-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Initial version of clusterctl create #219
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,110 @@ | ||
/* | ||
Copyright 2018 The Kubernetes Authors. | ||
|
||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
|
||
http://www.apache.org/licenses/LICENSE-2.0 | ||
|
||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package clusterdeployer | ||
|
||
import ( | ||
"bytes" | ||
"encoding/base64" | ||
"fmt" | ||
"os" | ||
"text/template" | ||
|
||
"github.com/golang/glog" | ||
corev1 "k8s.io/api/core/v1" | ||
"k8s.io/client-go/util/cert" | ||
"k8s.io/client-go/util/cert/triple" | ||
) | ||
|
||
var apiServerImage = "gcr.io/k8s-cluster-api/cluster-apiserver:0.0.3" | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This is out of date compared to head. I think the current version is 0.0.5 or so. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I know. This is snapshot-ed to the version called out in the PR description. My plan is to move roll forward after landing this v0 PR. There is a lot of development in this repo (a good thing :) ) and I think it is better to land something working and improve it than hold off trying to keep up with all the development. |
||
|
||
func init() { | ||
if img, ok := os.LookupEnv("CLUSTER_API_SERVER_IMAGE"); ok { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Why an env var instead of a flag? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It is what we have been doing so far in this repo. We can change it to a flag post v0 if folks really prefer a flag over a environment variable for a development hook. |
||
apiServerImage = img | ||
} | ||
} | ||
|
||
type caCertParams struct { | ||
caBundle string | ||
tlsCrt string | ||
tlsKey string | ||
} | ||
|
||
func getApiServerCerts() (*caCertParams, error) { | ||
const name = "clusterapi" | ||
const namespace = corev1.NamespaceDefault | ||
|
||
caKeyPair, err := triple.NewCA(fmt.Sprintf("%s-certificate-authority", name)) | ||
if err != nil { | ||
return nil, fmt.Errorf("failed to create root-ca: %v", err) | ||
} | ||
|
||
apiServerKeyPair, err := triple.NewServerKeyPair( | ||
caKeyPair, | ||
fmt.Sprintf("%s.%s.svc", name, namespace), | ||
name, | ||
namespace, | ||
"cluster.local", | ||
[]string{}, | ||
[]string{}) | ||
if err != nil { | ||
return nil, fmt.Errorf("failed to create apiserver key pair: %v", err) | ||
} | ||
|
||
certParams := &caCertParams{ | ||
caBundle: base64.StdEncoding.EncodeToString(cert.EncodeCertPEM(caKeyPair.Cert)), | ||
tlsKey: base64.StdEncoding.EncodeToString(cert.EncodePrivateKeyPEM(apiServerKeyPair.Key)), | ||
tlsCrt: base64.StdEncoding.EncodeToString(cert.EncodeCertPEM(apiServerKeyPair.Cert)), | ||
} | ||
|
||
return certParams, nil | ||
} | ||
|
||
func getApiServerYaml() (string, error) { | ||
tmpl, err := template.New("config").Parse(ClusterAPIAPIServerConfigTemplate) | ||
if err != nil { | ||
return "", err | ||
} | ||
|
||
certParms, err := getApiServerCerts() | ||
if err != nil { | ||
glog.Errorf("Error: %v", err) | ||
return "", err | ||
} | ||
|
||
type params struct { | ||
Token string | ||
APIServerImage string | ||
ControllerManagerImage string | ||
MachineControllerImage string | ||
CABundle string | ||
TLSCrt string | ||
TLSKey string | ||
} | ||
|
||
var tmplBuf bytes.Buffer | ||
err = tmpl.Execute(&tmplBuf, params{ | ||
APIServerImage: apiServerImage, | ||
CABundle: certParms.caBundle, | ||
TLSCrt: certParms.tlsCrt, | ||
TLSKey: certParms.tlsKey, | ||
}) | ||
if err != nil { | ||
return "", err | ||
} | ||
|
||
return string(tmplBuf.Bytes()), nil | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,241 @@ | ||
/* | ||
Copyright 2018 The Kubernetes Authors. | ||
|
||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
|
||
http://www.apache.org/licenses/LICENSE-2.0 | ||
|
||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package clusterdeployer | ||
|
||
const ClusterAPIAPIServerConfigTemplate = ` | ||
apiVersion: apiregistration.k8s.io/v1beta1 | ||
kind: APIService | ||
metadata: | ||
name: v1alpha1.cluster.k8s.io | ||
labels: | ||
api: clusterapi | ||
apiserver: "true" | ||
spec: | ||
version: v1alpha1 | ||
group: cluster.k8s.io | ||
groupPriorityMinimum: 2000 | ||
priority: 200 | ||
service: | ||
name: clusterapi | ||
namespace: default | ||
versionPriority: 10 | ||
caBundle: {{ .CABundle }} | ||
--- | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
name: clusterapi | ||
namespace: default | ||
labels: | ||
api: clusterapi | ||
apiserver: "true" | ||
spec: | ||
ports: | ||
- port: 443 | ||
protocol: TCP | ||
targetPort: 443 | ||
selector: | ||
api: clusterapi | ||
apiserver: "true" | ||
--- | ||
apiVersion: apps/v1beta1 | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Deployments should use There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This is snapshot-ed to the version called out in the PR description. I want to check it in with a consistent working snapshot so we know what changes it is caught up with and what changes it has yet to catch up on. |
