From 5e5d86c2a5bbccb88df65059693281c56c6f4abb Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sun, 7 Jan 2018 04:41:46 +0100
Subject: kubernetes net role works now

---
 roles/kubernetes-net/tasks/main.yaml | 39 +++++++++++++++++++++-
 roles/kubernetes-net/templates/ifupdown.sh.j2 | 2 +-
 roles/kubernetes-net/templates/k8s.json.j2 | 12 +++++++
 .../templates/kubenet-peer.service.j2 | 20 +++++++++++
 4 files changed, 71 insertions(+), 2 deletions(-)
 create mode 100644 roles/kubernetes-net/templates/k8s.json.j2
 create mode 100644 roles/kubernetes-net/templates/kubenet-peer.service.j2
(limited to 'roles')

diff --git a/roles/kubernetes-net/tasks/main.yaml b/roles/kubernetes-net/tasks/main.yaml
index 5c9aba91..6a50cf00 100644
--- a/roles/kubernetes-net/tasks/main.yaml
+++ b/roles/kubernetes-net/tasks/main.yaml
@@ -9,6 +9,10 @@
     name: /var/lib/kubenet/
     state: directory
 
+- name: configure wireguard port
+  set_fact:
+    kubenet_wireguard_port: "{{ kubernetes.wireguard_port | default(51820) }}"
+
 - name: install ifupdown script
   template:
     src: ifupdown.sh.j2
@@ -24,8 +28,9 @@
 
 - name: fetch wireguard public key
   shell: "wg pubkey < /var/lib/kubenet/kube-wg0.privatekey"
-  register: wireguard_pubkey
+  register: kubenet_wireguard_pubkey
   changed_when: false
+  check_mode: no
 
 - name: install systemd service unit for network interfaces
   copy:
@@ -39,3 +44,35 @@
     name: kubenet-interfaces.service
     state: started
     enabled: yes
+
+- name: install systemd units for every wireguard peer
+  with_items: "{{ kubernetes.net_index.keys() | difference(inventory_hostname) }}"
+  template:
+    src: kubenet-peer.service.j2
+    dest: "/etc/systemd/system/kubenet-peer-{{ item }}.service"
+
+- name: make sure kubenet peer services are started and enabled
+  with_items: "{{ kubernetes.net_index.keys() | difference(inventory_hostname) }}"
+  systemd:
+    daemon_reload: yes
+    name: "kubenet-peer-{{ item }}.service"
+    state: started
+    enabled: yes
+
+- name: enable IPv4 forwarding
+  sysctl:
+    name: net.ipv4.ip_forward
+    value: 1
+    sysctl_set: yes
+    state: present
+    reload: yes
+
+- name: create cni config directory
+  file:
+    name: /etc/cni/net.d
+    state: directory
+
+- name: install cni config
+  template:
+    src: k8s.json.j2
+    dest: /etc/cni/net.d/k8s.json
diff --git a/roles/kubernetes-net/templates/ifupdown.sh.j2 b/roles/kubernetes-net/templates/ifupdown.sh.j2
index 71ec38af..9bc82325 100644
--- a/roles/kubernetes-net/templates/ifupdown.sh.j2
+++ b/roles/kubernetes-net/templates/ifupdown.sh.j2
@@ -28,7 +28,7 @@ case "$1" in
     # bring up wireguard tunnel to other nodes
     ip link add dev "$TUN_IF" type wireguard
     ip addr add dev "$TUN_IF" "$TUN_IP_CIDR"
-    wg set "$TUN_IF" listen-port 51820 private-key "$CONF_D/$TUN_IF.privatekey"
+    wg set "$TUN_IF" listen-port {{ kubenet_wireguard_port }} private-key "$CONF_D/$TUN_IF.privatekey"
     ip link set up dev "$TUN_IF"
     ip route add "$POD_NET_CIDR" dev "$TUN_IF" src "$TUN_IP"
     ;;
diff --git a/roles/kubernetes-net/templates/k8s.json.j2 b/roles/kubernetes-net/templates/k8s.json.j2
new file mode 100644
index 00000000..f457ed1c
--- /dev/null
+++ b/roles/kubernetes-net/templates/k8s.json.j2
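Review bot: A changed peer unit is never applied: the `install systemd units for every wireguard peer` template task neither registers its result nor notifies a handler, and the following `systemd` task only asks for `state: started`, so when a peer's endpoint, port or allowed-ips changes the new `ExecStart` lands on disk but `wg set` is not re-run until the unit is next started. Registering the template result and looping the `systemd` task over `kubenet_peer_units.results` lets only the units that actually changed be restarted. Separately, `difference(inventory_hostname)` hands the filter a string rather than a list; Ansible's `difference` appears to fall back to an `x not in b` membership test, which on a string is a substring match, so a host whose name is a prefix of another's (constructed example: `node1` next to `node10`) would be dropped from the peer list — `difference([inventory_hostname])` avoids that, and the same expression appears in both loop tasks. The sysctl, cni directory and cni config tasks further down the hunk are unaffected.
```yaml
- name: install systemd units for every wireguard peer
  with_items: "{{ kubernetes.net_index.keys() | difference([inventory_hostname]) }}"
  template:
    src: kubenet-peer.service.j2
    dest: "/etc/systemd/system/kubenet-peer-{{ item }}.service"
  register: kubenet_peer_units

- name: make sure kubenet peer services are started and enabled
  with_items: "{{ kubenet_peer_units.results }}"
  systemd:
    daemon_reload: yes
    name: "kubenet-peer-{{ item.item }}.service"
    state: "{{ 'restarted' if item.changed else 'started' }}"
    enabled: yes

# … unchanged: IPv4 forwarding, cni config directory and cni config tasks …
```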
@@ -0,0 +1,12 @@
+{
+  "cniVersion": "0.3.1",
+  "name": "k8s",
+  "type": "bridge",
+  "bridge": "kube-br0",
+  "isDefaultGateway": true,
+  "hairpinMode": true,
+  "ipam": {
+    "type": "host-local",
+    "subnet": "{{ kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, kubernetes.net_index[inventory_hostname]) }}"
+  }
+}
diff --git a/roles/kubernetes-net/templates/kubenet-peer.service.j2 b/roles/kubernetes-net/templates/kubenet-peer.service.j2
new file mode 100644
index 00000000..a076512d
--- /dev/null
+++ b/roles/kubernetes-net/templates/kubenet-peer.service.j2
@@ -0,0 +1,20 @@
+[Unit]
+Description=Kubernetes Network Peer {{ item }}
+After=network.target
+Requires=kubenet-interfaces.service
+After=kubenet-interfaces.service
+
+{% set wg_pubkey = hostvars[item].kubenet_wireguard_pubkey.stdout -%}
+{% set wg_host = hostvars[item].external_ip | default(hostvars[item].ansible_default_ipv4.address) -%}
+{% set wg_port = hostvars[item].kubenet_wireguard_port -%}
+{% set tun_ip = kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, 0) | ipaddr(kubernetes.net_index[item]) | ipaddr('address') -%}
+{% set pod_net = kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, kubernetes.net_index[item]) -%}
+{% set wg_allowedips = tun_ip + "/32," + pod_net %}
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/wg set kube-wg0 peer {{ wg_pubkey }} allowed-ips {{ wg_allowedips }} endpoint {{ wg_host }}:{{ wg_port }} persistent-keepalive 10
+ExecStop=/usr/bin/wg set kube-wg0 peer {{ wg_pubkey }} remove
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
-- cgit v1.2.3
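Review bot: The pod subnet on the `"subnet"` line is taken from `kubernetes.net_index[inventory_hostname]`, while the peer unit template added in this same commit reserves subnet 0 of the same `pod_ip_range` for the tunnel addresses (`ipsubnet(kubernetes.pod_ip_range_size, 0)`), so a node whose net_index is 0 would get a pod subnet that overlaps the tunnel subnet and its peers' allowed-ips. Nothing visible in the role checks this, and the constraint is not written down anywhere. Since the file is rendered by Ansible's template module, a Jinja comment at the top of the template documents it without reaching the written JSON: `{# net_index must be >= 1: subnet 0 of pod_ip_range is reserved for the kube-wg0 tunnel addresses (see kubenet-peer.service.j2) #}`; an `assert` task in tasks/main.yaml could additionally enforce it at run time.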
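Review bot: `hostvars[item].kubenet_wireguard_pubkey.stdout` and `hostvars[item].kubenet_wireguard_port` in the `set` block are facts produced by tasks earlier in this role, so they only exist for peers on which the role ran in the same play; a run with `--limit` or against a subset of hosts fails the template with an undefined variable, and nothing in the file says so. A Jinja comment above the first `{% set` line would make the dependency explicit: `{# requires the "configure wireguard port" and "fetch wireguard public key" tasks to have run on every peer in this play; the hostvars lookups below are undefined otherwise #}`. A smaller point in the same block: `wg_host` falls back to `ansible_default_ipv4.address`, so the endpoint silently depends on fact gathering being enabled, which is worth naming in that comment as well.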