Add flex volume driver/provisioner support

Author: garthy

identity/user.tf renamed to identity/cloud_controller_user.tf

@@ -18,7 +18,7 @@ resource "oci_identity_api_key" "cloud_controller_key_assoc" {
 }
 
 resource "oci_identity_user_group_membership" "cloud_controller_user_group_assoc" {
-  compartment_id = "${var.compartment_ocid}"
+  compartment_id = "${var.tenancy_ocid}"
   user_id = "${oci_identity_user.cloud_controller_user.id}"
   group_id = "${oci_identity_group.cloud_controller_group.id}"
 }

identity/flexvolume_user.tf

@@ -0,0 +1,40 @@
+resource "tls_private_key" "flexvolume_driver_user_key" {
+  algorithm   = "RSA" rsa_bits = 2048
+}
+
+resource "oci_identity_group" "flexvolume_driver_group" {
+  name = "${var.label_prefix}flexvolume_driver_group"
+  description = "Terraform created group for OCI Cloud Controller Manager"
+}
+
+resource "oci_identity_user" "flexvolume_driver_user" {
+  name = "${var.label_prefix}flexvolume_driver_user"
+  description = "Terraform created user for OCI Cloud Controller Manager"
+}
+
+resource "oci_identity_api_key" "flexvolume_driver_key_assoc" {
+  user_id = "${oci_identity_user.flexvolume_driver_user.id}"
+  key_value = "${tls_private_key.flexvolume_driver_user_key.public_key_pem}"
+}
+
+resource "oci_identity_user_group_membership" "flexvolume_driver_user_group_assoc" {
+  compartment_id = "${var.tenancy_ocid}"
+  user_id = "${oci_identity_user.flexvolume_driver_user.id}"
+  group_id = "${oci_identity_group.flexvolume_driver_group.id}"
+}
+
+resource "oci_identity_policy" "flexvolume_driver_policy" {
+  depends_on = ["oci_identity_group.flexvolume_driver_group"]
+  compartment_id = "${var.compartment_ocid}"
+  name = "${var.label_prefix}flexvolume_driver_policy"
+  description = "${var.label_prefix}flexvolume_driver_group policy"
+  statements = [
+    "Allow group id ${oci_identity_group.flexvolume_driver_group.id} to read vnic-attachments in compartment id ${var.compartment_ocid}",
+    "Allow group id ${oci_identity_group.flexvolume_driver_group.id} to read vnics in compartment id ${var.compartment_ocid}",
+    "Allow group id ${oci_identity_group.flexvolume_driver_group.id} to read instances in compartment id ${var.compartment_ocid}",
+    "Allow group id ${oci_identity_group.flexvolume_driver_group.id} to read subnets in compartment id ${var.compartment_ocid}",
+    "Allow group id ${oci_identity_group.flexvolume_driver_group.id} to use volumes in compartment id ${var.compartment_ocid}",
+    "Allow group id ${oci_identity_group.flexvolume_driver_group.id} to use instances in compartment id ${var.compartment_ocid}",
+    "Allow group id ${oci_identity_group.flexvolume_driver_group.id} to manage volume-attachments in compartment id ${var.compartment_ocid}",
+  ]
+}

identity/outputs.tf

@@ -14,3 +14,38 @@ output "cloud_controller_private_key" {
 output "cloud_controller_user_fingerprint" {
   value = "run 'terraform output cloud_controller_private_key > cc_key && openssl rsa -in cc_key -pubout -outform DER | openssl md5 -c && rm cc_key' determine the fingerprint"
 }
+
+output "flexvolume_driver_user" {
+  value = "${oci_identity_user.flexvolume_driver_user.id}"
+}
+
+output "flexvolume_driver_public_key" {
+  value = "${tls_private_key.flexvolume_driver_user_key.public_key_pem}"
+}
+
+output "flexvolume_driver_private_key" {
+  sensitive = true
+  value = "${tls_private_key.flexvolume_driver_user_key.private_key_pem}"
+}
+
+output "flexvolume_driver_user_fingerprint" {
+  value = "run 'terraform output flexvolume_driver_private_key > cc_key && openssl rsa -in cc_key -pubout -outform DER | openssl md5 -c && rm cc_key' determine the fingerprint"
+}
+
+output "volume_provisioner_user" {
+  value = "${oci_identity_user.volume_provisioner_user.id}"
+}
+
+output "volume_provisioner_public_key" {
+  value = "${tls_private_key.volume_provisioner_user_key.public_key_pem}"
+}
+
+output "volume_provisioner_private_key" {
+  sensitive = true
+  value = "${tls_private_key.volume_provisioner_user_key.private_key_pem}"
+}
+
+output "volume_provisioner_user_fingerprint" {
+  value = "run 'terraform output volume_provisioner_private_key > cc_key && openssl rsa -in cc_key -pubout -outform DER | openssl md5 -c && rm cc_key' determine the fingerprint"
+}
+

