout

contrib/ansible/roles/minion/tasks/main.yml

@@ -0,0 +1,22 @@
+---
+- name: write the config files for kubelet
+  template: src=kubelet.j2 dest=/etc/kubernetes/kubelet
+  notify:
+          - restart kubelet
+
+- name: write the config files for proxy
+  copy: src=proxy dest=/etc/kubernetes/proxy
+  notify:
+          - restart proxy
+
+- name: Enable kubelet
+  service: name=kubelet enabled=yes state=started
+
+- name: Enable proxy
+  service: name=kube-proxy enabled=yes state=started
+
+- include: firewalld.yml
+  when: has_firewalld
+
+- include: iptables.yml
+  when: not has_firewalld and has_iptables

contrib/ansible/roles/minion/templates/kubelet.j2

@@ -0,0 +1,17 @@
+###
+# kubernetes kubelet (minion) config
+
+# The address for the info server to serve on (set to 0.0.0.0 or "" for all interfaces)
+KUBELET_ADDRESS="--address=0.0.0.0"
+
+# The port for the info server to serve on
+# KUBELET_PORT="--port=10250"
+
+# You may leave this blank to use the actual hostname
+KUBELET_HOSTNAME="--hostname_override={{ inventory_hostname }}"
+
+# location of the api-server
+KUBELET_API_SERVER="--api_servers=http://{{ groups['masters'][0]}}:8080"
+
+# Add your own!
+KUBELET_ARGS=""