kubespray 2.24 추가
This commit is contained in:
변정훈
@@ -0,0 +1,13 @@
|
||||
# This YAML file contains secret objects,
|
||||
# which are necessary to run external openstack cloud controller.
|
||||
|
||||
kind: Secret
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: external-openstack-cloud-config
|
||||
namespace: kube-system
|
||||
data:
|
||||
cloud.conf: {{ external_openstack_cloud_config_secret }}
|
||||
{% if external_openstack_cacert_b64.content is defined %}
|
||||
ca.cert: {{ external_openstack_cacert_b64.content }}
|
||||
{% endif %}
|
||||
@@ -0,0 +1,92 @@
|
||||
[Global]
|
||||
auth-url="{{ external_openstack_auth_url }}"
|
||||
{% if external_openstack_application_credential_id == "" and external_openstack_application_credential_name == "" %}
|
||||
username="{{ external_openstack_username }}"
|
||||
password="{{ external_openstack_password }}"
|
||||
{% endif %}
|
||||
{% if external_openstack_application_credential_id is defined and external_openstack_application_credential_id != "" %}
|
||||
application-credential-id={{ external_openstack_application_credential_id }}
|
||||
{% endif %}
|
||||
{% if external_openstack_application_credential_name is defined and external_openstack_application_credential_name != "" %}
|
||||
application-credential-name={{ external_openstack_application_credential_name }}
|
||||
{% endif %}
|
||||
{% if external_openstack_application_credential_secret is defined and external_openstack_application_credential_secret != "" %}
|
||||
application-credential-secret={{ external_openstack_application_credential_secret }}
|
||||
{% endif %}
|
||||
region="{{ external_openstack_region }}"
|
||||
{% if external_openstack_tenant_id is defined and external_openstack_tenant_id != "" %}
|
||||
tenant-id="{{ external_openstack_tenant_id }}"
|
||||
{% endif %}
|
||||
{% if external_openstack_tenant_name is defined and external_openstack_tenant_name != "" %}
|
||||
tenant-name="{{ external_openstack_tenant_name }}"
|
||||
{% endif %}
|
||||
{% if external_openstack_domain_name is defined and external_openstack_domain_name != "" %}
|
||||
domain-name="{{ external_openstack_domain_name }}"
|
||||
{% elif external_openstack_domain_id is defined and external_openstack_domain_id != "" %}
|
||||
domain-id ="{{ external_openstack_domain_id }}"
|
||||
{% endif %}
|
||||
{% if external_openstack_cacert is defined and external_openstack_cacert != "" %}
|
||||
ca-file="{{ kube_config_dir }}/external-openstack-cacert.pem"
|
||||
{% endif %}
|
||||
|
||||
[LoadBalancer]
|
||||
enabled={{ external_openstack_lbaas_enabled | string | lower }}
|
||||
{% if external_openstack_lbaas_floating_network_id is defined %}
|
||||
floating-network-id={{ external_openstack_lbaas_floating_network_id }}
|
||||
{% endif %}
|
||||
{% if external_openstack_lbaas_floating_subnet_id is defined %}
|
||||
floating-subnet-id={{ external_openstack_lbaas_floating_subnet_id }}
|
||||
{% endif %}
|
||||
{% if external_openstack_lbaas_method is defined %}
|
||||
lb-method={{ external_openstack_lbaas_method }}
|
||||
{% endif %}
|
||||
{% if external_openstack_lbaas_provider is defined %}
|
||||
lb-provider={{ external_openstack_lbaas_provider }}
|
||||
{% endif %}
|
||||
{% if external_openstack_lbaas_subnet_id is defined %}
|
||||
subnet-id={{ external_openstack_lbaas_subnet_id }}
|
||||
{% endif %}
|
||||
{% if external_openstack_lbaas_network_id is defined %}
|
||||
network-id={{ external_openstack_lbaas_network_id }}
|
||||
{% endif %}
|
||||
{% if external_openstack_lbaas_manage_security_groups is defined %}
|
||||
manage-security-groups={{ external_openstack_lbaas_manage_security_groups }}
|
||||
{% endif %}
|
||||
{% if external_openstack_lbaas_create_monitor is defined %}
|
