fix(helm): etcd initial-cluster value was hard-coded #114
see comments
please see comment
… along with ports
44274b9
to
5bdf27a
The required changes have been addressed, @bsctl. This is the output of ---
# Source: kamaji/templates/etcd_sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/name: kamaji
app.kubernetes.io/instance: kamaji
app.kubernetes.io/components: etcd
name: etcd
namespace: kamaji-system
---
# Source: kamaji/templates/rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: kamaji-controller-manager
labels:
helm.sh/chart: kamaji-0.1.1
app.kubernetes.io/name: kamaji
app.kubernetes.io/instance: kamaji
app.kubernetes.io/component: controller-manager
app.kubernetes.io/version: "0.1.0"
app.kubernetes.io/managed-by: Helm
namespace: kamaji-system
---
# Source: kamaji/templates/etcd_cm.yaml
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/name: kamaji
app.kubernetes.io/instance: kamaji
app.kubernetes.io/components: etcd
name: etcd-csr
namespace: kamaji-system
data:
ca-csr.json: |-
{
"CN": "Clastix CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "IT",
"ST": "Italy",
"L": "Milan"
}
]
}
config.json: |-
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"server-authentication": {
"usages": ["signing", "key encipherment", "server auth"],
"expiry": "8760h"
},
"client-authentication": {
"usages": ["signing", "key encipherment", "client auth"],
"expiry": "8760h"
},
"peer-authentication": {
"usages": ["signing", "key encipherment", "server auth", "client auth"],
"expiry": "8760h"
}
}
}
}
server-csr.json: |-
{
"CN": "etcd",
"key": {
"algo": "rsa",
"size": 2048
},
"hosts": ["etcd-0.etcd.kamaji-system.svc.cluster.local","etcd-1.etcd.kamaji-system.svc.cluster.local","etcd-2.etcd.kamaji-system.svc.cluster.local",
"etcd-server.kamaji-system.svc.cluster.local",
"etcd-server.kamaji-system.svc",
"etcd-server",
"127.0.0.1"
]
}
peer-csr.json: |-
{
"CN": "etcd",
"key": {
"algo": "rsa",
"size": 2048
},
"hosts": ["etcd-0",
"etcd-0.etcd",
"etcd-0.etcd.kamaji-system.svc",
"etcd-0.etcd.kamaji-system.svc.cluster.local","etcd-1",
"etcd-1.etcd",
"etcd-1.etcd.kamaji-system.svc",
"etcd-1.etcd.kamaji-system.svc.cluster.local","etcd-2",
"etcd-2.etcd",
"etcd-2.etcd.kamaji-system.svc",
"etcd-2.etcd.kamaji-system.svc.cluster.local",
"127.0.0.1"
]
}
root-client-csr.json: |-
{
"CN": "root",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"O": "system:masters"
}
]
}
---
# Source: kamaji/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: kamaji-manager-role
rules:
- apiGroups:
- apps
resources:
- deployments
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- kamaji.clastix.io
resources:
- tenantcontrolplanes
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- kamaji.clastix.io
resources:
- tenantcontrolplanes/finalizers
verbs:
- update
- apiGroups:
- kamaji.clastix.io
resources:
- tenantcontrolplanes/status
verbs:
- get
- patch
- update
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
---
# Source: kamaji/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kamaji-metrics-reader
rules:
- nonResourceURLs:
- /metrics
verbs:
- get
---
# Source: kamaji/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kamaji-proxy-role
rules:
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
---
# Source: kamaji/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kamaji-manager-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kamaji-manager-role
subjects:
- kind: ServiceAccount
name: kamaji-controller-manager
namespace: kamaji-system
---
# Source: kamaji/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kamaji-proxy-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kamaji-proxy-role
subjects:
- kind: ServiceAccount
name: kamaji-controller-manager
namespace: kamaji-system
---
# Source: kamaji/templates/etcd_rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/name: kamaji
app.kubernetes.io/instance: kamaji
app.kubernetes.io/components: etcd
name: etcd-gen-certs-role
namespace: kamaji-system
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- delete
resourceNames:
- etcd-certs
- root-client-certs
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- apiGroups:
- apps
resources:
- statefulsets
verbs:
- get
- list
- watch
---
# Source: kamaji/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: kamaji-leader-election-role
namespace: kamaji-system
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
---
# Source: kamaji/templates/etcd_rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/name: kamaji
app.kubernetes.io/instance: kamaji
app.kubernetes.io/components: etcd
name: etcd-gen-certs-rolebiding
