porkadot 0.1.0

data/lib/porkadot/assets/kubernetes/manifests/kube-apiserver.yaml.erb

@@ -0,0 +1,129 @@
+<% k8s = global_config.k8s -%>
+---
+apiVersion: v1
+data:
+  apiserver.crt: <%= certs.kubernetes.to_base64(:apiserver_cert) %>
+  apiserver.key: <%= certs.kubernetes.to_base64(:apiserver_key) %>
+  ca.crt: <%= certs.kubernetes.to_base64(:ca_cert) %>
+  front-proxy-ca.crt: <%= certs.front_proxy.to_base64(:ca_cert) %>
+  front-proxy-client.crt: <%= certs.front_proxy.to_base64(:client_cert) %>
+  front-proxy-client.key: <%= certs.front_proxy.to_base64(:client_key) %>
+  kubelet-client.crt: <%= certs.kubernetes.to_base64(:kubelet_client_cert) %>
+  kubelet-client.key: <%= certs.kubernetes.to_base64(:kubelet_client_key) %>
+  sa.pub: <%= certs.kubernetes.to_base64(:sa_public_key) %>
+kind: Secret
+metadata:
+  name: kube-apiserver
+  namespace: kube-system
+  labels:
+    <%- k8s.apiserver.labels.each do |k, v| -%>
+    <%= k.to_s %>: <%= v %>
+    <%- end -%>
+type: Opaque
+---
+apiVersion: v1
+data:
+  ca.crt: <%= certs.etcd.to_base64(:ca_cert) %>
+  etcd-client.crt:  <%= certs.etcd.to_base64(:client_cert) %>
+  etcd-client.key:  <%= certs.etcd.to_base64(:client_key) %>
+kind: Secret
+metadata:
+  name: etcd-tls
+  namespace: kube-system
+  labels:
+    <%- k8s.apiserver.labels.each do |k, v| -%>
+    <%= k.to_s %>: <%= v %>
+    <%- end -%>
+type: Opaque
+---
+apiVersion: "apps/v1"
+kind: DaemonSet
+metadata:
+  name: kube-apiserver
+  namespace: kube-system
+  labels:
+    <%- k8s.apiserver.labels.each do |k, v| -%>
+    <%= k.to_s %>: <%= v %>
+    <%- end -%>
+spec:
+  selector:
+    matchLabels:
+      <%- k8s.apiserver.instance_labels.each do |k, v| -%>
+      <%= k.to_s %>: <%= v %>
+      <%- end -%>
+  template:
+    metadata:
+      labels:
+        <%- k8s.apiserver.labels.each do |k, v| -%>
+        <%= k.to_s %>: <%= v %>
+        <%- end -%>
+      annotations:
+        checkpointer.alpha.coreos.com/checkpoint: "true"
+    spec:
+      containers:
+      - name: kube-apiserver
+        resources:
+          requests:
+            cpu: 250m
+        image: <%= k8s.image_repository %>/kube-apiserver:<%= k8s.kubernetes_version %>
+        command:
+        - kube-apiserver
+        <%- k8s.apiserver.args.each do |k, v| -%>
+        - <%= k %><% if v ;%>=<%= v %><%; end %>
+        <%- end -%>
+        env:
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        volumeMounts:
+        - mountPath: /etc/ca-certificates
+          name: etc-ca-certificates
+          readOnly: true
+        - mountPath: /etc/ssl/certs
+          name: ca-certs
+          readOnly: true
+        - mountPath: /usr/share/ca-certificates
+          name: usr-share-ca-certificates
+          readOnly: true
+        - mountPath: /etc/kubernetes/pki/kubernetes
+          name: k8s-tls
+          readOnly: true
+        - mountPath: /etc/kubernetes/pki/etcd
+          name: etcd-tls
+          readOnly: true
+        - mountPath: /var/lock
+          name: var-lock
+          readOnly: false
+      hostNetwork: true
+      priorityClassName: system-cluster-critical
+      nodeSelector:
+        k8s.unstable.cloud/master: ""
+      tolerations:
+      - key: CriticalAddonsOnly
+        operator: Exists
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+      volumes:
+      - hostPath:
+          path: /etc/ssl/certs
+          type: DirectoryOrCreate
+        name: ca-certs
+      - hostPath:
+          path: /usr/share/ca-certificates
+          type: DirectoryOrCreate
+        name: usr-share-ca-certificates
+      - hostPath:
+          path: /etc/ca-certificates
+          type: DirectoryOrCreate
+        name: etc-ca-certificates
+      - name: k8s-tls
+        secret:
+          secretName: kube-apiserver
+      - name: etcd-tls
+        secret:
+          secretName: etcd-tls
+      - name: var-lock
+        hostPath:
+          path: /var/lock

