RubyGems - porkadot - Versions diffs - 0.18.1 → 0.21.0 - Mend

porkadot 0.18.1 → 0.21.0

Files changed (31) hide show

data/lib/porkadot/assets/kubernetes/manifests/kube-apiserver.secrets.yaml.erb CHANGED Viewed

@@ -11,6 +11,7 @@ data:
   kubelet-client.crt: <%= certs.kubernetes.to_base64(:kubelet_client_cert) %>
   kubelet-client.key: <%= certs.kubernetes.to_base64(:kubelet_client_key) %>
   sa.pub: <%= certs.kubernetes.to_base64(:sa_public_key) %>
+  sa.key: <%= certs.kubernetes.to_base64(:sa_private_key) %>
 kind: Secret
 metadata:
   name: kube-apiserver

data/lib/porkadot/assets/kubernetes/manifests/kubelet-rubber-stamp.yaml.erb CHANGED Viewed

@@ -51,7 +51,7 @@ roleRef:
   name: kubelet-rubber-stamp
   apiGroup: rbac.authorization.k8s.io
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: kubelet-rubber-stamp

data/lib/porkadot/assets/kubernetes/manifests/metallb.config.yaml.erb ADDED Viewed

@@ -0,0 +1,13 @@
+<% k8s = global_config.k8s -%>
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    app: metallb
+  name: config
+  namespace: metallb-system
+data:
+  config: |
+<%= u.indent(global_config.lb.lb_config, 4) %>

data/lib/porkadot/assets/kubernetes/manifests/metallb.yaml.erb CHANGED Viewed

@@ -1,11 +1,3 @@
-<% k8s = global_config.k8s -%>
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    app: metallb
-  name: metallb-system
----
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
@@ -58,9 +50,7 @@ metadata:
 spec:
   allowPrivilegeEscalation: false
   allowedCapabilities:
-  - NET_ADMIN
   - NET_RAW
-  - SYS_ADMIN
   allowedHostPaths: []
   defaultAddCapabilities: []
   defaultAllowPrivilegeEscalation: false
@@ -72,6 +62,8 @@ spec:
   hostPorts:
   - max: 7472
     min: 7472
+  - max: 7946
+    min: 7946
   privileged: true
   readOnlyRootFilesystem: true
   requiredDropCapabilities:
@@ -118,7 +110,6 @@ rules:
   - get
   - list
   - watch
-  - update
 - apiGroups:
   - ''
   resources:
@@ -158,6 +149,13 @@ rules:
   - get
   - list
   - watch
+- apiGroups: ["discovery.k8s.io"]
+  resources:
+  - endpointslices
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - ''
   resources:
@@ -207,6 +205,37 @@ rules:
   - list
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app: metallb
+  name: controller
+  namespace: metallb-system
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - create
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  resourceNames:
+  - memberlist
+  verbs:
+  - list
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  resourceNames:
+  - controller
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
@@ -268,6 +297,21 @@ subjects:
 - kind: ServiceAccount
   name: speaker
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app: metallb
+  name: controller
+  namespace: metallb-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: controller
+subjects:
+- kind: ServiceAccount
+  name: controller
+---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@@ -308,47 +352,44 @@ spec:
             fieldRef:
               fieldPath: status.podIP
         # needed when another software is also using memberlist / port 7946
+        # when changing this default you also need to update the container ports definition
+        # and the PodSecurityPolicy hostPorts definition
         #- name: METALLB_ML_BIND_PORT
         #  value: "7946"
         - name: METALLB_ML_LABELS
           value: "app=metallb,component=speaker"
-        - name: METALLB_ML_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
         - name: METALLB_ML_SECRET_KEY
           valueFrom:
             secretKeyRef:
               name: memberlist
               key: secretkey
-        image: metallb/speaker:v0.9.4
-        imagePullPolicy: Always
+        image: quay.io/metallb/speaker:v0.10.2
         name: speaker
         ports:
         - containerPort: 7472
           name: monitoring
-        resources:
-          limits:
-            cpu: 100m
-            memory: 100Mi
+        - containerPort: 7946
+          name: memberlist-tcp
+        - containerPort: 7946
+          name: memberlist-udp
+          protocol: UDP
         securityContext:
           allowPrivilegeEscalation: false
           capabilities:
             add:
-            - NET_ADMIN
             - NET_RAW
-            - SYS_ADMIN
             drop:
             - ALL
           readOnlyRootFilesystem: true
       hostNetwork: true
       nodeSelector:
-        beta.kubernetes.io/os: linux
+        kubernetes.io/os: linux
       serviceAccountName: speaker
       terminationGracePeriodSeconds: 2
       tolerations:
       - effect: NoSchedule
         key: node-role.kubernetes.io/master
+        operator: Exists
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -377,16 +418,16 @@ spec:
       - args:
         - --port=7472
         - --config=config
-        image: metallb/controller:v0.9.4
-        imagePullPolicy: Always
+        env:
+        - name: METALLB_ML_SECRET_NAME
+          value: memberlist
+        - name: METALLB_DEPLOYMENT
+          value: controller
+        image: quay.io/metallb/controller:v0.10.2
         name: controller
         ports:
         - containerPort: 7472
           name: monitoring
-        resources:
-          limits:
-            cpu: 100m
-            memory: 100Mi
         securityContext:
           allowPrivilegeEscalation: false
           capabilities:
@@ -400,14 +441,3 @@ spec:
         runAsUser: 65534
       serviceAccountName: controller
       terminationGracePeriodSeconds: 0
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: metallb
-  name: config
-  namespace: metallb-system
-data:
-  config: |
-<%= u.indent(global_config.lb.lb_config, 4) %>

