RubyGems - porkadot - Versions diffs - 0.1.0 → 0.18.1 - Mend

porkadot 0.1.0 → 0.18.1

Files changed (37) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d234a54eadea75f593857f0d1a697af8be3cb74c5a4b48bb42b19ec966a905ae
-  data.tar.gz: a62e0011627d9d7f5b93e34fadd8c76df6dc88496c7ff39b561d808880ac1570
+  metadata.gz: 9ee36f6490d8e4d8cfa07f29fae9b79a4a2eda35fe977f052f60ec7aa43ce802
+  data.tar.gz: 675c0c3679ee246844abfaaf39f0230c5b63fa2b661bcb21bb111f1ff7a0e6d5
 SHA512:
-  metadata.gz: e359ab5f970e9ed84d82c1210a4c74215bec8fb878a42b736add72a2c27771ab1c8fe3d36125387694b3ea84c626f5b5bbdcbc9bbcb25e0f47dfa6c54484c651
-  data.tar.gz: 1dda5458027c308e37832c74cd66b67422935c88968960b2ea017aa30aad2a6d39aa3ca2d3eaeb0d334431e4a2e50f4eb2e35bd43cca8b216eccab9c93a38c6b
+  metadata.gz: bef9c31a3f3371702948ad4c5b18df384387a42a2d363c0820a250227659b45db3c3a3260929c3821860f8eff9800c6fd983a52211bc5885b4b65af3962ece1f
+  data.tar.gz: 542e8cbeb5bd220ff9b6c12c109c55a88f1d1315cc3c17bf01ce2e8af9816293117bcf8002ab32330cf257b41285b35cfe43d30820f50ff7c2230f3027c49765

data/lib/porkadot/assets.rb CHANGED

@@ -4,6 +4,15 @@ module Porkadot::Assets
       space = space.times.map{' '}.join('')
       text.lines.map{|line| "#{space}#{line}"}.join('')
     end
+    def to_yaml(obj, space=0)
+      h = Hashie::Mash.new({obj: obj})
+      h = h.to_hash
+      if h['obj'].size == 0
+        return ''
+      end
+      return self.indent(h['obj'].to_yaml(canonical: false, header: false).gsub(/---\n/, ''), space)
+    end
   end
   def render_erb file, opts={}
@@ -21,4 +30,19 @@ module Porkadot::Assets
     end
   end
+  def render_secrets_erb file, opts={}
+    file = file.to_s
+    opts[:config] = self.config
+    opts[:global_config] = self.global_config
+    opts[:certs] = Porkadot::Assets::Certs.new(self.global_config)
+    opts[:u] = ErbUtils.new
+    logger.info "----> #{file}"
+    open(File.join(self.class::TEMPLATE_DIR, "#{file}.erb")) do |io|
+      open(config.secrets_path(file), 'w') do |out|
+        out.write ERB.new(io.read, trim_mode: '-').result_with_hash(opts)
+      end
+    end
+  end
 end

data/lib/porkadot/assets/bootstrap.rb CHANGED

@@ -18,8 +18,8 @@ module Porkadot; module Assets
     def render
       logger.info "--> Rendering bootstrap manifests"
-      unless File.directory?(config.target_path)
-        FileUtils.mkdir_p(config.target_path)
+      unless File.directory?(config.bootstrap_path)
+        FileUtils.mkdir_p(config.bootstrap_path)
       end
       render_secrets
       render_erb 'bootstrap/kubeconfig-bootstrap.yaml'

data/lib/porkadot/assets/etcd.rb CHANGED

@@ -50,6 +50,9 @@ module Porkadot; module Assets
       unless File.directory?(config.target_path)
         FileUtils.mkdir_p(config.target_path)
       end
+      unless File.directory?(config.target_secrets_path)
+        FileUtils.mkdir_p(config.target_secrets_path)
+      end
       render_ca_crt
       render_etcd_crt
       render_erb 'etcd-server.yaml', etcd: global_config.etcd
@@ -83,7 +86,7 @@ module Porkadot; module Assets
         ca_key = self.certs.ca_key
         ca_cert = self.certs.ca_cert(false)
         @etcd_cert = certs.unsigned_cert(
-          "/O=porkadot:etcd-servers/CN=porkadot:etcd-server-#{config.member_name}",
+          "/O=porkadot:etcd-servers/CN=#{config.member_name}",
           self.etcd_key, ca_cert,
           1 * 365 * 24 * 60 * 60
         )

