diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md
new file mode 100644
index 0000000000000000000000000000000000000000..b82daadde7ab0f7712c0965a57a07ac341301d54
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE.md
@@ -0,0 +1,47 @@
+<!-- Thanks for filing an issue! Before hitting the button, please answer these questions.-->
+
+**Is this a BUG REPORT or FEATURE REQUEST?** (choose one):
+
+<!--
+If this is a BUG REPORT, please:
+ - Fill in as much of the template below as you can. If you leave out
+ information, we can't help you as well.
+
+If this is a FEATURE REQUEST, please:
+ - Describe *in detail* the feature/behavior/change you'd like to see.
+
+In both cases, be ready for followup questions, and please respond in a timely
+manner. If we can't reproduce a bug or think a feature already exists, we
+might close your issue. If we're wrong, PLEASE feel free to reopen it and
+explain why.
+-->
+
+**Environment**:
+- **Cloud provider or hardware configuration:**
+
+- **OS (`printf "$(uname -srm)\n$(cat /etc/os-release)\n"`):**
+
+- **Version of Ansible** (`ansible --version`):
+
+
+**Kargo version (commit) (`git rev-parse --short HEAD`):**
+
+
+**Network plugin used**:
+
+
+**Copy of your inventory file:**
+
+
+**Command used to invoke ansible**:
+
+
+**Output of ansible run**:
+<!-- We recommend using snippets services like https://gist.github.com/ etc. -->
+
+**Anything else do we need to know**:
+<!-- By running scripts/collect-info.yaml you can get a lot of useful informations.
+Script can be started by:
+ansible-playbook -i <inventory_file_path> -u <ssh_user> -e ansible_ssh_user=<ssh_user> -b --become-user=root -e dir=`pwd` scripts/collect-info.yaml
+(If you using CoreOS remember to add '-e ansible_python_interpreter=/opt/bin/python').
+After running this command you can find logs in `pwd`/logs.tar.gz. You can even upload somewhere entire file and paste link here.-->
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index feb84e4b4ff38f834fd08c47912f567bed8124d0..cc86762aeaaa0be9392d3927851b1e3227195435 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -51,7 +51,8 @@ before_script:
LOG_LEVEL: "-vv"
ETCD_DEPLOYMENT: "docker"
KUBELET_DEPLOYMENT: "docker"
-
+ MAGIC: "ci check this"
+
.gce: &gce
<<: *job
<<: *docker_service
@@ -215,7 +216,7 @@ before_script:
ETCD_DEPLOYMENT: rkt
KUBELET_DEPLOYMENT: rkt
-# Builds for PRs only (auto) and triggers (auto)
+# Builds for PRs only (premoderated by unit-tests step) and triggers (auto)
coreos-calico-sep:
stage: deploy-gce-part1
<<: *job
@@ -429,12 +430,16 @@ ubuntu-rkt-sep:
except: ['triggers']
only: ['master', /^pr-.*$/]
+# Premoderated with manual actions
syntax-check:
<<: *job
stage: unit-tests
+ before_script:
+ - apt-get -y install jq
script:
- ansible-playbook -i inventory/local-tests.cfg -u root -e ansible_ssh_user=root -b --become-user=root cluster.yml -vvv --syntax-check
- except: ['triggers']
+ - /bin/sh scripts/premoderator.sh
+ except: ['triggers', 'master']
tox-inventory-builder:
stage: unit-tests
@@ -443,4 +448,4 @@ tox-inventory-builder:
- pip install tox
- cd contrib/inventory_builder && tox
when: manual
- except: ['triggers']
+ except: ['triggers', 'master']
diff --git a/roles/kubernetes-apps/ansible/defaults/main.yml b/roles/kubernetes-apps/ansible/defaults/main.yml
index 90a5702bbe289fd78fb70846d9450c7a0a08257d..0a4319baa6ad25725ec989e2dd6aefc4ba882214 100644
--- a/roles/kubernetes-apps/ansible/defaults/main.yml
+++ b/roles/kubernetes-apps/ansible/defaults/main.yml
@@ -51,3 +51,5 @@ netchecker_kubectl_memory_requests: 64M
# SSL
etcd_cert_dir: "/etc/ssl/etcd/ssl"
+calico_cert_dir: "/etc/calico/certs"
+canal_cert_dir: "/etc/canal/certs"
diff --git a/roles/kubernetes-apps/ansible/tasks/calico-policy-controller.yml b/roles/kubernetes-apps/ansible/tasks/calico-policy-controller.yml
