porkadot 0.22.2 → 0.23.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 89c9072a82772720ff6d492d2dcaf475ef31460bc108886be716b1b7b0e0a3d7
-  data.tar.gz: edcc58e0f9e5a616020caa2348a46ecb06e796930fb565efcc6dfad25244d69b
+  metadata.gz: 8e2a062cd96fa6e9c56b2fd70f7d0dd4709265e1b5cf58057048cc19bf46868e
+  data.tar.gz: 4a18c93e458b1a822fe35b73d7af0b12804d4d4c174cbb8a3efc0daf30bbbc1e
 SHA512:
-  metadata.gz: aa12a3f43721a233b17f46708cced2989430da72ccd3e90be46c72b4d2d01b675372f07f609050d0c49cb966d600c40b2eb209a591715e62c411d148a9ace680
-  data.tar.gz: 2cacb639c73ecb17300b48ba50e923a15a02f95b619fec2c05d3c3ae50eef7f9b5ae5a62fc784c4957bcf8a04850384d1bca7ba6c623101d812d669cd8939423
+  metadata.gz: fef441fe9dc698fa5e993ae9b7d5a4e6270590aa2f8fcdbb3bca4601266faed8d6b5c96f545d3347716915bdbe0f78ebc1898caef201c1be50cc006955dec44d
+  data.tar.gz: a7bfadba85de2c3d631ebab8f74c4afaa75fcfdabeccbae6d20d4f23e2817185efc7d4174d4e901e19da8dbabcf4bdf522e12706dbc025113e6b0480d9b32826

data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/kustomization.yaml.erb

@@ -1,3 +1,5 @@
+namespace: metallb-system
+
 resources:
 - 000-metallb.yaml
 - metallb.config.yaml

