porkadot 0.19.0 → 0.19.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5cfc450609e887309caa2a6948b5d4c42bb283ee98e3fd6fe69e36f445f6c22f
-  data.tar.gz: e49e504ac9c2f040dadeeaf978b3f06e8b942a8d4f585c852afbbfe8d4c1c3ca
+  metadata.gz: 834e1f31cbbf8c7c8766162945572512fc0311dbf772df008f85ef2a00b3ea3d
+  data.tar.gz: f453e7a4899673f08a550b69c41b30c908eb5bf0906a67eee79a21ccd5fc1dcd
 SHA512:
-  metadata.gz: 565661c3e35d41268bc974b3399f08a1ddee32f6604bd4608d84f91e341b492ea61d7ddef56d3a59c61f99694bb23fb470610dca8f9ca239ed7ad73db0deb3d6
-  data.tar.gz: 1a6391937252ee71a7794499494e90a532174e65d621be0b20782b24b83e11523e25e85a841c8da3a8aeff825ce068ed5520be9c6ce571e2e3f85feb2e644265
+  metadata.gz: e13576f10e90eb2d277302bfcfe7cecb7feb681d25070052c50b6060b95e0b455061d093d8ddde84a69c650e2fa6f2b3775e25913cf743023c2ee036bdef0764
+  data.tar.gz: 5714fefdd57b9683974ea42f6d111ac87b66f723221f5f0852c95b758d92cf19f6eac32c9ddd2e98e1f77dcbac4db70c735eddf4999cb39be71ad2717efb5d5d

data/hack/storage-version-migrator/kustomization.yaml

@@ -1,5 +1,7 @@
+namespace: kube-system
+
 resources:
-- https://github.com/kubernetes-sigs/kube-storage-version-migrator/manifests/?ref=master
+- https://github.com/kubernetes-sigs/kube-storage-version-migrator/manifests/?ref=acdee30ced218b79e39c6a701985e8cd8bd33824
 
 images:
 - name: REGISTRY/storage-version-migration-initializer:VERSION
@@ -11,3 +13,65 @@ images:
 - name: REGISTRY/storage-version-migration-trigger:VERSION
   newName: asia.gcr.io/k8s-artifacts-prod/storage-migrator/storage-version-migration-trigger
   newTag: v0.0.3
+patchesJson6902:
+- target:
+    group: apps
+    version: v1
+    kind: Deployment
+    name: migrator
+    namespace: kube-system
+  patch: |-
+    - op: remove
+      path: /spec/template/spec/containers/0/livenessProbe
+    - op: add
+      path: /spec/template/spec/containers/0/command/-
+      value: --kubeconfig=/etc/migrator/kubeconfig
+- target:
+    group: apps
+    version: v1
+    kind: Deployment
+    name: trigger
+    namespace: kube-system
+  patch: |-
+    - op: remove
+      path: /spec/template/spec/containers/0/livenessProbe
+    - op: add
+      path: /spec/template/spec/containers/0/args
+      value: ["--kubeconfig=/etc/migrator/kubeconfig"]
+patchesStrategicMerge:
+- |-
+  apiVersion: apps/v1
+  kind: Deployment
+  metadata:
+    name: migrator
+    namespace: NAMESPACE
+  spec:
+    template:
+      spec:
+        containers:
+        - name: migrator
+          volumeMounts:
+          - mountPath: /etc/migrator
+            name: kubeconfig
+        volumes:
+        - name: kubeconfig
+          configMap:
+            name: kubeconfig-in-cluster-latest
+- |-
+  apiVersion: apps/v1
+  kind: Deployment
+  metadata:
+    name: trigger
+    namespace: NAMESPACE
+  spec:
+    template:
+      spec:
+        containers:
+        - name: trigger
+          volumeMounts:
+          - mountPath: /etc/migrator
+            name: kubeconfig
+        volumes:
+        - name: kubeconfig
+          configMap:
+            name: kubeconfig-in-cluster-latest

