update readme

adding submodules again
remove apps directories
2026-06-11 16:23:16 +03:00 · 2015-10-18 22:21:08 +02:00 · 2015-10-18 22:10:30 +02:00 · 2015-10-18 21:41:19 +02:00 · 2015-10-18 16:25:03 +02:00 · 2015-10-18 16:23:01 +02:00
101 changed files with 2094 additions and 200 deletions
@@ -1 +0,0 @@
-ssh
@@ -0,0 +1,30 @@
+[submodule "roles/apps/k8s-kube-ui"]
+    path = roles/apps/k8s-kube-ui
+    url = https://github.com/ansibl8s/k8s-kube-ui.git
+[submodule "roles/apps/k8s-skydns"]
+    path = roles/apps/k8s-skydns
+    url = https://github.com/ansibl8s/k8s-skydns.git
+[submodule "roles/apps/k8s-common"]
+    path = roles/apps/k8s-common
+    url = https://github.com/ansibl8s/k8s-common.git
+[submodule "roles/apps/k8s-redis"]
+    path = roles/apps/k8s-redis
+    url = https://github.com/ansibl8s/k8s-redis.git
+[submodule "roles/apps/k8s-elasticsearch"]
+    path = roles/apps/k8s-elasticsearch
+    url = https://github.com/ansibl8s/k8s-elasticsearch.git
+[submodule "roles/apps/k8s-fabric8"]
+    path = roles/apps/k8s-fabric8
+    url = https://github.com/ansibl8s/k8s-fabric8.git
+[submodule "roles/apps/k8s-memcached"]
+    path = roles/apps/k8s-memcached
+    url = https://github.com/ansibl8s/k8s-memcached.git
+[submodule "roles/apps/k8s-haproxy"]
+    path = roles/apps/k8s-haproxy
+    url = https://github.com/ansibl8s/k8s-haproxy.git
+[submodule "roles/apps/k8s-postgres"]
+    path = roles/apps/k8s-postgres
+    url = https://github.com/ansibl8s/k8s-postgres.git
+[submodule "roles/apps/k8s-kubedns"]
+    path = roles/apps/k8s-kubedns
+    url = https://github.com/ansibl8s/k8s-kubedns.git
@@ -1,33 +1,210 @@
-vagrant-k8s
-===========
-Scripts to create libvirt lab with vagrant and prepare some stuff for `k8s` deployment with `kargo`.
+kubernetes-ansible
+========
+
+Install and configure a kubernetes cluster including network overlay and optionnal addons.
+Based on [CiscoCloud](https://github.com/CiscoCloud/kubernetes-ansible) work.
+
+### Requirements
+Tested on **Debian Jessie** and **Ubuntu** (14.10, 15.04, 15.10).
+The target servers must have access to the Internet in order to pull docker imaqes.
+The firewalls are not managed, you'll need to implement your own rules the way you used to.
+
+Ansible v1.9.x
+
+### Components
+* [kubernetes](https://github.com/kubernetes/kubernetes/releases) v1.0.6
+* [etcd](https://github.com/coreos/etcd/releases) v2.2.0
+* [calicoctl](https://github.com/projectcalico/calico-docker/releases) v0.5.1
+* [flanneld](https://github.com/coreos/flannel/releases) v0.5.3
+* [docker](https://www.docker.com/) v1.8.2


-Requirements
-============
+Ansible
+-------------------------
+### Download binaries
+A role allows to download required binaries which will be stored in a directory defined by the variable
+**'local_release_dir'** (by default /tmp).
+Please ensure that you have enough disk space there (about **1G**).

-* `libvirt`
-* `vagrant`
-* `vagrant-libvirt` plugin
-* `$USER` should be able to connect to libvirt (test with `virsh list --all`)
+**Note**: Whenever you'll need to change the version of a software, you'll have to erase the content of this directory.

-How-to
-======

-* Prepare the virtual lab:
+### Variables
+The main variables to change are located in the directory ```environments/[env_name]/group_vars/k8s-cluster.yml```.

-```bash
-export VAGRANT_POOL="10.100.0.0/16"
-git clone https://github.com/adidenko/vagrant-k8s
-cd vagrant-k8s
-vagrant up
+### Playbook
+```
+---
+- hosts: downloader
+  sudo: no
+  roles:
+    - { role: download, tags: download }
+
+- hosts: k8s-cluster
+  roles:
+    - { role: etcd, tags: etcd }
+    - { role: docker, tags: docker }
+    - { role: overlay_network, tags: ['calico', 'flannel', 'network'] }
+    - { role: dnsmasq, tags: dnsmasq }
+
+- hosts: kube-master
+  roles:
+    - { role: kubernetes/master, tags: master }
+    - { role: apps/k8s-kubedns, tags: ['kubedns', 'apps']  }
+    - { role: apps/k8s-fabric8, tags: ['fabric8', 'apps']  }
+
+- hosts: kube-node
+  roles:
+    - { role: kubernetes/node, tags: node }
 ```

-* Login to master node and deploy k8s with kargo:
-
-```bash
-vagrant ssh $USER-k8s-01
-# Inside your master VM run this:
-sudo su -
-./deploy-k8s.kargo.sh
+### Run
+It is possible to define variables for different environments.
+For instance, in order to deploy the cluster on 'dev' environment run the following command.
+```
+ansible-playbook -i environments/dev/inventory cluster.yml -u root
+```
+
+Kubernetes
+-------------------------
+
+### Network Overlay
+You can choose between 2 network overlays. Only one must be chosen.
+
+* **flannel**: gre/vxlan (layer 2) networking. ([official docs]('https://github.com/coreos/flannel'))
+
+* **calico**: bgp (layer 3) networking. ([official docs]('http://docs.projectcalico.org/en/0.13/'))
+
+The choice is defined with the variable '**overlay_network_plugin**'
+
+### Expose a service
+There are several loadbalancing solutions.
+The ones i found suitable for kubernetes are [Vulcand]('http://vulcand.io/') and [Haproxy]('http://www.haproxy.org/')
+
+My cluster is working with haproxy and kubernetes services are configured with the loadbalancing type '**nodePort**'.
+eg: each node opens the same tcp port and forwards the traffic to the target pod wherever it is located.
+
+Then Haproxy can be configured to request kubernetes's api in order to loadbalance on the proper tcp port on the nodes.
+
+Please refer to the proper kubernetes documentation on [Services]('https://github.com/kubernetes/kubernetes/blob/release-1.0/docs/user-guide/services.md')
+
+### Check cluster status
+
+#### Kubernetes components
+Master processes : kube-apiserver, kube-scheduler, kube-controller, kube-proxy
+Nodes processes : kubelet, kube-proxy, [calico-node|flanneld]
+
+* Check the status of the processes
+```
+systemctl status [process_name]
+```
+
+* Check the logs
+```
+journalctl -ae -u [process_name]
+```
+
+* Check the NAT rules
+```
+iptables -nLv -t nat
+```
+
+
+#### Available apps, installation procedure
+Additionnal apps can be installed with ```ansible-galaxy```.
+
+you'll need to edit the file '*requirements.yml*' in order to chose needed apps.
+The list of available apps are available [there](https://github.com/ansibl8s)
+
+For instance if you will probably want to install a [dns server](https://github.com/kubernetes/kubernetes/tree/master/cluster/addons/dns) as it is **strongly recommanded**.
+In order to use this role you'll need the following entries in the file '*requirements.yml*' 
+```
+- src: https://github.com/ansibl8s/k8s-common.git
+  path: roles/apps
+  # version: v1.0
+
+- src: https://github.com/ansibl8s/k8s-kubedns.git
+  path: roles/apps
+  # version: v1.0
+```
+**Note**: the role common is required by all the apps and provides the tasks and libraries needed.
+
+And empty the apps directory
+```
+rm -rf roles/apps/*
+```
+
+Then download the roles with ansible-galaxy
+```
+ansible-galaxy install -r requirements.yml
+```
+
+Finally update your playbook with the chosen role, and run it
+```
+...
+- hosts: kube-master
+  roles:
+    - { role: kubernetes/master, tags: master }
+    - { role: apps/k8s-kubedns, tags: ['kubedns', 'apps']  }
+...
+```
+Please refer to the [k8s-kubdns readme](https://github.com/ansibl8s/k8s-kubedns) for additionnal info.
+
+#### Calico networking
+Check if the calico-node container is running
+```
+docker ps | grep calico
+```
+
+The **calicoctl** command allows to check the status of the network workloads.
+* Check the status of Calico nodes
+```
+calicoctl status
+```
+
+* Show the configured network subnet for containers
+```
+calicoctl pool show
+```
+
+* Show the workloads (ip addresses of containers and their located)
+```
+calicoctl endpoint show --detail
+```
+#### Flannel networking
+
+Congrats ! now you can walk through [kubernetes basics](http://kubernetes.io/v1.0/basicstutorials.html)
+
+Known issues
+-------------
+### Node reboot and Calico
+There is a major issue with calico-kubernetes version 0.5.1 and kubernetes prior to 1.1 :
+After host reboot, the pods networking are not configured again, they are started without any network configuration.
+This issue will be fixed when kubernetes 1.1 will be released as described in this [issue](https://github.com/projectcalico/calico-kubernetes/issues/34)
+
+### Monitoring addon
+Until now i didn't managed to get the monitoring addon working.
+
+### Apiserver listen on secure port only
+Currently the api-server listens on both secure and insecure ports.
+The insecure port is mainly used for calico.
+Will be fixed soon.
+
+How to contribute
+------------------
+
+### Update available roles
+Alternatively the roles can be installed as git submodules.
+That way is easier if you want to do some changes and commit them.
+
+You can list available submodules with the following command:
+```
+grep path .gitmodules | sed 's/.*= //'
+```
+
+For instance if you will probably want to install a [dns server](https://github.com/kubernetes/kubernetes/tree/master/cluster/addons/dns) as it is **strongly recommanded**.
