Updates to rook / kube-dashboard / traefik (#78)

kahkhang · web-flow · commit 45a0afcfc82c · 2018-01-13T19:29:32.000+08:00
Rook environmental variable FLEXVOLUME_DIR_PATH is now set
Traefik is now a daemonset
Kube-Dashboard is bumped to v1.8.1
A dedicated block device is now created (recommended for Ceph Bluestore)
diff --git a/.gitignore b/.gitignore
@@ -11,3 +11,4 @@ resolv.conf
 bootkube
 manifests/grafana/grafana-credentials.yaml
 install.exp
+manifests/container-linux/master-config.yaml.bak
diff --git a/install-coreos.sh b/install-coreos.sh
@@ -1,5 +1,7 @@
 #!/bin/bash
 set -euo pipefail
+[[ -n "$REBOOT_STRATEGY" ]] || die "Need a reboot strategy. Run with eg. '\$REBOOT_STRATEGY=off ./install-coreos.sh'"
+
 PUBLIC_IP=$(ip addr show eth0 | grep "inet\b" | grep "/24" | awk '{print $2}' | cut -d/ -f1)
 PRIVATE_IP=$(ip addr show eth0 | grep "inet\b" | grep "/17" | awk '{print $2}' | cut -d/ -f1)
 
diff --git a/linode-utilities.sh b/linode-utilities.sh
@@ -182,22 +182,18 @@ boot_linode() {
 
 update_coreos_config() {
   linode_api linode.config.update LinodeID=$LINODE_ID ConfigID=$CONFIG_ID Label="CoreOS" \
-      DiskList=$DISK_ID KernelID=213 RootDeviceNum=1 helper_network=false
+      DiskList=$DISK_ID,$STORAGE_DISK_ID KernelID=213 RootDeviceNum=1 helper_network=false
 }
 
 transfer_acme() {
+  IP=$1
   ssh -i ~/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -tt "core@$IP" \
   "sudo truncate -s 0 /etc/traefik/acme/acme.json; echo '$( base64 $base64_args < acme.json )' \
    | base64 --decode | sudo tee --append /etc/traefik/acme/acme.json" 2>/dev/null >/dev/null
   ssh -i ~/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -tt "core@$IP" \
   "sudo chmod 600 /etc/traefik/acme/acme.json" 2>/dev/null >/dev/null
 }
 
-delete_bootstrap_script() {
-  ssh -i ~/.ssh/id_rsa -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -tt "core@$IP" \
-          "rm bootstrap.sh" 2>/dev/null
-}
-
 change_to_provisioned() {
   local LINODE_ID=$1
   local NODE_TYPE=$2
@@ -232,7 +228,6 @@ install() {
     local LINODE_ID
     local PLAN
     local ROOT_PASSWORD
-    local COREOS_OLD_DISK_SIZE
     NODE_TYPE=$1
     LINODE_ID=$2
     PUBLIC_IP=$(get_public_ip $LINODE_ID)
@@ -241,28 +236,31 @@ install() {
     spinner "${CYAN}[$PUBLIC_IP]${NORMAL} Retrieving current plan" "get_plan_id $LINODE_ID" PLAN
     spinner "${CYAN}[$PUBLIC_IP]${NORMAL} Retrieving maximum available disk size" "get_max_disk_size $PLAN" TOTAL_DISK_SIZE
 
-    INSTALL_DISK_SIZE=4096
-    COREOS_OLD_DISK_SIZE=$((${TOTAL_DISK_SIZE}-${INSTALL_DISK_SIZE}))
+    INSTALL_DISK_SIZE=1024
+    COREOS_DISK_SIZE=10240
+    STORAGE_DISK_SIZE=$((${TOTAL_DISK_SIZE}-${COREOS_DISK_SIZE}))
 
-    spinner "${CYAN}[$PUBLIC_IP]${NORMAL} Creating CoreOS disk" "create_raw_disk $LINODE_ID $COREOS_OLD_DISK_SIZE CoreOS" DISK_ID
+    spinner "${CYAN}[$PUBLIC_IP]${NORMAL} Creating ${COREOS_DISK_SIZE}mb CoreOS disk" "create_raw_disk $LINODE_ID $COREOS_DISK_SIZE CoreOS" DISK_ID
 
     # Create the install OS disk from script
-    spinner "${CYAN}[$PUBLIC_IP]${NORMAL} Creating install disk" create_install_disk INSTALL_DISK_ID
+    spinner "${CYAN}[$PUBLIC_IP]${NORMAL} Creating ${INSTALL_DISK_SIZE}mb install disk" create_install_disk INSTALL_DISK_ID
 