data/lib/porkadot/assets/bootstrap/manifests/kube-apiserver.bootstrap.yaml.erb

@@ -20,35 +20,9 @@ spec:
     image: <%= k8s.image_repository %>/kube-apiserver:<%= k8s.kubernetes_version %>
     command:
     - kube-apiserver
-    - --advertise-address=$(POD_IP)
-    - --allow-privileged
-    - --authorization-mode=Node,RBAC
-    - --bind-address=0.0.0.0
-    - --client-ca-file=/etc/kubernetes/secrets/kubernetes/ca.crt
-    - --enable-admission-plugins=NodeRestriction
-    - --enable-bootstrap-token-auth=true
-    - --etcd-cafile=/etc/kubernetes/secrets/etcd/ca.crt
-    - --etcd-certfile=/etc/kubernetes/secrets/etcd/etcd-client.crt
-    - --etcd-keyfile=/etc/kubernetes/secrets/etcd/etcd-client.key
-    - --etcd-servers=<%= global_config.etcd.advertise_client_urls.join(',') %>
-    - --kubelet-certificate-authority=/etc/kubernetes/secrets/kubernetes/ca.crt
-    - --kubelet-client-certificate=/etc/kubernetes/secrets/kubernetes/kubelet-client.crt
-    - --kubelet-client-key=/etc/kubernetes/secrets/kubernetes/kubelet-client.key
-    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
-    - --proxy-client-cert-file=/etc/kubernetes/secrets/kubernetes/front-proxy-client.crt
-    - --proxy-client-key-file=/etc/kubernetes/secrets/kubernetes/front-proxy-client.key
-    - --requestheader-allowed-names=front-proxy-client
-    - --requestheader-client-ca-file=/etc/kubernetes/secrets/kubernetes/front-proxy-ca.crt
-    - --requestheader-extra-headers-prefix=X-Remote-Extra-
-    - --requestheader-group-headers=X-Remote-Group
-    - --requestheader-username-headers=X-Remote-User
-    - --secure-port=<%= k8s.apiserver.bind_port %>
-    - --service-account-key-file=/etc/kubernetes/secrets/kubernetes/sa.pub
-    - --service-cluster-ip-range=<%= k8s.networking.service_subnet %>
-    - --storage-backend=etcd3
-    - --tls-cert-file=/etc/kubernetes/secrets/kubernetes/apiserver.crt
-    - --tls-private-key-file=/etc/kubernetes/secrets/kubernetes/apiserver.key
-    - --v=2
+    <%- k8s.apiserver.args(bootstrap: true).each do |k, v| -%>
+    - <%= k %><% if v ;%>=<%= v %><%; end %>
+    <%- end -%>
     env:
     - name: POD_IP
       valueFrom:
@@ -64,7 +38,7 @@ spec:
     - mountPath: /usr/share/ca-certificates
       name: usr-share-ca-certificates
       readOnly: true
-    - mountPath: /etc/kubernetes/secrets
+    - mountPath: /etc/kubernetes/pki
       name: secrets
       readOnly: true
     - mountPath: /var/lock

data/lib/porkadot/assets/bootstrap/manifests/kube-controller-manager.bootstrap.yaml.erb

