From bbe5f87d3fa8894abcd788928dca2ec30d4ac4e3 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sun, 7 Jan 2018 00:55:38 +0100
Subject: basic interface config for kubenet works now
---
 group_vars/k8s-stream/vars.yml | 18 ++++++++
 hosts.ini | 6 ++-
 .../files/kubenet-interfaces.service | 12 ++++++
 roles/kubernetes-net/tasks/main.yaml | 36 ++++++++++++++++
 roles/kubernetes-net/templates/ifupdown.sh.j2 | 50 ++++++++++++++++++++++
 5 files changed, 121 insertions(+), 1 deletion(-)
 create mode 100644 group_vars/k8s-stream/vars.yml
 create mode 100644 roles/kubernetes-net/files/kubenet-interfaces.service
 create mode 100644 roles/kubernetes-net/templates/ifupdown.sh.j2
diff --git a/group_vars/k8s-stream/vars.yml b/group_vars/k8s-stream/vars.yml
new file mode 100644
index 00000000..953ba35c
--- /dev/null
+++ b/group_vars/k8s-stream/vars.yml
@@ -0,0 +1,18 @@
+kubernetes:
+ pod_ip_range: 172.18.0.0/16
+ pod_ip_range_size: 24
+ service_ip_range: 172.18.192.0/18
+ ## net_index must be in the range between 1 and 191 -> 190 hosts possible
+ ##
+ ## hardcoded hostnames are not nice but if we do this via host_vars
+ ## the info is spread over multiple files and this makes it more diffcult
+ ## to find mistakes, so it is nicer to keep it in one place...
+ net_index:
+ emc-01: 1
+ emc-02: 2
+ emc-03: 3
+ emc-test: 99
+ emc-master: 100
+ dione: 101
+ helene: 102
+ kube2016: 120
diff --git a/hosts.ini b/hosts.ini
index ce14adf0..7699a499 100644
--- a/hosts.ini
+++ b/hosts.ini
@@ -56,7 +56,11 @@
 helene
 [k8s-stream-streamer]
 emc-test
-#emc0[1:3]
+#emc-0[1:3]
+
+[k8s-stream-master]
+dione
+#emc-master
 [k8s-stream-stats]
 kube2016
diff --git a/roles/kubernetes-net/files/kubenet-interfaces.service b/roles/kubernetes-net/files/kubenet-interfaces.service
new file mode 100644
index 00000000..f27fb85b
--- /dev/null
+++ b/roles/kubernetes-net/files/kubenet-interfaces.service
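Review bot: Nothing validates `net_index`, so an index outside the documented 1–191 range, or the same index on two hosts, is rendered into overlapping bridge subnets without any error at provisioning time (an index of 192 or above lands inside `service_ip_range` 172.18.192.0/18); an `assert` task in roles/kubernetes-net that checks `kubernetes.net_index[inventory_hostname]` is in range and unique across the group would catch this where the mistake is made. The comment's arithmetic is also off by one: 1..191 inclusive is 191 indices, not 190, and index 0 is taken by the tunnel net (ifupdown.sh.j2 derives kube-wg0 from `ipsubnet(..., 0)`). Suggested wording: `## net_index must be in the range 1..191 (0 is the kube-wg0 tunnel net, 192+ overlaps service_ip_range) -> 191 hosts possible`. `diffcult` is a typo for `difficult`.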
@@ -0,0 +1,12 @@
+[Unit]
+Description=Kubernetes Network Interfaces
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/var/lib/kubenet/ifupdown.sh up
+ExecStop=/var/lib/kubenet/ifupdown.sh down
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/kubernetes-net/tasks/main.yaml b/roles/kubernetes-net/tasks/main.yaml
index 907115c4..5c9aba91 100644
--- a/roles/kubernetes-net/tasks/main.yaml
+++ b/roles/kubernetes-net/tasks/main.yaml
@@ -3,3 +3,39 @@
 copy:
 src: daemon.json
 dest: /etc/docker/daemon.json
+
+- name: create network config directory
+ file:
+ name: /var/lib/kubenet/
+ state: directory
+
+- name: install ifupdown script
+ template:
+ src: ifupdown.sh.j2
+ dest: /var/lib/kubenet/ifupdown.sh
+ mode: 0755
+ # TODO: notify reload... this is unfortunately already to late because
+ # it must probably be brought down by the old version of the script
+
+- name: generate wireguard private key
+ shell: "umask 077; wg genkey > /var/lib/kubenet/kube-wg0.privatekey"
+ args:
+ creates: /var/lib/kubenet/kube-wg0.privatekey
+
+- name: fetch wireguard public key
+ shell: "wg pubkey < /var/lib/kubenet/kube-wg0.privatekey"
+ register: wireguard_pubkey
+ changed_when: false
+
+- name: install systemd service unit for network interfaces
+ copy:
+ src: kubenet-interfaces.service
+ dest: /etc/systemd/system/kubenet-interfaces.service
+ # TODO: notify: reload...
+
+- name: make sure kubenet interfaces service is started and enabled
+ systemd:
+ daemon_reload: yes
+ name: kubenet-interfaces.service
+ state: started
+ enabled: yes
diff --git a/roles/kubernetes-net/templates/ifupdown.sh.j2 b/roles/kubernetes-net/templates/ifupdown.sh.j2
new file mode 100644
index 00000000..71ec38af
--- /dev/null
+++ b/roles/kubernetes-net/templates/ifupdown.sh.j2
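Review bot: The `create network config directory` task sets no `mode`, so /var/lib/kubenet/ ends up with umask-dependent permissions although the WireGuard private key is generated into it two tasks later; the key file itself is correctly protected by `umask 077`, but the directory should be explicit as well, e.g. `mode: 0700` (the unit runs ifupdown.sh as root, so no other user needs to read it). `wireguard_pubkey` is registered but nothing in this commit consumes it; presumably the peer configuration comes in a later change, and a one-line comment on the task saying so would keep the next reader from treating it as dead code. The TODO about notifying a reload is worth keeping visible: as written, re-templating ifupdown.sh does not restart kubenet-interfaces.service, so a changed script only takes effect after a manual restart.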
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+set -e
+
+CONF_D="/var/lib/kubenet/"
+
+INET_IF="{{ ansible_default_ipv4.interface }}"
+
+POD_NET_CIDR="{{ kubernetes.pod_ip_range }}"
+
+BR_IF="kube-br0"
+BR_IP_CIDR="{{ kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, kubernetes.net_index[inventory_hostname]) | ipaddr(1) }}"
+BR_NET_CIDR="{{ kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, kubernetes.net_index[inventory_hostname]) }}"
+
+TUN_IF="kube-wg0"
+TUN_IP="{{ kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, 0) | ipaddr(kubernetes.net_index[inventory_hostname]) | ipaddr('address') }}"
+TUN_IP_CIDR="{{ kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, 0) | ipaddr(kubernetes.net_index[inventory_hostname]) }}"
+
+
+case "$1" in
+ up)
+ # bring up bridge for local pods
+ ip link add dev "$BR_IF" type bridge
+ ip addr add dev "$BR_IF" "$BR_IP_CIDR"
+ ip link set up dev "$BR_IF"
+ iptables -t nat -A POSTROUTING -s "$BR_NET_CIDR" -o "$INET_IF" -j MASQUERADE
+
+ # bring up wireguard tunnel to other nodes
+ ip link add dev "$TUN_IF" type wireguard
+ ip addr add dev "$TUN_IF" "$TUN_IP_CIDR"
+ wg set "$TUN_IF" listen-port 51820 private-key "$CONF_D/$TUN_IF.privatekey"
+ ip link set up dev "$TUN_IF"
+ ip route add "$POD_NET_CIDR" dev "$TUN_IF" src "$TUN_IP"
+ ;;
+ down)
+ # bring down wireguard tunnel to other nodes
+ ip route del "$POD_NET_CIDR" dev "$TUN_IF"
+ ip link del dev "$TUN_IF"
+
+ # bring down bridge for local pods
+ iptables -t nat -D POSTROUTING -s "$BR_NET_CIDR" -o "$INET_IF" -j MASQUERADE
+ ip link del dev "$BR_IF"
+ ;;
+ *)
+ echo "usage: $0 (up|down)"
+ exit 1
+ ;;
+esac
+
+exit 0
-- cgit v1.2.3
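Review bot: Under `set -e` the `down` branch aborts at the first object that is already gone, so after a partial `up` or a manual cleanup `ip route del` or `ip link del dev "$TUN_IF"` fails and the MASQUERADE rule and the bridge are left behind. Teardown should be best-effort, so tolerate missing objects there, e.g. `ip link del dev "$TUN_IF" 2>/dev/null || true  # may already be gone`, and the same for the route, the iptables rule and the bridge. `up` is likewise not idempotent — a second run fails on `ip link add` with the first run's leftovers in place — which is acceptable for a oneshot unit with RemainAfterExit but deserves a comment. The usage message in the `*)` arm goes to stdout; `echo "usage: $0 (up|down)" >&2` is the conventional form. Forwarding between the bridge and the tunnel also needs net.ipv4.ip_forward=1, which nothing in this commit sets; if the Docker installation already enables it that is fine, but the dependency is worth stating in a comment at the top of the script.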