+In order to use this role you'll need to follow these steps
+```
+git submodule init roles/apps/k8s-common roles/apps/k8s-kubedns
+git submodule update
 ```
@@ -1,88 +0,0 @@
-# -*- mode: ruby -*-
-# vi: set ft=ruby :
-
-ENV["VAGRANT_DEFAULT_PROVIDER"] = "libvirt"
-pool = ENV["VAGRANT_POOL"] || "10.210.0.0/16"
-prefix = pool.gsub(/\.\d+\.\d+\/16$/, "")
-
-$num_instances = 7
-$vm_memory = 2048
-$vm_cpus = 2
-
-$user = ENV["USER"]
-$public_subnet = prefix.to_s + ".0"
-$private_subnet = prefix.to_s + ".1"
-$mgmt_cidr = prefix.to_s + ".2.0/24"
-
-$instance_name_prefix = "#{$user}-k8s"
-
-# Boxes with libvirt provider support:
-#$box = "yk0/ubuntu-xenial" #900M
-#$box = "centos/7"
-$box = "nrclark/xenial64-minimal-libvirt"
-
-# Create SSH keys for future lab
-system 'bash ssh-keygen.sh'
-
-# Create nodes list for future kargo deployment
-nodes=""
-(2..$num_instances).each do |i|
-  ip = "#{$private_subnet}.#{i+10}"
-  nodes = "#{nodes}#{ip}\n"
-end
-File.open("nodes", 'w') { |file| file.write(nodes) }
-
-# Create the lab
-Vagrant.configure("2") do |config|
-  (1..$num_instances).each do |i|
-    # First node would be master node
-    if i == 1
-      master = true
-    else
-      master = false
-    end
-
-    config.ssh.insert_key = false
-    vm_name = "%s-%02d" % [$instance_name_prefix, i]
-
-    config.vm.define vm_name do |test_vm|
-      test_vm.vm.box = $box
-      test_vm.vm.hostname = vm_name
-
-      # Libvirt provider settings
-      test_vm.vm.provider :libvirt do |domain|
-        domain.uri = "qemu+unix:///system"
-        domain.memory = $vm_memory
-        domain.cpus = $vm_cpus
-        domain.driver = "kvm"
-        domain.host = "localhost"
-        domain.connect_via_ssh = false
-        domain.username = $user
-        domain.storage_pool_name = "default"
-        domain.nic_model_type = "e1000"
-        domain.management_network_name = "#{$instance_name_prefix}-mgmt-net"
-        domain.management_network_address = $mgmt_cidr
-        domain.nested = true
-        domain.cpu_mode = "host-passthrough"
-        domain.volume_cache = "unsafe"
-        domain.disk_bus = "virtio"
-      end
-
-      ip = "#{$private_subnet}.#{i+10}"
-      test_vm.vm.network :private_network, :ip => "#{ip}"
-
-      # Provisioning
-      config.vm.provision "file", source: "ssh", destination: "~/ssh"
-      if master
-        config.vm.provision "deploy-k8s", type: "file", source: "deploy-k8s.kargo.sh", destination: "~/deploy-k8s.kargo.sh"
-        config.vm.provision "custom.yaml", type: "file", source: "custom.yaml", destination: "~/custom.yaml"
-        config.vm.provision "kubedns.yaml", type: "file", source: "kubedns.yaml", destination: "~/kubedns.yaml"
-        config.vm.provision "nodes", type: "file", source: "nodes", destination: "~/nodes"
-        config.vm.provision "bootstrap", type: "shell", path: "bootstrap-master.sh"
-      else
-        config.vm.provision "bootstrap", type: "shell", path: "bootstrap-node.sh"
-      end
-
-    end
-  end
-end
@@ -1,31 +0,0 @@
-#!/bin/bash
-echo master > /var/tmp/role
-
-# Packages
-sudo apt-get --yes update
-sudo apt-get --yes upgrade
-sudo apt-get --yes install git screen vim telnet tcpdump python-setuptools gcc python-dev python-pip libssl-dev libffi-dev software-properties-common
-
-# Get ansible-2.1+, vanilla ubuntu-16.04 ansible (2.0.0.2) is broken due to https://github.com/ansible/ansible/issues/13876
-sudo sh -c 'apt-add-repository -y ppa:ansible/ansible;apt-get update;apt-get install -y ansible'
-
-# Kargo-cli
-sudo git clone https://github.com/kubespray/kargo-cli.git /root/kargo-cli
-sudo sh -c 'cd /root/kargo-cli && python setup.py install'
-
-# k8s deploy script and configs
-sudo sh -c 'cp -a ~vagrant/deploy-k8s.kargo.sh /root/ && chmod 755 /root/deploy-k8s.kargo.sh'
-sudo cp -a ~vagrant/custom.yaml /root/custom.yaml
-sudo cp -a ~vagrant/kubedns.yaml /root/kubedns.yaml
-
-# SSH keys and config
-sudo rm -rf /root/.ssh
-sudo mv ~vagrant/ssh /root/.ssh
-sudo echo -e 'Host 10.*\n\tStrictHostKeyChecking no\n\tUserKnownHostsFile=/dev/null' >> /root/.ssh/config
-sudo chown -R root: /root/.ssh
-
-# Copy nodes list
-sudo cp ~vagrant/nodes /root/nodes
-
-# README
-sudo echo 'cd /root/kargo ; ansible-playbook -vvv -i inv/inventory.cfg cluster.yml -u root -f 7' > /root/README
@@ -1,17 +0,0 @@
-#!/bin/bash
-echo node > /var/tmp/role
-
-# Packages
-sudo apt-get --yes update
-sudo apt-get --yes upgrade
-sudo apt-get --yes install screen vim telnet tcpdump python-pip
-
-# Pip
-sudo pip install kpm
-
-# SSH
-sudo rm -rf /root/.ssh
-sudo mv ~vagrant/ssh /root/.ssh
-sudo rm -f /root/.ssh/id_rsa*
-sudo chown -R root: /root/.ssh
-
@@ -0,0 +1,23 @@
+---
+- hosts: downloader
+  sudo: no
+  roles:
+    - { role: download, tags: download }
+
+- hosts: k8s-cluster
+  roles:
+    - { role: etcd, tags: etcd }
+    - { role: docker, tags: docker }
+    - { role: overlay_network, tags: ['calico', 'flannel', 'network'] }
+    - { role: dnsmasq, tags: dnsmasq }
+
+- hosts: kube-master
+  roles:
+    - { role: kubernetes/master, tags: master }
+    # Apps to be installed
+    # - { role: apps/k8s-kubedns, tags: ['kubedns', 'apps'] }
+    # - { role: apps/k8s-fabric8, tags: ['fabric8', 'apps'] }
+
+- hosts: kube-node
+  roles:
+    - { role: kubernetes/node, tags: node }
@@ -1,3 +0,0 @@
-kube_network_plugin: "calico"
-kube_proxy_mode: "iptables"
-local_release_dir: "/var/tmp/releases"
@@ -1,26 +0,0 @@
-#!/bin/bash
-
-INVENTORY="kargo/inventory/inventory.cfg"
-
-nodes=""
-i=1
-for nodeip in `cat /root/nodes` ; do
-  i=$(( $i+1 ))
-  nodes+=" node${i}[ansible_ssh_host=${nodeip},ip=${nodeip}]"
-done
-
-if [ -f "$INVENTORY" ] ; then
-  echo "$INVENTORY already exists, if you want to recreate, pls remove it and re-run this script"
-else
-  echo "Preparing inventory..."
-  kargo prepare -y --nodes $nodes
-fi
-
-echo "Running deployment..."
-kargo deploy -y --ansible-opts="-e @custom.yaml"
-deploy_res=$?
-
-if [ "$deploy_res" -eq "0" ]; then
-  echo "Setting up kubedns..."
-  ansible-playbook -i $INVENTORY kubedns.yaml
-fi
@@ -0,0 +1,6 @@
+# Directory where the binaries will be installed
+bin_dir: /usr/local/bin
+
+# Where the binaries will be downloaded.
+# Note: ensure that you've enough disk space (about 1G)
+local_release_dir: "/tmp/releases"
@@ -0,0 +1,57 @@
+# Users to create for basic auth in Kubernetes API via HTTP
+kube_users:
+  kube:
+    pass: changeme
+    role: admin
+  root:
+    pass: changeme
+    role: admin
+
+# Kubernetes cluster name, also will be used as DNS domain
+cluster_name: cluster.local
+   #
+# set this variable to calico if needed. keep it empty if flannel is used
+overlay_network_plugin: calico
+
+# Kubernetes internal network for services, unused block of space.
+kube_service_addresses: 10.233.0.0/18
+
+# internal network. When used, it will assign IP
+# addresses from this range to individual pods.
+# This network must be unused in your network infrastructure!
+overlay_network_subnet: 10.233.64.0/18
+
+# internal network total size (optional). This is the prefix of the
+# entire overlay network.  So the entirety of 4.0.0.0/16 must be
+# unused in your environment.
+# overlay_network_prefix: 18
+
+# internal network node size allocation (optional). This is the size allocated
+# to each node on your network.  With these defaults you should have
+# room for 4096 nodes with 254 pods per node.
+overlay_network_host_prefix: 24
+
+# With calico it is possible to distributed routes with border routers of the datacenter.
+peer_with_router: false
+# Warning : enabling router peering will disable calico's default behavior ('node mesh').
+# The subnets of each nodes will be distributed by the datacenter router
+
+# Internal DNS configuration.
+# Kubernetes can create and mainatain its own DNS server to resolve service names
+# into appropriate IP addresses. It's highly advisable to run such DNS server,
+# as it greatly simplifies configuration of your applications - you can use
+# service names instead of magic environment variables.
+# You still must manually configure all your containers to use this DNS server,
+# Kubernetes won't do this for you (yet).
+
+# Upstream dns servers used by dnsmasq
+upstream_dns_servers:
+  - 8.8.8.8
+  - 4.4.8.8
+
+# Use dns server : https://github.com/ansibl8s/k8s-skydns/blob/master/skydns-README.md
+dns_setup: true
+dns_domain: "{{ cluster_name }}"
+
+# Ip address of the kubernetes dns service
+dns_server: 10.233.0.10
@@ -0,0 +1,36 @@
+[downloader]
+172.16.0.1
+
+[kube-master]
+# NB : the br_addr must be in the {{ calico_pool }} subnet
+# it will assign a /24 subnet per node
+172.16.0.1 br_addr=10.233.64.1
+
+[etcd]
+172.16.0.1
+
+[kube-node:children]
+usa
+france
+
+[usa]
+172.16.0.1 br_addr=10.233.64.1
+# Configure the as assigned to the each node if bgp peering with border routers is enabled
+172.16.0.2 br_addr=10.233.65.1 # local_as=65xxx
+172.16.0.3 br_addr=10.233.66.1 # local_as=65xxx
+
+[france]
+192.168.0.1 br_addr=10.233.67.1 # local_as=65xxx
+192.168.0.2 br_addr=10.233.68.1 # local_as=65xxx
+
+[k8s-cluster:children]
+kube-node
+kube-master
+
+# If you want to configure bgp peering with border router you'll need to set the following vars
+# List of routers and their as number
+#[usa:vars]
+#bgp_peers=[{"router_id": "172.16.0.252", "as": "65xxx"}, {"router_id": "172.16.0.253", "as": "65xxx"}]
+#
+#[france:vars]
+#bgp_peers=[{"router_id": "192.168.0.252", "as": "65xxx"}, {"router_id": "192.168.0.253", "as": "65xxx"}]
@@ -0,0 +1,6 @@
+# Directory where the binaries will be installed
+bin_dir: /usr/local/bin
+
+# Where the binaries will be downloaded.
+# Note: ensure that you've enough disk space (about 1G)
+local_release_dir: "/tmp/releases"
@@ -0,0 +1,57 @@
+# Users to create for basic auth in Kubernetes API via HTTP
+# kube_users:
+#   kube:
+#     pass: changeme
+#     role: admin
+#   root:
+#     pass: changeme
+#     role: admin
+
+# Kubernetes cluster name, also will be used as DNS domain
+# cluster_name: cluster.local
+   #
+# set this variable to calico if needed. keep it empty if flannel is used
+# overlay_network_plugin: calico
+
+# Kubernetes internal network for services, unused block of space.
+# kube_service_addresses: 10.233.0.0/18
+
+# internal network. When used, it will assign IP
+# addresses from this range to individual pods.
+# This network must be unused in your network infrastructure!
+# overlay_network_subnet: 10.233.64.0/18
+
+# internal network total size (optional). This is the prefix of the
+# entire overlay network.  So the entirety of 4.0.0.0/16 must be
+# unused in your environment.
+# overlay_network_prefix: 18
+
+# internal network node size allocation (optional). This is the size allocated
+# to each node on your network.  With these defaults you should have
+# room for 4096 nodes with 254 pods per node.
+# overlay_network_host_prefix: 24
+
+# With calico it is possible to distributed routes with border routers of the datacenter.
+# peer_with_router: false
+# Warning : enabling router peering will disable calico's default behavior ('node mesh').