namespace: kamaji-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: etcd-gen-certs-role
subjects:
- kind: ServiceAccount
name: etcd
namespace: kamaji-system
---
# Source: kamaji/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kamaji-leader-election-rolebinding
namespace: kamaji-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kamaji-leader-election-role
subjects:
- kind: ServiceAccount
name: kamaji-controller-manager
namespace: kamaji-system
---
# Source: kamaji/templates/etcd_service.yaml
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/name: kamaji
app.kubernetes.io/instance: kamaji
app.kubernetes.io/components: etcd
name: etcd
namespace: kamaji-system
spec:
clusterIP: None
ports:
- port: 2379
name: client
- port: 2380
name: peer
selector:
app.kubernetes.io/name: kamaji
app.kubernetes.io/instance: kamaji
app.kubernetes.io/component: etcd
---
# Source: kamaji/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: kamaji
labels:
helm.sh/chart: kamaji-0.1.1
app.kubernetes.io/name: kamaji
app.kubernetes.io/instance: kamaji
app.kubernetes.io/component: controller-manager
app.kubernetes.io/version: "0.1.0"
app.kubernetes.io/managed-by: Helm
namespace: kamaji-system
spec:
type: ClusterIP
ports:
- name: https
port: 8443
protocol: TCP
targetPort: https
selector:
app.kubernetes.io/name: kamaji
app.kubernetes.io/instance: kamaji
app.kubernetes.io/component: controller-manager
---
# Source: kamaji/templates/controller.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: kamaji
labels:
helm.sh/chart: kamaji-0.1.1
app.kubernetes.io/name: kamaji
app.kubernetes.io/instance: kamaji
app.kubernetes.io/component: controller-manager
app.kubernetes.io/version: "0.1.0"
app.kubernetes.io/managed-by: Helm
namespace: kamaji-system
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: kamaji
app.kubernetes.io/instance: kamaji
app.kubernetes.io/component: controller-manager
template:
metadata:
labels:
app.kubernetes.io/name: kamaji
app.kubernetes.io/instance: kamaji
app.kubernetes.io/component: controller-manager
spec:
securityContext:
runAsNonRoot: true
serviceAccountName: kamaji-controller-manager
containers:
- args:
- --secure-listen-address=0.0.0.0:8443
- --upstream=http://127.0.0.1:8080/
- --logtostderr=true
- --v=10
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
name: kube-rbac-proxy
ports:
- containerPort: 8443
name: https
protocol: TCP
- args:
- --config-file=./kamaji.yaml
- --etcd-ca-secret-name=etcd-certs
- --etcd-ca-secret-namespace=kamaji-system
- --etcd-client-secret-name=root-client-certs
- --etcd-client-secret-namespace=kamaji-system
- --etcd-compaction-interval=0
- --etcd-endpoints=https://etcd-0.etcd.kamaji-system.svc.cluster.local:2379,https://etcd-1.etcd.kamaji-system.svc.cluster.local:2379,https://etcd-2.etcd.kamaji-system.svc.cluster.local:2379
- --health-probe-bind-address=:8081
- --leader-elect
- --metrics-bind-address=:8080
- --tmp-directory=/tmp/kamaji
command:
- /manager
image: "clastix/kamaji:latest"
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /healthz
port: healthcheck
initialDelaySeconds: 15
periodSeconds: 20
name: manager
ports:
- containerPort: 8081
name: healthcheck
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: healthcheck
initialDelaySeconds: 5
periodSeconds: 10
resources:
limits:
cpu: 200m
memory: 100Mi
requests:
cpu: 100m
memory: 20Mi
securityContext:
allowPrivilegeEscalation: false
terminationGracePeriodSeconds: 10
---
# Source: kamaji/templates/etcd_sts.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
labels:
app.kubernetes.io/name: kamaji
app.kubernetes.io/instance: kamaji
app.kubernetes.io/components: etcd
name: etcd
namespace: kamaji-system
spec:
serviceName: etcd
selector:
matchLabels:
app.kubernetes.io/name: kamaji
app.kubernetes.io/instance: kamaji
app.kubernetes.io/component: etcd
replicas: 3
template:
metadata:
name: etcd
labels:
app.kubernetes.io/name: kamaji
app.kubernetes.io/instance: kamaji
app.kubernetes.io/component: etcd
spec:
volumes:
- name: certs
secret:
secretName: etcd-certs
containers:
- name: etcd
image: quay.io/coreos/etcd:v3.5.4
imagePullPolicy: IfNotPresent
ports:
- containerPort: 2379
name: client
- containerPort: 2380
name: peer
volumeMounts:
- name: data
mountPath: /var/run/etcd
- name: certs
mountPath: /etc/etcd/pki
command:
- etcd
- --data-dir=/var/run/etcd
- --name=$(POD_NAME)
- --initial-cluster-state=new
- --initial-cluster=etcd-0=https://etcd-0.etcd.kamaji-system.svc.cluster.local:2380,etcd-1=https://etcd-1.etcd.kamaji-system.svc.cluster.local:2380,etcd-2=https://etcd-2.etcd.kamaji-system.svc.cluster.local:2380
