1 # SPDX-FileCopyrightText: 2020 Intel Corporation.
3 # SPDX-License-Identifier: Apache-2.0
# Prerequisites for the CMK build host: EPEL is only needed on the RedHat family;
# the pip install path differs per distro (see the note below).
6 - name: install epel-release on Red Hat based OS
7 package: name=epel-release
8 when: ansible_os_family == 'RedHat'
10 # note: on Ubuntu, pip is installed via install_dependencies
# NOTE(review): '<' and '>=' on ansible_distribution_version compare strings, not
# versions ('10' < '8' is true lexically). The version() test compares numerically:
# ansible_distribution_version is version('8', '<'). Applies to both conditions here.
15 - ansible_distribution in ["RedHat", "CentOS"]
16 - ansible_distribution_version < '8'
22 - ansible_distribution in ["RedHat", "CentOS"]
23 - ansible_distribution_version >= '8'
25 - name: install dependencies
27 name: install_dependencies
29 - name: install Python dependencies
# Source checkout at cmk_version; the Dockerfile is then patched in place below,
# so the built image is not a pristine upstream build of that tag.
35 - name: clone CMK repository
37 repo: "{{ cmk_git_url }}"
39 version: "{{ cmk_version }}"
# Base image swap: the upstream clearlinux FROM line is replaced and extra lines are
# inserted after the new FROM line (the inserted content is not shown in this excerpt).
42 - name: patch CMK dockerfile (1/3)
44 path: "{{ cmk_dir }}/Dockerfile"
45 regexp: '^FROM clearlinux'
46 line: 'FROM centos/python-36-centos7:latest'
48 - name: patch CMK dockerfile (2/3)
50 path: "{{ cmk_dir }}/Dockerfile"
51 insertafter: '^FROM centos'
55 - name: patch CMK dockerfile (3/3)
57 path: "{{ cmk_dir }}/Dockerfile"
61 - name: build CMK image
63 chdir: "{{ cmk_dir }}"
65 # NOTE(przemeklal): works around a CMK problem: ImagePullPolicy is hard-coded to Never, which breaks when the pod is scheduled on the controller node. Re-tagging the image for the local registry makes it available there too.
67 command: docker tag cmk:{{ cmk_img_version }} {{ registry_local_address }}/cmk:{{ cmk_img_version }}
# Push runs only from the first kube-node (the host that built the image).
70 - name: push CMK image to local registry
71 command: docker push {{ registry_local_address }}/cmk:{{ cmk_img_version }}
73 - inventory_hostname == groups['kube-node'][0]
# --- Webhook TLS material ---
# Keys and CSRs are generated under /etc/ssl/cmk on the first master, signed by the
# Kubernetes CA through CertificateSigningRequest objects, loaded into facts for the
# Helm values, and the directory is removed again by the last task of this file.
76 - name: clean up any preexisting certs/key/CSR files
77 file: path=/etc/ssl/cmk state=absent
78 when: inventory_hostname == groups['kube-master'][0]
# Idempotency cleanup for re-runs: stale CSR objects are deleted before new ones are
# submitted. kubectl delete fails when the object does not exist — presumably a
# failed_when/ignore_errors is set on a line not shown here; confirm.
82 - name: delete any preexisting certs/key/CSR from Kubernetes
83 command: kubectl delete csr cmk-webhook-{{ item }}.{{ cmk_namespace }}
84 when: inventory_hostname == groups['kube-master'][0]
90 - name: create directory for CMK cert and key generation
# One cfssl CSR spec per item (server/client), rendered from the role's templates.
99 - name: populate CMK CSR template
101 src: "webhook_{{ item }}_csr.json.j2"
102 dest: "/etc/ssl/cmk/cmk-webhook-{{ item }}-csr.json"
110 - inventory_hostname == groups['kube-master'][0]
# cfssl/cfssljson are expected under $GOPATH/bin on the master (gopath.stdout below).
113 command: go env GOPATH
116 - inventory_hostname == groups['kube-master'][0]