data/lib/porkadot/assets/kubernetes/manifests/storage-version-migrator.yaml.erb CHANGED Viewed

@@ -1,327 +1,357 @@
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kube-system
+---
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
-  name: storageversionmigrations.migration.k8s.io
+  annotations:
+    api-approved.kubernetes.io: https://github.com/kubernetes/enhancements/pull/747
+  name: storagestates.migration.k8s.io
 spec:
   group: migration.k8s.io
   names:
-    kind: StorageVersionMigration
-    listKind: StorageVersionMigrationList
-    plural: storageversionmigrations
-    singular: storageversionmigration
+    kind: StorageState
+    listKind: StorageStateList
+    plural: storagestates
+    singular: storagestate
+  preserveUnknownFields: false
   scope: Cluster
-  subresources:
-    status: {}
-  version: v1alpha1
   versions:
   - name: v1alpha1
-    served: true
-    storage: true
-  "validation":
-    "openAPIV3Schema":
-      description: StorageVersionMigration represents a migration of stored data to
-        the latest storage version.
-      type: object
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          description: Specification of the migration.
-          type: object
-          required:
-          - resource
-          properties:
-            continueToken:
-              description: The token used in the list options to get the next chunk
-                of objects to migrate. When the .status.conditions indicates the migration
-                is "Running", users can use this token to check the progress of the
-                migration.
-              type: string
-            resource:
-              description: The resource that is being migrated. The migrator sends
-                requests to the endpoint serving the resource. Immutable.
-              type: object
-              properties:
-                group:
-                  description: The name of the group.
-                  type: string
-                resource:
-                  description: The name of the resource.
-                  type: string
-                version:
-                  description: The name of the version.
-                  type: string
-        status:
-          description: Status of the migration.
-          type: object
-          properties:
-            conditions:
-              description: The latest available observations of the migration's current
-                state.
-              type: array
-              items:
-                description: Describes the state of a migration at a certain point.
-                type: object
-                required:
-                - status
-                - type
+    schema:
+      openAPIV3Schema:
+        description: The state of the storage of a specific resource.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            properties:
+              name:
+                description: name must be "<.spec.resource.resouce>.<.spec.resource.group>".
+                type: string
+            type: object
+          spec:
+            description: Specification of the storage state.
+            properties:
+              resource:
+                description: The resource this storageState is about.
                 properties:
-                  lastUpdateTime:
-                    description: The last time this condition was updated.
+                  group:
+                    description: The name of the group.
                     type: string
-                    format: date-time
-                  message:
-                    description: A human readable message indicating details about
-                      the transition.
-                    type: string
-                  reason:
-                    description: The reason for the condition's last transition.
-                    type: string
-                  status:
-                    description: Status of the condition, one of True, False, Unknown.
-                    type: string
-                  type:
-                    description: Type of the condition.
+                  resource:
+                    description: The name of the resource.
                     type: string
+                type: object
+            type: object
+          status:
+            description: Status of the storage state.
+            properties:
+              currentStorageVersionHash:
+                description: The hash value of the current storage version, as shown
+                  in the discovery document served by the API server. Storage Version
+                  is the version to which objects are converted to before persisted.
+                type: string
+              lastHeartbeatTime:
+                description: LastHeartbeatTime is the last time the storage migration
+                  triggering controller checks the storage version hash of this resource
+                  in the discovery document and updates this field.
+                format: date-time
+                type: string
+              persistedStorageVersionHashes:
+                description: The hash values of storage versions that persisted instances
+                  of spec.resource might still be encoded in. "Unknown" is a valid
+                  value in the list, and is the default value. It is not safe to upgrade
+                  or downgrade to an apiserver binary that does not support all versions
+                  listed in this field, or if "Unknown" is listed. Once the storage
