feat: first working version of KubeZero on GKE

This commit is contained in:
Stefan Reimer 2024-08-09 11:45:27 +01:00
parent a6599ff390
commit 50c9a6e729
17 changed files with 100 additions and 60 deletions

View File

@ -19,6 +19,22 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
. "$SCRIPT_DIR"/libhelm.sh
CHARTS="$(dirname $SCRIPT_DIR)/charts"
# Guess platform from current context
_auth_cmd=$(kubectl config view | yq .users[0].user.exec.command)
if [ "$_auth_cmd" == "gke-gcloud-auth-plugin" ]; then
PLATFORM=gke
elif [ "$_auth_cmd" == "aws-iam-authenticator" ]; then
PLATFORM=aws
else
PLATFORM=nocloud
fi
parse_version() {
echo $([[ $1 =~ ^v[0-9]+\.[0-9]+\.[0-9]+ ]] && echo "${BASH_REMATCH[0]//v/}")
}
KUBE_VERSION=$(parse_version $KUBE_VERSION)
### Various hooks for modules
################
@ -71,7 +87,7 @@ if [ ${ARTIFACTS[0]} == "all" ]; then
fi
# Delete in reverse order, continue even if errors
if [ $ACTION == "delete" ]; then
if [ "$ACTION" == "delete" ]; then
set +e
for (( idx=${#ARTIFACTS[@]}-1 ; idx>=0 ; idx-- )) ; do
_helm delete ${ARTIFACTS[idx]} || true

View File

@ -34,9 +34,11 @@ function argo_used() {
# get kubezero-values from ArgoCD if available or use in-cluster CM without Argo
function get_kubezero_values() {
local _namespace="kube-system"
[ "$PLATFORM" == "gke" ] && _namespace=kubezero
argo_used && \
{ kubectl get application kubezero -n argocd -o yaml | yq .spec.source.helm.values > ${WORKDIR}/kubezero-values.yaml; } || \
{ kubectl get configmap -n kube-system kubezero-values -o yaml | yq '.data."values.yaml"' > ${WORKDIR}/kubezero-values.yaml ;}
{ kubectl get configmap -n $_namespace kubezero-values -o yaml | yq '.data."values.yaml"' > ${WORKDIR}/kubezero-values.yaml ;}
}
@ -169,14 +171,14 @@ function _helm() {
yq eval '.spec.source.helm.values' $WORKDIR/kubezero/templates/${module}.yaml > $WORKDIR/values.yaml
echo "using values to $action of module $module: "
cat $WORKDIR/values.yaml
if [ $action == "crds" ]; then
# Allow custom CRD handling
declare -F ${module}-crds && ${module}-crds || _crds
elif [ $action == "apply" ]; then
echo "using values to $action of module $module: "
cat $WORKDIR/values.yaml
# namespace must exist prior to apply
create_ns $namespace

View File

@ -33,4 +33,4 @@ dependencies:
version: 0.11.0
repository: https://argoproj.github.io/argo-helm
condition: argocd-image-updater.enabled
kubeVersion: ">= 1.26.0"
kubeVersion: ">= 1.26.0-0"

View File

@ -65,7 +65,7 @@ Kubernetes: `>= 1.26.0`
| argo-cd.repoServer.initContainers[0].command[0] | string | `"/usr/local/bin/sa2kubeconfig.sh"` | |
| argo-cd.repoServer.initContainers[0].command[1] | string | `"/home/argocd/.kube/config"` | |
| argo-cd.repoServer.initContainers[0].image | string | `"{{ default .Values.global.image.repository .Values.repoServer.image.repository }}:{{ default (include \"argo-cd.defaultTag\" .) .Values.repoServer.image.tag }}"` | |
| argo-cd.repoServer.initContainers[0].imagePullPolicy | string | `"IfNotPresent"` | |
| argo-cd.repoServer.initContainers[0].imagePullPolicy | string | `"{{ default .Values.global.image.imagePullPolicy .Values.repoServer.image.imagePullPolicy }}"` | |
| argo-cd.repoServer.initContainers[0].name | string | `"create-kubeconfig"` | |
| argo-cd.repoServer.initContainers[0].securityContext.allowPrivilegeEscalation | bool | `false` | |
| argo-cd.repoServer.initContainers[0].securityContext.capabilities.drop[0] | string | `"ALL"` | |

View File

@ -18,4 +18,4 @@ dependencies:
- name: cert-manager
version: v1.15.1
repository: https://charts.jetstack.io
kubeVersion: ">= 1.26.0"
kubeVersion: ">= 1.26.0-0"

