update

2023-05-30 14:44:26 +09:00
parent 9a3174deef
commit 4c32a7239d
2598 changed files with 164595 additions and 487 deletions
--- a/kubespray/extra_playbooks/roles/kubernetes-apps/snapshots/cinder-csi/defaults/main.yml
+++ b/kubespray/extra_playbooks/roles/kubernetes-apps/snapshots/cinder-csi/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+snapshot_classes:
+  - name: cinder-csi-snapshot
+    is_default: false
+    force_create: true
--- a/kubespray/extra_playbooks/roles/kubernetes-apps/snapshots/cinder-csi/tasks/main.yml
+++ b/kubespray/extra_playbooks/roles/kubernetes-apps/snapshots/cinder-csi/tasks/main.yml
@@ -0,0 +1,18 @@
+---
+- name: Kubernetes Snapshots | Copy Cinder CSI Snapshot Class template
+  template:
+    src: "cinder-csi-snapshot-class.yml.j2"
+    dest: "{{ kube_config_dir }}/cinder-csi-snapshot-class.yml"
+    mode: 0644
+  register: manifests
+  when:
+    - inventory_hostname == groups['kube_control_plane'][0]
+
+- name: Kubernetes Snapshots | Add Cinder CSI Snapshot Class
+  kube:
+    kubectl: "{{ bin_dir }}/kubectl"
+    filename: "{{ kube_config_dir }}/cinder-csi-snapshot-class.yml"
+    state: "latest"
+  when:
+    - inventory_hostname == groups['kube_control_plane'][0]
+    - manifests.changed
--- a/kubespray/extra_playbooks/roles/kubernetes-apps/snapshots/cinder-csi/templates/cinder-csi-snapshot-class.yml.j2
+++ b/kubespray/extra_playbooks/roles/kubernetes-apps/snapshots/cinder-csi/templates/cinder-csi-snapshot-class.yml.j2
@@ -0,0 +1,13 @@
+{% for class in snapshot_classes %}
+---
+kind: VolumeSnapshotClass
+apiVersion: snapshot.storage.k8s.io/v1beta1
+metadata:
+  name: "{{ class.name }}"
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "{{ class.is_default | default(false) | ternary("true","false") }}"
+driver: cinder.csi.openstack.org
+deletionPolicy: Delete
+parameters:
+  force-create: "{{ class.force_create }}"
+{% endfor %}
--- a/kubespray/extra_playbooks/roles/kubernetes-apps/snapshots/meta/main.yml
+++ b/kubespray/extra_playbooks/roles/kubernetes-apps/snapshots/meta/main.yml
@@ -0,0 +1,14 @@
+---
+dependencies:
+  - role: kubernetes-apps/snapshots/snapshot-controller
+    when:
+      - cinder_csi_enabled or csi_snapshot_controller_enabled
+    tags:
+      - snapshot-controller
+
+  - role: kubernetes-apps/snapshots/cinder-csi
+    when:
+      - cinder_csi_enabled
+    tags:
+      - snapshot
+      - cinder-csi-driver
--- a/kubespray/extra_playbooks/roles/kubernetes-apps/snapshots/snapshot-controller/defaults/main.yml
+++ b/kubespray/extra_playbooks/roles/kubernetes-apps/snapshots/snapshot-controller/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+snapshot_controller_replicas: 1
+snapshot_controller_namespace: kube-system
--- a/kubespray/extra_playbooks/roles/kubernetes-apps/snapshots/snapshot-controller/tasks/main.yml
+++ b/kubespray/extra_playbooks/roles/kubernetes-apps/snapshots/snapshot-controller/tasks/main.yml
@@ -0,0 +1,39 @@
+---
+- name: check if snapshot namespace exists
+  register: snapshot_namespace_exists
+  kube:
+    kubectl: "{{ bin_dir }}/kubectl"
+    name: "{{ snapshot_controller_namespace }}"
+    resource: "namespace"
+    state: "exists"
+  when: inventory_hostname == groups['kube_control_plane'][0]
+  tags: snapshot-controller
+
+- name: Snapshot Controller | Generate Manifests
+  template:
+    src: "{{ item.file }}.j2"
+    dest: "{{ kube_config_dir }}/{{ item.file }}"
+    mode: 0644
+  with_items:
+    - {name: snapshot-ns, file: snapshot-ns.yml, apply: not snapshot_namespace_exists}
+    - {name: rbac-snapshot-controller, file: rbac-snapshot-controller.yml}
+    - {name: snapshot-controller, file: snapshot-controller.yml}
+  register: snapshot_controller_manifests
+  when:
+    - inventory_hostname == groups['kube_control_plane'][0]
+    - item.apply | default(True) | bool
+  tags: snapshot-controller
+
+- name: Snapshot Controller | Apply Manifests
+  kube:
+    kubectl: "{{ bin_dir }}/kubectl"
+    filename: "{{ kube_config_dir }}/{{ item.item.file }}"
+    state: "latest"
+  with_items:
+    - "{{ snapshot_controller_manifests.results }}"
+  when:
+    - inventory_hostname == groups['kube_control_plane'][0]
+    - not item is skipped
+  loop_control:
+    label: "{{ item.item.file }}"
+  tags: snapshot-controller
--- a/kubespray/extra_playbooks/roles/kubernetes-apps/snapshots/snapshot-controller/templates/rbac-snapshot-controller.yml.j2
+++ b/kubespray/extra_playbooks/roles/kubernetes-apps/snapshots/snapshot-controller/templates/rbac-snapshot-controller.yml.j2
@@ -0,0 +1,85 @@
+# RBAC file for the snapshot controller.
