porkadot 0.1.0

data/lib/porkadot/assets/kubernetes/manifests/kubelet.yaml.erb

@@ -0,0 +1,40 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: porkadot:node-bootstrapper
+subjects:
+- kind: Group
+  name: porkadot:node-bootstrappers
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: system:node-bootstrapper
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: auto-approve-csrs-for-group
+  name: porkadot:node-autoapprove-bootstrap
+subjects:
+- kind: Group
+  name: porkadot:node-bootstrappers
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: auto-approve-renewals-for-nodes
+subjects:
+- kind: Group
+  name: system:nodes
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
+  apiGroup: rbac.authorization.k8s.io

data/lib/porkadot/assets/kubernetes/manifests/metallb.yaml.erb

@@ -0,0 +1,323 @@
+<% k8s = global_config.k8s -%>
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app: metallb
+  name: metallb-system
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  labels:
+    app: metallb
+  name: speaker
+  namespace: metallb-system
+spec:
+  allowPrivilegeEscalation: false
+  allowedCapabilities:
+  - NET_ADMIN
+  - NET_RAW
+  - SYS_ADMIN
+  fsGroup:
+    rule: RunAsAny
+  hostNetwork: true
+  hostPorts:
+  - max: 7472
+    min: 7472
+  privileged: true
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+  - '*'
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: metallb
+  name: controller
+  namespace: metallb-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: metallb
+  name: speaker
+  namespace: metallb-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: metallb
+  name: metallb-system:controller
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - ''
+  resources:
+  - services/status
+  verbs:
+  - update
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: metallb
+  name: metallb-system:speaker
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - services
+  - endpoints
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - extensions
+  resourceNames:
+  - speaker
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app: metallb
+  name: config-watcher
+  namespace: metallb-system
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: metallb
+  name: metallb-system:controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: metallb-system:controller
+subjects:
+- kind: ServiceAccount
+  name: controller
+  namespace: metallb-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: metallb
+  name: metallb-system:speaker
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: metallb-system:speaker
+subjects:
+- kind: ServiceAccount
+  name: speaker
+  namespace: metallb-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app: metallb
+  name: config-watcher
+  namespace: metallb-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: config-watcher
+subjects:
+- kind: ServiceAccount
+  name: controller
+- kind: ServiceAccount
+  name: speaker
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    app: metallb
+    component: speaker
+  name: speaker
+  namespace: metallb-system
+spec:
+  selector:
+    matchLabels:
+      app: metallb
+      component: speaker
+  template:
+    metadata:
+      annotations:
+        prometheus.io/port: '7472'
+        prometheus.io/scrape: 'true'
+      labels:
+        app: metallb
+        component: speaker
+    spec:
+      initContainers:
+      - command:
+        - "iptables"
+        - "-P"
+        - "FORWARD"
+        - "ACCEPT"
+        image: <%= k8s.image_repository %>/hyperkube:<%= k8s.kubernetes_version %>
+        imagePullPolicy: IfNotPresent
+        name: default-iptables
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            add:
+            - NET_ADMIN
+            - NET_RAW
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+      containers:
+      - args:
+        - --port=7472
+        - --config=config
+        env:
+        - name: METALLB_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: METALLB_HOST
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        image: metallb/speaker:v0.8.2
+        imagePullPolicy: IfNotPresent
+        name: speaker
+        ports:
+        - containerPort: 7472
+          name: monitoring
+        resources:
+          limits:
+            cpu: 100m
+            memory: 100Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            add:
+            - NET_ADMIN
+            - NET_RAW
+            - SYS_ADMIN
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+      hostNetwork: true
+      nodeSelector:
+        beta.kubernetes.io/os: linux
+      serviceAccountName: speaker
+      terminationGracePeriodSeconds: 0
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: metallb
+    component: controller
+  name: controller
+  namespace: metallb-system
+spec:
+  revisionHistoryLimit: 3
+  selector:
+    matchLabels:
+      app: metallb
+      component: controller
+  template:
+    metadata:
+      annotations:
+        prometheus.io/port: '7472'
+        prometheus.io/scrape: 'true'
+      labels:
+        app: metallb
+        component: controller
+    spec:
+      containers:
+      - args:
+        - --port=7472
+        - --config=config
+        image: metallb/controller:v0.8.2
+        imagePullPolicy: IfNotPresent
+        name: controller
+        ports:
+        - containerPort: 7472
+          name: monitoring
+        resources:
+          limits:
+            cpu: 100m
+            memory: 100Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - all
+          readOnlyRootFilesystem: true
+      nodeSelector:
+        beta.kubernetes.io/os: linux
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+      serviceAccountName: controller
+      terminationGracePeriodSeconds: 0
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    app: metallb
+  name: config
+  namespace: metallb-system
+data:
+  config: |
+<%= u.indent(global_config.lb.lb_config, 4) %>