+# The subnets of each nodes will be distributed by the datacenter router
+
+# Internal DNS configuration.
+# Kubernetes can create and mainatain its own DNS server to resolve service names
+# into appropriate IP addresses. It's highly advisable to run such DNS server,
+# as it greatly simplifies configuration of your applications - you can use
+# service names instead of magic environment variables.
+# You still must manually configure all your containers to use this DNS server,
+# Kubernetes won't do this for you (yet).
+
+# Upstream dns servers used by dnsmasq
+# upstream_dns_servers:
+#   - 8.8.8.8
+#   - 4.4.8.8
+#
+# # Use dns server : https://github.com/ansibl8s/k8s-skydns/blob/master/skydns-README.md
+# dns_setup: true
+# dns_domain: "{{ cluster_name }}"
+#
+# # Ip address of the kubernetes dns service
+# dns_server: 10.233.0.10
@@ -1,5 +0,0 @@
- hosts: kube-master
-  tasks:
-    - name: setup-kubedns
-      shell: kpm deploy kube-system/kubedns --namespace=kube-system
-      run_once: true
@@ -0,0 +1,36 @@
+---
+- src: https://github.com/ansibl8s/k8s-common.git
+  path: roles/apps
+  # version: v1.0
+
+- src: https://github.com/ansibl8s/k8s-skydns.git
+  path: roles/apps
+  # version: v1.0
+
+#- src: https://github.com/ansibl8s/k8s-kube-ui.git
+#  path: roles/apps
+#  # version: v1.0
+#
+#- src: https://github.com/ansibl8s/k8s-fabric8.git
+#  path: roles/apps
+#  # version: v1.0
+#
+#- src: https://github.com/ansibl8s/k8s-elasticsearch.git
+#  path: roles/apps
+#  # version: v1.0
+#
+#- src: https://github.com/ansibl8s/k8s-redis.git
+#  path: roles/apps
+#  # version: v1.0
+#
+#- src: https://github.com/ansibl8s/k8s-memcached.git
+#  path: roles/apps
+#  # version: v1.0
+#
+#- src: https://github.com/ansibl8s/k8s-haproxy.git
+#  path: roles/apps
+#  # version: v1.0
+#
+#- src: https://github.com/ansibl8s/k8s-postgres.git
+#  path: roles/apps
+#  # version: v1.0
@@ -0,0 +1,4 @@
+#!/bin/sh
+make_resolv_conf() {
+    :
+}
@@ -0,0 +1,3 @@
+---
+- name: restart dnsmasq
+  command: systemctl restart dnsmasq
@@ -0,0 +1,58 @@
+---
+- name: populate inventory into hosts file
+  lineinfile:
+    dest: /etc/hosts
+    regexp: "^{{ hostvars[item].ansible_default_ipv4.address }} {{ item }}$"
+    line: "{{ hostvars[item].ansible_default_ipv4.address }} {{ item }}"
+    state: present
+  when: hostvars[item].ansible_default_ipv4.address is defined
+  with_items: groups['all']
+
+- name: clean hosts file
+  lineinfile:
+    dest: /etc/hosts
+    regexp: "{{ item }}"
+    state: absent
+  with_items:
+    - '^127\.0\.0\.1(\s+){{ inventory_hostname }}.*'
+    - '^::1(\s+){{ inventory_hostname }}.*'
+
+- name: install dnsmasq and bindr9utils
+  apt:
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - dnsmasq
+    - bind9utils
+  when: inventory_hostname in groups['kube-master'][0]
+
+- name: ensure dnsmasq.d directory exists
+  file:
+    path: /etc/dnsmasq.d
+    state: directory
+  when: inventory_hostname in groups['kube-master'][0]
+
+- name: configure dnsmasq
+  template:
+    src: 01-kube-dns.conf.j2
+    dest: /etc/dnsmasq.d/01-kube-dns.conf
+    mode: 755
+  notify:
+    - restart dnsmasq
+  when: inventory_hostname in groups['kube-master'][0]
+
+- name: enable dnsmasq
+  service:
+    name: dnsmasq
+    state: started
+    enabled: yes
+  when: inventory_hostname in groups['kube-master'][0]
+
+- name: update resolv.conf with new DNS setup
+  template:
+    src: resolv.conf.j2
+    dest: /etc/resolv.conf
+    mode: 644
+
+- name: disable resolv.conf modification by dhclient
+  copy: src=dhclient_nodnsupdate dest=/etc/dhcp/dhclient-enter-hooks.d/nodnsupdate mode=u+x
@@ -0,0 +1,19 @@
+#Listen on all interfaces
+interface=*
+
+addn-hosts=/etc/hosts
+
+bogus-priv
+
+#Set upstream dns servers
+{% if upstream_dns_servers is defined %}
+{% for srv in upstream_dns_servers %}
+server={{ srv }}
+{% endfor %}
+{% else %}
+ server=8.8.8.8
+ server=8.8.4.4
+{% endif %}
+
+# Forward k8s domain to kube-dns
+server=/{{ dns_domain }}/{{ dns_server }}
@@ -0,0 +1,5 @@
+; generated by ansible
+search {{ [ 'default.svc.' + dns_domain, 'svc.' + dns_domain, dns_domain ] | join(' ') }}
+{% for host in groups['kube-master'] %}
+nameserver {{ hostvars[host]['ansible_default_ipv4']['address'] }}
+{% endfor %}
@@ -0,0 +1,17 @@
+[Unit]
+Description=Docker Application Container Engine
+Documentation=https://docs.docker.com
+After=network.target docker.socket
+Requires=docker.socket
+
+[Service]
+EnvironmentFile=-/etc/default/docker
+Type=notify
+ExecStart=/usr/bin/docker daemon -H fd:// $DOCKER_OPTS
+MountFlags=slave
+LimitNOFILE=1048576
+LimitNPROC=1048576
+LimitCORE=infinity
+
+[Install]
+WantedBy=multi-user.target
@@ -0,0 +1,12 @@
+---
+- name: restart docker
+  command: /bin/true
+  notify:
+    - reload systemd
+    - restart docker service
+
+- name: reload systemd
+  shell: systemctl daemon-reload
+
+- name: restart docker service
+  service: name=docker state=restarted
@@ -0,0 +1,33 @@
+---
+- name: Write script for calico/docker bridge configuration
+  template: src=create_cbr.j2 dest=/etc/network/if-up.d/create_cbr mode=u+x
+  when: overlay_network_plugin is defined and overlay_network_plugin == "calico"
+
+- name: Configure calico/docker bridge
+  shell: /etc/network/if-up.d/create_cbr
+  when: overlay_network_plugin is defined and overlay_network_plugin == "calico"
+
+- name: Configure docker to use cbr0 bridge
+  lineinfile:
+    dest=/etc/default/docker
+    regexp='.*DOCKER_OPTS=.*'
+    line='DOCKER_OPTS="--bridge=cbr0 --iptables=false --ip-masq=false"'
+  notify:
+    - restart docker
+  when: overlay_network_plugin is defined and overlay_network_plugin == "calico"
+
+- name: enable docker
+  service:
+    name: docker
+    enabled: yes
+    state: started
+  tags:
+    - docker
+
+- meta: flush_handlers
+
+#- name: login to arkena's docker registry
+#  shell : >
+#    docker login --username={{ dockerhub_user }}
+#    --password={{ dockerhub_pass }}
+#    --email={{ dockerhub_email }}
@@ -0,0 +1,24 @@
+---
+- name: Install prerequisites for https transport
+  apt: pkg={{ item }} state=present update_cache=yes
+  with_items:
+    - apt-transport-https
+    - ca-certificates
+
+- name: Configure docker apt repository
+  template: src=docker.list.j2 dest=/etc/apt/sources.list.d/docker.list
+
+- name: Install docker-engine
+  apt: pkg={{ item }} state=present force=yes update_cache=yes
+  with_items:
+    - aufs-tools
+    - cgroupfs-mount
+    - docker-engine=1.8.2-0~{{ ansible_distribution_release }}
+
+- name: Copy default docker configuration
+  template: src=default-docker.j2 dest=/etc/default/docker
+  notify: restart docker
+
+- name: Copy Docker systemd unit file
+  copy: src=systemd-docker.service dest=/lib/systemd/system/docker.service
+  notify: restart docker
@@ -0,0 +1,3 @@
+---
+- include: install.yml
+- include: configure.yml
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# Create calico bridge cbr0 if it doesn't exist
+ifaces=$(ifconfig -a | sed 's/[ \t].*//;/^\(lo\|\)$/d' |tr '\n' ' ')
+if ! [[ "${ifaces}" =~ "cbr0" ]];then
+   brctl addbr cbr0
+   ip link set cbr0 up
+fi
+
+# Configure calico bridge ip
+br_ips=$(ip addr list cbr0 |grep "inet " |cut -d' ' -f6)
+if ! [[ "${br_ips}" =~ "{{ br_addr }}/{{ overlay_network_host_prefix }}" ]];then
+       ip a add {{ br_addr }}/{{ overlay_network_host_prefix }} dev cbr0
+fi
@@ -0,0 +1,15 @@
+# Docker Upstart and SysVinit configuration file
+
+# Customize location of Docker binary (especially for development testing).
+#DOCKER="/usr/local/bin/docker"
+
+# Use DOCKER_OPTS to modify the daemon startup options.
+{% if overlay_network_plugin is defined and overlay_network_plugin == "calico" %}
+DOCKER_OPTS="--bridge=cbr0 --iptables=false --ip-masq=false"
+{% endif %}
+
+# If you need Docker to use an HTTP proxy, it can also be specified here.
+#export http_proxy="http://127.0.0.1:3128/"
+
+# This is also a handy place to tweak where Docker's temporary files go.