View File

@ -61,31 +61,15 @@ cert-manager:
# mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
# readOnly: true
tolerations:
- key: node-role.kubernetes.io/control-plane
effect: NoSchedule
nodeSelector:
node-role.kubernetes.io/control-plane: ""
ingressShim:
defaultIssuerName: letsencrypt-dns-prod
defaultIssuerKind: ClusterIssuer
webhook:
tolerations:
- key: node-role.kubernetes.io/control-plane
effect: NoSchedule
nodeSelector:
node-role.kubernetes.io/control-plane: ""
extraArgs:
- "--logging-format=json"
cainjector:
tolerations:
- key: node-role.kubernetes.io/control-plane
effect: NoSchedule
nodeSelector:
node-role.kubernetes.io/control-plane: ""
extraArgs:
- "--logging-format=json"
- "--leader-elect=false"

View File

@ -2,7 +2,7 @@ apiVersion: v2
name: kubezero-istio-gateway
description: KubeZero Umbrella Chart for Istio gateways
type: application
version: 0.22.3
version: 0.22.3-1
home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords:
@ -19,4 +19,4 @@ dependencies:
- name: gateway
version: 1.22.3
repository: https://istio-release.storage.googleapis.com/charts
kubeVersion: ">= 1.26.0"
kubeVersion: ">= 1.26.0-0"

View File

@ -16,7 +16,7 @@ Installs Istio Ingress Gateways, requires kubezero-istio to be installed !
## Requirements
Kubernetes: `>= 1.26.0`
Kubernetes: `>= 1.26.0-0`
| Repository | Name | Version |
|------------|------|---------|

View File

@ -8,7 +8,6 @@ gateway:
replicaCount: 1
terminationGracePeriodSeconds: 120
priorityClassName: system-cluster-critical
resources:
requests:

View File

@ -2,7 +2,7 @@ apiVersion: v2
name: kubezero-istio
description: KubeZero Umbrella Chart for Istio
type: application
version: 0.22.3
version: 0.22.3-1
home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords:
@ -22,7 +22,7 @@ dependencies:
version: 1.22.3
repository: https://istio-release.storage.googleapis.com/charts
- name: kiali-server
version: "1.87.0"
version: "1.88.0"
repository: https://kiali.org/helm-charts
condition: kiali-server.enabled
kubeVersion: ">= 1.26.0"
kubeVersion: ">= 1.26.0-0"

View File

@ -16,7 +16,7 @@ Installs the Istio control plane
## Requirements
Kubernetes: `>= 1.26.0`
Kubernetes: `>= 1.26.0-0`
| Repository | Name | Version |
|------------|------|---------|
@ -31,19 +31,15 @@ Kubernetes: `>= 1.26.0`
|-----|------|---------|-------------|
| global.defaultPodDisruptionBudget.enabled | bool | `false` | |
| global.logAsJson | bool | `true` | |
| global.priorityClassName | string | `"system-cluster-critical"` | |
| global.variant | string | `"distroless"` | |
| istiod.meshConfig.accessLogEncoding | string | `"JSON"` | |
| istiod.meshConfig.accessLogFile | string | `"/dev/stdout"` | |
| istiod.meshConfig.tcpKeepalive.interval | string | `"60s"` | |
| istiod.meshConfig.tcpKeepalive.time | string | `"120s"` | |
| istiod.pilot.autoscaleEnabled | bool | `false` | |
| istiod.pilot.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | |
| istiod.pilot.replicaCount | int | `1` | |
| istiod.pilot.resources.requests.cpu | string | `"100m"` | |
| istiod.pilot.resources.requests.memory | string | `"128Mi"` | |
| istiod.pilot.tolerations[0].effect | string | `"NoSchedule"` | |
| istiod.pilot.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` | |
| istiod.telemetry.enabled | bool | `false` | |
| kiali-server.auth.strategy | string | `"anonymous"` | |
| kiali-server.deployment.ingress_enabled | bool | `false` | |

View File

@ -6,19 +6,11 @@ global:
defaultPodDisruptionBudget:
enabled: false
priorityClassName: "system-cluster-critical"
istiod:
pilot:
autoscaleEnabled: false
replicaCount: 1
nodeSelector:
node-role.kubernetes.io/control-plane: ""
tolerations:
- key: node-role.kubernetes.io/control-plane
effect: NoSchedule
resources:
requests:
cpu: 100m
@ -57,7 +49,7 @@ kiali-server:
prometheus:
url: "http://metrics-kube-prometheus-st-prometheus.monitoring:9090"
istio:
enabled: false
gateway: istio-ingress/private-ingressgateway