data/lib/porkadot/assets/kubernetes/manifests/pod-checkpointer.yaml.erb

@@ -0,0 +1,130 @@
+<% k8s = global_config.k8s -%>
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: pod-checkpointer
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: pod-checkpointer
+  namespace: kube-system
+rules:
+- apiGroups: [""] # "" indicates the core API group
+  resources: ["pods"]
+  verbs: ["get", "watch", "list"]
+- apiGroups: [""] # "" indicates the core API group
+  resources: ["secrets", "configmaps"]
+  verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: pod-checkpointer
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: pod-checkpointer
+subjects:
+- kind: ServiceAccount
+  name: pod-checkpointer
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: pod-checkpointer
+rules:
+  - apiGroups: [""]
+    resources: ["nodes", "nodes/proxy"]
+    verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: pod-checkpointer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: pod-checkpointer
+subjects:
+- kind: ServiceAccount
+  name: pod-checkpointer
+  namespace: kube-system
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: pod-checkpointer
+  namespace: kube-system
+  labels:
+    tier: control-plane
+    k8s-app: pod-checkpointer
+spec:
+  selector:
+    matchLabels:
+      tier: control-plane
+      k8s-app: pod-checkpointer
+  template:
+    metadata:
+      labels:
+        tier: control-plane
+        k8s-app: pod-checkpointer
+      annotations:
+        checkpointer.alpha.coreos.com/checkpoint: "true"
+    spec:
+      containers:
+      - name: pod-checkpointer
+        image: quay.io/coreos/pod-checkpointer:83e25e5968391b9eb342042c435d1b3eeddb2be1
+        command:
+        - /checkpoint
+        - --lock-file=/var/run/lock/pod-checkpointer.lock
+        - --kubeconfig=/etc/checkpointer/kubeconfig
+        - --checkpoint-grace-period=5m
+        env:
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        imagePullPolicy: Always
+        volumeMounts:
+        - mountPath: /etc/checkpointer
+          name: kubeconfig
+        - mountPath: /etc/kubernetes
+          name: etc-kubernetes
+        - mountPath: /var/run
+          name: var-run
+      serviceAccountName: pod-checkpointer
+      hostNetwork: true
+      nodeSelector:
+        k8s.unstable.cloud/master: ""
+      restartPolicy: Always
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+      volumes:
+      - name: kubeconfig
+        configMap:
+          name: kubeconfig-in-cluster
+      - name: etc-kubernetes
+        hostPath:
+          path: /etc/kubernetes
+      - name: var-run
+        hostPath:
+          path: /var/run
+  updateStrategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate

data/lib/porkadot/assets/kubernetes/manifests/porkadot.yaml.erb

@@ -0,0 +1,69 @@
+<% k8s = global_config.k8s -%>
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+  labels:
+    provider: porkadot
+  name: porkadot-kubernetes
+  namespace: kube-system
+spec:
+  selector:
+    app.kubernetes.io/component: kube-apiserver
+    app.kubernetes.io/managed-by: porkadot
+  <%- host, port = global_config.k8s.control_plane_endpoint_host_and_port -%>
+  loadBalancerIP: <%= host %>
+  ports:
+  - name: https
+    port: <%= port %>
+    protocol: TCP
+    targetPort: <%= global_config.k8s.apiserver.bind_port %>
+  sessionAffinity: None
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+  labels:
+    provider: porkadot
+  name: porkadot-kubernetes-latest
+  namespace: kube-system
+spec:
+  selector:
+    <%- k8s.apiserver.labels.each do |k, v| -%>
+    <%= k.to_s %>: <%= v %>
+    <%- end -%>
+  <%- _, port = global_config.k8s.control_plane_endpoint_host_and_port -%>
+  loadBalancerIP: <%= host %>
+  ports:
+  - name: https
+    port: <%= port %>
+    protocol: TCP
+    targetPort: <%= global_config.k8s.apiserver.bind_port %>
+  sessionAffinity: None
+  type: ClusterIP
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kubeconfig-in-cluster
+  namespace: kube-system
+data:
+  kubeconfig: |
+    apiVersion: v1
+    clusters:
+    - name: local
+      cluster:
+        server: https://<%= k8s.control_plane_endpoint %>
+        certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+    users:
+    - name: service-account
+      user:
+        # Use service account token
+        tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+    contexts:
+    - context:
+        cluster: local
+        user: service-account

