sa_8001/dsk-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

update

Browse Source
This commit is contained in:
havelight-ee
2023-05-30 14:44:26 +09:00
parent 9a3174deef
commit 4c32a7239d
2598 changed files with 164595 additions and 487 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1943
kubespray/roles/download/defaults/main.yml Normal file
View File

File diff suppressed because it is too large Load Diff

2
kubespray/roles/download/meta/main.yml Normal file
View File

@@ -0,0 +1,2 @@
---
allow_duplicates: true

25
kubespray/roles/download/tasks/check_pull_required.yml Normal file
View File

@@ -0,0 +1,25 @@
---
# The image_info_command depends on the Container Runtime and will output something like the following:
# nginx:1.15,gcr.io/google-containers/kube-proxy:v1.14.1,gcr.io/google-containers/kube-proxy@sha256:44af2833c6cbd9a7fc2e9d2f5244a39dfd2e31ad91bf9d4b7d810678db738ee9,gcr.io/google-containers/kube-apiserver:v1.14.1,etc...
- name: check_pull_required | Generate a list of information about the images on a node # noqa 305 image_info_command contains a pipe, therefore requiring shell
shell: "{{ image_info_command }}"
register: docker_images
changed_when: false
check_mode: no
when: not download_always_pull
- name: check_pull_required | Set pull_required if the desired image is not yet loaded
set_fact:
pull_required: >-
{%- if image_reponame | regex_replace('^docker\.io/(library/)?','') in docker_images.stdout.split(',') %}false{%- else -%}true{%- endif -%}
when: not download_always_pull
- name: check_pull_required | Check that the local digest sha256 corresponds to the given image tag
assert:
that: "{{ download.repo }}:{{ download.tag }} in docker_images.stdout.split(',')"
when:
- not download_always_pull
- not pull_required
- pull_by_digest
tags:
- asserts

125
kubespray/roles/download/tasks/download_container.yml Normal file
View File

@@ -0,0 +1,125 @@
---
- block:
- name: set default values for flag variables
set_fact:
image_is_cached: false
image_changed: false
pull_required: "{{ download_always_pull }}"
tags:
- facts
- name: download_container | Set a few facts
import_tasks: set_container_facts.yml
tags:
- facts
- name: download_container | Prepare container download
include_tasks: check_pull_required.yml
when:
- not download_always_pull
- debug: # noqa unnamed-task
msg: "Pull {{ image_reponame }} required is: {{ pull_required }}"
- name: download_container | Determine if image is in cache
stat:
path: "{{ image_path_cached }}"
get_attributes: no
get_checksum: no
get_mime: no
delegate_to: localhost
connection: local
delegate_facts: no
register: cache_image
changed_when: false
become: false
when:
- download_force_cache
- name: download_container | Set fact indicating if image is in cache
set_fact:
image_is_cached: "{{ cache_image.stat.exists }}"
tags:
- facts
when:
- download_force_cache
- name: Stop if image not in cache on ansible host when download_force_cache=true
assert:
that: image_is_cached
msg: "Image cache file {{ image_path_cached }} not found for {{ image_reponame }} on localhost"
when:
- download_force_cache
- not download_run_once
- name: download_container | Download image if required
command: "{{ image_pull_command_on_localhost if download_localhost else image_pull_command }} {{ image_reponame }}"
delegate_to: "{{ download_delegate if download_run_once else inventory_hostname }}"
delegate_facts: yes
run_once: "{{ download_run_once }}"
register: pull_task_result
until: pull_task_result is succeeded
delay: "{{ retry_stagger | random + 3 }}"
retries: 4
become: "{{ user_can_become_root | default(false) or not download_localhost }}"
environment: "{{ proxy_env if container_manager == 'containerd' else omit }}"
when:
- pull_required or download_run_once
- not image_is_cached
- name: download_container | Save and compress image
shell: "{{ image_save_command_on_localhost if download_localhost else image_save_command }}" # noqa 305 image_save_command_on_localhost contains a pipe, therefore requires shell
delegate_to: "{{ download_delegate }}"
delegate_facts: no
register: container_save_status
failed_when: container_save_status.stderr
run_once: true
become: "{{ user_can_become_root | default(false) or not download_localhost }}"
when:
- not image_is_cached
- download_run_once
- name: download_container | Copy image to ansible host cache
synchronize:
src: "{{ image_path_final }}"
dest: "{{ image_path_cached }}"
use_ssh_args: true
mode: pull
when:
- not image_is_cached
- download_run_once
- not download_localhost
- download_delegate == inventory_hostname
- name: download_container | Upload image to node if it is cached
synchronize:
src: "{{ image_path_cached }}"
dest: "{{ image_path_final }}"
use_ssh_args: true
mode: push
delegate_facts: no
register: upload_image
failed_when: not upload_image
until: upload_image is succeeded
retries: 4
delay: "{{ retry_stagger | random + 3 }}"
when:
- pull_required
- download_force_cache
- name: download_container | Load image into the local container registry
shell: "{{ image_load_command }}" # noqa 305 image_load_command uses pipes, therefore requires shell
register: container_load_status
failed_when: container_load_status is failed
when:
- pull_required
- download_force_cache
- name: download_container | Remove container image from cache
file:
state: absent
path: "{{ image_path_final }}"
when:
- not download_keep_remote_cache
tags:
- download

