1 # SPDX-FileCopyrightText: 2021 Intel Corporation.
3 # SPDX-License-Identifier: Apache-2.0
# Image build stage: clone CMK, rebase its Dockerfile from clearlinux onto a CentOS
# python image, then build/tag/push the image to the local registry. The docker and
# podman paths below are mutually exclusive through `container_runtime`.
# (This extract is lossy: module lines and loop/register keywords are partly missing.)
6 - name: install dependencies
8 name: install_dependencies
10 - name: clone CMK repository
12 repo: "{{ cmk_git_url }}"
# the checkout is pinned to cmk_version; what that variable holds (tag vs. branch) is not visible here
14 version: "{{ cmk_version }}"
# Three in-place edits of the upstream Dockerfile (bodies of patch 2 and 3 are not in this extract).
17 - name: patch CMK dockerfile (1/3)
19 path: "{{ cmk_dir }}/Dockerfile"
20 regexp: '^FROM clearlinux'
# NOTE(review): the base image is taken at `:latest`, so rebuilds are not reproducible and a
# base-image change lands silently; pinning to a tag or digest would make the build auditable.
21 line: 'FROM centos/python-36-centos7:latest'
23 - name: patch CMK dockerfile (2/3)
25 path: "{{ cmk_dir }}/Dockerfile"
26 insertafter: '^FROM centos'
30 - name: patch CMK dockerfile (3/3)
32 path: "{{ cmk_dir }}/Dockerfile"
# docker path: build (command line not in extract), retag for the local registry, push
36 - name: build CMK image
38 chdir: "{{ cmk_dir }}"
39 when: container_runtime == "docker"
41 # NOTE(przemeklal): this works around a CMK problem where ImagePullPolicy is hardcoded to Never and the pod is scheduled on the controller node
43 command: docker tag cmk:{{ cmk_img_version }} {{ registry_local_address }}/cmk:{{ cmk_img_version }}
45 when: container_runtime == "docker"
# pushed from the first kube-node only, so the registry receives a single copy
47 - name: push CMK image to local registry
48 command: docker push {{ registry_local_address }}/cmk:{{ cmk_img_version }}
51 - container_runtime == "docker"
52 - inventory_hostname == groups['kube-node'][0]
# non-docker path: podman builds directly with the registry tag, so no separate tag step is needed
54 - name: build and tag CMK image
55 command: podman build -f Dockerfile -t {{ registry_local_address }}/cmk:{{ cmk_img_version }}
57 chdir: "{{ cmk_dir }}"
59 when: '"docker" not in container_runtime'
61 - name: push CMK image to local registry
62 command: podman push {{ registry_local_address }}/cmk:{{ cmk_img_version }}
65 - inventory_hostname == groups['kube-node'][0]
66 - '"docker" not in container_runtime'
# Webhook TLS stage, run on the first kube-master only: generate server/client keys and
# CSRs with cfssl under /etc/ssl/cmk, get them signed by the cluster CA through the
# Kubernetes CSR API, and load keys/CSRs/certs into variables for the later templates.
# The `item` loop (server/client) and most `register:` lines are not in this extract.
68 - name: clean up any pre-existing certs/key/CSR files
# NOTE(review): key=value argument form; the rest of this file uses native YAML args (`path:`, `state:`)
69 file: path=/etc/ssl/cmk state=absent
70 when: inventory_hostname == groups['kube-master'][0]
# `kubectl delete` on a missing CSR exits non-zero; whether failed_when/ignore_errors is set is not visible here
74 - name: delete any pre-existing certs/key/CSR from Kubernetes
75 command: kubectl delete csr cmk-webhook-{{ item }}.{{ cmk_namespace }}
76 when: inventory_hostname == groups['kube-master'][0]
# NOTE(review): the directory mode is not visible in this extract. Private keys are written
# here by cfssl below, so confirm it is created root-owned and not group/world readable.
82 - name: create directory for CMK cert and key generation
# cfssl CSR description (JSON) per item, rendered into /etc/ssl/cmk
91 - name: populate CMK CSR template
93 src: "webhook_{{ item }}_csr.json.j2"
94 dest: "/etc/ssl/cmk/cmk-webhook-{{ item }}-csr.json"
102 - inventory_hostname == groups['kube-master'][0]
# resolves GOPATH so cfssl/cfssljson can be found under $GOPATH/bin; presumably registered as `gopath` (register line not in extract)
105 command: go env GOPATH
108 - inventory_hostname == groups['kube-master'][0]
# cfssljson -bare writes cmk-webhook-<item>-key.pem and cmk-webhook-<item>.csr, the file
# names read by the cat tasks below; pipefail makes a cfssl failure fail the whole pipeline
110 - name: generate key and CSR
111 shell: "set -o pipefail \
112 && {{ gopath.stdout }}/bin/cfssl genkey cmk-webhook-{{ item }}-csr.json | {{ gopath.stdout }}/bin/cfssljson -bare cmk-webhook-{{ item }}"
114 chdir: "/etc/ssl/cmk/"
115 executable: /bin/bash
120 - inventory_hostname == groups['kube-master'][0]
