Merge pull request #107 from ansibl8s/race_condition_api_master

Slowdown apimaster restart
Use local etcd/etcdproxy for calico
2026-06-04 10:37:59 +00:00 · 2016-01-26 18:00:47 +01:00 · 2016-01-26 17:28:30 +01:00 · 2016-01-26 15:31:11 +01:00 · 2016-01-26 15:25:28 +01:00 · 2016-01-26 15:23:16 +01:00
140 changed files with 23403 additions and 910 deletions
@@ -1,2 +0,0 @@
-ssh
-nodes
@@ -0,0 +1,53 @@
+[submodule "roles/apps/k8s-kube-ui"]
+	path = roles/apps/k8s-kube-ui
+	url = https://github.com/ansibl8s/k8s-kube-ui.git
+	branch = v1.0
+[submodule "roles/apps/k8s-kubedns"]
+	path = roles/apps/k8s-kubedns
+	url = https://github.com/ansibl8s/k8s-kubedns.git
+	branch = v1.0
+[submodule "roles/apps/k8s-common"]
+	path = roles/apps/k8s-common
+	url = https://github.com/ansibl8s/k8s-common.git
+	branch = v1.0
+[submodule "roles/apps/k8s-redis"]
+	path = roles/apps/k8s-redis
+	url = https://github.com/ansibl8s/k8s-redis.git
+	branch = v1.0
+[submodule "roles/apps/k8s-elasticsearch"]
+	path = roles/apps/k8s-elasticsearch
+	url = https://github.com/ansibl8s/k8s-elasticsearch.git
+[submodule "roles/apps/k8s-fabric8"]
+	path = roles/apps/k8s-fabric8
+	url = https://github.com/ansibl8s/k8s-fabric8.git
+	branch = v1.0
+[submodule "roles/apps/k8s-memcached"]
+	path = roles/apps/k8s-memcached
+	url = https://github.com/ansibl8s/k8s-memcached.git
+	branch = v1.0
+[submodule "roles/apps/k8s-postgres"]
+	path = roles/apps/k8s-postgres
+	url = https://github.com/ansibl8s/k8s-postgres.git
+	branch = v1.0
+[submodule "roles/apps/k8s-kubedash"]
+	path = roles/apps/k8s-kubedash
+	url = https://github.com/ansibl8s/k8s-kubedash.git
+[submodule "roles/apps/k8s-heapster"]
+	path = roles/apps/k8s-heapster
+	url = https://github.com/ansibl8s/k8s-heapster.git
+[submodule "roles/apps/k8s-influxdb"]
+	path = roles/apps/k8s-influxdb
+	url = https://github.com/ansibl8s/k8s-influxdb.git
+[submodule "roles/apps/k8s-kube-logstash"]
+	path = roles/apps/k8s-kube-logstash
+	url = https://github.com/ansibl8s/k8s-kube-logstash.git
+[submodule "roles/apps/k8s-etcd"]
+	path = roles/apps/k8s-etcd
+	url = https://github.com/ansibl8s/k8s-etcd.git
+[submodule "roles/apps/k8s-rabbitmq"]
+	path = roles/apps/k8s-rabbitmq
+	url = https://github.com/ansibl8s/k8s-rabbitmq.git
+[submodule "roles/apps/k8s-pgbouncer"]
+	path = roles/apps/k8s-pgbouncer
+	url = https://github.com/ansibl8s/k8s-pgbouncer.git
+	branch = v1.0
@@ -0,0 +1,38 @@
+sudo: required
+dist: trusty
+language: python
+python: "2.7"
+
+addons:
+  hosts:
+    - node1
+
+env:
+  - SITE=cluster.yml ANSIBLE_VERSION=2.0.0
+
+install:
+  # Install Ansible.
+  - sudo -H pip install ansible==${ANSIBLE_VERSION}
+  - sudo -H pip install netaddr
+
+cache:
+  directories:
+    - $HOME/releases
+    - $HOME/.cache/pip
+
+before_script:
+  - export PATH=$PATH:/usr/local/bin
+
+script:
+  # Check the role/playbook's syntax.
+  - "sudo -H ansible-playbook -i inventory/local-tests.cfg $SITE --syntax-check"
+
+  # Run the role/playbook with ansible-playbook.
+  - "sudo -H ansible-playbook -i inventory/local-tests.cfg $SITE --connection=local"
+
+  # Run the role/playbook again, checking to make sure it's idempotent.
+  - >
+    sudo -H ansible-playbook -i inventory/local-tests.cfg $SITE --connection=local
+    | tee /dev/stderr | grep -q 'changed=0.*failed=0'
+    && (echo 'Idempotence test: pass' && exit 0)
+    || (echo 'Idempotence test: fail' && exit 1)
@@ -1,161 +1,319 @@
-vagrant-k8s
-===========
-Scripts to create libvirt lab with vagrant and prepare some stuff for `k8s` deployment with `kargo`.
+[![Build Status](https://travis-ci.org/ansibl8s/setup-kubernetes.svg)](https://travis-ci.org/ansibl8s/setup-kubernetes)
+kubernetes-ansible
+========

+This project allows to
+- Install and configure a **Multi-Master/HA kubernetes** cluster.
+- Choose the **network plugin** to be used within the cluster
+- A **set of roles** in order to install applications over the k8s cluster
+- A **flexible method** which helps to create new roles for apps.

-Requirements
------------
+Linux distributions tested:
+* **Debian** Wheezy, Jessie
+* **Ubuntu** 14.10, 15.04, 15.10
+* **Fedora** 23
+* **CentOS** 7 (Currently with flannel only)

-* `libvirt`
-* `vagrant`
-* `vagrant-libvirt` plugin (`vagrant plugin install vagrant-libvirt`)
-* `$USER` should be able to connect to libvirt (test with `virsh list --all`)
+### Requirements
+* The target servers must have **access to the Internet** in order to pull docker imaqes.
+* The firewalls are not managed, you'll need to implement your own rules the way you used to.
+in order to avoid any issue during deployment you should **disable your firewall**
+* **Copy your ssh keys** to all the servers part of your inventory.
+* **Ansible v2.x and python-netaddr**
+* Base knowledge on Ansible. Please refer to [Ansible documentation](http://www.ansible.com/how-ansible-works)

-Vargant lab preparation
-----------------------
+### Components
+* [kubernetes](https://github.com/kubernetes/kubernetes/releases) v1.1.4
+* [etcd](https://github.com/coreos/etcd/releases) v2.2.4
+* [calicoctl](https://github.com/projectcalico/calico-docker/releases) v0.14.0
+* [flanneld](https://github.com/coreos/flannel/releases) v0.5.5
+* [docker](https://www.docker.com/) v1.9.1

-* Change default IP pool for vagrant networks if you want:
+Quickstart
+-------------------------
+The following steps will quickly setup a kubernetes cluster with default configuration.
+These defaults are good for tests purposes.

-```bash
-export VAGRANT_POOL="10.100.0.0/16"
+Edit the inventory according to the number of servers
+```
+[kube-master]
+10.115.99.31
+
+[etcd]
+10.115.99.31
+10.115.99.32
+10.115.99.33
+
+[kube-node]
+10.115.99.32
+10.115.99.33
+
+[k8s-cluster:children]
+kube-node
+kube-master
 ```

-* Clone this repo
-
-```bash
-git clone https://github.com/adidenko/vagrant-k8s
-cd vagrant-k8s
+Run the playbook
+```
+ansible-playbook -i inventory/inventory.cfg cluster.yml -u root
 ```

-* Prepare the virtual lab:
+You can jump directly to "*Available apps, installation procedure*"
+
+
+Ansible
+-------------------------
+### Variables
+The main variables to change are located in the directory ```inventory/group_vars/all.yml```.
+
+### Inventory
+Below is an example of an inventory.
+Note : The bgp vars local_as and peers are not mandatory if the var **'peer_with_router'** is set to false
+By default this variable is set to false and therefore all the nodes are configure in **'node-mesh'** mode.
+In node-mesh mode the nodes peers with all the nodes in order to exchange routes.

-```bash
-vagrant up
 ```

-Deployment on a lab
-------------------
+[kube-master]
+node1 ansible_ssh_host=10.99.0.26
+node2 ansible_ssh_host=10.99.0.27

-* Login to master node and sudo to root:
+[etcd]
+node1 ansible_ssh_host=10.99.0.26
+node2 ansible_ssh_host=10.99.0.27
+node3 ansible_ssh_host=10.99.0.4

-```bash
-vagrant ssh $USER-k8s-00
-sudo su -
+[kube-node]
+node2 ansible_ssh_host=10.99.0.27
+node3 ansible_ssh_host=10.99.0.4
+node4 ansible_ssh_host=10.99.0.5
+node5 ansible_ssh_host=10.99.0.36
+node6 ansible_ssh_host=10.99.0.37
+
+[paris]
+node1 ansible_ssh_host=10.99.0.26
+node3 ansible_ssh_host=10.99.0.4 local_as=xxxxxxxx
+node4 ansible_ssh_host=10.99.0.5 local_as=xxxxxxxx
+
+[new-york]
+node2 ansible_ssh_host=10.99.0.27
+node5 ansible_ssh_host=10.99.0.36 local_as=xxxxxxxx
+node6 ansible_ssh_host=10.99.0.37 local_as=xxxxxxxx
+
+[k8s-cluster:children]
+kube-node
+kube-master
 ```

-* Clone this repo
+### Playbook
+```
+---
+
+- hosts: k8s-cluster
+  roles:
+    - { role: download, tags: download }
+    - { role: kubernetes/preinstall, tags: preinstall }
+    - { role: docker, tags: docker }
+    - { role: kubernetes/node, tags: node }
+    - { role: etcd, tags: etcd }
+    - { role: dnsmasq, tags: dnsmasq }
+    - { role: network_plugin, tags: ['calico', 'flannel', 'network'] }
+
+- hosts: kube-master
+  roles:
+    - { role: kubernetes/master, tags: master }

-```bash
-git clone https://github.com/adidenko/vagrant-k8s ~/mcp
 ```

-* Install required software and pull needed repos:
-
-```bash
-cd ~/mcp
-./bootstrap-master.sh
+### Run
+It is possible to define variables for different environments.
+For instance, in order to deploy the cluster on 'dev' environment run the following command.
+```
+ansible-playbook -i inventory/dev/inventory.cfg cluster.yml -u root
 ```

-* Check `nodes` list and make sure you have SSH access to them
+Kubernetes
+-------------------------
+### Multi master notes
+* You can choose where to install the master components. If you want your master node to act both as master (api,scheduler,controller) and node (e.g. accept workloads, create pods ...),
+the server address has to be present on both groups 'kube-master' and 'kube-node'.

-```bash
-cd ~/mcp
-cat nodes
-ansible all -m ping -i nodes_to_inv.py
+* Almost all kubernetes components are running into pods except *kubelet*. These pods are managed by kubelet which ensure they're always running
+
+* For safety reasons, you should have at least two master nodes and 3 etcd servers
+
+* Kube-proxy doesn't support multiple apiservers on startup ([Issue 18174](https://github.com/kubernetes/kubernetes/issues/18174)). An external loadbalancer needs to be configured.
+In order to do so, some variables have to be used '**loadbalancer_apiserver**' and '**apiserver_loadbalancer_domain_name**'
+
+
+### Network Overlay
+You can choose between 2 network plugins. Only one must be chosen.
+
+* **flannel**: gre/vxlan (layer 2) networking. ([official docs](https://github.com/coreos/flannel))
+
+* **calico**: bgp (layer 3) networking. ([official docs](http://docs.projectcalico.org/en/0.13/))
+
+The choice is defined with the variable '**kube_network_plugin**'
+
+### Expose a service
+There are several loadbalancing solutions.
+The one i found suitable for kubernetes are [Vulcand](http://vulcand.io/) and [Haproxy](http://www.haproxy.org/)
+
+My cluster is working with haproxy and kubernetes services are configured with the loadbalancing type '**nodePort**'.
+eg: each node opens the same tcp port and forwards the traffic to the target pod wherever it is located.
+
+Then Haproxy can be configured to request kubernetes's api in order to loadbalance on the proper tcp port on the nodes.
+
+Please refer to the proper kubernetes documentation on [Services](https://github.com/kubernetes/kubernetes/blob/release-1.0/docs/user-guide/services.md)
+
+### Check cluster status
+
+#### Kubernetes components
+
+* Check the status of the processes
+```
+systemctl status kubelet
 ```

-* Deploy k8s using kargo playbooks
-
-```bash
-cd ~/mcp
-./deploy-k8s.kargo.sh
+* Check the logs
+```
+journalctl -ae -u kubelet
 ```

