RubyGems - porkadot - Versions diffs - 0.23.0 → 0.25.0 - Mend

porkadot 0.23.0 → 0.25.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (48) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8e2a062cd96fa6e9c56b2fd70f7d0dd4709265e1b5cf58057048cc19bf46868e
-  data.tar.gz: 4a18c93e458b1a822fe35b73d7af0b12804d4d4c174cbb8a3efc0daf30bbbc1e
+  metadata.gz: 91ee01d34fb9504cf2c2da60cc375102d212a88adfa83d5335ba07efaf1dc126
+  data.tar.gz: 88cc5cf3c93e0bf12d41a558a1d92e2fb62a86ea7824282e55d2eb66c9fc029b
 SHA512:
-  metadata.gz: fef441fe9dc698fa5e993ae9b7d5a4e6270590aa2f8fcdbb3bca4601266faed8d6b5c96f545d3347716915bdbe0f78ebc1898caef201c1be50cc006955dec44d
-  data.tar.gz: a7bfadba85de2c3d631ebab8f74c4afaa75fcfdabeccbae6d20d4f23e2817185efc7d4174d4e901e19da8dbabcf4bdf522e12706dbc025113e6b0480d9b32826
+  metadata.gz: ad4c075b775c38030b2f96a32d09a2a28a3eb10eba0c4bb96109ee997a3c26d4c3e11ef3e37dbffc41f3c63d158668242a14493002ec2bcc9b7485886eb2b62b
+  data.tar.gz: ae0f9beb775bea1601fc7189a5aff026592c88567bf5dc9be32a82068849d48da451c06fd0c56c7250c371a4ff4110d92187c00a6257a9df199751e1e6c1328d

data/hack/metallb/crds/kustomization.yaml ADDED Viewed

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- https://github.com/metallb/metallb/config/crd/?ref=v0.13.9

data/hack/metallb/exclude-l2-config.yaml ADDED Viewed

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: metallb-excludel2
+  namespace: metallb-system
+data:
+  excludel2.yaml: |
+    announcedInterfacesToExclude: ["docker.*", "cbr.*", "dummy.*", "virbr.*", "lxcbr.*", "veth.*", "lo", "^cali.*", "^tunl.*", "flannel.*", "kube-ipvs.*", "cni.*", "^nodelocaldns.*"]

data/hack/metallb/kustomization.yaml ADDED Viewed

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: metallb-system
+resources:
+- https://github.com/metallb/metallb/config/rbac/?ref=v0.13.9
+- https://github.com/metallb/metallb/config/controllers/?ref=v0.13.9
+- https://github.com/metallb/metallb/config/webhook/?ref=v0.13.9
+- exclude-l2-config.yaml

data/hack/update-kubelet-cert-approver.sh ADDED Viewed

@@ -0,0 +1,6 @@
+#!/bin/bash
+ROOT=$(dirname "${BASH_SOURCE}")/..
+ROOT=$(cd ${ROOT} && pwd)
+curl -L https://github.com/alex1989hu/kubelet-serving-cert-approver/raw/main/deploy/standalone-install.yaml > ${ROOT}/lib/porkadot/assets/kubernetes/manifests/addons/kubelet-serving-cert-approver/src.yaml.erb

data/hack/update-metallb.sh ADDED Viewed

@@ -0,0 +1,7 @@
+#!/bin/bash
+ROOT=$(dirname "${BASH_SOURCE}")/..
+ROOT=$(cd ${ROOT} && pwd)
+kubectl kustomize ${ROOT}/hack/metallb/crds > ${ROOT}/lib/porkadot/assets/kubernetes/manifests/addons/metallb/crds.yaml
+kubectl kustomize ${ROOT}/hack/metallb > ${ROOT}/lib/porkadot/assets/kubernetes/manifests/addons/metallb/metallb.yaml.erb

data/lib/porkadot/assets/bootstrap/manifests/kube-apiserver.bootstrap.yaml.erb CHANGED Viewed

