Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Initial version of clusterctl create #219

Merged
merged 1 commit into from
May 31, 2018
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 3 additions & 6 deletions clusterctl/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -19,16 +19,13 @@ $ go build
```

### Limitations

TBD

### Creating a cluster

**NOT YET SUPPORTED!** - Use [provider-specific deployer](../README.md) to create clusters till cluster creation is supported.

1. Create a `cluster.yaml` and `machines.yaml` files configured for your cluster. See the provider specific templates and generation tools at `$GOPATH/src/sigs.k8s.io/cluster-api/clusterctl/examples/<provider>`.
1. Create a `cluster.yaml`, `machines.yaml` and `provider-components.yaml` files configured for your cluster. See the provider specific templates and generation tools at `$GOPATH/src/sigs.k8s.io/cluster-api/clusterctl/examples/<provider>`.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

did you intend to include the example provider-components.yaml in this PR?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is imminently coming in the next PR.

2. Create a cluster
```
clusterctl create cluster -c cluster.yaml -m machines.yaml
clusterctl create cluster -provider [google/terrraform] -c cluster.yaml -m machines.yaml -p provider-components.yaml
```
Additional advanced flags can be found via help
```
Expand Down
110 changes: 110 additions & 0 deletions clusterctl/clusterdeployer/clusterapiserver.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,110 @@
/*
Copyright 2018 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package clusterdeployer

import (
"bytes"
"encoding/base64"
"fmt"
"os"
"text/template"

"github.com/golang/glog"
corev1 "k8s.io/api/core/v1"
"k8s.io/client-go/util/cert"
"k8s.io/client-go/util/cert/triple"
)

var apiServerImage = "gcr.io/k8s-cluster-api/cluster-apiserver:0.0.3"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is out of date compared to head. I think the current version is 0.0.5 or so.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know. This is snapshot-ed to the version called out in the PR description. My plan is to move roll forward after landing this v0 PR. There is a lot of development in this repo (a good thing :) ) and I think it is better to land something working and improve it than hold off trying to keep up with all the development.


func init() {
if img, ok := os.LookupEnv("CLUSTER_API_SERVER_IMAGE"); ok {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why an env var instead of a flag?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is what we have been doing so far in this repo. We can change it to a flag post v0 if folks really prefer a flag over a environment variable for a development hook.

apiServerImage = img
}
}

type caCertParams struct {
caBundle string
tlsCrt string
tlsKey string
}

func getApiServerCerts() (*caCertParams, error) {
const name = "clusterapi"
const namespace = corev1.NamespaceDefault

caKeyPair, err := triple.NewCA(fmt.Sprintf("%s-certificate-authority", name))
if err != nil {
return nil, fmt.Errorf("failed to create root-ca: %v", err)
}

apiServerKeyPair, err := triple.NewServerKeyPair(
caKeyPair,
fmt.Sprintf("%s.%s.svc", name, namespace),
name,
namespace,
"cluster.local",
[]string{},
[]string{})
if err != nil {
return nil, fmt.Errorf("failed to create apiserver key pair: %v", err)
}

certParams := &caCertParams{
caBundle: base64.StdEncoding.EncodeToString(cert.EncodeCertPEM(caKeyPair.Cert)),
tlsKey: base64.StdEncoding.EncodeToString(cert.EncodePrivateKeyPEM(apiServerKeyPair.Key)),
tlsCrt: base64.StdEncoding.EncodeToString(cert.EncodeCertPEM(apiServerKeyPair.Cert)),
}

return certParams, nil
}

func getApiServerYaml() (string, error) {
tmpl, err := template.New("config").Parse(ClusterAPIAPIServerConfigTemplate)
if err != nil {
return "", err
}

certParms, err := getApiServerCerts()
if err != nil {
glog.Errorf("Error: %v", err)
return "", err
}

type params struct {
Token string
APIServerImage string
ControllerManagerImage string
MachineControllerImage string
CABundle string
TLSCrt string
TLSKey string
}

var tmplBuf bytes.Buffer
err = tmpl.Execute(&tmplBuf, params{
APIServerImage: apiServerImage,
CABundle: certParms.caBundle,
TLSCrt: certParms.tlsCrt,
TLSKey: certParms.tlsKey,
})
if err != nil {
return "", err
}

return string(tmplBuf.Bytes()), nil
}
241 changes: 241 additions & 0 deletions clusterctl/clusterdeployer/clusterapiservertemplate.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,241 @@
/*
Copyright 2018 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package clusterdeployer

