porkadot 0.21.0 → 0.22.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 839afa115dc53563a391b710c14ab686f6c45a5420a6d1f6c6eee21ebdb1e6cf
-  data.tar.gz: 8f8fbc1099bebe03b5f994050e083c385baad03536d15c14ef6ed1f412ce278c
+  metadata.gz: 89c9072a82772720ff6d492d2dcaf475ef31460bc108886be716b1b7b0e0a3d7
+  data.tar.gz: edcc58e0f9e5a616020caa2348a46ecb06e796930fb565efcc6dfad25244d69b
 SHA512:
-  metadata.gz: 20194aa567e21c0e7af5caa6deb7645c617d58240c5685b0a90e477ea9331ea522618c206718b97a4218ab9d939fa6bd7b557df698703fb8c45c240dbb025e95
-  data.tar.gz: 3fdd45b9a6132bf0167c4e30c939aa42db77331a6007a850baa1adb67335731e639ccc9483435aecc7c3411d49094698846592a712205b5377adda17965ea930
+  metadata.gz: aa12a3f43721a233b17f46708cced2989430da72ccd3e90be46c72b4d2d01b675372f07f609050d0c49cb966d600c40b2eb209a591715e62c411d148a9ace680
+  data.tar.gz: 2cacb639c73ecb17300b48ba50e923a15a02f95b619fec2c05d3c3ae50eef7f9b5ae5a62fc784c4957bcf8a04850384d1bca7ba6c623101d812d669cd8939423

data/lib/porkadot/assets/bootstrap/manifests/kube-apiserver.bootstrap.yaml.erb

@@ -12,6 +12,9 @@ metadata:
     <%- end -%>
 spec:
   hostNetwork: true
+  securityContext:
+    seccompProfile:
+      type: RuntimeDefault
   containers:
   - name: kube-apiserver
     resources:
@@ -23,6 +26,35 @@ spec:
     <%- k8s.apiserver.args(bootstrap: true).each do |k, v| -%>
     - <%= k %><% if v ;%>=<%= v %><%; end %>
     <%- end -%>
+    livenessProbe:
+      failureThreshold: 8
+      httpGet:
+        host: 127.0.0.1
+        path: /livez
+        port: 6443
+        scheme: HTTPS
+      initialDelaySeconds: 10
+      periodSeconds: 10
+      timeoutSeconds: 15
+    readinessProbe:
+      failureThreshold: 3
+      httpGet:
+        host: 127.0.0.1
+        path: /readyz
+        port: 6443
+        scheme: HTTPS
+      periodSeconds: 1
+      timeoutSeconds: 15
+    startupProbe:
+      failureThreshold: 24
+      httpGet:
+        host: 127.0.0.1
+        path: /livez
+        port: 6443
+        scheme: HTTPS
+      initialDelaySeconds: 10
+      periodSeconds: 10
+      timeoutSeconds: 15
     env:
     - name: POD_IP
       valueFrom:

data/lib/porkadot/assets/bootstrap/manifests/kube-controller-manager.bootstrap.yaml.erb

@@ -10,6 +10,9 @@ metadata:
     <%= k.to_s %>: <%= v %>
     <%- end -%>
 spec:
+  securityContext:
+    seccompProfile:
+      type: RuntimeDefault
   containers:
   - name: kube-controller-manager
     image: <%= k8s.image_repository %>/kube-controller-manager:<%= k8s.kubernetes_version %>
@@ -18,6 +21,26 @@ spec:
     <%- k8s.controller_manager.args(bootstrap: true).each do |k, v| -%>
     - <%= k %><% if v ;%>=<%= v %><%; end %>
     <%- end -%>
+    livenessProbe:
+      failureThreshold: 8
+      httpGet:
+        host: 127.0.0.1
+        path: /healthz
+        port: 10257
+        scheme: HTTPS
+      initialDelaySeconds: 10
+      periodSeconds: 10
+      timeoutSeconds: 15
+    startupProbe:
+      failureThreshold: 24
+      httpGet:
+        host: 127.0.0.1
+        path: /healthz
+        port: 10257
+        scheme: HTTPS
+      initialDelaySeconds: 10
+      periodSeconds: 10
+      timeoutSeconds: 15
     volumeMounts:
     - name: var-run-kubernetes
       mountPath: /var/run/kubernetes

data/lib/porkadot/assets/bootstrap/manifests/kube-scheduler.bootstrap.yaml.erb

@@ -10,6 +10,9 @@ metadata:
     <%= k.to_s %>: <%= v %>
     <%- end -%>
 spec:
+  securityContext:
+    seccompProfile:
+      type: RuntimeDefault
   containers:
   - name: kube-scheduler
     image: <%= k8s.image_repository %>/kube-scheduler:<%= k8s.kubernetes_version %>
@@ -18,6 +21,26 @@ spec:
     <%- k8s.scheduler.args(bootstrap: true).each do |k, v| -%>
     - <%= k %><% if v ;%>=<%= v %><%; end %>
     <%- end -%>
+    livenessProbe:
+      failureThreshold: 8
+      httpGet:
+        host: 127.0.0.1
+        path: /healthz
+        port: 10259
+        scheme: HTTPS
+      initialDelaySeconds: 10
+      periodSeconds: 10
+      timeoutSeconds: 15
+    startupProbe:
+      failureThreshold: 24
+      httpGet:
+        host: 127.0.0.1
+        path: /healthz
+        port: 10259
+        scheme: HTTPS
+      initialDelaySeconds: 10
+      periodSeconds: 10
+      timeoutSeconds: 15
     volumeMounts:
     - name: kubernetes
       mountPath: /etc/kubernetes

