2 ## Copyright (c) 2020 Intel Corporation.
4 ## Licensed under the Apache License, Version 2.0 (the "License");
5 ## you may not use this file except in compliance with the License.
6 ## You may obtain a copy of the License at
8 ## http://www.apache.org/licenses/LICENSE-2.0
10 ## Unless required by applicable law or agreed to in writing, software
11 ## distributed under the License is distributed on an "AS IS" BASIS,
12 ## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 ## See the License for the specific language governing permissions and
14 ## limitations under the License.
# NOTE(review): this listing has lost its YAML indentation and omits a number of
# lines (the leading number on each line is the original file's line number; the
# gaps are where lines are missing), so the module keyword of several tasks is
# not visible. The comments below describe only what the visible lines show.
#
# Overall flow of this task file, as far as it is visible:
#   1. install OS packages and Python dependencies, clone and patch the CMK
#      sources, build the CMK image and push it to the cluster-local registry;
#   2. on the first kube-master, generate a key and CSR for the CMK webhook
#      server and client with cfssl, submit the CSRs to the Kubernetes API,
#      approve them and collect the signed certificates;
#   3. register the webhook in the kube-apiserver admission configuration and
#      restart the apiserver;
#   4. render Helm values and install the CMK chart, then remove the key
#      material from /etc/ssl/cmk.
17 - name: install epel-release on Red Hat based OS
# key=value shorthand for module arguments; Ansible style guides prefer the
# block form (name: epel-release on its own line). Behaviour is the same.
18 package: name=epel-release
19 when: ansible_os_family == 'RedHat'
21 # NOTE: on Ubuntu, pip is installed by install_dependencies (see "install dependencies" below)
# The two condition lists below (distribution version < 8 and >= 8) belong to
# tasks whose name/module lines are not in this listing; presumably the pip
# installation differs between RHEL/CentOS 7 and 8 — confirm against the file.
# NOTE(review): ansible_distribution_version is a string, so '<' / '>=' are
# lexical comparisons. They are fine for single-digit majors ('7.9' < '8') but
# would mis-order a two-digit major; the `version` test avoids that.
26 - ansible_distribution in ["RedHat", "CentOS"]
27 - ansible_distribution_version < '8'
33 - ansible_distribution in ["RedHat", "CentOS"]
34 - ansible_distribution_version >= '8'
36 - name: install dependencies
38 name: install_dependencies
40 - name: install Python dependencies
# Supply chain: the checkout is pinned by cmk_version (defined outside this
# file). A tag or commit SHA, rather than a branch name, keeps the build
# reproducible and lets the built image be traced back to exact sources.
46 - name: clone CMK repository
48 repo: "{{ cmk_git_url }}"
50 version: "{{ cmk_version }}"
# The three patches below rewrite the upstream Dockerfile before building.
# (1/3) swaps the clearlinux base image for a CentOS 7 Python image.
# NOTE(review): ':latest' is a floating tag, so two builds can differ silently;
# pinning the base image by digest would make the image build reproducible.
53 - name: patch CMK dockerfile (1/3)
55 path: "{{ cmk_dir }}/Dockerfile"
56 regexp: '^FROM clearlinux'
57 line: 'FROM centos/python-36-centos7:latest'
# (2/3) inserts content after the new FROM line; the inserted text is not in
# this listing.
59 - name: patch CMK dockerfile (2/3)
61 path: "{{ cmk_dir }}/Dockerfile"
62 insertafter: '^FROM centos'
# (3/3) a further edit of the same Dockerfile; its arguments are not visible.
66 - name: patch CMK dockerfile (3/3)
68 path: "{{ cmk_dir }}/Dockerfile"
# The build runs from the cloned checkout; the build command itself is not shown.
72 - name: build CMK image
74 chdir: "{{ cmk_dir }}"
76 # NOTE(przemeklal): this works around CMK having ImagePullPolicy hard-coded to Never while the pod is scheduled on a controller node
# Retag the locally built image for the cluster-local registry so every node
# can pull it. The Jinja values are interpolated unquoted, but `command` does
# not go through a shell, so they are word-split and not otherwise interpreted.
78 command: docker tag cmk:{{ cmk_img_version }} {{ registry_local_address }}/cmk:{{ cmk_img_version }}