data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/metallb.yaml

@@ -0,0 +1,480 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  labels:
+    app: metallb
+  name: controller
+spec:
+  allowPrivilegeEscalation: false
+  allowedCapabilities: []
+  allowedHostPaths: []
+  defaultAddCapabilities: []
+  defaultAllowPrivilegeEscalation: false
+  fsGroup:
+    ranges:
+    - max: 65535
+      min: 1
+    rule: MustRunAs
+  hostIPC: false
+  hostNetwork: false
+  hostPID: false
+  privileged: false
+  readOnlyRootFilesystem: true
+  requiredDropCapabilities:
+  - ALL
+  runAsUser:
+    ranges:
+    - max: 65535
+      min: 1
+    rule: MustRunAs
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    ranges:
+    - max: 65535
+      min: 1
+    rule: MustRunAs
+  volumes:
+  - configMap
+  - secret
+  - emptyDir
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  labels:
+    app: metallb
+  name: speaker
+spec:
+  allowPrivilegeEscalation: false
+  allowedCapabilities:
+  - NET_RAW
+  allowedHostPaths: []
+  defaultAddCapabilities: []
+  defaultAllowPrivilegeEscalation: false
+  fsGroup:
+    rule: RunAsAny
+  hostIPC: false
+  hostNetwork: true
+  hostPID: false
+  hostPorts:
+  - max: 7472
+    min: 7472
+  - max: 7946
+    min: 7946
+  privileged: true
+  readOnlyRootFilesystem: true
+  requiredDropCapabilities:
+  - ALL
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+  - configMap
+  - secret
+  - emptyDir
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: metallb
+  name: controller
+  namespace: metallb-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: metallb
+  name: speaker
+  namespace: metallb-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: metallb
+  name: metallb-system:controller
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - services/status
+  verbs:
+  - update
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - policy
+  resourceNames:
+  - controller
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: metallb
+  name: metallb-system:speaker
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - services
+  - endpoints
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups: ["discovery.k8s.io"]
+  resources:
+  - endpointslices
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - policy
+  resourceNames:
+  - speaker
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app: metallb
+  name: config-watcher
+  namespace: metallb-system
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app: metallb
+  name: pod-lister
+  namespace: metallb-system
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - pods
+  verbs:
+  - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app: metallb
+  name: controller
+  namespace: metallb-system
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - create
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  resourceNames:
+  - memberlist
+  verbs:
+  - list
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  resourceNames:
+  - controller
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: metallb
+  name: metallb-system:controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: metallb-system:controller
+subjects:
+- kind: ServiceAccount
+  name: controller
+  namespace: metallb-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: metallb
+  name: metallb-system:speaker
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: metallb-system:speaker
+subjects:
+- kind: ServiceAccount
+  name: speaker
+  namespace: metallb-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app: metallb
+  name: config-watcher
+  namespace: metallb-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: config-watcher
+subjects:
+- kind: ServiceAccount
+  name: controller
+- kind: ServiceAccount
+  name: speaker
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app: metallb
+  name: pod-lister
+  namespace: metallb-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: pod-lister
+subjects:
+- kind: ServiceAccount
+  name: speaker
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app: metallb
+  name: controller
+  namespace: metallb-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: controller
+subjects:
+- kind: ServiceAccount
+  name: controller
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    app: metallb
+    component: speaker
+  name: speaker
+  namespace: metallb-system
+spec:
+  selector:
+    matchLabels:
+      app: metallb
+      component: speaker
+  template:
+    metadata:
+      annotations:
+        prometheus.io/port: '7472'
+        prometheus.io/scrape: 'true'
+      labels:
+        app: metallb
+        component: speaker
+    spec:
+      containers:
+      - args:
+        - --port=7472
+        - --config=config
+        - --log-level=info
+        env:
+        - name: METALLB_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: METALLB_HOST
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        - name: METALLB_ML_BIND_ADDR
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        # needed when another software is also using memberlist / port 7946
+        # when changing this default you also need to update the container ports definition
+        # and the PodSecurityPolicy hostPorts definition
+        #- name: METALLB_ML_BIND_PORT
+        #  value: "7946"
+        - name: METALLB_ML_LABELS
+          value: "app=metallb,component=speaker"
+        - name: METALLB_ML_SECRET_KEY
+          valueFrom:
+            secretKeyRef:
+              name: memberlist
+              key: secretkey
+        image: quay.io/metallb/speaker:v0.12.1
+        name: speaker
+        ports:
+        - containerPort: 7472
+          name: monitoring
+        - containerPort: 7946
+          name: memberlist-tcp
+        - containerPort: 7946
+          name: memberlist-udp
+          protocol: UDP
+        livenessProbe:
+          httpGet:
+            path: /metrics
+            port: monitoring
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          timeoutSeconds: 1
+          successThreshold: 1
+          failureThreshold: 3
+        readinessProbe:
+          httpGet:
+            path: /metrics
+            port: monitoring
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          timeoutSeconds: 1
+          successThreshold: 1
+          failureThreshold: 3
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            add:
+            - NET_RAW
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+      hostNetwork: true
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: speaker
+      terminationGracePeriodSeconds: 2
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+        operator: Exists
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: metallb
+    component: controller
+  name: controller
+  namespace: metallb-system
+spec:
+  revisionHistoryLimit: 3
+  selector:
+    matchLabels:
+      app: metallb
+      component: controller
+  template:
+    metadata:
+      annotations:
+        prometheus.io/port: '7472'
+        prometheus.io/scrape: 'true'
+      labels:
+        app: metallb
+        component: controller
+    spec:
+      containers:
+      - args:
+        - --port=7472
+        - --config=config
+        - --log-level=info
+        env:
+        - name: METALLB_ML_SECRET_NAME
+          value: memberlist
+        - name: METALLB_DEPLOYMENT
+          value: controller
+        image: quay.io/metallb/controller:v0.12.1
+        name: controller
+        ports:
+        - containerPort: 7472
+          name: monitoring
+        livenessProbe:
+          httpGet:
+            path: /metrics
+            port: monitoring
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          timeoutSeconds: 1
+          successThreshold: 1
+          failureThreshold: 3
+        readinessProbe:
+          httpGet:
+            path: /metrics
+            port: monitoring
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          timeoutSeconds: 1
+          successThreshold: 1
+          failureThreshold: 3
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - all
+          readOnlyRootFilesystem: true
+      nodeSelector:
+        kubernetes.io/os: linux
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        fsGroup: 65534
+      serviceAccountName: controller
+      terminationGracePeriodSeconds: 0

