porkadot 0.1.0
- checksums.yaml +7 -0
- data/.gitignore +15 -0
- data/.travis.yml +7 -0
- data/Gemfile +4 -0
- data/README.md +35 -0
- data/Rakefile +10 -0
- data/Vagrantfile +63 -0
- data/bin/console +14 -0
- data/bin/setup +8 -0
- data/config/porkadot.yaml +25 -0
- data/config/unstable.yaml +49 -0
- data/exe/porkadot +5 -0
- data/lib/porkadot/assets/bootstrap/bootstrap/kube-proxy-bootstrap.yaml.erb +1 -0
- data/lib/porkadot/assets/bootstrap/bootstrap/kubeconfig-bootstrap.yaml.erb +18 -0
- data/lib/porkadot/assets/bootstrap/cleanup.sh.erb +12 -0
- data/lib/porkadot/assets/bootstrap/install.sh.erb +14 -0
- data/lib/porkadot/assets/bootstrap/manifests/kube-apiserver.bootstrap.yaml.erb +91 -0
- data/lib/porkadot/assets/bootstrap/manifests/kube-controller-manager.bootstrap.yaml.erb +69 -0
- data/lib/porkadot/assets/bootstrap/manifests/kube-proxy.bootstrap.yaml.erb +56 -0
- data/lib/porkadot/assets/bootstrap/manifests/kube-scheduler.bootstrap.yaml.erb +31 -0
- data/lib/porkadot/assets/bootstrap.rb +52 -0
- data/lib/porkadot/assets/certs/etcd.rb +21 -0
- data/lib/porkadot/assets/certs/front_proxy.rb +21 -0
- data/lib/porkadot/assets/certs/k8s.rb +90 -0
- data/lib/porkadot/assets/certs.rb +175 -0
- data/lib/porkadot/assets/etcd/etcd-server.yaml.erb +57 -0
- data/lib/porkadot/assets/etcd/install.sh.erb +12 -0
- data/lib/porkadot/assets/etcd.rb +109 -0
- data/lib/porkadot/assets/kubelet/bootstrap-kubelet.conf.erb +21 -0
- data/lib/porkadot/assets/kubelet/config.yaml.erb +36 -0
- data/lib/porkadot/assets/kubelet/install-deps.sh.erb +21 -0
- data/lib/porkadot/assets/kubelet/install-pkgs.sh.erb +33 -0
- data/lib/porkadot/assets/kubelet/install.sh.erb +35 -0
- data/lib/porkadot/assets/kubelet/kubelet.service.erb +22 -0
- data/lib/porkadot/assets/kubelet.rb +102 -0
- data/lib/porkadot/assets/kubernetes/install.sh.erb +7 -0
- data/lib/porkadot/assets/kubernetes/manifests/flannel.yaml.erb +602 -0
- data/lib/porkadot/assets/kubernetes/manifests/kube-apiserver.yaml.erb +129 -0
- data/lib/porkadot/assets/kubernetes/manifests/kube-controller-manager.yaml.erb +173 -0
- data/lib/porkadot/assets/kubernetes/manifests/kube-proxy.yaml.erb +132 -0
- data/lib/porkadot/assets/kubernetes/manifests/kube-scheduler.yaml.erb +162 -0
- data/lib/porkadot/assets/kubernetes/manifests/kubelet-rubber-stamp.yaml.erb +86 -0
- data/lib/porkadot/assets/kubernetes/manifests/kubelet.yaml.erb +40 -0
- data/lib/porkadot/assets/kubernetes/manifests/metallb.yaml.erb +323 -0
- data/lib/porkadot/assets/kubernetes/manifests/pod-checkpointer.yaml.erb +130 -0
- data/lib/porkadot/assets/kubernetes/manifests/porkadot.yaml.erb +69 -0
- data/lib/porkadot/assets/kubernetes.rb +39 -0
- data/lib/porkadot/assets.rb +24 -0
- data/lib/porkadot/cmd/cli.rb +45 -0
- data/lib/porkadot/cmd/install/bootstrap.rb +50 -0
- data/lib/porkadot/cmd/install.rb +36 -0
- data/lib/porkadot/cmd/render/certs.rb +68 -0
- data/lib/porkadot/cmd/render.rb +67 -0
- data/lib/porkadot/cmd.rb +4 -0
- data/lib/porkadot/config.rb +115 -0
- data/lib/porkadot/configs/bootstrap.rb +67 -0
- data/lib/porkadot/configs/certs/etcd.rb +33 -0
- data/lib/porkadot/configs/certs/front_proxy.rb +33 -0
- data/lib/porkadot/configs/certs/k8s.rb +89 -0
- data/lib/porkadot/configs/certs.rb +50 -0
- data/lib/porkadot/configs/cni.rb +22 -0
- data/lib/porkadot/configs/etcd.rb +95 -0
- data/lib/porkadot/configs/kubelet.rb +61 -0
- data/lib/porkadot/configs/kubernetes.rb +223 -0
- data/lib/porkadot/configs/loadbalancer.rb +26 -0
- data/lib/porkadot/const.rb +8 -0
- data/lib/porkadot/default.yaml +123 -0
- data/lib/porkadot/install/base.rb +5 -0
- data/lib/porkadot/install/bootstrap.rb +76 -0
- data/lib/porkadot/install/kubelet.rb +63 -0
- data/lib/porkadot/install/kubernetes.rb +33 -0
- data/lib/porkadot/utils/hash_recursive_merge.rb +73 -0
- data/lib/porkadot/utils.rb +25 -0
- data/lib/porkadot/version.rb +3 -0
- data/lib/porkadot.rb +41 -0
- data/porkadot.gemspec +42 -0
- metadata +205 -0
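--- a/checksums.yaml
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+---
+SHA256:
+metadata.gz: d234a54eadea75f593857f0d1a697af8be3cb74c5a4b48bb42b19ec966a905ae
+data.tar.gz: a62e0011627d9d7f5b93e34fadd8c76df6dc88496c7ff39b561d808880ac1570
+SHA512:
+metadata.gz: e359ab5f970e9ed84d82c1210a4c74215bec8fb878a42b736add72a2c27771ab1c8fe3d36125387694b3ea84c626f5b5bbdcbc9bbcb25e0f47dfa6c54484c651
+data.tar.gz: 1dda5458027c308e37832c74cd66b67422935c88968960b2ea017aa30aad2a6d39aa3ca2d3eaeb0d334431e4a2e50f4eb2e35bd43cca8b216eccab9c93a38c6b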
data/.gitignore
ADDED
data/.travis.yml
ADDED
data/Gemfile
ADDED
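--- a/data/README.md
+++ b/data/README.md
@@ -0,0 +1,35 @@
+# Porkadot
+
+Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/porkadot`. To experiment with that code, run `bin/console` for an interactive prompt.
+
+TODO: Delete this and the text above, and describe your gem
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'porkadot'
+```
+
+And then execute:
+
+$ bundle
+
+Or install it yourself as:
+
+$ gem install porkadot
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/yuanying/porkadot.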
data/Rakefile
ADDED
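--- a/data/Vagrantfile
+++ b/data/Vagrantfile
@@ -0,0 +1,63 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+public_key = nil
+[ENV['PORKA_PUBLIC_KEY'], "~/.ssh/id_rsa.pub", "~/.ssh/id_dsa.pub"].each do |p_key|
+if p_key
+p_key = File.expand_path(p_key)
+if File.file?(p_key)
+public_key = open(p_key).read
+break
+end
+end
+end
+
+unless public_key
+raise "Please specify ssh public key using following env: PORKA_PUBLIC_KEY"
+end
+
+SCRIPT = <<-EOF
+echo "#{public_key}" >> ~vagrant/.ssh/authorized_keys
+
+apt update
+apt install -y socat conntrack ipset
+EOF
+
+CNI_INSTALL = <<-EOF
+CNI_VERSION="v0.8.2"
+mkdir -p /opt/cni/bin
+curl -L "https://github.com/containernetworking/plugins/releases/download/${CNI_VERSION}/cni-plugins-linux-amd64-${CNI_VERSION}.tgz" | tar -C /opt/cni/bin -xz
+EOF
+
+K8S_INSTALL = <<-EOF
+RELEASE="$(curl -sSL https://dl.k8s.io/release/stable.txt)"
+
+mkdir -p /opt/bin
+cd /opt/bin
+curl -L --remote-name-all https://storage.googleapis.com/kubernetes-release/release/${RELEASE}/bin/linux/amd64/{kubeadm,kubelet,kubectl}
+chmod +x {kubeadm,kubelet,kubectl}
+
+curl -sSL "https://raw.githubusercontent.com/kubernetes/kubernetes/${RELEASE}/build/debs/kubelet.service" | sed "s:/usr/bin:/opt/bin:g" > /etc/systemd/system/kubelet.service
+mkdir -p /etc/systemd/system/kubelet.service.d
+curl -sSL "https://raw.githubusercontent.com/kubernetes/kubernetes/${RELEASE}/build/debs/10-kubeadm.conf" | sed "s:/usr/bin:/opt/bin:g" > /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
+EOF
+
+Vagrant.configure("2") do |config|
+config.vm.box = "ubuntu/bionic64"
+config.vm.box_check_update = true
+
+[[:node01, 111], [:node02, 112], [:node03, 113], [:node04, 114]].each do |worker|
+config.vm.define worker[0] do |w|
+w.vm.hostname = worker[0].to_s
+w.vm.provider "virtualbox" do |v, override|
+v.customize ["modifyvm", :id, "--memory", "2048"]
+end
+
+w.vm.network :private_network, ip: "192.168.33.#{worker[1]}"
+w.vm.provision "docker", images: ["busybox"]
+w.vm.provision :shell, inline: SCRIPT
+w.vm.provision :shell, inline: CNI_INSTALL
+w.vm.provision :shell, inline: K8S_INSTALL
+end
+end
+end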
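Review bot: The K8S_INSTALL script resolves `RELEASE` from `dl.k8s.io/release/stable.txt` at provision time (line 33), so each `vagrant up` can install a different kubelet than the `kubernetes_version` the cluster config pins, and none of the downloads on lines 29, 37, 40 and 42 are verified against a checksum before being unpacked into `/opt/cni/bin` or installed as a systemd unit. Pinning `RELEASE` to the configured version and checking the tarball and binaries against their published digests would make provisioning reproducible and catch a tampered or truncated download. Separately, `public_key = open(p_key).read` on line 9 uses `Kernel#open` and never closes the handle; `public_key = File.read(p_key)` is the idiomatic form.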
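--- a/data/bin/console
+++ b/data/bin/console
@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "porkadot"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)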
data/bin/setup
ADDED
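--- a/data/config/porkadot.yaml
+++ b/data/config/porkadot.yaml
@@ -0,0 +1,25 @@
+nodes:
+node01:
+hostname: 192.168.33.111
+labels:
+"k8s.unstable.cloud/master":
+"etcd.unstable.cloud/member": node01
+taints:
+"node-role.kubernetes.io/master": :NoSchedule"
+"etcd.unstable.cloud/member": node02
+node02:
+hostname: 192.168.33.112
+labels:
+"k8s.unstable.cloud/master":
+"etcd.unstable.cloud/member": node03
+taints:
+"node-role.kubernetes.io/master": :NoSchedule"
+node03:
+hostname: 192.168.33.113
+node04:
+hostname: 192.168.33.114
+
+bootstrap: {}
+
+kubernetes:
+control_plane_endpoint: '192.168.33.101:6443'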
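Review bot: The taint values on lines 8 and 16, `"node-role.kubernetes.io/master": :NoSchedule"`, have an unbalanced quote; the sibling `config/unstable.yaml` writes the same entry as `"node-role.kubernetes.io/master": ":NoSchedule"`, so here the value either carries a stray `"` or fails to load, and in neither case is it a valid taint effect. Line 9 also places `"etcd.unstable.cloud/member": node02` under node01's `taints:` rather than `labels:`, and node02's labels name `node03` as its etcd member, which looks like a copy-and-paste slip given that `unstable.yaml` assigns members in node order. Both entries should be rechecked against what `configs/kubelet.rb` expects for labels and taints.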
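--- a/data/config/unstable.yaml
+++ b/data/config/unstable.yaml
@@ -0,0 +1,49 @@
+nodes:
+172.18.13.111:
+labels:
+"k8s.unstable.cloud/master":
+"etcd.unstable.cloud/member": node01
+taints:
+"node-role.kubernetes.io/master": ":NoSchedule"
+172.18.13.112:
+labels:
+"k8s.unstable.cloud/master":
+"etcd.unstable.cloud/member": node02
+taints:
+"node-role.kubernetes.io/master": ":NoSchedule"
+172.18.13.113:
+labels:
+"k8s.unstable.cloud/master":
+"etcd.unstable.cloud/member": node03
+taints:
+"node-role.kubernetes.io/master": ":NoSchedule"
+172.18.13.121:
+172.18.13.122:
+172.18.13.123:
+
+bootstrap:
+node:
+hostname: 172.18.13.121
+
+lb:
+metallb:
+config: |
+address-pools:
+- name: default
+protocol: layer2
+addresses:
+- 172.18.13.101/32
+- 172.18.13.140-172.18.13.200
+
+cni:
+flannel:
+backend: host-gw
+
+kubernetes:
+kubernetes_version: v1.15.11
+cluster_name: unstable
+control_plane_endpoint: '172.18.13.101:6443'
+
+proxy:
+config:
+mode: 'ipvs'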
data/exe/porkadot
ADDED
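--- a/data/lib/porkadot/assets/bootstrap/bootstrap/kube-proxy-bootstrap.yaml.erb
+++ b/data/lib/porkadot/assets/bootstrap/bootstrap/kube-proxy-bootstrap.yaml.erb
@@ -0,0 +1 @@
+<%= global_config.k8s.proxy.proxy_config('/etc/kubernetes/bootstrap/kubeconfig-bootstrap.yaml') %>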
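--- a/data/lib/porkadot/assets/bootstrap/bootstrap/kubeconfig-bootstrap.yaml.erb
+++ b/data/lib/porkadot/assets/bootstrap/bootstrap/kubeconfig-bootstrap.yaml.erb
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Config
+clusters:
+- name: kubernetes
+cluster:
+certificate-authority: /etc/kubernetes/bootstrap/secrets/kubernetes/ca.crt
+server: https://127.0.0.1:<%= global_config.k8s.apiserver.bind_port %>
+users:
+- name: admin
+user:
+client-certificate: /etc/kubernetes/bootstrap/secrets/kubernetes/admin.crt
+client-key: /etc/kubernetes/bootstrap/secrets/kubernetes/admin.key
+contexts:
+- context:
+cluster: kubernetes
+user: admin
+name: admin-context
+current-context: admin-context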
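Review bot: The single `admin` user on lines 9–12 (`admin.crt`/`admin.key`) is the credential that the bootstrap controller-manager and scheduler manifests point at through `--kubeconfig=/etc/kubernetes/bootstrap/kubeconfig-bootstrap.yaml`, and kube-proxy receives the same file via `proxy_config`, so three components run under one presumably admin-level identity rather than their own. Issuing per-component client certificates with the subjects the built-in RBAC bindings already recognise (`system:kube-controller-manager`, `system:kube-scheduler`, `system:kube-proxy`) and rendering one kubeconfig each would keep the bootstrap phase at least privilege and make API audit entries attributable to the component that made them. This is a design point for the bootstrap phase, not a functional defect in the template.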
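--- a/data/lib/porkadot/assets/bootstrap/cleanup.sh.erb
+++ b/data/lib/porkadot/assets/bootstrap/cleanup.sh.erb
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -eu
+export LC_ALL=C
+ROOT=$(dirname "${BASH_SOURCE}")
+
+export KUBERNETES_PATH="/etc/kubernetes"
+export KUBERNETES_BOOTSTRAP_ASSETS_PATH="${KUBERNETES_PATH}/bootstrap"
+export KUBERNETES_MANIFESTS_PATH="${KUBERNETES_PATH}/manifests"
+
+rm -rf ${KUBERNETES_BOOTSTRAP_ASSETS_PATH}
+rm -rf ${KUBERNETES_MANIFESTS_PATH}/*.bootstrap.yaml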
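Review bot: `ROOT` on line 5 is assigned but never used in this script, and the `rm -rf` expansions on lines 11–12 are unquoted; with `set -u` they cannot be empty, but quoting is still the safe habit for a destructive command whose path comes from a variable: `rm -rf "${KUBERNETES_BOOTSTRAP_ASSETS_PATH}"` and `rm -rf "${KUBERNETES_MANIFESTS_PATH}"/*.bootstrap.yaml` (glob left outside the quotes). The same unquoted expansions appear in `install.sh.erb` on lines 11, 13 and 14. `${BASH_SOURCE}` would also read more clearly as `${BASH_SOURCE[0]}`, since it is an array and the bare form relies on implicit element-zero expansion.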
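--- a/data/lib/porkadot/assets/bootstrap/install.sh.erb
+++ b/data/lib/porkadot/assets/bootstrap/install.sh.erb
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -eu
+export LC_ALL=C
+ROOT=$(dirname "${BASH_SOURCE}")
+
+export KUBERNETES_PATH="/etc/kubernetes"
+export KUBERNETES_BOOTSTRAP_ASSETS_PATH="${KUBERNETES_PATH}/bootstrap"
+export KUBERNETES_MANIFESTS_PATH="${KUBERNETES_PATH}/manifests"
+
+mkdir -p ${KUBERNETES_BOOTSTRAP_ASSETS_PATH}
+
+cp ${ROOT}/manifests/*.bootstrap.yaml ${KUBERNETES_MANIFESTS_PATH}/
+cp -r ${ROOT}/bootstrap/* ${KUBERNETES_BOOTSTRAP_ASSETS_PATH}/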
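Review bot: `cp -r ${ROOT}/bootstrap/* ${KUBERNETES_BOOTSTRAP_ASSETS_PATH}/` on line 14 copies the rendered bootstrap tree, which presumably includes the `secrets` directory with private keys and the admin kubeconfig, using the invoking user's umask and without preserving modes, so unless the rendered files are already restrictive the keys under `/etc/kubernetes/bootstrap/secrets` can land group- or world-readable on the node. Creating the target with a restrictive mode, `mkdir -p -m 0700 "${KUBERNETES_BOOTSTRAP_ASSETS_PATH}"` on line 11, and copying the secrets with `cp -rp` would pin the permissions regardless of how the assets were rendered. The control-plane containers reach these files through hostPath mounts and, with no `runAsUser` in their manifests, presumably run as root, so the tighter mode should not affect them.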
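--- a/data/lib/porkadot/assets/bootstrap/manifests/kube-apiserver.bootstrap.yaml.erb
+++ b/data/lib/porkadot/assets/bootstrap/manifests/kube-apiserver.bootstrap.yaml.erb
@@ -0,0 +1,91 @@
+<% k8s = global_config.k8s -%>
+apiVersion: v1
+kind: Pod
+metadata:
+name: bootstrap-kube-apiserver
+namespace: kube-system
+labels:
+<%- labels = k8s.apiserver.labels.to_hash.dup -%>
+<%- labels[:'app.kubernetes.io/instance'] = 'kube-apiserver-porkadot-bootstrap' -%>
+<%- labels.each do |k, v| -%>
+<%= k.to_s %>: <%= v %>
+<%- end -%>
+spec:
+hostNetwork: true
+containers:
+- name: kube-apiserver
+resources:
+requests:
+cpu: 250m
+image: <%= k8s.image_repository %>/kube-apiserver:<%= k8s.kubernetes_version %>
+command:
+- kube-apiserver
+- --advertise-address=$(POD_IP)
+- --allow-privileged
+- --authorization-mode=Node,RBAC
+- --bind-address=0.0.0.0
+- --client-ca-file=/etc/kubernetes/secrets/kubernetes/ca.crt
+- --enable-admission-plugins=NodeRestriction
+- --enable-bootstrap-token-auth=true
+- --etcd-cafile=/etc/kubernetes/secrets/etcd/ca.crt
+- --etcd-certfile=/etc/kubernetes/secrets/etcd/etcd-client.crt
+- --etcd-keyfile=/etc/kubernetes/secrets/etcd/etcd-client.key
+- --etcd-servers=<%= global_config.etcd.advertise_client_urls.join(',') %>
+- --kubelet-certificate-authority=/etc/kubernetes/secrets/kubernetes/ca.crt
+- --kubelet-client-certificate=/etc/kubernetes/secrets/kubernetes/kubelet-client.crt
+- --kubelet-client-key=/etc/kubernetes/secrets/kubernetes/kubelet-client.key
+- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
+- --proxy-client-cert-file=/etc/kubernetes/secrets/kubernetes/front-proxy-client.crt
+- --proxy-client-key-file=/etc/kubernetes/secrets/kubernetes/front-proxy-client.key
+- --requestheader-allowed-names=front-proxy-client
+- --requestheader-client-ca-file=/etc/kubernetes/secrets/kubernetes/front-proxy-ca.crt
+- --requestheader-extra-headers-prefix=X-Remote-Extra-
+- --requestheader-group-headers=X-Remote-Group
+- --requestheader-username-headers=X-Remote-User
+- --secure-port=<%= k8s.apiserver.bind_port %>
+- --service-account-key-file=/etc/kubernetes/secrets/kubernetes/sa.pub
+- --service-cluster-ip-range=<%= k8s.networking.service_subnet %>
+- --storage-backend=etcd3
+- --tls-cert-file=/etc/kubernetes/secrets/kubernetes/apiserver.crt
+- --tls-private-key-file=/etc/kubernetes/secrets/kubernetes/apiserver.key
+- --v=2
+env:
+- name: POD_IP
+valueFrom:
+fieldRef:
+fieldPath: status.podIP
+volumeMounts:
+- mountPath: /etc/ca-certificates
+name: etc-ca-certificates
+readOnly: true
+- mountPath: /etc/ssl/certs
+name: ca-certs
+readOnly: true
+- mountPath: /usr/share/ca-certificates
+name: usr-share-ca-certificates
+readOnly: true
+- mountPath: /etc/kubernetes/secrets
+name: secrets
+readOnly: true
+- mountPath: /var/lock
+name: var-lock
+readOnly: false
+volumes:
+- name: secrets
+hostPath:
+path: /etc/kubernetes/bootstrap/secrets
+- hostPath:
+path: /etc/ssl/certs
+type: DirectoryOrCreate
+name: ca-certs
+- hostPath:
+path: /usr/share/ca-certificates
+type: DirectoryOrCreate
+name: usr-share-ca-certificates
+- hostPath:
+path: /etc/ca-certificates
+type: DirectoryOrCreate
+name: etc-ca-certificates
+- name: var-lock
+hostPath:
+path: /var/lock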
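Review bot: The command on lines 22–51 sets `--secure-port` but never `--insecure-port`; on the 1.15 release line that `config/unstable.yaml` pins, the insecure port still defaults to 8080 on 127.0.0.1 unless set, and that listener is unauthenticated and bypasses RBAC, living on the node itself because of `hostNetwork: true`. Adding `- --insecure-port=0` closes it for the bootstrap phase; nothing in these manifests depends on it, since the kubeconfig targets `https://127.0.0.1:<bind_port>`. The `/var/lock` hostPath mounted read-write on lines 70–72 and 89–91 also deserves a template comment stating why the apiserver needs it, as it is not an obvious requirement for this component.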
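--- a/data/lib/porkadot/assets/bootstrap/manifests/kube-controller-manager.bootstrap.yaml.erb
+++ b/data/lib/porkadot/assets/bootstrap/manifests/kube-controller-manager.bootstrap.yaml.erb
@@ -0,0 +1,69 @@
+<% k8s = global_config.k8s -%>
+---
+apiVersion: v1
+kind: Pod
+metadata:
+name: bootstrap-kube-controller-manager
+namespace: kube-system
+labels:
+<%- k8s.controller_manager.labels.each do |k, v| -%>
+<%= k.to_s %>: <%= v %>
+<%- end -%>
+spec:
+containers:
+- name: kube-controller-manager
+image: <%= k8s.image_repository %>/kube-controller-manager:<%= k8s.kubernetes_version %>
+command:
+- kube-controller-manager
+- --allocate-node-cidrs=true
+- --cluster-cidr=<%= k8s.networking.pod_subnet %>
+- --cluster-signing-cert-file=/etc/kubernetes/bootstrap/secrets/kubernetes/ca.crt
+- --cluster-signing-key-file=/etc/kubernetes/bootstrap/secrets/kubernetes/ca.key
+- --controllers=*,bootstrapsigner,tokencleaner
+- --kubeconfig=/etc/kubernetes/bootstrap/kubeconfig-bootstrap.yaml
+- --leader-elect=true
+- --node-cidr-mask-size=24
+- --root-ca-file=/etc/kubernetes/bootstrap/secrets/kubernetes/ca.crt
+- --service-account-private-key-file=/etc/kubernetes/bootstrap/secrets/kubernetes/sa.key
+- --use-service-account-credentials=true
+- --v=2
+volumeMounts:
+- name: var-run-kubernetes
+mountPath: /var/run/kubernetes
+- name: kubernetes
+mountPath: /etc/kubernetes
+readOnly: true
+- mountPath: /usr/libexec/kubernetes/kubelet-plugins/volume/exec
+name: flexvolume-dir
+- mountPath: /usr/share/ca-certificates
+name: usr-share-ca-certificates
+readOnly: true
+- mountPath: /etc/ca-certificates
+name: etc-ca-certificates
+readOnly: true
+- mountPath: /etc/ssl/certs
+name: ca-certs
+readOnly: true
+hostNetwork: true
+volumes:
+- name: var-run-kubernetes
+emptyDir: {}
+- name: kubernetes
+hostPath:
+path: /etc/kubernetes
+- hostPath:
+path: /etc/ssl/certs
+type: DirectoryOrCreate
+name: ca-certs
+- hostPath:
+path: /var/lib/kubelet/volumeplugins
+type: DirectoryOrCreate
+name: flexvolume-dir
+- hostPath:
+path: /usr/share/ca-certificates
+type: DirectoryOrCreate
+name: usr-share-ca-certificates
+- hostPath:
+path: /etc/ca-certificates
+type: DirectoryOrCreate
+name: etc-ca-certificates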
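Review bot: The `kubernetes` volume on lines 33–35 and 51–53 mounts all of `/etc/kubernetes` into the controller-manager, yet the flags on lines 20–27 only read `bootstrap/secrets/kubernetes/{ca.crt,ca.key,sa.key}` and `bootstrap/kubeconfig-bootstrap.yaml`; everything else install.sh copies under `/etc/kubernetes/bootstrap`, including the etcd client key and the front-proxy material, becomes readable by this container without being used. Narrowing both `path:` and `mountPath:` to `/etc/kubernetes/bootstrap` keeps the flag paths unchanged while limiting the mount to what the component needs. The same whole-directory mount is in `kube-scheduler.bootstrap.yaml.erb` (lines 24–26, 29–31) and `kube-proxy.bootstrap.yaml.erb` (lines 31–33, 54–56).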
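--- a/data/lib/porkadot/assets/bootstrap/manifests/kube-proxy.bootstrap.yaml.erb
+++ b/data/lib/porkadot/assets/bootstrap/manifests/kube-proxy.bootstrap.yaml.erb
@@ -0,0 +1,56 @@
+<% k8s = global_config.k8s -%>
+---
+apiVersion: v1
+kind: Pod
+metadata:
+name: bootstrap-kube-proxy
+namespace: kube-system
+labels:
+tier: node
+k8s-app: kube-proxy
+<%- k8s.proxy.labels.each do |k, v| -%>
+<%= k.to_s %>: <%= v %>
+<%- end -%>
+spec:
+containers:
+- name: kube-proxy
+image: <%= k8s.image_repository %>/kube-proxy:<%= k8s.kubernetes_version %>
+imagePullPolicy: IfNotPresent
+command:
+- kube-proxy
+- --config=/etc/kubernetes/bootstrap/kube-proxy-bootstrap.yaml
+- --hostname-override=$(NODE_NAME)
+env:
+- name: NODE_NAME
+valueFrom:
+fieldRef:
+fieldPath: spec.nodeName
+securityContext:
+privileged: true
+volumeMounts:
+- name: kubernetes
+mountPath: /etc/kubernetes
+readOnly: true
+- mountPath: /run/xtables.lock
+name: xtables-lock
+- mountPath: /lib/modules
+name: lib-modules
+readOnly: true
+hostNetwork: true
+priorityClassName: system-node-critical
+serviceAccountName: kube-proxy
+tolerations:
+- operator: Exists
+effect: NoSchedule
+volumes:
+- hostPath:
+path: /run/xtables.lock
+type: FileOrCreate
+name: xtables-lock
+- hostPath:
+path: /lib/modules
+type: ""
+name: lib-modules
+- name: kubernetes
+hostPath:
+path: /etc/kubernetes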
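Review bot: `serviceAccountName: kube-proxy` on line 41 appears to have no effect for this manifest: install.sh copies it into `/etc/kubernetes/manifests`, so the kubelet runs it as a static pod, and as far as I recall static pods are not given a service-account token mount; the process authenticates through the kubeconfig referenced by `--config` instead. Dropping the field, or adding a template comment that it is only meaningful for the post-bootstrap DaemonSet, avoids a reader assuming that RBAC bindings for the `kube-proxy` service account govern this pod. `privileged: true` on line 29 is expected for kube-proxy's iptables/ipvs work but also merits a one-line comment.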
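--- a/data/lib/porkadot/assets/bootstrap/manifests/kube-scheduler.bootstrap.yaml.erb
+++ b/data/lib/porkadot/assets/bootstrap/manifests/kube-scheduler.bootstrap.yaml.erb
@@ -0,0 +1,31 @@
+<% k8s = global_config.k8s -%>
+---
+apiVersion: v1
+kind: Pod
+metadata:
+name: bootstrap-kube-scheduler
+namespace: kube-system
+labels:
+<%- k8s.scheduler.labels.each do |k, v| -%>
+<%= k.to_s %>: <%= v %>
+<%- end -%>
+spec:
+containers:
+- name: kube-scheduler
+image: <%= k8s.image_repository %>/kube-scheduler:<%= k8s.kubernetes_version %>
+command:
+- kube-scheduler
+- --kubeconfig=/etc/kubernetes/bootstrap/kubeconfig-bootstrap.yaml
+- --authentication-kubeconfig=/etc/kubernetes/bootstrap/kubeconfig-bootstrap.yaml
+- --authorization-kubeconfig=/etc/kubernetes/bootstrap/kubeconfig-bootstrap.yaml
+- --leader-elect=true
+- --v=2
+volumeMounts:
+- name: kubernetes
+mountPath: /etc/kubernetes
+readOnly: true
+hostNetwork: true
+volumes:
+- name: kubernetes
+hostPath:
+path: /etc/kubernetes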
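--- a/data/lib/porkadot/assets/bootstrap.rb
+++ b/data/lib/porkadot/assets/bootstrap.rb
@@ -0,0 +1,52 @@
+require 'fileutils'
+
+module Porkadot; module Assets
+class Bootstrap
+include Porkadot::Assets
+TEMPLATE_DIR = File.join(File.dirname(__FILE__), "bootstrap")
+attr_reader :global_config
+attr_reader :config
+attr_reader :certs_config
+attr_reader :logger
+
+def initialize global_config
+@global_config = global_config
+@config = global_config.bootstrap
+@certs_config = global_config.certs
+@logger = global_config.logger
+end
+
+def render
+logger.info "--> Rendering bootstrap manifests"
+unless File.directory?(config.target_path)
+FileUtils.mkdir_p(config.target_path)
+end
+render_secrets
+render_erb 'bootstrap/kubeconfig-bootstrap.yaml'
+render_erb 'bootstrap/kube-proxy-bootstrap.yaml'
+render_manifests
+render_erb 'install.sh'
+render_erb 'cleanup.sh'
+end
+
+def render_secrets
+logger.info "----> Secrets"
+unless File.directory?(config.secrets_path)
+FileUtils.mkdir_p(config.secrets_path)
+end
+FileUtils.cp_r(Dir.glob(File.join(certs_config.certs_root_dir, '*')), config.secrets_path)
+end
+
+def render_manifests
+unless File.directory?(config.manifests_path)
+FileUtils.mkdir_p(config.manifests_path)
+end
+render_erb 'manifests/kube-apiserver.bootstrap.yaml'
+render_erb 'manifests/kube-controller-manager.bootstrap.yaml'
+render_erb 'manifests/kube-scheduler.bootstrap.yaml'
+render_erb 'manifests/kube-proxy.bootstrap.yaml'
+end
+
+end
+
+end; end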
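Review bot: `render_secrets` (lines 32–38) copies everything under `certs_config.certs_root_dir`, private keys included, into `config.secrets_path` with `FileUtils.cp_r`, and the destination directory is created with the process umask, so nothing here ensures the copied keys are owner-only. `FileUtils.mkdir_p(config.secrets_path, mode: 0o700)` pins the directory, and `FileUtils.cp_r(..., preserve: true)` keeps whatever modes the certificate generator set, assuming those are already restrictive. The `File.directory?` guards on lines 21, 34 and 41 are redundant, since `FileUtils.mkdir_p` is a no-op on an existing directory, so each three-line `unless` can collapse to the bare `mkdir_p` call. A short class comment listing what `render` produces under `target_path` (the secrets copy, the two bootstrap kubeconfig-style files, the four static-pod manifests, install.sh and cleanup.sh) would also help, since the templates live in a separate directory.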
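--- a/data/lib/porkadot/assets/certs/etcd.rb
+++ b/data/lib/porkadot/assets/certs/etcd.rb
@@ -0,0 +1,21 @@
+
+class Porkadot::Assets::Certs::Etcd
+include Porkadot::Assets::CertsUtils
+attr_reader :global_config
+attr_reader :config
+attr_reader :logger
+
+def initialize global_config
+@config = Porkadot::Configs::Certs::Etcd.new(global_config)
+@logger = config.logger
+@global_config = config.config
+end
+
+def ca_name
+'/CN=kube-ca'
+end
+
+def client_name
+'/CN=etcd-client'
+end
+end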
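Review bot: `ca_name` on line 15 returns `'/CN=kube-ca'` for the etcd CA, whereas the front-proxy class gives its CA a distinct `'/CN=front-proxy-ca'`; if the Kubernetes CA in `certs/k8s.rb` (not in this view) also uses `kube-ca`, two independent CAs share a subject, which makes certificate chains and trust-store contents hard to tell apart when debugging a handshake failure. `'/CN=etcd-ca'` would make the etcd hierarchy self-describing. In `initialize` (lines 8–12) the parameter named `global_config` is not what ends up in `@global_config`, which is taken from `config.config`; `front_proxy.rb` has the same shape, and a one-line comment on why the wrapper's `config` is the stored object would save the next reader a detour.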
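--- a/data/lib/porkadot/assets/certs/front_proxy.rb
+++ b/data/lib/porkadot/assets/certs/front_proxy.rb
@@ -0,0 +1,21 @@
+
+class Porkadot::Assets::Certs::FrontProxy
+include Porkadot::Assets::CertsUtils
+attr_reader :global_config
+attr_reader :config
+attr_reader :logger
+
+def initialize global_config
+@config = Porkadot::Configs::Certs::FrontProxy.new(global_config)
+@logger = config.logger
+@global_config = config.config
+end
+
+def ca_name
+'/CN=front-proxy-ca'
+end
+
+def client_name
+'/CN=aggregator-client'
+end
+end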