@@ -46,7 +46,7 @@ spec:
       periodSeconds: 1
       timeoutSeconds: 15
     startupProbe:
-      failureThreshold: 24
+      failureThreshold: 48
       httpGet:
         host: 127.0.0.1
         path: /livez

data/lib/porkadot/assets/etcd/etcd-server.yaml.erb CHANGED Viewed

@@ -13,23 +13,27 @@ spec:
     image: <%= etcd.image_repository %>:<%= etcd.image_tag %>
     command:
     - /usr/local/bin/etcd
-    - --name=<%= config.member_name %>
     - --advertise-client-urls=<%= config.advertise_client_urls.join(',') %>
+    - --cert-file=/etc/etcd/pki/etcd.crt
+    - --client-cert-auth=true
+    - --data-dir=/var/lib/etcd
+    - --election-timeout=10000
+    - --experimental-initial-corrupt-check=true
+    - --experimental-watch-progress-notify-interval=5s
+    - --heartbeat-interval=1000
     - --initial-advertise-peer-urls=<%= config.advertise_peer_urls.join(',') %>
     - --initial-cluster=<%= config.initial_cluster.map{|k,v| "#{k}=#{v}"}.join(',') %>
+    - --key-file=/etc/etcd/pki/etcd.key
     - --listen-client-urls=<%= config.listen_client_urls.join(',') %>
     - --listen-peer-urls=<%= config.listen_peer_urls.join(',') %>
-    - --client-cert-auth=true
-    - --cert-file=/etc/etcd/pki/etcd.crt
-    - --key-file=/etc/etcd/pki/etcd.key
-    - --trusted-ca-file=/etc/etcd/pki/ca.crt
-    - --peer-client-cert-auth=true
+    - --listen-metrics-urls=<%= config.listen_metrics_urls.join(',') %>
+    - --name=<%= config.member_name %>
     - --peer-cert-file=/etc/etcd/pki/etcd.crt
+    - --peer-client-cert-auth=true
     - --peer-key-file=/etc/etcd/pki/etcd.key
     - --peer-trusted-ca-file=/etc/etcd/pki/ca.crt
-    - --data-dir=/var/lib/etcd
-    - --heartbeat-interval=1000
-    - --election-timeout=10000
+    - --snapshot-count=10000
+    - --trusted-ca-file=/etc/etcd/pki/ca.crt
     env:
 <%= u.to_yaml(etcd.extra_env, 4) -%>
     volumeMounts:
@@ -44,6 +48,10 @@ spec:
     - mountPath: /etc/etcd/pki
       name: etcd-certs-host
       readOnly: true
+  priorityClassName: system-node-critical
+  securityContext:
+    seccompProfile:
+      type: RuntimeDefault
   volumes:
   - hostPath:
       path: /var/lib/etcd

data/lib/porkadot/assets/etcd/etcd.env.erb ADDED Viewed

@@ -0,0 +1,4 @@
+export ETCDCTL_CACERT=/etc/etcd/pki/ca.crt
+export ETCDCTL_CERT=/etc/etcd/pki/etcd.crt
+export ETCDCTL_KEY=/etc/etcd/pki/etcd.key
+export ETCDCTL_ENDPOINTS=https://127.0.0.1:2379

data/lib/porkadot/assets/etcd/install.sh.erb CHANGED Viewed

@@ -8,5 +8,6 @@ mkdir -p /etc/etcd/pki
 cp ${ROOT}/etcd.crt /etc/etcd/pki/
 cp ${ROOT}/etcd.key /etc/etcd/pki/
 cp ${ROOT}/ca.crt /etc/etcd/pki/
+cp ${ROOT}/etcd.env /etc/etcd/
 mkdir -p /etc/kubernetes/manifests
 cp ${ROOT}/etcd-server.yaml /etc/kubernetes/manifests/