# cfssljson -bare writes cmk-webhook-<item>-key.pem and cmk-webhook-<item>.csr into
# /etc/ssl/cmk (these names are read back below). pipefail makes a cfssl failure fail
# the task instead of letting cfssljson succeed on empty input.
118 - name: generate key and CSR
119 shell: "set -o pipefail \
120 && {{ gopath.stdout }}/bin/cfssl genkey cmk-webhook-{{ item }}-csr.json | {{ gopath.stdout }}/bin/cfssljson -bare cmk-webhook-{{ item }}"
122 chdir: "/etc/ssl/cmk/"
123 executable: /bin/bash
128 - inventory_hostname == groups['kube-master'][0]
# NOTE(review): server_key / client_key hold PEM private keys and are copied into
# facts below (b64encode is an encoding, not protection). Unless no_log: true is set on
# these tasks and their consumers — not visible in this excerpt — the key material will
# appear in task output and logs. Confirm.
131 - name: read generated server key
132 command: cat cmk-webhook-server-key.pem
134 chdir: "/etc/ssl/cmk/"
137 - inventory_hostname == groups['kube-master'][0]
139 - name: read generated client key
140 command: cat cmk-webhook-client-key.pem
142 chdir: "/etc/ssl/cmk/"
145 - inventory_hostname == groups['kube-master'][0]
147 - name: load generated server key
149 cmk_webhook_server_key: "{{ server_key.stdout | b64encode }}"
151 - inventory_hostname == groups['kube-master'][0]
153 - name: load generated client key
155 cmk_webhook_client_key: "{{ client_key.stdout | b64encode }}"
157 - inventory_hostname == groups['kube-master'][0]
# The CSRs (public material) are loaded the same way; they are embedded in the
# Kubernetes CSR objects rendered below.
159 - name: read generated client csr
160 command: cat cmk-webhook-client.csr
162 chdir: "/etc/ssl/cmk/"
165 - inventory_hostname == groups['kube-master'][0]
167 - name: load generated client csr
169 cmk_webhook_client_csr: "{{ client_csr.stdout | b64encode }}"
171 - inventory_hostname == groups['kube-master'][0]
173 - name: read generated server csr
174 command: cat cmk-webhook-server.csr
176 chdir: "/etc/ssl/cmk/"
179 - inventory_hostname == groups['kube-master'][0]
181 - name: load generated server csr
183 cmk_webhook_server_csr: "{{ server_csr.stdout | b64encode }}"
185 - inventory_hostname == groups['kube-master'][0]
187 - name: populate CMK Kubernetes CA CSR template
189 src: "kube_{{ item }}_csr.yml.j2"
190 dest: "/etc/ssl/cmk/cmk-webhook-kube-{{ item }}-csr.yml"
197 - inventory_hostname == groups['kube-master'][0]
# Submit and approve: approval is done by this playbook itself, so anyone who can run
# it can obtain certificates signed by the cluster CA for these names.
199 - name: send CSR to the Kubernetes API Server
200 command: kubectl apply -f /etc/ssl/cmk/cmk-webhook-kube-{{ item }}-csr.yml
205 - inventory_hostname == groups['kube-master'][0]
207 - name: approve request
208 command: kubectl certificate approve cmk-webhook-{{ item }}.{{ cmk_namespace }}
213 - inventory_hostname == groups['kube-master'][0]
# NOTE(review): rc == 0 only means kubectl ran. A CSR that is approved but not yet
# issued returns rc 0 with an empty .status.certificate, so this until condition can
# pass with an empty server_cert.stdout. Consider also requiring
# server_cert.stdout | length > 0 (same for client_cert below).
215 - name: get approved server certificate
216 shell: kubectl get csr cmk-webhook-server.{{ cmk_namespace }} -o jsonpath='{.status.certificate}'
218 chdir: "/etc/ssl/cmk/"
219 register: server_cert
221 - inventory_hostname == groups['kube-master'][0]
224 until: server_cert.rc == 0
226 - name: get approved client certificate
227 shell: kubectl get csr cmk-webhook-client.{{ cmk_namespace }} -o jsonpath='{.status.certificate}'
229 chdir: "/etc/ssl/cmk/"
230 register: client_cert
232 - inventory_hostname == groups['kube-master'][0]
235 until: client_cert.rc == 0
# .status.certificate is presumably already base64 as returned by the API server,
# hence no b64encode here, unlike the keys and CSRs above.
237 - name: load generated server cert
239 cmk_webhook_server_cert: "{{ server_cert.stdout }}"
241 - inventory_hostname == groups['kube-master'][0]
243 - name: load generated client cert
245 cmk_webhook_client_cert: "{{ client_cert.stdout }}"
247 - inventory_hostname == groups['kube-master'][0]
# kubeconfig the apiserver uses to authenticate to the webhook (client cert/key from above).
249 - name: populate cmk-webhook.conf file
251 src: "cmk-webhook.conf.j2"
252 dest: "/etc/kubernetes/admission-control/cmk-webhook.conf"
256 - inventory_hostname == groups['kube-master'][0]