+#export TMPDIR="/mnt/bigdrive/docker-tmp"
@@ -0,0 +1 @@
+deb https://apt.dockerproject.org/repo debian-{{ ansible_distribution_release }} main
@@ -0,0 +1,4 @@
+---
+#dockerhub_user:
+#dockerhub_pass:
+#dockerhub_email:
@@ -0,0 +1,5 @@
+---
+etcd_download_url: https://github.com/coreos/etcd/releases/download
+flannel_download_url: https://github.com/coreos/flannel/releases/download
+kube_download_url: https://github.com/GoogleCloudPlatform/kubernetes/releases/download
+calico_download_url: https://github.com/Metaswitch/calico-docker/releases/download
@@ -0,0 +1,21 @@
+---
+- name: Create calico release directory
+  local_action: file
+     path={{ local_release_dir }}/calico/bin
+     recurse=yes
+     state=directory
+  delegate_to: "{{ groups['kube-master'][0] }}"
+
+- name: Check if calicoctl has been downloaded
+  local_action: stat
+     path={{ local_release_dir }}/calico/bin/calicoctl
+  register: c_tar
+  delegate_to: "{{ groups['kube-master'][0] }}"
+
+# issues with get_url module and redirects, to be tested again in the near future
+- name: Download calico
+  local_action: shell
+    curl -o {{ local_release_dir }}/calico/bin/calicoctl -Ls {{ calico_download_url }}/{{ calico_version }}/calicoctl
+  when: not c_tar.stat.exists
+  register: dl_calico
+  delegate_to: "{{ groups['kube-master'][0] }}"
@@ -0,0 +1,42 @@
+---
+- name: Create etcd release directory
+  local_action: file
+     path={{ local_release_dir }}/etcd/bin
+     recurse=yes
+     state=directory
+  delegate_to: "{{ groups['kube-master'][0] }}"
+
+- name: Check if etcd release archive has been downloaded
+  local_action: stat
+     path={{ local_release_dir }}/etcd/etcd-{{ etcd_version }}-linux-amd64.tar.gz
+  register: e_tar
+  delegate_to: "{{ groups['kube-master'][0] }}"
+
+# issues with get_url module and redirects, to be tested again in the near future
+- name: Download etcd
+  local_action: shell
+    curl -o {{ local_release_dir }}/etcd/etcd-{{ etcd_version }}-linux-amd64.tar.gz -Ls {{ etcd_download_url }}/{{ etcd_version }}/etcd-{{ etcd_version }}-linux-amd64.tar.gz
+  when: not e_tar.stat.exists
+  register: dl_etcd
+  delegate_to: "{{ groups['kube-master'][0] }}"
+
+- name: Extract etcd archive
+  local_action: unarchive
+     src={{ local_release_dir }}/etcd/etcd-{{ etcd_version }}-linux-amd64.tar.gz
+     dest={{ local_release_dir }}/etcd copy=no
+  when: dl_etcd|changed
+  delegate_to: "{{ groups['kube-master'][0] }}"
+
+- name: Pick up only etcd binaries
+  local_action: copy
+     src={{ local_release_dir }}/etcd/etcd-{{ etcd_version }}-linux-amd64/{{ item }}
+     dest={{ local_release_dir }}/etcd/bin
+  with_items:
+    - etcdctl
+    - etcd
+  when: dl_etcd|changed
+
+- name: Delete unused etcd files
+  local_action: file
+     path={{ local_release_dir }}/etcd/etcd-{{ etcd_version }}-linux-amd64 state=absent
+  when: dl_etcd|changed
@@ -0,0 +1,39 @@
+---
+- name: Create flannel release directory
+  local_action: file
+     path={{ local_release_dir }}/flannel
+     recurse=yes
+     state=directory
+  delegate_to: "{{ groups['kube-master'][0] }}"
+
+- name: Check if flannel release archive has been downloaded
+  local_action: stat
+     path={{ local_release_dir }}/flannel/flannel-{{ flannel_version }}-linux-amd64.tar.gz
+  register: f_tar
+  delegate_to: "{{ groups['kube-master'][0] }}"
+
+# issues with get_url module and redirects, to be tested again in the near future
+- name: Download flannel
+  local_action: shell
+    curl -o {{ local_release_dir }}/flannel/flannel-{{ flannel_version }}-linux-amd64.tar.gz -Ls {{ flannel_download_url }}/v{{ flannel_version }}/flannel-{{ flannel_version }}-linux-amd64.tar.gz
+  when: not f_tar.stat.exists
+  register: dl_flannel
+  delegate_to: "{{ groups['kube-master'][0] }}"
+
+- name: Extract flannel archive
+  local_action: unarchive
+     src={{ local_release_dir }}/flannel/flannel-{{ flannel_version }}-linux-amd64.tar.gz
+     dest={{ local_release_dir }}/flannel copy=no
+  when: dl_flannel|changed
+  delegate_to: "{{ groups['kube-master'][0] }}"
+
+- name: Pick up only flannel binaries
+  local_action: copy
+     src={{ local_release_dir }}/flannel/flannel-{{ flannel_version }}/flanneld
+     dest={{ local_release_dir }}/flannel/bin
+  when: dl_flannel|changed
+
+- name: Delete unused flannel files
+  local_action: file
+     path={{ local_release_dir }}/flannel/flannel-{{ flannel_version }} state=absent
+  when: dl_flannel|changed
@@ -0,0 +1,47 @@
+---
+- name: Create kubernetes release directory
+  local_action: file
+     path={{ local_release_dir }}/kubernetes
+     state=directory
+
+- name: Check if kubernetes release archive has been downloaded
+  local_action: stat
+     path={{ local_release_dir }}/kubernetes/kubernetes.tar.gz
+  register: k_tar
+
+# issues with get_url module and redirects, to be tested again in the near future
+- name: Download kubernetes
+  local_action: shell
+    curl -o {{ local_release_dir }}/kubernetes/kubernetes.tar.gz -Ls {{ kube_download_url }}/{{ kube_version }}/kubernetes.tar.gz
+  when: not k_tar.stat.exists or k_tar.stat.checksum != "{{ kube_sha1 }}"
+  register: dl_kube
+
+- name: Compare kubernetes archive checksum
+  local_action: stat
+     path={{ local_release_dir }}/kubernetes/kubernetes.tar.gz
+  register: k_tar
+  failed_when: k_tar.stat.checksum != "{{ kube_sha1 }}"
+  when: dl_kube|changed
+
+- name: Extract kubernetes archive
+  local_action: unarchive
+     src={{ local_release_dir }}/kubernetes/kubernetes.tar.gz
+     dest={{ local_release_dir }}/kubernetes copy=no
+  when: dl_kube|changed
+
+- name: Extract kubernetes binaries archive
+  local_action: unarchive
+     src={{ local_release_dir }}/kubernetes/kubernetes/server/kubernetes-server-linux-amd64.tar.gz
+     dest={{ local_release_dir }}/kubernetes copy=no
+  when: dl_kube|changed
+
+- name: Pick up only kubernetes binaries
+  local_action: synchronize
+     src={{ local_release_dir }}/kubernetes/kubernetes/server/bin
+     dest={{ local_release_dir }}/kubernetes
+  when: dl_kube|changed
+
+- name: Delete unused kubernetes files
+  local_action: file
+     path={{ local_release_dir }}/kubernetes/kubernetes state=absent
+  when: dl_kube|changed
@@ -0,0 +1,5 @@
+---
+- include: kubernetes.yml
+- include: etcd.yml
+- include: calico.yml
+- include: flannel.yml
@@ -0,0 +1,8 @@
+---
+etcd_version: v2.2.0
+flannel_version: 0.5.3
+
+kube_version: v1.0.6
+kube_sha1: 289f9a11ea2f3cfcc6cbd50d29c3d16d4978b76c
+
+calico_version: v0.5.1
@@ -0,0 +1,15 @@
+---
+- name: restart daemons
+  command: /bin/true
+  notify:
+    - reload systemd
+    - restart etcd2
+
+- name: reload systemd
+  command: systemctl daemon-reload
+
+- name: restart etcd2
+  service: name=etcd2 state=restarted
+
+- name: Save iptables rules
+  command: service iptables save
@@ -0,0 +1,15 @@
+---
+- name: Disable ferm
+  service: name=ferm state=stopped enabled=no
+
+- name: Create etcd2 environment vars dir
+  file: path=/etc/systemd/system/etcd2.service.d state=directory
+
+- name: Write etcd2 config file
+  template: src=etcd2.j2 dest=/etc/systemd/system/etcd2.service.d/10-etcd2-cluster.conf
+  notify:
+    - reload systemd
+    - restart etcd2
+
+- name: Ensure etcd2 is running
+  service: name=etcd2 state=started enabled=yes
@@ -0,0 +1,24 @@
+---
+- name: Create etcd user
+  user: name=etcd shell=/bin/nologin home=/var/lib/etcd2
+
+- name: Install etcd binaries
+  copy: 
+     src={{ local_release_dir }}/etcd/bin/{{ item }}
+     dest={{ bin_dir }}
+     owner=etcd
+     mode=u+x
+  with_items:
+    - etcdctl
+    - etcd
+  notify:
+    - restart daemons
+
+- name: Create etcd2 binary symlink
+  file: src=/usr/local/bin/etcd dest=/usr/local/bin/etcd2 state=link
+
+- name: Copy etcd2.service systemd file
+  template:
+    src: systemd-etcd2.service.j2
+    dest: /lib/systemd/system/etcd2.service
+  notify: restart daemons
@@ -0,0 +1,3 @@
+---
+- include: install.yml
+- include: configure.yml
@@ -0,0 +1,17 @@
+# etcd2.0
+[Service]
+{% if inventory_hostname in groups['kube-master'] %}
+Environment="ETCD_ADVERTISE_CLIENT_URLS=http://{{ ansible_default_ipv4.address }}:2379,http://{{ ansible_default_ipv4.address }}:4001"
+Environment="ETCD_INITIAL_ADVERTISE_PEER_URLS=http://{{ ansible_default_ipv4.address }}:2380"
+Environment="ETCD_INITIAL_CLUSTER=master=http://{{ ansible_default_ipv4.address }}:2380"
+Environment="ETCD_INITIAL_CLUSTER_STATE=new"
+Environment="ETCD_INITIAL_CLUSTER_TOKEN=k8s_etcd"
+Environment="ETCD_LISTEN_CLIENT_URLS=http://0.0.0.0:2379,http://0.0.0.0:4001"
+Environment="ETCD_LISTEN_PEER_URLS=http://:2380,http://{{ ansible_default_ipv4.address }}:7001"
+Environment="ETCD_NAME=master"
+{% else %}
+Environment="ETCD_ADVERTISE_CLIENT_URLS=http://0.0.0.0:2379,http://0.0.0.0:4001"
+Environment="ETCD_INITIAL_CLUSTER=master=http://{{ groups['kube-master'][0] }}:2380"
+Environment="ETCD_LISTEN_CLIENT_URLS=http://0.0.0.0:2379,http://0.0.0.0:4001"
+Environment="ETCD_PROXY=on"
+{% endif %}
@@ -0,0 +1,15 @@
+[Unit]
+Description=etcd2
+Conflicts=etcd.service
+
+[Service]
+User=etcd
+Environment=ETCD_DATA_DIR=/var/lib/etcd2
+Environment=ETCD_NAME=%m
+ExecStart={{ bin_dir }}/etcd2
+Restart=always
+RestartSec=10s
+LimitNOFILE=40000
+
+[Install]
+WantedBy=multi-user.target
@@ -0,0 +1,41 @@
+# This directory is where all the additional scripts go
+# that Kubernetes normally puts in /srv/kubernetes.
+# This puts them in a sane location
+kube_script_dir: "{{ bin_dir }}/kubernetes-scripts"
+
+# This directory is where all the additional config stuff goes
+# the kubernetes normally puts in /srv/kubernets.
+# This puts them in a sane location.
+# Editting this value will almost surely break something. Don't
+# change it. Things like the systemd scripts are hard coded to
+# look in here. Don't do it.
+kube_config_dir: /etc/kubernetes
+
+# The port the API Server will be listening on.
+kube_master_port: 443
+
+# This is where all the cert scripts and certs will be located
+kube_cert_dir: "{{ kube_config_dir }}/certs"
+
+# This is where all of the bearer tokens will be stored
+kube_token_dir: "{{ kube_config_dir }}/tokens"
+
+# This is where to save basic auth file
+kube_users_dir: "{{ kube_config_dir }}/users"
+
+# This is where you can drop yaml/json files and the kubelet will run those
+# pods on startup
+kube_manifest_dir: "{{ kube_config_dir }}/manifests"
+
+# This is the group that the cert creation scripts chgrp the
+# cert files to. Not really changable...
+kube_cert_group: kube-cert
+
+dns_domain: "{{ cluster_name }}"
+
+# IP address of the DNS server.
+# Kubernetes will create a pod with several containers, serving as the DNS
+# server and expose it under this IP address. The IP address must be from
+# the range specified as kube_service_addresses. This magic will actually
+# pick the 10th ip address in the kube_service_addresses range and use that.