+                  version migration for this resource has completed, the value of
+                  this field is refined to only contain the currentStorageVersionHash.
+                  Once the apiserver has changed the storage version, the new storage
+                  version is appended to the list.
+                items:
+                  type: string
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
-  name: storagestates.migration.k8s.io
+  annotations:
+    api-approved.kubernetes.io: https://github.com/kubernetes/community/pull/2524
+  name: storageversionmigrations.migration.k8s.io
 spec:
   group: migration.k8s.io
   names:
-    kind: StorageState
-    listKind: StorageStateList
-    plural: storagestates
-    singular: storagestate
+    kind: StorageVersionMigration
+    listKind: StorageVersionMigrationList
+    plural: storageversionmigrations
+    singular: storageversionmigration
+  preserveUnknownFields: false
   scope: Cluster
-  subresources:
-    status: {}
-  version: v1alpha1
   versions:
   - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: StorageVersionMigration represents a migration of stored data
+          to the latest storage version.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Specification of the migration.
+            properties:
+              continueToken:
+                description: The token used in the list options to get the next chunk
+                  of objects to migrate. When the .status.conditions indicates the
+                  migration is "Running", users can use this token to check the progress
+                  of the migration.
+                type: string
+              resource:
+                description: The resource that is being migrated. The migrator sends
+                  requests to the endpoint serving the resource. Immutable.
+                properties:
+                  group:
+                    description: The name of the group.
+                    type: string
+                  resource:
+                    description: The name of the resource.
+                    type: string
+                  version:
+                    description: The name of the version.
+                    type: string
+                type: object
+            required:
+            - resource
+            type: object
+          status:
+            description: Status of the migration.
+            properties:
+              conditions:
+                description: The latest available observations of the migration's
+                  current state.
+                items:
+                  description: Describes the state of a migration at a certain point.
+                  properties:
+                    lastUpdateTime:
+                      description: The last time this condition was updated.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of the condition.
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+            type: object
+        type: object
     served: true
     storage: true
-  "validation":
-    "openAPIV3Schema":
-      description: The state of the storage of a specific resource.
-      type: object
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation
-            of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this
-            object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          description: The name must be "<.spec.resource.resouce>.<.spec.resource.group>".
-          type: object
-        spec:
-          description: Specification of the storage state.
-          type: object
-          properties:
-            resource:
-              description: The resource this storageState is about.
-              type: object
-              properties:
-                group:
-                  description: The name of the group.
-                  type: string
-                resource:
-                  description: The name of the resource.
-                  type: string
-        status:
-          description: Status of the storage state.
-          type: object
-          properties:
-            currentStorageVersionHash:
-              description: The hash value of the current storage version, as shown
-                in the discovery document served by the API server. Storage Version
-                is the version to which objects are converted to before persisted.
-              type: string
-            lastHeartbeatTime:
-              description: LastHeartbeatTime is the last time the storage migration
-                triggering controller checks the storage version hash of this resource
-                in the discovery document and updates this field.
-              type: string
-              format: date-time
-            persistedStorageVersionHashes:
-              description: The hash values of storage versions that persisted instances
-                of spec.resource might still be encoded in. "Unknown" is a valid value
-                in the list, and is the default value. It is not safe to upgrade or
-                downgrade to an apiserver binary that does not support all versions
-                listed in this field, or if "Unknown" is listed. Once the storage
-                version migration for this resource has completed, the value of this
-                field is refined to only contain the currentStorageVersionHash. Once
-                the apiserver has changed the storage version, the new storage version
-                is appended to the list.
-              type: array