# The webhook plugin block appears to be inserted right after the "plugins:" line of the
# apiserver's AdmissionConfiguration; kubeConfigFile points at the file rendered above.
258 - name: add MutatingAdmissionWebhook to AdmissionConfiguration
260 path: /etc/kubernetes/admission-control/config.yaml
261 insertafter: "plugins:"
263 - name: MutatingAdmissionWebhook
265 apiVersion: apiserver.config.k8s.io/v1
266 kind: WebhookAdmissionConfiguration
267 kubeConfigFile: /etc/kubernetes/admission-control/cmk-webhook.conf
269 - inventory_hostname == groups['kube-master'][0]
272 - name: restart kube-apiserver after updating admission control configuration
273 when: inventory_hostname == groups['kube-master'][0]
# Force-removing the container makes kubelet recreate it with the new config
# (presumably a static pod). The '*' in the name filter is unquoted inside the shell
# command; bash expands it only if a matching file exists in the cwd, so quoting the
# filter value ('name=k8s_kube-apiserver*') would be safer.
275 - name: remove kube-apiserver Docker container
276 shell: docker ps -af name=k8s_kube-apiserver* -q | xargs --no-run-if-empty docker rm -f
278 executable: /bin/bash
279 register: remove_apiserver_container
281 until: remove_apiserver_container.rc == 0
# NOTE(review): the health probe presents the cluster CA certificate and the CA
# *private key* as a TLS client identity. Reading ca.key for a readiness check is far
# broader access than the check needs; a dedicated kubeconfig/client cert, or an
# anonymous /healthz probe where the cluster allows it, keeps the CA key out of this
# task. Whether validate_certs is set is not visible here — confirm.
283 - name: wait for kube-apiserver to be up
285 url: "https://127.0.0.1:6443/healthz"
286 client_cert: "/etc/kubernetes/ssl/ca.crt"
287 client_key: "/etc/kubernetes/ssl/ca.key"
290 until: result.status == 200
# --- Helm deployment ---
294 - name: create Helm charts directory if needed
296 path: /usr/src/charts
300 - inventory_hostname == groups['kube-master'][0]
302 - name: copy CMK Helm chart to the controller node
304 src: "{{ role_path }}/charts/cpu-manager-for-kubernetes"
305 dest: "/usr/src/charts/"
308 - inventory_hostname == groups['kube-master'][0]
310 # adds all kube-nodes to the list of CMK nodes when cmk_use_all_hosts is false and no explicit list was given
311 - name: build list of CMK hosts
313 cmk_hosts_list: "{{ groups['kube-node'] | join(',') }}"
315 - not cmk_use_all_hosts
316 - (cmk_hosts_list is undefined) or (cmk_hosts_list | length == 0)
318 - name: set values for CMK Helm chart values
320 cmk_image: "{{ registry_local_address }}/cmk"
321 cmk_tag: "{{ cmk_img_version }}"
323 - inventory_hostname == groups['kube-master'][0]
# ca_cert is presumably the public CA certificate read from /etc/kubernetes/ssl/
# (the read/register lines are not shown); it becomes the webhook's caBundle.
328 chdir: "/etc/kubernetes/ssl/"
331 - inventory_hostname == groups['kube-master'][0]
335 caBundle_cert: "{{ ca_cert.stdout | b64encode }}"
337 - inventory_hostname == groups['kube-master'][0]
# The rendered values file carries the webhook key material; it is written to
# /usr/src/charts on the master and is not removed by the cleanup task at the end.
339 - name: populate CMK Helm chart values template and push to controller node
341 src: "helm_values.yml.j2"
342 dest: "/usr/src/charts/cmk-values.yml"
346 - inventory_hostname == groups['kube-master'][0]
348 # remove any preexisting configmaps before cmk redeployment
# Runs once per CMK host but is delegated to the first master, where kubectl is available.
349 - name: remove any preexisting configmaps before CMK deployment
350 command: kubectl delete cm cmk-config-{{ inventory_hostname }}
352 - inventory_hostname in cmk_hosts_list.split(',')
353 delegate_to: "{{ groups['kube-master']|first }}"
356 - name: install CMK helm chart
357 command: helm upgrade --install cmk --namespace {{ cmk_namespace }} -f /usr/src/charts/cmk-values.yml /usr/src/charts/cpu-manager-for-kubernetes
359 - inventory_hostname == groups['kube-master'][0]
# Removes the on-disk keys/CSRs once the chart is installed; the same material still
# lives in the facts set above for the rest of the play (and in cmk-values.yml).
361 - name: clean up any certs/key/CSR files
362 file: path=/etc/ssl/cmk state=absent
363 when: inventory_hostname == groups['kube-master'][0]