const ClusterAPIAPIServerConfigTemplate = `
apiVersion: apiregistration.k8s.io/v1beta1
kind: APIService
metadata:
name: v1alpha1.cluster.k8s.io
labels:
api: clusterapi
apiserver: "true"
spec:
version: v1alpha1
group: cluster.k8s.io
groupPriorityMinimum: 2000
priority: 200
service:
name: clusterapi
namespace: default
versionPriority: 10
caBundle: {{ .CABundle }}
---
apiVersion: v1
kind: Service
metadata:
name: clusterapi
namespace: default
labels:
api: clusterapi
apiserver: "true"
spec:
ports:
- port: 443
protocol: TCP
targetPort: 443
selector:
api: clusterapi
apiserver: "true"
---
apiVersion: apps/v1beta1
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Deployments should use v1 instead of v1beta1.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is snapshot-ed to the version called out in the PR description. I want to check it in with a consistent working snapshot so we know what changes it is caught up with and what changes it has yet to catch up on.

kind: Deployment
metadata:
name: clusterapi-apiserver
namespace: default
labels:
api: clusterapi
apiserver: "true"
spec:
replicas: 1
template:
metadata:
labels:
api: clusterapi
apiserver: "true"
spec:
nodeSelector:
node-role.kubernetes.io/master: ""
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
- key: CriticalAddonsOnly
operator: Exists
- effect: NoExecute
key: node.alpha.kubernetes.io/notReady
operator: Exists
- effect: NoExecute
key: node.alpha.kubernetes.io/unreachable
operator: Exists
containers:
- name: apiserver
image: {{ .APIServerImage }}
volumeMounts:
- name: cluster-apiserver-certs
mountPath: /apiserver.local.config/certificates
readOnly: true
- name: config
mountPath: /etc/kubernetes
- name: certs
mountPath: /etc/ssl/certs
command:
- "./apiserver"
args:
- "--etcd-servers=http://etcd-clusterapi-svc:2379"
- "--tls-cert-file=/apiserver.local.config/certificates/tls.crt"
- "--tls-private-key-file=/apiserver.local.config/certificates/tls.key"
- "--audit-log-path=-"
- "--audit-log-maxage=0"
- "--audit-log-maxbackup=0"
- "--authorization-kubeconfig=/etc/kubernetes/admin.conf"
- "--kubeconfig=/etc/kubernetes/admin.conf"
resources:
requests:
cpu: 100m
memory: 20Mi
limits:
cpu: 100m
memory: 30Mi
volumes:
- name: cluster-apiserver-certs
secret:
secretName: cluster-apiserver-certs
- name: config
hostPath:
path: /etc/kubernetes
- name: certs
hostPath:
path: /etc/ssl/certs
---
apiVersion: rbac.authorization.k8s.io/
kind: RoleBinding
metadata:
name: clusterapi
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: default
namespace: default
---
apiVersion: apps/v1beta1
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same here

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is snapshot-ed to the version called out in the PR description. I want to check it in with a consistent working snapshot so we know what changes it is caught up with and what changes it has yet to catch up on.

kind: StatefulSet
metadata:
name: etcd-clusterapi
namespace: default
spec:
serviceName: "etcd"
replicas: 1
template:
metadata:
labels:
app: etcd
spec:
nodeSelector:
node-role.kubernetes.io/master: ""
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
- key: CriticalAddonsOnly
operator: Exists
- effect: NoExecute
key: node.alpha.kubernetes.io/notReady
operator: Exists
- effect: NoExecute
key: node.alpha.kubernetes.io/unreachable
operator: Exists
volumes:
- hostPath:
path: /var/lib/etcd2
type: DirectoryOrCreate
name: etcd-data-dir
terminationGracePeriodSeconds: 10
containers:
- name: etcd
image: quay.io/coreos/etcd:latest
imagePullPolicy: Always
resources:
requests:
cpu: 100m
memory: 20Mi
limits:
cpu: 100m
memory: 30Mi
env:
- name: ETCD_DATA_DIR
value: /etcd-data-dir
command:
- /usr/local/bin/etcd
- --listen-client-urls
- http://0.0.0.0:2379
- --advertise-client-urls
- http://localhost:2379
ports:
- containerPort: 2379
volumeMounts:
- name: etcd-data-dir
mountPath: /etcd-data-dir
readinessProbe:
httpGet:
port: 2379
path: /health
failureThreshold: 1
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 2
livenessProbe:
httpGet:
port: 2379
path: /health
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 2
---
apiVersion: v1
kind: Service
metadata:
name: etcd-clusterapi-svc
namespace: default
labels:
app: etcd
spec:
ports:
- port: 2379
name: etcd
targetPort: 2379
selector:
app: etcd
---
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
name: cluster-apiserver-certs
namespace: default
labels:
api: clusterapi
apiserver: "true"
data:
tls.crt: {{ .TLSCrt }}
tls.key: {{ .TLSKey }}
`
Loading