-* Deploy OpenStack CCP:
-
-```bash
-cd ~/mcp
-# Build CCP images
-ansible-playbook -i nodes_to_inv.py playbooks/ccp-build.yaml
-# Deploy CCP
-ansible-playbook -i nodes_to_inv.py playbooks/ccp-deploy.yaml
+* Check the NAT rules
+```
+iptables -nLv -t nat
 ```

-* Wait for CCP deployment to complete
-
-```bash
-# On k8s master node
-# Check CCP pods, all should become running
-kubectl --namespace=openstack get pods -o wide
-
-# Check CCP jobs status, wait until all complete
-kubectl --namespace=openstack get jobs
+For the master nodes you'll have to see the docker logs for the apiserver
+```
+docker logs [apiserver docker id]
 ```

-* Check Horizon:

-```bash
-# On k8s master node check nodePort of Horizon service
-HORIZON_PORT=$(kubectl --namespace=openstack get svc/horizon -o go-template='{{(index .spec.ports 0).nodePort}}')
-echo $HORIZON_PORT
+### Available apps, installation procedure

-# Access Horizon via nodePort
-curl -i -s $ANY_K8S_NODE_IP:$HORIZON_PORT
+There are two ways of installing new apps
+
+#### Ansible galaxy
+
+Additionnal apps can be installed with ```ansible-galaxy```.
+
+ou'll need to edit the file '*requirements.yml*' in order to chose needed apps.
+The list of available apps are available [there](https://github.com/ansibl8s)
+
+For instance it is **strongly recommanded** to install a dns server which resolves kubernetes service names.
+In order to use this role you'll need the following entries in the file '*requirements.yml*'
+Please refer to the [k8s-kubedns readme](https://github.com/ansibl8s/k8s-kubedns) for additionnal info.
+```
+- src: https://github.com/ansibl8s/k8s-common.git
+  path: roles/apps
+  # version: v1.0
+
+- src: https://github.com/ansibl8s/k8s-kubedns.git
+  path: roles/apps
+  # version: v1.0
+```
+**Note**: the role common is required by all the apps and provides the tasks and libraries needed.
+
+And empty the apps directory
+```
+rm -rf roles/apps/*
 ```

-Working with kubernetes
-----------------------
-
-* Login to one of your kube-master nodes and run:
-
-```bash
-# List images in registry
-curl -s 127.0.0.1:31500/v2/_catalog | python -mjson.tool
-
-# Check CCP jobs status
-kubectl --namespace=openstack get jobs
-
-# Check CCP pods
-kubectl --namespace=openstack get pods -o wide
+Then download the roles with ansible-galaxy
+```
+ansible-galaxy install -r requirements.yml
 ```

-* Troubleshooting
-
-```bash
-# Get logs from pod
-kubectl --namespace=openstack logs $POD_NAME
-
-# Exec command from pod
-kubectl --namespace=openstack exec $POD_NAME -- cat /etc/resolv.conf
-kubectl --namespace=openstack exec $POD_NAME -- curl http://etcd-client:2379/health
-
-# Run a container
-docker run -t -i 127.0.0.1:31500/mcp/neutron-dhcp-agent /bin/bash
+Finally update the playbook ```apps.yml``` with the chosen roles, and run it
+```
+...
+- hosts: kube-master
+  roles:
+    - { role: apps/k8s-kubedns, tags: ['kubedns', 'apps']  }
+...
 ```

-* Network checker
-
-```bash
-cd ~/mcp
-./deploy-netchecker.sh
-# or in openstack namespace
-./deploy-netchecker.sh openstack
+```
+ansible-playbook -i inventory/inventory.cfg apps.yml -u root
 ```

-* CCP
+#### Git submodules
+Alternatively the roles can be installed as git submodules.
+That way is easier if you want to do some changes and commit them.

-```bash
-# Run a bash in one of containers
-docker run -t -i 127.0.0.1:31500/mcp/nova-base /bin/bash

-# Inside container export credentials
-export OS_USERNAME=admin
-export OS_PASSWORD=password
-export OS_TENANT_NAME=admin
-export OS_REGION_NAME=RegionOne
-export OS_AUTH_URL=http://keystone:35357
+### Networking