data/lib/porkadot/assets/kubelet/install-deps.sh.erb

@@ -37,3 +37,12 @@ chmod +x ${ETCD_TMP}/etcdctl
 rm -f /opt/bin/etcdctl
 mv ${ETCD_TMP}/etcdctl /opt/bin/etcdctl-${ETCD_VER}
 ln -s /opt/bin/etcdctl-${ETCD_VER} /opt/bin/etcdctl
+
+CRICTL_VER="<%= global_config.k8s.crictl_version %>"
+CRICTL_URL=https://github.com/kubernetes-sigs/cri-tools/releases/download/${CRICTL_VER}/crictl-${CRICTL_VER}-linux-${architecture}.tar.gz
+CRICTL_TMP=$(mktemp -d)
+curl -L ${CRICTL_URL} -o ${CRICTL_TMP}/crictl.tar.gz
+tar zxvf ${CRICTL_TMP}/crictl.tar.gz -C ${CRICTL_TMP}/
+rm -f /opt/bin/crictl
+mv ${CRICTL_TMP}/crictl /opt/bin/crictl-${CRICTL_VER}
+ln -s /opt/bin/crictl-${CRICTL_VER} /opt/bin/crictl

data/lib/porkadot/assets/kubelet/setup-containerd.sh.erb

@@ -5,6 +5,13 @@ ROOT=$(dirname "${BASH_SOURCE}")
 
 mkdir -p /etc/containerd
 containerd config default | tee /etc/containerd/config.toml
-sed -i -e "/containerd.runtimes.runc.options/a SystemdCgroup = true" /etc/containerd/config.toml
+
+grep SystemdCgroup /etc/containerd/config.toml && :
+
+if [[ $? == 0 ]]; then
+  sed -i -e "s/SystemdCgroup.*$/SystemdCgroup = true/" /etc/containerd/config.toml
+else
+  sed -i -e "/containerd.runtimes.runc.options/a SystemdCgroup = true" /etc/containerd/config.toml
+fi
 
 systemctl restart containerd

data/lib/porkadot/assets/kubelet-default/install.sh.erb

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -eu
+export LC_ALL=C
+ROOT=$(dirname "${BASH_SOURCE}")
+
+# Install addons
+for addon in $(ls ${ROOT}/addons/); do
+  install_sh="${ROOT}/addons/${addon}/install.sh"
+  if [[ -f ${install_sh} ]]; then
+    echo "Install: ${install_sh}"
+    bash ${install_sh}
+  fi
+done

data/lib/porkadot/assets/kubelet.rb

@@ -7,11 +7,13 @@ module Porkadot; module Assets
   class KubeletList
     attr_reader :global_config
     attr_reader :logger
+    attr_reader :kubelet_default
     attr_reader :kubelets
 
     def initialize global_config
       @global_config = global_config
       @logger = global_config.logger
+      @kubelet_default = KubeletDefault.new(global_config.kubelet_default)
       @kubelets = {}
       global_config.nodes.each do |k, config|
         @kubelets[k] = Kubelet.new(config)
@@ -19,6 +21,7 @@ module Porkadot; module Assets
     end
 
     def render
+      self.kubelet_default.render
       self.kubelets.each do |_, v|
         v.render
       end
@@ -29,6 +32,35 @@ module Porkadot; module Assets
     end
   end
 
+  class KubeletDefault
+    include Porkadot::Assets
+    TEMPLATE_DIR = File.join(File.dirname(__FILE__), "kubelet-default")
+
+    attr_reader :global_config
+    attr_reader :config
+    attr_reader :logger
+    attr_reader :certs
+
+    def initialize config
+      @config = config
+      @logger = config.logger
+      @global_config = config.config
+      @certs = Porkadot::Assets::Certs::Kubernetes.new(global_config)
+    end
+
+    def render
+      logger.info "--> Rendering Kubelet default configs"
+      unless File.directory?(config.addon_path)
+        FileUtils.mkdir_p(config.addon_path)
+      end
+      unless File.directory?(config.addon_secrets_path)
+        FileUtils.mkdir_p(config.addon_secrets_path)
+      end
+
+      render_erb 'install.sh'
+    end
+  end
+
   class Kubelet
     include Porkadot::Assets
     TEMPLATE_DIR = File.join(File.dirname(__FILE__), "kubelet")

data/lib/porkadot/assets/kubernetes/install.secrets.sh.erb

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+set -eu
+export LC_ALL=C
+ROOT=$(dirname "${BASH_SOURCE}")
+
+/opt/bin/kubectl apply -R -f ${ROOT}/manifests
+

data/lib/porkadot/assets/kubernetes/install.sh.erb

@@ -3,5 +3,12 @@
 set -eu
 export LC_ALL=C
 ROOT=$(dirname "${BASH_SOURCE}")
+KUBECTL_OPTS=${KUBECTL_OPTS:-""}
 
-/opt/bin/kubectl apply -f ${ROOT}/manifests/
+KUBECTL_OPTS="${KUBECTL_OPTS} --server-side --force-conflicts --prune"
+KUBECTL_OPTS="${KUBECTL_OPTS} -l kubernetes.unstable.cloud/installed-by=porkadot"
+<%- prune_allowlist.each do |a| -%>
+KUBECTL_OPTS="${KUBECTL_OPTS} --prune-whitelist=<%= a %>"
+<%- end -%>
+
+/opt/bin/kubectl apply ${KUBECTL_OPTS} -k ${ROOT}

data/lib/porkadot/assets/kubernetes/kustomization.yaml.erb

@@ -0,0 +1,7 @@
+# Modify this file if you want to kustomize generated manifests
+# This file will not be overridden by Porkadot.
+labels:
+- pairs:
+    'kubernetes.unstable.cloud/installed-by': 'porkadot'
+resources:
+- manifests

data/lib/porkadot/assets/kubernetes/manifests/{coredns.yaml.erb → addons/coredns/coredns.yaml.erb}

