Changes for vcluster dependency upgrades (#31)
* Use an emptyDir volume for some temporary k3s files
* Update coredns integration from upstream helm chart
* Simplify applying manifests to clusters with native methods
bastjan authored Aug 9, 2022
1 parent e2d96d5 commit 6a5712a
Showing 6 changed files with 581 additions and 146 deletions.
46 changes: 43 additions & 3 deletions component/cluster.libsonnet
Expand Up @@ -156,6 +156,24 @@ local cluster = function(name, options)
},
};

local initManifestsCM = kube.ConfigMap(name + '-init-manifests') {
local manifests = options.additional_manifests,
local manifestArray = if std.isArray(manifests) then
manifests
else if std.isObject(manifests) then
std.objectValues(manifests)
else
error 'Manifests must be array or object'
,

metadata+: {
namespace: options.namespace,
},
data: {
manifests: std.manifestYamlStream(manifestArray, false, false),
},
};

local statefulSet = kube.StatefulSet(name) {
metadata+: {
namespace: options.namespace,
Expand Down Expand Up @@ -199,12 +217,24 @@ local cluster = function(name, options)
affinity: {},
tolerations: [],
serviceAccountName: 'vc-' + name,
volumes: if !options.storage.persistence then [
volumes: [
{
name: 'coredns',
configMap: {
name: 'vc-%s-coredns' % name,
defaultMode: 420,
},
},
{
name: 'etc-rancher',
emptyDir: {},
},
] + if !options.storage.persistence then [
{
name: 'data',
emptyDir: {},
},
],
] else [],
local tlsSANs = [
'--tls-san=%s.%s.svc.cluster.local' % [ name, options.namespace ],
'--tls-san=%s.%s.svc' % [ name, options.namespace ],
Expand Down Expand Up @@ -248,6 +278,10 @@ local cluster = function(name, options)
mountPath: '/data',
name: 'data',
},
{
mountPath: '/etc/rancher',
name: 'etc-rancher',
},
],
resources: {
limits: {
Expand Down Expand Up @@ -295,6 +329,11 @@ local cluster = function(name, options)
name: 'data',
readOnly: true,
},
{
mountPath: '/manifests/coredns',
name: 'coredns',
readOnly: true,
},
],
resources: {
limits: {
Expand Down Expand Up @@ -358,8 +397,9 @@ local cluster = function(name, options)
service,
headlessService,
statefulSet,
initManifestsCM,
(import 'coredns.libsonnet').corednsConfigMap(name, options.namespace),
if options.ingress.host != null then ingress,
if std.length(options.additional_manifests) > 0 then postSetup.ApplyManifests(name, 'vc-%s-kubeconfig' % name, options.additional_manifests),
if options.syn.registration_url != null then postSetup.Synthesize(name, 'vc-%s-kubeconfig' % name, options.syn.registration_url),
] + if options.ocp_route.host != null then ocpRoute.RouteCreateJob(name, 'vc-%s-kubeconfig' % name, options.ocp_route.host) else []);

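Review bot: The new `etc-rancher` emptyDir in the `volumes:` hunk (`@@ -199,12 +217,24 @@`) is backed by node disk by default, but `/etc/rancher` is where k3s writes its admin kubeconfig (`k3s.yaml`), so those credentials now sit on the node's filesystem for the pod's lifetime; `emptyDir: { medium: 'Memory' }` keeps them in tmpfs, with a comment such as `// k3s writes its admin kubeconfig under /etc/rancher; tmpfs keeps it off node disk`. Separately, `initManifestsCM` stores `options.additional_manifests` verbatim in a plain ConfigMap in `options.namespace`, so any Secret objects a caller passes there become readable to everyone with ConfigMap read access in the host namespace — worth a comment on the ConfigMap definition or a documented constraint on `additional_manifests`. Nothing in the rewritten `volumes:` list mounts `initManifestsCM`, so I assume the syncer reads it by name via the API; confirm that `name + '-init-manifests'` is the name it expects, since the CoreDNS ConfigMap uses the different `'vc-%s-coredns'` prefix. The `cluster` function starts and ends outside these hunks.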
238 changes: 238 additions & 0 deletions component/coredns.libsonnet
@@ -0,0 +1,238 @@
local kap = import 'lib/kapitan.libjsonnet';
local kube = import 'lib/kube.libjsonnet';
local inv = kap.inventory();
local common = import 'common.libsonnet';
// The hiera parameters for the component
local params = inv.parameters.vcluster;

local corednsConfigMap =
function(name, namespace)
kube.ConfigMap('vc-%s-coredns' % name) {
metadata+: {
namespace: namespace,
},
data: {
// The deployment has some variables in there that get modified by vcluster.
// It is not valid yaml, so we need to use a string.
// The Helm chart does use a string too.
'coredns.yaml': |||
apiVersion: v1
kind: ServiceAccount
metadata:
name: coredns
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: system:coredns
rules:
- apiGroups:
- ""
resources:
- endpoints
- services
- pods
- namespaces
verbs:
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: system:coredns
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:coredns
subjects:
- kind: ServiceAccount
name: coredns
namespace: kube-system
---
apiVersion: v1
kind: ConfigMap
metadata:
name: coredns
namespace: kube-system
data:
Corefile: |
.:1053 {
{{.LOG_IN_DEBUG}}
errors
health
ready
kubernetes cluster.local in-addr.arpa ip6.arpa {
pods insecure
fallthrough in-addr.arpa ip6.arpa
}
hosts /etc/coredns/NodeHosts {
ttl 60
reload 15s
fallthrough
}
prometheus :9153
forward . /etc/resolv.conf
cache 30
loop
reload
loadbalance
}
import /etc/coredns/custom/*.server
NodeHosts: ""
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: coredns
namespace: kube-system
labels:
k8s-app: kube-dns
kubernetes.io/name: "CoreDNS"
spec:
replicas: 1
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
selector:
matchLabels:
k8s-app: kube-dns
template:
metadata:
labels:
k8s-app: kube-dns
spec:
priorityClassName: "system-cluster-critical"
serviceAccountName: coredns
nodeSelector:
kubernetes.io/os: linux
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
k8s-app: kube-dns
containers:
- name: coredns
image: {{.IMAGE}}
imagePullPolicy: IfNotPresent
resources:
limits:
cpu: 1000m
memory: 170Mi
requests:
cpu: 100m
memory: 70Mi
args: [ "-conf", "/etc/coredns/Corefile" ]
volumeMounts:
- name: config-volume
mountPath: /etc/coredns
readOnly: true
- name: custom-config-volume
mountPath: /etc/coredns/custom
readOnly: true
ports:
- containerPort: 1053
name: dns
protocol: UDP
- containerPort: 1053
name: dns-tcp
protocol: TCP
- containerPort: 9153
name: metrics
protocol: TCP
securityContext:
runAsUser: {{.RUN_AS_USER}}
runAsNonRoot: {{.RUN_AS_NON_ROOT}}
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
livenessProbe:
httpGet:
path: /health
port: 8080
scheme: HTTP
initialDelaySeconds: 60
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
readinessProbe:
httpGet:
path: /ready
port: 8181
scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 2
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
dnsPolicy: Default
volumes:
- name: config-volume
configMap:
name: coredns
items:
- key: Corefile
path: Corefile
- key: NodeHosts
path: NodeHosts
- name: custom-config-volume
configMap:
name: coredns-custom
optional: true
---
apiVersion: v1
kind: Service
metadata:
name: kube-dns
namespace: kube-system
annotations:
prometheus.io/port: "9153"
prometheus.io/scrape: "true"
labels:
k8s-app: kube-dns
kubernetes.io/cluster-service: "true"
kubernetes.io/name: "CoreDNS"
spec:
selector:
k8s-app: kube-dns
type: ClusterIP
ports:
- name: dns
port: 53
targetPort: 1053
protocol: UDP
- name: dns-tcp
port: 53
targetPort: 1053
protocol: TCP
- name: metrics
port: 9153
protocol: TCP
|||,
},
};

{
corednsConfigMap: corednsConfigMap,
}
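Review bot: `kap`, `inv`, `common` and `params` at the top of the new file are never used by `corednsConfigMap`, and `kap.inventory()` evaluates the whole inventory at import time for nothing; dropping those four locals (and the `// The hiera parameters for the component` comment) keeps the module side-effect-free and leaves only the `kube` import. The commit message says the manifest was copied from the upstream helm chart, but nothing in the file records which chart version it came from, so the next dependency upgrade cannot be diffed against its source; a header such as `// coredns.yaml copied from the vcluster helm chart, version <UPSTREAM_CHART_VERSION>; the {{.IMAGE}}, {{.RUN_AS_USER}}, {{.RUN_AS_NON_ROOT}} and {{.LOG_IN_DEBUG}} placeholders are substituted by vcluster` would fix that. The function could also carry `// corednsConfigMap(name, namespace): ConfigMap 'vc-<name>-coredns' in the host namespace holding the CoreDNS manifest that the syncer reads from /manifests/coredns`. The indentation of the `|||` text block is not preserved in this rendered view, so I cannot confirm the embedded YAML is well-formed here.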
46 changes: 0 additions & 46 deletions component/post-setup.libsonnet
Expand Up @@ -42,52 +42,6 @@ local synthesize = function(name, secretName, url)
},
};

local applyManifests = function(name, secretName, manifests)
local jobName = '%s-apply-manifests' % name;
local manifestArray = if std.isArray(manifests) then
manifests
else if std.isObject(manifests) then
std.objectValues(manifests)
else
error 'Manifests must be array or object'
;
kube.Job(jobName) {
metadata+: {
namespace: params.namespace,
annotations+: {
'argocd.argoproj.io/hook': 'PostSync',
},
},
spec+: {
template+: {
spec+: {
containers_+: {
patch_crds: kube.Container(jobName) {
image: common.formatImage(params.images.kubectl),
workingDir: '/export',
command: [ 'sh' ],
args: [ '-eu', '-c', importstr './scripts/apply.sh', '--' ] + std.map(function(m) std.manifestJsonEx(m, ''), manifestArray),
env: [
{ name: 'HOME', value: '/export' },
{ name: 'VCLUSTER_SERVER_URL', value: 'https://%s:443' % name },
],
volumeMounts: [
{ name: 'export', mountPath: '/export' },
{ name: 'kubeconfig', mountPath: '/etc/vcluster-kubeconfig', readOnly: true },
],
},
},
volumes+: [
{ name: 'export', emptyDir: {} },
{ name: 'kubeconfig', secret: { secretName: secretName } },
],
},
},
},
};


{
Synthesize: synthesize,
ApplyManifests: applyManifests,
}