Merge pull request #249 from SUSE/fix_eirini_extensions
Bump Eirini to v1 and fix eirini extensions
Dimitris Karakasilis authored Dec 13, 2019
2 parents 7db5325 + 6dc20df commit 60fecb5
Showing 10 changed files with 323 additions and 13 deletions.
Expand Up @@ -3,9 +3,14 @@
set -o errexit -o nounset

target="/var/vcap/all-releases/jobs-src/eirini/eirini-loggregator-bridge/templates/bpm.yml.erb"
sentinel="${target}.patch_sentinel"
if [[ -f "${sentinel}" ]]; then
echo "Patch already applied. Skipping"
exit 0
fi

# Patch BPM, since we're actually running in-cluster without BPM
PATCH=$(cat <<'EOT'
patch --verbose "${target}" <<'EOT'
@@ -8,17 +8,3 @@
- "--kubeconfig"
- "<%= kubeconfig %>"
Expand All @@ -25,11 +30,5 @@ PATCH=$(cat <<'EOT'
- mount_only: true
- <% end %>
EOT
)

# Only patch once
if ! patch --reverse --dry-run -f "${target}" <<<"$PATCH" 2>&1 >/dev/null ; then
patch --verbose "${target}" <<<"$PATCH"
else
echo "Patch already applied. skipping"
fi
touch "${sentinel}"
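Review bot: `patch --verbose "${target}"` still accepts a hunk that matches only with fuzz or at an offset (GNU patch defaults to a fuzz factor of 2) and exits 0 in that case, so after a release bump like the 0.0.22 to 0.0.25 one in this commit the hunk can land on shifted lines of bpm.yml.erb and `touch "${sentinel}"` then records it as applied. The sentinel replaces the old `patch --reverse --dry-run` probe, which at least re-checked the file contents, so nothing now confirms the template ends up in the intended shape. Since the script already runs under `set -o errexit` to fail loudly, consider `patch --verbose --fuzz=0 "${target}"` so that a changed upstream template aborts pre-rendering instead of silently producing a mis-patched job; the same applies to the four new pre_render scripts in this commit.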
@@ -0,0 +1,34 @@
#!/usr/bin/env bash

set -o errexit -o nounset

target="/var/vcap/all-releases/jobs-src/eirini/eirini-persi-broker/templates/bpm.yml.erb"
sentinel="${target}.patch_sentinel"
if [[ -f "${sentinel}" ]]; then
echo "Patch already applied. Skipping"
exit 0
fi

# Patch BPM, since we're actually running in-cluster without BPM
patch --verbose "${target}" <<'EOT'
@@ -3,17 +3,4 @@ processes:
executable: /var/vcap/packages/eirini-persi-broker/bin/eirini-persi-broker
args: []
env:
- KUBERNETES_SERVICE_HOST: "<%= p("eirini-persi-broker.kube_service_host") %>"
- KUBERNETES_SERVICE_PORT: "<%= p("eirini-persi-broker.kube_service_port") %>"
BROKER_CONFIG_PATH: /var/vcap/jobs/eirini-persi-broker/config/eirini-persi-broker.yml
- <% if properties.opi&.k8s&.host_url.nil? %>
- # The ServiceAccount admission controller has to be enabled.
- # https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod
- additional_volumes:
- - path: /var/run/secrets/kubernetes.io/serviceaccount/token
- mount_only: true
- - path: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- mount_only: true
- - path: /var/run/secrets/kubernetes.io/serviceaccount/namespace
- mount_only: true
- <% end %>
EOT

touch "${sentinel}"
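Review bot: The comment `# Patch BPM, since we're actually running in-cluster without BPM` does not say what the job relies on once the patch strips `KUBERNETES_SERVICE_HOST`/`KUBERNETES_SERVICE_PORT` and the serviceaccount `additional_volumes`: presumably the kubelet-injected service environment and the pod's automounted token under /var/run/secrets/kubernetes.io/serviceaccount, which means disabling `automountServiceAccountToken` on the eirini instance group would break the broker's API access without any error at render time. Suggest extending the comment to record that dependency, e.g. `# In-cluster the kubelet injects KUBERNETES_SERVICE_* and automounts the service-account token, so the explicit env and mounts are dropped; this job needs automountServiceAccountToken left enabled.` The same note applies to the eirini-persi, eirini-ssh-extension and eirini-ssh-proxy scripts in this commit, which drop the identical block.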
@@ -0,0 +1,38 @@
#!/usr/bin/env bash

set -o errexit -o nounset

target="/var/vcap/all-releases/jobs-src/eirini/eirini-persi/templates/bpm.yml.erb"
sentinel="${target}.patch_sentinel"
if [[ -f "${sentinel}" ]]; then
echo "Patch already applied. Skipping"
exit 0
fi

# Patch BPM, since we're actually running in-cluster without BPM
patch --verbose "${target}" <<'EOT'
@@ -3,21 +3,8 @@ processes:
executable: /var/vcap/packages/eirini-persi/bin/eirini-persi
args: []
env:
- KUBERNETES_SERVICE_HOST: "<%= p("eirini-persi.kube_service_host") %>"
- KUBERNETES_SERVICE_PORT: "<%= p("eirini-persi.kube_service_port") %>"
OPERATOR_WEBHOOK_HOST: "<%= p("eirini-persi.operator_webhook_host") %>"
OPERATOR_WEBHOOK_PORT: "<%= p("eirini-persi.operator_webhook_port") %>"
NAMESPACE: "<%= p("eirini-persi.namespace") %>"
OPERATOR_SERVICE_NAME: "<%= p("eirini-persi.operator_webhook_servicename") %>"
OPERATOR_WEBHOOK_NAMESPACE: "<%= p("eirini-persi.operator_webhook_namespace") %>"
- <% if properties.opi&.k8s&.host_url.nil? %>
- # The ServiceAccount admission controller has to be enabled.
- # https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod
- additional_volumes:
- - path: /var/run/secrets/kubernetes.io/serviceaccount/token
- mount_only: true
- - path: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- mount_only: true
- - path: /var/run/secrets/kubernetes.io/serviceaccount/namespace
- mount_only: true
- <% end %>
EOT

touch "${sentinel}"
@@ -0,0 +1,38 @@
#!/usr/bin/env bash

set -o errexit -o nounset

target="/var/vcap/all-releases/jobs-src/eirini/eirini-ssh-extension/templates/bpm.yml.erb"
sentinel="${target}.patch_sentinel"
if [[ -f "${sentinel}" ]]; then
echo "Patch already applied. Skipping"
exit 0
fi

# Patch BPM, since we're actually running in-cluster without BPM
patch --verbose "${target}" <<'EOT'
@@ -3,21 +3,8 @@ processes:
executable: /var/vcap/packages/eirini-ssh-extension/bin/eirini-ssh-extension
args: []
env:
- KUBERNETES_SERVICE_HOST: "<%= p("eirini-ssh-extension.kube_service_host") %>"
- KUBERNETES_SERVICE_PORT: "<%= p("eirini-ssh-extension.kube_service_port") %>"
EIRINI_EXTENSION_HOST: "<%= p("eirini-ssh-extension.operator_webhook_host") %>"
EIRINI_EXTENSION_PORT: "<%= p("eirini-ssh-extension.operator_webhook_port") %>"
EIRINI_EXTENSION_NAMESPACE: "<%= p("eirini-ssh-extension.namespace") %>"
OPERATOR_SERVICE_NAME: "<%= p("eirini-ssh-extension.operator_webhook_servicename") %>"
OPERATOR_WEBHOOK_NAMESPACE: "<%= p("eirini-ssh-extension.operator_webhook_namespace") %>"
- <% if properties.opi&.k8s&.host_url.nil? %>
- # The ServiceAccount admission controller has to be enabled.
- # https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod
- additional_volumes:
- - path: /var/run/secrets/kubernetes.io/serviceaccount/token
- mount_only: true
- - path: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- mount_only: true
- - path: /var/run/secrets/kubernetes.io/serviceaccount/namespace
- mount_only: true
- <% end %>
EOT

touch "${sentinel}"
@@ -0,0 +1,35 @@
#!/usr/bin/env bash

set -o errexit -o nounset

target="/var/vcap/all-releases/jobs-src/eirini/eirini-ssh-proxy/templates/bpm.yml.erb"
sentinel="${target}.patch_sentinel"
if [[ -f "${sentinel}" ]]; then
echo "Patch already applied. Skipping"
exit 0
fi

# Patch BPM, since we're actually running in-cluster without BPM
patch --verbose "${target}" <<'EOT'
@@ -5,18 +5,5 @@ processes:
- "--config"
- "/var/vcap/jobs/eirini-ssh-proxy/config/eirini-ssh-proxy.json"
env:
- KUBERNETES_SERVICE_HOST: "<%= p("eirini-ssh-proxy.kube_service_host") %>"
- KUBERNETES_SERVICE_PORT: "<%= p("eirini-ssh-proxy.kube_service_port") %>"
SSH_PROXY_KUBERNETES_NAMESPACE: "<%= p("eirini-ssh-proxy.kube_namespace") %>"
SSH_PROXY_DAEMON_PORT: "<%= p("eirini-ssh-proxy.sshd_port") %>"
- <% if properties.opi&.k8s&.host_url.nil? %>
- # The ServiceAccount admission controller has to be enabled.
- # https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod
- additional_volumes:
- - path: /var/run/secrets/kubernetes.io/serviceaccount/token
- mount_only: true
- - path: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- mount_only: true
- - path: /var/run/secrets/kubernetes.io/serviceaccount/namespace
- mount_only: true
- <% end %>
EOT

touch "${sentinel}"
5 changes: 5 additions & 0 deletions deploy/helm/kubecf/assets/operations/instance_groups/api.yaml
Expand Up @@ -40,6 +40,11 @@
path: /instance_groups/name=api/jobs/name=file_server/properties/diego?/file_server/static_directory
value: "/var/vcap/packages/"

# Enable volume services
- type: replace
path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/cc/volume_services_enabled?
value: true

# Add empty BPM processes to buildpacks.
- type: replace
path: /instance_groups/name=api/jobs/name=binary-buildpack/properties?/quarks/bpm/processes
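Review bot: The new `volume_services_enabled: true` op is unconditional, while the rest of this PR gates its Eirini-only changes behind `features.eirini.enabled` (see the `{{- if not .Values.features.eirini.enabled }}` guard added to the scheduler ops file). If the flag is only meant to back eirini-persi, a Diego deployment would now advertise volume services to every CC user without a volume driver behind them, so wrap the op in `{{- if .Values.features.eirini.enabled }}` / `{{- end }}`, or extend the `# Enable volume services` comment to state that it is intentionally on for both backends.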
74 changes: 73 additions & 1 deletion deploy/helm/kubecf/assets/operations/instance_groups/eirini.yaml
Expand Up @@ -71,6 +71,52 @@
settings:
serviceAccountName: {{ .Release.Name }}-eirini
jobs:
- name: eirini-persi-broker
release: eirini
properties:
eirini-persi-broker:
namespace: {{ .Release.Name }}-eirini
backend_host: "0.0.0.0"
backend_port: 8999
auth_password: ((eirini_persi_broker_auth_password))
- name: eirini-persi
release: eirini
properties:
eirini-persi:
namespace: {{ .Release.Name }}-eirini
operator_webhook_host: "0.0.0.0"
operator_webhook_port: 8443
operator_webhook_servicename: {{ .Release.Name }}-eirini-persi
operator_webhook_namespace: {{ .Release.Name }}
- name: eirini-ssh-proxy
release: eirini
properties:
eirini-ssh-proxy:
api_url: "https://cloud-controller-ng.service.cf.internal:9024"
port: "2222"
host_key: '((eirini_ssh_proxy_key.private_key))'
kube_namespace: {{ .Release.Name }}-eirini
sshd_port: 2222
ssl:
skip_cert_verify: false
cc:
ca_cert: "((cc_tls.ca))"
uaa:
ca_cert: '((uaa_ssl.ca))'
uaa:
clients:
ssh-proxy:
secret: '((uaa_clients_ssh-proxy_secret))'
url: "https://uaa.service.cf.internal:8443"
- name: eirini-ssh-extension
release: eirini
properties:
eirini-ssh-extension:
namespace: {{ .Release.Name }}-eirini
operator_webhook_host: "0.0.0.0"
operator_webhook_port: 2999
operator_webhook_servicename: {{ .Release.Name }}-eirini-ssh
operator_webhook_namespace: {{ .Release.Name }}
- name: eirini-loggregator-bridge
release: eirini
properties:
Expand Down Expand Up @@ -133,7 +179,7 @@
path: /releases/-
value:
name: eirini
version: 0.0.22
version: 0.0.25
url: {{ .Values.releases.defaults.url | quote }}
stemcell: {{ include "kubecf.stemcellLookup" (list .Values.releases "eirini") }}

Expand Down Expand Up @@ -248,6 +294,16 @@
common_name: cloud_controller
extended_key_usage:
- client_auth
- type: replace
path: /variables/name=eirini_persi_broker_auth_password?
value:
type: password
name: eirini_persi_broker_auth_password
- type: replace
path: /variables/name=eirini_ssh_proxy_key?
value:
type: ssh
name: eirini_ssh_proxy_key

- type: replace
path: /instance_groups/name=bits/jobs/name=eirinifs/properties?/quarks?
Expand All @@ -264,6 +320,22 @@
path: /variables/name=loggregator_tls_doppler/options/alternative_names?/-
value: metron

# Add necessary labels to the eirini instance group so that the service can select it to create the endpoint for ssh-proxy
- type: replace
path: /instance_groups/name=eirini/env?/bosh/agent/settings/labels/app.kubernetes.io~1component
value: "ssh-proxy"
- type: replace
path: /instance_groups/name=eirini/env?/bosh/agent/settings/labels/app.kubernetes.io~1instance
value: {{ .Release.Name | quote }}
- type: replace
path: /instance_groups/name=eirini/env?/bosh/agent/settings/labels/app.kubernetes.io~1version
value: {{ default .Chart.Version .Chart.AppVersion | quote }}

# Set the ssh-proxy key fingerprint
- type: replace
path: /instance_groups/name=api/jobs/name=cloud_controller_ng/properties/app_ssh/host_key_fingerprint?
value: '((eirini_ssh_proxy_key.public_key_fingerprint))'

{{- $root := . -}}
{{- range $path, $bytes := .Files.Glob "assets/operations/pre_render_scripts/eirini_*" }}
{{ $root.Files.Get $path }}
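Review bot: `operator_webhook_namespace: {{ .Release.Name }}` on both eirini-persi and eirini-ssh-extension names the release, but the Services those webhooks must be reached through (`{{ .Release.Name }}-eirini-persi` and `{{ .Release.Name }}-eirini-ssh` in templates/eirini.yaml) are created in `{{ .Release.Namespace }}`; unless kubecf requires the release name to equal the install namespace, the registered MutatingWebhookConfiguration will point at a non-existent service and the extensions silently never run (or block pod creation, depending on failure policy). Change both lines to `operator_webhook_namespace: {{ .Release.Namespace }}`. Separately, eirini-persi-broker is protected only by `auth_password` on plain port 8999 (the Service port is named `http`), which is worth a comment stating that broker credentials cross the cluster network unencrypted unless something else wraps that hop.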
Expand Up @@ -72,6 +72,7 @@

# Add necessary labels to the scheduler instance group so that the service can select it to create
# the endpoint.
{{- if not .Values.features.eirini.enabled -}}
- type: replace
path: /instance_groups/name=scheduler/env?/bosh/agent/settings/labels/app.kubernetes.io~1component
value: "ssh-proxy"
Expand All @@ -81,6 +82,7 @@
- type: replace
path: /instance_groups/name=scheduler/env?/bosh/agent/settings/labels/app.kubernetes.io~1version
value: {{ default .Chart.Version .Chart.AppVersion | quote }}
{{- end }}

- type: replace
path: /instance_groups/name=scheduler/jobs/name=cfdot/properties/quarks?/bpm/processes
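Review bot: `{{- if not .Values.features.eirini.enabled -}}` trims whitespace on both sides, so when this file is rendered through the template engine the newline before `- type: replace` is consumed and that line is glued onto the preceding `# the endpoint.` comment, leaving the following `path:`/`value:` keys dangling in the YAML. That is the non-Eirini (default) path, so it would surface on every Diego deployment if the file is rendered as shown. Drop the right-hand trim: `{{- if not .Values.features.eirini.enabled }}`, matching the `{{- end }}` that closes the block.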
77 changes: 77 additions & 0 deletions deploy/helm/kubecf/templates/eirini.yaml
@@ -1,5 +1,31 @@
{{- if .Values.features.eirini.enabled -}}

# eirini-webhook cluster role for eirini service account.
# Used to implement eirinix extensions.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ .Release.Namespace }}:{{ .Release.Name }}-eirini-webhook
rules:
- apiGroups: ['admissionregistration.k8s.io']
resources: ['mutatingwebhookconfigurations']
verbs: ['*']

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ .Release.Namespace }}:{{ .Release.Name }}-eirini-webhook
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ .Release.Namespace }}:{{ .Release.Name }}-eirini-webhook
subjects:
- kind: ServiceAccount
name: {{ .Release.Name }}-eirini
namespace: {{.Release.Namespace}}

# A service for the cc uploader
---
apiVersion: v1
Expand Down Expand Up @@ -38,6 +64,57 @@ spec:
port: 443
targetPort: 443
nodePort: {{ .Values.features.eirini.registry.service.nodePort }}
# A service for eirini-ssh
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}-eirini-ssh
namespace: {{ .Release.Namespace | quote }}
spec:
type: ClusterIP
selector:
quarks.cloudfoundry.org/instance-group-name: eirini
quarks.cloudfoundry.org/deployment-name: {{ .Release.Name }}
ports:
- protocol: TCP
name: "https"
port: 443
targetPort: 2999
# A service for eirini-persi
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}-eirini-persi
namespace: {{ .Release.Namespace | quote }}
spec:
type: ClusterIP
selector:
quarks.cloudfoundry.org/instance-group-name: eirini
quarks.cloudfoundry.org/deployment-name: {{ .Release.Name }}
ports:
- protocol: TCP
name: "https"
port: 443
targetPort: 8443
# A service for eirini-persi-broker
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}-eirini-persi-broker
namespace: {{ .Release.Namespace | quote }}
spec:
type: ClusterIP
selector:
quarks.cloudfoundry.org/instance-group-name: eirini
quarks.cloudfoundry.org/deployment-name: {{ .Release.Name }}
ports:
- protocol: TCP
name: "http"
port: 8999
targetPort: 8999
---
# A namespace where eirini apps are created
apiVersion: v1
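Review bot: The new ClusterRole grants `verbs: ['*']` on `mutatingwebhookconfigurations` cluster-wide to the `{{ .Release.Name }}-eirini` service account, which is shared by every job in the eirini instance group (its `serviceAccountName` in instance_groups/eirini.yaml), so compromise of any of those processes yields the ability to register a webhook that rewrites arbitrary pods in the cluster. Narrow the rule to the verbs the eirinix extensions actually issue when registering their configuration (confirm against the library; `list`/`watch` plus `create`/`update`/`delete` of their own object is the likely set), and `resourceNames` can further pin the mutating verbs to the configurations these extensions own. At minimum add a comment above the rule stating why cluster-wide mutating-webhook rights are required, e.g. `# Cluster-scoped because MutatingWebhookConfiguration is not namespaced; eirinix registers/updates the eirini-persi and eirini-ssh webhooks at startup.`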