@@ -75,7 +75,7 @@ data:
             lameduck 5s
         }
         ready
-        kubernetes <%= k8s.networking.dns_domain %>  in-addr.arpa ip6.arpa {
+        kubernetes <%= k8s.networking.dns_domain %> <%= k8s.networking.additional_domains.join(" ") %> in-addr.arpa ip6.arpa {
             pods insecure
             fallthrough in-addr.arpa ip6.arpa
             ttl 30
@@ -193,6 +193,7 @@ metadata:
     kubernetes.io/cluster-service: "true"
     addonmanager.kubernetes.io/mode: Reconcile
     kubernetes.io/name: "CoreDNS"
+    app.kubernetes.io/name: kube-dns
 spec:
   selector:
     k8s-app: kube-dns

data/lib/porkadot/assets/kubernetes/manifests/{dns-horizontal-autoscaler.yaml.erb → addons/coredns/dns-horizontal-autoscaler.yaml.erb}

@@ -82,8 +82,6 @@ spec:
       securityContext:
         supplementalGroups: [ 65534 ]
         fsGroup: 65534
-      nodeSelector:
-        kubernetes.io/os: linux
       containers:
       - name: autoscaler
         image: k8s.gcr.io/cluster-proportional-autoscaler-amd64:1.7.1

data/lib/porkadot/assets/kubernetes/manifests/addons/coredns/kustomization.yaml.erb

@@ -0,0 +1,3 @@
+resources:
+- coredns.yaml
+- dns-horizontal-autoscaler.yaml

data/lib/porkadot/assets/kubernetes/manifests/{flannel.yaml.erb → addons/flannel/flannel.yaml.erb}

@@ -1,3 +1,5 @@
+<% cni = config.flannel -%>
+<% k8s = global_config.k8s -%>
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
@@ -125,9 +127,15 @@ data:
     }
   net-conf.json: |
     {
-      "Network": "<%= global_config.k8s.networking.pod_subnet %>",
+      <%- if k8s.networking.enable_ipv4 -%>
+      "Network": "<%= k8s.networking.pod_v4subnet %>",
+      <%- end -%>
+      <%- if k8s.networking.enable_ipv6 -%>
+      "EnableIPv6": true,
+      "IPv6Network": "<%= k8s.networking.pod_v6subnet %>",
+      <%- end -%>
       "Backend": {
-        "Type": "<%= global_config.cni.backend %>"
+        "Type": "<%= cni.backend %>"
       }
     }
 ---
@@ -165,8 +173,20 @@ spec:
         effect: NoSchedule
       serviceAccountName: flannel
       initContainers:
+      - name: install-cni-plugin
+       #image: flannelcni/flannel-cni-plugin:v1.0.1 for ppc64le and mips64le (dockerhub limitations may apply)
+        image: <%= cni.plugin_image_repository %>:<%= cni.plugin_image_tag %>
+        command:
+        - cp
+        args:
+        - -f
+        - /flannel
+        - /opt/cni/bin/flannel
+        volumeMounts:
+        - name: cni-plugin
+          mountPath: /opt/cni/bin
       - name: install-cni
-        image: quay.io/coreos/flannel:v0.14.0
+        image: <%= cni.daemon_image_repository %>:<%= cni.daemon_image_tag %>
         command:
         - cp
         args:
@@ -180,19 +200,14 @@ spec:
           mountPath: /etc/kube-flannel/
       containers:
       - name: kube-flannel
-        image: quay.io/coreos/flannel:v0.14.0
+        image: <%= cni.daemon_image_repository %>:<%= cni.daemon_image_tag %>
         command:
         - /opt/bin/flanneld
         args:
         - --ip-masq
         - --kube-subnet-mgr
         resources:
-          requests:
-            cpu: "100m"
-            memory: "50Mi"
-          limits:
-            cpu: "100m"
-            memory: "50Mi"
+<%= u.to_yaml(cni.resources, 10)%>
         securityContext:
           privileged: false
           capabilities:
@@ -211,13 +226,27 @@ spec:
           mountPath: /run/flannel
         - name: flannel-cfg
           mountPath: /etc/kube-flannel/
+        - name: ipam-data
+          mountPath: /var/lib/cni/networks
+        - name: xtables-lock
+          mountPath: /run/xtables.lock
       volumes:
       - name: run
         hostPath:
           path: /run/flannel
+      - name: cni-plugin
+        hostPath:
+          path: /opt/cni/bin
       - name: cni
         hostPath:
           path: /etc/cni/net.d
+      - name: ipam-data
+        hostPath:
+          path: /var/lib/cni/networks
       - name: flannel-cfg
         configMap:
           name: kube-flannel-cfg
+      - name: xtables-lock
+        hostPath:
+          path: /run/xtables.lock
+          type: FileOrCreate

data/lib/porkadot/assets/kubernetes/manifests/addons/flannel/kustomization.yaml.erb

@@ -0,0 +1,2 @@
+resources:
+- flannel.yaml

data/lib/porkadot/assets/kubernetes/manifests/{kubelet-rubber-stamp.yaml.erb → addons/kubelet-rubber-stamp/kubelet-rubber-stamp.yaml.erb}

@@ -24,7 +24,7 @@ spec:
         - name: kubelet-rubber-stamp
           # image: quay.io/kontena/kubelet-rubber-stamp-amd64:0.2
           # Use following image until issue is fixed
-          image: yuanying/kubelet-rubber-stamp:0.3.0.y01
+          image: ghcr.io/porkadot/kubelet-rubber-stamp:0.22.0
           args:
             - "--v=2"
           imagePullPolicy: Always

data/lib/porkadot/assets/kubernetes/manifests/addons/kubelet-rubber-stamp/kustomization.yaml.erb

@@ -0,0 +1,2 @@
+resources:
+- kubelet-rubber-stamp.yaml

data/lib/porkadot/assets/kubernetes/manifests/addons/kustomization.yaml.erb

@@ -0,0 +1,4 @@
+resources:
+<%- config.enabled.each do |a| -%>
+- <%= a %>
+<%- end %>

data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/kustomization.yaml.erb

@@ -0,0 +1,4 @@
+resources:
+- 000-metallb.yaml
+- metallb.config.yaml
+- metallb.yaml

data/lib/porkadot/assets/kubernetes/manifests/{metallb.config.yaml.erb → addons/metallb/metallb.config.yaml.erb}