     # Configure the installer to boot
     spinner "${CYAN}[$PUBLIC_IP]${NORMAL} Creating boot configuration" create_boot_configuration CONFIG_ID
     spinner "${CYAN}[$PUBLIC_IP]${NORMAL} Booting installer" "boot_linode $LINODE_ID $CONFIG_ID"
-    spinner "${CYAN}[$PUBLIC_IP]${NORMAL} Updating CoreOS config" update_coreos_config
     spinner "${CYAN}[$PUBLIC_IP]${NORMAL} Installing CoreOS (might take a while)" "install_coreos $LINODE_ID $NODE_TYPE"
     spinner "${CYAN}[$PUBLIC_IP]${NORMAL} Shutting down CoreOS" "linode_api linode.shutdown LinodeID=$LINODE_ID"
     spinner "${CYAN}[$PUBLIC_IP]${NORMAL} Deleting install disk $INSTALL_DISK_ID" "linode_api linode.disk.delete LinodeID=$LINODE_ID DiskID=$INSTALL_DISK_ID"
-    spinner "${CYAN}[$PUBLIC_IP]${NORMAL} Resizing CoreOS disk $DISK_ID" "linode_api linode.disk.resize LinodeID=$LINODE_ID DiskID=$DISK_ID Size=$TOTAL_DISK_SIZE"
+    spinner "${CYAN}[$PUBLIC_IP]${NORMAL} Waiting for existing jobs to complete" "wait_jobs $LINODE_ID"
+    spinner "${CYAN}[$PUBLIC_IP]${NORMAL} Creating ${STORAGE_DISK_SIZE}mb storage disk" "create_raw_disk $LINODE_ID $STORAGE_DISK_SIZE Storage" STORAGE_DISK_ID
+    spinner "${CYAN}[$PUBLIC_IP]${NORMAL} Updating CoreOS config" update_coreos_config
+    spinner "${CYAN}[$PUBLIC_IP]${NORMAL} Waiting for existing jobs to complete" "wait_jobs $LINODE_ID"
     spinner "${CYAN}[$PUBLIC_IP]${NORMAL} Booting CoreOS" "linode_api linode.boot LinodeID=$LINODE_ID ConfigID=$CONFIG_ID"
     spinner "${CYAN}[$PUBLIC_IP]${NORMAL} Waiting for CoreOS to be ready" "wait_jobs $LINODE_ID; sleep 20"
 
     if [ "$NODE_TYPE" = "master" ] ; then
         if [ -e acme.json ] ; then
-            spinner "${CYAN}[$PUBLIC_IP]${NORMAL} Transferring acme.json" transfer_acme
+            spinner "${CYAN}[$PUBLIC_IP]${NORMAL} Transferring acme.json" "transfer_acme $PUBLIC_IP"
         fi
     fi
 
@@ -288,23 +286,24 @@ provision_master() {
   [ -e ~/.kube/config ] && mv ~/.kube/config ~/.kube/config.bak
   cp cluster/auth/kubeconfig ~/.kube/config
   while true; do kubectl --namespace=kube-system create secret generic kubesecret --from-file auth --request-timeout 0 && break || sleep 5; done
-  if kubectl --request-timeout 0 get namespaces | grep -q "monitoring"; then
-    echo "namespace monitoring exists"
-  else
-    while true; do kubectl create namespace "monitoring" --request-timeout 0 && break || sleep 5; done
-  fi
-  if kubectl --request-timeout 0 get namespaces | grep -q "rook"; then
-    echo "namespace rook exists"
-  else
-    while true; do kubectl create namespace "rook" --request-timeout 0 && break || sleep 5; done
-  fi
+  cat <<EOF | kubectl apply --request-timeout 0 -f -
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: rook
+EOF
   while true; do kubectl --namespace=monitoring create secret generic kubesecret --from-file auth --request-timeout 0 && break || sleep 5; done
-  while true; do kubectl apply -f manifests/heapster.yaml --validate=false --request-timeout 0 && break || sleep 5; done
+  while true; do kubectl apply -f manifests/heapster.yaml --request-timeout 0 && break || sleep 5; done
   if [ $INSTALL_K8S_DASHBOARD = true ]; then
     while true; do cat manifests/kube-dashboard.yaml | sed "s/\${DOMAIN}/${DOMAIN}/g" | kubectl apply --request-timeout 0 --validate=false -f - && break || sleep 5; done
   fi
   if [ $INSTALL_TRAEFIK = true ]; then
-    while true; do cat manifests/traefik.yaml | sed "s/\${DOMAIN}/${DOMAIN}/g" | sed "s/\${MASTER_IP}/${IP}/g" | sed "s/\$EMAIL/${EMAIL}/g" | kubectl apply --request-timeout 0 --validate=false -f - && break || sleep 5; done
+    while true; do cat manifests/traefik.yaml | sed "s/\${DOMAIN}/${DOMAIN}/g" | sed "s/\$EMAIL/${EMAIL}/g" | kubectl apply --request-timeout 0 --validate=false -f - && break || sleep 5; done
   fi
   echo "provisioned master"
 }
@@ -321,37 +320,29 @@ provision_worker() {
 