141
kubespray/roles/download/tasks/download_file.yml Normal file
View File

@@ -0,0 +1,141 @@
---
- block:
- name: prep_download | Set a few facts
set_fact:
download_force_cache: "{{ true if download_run_once else download_force_cache }}"
- name: download_file | Starting download of file
debug:
msg: "{{ download.url }}"
run_once: "{{ download_run_once }}"
- name: download_file | Set pathname of cached file
set_fact:
file_path_cached: "{{ download_cache_dir }}/{{ download.dest | basename }}"
tags:
- facts
- name: download_file | Create dest directory on node
file:
path: "{{ download.dest | dirname }}"
owner: "{{ download.owner | default(omit) }}"
mode: 0755
state: directory
recurse: yes
- name: download_file | Create local cache directory
file:
path: "{{ file_path_cached | dirname }}"
state: directory
recurse: yes
delegate_to: localhost
connection: local
delegate_facts: false
run_once: true
become: false
when:
- download_force_cache
tags:
- localhost
- name: download_file | Create cache directory on download_delegate host
file:
path: "{{ file_path_cached | dirname }}"
state: directory
recurse: yes
delegate_to: "{{ download_delegate }}"
delegate_facts: false
run_once: true
when:
- download_force_cache
- not download_localhost
# We check a number of mirrors that may hold the file and pick a working one at random
# This task will avoid logging it's parameters to not leak environment passwords in the log
- name: download_file | Validate mirrors
uri:
url: "{{ mirror }}"
method: HEAD
validate_certs: "{{ download_validate_certs }}"
url_username: "{{ download.username | default(omit) }}"
url_password: "{{ download.password | default(omit) }}"
force_basic_auth: "{{ download.force_basic_auth | default(omit) }}"
delegate_to: "{{ download_delegate if download_force_cache else inventory_hostname }}"
run_once: "{{ download_force_cache }}"
register: uri_result
until: uri_result is success
retries: 4
delay: "{{ retry_stagger | default(5) }}"
environment: "{{ proxy_env }}"
no_log: "{{ not (unsafe_show_logs|bool) }}"
loop: "{{ download.mirrors | default([download.url]) }}"
loop_control:
loop_var: mirror
ignore_errors: true
# Ansible 2.9 requires we convert a generator to a list
- name: download_file | Get the list of working mirrors
set_fact:
valid_mirror_urls: "{{ uri_result.results | selectattr('failed', 'eq', False) | map(attribute='mirror') | list }}"
delegate_to: "{{ download_delegate if download_force_cache else inventory_hostname }}"
# This must always be called, to check if the checksum matches. On no-match the file is re-downloaded.
# This task will avoid logging it's parameters to not leak environment passwords in the log
- name: download_file | Download item
get_url:
url: "{{ valid_mirror_urls | random }}"
dest: "{{ file_path_cached if download_force_cache else download.dest }}"
owner: "{{ omit if download_localhost else (download.owner | default(omit)) }}"
mode: "{{ omit if download_localhost else (download.mode | default(omit)) }}"
checksum: "{{ 'sha256:' + download.sha256 if download.sha256 else omit }}"
validate_certs: "{{ download_validate_certs }}"
url_username: "{{ download.username | default(omit) }}"
url_password: "{{ download.password | default(omit) }}"
force_basic_auth: "{{ download.force_basic_auth | default(omit) }}"
delegate_to: "{{ download_delegate if download_force_cache else inventory_hostname }}"
run_once: "{{ download_force_cache }}"
register: get_url_result
become: "{{ not download_localhost }}"
until: "'OK' in get_url_result.msg or 'file already exists' in get_url_result.msg"
retries: 4
delay: "{{ retry_stagger | default(5) }}"
environment: "{{ proxy_env }}"
no_log: "{{ not (unsafe_show_logs|bool) }}"
- name: download_file | Copy file back to ansible host file cache
synchronize:
src: "{{ file_path_cached }}"
dest: "{{ file_path_cached }}"
use_ssh_args: true
mode: pull
when:
- download_force_cache
- not download_localhost
- download_delegate == inventory_hostname
- name: download_file | Copy file from cache to nodes, if it is available
synchronize:
src: "{{ file_path_cached }}"
dest: "{{ download.dest }}"
use_ssh_args: true
mode: push
register: get_task
until: get_task is succeeded
delay: "{{ retry_stagger | random + 3 }}"
retries: 4
when:
- download_force_cache
- name: download_file | Set mode and owner
file:
path: "{{ download.dest }}"
mode: "{{ download.mode | default(omit) }}"
owner: "{{ download.owner | default(omit) }}"
when:
- download_force_cache
- name: "download_file | Extract file archives"
include_tasks: "extract_file.yml"
tags:
- download