@@ -1,4 +1,3 @@
-<% k8s = global_config.k8s -%>
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -9,5 +8,5 @@ metadata:
   namespace: metallb-system
 data:
   config: |
-<%= u.indent(global_config.lb.lb_config, 4) %>
+<%= u.indent(config.metallb.config, 4) %>
 

data/lib/porkadot/assets/kubernetes/manifests/addons/storage-version-migrator/kustomization.yaml.erb

@@ -0,0 +1,2 @@
+resources:
+- storage-version-migrator.yaml

data/lib/porkadot/assets/kubernetes/manifests/kube-apiserver.yaml.erb

@@ -24,6 +24,9 @@ spec:
       annotations:
         checkpointer.alpha.coreos.com/checkpoint: "true"
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - name: kube-apiserver
         resources:
@@ -35,6 +38,35 @@ spec:
         <%- k8s.apiserver.args.each do |k, v| -%>
         - <%= k %><% if v ;%>=<%= v %><%; end %>
         <%- end -%>
+        livenessProbe:
+          failureThreshold: 8
+          httpGet:
+            host: 127.0.0.1
+            path: /livez
+            port: 6443
+            scheme: HTTPS
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          timeoutSeconds: 15
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            host: 127.0.0.1
+            path: /readyz
+            port: 6443
+            scheme: HTTPS
+          periodSeconds: 1
+          timeoutSeconds: 15
+        startupProbe:
+          failureThreshold: 24
+          httpGet:
+            host: 127.0.0.1
+            path: /livez
+            port: 6443
+            scheme: HTTPS
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          timeoutSeconds: 15
         env:
         - name: POD_IP
           valueFrom:

data/lib/porkadot/assets/kubernetes/manifests/kube-controller-manager.yaml.erb

@@ -1,6 +1,6 @@
 <% k8s = global_config.k8s -%>
 ---
-apiVersion: policy/v1beta1
+apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
   name: kube-controller-manager
@@ -69,6 +69,11 @@ spec:
       annotations:
         scheduler.alpha.kubernetes.io/critical-pod: ''
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+        runAsNonRoot: true
+        runAsUser: 65534
       affinity:
         podAntiAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:
@@ -97,10 +102,22 @@ spec:
         - <%= k %><% if v ;%>=<%= v %><%; end %>
         <%- end -%>
         livenessProbe:
+          failureThreshold: 8
           httpGet:
             path: /healthz
-            port: 10252  # Note: Using default port. Update if --port option is set differently.
-          initialDelaySeconds: 15
+            port: 10257
+            scheme: HTTPS
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          timeoutSeconds: 15
+        startupProbe:
+          failureThreshold: 24
+          httpGet:
+            path: /healthz
+            port: 10257
+            scheme: HTTPS
+          initialDelaySeconds: 10
+          periodSeconds: 10
           timeoutSeconds: 15
         volumeMounts:
         - name: var-run-kubernetes
@@ -122,9 +139,6 @@ spec:
       priorityClassName: system-cluster-critical
       nodeSelector:
         k8s.unstable.cloud/master: ""
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 65534
       serviceAccountName: kube-controller-manager
       tolerations:
       - key: CriticalAddonsOnly

data/lib/porkadot/assets/kubernetes/manifests/kube-scheduler.yaml.erb

@@ -1,6 +1,6 @@
 <% k8s = global_config.k8s -%>
 ---
-apiVersion: policy/v1beta1
+apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
   name: kube-scheduler
@@ -113,6 +113,11 @@ spec:
       annotations:
         scheduler.alpha.kubernetes.io/critical-pod: ''
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+        runAsNonRoot: true
+        runAsUser: 65534
       affinity:
         podAntiAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:
@@ -141,17 +146,26 @@ spec:
         - <%= k %><% if v ;%>=<%= v %><%; end %>
         <%- end -%>
         livenessProbe:
+          failureThreshold: 8
           httpGet:
             path: /healthz
-            port: 10251  # Note: Using default port. Update if --port option is set differently.
-          initialDelaySeconds: 15
+            port: 10259
+            scheme: HTTPS
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          timeoutSeconds: 15
+        startupProbe:
+          failureThreshold: 24
+          httpGet:
+            path: /healthz
+            port: 10259
+            scheme: HTTPS
+          initialDelaySeconds: 10
+          periodSeconds: 10
           timeoutSeconds: 15
       priorityClassName: system-cluster-critical
       nodeSelector:
         k8s.unstable.cloud/master: ""
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 65534
       serviceAccountName: kube-scheduler
       tolerations:
       - key: CriticalAddonsOnly

data/lib/porkadot/assets/kubernetes/manifests/kubelet.yaml.erb

@@ -15,7 +15,6 @@ roleRef:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: auto-approve-csrs-for-group
   name: porkadot:node-autoapprove-bootstrap
 subjects:
 - kind: Group

data/lib/porkadot/assets/kubernetes/manifests/kustomization.yaml.erb

@@ -0,0 +1,8 @@
+resources:
+- addons
+- kube-apiserver.yaml
+- kube-controller-manager.yaml
+- kube-proxy.yaml
+- kube-scheduler.yaml
+- kubelet.yaml
+- porkadot.yaml