+#
+# The snapshot controller implements the control loop for CSI snapshot functionality.
+# It should be installed as part of the base Kubernetes distribution in an appropriate
+# namespace for components implementing base system functionality. For installing with
+# Vanilla Kubernetes, kube-system makes sense for the namespace.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: snapshot-controller
+  namespace: {{ snapshot_controller_namespace }}
+
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  # rename if there are conflicts
+  name: snapshot-controller-runner
+rules:
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["storageclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["list", "watch", "create", "update", "patch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotcontents"]
+    verbs: ["create", "get", "list", "watch", "update", "delete"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshots"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshots/status"]
+    verbs: ["update"]
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: snapshot-controller-role
+subjects:
+  - kind: ServiceAccount
+    name: snapshot-controller
+    namespace: {{ snapshot_controller_namespace }}
+roleRef:
+  kind: ClusterRole
+  # change the name also here if the ClusterRole gets renamed
+  name: snapshot-controller-runner
+  apiGroup: rbac.authorization.k8s.io
+
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  namespace: {{ snapshot_controller_namespace }}
+  name: snapshot-controller-leaderelection
+rules:
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["get", "watch", "list", "delete", "update", "create"]
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: snapshot-controller-leaderelection
+  namespace: {{ snapshot_controller_namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: snapshot-controller
+    namespace: {{ snapshot_controller_namespace }}
+roleRef:
+  kind: Role
+  name: snapshot-controller-leaderelection
+  apiGroup: rbac.authorization.k8s.io
--- a/kubespray/extra_playbooks/roles/kubernetes-apps/snapshots/snapshot-controller/templates/snapshot-controller.yml.j2
+++ b/kubespray/extra_playbooks/roles/kubernetes-apps/snapshots/snapshot-controller/templates/snapshot-controller.yml.j2
@@ -0,0 +1,40 @@
+# This YAML file shows how to deploy the snapshot controller
+
+# The snapshot controller implements the control loop for CSI snapshot functionality.
+# It should be installed as part of the base Kubernetes distribution in an appropriate
+# namespace for components implementing base system functionality. For installing with
+# Vanilla Kubernetes, kube-system makes sense for the namespace.
+
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: snapshot-controller
+  namespace: {{ snapshot_controller_namespace }}
+spec:
+  replicas: {{ snapshot_controller_replicas }}
+  selector:
+    matchLabels:
+      app: snapshot-controller
+  # the snapshot controller won't be marked as ready if the v1 CRDs are unavailable
+  # in #504 the snapshot-controller will exit after around 7.5 seconds if it
+  # can't find the v1 CRDs so this value should be greater than that
+  minReadySeconds: 15
+  strategy:
+    rollingUpdate:
+      maxSurge: 0
+      maxUnavailable: 1
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: snapshot-controller
+    spec:
+      serviceAccount: snapshot-controller
+      containers:
+        - name: snapshot-controller
+          image: {{ snapshot_controller_image_repo }}:{{ snapshot_controller_image_tag }}
+          args:
+            - "--v=5"
+            - "--leader-election=false"
+          imagePullPolicy: {{ k8s_image_pull_policy }}
--- a/kubespray/extra_playbooks/roles/kubernetes-apps/snapshots/snapshot-controller/templates/snapshot-ns.yml.j2
+++ b/kubespray/extra_playbooks/roles/kubernetes-apps/snapshots/snapshot-controller/templates/snapshot-ns.yml.j2
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ snapshot_controller_namespace }}
+  labels:
+    name: {{ snapshot_controller_namespace }}