@@ -15,23 +15,17 @@ spec:
     image: <%= k8s.image_repository %>/kube-controller-manager:<%= k8s.kubernetes_version %>
     command:
     - kube-controller-manager
-    - --allocate-node-cidrs=true
-    - --cluster-cidr=<%= k8s.networking.pod_subnet %>
-    - --cluster-signing-cert-file=/etc/kubernetes/bootstrap/secrets/kubernetes/ca.crt
-    - --cluster-signing-key-file=/etc/kubernetes/bootstrap/secrets/kubernetes/ca.key
-    - --controllers=*,bootstrapsigner,tokencleaner
-    - --kubeconfig=/etc/kubernetes/bootstrap/kubeconfig-bootstrap.yaml
-    - --leader-elect=true
-    - --node-cidr-mask-size=24
-    - --root-ca-file=/etc/kubernetes/bootstrap/secrets/kubernetes/ca.crt
-    - --service-account-private-key-file=/etc/kubernetes/bootstrap/secrets/kubernetes/sa.key
-    - --use-service-account-credentials=true
-    - --v=2
+    <%- k8s.controller_manager.args(bootstrap: true).each do |k, v| -%>
+    - <%= k %><% if v ;%>=<%= v %><%; end %>
+    <%- end -%>
     volumeMounts:
     - name: var-run-kubernetes
       mountPath: /var/run/kubernetes
-    - name: kubernetes
-      mountPath: /etc/kubernetes
+    - name: kubernetes-secrets
+      mountPath: /etc/kubernetes/pki
+      readOnly: true
+    - name: kubernetes-bootstrap
+      mountPath: /etc/kubernetes/bootstrap
       readOnly: true
     - mountPath: /usr/libexec/kubernetes/kubelet-plugins/volume/exec
       name: flexvolume-dir
@@ -48,9 +42,12 @@ spec:
   volumes:
   - name: var-run-kubernetes
     emptyDir: {}
-  - name: kubernetes
+  - name: kubernetes-secrets
+    hostPath:
+      path: /etc/kubernetes/bootstrap/secrets
+  - name: kubernetes-bootstrap
     hostPath:
-      path: /etc/kubernetes
+      path: /etc/kubernetes/bootstrap
   - hostPath:
       path: /etc/ssl/certs
       type: DirectoryOrCreate

data/lib/porkadot/assets/bootstrap/manifests/kube-proxy.bootstrap.yaml.erb

@@ -18,8 +18,9 @@ spec:
     imagePullPolicy: IfNotPresent
     command:
     - kube-proxy
-    - --config=/etc/kubernetes/bootstrap/kube-proxy-bootstrap.yaml
-    - --hostname-override=$(NODE_NAME)
+    <%- k8s.proxy.args(bootstrap: true).each do |k, v| -%>
+    - <%= k %><% if v ;%>=<%= v %><%; end %>
+    <%- end -%>
     env:
       - name: NODE_NAME
         valueFrom:

data/lib/porkadot/assets/bootstrap/manifests/kube-scheduler.bootstrap.yaml.erb

@@ -15,11 +15,9 @@ spec:
     image: <%= k8s.image_repository %>/kube-scheduler:<%= k8s.kubernetes_version %>
     command:
     - kube-scheduler
-    - --kubeconfig=/etc/kubernetes/bootstrap/kubeconfig-bootstrap.yaml
-    - --authentication-kubeconfig=/etc/kubernetes/bootstrap/kubeconfig-bootstrap.yaml
-    - --authorization-kubeconfig=/etc/kubernetes/bootstrap/kubeconfig-bootstrap.yaml
-    - --leader-elect=true
-    - --v=2
+    <%- k8s.scheduler.args(bootstrap: true).each do |k, v| -%>
+    - <%= k %><% if v ;%>=<%= v %><%; end %>
+    <%- end -%>
     volumeMounts:
     - name: kubernetes
       mountPath: /etc/kubernetes

data/lib/porkadot/assets/kubelet.rb

@@ -64,6 +64,7 @@ module Porkadot; module Assets
       render_erb 'install.sh'
       render_erb 'install-deps.sh'
       render_erb 'install-pkgs.sh'
+      render_erb 'setup-containerd.sh'
     end
 
     def render_bootstrap_certs

data/lib/porkadot/assets/kubelet/install-pkgs.sh.erb

@@ -41,12 +41,6 @@ net.ipv4.ip_forward                 = 1
 net.bridge.bridge-nf-call-iptables  = 1
 EOF
 