data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/metallb.yaml.erb

@@ -4,7 +4,6 @@ metadata:
   labels:
     app: metallb
   name: controller
-  namespace: metallb-system
 spec:
   allowPrivilegeEscalation: false
   allowedCapabilities: []
@@ -46,7 +45,6 @@ metadata:
   labels:
     app: metallb
   name: speaker
-  namespace: metallb-system
 spec:
   allowPrivilegeEscalation: false
   allowedCapabilities:
@@ -338,6 +336,7 @@ spec:
       - args:
         - --port=7472
         - --config=config
+        - --log-level=info
         env:
         - name: METALLB_NODE_NAME
           valueFrom:
@@ -363,7 +362,7 @@ spec:
             secretKeyRef:
               name: memberlist
               key: secretkey
-        image: quay.io/metallb/speaker:v0.10.2
+        image: quay.io/metallb/speaker:v0.12.1
         name: speaker
         ports:
         - containerPort: 7472
@@ -373,6 +372,24 @@ spec:
         - containerPort: 7946
           name: memberlist-udp
           protocol: UDP
+        livenessProbe:
+          httpGet:
+            path: /metrics
+            port: monitoring
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          timeoutSeconds: 1
+          successThreshold: 1
+          failureThreshold: 3
+        readinessProbe:
+          httpGet:
+            path: /metrics
+            port: monitoring
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          timeoutSeconds: 1
+          successThreshold: 1
+          failureThreshold: 3
         securityContext:
           allowPrivilegeEscalation: false
           capabilities:
@@ -418,16 +435,35 @@ spec:
       - args:
         - --port=7472
         - --config=config
+        - --log-level=info
         env:
         - name: METALLB_ML_SECRET_NAME
           value: memberlist
         - name: METALLB_DEPLOYMENT
           value: controller
-        image: quay.io/metallb/controller:v0.10.2
+        image: quay.io/metallb/controller:v0.12.1
         name: controller
         ports:
         - containerPort: 7472
           name: monitoring
+        livenessProbe:
+          httpGet:
+            path: /metrics
+            port: monitoring
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          timeoutSeconds: 1
+          successThreshold: 1
+          failureThreshold: 3
+        readinessProbe:
+          httpGet:
+            path: /metrics
+            port: monitoring
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          timeoutSeconds: 1
+          successThreshold: 1
+          failureThreshold: 3
         securityContext:
           allowPrivilegeEscalation: false
           capabilities:
@@ -439,5 +475,6 @@ spec:
       securityContext:
         runAsNonRoot: true
         runAsUser: 65534
+        fsGroup: 65534
       serviceAccountName: controller
       terminationGracePeriodSeconds: 0

data/lib/porkadot/assets/kubernetes.rb

@@ -106,8 +106,6 @@ module Porkadot; module Assets
       'metallb/metallb.yaml',
       'metallb/metallb.config.yaml',
       'metallb/kustomization.yaml'
-    ], secrets: [
-      'metallb/metallb.secrets.yaml'
     ])
 
 

data/lib/porkadot/cmd/cli.rb

@@ -13,15 +13,22 @@ module Porkadot; module Cmd
     desc "install", "Install kubernetes"
     subcommand "install", Porkadot::Cmd::Install::Cli
 
+    desc "etcd", "Interact with etcd"
+    subcommand "etcd", Porkadot::Cmd::Etcd::Cli
+
     desc "setup-containerd", "Setup containerd"
     option :node, type: :string
     option :force, type: :boolean, default: false
+    option :bootstrap, type: :boolean, default: false
     def setup_containerd
       logger.info "Setup containerd"
       kubelets = Porkadot::Install::KubeletList.new(self.config)
       nodes = []
       if node = options[:node]
         nodes = kubelets[node]
+      elsif options[:bootstrap]
+        bootstrap = Porkadot::Install::Bootstrap.new(self.config)
+        nodes = bootstrap.host
       else
         nodes = kubelets.kubelets.values
       end
@@ -32,12 +39,16 @@ module Porkadot; module Cmd
     desc "setup-node", "Setup node default settings"
     option :node, type: :string
     option :force, type: :boolean, default: false
+    option :bootstrap, type: :boolean, default: false
     def setup_node
       logger.info "Setup node default"
       kubelets = Porkadot::Install::KubeletList.new(self.config)
       nodes = []
       if node = options[:node]
         nodes = kubelets[node]
+      elsif options[:bootstrap]
+        bootstrap = Porkadot::Install::Bootstrap.new(self.config)
+        nodes = bootstrap.host
       else
         nodes = kubelets.kubelets.values
       end