+# dns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(253)|ipaddr('address') }}"
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# Copyright 2015 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+token_dir=${TOKEN_DIR:-/var/srv/kubernetes}
+token_file="${token_dir}/known_tokens.csv"
+
+create_accounts=($@)
+
+touch "${token_file}"
+for account in "${create_accounts[@]}"; do
+  if grep ",${account}," "${token_file}" ; then
+    continue
+  fi
+  token=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
+  echo "${token},${account},${account}" >> "${token_file}"
+  echo "${token}" > "${token_dir}/${account}.token"
+  echo "Added ${account}"
+done
@@ -0,0 +1,115 @@
+#!/bin/bash
+
+# Copyright 2014 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# Caller should set in the ev:
+# MASTER_IP - this may be an ip or things like "_use_gce_external_ip_"
+# DNS_DOMAIN - which will be passed to minions in --cluster_domain
+# SERVICE_CLUSTER_IP_RANGE - where all service IPs are allocated
+# MASTER_NAME - I'm not sure what it is...
+
+# Also the following will be respected
+# CERT_DIR - where to place the finished certs
+# CERT_GROUP - who the group owner of the cert files should be
+
+cert_ip="${MASTER_IP:="${1}"}"
+master_name="${MASTER_NAME:="kubernetes"}"
+service_range="${SERVICE_CLUSTER_IP_RANGE:="10.0.0.0/16"}"
+dns_domain="${DNS_DOMAIN:="cluster.local"}"
+cert_dir="${CERT_DIR:-"/srv/kubernetes"}"
+cert_group="${CERT_GROUP:="kube-cert"}"
+
+# The following certificate pairs are created:
+#
+#  - ca (the cluster's certificate authority)
+#  - server
+#  - kubelet
+#  - kubecfg (for kubectl)
+#
+# TODO(roberthbailey): Replace easyrsa with a simple Go program to generate
+# the certs that we need.
+
+# TODO: Add support for discovery on other providers?
+if [ "$cert_ip" == "_use_gce_external_ip_" ]; then
+  cert_ip=$(curl -s -H Metadata-Flavor:Google http://metadata.google.internal./computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip)
+fi
+
+if [ "$cert_ip" == "_use_aws_external_ip_" ]; then
+  cert_ip=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
+fi
+
+if [ "$cert_ip" == "_use_azure_dns_name_" ]; then
+  cert_ip=$(uname -n | awk -F. '{ print $2 }').cloudapp.net
+fi
+
+tmpdir=$(mktemp -d --tmpdir kubernetes_cacert.XXXXXX)
+trap 'rm -rf "${tmpdir}"' EXIT
+cd "${tmpdir}"
+
+# TODO: For now, this is a patched tool that makes subject-alt-name work, when
+# the fix is upstream  move back to the upstream easyrsa.  This is cached in GCS
+# but is originally taken from:
+#   https://github.com/brendandburns/easy-rsa/archive/master.tar.gz
+#
+# To update, do the following:
+# curl -o easy-rsa.tar.gz https://github.com/brendandburns/easy-rsa/archive/master.tar.gz
+# gsutil cp easy-rsa.tar.gz gs://kubernetes-release/easy-rsa/easy-rsa.tar.gz
+# gsutil acl ch -R -g all:R gs://kubernetes-release/easy-rsa/easy-rsa.tar.gz
+#
+# Due to GCS caching of public objects, it may take time for this to be widely
+# distributed.
+
+# Calculate the first ip address in the service range
+octects=($(echo "${service_range}" | sed -e 's|/.*||' -e 's/\./ /g'))
+((octects[3]+=1))
+service_ip=$(echo "${octects[*]}" | sed 's/ /./g')
+
+# Determine appropriete subject alt names
+sans="IP:${cert_ip},IP:${service_ip},DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.${dns_domain},DNS:${master_name}"
+
+curl -L -O https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz > /dev/null 2>&1
+tar xzf easy-rsa.tar.gz > /dev/null
+cd easy-rsa-master/easyrsa3
+
+(./easyrsa init-pki > /dev/null 2>&1
+ ./easyrsa --batch "--req-cn=${cert_ip}@$(date +%s)" build-ca nopass > /dev/null 2>&1
+ ./easyrsa --subject-alt-name="${sans}" build-server-full "${master_name}" nopass > /dev/null 2>&1
+ ./easyrsa build-client-full kubelet nopass > /dev/null 2>&1
+ ./easyrsa build-client-full kubecfg nopass > /dev/null 2>&1) || {
+ # If there was an error in the subshell, just die.
+ # TODO(roberthbailey): add better error handling here
+ echo "=== Failed to generate certificates: Aborting ==="
+ exit 2
+ }
+
+mkdir -p "$cert_dir"
+
+cp -p pki/ca.crt "${cert_dir}/ca.crt"
+cp -p "pki/issued/${master_name}.crt" "${cert_dir}/server.crt" > /dev/null 2>&1
+cp -p "pki/private/${master_name}.key" "${cert_dir}/server.key" > /dev/null 2>&1
+cp -p pki/issued/kubecfg.crt "${cert_dir}/kubecfg.crt"
+cp -p pki/private/kubecfg.key "${cert_dir}/kubecfg.key"
+cp -p pki/issued/kubelet.crt "${cert_dir}/kubelet.crt"
+cp -p pki/private/kubelet.key "${cert_dir}/kubelet.key"
+
+CERTS=("ca.crt" "server.key" "server.crt" "kubelet.key" "kubelet.crt" "kubecfg.key" "kubecfg.crt")
+for cert in "${CERTS[@]}"; do
+  chgrp "${cert_group}" "${cert_dir}/${cert}"
+  chmod 660 "${cert_dir}/${cert}"
+done
@@ -0,0 +1,3 @@
+---
+dependencies:
+  - { role: etcd }
@@ -0,0 +1,42 @@
+---
+#- name: Get create ca cert script from Kubernetes
+#  get_url:
+#    url=https://raw.githubusercontent.com/GoogleCloudPlatform/kubernetes/master/cluster/saltbase/salt/generate-cert/make-ca-cert.sh
+#    dest={{ kube_script_dir }}/make-ca-cert.sh mode=0500
+#    force=yes
+
+- name: certs | install cert generation script
+  copy:
+    src=make-ca-cert.sh
+    dest={{ kube_script_dir }}
+    mode=0500
+  changed_when: false
+
+# FIXME This only generates a cert for one master...
+- name: certs | run cert generation script
+  command:
+    "{{ kube_script_dir }}/make-ca-cert.sh {{ inventory_hostname }}"
+  args:
+    creates: "{{ kube_cert_dir }}/server.crt"
+  environment:
+    MASTER_IP: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}"
+    MASTER_NAME: "{{ inventory_hostname }}"
+    DNS_DOMAIN: "{{ dns_domain }}"
+    SERVICE_CLUSTER_IP_RANGE: "{{ kube_service_addresses }}"
+    CERT_DIR: "{{ kube_cert_dir }}"
+    CERT_GROUP: "{{ kube_cert_group }}"
+
+- name: certs | check certificate permissions
+  file:
+    path={{ item }}
+    group={{ kube_cert_group }}
+    owner=kube
+    mode=0440
+  with_items:
+    - "{{ kube_cert_dir }}/ca.crt"
+    - "{{ kube_cert_dir }}/server.crt"
+    - "{{ kube_cert_dir }}/server.key"
+    - "{{ kube_cert_dir }}/kubecfg.crt"
+    - "{{ kube_cert_dir }}/kubecfg.key"
+    - "{{ kube_cert_dir }}/kubelet.crt"
+    - "{{ kube_cert_dir }}/kubelet.key"
@@ -0,0 +1,30 @@
+---
+- name: tokens | copy the token gen script
+  copy:
+    src=kube-gen-token.sh
+    dest={{ kube_script_dir }}
+    mode=u+x
+
+- name: tokens | generate tokens for master components
+  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
+  environment:
+    TOKEN_DIR: "{{ kube_token_dir }}"
+  with_nested:
+    - [ "system:controller_manager", "system:scheduler", "system:kubectl", 'system:proxy' ]
+    - "{{ groups['kube-master'][0] }}"
+  register: gentoken
+  changed_when: "'Added' in gentoken.stdout"
+  notify:
+    - restart daemons
+
+- name: tokens | generate tokens for node components
+  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
+  environment:
+    TOKEN_DIR: "{{ kube_token_dir }}"
+  with_nested:
+    - [ 'system:kubelet', 'system:proxy' ]
+    - "{{ groups['kube-node'] }}"
+  register: gentoken
+  changed_when: "'Added' in gentoken.stdout"
+  notify:
+    - restart daemons
@@ -0,0 +1,29 @@
+---
+- name: define alias command for kubectl all
+  lineinfile:
+    dest=/etc/bash.bashrc
+    line="alias kball='{{ bin_dir }}/kubectl --all-namespaces -o wide'"
+    regexp='^alias kball=.*$'
+    state=present
+    insertafter=EOF
+    create=True
+
+- name: create kubernetes config directory
+  file: path={{ kube_config_dir }} state=directory
+
+- name: create kubernetes script directory
+  file: path={{ kube_script_dir }} state=directory
+
+- name: Make sure manifest directory exists
+  file: path={{ kube_manifest_dir }} state=directory
+
+- name: write the global config file
+  template:
+    src: config.j2
+    dest: "{{ kube_config_dir }}/config"
+  notify:
+    - restart daemons
+
+- include: secrets.yml
+  tags:
+    - secrets
@@ -0,0 +1,50 @@
+---
+- name: certs | create system kube-cert groups
+  group: name={{ kube_cert_group }} state=present system=yes
+
+- name: create system kube user
+  user:
+    name=kube
+    comment="Kubernetes user"
+    shell=/sbin/nologin
+    state=present
+    system=yes
+    groups={{ kube_cert_group }}
+
+- name: certs | make sure the certificate directory exits
+  file:
+    path={{ kube_cert_dir }}
+    state=directory
+    mode=o-rwx
+    group={{ kube_cert_group }}
+
+- name: tokens | make sure the tokens directory exits
+  file:
+    path={{ kube_token_dir }}
+    state=directory
+    mode=o-rwx
+    group={{ kube_cert_group }}
+
+- include: gen_certs.yml
+  run_once: true
+  when: inventory_hostname == groups['kube-master'][0]
+
+- name: Read back the CA certificate
+  slurp:
+    src: "{{ kube_cert_dir }}/ca.crt"
+  register: ca_cert
+  run_once: true
+  delegate_to: "{{ groups['kube-master'][0] }}"
+
+- name: certs | register the CA certificate as a fact for later use
+  set_fact:
+    kube_ca_cert: "{{ ca_cert.content|b64decode }}"
+