-mkdir -p /etc/containerd
-containerd config default | tee /etc/containerd/config.toml
-sed -i -e "/containerd.runtimes.runc.options/a SystemdCgroup = true" /etc/containerd/config.toml
-
-systemctl restart containerd
-
 cat <<EOF > /etc/iscsi/initiatorname.iscsi
 InitiatorName=iqn.2020-04.cloud.unstable:<%= config.hostname %>
 EOF

data/lib/porkadot/assets/kubelet/setup-containerd.sh.erb

@@ -0,0 +1,10 @@
+#!/bin/bash
+set -eu
+export LC_ALL=C
+ROOT=$(dirname "${BASH_SOURCE}")
+
+mkdir -p /etc/containerd
+containerd config default | tee /etc/containerd/config.toml
+sed -i -e "/containerd.runtimes.runc.options/a SystemdCgroup = true" /etc/containerd/config.toml
+
+systemctl restart containerd

data/lib/porkadot/assets/kubernetes/manifests/storage-version-migrator.yaml.erb

@@ -315,15 +315,16 @@ spec:
         - --alsologtostderr
         - --kube-api-qps=40
         - --kube-api-burst=1000
+        - --kubeconfig=/etc/migrator/kubeconfig
         image: asia.gcr.io/k8s-artifacts-prod/storage-migrator/storage-version-migration-migrator:v0.0.3
-        livenessProbe:
-          httpGet:
-            path: /healthz
-            port: 2112
-            scheme: HTTP
-          initialDelaySeconds: 10
-          timeoutSeconds: 60
         name: migrator
+        volumeMounts:
+        - mountPath: /etc/migrator
+          name: kubeconfig
+      volumes:
+      - configMap:
+          name: kubeconfig-in-cluster-latest
+        name: kubeconfig
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -343,12 +344,14 @@ spec:
         app: trigger
     spec:
       containers:
-      - image: asia.gcr.io/k8s-artifacts-prod/storage-migrator/storage-version-migration-trigger:v0.0.3
-        livenessProbe:
-          httpGet:
-            path: /healthz
-            port: 2113
-            scheme: HTTP
-          initialDelaySeconds: 10
-          timeoutSeconds: 60
+      - args:
+        - --kubeconfig=/etc/migrator/kubeconfig
+        image: asia.gcr.io/k8s-artifacts-prod/storage-migrator/storage-version-migration-trigger:v0.0.3
         name: trigger
+        volumeMounts:
+        - mountPath: /etc/migrator
+          name: kubeconfig
+      volumes:
+      - configMap:
+          name: kubeconfig-in-cluster-latest
+        name: kubeconfig

data/lib/porkadot/cmd/cli.rb

@@ -13,6 +13,22 @@ module Porkadot; module Cmd
     desc "install", "Install kubernetes"
     subcommand "install", Porkadot::Cmd::Install::Cli
 
+    desc "setup-containerd", "Setup containerd"
+    option :node, type: :string
+    option :force, type: :boolean, default: false
+    def setup_containerd
+      logger.info "Setup containerd"
+      kubelets = Porkadot::Install::KubeletList.new(self.config)
+      nodes = []
+      if node = options[:node]
+        nodes = kubelets[node]
+      else
+        nodes = kubelets.kubelets.values
+      end
+      kubelets.setup_containerd hosts: nodes, force: options[:force]
+      ""
+    end
+
     desc "set-config", "Set cluster to kubeconfig"
     def set_config
       name = config.k8s.cluster_name

data/lib/porkadot/configs/kubernetes.rb

@@ -69,11 +69,14 @@ module Porkadot; module Configs
         }
       end
 
-      def args
+      def args bootstrap: false
         extra = {}
         if self.extra_args
           extra = self.extra_args.map{|i| i.split('=', 2)}.to_h
         end
+        if bootstrap
+          extra = self.bootstrap_args.merge(extra)
+        end
         return self.default_args.merge(extra)
       end
 
@@ -96,6 +99,10 @@ module Porkadot; module Configs
         'kube-apiserver'
       end
 