data/lib/porkadot/assets/kubernetes.rb

@@ -17,34 +17,109 @@ module Porkadot; module Assets
 
     def render
       logger.info "--> Rendering kubernetes manifests"
-      unless File.directory?(config.manifests_path)
-        FileUtils.mkdir_p(config.manifests_path)
-      end
-      unless File.directory?(config.manifests_secrets_path)
-        FileUtils.mkdir_p(config.manifests_secrets_path)
-      end
-      lb = global_config.lb
-      cni = global_config.cni
       render_erb 'manifests/porkadot.yaml'
       render_erb 'manifests/kubelet.yaml'
-      render_erb "manifests/000-#{lb.type}.yaml"
-      render_erb "manifests/#{lb.type}.yaml"
-      render_erb "manifests/#{lb.type}.config.yaml"
-      render_secrets_erb "manifests/#{lb.type}.secrets.yaml"
-      render_erb "manifests/#{cni.type}.yaml"
-      render_erb "manifests/coredns.yaml"
-      render_erb "manifests/dns-horizontal-autoscaler.yaml"
       render_erb "manifests/kube-apiserver.yaml"
       render_secrets_erb "manifests/kube-apiserver.secrets.yaml"
       render_erb "manifests/kube-proxy.yaml"
       render_erb "manifests/kube-scheduler.yaml"
       render_erb "manifests/kube-controller-manager.yaml"
       render_secrets_erb "manifests/kube-controller-manager.secrets.yaml"
-      render_erb "manifests/kubelet-rubber-stamp.yaml"
-      render_erb "manifests/storage-version-migrator.yaml"
       render_secrets_erb "kubeconfig.yaml"
-      render_erb 'install.sh'
+      render_erb 'manifests/kustomization.yaml'
+      render_erb 'kustomization.yaml', force: false
+      render_erb 'install.sh', prune_allowlist: prune_allowlist
+      render_secrets_erb 'install.secrets.sh'
+
+      addons = Addons.new(global_config)
+      addons.render
+    end
+
+    def prune_allowlist
+      return %w[
+        apiextensions.k8s.io/v1/customresourcedefinition
+        apps/v1/daemonset
+        apps/v1/deployment
+        core/v1/configmap
+        core/v1/namespace
+        core/v1/service
+        core/v1/serviceaccount
+        policy/v1/poddisruptionbudget
+        policy/v1beta1/podsecuritypolicy
+        rbac.authorization.k8s.io/v1/clusterrole
+        rbac.authorization.k8s.io/v1/clusterrolebinding
+        rbac.authorization.k8s.io/v1/role
+        rbac.authorization.k8s.io/v1/rolebinding
+      ]
     end
+  end
+
+  class Addons
+    include Porkadot::Assets
+    TEMPLATE_DIR = File.join(File.dirname(__FILE__), "kubernetes", "manifests", "addons")
+    attr_reader :global_config
+    attr_reader :config
+    attr_reader :logger
+
+    def initialize global_config
+      @global_config = global_config
+      @config = global_config.addons
+      @logger = global_config.logger
+    end
+
+    def render
+      logger.info "--> Rendering kubernetes addons"
+      render_erb "kustomization.yaml"
+
+      self.config.enabled.each do |name|
+        manifests = @@manifests[name]
+        manifests.each do |m|
+          render_erb(m)
+        end
+        secrets = @@secrets_manifests[name]
+        secrets.each do |m|
+          render_secrets_erb(m)
+        end
+      end
+    end
+
+    def self.register_manifests name, manifests, secrets: []
+      @@manifests ||= {}
+      @@manifests[name] = manifests
+      @@secrets_manifests ||= {}
+      @@secrets_manifests[name] = secrets
+    end
+
+    register_manifests('flannel', [
+      'flannel/flannel.yaml',
+      'flannel/kustomization.yaml'
+    ])
+
+    register_manifests('coredns', [
+      'coredns/coredns.yaml',
+      'coredns/dns-horizontal-autoscaler.yaml',
+      'coredns/kustomization.yaml'
+    ])
+
+    register_manifests('metallb', [
+      'metallb/000-metallb.yaml',
+      'metallb/metallb.yaml',
+      'metallb/metallb.config.yaml',
+      'metallb/kustomization.yaml'
+    ], secrets: [
+      'metallb/metallb.secrets.yaml'
+    ])
+
+
+    register_manifests('kubelet-rubber-stamp', [
+      'kubelet-rubber-stamp/kubelet-rubber-stamp.yaml',
+      'kubelet-rubber-stamp/kustomization.yaml'
+    ])
+
+    register_manifests('storage-version-migrator', [
+      'storage-version-migrator/storage-version-migrator.yaml',
+      'storage-version-migrator/kustomization.yaml'
+    ])
 
   end
 end; end

data/lib/porkadot/assets.rb

@@ -15,7 +15,7 @@ module Porkadot::Assets
     end
   end
 
-  def render_erb file, opts={}
+  def render_erb file, **opts
     file = file.to_s
     opts[:config] = self.config
     opts[:global_config] = self.global_config
@@ -23,8 +23,15 @@ module Porkadot::Assets
     opts[:u] = ErbUtils.new
 
     logger.info "----> #{file}"
+    asset = config.asset_path(file)
+    if opts[:force] != nil && File.file?(asset)
+      logger.debug "------> Already exists: skipping #{file}"
+      return
+    end
+    asset_dir = File.dirname(asset)
+    FileUtils.mkdir_p(asset_dir) unless File.directory?(asset_dir)
     open(File.join(self.class::TEMPLATE_DIR, "#{file}.erb")) do |io|
-      open(config.asset_path(file), 'w') do |out|
+      open(asset, 'w') do |out|
         out.write ERB.new(io.read, trim_mode: '-').result_with_hash(opts)
       end
     end
@@ -38,8 +45,11 @@ module Porkadot::Assets
     opts[:u] = ErbUtils.new
 
     logger.info "----> #{file}"
+    secret = config.secrets_path(file)
+    secret_dir = File.dirname(secret)
+    FileUtils.mkdir_p(secret_dir) unless File.directory?(secret_dir)
     open(File.join(self.class::TEMPLATE_DIR, "#{file}.erb")) do |io|
-      open(config.secrets_path(file), 'w') do |out|
+      open(secret, 'w') do |out|
         out.write ERB.new(io.read, trim_mode: '-').result_with_hash(opts)
       end
     end

data/lib/porkadot/cmd/cli.rb

@@ -29,6 +29,22 @@ module Porkadot; module Cmd
       ""
     end
 
+    desc "setup-node", "Setup node default settings"
+    option :node, type: :string
+    option :force, type: :boolean, default: false
+    def setup_node
+      logger.info "Setup node default"
+      kubelets = Porkadot::Install::KubeletList.new(self.config)
+      nodes = []
+      if node = options[:node]
+        nodes = kubelets[node]
+      else
+        nodes = kubelets.kubelets.values
+      end
+      kubelets.setup_default hosts: nodes, force: options[:force]
+      ""
+    end
+
     desc "set-config", "Set cluster to kubeconfig"
     def set_config
       name = config.k8s.cluster_name

data/lib/porkadot/cmd/install.rb

@@ -26,6 +26,21 @@ module Porkadot; module Cmd; module Install
       ""
     end
 