# NOTE(review): the registered stdout of this task and the next holds a private key in the
# clear. Confirm `no_log: true` is set on both, and on the set_fact tasks consuming them
# (not visible in this extract), so the key never reaches verbose output or callback logs.
123 - name: read generated server key
124 command: cat cmk-webhook-server-key.pem
126 chdir: "/etc/ssl/cmk/"
129 - inventory_hostname == groups['kube-master'][0]
131 - name: read generated client key
132 command: cat cmk-webhook-client-key.pem
134 chdir: "/etc/ssl/cmk/"
137 - inventory_hostname == groups['kube-master'][0]
# presumably set_fact (module line not in extract): PEM key, base64-encoded for later templates
139 - name: load generated server key
141 cmk_webhook_server_key: "{{ server_key.stdout | b64encode }}"
143 - inventory_hostname == groups['kube-master'][0]
145 - name: load generated client key
147 cmk_webhook_client_key: "{{ client_key.stdout | b64encode }}"
149 - inventory_hostname == groups['kube-master'][0]
# the PEM CSRs are read and base64-encoded the same way (a CSR is public, so logging is not a concern here)
151 - name: read generated client csr
152 command: cat cmk-webhook-client.csr
154 chdir: "/etc/ssl/cmk/"
157 - inventory_hostname == groups['kube-master'][0]
159 - name: load generated client csr
161 cmk_webhook_client_csr: "{{ client_csr.stdout | b64encode }}"
163 - inventory_hostname == groups['kube-master'][0]
165 - name: read generated server csr
166 command: cat cmk-webhook-server.csr
168 chdir: "/etc/ssl/cmk/"
171 - inventory_hostname == groups['kube-master'][0]
173 - name: load generated server csr
175 cmk_webhook_server_csr: "{{ server_csr.stdout | b64encode }}"
177 - inventory_hostname == groups['kube-master'][0]
# wraps each CSR into a Kubernetes CertificateSigningRequest manifest — TODO confirm the
# template reads cmk_webhook_<item>_csr set above
179 - name: populate CMK Kubernetes CA CSR template
181 src: "kube_{{ item }}_csr.yml.j2"
182 dest: "/etc/ssl/cmk/cmk-webhook-kube-{{ item }}-csr.yml"
189 - inventory_hostname == groups['kube-master'][0]
191 - name: send CSR to the Kubernetes API Server
192 command: kubectl apply -f /etc/ssl/cmk/cmk-webhook-kube-{{ item }}-csr.yml
197 - inventory_hostname == groups['kube-master'][0]
# the play that submitted the CSR approves it itself; no external approval policy is involved
199 - name: approve request
200 command: kubectl certificate approve cmk-webhook-{{ item }}.{{ cmk_namespace }}
205 - inventory_hostname == groups['kube-master'][0]
# TODO(review): `until: server_cert.rc == 0` only waits until the CSR object is readable.
# `kubectl get` exits 0 while `.status.certificate` is still empty, so a not-yet-issued
# certificate yields an empty cmk_webhook_server_cert below. Consider
# `until: server_cert.rc == 0 and (server_cert.stdout | length > 0)` here and the
# equivalent on the client task.
207 - name: get approved server certificate
208 shell: kubectl get csr cmk-webhook-server.{{ cmk_namespace }} -o jsonpath='{.status.certificate}'
210 chdir: "/etc/ssl/cmk/"
211 register: server_cert
213 - inventory_hostname == groups['kube-master'][0]
216 until: server_cert.rc == 0
218 - name: get approved client certificate
219 shell: kubectl get csr cmk-webhook-client.{{ cmk_namespace }} -o jsonpath='{.status.certificate}'
221 chdir: "/etc/ssl/cmk/"
222 register: client_cert
224 - inventory_hostname == groups['kube-master'][0]
227 until: client_cert.rc == 0
# no b64encode here: the API already returns status.certificate base64-encoded,
# unlike the raw PEM keys/CSRs encoded above
229 - name: load generated server cert
231 cmk_webhook_server_cert: "{{ server_cert.stdout }}"
233 - inventory_hostname == groups['kube-master'][0]
235 - name: load generated client cert
237 cmk_webhook_client_cert: "{{ client_cert.stdout }}"
239 - inventory_hostname == groups['kube-master'][0]