+      def bootstrap_args
+        return {}
+      end
+
       def default_args
         return %W(
           --advertise-address=$(POD_IP)
@@ -103,6 +110,7 @@ module Porkadot; module Configs
           --authorization-mode=Node,RBAC
           --bind-address=0.0.0.0
           --client-ca-file=/etc/kubernetes/pki/kubernetes/ca.crt
+          --enable-admission-plugins=NodeRestriction
           --enable-bootstrap-token-auth=true
           --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
           --etcd-certfile=/etc/kubernetes/pki/etcd/etcd-client.crt
@@ -143,6 +151,14 @@ module Porkadot; module Configs
         'kube-scheduler'
       end
 
+      def bootstrap_args
+        return %W(
+          --kubeconfig=/etc/kubernetes/bootstrap/kubeconfig-bootstrap.yaml
+          --authentication-kubeconfig=/etc/kubernetes/bootstrap/kubeconfig-bootstrap.yaml
+          --authorization-kubeconfig=/etc/kubernetes/bootstrap/kubeconfig-bootstrap.yaml
+        ).map {|i| i.split('=', 2)}.to_h
+      end
+
       def default_args
         return %W(
           --leader-elect=true
@@ -164,6 +180,12 @@ module Porkadot; module Configs
         'kube-controller-manager'
       end
 
+      def bootstrap_args
+        return %W(
+          --kubeconfig=/etc/kubernetes/bootstrap/kubeconfig-bootstrap.yaml
+        ).map {|i| i.split('=', 2)}.to_h
+      end
+
       def default_args
         return %W(
           --allocate-node-cidrs=true
@@ -202,6 +224,12 @@ module Porkadot; module Configs
         'kube-proxy'
       end
 
+      def bootstrap_args
+        return %W(
+          --config=/etc/kubernetes/bootstrap/kube-proxy-bootstrap.yaml
+        ).map {|i| i.split('=', 2)}.to_h
+      end
+
       def default_args
         return %W(
           --config=/var/lib/kube-proxy/config.conf

data/lib/porkadot/install/kubelet.rb

@@ -16,6 +16,30 @@ module Porkadot; module Install
       end
     end
 
+    def setup_containerd hosts: nil, force: false
+      unless hosts
+        hosts = []
+        self.kubelets.each do |_, v|
+          hosts << v
+        end
+      end
+
+      on(hosts) do |host|
+        execute(:mkdir, '-p', Porkadot::Install::KUBE_TEMP)
+        if test("[ -d #{KUBE_TEMP} ]")
+          execute(:rm, '-rf', KUBE_TEMP)
+          execute(:rm, '-rf', KUBE_SECRETS_TEMP)
+        end
+        upload! host.config.target_path, KUBE_TEMP, recursive: true
+        upload! host.config.target_secrets_path, KUBE_SECRETS_TEMP, recursive: true
+        execute(:cp, '-r', KUBE_SECRETS_TEMP + '/*', KUBE_TEMP)
+
+        as user: 'root' do
+          execute(:bash, File.join(KUBE_TEMP, 'setup-containerd.sh'))
+        end
+      end
+    end
+
     def install hosts: nil, force: false
       unless hosts
         hosts = []

data/lib/porkadot/version.rb

@@ -1,3 +1,3 @@
 module Porkadot
-  VERSION = "0.19.0"
+  VERSION = "0.19.1"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: porkadot
 version: !ruby/object:Gem::Version
-  version: 0.19.0
+  version: 0.19.1
 platform: ruby
 authors:
 - OTSUKA, Yuanying
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-06-03 00:00:00.000000000 Z
+date: 2021-07-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -140,6 +140,7 @@ files:
 - lib/porkadot/assets/kubelet/install-pkgs.sh.erb
 - lib/porkadot/assets/kubelet/install.sh.erb
 - lib/porkadot/assets/kubelet/kubelet.service.erb
+- lib/porkadot/assets/kubelet/setup-containerd.sh.erb
 - lib/porkadot/assets/kubernetes.rb
 - lib/porkadot/assets/kubernetes/install.sh.erb
 - lib/porkadot/assets/kubernetes/manifests/coredns.yaml.erb