data/lib/porkadot/cmd/etcd.rb

@@ -0,0 +1,68 @@
+
+module Porkadot; module Cmd; module Etcd
+  class Cli < Porkadot::SubCommandBase
+    include Porkadot::Utils
+
+    default_task :all
+    desc "all", "Interact with etcd"
+    def all
+      "Use restore or backup sub commands."
+    end
+
+    desc "backup", "Backup etcd data"
+    option :node, type: :string
+    option :path, type: :string, default: "./backup", desc: "Directory where etcd backup data will be stored."
+    def backup
+      require 'date'
+
+      filename = "etcd-#{DateTime.now.to_s}.db"
+      path = File.join(options[:path], filename)
+
+      logger.info "Backing up etcd data to #{path}"
+      kubelets = Porkadot::Install::KubeletList.new(self.config)
+      kubelets.backup_etcd host: options[:node], path: path
+      ""
+    end
+
+    desc "start", "Start etcd"
+    option :node, type: :string
+    def start
+      logger.info "Start etcd"
+      kubelets = Porkadot::Install::KubeletList.new(self.config)
+      kubelets.start_etcd hosts: options[:node]
+      ""
+    end
+
+    desc "stop", "Stop etcd"
+    option :node, type: :string
+    def stop
+      logger.info "Start etcd"
+      kubelets = Porkadot::Install::KubeletList.new(self.config)
+      kubelets.stop_etcd hosts: options[:node]
+      ""
+    end
+
+    desc "restore", "Restore etcd data"
+    option :path, type: :string, default: "./backup", desc: "Directory where etcd backup data is stored."
+    def restore
+      invoke :stop, [], options
+
+      path = Dir.glob(File.join(options[:path], "etcd-*.db")).sort.reverse[0]
+      unless path
+        return "No backup data found...: #{options[:path]}"
+      end
+
+      logger.info "Restore etcd from #{path}"
+      kubelets = Porkadot::Install::KubeletList.new(self.config)
+      kubelets.restore_etcd path: path
+
+      invoke :start, [], options
+      ""
+    end
+
+    def self.subcommand_prefix
+      'etcd'
+    end
+  end
+end; end; end
+

data/lib/porkadot/configs/certs.rb

@@ -9,6 +9,9 @@ module Porkadot; module Configs
     end
 
     def ipaddr?(addr)
+      if addr.nil?
+        return false
+      end
       IPAddr.new(addr)
       return true
     rescue IPAddr::InvalidAddressError

data/lib/porkadot/configs/etcd.rb

@@ -39,6 +39,33 @@ module Porkadot; module Configs
       return (self.raw.labels && self.raw.labels[Porkadot::ETCD_ADDRESS_LABEL]) || self.raw.hostname || self.name
     end
 
+    def listen_address label_key
+      listen_address = nil
+      if self.raw.labels
+        listen_address = self.raw.labels[label_key] || self.raw.labels[Porkadot::ETCD_LISTEN_ADDRESS_LABEL]
+      end
+
+      if !listen_adress
+        if self.ipaddr?(self.raw.hostname)
+          listen_address = self.raw.hostname
+        elsif self.ipaddr?(self.raw.name)
+          listen_address = self.raw.name
+        else
+          listen_address = '0.0.0.0'
+        end
+      end
+
+      return listen_address
+    end
+
+    def listen_client_address
+      return self.listen_address(Porkadot::ETCD_LISTEN_CLIENT_ADDRESS_LABEL)
+    end
+
+    def listen_peer_address
+      return self.listen_address(Porkadot::ETCD_LISTEN_PEER_ADDRESS_LABEL)
+    end
+
     def advertise_client_urls
      ["https://#{member_address}:2379"]
     end
@@ -48,11 +75,16 @@ module Porkadot; module Configs
     end
 
     def listen_client_urls
-      self.advertise_client_urls + ["https://127.0.0.1:2379"]
+      address = self.listen_client_address
+      if address != '0.0.0.0'
+        return  ["https://#{address}:2379", "https://127.0.0.1:2379"]
+      else
+        return  ["https://#{address}:2379"]
+      end
     end
 
     def listen_peer_urls
-      self.advertise_peer_urls
+      ["https://#{self.listen_client_address}:2380"]
     end
 
     def initial_cluster
@@ -72,6 +104,7 @@ module Porkadot; module Configs
           sans << "DNS:#{san}"
         end
       end
+      sans << "IP:127.0.0.1"
       return sans
     end
 

data/lib/porkadot/const.rb

@@ -5,4 +5,7 @@ module Porkadot
   K8S_MASTER_LABEL = "k8s.unstable.cloud/master"
   ETCD_MEMBER_LABEL = "etcd.unstable.cloud/member"
   ETCD_ADDRESS_LABEL = "etcd.unstable.cloud/address"
+  ETCD_LISTEN_ADDRESS_LABEL = "etcd.unstable.cloud/listen-address"
+  ETCD_LISTEN_CLIENT_ADDRESS_LABEL = "etcd.unstable.cloud/listen-client-address"
+  ETCD_LISTEN_PEER_ADDRESS_LABEL = "etcd.unstable.cloud/listen-client-address"
 end