-# Run CLI commands
-openstack service list
-neutron agent-list
+#### Calico
+Check if the calico-node container is running
 ```
+docker ps | grep calico
+```
+
+The **calicoctl** command allows to check the status of the network workloads.
+* Check the status of Calico nodes
+```
+calicoctl status
+```
+
+* Show the configured network subnet for containers
+```
+calicoctl pool show
+```
+
+* Show the workloads (ip addresses of containers and their located)
+```
+calicoctl endpoint show --detail
+```
+
+#### Flannel
+
+* Flannel configuration file should have been created there
+```
+cat /run/flannel/subnet.env
+FLANNEL_NETWORK=10.233.0.0/18
+FLANNEL_SUBNET=10.233.16.1/24
+FLANNEL_MTU=1450
+FLANNEL_IPMASQ=false
+```
+
+* Check if the network interface has been created
+```
+ip a show dev flannel.1
+4: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default
+    link/ether e2:f3:a7:0f:bf:cb brd ff:ff:ff:ff:ff:ff
+    inet 10.233.16.0/18 scope global flannel.1
+       valid_lft forever preferred_lft forever
+    inet6 fe80::e0f3:a7ff:fe0f:bfcb/64 scope link
+       valid_lft forever preferred_lft forever
+```
+
+* Docker must be configured with a bridge ip in the flannel subnet.
+```
+ps aux | grep docker
+root     20196  1.7  2.7 1260616 56840 ?       Ssl  10:18   0:07 /usr/bin/docker daemon --bip=10.233.16.1/24 --mtu=1450
+```
+
+* Try to run a container and check its ip address
+```
+kubectl run test --image=busybox --command -- tail -f /dev/null
+replicationcontroller "test" created
+
+kubectl describe po test-34ozs | grep ^IP
+IP:				10.233.16.2
+```
+
+```
+kubectl exec test-34ozs -- ip a show dev eth0
+8: eth0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1450 qdisc noqueue
+    link/ether 02:42:0a:e9:2b:03 brd ff:ff:ff:ff:ff:ff
+    inet 10.233.16.2/24 scope global eth0
+       valid_lft forever preferred_lft forever
+    inet6 fe80::42:aff:fee9:2b03/64 scope link tentative flags 08
+       valid_lft forever preferred_lft forever
+```
+
+
+Congrats ! now you can walk through [kubernetes basics](http://kubernetes.io/v1.1/basicstutorials.html)
@@ -1,115 +0,0 @@
-# -*- mode: ruby -*-
-# vi: set ft=ruby :
-
-pool = ENV["VAGRANT_POOL"] || "10.250.0.0/16"
-
-ENV["VAGRANT_DEFAULT_PROVIDER"] = "libvirt"
-prefix = pool.gsub(/\.\d+\.\d+\/16$/, "")
-
-$num_instances = 4
-$vm_memory = 6144
-$vm_cpus = 2
-$master_memory = 1024
-$master_cpus = 1
-
-$user = ENV["USER"]
-$public_subnet = prefix.to_s + ".0"
-$private_subnet = prefix.to_s + ".1"
-$mgmt_cidr = prefix.to_s + ".2.0/24"
-$neutron_subnet = "172.30.250"
-
-$instance_name_prefix = "#{$user}-k8s"
-
-# Boxes with libvirt provider support:
-#$box = "yk0/ubuntu-xenial" #900M
-#$box = "centos/7"
-#$box = "nrclark/xenial64-minimal-libvirt"
-$box = "peru/ubuntu-16.04-server-amd64"
-
-# Create SSH keys for future lab
-system 'bash vagrant-scripts/ssh-keygen.sh'
-
-# Create nodes list for future kargo deployment
-nodes=""
-(1..$num_instances-1).each do |i|
-  ip = "#{$private_subnet}.#{i+10}"
-  nodes = "#{nodes}#{ip}\n"
-end
-File.open("nodes", 'w') { |file| file.write(nodes) }
-
-# Create the lab
-Vagrant.configure("2") do |config|
-  (0..$num_instances-1).each do |i|
-    # First node would be master node
-    master = i == 0
-
-    config.ssh.insert_key = false
-    vm_name = "%s-%02d" % [$instance_name_prefix, i]
-
-    config.vm.define vm_name do |test_vm|
-      test_vm.vm.box = $box
-      test_vm.vm.hostname = vm_name
-
-      # Libvirt provider settings
-      test_vm.vm.provider :libvirt do |domain|
-        domain.uri = "qemu+unix:///system"
-        if master
-          domain.memory = $master_memory
-          domain.cpus = $master_cpus
-        else
-          domain.memory = $vm_memory
-          domain.cpus = $vm_cpus
-        end
-        domain.driver = "kvm"
-        domain.host = "localhost"
-        domain.connect_via_ssh = false
-        domain.username = $user
-        domain.storage_pool_name = "default"
-        domain.nic_model_type = "e1000"
-        domain.management_network_name = "#{$instance_name_prefix}-mgmt-net"
-        domain.management_network_address = $mgmt_cidr
-        domain.nested = true
-        domain.cpu_mode = "host-passthrough"
-        domain.volume_cache = "unsafe"
-        domain.disk_bus = "virtio"
-        # DISABLED: switched to new box which has 100G / partition
-        #domain.storage :file, :type => 'qcow2', :bus => 'virtio', :size => '20G', :device => 'vdb'
-      end
-
-      # Networks and interfaces
-      ip = "#{$private_subnet}.#{i+10}"
-      pub_ip = "#{$public_subnet}.#{i+10}"
-      # "public" network with nat forwarding
-      test_vm.vm.network :private_network,
-        :ip => pub_ip,
-        :model_type => "e1000",
-        :libvirt__network_name => "#{$instance_name_prefix}-public",
-        :libvirt__dhcp_enabled => false,
-        :libvirt__forward_mode => "nat"
-      # "private" isolated network
-      test_vm.vm.network :private_network,
-        :ip => ip,
-        :model_type => "e1000",
-        :libvirt__network_name => "#{$instance_name_prefix}-private",
-        :libvirt__dhcp_enabled => false,
-        :libvirt__forward_mode => "none"
-      # "neutron" isolated network
-      test_vm.vm.network :private_network,
-        :ip => "#{$neutron_subnet}.#{i+10}",
-        :model_type => "e1000",
-        :libvirt__network_name => "#{$instance_name_prefix}-neutron",
-        :libvirt__dhcp_enabled => false,
-        :libvirt__forward_mode => "none"
-
-      # Provisioning
-      config.vm.provision "file", source: "ssh", destination: "~/ssh"
-      if master
-        config.vm.provision "nodes", type: "file", source: "nodes", destination: "/var/tmp/nodes"
-        config.vm.provision "bootstrap", type: "shell", path: "vagrant-scripts/provision-master.sh"
-      else
-        config.vm.provision "bootstrap", type: "shell", path: "vagrant-scripts/provision-node.sh"
-      end
-
-    end
-  end
-end
@@ -0,0 +1,33 @@
+---
+- hosts: kube-master
+  roles:
+    # System
+    - { role: apps/k8s-kubedns, tags: ['kubedns', 'kube-system'] }
+
+    # Databases
+    - { role: apps/k8s-postgres, tags: 'postgres' }
+    - { role: apps/k8s-elasticsearch, tags: 'elasticsearch' }
+    - { role: apps/k8s-memcached, tags: 'memcached' }
+    - { role: apps/k8s-redis, tags: 'redis' }
+    - { role: apps/k8s-mongodb-simple, tags: 'mongodb-simple' }
+
+    # Msg Broker
+    - { role: apps/k8s-rabbitmq, tags: 'rabbitmq' }
+
+    # Monitoring
+    - { role: apps/k8s-influxdb, tags: ['influxdb', 'kube-system']}
+    - { role: apps/k8s-heapster, tags: ['heapster', 'kube-system']}
+    - { role: apps/k8s-kubedash, tags: ['kubedash', 'kube-system']}
+
+    # logging
+    - { role: apps/k8s-kube-logstash, tags: 'kube-logstash'}
+
+    # Console
+    - { role: apps/k8s-fabric8, tags: 'fabric8' }
+    - { role: apps/k8s-kube-ui, tags: ['kube-ui', 'kube-system']}
+
+    # ETCD
+    - { role: apps/k8s-etcd, tags: 'etcd'}
+
+    # Chat Apps
+    - { role: apps/k8s-rocketchat, tags: 'rocketchat'}
@@ -1,11 +0,0 @@
-#!/bin/bash
-
-set -e
-
-INVENTORY="nodes_to_inv.py"
-
-echo "Createing repository and CCP images, it may take a while..."
-ansible-playbook -i $INVENTORY playbooks/ccp-build.yaml
-
-echo "Deploying up OpenStack CCP..."
-ansible-playbook -i $INVENTORY playbooks/ccp-deploy.yaml
@@ -1,22 +0,0 @@
-#!/bin/bash
-
-# Packages
-apt-get --yes update
-apt-get --yes upgrade
-apt-get --yes install git screen vim telnet tcpdump python-setuptools gcc python-dev python-pip libssl-dev libffi-dev software-properties-common curl python-netaddr
-
-# Get ansible-2.1+, vanilla ubuntu-16.04 ansible (2.0.0.2) is broken due to https://github.com/ansible/ansible/issues/13876
-ansible --version || (
-  apt-add-repository -y ppa:ansible/ansible
-  apt-get update
-  apt-get install -y ansible
-)
-
-# Copy/create nodes list
-test -f ./nodes || cp /var/tmp/nodes ./nodes
-
-# Either pull or copy microservices repos
-cp -a /var/tmp/microservices* ./ccp/ || touch /var/tmp/ccp-download
-
-# Pull kargo
-git clone https://github.com/kubespray/kargo ~/kargo
@@ -1,2 +0,0 @@
-microservices-repos
-microservices
@@ -1,16 +0,0 @@
-[DEFAULT]
-deploy_config = /root/ccp/deploy-config.yaml
-
-[builder]
-push = True
-
-[registry]
-address = "127.0.0.1:31500"
-
-[kubernetes]
-namespace = "openstack"
-
-[repositories]
-skip_empty = True
-protocol = https
-port = 443
@@ -1,6 +0,0 @@
-configs:
-  public_interface: "eth1"
-  private_interface: "eth2"
-  neutron_external_interface: "eth3"
-  neutron_logging_debug: "true"
-  neutron_plugin_agent: "openvswitch"
@@ -1,25 +0,0 @@
-#!/bin/bash
-
-set -e
-
-# FIXME: hardcoded roles
-declare -A nodes
-nodes=( \
-["node1"]="openstack-controller=true"
-["node2"]="openstack-compute=true"
-["node3"]="openstack-compute=true"
-)
-
-label_nodes() {
-  all_label='openstack-compute-controller=true'
-  for i in "${!nodes[@]}"
-  do
-    node=$i
-    label=${nodes[$i]}
-    kubectl get nodes $node --show-labels | grep -q "$label" || kubectl label nodes $node $label
-    kubectl get nodes $node --show-labels | grep -q "$all_label" || kubectl label nodes $node $all_label
-  done
-}
-
-label_nodes
-
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: registry
-  labels:
-    app: registry
-spec:
-  containers:
-    - name: registry
-      image: registry:2
-      env:
-      imagePullPolicy: Always
-      ports:
-        - containerPort: 5000
-          hostPort: 5000
-
@@ -1,15 +0,0 @@
-kind: "Service"
-apiVersion: "v1"
-metadata:
-  name: "registry"
-spec:
-  selector:
-    app: "registry"
-  ports:
-    -
-      protocol: "TCP"
-      port: 5000
-      targetPort: 5000
-      nodePort: 31500
-  type: "NodePort"
-
@@ -0,0 +1,15 @@
+---
+- hosts: k8s-cluster
+  roles:
+    - { role: adduser, tags: adduser }
+    - { role: download, tags: download }
+    - { role: kubernetes/preinstall, tags: preinstall }
+    - { role: docker, tags: docker }
+    - { role: kubernetes/node, tags: node }
+    - { role: etcd, tags: etcd }
+    - { role: dnsmasq, tags: dnsmasq }
+    - { role: network_plugin, tags: ['calico', 'flannel', 'network'] }
+
+- hosts: kube-master
+  roles:
+    - { role: kubernetes/master, tags: master }
@@ -1,13 +0,0 @@
-# Kubernetes version
-kube_version: "v1.2.4"
-# Switch network to calico
-kube_network_plugin: "calico"
-# Kube-proxy should be iptables for calico
-kube_proxy_mode: "iptables"
-# Use non-tmpfs tmp dir
-local_release_dir: "/var/tmp/releases"
-# Upstream DNS servers with mirantis.net
-upstream_dns_servers:
-  - 8.8.8.8
-  - 8.8.4.4
-  - /mirantis.net/172.18.32.6
@@ -1,19 +0,0 @@
-#!/bin/bash
-
-INVENTORY="nodes_to_inv.py"
-
-echo "Installing requirements on nodes..."
-ansible-playbook -i $INVENTORY playbooks/bootstrap-nodes.yaml
-
-echo "Running deployment..."
-ansible-playbook -i $INVENTORY /root/kargo/cluster.yml -e @custom.yaml
-deploy_res=$?
-
-if [ "$deploy_res" -eq "0" ]; then
-  echo "Setting up kubedns..."
-  ansible-playbook -i $INVENTORY playbooks/kubedns.yaml
-  echo "Setting up kubedashboard..."
-  ansible-playbook -i $INVENTORY playbooks/kubedashboard.yaml
-  echo "Setting up ip route work-around for DNS clusterIP availability..."
-  ansible-playbook -i $INVENTORY playbooks/ipro_for_cluster_ips.yaml
-fi
@@ -1,36 +0,0 @@
-#!/bin/bash
-
-if [ -n "$1" ] ; then
-  NS="--namespace=$1"
-fi
-
-kubectl get nodes || exit 1
-
-echo "Installing netchecker server"
-git clone https://github.com/adidenko/netchecker-server
-pushd netchecker-server
-  pushd docker
-    docker build -t 127.0.0.1:31500/netchecker/server:latest .
-    docker push 127.0.0.1:31500/netchecker/server:latest
-  popd
-  kubectl create -f netchecker-server_pod.yaml $NS
-  kubectl create -f netchecker-server_svc.yaml $NS
-popd
-
-echo "Installing netchecker agents"
-git clone https://github.com/adidenko/netchecker-agent
-pushd netchecker-agent
-  pushd docker
-    docker build -t 127.0.0.1:31500/netchecker/agent:latest .
-    docker push 127.0.0.1:31500/netchecker/agent:latest
-  popd
-  kubectl get nodes | grep Ready | awk '{print $1}' | xargs -I {} kubectl label nodes {} netchecker=agent
-  NUMNODES=`kubectl get nodes --show-labels | grep Ready | grep netchecker=agent | wc -l`
