From f82d094449f2f4a9df74faa74e3e0965537a10b2 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Fri, 1 May 2020 18:14:40 +0100 Subject: [PATCH] Add calical and local-volume-provisioner, adjust urls --- artifacts/calico/README.md | 12 + artifacts/calico/canal.yaml | 697 ++++++++++++++++++ artifacts/calico/kustomization.yaml | 8 + artifacts/calico/logging.yaml | 16 + artifacts/calico/prometheus.yaml | 14 + artifacts/local-volume-provisioner/README.md | 12 + .../kustomization.yaml | 5 + .../local-sc-xfs.yaml | 8 + .../local-volume-provisioner.yaml | 136 ++++ artifacts/local-volume-provisioner/update.sh | 5 + .../local-volume-provisioner/values.yaml | 11 + charts/kubezero-app/Chart.yaml | 2 +- charts/kubezero-app/values.yaml | 5 +- charts/kubezero/values.yaml | 8 +- 14 files changed, 933 insertions(+), 6 deletions(-) create mode 100644 artifacts/calico/README.md create mode 100644 artifacts/calico/canal.yaml create mode 100644 artifacts/calico/kustomization.yaml create mode 100644 artifacts/calico/logging.yaml create mode 100644 artifacts/calico/prometheus.yaml create mode 100644 artifacts/local-volume-provisioner/README.md create mode 100644 artifacts/local-volume-provisioner/kustomization.yaml create mode 100644 artifacts/local-volume-provisioner/local-sc-xfs.yaml create mode 100644 artifacts/local-volume-provisioner/local-volume-provisioner.yaml create mode 100755 artifacts/local-volume-provisioner/update.sh create mode 100644 artifacts/local-volume-provisioner/values.yaml diff --git a/artifacts/calico/README.md b/artifacts/calico/README.md new file mode 100644 index 0000000..ba64f7e --- /dev/null +++ b/artifacts/calico/README.md 
@@ -0,0 +1,12 @@ +# Calico CNI + +## Known issues +Due to a bug in Kustomize V2 vs. V3 we have to remove all namespaces from the base resources. +The kube-system namespace will be applied by kustomize. + +See eg: `https://github.com/kubernetes-sigs/kustomize/issues/1351` + + +## Upgrade +See: https://docs.projectcalico.org/maintenance/kubernetes-upgrade +`curl https://docs.projectcalico.org/manifests/canal.yaml -O` diff --git a/artifacts/calico/canal.yaml b/artifacts/calico/canal.yaml new file mode 100644 index 0000000..ef79974 --- /dev/null +++ b/artifacts/calico/canal.yaml 
@@ -0,0 +1,697 @@ +--- +# Source: calico/templates/calico-config.yaml +# This ConfigMap is used to configure a self-hosted Canal installation. +kind: ConfigMap +apiVersion: v1 +metadata: + name: canal-config +data: + # Typha is disabled. + typha_service_name: "none" + # The interface used by canal for host <-> host communication. + # If left blank, then the interface is chosen using the node's + # default route. + canal_iface: "" + + # Whether or not to masquerade traffic to destinations not within + # the pod network. + masquerade: "true" + + # Configure the MTU to use + veth_mtu: "1450" + + # The CNI network configuration to install on each node. The special + # values in this config will be automatically populated. + cni_network_config: |- + { + "name": "k8s-pod-network", + "cniVersion": "0.3.1", + "plugins": [ + { + "type": "calico", + "log_level": "info", + "datastore_type": "kubernetes", + "nodename": "__KUBERNETES_NODE_NAME__", + "mtu": __CNI_MTU__, + "ipam": { + "type": "host-local", + "subnet": "usePodCidr" + }, + "policy": { + "type": "k8s" + }, + "kubernetes": { + "kubeconfig": "__KUBECONFIG_FILEPATH__" + } + }, + { + "type": "portmap", + "snat": true, + "capabilities": {"portMappings": true} + }, + { + "type": "bandwidth", + "capabilities": {"bandwidth": true} + } + ] + } + + # Flannel network configuration. Mounted into the flannel container. 
+ net-conf.json: | + { + "Network": "10.244.0.0/16", + "Backend": { + "Type": "vxlan" + } + } + +--- +# Source: calico/templates/kdd-crds.yaml + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: bgpconfigurations.crd.projectcalico.org +spec: + scope: Cluster + group: crd.projectcalico.org + version: v1 + names: + kind: BGPConfiguration + plural: bgpconfigurations + singular: bgpconfiguration + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: bgppeers.crd.projectcalico.org +spec: + scope: Cluster + group: crd.projectcalico.org + version: v1 + names: + kind: BGPPeer + plural: bgppeers + singular: bgppeer + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: blockaffinities.crd.projectcalico.org +spec: + scope: Cluster + group: crd.projectcalico.org + version: v1 + names: + kind: BlockAffinity + plural: blockaffinities + singular: blockaffinity + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: clusterinformations.crd.projectcalico.org +spec: + scope: Cluster + group: crd.projectcalico.org + version: v1 + names: + kind: ClusterInformation + plural: clusterinformations + singular: clusterinformation + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: felixconfigurations.crd.projectcalico.org +spec: + scope: Cluster + group: crd.projectcalico.org + version: v1 + names: + kind: FelixConfiguration + plural: felixconfigurations + singular: felixconfiguration + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: globalnetworkpolicies.crd.projectcalico.org +spec: + scope: Cluster + group: crd.projectcalico.org + version: v1 + names: + kind: GlobalNetworkPolicy + plural: globalnetworkpolicies + singular: globalnetworkpolicy + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: 
CustomResourceDefinition +metadata: + name: globalnetworksets.crd.projectcalico.org +spec: + scope: Cluster + group: crd.projectcalico.org + version: v1 + names: + kind: GlobalNetworkSet + plural: globalnetworksets + singular: globalnetworkset + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: hostendpoints.crd.projectcalico.org +spec: + scope: Cluster + group: crd.projectcalico.org + version: v1 + names: + kind: HostEndpoint + plural: hostendpoints + singular: hostendpoint + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: ipamblocks.crd.projectcalico.org +spec: + scope: Cluster + group: crd.projectcalico.org + version: v1 + names: + kind: IPAMBlock + plural: ipamblocks + singular: ipamblock + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: ipamconfigs.crd.projectcalico.org +spec: + scope: Cluster + group: crd.projectcalico.org + version: v1 + names: + kind: IPAMConfig + plural: ipamconfigs + singular: ipamconfig + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: ipamhandles.crd.projectcalico.org +spec: + scope: Cluster + group: crd.projectcalico.org + version: v1 + names: + kind: IPAMHandle + plural: ipamhandles + singular: ipamhandle + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: ippools.crd.projectcalico.org +spec: + scope: Cluster + group: crd.projectcalico.org + version: v1 + names: + kind: IPPool + plural: ippools + singular: ippool + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: networkpolicies.crd.projectcalico.org +spec: + scope: Namespaced + group: crd.projectcalico.org + version: v1 + names: + kind: NetworkPolicy + plural: networkpolicies + singular: networkpolicy + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + 
name: networksets.crd.projectcalico.org +spec: + scope: Namespaced + group: crd.projectcalico.org + version: v1 + names: + kind: NetworkSet + plural: networksets + singular: networkset + +--- +--- +# Source: calico/templates/rbac.yaml + +# Include a clusterrole for the calico-node DaemonSet, +# and bind it to the calico-node serviceaccount. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-node +rules: + # The CNI plugin needs to get pods, nodes, and namespaces. + - apiGroups: [""] + resources: + - pods + - nodes + - namespaces + verbs: + - get + - apiGroups: [""] + resources: + - endpoints + - services + verbs: + # Used to discover service IPs for advertisement. + - watch + - list + # Used to discover Typhas. + - get + # Pod CIDR auto-detection on kubeadm needs access to config maps. + - apiGroups: [""] + resources: + - configmaps + verbs: + - get + - apiGroups: [""] + resources: + - nodes/status + verbs: + # Needed for clearing NodeNetworkUnavailable flag. + - patch + # Calico stores some configuration information in node annotations. + - update + # Watch for changes to Kubernetes NetworkPolicies. + - apiGroups: ["networking.k8s.io"] + resources: + - networkpolicies + verbs: + - watch + - list + # Used by Calico for policy information. + - apiGroups: [""] + resources: + - pods + - namespaces + - serviceaccounts + verbs: + - list + - watch + # The CNI plugin patches pods/status. + - apiGroups: [""] + resources: + - pods/status + verbs: + - patch + # Calico monitors various CRDs for config. + - apiGroups: ["crd.projectcalico.org"] + resources: + - globalfelixconfigs + - felixconfigurations + - bgppeers + - globalbgpconfigs + - bgpconfigurations + - ippools + - ipamblocks + - globalnetworkpolicies + - globalnetworksets + - networkpolicies + - networksets + - clusterinformations + - hostendpoints + - blockaffinities + verbs: + - get + - list + - watch + # Calico must create and update some CRDs on startup. 
+ - apiGroups: ["crd.projectcalico.org"] + resources: + - ippools + - felixconfigurations + - clusterinformations + verbs: + - create + - update + # Calico stores some configuration information on the node. + - apiGroups: [""] + resources: + - nodes + verbs: + - get + - list + - watch + # These permissions are only requried for upgrade from v2.6, and can + # be removed after upgrade or on fresh installations. + - apiGroups: ["crd.projectcalico.org"] + resources: + - bgpconfigurations + - bgppeers + verbs: + - create + - update + +--- +# Flannel ClusterRole +# Pulled from https://github.com/coreos/flannel/blob/master/Documentation/kube-flannel-rbac.yml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: flannel +rules: + - apiGroups: [""] + resources: + - pods + verbs: + - get + - apiGroups: [""] + resources: + - nodes + verbs: + - list + - watch + - apiGroups: [""] + resources: + - nodes/status + verbs: + - patch +--- +# Bind the flannel ClusterRole to the canal ServiceAccount. +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: canal-flannel +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: flannel +subjects: +- kind: ServiceAccount + name: canal + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: canal-calico +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-node +subjects: +- kind: ServiceAccount + name: canal + namespace: kube-system + +--- +# Source: calico/templates/calico-node.yaml +# This manifest installs the canal container, as well +# as the CNI plugins and network config on +# each master and worker node in a Kubernetes cluster. 
+kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: canal + labels: + k8s-app: canal +spec: + selector: + matchLabels: + k8s-app: canal + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + template: + metadata: + labels: + k8s-app: canal + annotations: + # This, along with the CriticalAddonsOnly toleration below, + # marks the pod as a critical add-on, ensuring it gets + # priority scheduling and that its resources are reserved + # if it ever gets evicted. + scheduler.alpha.kubernetes.io/critical-pod: '' + spec: + nodeSelector: + kubernetes.io/os: linux + hostNetwork: true + tolerations: + # Make sure canal gets scheduled on all nodes. + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + serviceAccountName: canal + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 0 + priorityClassName: system-node-critical + initContainers: + # This container installs the CNI binaries + # and CNI network config file on each node. + - name: install-cni + image: calico/cni:v3.13.3 + command: ["/install-cni.sh"] + env: + # Name of the CNI config file to create. + - name: CNI_CONF_NAME + value: "10-canal.conflist" + # The CNI network config to install on each node. + - name: CNI_NETWORK_CONFIG + valueFrom: + configMapKeyRef: + name: canal-config + key: cni_network_config + # Set the hostname based on the k8s node name. + - name: KUBERNETES_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + # CNI MTU Config variable + - name: CNI_MTU + valueFrom: + configMapKeyRef: + name: canal-config + key: veth_mtu + # Prevents the container from sleeping forever. 
+ - name: SLEEP + value: "false" + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + securityContext: + privileged: true + # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes + # to communicate with Felix over the Policy Sync API. + - name: flexvol-driver + image: calico/pod2daemon-flexvol:v3.13.3 + volumeMounts: + - name: flexvol-driver-host + mountPath: /host/driver + securityContext: + privileged: true + containers: + # Runs canal container on each Kubernetes node. This + # container programs network policy and routes on each + # host. + - name: calico-node + image: calico/node:v3.13.3 + env: + # Use Kubernetes API as the backing datastore. + - name: DATASTORE_TYPE + value: "kubernetes" + # Configure route aggregation based on pod CIDR. + - name: USE_POD_CIDR + value: "true" + # Wait for the datastore. + - name: WAIT_FOR_DATASTORE + value: "true" + # Set based on the k8s node name. + - name: NODENAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + # Don't enable BGP. + - name: CALICO_NETWORKING_BACKEND + value: "none" + # Cluster type to identify the deployment type + - name: CLUSTER_TYPE + value: "k8s,canal" + # Period, in seconds, at which felix re-applies all iptables state + - name: FELIX_IPTABLESREFRESHINTERVAL + value: "60" + # No IP address needed. + - name: IP + value: "" + # The default IPv4 pool to create on startup if none exists. Pod IPs will be + # chosen from this range. Changing this value after installation will have + # no effect. This should fall within `--cluster-cidr`. + # - name: CALICO_IPV4POOL_CIDR + # value: "192.168.0.0/16" + # Disable file logging so `kubectl logs` works. + - name: CALICO_DISABLE_FILE_LOGGING + value: "true" + # Set Felix endpoint to host default action to ACCEPT. + - name: FELIX_DEFAULTENDPOINTTOHOSTACTION + value: "ACCEPT" + # Disable IPv6 on Kubernetes. 
+ - name: FELIX_IPV6SUPPORT + value: "false" + # Set Felix logging to "info" + - name: FELIX_LOGSEVERITYSCREEN + value: "info" + - name: FELIX_HEALTHENABLED + value: "true" + securityContext: + privileged: true + resources: + requests: + cpu: 250m + livenessProbe: + exec: + command: + - /bin/calico-node + - -felix-live + periodSeconds: 10 + initialDelaySeconds: 10 + failureThreshold: 6 + readinessProbe: + httpGet: + path: /readiness + port: 9099 + host: localhost + periodSeconds: 10 + volumeMounts: + - mountPath: /lib/modules + name: lib-modules + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + readOnly: false + - mountPath: /var/run/calico + name: var-run-calico + readOnly: false + - mountPath: /var/lib/calico + name: var-lib-calico + readOnly: false + - name: policysync + mountPath: /var/run/nodeagent + # This container runs flannel using the kube-subnet-mgr backend + # for allocating subnets. + - name: kube-flannel + image: quay.io/coreos/flannel:v0.11.0 + command: [ "/opt/bin/flanneld", "--ip-masq", "--kube-subnet-mgr" ] + securityContext: + privileged: true + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: FLANNELD_IFACE + valueFrom: + configMapKeyRef: + name: canal-config + key: canal_iface + - name: FLANNELD_IP_MASQ + valueFrom: + configMapKeyRef: + name: canal-config + key: masquerade + volumeMounts: + - mountPath: /run/xtables.lock + name: xtables-lock + readOnly: false + - name: flannel-cfg + mountPath: /etc/kube-flannel/ + volumes: + # Used by canal. + - name: lib-modules + hostPath: + path: /lib/modules + - name: var-run-calico + hostPath: + path: /var/run/calico + - name: var-lib-calico + hostPath: + path: /var/lib/calico + - name: xtables-lock + hostPath: + path: /run/xtables.lock + type: FileOrCreate + # Used by flannel. + - name: flannel-cfg + configMap: + name: canal-config + # Used to install CNI. 
+ - name: cni-bin-dir + hostPath: + path: /opt/cni/bin + - name: cni-net-dir + hostPath: + path: /etc/cni/net.d + # Used to create per-pod Unix Domain Sockets + - name: policysync + hostPath: + type: DirectoryOrCreate + path: /var/run/nodeagent + # Used to install Flex Volume Driver + - name: flexvol-driver-host + hostPath: + type: DirectoryOrCreate + path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: canal + +--- +# Source: calico/templates/calico-etcd-secrets.yaml + +--- +# Source: calico/templates/calico-kube-controllers.yaml + +--- +# Source: calico/templates/calico-typha.yaml + +--- +# Source: calico/templates/configure-canal.yaml + + diff --git a/artifacts/calico/kustomization.yaml b/artifacts/calico/kustomization.yaml new file mode 100644 index 0000000..d91e517 --- /dev/null +++ b/artifacts/calico/kustomization.yaml @@ -0,0 +1,8 @@ +namespace: kube-system + +resources: +- canal.yaml + +patchesStrategicMerge: +- logging.yaml +- prometheus.yaml diff --git a/artifacts/calico/logging.yaml b/artifacts/calico/logging.yaml new file mode 100644 index 0000000..aa4cfb8 --- /dev/null +++ b/artifacts/calico/logging.yaml @@ -0,0 +1,16 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: canal +spec: + template: + spec: + containers: + - name: calico-node + env: + - name: FELIX_LOGSEVERITYSCREEN + value: "Warning" + - name: FELIX_LOGSEVERITYFILE + value: "Warning" + - name: FELIX_LOGSEVERITYSYS + value: "" diff --git a/artifacts/calico/prometheus.yaml b/artifacts/calico/prometheus.yaml new file mode 100644 index 0000000..1b183e2 --- /dev/null +++ b/artifacts/calico/prometheus.yaml @@ -0,0 +1,14 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: canal +spec: + template: + spec: + containers: + - name: calico-node + env: + - name: FELIX_PROMETHEUSGOMETRICSENABLED + value: "false" + - name: FELIX_PROMETHEUSMETRICSENABLED + value: "true" 
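Review bot: In logging.yaml the value `""` for `FELIX_LOGSEVERITYSYS` may not disable syslog output, because Felix tends to treat an empty environment value as unset and fall back to the default severity rather than as "off"; confirm against the Felix configuration reference for the pinned calico/node v3.13.3. If disabling syslog is the intent, the documented way is `value: "None"`, i.e. `- name: FELIX_LOGSEVERITYSYS` / `value: "None"`. The "Warning" values for screen and file severity are valid Felix severities, so those two entries are fine as written.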
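Review bot: Enabling `FELIX_PROMETHEUSMETRICSENABLED: "true"` in prometheus.yaml opens Felix's metrics listener on a DaemonSet that runs with `hostNetwork: true` (see the canal DaemonSet earlier in this commit), so the unauthenticated metrics endpoint becomes reachable on every node's host address, not just inside the pod network. If only the in-cluster Prometheus needs it, restrict the port at the host level (host firewall or a Calico host-endpoint policy) or bind it to a non-public address, and add a comment above the entry such as `# Exposed on the node's host network (DaemonSet is hostNetwork); restrict access to the scraper.` Disabling the Go runtime metrics alongside is fine; it does not change the exposure.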
diff --git a/artifacts/local-volume-provisioner/README.md b/artifacts/local-volume-provisioner/README.md new file mode 100644 index 0000000..0c10bf0 --- /dev/null +++ b/artifacts/local-volume-provisioner/README.md @@ -0,0 +1,12 @@ +# local-volume-provisioner +Provides persistent volumes backed by local volumes, eg. additional SSDs or spindles. + +As the upstream Helm chart is not part of a repository we extract the chart and store it locally as base for kustomize. +See `update.sh`. + +## Kustomizations +- add nodeSelector to only install on nodes actually having ephemeral local storage +- provide matching storage class to expose mounted disks under `/mnt/disks` + +## Resources +- https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner.git diff --git a/artifacts/local-volume-provisioner/kustomization.yaml b/artifacts/local-volume-provisioner/kustomization.yaml new file mode 100644 index 0000000..3035364 --- /dev/null +++ b/artifacts/local-volume-provisioner/kustomization.yaml @@ -0,0 +1,5 @@ +nameSpace: kube-system + +resources: +- local-sc-xfs.yaml +- local-volume-provisioner.yaml diff --git a/artifacts/local-volume-provisioner/local-sc-xfs.yaml b/artifacts/local-volume-provisioner/local-sc-xfs.yaml new file mode 100644 index 0000000..86e9bdb --- /dev/null +++ b/artifacts/local-volume-provisioner/local-sc-xfs.yaml @@ -0,0 +1,8 @@ +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: local-sc-xfs +provisioner: kubernetes.io/no-provisioner +volumeBindingMode: WaitForFirstConsumer +# Supported policies: Delete, Retain +reclaimPolicy: Delete diff --git a/artifacts/local-volume-provisioner/local-volume-provisioner.yaml b/artifacts/local-volume-provisioner/local-volume-provisioner.yaml new file mode 100644 index 0000000..c2b1d09 --- /dev/null +++ b/artifacts/local-volume-provisioner/local-volume-provisioner.yaml 
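Review bot: `nameSpace: kube-system` in the local-volume-provisioner kustomization is not a Kustomization field; the key is `namespace`, as artifacts/calico/kustomization.yaml in this same commit spells it. Depending on the kustomize version the unknown key is either rejected as an unmarshalling error or silently ignored, so the namespace transformer never runs for this overlay. The effect is masked here only because the rendered local-volume-provisioner.yaml already hardcodes `namespace: kube-system` on each namespaced resource; change the line to `namespace: kube-system` so both overlays behave the same way.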
@@ -0,0 +1,136 @@ +--- +# Source: provisioner/templates/provisioner.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: local-provisioner-config + namespace: kube-system + labels: + heritage: "Helm" + release: "RELEASE-NAME" + chart: provisioner-2.3.3 +data: + storageClassMap: | + local-sc-xfs: + hostDir: /mnt/disks + mountDir: /mnt/disks +--- +# Source: provisioner/templates/provisioner-service-account.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: local-storage-admin + namespace: kube-system + labels: + heritage: "Helm" + release: "RELEASE-NAME" + chart: provisioner-2.3.3 +--- +# Source: provisioner/templates/provisioner-cluster-role-binding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: local-storage-provisioner-node-clusterrole + labels: + heritage: "Helm" + release: "RELEASE-NAME" + chart: provisioner-2.3.3 +rules: +- apiGroups: [""] + resources: ["nodes"] + verbs: ["get"] +--- +# Source: provisioner/templates/provisioner-cluster-role-binding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: local-storage-provisioner-pv-binding + labels: + heritage: "Helm" + release: "RELEASE-NAME" + chart: provisioner-2.3.3 +subjects: +- kind: ServiceAccount + name: local-storage-admin + namespace: kube-system +roleRef: + kind: ClusterRole + name: system:persistent-volume-provisioner + apiGroup: rbac.authorization.k8s.io +--- +# Source: provisioner/templates/provisioner-cluster-role-binding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: local-storage-provisioner-node-binding + labels: + heritage: "Helm" + release: "RELEASE-NAME" + chart: provisioner-2.3.3 +subjects: +- kind: ServiceAccount + name: local-storage-admin + namespace: kube-system +roleRef: + kind: ClusterRole + name: local-storage-provisioner-node-clusterrole + apiGroup: rbac.authorization.k8s.io +--- +# Source: provisioner/templates/provisioner.yaml +apiVersion: apps/v1 
+kind: DaemonSet +metadata: + name: local-volume-provisioner + namespace: kube-system + labels: + app: local-volume-provisioner + heritage: "Helm" + release: "RELEASE-NAME" + chart: provisioner-2.3.3 +spec: + selector: + matchLabels: + app: local-volume-provisioner + template: + metadata: + labels: + app: local-volume-provisioner + spec: + serviceAccountName: local-storage-admin + nodeSelector: + node.kubernetes.io/localVolume: present + containers: + - image: "quay.io/external_storage/local-volume-provisioner:v2.3.3" + name: provisioner + securityContext: + privileged: true + env: + - name: MY_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: MY_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: JOB_CONTAINER_IMAGE + value: "quay.io/external_storage/local-volume-provisioner:v2.3.3" + volumeMounts: + - mountPath: /etc/provisioner/config + name: provisioner-config + readOnly: true + - mountPath: /dev + name: provisioner-dev + - mountPath: /mnt/disks + name: local-sc-xfs + mountPropagation: "HostToContainer" + volumes: + - name: provisioner-config + configMap: + name: local-provisioner-config + - name: provisioner-dev + hostPath: + path: /dev + - name: local-sc-xfs + hostPath: + path: /mnt/disks diff --git a/artifacts/local-volume-provisioner/update.sh b/artifacts/local-volume-provisioner/update.sh new file mode 100755 index 0000000..66e5dfc --- /dev/null +++ b/artifacts/local-volume-provisioner/update.sh @@ -0,0 +1,5 @@ +#!/bin/bash + +# get chart and render yaml +git clone --depth=1 https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner.git +helm template ./sig-storage-local-static-provisioner/helm/provisioner -f values.yaml --namespace kube-system > local-volume-provisioner.yaml diff --git a/artifacts/local-volume-provisioner/values.yaml b/artifacts/local-volume-provisioner/values.yaml new file mode 100644 index 0000000..3f0a115 --- /dev/null +++ b/artifacts/local-volume-provisioner/values.yaml 
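Review bot: update.sh redirects `helm template` output straight into local-volume-provisioner.yaml without `set -e`, so a failed or partial clone still truncates the committed manifest to an empty or half-rendered file, and a second run fails because the clone directory already exists. The clone also tracks the upstream default branch with no tag or commit pinned, so what gets rendered depends on when the script runs rather than on the `provisioner-2.3.3` chart version recorded in the manifest labels. Suggest failing fast, cloning a pinned ref into a temporary directory, and rendering to a temp file that is moved into place only on success.
```shell
#!/bin/bash
set -euo pipefail

# get chart and render yaml
# PINNED_REF is a placeholder: use the upstream tag matching the chart version recorded in the manifest
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
git clone --depth=1 --branch "<PINNED_REF>" https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner.git "$workdir/provisioner"
helm template "$workdir/provisioner/helm/provisioner" -f values.yaml --namespace kube-system > local-volume-provisioner.yaml.tmp
mv local-volume-provisioner.yaml.tmp local-volume-provisioner.yaml
```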
@@ -0,0 +1,11 @@ +common: + namespace: kube-system +classes: +- name: local-sc-xfs + hostDir: /mnt/disks +daemonset: + nodeSelector: + node.kubernetes.io/localVolume: present +prometheus: + operator: + enabled: false diff --git a/charts/kubezero-app/Chart.yaml b/charts/kubezero-app/Chart.yaml index 8b2a117..ae7cf98 100644 --- a/charts/kubezero-app/Chart.yaml +++ b/charts/kubezero-app/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 name: kubezero -description: KubeZero - ZeroDownTime Kubernetes +description: KubeZero ArgoCD Application - Root chart of the KubeZero type: application version: 0.1.0 diff --git a/charts/kubezero-app/values.yaml b/charts/kubezero-app/values.yaml index 57aed7a..216e66d 100644 --- a/charts/kubezero-app/values.yaml +++ b/charts/kubezero-app/values.yaml @@ -1,7 +1,10 @@ destination: server: https://kubernetes.default.svc source: - repoURL: https://git.zero-downtime.net/ZeroDownTime/k8s-kustomize-lib + # This repoURL is used a base for all the repoURLs applications + # Setting this to a eg. private git repo incl. the use of pathPrefix allows kubezero to be + # integrated into any repository as a git subtree if for example public internet access is unavailable + repoURL: https://github.com/zero-down-time/kubezero targetRevision: HEAD pathPrefix: '' diff --git a/charts/kubezero/values.yaml b/charts/kubezero/values.yaml index 7b00f9c..ecd08c4 100644 --- a/charts/kubezero/values.yaml +++ b/charts/kubezero/values.yaml @@ -3,8 +3,8 @@ argocd: configs: secret: - argocdServerAdminPassword: "$2a$10$ivKzaXVxMqdeDSfS3nqi1Od3iDbnL7oXrixzDfZFRHlXHnAG6LydG" - argocdServerAdminPasswordMtime: "2020-04-24T15:33:09BST" + # argocdServerAdminPassword: "$2a$10$ivKzaXVxMqdeDSfS3nqi1Od3iDbnL7oXrixzDfZFRHlXHnAG6LydG" + # argocdServerAdminPasswordMtime: "2020-04-24T15:33:09BST" # Run Argo on the controllers controller: 
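Review bot: The new `repoURL: https://github.com/zero-down-time/kubezero` in charts/kubezero-app/values.yaml differs in case from `https://github.com/Zero-Down-Time/kubezero` added to charts/kubezero/values.yaml in the same commit; GitHub resolves both, but Argo CD matches repository credentials and application sources by the URL string, so one spelling should be used in both files. The added comment also reads awkwardly (`used a base for all the repoURLs applications`); suggested wording: `# This repoURL is the base for every application's repoURL.` / `# Pointing it at e.g. a private git repo, together with pathPrefix, lets KubeZero be` / `# vendored into any repository as a git subtree, e.g. when public internet access is unavailable.`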
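Review bot: Commenting out `argocdServerAdminPassword` and `argocdServerAdminPasswordMtime` in charts/kubezero/values.yaml leaves the bcrypt hash of the Argo CD admin password in the file and, regardless, in git history, and this commit points the chart at a public GitHub repository. Treat the credential as exposed: rotate the admin password, delete the two lines rather than comment them out, and supply the hash from a Secret or an externally managed source instead of a committed values file. A short comment in their place, e.g. `# admin password hash is supplied out of band, never committed here`, would stop the pattern from returning.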
@@ -44,9 +44,9 @@ argocd:
 namespace: argocd
 project: kubezero
 source:
- repoURL: https://git.zero-downtime.net/ZeroDownTime/k8s-kustomize-lib
+ repoURL: https://github.com/Zero-Down-Time/kubezero
 targetRevision: HEAD
- path: kubezero
+ path: charts/kubezero-app
 destination:
 server: https://kubernetes.default.svc
 namespace: argocd