data/lib/porkadot/assets/etcd/etcd-server.yaml.erb CHANGED

@@ -30,6 +30,8 @@ spec:
     - --data-dir=/var/lib/etcd
     - --heartbeat-interval=1000
     - --election-timeout=10000
+    env:
+<%= u.to_yaml(etcd.extra_env, 4) -%>
     volumeMounts:
     - mountPath: /var/lib/etcd
       name: etcd

data/lib/porkadot/assets/kubelet.rb CHANGED

@@ -50,6 +50,9 @@ module Porkadot; module Assets
       unless File.directory?(config.target_path)
         FileUtils.mkdir_p(config.target_path)
       end
+      unless File.directory?(config.target_secrets_path)
+        FileUtils.mkdir_p(config.target_secrets_path)
+      end
       ca_data = certs.ca_cert.to_pem
       ca_data = Base64.strict_encode64(ca_data)

data/lib/porkadot/assets/kubelet/config.yaml.erb CHANGED

@@ -32,5 +32,7 @@ streamingConnectionIdleTimeout: 0s
 syncFrequency: 0s
 volumeStatsAggPeriod: 0s
 serverTLSBootstrap: true
+featureGates:
+  CSIMigration: false
 # vim:filetype=yaml

data/lib/porkadot/assets/kubelet/install-deps.sh.erb CHANGED

@@ -1,21 +1,39 @@
 #!/bin/bash
+architecture="arm64"
+case $(uname -m) in
+    x86_64) architecture="amd64" ;;
+    arm)    dpkg --print-architecture | grep -q "arm64" && architecture="arm64" || architecture="arm" ;;
+esac
+echo $architecture
 CNI_VERSION="<%= global_config.k8s.networking.cni_version %>"
 mkdir -p /opt/cni/bin
-curl -L "https://github.com/containernetworking/plugins/releases/download/${CNI_VERSION}/cni-plugins-linux-amd64-${CNI_VERSION}.tgz" | tar -C /opt/cni/bin -xz
+curl -L "https://github.com/containernetworking/plugins/releases/download/${CNI_VERSION}/cni-plugins-linux-${architecture}-${CNI_VERSION}.tgz" | tar -C /opt/cni/bin -xz
 RELEASE="<%= global_config.k8s.kubernetes_version %>"
 mkdir -p /opt/bin
-curl -L https://storage.googleapis.com/kubernetes-release/release/${RELEASE}/bin/linux/amd64/kubectl \
+curl -L https://storage.googleapis.com/kubernetes-release/release/${RELEASE}/bin/linux/${architecture}/kubectl \
   -o /opt/bin/kubectl-${RELEASE}
 chmod +x /opt/bin/kubectl-${RELEASE}
 rm -f /opt/bin/kubectl
 ln -s /opt/bin/kubectl-${RELEASE} /opt/bin/kubectl
-curl -L https://storage.googleapis.com/kubernetes-release/release/${RELEASE}/bin/linux/amd64/kubelet \
+curl -L https://storage.googleapis.com/kubernetes-release/release/${RELEASE}/bin/linux/${architecture}/kubelet \
   -o /opt/bin/kubelet-${RELEASE}
 chmod +x /opt/bin/kubelet-${RELEASE}
 rm -f /opt/bin/kubelet
 ln -s /opt/bin/kubelet-${RELEASE} /opt/bin/kubelet
+ETCD_VER="<%= global_config.etcd.image_tag.gsub(/\-\w+$/, '') %>"
+ETCD_URL=https://storage.googleapis.com/etcd/${ETCD_VER}/etcd-${ETCD_VER}-linux-${architecture}.tar.gz
+ETCD_TMP=$(mktemp -d)
+curl -L ${ETCD_URL} -o ${ETCD_TMP}/etcd.tar.gz
+tar zxvf ${ETCD_TMP}/etcd.tar.gz -C ${ETCD_TMP}/ --strip-components=1
+chmod +x ${ETCD_TMP}/etcdctl
+rm -f /opt/bin/etcdctl
+mv ${ETCD_TMP}/etcdctl /opt/bin/etcdctl-${ETCD_VER}
+ln -s /opt/bin/etcdctl-${ETCD_VER} /opt/bin/etcdctl