-  sed -e "s/replicas:.*/replicas: $NUMNODES/g" -i netchecker-agent_rc.yaml
-  kubectl create -f netchecker-agent_rc.yaml $NS
-popd
-
-echo "DONE"
-echo
-echo "use the following command to check agents:"
-echo "curl -s -X GET 'http://localhost:31081/api/v1/agents/' | python -mjson.tool"
@@ -1,25 +0,0 @@
-CCP examples
-============
-Some examples for Openstack CCP.
-
-Expose Horizon
-==============
-
-* Get nodePort of Horizon service:
-```bash
-echo $(kubectl --namespace=openstack get svc/horizon -o go-template='{{(index .spec.ports 0).nodePort}}')
-```
-
-* NAT on your router/jump-box to any k8s minion public IP and nodePort to provide external access:
-```bash
-iptables -t nat -I PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 10.210.0.12:32643
-iptables -t nat -I POSTROUTING -d 10.210.0.12 ! -s 10.210.0.0/24 -j MASQUERADE
-iptables -I FORWARD -d 10.210.0.12 -j ACCEPT
-```
-
-Where `10.210.0.12` is IP of one of your k8s minions and `32643` is nodePort of Horizon service.
-
-* You can do the same for novnc:
-```bash
-echo $(kubectl --namespace=openstack get svc/nova-novncproxy -o go-template='{{(index .spec.ports 0).nodePort}}')
-```
@@ -1,36 +0,0 @@
-# This script should be executed inside k8s:
-# docker run -t -i 127.0.0.1:31500/mcp/nova-base /bin/bash
-
-export OS_USERNAME=admin
-export OS_PASSWORD=password
-export OS_TENANT_NAME=admin
-export OS_REGION_NAME=RegionOne
-export OS_AUTH_URL=http://keystone:35357
-
-# Key
-nova keypair-add test > test.pem
-chmod 600 test.pem
-
-# Flavor
-nova flavor-create demo --is-public true auto 128 2 1
-
-# Image
-curl -O http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img
-glance image-create --name cirros --disk-format qcow2 --container-format bare --file cirros-0.3.4-x86_64-disk.img
-
-# Aggregates
-node2=`openstack hypervisor list | grep -o '[a-z]\+-k8s-02'`
-node3=`openstack hypervisor list | grep -o '[a-z]\+-k8s-03'`
-nova aggregate-create n2 n2
-nova aggregate-add-host n2 $node2
-nova aggregate-create n3 n3
-nova aggregate-add-host n3 $node3
-
-# Network
-neutron net-create net1 --provider:network-type vxlan
-neutron subnet-create net1 172.20.0.0/24 --name subnet1
-
-# Instances
-net_id=`neutron net-list | grep net1 | awk '{print $2}'`
-nova boot ti02 --image cirros --flavor demo --nic net-id=$net_id --key-name test --availability-zone n2
-nova boot ti03 --image cirros --flavor demo --nic net-id=$net_id --key-name test --availability-zone n3
@@ -1,45 +0,0 @@
-Examples how to expose k8s services
-===================================
-
-Exposing dashboard via frontend and externalIPs
-----------------------------------------------
-
-* Edit `kubernetes-dashboard.yaml` and update `externalIPs` to the list of external IPs of your k8s minions
-
-* Run:
-
-```bash
-kubectl create -f kubernetes-dashboard.yaml --namespace=kube-system
-```
-
-* Access:
-
-```bash
-curl $ANY_MINION_EXTERNAL_IP:9090
-```
-
-Exposing dashboard via nodePort
-------------------------------
-
-* Get nodePort of the service:
-
-```bash
-echo $(kubectl --namespace=kube-system get svc/kubernetes-dashboard -o go-template='{{(index .spec.ports 0).nodePort}}')
-```
-
-* NAT on your router/jump-box to any k8s minion public IP and nodePort to provide external access:
-
-```bash
-iptables -t nat -I PREROUTING -p tcp --dport 9090 -j DNAT --to-destination 10.210.0.12:32005
-iptables -t nat -I POSTROUTING -d 10.210.0.12 ! -s 10.210.0.0/24 -j MASQUERADE
-iptables -I FORWARD -d 10.210.0.12 -j ACCEPT
-```
-
-Where `10.210.0.12` is public IP of one of your k8s minions and `32005` is nodePort of `kubernetes-dashboard` service.
-
-* Access:
-
-```bash
-curl 10.210.0.12:9090
-```
-
@@ -1,22 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: kubedash-frontend
-  labels:
-    app: kubedash-frontend
-    tier: frontend
-spec:
-  externalIPs:
-  - 10.210.0.12
-  - 10.210.0.13
-  - 10.210.0.14
-  - 10.210.0.15
-  - 10.210.0.16
-  - 10.210.0.17
-  ports:
-  - name: http
-    port: 8289
-    protocol: TCP
-    targetPort: 8289
-  selector:
-    name: kubedash
@@ -1,22 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: dashboard-frontend
-  labels:
-    app: dashboard-frontend
-    tier: frontend
-spec:
-  externalIPs:
-  - 10.210.0.12
-  - 10.210.0.13
-  - 10.210.0.14
-  - 10.210.0.15
-  - 10.210.0.16
-  - 10.210.0.17
-  ports:
-  - name: http
-    port: 9090
-    protocol: TCP
-    targetPort: 9090
-  selector:
-    app: kubernetes-dashboard
@@ -1,18 +0,0 @@
-Nginx example with external IPs
-===============================
-
-* Edit `nginx-frontend.yaml` and update `externalIPs` to the list of external IPs of your k8s minions
-
-* Deploy:
-
-```bash
-kubectl create -f nginx-backends.yaml
-kubectl create -f nginx-frontend.yaml
-```
-
-* Check:
-
-```bash
-curl $ANY_MINION_EXTERNAL_IP
-```
-
@@ -1,24 +0,0 @@
-apiVersion: extensions/v1beta1
-kind: Deployment
-metadata:
-  name: nginx-backend
-spec:
-  replicas: 3
-  template:
-    metadata:
-      labels:
-        app: nginx-backend
-        tier: backend
-    spec:
-      containers:
-      - name: nginx
-        image: nginx
-        resources:
-          requests:
-            cpu: 100m
-            memory: 100Mi
-        env:
-        - name: GET_HOSTS_FROM
-          value: dns
-        ports:
-        - containerPort: 80
@@ -1,22 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: nginx-frontend
-  labels:
-    app: nginx-frontend
-    tier: frontend
-spec:
-  externalIPs:
-  - 10.210.0.12
-  - 10.210.0.13
-  - 10.210.0.14
-  - 10.210.0.15
-  - 10.210.0.16
-  - 10.210.0.17
-  ports:
-  - name: http
-    port: 80
-    protocol: TCP
-    targetPort: 80
-  selector:
-    app: nginx-backend
@@ -0,0 +1,90 @@
+ # Directory where the binaries will be installed
+bin_dir: /usr/local/bin
+
+# Where the binaries will be downloaded.
+# Note: ensure that you've enough disk space (about 1G)
+local_release_dir: "/tmp/releases"
+
+# This is the group that the cert creation scripts chgrp the
+# cert files to. Not really changable...
+kube_cert_group: kube-cert
+
+# Cluster Loglevel configuration
+kube_log_level: 2
+
+# Users to create for basic auth in Kubernetes API via HTTP
+kube_users:
+  kube:
+    pass: changeme
+    role: admin
+#   root:
+#     pass: changeme
+#     role: admin
+
+# Kubernetes cluster name, also will be used as DNS domain
+cluster_name: cluster.local
+
+# set this variable to calico if needed. keep it empty if flannel is used
+kube_network_plugin: calico
+
+# Kubernetes internal network for services, unused block of space.
+kube_service_addresses: 10.233.0.0/18
+
+# internal network. When used, it will assign IP
+# addresses from this range to individual pods.
+# This network must be unused in your network infrastructure!
+kube_pods_subnet: 10.233.64.0/18
+
+# internal network total size (optional). This is the prefix of the
+# entire network. Must be unused in your environment.
+# kube_network_prefix: 18
+
+# internal network node size allocation (optional). This is the size allocated
+# to each node on your network.  With these defaults you should have
+# room for 4096 nodes with 254 pods per node.
+kube_network_node_prefix: 24
+
+# With calico it is possible to distributed routes with border routers of the datacenter.
+peer_with_router: false
+# Warning : enabling router peering will disable calico's default behavior ('node mesh').
+# The subnets of each nodes will be distributed by the datacenter router
+
+# The port the API Server will be listening on.
+kube_apiserver_ip: "{{ kube_service_addresses|ipaddr('net')|ipaddr(1)|ipaddr('address') }}"
+kube_apiserver_port: 443 # (https)
+kube_apiserver_insecure_port: 8080 # (http)
+
+# Internal DNS configuration.
+# Kubernetes can create and mainatain its own DNS server to resolve service names
+# into appropriate IP addresses. It's highly advisable to run such DNS server,
+# as it greatly simplifies configuration of your applications - you can use
+# service names instead of magic environment variables.
+# You still must manually configure all your containers to use this DNS server,
+# Kubernetes won't do this for you (yet).
+
+# Upstream dns servers used by dnsmasq
+upstream_dns_servers:
+  - 8.8.8.8
+  - 4.4.8.8
+#
+# # Use dns server : https://github.com/ansibl8s/k8s-skydns/blob/master/skydns-README.md
+dns_setup: true
+dns_domain: "{{ cluster_name }}"
+#
+# # Ip address of the kubernetes dns service
+dns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(2)|ipaddr('address') }}"
+
+# For multi masters architecture:
+# kube-proxy doesn't support multiple apiservers for the time being so you'll need to configure your own loadbalancer
+# This domain name will be inserted into the /etc/hosts file of all servers
+# configuration example with haproxy :
+# listen kubernetes-apiserver-https
+#   bind 10.99.0.21:8383
+#    option ssl-hello-chk
+#    mode tcp
+#    timeout client 3h
+#    timeout server 3h
+#    server master1 10.99.0.26:443
+#    server master2 10.99.0.27:443
+#    balance roundrobin
+# apiserver_loadbalancer_domain_name: "lb-apiserver.kubernetes.local"
@@ -0,0 +1,10 @@
+#---
+#peers:
+#  -router_id: "10.99.0.34"
+#   as: "65xxx"
+#  - router_id: "10.99.0.35"
+#   as: "65xxx"
+#
+#loadbalancer_apiserver:
+#  address: "10.99.0.44"
+#  port: "8383"
@@ -0,0 +1,10 @@
+#---
+#peers:
+#  -router_id: "10.99.0.2"
+#   as: "65xxx"
+#  - router_id: "10.99.0.3"
+#   as: "65xxx"
+#
+#loadbalancer_apiserver:
+#  address: "10.99.0.21"
+#  port: "8383"
@@ -0,0 +1,29 @@
+[kube-master]
+node1 ansible_ssh_host=10.99.0.26
+node2 ansible_ssh_host=10.99.0.27
+
+[etcd]
+node1 ansible_ssh_host=10.99.0.26
+node2 ansible_ssh_host=10.99.0.27
+node3 ansible_ssh_host=10.99.0.4
+
+[kube-node]
+node2 ansible_ssh_host=10.99.0.27
+node3 ansible_ssh_host=10.99.0.4
+node4 ansible_ssh_host=10.99.0.5
+node5 ansible_ssh_host=10.99.0.36
+node6 ansible_ssh_host=10.99.0.37
+
+[paris]
+node1 ansible_ssh_host=10.99.0.26
+node3 ansible_ssh_host=10.99.0.4 local_as=xxxxxxxx
+node4 ansible_ssh_host=10.99.0.5 local_as=xxxxxxxx
+
+[new-york]
+node2 ansible_ssh_host=10.99.0.27
+node5 ansible_ssh_host=10.99.0.36 local_as=xxxxxxxx
+node6 ansible_ssh_host=10.99.0.37 local_as=xxxxxxxx
+
+[k8s-cluster:children]
+kube-node
+kube-master
@@ -0,0 +1,14 @@
+node1 ansible_connection=local local_release_dir={{ansible_env.HOME}}/releases
+
+[kube-master]
+node1
+
+[etcd]
+node1
+
+[kube-node]
+node1
+
+[k8s-cluster:children]
+kube-node
+kube-master
@@ -1,97 +0,0 @@
-#!/usr/bin/env python
-
-# A simple dynamic replacemant of 'kargo prepare'
-# Generates ansible inventory from a list of IPs in 'nodes' file.
-
-import argparse
-import json
-import os
-import yaml
-
-def read_nodes_from_file(filename):
-    f = open(filename, 'r')
-    content = [x.strip('\n') for x in f.readlines()]
-    return content
-
-def read_vars_from_file(src="/root/kargo/inventory/group_vars/all.yml"):
-    with open(src, 'r') as f:
-        content = yaml.load(f)
-    return content
-
-def nodes_to_hash(nodes_list, masters, group_vars):
-    nodes = {
-          'all': {
-              'hosts': [],
-              'vars': group_vars
-          },
-          'etcd': {
-              'hosts': [],
-          },
-          'kube-master': {
-              'hosts': [],
-          },
-          'kube-node': {
-              'hosts': [],
-          },
-          'k8s-cluster': {
-              'children': ['kube-node', 'kube-master']
-          },
-          '_meta': {
-              'hostvars': {}
-          }
-    }
-    i = 1
-
-    for node_ip in nodes_list:
-        node_name = "node%s" % i
-        nodes['all']['hosts'].append(node_name)
-        nodes['_meta']['hostvars'][node_name] = {
-            'ansible_ssh_host': node_ip,
-            'ip': node_ip,
-        }
-        nodes['kube-node']['hosts'].append(node_name)
-        if i <= masters:
-            nodes['kube-master']['hosts'].append(node_name)
-        if i <= 3:
-            nodes['etcd']['hosts'].append(node_name)
-        i += 1
-
-    return nodes
-
-def main():
-    parser = argparse.ArgumentParser(description='Kargo inventory simulator')
-    parser.add_argument('--list', action='store_true')
