diff --git a/README.md b/README.md index 4daf463..eb1b882 100644 --- a/README.md +++ b/README.md @@ -38,7 +38,7 @@ Thanks to [Hypriot](https://github.com/hypriot/image-builder-rpi/releases/latest 1. Download the latest Hyoriot image and store it as `hypriot.zip` : - curl -L https://github.com/hypriot/image-builder-rpi/releases/download/v1.5.0/hypriotos-rpi-v1.5.0.img.zip -o hypriot.zip + curl -L https://github.com/hypriot/image-builder-rpi/releases/download/v1.6.0/hypriotos-rpi-v1.6.0.img.zip -o hypriot.zip 2. Install Hypriots' [flash](https://github.com/hypriot/flash) installer script. Follow the directions on the installation page. @@ -137,8 +137,6 @@ The following steps will be applied by this command (which may take a bit): With this basic setup you have already a working Docker environment. -**Now its time to reboot the whole cluster since some required boot params has been added. Plug the wire.** - ### Kubernetes Setup The final step for a working Kubernetes cluster is to run diff --git a/roles/base/tasks/apt.yml b/roles/base/tasks/apt.yml index 3f20578..94e3300 100644 --- a/roles/base/tasks/apt.yml +++ b/roles/base/tasks/apt.yml @@ -7,10 +7,18 @@ - name: Add Kubernetes Repo Key apt_key: url=https://packages.cloud.google.com/apt/doc/apt-key.gpg +- name: Add Docker Repo Key + apt_key: + id: F76221572C52609D + keyserver: hkp://keyserver.ubuntu.com:80 + - name: Add Kubernetes Repo # Try to pick up latest stable builds. Switch over to '-unstable' if targeting latest releases apt_repository: repo='deb http://apt.kubernetes.io/ kubernetes-xenial main' state=present +- name: Add Docker Repo + apt_repository: repo='deb [arch=armhf] https://apt.dockerproject.org/repo raspbian-jessie main' state=present + - name: Update APT package cache and upgrade apt: update_cache: yes diff --git a/roles/base/tasks/user.yml b/roles/base/tasks/user.yml index 63b9a47..66f2bec 100644 --- a/roles/base/tasks/user.yml +++ b/roles/base/tasks/user.yml 
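Review bot: The new `Add Docker Repo Key` task identifies the key only by the 64-bit key ID `F76221572C52609D` and fetches it over plain HKP (`hkp://keyserver.ubuntu.com:80`), so the key that will be trusted for every Docker package on these nodes arrives over an unauthenticated channel and is matched on a long ID rather than a fingerprint. Give `id` the full 40-hex fingerprint of that key so `apt_key` can verify what it imported, and fetch it over TLS the same way the `Add Kubernetes Repo Key` task two lines above does — `apt_key: url=https://… id=<full fingerprint>` — or at least `keyserver: hkps://keyserver.ubuntu.com`. The repo line added below is already `https`, so the key retrieval is now the weakest link in this role.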
@@ -7,7 +7,7 @@ - name: Add user pi to group docker user: name=pi groups=docker,pi,video append=yes shell=/bin/bash -- name: Add pi to to sudoers +- name: Add pi to sudoers lineinfile: dest: /etc/sudoers state: present diff --git a/roles/kubernetes/defaults/main.yml b/roles/kubernetes/defaults/main.yml index 78ffbbc..393de35 100644 --- a/roles/kubernetes/defaults/main.yml +++ b/roles/kubernetes/defaults/main.yml @@ -5,9 +5,10 @@ network: pod_subnet: 10.1.0.0/16 images: flannel: quay.io/coreos/flannel:v0.7.0-arm - weave: weaveworks/weave-kube:1.9.4 - weave_npc: weaveworks/weave-npc:1.9.4 + weave: weaveworks/weave-kube:2.0.4 + weave_npc: weaveworks/weave-npc:2.0.4 k8s: + version: 1.8.0* # Timing is good for demos. Defaults are 5min eviction and 40s node grace period # TODO: Not yet put into the k8s configuration pod_eviction_timeout: 5s @@ -16,6 +17,5 @@ docker: # devicemapper or overlay2 storage_driver: devicemapper expose_tcp: true - version: "1.12*" - + version: "17.03*" debug_level: 2 diff --git a/roles/kubernetes/tasks/apt.yml b/roles/kubernetes/tasks/apt.yml index 4da45f1..1c5e87d 100644 --- a/roles/kubernetes/tasks/apt.yml +++ b/roles/kubernetes/tasks/apt.yml @@ -4,7 +4,7 @@ force: yes state: present with_items: - - kubelet - - kubeadm - - kubectl + - kubelet={{ k8s.version }} + - kubeadm={{ k8s.version }} + - kubectl={{ k8s.version }} - kubernetes-cni diff --git a/roles/kubernetes/tasks/docker.yml b/roles/kubernetes/tasks/docker.yml index 6087691..615cb69 100644 --- a/roles/kubernetes/tasks/docker.yml +++ b/roles/kubernetes/tasks/docker.yml @@ -13,7 +13,7 @@ dockerd_extra_args: "{{ '-H tcp://' + inventory_hostname + ':2375' if docker.expose_tcp else '' }}" - name: Update docker service startup - template: src=docker-1.12.service dest=/etc/systemd/system/multi-user.target.wants/docker.service + template: src=docker.service dest=/etc/systemd/system/docker.service register: result notify: - restart docker 
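Review bot: `version: 1.8.0*` in the new `k8s` block is an unquoted scalar while the docker pin further down the same file is written `version: "17.03*"`; both are apt version globs and should be quoted the same way, `version: "1.8.0*"`, so a later edit that moves the `*` to the front never turns the value into a YAML alias and tooling does not retype it. A short comment saying these are apt globs, not exact versions, would also help the reader who sees `kubelet={{ k8s.version }}` in the tasks.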
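Review bot: The new pins `kubelet={{ k8s.version }}` / `kubeadm={{ k8s.version }}` / `kubectl={{ k8s.version }}` sit under an unchanged `force: yes`, which for Ansible's apt module maps to apt-get `--force-yes` and implies `allow_unauthenticated`, so signature checking on exactly these packages is switched off and the repo key imported in the base role buys nothing here; drop `force: yes` and let the install fail loudly if the pinned build is unsigned or missing. The pins are also not held, so the base role's `Update APT package cache and upgrade` task (or any later `apt upgrade`) can move the node off the pinned version on the next run — add `- name: Hold Kubernetes packages` / `dpkg_selections: name={{ item }} selection=hold` / `with_items: [kubelet, kubeadm, kubectl]` after this task. The `with_items` list starts inside this hunk but the task header is above it.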
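Review bot: The unchanged `dockerd_extra_args` line in this hunk still appends `-H tcp://<inventory_hostname>:2375` whenever `docker.expose_tcp` is set, and the role's defaults (also in this diff) set it to `true`, so the rewritten `docker.service` starts dockerd with an unauthenticated, unencrypted remote API — anyone who can reach port 2375 on a node can run a privileged container, which is root on the node regardless of Kubernetes RBAC. Since the commit is already replacing the unit template, this is the moment to default `expose_tcp` to `false`, or to require `--tlsverify --tlscacert … --tlscert … --tlskey …` when it is on; at minimum put `# WARNING: unauthenticated remote Docker API, isolated demo networks only` above the `dockerd_extra_args` line. The `docker.service` template itself is not in this diff, so I cannot see whether it still interpolates `{{ dockerd_extra_args }}` — worth checking that the rename did not silently drop it.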
diff --git a/roles/kubernetes/tasks/master.yml b/roles/kubernetes/tasks/master.yml index 8c60078..504eddb 100644 --- a/roles/kubernetes/tasks/master.yml +++ b/roles/kubernetes/tasks/master.yml 
@@ -1,35 +1,28 @@ -- name: Check for an already generated token - become: no - stat: path={{ playbook_dir }}/run/kubeadm-token.txt - delegate_to: localhost - register: kubeadm_token - -- block: - - name: Create a token from master - command: kubeadm token generate - register: kubeadm_gen_token - - name: Copy token to local file 'kubernetes-token' - become: no - copy: content={{ kubeadm_gen_token.stdout }} dest={{ playbook_dir }}/run/kubeadm-token.txt - delegate_to: localhost - when: kubeadm_token.stat.exists == false and mode == "master" - -- name: Register token as fact - set_fact: - kubeadm_token: "{{ lookup('file', playbook_dir + '/run/kubeadm-token.txt') }}" - - name: Copy init file for kubeadm template: src=kubeadm.yml dest=/etc/kubernetes/kubeadm.yml mode=0755 +- name: Clean up /var/lib/kubelet/ + file: path=/var/lib/kubelet/pki state=absent + - name: Run kubeadm init on master -# environment: - # Temporary until 1.6 is released -# KUBE_HYPERKUBE_IMAGE: luxas/hyperkube:v1.6.0-and-PR-42911 command: kubeadm init --config /etc/kubernetes/kubeadm.yml register: kubeadm_init +- name: Create a dedicated token from master + command: kubeadm token create --ttl 0 --groups system:bootstrappers:kubeadm:default-node-token --description "Bootstrap token which does not expire" + register: kubeadm_gen_token + +- name: Copy token to local file 'kubernetes-token' + become: no + copy: content={{ kubeadm_gen_token.stdout }} dest={{ playbook_dir }}/run/kubeadm-token.txt + delegate_to: localhost + +- name: Register token as fact + set_fact: + kubeadm_token: "{{ lookup('file', playbook_dir + '/run/kubeadm-token.txt') }}" + - name: Copy Kubernetes access config to ~/.kube/config on nodes - copy: remote_src=True src=/etc/kubernetes/admin.conf dest=/home/pi/.kube/config owner=pi + copy: remote_src=True src=/etc/kubernetes/admin.conf dest=/home/pi/.kube/config owner=pi group=pi # - debug: var=kubeadm_init.stdout 
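Review bot: `kubeadm token create --ttl 0` in the new `Create a dedicated token from master` task mints a bootstrap token that never expires, and the following task writes it in clear text to `run/kubeadm-token.txt` on the controller; since it is in `system:bootstrappers:kubeadm:default-node-token`, anyone who later reads that file or the token list can join a machine to the cluster and obtain a kubelet client certificate for the cluster's whole lifetime. Prefer the default 24h TTL (drop `--ttl 0`, or use an explicit `--ttl 24h`) and write the local copy with `mode=0600`; if a non-expiring token is really wanted for repeated demo re-joins, say so in `--description` and add a `kubeadm token delete` task to run once the nodes are in. `mode=0755` on `/etc/kubernetes/kubeadm.yml` is also odd for a configuration file that nothing executes — `mode=0644` (or `0600`) is what it wants. Note `register: kubeadm_init` is kept but its output is no longer used anywhere visible.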
diff --git a/roles/kubernetes/tasks/node.yml b/roles/kubernetes/tasks/node.yml index 4ca55a8..71f185a 100644 --- a/roles/kubernetes/tasks/node.yml +++ b/roles/kubernetes/tasks/node.yml @@ -2,8 +2,20 @@ set_fact: kubeadm_token: "{{ lookup('file', playbook_dir + '/run/kubeadm-token.txt') }}" +- name: Clean up /var/lib/kubelet/ + file: path=/var/lib/kubelet/pki state=absent + - name: Run kubeadm join on node - command: kubeadm join --token={{ kubeadm_token }} master:6443 + command: kubeadm join --token={{ kubeadm_token }} --discovery-token-unsafe-skip-ca-verification master:6443 +- name: Wait for /etc/kubernetes/kubelet.conf to be created + wait_for: path=/etc/kubernetes/kubelet.conf + - name: Copy Kubernetes access config to ~/.kube/config on nodes - copy: remote_src=True src=/etc/kubernetes/kubelet.conf dest=/home/pi/.kube/config owner=pi + copy: remote_src=True src=/etc/kubernetes/kubelet.conf dest=/home/pi/.kube/config owner=pi group=pi + +- name: Fix permission for kubelet-client.key + file: path=/var/lib/kubelet/pki/kubelet-client.key mode="660" group=pi + +- name: Fix permission for kubelet.key + file: path=/var/lib/kubelet/pki/kubelet.key mode="660" group=pi diff --git a/roles/kubernetes/templates/cni/weave.yml b/roles/kubernetes/templates/cni/weave.yml index e38bb05..e373096 100644 --- a/roles/kubernetes/templates/cni/weave.yml +++ b/roles/kubernetes/templates/cni/weave.yml 
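Review bot: `--discovery-token-unsafe-skip-ca-verification` on the new `kubeadm join` line disables the only check that tells a node it is talking to its own control plane, so a host on the same LAN that can answer for `master:6443` can present a bogus CA, collect the bootstrap token and receive the node's workloads. The master already has the CA, so compute the pinning hash there with the documented command `openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'`, register it alongside the token, and join with `--discovery-token-ca-cert-hash sha256:{{ kubeadm_ca_hash }}` instead of the skip flag. Separately, the two `Fix permission` tasks chgrp the kubelet's private keys to `pi` with mode `660`, which — together with copying `kubelet.conf` to `~pi/.kube/config` — lets the unprivileged `pi` login act with the node's own identity toward the API server; if `pi` needs kubectl on nodes, hand it a kubeconfig built from a separate, scoped credential rather than the node key.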
@@ -1,118 +1,140 @@ -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: weave-net -rules: -- apiGroups: - - "" - resources: - - pods - - namespaces - - nodes - verbs: - - get - - list - - watch -- apiGroups: - - extensions - resources: - - networkpolicies - verbs: - - get - - list - - watch ---- apiVersion: v1 -kind: ServiceAccount -metadata: - name: weave-net - namespace: kube-system ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: weave-net -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: weave-net -subjects: -- kind: ServiceAccount - name: weave-net - namespace: kube-system ---- -apiVersion: extensions/v1beta1 -kind: DaemonSet -metadata: - name: weave-net - namespace: kube-system -spec: - template: +kind: List +items: + - apiVersion: v1 + kind: ServiceAccount metadata: + name: weave-net labels: name: weave-net + namespace: kube-system + - apiVersion: rbac.authorization.k8s.io/v1beta1 + kind: ClusterRole + metadata: + name: weave-net + labels: + name: weave-net + rules: + - apiGroups: + - '' + resources: + - pods + - namespaces + - nodes + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - networkpolicies + verbs: + - get + - list + - watch + - apiVersion: rbac.authorization.k8s.io/v1beta1 + kind: ClusterRoleBinding + metadata: + name: weave-net + labels: + name: weave-net + roleRef: + kind: ClusterRole + name: weave-net + apiGroup: rbac.authorization.k8s.io + subjects: + - kind: ServiceAccount + name: weave-net + namespace: kube-system + - apiVersion: extensions/v1beta1 + kind: DaemonSet + metadata: + name: weave-net + labels: + name: weave-net + namespace: kube-system spec: - hostNetwork: true - hostPID: true - containers: - - name: weave - image: {{ images.weave }} - command: - - /home/weave/launch.sh - livenessProbe: - initialDelaySeconds: 30 - httpGet: - host: 127.0.0.1 - path: /status - port: 6784 + template: + metadata: 
+ labels: + name: weave-net + spec: + containers: + - name: weave + command: + - /home/weave/launch.sh + env: + - name: HOSTNAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + image: '{{ images.weave }}' + livenessProbe: + httpGet: + host: 127.0.0.1 + path: /status + port: 6784 + initialDelaySeconds: 30 + resources: + requests: + cpu: 10m + securityContext: + privileged: true + volumeMounts: + - name: weavedb + mountPath: /weavedb + - name: cni-bin + mountPath: /host/opt + - name: cni-bin2 + mountPath: /host/home + - name: cni-conf + mountPath: /host/etc + - name: dbus + mountPath: /host/var/lib/dbus + - name: lib-modules + mountPath: /lib/modules + - name: weave-npc + env: + - name: HOSTNAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + image: '{{ images.weave_npc }}' + resources: + requests: + cpu: 10m + securityContext: + privileged: true + hostNetwork: true + hostPID: true + restartPolicy: Always securityContext: - privileged: true - volumeMounts: + seLinuxOptions: {} + serviceAccountName: weave-net + tolerations: + - effect: NoSchedule + operator: Exists + volumes: - name: weavedb - mountPath: /weavedb + hostPath: + path: /var/lib/weave - name: cni-bin - mountPath: /host/opt + hostPath: + path: /opt - name: cni-bin2 - mountPath: /host/home + hostPath: + path: /home - name: cni-conf - mountPath: /host/etc + hostPath: + path: /etc - name: dbus - mountPath: /host/var/lib/dbus + hostPath: + path: /var/lib/dbus - name: lib-modules - mountPath: /lib/modules - resources: - requests: - cpu: 10m - - name: weave-npc - image: {{ images.weave_npc }} - resources: - requests: - cpu: 10m - securityContext: - privileged: true - restartPolicy: Always - tolerations: - - key: node-role.kubernetes.io/master - effect: NoSchedule - serviceAccountName: weave-net - securityContext: - seLinuxOptions: - type: spc_t - volumes: - - name: weavedb - emptyDir: {} - - name: cni-bin - hostPath: - path: /opt - - name: cni-bin2 - hostPath: - 
path: /home - - name: cni-conf - hostPath: - path: /etc - - name: dbus - hostPath: - path: /var/lib/dbus - - name: lib-modules - hostPath: - path: /lib/modules + hostPath: + path: /lib/modules + updateStrategy: + type: RollingUpdate diff --git a/roles/kubernetes/templates/docker-1.12.service b/roles/kubernetes/templates/docker-1.12.service deleted file mode 100644 index a287aba..0000000 --- a/roles/kubernetes/templates/docker-1.12.service +++ /dev/null @@ -1,32 +0,0 @@ -[Unit] -Description=Docker Application Container Engine -Documentation=https://docs.docker.com -After=network.target docker.socket -Requires=docker.socket - -[Service] -Type=notify -# the default is not to use systemd for cgroups because the delegate issues still -# exists and systemd currently does not support the cgroup feature set required -# for containers run by docker -# Extra options: -# - select overlay as file driver -# - make the cluster accessible from the outside -ExecStart=/usr/bin/dockerd -H fd:// {{ dockerd_extra_args }} -s {{ docker.storage_driver }} -ExecReload=/bin/kill -s HUP $MAINPID -# Having non-zero Limit*s causes performance problems due to accounting overhead -# in the kernel. We recommend using cgroups to do container-local accounting. -LimitNOFILE=infinity -LimitNPROC=infinity -LimitCORE=infinity -# Uncomment TasksMax if your systemd version supports it. -# Only systemd 226 and above support this version. -#TasksMax=infinity -TimeoutStartSec=0 -# set delegate yes so that systemd does not reset the cgroups of docker containers -Delegate=yes -# kill only the docker process, not all processes in the cgroup -KillMode=process - -[Install] -WantedBy=multi-user.target diff --git a/roles/kubernetes/templates/kubeadm.yml b/roles/kubernetes/templates/kubeadm.yml index 4903c3a..f486e72 100644 --- a/roles/kubernetes/templates/kubeadm.yml +++ b/roles/kubernetes/templates/kubeadm.yml 
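Review bot: The rebuilt `weave-net` ClusterRole still grants only `get`/`list`/`watch` on pods, namespaces, nodes and networkpolicies, while the images are bumped to weave 2.0.4, which as far as I recall keeps its IPAM peer list in a `weave-net` ConfigMap in `kube-system` and needs `create` plus `get`/`update` on it through a namespaced Role/RoleBinding that the upstream 2.0 manifest ships and this template does not — if the DaemonSet logs a `configmaps … is forbidden` error at start-up, that is the cause. Please diff this template against the upstream `weave-kube` 2.0.4 manifest before relying on it; keeping the ClusterRole minimal is the right instinct, it just has to match what the binary actually calls. The toleration change from the master taint only to `operator: Exists` / `effect: NoSchedule` also deserves a comment, since it now lands the privileged, `hostPID` pod on every node regardless of why it was tainted.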
@@ -1,18 +1,12 @@ kind: MasterConfiguration apiVersion: kubeadm.k8s.io/v1alpha1 -token: "{{ kubeadm_token }}" networking: podSubnet: "{{ network.pod_subnet }}" # serviceSubnet: "{{ network.service_subnet }}" controllerManagerExtraArgs: - controllers: "*,-persistentvolume-binder,bootstrapsigner,tokencleaner" horizontal-pod-autoscaler-use-rest-clients: "true" horizontal-pod-autoscaler-sync-period: "10s" node-monitor-grace-period: "10s" apiServerExtraArgs: runtime-config: "api/all=true" - feature-gates: "TaintBasedEvictions=true" -# Disabled for now, requires 1.7.0 alpha: -# proxy-client-cert-file: "/etc/kubernetes/pki/front-proxy-client.crt" -# proxy-client-key-file: "/etc/kubernetes/pki/front-proxy-client.key" -# selfHosted: true +kubernetesVersion: "latest-1.8" diff --git a/roles/management/defaults/main.yml b/roles/management/defaults/main.yml index d996808..fee635a 100644 --- a/roles/management/defaults/main.yml +++ b/roles/management/defaults/main.yml @@ -1,4 +1,4 @@ images: - dashboard: luxas/kubernetes-dashboard:v1.6.0 - heapster: luxas/heapster:v1.3.0 + dashboard: luxas/kubernetes-dashboard:v1.6.3 + heapster: luxas/heapster:v1.4.0 influxdb: luxas/heapster-influxdb:v1.1.1 diff --git a/roles/management/templates/dashboard.yml b/roles/management/templates/dashboard.yml index 07d4717..7eda4a8 100644 --- a/roles/management/templates/dashboard.yml +++ b/roles/management/templates/dashboard.yml 
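Review bot: `kubernetesVersion: "latest-1.8"` makes `kubeadm init` resolve the control-plane version over the network at run time, so the version baked into the static pod manifests floats with every upstream 1.8.x patch while the node binaries are pinned to `k8s.version: 1.8.0*` elsewhere in this diff; the build is not reproducible and kubelet and apiserver can drift apart between runs. Derive it from the same variable, e.g. `kubernetesVersion: "v{{ k8s.version | regex_replace('\\*$', '') }}"`, or pin a literal `"v1.8.0"`. Re-enabling `bootstrapsigner` and `tokencleaner` is needed for kubeadm 1.8 token discovery, but `tokencleaner` has nothing to clean for a token created with `--ttl 0`. The unchanged `runtime-config: "api/all=true"` also switches on every alpha API group on the apiserver — acceptable for a demo, but worth a comment saying so.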
@@ -1,57 +1,82 @@ +# Copyright 2015 Google Inc. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Configuration to deploy release version of the Dashboard UI compatible with +# Kubernetes 1.6 (RBAC enabled). +# +# Example usage: kubectl create -f + apiVersion: v1 kind: ServiceAccount metadata: - name: dashboard + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard namespace: kube-system --- -kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding metadata: - name: dashboard-admin + name: kubernetes-dashboard + labels: + k8s-app: kubernetes-dashboard roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount - name: dashboard + name: kubernetes-dashboard namespace: kube-system --- kind: Deployment apiVersion: extensions/v1beta1 metadata: labels: - app: kubernetes-dashboard + k8s-app: kubernetes-dashboard name: kubernetes-dashboard namespace: kube-system spec: replicas: 1 + revisionHistoryLimit: 10 selector: matchLabels: - app: kubernetes-dashboard + k8s-app: kubernetes-dashboard template: metadata: labels: - app: kubernetes-dashboard + k8s-app: kubernetes-dashboard spec: - tolerations: - - key: beta.kubernetes.io/arch - value: arm - effect: NoSchedule - serviceAccountName: dashboard containers: - name: kubernetes-dashboard image: {{ images.dashboard }} - imagePullPolicy: Always ports: - containerPort: 9090 protocol: TCP + args: + # 
Uncomment the following line to manually specify Kubernetes API server Host + # If not specified, Dashboard will attempt to auto discover the API server and connect + # to it. Uncomment only if the default does not work. + # - --apiserver-host=http://my-address:port livenessProbe: httpGet: path: / port: 9090 initialDelaySeconds: 30 timeoutSeconds: 30 + serviceAccountName: kubernetes-dashboard + # Comment the following tolerations if Dashboard must not be deployed on master tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule @@ -60,7 +85,7 @@ kind: Service apiVersion: v1 metadata: labels: - app: kubernetes-dashboard + k8s-app: kubernetes-dashboard name: kubernetes-dashboard namespace: kube-system spec: @@ -68,5 +93,4 @@ spec: - port: 80 targetPort: 9090 selector: - app: kubernetes-dashboard - type: NodePort + k8s-app: kubernetes-dashboard diff --git a/roles/management/templates/heapster.yml b/roles/management/templates/heapster.yml index 7ca0fdd..964446d 100644 --- a/roles/management/templates/heapster.yml +++ b/roles/management/templates/heapster.yml @@ -17,7 +17,7 @@ subjects: name: heapster namespace: kube-system --- -apiVersion: extensions/v1beta1 +apiVersion: apps/v1beta1 kind: Deployment metadata: name: heapster @@ -37,6 +37,9 @@ spec: - key: beta.kubernetes.io/arch value: arm effect: NoSchedule + - key: beta.kubernetes.io/arch + value: arm64 + effect: NoSchedule serviceAccountName: heapster containers: - name: heapster
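Review bot: The ClusterRoleBinding in this hunk still attaches the `kubernetes-dashboard` ServiceAccount to `cluster-admin`, and the dashboard release pinned in `images.dashboard` (1.6.x) as far as I know has no login view of its own, so every request that reaches port 9090 — any pod in the cluster, as no NetworkPolicy is applied, or anyone permitted to `kubectl proxy` — acts as cluster-admin. Dropping `type: NodePort` rightly removes the LAN-facing exposure, but the binding is what turns "can reach the UI" into "owns the cluster". If full admin is deliberate for the demo, say so above the binding, e.g. `# WARNING: dashboard performs no authentication; cluster-admin here means anyone reaching the Service owns the cluster`, and otherwise bind to `view` or a purpose-built read-mostly ClusterRole.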