- --initial-advertise-peer-urls=https://$(POD_NAME).etcd.$(POD_NAMESPACE).svc.cluster.local:2380
- --advertise-client-urls=https://$(POD_NAME).etcd.$(POD_NAMESPACE).svc.cluster.local:2379
- --initial-cluster-token=kamaji
- --listen-client-urls=https://0.0.0.0:2379
- --listen-metrics-urls=http://0.0.0.0:2381
- --listen-peer-urls=https://0.0.0.0:2380
- --client-cert-auth=true
- --peer-client-cert-auth=true
- --trusted-ca-file=/etc/etcd/pki/ca.crt
- --cert-file=/etc/etcd/pki/server.pem
- --key-file=/etc/etcd/pki/server-key.pem
- --peer-trusted-ca-file=/etc/etcd/pki/ca.crt
- --peer-cert-file=/etc/etcd/pki/peer.pem
- --peer-key-file=/etc/etcd/pki/peer-key.pem
- --auto-compaction-mode=periodic
- --auto-compaction-retention=5m
- --snapshot-count=10000
- --quota-backend-bytes=8589934592
- --v=8
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
livenessProbe:
failureThreshold: 8
httpGet:
path: /health?serializable=true
port: 2381
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 15
volumeClaimTemplates:
- metadata:
name: data
spec:
storageClassName:
accessModes:
- "ReadWriteOnce"
resources:
requests:
storage: 10Gi
---
# Source: kamaji/templates/etcd_job_postdelete.yaml
apiVersion: batch/v1
kind: Job
metadata:
labels:
app.kubernetes.io/name: kamaji
app.kubernetes.io/instance: kamaji
app.kubernetes.io/components: etcd
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": "hook-succeeded,hook-failed"
name: "kamaji-etcd-teardown"
namespace: kamaji-system
spec:
template:
metadata:
name: "kamaji"
spec:
serviceAccountName: etcd
restartPolicy: Never
containers:
- name: kubectl
image: clastix/kubectl:v1.20
command:
- kubectl
- --namespace=kamaji-system
- delete
- secret
- --ignore-not-found=true
- etcd-certs
- root-client-certs
---
# Source: kamaji/templates/etcd_job_postinstall.yaml
apiVersion: batch/v1
kind: Job
metadata:
labels:
app.kubernetes.io/name: kamaji
app.kubernetes.io/instance: kamaji
app.kubernetes.io/components: etcd
annotations:
"helm.sh/hook": post-install
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": "hook-succeeded,hook-failed"
name: "kamaji-etcd-setup"
namespace: kamaji-system
spec:
template:
metadata:
name: "kamaji"
spec:
serviceAccountName: etcd
restartPolicy: Never
initContainers:
- name: cfssl
image: cfssl/cfssl:latest
command:
- bash
- -c
- |-
cfssl gencert -initca /csr/ca-csr.json | cfssljson -bare /certs/ca &&
mv /certs/ca.pem /certs/ca.crt && mv /certs/ca-key.pem /certs/ca.key &&
cfssl gencert -ca=/certs/ca.crt -ca-key=/certs/ca.key -config=/csr/config.json -profile=peer-authentication /csr/peer-csr.json | cfssljson -bare /certs/peer &&
cfssl gencert -ca=/certs/ca.crt -ca-key=/certs/ca.key -config=/csr/config.json -profile=peer-authentication /csr/server-csr.json | cfssljson -bare /certs/server &&
cfssl gencert -ca=/certs/ca.crt -ca-key=/certs/ca.key -config=/csr/config.json -profile=client-authentication /csr/root-client-csr.json | cfssljson -bare /certs/root-client
volumeMounts:
- mountPath: /certs
name: certs
- mountPath: /csr
name: csr
- name: kubectl
image: clastix/kubectl:v1.20
command:
- sh
- -c
- |-
kubectl --namespace=kamaji-system delete secret --ignore-not-found=true etcd-certs root-client-certs &&
kubectl --namespace=kamaji-system create secret generic etcd-certs --from-file=/certs/ca.crt --from-file=/certs/ca.key --from-file=/certs/peer-key.pem --from-file=/certs/peer.pem --from-file=/certs/server-key.pem --from-file=/certs/server.pem &&
kubectl --namespace=kamaji-system create secret tls root-client-certs --key=/certs/root-client-key.pem --cert=/certs/root-client.pem &&
kubectl --namespace=kamaji-system rollout status sts/etcd --timeout=300s
volumeMounts:
- mountPath: /certs
name: certs
containers:
- command:
- bash
- -c
- |-
etcdctl member list -w table &&
etcdctl user add --no-password=true root &&
etcdctl role add root &&
etcdctl user grant-role root root &&
etcdctl auth enable
env:
- name: ETCDCTL_ENDPOINTS
value: https://etcd-0.etcd.kamaji-system.svc.cluster.local:2379
- name: ETCDCTL_CACERT
value: /opt/certs/ca/ca.crt
- name: ETCDCTL_CERT
value: /opt/certs/root-certs/tls.crt
- name: ETCDCTL_KEY
value: /opt/certs/root-certs/tls.key
image: quay.io/coreos/etcd:v3.5.1
imagePullPolicy: Always
name: etcd-client
volumeMounts:
- name: root-certs
mountPath: /opt/certs/root-certs
- name: certs
mountPath: /opt/certs/ca
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
volumes:
- name: root-certs
secret:
secretName: root-client-certs
optional: true
- name: csr
configMap:
name: etcd-csr
- name: certs
emptyDir: {}

I tested the full installation with a smoke test; everything seems fine.
lgtm
Noticed this error while reviewing #112.