View File

@ -2,7 +2,7 @@ apiVersion: v2
name: kubezero
description: KubeZero - Root App of Apps chart
type: application
version: 1.29.7
version: 1.29.7-1
home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords:
@ -15,4 +15,4 @@ dependencies:
- name: kubezero-lib
version: ">= 0.1.6"
repository: https://cdn.zero-downtime.net/charts
kubeVersion: ">= 1.26.0"
kubeVersion: ">= 1.26.0-0"

View File

@ -9,10 +9,29 @@ cert-manager:
type: Recreate
{{- end }}
prometheus:
servicemonitor:
enabled: {{ $.Values.metrics.enabled }}
{{ with index .Values "cert-manager" "IamArn" }}
{{- if eq .Values.global.platform "aws" }}
# map everything to the control-plane
nodeSelector:
node-role.kubernetes.io/control-plane: ""
tolerations:
- key: node-role.kubernetes.io/control-plane
effect: NoSchedule
webhook:
tolerations:
- key: node-role.kubernetes.io/control-plane
effect: NoSchedule
nodeSelector:
node-role.kubernetes.io/control-plane: ""
cainjector:
tolerations:
- key: node-role.kubernetes.io/control-plane
effect: NoSchedule
nodeSelector:
node-role.kubernetes.io/control-plane: ""
{{ with index .Values "cert-manager" "IamArn" }}
extraEnv:
- name: AWS_ROLE_ARN
value: "{{ . }}"
@ -34,7 +53,19 @@ cert-manager:
- name: aws-token
mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
readOnly: true
{{- end }}
{{- end }}
{{- end }}
{{- if eq .Values.global.platform "gke" }}
serviceAccount:
annotations:
iam.gke.io/gcp-service-account: "dns01-solver@{{ .Values.global.gcp.projectId }}.iam.gserviceaccount.com"
{{- end }}
prometheus:
servicemonitor:
enabled: {{ $.Values.metrics.enabled }}
{{- with index .Values "cert-manager" "clusterIssuer" }}
clusterIssuer:

View File

@ -3,6 +3,10 @@
gateway:
name: istio-ingressgateway
{{- if ne .Values.global.platform "gke" }}
priorityClassName: "system-cluster-critical"
{{- end }}
{{- with index .Values "istio-ingress" "gateway" "replicaCount" }}
replicaCount: {{ . }}
{{- if gt (int .) 1 }}
@ -11,7 +15,7 @@ gateway:
{{- end }}
{{- end }}
{{- if not (index .Values "istio-ingress" "gateway" "affinity") }}
{{- if eq .Values.global.platform "aws" }}
# Only nodes who are fronted with matching LB
affinity:
nodeAffinity:

View File

@ -1,21 +1,37 @@
{{- define "istio-values" }}
{{- if .Values.global.highAvailable }}
global:
defaultPodDisruptionBudget:
enabled: true
{{- if ne .Values.global.platform "gke" }}
priorityClassName: "system-cluster-critical"
{{- end }}
{{- end }}
istiod:
telemetry:
enabled: {{ $.Values.metrics.enabled }}
pilot:
{{- if eq .Values.global.platform "aws" }}
nodeSelector:
node-role.kubernetes.io/control-plane: ""
tolerations:
- key: node-role.kubernetes.io/control-plane
effect: NoSchedule
{{- end }}
{{- if .Values.global.highAvailable }}
replicaCount: 2
global:
defaultPodDisruptionBudget:
enabled: true
{{- else }}
extraContainerArgs:
- --leader-elect=false
{{- end }}
{{- with index .Values "istio" "kiali-server" }}
kiali-server:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with .Values.istio.rateLimiting }}
rateLimiting:
{{- toYaml . | nindent 2 }}

View File

@ -43,7 +43,7 @@ network:
cert-manager:
enabled: false
namespace: cert-manager
targetRevision: 0.9.8
targetRevision: 0.9.9
storage:
enabled: false
@ -64,13 +64,13 @@ storage:
istio:
enabled: false
namespace: istio-system
targetRevision: 0.22.3
targetRevision: 0.22.3-1
istio-ingress:
enabled: false
chart: kubezero-istio-gateway
namespace: istio-ingress
targetRevision: 0.22.3
targetRevision: 0.22.3-1
gateway:
service: {}
@ -78,7 +78,7 @@ istio-private-ingress:
enabled: false
chart: kubezero-istio-gateway
namespace: istio-ingress
targetRevision: 0.22.3
targetRevision: 0.22.3-1
gateway:
service: {}