-rw-r--r--group_vars/k8s-stream/vars.yml8
-rw-r--r--host_vars/emc-test.yaml2
-rw-r--r--roles/kubernetes-net/tasks/main.yaml39
-rw-r--r--roles/kubernetes-net/templates/ifupdown.sh.j22
-rw-r--r--roles/kubernetes-net/templates/k8s.json.j212
-rw-r--r--roles/kubernetes-net/templates/kubenet-peer.service.j220
6 files changed, 77 insertions, 6 deletions
diff --git a/group_vars/k8s-stream/vars.yml b/group_vars/k8s-stream/vars.yml
index 953ba35c..e91ce15a 100644
--- a/group_vars/k8s-stream/vars.yml
+++ b/group_vars/k8s-stream/vars.yml
@@ -8,11 +8,11 @@ kubernetes:
## the info is spread over multiple files and this makes it more diffcult
## to find mistakes, so it is nicer to keep it in one place...
net_index:
- emc-01: 1
- emc-02: 2
- emc-03: 3
+# emc-01: 1
+# emc-02: 2
+# emc-03: 3
emc-test: 99
- emc-master: 100
+# emc-master: 100
dione: 101
helene: 102
kube2016: 120
diff --git a/host_vars/emc-test.yaml b/host_vars/emc-test.yaml
new file mode 100644
index 00000000..042ee609
--- /dev/null
+++ b/host_vars/emc-test.yaml
@@ -0,0 +1,2 @@
+---
+external_ip: 51.15.202.20
diff --git a/roles/kubernetes-net/tasks/main.yaml b/roles/kubernetes-net/tasks/main.yaml
index 5c9aba91..6a50cf00 100644
--- a/roles/kubernetes-net/tasks/main.yaml
+++ b/roles/kubernetes-net/tasks/main.yaml
@@ -9,6 +9,10 @@
name: /var/lib/kubenet/
state: directory
+- name: configure wireguard port
+ set_fact:
+ kubenet_wireguard_port: "{{ kubernetes.wireguard_port | default(51820) }}"
+
- name: install ifupdown script
template:
src: ifupdown.sh.j2
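Review bot: `kubenet_wireguard_port` is set as a per-host fact, but the peer unit template in this same commit reads it from other hosts as `hostvars[item].kubenet_wireguard_port`, so it only exists for peers that executed this task in the same play; a run with `--limit`, or an unreachable node listed in `net_index`, leaves it undefined and the template task aborts on the surviving hosts. Failing is preferable to silently using the wrong port, but the fact buys nothing here: the value is a group variable with a constant default, so `kubernetes.wireguard_port | default(51820)` could be referenced directly in both templates and the cross-host dependency disappears. If the fact is kept, document the coupling above the task: `# per-host fact, read cross-host by kubenet-peer.service.j2: every host in net_index must be in the play`. The "install ifupdown script" task this hunk runs into continues outside the hunk.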
@@ -24,8 +28,9 @@
- name: fetch wireguard public key
shell: "wg pubkey < /var/lib/kubenet/kube-wg0.privatekey"
- register: wireguard_pubkey
+ register: kubenet_wireguard_pubkey
changed_when: false
+ check_mode: no
- name: install systemd service unit for network interfaces
copy:
@@ -39,3 +44,35 @@
name: kubenet-interfaces.service
state: started
enabled: yes
+
+- name: install systemd units for every wireguard peer
+ with_items: "{{ kubernetes.net_index.keys() | difference(inventory_hostname) }}"
+ template:
+ src: kubenet-peer.service.j2
+ dest: "/etc/systemd/system/kubenet-peer-{{ item }}.service"
+
+- name: make sure kubenet peer services are started and enabled
+ with_items: "{{ kubernetes.net_index.keys() | difference(inventory_hostname) }}"
+ systemd:
+ daemon_reload: yes
+ name: "kubenet-peer-{{ item }}.service"
+ state: started
+ enabled: yes
+
+- name: enable IPv4 forwarding
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: 1
+ sysctl_set: yes
+ state: present
+ reload: yes
+
+- name: create cni config directory
+ file:
+ name: /etc/cni/net.d
+ state: directory
+
+- name: install cni config
+ template:
+ src: k8s.json.j2
+ dest: /etc/cni/net.d/k8s.json
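Review bot: Neither peer loop copes with a peer set that changes over time: a re-templated unit (rotated key, new endpoint or port) is never re-applied, because `state: started` is a no-op for a `Type=oneshot` unit with `RemainAfterExit=yes` that is already active, and hosts dropped from `net_index` (as this commit does with emc-01..03 and emc-master) keep their `kubenet-peer-<host>.service` enabled on every other node, so the old public key and allowed-ips stay accepted on kube-wg0 indefinitely. Both are security-relevant: key rotation silently does nothing, and a decommissioned node retains a working tunnel into the pod network until someone deletes the unit by hand. Registering the template results and restarting only the changed units, plus a cleanup pass over `/etc/systemd/system/kubenet-peer-*.service`, fixes both; a sketch follows. Separately, `difference` should get a list, `difference([inventory_hostname])`: with a bare string the filter falls back on Python membership semantics, which depending on the Ansible version means substring matching or a set of single characters, so the current host is not reliably excluded from its own peer list.
```yaml
- name: install systemd units for every wireguard peer
  with_items: "{{ kubernetes.net_index.keys() | difference([inventory_hostname]) }}"
  template:
    src: kubenet-peer.service.j2
    dest: "/etc/systemd/system/kubenet-peer-{{ item }}.service"
  register: kubenet_peer_units

- name: restart peer units whose key, endpoint or port changed
  with_items: "{{ kubenet_peer_units.results | selectattr('changed') | map(attribute='item') | list }}"
  systemd:
    daemon_reload: yes
    name: "kubenet-peer-{{ item }}.service"
    state: restarted

# … unchanged: make sure kubenet peer services are started and enabled …

- name: find installed kubenet peer units
  find:
    paths: /etc/systemd/system
    patterns: "kubenet-peer-*.service"
  register: kubenet_installed_peer_units

- name: stop and disable units for peers no longer in net_index
  with_items: "{{ kubenet_installed_peer_units.files | map(attribute='path') | map('basename') | list }}"
  when: (item | regex_replace('^kubenet-peer-(.*)\\.service$', '\\1')) not in kubernetes.net_index
  systemd:
    name: "{{ item }}"
    state: stopped
    enabled: no

- name: remove unit files for peers no longer in net_index
  with_items: "{{ kubenet_installed_peer_units.files | map(attribute='path') | list }}"
  when: (item | basename | regex_replace('^kubenet-peer-(.*)\\.service$', '\\1')) not in kubernetes.net_index
  file:
    path: "{{ item }}"
    state: absent
```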
diff --git a/roles/kubernetes-net/templates/ifupdown.sh.j2 b/roles/kubernetes-net/templates/ifupdown.sh.j2
index 71ec38af..9bc82325 100644
--- a/roles/kubernetes-net/templates/ifupdown.sh.j2
+++ b/roles/kubernetes-net/templates/ifupdown.sh.j2
@@ -28,7 +28,7 @@ case "$1" in
# bring up wireguard tunnel to other nodes
ip link add dev "$TUN_IF" type wireguard
ip addr add dev "$TUN_IF" "$TUN_IP_CIDR"
- wg set "$TUN_IF" listen-port 51820 private-key "$CONF_D/$TUN_IF.privatekey"
+ wg set "$TUN_IF" listen-port {{ kubenet_wireguard_port }} private-key "$CONF_D/$TUN_IF.privatekey"
ip link set up dev "$TUN_IF"
ip route add "$POD_NET_CIDR" dev "$TUN_IF" src "$TUN_IP"
;;
diff --git a/roles/kubernetes-net/templates/k8s.json.j2 b/roles/kubernetes-net/templates/k8s.json.j2
new file mode 100644
index 00000000..f457ed1c
--- /dev/null
+++ b/roles/kubernetes-net/templates/k8s.json.j2
@@ -0,0 +1,12 @@
+{
+ "cniVersion": "0.3.1",
+ "name": "k8s",
+ "type": "bridge",
+ "bridge": "kube-br0",
+ "isDefaultGateway": true,
+ "hairpinMode": true,
+ "ipam": {
+ "type": "host-local",
+ "subnet": "{{ kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, kubernetes.net_index[inventory_hostname]) }}"
+ }
+}
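Review bot: `ipMasq` is not set and the CNI bridge plugin defaults it to false, so packets that pods send to destinations outside `pod_ip_range` leave the node with the pod's own source address; with `isDefaultGateway: true` that is every non-pod destination. Nothing else in this diff adds NAT (ifupdown.sh.j2 only routes the pod network into the tunnel), so unless masquerading is configured somewhere not visible here, add `"ipMasq": true` after `"hairpinMode": true,`. JSON has no comment syntax, so record the per-node subnet scheme in the task name or the role README, e.g. `- name: install cni config (bridge + host-local, subnet is this node's slot in net_index)`.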
diff --git a/roles/kubernetes-net/templates/kubenet-peer.service.j2 b/roles/kubernetes-net/templates/kubenet-peer.service.j2
new file mode 100644
index 00000000..a076512d
--- /dev/null
+++ b/roles/kubernetes-net/templates/kubenet-peer.service.j2
@@ -0,0 +1,20 @@
+[Unit]
+Description=Kubernetes Network Peer {{ item }}
+After=network.target
+Requires=kubenet-interfaces.service
+After=kubenet-interfaces.service
+
+{% set wg_pubkey = hostvars[item].kubenet_wireguard_pubkey.stdout -%}
+{% set wg_host = hostvars[item].external_ip | default(hostvars[item].ansible_default_ipv4.address) -%}
+{% set wg_port = hostvars[item].kubenet_wireguard_port -%}
+{% set tun_ip = kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, 0) | ipaddr(kubernetes.net_index[item]) | ipaddr('address') -%}
+{% set pod_net = kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, kubernetes.net_index[item]) -%}
+{% set wg_allowedips = tun_ip + "/32," + pod_net %}
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/wg set kube-wg0 peer {{ wg_pubkey }} allowed-ips {{ wg_allowedips }} endpoint {{ wg_host }}:{{ wg_port }} persistent-keepalive 10
+ExecStop=/usr/bin/wg set kube-wg0 peer {{ wg_pubkey }} remove
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
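Review bot: The `wg_allowedips` computation is the access-control decision of this unit, yet it is undocumented: with WireGuard, allowed-ips is cryptokey routing, so `tun_ip/32,pod_net` is what stops a peer from sourcing traffic as another node or another node's pods, and a future "just widen it to the whole pod range" edit would quietly remove that isolation. Add a Jinja comment above the `set` lines, `{# allowed-ips doubles as cryptokey routing: peer {{ item }} may only source its own tunnel /32 and its own pod subnet, never the whole pod_ip_range #}`. Worth a second comment on the endpoint line: falling back to `ansible_default_ipv4.address` yields a private address on NAT'd cloud hosts, which only works because the peer can learn the real endpoint from the keepalive traffic the other side initiates, so `{# endpoint fallback assumes the peer is reachable on its default interface; set external_ip in host_vars otherwise #}`.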