# Admission stage: register the CMK mutating webhook in the API server's admission
# configuration and bounce kube-apiserver so the new plugin is loaded.
# kubeconfig the API server uses to reach the webhook; referenced via kubeConfigFile below
241 - name: populate cmk-webhook.conf file
243 src: "cmk-webhook.conf.j2"
244 dest: "/etc/kubernetes/admission-control/cmk-webhook.conf"
248 - inventory_hostname == groups['kube-master'][0]
# presumably blockinfile (module line not in extract); relies on config.yaml already
# containing a `plugins:` key — confirm that file is managed by this deployment
250 - name: add MutatingAdmissionWebhook to AdmissionConfiguration
252 path: /etc/kubernetes/admission-control/config.yaml
253 insertafter: "plugins:"
255 - name: MutatingAdmissionWebhook
257 apiVersion: apiserver.config.k8s.io/v1
258 kind: WebhookAdmissionConfiguration
259 kubeConfigFile: /etc/kubernetes/admission-control/cmk-webhook.conf
261 - inventory_hostname == groups['kube-master'][0]
# looks like a `block:` wrapping the next two tasks (structure not recoverable from this extract)
264 - name: restart kube-apiserver after updating admission control configuration
265 when: inventory_hostname == groups['kube-master'][0]
# removing the container makes the kubelet recreate the static pod with the updated
# config; the ternary picks the docker or crictl command line, retried until rc == 0
267 - name: remove kube-apiserver container
268 # noqa 305 - shell is used intentionally here
270 {{ (container_runtime == 'docker') | ternary('docker ps -af name=k8s_kube-apiserver* -q |
271 xargs --no-run-if-empty docker rm -f',
272 'crictl ps -a --name=kube-apiserver* -q |
273 xargs --no-run-if-empty crictl rm -f') }}
275 executable: /bin/bash
276 register: remove_apiserver_container
278 until: remove_apiserver_container.rc == 0
# NOTE(review): the health probe presents the cluster CA certificate and the CA *private
# key* as its TLS client credential. Any CA-signed client cert would do for /healthz;
# using the CA key here widens its exposure. `validate_certs` is not visible in this extract.
280 - name: wait for kube-apiserver to be up
282 url: "https://127.0.0.1:6443/healthz"
283 client_cert: "/etc/kubernetes/ssl/ca.crt"
284 client_key: "/etc/kubernetes/ssl/ca.key"
287 until: result.status == 200
# Deployment stage, on the first kube-master: stage the bundled Helm chart, render its
# values from the image and certificate facts gathered above, install it, and remove the
# on-disk key material.
291 - name: create Helm charts directory if needed
293 path: /usr/src/charts
297 - inventory_hostname == groups['kube-master'][0]
# chart is shipped with the role, not pulled from a remote repository
299 - name: copy CMK Helm chart to the controller node
301 src: "{{ role_path }}/charts/cpu-manager-for-kubernetes"
302 dest: "/usr/src/charts/"
305 - inventory_hostname == groups['kube-master'][0]
307 # when cmk_use_all_hosts is off and no explicit list was given, fall back to every kube-node
308 - name: build list of CMK hosts
310 cmk_hosts_list: "{{ groups['kube-node'] | join(',') }}"
312 - not cmk_use_all_hosts
313 - (cmk_hosts_list is undefined) or (cmk_hosts_list | length == 0)
315 - name: set values for CMK Helm chart values
317 cmk_image: "{{ registry_local_address }}/cmk"
318 cmk_tag: "{{ cmk_img_version }}"
320 - inventory_hostname == groups['kube-master'][0]
# task name/module not in extract: reads the cluster CA cert from /etc/kubernetes/ssl,
# presumably registered as `ca_cert` given the use below
325 chdir: "/etc/kubernetes/ssl/"
328 - inventory_hostname == groups['kube-master'][0]
# base64 CA cert for the webhook's caBundle (public material, nothing sensitive registered here)
332 caBundle_cert: "{{ ca_cert.stdout | b64encode }}"
334 - inventory_hostname == groups['kube-master'][0]
# NOTE(review): this values file carries the webhook key facts set earlier — confirm the
# rendered file's mode is restricted (not visible in this extract)
336 - name: populate CMK Helm chart values template and push to controller node
338 src: "helm_values.yml.j2"
339 dest: "/usr/src/charts/cmk-values.yml"
343 - inventory_hostname == groups['kube-master'][0]
345 # remove any pre-existing configmaps before CMK redeployment
# runs for each host in cmk_hosts_list but executes kubectl on the first master;
# `kubectl delete` of a missing configmap exits non-zero — failed_when/ignore_errors not visible here
346 - name: remove any pre-existing configmaps before CMK deployment
347 command: kubectl delete cm cmk-config-{{ inventory_hostname }}
349 - inventory_hostname in (cmk_hosts_list.split(',') if (cmk_hosts_list is defined and cmk_hosts_list | length > 0) else [])
350 delegate_to: "{{ groups['kube-master']|first }}"
353 - name: install CMK helm chart
354 command: helm upgrade --install cmk --namespace {{ cmk_namespace }} -f /usr/src/charts/cmk-values.yml /usr/src/charts/cpu-manager-for-kubernetes
356 - inventory_hostname == groups['kube-master'][0]
# NOTE(review): this cleanup only runs if every task above succeeded; on a mid-play failure
# the private keys stay in /etc/ssl/cmk. Moving it under an `always:` section would close that gap.
358 - name: clean up any certs/key/CSR files
359 file: path=/etc/ssl/cmk state=absent
360 when: inventory_hostname == groups['kube-master'][0]