data/lib/porkadot/default.yaml

@@ -47,8 +47,8 @@ etcd:
   extra_env: []
 
 kubernetes:
-  kubernetes_version: v1.22.8
-  crictl_version: v1.22.0
+  kubernetes_version: v1.23.5
+  crictl_version: v1.23.0
   image_repository: k8s.gcr.io
 
   networking:

data/lib/porkadot/install/kubelet.rb

@@ -3,6 +3,7 @@ module Porkadot; module Install
     KUBE_TEMP = File.join(Porkadot::Install::KUBE_TEMP, 'kubelet')
     KUBE_SECRETS_TEMP = File.join(Porkadot::Install::KUBE_TEMP, '.kubelet')
     KUBE_DEFAULT_TEMP = File.join(Porkadot::Install::KUBE_TEMP, '.default')
+    ETCD_TEMP = '/opt/porkadot'
     include SSHKit::DSL
     attr_reader :global_config
     attr_reader :logger
@@ -93,6 +94,114 @@ module Porkadot; module Install
       end
     end
 
+    def backup_etcd host: nil, path: "./backup/etcd.db"
+      unless host
+        self.kubelets.each do |_, v|
+          if v.etcd?
+            host = v
+          end
+        end
+      end
+
+      on(:local) do |local|
+        execute(:mkdir, '-p', File.dirname(path))
+      end
+
+      options = self.etcd_options
+      on(host) do |host|
+        execute(:mkdir, '-p', KUBE_TEMP)
+        execute(:"/opt/bin/etcdctl", *options, "snapshot", "save", "#{KUBE_TEMP}/etcd.db")
+        download! "#{KUBE_TEMP}/etcd.db", path
+      end
+    end
+
+    def restore_etcd path: "./backup/etcd.db"
+      require 'date'
+      hosts = []
+      self.kubelets.each do |_, v|
+        hosts << v if v.etcd?
+      end
+
+      options = self.etcd_options
+      on(hosts) do |host|
+        if test("[ -d #{KUBE_TEMP} ]")
+          execute(:rm, '-rf', KUBE_TEMP)
+          execute(:rm, '-rf', KUBE_SECRETS_TEMP)
+        end
+        execute(:mkdir, '-p', KUBE_TEMP)
+        upload! path, "#{KUBE_TEMP}/etcd.db"
+
+        as user: 'root' do
+          execute(:mkdir, '-p', ETCD_TEMP)
+          if test('[ -d /var/lib/etcd ]')
+            execute(:mv, '/var/lib/etcd', "${ETCD_TEMP}/data-#{DateTime.now.to_s}")
+          end
+          execute(:"/opt/bin/etcdctl", *options, "snapshot", "restore", "#{KUBE_TEMP}/etcd.db")
+        end
+      end
+    end
+
+    def start_etcd hosts: nil
+      unless hosts
+        hosts = []
+        self.kubelets.each do |_, v|
+          hosts << v if v.etcd?
+        end
+      end
+
+      on(hosts) do |host|
+        as user: 'root' do
+          execute(:mkdir, '-p', ETCD_TEMP)
+
+          result = capture(:"/opt/bin/crictl", 'ps', '-q', '--name', 'etcd')
+          with(container_runtime_endpoint: "unix:///run/containerd/containerd.sock") do
+            if result.empty?
+              info 'Trying to start etcd'
+              execute(:mv, "${ETCD_TEMP}/etcd-server.yaml", "/etc/kubernetes/manifests/etcd-server.yaml")
+            else
+              info 'etcd is already started...'
+            end
+          end
+        end
+      end
+    end
+
+    def stop_etcd hosts: nil
+      unless hosts
+        hosts = []
+        self.kubelets.each do |_, v|
+          hosts << v if v.etcd?
+        end
+      end
+
+      on(hosts) do |host|
+        as user: 'root' do
+          execute(:mkdir, '-p', ETCD_TEMP)
+
+          info "Waiting for etcd to stop..."
+          with(container_runtime_endpoint: "unix:///run/containerd/containerd.sock") do
+            unless capture(:"/opt/bin/crictl", 'ps', '-q', '--name', 'etcd').empty?
+              execute(:mv, "/etc/kubernetes/manifests/etcd-server.yaml", "${ETCD_TEMP}/etcd-server.yaml")
+              while capture(:"/opt/bin/crictl", 'ps', '-q', '--name', 'etcd') != ''
+                info 'Still waiting for stopping etcd...'
+                sleep 5
+              end
+            end
+          end
+          info 'etcd was stopped.'
+        end
+      end
+    end
+
+    def etcd_options
+      %w(
+        --cacert /etc/etcd/pki/ca.crt
+        --cert /etc/etcd/pki/etcd.crt
+        --key /etc/etcd/pki/etcd.key
+        --endpoints=https://127.0.0.1:2379
+      )
+    end
+
     def [](name)
       self.kubelets[name]
     end
@@ -112,5 +221,8 @@ module Porkadot; module Install
       super(@connection)
     end
 