   if [ $INSTALL_ROOK = true ]; then
     if ! kubectl --namespace rook get pods --request-timeout 0 2>/dev/null | grep -q "^rook-api"; then
-      if ! kubectl --namespace rook get pods --request-timeout 0 2>/dev/null | grep -q "^rook-api"; then
-        if ! kubectl --namespace rook get pods --request-timeout 0 2>/dev/null | grep -q "^rook-api"; then
-          while true; do kubectl apply -f manifests/rook/rook-operator.yaml --request-timeout 0 && break || sleep 5; done
-          while true; do kubectl apply -f manifests/rook/rook-cluster.yaml --request-timeout 0 && break || sleep 5; done
-          while true; do kubectl apply -f manifests/rook/rook-storageclass.yaml --request-timeout 0 && break || sleep 5; done
-        fi
-      fi
+      while true; do kubectl apply -f manifests/rook/rook-operator.yaml --request-timeout 0 && break || sleep 5; done
+      while true; do kubectl apply -f manifests/rook/rook-cluster.yaml --request-timeout 0 && break || sleep 5; done
+      while true; do kubectl apply -f manifests/rook/rook-storageclass.yaml --request-timeout 0 && break || sleep 5; done
     fi
   fi
 
   if [ $INSTALL_PROMETHEUS = true ]; then
     until kubectl get nodes > /dev/null 2>&1; do sleep 1; done
     if ! kubectl --namespace monitoring get ingress --request-timeout 0 2>/dev/null | grep -q "^prometheus-ingress"; then
-      if ! kubectl --namespace monitoring get ingress --request-timeout 0 2>/dev/null | grep -q "^prometheus-ingress"; then
-        if ! kubectl --namespace monitoring get ingress --request-timeout 0 2>/dev/null | grep -q "^prometheus-ingress"; then
-          while true; do kubectl --namespace monitoring apply -f manifests/prometheus-operator --request-timeout 0 && break || sleep 5; done
-          printf "Waiting for Operator to register third party objects..."
-          until kubectl --namespace monitoring get servicemonitor > /dev/null 2>&1; do sleep 1; printf "."; done
-          until kubectl --namespace monitoring get prometheus > /dev/null 2>&1; do sleep 1; printf "."; done
-          until kubectl --namespace monitoring get alertmanager > /dev/null 2>&1; do sleep 1; printf "."; done
-          while true; do kubectl --namespace monitoring apply -f manifests/node-exporter --request-timeout 0 && break || sleep 5; done
-          while true; do kubectl --namespace monitoring apply -f manifests/kube-state-metrics --request-timeout 0 && break || sleep 5; done
-          while true; do kubectl --namespace monitoring apply -f manifests/grafana/grafana-credentials.yaml --request-timeout 0 && break || sleep 5; done
-          while true; do kubectl --namespace monitoring apply -f manifests/grafana --request-timeout 0 && break || sleep 5; done
-          while true; do find manifests/prometheus -type f ! -name prometheus-k8s-roles.yaml ! -name prometheus-k8s-role-bindings.yaml ! -name prometheus-k8s-ingress.yaml -exec kubectl --request-timeout 0 --namespace "monitoring" apply -f {} \; && break || sleep 5; done
-          while true; do kubectl apply -f manifests/prometheus/prometheus-k8s-roles.yaml --request-timeout 0 && break || sleep 5; done
-          while true; do kubectl apply -f manifests/prometheus/prometheus-k8s-role-bindings.yaml --request-timeout 0 && break || sleep 5; done
-          while true; do kubectl --namespace monitoring apply -f manifests/alertmanager/ --request-timeout 0 && break || sleep 5; done
-          while true; do cat manifests/prometheus/prometheus-k8s-ingress.yaml | sed "s/\${DOMAIN}/${DOMAIN}/g" | kubectl apply --request-timeout 0 --validate=false -f - && break || sleep 5; done
-        fi
-      fi
+      while true; do kubectl --namespace monitoring apply -f manifests/prometheus-operator --request-timeout 0 && break || sleep 5; done
+      printf "Waiting for Operator to register third party objects..."
+      until kubectl --namespace monitoring get servicemonitor > /dev/null 2>&1; do sleep 1; printf "."; done
+      until kubectl --namespace monitoring get prometheus > /dev/null 2>&1; do sleep 1; printf "."; done
+      until kubectl --namespace monitoring get alertmanager > /dev/null 2>&1; do sleep 1; printf "."; done
+      while true; do kubectl --namespace monitoring apply -f manifests/node-exporter --request-timeout 0 && break || sleep 5; done
+      while true; do kubectl --namespace monitoring apply -f manifests/kube-state-metrics --request-timeout 0 && break || sleep 5; done
+      while true; do kubectl --namespace monitoring apply -f manifests/grafana/grafana-credentials.yaml --request-timeout 0 && break || sleep 5; done
+      while true; do kubectl --namespace monitoring apply -f manifests/grafana --request-timeout 0 && break || sleep 5; done
+      while true; do find manifests/prometheus -type f ! -name prometheus-k8s-roles.yaml ! -name prometheus-k8s-role-bindings.yaml ! -name prometheus-k8s-ingress.yaml -exec kubectl --request-timeout 0 --namespace "monitoring" apply -f {} \; && break || sleep 5; done
+      while true; do kubectl apply -f manifests/prometheus/prometheus-k8s-roles.yaml --request-timeout 0 && break || sleep 5; done
+      while true; do kubectl apply -f manifests/prometheus/prometheus-k8s-role-bindings.yaml --request-timeout 0 && break || sleep 5; done
+      while true; do kubectl --namespace monitoring apply -f manifests/alertmanager/ --request-timeout 0 && break || sleep 5; done
+      while true; do cat manifests/prometheus/prometheus-k8s-ingress.yaml | sed "s/\${DOMAIN}/${DOMAIN}/g" | kubectl apply --request-timeout 0 --validate=false -f - && break || sleep 5; done
     fi
   fi
 