index a3915f9ba53987d4f3d04987e61d593e2dd35284..447fb719f89f2eda1a9d1db72c34fe3a4661d6c8 100644
--- a/roles/kubernetes-apps/ansible/tasks/calico-policy-controller.yml
+++ b/roles/kubernetes-apps/ansible/tasks/calico-policy-controller.yml
@@ -1,8 +1,13 @@
+---
+- set_fact:
+ calico_cert_dir: "{{ canal_cert_dir }}"
+ when: kube_network_plugin == 'canal'
+ tags: facts
+
- name: Write calico-policy-controller yaml
template: src=calico-policy-controller.yml.j2 dest={{kube_config_dir}}/calico-policy-controller.yml
when: inventory_hostname == groups['kube-master'][0]
-
- name: Start of Calico policy controller
kube:
name: "calico-policy-controller"
diff --git a/roles/kubernetes-apps/ansible/templates/calico-policy-controller.yml.j2 b/roles/kubernetes-apps/ansible/templates/calico-policy-controller.yml.j2
index c92328f15f08f8aa8b5f3157a6f0fc90fd16e6e1..06bb78b7c19d063010fcfde9cfad0852151a174c 100644
--- a/roles/kubernetes-apps/ansible/templates/calico-policy-controller.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/calico-policy-controller.yml.j2
@@ -36,11 +36,11 @@ spec:
- name: ETCD_ENDPOINTS
value: "{{ etcd_access_endpoint }}"
- name: ETCD_CA_CERT_FILE
- value: "{{ etcd_cert_dir }}/ca.pem"
+ value: "{{ calico_cert_dir }}/ca_cert.crt"
- name: ETCD_CERT_FILE
- value: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
+ value: "{{ calico_cert_dir }}/cert.crt"
- name: ETCD_KEY_FILE
- value: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
+ value: "{{ calico_cert_dir }}/key.pem"
# Location of the Kubernetes API - this shouldn't need to be
# changed so long as it is used in conjunction with
# CONFIGURE_ETC_HOSTS="true".
@@ -53,10 +53,10 @@ spec:
- name: CONFIGURE_ETC_HOSTS
value: "true"
volumeMounts:
- - mountPath: {{ etcd_cert_dir }}
+ - mountPath: {{ calico_cert_dir }}
name: etcd-certs
readOnly: true
volumes:
- hostPath:
- path: {{ etcd_cert_dir }}
+ path: {{ calico_cert_dir }}
name: etcd-certs
diff --git a/roles/network_plugin/calico/templates/calicoctl-container.j2 b/roles/network_plugin/calico/templates/calicoctl-container.j2
index 0ecfba0c14bd261fc4f971a53af4792092eb4518..ec8642c011e1c35f30770c9b5c5888f3532ca594 100644
--- a/roles/network_plugin/calico/templates/calicoctl-container.j2
+++ b/roles/network_plugin/calico/templates/calicoctl-container.j2
@@ -2,13 +2,13 @@
{{ docker_bin_dir }}/docker run -i --privileged --rm \
--net=host --pid=host \
-e ETCD_ENDPOINTS={{ etcd_access_endpoint }} \
--e ETCD_CA_CERT_FILE=/etc/calico/certs/ca_cert.crt \
--e ETCD_CERT_FILE=/etc/calico/certs/cert.crt \
--e ETCD_KEY_FILE=/etc/calico/certs/key.pem \
+-e ETCD_CA_CERT_FILE={{ calico_cert_dir }}/ca_cert.crt \
+-e ETCD_CERT_FILE={{ calico_cert_dir }}/cert.crt \
+-e ETCD_KEY_FILE={{ calico_cert_dir }}/key.pem \
-v {{ docker_bin_dir }}/docker:{{ docker_bin_dir }}/docker \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /var/run/calico:/var/run/calico \
--v /etc/calico/certs:/etc/calico/certs:ro \
+-v {{ calico_cert_dir }}:{{ calico_cert_dir }}:ro \
--memory={{ calicoctl_memory_limit|regex_replace('Mi', 'M') }} --cpu-shares={{ calicoctl_cpu_limit|regex_replace('m', '') }} \
{{ calicoctl_image_repo }}:{{ calicoctl_image_tag}} \
$@
diff --git a/roles/network_plugin/flannel/defaults/main.yml b/roles/network_plugin/flannel/defaults/main.yml
index b6768f1bd12c63aa64c69d6435323c32f323c942..f8be25969cc91f1c15a4dfb48defa7f90689acfb 100644
--- a/roles/network_plugin/flannel/defaults/main.yml
+++ b/roles/network_plugin/flannel/defaults/main.yml
@@ -16,3 +16,6 @@ flannel_memory_limit: 500M
flannel_cpu_limit: 300m
flannel_memory_requests: 256M
flannel_cpu_requests: 150m
+
+flannel_cert_dir: /etc/flannel/certs
+etcd_cert_dir: /etc/ssl/etcd/ssl