+    desc "kubernetes", "Install kubernetes"
+    option :node, type: :string
+    def kubernetes
+      logger.info "Installing kubernetes"
+      kubelets = Porkadot::Install::KubeletList.new(self.config)
+      if node = options[:node]
+        nodes = kubelets[node]
+      else
+        nodes = Porkadot::Install::Bootstrap.new(self.config).host
+      end
+      k8s = Porkadot::Install::Kubernetes.new(self.config)
+      k8s.install(nodes)
+      ""
+    end
+
     desc "bootstrap", "Install bootstrap components"
     subcommand "bootstrap", Porkadot::Cmd::Install::Bootstrap::Cli
 

data/lib/porkadot/config.rb

@@ -31,16 +31,15 @@ module Porkadot
       self.raw.connection
     end
 
+    def addons
+      @addons ||= Porkadot::Configs::Addons.new(self)
+    end
+
     def lb
       @lb ||= Porkadot::Configs::Lb.new(self)
       return @lb
     end
 
-    def cni
-      @cni ||= Porkadot::Configs::Cni.new(self)
-      return @cni
-    end
-
     def bootstrap
       @bootstrap ||= Porkadot::Configs::Bootstrap.new(self)
       return @bootstrap
@@ -57,6 +56,11 @@ module Porkadot
       return @etcd
     end
 
+    def kubelet_default
+      @kubelet_default ||= Porkadot::Configs::KubeletDefault.new(self)
+      return @kubelet_default
+    end
+
     def nodes
       @nodes ||= {}.tap do |nodes|
         self.raw.nodes.each do |k, v|

data/lib/porkadot/configs/addons.rb

@@ -0,0 +1,21 @@
+
+module Porkadot; module Configs
+  class Addons
+    include Porkadot::ConfigUtils
+
+    def initialize config
+      @config = config
+      @raw = config.raw.addons
+    end
+
+    def target_path
+      File.join(self.config.assets_dir, 'kubernetes', 'manifests', 'addons')
+    end
+
+    def target_secrets_path
+      File.join(self.config.secrets_root_dir, 'kubernetes', 'manifests', 'addons')
+    end
+
+  end
+end; end
+

data/lib/porkadot/configs/kubelet.rb

@@ -1,4 +1,30 @@
 module Porkadot; module Configs
+  class KubeletDefault
+    include Porkadot::ConfigUtils
+
+    def initialize config
+      @config = config
+      @raw = ::Porkadot::Raw.new
+    end
+
+    def target_path
+      File.join(self.config.assets_dir, 'kubelet-default')
+    end
+
+    def target_secrets_path
+      File.join(self.config.secrets_root_dir, 'kubelet-default')
+    end
+
+    def addon_path
+      File.join(self.target_path, 'addons')
+    end
+
+    def addon_secrets_path
+      File.join(self.target_secrets_path, 'addons')
+    end
+
+  end
+
   class Kubelet
     include Porkadot::ConfigUtils
     attr_reader :name

data/lib/porkadot/configs/kubernetes.rb

@@ -1,4 +1,3 @@
-
 module Porkadot; module Configs
   class Kubernetes
     include Porkadot::ConfigUtils
@@ -35,10 +34,6 @@ module Porkadot; module Configs
       File.join(self.target_path, 'manifests')
     end
 
-    def manifests_secrets_path
-      File.join(self.target_secrets_path, 'manifests')
-    end
-
     def control_plane_endpoint_host_and_port
       endpoint = self.config.k8s.control_plane_endpoint
       raise "kubernetes.control_plane_endpoint should not be nil" unless endpoint
@@ -196,9 +191,9 @@ module Porkadot; module Configs
           --cluster-signing-key-file=/etc/kubernetes/pki/kubernetes/ca.key
           --controllers=*,bootstrapsigner,tokencleaner
           --leader-elect=true
-          --node-cidr-mask-size=24
           --root-ca-file=/etc/kubernetes/pki/kubernetes/ca.crt
           --service-account-private-key-file=/etc/kubernetes/pki/kubernetes/sa.key
+          --service-cluster-ip-range=#{config.k8s.networking.service_subnet}
           --use-service-account-credentials=true
           --v=#{self.log_level}
         ).map {|i| i.split('=', 2)}.to_h
@@ -249,13 +244,35 @@ module Porkadot; module Configs
       end
 
       def kubernetes_ip
-        cluster_ip_range = IPAddr.new(self.service_subnet)
-        cluster_ip_range.to_range.first(2)[1].to_s
+        cluster_ip_range = IPAddr.new(self.default_service_subnet)
+        cluster_ip_range.to_range.first(2)[1]
       end
 
       def dns_ip
-        cluster_ip_range = IPAddr.new(self.service_subnet)
-        cluster_ip_range.to_range.first(11)[10].to_s
+        cluster_ip_range = IPAddr.new(self.default_service_subnet)
+        cluster_ip_range.to_range.first(11)[10]
+      end
+
+      def default_service_subnet
+        self.service_subnet.split(',')[0]
+      end
+
+      def pod_v4subnet
+        if ip = self._pod_subnet.find{ |net| net.ipv4? }
+          return "#{ip.to_s}/#{ip.prefix}"
+        end
+      end
+      alias enable_ipv4 pod_v4subnet
+
+      def pod_v6subnet
+        if ip = self._pod_subnet.find{ |net| net.ipv6? }
+          return "#{ip.to_s}/#{ip.prefix}"
+        end
+      end
+      alias enable_ipv6 pod_v6subnet
+
+      def _pod_subnet
+        self.pod_subnet.split(",").map{|net| IPAddr.new(net)}
       end
     end
   end

data/lib/porkadot/default.yaml

@@ -10,13 +10,25 @@ nodes: {}
 
 bootstrap: {}
 
-cni:
-  type: flannel
+addons:
+  enabled: [flannel, coredns, metallb, kubelet-rubber-stamp, storage-version-migrator]
+
   flannel:
     backend: vxlan
+    plugin_image_repository: rancher/mirrored-flannelcni-flannel-cni-plugin
+    plugin_image_tag: v1.0.1
+    daemon_image_repository: rancher/mirrored-flannelcni-flannel
+    daemon_image_tag: v0.17.0
+    resources:
+      requests:
+        cpu: "100m"
+        memory: "50Mi"
+      limits:
+        cpu: "100m"
+        memory: "50Mi"
+
+  coredns: {}
 