81 - name: push CMK image to local registry
82 command: docker push {{ registry_local_address }}/cmk:{{ cmk_img_version }}
# The push is limited to the first kube-node; the build and tag tasks presumably
# carry the same condition (their `when` lines are not in the listing).
84 - inventory_hostname == groups['kube-node'][0]
# --- Webhook TLS material. Everything from here to the final clean-up task
# runs on the first kube-master only. ---
87 - name: clean up any preexisting certs/key/CSR files
88 file: path=/etc/ssl/cmk state=absent
89 when: inventory_hostname == groups['kube-master'][0]
# Remove stale CSR objects (items are server and client, per the `kubectl get
# csr` tasks below) so that the later `kubectl certificate approve` signs the
# freshly generated request rather than an old one.
# NOTE(review): `kubectl delete` exits non-zero when the object does not exist;
# whether this task tolerates that (failed_when / ignore_errors) is not visible.
93 - name: delete any preexisting certs/key/CSR from Kubernetes
94 command: kubectl delete csr cmk-webhook-{{ item }}.{{ cmk_namespace }}
95 when: inventory_hostname == groups['kube-master'][0]
101 - name: create directory for CMK cert and key generation
# Render the cfssl CSR request (one per item) from the role's templates.
110 - name: populate CMK CSR template
112 src: "webhook_{{ item }}_csr.json.j2"
113 dest: "/etc/ssl/cmk/cmk-webhook-{{ item }}-csr.json"
121 - inventory_hostname == groups['kube-master'][0]
# cfssl/cfssljson are expected under $GOPATH/bin; the result is registered as
# `gopath` and used by the task below.
124 command: go env GOPATH
127 - inventory_hostname == groups['kube-master'][0]
# Generates the private key and CSR for each item into /etc/ssl/cmk.
# `set -o pipefail` makes a cfssl failure fail the task instead of being masked
# by cfssljson's exit status.
# NOTE(review): the private keys are written to disk on the master here and are
# only removed by the final clean-up task; an early failure leaves them in
# place until the next run.
129 - name: generate key and CSR
130 shell: "set -o pipefail \
131 && {{ gopath.stdout }}/bin/cfssl genkey cmk-webhook-{{ item }}-csr.json | {{ gopath.stdout }}/bin/cfssljson -bare cmk-webhook-{{ item }}"
133 chdir: "/etc/ssl/cmk/"
134 executable: /bin/bash
139 - inventory_hostname == groups['kube-master'][0]
# Read the PEM private keys into registered variables (server_key / client_key,
# per the set_fact tasks below).
# NOTE(review): a registered result holds the key in plain text and is printed
# in task output and callback logs unless the task sets `no_log: true`; that
# setting is not visible in this listing — confirm it is present on these
# `cat` tasks and on the set_fact tasks that copy the value. The `slurp`
# module would return the content already base64-encoded without a shell
# round-trip.
142 - name: read generated server key
143 command: cat cmk-webhook-server-key.pem
145 chdir: "/etc/ssl/cmk/"
148 - inventory_hostname == groups['kube-master'][0]
150 - name: read generated client key
151 command: cat cmk-webhook-client-key.pem
153 chdir: "/etc/ssl/cmk/"
156 - inventory_hostname == groups['kube-master'][0]
# Base64-encode the keys into facts for the templates rendered later. If fact
# caching is enabled these facts persist beyond the run — worth checking in
# the environment's ansible.cfg.
158 - name: load generated server key
160 cmk_webhook_server_key: "{{ server_key.stdout | b64encode }}"
162 - inventory_hostname == groups['kube-master'][0]
164 - name: load generated client key
166 cmk_webhook_client_key: "{{ client_key.stdout | b64encode }}"
168 - inventory_hostname == groups['kube-master'][0]
# The CSRs are read and base64-encoded the same way; they are public material
# (no private key inside) and are embedded into the Kubernetes CSR manifests
# rendered below.
170 - name: read generated client csr
171 command: cat cmk-webhook-client.csr
173 chdir: "/etc/ssl/cmk/"
176 - inventory_hostname == groups['kube-master'][0]
178 - name: load generated client csr
180 cmk_webhook_client_csr: "{{ client_csr.stdout | b64encode }}"
182 - inventory_hostname == groups['kube-master'][0]
184 - name: read generated server csr
185 command: cat cmk-webhook-server.csr
187 chdir: "/etc/ssl/cmk/"
190 - inventory_hostname == groups['kube-master'][0]
192 - name: load generated server csr
194 cmk_webhook_server_csr: "{{ server_csr.stdout | b64encode }}"
196 - inventory_hostname == groups['kube-master'][0]
