diff --git a/Dockerfile b/Dockerfile
index 9e8aa67..37bcb13 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,11 +13,11 @@ COPY docker/licenses /licenses
 # Export http and https proxy here if building locally for dev
 COPY requirements.yml ${HOME}/requirements.yml
 USER 0
-RUN update-crypto-policies --set LEGACY && pip3 install pyopenssl
+RUN update-crypto-policies --set LEGACY && pip3 install pyopenssl mergedeep
 RUN ansible-galaxy collection install -r ${HOME}/requirements.yml \
 && chmod -R ug+rwx ${HOME}/.ansible
 RUN yum install git -y
-RUN git clone --single-branch --branch ${ACC_PROVISION_BRANCH} https://github.com/noironetworks/acc-provision.git
+RUN git clone --single-branch --branch cko https://github.com/noironetworks/acc-provision.git
 RUN cd acc-provision/provision && python3 setup.py install
 USER 1001
diff --git a/roles/accprovision/manifests/net-operator-controller-deployment.yaml b/roles/accprovision/manifests/net-operator-controller-deployment.yaml
new file mode 100644
index 0000000..7382058
--- /dev/null
+++ b/roles/accprovision/manifests/net-operator-controller-deployment.yaml
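Review bot: The new `git clone --single-branch --branch cko` line replaces the `${ACC_PROVISION_BRANCH}` build argument with a hard-coded, moving branch head, so two builds of the same Dockerfile can install different acc-provision code and the branch can no longer be overridden at build time without editing the file. Keep the argument with the new value as its default and pin what is checked out, e.g. `ARG ACC_PROVISION_BRANCH=cko` (the ARG declaration is presumably earlier in the file, outside this hunk) followed by `RUN git clone --single-branch --branch ${ACC_PROVISION_BRANCH} https://github.com/noironetworks/acc-provision.git && git -C acc-provision checkout ${ACC_PROVISION_COMMIT}` with the commit supplied as a second ARG. The same RUN now installs a second unpinned package, `mergedeep`, on the line that also switches the system crypto policy to LEGACY; pin it (`pip3 install --no-cache-dir pyopenssl mergedeep==<version>`) and add a comment stating why the LEGACY policy is required, since it weakens TLS defaults for everything else in the image.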
@@ -0,0 +1,410 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: net-operator-controller +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: net-operator-controller + namespace: net-operator-controller +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + network-plugin: calico + name: net-operator-controller +rules: +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - '*' +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - clusterrolebindings + verbs: + - '*' +- apiGroups: + - '' + resources: + - nodes + - namespaces + - configmaps + - secrets + - pods + - services + - serviceaccounts + - serviceaccounts/token + - endpoints + - events + verbs: + - '*' +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - list + - watch + - get +- apiGroups: + - apps + resources: + - deployments + - replicasets + - daemonsets + - statefulsets + verbs: + - '*' +- apiGroups: + - aci.ctrl + resources: + - accprovisioninputs + - accprovisioninputs/status + - accprovisioninputs/finalizers + verbs: + - '*' +- apiGroups: + - scheduling.k8s.io + resources: + - '*' + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: net-operator-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: net-operator-controller +subjects: +- kind: ServiceAccount + name: net-operator-controller + namespace: net-operator-controller +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: accprovisioninputs.aci.ctrl +spec: + group: aci.ctrl + names: + kind: AccProvisionInput + listKind: AccProvisionInputList + plural: accprovisioninputs + singular: accprovisioninput + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + description: accprovisioninput defines the 
input configuration for ACI CNI + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + description: AccProvisionInputSpec defines the desired spec for accprovisioninput object + properties: + acc_provision_input: + type: object + properties: + operator_managed_config: + type: object + properties: + enable_updates: + type: boolean + aci_config: + type: object + properties: + system_id: + type: string + apic_hosts: + type: array + items: + type: string + apic_login: + type: object + properties: + username: + type: string + password: + type: string + l3out: + type: object + properties: + name: + type: string + external_networks: + type: array + items: + type: string + sync_login: + type: object + properties: + certfile: + type: string + keyfile: + type: string + client_ssl: + type: boolean + net_config: + type: object + properties: + node_subnet: + type: string + pod_subnet: + type: string + extern_dynamic: + type: string + kubeapi_vlan: + type: integer + infra_vlan: + type: integer + registry: + type: object + properties: + image_prefix: + type: string + image_pull_secret: + type: string + aci_cni_config: + type: object + properties: + ovs_memory_limit: + type: string + use_privileged_containers: + type: boolean + image_pull_policy: + type: string + reboot_opflex_with_ovs: + type: string + snat_operator: + type: object + properties: + port_range: + type: object + properties: + start: + type: integer + end: + type: integer + ports_per_node: + type: integer + contract_scope: + type: string + disable_periodic_snat_global_info_sync: + type: boolean + aci_config: + type: object + properties: + vmm_domain: + type: object + properties: + encap_type: + type: string + mcast_range: + type: object + properties: + start: + type: string + end: + type: string + aep: + type: string + vrf: + type: object + properties: + name: + type: string + tenant: + type: string + net_config: + type: object + properties: + interface_mtu: + type: 
integer + extern_static: + type: string + registry: + type: object + properties: + aci_containers_operator_version: + type: string + aci_containers_controller_version: + type: string + aci_containers_host_version: + type: string + acc_provision_operator_version: + type: string + aci_cni_operator_version: + type: string + cnideploy_version: + type: string + opflex_agent_version: + type: string + openvswitch_version: + type: string + gbp_version: + type: string + network_operator_version: + type: string + kube_config: + type: object + properties: + logging: + type: object + properties: + controller_log_level: + type: string + hostagent_log_level: + type: string + opflexagent_log_level: + type: string + istio_config: + type: object + properties: + install_istio: + type: boolean + install_profile: + type: string + multus: + type: object + properties: + disable: + type: boolean + drop_log_config: + type: object + properties: + enable: + type: boolean + nodepodif_config: + type: object + properties: + enable: + type: boolean + sriov_config: + type: object + properties: + enable: + type: boolean + calico_config: + type: object + properties: + net_config: + type: object + properties: + block_size: + type: integer + bgp_config: + type: object + properties: + bgp_secret: + type: string + bgp_peer_config: + type: object + properties: + as_number: + type: integer + racks: + type: array + items: + type: array + items: + type: string + profile: + type: string + type: object + status: + description: AccProvisionInputStatus defines the successful completion of AccProvisionInput + properties: + status: + type: boolean + type: object + required: + - spec + type: object +--- +apiVersion: v1 +data: + spec: "{}" +kind: ConfigMap +metadata: + name: acc-provision-config + namespace: net-operator-controller +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: net-operator-controller + namespace: net-operator-controller +spec: + progressDeadlineSeconds: 600 + replicas: 1 + 
revisionHistoryLimit: 10 + selector: + matchLabels: + name: net-operator-controller + network-plugin: aci-containers + strategy: + type: Recreate + template: + metadata: + annotations: + scheduler.alpha.kubernetes.io/critical-pod: '' + labels: + name: net-operator-controller + network-plugin: aci-containers + name: net-operator-controller + namespace: net-operator-controller + spec: + containers: + - env: + - name: ANSIBLE_GATHERING + value: explicit + - name: WATCH_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ACC_PROVISION_FLAVOR + value: cko-calico + - name: ACC_PROVISION_INPUT_CR_NAME + value: accprovisioninput + image: quay.io/noirolabs/acc-provision-operator:abhishek + imagePullPolicy: Always + name: acc-provision-operator + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + dnsPolicy: ClusterFirst + hostNetwork: true + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + serviceAccount: net-operator-controller + serviceAccountName: net-operator-controller + terminationGracePeriodSeconds: 30 + tolerations: + - effect: NoSchedule + operator: Exists + volumes: + - configMap: + items: + - key: spec + path: acc-provision-operator.conf + name: acc-provision-config + name: acc-provision-config diff --git a/roles/accprovision/scripts/compute_input_provision_yaml.py b/roles/accprovision/scripts/compute_input_provision_yaml.py new file mode 100644 index 0000000..6023fb7 --- /dev/null +++ b/roles/accprovision/scripts/compute_input_provision_yaml.py 
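Review bot: The ClusterRole `net-operator-controller` grants `'*'` on `secrets`, `serviceaccounts/token`, `clusterroles` and `clusterrolebindings` across the cluster, which lets the operator mint a token for any service account and bind itself any role — effectively cluster-admin, for a pod that also runs with `hostNetwork: true` and an empty `securityContext`. Restrict each rule to the verbs the operator actually issues (for example `get`/`list`/`watch` on secrets, and `create` on `serviceaccounts/token` only if it really requests tokens) and move the namespace-scoped resources into a Role in `net-operator-controller`; the `WATCH_NAMESPACE` env var pointing at its own namespace suggests cluster-wide access is not needed for most of them. The Deployment pulls `quay.io/noirolabs/acc-provision-operator:abhishek` with `imagePullPolicy: Always`, a personal-looking mutable tag that should be a release tag or digest before this is merged. The `scheduler.alpha.kubernetes.io/critical-pod` annotation was removed in Kubernetes 1.16 and is a no-op; `priorityClassName: system-cluster-critical` is the supported replacement.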
@@ -0,0 +1,29 @@ +#!/usr/bin/python3 + +import yaml +import os +from mergedeep import merge + +def main(): + crd_input = os.getenv('CRDINPUT') + config = yaml.safe_load(crd_input) + if config.get("aci_cni_config"): + for key, value in config["aci_cni_config"].items(): + if key in config.keys(): + merge(config[key],config["aci_cni_config"][key]) + elif key == 'kube_config': + config.update(config["aci_cni_config"]['kube_config']) + else: + config[key] = config["aci_cni_config"][key] + + acc_prov_file_path = os.path.join(os.getenv('ACCPROVDIR'), os.getenv('ACCPROVFILE')) + with open(acc_prov_file_path, 'w') as outfile: + for key, value in config.items(): + if key == 'aci_cni_config': + pass + else: + yaml.dump({key: value}, outfile, default_flow_style=False) + return 0 + +if __name__ == "__main__": + main() diff --git a/roles/accprovision/tasks/main.yml b/roles/accprovision/tasks/main.yml index 7e744f9..9ed7792 100644 --- a/roles/accprovision/tasks/main.yml +++ b/roles/accprovision/tasks/main.yml @@ -1,3 +1,7 @@ - name: Run script to upgrade cluster include_tasks: upgrade.yml - when: acc_provision_input['operator_managed_config'] is defined and acc_provision_input['operator_managed_config']['enable_updates'] is defined and acc_provision_input['operator_managed_config']['enable_updates'] == true + when: acc_provision_input['operator_managed_config'] is defined and acc_provision_input['operator_managed_config']['enable_updates'] is defined and acc_provision_input['operator_managed_config']['enable_updates'] == true and acc_provision_input['profile'] != "cko-calico" + +- name: Run script to deploy net-operator-controller + include_tasks: net-operator-controller.yml + when: acc_provision_input['profile'] == "cko-calico" diff --git a/roles/accprovision/tasks/net-operator-controller.yml b/roles/accprovision/tasks/net-operator-controller.yml new file mode 100644 index 0000000..fd686ba --- /dev/null +++ b/roles/accprovision/tasks/net-operator-controller.yml 
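Review bot: `main()` dumps every top-level key of the CR input into `acc_prov_file_path` through a plain `open(acc_prov_file_path, 'w')`, and per the CRD schema in this commit that input carries `aci_config.apic_login.password` and `calico_config.bgp_config.bgp_secret`, so the APIC and BGP credentials land on disk with whatever the process umask allows (typically world-readable) inside a directory the role creates as 0755. Create the file owner-only instead: `fd = os.open(acc_prov_file_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` and `with os.fdopen(fd, 'w') as outfile:`. Two smaller points: `os.getenv('CRDINPUT')` returns `None` when the variable is unset and `yaml.safe_load(None)` then fails deep inside the reader rather than with a clear message, so validate the three environment variables up front and exit with an explanation; and `merge(config[key], ...)` assumes the existing `config[key]` is already a mapping, which presumably raises if a scalar of the same name is present. `yaml.safe_load` is the right loader here and should stay.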
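Review bot: Both `when:` clauses now index `acc_provision_input['profile']` unconditionally, so an existing CR that has no `profile` key makes Ansible abort the conditional with an undefined-attribute error instead of skipping the task, which regresses the non-calico upgrade path that worked before this change; the first condition already guards `operator_managed_config` with `is defined`, so `profile` deserves the same care. Use a default in both places: `acc_provision_input['profile'] | default('') != "cko-calico"` and `acc_provision_input['profile'] | default('') == "cko-calico"`.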
@@ -0,0 +1,21 @@ +--- +- name: Create directory for acc-provision run + file: + path: "{{ acc_provision_dir_path }}" + state: directory + mode: '0755' + +- name: Compute input provision file + script: "scripts/compute_input_provision_yaml.py" + args: + executable: /usr/bin/python3 + environment: + CRDINPUT: "{{ acc_provision_input }}" + ACCPROVDIR: "{{ acc_provision_dir_path }}" + ACCPROVFILE: "{{ acc_provision_file_name }}" + + +- name: Generate new deployment yaml + shell: "acc-provision -c {{ acc_provision_file_name }} -f {{ lookup('env', 'ACC_PROVISION_FLAVOR') }} -o {{ aci_cni_deployment_file }}" + args: + chdir: "{{ acc_provision_dir_path }}" diff --git a/roles/accprovision/templates/net-operator-cr.yaml b/roles/accprovision/templates/net-operator-cr.yaml new file mode 100644 index 0000000..496e434 --- /dev/null +++ b/roles/accprovision/templates/net-operator-cr.yaml 
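Review bot: The `Generate new deployment yaml` task interpolates `acc_provision_file_name`, the `ACC_PROVISION_FLAVOR` environment variable and `aci_cni_deployment_file` unquoted into a `shell:` command string, so any value containing whitespace or shell metacharacters (the flavor comes straight from the pod's environment) alters the command instead of being passed as an argument. Either quote each value — `-c {{ acc_provision_file_name | quote }} -f {{ lookup('env', 'ACC_PROVISION_FLAVOR') | quote }} -o {{ aci_cni_deployment_file | quote }}` — or switch to `command:` with `argv:`, which needs no shell at all. `CRDINPUT: "{{ acc_provision_input }}"` hands the script Ansible's string conversion of a dict rather than a defined serialization; `"{{ acc_provision_input | to_json }}"` is valid input for `yaml.safe_load` and round-trips quoting and booleans predictably. The directory created with `mode: '0755'` will hold the rendered input file containing the APIC password and BGP secret, so `'0700'` is the safer default.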
@@ -0,0 +1,94 @@ +apiVersion: aci.ctrl/v1alpha1 +kind: AccProvisionInput +metadata: + name: accprovisioninput + namespace: net-operator-controller +spec: + acc_provision_input: + aci_config: + system_id: dummy + apic_hosts: + - dummy + apic_login: + username: dummy + password: dummy + l3out: + name: dummy + external_networks: + - dummy + sync_login: + certfile: dummy + keyfile: dummy + client_ssl: False + net_config: + node_subnet: dummy + pod_subnet: dummy + extern_dynamic: dummy + kubeapi_vlan: 0 + infra_vlan: 0 + calico_config: + net_config: + block_size: 0 + bgp_config: + bgp_secret: dummy + bgp_peer_config: + as_number: 0 + racks: [] + registry: + image_prefix: dummy + image_pull_secret: dummy + aci_cni_config: + ovs_memory_limit: dummy + use_privileged_containers: False + image_pull_policy: Never + reboot_opflex_with_ovs: dummy + snat_operator: + port_range: + start: 0 + end: 0 + ports_per_node: 0 + contract_scope: dummy + disable_periodic_snat_global_info_sync: False + aci_config: + vmm_domain: + encap_type: dummy + mcast_range: + start: dummy + end: dummy + aep: dummy + vrf: + name: dummy + tenant: dummy + net_config: + interface_mtu: 0 + extern_static: dummy + registry: + aci_containers_operator_version: dummy + aci_containers_controller_version: dummy + aci_containers_host_version: dummy + acc_provision_operator_version: dummy + aci_cni_operator_version: dummy + cnideploy_version: dummy + opflex_agent_version: dummy + openvswitch_version: dummy + gbp_version: dummy + network_operator_version: dummy + kube_config: + logging: + controller_log_level: debug + hostagent_log_level: debug + opflexagent_log_level: debug + istio_config: + install_istio: False + install_profile: dummy + multus: + disable: True + drop_log_config: + enable: False + nodepodif_config: + enable: False + sriov_config: + enable: False + profile: cko-calico + operator_managed_config: + enable_updates: False
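Review bot: The sample CR places `apic_login.password` and `bgp_config.bgp_secret` directly in `spec.acc_provision_input`, so a real deployment modelled on it stores APIC and BGP credentials in plaintext in the CR object, readable by anyone with `get` on `accprovisioninputs` and copied verbatim into the generated provision file. Until the CRD offers a Secret reference, a header comment should say so: `# NOTE: apic_login.password and bgp_config.bgp_secret are stored unencrypted in this CR; restrict RBAC on accprovisioninputs accordingly.` The template also sets `image_pull_policy: Never` as a placeholder, which silently blocks image pulls if copied unchanged; marking the `dummy` values and this field as placeholders in a comment would avoid that.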