11
kubespray/roles/download/tasks/extract_file.yml Normal file
View File

@@ -0,0 +1,11 @@
---
- name: extract_file | Unpacking archive
unarchive:
src: "{{ download.dest }}"
dest: "{{ download.dest | dirname }}"
owner: "{{ download.owner | default(omit) }}"
mode: "{{ download.mode | default(omit) }}"
copy: no
extra_opts: "{{ download.unarchive_extra_opts|default(omit) }}"
when:
- download.unarchive | default(false)

30
kubespray/roles/download/tasks/main.yml Normal file
View File

@@ -0,0 +1,30 @@
---
- name: download | Prepare working directories and variables
import_tasks: prep_download.yml
when:
- not skip_downloads|default(false)
tags:
- download
- upload
- name: download | Get kubeadm binary and list of required images
include_tasks: prep_kubeadm_images.yml
when:
- not skip_downloads|default(false)
- inventory_hostname in groups['kube_control_plane']
tags:
- download
- upload
- name: download | Download files / images
include_tasks: "{{ include_file }}"
loop: "{{ downloads | combine(kubeadm_images) | dict2items }}"
vars:
download: "{{ download_defaults | combine(item.value) }}"
include_file: "download_{% if download.container %}container{% else %}file{% endif %}.yml"
when:
- not skip_downloads | default(false)
- download.enabled
- item.value.enabled
- (not (item.value.container | default(false))) or (item.value.container and download_container)
- (download_run_once and inventory_hostname == download_delegate) or (group_names | intersect(download.groups) | length)