-lb:
-  type: metallb
   metallb:
     config: |
       address-pools:
@@ -25,20 +37,26 @@ lb:
         addresses:
         - 192.168.1.240-192.168.1.250
 
+  kubelet-rubber-stamp: {}
+
+  storage-version-migrator: {}
+
 etcd:
   image_repository: gcr.io/etcd-development/etcd
   image_tag: v3.4.13
   extra_env: []
 
 kubernetes:
-  kubernetes_version: v1.21.3
+  kubernetes_version: v1.22.8
+  crictl_version: v1.22.0
   image_repository: k8s.gcr.io
 
   networking:
-    cni_version: v0.8.2
+    cni_version: v1.0.1
     service_subnet: '10.254.0.0/24'
     pod_subnet: '10.244.0.0/16'
     dns_domain: 'cluster.local'
+    additional_domains: []
 
   apiserver:
     bind_port: 6443

data/lib/porkadot/install/kubelet.rb

@@ -2,6 +2,7 @@ module Porkadot; module Install
   class KubeletList
     KUBE_TEMP = File.join(Porkadot::Install::KUBE_TEMP, 'kubelet')
     KUBE_SECRETS_TEMP = File.join(Porkadot::Install::KUBE_TEMP, '.kubelet')
+    KUBE_DEFAULT_TEMP = File.join(Porkadot::Install::KUBE_TEMP, '.default')
     include SSHKit::DSL
     attr_reader :global_config
     attr_reader :logger
@@ -40,6 +41,30 @@ module Porkadot; module Install
       end
     end
 
+    def setup_default hosts: nil, force: false
+      unless hosts
+        hosts = []
+        self.kubelets.each do |_, v|
+          hosts << v
+        end
+      end
+
+      on(hosts) do |host|
+        execute(:mkdir, '-p', Porkadot::Install::KUBE_TEMP)
+        if test("[ -d #{KUBE_TEMP} ]")
+          execute(:rm, '-rf', KUBE_TEMP)
+          execute(:rm, '-rf', KUBE_SECRETS_TEMP)
+        end
+        upload! host.global_config.kubelet_default.target_path, KUBE_TEMP, recursive: true
+        upload! host.global_config.kubelet_default.target_secrets_path, KUBE_SECRETS_TEMP, recursive: true
+        execute(:cp, '-r', KUBE_SECRETS_TEMP + '/*', KUBE_TEMP)
+
+        as user: 'root' do
+          execute(:bash, File.join(KUBE_TEMP, 'install.sh'))
+        end
+      end
+    end
+
     def install hosts: nil, force: false
       unless hosts
         hosts = []

data/lib/porkadot/install/kubernetes.rb

@@ -24,10 +24,10 @@ module Porkadot; module Install
         end
         upload! config.target_path, KUBE_TEMP, recursive: true
         upload! config.target_secrets_path, KUBE_SECRETS_TEMP, recursive: true
-        execute(:cp, '-r', KUBE_SECRETS_TEMP + '/*', KUBE_TEMP)
 
         # as user: 'root' do
-        with KUBECONFIG: File.join(KUBE_TEMP, 'kubeconfig.yaml') do
+        with KUBECONFIG: File.join(KUBE_SECRETS_TEMP, 'kubeconfig.yaml') do
+          execute(:bash, File.join(KUBE_SECRETS_TEMP, 'install.secrets.sh'))
           execute(:bash, File.join(KUBE_TEMP, 'install.sh'))
         end
       end

data/lib/porkadot/version.rb

@@ -1,3 +1,3 @@
 module Porkadot
-  VERSION = "0.21.0"
+  VERSION = "0.22.2"
 end

data/lib/porkadot.rb

@@ -20,8 +20,7 @@ require 'porkadot/configs/kubernetes'
 require 'porkadot/configs/etcd'
 require 'porkadot/configs/bootstrap'
 require 'porkadot/configs/kubernetes'
-require 'porkadot/configs/loadbalancer'
-require 'porkadot/configs/cni'
+require 'porkadot/configs/addons'
 