+- name: certs | write CA certificate everywhere
+  copy: content="{{ kube_ca_cert }}" dest="{{ kube_cert_dir }}/ca.crt"
+  notify:
+    - restart daemons
+
+- include: gen_tokens.yml
+  run_once: true
+  when: inventory_hostname == groups['kube-master'][0]
@@ -0,0 +1,26 @@
+###
+# kubernetes system config
+#
+# The following values are used to configure various aspects of all
+# kubernetes services, including
+#
+#   kube-apiserver.service
+#   kube-controller-manager.service
+#   kube-scheduler.service
+#   kubelet.service
+#   kube-proxy.service
+
+# Comma separated list of nodes in the etcd cluster
+# KUBE_ETCD_SERVERS="--etcd_servers="
+
+# logging to stderr means we get it in the systemd journal
+KUBE_LOGTOSTDERR="--logtostderr=true"
+
+# journal message level, 0 is debug
+KUBE_LOG_LEVEL="--v=5"
+
+# Should this cluster be allowed to run privileged docker containers
+KUBE_ALLOW_PRIV="--allow_privileged=true"
+
+# How the replication controller, scheduler, and proxy
+KUBE_MASTER="--master=https://{{ groups['kube-master'][0] }}:{{ kube_master_port }}"
@@ -0,0 +1,32 @@
+---
+- name: restart daemons
+  command: /bin/true
+  notify:
+    - reload systemd
+    - restart apiserver
+    - restart controller-manager
+    - restart scheduler
+    - restart proxy
+
+- name: reload systemd
+  command: systemctl daemon-reload
+
+- name: restart apiserver
+  service:
+    name: kube-apiserver
+    state: restarted
+
+- name: restart controller-manager
+  service:
+    name: kube-controller-manager
+    state: restarted
+
+- name: restart scheduler
+  service:
+    name: kube-scheduler
+    state: restarted
+
+- name: restart proxy
+  service:
+    name: kube-proxy
+    state: restarted
@@ -0,0 +1,3 @@
+---
+dependencies:
+  - { role: kubernetes/common }
@@ -0,0 +1,87 @@
+---
+- name: get the node token values from token files
+  slurp:
+    src: "{{ kube_token_dir }}/{{ item }}-{{ inventory_hostname }}.token"
+  with_items:
+    - "system:controller_manager"
+    - "system:scheduler"
+    - "system:kubectl"
+    - "system:proxy"
+  register: tokens
+  delegate_to: "{{ groups['kube-master'][0] }}"
+
+- name: Set token facts
+  set_fact:
+    controller_manager_token: "{{ tokens.results[0].content|b64decode }}"
+    scheduler_token: "{{ tokens.results[1].content|b64decode }}"
+    kubectl_token: "{{ tokens.results[2].content|b64decode }}"
+    proxy_token: "{{ tokens.results[3].content|b64decode }}"
+
+- name: write the config files for api server
+  template: src=apiserver.j2 dest={{ kube_config_dir }}/apiserver
+  notify:
+    - restart daemons
+
+- name: write config file for controller-manager
+  template: src=controller-manager.j2 dest={{ kube_config_dir }}/controller-manager
+  notify:
+    - restart controller-manager
+
+- name: write the kubecfg (auth) file for controller-manager
+  template: src=controller-manager.kubeconfig.j2 dest={{ kube_config_dir }}/controller-manager.kubeconfig
+  notify:
+    - restart controller-manager
+
+- name: write the config file for scheduler
+  template: src=scheduler.j2 dest={{ kube_config_dir }}/scheduler
+  notify:
+    - restart scheduler
+
+- name: write the kubecfg (auth) file for scheduler
+  template: src=scheduler.kubeconfig.j2 dest={{ kube_config_dir }}/scheduler.kubeconfig
+  notify:
+    - restart scheduler
+
+- name: write the kubecfg (auth) file for kubectl
+  template: src=kubectl.kubeconfig.j2 dest={{ kube_config_dir }}/kubectl.kubeconfig
+
+- name: write the config files for proxy
+  template: src=proxy.j2 dest={{ kube_config_dir }}/proxy
+  notify:
+    - restart daemons
+
+- name: write the kubecfg (auth) file for proxy
+  template: src=proxy.kubeconfig.j2 dest={{ kube_config_dir }}/proxy.kubeconfig
+
+- name: populate users for basic auth in API
+  lineinfile:
+    dest: "{{ kube_users_dir }}/known_users.csv"
+    create: yes
+    line: '{{ item.value.pass }},{{ item.key }},{{ item.value.role }}'
+  with_dict: "{{ kube_users }}"
+  notify:
+    - restart apiserver
+
+- name: Enable apiserver
+  service:
+    name: kube-apiserver
+    enabled: yes
+    state: started
+
+- name: Enable controller-manager
+  service:
+    name: kube-controller-manager
+    enabled: yes
+    state: started
+
+- name: Enable scheduler
+  service:
+    name: kube-scheduler
+    enabled: yes
+    state: started
+
+- name: Enable kube-proxy
+  service:
+    name: kube-proxy
+    enabled: yes
+    state: started
@@ -0,0 +1,34 @@
+---
+- name: Write kube-apiserver systemd init file
+  template: src=systemd-init/kube-apiserver.service.j2 dest=/etc/systemd/system/kube-apiserver.service
+  notify: restart daemons
+
+- name: Write kube-controller-manager systemd init file
+  template: src=systemd-init/kube-controller-manager.service.j2 dest=/etc/systemd/system/kube-controller-manager.service
+  notify: restart daemons
+
+- name: Write kube-scheduler systemd init file
+  template: src=systemd-init/kube-scheduler.service.j2 dest=/etc/systemd/system/kube-scheduler.service
+  notify: restart daemons
+
+- name: Write kube-proxy systemd init file
+  template: src=systemd-init/kube-proxy.service.j2 dest=/etc/systemd/system/kube-proxy.service
+  notify: restart daemons
+
+- name: Install kubernetes binaries
+  copy: 
+     src={{ local_release_dir }}/kubernetes/bin/{{ item }}
+     dest={{ bin_dir }}
+     owner=kube
+     mode=u+x
+  with_items:
+    - kube-apiserver
+    - kube-controller-manager 
+    - kube-scheduler
+    - kube-proxy
+    - kubectl
+  notify:
+    - restart daemons
+
+- name: Allow apiserver to bind on both secure and insecure ports
+  shell: setcap cap_net_bind_service+ep {{ bin_dir }}/kube-apiserver
@@ -0,0 +1,3 @@
+---
+- include: install.yml
+- include: config.yml
@@ -0,0 +1,25 @@
+###
+# kubernetes system config
+#
+# The following values are used to configure the kube-apiserver
+#
+
+# The address on the local server to listen to.
+KUBE_API_ADDRESS="--insecure-bind-address=0.0.0.0"
+
+# The port on the local server to listen on.
+KUBE_API_PORT="--insecure-port=8080 --secure-port={{ kube_master_port }}"
+
+# KUBELET_PORT="--kubelet_port=10250"
+
+# Address range to use for services
+KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range={{ kube_service_addresses }}"
+
+# Location of the etcd cluster
+KUBE_ETCD_SERVERS="--etcd_servers={% for node in groups['etcd'] %}http://{{ node }}:2379{% if not loop.last %},{% endif %}{% endfor %}"
+
+# default admission control policies
+KUBE_ADMISSION_CONTROL="--admission_control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota"
+
+# Add you own!
+KUBE_API_ARGS="--tls_cert_file={{ kube_cert_dir }}/server.crt --tls_private_key_file={{ kube_cert_dir }}/server.key --client_ca_file={{ kube_cert_dir }}/ca.crt --token_auth_file={{ kube_token_dir }}/known_tokens.csv --basic-auth-file={{ kube_users_dir }}/known_users.csv --service_account_key_file={{ kube_cert_dir }}/server.crt"
@@ -0,0 +1,6 @@
+###
+# The following values are used to configure the kubernetes controller-manager
+
+# defaults from config and apiserver should be adequate
+
+KUBE_CONTROLLER_MANAGER_ARGS="--kubeconfig={{ kube_config_dir }}/controller-manager.kubeconfig --service_account_private_key_file={{ kube_cert_dir }}/server.key --root_ca_file={{ kube_cert_dir }}/ca.crt"
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Config
+current-context: controller-manager-to-{{ cluster_name }}
+preferences: {}
+clusters:
+- cluster:
+    certificate-authority: {{ kube_cert_dir }}/ca.crt
+    server: https://{{ groups['kube-master'][0] }}:{{ kube_master_port }}
+  name: {{ cluster_name }}
+contexts:
+- context:
+    cluster: {{ cluster_name }}
+    user: controller-manager
+  name: controller-manager-to-{{ cluster_name }}
+users:
+- name: controller-manager
+  user:
+    token: {{ controller_manager_token }}
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Config
+current-context: kubectl-to-{{ cluster_name }}
+preferences: {}
+clusters:
+- cluster:
+    certificate-authority-data: {{ kube_ca_cert|b64encode }}
+    server: https://{{ groups['kube-master'][0] }}:{{ kube_master_port }}
+  name: {{ cluster_name }}
+contexts:
+- context:
+    cluster: {{ cluster_name }}
+    user: kubectl
+  name: kubectl-to-{{ cluster_name }}
+users:
+- name: kubectl
+  user:
+    token: {{ kubectl_token }}
@@ -0,0 +1,7 @@
+###
+# kubernetes proxy config
+
+# default config should be adequate
+
+# Add your own!
+KUBE_PROXY_ARGS="--kubeconfig={{ kube_config_dir }}/proxy.kubeconfig"
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Config
+current-context: proxy-to-{{ cluster_name }}
+preferences: {}
+contexts:
+- context:
+    cluster: {{ cluster_name }}
+    user: proxy
+  name: proxy-to-{{ cluster_name }}
+clusters:
+- cluster:
+    certificate-authority: {{ kube_cert_dir }}/ca.crt
+    server: http://{{ groups['kube-master'][0] }}:8080
+  name: {{ cluster_name }}
+users:
+- name: proxy
+  user:
+    token: {{ proxy_token }}
@@ -0,0 +1,7 @@
+###
+# kubernetes scheduler config
+
+# default config should be adequate
+
+# Add your own!