data/lib/porkadot/assets/etcd.rb CHANGED Viewed

@@ -56,6 +56,7 @@ module Porkadot; module Assets
       render_ca_crt
       render_etcd_crt
       render_erb 'etcd-server.yaml', etcd: global_config.etcd
+      render_erb 'etcd.env', etcd: global_config.etcd
       render_erb 'install.sh', etcd: global_config.etcd
     end

data/lib/porkadot/assets/kubelet/config.yaml.erb CHANGED Viewed

@@ -1,39 +1 @@
-apiVersion: kubelet.config.k8s.io/v1beta1
-authentication:
-  anonymous:
-    enabled: false
-  webhook:
-    cacheTTL: 0s
-    enabled: true
-  x509:
-    clientCAFile: /etc/kubernetes/pki/ca.crt
-authorization:
-  mode: Webhook
-  webhook:
-    cacheAuthorizedTTL: 0s
-    cacheUnauthorizedTTL: 0s
-cgroupDriver: systemd
-clusterDNS:
-  - <%= global_config.k8s.networking.dns_ip %>
-clusterDomain: <%= global_config.k8s.networking.dns_domain %>
-cpuManagerReconcilePeriod: 0s
-evictionPressureTransitionPeriod: 0s
-fileCheckFrequency: 0s
-healthzBindAddress: 127.0.0.1
-healthzPort: 10248
-httpCheckFrequency: 0s
-imageMinimumGCAge: 0s
-kind: KubeletConfiguration
-nodeStatusReportFrequency: 0s
-nodeStatusUpdateFrequency: 0s
-rotateCertificates: true
-runtimeRequestTimeout: 0s
-staticPodPath: /etc/kubernetes/manifests
-streamingConnectionIdleTimeout: 0s
-syncFrequency: 0s
-volumeStatsAggPeriod: 0s
-serverTLSBootstrap: true
-featureGates:
-  CSIMigration: false
-# vim:filetype=yaml
+<%= config.kubelet_config.to_hash.to_yaml %>

data/lib/porkadot/assets/kubelet/initiatorname.iscsi.erb ADDED Viewed

	@@ -0,0 +1 @@
1	+ InitiatorName=iqn.2020-04.cloud.unstable:<%= config.hostname %>

data/lib/porkadot/assets/kubelet/kubelet.service.erb CHANGED Viewed

@@ -5,18 +5,14 @@ Documentation=http://kubernetes.io/docs/
 [Service]
 EnvironmentFile=-/etc/default/kubelet
 ExecStart=/opt/bin/kubelet \
-    --container-runtime=remote \
     --container-runtime-endpoint=/run/containerd/containerd.sock \
     --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf \
     --kubeconfig=/etc/kubernetes/kubelet.conf \
     --config=/var/lib/kubelet/config.yaml \
-    --network-plugin=cni \
-    --pod-infra-container-image=k8s.gcr.io/pause:3.4.1 \
     --hostname-override=<%= config.hostname %> \
-    --node-labels=<%= config.labels_string %> \
-    --register-with-taints=<%= config.taints_string %> \
-    --resolv-conf=/run/systemd/resolve/resolv.conf
+    --node-labels=<%= config.labels_string %>
 Restart=always
 StartLimitInterval=0
 RestartSec=10

data/lib/porkadot/assets/kubelet/metadata.json.erb ADDED Viewed

@@ -0,0 +1,5 @@
+{
+  "name": "<%= config.name %>",
+  "labels": <%= config.labels.to_json %>,
+  "annotations": <%= config.annotations.to_json %>
+}

data/lib/porkadot/assets/{kubelet → kubelet-default}/install-deps.sh.erb RENAMED Viewed