+    def etcd?
+      return self.config.raw.labels && self.config.raw.labels[Porkadot::ETCD_MEMBER_LABEL]
+    end
   end
 end; end

data/lib/porkadot/version.rb

@@ -1,3 +1,3 @@
 module Porkadot
-  VERSION = "0.22.2"
+  VERSION = "0.23.0"
 end

data/lib/porkadot.rb

@@ -37,4 +37,5 @@ require 'porkadot/cmd/render/certs'
 require 'porkadot/cmd/render'
 require 'porkadot/cmd/install/bootstrap'
 require 'porkadot/cmd/install'
+require 'porkadot/cmd/etcd'
 require 'porkadot/cmd'

data/porkadot.gemspec

@@ -36,6 +36,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "thor", "~> 1.0"
   spec.add_dependency "hashie", "~> 4.1"
   spec.add_dependency "sshkit", "~> 1.20"
+  spec.add_dependency "net-ssh", "= 7.0.1"
   spec.add_development_dependency "bundler", "~> 2.0"
   spec.add_development_dependency "rake", "~> 13.0"
   spec.add_development_dependency "minitest", "~> 5.0"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: porkadot
 version: !ruby/object:Gem::Version
-  version: 0.22.2
+  version: 0.23.0
 platform: ruby
 authors:
 - OTSUKA, Yuanying
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-04-09 00:00:00.000000000 Z
+date: 2022-09-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -52,6 +52,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.20'
+- !ruby/object:Gem::Dependency
+  name: net-ssh
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 7.0.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 7.0.1
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -158,7 +172,7 @@ files:
 - lib/porkadot/assets/kubernetes/manifests/addons/metallb/000-metallb.yaml.erb
 - lib/porkadot/assets/kubernetes/manifests/addons/metallb/kustomization.yaml.erb
 - lib/porkadot/assets/kubernetes/manifests/addons/metallb/metallb.config.yaml.erb
-- lib/porkadot/assets/kubernetes/manifests/addons/metallb/metallb.secrets.yaml.erb
+- lib/porkadot/assets/kubernetes/manifests/addons/metallb/metallb.yaml
 - lib/porkadot/assets/kubernetes/manifests/addons/metallb/metallb.yaml.erb
 - lib/porkadot/assets/kubernetes/manifests/addons/storage-version-migrator/kustomization.yaml.erb
 - lib/porkadot/assets/kubernetes/manifests/addons/storage-version-migrator/storage-version-migrator.yaml.erb
@@ -173,6 +187,7 @@ files:
 - lib/porkadot/assets/kubernetes/manifests/porkadot.yaml.erb
 - lib/porkadot/cmd.rb
 - lib/porkadot/cmd/cli.rb
+- lib/porkadot/cmd/etcd.rb
 - lib/porkadot/cmd/install.rb
 - lib/porkadot/cmd/install/bootstrap.rb
 - lib/porkadot/cmd/render.rb
@@ -218,7 +233,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.3.7
 signing_key: 
 specification_version: 4
 summary: Porkadot is a CLI tool to deploy Kubernetes cluster.

data/lib/porkadot/assets/kubernetes/manifests/addons/metallb/metallb.secrets.yaml.erb

@@ -1,13 +0,0 @@
-<% require 'securerandom' -%>
-<% k8s = global_config.k8s -%>
----
-apiVersion: v1
-stringData:
-  secretkey: <%= SecureRandom.base64(128) %>
-kind: Secret
-metadata:
-  name: memberlist
-  namespace: metallb-system
-  labels:
-    app: metallb
-type: Opaque