data/lib/porkadot/assets/kubelet/install-pkgs.sh.erb CHANGED

@@ -4,6 +4,7 @@ export LC_ALL=C
 ROOT=$(dirname "${BASH_SOURCE}")
 if type apt-get > /dev/null 2>&1 ;then
+  export DEBIAN_FRONTEND=noninteractive
   apt-get update
   apt-get install -y \
       ca-certificates \
@@ -22,7 +23,8 @@ if type apt-get > /dev/null 2>&1 ;then
       nfs-common \
       socat \
       udev \
-      util-linux
+      util-linux \
+      open-iscsi
 fi
 cat <<EOF >  /etc/sysctl.d/k8s.conf
@@ -30,4 +32,10 @@ net.bridge.bridge-nf-call-ip6tables = 1
 net.bridge.bridge-nf-call-iptables = 1
 EOF
+cat <<EOF > /etc/iscsi/initiatorname.iscsi
+InitiatorName=iqn.2020-04.cloud.unstable:<%= config.hostname %>
+EOF
+systemctl restart iscsid.service
 sysctl --system

data/lib/porkadot/assets/kubernetes.rb CHANGED

@@ -20,18 +20,27 @@ module Porkadot; module Assets
       unless File.directory?(config.manifests_path)
         FileUtils.mkdir_p(config.manifests_path)
       end
+      unless File.directory?(config.manifests_secrets_path)
+        FileUtils.mkdir_p(config.manifests_secrets_path)
+      end
       lb = global_config.lb
       cni = global_config.cni
       render_erb 'manifests/porkadot.yaml'
       render_erb 'manifests/kubelet.yaml'
       render_erb "manifests/#{lb.type}.yaml"
+      render_secrets_erb "manifests/#{lb.type}.secrets.yaml"
       render_erb "manifests/#{cni.type}.yaml"
+      render_erb "manifests/coredns.yaml"
+      render_erb "manifests/dns-horizontal-autoscaler.yaml"
       render_erb "manifests/kube-apiserver.yaml"
+      render_secrets_erb "manifests/kube-apiserver.secrets.yaml"
       render_erb "manifests/kube-proxy.yaml"
       render_erb "manifests/kube-scheduler.yaml"
       render_erb "manifests/kube-controller-manager.yaml"
+      render_secrets_erb "manifests/kube-controller-manager.secrets.yaml"
       render_erb "manifests/pod-checkpointer.yaml"
       render_erb "manifests/kubelet-rubber-stamp.yaml"
+      render_erb "manifests/storage-version-migrator.yaml"
       render_erb 'install.sh'
     end

data/lib/porkadot/assets/kubernetes/manifests/coredns.yaml.erb ADDED

@@ -0,0 +1,202 @@
+<% k8s = global_config.k8s -%>
+# __MACHINE_GENERATED_WARNING__
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: coredns
+  namespace: kube-system
+  labels:
+      kubernetes.io/cluster-service: "true"
+      addonmanager.kubernetes.io/mode: Reconcile
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    kubernetes.io/bootstrapping: rbac-defaults
+    addonmanager.kubernetes.io/mode: Reconcile
+  name: system:coredns
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  - services
+  - pods
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  labels:
+    kubernetes.io/bootstrapping: rbac-defaults
+    addonmanager.kubernetes.io/mode: EnsureExists
+  name: system:coredns
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:coredns
+subjects:
+- kind: ServiceAccount
+  name: coredns
+  namespace: kube-system
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: coredns
+  namespace: kube-system
+  labels:
+      addonmanager.kubernetes.io/mode: EnsureExists
+data:
+  Corefile: |
+    .:53 {
+        errors
+        health {
+            lameduck 5s
+        }
+        ready
+        kubernetes <%= k8s.networking.dns_domain %>  in-addr.arpa ip6.arpa {
+            pods insecure
+            fallthrough in-addr.arpa ip6.arpa
+            ttl 30
+        }
+        prometheus :9153
+        forward . /etc/resolv.conf
+        cache 30
+        loop
+        reload
+        loadbalance
+    }
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: coredns
+  namespace: kube-system
+  labels:
+    k8s-app: kube-dns
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+    kubernetes.io/name: "CoreDNS"
+spec:
+  # replicas: not specified here:
+  # 1. In order to make Addon Manager do not reconcile this replicas parameter.
+  # 2. Default is 1.
+  # 3. Will be tuned in real time if DNS horizontal auto-scaling is turned on.
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+  selector:
+    matchLabels:
+      k8s-app: kube-dns
+  template:
+    metadata:
+      labels:
+        k8s-app: kube-dns
+      annotations:
+        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
+    spec:
+      priorityClassName: system-cluster-critical
+      serviceAccountName: coredns
+      tolerations:
+        - key: "CriticalAddonsOnly"
+          operator: "Exists"
+      nodeSelector:
+        kubernetes.io/os: linux
+      containers:
+      - name: coredns
+        image: k8s.gcr.io/coredns:1.6.7
+        imagePullPolicy: IfNotPresent
+        resources:
+          limits:
+            memory: 170Mi
+          requests:
+            cpu: 100m
+            memory: 70Mi
+        args: [ "-conf", "/etc/coredns/Corefile" ]
+        volumeMounts:
+        - name: config-volume
+          mountPath: /etc/coredns
+          readOnly: true
+        ports:
+        - containerPort: 53
+          name: dns
+          protocol: UDP
+        - containerPort: 53
+          name: dns-tcp
+          protocol: TCP
+        - containerPort: 9153
+          name: metrics
+          protocol: TCP
+        livenessProbe:
+          httpGet:
+            path: /health
+            port: 8080
+            scheme: HTTP
+          initialDelaySeconds: 60
+          timeoutSeconds: 5
+          successThreshold: 1
+          failureThreshold: 5
+        readinessProbe:
+          httpGet:
+            path: /ready
+            port: 8181
+            scheme: HTTP
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - all
+          readOnlyRootFilesystem: true
+      dnsPolicy: Default
+      volumes:
+        - name: config-volume
+          configMap:
+            name: coredns
+            items:
+            - key: Corefile
+              path: Corefile
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: kube-dns
+  namespace: kube-system
+  annotations:
+    prometheus.io/port: "9153"
+    prometheus.io/scrape: "true"
+  labels:
+    k8s-app: kube-dns
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+    kubernetes.io/name: "CoreDNS"
+spec:
+  selector:
+    k8s-app: kube-dns
+  clusterIP: <%= k8s.networking.dns_ip %>
+  ports:
+  - name: dns
+    port: 53
+    protocol: UDP
+  - name: dns-tcp
+    port: 53
+    protocol: TCP
+  - name: metrics
+    port: 9153
+    protocol: TCP