@@ -1,5 +1,7 @@
 #!/bin/bash
+set -euo pipefail
 architecture="arm64"
 case $(uname -m) in
     x86_64) architecture="amd64" ;;
@@ -28,7 +30,7 @@ rm -f /opt/bin/kubelet
 ln -s /opt/bin/kubelet-${RELEASE} /opt/bin/kubelet
 ETCD_VER="<%= global_config.etcd.image_tag.gsub(/\-\w+$/, '') %>"
-ETCD_URL=https://storage.googleapis.com/etcd/${ETCD_VER}/etcd-${ETCD_VER}-linux-${architecture}.tar.gz
+ETCD_URL=https://github.com/etcd-io/etcd/releases/download/v${ETCD_VER}/etcd-v${ETCD_VER}-linux-${architecture}.tar.gz
 ETCD_TMP=$(mktemp -d)
 curl -L ${ETCD_URL} -o ${ETCD_TMP}/etcd.tar.gz

data/lib/porkadot/assets/{kubelet → kubelet-default}/install-pkgs.sh.erb RENAMED Viewed

@@ -41,9 +41,7 @@ net.ipv4.ip_forward                 = 1
 net.bridge.bridge-nf-call-iptables  = 1
 EOF
-cat <<EOF > /etc/iscsi/initiatorname.iscsi
-InitiatorName=iqn.2020-04.cloud.unstable:<%= config.hostname %>
-EOF
+cp ${ROOT}/initiatorname.iscsi /etc/iscsi/
 systemctl restart iscsid.service

data/lib/porkadot/assets/kubelet-default/install.sh.erb CHANGED Viewed

@@ -4,11 +4,26 @@ set -eu
 export LC_ALL=C
 ROOT=$(dirname "${BASH_SOURCE}")
+export KUBERNETES_PATH="/etc/kubernetes"
+export KUBERNETES_PKI_PATH="${KUBERNETES_PATH}/pki"
+export KUBERNETES_MANIFESTS_PATH="${KUBERNETES_PATH}/manifests"
+export KUBELET_PATH="/var/lib/kubelet"
+mkdir -p ${KUBERNETES_PATH}
+mkdir -p ${KUBERNETES_PKI_PATH}
+mkdir -p ${KUBERNETES_MANIFESTS_PATH}
+mkdir -p ${KUBELET_PATH}
+cp ${ROOT}/bootstrap-kubelet.conf ${KUBERNETES_PATH}/
+cp ${ROOT}/bootstrap.* ${KUBERNETES_PKI_PATH}/
+cp ${ROOT}/ca.crt ${KUBERNETES_PKI_PATH}/
+cp ${ROOT}/config.yaml ${KUBELET_PATH}/
+cp ${ROOT}/kubelet.service /etc/systemd/system/
 # Install addons
-for addon in $(ls ${ROOT}/addons/); do
-  install_sh="${ROOT}/addons/${addon}/install.sh"
-  if [[ -f ${install_sh} ]]; then
-    echo "Install: ${install_sh}"
-    bash ${install_sh}
-  fi
-done
+bash ${ROOT}/setup-node.sh
+rm -f ${KUBERNETES_PATH}/kubelet.conf
+systemctl daemon-reload
+systemctl enable kubelet
+systemctl restart kubelet

data/lib/porkadot/assets/kubelet-default/setup-containerd.sh.erb ADDED Viewed

@@ -0,0 +1,22 @@
+#!/bin/bash
+set -eu
+export LC_ALL=C
+ROOT=$(dirname "${BASH_SOURCE}")
+mkdir -p /etc/containerd
+if [[ -f ${ROOT}/containerd/config.toml ]]; then
+  cp -rp ${ROOT}/containerd/config.toml /etc/containerd/config.toml
+else
+  containerd config default | tee /etc/containerd/config.toml
+  grep SystemdCgroup /etc/containerd/config.toml && :
+  if [[ $? == 0 ]]; then
+    sed -i -e "s/SystemdCgroup.*$/SystemdCgroup = true/" /etc/containerd/config.toml
+  else
+    sed -i -e "/containerd.runtimes.runc.options/a SystemdCgroup = true" /etc/containerd/config.toml
+  fi
+fi
+systemctl restart containerd