data/lib/porkadot/assets/kubernetes.rb

@@ -0,0 +1,39 @@
+require 'fileutils'
+require 'erb'
+
+module Porkadot; module Assets
+  class Kubernetes
+    include Porkadot::Assets
+    TEMPLATE_DIR = File.join(File.dirname(__FILE__), "kubernetes")
+    attr_reader :global_config
+    attr_reader :config
+    attr_reader :logger
+
+    def initialize global_config
+      @global_config = global_config
+      @config = global_config.kubernetes
+      @logger = global_config.logger
+    end
+
+    def render
+      logger.info "--> Rendering kubernetes manifests"
+      unless File.directory?(config.manifests_path)
+        FileUtils.mkdir_p(config.manifests_path)
+      end
+      lb = global_config.lb
+      cni = global_config.cni
+      render_erb 'manifests/porkadot.yaml'
+      render_erb 'manifests/kubelet.yaml'
+      render_erb "manifests/#{lb.type}.yaml"
+      render_erb "manifests/#{cni.type}.yaml"
+      render_erb "manifests/kube-apiserver.yaml"
+      render_erb "manifests/kube-proxy.yaml"
+      render_erb "manifests/kube-scheduler.yaml"
+      render_erb "manifests/kube-controller-manager.yaml"
+      render_erb "manifests/pod-checkpointer.yaml"
+      render_erb "manifests/kubelet-rubber-stamp.yaml"
+      render_erb 'install.sh'
+    end
+
+  end
+end; end

data/lib/porkadot/assets.rb

@@ -0,0 +1,24 @@
+module Porkadot::Assets
+  class ErbUtils
+    def indent(text, space=2)
+      space = space.times.map{' '}.join('')
+      text.lines.map{|line| "#{space}#{line}"}.join('')
+    end
+  end
+
+  def render_erb file, opts={}
+    file = file.to_s
+    opts[:config] = self.config
+    opts[:global_config] = self.global_config
+    opts[:certs] = Porkadot::Assets::Certs.new(self.global_config)
+    opts[:u] = ErbUtils.new
+
+    logger.info "----> #{file}"
+    open(File.join(self.class::TEMPLATE_DIR, "#{file}.erb")) do |io|
+      open(config.asset_path(file), 'w') do |out|
+        out.write ERB.new(io.read, trim_mode: '-').result_with_hash(opts)
+      end
+    end
+  end
+
+end

data/lib/porkadot/cmd/cli.rb

@@ -0,0 +1,45 @@
+
+module Porkadot; module Cmd
+  class Cli < Thor
+    include Porkadot::Utils
+
+    class_option :config, type: :string,
+      default: './porkadot.yaml',
+      desc: 'Path to porkadot config file'
+
+    desc "render", "Render assets to deploy Kubernetes"
+    subcommand "render", Porkadot::Cmd::Render::Cli
+
+    desc "install", "Install kubernetes"
+    subcommand "install", Porkadot::Cmd::Install::Cli
+
+    desc "set-config", "Set cluster to kubeconfig"
+    def set_config
+      name = config.k8s.cluster_name
+      certs = Porkadot::Assets::Certs.new(config)
+      `kubectl config set-cluster #{name} \
+        --server=https://#{config.k8s.control_plane_endpoint}`
+      `kubectl config set \
+        clusters.#{name}.certificate-authority-data \
+        "#{certs.kubernetes.to_base64(:ca_cert)}"`
+      `kubectl config set-credentials #{name}-admin`
+      `kubectl config set \
+        users.#{name}-admin.client-certificate-data \
+        "#{certs.kubernetes.to_base64(:client_cert)}"`
+      `kubectl config set \
+        users.#{name}-admin.client-key-data \
+        "#{certs.kubernetes.to_base64(:client_key)}"`
+      `kubectl config set-context #{name} \
+        --cluster=#{name} \
+        --user=#{name}-admin`
+      `kubectl config use-context #{name}`
+    end
+
+    default_task :all
+    desc "all", "Render and install Kubernetes cluster"
+    def all
+      invoke :render, [], options
+      invoke :install, [], options
+    end
+  end
+end; end