data/lib/porkadot/assets/kubernetes/manifests/dns-horizontal-autoscaler.yaml.erb ADDED

@@ -0,0 +1,110 @@
+# Copyright 2016 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: kube-dns-autoscaler
+  namespace: kube-system
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: system:kube-dns-autoscaler
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+rules:
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["list", "watch"]
+  - apiGroups: [""]
+    resources: ["replicationcontrollers/scale"]
+    verbs: ["get", "update"]
+  - apiGroups: ["apps"]
+    resources: ["deployments/scale", "replicasets/scale"]
+    verbs: ["get", "update"]
+# Remove the configmaps rule once below issue is fixed:
+# kubernetes-incubator/cluster-proportional-autoscaler#16
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get", "create"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: system:kube-dns-autoscaler
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+subjects:
+  - kind: ServiceAccount
+    name: kube-dns-autoscaler
+    namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: system:kube-dns-autoscaler
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kube-dns-autoscaler
+  namespace: kube-system
+  labels:
+    k8s-app: kube-dns-autoscaler
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+spec:
+  selector:
+    matchLabels:
+      k8s-app: kube-dns-autoscaler
+  template:
+    metadata:
+      labels:
+        k8s-app: kube-dns-autoscaler
+      annotations:
+        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+    spec:
+      priorityClassName: system-cluster-critical
+      securityContext:
+        supplementalGroups: [ 65534 ]
+        fsGroup: 65534
+      nodeSelector:
+        kubernetes.io/os: linux
+      containers:
+      - name: autoscaler
+        image: k8s.gcr.io/cluster-proportional-autoscaler-amd64:1.7.1
+        resources:
+            requests:
+                cpu: "20m"
+                memory: "10Mi"
+        command:
+          - /cluster-proportional-autoscaler
+          - --namespace=kube-system
+          - --configmap=kube-dns-autoscaler
+          # Should keep target in sync with cluster/addons/dns/kube-dns.yaml.base
+          - --target=Deployment/coredns
+          # When cluster is using large nodes(with more cores), "coresPerReplica" should dominate.
+          # If using small nodes, "nodesPerReplica" should dominate.
+          - --default-params={"linear":{"coresPerReplica":256,"nodesPerReplica":16,"preventSinglePointFailure":true}}
+          - --logtostderr=true
+          - --v=2
+      tolerations:
+      - key: "CriticalAddonsOnly"
+        operator: "Exists"
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: kube-dns-autoscaler