-              items:
-                type: string
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: kube-system
+    subresources:
+      status: {}
 ---
-kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
 metadata:
-  name: storage-version-migration-trigger
+  name: storage-version-migration-crd-creator
 rules:
-- apiGroups: ["migration.k8s.io"]
-  resources: ["storagestates"]
-  verbs: ["watch", "get", "list", "delete", "create", "update"]
-- apiGroups: ["migration.k8s.io"]
-  resources: ["storageversionmigrations"]
-  verbs: ["watch", "get", "list", "delete", "create"]
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - create
+  - delete
+  - get
 ---
-kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
 metadata:
-  name: storage-version-migration-crd-creator
+  name: storage-version-migration-initializer
 rules:
-- apiGroups: ["apiextensions.k8s.io"]
-  resources: ["customresourcedefinitions"]
-  verbs: ["create", "delete", "get"]
+- apiGroups:
+  - migration.k8s.io
+  resources:
+  - storageversionmigrations
+  verbs:
+  - create
 ---
-kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
 metadata:
-  name: storage-version-migration-initializer
+  name: storage-version-migration-trigger
 rules:
-- apiGroups: ["migration.k8s.io"]
-  resources: ["storageversionmigrations"]
-  verbs: ["create"]
+- apiGroups:
+  - migration.k8s.io
+  resources:
+  - storagestates
+  verbs:
+  - watch
+  - get
+  - list
+  - delete
+  - create
+  - update
+- apiGroups:
+  - migration.k8s.io
+  resources:
+  - storageversionmigrations
+  verbs:
+  - watch
+  - get
+  - list
+  - delete
+  - create
 ---
-kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
 metadata:
-  name: storage-version-migration-migrator
+  name: storage-version-migration-crd-creator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: storage-version-migration-crd-creator
 subjects:
 - kind: ServiceAccount
   name: default
   namespace: kube-system
-roleRef:
-  kind: ClusterRole
-  name: cluster-admin
-  apiGroup: rbac.authorization.k8s.io
 ---
-kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
 metadata:
-  name: storage-version-migration-trigger
+  name: storage-version-migration-initializer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: storage-version-migration-initializer
 subjects:
 - kind: ServiceAccount
   name: default
   namespace: kube-system
-roleRef:
-  kind: ClusterRole
-  name: storage-version-migration-trigger
-  apiGroup: rbac.authorization.k8s.io
 ---
-kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
 metadata:
-  name: storage-version-migration-crd-creator
+  name: storage-version-migration-migrator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
 subjects:
 - kind: ServiceAccount
   name: default
   namespace: kube-system
-roleRef:
-  kind: ClusterRole
-  name: storage-version-migration-crd-creator
-  apiGroup: rbac.authorization.k8s.io
 ---
-kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
 metadata:
-  name: storage-version-migration-initializer
+  name: storage-version-migration-trigger
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: storage-version-migration-trigger
 subjects:
 - kind: ServiceAccount
   name: default
   namespace: kube-system
-roleRef:
-  kind: ClusterRole
-  name: storage-version-migration-initializer
-  apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: trigger
-  namespace: kube-system
   labels:
-    app: trigger
+    app: migrator
+  name: migrator
+  namespace: kube-system
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: trigger
+      app: migrator
   template:
     metadata:
       labels:
-        app: trigger
+        app: migrator
     spec:
       containers:
-      - name: trigger
-        image: yuanying/storage-version-migration-trigger:v0.1
-        args:
-        - --kubeconfig=/etc/trigger/kubeconfig
+      - command:
+        - /migrator
+        - --v=2
+        - --alsologtostderr
+        - --kube-api-qps=40
+        - --kube-api-burst=1000
+        - --kubeconfig=/etc/migrator/kubeconfig
+        image: asia.gcr.io/k8s-artifacts-prod/storage-migrator/storage-version-migration-migrator:v0.0.3
+        name: migrator
         volumeMounts:
-        - mountPath: /etc/trigger
+        - mountPath: /etc/migrator
           name: kubeconfig
       volumes:
-      - name: kubeconfig
-        configMap:
+      - configMap:
           name: kubeconfig-in-cluster-latest
+        name: kubeconfig
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: migrator
-  namespace: kube-system
   labels:
-    app: migrator
+    app: trigger
+  name: trigger
+  namespace: kube-system
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: migrator
+      app: trigger
   template:
     metadata:
       labels:
-        app: migrator
+        app: trigger
     spec:
       containers:
-      - name: migrator
-        image: yuanying/storage-version-migration-migrator:v0.1
-        command:
-          - /migrator
-          - --v=2
-          - --alsologtostderr
-          - --kube-api-qps=40
-          - --kube-api-burst=1000
-          - --kubeconfig=/etc/migrator/kubeconfig
+      - args:
+        - --kubeconfig=/etc/migrator/kubeconfig
+        image: asia.gcr.io/k8s-artifacts-prod/storage-migrator/storage-version-migration-trigger:v0.0.3
+        name: trigger
         volumeMounts:
         - mountPath: /etc/migrator
           name: kubeconfig
       volumes:
-      - name: kubeconfig
-        configMap:
+      - configMap:
           name: kubeconfig-in-cluster-latest
+        name: kubeconfig