diff --git a/mcapi_vexxhost/README.rst b/mcapi_vexxhost/README.rst index 73edaf07..5207abee 100644 --- a/mcapi_vexxhost/README.rst +++ b/mcapi_vexxhost/README.rst @@ -110,10 +110,13 @@ in `/etc/openstack_deploy/group_vars/k8s_all/haproxy_service.yml` Configure the LXC container that will host the control plane k8s cluster to be suitable for running nested containers in `/etc/openstack_deploy/group_vars/k8s_all/main.yml` +There you can also set config-overrides for the control plane of the k8s cluster, +which integrate the control plane k8s deployment with the rest of the openstack-ansible deployment. + .. literalinclude:: ../../mcapi_vexxhost/playbooks/files/openstack_deploy/group_vars/k8s_all/main.yml :language: yaml -Set up config-overrides for the magnum service in `/etc/openstack_deploy/user_variables_magnum.yml`. +Set up config-overrides for the magnum service in `/etc/openstack_deploy/group_vars/magnum_all/main.yml`. Adjust the images and flavors here as necessary, these are just for demonstration. Upload as many images as you need for the different workload cluster kubernetes versions. @@ -123,14 +126,7 @@ service and cluster-api can be configured to interact with either the external o internal endpoint and must trust the SSL certificiate. Depending on the environment, these may be derived from different certificate authorities. -.. literalinclude:: ../../mcapi_vexxhost/playbooks/files/openstack_deploy/user_variables_z_magnum.yml - :language: yaml - -Set up config-overrides for the control plane k8s cluster in /etc/openstack_deploy/user_variables_k8s.yml` -These variables integrate the control plane k8s deployment with the rest of the -openstack-ansible deployment. - -.. literalinclude:: ../../mcapi_vexxhost/playbooks/files/openstack_deploy/user_variables_k8s.yml +.. literalinclude:: ../../mcapi_vexxhost/playbooks/files/openstack_deploy/group_vars/magnum_all/main.yml :language: yaml Run the deployment diff --git a/mcapi_vexxhost/playbooks/files/openstack_deploy/group_vars/k8s_all/main.yml b/mcapi_vexxhost/playbooks/files/openstack_deploy/group_vars/k8s_all/main.yml index 43bf045c..5a38d82c 100644 --- a/mcapi_vexxhost/playbooks/files/openstack_deploy/group_vars/k8s_all/main.yml +++ b/mcapi_vexxhost/playbooks/files/openstack_deploy/group_vars/k8s_all/main.yml @@ -1,6 +1,31 @@ +--- +# Run ansible modules in a venv on the target hosts +ansible_collection_kubernetes_target_venv: /opt/mcapi_ansible_venv + +# Pick a range of addresses for cilium that do not collide with anything else +cilium_ipv4_cidr: 172.29.200.0/22 + +# wire OSA group, host and network addresses into k8s deployment +kubelet_hostname: "{{ ansible_facts['hostname'] | lower }}" +kubelet_node_ip: "{{ management_address }}" +kubernetes_control_plane_group: k8s_container +kubernetes_hostname: "{{ internal_lb_vip_address }}" +kubernetes_non_init_namespace: true + +# Define custom k8s version for the control cluster +# kubernetes_version: 1.31 + +# Define LXC container overrides lxc_container_config_list: - "lxc.apparmor.profile=unconfined" lxc_container_mount_auto: - "proc:rw" - "sys:rw" + +# Set this manually, or kube-proxy will try to do this - not possible +# in a non-init namespace and will fail in LXC +openstack_host_nf_conntrack_max: 1572864 + +# OSA containers dont run ssh by default so cannot use synchronize +upload_helm_chart_method: copy diff --git a/mcapi_vexxhost/playbooks/files/openstack_deploy/group_vars/magnum_all/main.yml b/mcapi_vexxhost/playbooks/files/openstack_deploy/group_vars/magnum_all/main.yml new file mode 100644 index 00000000..5a360a82 --- /dev/null +++ b/mcapi_vexxhost/playbooks/files/openstack_deploy/group_vars/magnum_all/main.yml @@ -0,0 +1,38 @@ +--- +# Copyright 2020, VEXXHOST, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +magnum_magnum_cluster_api_git_install_branch: v0.22.1 + +# install magnum-cluster-api and kubernetes python package into magnum venv +magnum_user_pip_packages: + - "git+https://github.com/vexxhost/magnum-cluster-api@{{ magnum_magnum_cluster_api_git_install_branch }}#egg=magnum-cluster-api" + - kubernetes + +# ensure that the internal VIP CA is trusted by the CAPI driver +magnum_config_overrides: + drivers: + # Supply a custom CA file which will be passed and used exclusively on all workload nodes + # System trust will be used by default + openstack_ca_file: '/usr/local/share/ca-certificates/ExampleCorpRoot.crt' + capi_client: + # Supply a CA that will be used exclusively for connections towards + # OpenStack public and internal endpoints. + ca_file: '/usr/local/share/ca-certificates/ExampleCorpRoot.crt' + endpoint: 'internalURL' + cluster_template: + kubernetes_allowed_network_drivers: 'calico' + kubernetes_default_network_driver: 'calico' + certificates: + cert_manager_type: x509keypair diff --git a/mcapi_vexxhost/playbooks/files/openstack_deploy/user_variables_k8s.yml b/mcapi_vexxhost/playbooks/files/openstack_deploy/user_variables_k8s.yml deleted file mode 100644 index 2a3ebd3b..00000000 --- a/mcapi_vexxhost/playbooks/files/openstack_deploy/user_variables_k8s.yml +++ /dev/null @@ -1,19 +0,0 @@ -# wire OSA group, host and network addresses into k8s deployment -kubernetes_control_plane_group: k8s_container -kubelet_hostname: "{{ ansible_facts['hostname'] | lower }}" -kubelet_node_ip: "{{ management_address }}" -kubernetes_hostname: "{{ internal_lb_vip_address }}" -kubernetes_non_init_namespace: true - -# Pick a range of addresses for cilium that do not collide with anything else -cilium_ipv4_cidr: 172.29.200.0/22 - -# Set this manually, or kube-proxy will try to do this - not possible -# in a non-init namespace and will fail in LXC -openstack_host_nf_conntrack_max: 1572864 - -# OSA containers dont run ssh by default so cannot use synchronize -upload_helm_chart_method: copy - -# Run ansible modules in a venv on the target hosts -ansible_collection_kubernetes_target_venv: /opt/mcapi_ansible_venv diff --git a/mcapi_vexxhost/playbooks/files/openstack_deploy/user_variables_z_magnum.yml b/mcapi_vexxhost/playbooks/files/openstack_deploy/user_variables_z_magnum.yml index 1b07279b..57f92ef0 100644 --- a/mcapi_vexxhost/playbooks/files/openstack_deploy/user_variables_z_magnum.yml +++ b/mcapi_vexxhost/playbooks/files/openstack_deploy/user_variables_z_magnum.yml @@ -13,27 +13,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -magnum_magnum_cluster_api_git_install_branch: v0.22.1 - -# install magnum-cluster-api and kubernetes python package into magnum venv -magnum_user_pip_packages: - - "git+https://github.com/vexxhost/magnum-cluster-api@{{ magnum_magnum_cluster_api_git_install_branch }}#egg=magnum-cluster-api" - - kubernetes - -# ensure that the internal VIP CA is trusted by the CAPI driver -# TODO - this is too hardwired somehow -magnum_config_overrides: - drivers: - openstack_ca_file: '/usr/local/share/ca-certificates/ExampleCorpRoot.crt' - capi_client: - ca_file: '/usr/local/share/ca-certificates/ExampleCorpRoot.crt' - endpoint: 'internalURL' - cluster_template: - kubernetes_allowed_network_drivers: 'calico' - kubernetes_default_network_driver: 'calico' - certificates: - cert_manager_type: x509keypair - # use the openstack_resources role in the capi functional test rather than os_magnum # to create the test resources magnum_glance_images: []