92
kubespray/roles/download/tasks/prep_download.yml Normal file
View File

@@ -0,0 +1,92 @@
---
- name: prep_download | Set a few facts
set_fact:
download_force_cache: "{{ true if download_run_once else download_force_cache }}"
tags:
- facts
- name: prep_download | On localhost, check if passwordless root is possible
command: "true"
delegate_to: localhost
connection: local
run_once: true
register: test_become
changed_when: false
ignore_errors: true # noqa ignore-errors
become: true
when:
- download_localhost
tags:
- localhost
- asserts
- name: prep_download | On localhost, check if user has access to the container runtime without using sudo
shell: "{{ image_info_command_on_localhost }}" # noqa 305 image_info_command_on_localhost contains pipe, therefore requires shell
delegate_to: localhost
connection: local
run_once: true
register: test_docker
changed_when: false
ignore_errors: true # noqa ignore-errors
become: false
when:
- download_localhost
tags:
- localhost
- asserts
- name: prep_download | Parse the outputs of the previous commands
set_fact:
user_in_docker_group: "{{ not test_docker.failed }}"
user_can_become_root: "{{ not test_become.failed }}"
when:
- download_localhost
tags:
- localhost
- asserts
- name: prep_download | Check that local user is in group or can become root
assert:
that: "user_in_docker_group or user_can_become_root"
msg: >-
Error: User is not in docker group and cannot become root. When download_localhost is true, at least one of these two conditions must be met.
when:
- download_localhost
tags:
- localhost
- asserts
- name: prep_download | Register docker images info
shell: "{{ image_info_command }}" # noqa 305 image_info_command contains pipe therefore requires shell
no_log: "{{ not (unsafe_show_logs|bool) }}"
register: docker_images
failed_when: false
changed_when: false
check_mode: no
when: download_container
- name: prep_download | Create staging directory on remote node
file:
path: "{{ local_release_dir }}/images"
state: directory
recurse: yes
mode: 0755
owner: "{{ ansible_ssh_user | default(ansible_user_id) }}"
when:
- ansible_os_family not in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
- name: prep_download | Create local cache for files and images on control node
file:
path: "{{ download_cache_dir }}/images"
state: directory
recurse: yes
mode: 0755
delegate_to: localhost
connection: local
delegate_facts: no
run_once: true
become: false
when:
- download_force_cache
tags:
- localhost

71
kubespray/roles/download/tasks/prep_kubeadm_images.yml Normal file
View File

@@ -0,0 +1,71 @@
---
- name: prep_kubeadm_images | Check kubeadm version matches kubernetes version
fail:
msg: "Kubeadm version {{ kubeadm_version }} do not matches kubernetes {{ kube_version }}"
when:
- not skip_downloads | default(false)
- not kubeadm_version == downloads.kubeadm.version
- name: prep_kubeadm_images | Download kubeadm binary
include_tasks: "download_file.yml"
vars:
download: "{{ download_defaults | combine(downloads.kubeadm) }}"
when:
- not skip_downloads | default(false)
- downloads.kubeadm.enabled
- name: prep_kubeadm_images | Create kubeadm config
template:
src: "kubeadm-images.yaml.j2"
dest: "{{ kube_config_dir }}/kubeadm-images.yaml"
mode: 0644
when:
- not skip_kubeadm_images|default(false)
- name: prep_kubeadm_images | Copy kubeadm binary from download dir to system path
copy:
src: "{{ local_release_dir }}/kubeadm-{{ kubeadm_version }}-{{ image_arch }}"
dest: "{{ bin_dir }}/kubeadm"
mode: 0755
remote_src: true
- name: prep_kubeadm_images | Set kubeadm binary permissions
file:
path: "{{ bin_dir }}/kubeadm"
mode: "0755"
state: file
- name: prep_kubeadm_images | Generate list of required images
shell: "set -o pipefail && {{ bin_dir }}/kubeadm config images list --config={{ kube_config_dir }}/kubeadm-images.yaml | grep -Ev 'coredns|pause'"
args:
executable: /bin/bash
register: kubeadm_images_raw
run_once: true
changed_when: false
when:
- not skip_kubeadm_images|default(false)
- name: prep_kubeadm_images | Parse list of images
vars:
kubeadm_images_list: "{{ kubeadm_images_raw.stdout_lines }}"
set_fact:
kubeadm_image:
key: "kubeadm_{{ (item | regex_replace('^(?:.*\\/)*','')).split(':')[0] }}"
value:
enabled: true
container: true
repo: "{{ item | regex_replace('^(.*):.*$','\\1') }}"
tag: "{{ item | regex_replace('^.*:(.*)$','\\1') }}"
groups: k8s_cluster
loop: "{{ kubeadm_images_list | flatten(levels=1) }}"
register: kubeadm_images_cooked
run_once: true
when:
- not skip_kubeadm_images|default(false)
- name: prep_kubeadm_images | Convert list of images to dict for later use
set_fact:
kubeadm_images: "{{ kubeadm_images_cooked.results | map(attribute='ansible_facts.kubeadm_image') | list | items2dict }}"
run_once: true
when:
- not skip_kubeadm_images|default(false)