identity/volume_provisioner_user.tf

@@ -0,0 +1,34 @@
+resource "tls_private_key" "volume_provisioner_user_key" {
+  algorithm   = "RSA" rsa_bits = 2048
+}
+
+resource "oci_identity_group" "volume_provisioner_group" {
+  name = "${var.label_prefix}volume_provisioner_group"
+  description = "Terraform created group for OCI Cloud Controller Manager"
+}
+
+resource "oci_identity_user" "volume_provisioner_user" {
+  name = "${var.label_prefix}volume_provisioner_user"
+  description = "Terraform created user for OCI Cloud Controller Manager"
+}
+
+resource "oci_identity_api_key" "volume_provisioner_key_assoc" {
+  user_id = "${oci_identity_user.volume_provisioner_user.id}"
+  key_value = "${tls_private_key.volume_provisioner_user_key.public_key_pem}"
+}
+
+resource "oci_identity_user_group_membership" "volume_provisioner_user_group_assoc" {
+  compartment_id = "${var.tenancy_ocid}"
+  user_id = "${oci_identity_user.volume_provisioner_user.id}"
+  group_id = "${oci_identity_group.volume_provisioner_group.id}"
+}
+
+resource "oci_identity_policy" "volume_provisioner_policy" {
+  depends_on = ["oci_identity_group.volume_provisioner_group"]
+  compartment_id = "${var.compartment_ocid}"
+  name = "${var.label_prefix}volume_provisioner_policy"
+  description = "${var.label_prefix}volume_provisioner_group policy"
+  statements = [
+    "Allow group id ${oci_identity_group.volume_provisioner_group.id} to manage volumes in compartment id ${var.compartment_ocid}",
+  ]
+}

instances/k8smaster/cloud_init/bootstrap.template.yaml

@@ -57,6 +57,16 @@ write_files:
     encoding: "gzip+base64"
     content: |
       ${cloud_provider_secret_content}
+  - path: "/root/flexvolume-driver-secret.yaml"
+    permissions: "0600"
+    encoding: "gzip+base64"
+    content: |
+      ${flexvolume_driver_secret_content}
+  - path: "/root/volume-provisioner-secret.yaml"
+    permissions: "0600"
+    encoding: "gzip+base64"
+    content: |
+      ${volume_provisioner_secret_content}
   - path: "/root/services/flannel.service"
     permissions: "0600"
     encoding: "gzip+base64"

instances/k8smaster/datasources.tf

@@ -145,6 +145,8 @@ data "template_file" "kube_master_cloud_init_file" {
     cnibridge_service_content                = "${base64gzip(data.template_file.cnibridge-service.rendered)}"
     cnibridge_sh_content                     = "${base64gzip(data.template_file.cnibridge-sh.rendered)}"
     cloud_provider_secret_content            = "${base64gzip(var.cloud_controller_secret)}"
+    flexvolume_driver_secret_content         = "${base64gzip(var.flexvolume_driver_secret)}"
+    volume_provisioner_secret_content        = "${base64gzip(var.volume_provisioner_secret)}"
   }
 }
 