# Render a Kubernetes CertificateSigningRequest manifest per item and submit it.
198 - name: populate CMK Kubernetes CA CSR template
200 src: "kube_{{ item }}_csr.yml.j2"
201 dest: "/etc/ssl/cmk/cmk-webhook-kube-{{ item }}-csr.yml"
208 - inventory_hostname == groups['kube-master'][0]
210 - name: send CSR to the Kubernetes API Server
211 command: kubectl apply -f /etc/ssl/cmk/cmk-webhook-kube-{{ item }}-csr.yml
216 - inventory_hostname == groups['kube-master'][0]
# Approval is automatic: the cluster CA signs whatever the manifest requests, so
# the granted identity (subject, usages) is bounded by kube_*_csr.yml.j2 and
# webhook_*_csr.json.j2, not by this task — review those templates with it.
218 - name: approve request
219 command: kubectl certificate approve cmk-webhook-{{ item }}.{{ cmk_namespace }}
224 - inventory_hostname == groups['kube-master'][0]
# Signing is asynchronous; poll (retries/delay are not in the listing) for the
# issued certificate. jsonpath returns the certificate as stored in the API
# (presumably already base64), which is why no b64encode is applied below.
226 - name: get approved server certificate
227 shell: kubectl get csr cmk-webhook-server.{{ cmk_namespace }} -o jsonpath='{.status.certificate}'
229 chdir: "/etc/ssl/cmk/"
230 register: server_cert
232 - inventory_hostname == groups['kube-master'][0]
# NOTE(review): `until: rc == 0` only waits for kubectl itself to succeed;
# `kubectl get` typically exits 0 with empty output while .status.certificate
# is still unset, so also requiring a non-empty stdout would make the wait
# meaningful. The same applies to the client certificate task below.
235 until: server_cert.rc == 0
237 - name: get approved client certificate
238 shell: kubectl get csr cmk-webhook-client.{{ cmk_namespace }} -o jsonpath='{.status.certificate}'
240 chdir: "/etc/ssl/cmk/"
241 register: client_cert
243 - inventory_hostname == groups['kube-master'][0]
246 until: client_cert.rc == 0
248 - name: load generated server cert
250 cmk_webhook_server_cert: "{{ server_cert.stdout }}"
252 - inventory_hostname == groups['kube-master'][0]
254 - name: load generated client cert
256 cmk_webhook_client_cert: "{{ client_cert.stdout }}"
258 - inventory_hostname == groups['kube-master'][0]
# --- Register the webhook in the apiserver's admission configuration. ---
# The kubeconfig written here presumably carries the client key generated above
# (it is what the apiserver presents to the webhook), so its ownership and mode
# (not visible) matter as much as those of the key files themselves.
260 - name: populate cmk-webhook.conf file
262 src: "cmk-webhook.conf.j2"
263 dest: "/etc/kubernetes/admission-control/cmk-webhook.conf"
267 - inventory_hostname == groups['kube-master'][0]
# Inserts a MutatingAdmissionWebhook plugin entry after the `plugins:` key.
# NOTE(review): an insertafter-based edit is only idempotent if the task also
# matches the already-inserted text (regexp/line); otherwise each run adds
# another copy. That part of the task is not in the listing.
269 - name: add MutatingAdmissionWebhook to AdmissionConfiguration
271 path: /etc/kubernetes/admission-control/config.yaml
272 insertafter: "plugins:"
274 - name: MutatingAdmissionWebhook
276 apiVersion: apiserver.config.k8s.io/v1
277 kind: WebhookAdmissionConfiguration
278 kubeConfigFile: /etc/kubernetes/admission-control/cmk-webhook.conf
280 - inventory_hostname == groups['kube-master'][0]
# The apiserver reads its admission configuration at start-up, so it is
# restarted by force-removing its container; the k8s_ container name suggests a
# kubelet-managed static pod that is recreated automatically (not verifiable
# here). This looks like a block whose body is the two tasks that follow.
283 - name: restart kube-apiserver after updating admission control configuration
284 when: inventory_hostname == groups['kube-master'][0]