diff --git a/manifests/kube-dashboard.yaml b/manifests/kube-dashboard.yaml
@@ -35,7 +35,7 @@ spec:
     spec:
       containers:
       - name: kubernetes-dashboard
-        image: gcr.io/google_containers/kubernetes-dashboard-amd64:v1.8.0
+        image: gcr.io/google_containers/kubernetes-dashboard-amd64:v1.8.1
         ports:
         - containerPort: 8443
           protocol: TCP
diff --git a/manifests/rook/rook-cluster.yaml b/manifests/rook/rook-cluster.yaml
@@ -55,10 +55,10 @@ spec:
 #      podAffinity:
 #      podAntiAffinity:
 #      tolerations:
-  storage:                # cluster level storage configuration and selection
+  storage:
     useAllNodes: true
     useAllDevices: false
-    deviceFilter:
+    deviceFilter: sdb
     metadataDevice:
     location:
     storeConfig:
diff --git a/manifests/rook/rook-operator.yaml b/manifests/rook/rook-operator.yaml
@@ -121,6 +121,8 @@ spec:
         image: rook/rook:master
         args: ["operator"]
         env:
+        - name: FLEXVOLUME_DIR_PATH
+          value: "/var/lib/kubelet/volumeplugins"
         - name: ROOK_REPO_PREFIX
           value: rook
         # The interval to check if every mon is in the quorum.
diff --git a/manifests/traefik.yaml b/manifests/traefik.yaml
@@ -57,8 +57,6 @@ spec:
       name: http
     - port: 443
       name: https
-  externalIPs:
-    - ${MASTER_IP}
 ---
 apiVersion: v1
 kind: Service
@@ -94,7 +92,7 @@ data:
       [entryPoints.https.tls]
     [acme]
     email = "$EMAIL"
-    storageFile = "/acme/acme.json"
+    storage = "/acme/acme.json"
     entryPoint = "https"
     onDemand = true
     onHostRule = true
@@ -107,14 +105,13 @@ data:
         Buckets=[0.1,0.3,1.2,5.0]
 ---
 apiVersion: extensions/v1beta1
-kind: Deployment
+kind: DaemonSet
 metadata:
   name: traefik-ingress-controller
   namespace: kube-system
   labels:
     k8s-app: traefik-ingress-lb
 spec:
-  replicas: 1
   revisionHistoryLimit: 0
   template:
     metadata:
@@ -129,15 +126,15 @@ spec:
             name: traefik-conf
         - name: acme
           hostPath:
-            path: /etc/traefik/acme/acme.json
+            path: /etc/traefik/acme
       containers:
         - image: traefik
           name: traefik-ingress-lb
           imagePullPolicy: Always
           volumeMounts:
             - mountPath: "/config"
               name: "config"
-            - mountPath: "/acme/acme.json"
+            - mountPath: "/acme"
               name: "acme"
           ports:
             - containerPort: 80
@@ -152,6 +149,15 @@ spec:
             - --web.metrics.prometheus.buckets=0.1,0.3,1.2,5.0
             - --kubernetes
             - --logLevel=DEBUG
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: node-role.kubernetes.io/master
+                operator: In
+                values:
+                -
       tolerations:
       - key: CriticalAddonsOnly
         operator: Exists