+KUBE_SCHEDULER_ARGS="--kubeconfig={{ kube_config_dir }}/scheduler.kubeconfig"
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Config
+current-context: scheduler-to-{{ cluster_name }}
+preferences: {}
+clusters:
+- cluster:
+    certificate-authority: {{ kube_cert_dir }}/ca.crt
+    server: https://{{ groups['kube-master'][0] }}:{{ kube_master_port }}
+  name: {{ cluster_name }}
+contexts:
+- context:
+    cluster: {{ cluster_name }}
+    user: scheduler
+  name: scheduler-to-{{ cluster_name }}
+users:
+- name: scheduler
+  user:
+    token: {{ scheduler_token }}
@@ -0,0 +1,28 @@
+[Unit]
+Description=Kubernetes API Server
+Documentation=https://github.com/GoogleCloudPlatform/kubernetes
+Requires=etcd2.service
+After=etcd2.service
+
+[Service]
+EnvironmentFile=/etc/network-environment
+EnvironmentFile=-/etc/kubernetes/config
+EnvironmentFile=-/etc/kubernetes/apiserver
+User=kube
+ExecStart={{ bin_dir }}/kube-apiserver \
+	    $KUBE_LOGTOSTDERR \
+	    $KUBE_LOG_LEVEL \
+	    $KUBE_ETCD_SERVERS \
+	    $KUBE_API_ADDRESS \
+	    $KUBE_API_PORT \
+	    $KUBELET_PORT \
+	    $KUBE_ALLOW_PRIV \
+	    $KUBE_SERVICE_ADDRESSES \
+	    $KUBE_ADMISSION_CONTROL \
+	    $KUBE_API_ARGS
+Restart=on-failure
+Type=notify
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target
@@ -0,0 +1,20 @@
+[Unit]
+Description=Kubernetes Controller Manager
+Documentation=https://github.com/GoogleCloudPlatform/kubernetes
+Requires=etcd2.service
+After=etcd2.service
+
+[Service]
+EnvironmentFile=-/etc/kubernetes/config
+EnvironmentFile=-/etc/kubernetes/controller-manager
+User=kube
+ExecStart={{ bin_dir }}/kube-controller-manager \
+	    $KUBE_LOGTOSTDERR \
+	    $KUBE_LOG_LEVEL \
+	    $KUBE_MASTER \
+	    $KUBE_CONTROLLER_MANAGER_ARGS
+Restart=on-failure
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target
@@ -0,0 +1,21 @@
+[Unit]
+Description=Kubernetes Kube-Proxy Server
+Documentation=https://github.com/GoogleCloudPlatform/kubernetes
+{% if overlay_network_plugin|default('') %}
+After=docker.service calico-node.service
+{% else %}
+After=docker.service
+{% endif %}
+
+[Service]
+EnvironmentFile=/etc/network-environment
+ExecStart={{ bin_dir }}/kube-proxy \
+	    $KUBE_LOGTOSTDERR \
+	    $KUBE_LOG_LEVEL \
+	    $KUBE_MASTER \
+	    $KUBE_PROXY_ARGS
+Restart=on-failure
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target
@@ -0,0 +1,20 @@
+[Unit]
+Description=Kubernetes Scheduler Plugin
+Documentation=https://github.com/GoogleCloudPlatform/kubernetes
+Requires=etcd2.service
+After=etcd2.service
+
+[Service]
+EnvironmentFile=-/etc/kubernetes/config
+EnvironmentFile=-/etc/kubernetes/scheduler
+User=kube
+ExecStart={{ bin_dir }}/kube-scheduler \
+	    $KUBE_LOGTOSTDERR \
+	    $KUBE_LOG_LEVEL \
+	    $KUBE_MASTER \
+	    $KUBE_SCHEDULER_ARGS
+Restart=on-failure
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target
@@ -0,0 +1,19 @@
+---
+- name: restart daemons
+  command: /bin/true
+  notify:
+    - restart kubelet
+    - restart proxy
+
+- name: restart kubelet
+  service:
+    name: kubelet
+    state: restarted
+
+- name: restart proxy
+  service:
+    name: kube-proxy
+    state: restarted
+
+- name: reload systemd
+  command: systemctl daemon-reload
@@ -0,0 +1,3 @@
+---
+dependencies:
+  - { role: kubernetes/common }
@@ -0,0 +1,55 @@
+---
+- name: Get the node token values
+  slurp:
+    src: "{{ kube_token_dir }}/{{ item }}-{{ inventory_hostname }}.token"
+  with_items:
+    - "system:kubelet"
+    - "system:proxy"
+  register: tokens
+  run_once: true
+  delegate_to: "{{ groups['kube-master'][0] }}"
+
+- name: Set token facts
+  set_fact:
+    kubelet_token: "{{ tokens.results[0].content|b64decode }}"
+    proxy_token: "{{ tokens.results[1].content|b64decode }}"
+
+- name: Create kubelet environment vars dir
+  file: path=/etc/systemd/system/kubelet.service.d state=directory
+
+- name: Write kubelet config file
+  template: src=kubelet.j2 dest=/etc/systemd/system/kubelet.service.d/10-kubelet.conf
+  notify:
+    - reload systemd
+    - restart kubelet
+
+- name: write the kubecfg (auth) file for kubelet
+  template: src=kubelet.kubeconfig.j2 dest={{ kube_config_dir }}/kubelet.kubeconfig
+  notify:
+    - restart kubelet
+
+- name: Create proxy environment vars dir
+  file: path=/etc/systemd/system/kube-proxy.service.d state=directory
+
+- name: Write proxy config file
+  template: src=proxy.j2 dest=/etc/systemd/system/kube-proxy.service.d/10-proxy-cluster.conf
+  notify:
+    - reload systemd
+    - restart proxy
+
+- name: write the kubecfg (auth) file for kube-proxy
+  template: src=proxy.kubeconfig.j2 dest={{ kube_config_dir }}/proxy.kubeconfig
+  notify:
+    - restart proxy
+
+- name: Enable kubelet
+  service:
+    name: kubelet
+    enabled: yes
+    state: started
+
+- name: Enable proxy
+  service:
+    name: kube-proxy
+    enabled: yes
+    state: started
@@ -0,0 +1,20 @@
+---
+- name: Write kube-proxy systemd init file
+  template: src=systemd-init/kube-proxy.service.j2 dest=/etc/systemd/system/kube-proxy.service
+  notify: restart daemons
+
+- name: Write kubelet systemd init file
+  template: src=systemd-init/kubelet.service.j2 dest=/etc/systemd/system/kubelet.service
+  notify: restart daemons
+
+- name: Install kubernetes binaries
+  copy: 
+     src={{ local_release_dir }}/kubernetes/bin/{{ item }}
+     dest={{ bin_dir }}
+     owner=kube
+     mode=u+x
+  with_items:
+    - kube-proxy
+    - kubelet
+  notify:
+    - restart daemons
@@ -0,0 +1,4 @@
+---
+- include: install.yml
+- include: config.yml
+- include: temp_workaround.yml
@@ -0,0 +1,5 @@
+- name: Warning Temporary workaround !!! Disable kubelet and kube-proxy on node startup
+  service: name={{ item }} enabled=no
+  with_items:
+    - kubelet
+    - kube-proxy
@@ -0,0 +1,21 @@
+[Service]
+Environment="KUBE_LOGTOSTDERR=--logtostderr=true"
+Environment="KUBE_LOG_LEVEL=--v=0"
+Environment="KUBE_ALLOW_PRIV=--allow_privileged=true"
+Environment="KUBE_MASTER=--master=https://{{ groups['kube-master'][0] }}:{{ kube_master_port }}"
+# The address for the info server to serve on (set to 0.0.0.0 or "" for all interfaces)
+Environment="KUBELET_ADDRESS=--address=0.0.0.0"
+# The port for the info server to serve on
+# Environment="KUBELET_PORT=--port=10250"
+# You may leave this blank to use the actual hostname
+Environment="KUBELET_HOSTNAME=--hostname_override={{ inventory_hostname }}"
+# location of the api-server
+Environment="KUBELET_API_SERVER=--api_servers=https://{{ groups['kube-master'][0]}}:{{ kube_master_port }}"
+{% if dns_setup %}
+Environment="KUBELET_ARGS=--cluster_dns={{ dns_server }} --cluster_domain={{ dns_domain }} --kubeconfig={{ kube_config_dir}}/kubelet.kubeconfig --config={{ kube_manifest_dir }}"
+{% else %}
+Environment="KUBELET_ARGS=--kubeconfig={{ kube_config_dir}}/kubelet.kubeconfig --config={{ kube_manifest_dir }}"
+{% endif %}
+{% if overlay_network_plugin|default('') %}
+Environment="KUBELET_NETWORK_PLUGIN=--network_plugin={{ overlay_network_plugin }}"
+{% endif %}
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Config
+current-context: kubelet-to-{{ cluster_name }}
+preferences: {}
+clusters:
+- cluster:
+    certificate-authority: {{ kube_cert_dir }}/ca.crt
+    server: https://{{ groups['kube-master'][0] }}:443
+  name: {{ cluster_name }}
+contexts:
+- context:
+    cluster: {{ cluster_name }}
+    user: kubelet
+  name: kubelet-to-{{ cluster_name }}
+users:
+- name: kubelet
+  user:
+    token: {{ kubelet_token }}
@@ -0,0 +1,6 @@
+###
+# kubernetes proxy config
+
+# default config should be adequate
+[Service]
+Environment="KUBE_PROXY_ARGS=--kubeconfig={{ kube_config_dir }}/proxy.kubeconfig"
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Config
+current-context: proxy-to-{{ cluster_name }}
+preferences: {}
+contexts:
+- context:
+    cluster: {{ cluster_name }}
+    user: proxy
+  name: proxy-to-{{ cluster_name }}
+clusters:
+- cluster:
+    certificate-authority: {{ kube_cert_dir }}/ca.crt
+    server: https://{{ groups['kube-master'][0] }}:{{ kube_master_port }}
+  name: {{ cluster_name }}
+users:
+- name: proxy
+  user:
+    token: {{ proxy_token }}
@@ -0,0 +1,21 @@
+[Unit]
+Description=Kubernetes Kube-Proxy Server
+Documentation=https://github.com/GoogleCloudPlatform/kubernetes
+{% if overlay_network_plugin|default('') %}
+After=docker.service calico-node.service
+{% else %}
+After=docker.service
+{% endif %}
+
+[Service]
+EnvironmentFile=/etc/network-environment
+ExecStart={{ bin_dir }}/kube-proxy \
+	    $KUBE_LOGTOSTDERR \
+	    $KUBE_LOG_LEVEL \
+	    $KUBE_MASTER \
+	    $KUBE_PROXY_ARGS
+Restart=on-failure
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target
@@ -0,0 +1,26 @@
+[Unit]
+Description=Kubernetes Kubelet Server
+Documentation=https://github.com/GoogleCloudPlatform/kubernetes
+{% if overlay_network_plugin|default('') %}
+After=docker.service calico-node.service
+{% else %}
+After=docker.service
+{% endif %}
+
+[Service]
+#WorkingDirectory=/var/lib/kubelet
+EnvironmentFile=/etc/network-environment
+ExecStart={{ bin_dir }}/kubelet \
+	    $KUBE_LOGTOSTDERR \
+	    $KUBE_LOG_LEVEL \
+	    $KUBELET_API_SERVER \
+	    $KUBELET_ADDRESS \
+	    $KUBELET_PORT \
+	    $KUBELET_HOSTNAME \
+	    $KUBE_ALLOW_PRIV \
+	    $KUBELET_ARGS \
+	    $KUBELET_NETWORK_PLUGIN
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
@@ -0,0 +1,28 @@
+---
+- name: restart calico-node
+  service: name=calico-node state=restarted
+
+- name: restart docker
+  service: name=docker state=restarted
+
+- name: restart flannel
+  service: name=flannel state=restarted
+  notify:
+    - reload systemd
+    - stop docker
+    - delete docker0
+    - start docker
+  when: inventory_hostname in groups['kube-node']
+
+- name: stop docker
+  service: name=docker state=stopped
+
+- name: delete docker0
+  command: ip link delete docker0
+  ignore_errors: yes
+
+- name: start docker
+  service: name=docker state=started
+
+- name : reload systemd
+  shell: systemctl daemon-reload
@@ -0,0 +1,46 @@
+---
+- name: Calico | Install calicoctl bin
+  copy: 