-    parser.add_argument('--host', default=False)
-    args = parser.parse_args()
-
-    # Read params from ENV since ansible does not support passing args to dynamic inv scripts
-    if os.environ.get('K8S_NODES_FILE'):
-        nodes_file = os.environ['K8S_NODES_FILE']
-    else:
-        nodes_file = 'nodes'
-
-    if os.environ.get('K8S_MASTERS'):
-        masters = int(os.environ['K8S_MASTERS'])
-    else:
-        masters = 2
-
-    if os.environ.get('KARGO_GROUP_VARS'):
-        vars_file = os.environ['KARGO_GROUP_VARS']
-    else:
-        vars_file = "/root/kargo/inventory/group_vars/all.yml"
-
-    nodes_list = read_nodes_from_file(nodes_file)
-
-    if len(nodes_list) < 3:
-        print "Error: requires at least 3 nodes"
-        return
-
-    nodes = nodes_to_hash(nodes_list, masters, read_vars_from_file(vars_file))
-
-    if args.host:
-        print json.dumps(nodes['_meta']['hostvars'][args.host])
-    else:
-        print json.dumps(nodes)
-
-if __name__ == "__main__":
-    main()
@@ -1,17 +0,0 @@
- hosts: all
-  tasks:
-    - name: Install packages
-      package: name={{ item }} state=latest
-      with_items:
-        - python-pip
-        - screen
-        - vim
-        - telnet
-        - tcpdump
-        - traceroute
-        - iperf3
-        - nmap
-        - ethtool
-        - curl
-        - git
-        - dnsutils
@@ -1,69 +0,0 @@
- hosts: kube-master
-
-  pre_tasks:
-
-    - name: Download fuel-ccp
-      git:
-        repo: https://git.openstack.org/openstack/fuel-ccp
-        dest: /usr/local/src/fuel-ccp
-        version: master
-
-    - name: Upload ccp configs to master nodes
-      synchronize:
-        src: ../ccp/
-        dest: /root/ccp/
-
-  tasks:
-
-    - name: Install CCP cli tool
-      shell: pip install -U fuel-ccp/
-      args:
-        chdir: /usr/local/src
-        creates: /usr/local/bin/mcp-microservices
-
-    - name: Get pods
-      shell: kubectl get pods
-      register: get_pod
-      run_once: true
-
-    - name: Get services
-      shell: kubectl get svc
-      register: get_svc
-      run_once: true
-
-    - name: Create registry pod
-      shell: kubectl create -f registry_pod.yaml
-      args:
-        chdir: /root/ccp
-      run_once: true
-      when: get_pod.stdout.find('registry') == -1
-
-    - name: Create registry svc
-      shell: kubectl create -f registry_svc.yaml
-      args:
-        chdir: /root/ccp
-      run_once: true
-      when: get_svc.stdout.find('registry') == -1
-
-    - name: Fetch CCP images
-      shell: mcp-microservices --config-file=/root/ccp/ccp.conf fetch
-      run_once: true
-
-#    - name: Patch fuel-ccp-neutron
-#      run_once: true
-#      args:
-#        chdir: /root/microservices-repos/fuel-ccp-neutron
-#      shell: git fetch https://git.openstack.org/openstack/fuel-ccp-neutron {{ item }} && git cherry-pick FETCH_HEAD
-#      with_items:
-#        - "refs/changes/96/340496/6"
-
-    - name: Build CCP images
-      shell: mcp-microservices --config-file=/root/ccp/ccp.conf build
-      run_once: true
-
- hosts: k8s-cluster
-
-  tasks:
-
-    - name: Check number of built images
-      shell: test $(curl -s 127.0.0.1:31500/v2/_catalog | python -mjson.tool | grep mcp/ | wc -l) -ge 29
@@ -1,27 +0,0 @@
- hosts: kube-master
-
-  pre_tasks:
-
-    - name: Rsync CCP configs
-      synchronize:
-        src: ../ccp/
-        dest: /root/ccp/
-
-  tasks:
-    - name: Label nodes
-      shell: ./label-nodes.sh
-      args:
-        chdir: /root/ccp
-      run_once: true
-
-    - name: Get namespaces
-      shell: kubectl get namespace
-      register: get_ns
-      run_once: true
-
-    - name: Deploy CCP
-      shell: mcp-microservices --config-file=/root/ccp/ccp.conf deploy
-      args:
-        chdir: /root/ccp
-      run_once: true
-      when: get_ns.stdout.find('openstack') == -1
@@ -1,24 +0,0 @@
-# FXIME: add persistent routing rule
- hosts: kube-master
-  tasks:
-    - name: Get kube service net
-      shell: grep KUBE_SERVICE_ADDRESSES /etc/kubernetes/kube-apiserver.env | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}\b"
-      register: kube_service_addresses
-      run_once: true
- hosts: all
-  tasks:
-    - name: Get local IP
-      shell: "calicoctl status | grep IP: | awk '{print $2}'"
-      register: local_ip
-    - name: Get route
-      shell: ip ro ls | grep "^{{ hostvars[groups['kube-master'][0]]['kube_service_addresses']['stdout'] }}" || echo ""
-      register: local_route
-    - name: Clean up route
-      shell: ip ro del {{ hostvars[groups['kube-master'][0]]['kube_service_addresses']['stdout'] }} || true
-      when: local_route.stdout.find('{{ local_ip.stdout }}') == -1
-    - name: Setup route
-      shell: ip ro add {{ hostvars[groups['kube-master'][0]]['kube_service_addresses']['stdout'] }} via {{ local_ip.stdout }}
-      when: local_route.stdout.find('{{ local_ip.stdout }}') == -1
-    - name: Add openstack namespace to resolv.conf
-      shell: grep openstack.svc.cluster.local /etc/resolv.conf || sed '/^search / s/$/ openstack.svc.cluster.local/' -i /etc/resolv.conf
-
@@ -1,5 +0,0 @@
- hosts: kube-master
-  tasks:
-    - name: setup-kubedns
-      shell: kpm deploy kube-system/kubedash --namespace=kube-system
-      run_once: true
@@ -1,5 +0,0 @@
- hosts: kube-master
-  tasks:
-    - name: setup-kubedns
-      shell: kpm deploy kube-system/kubernetes-dashboard --namespace=kube-system
-      run_once: true
@@ -1,5 +0,0 @@
- hosts: kube-master
-  tasks:
-    - name: setup-kubedns
-      shell: kpm deploy kube-system/kubedns --namespace=kube-system
-      run_once: true
@@ -0,0 +1,45 @@
+---
+- src: https://github.com/ansibl8s/k8s-common.git
+  path: roles/apps
+  version: v1.0
+
+- src: https://github.com/ansibl8s/k8s-kubedns.git
+  path: roles/apps
+  version: v1.0
+
+#- src: https://github.com/ansibl8s/k8s-kube-ui.git
+#  path: roles/apps
+#  version: v1.0
+#
+#- src: https://github.com/ansibl8s/k8s-fabric8.git
+#  path: roles/apps
+#  version: v1.0
+#
+#- src: https://github.com/ansibl8s/k8s-elasticsearch.git
+#  path: roles/apps
+#  # version: v1.0
+#
+#- src: https://github.com/ansibl8s/k8s-redis.git
+#  path: roles/apps
+#  # version: v1.0
+#
+#- src: https://github.com/ansibl8s/k8s-memcached.git
+#  path: roles/apps
+#  version: v1.0
+#
+#- src: https://github.com/ansibl8s/k8s-postgres.git
+#  path: roles/apps
+#  version: v1.0
+#
+#- src: https://github.com/ansibl8s/k8s-pgbouncer.git
+#  path: roles/apps
+#  version: v1.0
+#
+#- src: https://github.com/ansibl8s/k8s-heapster.git
+#  path: roles/apps
+#
+#- src: https://github.com/ansibl8s/k8s-influxdb.git
+#  path: roles/apps
+#
+#- src: https://github.com/ansibl8s/k8s-kubedash.git
+#  path: roles/apps
@@ -0,0 +1,15 @@
+---
+addusers:
+  - name: etcd
+    comment: "Etcd user"
+    createhome: yes
+    home: "/var/lib/etcd"
+    system: yes
+    shell: /bin/nologin
+
+  - name: kube
+    comment: "Kubernetes user"
+    shell: /sbin/nologin
+    system: yes
+    group: "{{ kube_cert_group }}"
+    createhome: no
@@ -0,0 +1,13 @@
+- name: User | Create User Group
+  group: name={{item.group|default(item.name)}} system={{item.system|default(omit)}}
+  with_items: addusers
+
+- name: User | Create User
+  user:
+    comment: "{{item.comment|default(omit)}}"
+    createhome: "{{item.create_home|default(omit)}}"
+    group: "{{item.group|default(item.name)}}"
+    home: "{{item.home|default(omit)}}"
+    name: "{{item.name}}"
+    system: "{{item.system|default(omit)}}"
+  with_items: addusers
@@ -0,0 +1,4 @@
+#!/bin/sh
+make_resolv_conf() {
+    :
+}
@@ -0,0 +1,95 @@
+---
+- name: ensure dnsmasq.d directory exists
+  file:
+    path: /etc/dnsmasq.d
+    state: directory
+
+- name: ensure dnsmasq.d-available directory exists
+  file:
+    path: /etc/dnsmasq.d-available
+    state: directory
+
+- name: Write dnsmasq configuration
+  template:
+    src: 01-kube-dns.conf.j2
+    dest: /etc/dnsmasq.d-available/01-kube-dns.conf
+    mode: 0755
+    backup: yes
+
+- name: Stat dnsmasq configuration
+  stat: path=/etc/dnsmasq.d/01-kube-dns.conf
+  register: sym
+
+- name: Move previous configuration
+  command: mv /etc/dnsmasq.d/01-kube-dns.conf /etc/dnsmasq.d-available/01-kube-dns.conf.bak
+  changed_when: False
+  when: sym.stat.islnk is defined and sym.stat.islnk == False
+
+- name: Enable dnsmasq configuration
+  file:
+    src: /etc/dnsmasq.d-available/01-kube-dns.conf
+    dest: /etc/dnsmasq.d/01-kube-dns.conf
+    state: link
+
+- name: Create dnsmasq pod manifest
+  template: src=dnsmasq-pod.yml dest=/etc/kubernetes/manifests/dnsmasq-pod.manifest
+
+- name: Check for dnsmasq port (pulling image and running container)
+  wait_for:
+    port: 53
+    delay: 5
+
+- name: check resolvconf
+  stat: path=/etc/resolvconf/resolv.conf.d/head
+  register: resolvconf
+
+- name: target resolv.conf file
+  set_fact:
+    resolvconffile: >-
+      {%- if resolvconf.stat.exists == True -%}/etc/resolvconf/resolv.conf.d/head{%- else -%}/etc/resolv.conf{%- endif -%}
+
+- name: Add search resolv.conf
+  lineinfile:
+    line: "search {{ [ 'default.svc.' + dns_domain, 'svc.' + dns_domain, dns_domain ] | join(' ') }}"
+    dest: "{{resolvconffile}}"
+    state: present
+    insertbefore: BOF
+    backup: yes
+    follow: yes
+
+- name: Add local dnsmasq to resolv.conf
+  lineinfile:
+    line: "nameserver 127.0.0.1"
+    dest: "{{resolvconffile}}"
+    state: present
+    insertafter: "^search.*$"
+    backup: yes
+    follow: yes
+
+- name: Add options to resolv.conf
+  lineinfile:
+    line: options {{ item }}
+    dest: "{{resolvconffile}}"
+    state: present
+    regexp: "^options.*{{ item }}$"
+    insertafter: EOF
+    backup: yes
+    follow: yes
+  with_items:
+    - timeout:2
+    - attempts:2
+
+- name: disable resolv.conf modification by dhclient
+  copy: src=dhclient_nodnsupdate dest=/etc/dhcp/dhclient-enter-hooks.d/nodnsupdate mode=0755 backup=yes
+  when: ansible_os_family == "Debian"
+
+- name: disable resolv.conf modification by dhclient
+  copy: src=dhclient_nodnsupdate dest=/etc/dhcp/dhclient.d/nodnsupdate mode=u+x backup=yes
+  when: ansible_os_family == "RedHat"
+
+- name: update resolvconf
+  command: resolvconf -u
+  changed_when: False
+  when: resolvconf.stat.exists == True
+
+- meta: flush_handlers
@@ -0,0 +1,20 @@
+#Listen on localhost
+bind-interfaces
+listen-address=127.0.0.1
+
+addn-hosts=/etc/hosts
+
+bogus-priv
+
+#Set upstream dns servers
+{% if upstream_dns_servers is defined %}
+{% for srv in upstream_dns_servers %}
+server={{ srv }}
+{% endfor %}
+{% else %}
+ server=8.8.8.8
+ server=8.8.4.4
+{% endif %}
+
+# Forward k8s domain to kube-dns
+server=/{{ dns_domain }}/{{ dns_server }}
@@ -0,0 +1,49 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: dnsmasq
+  namespace: kube-system
+spec:
+  hostNetwork: true
+  containers:
+    - name: dnsmasq
+      image: andyshinn/dnsmasq:2.72
+      command:
+        - dnsmasq
+      args:
+        - -k
+        - "-7"
+        - /etc/dnsmasq.d
+        - --local-service
+      securityContext:
+        capabilities:
+          add:
+            - NET_ADMIN
+      imagePullPolicy: Always
+      resources:
+        limits:
+          cpu: 100m
+          memory: 256M
+      ports:
+        - name: dns
+          containerPort: 53
+          hostPort: 53
+          protocol: UDP
+        - name: dns-tcp
+          containerPort: 53
+          hostPort: 53
+          protocol: TCP
+      volumeMounts:
+        - name: etcdnsmasqd
+          mountPath: /etc/dnsmasq.d
+        - name: etcdnsmasqdavailable
+          mountPath: /etc/dnsmasq.d-available
+
+  volumes:
+    - name: etcdnsmasqd
+      hostPath:
+        path: /etc/dnsmasq.d
+    - name: etcdnsmasqdavailable
+      hostPath:
+        path: /etc/dnsmasq.d-available
@@ -0,0 +1,2 @@
+.*.swp
+.vagrant
@@ -0,0 +1,58 @@
+---
+- name: gather os specific variables
+  include_vars: "{{ item }}"
+  with_first_found:
+    - files:
+      - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version|lower|replace('/', '_') }}.yml"
+      - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release }}.yml"