55
kubespray/roles/download/tasks/set_container_facts.yml Normal file
View File

@@ -0,0 +1,55 @@
---
- name: set_container_facts | Display the name of the image being processed
debug:
msg: "{{ download.repo }}"
- name: set_container_facts | Set if containers should be pulled by digest
set_fact:
pull_by_digest: "{{ download.sha256 is defined and download.sha256 }}"
- name: set_container_facts | Define by what name to pull the image
set_fact:
image_reponame: >-
{%- if pull_by_digest %}{{ download.repo }}@sha256:{{ download.sha256 }}{%- else -%}{{ download.repo }}:{{ download.tag }}{%- endif -%}
- name: set_container_facts | Define file name of image
set_fact:
image_filename: "{{ image_reponame | regex_replace('/|\0|:', '_') }}.tar"
- name: set_container_facts | Define path of image
set_fact:
image_path_cached: "{{ download_cache_dir }}/images/{{ image_filename }}"
image_path_final: "{{ local_release_dir }}/images/{{ image_filename }}"
- name: Set image save/load command for docker
set_fact:
image_save_command: "{{ docker_bin_dir }}/docker save {{ image_reponame }} | gzip -{{ download_compress }} > {{ image_path_final }}"
image_load_command: "{{ docker_bin_dir }}/docker load < {{ image_path_final }}"
when: container_manager == 'docker'
- name: Set image save/load command for containerd
set_fact:
image_save_command: "{{ bin_dir }}/nerdctl -n k8s.io image save -o {{ image_path_final }} {{ image_reponame }}"
image_load_command: "{{ bin_dir }}/nerdctl -n k8s.io image load < {{ image_path_final }}"
when: container_manager == 'containerd'
- name: Set image save/load command for crio
set_fact:
image_save_command: "{{ bin_dir }}/skopeo copy containers-storage:{{ image_reponame }} docker-archive:{{ image_path_final }} 2>/dev/null"
image_load_command: "{{ bin_dir }}/skopeo copy docker-archive:{{ image_path_final }} containers-storage:{{ image_reponame }} 2>/dev/null"
when: container_manager == 'crio'
- name: Set image save/load command for docker on localhost
set_fact:
image_save_command_on_localhost: "{{ docker_bin_dir }}/docker save {{ image_reponame }} | gzip -{{ download_compress }} > {{ image_path_cached }}"
when: container_manager_on_localhost == 'docker'
- name: Set image save/load command for containerd on localhost
set_fact:
image_save_command_on_localhost: "{{ containerd_bin_dir }}/ctr -n k8s.io image export --platform linux/{{ image_arch }} {{ image_path_cached }} {{ image_reponame }}"
when: container_manager_on_localhost == 'containerd'
- name: Set image save/load command for crio on localhost
set_fact:
image_save_command_on_localhost: "{{ bin_dir }}/skopeo copy containers-storage:{{ image_reponame }} docker-archive:{{ image_path_final }} 2>/dev/null"
when: container_manager_on_localhost == 'crio'

25
kubespray/roles/download/templates/kubeadm-images.yaml.j2 Normal file
View File

@@ -0,0 +1,25 @@
apiVersion: kubeadm.k8s.io/v1beta3
kind: InitConfiguration
nodeRegistration:
criSocket: {{ cri_socket }}
---
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
imageRepository: {{ kube_image_repo }}
kubernetesVersion: {{ kube_version }}
etcd:
{% if etcd_deployment_type == "kubeadm" %}
local:
imageRepository: "{{ etcd_image_repo | regex_replace("/etcd$","") }}"
imageTag: "{{ etcd_image_tag }}"
{% else %}
external:
endpoints:
{% for endpoint in etcd_access_addresses.split(',') %}
- {{ endpoint }}
{% endfor %}
{% endif %}
dns:
type: CoreDNS
imageRepository: {{ coredns_image_repo | regex_replace('/coredns(?!/coredns).*$','') }}
imageTag: {{ coredns_image_tag }}