data/lib/porkadot/assets/kubernetes/manifests/kube-controller-manager.yaml.erb

@@ -0,0 +1,173 @@
+<% k8s = global_config.k8s -%>
+---
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  name: kube-controller-manager
+  namespace: kube-system
+  labels:
+    <%- k8s.controller_manager.labels.each do |k, v| -%>
+    <%= k.to_s %>: <%= v %>
+    <%- end -%>
+spec:
+  minAvailable: 1
+  selector:
+    matchLabels:
+      <%- k8s.controller_manager.instance_labels.each do |k, v| -%>
+      <%= k.to_s %>: <%= v %>
+      <%- end -%>
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: porkadot:kube-controller-manager
+  labels:
+    <%- k8s.controller_manager.labels.each do |k, v| -%>
+    <%= k.to_s %>: <%= v %>
+    <%- end -%>
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:kube-controller-manager
+subjects:
+- kind: ServiceAccount
+  name: kube-controller-manager
+  namespace: kube-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kube-controller-manager
+  namespace: kube-system
+  labels:
+    <%- k8s.controller_manager.labels.each do |k, v| -%>
+    <%= k.to_s %>: <%= v %>
+    <%- end -%>
+---
+apiVersion: v1
+data:
+  ca.crt: <%= certs.kubernetes.to_base64(:ca_cert) %>
+  ca.key: <%= certs.kubernetes.to_base64(:ca_key) %>
+  sa.key: <%= certs.kubernetes.to_base64(:sa_private_key) %>
+kind: Secret
+metadata:
+  name: kube-controller-manager
+  namespace: kube-system
+  labels:
+    <%- k8s.controller_manager.labels.each do |k, v| -%>
+    <%= k.to_s %>: <%= v %>
+    <%- end -%>
+type: Opaque
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kube-controller-manager
+  namespace: kube-system
+  labels:
+    <%- k8s.controller_manager.labels.each do |k, v| -%>
+    <%= k.to_s %>: <%= v %>
+    <%- end -%>
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      <%- k8s.controller_manager.instance_labels.each do |k, v| -%>
+      <%= k.to_s %>: <%= v %>
+      <%- end -%>
+  template:
+    metadata:
+      labels:
+        <%- k8s.controller_manager.labels.each do |k, v| -%>
+        <%= k.to_s %>: <%= v %>
+        <%- end -%>
+      annotations:
+        scheduler.alpha.kubernetes.io/critical-pod: ''
+    spec:
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 100
+            podAffinityTerm:
+              labelSelector:
+                matchExpressions:
+                - key: 'app.kubernetes.io/component'
+                  operator: In
+                  values:
+                  - kube-controller-manager
+                - key: 'app.kubernetes.io/managed-by'
+                  operator: In
+                  values:
+                  - porkadot
+              topologyKey: kubernetes.io/hostname
+      containers:
+      - name: kube-controller-manager
+        resources:
+          requests:
+            cpu: 200m
+        image: <%= k8s.image_repository %>/kube-controller-manager:<%= k8s.kubernetes_version %>
+        command:
+        - kube-controller-manager
+        <%- k8s.controller_manager.args.each do |k, v| -%>
+        - <%= k %><% if v ;%>=<%= v %><%; end %>
+        <%- end -%>
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 10252  # Note: Using default port. Update if --port option is set differently.
+          initialDelaySeconds: 15
+          timeoutSeconds: 15
+        volumeMounts:
+        - name: var-run-kubernetes
+          mountPath: /var/run/kubernetes
+        - name: secrets
+          mountPath: /etc/kubernetes/pki/kubernetes
+          readOnly: true
+        - mountPath: /usr/libexec/kubernetes/kubelet-plugins/volume/exec
+          name: flexvolume-dir
+        - mountPath: /usr/share/ca-certificates
+          name: usr-share-ca-certificates
+          readOnly: true
+        - mountPath: /etc/ca-certificates
+          name: etc-ca-certificates
+          readOnly: true
+        - mountPath: /etc/ssl/certs
+          name: ca-certs
+          readOnly: true
+      priorityClassName: system-cluster-critical
+      nodeSelector:
+        k8s.unstable.cloud/master: ""
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+      serviceAccountName: kube-controller-manager
+      tolerations:
+      - key: CriticalAddonsOnly
+        operator: Exists
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+      volumes:
+      - name: var-run-kubernetes
+        emptyDir: {}
+      - name: secrets
+        secret:
+          secretName: kube-controller-manager
+      - hostPath:
+          path: /etc/ssl/certs
+          type: DirectoryOrCreate
+        name: ca-certs
+      - hostPath:
+          path: /var/lib/kubelet/volumeplugins
+          type: DirectoryOrCreate
+        name: flexvolume-dir
+      - hostPath:
+          path: /usr/share/ca-certificates
+          type: DirectoryOrCreate
+        name: usr-share-ca-certificates
+      - hostPath:
+          path: /etc/ca-certificates
+          type: DirectoryOrCreate
+        name: etc-ca-certificates
+      dnsPolicy: Default # Don't use cluster DNS.
+