+      - "{{ ansible_distribution|lower }}-{{ ansible_distribution_major_version|lower|replace('/', '_') }}.yml"
+      - "{{ ansible_distribution|lower }}.yml"
+      - "{{ ansible_os_family|lower }}.yml"
+      - defaults.yml
+      paths:
+      - ../vars
+
+- name: check for minimum kernel version
+  fail:
+    msg: >
+          docker requires a minimum kernel version of
+          {{ docker_kernel_min_version }} on
+          {{ ansible_distribution }}-{{ ansible_distribution_version }}
+  when: ansible_kernel|version_compare(docker_kernel_min_version, "<")
+
+
+- name: ensure docker repository public key is installed
+  action: "{{ docker_repo_key_info.pkg_key }}"
+  args:
+    id: "{{item}}"
+    keyserver: "{{docker_repo_key_info.keyserver}}"
+    state: present
+  with_items: docker_repo_key_info.repo_keys
+
+- name: ensure docker repository is enabled
+  action: "{{ docker_repo_info.pkg_repo }}"
+  args:
+    repo: "{{item}}"
+    update_cache: yes
+    state: present
+  with_items: docker_repo_info.repos
+  when: docker_repo_info.repos|length > 0
+
+- name: ensure docker packages are installed
+  action: "{{ docker_package_info.pkg_mgr }}"
+  args:
+    pkg: "{{item}}"
+    update_cache: yes
+    state: latest
+  with_items: docker_package_info.pkgs
+  when: docker_package_info.pkgs|length > 0
+
+- meta: flush_handlers
+
+- name: ensure docker service is started and enabled
+  service:
+    name: "{{ item }}"
+    enabled: yes
+    state: started
+  with_items:
+    - docker
@@ -0,0 +1,14 @@
+docker_kernel_min_version: '2.6.32-431'
+
+docker_package_info:
+  pkg_mgr: yum
+  pkgs:
+    - docker-io
+
+docker_repo_key_info:
+  pkg_key: ''
+  repo_keys: []
+
+docker_repo_info:
+  pkg_repo: ''
+  repos: []
@@ -0,0 +1,20 @@
+docker_kernel_min_version: '3.2'
+
+docker_package_info:
+  pkg_mgr: apt
+  pkgs:
+    - docker-engine
+
+docker_repo_key_info:
+  pkg_key: apt_key
+  keyserver: hkp://p80.pool.sks-keyservers.net:80
+  repo_keys:
+    - 58118E89F3A912897C070ADBF76221572C52609D
+
+docker_repo_info:
+  pkg_repo: apt_repository
+  repos:
+    - >
+       deb https://apt.dockerproject.org/repo
+       {{ ansible_distribution|lower }}-{{ ansible_distribution_release|lower }}
+       main
@@ -0,0 +1,14 @@
+docker_kernel_min_version: '0'
+
+docker_package_info:
+  pkg_mgr: yum
+  pkgs:
+    - docker-io
+
+docker_repo_key_info:
+  pkg_key: ''
+  repo_keys: []
+
+docker_repo_info:
+  pkg_repo: ''
+  repos: []
@@ -0,0 +1,14 @@
+docker_kernel_min_version: '0'
+
+docker_package_info:
+  pkg_mgr: dnf
+  pkgs:
+    - docker-io
+
+docker_repo_key_info:
+  pkg_key: ''
+  repo_keys: []
+
+docker_repo_info:
+  pkg_repo: ''
+  repos: []
@@ -0,0 +1,14 @@
+docker_kernel_min_version: '0'
+
+docker_package_info:
+  pkg_mgr: yum
+  pkgs:
+    - docker
+
+docker_repo_key_info:
+  pkg_key: ''
+  repo_keys: []
+
+docker_repo_info:
+  pkg_repo: ''
+  repos: []
@@ -0,0 +1,66 @@
+---
+local_release_dir: /tmp
+
+# Versions
+kube_version: v1.1.4
+etcd_version: v2.2.4
+calico_version: v0.14.0
+calico_plugin_version: v0.7.0
+
+# Download URL's
+kube_download_url: "https://storage.googleapis.com/kubernetes-release/release/{{ kube_version }}/bin/linux/amd64"
+etcd_download_url: "https://github.com/coreos/etcd/releases/download/{{ etcd_version }}/etcd-{{ etcd_version }}-linux-amd64.tar.gz"
+calico_download_url: "https://github.com/Metaswitch/calico-docker/releases/download/{{calico_version}}/calicoctl"
+calico_plugin_download_url: "https://github.com/projectcalico/calico-kubernetes/releases/download/{{calico_plugin_version}}/calico_kubernetes"
+
+# Checksums
+calico_checksum: "f251d7a8583233906aa6d059447c1e4fb32bf1369a51fdf96a68d50466d6a69c"
+calico_plugin_checksum: "032f582f5eeec6fb26191d2fbcbf8bca4da3b14abb579db7baa7b3504d4dffec"
+etcd_checksum: "6c4e5cdeaaac1a70b8f06b5dd6b82c37ff19993c9bca81248975610e555c4b9b"
+kubectl_checksum: "873ba19926d17a3287dc8639ea1434fe3cd0cb4e61d82101ba754922cfc7a633"
+kubelet_checksum: "f2d1eae3fa6e304f6cbc9b2621e4b86fc3bcb4e74a15d35f58bf00e45c706e0a"
+kube_apiserver_checksum: "bb3814c4df65f1587a3650140437392ce3fb4b64f51d459457456691c99f1202"
+
+downloads:
+  - name: calico
+    dest: calico/bin/calicoctl
+    sha256: "{{ calico_checksum }}"
+    url: "{{ calico_download_url }}"
+    owner: "root"
+    mode: "0755"
+
+  - name: calico-plugin
+    dest: calico/bin/calico
+    sha256: "{{ calico_plugin_checksum }}"
+    url: "{{ calico_plugin_download_url }}"
+    owner: "root"
+    mode: "0755"
+
+  - name: etcd
+    dest: "etcd/etcd-{{ etcd_version }}-linux-amd64.tar.gz"
+    sha256: "{{ etcd_checksum }}"
+    url: "{{ etcd_download_url }}"
+    unarchive: true
+    owner: "etcd"
+    mode: "0755"
+
+  - name: kubernetes-kubelet
+    dest: kubernetes/bin/kubelet
+    sha256: "{{kubelet_checksum}}"
+    url: "{{ kube_download_url }}/kubelet"
+    owner: "kube"
+    mode: "0755"
+
+  - name: kubernetes-kubectl
+    dest: kubernetes/bin/kubectl
+    sha256: "{{kubectl_checksum}}"
+    url: "{{ kube_download_url }}/kubectl"
+    owner: "kube"
+    mode: "0755"
+
+  - name: kubernetes-apiserver
+    dest: kubernetes/bin/kube-apiserver
+    sha256: "{{kube_apiserver_checksum}}"
+    url: "{{ kube_download_url }}/kube-apiserver"
+    owner: "kube"
+    mode: "0755"
@@ -0,0 +1,32 @@
+---
+- name: Create dest directories
+  file: path={{local_release_dir}}/{{item.dest|dirname}} state=directory recurse=yes
+  with_items: downloads
+
+- name: Download items
+  get_url:
+    url: "{{item.url}}"
+    dest: "{{local_release_dir}}/{{item.dest}}"
+    sha256sum: "{{item.sha256 | default(omit)}}"
+    owner: "{{ item.owner|default(omit) }}"
+    mode: "{{ item.mode|default(omit) }}"
+  with_items: downloads
+
+- name: Extract archives
+  unarchive:
+    src: "{{ local_release_dir }}/{{item.dest}}"
+    dest: "{{ local_release_dir }}/{{item.dest|dirname}}"
+    owner: "{{ item.owner|default(omit) }}"
+    mode: "{{ item.mode|default(omit) }}"
+    copy: no
+  when: "{{item.unarchive is defined and item.unarchive == True}}"
+  with_items: downloads
+
+- name: Fix permissions
+  file:
+    state: file
+    path: "{{local_release_dir}}/{{item.dest}}"
+    owner: "{{ item.owner|default(omit) }}"
+    mode: "{{ item.mode|default(omit) }}"
+  when: "{{item.unarchive is not defined or item.unarchive == False}}"
+  with_items: downloads
@@ -0,0 +1,3 @@
+---
+etcd_version: v2.2.4
+etcd_bin_dir: "{{ local_release_dir }}/etcd/etcd-{{ etcd_version }}-linux-amd64/"
@@ -0,0 +1,15 @@
+---
+- name: restart etcd
+  command: /bin/true
+  notify:
+    - reload systemd
+    - reload etcd
+
+- name: reload systemd
+  command: systemctl daemon-reload
+  when: init_system == "systemd"
+
+- name: reload etcd
+  service:
+    name: etcd
+    state: restarted
@@ -0,0 +1,23 @@
+---
+- name: Configure |  Copy etcd.service systemd file
+  template:
+    src: etcd.service.j2
+    dest: /lib/systemd/system/etcd.service
+    backup: yes
+  when: init_system == "systemd"
+  notify: restart etcd
+
+- name: Configure |  Write etcd  initd script
+  template:
+    src: deb-etcd.initd.j2
+    dest: /etc/init.d/etcd
+    owner: root
+    mode: 0755
+  when: init_system == "sysvinit" and ansible_os_family == "Debian"
+  notify: restart etcd
+
+- name: Configure |  Create etcd config file
+  template:
+    src: etcd.j2
+    dest: /etc/etcd.env
+  notify: restart etcd
@@ -0,0 +1,9 @@
+---
+- name: Install | Copy etcd binary
+  command: rsync -piu "{{ etcd_bin_dir }}/etcd" "{{ bin_dir }}/etcd"
+  register: etcd_copy
+  changed_when: false
+
+- name: Install | Copy etcdctl binary
+  command: rsync -piu "{{ etcd_bin_dir }}/etcdctl" "{{ bin_dir }}/etcdctl"
+  changed_when: false
@@ -0,0 +1,18 @@
+---
+- include: install.yml
+- include: configure.yml
+
+- name: Restart etcd if binary changed
+  command: /bin/true
+  notify: restart etcd
+  when: etcd_copy.stdout_lines
+
+# reload systemd before starting service
+- meta: flush_handlers
+
+
+- name: Ensure etcd is running
+  service:
+    name: etcd
+    state: started
+    enabled: yes
@@ -0,0 +1,113 @@
+#!/bin/sh
+set -a
+
+### BEGIN INIT INFO
+# Provides:   etcd
+# Required-Start:    $local_fs $network $syslog
+# Required-Stop:
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: etcd distributed k/v store
+# Description:
+#   etcd is a distributed, consistent key-value store for shared configuration and service discovery
+### END INIT INFO
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+DESC="etcd k/v store"
+NAME=etcd
+DAEMON={{ bin_dir }}/etcd
+{% if inventory_hostname in groups['etcd'] %}
+DAEMON_ARGS=""
+{% else %}
+DAEMON_ARGS="-proxy on"
+{% endif %}
+SCRIPTNAME=/etc/init.d/$NAME
+DAEMON_USER=etcd
+STOP_SCHEDULE="${STOP_SCHEDULE:-QUIT/5/TERM/5/KILL/5}"
+PID=/var/run/etcd.pid
+
+# Exit if the binary is not present
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -f /etc/etcd.env ] && . /etc/etcd.env
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+do_status()
+{
+    status_of_proc -p $PID "$DAEMON" "$NAME" && exit 0 || exit $?
+}
+
+# Function that starts the daemon/service
+#
+do_start()
+{
+    start-stop-daemon --background --start --quiet --make-pidfile --pidfile $PID --user $DAEMON_USER --exec $DAEMON \
+        $DAEMON_OPTS \
+        || return 2
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+    start-stop-daemon --stop --quiet --retry=$STOP_SCHEDULE --pidfile $PID --name $NAME
+    RETVAL="$?"
+
+    sleep 1
+    return "$RETVAL"
+}
+
+
+case "$1" in
+  start)
+        log_daemon_msg "Starting $DESC" "$NAME"
+        do_start
+        case "$?" in
+                0|1) log_end_msg 0 || exit 0 ;;
+                2) log_end_msg 1 || exit 1 ;;
+        esac
+        ;;
+  stop)
+        log_daemon_msg "Stopping $DESC" "$NAME"
+        if do_stop; then
+            log_end_msg 0
+        else
+            log_failure_msg "Can't stop etcd"
+            log_end_msg 1
+        fi
+        ;;
+  status)
+        if do_status; then
+            log_end_msg 0
+        else
+            log_failure_msg "etcd is not running"
+            log_end_msg 1
+        fi
+        ;;
+
+  restart|force-reload)
+        log_daemon_msg "Restarting $DESC" "$NAME"
+        if do_stop; then
+            if do_start; then
+                log_end_msg 0
+                exit 0
+            else
+                rc="$?"
+            fi
+        else
+           rc="$?"
+        fi
+        log_failure_msg "Can't restart etcd"
+        log_end_msg ${rc}
+        ;;
+  *)
+        echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+        exit 3
+        ;;
+esac
@@ -0,0 +1,17 @@
+ETCD_DATA_DIR="/var/lib/etcd"
+{% if inventory_hostname in groups['etcd'] %}
+{% set etcd = {} %}
+{%     for host in groups['etcd'] %}
+{%         if inventory_hostname == host %}
+{%             set _dummy = etcd.update({'name':"etcd"+loop.index|string}) %}
+{%         endif %}
+{%     endfor %}
+ETCD_ADVERTISE_CLIENT_URLS="http://{{ hostvars[inventory_hostname]['ip'] | default( ansible_default_ipv4.address) }}:2379"
+ETCD_INITIAL_ADVERTISE_PEER_URLS="http://{{ hostvars[inventory_hostname]['ip'] | default( ansible_default_ipv4.address)  }}:2380"
+ETCD_INITIAL_CLUSTER_STATE="new"
+ETCD_INITIAL_CLUSTER_TOKEN="k8s_etcd"
+ETCD_LISTEN_PEER_URLS="http://{{ hostvars[inventory_hostname]['ip'] | default( ansible_default_ipv4.address)  }}:2380"
+ETCD_NAME="{{ etcd.name }}"
+{% endif %}
+ETCD_INITIAL_CLUSTER="{% for host in groups['etcd'] %}etcd{{ loop.index|string }}=http://{{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}:2380{% if not loop.last %},{% endif %}{% endfor %}"
+ETCD_LISTEN_CLIENT_URLS="http://{{ hostvars[inventory_hostname]['ip'] | default( ansible_default_ipv4.address)  }}:2379,http://127.0.0.1:2379"
@@ -0,0 +1,18 @@
+[Unit]
+Description=etcd
+
+
+[Service]
+User=etcd
+EnvironmentFile=/etc/etcd.env
+{% if inventory_hostname in groups['etcd'] %}
+ExecStart={{ bin_dir }}/etcd
+{% else %}
+ExecStart={{ bin_dir }}/etcd -proxy on
+{% endif %}
+Restart=always
+RestartSec=10s
+LimitNOFILE=40000
+
+[Install]
+WantedBy=multi-user.target
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kube-system
@@ -0,0 +1,4 @@
+---
+- name: restart kube-apiserver
+  set_fact:
+    restart_apimaster: True