||
kind: Deployment | ||
metadata: | ||
name: clusterapi-apiserver | ||
namespace: default | ||
labels: | ||
api: clusterapi | ||
apiserver: "true" | ||
spec: | ||
replicas: 1 | ||
template: | ||
metadata: | ||
labels: | ||
api: clusterapi | ||
apiserver: "true" | ||
spec: | ||
nodeSelector: | ||
node-role.kubernetes.io/master: "" | ||
tolerations: | ||
- effect: NoSchedule | ||
key: node-role.kubernetes.io/master | ||
- key: CriticalAddonsOnly | ||
operator: Exists | ||
- effect: NoExecute | ||
key: node.alpha.kubernetes.io/notReady | ||
operator: Exists | ||
- effect: NoExecute | ||
key: node.alpha.kubernetes.io/unreachable | ||
operator: Exists | ||
containers: | ||
- name: apiserver | ||
image: {{ .APIServerImage }} | ||
volumeMounts: | ||
- name: cluster-apiserver-certs | ||
mountPath: /apiserver.local.config/certificates | ||
readOnly: true | ||
- name: config | ||
mountPath: /etc/kubernetes | ||
- name: certs | ||
mountPath: /etc/ssl/certs | ||
command: | ||
- "./apiserver" | ||
args: | ||
- "--etcd-servers=http://etcd-clusterapi-svc:2379" | ||
- "--tls-cert-file=/apiserver.local.config/certificates/tls.crt" | ||
- "--tls-private-key-file=/apiserver.local.config/certificates/tls.key" | ||
- "--audit-log-path=-" | ||
- "--audit-log-maxage=0" | ||
- "--audit-log-maxbackup=0" | ||
- "--authorization-kubeconfig=/etc/kubernetes/admin.conf" | ||
- "--kubeconfig=/etc/kubernetes/admin.conf" | ||
resources: | ||
requests: | ||
cpu: 100m | ||
memory: 20Mi | ||
limits: | ||
cpu: 100m | ||
memory: 30Mi | ||
volumes: | ||
- name: cluster-apiserver-certs | ||
secret: | ||
secretName: cluster-apiserver-certs | ||
- name: config | ||
hostPath: | ||
path: /etc/kubernetes | ||
- name: certs | ||
hostPath: | ||
path: /etc/ssl/certs | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/ | ||
kind: RoleBinding | ||
metadata: | ||
name: clusterapi | ||
namespace: kube-system | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: Role | ||
name: extension-apiserver-authentication-reader | ||
subjects: | ||
- kind: ServiceAccount | ||
name: default | ||
namespace: default | ||
--- | ||
apiVersion: apps/v1beta1 | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. same here There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This is snapshot-ed to the version called out in the PR description. I want to check it in with a consistent working snapshot so we know what changes it is caught up with and what changes it has yet to catch up on. |
||
kind: StatefulSet | ||
metadata: | ||
name: etcd-clusterapi | ||
namespace: default | ||
spec: | ||
serviceName: "etcd" | ||
replicas: 1 | ||
template: | ||
metadata: | ||
labels: | ||
app: etcd | ||
spec: | ||
nodeSelector: | ||
node-role.kubernetes.io/master: "" | ||
tolerations: | ||
- effect: NoSchedule | ||
key: node-role.kubernetes.io/master | ||
- key: CriticalAddonsOnly | ||
operator: Exists | ||
- effect: NoExecute | ||
key: node.alpha.kubernetes.io/notReady | ||
operator: Exists | ||
- effect: NoExecute | ||
key: node.alpha.kubernetes.io/unreachable | ||
operator: Exists | ||
volumes: | ||
- hostPath: | ||
path: /var/lib/etcd2 | ||
type: DirectoryOrCreate | ||
name: etcd-data-dir | ||
terminationGracePeriodSeconds: 10 | ||
containers: | ||
- name: etcd | ||
image: quay.io/coreos/etcd:latest | ||
imagePullPolicy: Always | ||
resources: | ||
requests: | ||
cpu: 100m | ||
memory: 20Mi | ||
limits: | ||
cpu: 100m | ||
memory: 30Mi | ||
env: | ||
- name: ETCD_DATA_DIR | ||
value: /etcd-data-dir | ||
command: | ||
- /usr/local/bin/etcd | ||
- --listen-client-urls | ||
- http://0.0.0.0:2379 | ||
- --advertise-client-urls | ||
- http://localhost:2379 | ||
ports: | ||
- containerPort: 2379 | ||
volumeMounts: | ||
- name: etcd-data-dir | ||
mountPath: /etcd-data-dir | ||
readinessProbe: | ||
httpGet: | ||
port: 2379 | ||
path: /health | ||
failureThreshold: 1 | ||
initialDelaySeconds: 10 | ||
periodSeconds: 10 | ||
successThreshold: 1 | ||
timeoutSeconds: 2 | ||
livenessProbe: | ||
httpGet: | ||
port: 2379 | ||
path: /health | ||
failureThreshold: 3 | ||
initialDelaySeconds: 10 | ||
periodSeconds: 10 | ||
successThreshold: 1 | ||
timeoutSeconds: 2 | ||
--- | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
name: etcd-clusterapi-svc | ||
namespace: default | ||
labels: | ||
app: etcd | ||
spec: | ||
ports: | ||
- port: 2379 | ||
name: etcd | ||
targetPort: 2379 | ||
selector: | ||
app: etcd | ||
--- | ||
apiVersion: v1 | ||
kind: Secret | ||
type: kubernetes.io/tls | ||
metadata: | ||
name: cluster-apiserver-certs | ||
namespace: default | ||
labels: | ||
api: clusterapi | ||
apiserver: "true" | ||
data: | ||
tls.crt: {{ .TLSCrt }} | ||
tls.key: {{ .TLSKey }} | ||
` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
did you intend to include the example provider-components.yaml in this PR?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is imminently coming in the next PR.