data/lib/porkadot/assets/kubernetes/manifests/kube-proxy.yaml.erb

@@ -0,0 +1,132 @@
+<% k8s = global_config.k8s -%>
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: porkadot:node-proxier
+  labels:
+    <%- k8s.proxy.labels.each do |k, v| -%>
+    <%= k.to_s %>: <%= v %>
+    <%- end -%>
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:node-proxier
+subjects:
+- kind: ServiceAccount
+  name: kube-proxy
+  namespace: kube-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kube-proxy
+  namespace: kube-system
+  labels:
+    <%- k8s.proxy.labels.each do |k, v| -%>
+    <%= k.to_s %>: <%= v %>
+    <%- end -%>
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: kube-proxy
+  namespace: kube-system
+  labels:
+    <%- k8s.proxy.labels.each do |k, v| -%>
+    <%= k.to_s %>: <%= v %>
+    <%- end -%>
+data:
+  config.conf: |-
+<%= u.indent(k8s.proxy.proxy_config, 4) %>
+  kubeconfig.conf: |
+    apiVersion: v1
+    kind: Config
+    clusters:
+    - cluster:
+        certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+        server: https://<%= k8s.control_plane_endpoint %>
+      name: default
+    contexts:
+    - context:
+        cluster: default
+        namespace: default
+        user: default
+      name: default
+    current-context: default
+    users:
+    - name: default
+      user:
+        tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    <%- k8s.proxy.labels.each do |k, v| -%>
+    <%= k.to_s %>: <%= v %>
+    <%- end -%>
+  name: kube-proxy
+  namespace: kube-system
+spec:
+  selector:
+    matchLabels:
+      <%- k8s.proxy.instance_labels.each do |k, v| -%>
+      <%= k.to_s %>: <%= v %>
+      <%- end -%>
+  template:
+    metadata:
+      labels:
+        <%- k8s.proxy.labels.each do |k, v| -%>
+        <%= k.to_s %>: <%= v %>
+        <%- end -%>
+      annotations:
+        scheduler.alpha.kubernetes.io/critical-pod: ''
+    spec:
+      containers:
+      - name: kube-proxy
+        image: <%= k8s.image_repository %>/kube-proxy:<%= k8s.kubernetes_version %>
+        imagePullPolicy: IfNotPresent
+        command:
+        - kube-proxy
+        <%- k8s.proxy.args.each do |k, v| -%>
+        - <%= k %><% if v ;%>=<%= v %><%; end %>
+        <%- end -%>
+        env:
+          - name: NODE_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.nodeName
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - mountPath: /var/lib/kube-proxy
+          name: kube-proxy
+        - mountPath: /run/xtables.lock
+          name: xtables-lock
+        - mountPath: /lib/modules
+          name: lib-modules
+          readOnly: true
+      hostNetwork: true
+      priorityClassName: system-node-critical
+      serviceAccountName: kube-proxy
+      tolerations:
+      - operator: Exists
+        effect: NoSchedule
+      volumes:
+      - configMap:
+          defaultMode: 420
+          name: kube-proxy
+        name: kube-proxy
+      - hostPath:
+          path: /run/xtables.lock
+          type: FileOrCreate
+        name: xtables-lock
+      - hostPath:
+          path: /lib/modules
+          type: ""
+        name: lib-modules
+  updateStrategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate

data/lib/porkadot/assets/kubernetes/manifests/kube-scheduler.yaml.erb

@@ -0,0 +1,162 @@
+<% k8s = global_config.k8s -%>
+---
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  name: kube-scheduler
+  namespace: kube-system
+  labels:
+    <%- k8s.scheduler.labels.each do |k, v| -%>
+    <%= k.to_s %>: <%= v %>
+    <%- end -%>
+spec:
+  minAvailable: 1
+  selector:
+    matchLabels:
+      <%- k8s.scheduler.instance_labels.each do |k, v| -%>
+      <%= k.to_s %>: <%= v %>
+      <%- end -%>
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: porkadot:kube-scheduler
+  labels:
+    <%- k8s.scheduler.labels.each do |k, v| -%>
+    <%= k.to_s %>: <%= v %>
+    <%- end -%>
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:kube-scheduler
+subjects:
+- kind: ServiceAccount
+  name: kube-scheduler
+  namespace: kube-system
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: porkadot:volume-scheduler
+  labels:
+    <%- k8s.scheduler.labels.each do |k, v| -%>
+    <%= k.to_s %>: <%= v %>
+    <%- end -%>
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:volume-scheduler
+subjects:
+- kind: ServiceAccount
+  name: kube-scheduler
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: porkadot:kube-scheduler
+  namespace: kube-system
+rules:
+- apiGroups: [""] # "" indicates the core API group
+  resources: ["pods"]
+  verbs: ["get", "watch", "list"]
+- apiGroups: [""] # "" indicates the core API group
+  resources: ["secrets", "configmaps"]
+  verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: porkadot:kube-scheduler
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: porkadot:kube-scheduler
+subjects:
+- kind: ServiceAccount
+  name: kube-scheduler
+  namespace: kube-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kube-scheduler
+  namespace: kube-system
+  labels:
+    <%- k8s.scheduler.labels.each do |k, v| -%>
+    <%= k.to_s %>: <%= v %>
+    <%- end -%>
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kube-scheduler
+  namespace: kube-system
+  labels:
+    <%- k8s.scheduler.labels.each do |k, v| -%>
+    <%= k.to_s %>: <%= v %>
+    <%- end -%>
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      <%- k8s.scheduler.instance_labels.each do |k, v| -%>
+      <%= k.to_s %>: <%= v %>
+      <%- end -%>
+  template:
+    metadata:
+      labels:
+        <%- k8s.scheduler.labels.each do |k, v| -%>
+        <%= k.to_s %>: <%= v %>
+        <%- end -%>
+      annotations:
+        scheduler.alpha.kubernetes.io/critical-pod: ''
+    spec:
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 100
+            podAffinityTerm:
+              labelSelector:
+                matchExpressions:
+                - key: 'app.kubernetes.io/component'
+                  operator: In
+                  values:
+                  - kube-scheduler
+                - key: 'app.kubernetes.io/managed-by'
+                  operator: In
+                  values:
+                  - porkadot
+              topologyKey: kubernetes.io/hostname
+      containers:
+      - name: kube-scheduler
+        resources:
+          requests:
+            cpu: 100m
+        image: <%= k8s.image_repository %>/kube-scheduler:<%= k8s.kubernetes_version %>
+        command:
+        - kube-scheduler
+        <%- k8s.scheduler.args.each do |k, v| -%>
+        - <%= k %><% if v ;%>=<%= v %><%; end %>
+        <%- end -%>
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 10251  # Note: Using default port. Update if --port option is set differently.
+          initialDelaySeconds: 15
+          timeoutSeconds: 15
+      priorityClassName: system-cluster-critical
+      nodeSelector:
+        k8s.unstable.cloud/master: ""
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+      serviceAccountName: kube-scheduler
+      tolerations:
+      - key: CriticalAddonsOnly
+        operator: Exists
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+

data/lib/porkadot/assets/kubernetes/manifests/kubelet-rubber-stamp.yaml.erb

@@ -0,0 +1,86 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kubelet-rubber-stamp
+  namespace: kube-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      name: kubelet-rubber-stamp
+  template:
+    metadata:
+      labels:
+        name: kubelet-rubber-stamp
+    spec:
+      serviceAccountName: kubelet-rubber-stamp
+      tolerations:
+        - effect: NoSchedule
+          operator: Exists
+      nodeSelector:
+        k8s.unstable.cloud/master: ""
+      priorityClassName: system-cluster-critical
+      containers:
+        - name: kubelet-rubber-stamp
+          # image: quay.io/kontena/kubelet-rubber-stamp-amd64:0.2
+          # Use following image until issue is fixed
+          image: yuanying/kubelet-rubber-stamp:0.2.0.y01
+          args:
+            - "--v=2"
+          imagePullPolicy: Always
+          env:
+            - name: WATCH_NAMESPACE
+              value: ""
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: OPERATOR_NAME
+              value: "kubelet-rubber-stamp"
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: kubelet-rubber-stamp
+subjects:
+- kind: ServiceAccount
+  namespace: kube-system
+  name: kubelet-rubber-stamp
+roleRef:
+  kind: ClusterRole
+  name: kubelet-rubber-stamp
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: kubelet-rubber-stamp
+rules:
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests
+  verbs:
+  - delete
+  - get
+  - list
+  - watch
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests/approval
+  verbs:
+  - create
+  - update
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kubelet-rubber-stamp
+  namespace: kube-system