@@ -0,0 +1,4 @@
+---
+dependencies:
+  - { role: etcd }
+  - { role: kubernetes/node }
@@ -0,0 +1,24 @@
+---
+- name: tokens | generate tokens for master components
+  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
+  environment:
+    TOKEN_DIR: "{{ kube_token_dir }}"
+  with_nested:
+    - [ "system:kubectl" ]
+    - "{{ groups['kube-master'] }}"
+  register: gentoken_master
+  changed_when: "'Added' in gentoken_master.stdout"
+  when: inventory_hostname == groups['kube-master'][0]
+  notify: restart kube-apiserver
+
+- name: tokens | generate tokens for node components
+  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
+  environment:
+    TOKEN_DIR: "{{ kube_token_dir }}"
+  with_nested:
+    - [ 'system:kubelet' ]
+    - "{{ groups['kube-node'] }}"
+  register: gentoken_node
+  changed_when: "'Added' in gentoken_node.stdout"
+  when: inventory_hostname == groups['kube-master'][0]
+  notify: restart kube-apiserver
@@ -0,0 +1,126 @@
+---
+- include: gen_kube_tokens.yml
+  tags: tokens
+
+- name: Copy kubectl bash completion
+  copy:
+    src: kubectl_bash_completion.sh
+    dest: /etc/bash_completion.d/kubectl.sh
+
+- name: Copy kube-apiserver binary
+  command: rsync -piu "{{ local_release_dir }}/kubernetes/bin/kube-apiserver" "{{ bin_dir }}/kube-apiserver"
+  register: kube_apiserver_copy
+  changed_when: false
+
+- name: Copy kubectl binary
+  command: rsync -piu "{{ local_release_dir }}/kubernetes/bin/kubectl" "{{ bin_dir }}/kubectl"
+  changed_when: false
+
+- name: populate users for basic auth in API
+  lineinfile:
+    dest: "{{ kube_users_dir }}/known_users.csv"
+    create: yes
+    line: '{{ item.value.pass }},{{ item.key }},{{ item.value.role }}'
+    backup: yes
+  with_dict: "{{ kube_users }}"
+  notify: restart kube-apiserver
+
+# Sync masters
+- name: synchronize auth directories for masters
+  synchronize:
+    src: "{{ item }}"
+    dest: "{{ kube_config_dir }}"
+    recursive: yes
+    delete: yes
+    rsync_opts: [ '--one-file-system']
+    set_remote_user: false
+  with_items:
+    - "{{ kube_token_dir }}"
+    - "{{ kube_cert_dir }}"
+    - "{{ kube_users_dir }}"
+  delegate_to: "{{ groups['kube-master'][0] }}"
+  when: inventory_hostname != "{{ groups['kube-master'][0] }}"
+
+- name: install | Write kube-apiserver systemd init file
+  template:
+    src: "kube-apiserver.service.j2"
+    dest: "/etc/systemd/system/kube-apiserver.service"
+    backup: yes
+  when: init_system == "systemd"
+  notify: restart kube-apiserver
+
+- name: install | Write kube-apiserver initd script
+  template:
+    src: "deb-kube-apiserver.initd.j2"
+    dest: "/etc/init.d/kube-apiserver"
+    owner: root
+    mode: 0755
+    backup: yes
+  when: init_system == "sysvinit" and ansible_os_family == "Debian"
+
+- name: Write kube-apiserver config file
+  template:
+    src: "kube-apiserver.j2"
+    dest: "{{ kube_config_dir }}/kube-apiserver.env"
+    backup: yes
+  notify: restart kube-apiserver
+
+- name: Allow apiserver to bind on both secure and insecure ports
+  shell: setcap cap_net_bind_service+ep {{ bin_dir }}/kube-apiserver
+  changed_when: false
+
+- name: Restart apiserver
+  command: "/bin/true"
+  notify: restart kube-apiserver
+  when: is_gentoken_calico|default(false)
+
+- meta: flush_handlers
+
+- include: start.yml
+  with_items: groups['kube-master']
+  when: "{{ hostvars[item].inventory_hostname == inventory_hostname }}"
+
+# Create kube-system namespace
+- name: copy 'kube-system' namespace manifest
+  copy: src=namespace.yml dest=/etc/kubernetes/kube-system-ns.yml
+  run_once: yes
+  when: inventory_hostname == groups['kube-master'][0]
+
+- name: Check if kube-system exists
+  command: kubectl get ns kube-system
+  register: 'kubesystem'
+  changed_when: False
+  ignore_errors: yes
+  run_once: yes
+
+- name: wait for the apiserver to be running
+  wait_for:
+    port: "{{kube_apiserver_insecure_port}}"
+    timeout: 60
+
+- name: Create 'kube-system' namespace
+  command: kubectl create -f /etc/kubernetes/kube-system-ns.yml
+  changed_when: False
+  when: kubesystem|failed and inventory_hostname == groups['kube-master'][0]
+
+# Write manifests
+- name: Write kube-controller-manager manifest
+  template:
+    src: manifests/kube-controller-manager.manifest.j2
+    dest: "{{ kube_config_dir }}/kube-controller-manager.manifest"
+
+- name: Write kube-scheduler manifest
+  template:
+    src: manifests/kube-scheduler.manifest.j2
+    dest: "{{ kube_config_dir }}/kube-scheduler.manifest"
+
+- name: Write podmaster manifest
+  template:
+    src: manifests/kube-podmaster.manifest.j2
+    dest: "{{ kube_manifest_dir }}/kube-podmaster.manifest"
+
+- name: restart kubelet
+  service:
+    name: kubelet
+    state: restarted
+  changed_when: false
@@ -0,0 +1,21 @@
+---
+- name: Pause
+  pause: seconds=10
+
+- name: reload systemd
+  command: systemctl daemon-reload
+  when: init_system == "systemd" and restart_apimaster is defined and restart_apimaster == True
+
+- name: reload kube-apiserver
+  service:
+    name: kube-apiserver
+    state: restarted
+    enabled: yes
+  when: restart_apimaster is defined and restart_apimaster == True
+
+- name: Enable apiserver
+  service:
+    name: kube-apiserver
+    enabled: yes
+    state: started
+  when: restart_apimaster is not defined or restart_apimaster == False
@@ -0,0 +1,118 @@
+#!/bin/bash
+#
+### BEGIN INIT INFO
+# Provides:   kube-apiserver 
+# Required-Start:    $local_fs $network $syslog
+# Required-Stop:
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: The Kubernetes apiserver
+# Description:
+#   The Kubernetes apiserver.
+### END INIT INFO
+
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+DESC="The Kubernetes apiserver"
+NAME=kube-apiserver
+DAEMON={{ bin_dir }}/kube-apiserver
+DAEMON_LOG_FILE=/var/log/$NAME.log
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/$NAME
+DAEMON_USER=root
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/kubernetes/$NAME.env ] && . /etc/kubernetes/$NAME.env
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+        # Return
+        #   0 if daemon has been started
+        #   1 if daemon was already running
+        #   2 if daemon could not be started
+        start-stop-daemon --start --quiet --background --no-close \
+                --make-pidfile --pidfile $PIDFILE \
+                --exec $DAEMON -c $DAEMON_USER --test > /dev/null \
+                || return 1
+        start-stop-daemon --start --quiet --background --no-close \
+                --make-pidfile --pidfile $PIDFILE \
+                --exec $DAEMON -c $DAEMON_USER -- \
+                $DAEMON_ARGS >> $DAEMON_LOG_FILE 2>&1 \
+                || return 2
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+        # Return
+        #   0 if daemon has been stopped
+        #   1 if daemon was already stopped
+        #   2 if daemon could not be stopped
+        #   other if a failure occurred
+        start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+        RETVAL="$?"
+        [ "$RETVAL" = 2 ] && return 2
+        # Many daemons don't delete their pidfiles when they exit.
+        rm -f $PIDFILE
+        return "$RETVAL"
+}
+
+
+case "$1" in
+  start)
+        log_daemon_msg "Starting $DESC" "$NAME"
+        do_start
+        case "$?" in
+                0|1) log_end_msg 0 || exit 0 ;;
+                2) log_end_msg 1 || exit 1 ;;
+        esac
+        ;;
+  stop)
+        log_daemon_msg "Stopping $DESC" "$NAME"
+        do_stop
+        case "$?" in
+                0|1) log_end_msg 0 ;;
+                2) exit 1 ;;
+        esac
+        ;;
+  status)
+        status_of_proc -p $PIDFILE "$DAEMON" "$NAME" && exit 0 || exit $?
+        ;;
+
+  restart|force-reload)
+        log_daemon_msg "Restarting $DESC" "$NAME"
+        do_stop
+        case "$?" in
+          0|1)
+                do_start
+                case "$?" in
+                        0) log_end_msg 0 ;;
+                        1) log_end_msg 1 ;; # Old process is still running
+                        *) log_end_msg 1 ;; # Failed to start
+                esac
+                ;;
+          *)
+                # Failed to stop
+                log_end_msg 1
+                ;;
+        esac
+        ;;
+  *)
+        echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+        exit 3
+        ;;
+esac
@@ -0,0 +1,44 @@
+###
+# kubernetes system config
+#
+# The following values are used to configure the kube-apiserver
+
+{% if init_system == "sysvinit" %}
+# Logging directory
+KUBE_LOGGING="--log-dir={{ kube_log_dir }} --logtostderr=true"
+{% else %}
+# logging to stderr means we get it in the systemd journal
+KUBE_LOGGING="--logtostderr=true"
+{% endif %}
+
+# Apiserver Log level, 0 is debug
+KUBE_LOG_LEVEL="{{ kube_log_level | default('--v=2') }}"
+
+# Should this cluster be allowed to run privileged docker containers
+KUBE_ALLOW_PRIV="--allow_privileged=true"
+
+# The port on the local server to listen on.
+KUBE_API_PORT="--insecure-port={{kube_apiserver_insecure_port}} --secure-port={{ kube_apiserver_port }}"
+
+# Address range to use for services
+KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range={{ kube_service_addresses }}"
+
+# Location of the etcd cluster
+KUBE_ETCD_SERVERS="--etcd_servers={% for host in groups['etcd'] %}http://{{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}:2379{% if not loop.last %},{% endif %}{% endfor %}"
+
+# default admission control policies
+KUBE_ADMISSION_CONTROL="--admission_control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota"
+
+# RUNTIME API CONFIGURATION (e.g. enable extensions)
+KUBE_RUNTIME_CONFIG="{% if kube_api_runtime_config is defined %}{% for conf in kube_api_runtime_config %}--runtime-config={{ conf }} {% endfor %}{% endif %}"
+
+# TLS CONFIGURATION
+KUBE_TLS_CONFIG="--tls_cert_file={{ kube_cert_dir }}/apiserver.pem --tls_private_key_file={{ kube_cert_dir }}/apiserver-key.pem --client_ca_file={{ kube_cert_dir }}/ca.pem"
+
+# Add you own!
+KUBE_API_ARGS="--token_auth_file={{ kube_token_dir }}/known_tokens.csv --basic-auth-file={{ kube_users_dir }}/known_users.csv --service_account_key_file={{ kube_cert_dir }}/apiserver-key.pem"
+
+{% if init_system == "sysvinit" %}
+DAEMON_ARGS="$KUBE_LOGGING $KUBE_LOG_LEVEL $KUBE_ALLOW_PRIV $KUBE_API_PORT $KUBE_SERVICE_ADDRESSES \
+$KUBE_ETCD_SERVERS $KUBE_ADMISSION_CONTROL $KUBE_RUNTIME_CONFIG $KUBE_TLS_CONFIG $KUBE_API_ARGS"
+{% endif %}
@@ -0,0 +1,28 @@
+[Unit]
+Description=Kubernetes API Server
+Documentation=https://github.com/GoogleCloudPlatform/kubernetes
+Requires=etcd.service
+After=etcd.service
+
+[Service]
+EnvironmentFile=/etc/kubernetes/kube-apiserver.env
+User=kube
+ExecStart={{ bin_dir }}/kube-apiserver \
+        $KUBE_LOGTOSTDERR \
+        $KUBE_LOG_LEVEL \
+        $KUBE_ETCD_SERVERS \
+        $KUBE_API_ADDRESS \
+        $KUBE_API_PORT \
+        $KUBELET_PORT \
+        $KUBE_ALLOW_PRIV \
+        $KUBE_SERVICE_ADDRESSES \
+        $KUBE_ADMISSION_CONTROL \
+        $KUBE_RUNTIME_CONFIG \
+        $KUBE_TLS_CONFIG \
+        $KUBE_API_ARGS
+Restart=on-failure
+Type=notify
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Config
+current-context: kubectl-to-{{ cluster_name }}
+preferences: {}
+clusters:
+- cluster:
+    certificate-authority-data: {{ kube_node_cert|b64encode }}
+    server: https://{{ groups['kube-master'][0] }}:{{ kube_apiserver_port }}
+  name: {{ cluster_name }}
+contexts:
+- context:
+    cluster: {{ cluster_name }}
+    user: kubectl
+  name: kubectl-to-{{ cluster_name }}
+users:
+- name: kubectl
+  user:
+    token: {{ kubectl_token }}
@@ -0,0 +1,52 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: kube-apiserver
+spec:
+  hostNetwork: true
+  containers:
+  - name: kube-apiserver
+    image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}
+    command:
+    - /hyperkube
+    - apiserver
+    - --etcd-servers={% for srv in groups['etcd'] %}http://{{ srv }}:2379{% if not loop.last %},{% endif %}{% endfor %}
+
+    - --admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
+    - --service-cluster-ip-range={{ kube_service_addresses }}
+    - --client-ca-file={{ kube_cert_dir }}/ca.pem