data/lib/porkadot/assets/kubelet-default/setup-node.sh.erb ADDED Viewed

@@ -0,0 +1,16 @@
+#!/bin/bash
+set -eu
+export LC_ALL=C
+ROOT=$(dirname "${BASH_SOURCE}")
+export PORKADOT_METADATA=${ROOT}/metadata.json
+# Install addons
+for addon in $(ls ${ROOT}/addons/); do
+  install_sh="${ROOT}/addons/${addon}/install.sh"
+  if [[ -f ${install_sh} ]]; then
+    echo "Install: ${install_sh}"
+    bash ${install_sh}
+  fi
+done

data/lib/porkadot/assets/kubelet.rb CHANGED Viewed

@@ -57,7 +57,19 @@ module Porkadot; module Assets
         FileUtils.mkdir_p(config.addon_secrets_path)
       end
+      render_ca_crt
+      render_erb 'setup-node.sh'
+      render_erb 'setup-containerd.sh'
       render_erb 'install.sh'
+      render_erb 'install-deps.sh'
+      render_erb 'install-pkgs.sh'
+    end
+    def render_ca_crt
+      logger.info "----> ca.crt"
+      open(config.ca_crt_path, 'w') do |out|
+        out.write self.certs.ca_cert(false).to_pem
+      end
     end
   end
@@ -92,11 +104,8 @@ module Porkadot; module Assets
       render_bootstrap_certs
       render_erb 'config.yaml'
       render_erb 'kubelet.service'
-      render_ca_crt
-      render_erb 'install.sh'
-      render_erb 'install-deps.sh'
-      render_erb 'install-pkgs.sh'
-      render_erb 'setup-containerd.sh'
+      render_erb 'initiatorname.iscsi'
+      render_erb 'metadata.json'
     end
     def render_bootstrap_certs
@@ -105,13 +114,6 @@ module Porkadot; module Assets
       self.bootstrap_cert(true)
     end
-    def render_ca_crt
-      logger.info "----> ca.crt"
-      open(config.ca_crt_path, 'w') do |out|
-        out.write self.certs.ca_cert(false).to_pem
-      end
-    end
     def bootstrap_key
       @bootstrap_key ||= certs.private_key(config.bootstrap_key_path)
       return @bootstrap_key

data/lib/porkadot/assets/kubernetes/install.sh.erb CHANGED Viewed

@@ -5,10 +5,12 @@ export LC_ALL=C
 ROOT=$(dirname "${BASH_SOURCE}")
 KUBECTL_OPTS=${KUBECTL_OPTS:-""}
-KUBECTL_OPTS="${KUBECTL_OPTS} --server-side --force-conflicts --prune"
+KUBECTL_OPTS="${KUBECTL_OPTS} --prune"
 KUBECTL_OPTS="${KUBECTL_OPTS} -l kubernetes.unstable.cloud/installed-by=porkadot"
 <%- prune_allowlist.each do |a| -%>
 KUBECTL_OPTS="${KUBECTL_OPTS} --prune-whitelist=<%= a %>"
 <%- end -%>
+/opt/bin/kubectl apply --force-conflicts --server-side -R -f ${ROOT}/manifests/crds
+/opt/bin/kubectl wait --for condition=established --timeout=60s crd --all
 /opt/bin/kubectl apply ${KUBECTL_OPTS} -k ${ROOT}

data/lib/porkadot/assets/kubernetes/manifests/addons/coredns/coredns.yaml.erb CHANGED Viewed

@@ -126,7 +126,7 @@ spec:
         kubernetes.io/os: linux
       containers:
       - name: coredns
-        image: k8s.gcr.io/coredns/coredns:v1.8.3
+        image: registry.k8s.io/coredns/coredns:v1.10.1
         imagePullPolicy: IfNotPresent
         resources:
           limits:

data/lib/porkadot/assets/kubernetes/manifests/addons/coredns/dns-horizontal-autoscaler.yaml.erb CHANGED Viewed

