From 2e360273c803ab00bb8e0fff6808ae65f104b764 Mon Sep 17 00:00:00 2001 From: Tomasz Arendt Date: Mon, 21 Sep 2020 12:55:47 +0200 Subject: [PATCH] separate repository machine --- CHANGELOG-0.8.md | 6 ++ CHANGELOG.md | 1 + .../configuration/minimal-cluster-config.yml | 11 ++++ .../configuration/minimal-cluster-config.yml | 2 + .../infrastructure/virtual-machine.yml | 45 +++++++++++++ .../configuration/minimal-cluster-config.yml | 2 + .../infrastructure/virtual-machine.yml | 59 +++++++++++++++++ .../data/common/ansible/playbooks/helm.yml | 21 ++++-- .../roles/helm/tasks/gather-facts.yml | 8 --- .../roles/helm/tasks/install-chart.yml | 8 ++- .../playbooks/roles/helm/tasks/main.yml | 64 +++++++++---------- .../repository/tasks/create-helm-repo.yml | 2 +- .../configuration/feature-mapping.yml | 8 ++- .../data/common/defaults/epiphany-cluster.yml | 7 ++ 14 files changed, 192 insertions(+), 52 deletions(-) delete mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/helm/tasks/gather-facts.yml diff --git a/CHANGELOG-0.8.md b/CHANGELOG-0.8.md index 2ccadcdc9c..717e72e1ae 100644 --- a/CHANGELOG-0.8.md +++ b/CHANGELOG-0.8.md @@ -14,6 +14,7 @@ - [#1618](https://github.com/epiphany-platform/epiphany/issues/1618) - Add kubectl and Helm to epicli and devcontainer images - [#1225](https://github.com/epiphany-platform/epiphany/issues/1225) - Add OS_PATCHING.md with information about patching RHEL OS - [#1656](https://github.com/epiphany-platform/epiphany/issues/1656) - Run Helm tasks from Epiphany container +- [#1640](https://github.com/epiphany-platform/epiphany/issues/1640) - Added separate machine for repository and changed helm to use localhost address ### Updated 
@@ -33,3 +34,8 @@ - [#1659](https://github.com/epiphany-platform/epiphany/issues/1659) - epicli upgrade fails on Ubuntu on downgrading kubernetes-cni package - [#1681](https://github.com/epiphany-platform/epiphany/issues/1681) - Node exporter does not work after the upgrade - [#1705](https://github.com/epiphany-platform/epiphany/issues/1705) - [RHEL/CentOS] epicli fails on downloading requirements - Docker CE repo not available + +### Breaking changes + +- Repository machine was introduced (ref #1640) +- Change cluster configuration manifest in order to be compatible with changes in #1640 [example] (https://github.com/epiphany-platform/epiphany/blob/develop/core/src/epicli/data/common/defaults/epiphany-cluster.yml) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6900ae98e5..9752485e0d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. Reference for actual cluster component versions can be found [here](docs/home/COMPONENTS.md) +- [CHANGELOG-0.8.x](./CHANGELOG-0.8.md) - [CHANGELOG-0.7.x](./CHANGELOG-0.7.md) - [CHANGELOG-0.6.x](./CHANGELOG-0.6.md) - [CHANGELOG-0.5.x](./CHANGELOG-0.5.md) diff --git a/core/src/epicli/data/any/defaults/configuration/minimal-cluster-config.yml b/core/src/epicli/data/any/defaults/configuration/minimal-cluster-config.yml index dcedfc4802..8c44c6cf8f 100644 --- a/core/src/epicli/data/any/defaults/configuration/minimal-cluster-config.yml +++ b/core/src/epicli/data/any/defaults/configuration/minimal-cluster-config.yml @@ -8,6 +8,10 @@ specification: name: operations # YOUR-ADMIN-USERNAME key_path: /user/.ssh/epiphany-operations/id_rsa # YOUR-SSH-KEY-PATH components: + repository: + count: 1 + machines: + - default-repository kubernetes_master: count: 1 machines: 
@@ -45,6 +49,13 @@ specification: --- kind: infrastructure/machine provider: any +name: default-repository +specification: + hostname: repository # YOUR-MACHINE-HOSTNAME + ip: 192.168.100.112 # YOUR-MACHINE-IP +--- +kind: infrastructure/machine +provider: any name: default-k8s-master1 specification: hostname: master1 # YOUR-MACHINE-HOSTNAME diff --git a/core/src/epicli/data/aws/defaults/configuration/minimal-cluster-config.yml b/core/src/epicli/data/aws/defaults/configuration/minimal-cluster-config.yml index e03f9d829d..dea78fa713 100644 --- a/core/src/epicli/data/aws/defaults/configuration/minimal-cluster-config.yml +++ b/core/src/epicli/data/aws/defaults/configuration/minimal-cluster-config.yml @@ -14,6 +14,8 @@ specification: key: XXXX-XXXX-XXXX secret: XXXXXXXXXXXXXXXX components: + repository: + count: 1 kubernetes_master: count: 1 kubernetes_node: diff --git a/core/src/epicli/data/aws/defaults/infrastructure/virtual-machine.yml b/core/src/epicli/data/aws/defaults/infrastructure/virtual-machine.yml index b6c0580129..72cba09e11 100644 --- a/core/src/epicli/data/aws/defaults/infrastructure/virtual-machine.yml +++ b/core/src/epicli/data/aws/defaults/infrastructure/virtual-machine.yml 
@@ -845,3 +845,48 @@ specification: destination_port_range: "0" source_address_prefix: "0.0.0.0/0" destination_address_prefix: "0.0.0.0/0" +--- +kind: infrastructure/virtual-machine +title: "Virtual Machine Infra" +provider: aws +name: repository-machine +specification: + size: t2.medium + security: + rules: + - name: ssh + description: Allow ssh traffic + direction: Inbound + protocol: Tcp + destination_port_range: "22" + source_address_prefix: "0.0.0.0/0" + destination_address_prefix: "0.0.0.0/0" + - name: repository + description: Allow repository traffic + direction: Inbound + protocol: Tcp + destination_port_range: "80" + source_address_prefix: "10.1.0.0/20" + destination_address_prefix: "0.0.0.0/0" + - name: node_exporter + description: Allow node_exporter traffic + direction: Inbound + protocol: Tcp + destination_port_range: "9100" + source_address_prefix: "10.1.0.0/20" + destination_address_prefix: "0.0.0.0/0" + - name: image_registry + description: Allow image registry traffic + direction: Inbound + protocol: Tcp + destination_port_range: "5000" + source_address_prefix: "10.1.0.0/20" + destination_address_prefix: "0.0.0.0/0" + - name: out + description: Allow out + direction: Egress + protocol: "all" + destination_port_range: "0" + source_address_prefix: "0.0.0.0/0" + destination_address_prefix: "0.0.0.0/0" + diff --git a/core/src/epicli/data/azure/defaults/configuration/minimal-cluster-config.yml b/core/src/epicli/data/azure/defaults/configuration/minimal-cluster-config.yml index 3ed40b33cc..a81871a0d5 100644 --- a/core/src/epicli/data/azure/defaults/configuration/minimal-cluster-config.yml +++ b/core/src/epicli/data/azure/defaults/configuration/minimal-cluster-config.yml @@ -11,6 +11,8 @@ specification: cloud: use_public_ips: False # When not using public IPs you have to provide connectivity via private IPs (VPN) components: + repository: + count: 1 kubernetes_master: count: 1 kubernetes_node: 
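Review bot: The `ssh` rule of the new `repository-machine` admits port 22 from `source_address_prefix: "0.0.0.0/0"`, while every service rule below it (80, 9100, 5000) is limited to `10.1.0.0/20`; this host feeds packages, Helm charts and container images to every node, so a shell on it lets an attacker poison what the whole cluster installs. Unless epicli genuinely needs the wide exposure to reach the host (the other machine definitions in this file are outside the hunk), narrow it to the operator or bastion range, or at least mark the line: `source_address_prefix: "0.0.0.0/0"  # TODO: narrow to the operator/bastion CIDR - this host is the software source for all nodes`. The same rule is repeated in the Azure definition and should be changed together.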
diff --git a/core/src/epicli/data/azure/defaults/infrastructure/virtual-machine.yml b/core/src/epicli/data/azure/defaults/infrastructure/virtual-machine.yml index c77785de7d..5633ad9b82 100644 --- a/core/src/epicli/data/azure/defaults/infrastructure/virtual-machine.yml +++ b/core/src/epicli/data/azure/defaults/infrastructure/virtual-machine.yml @@ -782,3 +782,62 @@ specification: # destination_port_range: "0" # source_address_prefix: "10.1.4.0/24" # destination_address_prefix: "0.0.0.0/0" +--- +kind: infrastructure/virtual-machine +title: "Virtual Machine Infra" +provider: azure +name: repository-machine +specification: + size: Standard_DS1_v2 + security: + rules: + - name: ssh + description: Allow SSH + priority: 100 + direction: Inbound + access: Allow + protocol: Tcp + source_port_range: "*" + destination_port_range: "22" + source_address_prefix: "0.0.0.0/0" + destination_address_prefix: "0.0.0.0/0" + - name: node_exporter + description: Allow node_exporter traffic + priority: 200 + direction: Inbound + access: Allow + protocol: Tcp + source_port_range: "*" + destination_port_range: "9100" + source_address_prefix: "10.1.0.0/20" + destination_address_prefix: "0.0.0.0/0" + - name: repository + description: Allow repository traffic + priority: 205 + direction: Inbound + access: Allow + protocol: Tcp + source_port_range: "*" + destination_port_range: "80" + source_address_prefix: "10.1.0.0/20" + destination_address_prefix: "0.0.0.0/0" + - name: image_registry + description: Allow image registry traffic + priority: 206 + direction: Inbound + access: Allow + protocol: Tcp + source_port_range: "*" + destination_port_range: "5000" + source_address_prefix: "10.1.0.0/20" + destination_address_prefix: "0.0.0.0/0" + - name: out + description: Allow out + priority: 101 + direction: Outbound + access: Allow + protocol: "*" + source_port_range: "*" + destination_port_range: "0" + source_address_prefix: "0.0.0.0/0" + destination_address_prefix: "0.0.0.0/0" 
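Review bot: The `repository`, `image_registry` and `node_exporter` rules hard-code `source_address_prefix: "10.1.0.0/20"`, a range that is not derived from the cluster's `address_pool` values (10.1.10.0/24 and the new 10.1.11.0/24 in epiphany-cluster.yml); if a user moves the VNet or a subnet outside that /20 the repository silently becomes unreachable, and if the VNet is wider than the /20 part of it is silently excluded. If the template allows it, reference the network specification instead of a literal; otherwise record the coupling above the rules: `# 10.1.0.0/20 must cover every subnet defined for the cluster's components; keep in sync with epiphany-cluster.yml`. Note also that `ssh` is open from `0.0.0.0/0` on this host, as in the AWS counterpart.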
diff --git a/core/src/epicli/data/common/ansible/playbooks/helm.yml b/core/src/epicli/data/common/ansible/playbooks/helm.yml index b2d0693d68..6bda64d3d0 100644 --- a/core/src/epicli/data/common/ansible/playbooks/helm.yml +++ b/core/src/epicli/data/common/ansible/playbooks/helm.yml @@ -1,7 +1,18 @@ --- -- hosts: helm - become: true - become_method: sudo - become_flags: --login +- hosts: 127.0.0.1 + gather_facts: false + connection: local + become: false roles: - - helm + - role: helm + when: + - groups.helm is defined + - groups.helm | length > 0 + - groups.repository is defined + - groups.repository | length > 0 + environment: + # The "inventory_dir" fact cannot be used here. + # Documentation (https://docs.ansible.com/ansible/latest/inventory/implicit_localhost.html) states: + # - The inventory_file and inventory_dir magic variables are not available for the implicit localhost as they are dependent on each inventory host. + # TODO: https://github.com/epiphany-platform/epiphany/issues/1650 + KUBECONFIG: "{{ vault_location }}/../kubeconfig" diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/helm/tasks/gather-facts.yml b/core/src/epicli/data/common/ansible/playbooks/roles/helm/tasks/gather-facts.yml deleted file mode 100644 index d79d805c3c..0000000000 --- a/core/src/epicli/data/common/ansible/playbooks/roles/helm/tasks/gather-facts.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: Produce final list of hosts to deploy Helm chart sources on - set_fact: - target_repository_hostnames: >- - {{ groups.helm | difference(available_masters) | union([resolved_repository_hostname]) | unique }} - vars: - available_masters: >- - {{ groups.kubernetes_master | default([]) }} diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/helm/tasks/install-chart.yml b/core/src/epicli/data/common/ansible/playbooks/roles/helm/tasks/install-chart.yml index 204febd625..92aa14a581 100644 
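Review bot: The kubeconfig path `KUBECONFIG: "{{ vault_location }}/../kubeconfig"` is now spelled out twice — here in the play `environment` and again in roles/helm/tasks/install-chart.yml — so the two can drift apart, and each reaches the file by walking `..` out of the vault directory. Define it once, e.g. `kubeconfig_path: "{{ vault_location }}/../kubeconfig"` in the role defaults or the play `vars`, and reference `{{ kubeconfig_path }}` in both places. Since the play runs as the local user with `become: false` and `connection: local`, the existing comment should also state that this file is the credential Helm presents to the cluster and must stay readable only by the epicli user; the TODO for #1650 already covers replacing the `..` construction.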
--- a/core/src/epicli/data/common/ansible/playbooks/roles/helm/tasks/install-chart.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/helm/tasks/install-chart.yml @@ -1,4 +1,6 @@ --- +# This file is meant to be used by other roles + - name: Prepare configuration and upgrade/install Helm chart vars: # Handling "undefined", "null", "empty" and "boolean" values all at once. @@ -9,10 +11,14 @@ always: - name: Clean up temporary Helm chart values file + delegate_to: localhost file: state: absent path: /tmp/{{ helm_chart_name }}_values.yaml - + + delegate_to: localhost + environment: + KUBECONFIG: "{{ vault_location }}/../kubeconfig" block: # IF `disable_helm_chart` - when: disable_helm_chart_bool diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/helm/tasks/main.yml b/core/src/epicli/data/common/ansible/playbooks/roles/helm/tasks/main.yml index 27c626d0c0..9b43de555c 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/helm/tasks/main.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/helm/tasks/main.yml 
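Review bot: With the cleanup task now on `delegate_to: localhost`, the values file at `path: /tmp/{{ helm_chart_name }}_values.yaml` lives in the controller's shared `/tmp` under a name predictable from the chart name; chart values commonly carry credentials, and a fixed path in a world-writable directory is open to pre-creation and symlink tricks by any other local user. Create it with `ansible.builtin.tempfile` (`tempfile: state: file suffix: _values.yaml`, registered, which yields a 0600 file with a random name) and use the registered path in both the task that writes the file and this cleanup task. The task that writes the file is inside the `block:` and outside this hunk, and the enclosing task (`Prepare configuration and upgrade/install Helm chart`) starts before the hunk as well.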
@@ -1,48 +1,42 @@ --- -- import_tasks: gather-facts.yml + +- name: Check system index file existence + uri: + url: http://localhost/epirepo/helm-charts/system/index.yaml + method: HEAD + register: uri_index_test + # fail with error if status is unexpected + failed_when: uri_index_test.status not in [200, 404] - name: Deploy the "system" Helm charts - when: inventory_hostname == target_repository_hostnames[0] # execute on the main repository host only block: - name: Check if Helm chart repo already exists - shell: | - helm repo list | grep {{ helm_chart_repo_name }} + shell: helm repo list | grep -w "{{ helm_chart_repo_name }}" register: helm_repo_list failed_when: (helm_repo_list.rc != 0 and not 'no repositories' in helm_repo_list.stderr) or helm_repo_list.rc > 1 - - name: "Check if files exist in {{ specification.apache_epirepo_path }}/helm-charts/system" - find: - paths: "{{ specification.apache_epirepo_path }}/helm-charts/system" - register: helm_charts_files_number - - - name: Add Helm chart repo and install charts - when: helm_charts_files_number.matched > 1 - block: - - name: Get Helm charts list from repo before update - shell: | - helm search repo {{ helm_chart_repo_name }} --output json | jq -r '.[].name' - register: helm_charts_list_before_update + - name: Get Helm charts list from repo before update + shell: helm search repo {{ helm_chart_repo_name }} --output json | jq -r '.[].name' + register: helm_charts_list_before_update + failed_when: (helm_charts_list_before_update.rc != 0 and not 'no repositories' in helm_charts_list_before_update.stderr) + or helm_charts_list_before_update.rc > 1 - - name: "Add {{ helm_chart_repo_name }} Helm repository from url {{ repository_url }}" - shell: | - helm repo add {{ helm_chart_repo_name }} {{ repository_url }}/helm-charts/system - when: - - helm_chart_repo_name not in helm_repo_list.stdout + - name: "Add {{ helm_chart_repo_name }} Helm repository from url http://localhost/epirepo" + shell: helm repo add {{ 
helm_chart_repo_name }} http://localhost/epirepo/helm-charts/system + when: helm_chart_repo_name not in helm_repo_list.stdout - - name: Update Helm repo - shell: | - helm repo update + - name: Update Helm repo + shell: helm repo update - - name: Get Helm charts list from repo after update - shell: | - helm search repo {{ helm_chart_repo_name }} --output json | jq -r '.[].name' - register: helm_charts_list_after_update + - name: Get Helm charts list from repo after update + shell: helm search repo {{ helm_chart_repo_name }} --output json | jq -r '.[].name' + register: helm_charts_list_after_update - - name: Delete Helm charts not present in repository - shell: | - helm delete {{ chart_subname }} --purge - vars: - chart_subname: "{{ item.split('/')[1] }}" - loop: "{{ helm_charts_list_before_update.stdout_lines }}" - when: item not in helm_charts_list_after_update.stdout_lines + - name: Delete Helm charts not present in repository + shell: helm delete {{ chart_subname }} --purge + vars: + chart_subname: "{{ item.split('/')[1] }}" + loop: "{{ helm_charts_list_before_update.stdout_lines }}" + when: item not in helm_charts_list_after_update.stdout_lines + when: uri_index_test.status == 200 # whole block of code is supposed to be executed only if system charts exist diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/repository/tasks/create-helm-repo.yml b/core/src/epicli/data/common/ansible/playbooks/roles/repository/tasks/create-helm-repo.yml index 99133ba9f7..2a43caa68a 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/repository/tasks/create-helm-repo.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/repository/tasks/create-helm-repo.yml 
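Review bot: `shell: helm delete {{ chart_subname }} --purge` uses the Helm 2 `--purge` flag, but the surrounding commands (`helm search repo`, the 'no repositories' stderr check) are Helm 3 syntax, and Helm 3 rejects `--purge` as an unknown flag, so the "Delete Helm charts not present in repository" task will fail the first time a chart disappears from the repository (presumably the Helm in use is the one added to the epicli image in #1618). Change it to `shell: helm uninstall {{ chart_subname | quote }}`, quoting the release name since it is taken from repo index output. Separately, every task in this hunk targets `http://localhost/epirepo/...` while the play in helm.yml runs with `connection: local` on the controller, so this only resolves if port 80 of the repository host is forwarded to the controller; if that is the mechanism, a comment on the `uri` task should say so.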
@@ -21,7 +21,7 @@ loop: "{{ system_charts_dir_list.files }}" - name: Generate index.yaml file - shell: helm repo index {{ specification.apache_epirepo_path }}/helm-charts/system/ --url {{ repository_url }}/helm-charts/system + shell: helm repo index {{ specification.apache_epirepo_path }}/helm-charts/system/ --url http://localhost/epirepo/helm-charts/system args: executable: /bin/bash diff --git a/core/src/epicli/data/common/defaults/configuration/feature-mapping.yml b/core/src/epicli/data/common/defaults/configuration/feature-mapping.yml index c2717875c3..f083713410 100644 --- a/core/src/epicli/data/common/defaults/configuration/feature-mapping.yml +++ b/core/src/epicli/data/common/defaults/configuration/feature-mapping.yml @@ -122,9 +122,7 @@ specification: - firewall - vault kubernetes_master: - - image-registry - kubernetes-master - - repository - helm - applications - node-exporter @@ -146,3 +144,9 @@ specification: - node-exporter - filebeat - firewall + repository: + - repository + - image-registry + - firewall + - filebeat + - node-exporter diff --git a/core/src/epicli/data/common/defaults/epiphany-cluster.yml b/core/src/epicli/data/common/defaults/epiphany-cluster.yml index d5ef7689bb..c25d52e813 100644 --- a/core/src/epicli/data/common/defaults/epiphany-cluster.yml +++ b/core/src/epicli/data/common/defaults/epiphany-cluster.yml @@ -94,6 +94,13 @@ specification: subnets: - availability_zone: eu-west-2a address_pool: 10.1.10.0/24 + repository: + count: 1 + machine: repository-machine + configuration: default + subnets: + - availability_zone: eu-west-2a + address_pool: 10.1.11.0/24 single_machine: count: 0 machine: single-machine
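Review bot: `--url http://localhost/epirepo/helm-charts/system` bakes `localhost` into the absolute chart URLs that `helm repo index` writes into index.yaml, so the index is usable only by a client on the repository host itself or behind a forward of port 80; the consumer (the helm role) now runs on the controller with `connection: local`, not on the repository host. If a port-forward is what makes this resolve, record it above the task: `# index.yaml embeds absolute chart URLs; "localhost" assumes the helm role reaches the repository through a local port-80 forward`. Otherwise the URL should remain the repository's reachable address, which the removed `{{ repository_url }}` provided.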
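Review bot: The new `repository` component's `address_pool: 10.1.11.0/24` has to stay inside `10.1.0.0/20`, because the `repository-machine` security rules in the AWS and Azure virtual-machine.yml defaults allow ports 80, 5000 and 9100 only from that literal range; nothing in this file records the constraint, so a user who relocates the subnet likely gets a cluster that cannot fetch packages or images, with no error at apply time. Add `# must stay within 10.1.0.0/20 - the repository-machine security rules allow cluster traffic only from that range` next to the pool. `count: 1` also makes this host the single source of packages and images for every node; a one-line note that it is not redundant would spare the next operator a surprise.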