instances/k8smaster/manifests/kube-controller-manager.yaml

@@ -32,10 +32,10 @@ spec:
     - mountPath: /etc/kubernetes/ca
       name: ssl-certs-kubernetes
       readOnly: true
-    - mountPath: /etc/ssl/certs
+    - mountPath: /etc/ssl
       name: ssl-certs-host
       readOnly: true
-    - mountPath: /etc/pki/certs
+    - mountPath: /etc/pki
       name: pki-certs-host
       readOnly: true
     - mountPath: /usr/libexec/kubernetes/kubelet-plugins
@@ -45,10 +45,10 @@ spec:
       path: /etc/kubernetes/ssl
     name: ssl-certs-kubernetes
   - hostPath:
-      path: /etc/ssl/certs
+      path: /etc/ssl
     name: ssl-certs-host
   - hostPath:
-      path: /etc/pki/certs
+      path: /etc/pki
     name: pki-certs-host
   - hostPath:
       path: /usr/libexec/kubernetes/kubelet-plugins

instances/k8smaster/scripts/setup.template.sh

@@ -114,6 +114,13 @@ cat >/etc/cni/net.d/10-flannel.conf <<EOF
 }
 EOF
 
+## Install Flex Volume Driver for OCI
+#####################################
+mkdir -p /usr/libexec/kubernetes/kubelet-plugins/volume/exec/oracle~oci/
+curl -L --retry 3 https://github.com/oracle/oci-flexvolume-driver/releases/download/0.1.0/oci -o/usr/libexec/kubernetes/kubelet-plugins/volume/exec/oracle~oci/oci
+chmod a+x /usr/libexec/kubernetes/kubelet-plugins/volume/exec/oracle~oci/oci
+mv /root/flexvolume-driver-secret.yaml /usr/libexec/kubernetes/kubelet-plugins/volume/exec/oracle~oci/config.yaml
+
 ## Install kubelet, kubectl, and kubernetes-cni
 ###############################################
 yum-config-manager --add-repo http://yum.kubernetes.io/repos/kubernetes-el7-x86_64
@@ -190,4 +197,13 @@ kubectl create -f /root/services/kube-dns.yaml
 ## install kubernetes-dashboard
 kubectl create -f /root/services/kubernetes-dashboard.yaml
 
+## Install Volume Provisioner of OCI
+kubectl create secret generic oci-volume-provisioner -n kube-system --from-file=config.yaml=/root/volume-provisioner-secret.yaml
+kubectl apply -f https://raw.githubusercontent.com/oracle/oci-volume-provisioner/master/manifests/oci-volume-provisioner-rbac.yaml
+kubectl apply -f https://raw.githubusercontent.com/oracle/oci-volume-provisioner/master/manifests/oci-volume-provisioner.yaml
+kubectl apply -f https://raw.githubusercontent.com/oracle/oci-volume-provisioner/master/manifests/storage-class.yaml
+kubectl apply -f https://raw.githubusercontent.com/oracle/oci-volume-provisioner/master/manifests/storage-class-ext3.yaml
+
+rm -f /root/volume-provisioner-secret.yaml
+
 echo "Finished running setup.sh"

instances/k8smaster/variables.tf

@@ -73,3 +73,7 @@ variable "master_docker_max_log_files" {
 }
 
 variable "cloud_controller_secret" {}
+
+variable "flexvolume_driver_secret" {}
+
+variable "volume_provisioner_secret" {}

instances/k8sworker/scripts/setup.template.sh

@@ -158,6 +158,13 @@ cat >/etc/cni/net.d/10-flannel.conf <<EOF
 }
 EOF
 
+## Install Flex Volume Driver for OCI
+#####################################
+mkdir -p /usr/libexec/kubernetes/kubelet-plugins/volume/exec/oracle~oci/
+curl -L --retry 3 https://github.com/oracle/oci-flexvolume-driver/releases/download/0.1.0/oci -o/usr/libexec/kubernetes/kubelet-plugins/volume/exec/oracle~oci/oci
+chmod a+x /usr/libexec/kubernetes/kubelet-plugins/volume/exec/oracle~oci/oci
+
+
 ## Install kubelet, kubectl, and kubernetes-cni
 ###############################################
 yum-config-manager --add-repo http://yum.kubernetes.io/repos/kubernetes-el7-x86_64