+    - --basic-auth-file={{ kube_users_dir }}/known_users.csv
+    - --tls-cert-file={{ kube_cert_dir }}/apiserver.pem
+    - --tls-private-key-file={{ kube_cert_dir }}/apiserver-key.pem
+    - --service-account-key-file={{ kube_cert_dir }}/apiserver-key.pem
+    - --secure-port={{ kube_apiserver_port }}
+    - --insecure-port={{ kube_apiserver_insecure_port }}
+{% if kube_api_runtime_config is defined %}
+{%   for conf in kube_api_runtime_config %}
+    - --runtime-config={{ conf }}
+{%   endfor %}
+{% endif %}
+    - --token-auth-file={{ kube_token_dir }}/known_tokens.csv
+    - --v={{ kube_log_level | default('2') }}
+    - --allow-privileged=true
+    ports:
+    - containerPort: {{ kube_apiserver_port }}
+      hostPort: {{ kube_apiserver_port }}
+      name: https
+    - containerPort: {{ kube_apiserver_insecure_port }}
+      hostPort: {{ kube_apiserver_insecure_port }}
+      name: local
+    volumeMounts:
+    - mountPath: {{ kube_config_dir }}
+      name: kubernetes-config
+      readOnly: true
+    - mountPath: /etc/ssl/certs
+      name: ssl-certs-host
+      readOnly: true
+  volumes:
+  - hostPath:
+      path: {{ kube_config_dir }}
+    name: kubernetes-config
+  - hostPath:
+      path: /usr/share/ca-certificates
+    name: ssl-certs-host
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: kube-controller-manager
+  namespace: kube-system
+spec:
+  hostNetwork: true
+  containers:
+  - name: kube-controller-manager
+    image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}
+    command:
+    - /hyperkube
+    - controller-manager
+    - --master=http://127.0.0.1:{{kube_apiserver_insecure_port}}
+    - --service-account-private-key-file={{ kube_cert_dir }}/apiserver-key.pem
+    - --root-ca-file={{ kube_cert_dir }}/ca.pem
+    - --v={{ kube_log_level | default('2') }}
+    livenessProbe:
+      httpGet:
+        host: 127.0.0.1
+        path: /healthz
+        port: 10252
+      initialDelaySeconds: 15
+      timeoutSeconds: 1
+    volumeMounts:
+    - mountPath: {{ kube_cert_dir }}
+      name: ssl-certs-kubernetes
+      readOnly: true
+    - mountPath: /etc/ssl/certs
+      name: ssl-certs-host
+      readOnly: true
+  volumes:
+  - hostPath:
+      path: {{ kube_cert_dir }}
+    name: ssl-certs-kubernetes
+  - hostPath:
+      path: /usr/share/ca-certificates
+    name: ssl-certs-host
@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: kube-podmaster
+  namespace: kube-system
+spec:
+  hostNetwork: true
+  containers:
+  - name: scheduler-elector
+    image: gcr.io/google_containers/podmaster:1.1
+    command:
+    - /podmaster
+    - --etcd-servers={% for srv in groups['etcd'] %}http://{{ srv }}:2379{% if not loop.last %},{% endif %}{% endfor %}
+
+    - --key=scheduler
+    - --source-file={{ kube_config_dir}}/kube-scheduler.manifest
+    - --dest-file={{ kube_manifest_dir }}/kube-scheduler.manifest
+    volumeMounts:
+    - mountPath: {{ kube_config_dir }}
+      name: manifest-src
+      readOnly: true
+    - mountPath: {{ kube_manifest_dir }}
+      name: manifest-dst
+  - name: controller-manager-elector
+    image: gcr.io/google_containers/podmaster:1.1
+    command:
+    - /podmaster
+    - --etcd-servers={% for srv in groups['etcd'] %}http://{{ srv }}:2379{% if not loop.last %},{% endif %}{% endfor %}
+
+    - --key=controller
+    - --source-file={{ kube_config_dir }}/kube-controller-manager.manifest
+    - --dest-file={{ kube_manifest_dir }}/kube-controller-manager.manifest
+    terminationMessagePath: /dev/termination-log
+    volumeMounts:
+    - mountPath: {{ kube_config_dir }}
+      name: manifest-src
+      readOnly: true
+    - mountPath: {{ kube_manifest_dir }}
+      name: manifest-dst
+  volumes:
+  - hostPath:
+      path: {{ kube_config_dir }}
+    name: manifest-src
+  - hostPath:
+      path: {{ kube_manifest_dir }}
+    name: manifest-dst
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: kube-scheduler
+  namespace: kube-system
+spec:
+  hostNetwork: true
+  containers:
+  - name: kube-scheduler
+    image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}
+    command:
+    - /hyperkube
+    - scheduler
+    - --master=http://127.0.0.1:{{kube_apiserver_insecure_port}}
+    - --v={{ kube_log_level | default('2') }}
+    livenessProbe:
+      httpGet:
+        host: 127.0.0.1
+        path: /healthz
+        port: 10251
+      initialDelaySeconds: 15
+      timeoutSeconds: 1
@@ -0,0 +1,6 @@
+---
+namespace_kubesystem:
+  apiVersion: v1
+  kind: Namespace
+  metadata:
+    name: kube-system
@@ -0,0 +1,48 @@
+# This directory is where all the additional scripts go
+# that Kubernetes normally puts in /srv/kubernetes.
+# This puts them in a sane location
+kube_script_dir: "{{ bin_dir }}/kubernetes-scripts"
+
+# This directory is where all the additional config stuff goes
+# the kubernetes normally puts in /srv/kubernets.
+# This puts them in a sane location.
+# Editting this value will almost surely break something. Don't
+# change it. Things like the systemd scripts are hard coded to
+# look in here. Don't do it.
+kube_config_dir: /etc/kubernetes
+
+# This is where all the cert scripts and certs will be located
+kube_cert_dir: "{{ kube_config_dir }}/ssl"
+
+# This is where all of the bearer tokens will be stored
+kube_token_dir: "{{ kube_config_dir }}/tokens"
+
+# This is where to save basic auth file
+kube_users_dir: "{{ kube_config_dir }}/users"
+
+# This is where you can drop yaml/json files and the kubelet will run those
+# pods on startup
+kube_manifest_dir: "{{ kube_config_dir }}/manifests"
+
+# Logging directory (sysvinit systems)
+kube_log_dir: "/var/log/kubernetes"
+
+dns_domain: "{{ cluster_name }}"
+
+kube_proxy_mode: userspace
+
+# Temporary image, waiting for official google release
+#  hyperkube_image_repo: gcr.io/google_containers/hyperkube
+hyperkube_image_repo: quay.io/ant31/kubernetes-hyperkube
+hyperkube_image_tag: v1.1.4
+
+# IP address of the DNS server.
+# Kubernetes will create a pod with several containers, serving as the DNS
+# server and expose it under this IP address. The IP address must be from
+# the range specified as kube_service_addresses. This magic will actually
+# pick the 10th ip address in the kube_service_addresses range and use that.
+dns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(253)|ipaddr('address') }}"
+
+kube_api_runtime_config:
+  - extensions/v1beta1/daemonsets=true
+  - extensions/v1beta1/deployments=true
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+# Copyright 2015 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+token_dir=${TOKEN_DIR:-/var/srv/kubernetes}
+token_file="${token_dir}/known_tokens.csv"
+
+create_accounts=($@)
+
+if [ ! -e "${token_file}" ]; then
+  touch "${token_file}"
+fi
+
+for account in "${create_accounts[@]}"; do
+  if grep ",${account}," "${token_file}" ; then
+    continue
+  fi
+  token=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
+  echo "${token},${account},${account}" >> "${token_file}"
+  echo "${token}" > "${token_dir}/${account}.token"
+  echo "Added ${account}"
+done
@@ -0,0 +1,107 @@
+#!/bin/bash
+
+# Author: skahlouc@skahlouc-laptop
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o pipefail
+
+usage()
+{
+    cat << EOF
+Create self signed certificates
+
+Usage : $(basename $0) -f <config> [-c <cloud_provider>] [-d <ssldir>] [-g <ssl_group>]
+      -h | --help         : Show this message
+      -f | --config       : Openssl configuration file
+      -c | --cloud        : Cloud provider (GCE, AWS or AZURE)
+      -d | --ssldir       : Directory where the certificates will be installed
+      -g | --sslgrp       : Group of the certificates
+               
+               ex : 
+               $(basename $0) -f openssl.conf -c GCE -d /srv/ssl -g kube
+EOF
+}
+
+# Options parsing
+while (($#)); do
+    case "$1" in
+        -h | --help)   usage;   exit 0;;
+        -f | --config) CONFIG=${2}; shift 2;;
+        -c | --cloud) CLOUD=${2}; shift 2;;
+        -d | --ssldir) SSLDIR="${2}"; shift 2;; 
+        -g | --group) SSLGRP="${2}"; shift 2;;
+        *)
+            usage
+            echo "ERROR : Unknown option"
+            exit 3
+        ;;
+    esac
+done
+
+if [ -z ${CONFIG} ]; then
+    echo "ERROR: the openssl configuration file is missing. option -f"
+    exit 1
+fi
+if [ -z ${SSLDIR} ]; then
+    SSLDIR="/etc/kubernetes/certs"
+fi
+if [ -z ${SSLGRP} ]; then
+    SSLGRP="kube-cert"
+fi
+
+#echo "config=$CONFIG, cloud=$CLOUD, certdir=$SSLDIR, certgroup=$SSLGRP"
+
+SUPPORTED_CLOUDS="GCE AWS AZURE"
+
+# TODO: Add support for discovery on other providers?
+if [ "${CLOUD}" == "GCE" ]; then
+  CLOUD_IP=$(curl -s -H Metadata-Flavor:Google http://metadata.google.internal./computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip)
+fi
+
+if [ "${CLOUD}" == "AWS" ]; then
+  CLOUD_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
+fi
+
+if [ "${CLOUD}" == "AZURE" ]; then
+  CLOUD_IP=$(uname -n | awk -F. '{ print $2 }').cloudapp.net
+fi
+
+tmpdir=$(mktemp -d --tmpdir kubernetes_cacert.XXXXXX)
+trap 'rm -rf "${tmpdir}"' EXIT
+cd "${tmpdir}"
+
+mkdir -p "${SSLDIR}"
+
+# Root CA
+openssl genrsa -out ca-key.pem 2048 > /dev/null 2>&1
+openssl req -x509 -new -nodes -key ca-key.pem -days 10000 -out ca.pem -subj "/CN=kube-ca" > /dev/null 2>&1
+
+# Apiserver
+openssl genrsa -out apiserver-key.pem 2048 > /dev/null 2>&1
+openssl req -new -key apiserver-key.pem -out apiserver.csr -subj "/CN=kube-apiserver" -config ${CONFIG} > /dev/null 2>&1
+openssl x509 -req -in apiserver.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out apiserver.pem -days 365 -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1
+
+# Nodes and Admin
+for i in node admin; do
+    openssl genrsa -out ${i}-key.pem 2048 > /dev/null 2>&1
+    openssl req -new -key ${i}-key.pem -out ${i}.csr -subj "/CN=kube-${i}" > /dev/null 2>&1
+    openssl x509 -req -in ${i}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ${i}.pem -days 365 > /dev/null 2>&1
+done
+
+# Install certs
+mv *.pem ${SSLDIR}/
+chgrp ${SSLGRP} ${SSLDIR}/*
+chmod 600 ${SSLDIR}/*-key.pem
+chown root:root ${SSLDIR}/*-key.pem
@@ -0,0 +1,19 @@
+---
+- name: reload systemd
+  command: systemctl daemon-reload
+  when: init_system == "systemd"
+
+- name: restart kubelet
+  command: /bin/true
+  notify:
+    - reload systemd
+    - reload kubelet
+
+- name: set is_gentoken_calico fact
+  set_fact:
+    is_gentoken_calico: true
+
+- name: reload kubelet
+  service:
+    name: kubelet
+    state: restarted
@@ -0,0 +1,27 @@
+---
+- name: tokens | copy the token gen script
+  copy:
+    src=kube-gen-token.sh
+    dest={{ kube_script_dir }}
+    mode=u+x
+  when: inventory_hostname == groups['kube-master'][0]
+
+- name: tokens | generate tokens for calico
+  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
+  environment:
+    TOKEN_DIR: "{{ kube_token_dir }}"
+  with_nested:
+    - [ "system:calico" ]
+    - "{{ groups['k8s-cluster'] }}"
+  register: gentoken_calico
+  changed_when: "'Added' in gentoken_calico.stdout"
+  when: kube_network_plugin == "calico"
+  delegate_to: "{{ groups['kube-master'][0] }}"
+  notify: set is_gentoken_calico fact
+
+- name: tokens | get the calico token values
+  slurp:
+    src: "{{ kube_token_dir }}/system:calico-{{ inventory_hostname }}.token"
+  register: calico_token
+  when: kube_network_plugin == "calico"
+  delegate_to: "{{ groups['kube-master'][0] }}"
@@ -0,0 +1,28 @@
+---
+- name: certs | install cert generation script
+  copy:
+    src=make-ssl.sh
+    dest={{ kube_script_dir }}
+    mode=0500
+  changed_when: false
+
+- name: certs | write openssl config
+  template:
+    src: "openssl.conf.j2"
+    dest: "{{ kube_config_dir }}/.openssl.conf"
+
+- name: certs | run cert generation script
+  shell: >
+    {{ kube_script_dir }}/make-ssl.sh
+    -f {{ kube_config_dir }}/.openssl.conf
+    -g {{ kube_cert_group }}
+    -d {{ kube_cert_dir }}
+  args:
+    creates: "{{ kube_cert_dir }}/apiserver.pem"
+
+- name: certs | check certificate permissions
+  file:
+    path={{ kube_cert_dir }}
+    group={{ kube_cert_group }}
+    owner=kube
+    recurse=yes
--- a/Show More
+++ b/Show More