+     src={{ local_release_dir }}/calico/bin/calicoctl
+     dest={{ bin_dir }}
+     mode=u+x
+  notify: restart calico-node
+
+- name: Calico | Create calicoctl symlink (needed by kubelet)
+  file: src=/usr/local/bin/calicoctl dest=/usr/bin/calicoctl state=link
+
+- name: Calico | Write calico-node systemd init file
+  template: src=calico/calico-node.service.j2 dest=/etc/systemd/system/calico-node.service
+  notify: 
+    - reload systemd
+    - restart calico-node
+
+- name: Calico | Write network-environment
+  template: src=calico/network-environment.j2 dest=/etc/network-environment mode=u+x
+  notify: 
+    - reload systemd
+    - restart calico-node
+
+- name: Calico | Enable calico-node
+  service: name=calico-node enabled=yes state=started
+
+- name: Calico | Configure calico-node remove default pool
+  shell: calicoctl pool remove 192.168.0.0/16
+  environment: 
+     ETCD_AUTHORITY: "{{ groups['kube-master'][0] }}:4001"
+  run_once: true
+
+- name: Calico | Configure calico-node desired pool
+  shell: calicoctl pool add {{ overlay_network_subnet }}
+  environment: 
+     ETCD_AUTHORITY: "{{ groups['kube-master'][0] }}:4001"
+  run_once: true
+
+- name: Calico | Disable node mesh
+  shell: calicoctl bgp node-mesh off
+  when: peer_with_router and inventory_hostname in groups['kube-node']
+
+- name: Calico | Configure peering with router(s)
+  shell: calicoctl node bgp peer add {{ item.router_id }} as {{ item.as }}
+  with_items: peers
+  when: peer_with_router and inventory_hostname in groups['kube-node']
@@ -0,0 +1,57 @@
+---
+- name: Create flannel user
+  user: name=flannel shell=/bin/nologin
+
+- name: Install flannel binaries
+  copy: 
+     src={{ local_release_dir }}/flannel/bin/flanneld
+     dest={{ bin_dir }}
+     owner=flannel
+     mode=u+x
+  notify:
+    - restart flannel
+
+- name: Write flannel.service systemd file
+  template:
+    src: flannel/systemd-flannel.service.j2
+    dest: /etc/systemd/system/flannel.service
+  notify: restart flannel
+
+- name: Write docker.service systemd file
+  template:
+    src: flannel/systemd-docker.service.j2
+    dest: /lib/systemd/system/docker.service
+  notify: restart docker
+
+- name: Set fact for ectcd command conf file location
+  set_fact:
+    conf_file: "/tmp/flannel-conf.json"
+  run_once: true
+  delegate_to: "{{ groups['kube-master'][0] }}"
+
+- name: Create flannel config file to go in etcd
+  template: src=flannel/flannel-conf.json.j2 dest={{ conf_file }}
+  run_once: true
+  delegate_to: "{{ groups['kube-master'][0] }}"
+
+- name: Flannel configuration into etcd
+  shell: "{{ bin_dir }}/etcdctl set /{{ cluster_name }}/network/config < {{ conf_file }}"
+  delegate_to: "{{ groups['kube-master'][0] }}"
+  notify: restart flannel
+
+- name: Clean up the flannel config file
+  file: path=/tmp/flannel-config.json state=absent
+  run_once: true
+  delegate_to: "{{ groups['kube-master'][0] }}"
+
+- name: Write network-environment
+  template: src=flannel/network-environment.j2 dest=/etc/network-environment mode=u+x
+  notify: restart flannel
+
+- name: Launch Flannel
+  service: name=flannel state=started enabled=yes
+  notify:
+    - restart flannel
+
+- name: Enable Docker
+  service: name=docker enabled=yes state=started
@@ -0,0 +1,13 @@
+---
+- name: "Test if overlay network is defined"
+  fail: msg="ERROR, One overlay_network variable must be defined (Flannel or Calico)"
+  when: ( overlay_network_plugin is defined and overlay_network_plugin == "calico" and overlay_network_plugin == "flannel" ) or
+        overlay_network_plugin is not defined 
+
+- include: flannel.yml
+  when: overlay_network_plugin == "flannel"
+- include: calico.yml
+  when: overlay_network_plugin == "calico"
+
+- meta: flush_handlers
+
@@ -0,0 +1,23 @@
+[Unit]
+Description=calicoctl node
+After=etcd2.service
+
+[Service]
+EnvironmentFile=/etc/network-environment
+User=root
+PermissionsStartOnly=true
+ExecStartPre={{ bin_dir }}/calicoctl checksystem --fix
+{% if inventory_hostname in groups['kube-node'] %}
+{%    if peer_with_router %}
+ExecStart={{ bin_dir }}/calicoctl node --ip=${DEFAULT_IPV4} --as={{ local_as }} --kubernetes
+{%     else %}
+ExecStart={{ bin_dir }}/calicoctl node --ip=${DEFAULT_IPV4} --kubernetes
+{%     endif %}
+{% else %}
+ExecStart={{ bin_dir }}/calicoctl node --ip=${DEFAULT_IPV4}
+{% endif %}
+RemainAfterExit=yes
+Type=oneshot
+
+[Install]
+WantedBy=multi-user.target
@@ -0,0 +1,19 @@
+#! /usr/bin/bash
+# This node's IPv4 address
+CALICO_IPAM=true
+DEFAULT_IPV4={{ ansible_default_ipv4.address }}
+
+{% if inventory_hostname in groups['kube-node'] %}
+# The kubernetes master IP
+KUBERNETES_MASTER={{ groups['kube-master'][0] }}
+
+# Location of etcd cluster used by Calico.  By default, this uses the etcd
+# instance running on the Kubernetes Master
+ETCD_AUTHORITY={{ groups['kube-master'][0] }}:4001
+
+# The kubernetes-apiserver location - used by the calico plugin
+KUBE_API_ROOT=http://{{ groups['kube-master'][0] }}:8080/api/v1/
+
+# Location of the calicoctl binary - used by the calico plugin
+CALICOCTL_PATH="{{ bin_dir }}/calicoctl"
+{% endif %}
@@ -0,0 +1 @@
+{ "Network": "{{ kube_service_addresses }}", "SubnetLen": {{ overlay_network_host_prefix }}, "Backend": { "Type": "vxlan" } }
@@ -0,0 +1 @@
+FLANNEL_ETCD_PREFIX="--etcd-prefix=/{{ cluster_name }}/network"
@@ -0,0 +1,17 @@
+[Unit]
+Description=Docker Application Container Engine
+Documentation=http://docs.docker.com
+After=network.target docker.socket flannel.service
+Requires=docker.socket
+
+[Service]
+EnvironmentFile=/run/flannel/subnet.env
+EnvironmentFile=-/etc/default/docker
+ExecStart=/usr/bin/docker -d -H fd:// --bip=${FLANNEL_SUBNET} --mtu=${FLANNEL_MTU} $DOCKER_OPTS
+MountFlags=slave
+LimitNOFILE=1048576
+LimitNPROC=1048576
+LimitCORE=infinity
+
+[Install]
+WantedBy=multi-user.target
@@ -0,0 +1,12 @@
+[Unit]
+Description=Flannel Network Overlay
+Documentation=https://coreos.com/flannel/docs/latest
+
+[Service]
+EnvironmentFile=/etc/network-environment
+ExecStart={{ bin_dir }}/flanneld \
+       $FLANNEL_ETCD_PREFIX
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Smaine Kahlouch	78e67aea8f	update readme	2015-10-18 22:21:08 +02:00
Smaine Kahlouch	3427119577	adding submodules again	2015-10-18 22:10:30 +02:00
Smaine Kahlouch	73084a8377	remove apps directories	2015-10-18 21:41:19 +02:00
Smaine Kahlouch	058ccea9bc	Merge pull request #6 from ansibl8s/calico_bgp_peering_opt Calico bgp peering opt	2015-10-18 16:25:03 +02:00
Smaine Kahlouch	5d61661850	renaming role k8s-skydns to k8s-kubedns	2015-10-18 16:23:01 +02:00
Smaine Kahlouch	42613eac91	uncomment all.yml variables	2015-10-18 11:29:02 +02:00
Smaine Kahlouch	af5e35e938	Configure bgp peering with border routers of dc	2015-10-15 09:40:02 +02:00
Smaine Kahlouch	f1647d621e	update submodules	2015-10-14 17:38:40 +02:00
Smaine Kahlouch	fb13b42db9	add postgres submodule	2015-10-14 13:30:17 +02:00
Smaine Kahlouch	72096c8b1b	add submodules	2015-10-14 12:01:40 +02:00
Smaine Kahlouch	bc507dfb82	missing ansible-galaxy command in the README	2015-10-14 11:47:12 +02:00
Smaine Kahlouch	fec609053c	use ansible-galaxy	2015-10-14 11:42:45 +02:00
Smaine Kahlouch	6183a4d3b1	dns vars for skydns submodule	2015-10-13 17:12:59 +02:00
Smaine Kahlouch	481d16d5ad	tag 'apps'	2015-10-12 17:31:04 +02:00
Smaine Kahlouch	347bc4a79c	remove fluentd configuration on nodes	2015-10-12 17:28:17 +02:00
Smaine Kahlouch	6646cd5cef	Remove addons vars	2015-10-12 16:07:45 +02:00
Smaine Kahlouch	9c1f722f8d	Fix common directory	2015-10-12 14:26:55 +02:00
Smaine Kahlouch	c105e20ac9	Role common required	2015-10-12 14:13:53 +02:00
Smaine Kahlouch	744b0be2ac	Comment additionnal addons in playbook	2015-10-12 13:17:40 +02:00
Smaine Kahlouch	4281506322	moving apps submodules to the directory roles/apps	2015-10-12 13:12:29 +02:00
Smaine Kahlouch	f9395f7259	add submodule postgres	2015-10-12 13:06:41 +02:00
Smaine Kahlouch	5fbfee593d	Procedure for addons installation	2015-10-11 09:48:58 +02:00
Smaine Kahlouch	9c1543c3db	tag v1.0 for skydns	2015-10-10 22:07:27 +02:00
Smaine Kahlouch	a5849938d4	add submodule skydns	2015-10-10 21:52:47 +02:00
Smaine Kahlouch	ca977d7681	tag version v1.0 of kube-ui	2015-10-08 16:19:08 +02:00
Smaine Kahlouch	c811a0b193	submodules via https	2015-10-08 14:06:43 +02:00
Smaine Kahlouch	7841d4d3c9	Add submodule/role kube-ui	2015-10-08 14:01:25 +02:00
Antoine Legrand	4a9a682a24	remove library as it is already included in k8s-common	2015-10-08 11:00:35 +02:00
Antoine Legrand	e46adbca8a	Add submodules	2015-10-08 10:58:29 +02:00
Smaine Kahlouch	b35288e6b5	Docker garbage collection is already managed by kubelet daemon, README	2015-10-08 09:22:34 +02:00
Smaine Kahlouch	6b798d87d1	Docker garbage collection is already managed by kubelet daemon	2015-10-08 09:21:49 +02:00
Antoine Legrand	4ee8bd2e0f	Add kube submodule	2015-10-07 17:32:52 +02:00
Smaine Kahlouch	fa60d0e67b	Fix errors on README	2015-10-06 10:43:35 +02:00
Smaine Kahlouch	6b6a5ceeae	docker-gc executable cron task	2015-10-05 14:22:36 +02:00
Smaine Kahlouch	67be137e01	move fabric8 addon to 'default' namespace	2015-10-05 12:01:48 +02:00
Smaine Kahlouch	5ba39f5176	add docker version to readme	2015-10-05 11:30:34 +02:00
Smaine Kahlouch	c26d2e17cd	Addon Fabric8	2015-10-05 11:27:13 +02:00
Smaine Kahlouch	488da0749d	README.md v 4	2015-10-04 21:59:09 +02:00
Smaine Kahlouch	606267b7df	README.md v 3	2015-10-04 21:38:34 +02:00
Smaine Kahlouch	a37273b422	README.md v 2	2015-10-04 21:25:09 +02:00
Smaine Kahlouch	e74ad80fe4	Readme v2	2015-10-04 10:55:52 +02:00
Smaine Kahlouch	89a25fa3fa	Readme, first ver	2015-10-03 22:49:48 +02:00
Smaine Kahlouch	00c562828f	Initial commit	2015-10-03 22:19:50 +02:00
Smana	4aa588e481	Initial commit	2015-10-03 22:18:11 +02:00
				`@@ -0,0 +1 @@`
				`deb https://apt.dockerproject.org/repo debian-{{ ansible_distribution_release }} main`
				`@@ -0,0 +1 @@`
				`{ "Network": "{{ kube_service_addresses }}", "SubnetLen": {{ overlay_network_host_prefix }}, "Backend": { "Type": "vxlan" } }`
				`@@ -0,0 +1 @@`
				`FLANNEL_ETCD_PREFIX="--etcd-prefix=/{{ cluster_name }}/network"`