||||
create-monitor={{ external_openstack_lbaas_create_monitor }}
|
||||
{% endif %}
|
||||
{% if external_openstack_lbaas_monitor_delay is defined %}
|
||||
monitor-delay={{ external_openstack_lbaas_monitor_delay }}
|
||||
{% endif %}
|
||||
{% if external_openstack_lbaas_monitor_max_retries is defined %}
|
||||
monitor-max-retries={{ external_openstack_lbaas_monitor_max_retries }}
|
||||
{% endif %}
|
||||
{% if external_openstack_lbaas_monitor_timeout is defined %}
|
||||
monitor-timeout={{ external_openstack_lbaas_monitor_timeout }}
|
||||
{% endif %}
|
||||
{% if external_openstack_lbaas_internal_lb is defined %}
|
||||
internal-lb={{ external_openstack_lbaas_internal_lb }}
|
||||
{% endif %}
|
||||
{% if external_openstack_enable_ingress_hostname is defined %}
|
||||
enable-ingress-hostname={{ external_openstack_enable_ingress_hostname | string | lower }}
|
||||
{% endif %}
|
||||
{% if external_openstack_ingress_hostname_suffix is defined %}
|
||||
ingress-hostname-suffix={{ external_openstack_ingress_hostname_suffix | string | lower }}
|
||||
{% endif %}
|
||||
{% if external_openstack_max_shared_lb is defined %}
|
||||
max-shared-lb={{ external_openstack_max_shared_lb }}
|
||||
{% endif %}
|
||||
|
||||
[Networking]
|
||||
ipv6-support-disabled={{ external_openstack_network_ipv6_disabled | string | lower }}
|
||||
{% for network_name in external_openstack_network_internal_networks %}
|
||||
internal-network-name="{{ network_name }}"
|
||||
{% endfor %}
|
||||
{% for network_name in external_openstack_network_public_networks %}
|
||||
public-network-name="{{ network_name }}"
|
||||
{% endfor %}
|
||||
|
||||
[Metadata]
|
||||
{% if external_openstack_metadata_search_order is defined %}
|
||||
search-order="{{ external_openstack_metadata_search_order }}"
|
||||
{% endif %}
|
||||
@@ -0,0 +1,110 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: cloud-controller-manager
|
||||
namespace: kube-system
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
name: openstack-cloud-controller-manager
|
||||
namespace: kube-system
|
||||
labels:
|
||||
k8s-app: openstack-cloud-controller-manager
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s-app: openstack-cloud-controller-manager
|
||||
updateStrategy:
|
||||
type: RollingUpdate
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: openstack-cloud-controller-manager
|
||||
spec:
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/control-plane: ""
|
||||
securityContext:
|
||||
runAsUser: 999
|
||||
tolerations:
|
||||
- key: node.cloudprovider.kubernetes.io/uninitialized
|
||||
value: "true"
|
||||
effect: NoSchedule
|
||||
- key: node-role.kubernetes.io/control-plane
|
||||
effect: NoSchedule
|
||||
serviceAccountName: cloud-controller-manager
|
||||
containers:
|
||||
- name: openstack-cloud-controller-manager
|
||||
image: {{ docker_image_repo }}/k8scloudprovider/openstack-cloud-controller-manager:{{ external_openstack_cloud_controller_image_tag }}
|
||||
args:
|
||||
- /bin/openstack-cloud-controller-manager
|
||||
- --v=1
|
||||
- --cloud-config=$(CLOUD_CONFIG)
|
||||
- --cloud-provider=openstack
|
||||
- --cluster-name={{ cluster_name }}
|
||||
- --use-service-account-credentials=true
|
||||
- --bind-address={{ external_openstack_cloud_controller_bind_address }}
|
||||
{% for key, value in external_openstack_cloud_controller_extra_args.items() %}
|
||||
- "{{ '--' + key + '=' + value }}"
|
||||
{% endfor %}
|
||||
volumeMounts:
|
||||
- mountPath: /etc/kubernetes/pki
|
||||
name: k8s-certs
|
||||
readOnly: true
|
||||
- mountPath: /etc/ssl/certs
|
||||
name: ca-certs
|
||||
readOnly: true
|
||||
{% if ssl_ca_dirs | length %}
|
||||
{% for dir in ssl_ca_dirs %}
|
||||
- name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