# NOTE(review): `name=k8s_kube-apiserver*` is an unquoted glob under bash; it is
# meant for docker's filter, and quoting it ('name=k8s_kube-apiserver*') removes
# any chance of the shell expanding it against the working directory.
286 - name: remove kube-apiserver Docker container
287 shell: docker ps -af name=k8s_kube-apiserver* -q | xargs --no-run-if-empty docker rm -f
289 executable: /bin/bash
290 register: remove_apiserver_container
292 until: remove_apiserver_container.rc == 0
# Polls /healthz (retries/delay not shown) until the restarted apiserver answers.
# NOTE(review): the probe authenticates with the cluster CA certificate and its
# private key used as a client identity. The CA key is the most sensitive
# secret in the cluster and a health check does not need it; a dedicated
# low-privilege client certificate (or unauthenticated /healthz access, where
# the cluster's default RBAC permits it) would be the safer choice.
294 - name: wait for kube-apiserver to be up
296 url: "https://127.0.0.1:6443/healthz"
297 client_cert: "/etc/kubernetes/ssl/ca.crt"
298 client_key: "/etc/kubernetes/ssl/ca.key"
301 until: result.status == 200
# --- Helm deployment. ---
305 - name: create Helm charts directory if needed
307 path: /usr/src/charts
311 - inventory_hostname == groups['kube-master'][0]
313 - name: copy CMK Helm chart to the controller node
315 src: "{{ role_path }}/charts/cpu-manager-for-kubernetes"
316 dest: "/usr/src/charts/"
319 - inventory_hostname == groups['kube-master'][0]
321 # adds all kube-nodes to the list of CMK nodes when no explicit list was supplied
# NOTE(review): the list is filled with every kube-node when cmk_use_all_hosts
# is false and no list exists; if that reads backwards, check how the chart
# consumes cmk_use_all_hosts — it may mean CMK discovers hosts itself instead
# of being given a list.
322 - name: build list of CMK hosts
324 cmk_hosts_list: "{{ groups['kube-node'] | join(',') }}"
326 - not cmk_use_all_hosts
327 - (cmk_hosts_list is undefined) or (cmk_hosts_list | length == 0)
329 - name: set values for CMK Helm chart values
331 cmk_image: "{{ registry_local_address }}/cmk"
332 cmk_tag: "{{ cmk_img_version }}"
334 - inventory_hostname == groups['kube-master'][0]
# The cluster CA certificate (public) is read from /etc/kubernetes/ssl (the
# task's name/command lines are not in the listing) and base64-encoded as the
# caBundle the apiserver uses to verify the webhook's server certificate.
339 chdir: "/etc/kubernetes/ssl/"
342 - inventory_hostname == groups['kube-master'][0]
346 caBundle_cert: "{{ ca_cert.stdout | b64encode }}"
348 - inventory_hostname == groups['kube-master'][0]
# Render the Helm values file (image, tag, hosts, certificates, keys).
# NOTE(review): this file presumably carries the base64 private keys loaded
# above, so its mode (not visible) should be owner-only and it deserves the
# same clean-up as /etc/ssl/cmk — the final task removes only that directory.
350 - name: populate CMK Helm chart values template and push to controller node
352 src: "helm_values.yml.j2"
353 dest: "/usr/src/charts/cmk-values.yml"
357 - inventory_hostname == groups['kube-master'][0]
359 # remove any preexisting configmaps before CMK redeployment
# Runs once per host in cmk_hosts_list, delegated to the first master.
# NOTE(review): `kubectl delete cm` exits non-zero when the configmap is absent
# (the normal case on a first install); whether the task tolerates that
# (failed_when / ignore_errors) is not visible here.
360 - name: remove any preexisting configmaps before CMK deployment
361 command: kubectl delete cm cmk-config-{{ inventory_hostname }}
363 - inventory_hostname in cmk_hosts_list.split(',')
364 delegate_to: "{{ groups['kube-master']|first }}"
367 - name: install CMK helm chart
368 command: helm upgrade --install cmk --namespace {{ cmk_namespace }} -f /usr/src/charts/cmk-values.yml /usr/src/charts/cpu-manager-for-kubernetes
370 - inventory_hostname == groups['kube-master'][0]
# Removes the generated keys, CSRs and certificates from the master's disk once
# the chart has consumed them. The key material still lives in this run's
# facts and registered variables until the play ends.
372 - name: clean up any certs/key/CSR files
373 file: path=/etc/ssl/cmk state=absent
374 when: inventory_hostname == groups['kube-master'][0]