 require 'porkadot/assets/certs'
 require 'porkadot/assets/kubelet'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: porkadot
 version: !ruby/object:Gem::Version
-  version: 0.21.0
+  version: 0.22.2
 platform: ruby
 authors:
 - OTSUKA, Yuanying
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-07-25 00:00:00.000000000 Z
+date: 2022-04-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -133,6 +133,7 @@ files:
 - lib/porkadot/assets/etcd.rb
 - lib/porkadot/assets/etcd/etcd-server.yaml.erb
 - lib/porkadot/assets/etcd/install.sh.erb
+- lib/porkadot/assets/kubelet-default/install.sh.erb
 - lib/porkadot/assets/kubelet.rb
 - lib/porkadot/assets/kubelet/bootstrap-kubelet.conf.erb
 - lib/porkadot/assets/kubelet/config.yaml.erb
@@ -142,25 +143,34 @@ files:
 - lib/porkadot/assets/kubelet/kubelet.service.erb
 - lib/porkadot/assets/kubelet/setup-containerd.sh.erb
 - lib/porkadot/assets/kubernetes.rb
+- lib/porkadot/assets/kubernetes/install.secrets.sh.erb
 - lib/porkadot/assets/kubernetes/install.sh.erb
 - lib/porkadot/assets/kubernetes/kubeconfig.yaml.erb
-- lib/porkadot/assets/kubernetes/manifests/000-metallb.yaml.erb
-- lib/porkadot/assets/kubernetes/manifests/coredns.yaml.erb
-- lib/porkadot/assets/kubernetes/manifests/dns-horizontal-autoscaler.yaml.erb
-- lib/porkadot/assets/kubernetes/manifests/flannel.yaml.erb
+- lib/porkadot/assets/kubernetes/kustomization.yaml.erb
+- lib/porkadot/assets/kubernetes/manifests/addons/coredns/coredns.yaml.erb
+- lib/porkadot/assets/kubernetes/manifests/addons/coredns/dns-horizontal-autoscaler.yaml.erb
+- lib/porkadot/assets/kubernetes/manifests/addons/coredns/kustomization.yaml.erb
+- lib/porkadot/assets/kubernetes/manifests/addons/flannel/flannel.yaml.erb
+- lib/porkadot/assets/kubernetes/manifests/addons/flannel/kustomization.yaml.erb
+- lib/porkadot/assets/kubernetes/manifests/addons/kubelet-rubber-stamp/kubelet-rubber-stamp.yaml.erb
+- lib/porkadot/assets/kubernetes/manifests/addons/kubelet-rubber-stamp/kustomization.yaml.erb
+- lib/porkadot/assets/kubernetes/manifests/addons/kustomization.yaml.erb
+- lib/porkadot/assets/kubernetes/manifests/addons/metallb/000-metallb.yaml.erb
+- lib/porkadot/assets/kubernetes/manifests/addons/metallb/kustomization.yaml.erb
+- lib/porkadot/assets/kubernetes/manifests/addons/metallb/metallb.config.yaml.erb
+- lib/porkadot/assets/kubernetes/manifests/addons/metallb/metallb.secrets.yaml.erb
+- lib/porkadot/assets/kubernetes/manifests/addons/metallb/metallb.yaml.erb
+- lib/porkadot/assets/kubernetes/manifests/addons/storage-version-migrator/kustomization.yaml.erb
+- lib/porkadot/assets/kubernetes/manifests/addons/storage-version-migrator/storage-version-migrator.yaml.erb
 - lib/porkadot/assets/kubernetes/manifests/kube-apiserver.secrets.yaml.erb
 - lib/porkadot/assets/kubernetes/manifests/kube-apiserver.yaml.erb
 - lib/porkadot/assets/kubernetes/manifests/kube-controller-manager.secrets.yaml.erb
 - lib/porkadot/assets/kubernetes/manifests/kube-controller-manager.yaml.erb
 - lib/porkadot/assets/kubernetes/manifests/kube-proxy.yaml.erb
 - lib/porkadot/assets/kubernetes/manifests/kube-scheduler.yaml.erb
-- lib/porkadot/assets/kubernetes/manifests/kubelet-rubber-stamp.yaml.erb
 - lib/porkadot/assets/kubernetes/manifests/kubelet.yaml.erb
-- lib/porkadot/assets/kubernetes/manifests/metallb.config.yaml.erb
-- lib/porkadot/assets/kubernetes/manifests/metallb.secrets.yaml.erb
-- lib/porkadot/assets/kubernetes/manifests/metallb.yaml.erb
+- lib/porkadot/assets/kubernetes/manifests/kustomization.yaml.erb
 - lib/porkadot/assets/kubernetes/manifests/porkadot.yaml.erb
-- lib/porkadot/assets/kubernetes/manifests/storage-version-migrator.yaml.erb
 - lib/porkadot/cmd.rb
 - lib/porkadot/cmd/cli.rb
 - lib/porkadot/cmd/install.rb
@@ -168,16 +178,15 @@ files:
 - lib/porkadot/cmd/render.rb
 - lib/porkadot/cmd/render/certs.rb
 - lib/porkadot/config.rb
+- lib/porkadot/configs/addons.rb
 - lib/porkadot/configs/bootstrap.rb
 - lib/porkadot/configs/certs.rb
 - lib/porkadot/configs/certs/etcd.rb
 - lib/porkadot/configs/certs/front_proxy.rb
 - lib/porkadot/configs/certs/k8s.rb
-- lib/porkadot/configs/cni.rb
 - lib/porkadot/configs/etcd.rb
 - lib/porkadot/configs/kubelet.rb
 - lib/porkadot/configs/kubernetes.rb
-- lib/porkadot/configs/loadbalancer.rb
 - lib/porkadot/const.rb
 - lib/porkadot/default.yaml
 - lib/porkadot/install/base.rb

data/lib/porkadot/configs/cni.rb

@@ -1,22 +0,0 @@
-
-module Porkadot; module Configs
-  class Cni
-    include Porkadot::ConfigUtils
-    attr_reader :type
-
-    def initialize config
-      @config = config
-      @type = config.raw.cni.type
-      @raw = config.raw.cni.send(config.raw.cni.type.to_sym)
-    end
-
-    def target_path
-      File.join(self.config.assets_dir, 'kubernetes')
-    end
-
-    def manifests_path
-      File.join(self.target_path, 'manifests')
-    end
-
-  end
-end; end

data/lib/porkadot/configs/loadbalancer.rb

@@ -1,26 +0,0 @@
-
-module Porkadot; module Configs
-  class Lb
-    include Porkadot::ConfigUtils
-    attr_reader :type
-
-    def initialize config
-      @config = config
-      @type = config.raw.lb.type
-      @raw = config.raw.lb.send(config.raw.lb.type.to_sym)
-    end
-
-    def target_path
-      File.join(self.config.assets_dir, 'kubernetes')
-    end
-
-    def manifests_path
-      File.join(self.target_path, 'manifests')
-    end
-
-    def lb_config
-      return self.raw.config
-    end
-
-  end
-end; end