@@ -84,7 +84,7 @@ spec:
         fsGroup: 65534
       containers:
       - name: autoscaler
-        image: k8s.gcr.io/cluster-proportional-autoscaler-amd64:1.7.1
+        image: registry.k8s.io/cluster-proportional-autoscaler-amd64:1.7.1
         resources:
             requests:
                 cpu: "20m"

data/lib/porkadot/assets/kubernetes/manifests/addons/flannel/flannel.yaml.erb CHANGED Viewed

@@ -1,62 +1,13 @@
 <% cni = config.flannel -%>
 <% k8s = global_config.k8s -%>
 ---
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: psp.flannel.unprivileged
-  annotations:
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
-    seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
-    apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
-    apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
-spec:
-  privileged: false
-  volumes:
-  - configMap
-  - secret
-  - emptyDir
-  - hostPath
-  allowedHostPaths:
-  - pathPrefix: "/etc/cni/net.d"
-  - pathPrefix: "/etc/kube-flannel"
-  - pathPrefix: "/run/flannel"
-  readOnlyRootFilesystem: false
-  # Users and groups
-  runAsUser:
-    rule: RunAsAny
-  supplementalGroups:
-    rule: RunAsAny
-  fsGroup:
-    rule: RunAsAny
-  # Privilege Escalation
-  allowPrivilegeEscalation: false
-  defaultAllowPrivilegeEscalation: false
-  # Capabilities
-  allowedCapabilities: ['NET_ADMIN', 'NET_RAW']
-  defaultAddCapabilities: []
-  requiredDropCapabilities: []
-  # Host namespaces
-  hostPID: false
-  hostIPC: false
-  hostNetwork: true
-  hostPorts:
-  - min: 0
-    max: 65535
-  # SELinux
-  seLinux:
-    # SELinux is unused in CaaSP
-    rule: 'RunAsAny'
----
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
+  labels:
+    k8s-app: flannel
   name: flannel
 rules:
-- apiGroups: ['extensions']
-  resources: ['podsecuritypolicies']
-  verbs: ['use']
-  resourceNames: ['psp.flannel.unprivileged']
 - apiGroups:
   - ""
   resources:
@@ -68,6 +19,7 @@ rules:
   resources:
   - nodes
   verbs:
+  - get
   - list
   - watch
 - apiGroups:
@@ -80,6 +32,8 @@ rules:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
+  labels:
+    k8s-app: flannel
   name: flannel
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -93,6 +47,8 @@ subjects:
 apiVersion: v1
 kind: ServiceAccount
 metadata:
+  labels:
+    k8s-app: flannel
   name: flannel
   namespace: kube-system
 ---
@@ -103,6 +59,7 @@ metadata:
   namespace: kube-system
   labels:
     tier: node
+    k8s-app: flannel
     app: flannel
 data:
   cni-conf.json: |
@@ -134,6 +91,7 @@ data:
       "EnableIPv6": true,
       "IPv6Network": "<%= k8s.networking.pod_v6subnet %>",
       <%- end -%>
+      "EnableNFTables": false,
       "Backend": {
         "Type": "<%= cni.backend %>"
       }
@@ -147,6 +105,7 @@ metadata:
   labels:
     tier: node
     app: flannel
+    k8s-app: flannel
 spec:
   selector:
     matchLabels:
@@ -221,6 +180,8 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
+        - name: EVENT_QUEUE_DEPTH
+          value: "5000"
         volumeMounts:
         - name: run
           mountPath: /run/flannel

data/lib/porkadot/assets/kubernetes/manifests/addons/kubelet-serving-cert-approver/kustomization.yaml.erb ADDED Viewed

@@ -0,0 +1,3 @@
+resources:
+- src.yaml