diff --git a/roles/network_plugin/flannel/tasks/main.yml b/roles/network_plugin/flannel/tasks/main.yml
index 47aec49d9f98873c375d05c7d1c89a45ff320349..4fb637975420587e0ade8249ba5d529309662b7e 100644
--- a/roles/network_plugin/flannel/tasks/main.yml
+++ b/roles/network_plugin/flannel/tasks/main.yml
@@ -7,6 +7,25 @@
delegate_to: "{{groups['etcd'][0]}}"
run_once: true
+- name: Flannel | Create flannel certs directory
+ file:
+ dest: "{{ flannel_cert_dir }}"
+ state: directory
+ mode: 0750
+ owner: root
+ group: root
+
+- name: Flannel | Link etcd certificates for flanneld
+ file:
+ src: "{{ etcd_cert_dir }}/{{ item.s }}"
+ dest: "{{ flannel_cert_dir }}/{{ item.d }}"
+ state: hard
+ force: yes
+ with_items:
+ - {s: "ca.pem", d: "ca_cert.crt"}
+ - {s: "node-{{ inventory_hostname }}.pem", d: "cert.crt"}
+ - {s: "node-{{ inventory_hostname }}-key.pem", d: "key.pem"}
+
- name: Flannel | Create flannel pod manifest
template:
src: flannel-pod.yml
diff --git a/roles/network_plugin/flannel/templates/flannel-pod.yml b/roles/network_plugin/flannel/templates/flannel-pod.yml
index f9b76ce5f70e6726ba9c11d128fe9472e630345d..92ecada69a8265d7b8d02416275e3b85d4ed78d3 100644
--- a/roles/network_plugin/flannel/templates/flannel-pod.yml
+++ b/roles/network_plugin/flannel/templates/flannel-pod.yml
@@ -14,7 +14,7 @@
path: "/run/flannel"
- name: "etcd-certs"
hostPath:
- path: "{{ etcd_cert_dir }}"
+ path: "{{ flannel_cert_dir }}"
containers:
- name: "flannel-container"
image: "{{ flannel_image_repo }}:{{ flannel_image_tag }}"
@@ -29,7 +29,7 @@
command:
- "/bin/sh"
- "-c"
- - "/opt/bin/flanneld -etcd-endpoints {{ etcd_access_endpoint }} -etcd-prefix /{{ cluster_name }}/network -etcd-cafile {{ etcd_cert_dir }}/ca.pem -etcd-certfile {{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem -etcd-keyfile {{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem {% if flannel_interface is defined %}-iface {{ flannel_interface }}{% endif %} {% if flannel_public_ip is defined %}-public-ip {{ flannel_public_ip }}{% endif %}"
+ - "/opt/bin/flanneld -etcd-endpoints {{ etcd_access_endpoint }} -etcd-prefix /{{ cluster_name }}/network -etcd-cafile {{ flannel_cert_dir }}/ca_cert.crt -etcd-certfile {{ flannel_cert_dir }}/cert.crt -etcd-keyfile {{ flannel_cert_dir }}/key.pem {% if flannel_interface is defined %}-iface {{ flannel_interface }}{% endif %} {% if flannel_public_ip is defined %}-public-ip {{ flannel_public_ip }}{% endif %}"
ports:
- hostPort: 10253
containerPort: 10253
@@ -37,7 +37,7 @@
- name: "subnetenv"
mountPath: "/run/flannel"
- name: "etcd-certs"
- mountPath: "{{ etcd_cert_dir }}"
+ mountPath: "{{ flannel_cert_dir }}"
readOnly: true
securityContext:
privileged: true
diff --git a/scripts/premoderator.sh b/scripts/premoderator.sh
new file mode 100644
index 0000000000000000000000000000000000000000..2e730df7bd4854e74f55babf1ef3ed4aec5bea80
--- /dev/null
+++ b/scripts/premoderator.sh
@@ -0,0 +1,15 @@
+#!/bin/sh -eux -o pipefail
+# A naive premoderation script to allow Gitlab CI pipeline on a specific PRs' comment
+# Exits with 0, if the pipeline is good to go
+
+CURL_ARGS="-fs --connect-timeout 5 --max-time 5 --retry-max-time 20 --retry 4 --retry-delay 5"
+MAGIC="${MAGIC:-ci check this}"
+
+# Get PR number from CI_BUILD_REF_NAME
+issue=$(echo ${CI_BUILD_REF_NAME} | perl -ne '/^pr-(\d+)-\S+$/ && print $1')
+# Get the user name from the PR comments with the wanted magic incantation casted
+user=$(curl ${CURL_ARGS} "https://api.github.com/repos/kubernetes-incubator/kargo/issues/${issue}/comments" \
+ | jq -M "map(select(.body | contains (\"$MAGIC\"))) | .[0] .user.login" | tr -d '"')
+# Check for the required user group membership to allow (exit 0) or decline (exit >0) the pipeline
+[ "$user" != "null" ] || exit 1
+curl ${CURL_ARGS} "https://api.github.com/orgs/kubernetes-incubator/members/${user}"