|
||||
mountPath: {{ dir }}
|
||||
readOnly: true
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
- mountPath: /etc/config/cloud.conf
|
||||
name: cloud-config-volume
|
||||
readOnly: true
|
||||
subPath: cloud.conf
|
||||
- mountPath: {{ kube_config_dir }}/external-openstack-cacert.pem
|
||||
name: cloud-config-volume
|
||||
readOnly: true
|
||||
subPath: ca.cert
|
||||
{% if kubelet_flexvolumes_plugins_dir is defined %}
|
||||
- mountPath: /usr/libexec/kubernetes/kubelet-plugins/volume/exec
|
||||
name: flexvolume-dir
|
||||
{% endif %}
|
||||
resources:
|
||||
requests:
|
||||
cpu: 200m
|
||||
env:
|
||||
- name: CLOUD_CONFIG
|
||||
value: /etc/config/cloud.conf
|
||||
hostNetwork: true
|
||||
dnsPolicy: ClusterFirstWithHostNet
|
||||
volumes:
|
||||
{% if kubelet_flexvolumes_plugins_dir is defined %}
|
||||
- name: flexvolume-dir
|
||||
hostPath:
|
||||
path: "{{ kubelet_flexvolumes_plugins_dir }}"
|
||||
type: DirectoryOrCreate
|
||||
{% endif %}
|
||||
- name: k8s-certs
|
||||
hostPath:
|
||||
path: /etc/kubernetes/pki
|
||||
type: DirectoryOrCreate
|
||||
- name: ca-certs
|
||||
hostPath:
|
||||
path: /etc/ssl/certs
|
||||
type: DirectoryOrCreate
|
||||
{% if ssl_ca_dirs | length %}
|
||||
{% for dir in ssl_ca_dirs %}
|
||||
- name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
|
||||
hostPath:
|
||||
path: {{ dir }}
|
||||
type: DirectoryOrCreate
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
- name: cloud-config-volume
|
||||
secret:
|
||||
secretName: external-openstack-cloud-config
|
||||
@@ -0,0 +1,16 @@
|
||||
apiVersion: v1
|
||||
items:
|
||||
- apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: system:cloud-controller-manager
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: system:cloud-controller-manager
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: cloud-controller-manager
|
||||
namespace: kube-system
|
||||
kind: List
|
||||
metadata: {}
|
||||
@@ -0,0 +1,109 @@
|
||||
apiVersion: v1
|
||||
items:
|
||||
- apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: system:cloud-controller-manager
|
||||
rules:
|
||||
- apiGroups:
|
||||
- coordination.k8s.io
|
||||
resources:
|
||||
- leases
|
||||
verbs:
|
||||
- get
|
||||
- create
|
||||
- update
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- events
|
||||
verbs:
|
||||
- create
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- nodes
|
||||
verbs:
|
||||
- '*'
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- nodes/status
|
||||
verbs:
|
||||
- patch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- services
|
||||
verbs:
|
||||
- list
|
||||
- patch
|
||||
- update
|
||||
- watch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- services/status
|
||||
verbs:
|
||||
- patch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- serviceaccounts/token
|
||||
verbs:
|
||||
- create
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- serviceaccounts
|
||||
verbs:
|
||||
- create
|
||||
- get
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- persistentvolumes
|
||||
verbs:
|
||||
- '*'
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- endpoints
|
||||
verbs:
|
||||
- create
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- update
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- configmaps
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- list
|
||||
- get
|
||||
- watch
|
||||
- apiGroups:
|
||||
- authentication.k8s.io
|
||||
resources:
|
||||
- tokenreviews
|
||||
verbs:
|
||||
- create
|
||||
- apiGroups:
|
||||
- authorization.k8s.io
|
||||
resources:
|
||||
- subjectaccessreviews
|
||||
verbs:
|
||||
- create
|
||||
kind: List
|
||||
metadata: {}
|
||||
Reference in New Issue
Block a user