From 66cb4d2367f2237f408b745129959d710b70fc32 Mon Sep 17 00:00:00 2001 From: "Egorov, Stanislav" Date: Wed, 30 Oct 2019 14:43:35 -0700 Subject: [PATCH] containerd support Introduced new name for the field to define package that has files which will be used as runtime for UCP containers. Prepared set of yaml files as an example of containerd usage. Prepared zuul job to use containerd in simple deployment. Change-Id: Ifc82a505d064c4f13efccfd92ffc336a510220bf --- .zuul.yaml | 10 + doc/source/configuration/host-system.rst | 39 +- examples/basic/HostSystem.yaml | 162 +-- examples/complete/HostSystem.yaml | 6 +- examples/containerd/Docker.yaml | 18 + examples/containerd/EncryptionPolicy.yaml | 19 + examples/containerd/Genesis.yaml | 82 ++ examples/containerd/HostSystem.yaml | 118 +++ examples/containerd/Kubelet.yaml | 28 + examples/containerd/KubernetesNetwork.yaml | 43 + examples/containerd/LayeringPolicy.yaml | 11 + examples/containerd/PKICatalog-addition.yaml | 22 + examples/containerd/PKICatalog.yaml | 128 +++ examples/containerd/armada-resources.yaml | 965 ++++++++++++++++++ examples/gate/HostSystem.yaml | 162 +-- promenade/schemas/HostSystem.yaml | 30 +- promenade/templates/include/up.sh | 43 +- tools/g2/lib/virsh.sh | 2 + .../deploy-promenade-containerd.yaml | 73 ++ 19 files changed, 1760 insertions(+), 201 deletions(-) create mode 100644 examples/containerd/Docker.yaml create mode 100644 examples/containerd/EncryptionPolicy.yaml create mode 100644 examples/containerd/Genesis.yaml create mode 100644 examples/containerd/HostSystem.yaml create mode 100644 examples/containerd/Kubelet.yaml create mode 100644 examples/containerd/KubernetesNetwork.yaml create mode 100644 examples/containerd/LayeringPolicy.yaml create mode 100644 examples/containerd/PKICatalog-addition.yaml create mode 100644 examples/containerd/PKICatalog.yaml create mode 100644 examples/containerd/armada-resources.yaml create mode 100644 tools/zuul/playbooks/deploy-promenade-containerd.yaml 
diff --git a/.zuul.yaml b/.zuul.yaml index 8fafbcc8..3b7f05d2 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -25,6 +25,7 @@ - airship-promenade-chart-build-latest-htk - airship-promenade-unit-py35 - airship-promenade-genesis-gate + - airship-promenade-genesis-containerd-gate gate: jobs: @@ -34,6 +35,7 @@ - airship-promenade-chart-build-gate - airship-promenade-unit-py35 - airship-promenade-genesis-gate + - airship-promenade-genesis-containerd-gate post: jobs: @@ -60,6 +62,14 @@ timeout: 3600 nodeset: airship-promenade-single-node-bionic +- job: + name: airship-promenade-genesis-containerd-gate + description: | + Deploy airship promenade genesis with containerd + run: tools/zuul/playbooks/deploy-promenade-containerd.yaml + timeout: 3600 + nodeset: airship-promenade-single-node-bionic + - job: name: airship-promenade-lint-ws description: | diff --git a/doc/source/configuration/host-system.rst b/doc/source/configuration/host-system.rst index 632bace5..710df8ac 100644 --- a/doc/source/configuration/host-system.rst +++ b/doc/source/configuration/host-system.rst @@ -1,8 +1,8 @@ HostSystem ========== -Sample Document ---------------- +Sample Document to run containers in Docker runtime +--------------------------------------------------- .. code-block:: yaml 
@@ -63,7 +63,40 @@ Sample Document - curl - jq required: - docker: docker-engine=1.13.1-0~ubuntu-xenial + runtime: docker-engine=1.13.1-0~ubuntu-xenial + socat: socat=1.7.3.1-1 + + +Sample Document to run containers in Containerd runtime +------------------------------------------------------- + +.. code-block:: yaml + + schema: promenade/HostSystem/v1 + metadata: + schema: metadata/Document/v1 + name: host-system + layeringDefinition: + abstract: false + layer: site + data: + files: + - path: /opt/kubernetes/bin/kubelet + tar_url: https://dl.k8s.io/v1.11.6/kubernetes-node-linux-amd64.tar.gz + tar_path: kubernetes/node/bin/kubelet + mode: 0555 + images: + haproxy: haproxy:1.8.3 + helm: + helm: lachlanevenson/k8s-helm:v2.14.0 + kubernetes: + kubectl: gcr.io/google_containers/hyperkube-amd64:v1.11.6 + packages: + additional: + - curl + - jq + required: + runtime: containerd socat: socat=1.7.3.1-1 diff --git a/examples/basic/HostSystem.yaml b/examples/basic/HostSystem.yaml index 78fdcf07..e5f49c61 100644 --- a/examples/basic/HostSystem.yaml +++ b/examples/basic/HostSystem.yaml 
@@ -119,90 +119,90 @@ data: - curl - jq required: - docker: docker-engine + runtime: docker-engine socat: socat - genesis: - repositories: - - deb http://apt.dockerproject.org/repo ubuntu-xenial main - keys: - - |- - -----BEGIN PGP PUBLIC KEY BLOCK----- + genesis: + repositories: + - deb http://apt.dockerproject.org/repo ubuntu-xenial main + keys: + - |- + -----BEGIN PGP PUBLIC KEY BLOCK----- - mQINBFWln24BEADrBl5p99uKh8+rpvqJ48u4eTtjeXAWbslJotmC/CakbNSqOb9o - ddfzRvGVeJVERt/Q/mlvEqgnyTQy+e6oEYN2Y2kqXceUhXagThnqCoxcEJ3+KM4R - mYdoe/BJ/J/6rHOjq7Omk24z2qB3RU1uAv57iY5VGw5p45uZB4C4pNNsBJXoCvPn - TGAs/7IrekFZDDgVraPx/hdiwopQ8NltSfZCyu/jPpWFK28TR8yfVlzYFwibj5WK - dHM7ZTqlA1tHIG+agyPf3Rae0jPMsHR6q+arXVwMccyOi+ULU0z8mHUJ3iEMIrpT - X+80KaN/ZjibfsBOCjcfiJSB/acn4nxQQgNZigna32velafhQivsNREFeJpzENiG - HOoyC6qVeOgKrRiKxzymj0FIMLru/iFF5pSWcBQB7PYlt8J0G80lAcPr6VCiN+4c - NKv03SdvA69dCOj79PuO9IIvQsJXsSq96HB+TeEmmL+xSdpGtGdCJHHM1fDeCqkZ - hT+RtBGQL2SEdWjxbF43oQopocT8cHvyX6Zaltn0svoGs+wX3Z/H6/8P5anog43U - 65c0A+64Jj00rNDr8j31izhtQMRo892kGeQAaaxg4Pz6HnS7hRC+cOMHUU4HA7iM - zHrouAdYeTZeZEQOA7SxtCME9ZnGwe2grxPXh/U/80WJGkzLFNcTKdv+rwARAQAB - tDdEb2NrZXIgUmVsZWFzZSBUb29sIChyZWxlYXNlZG9ja2VyKSA8ZG9ja2VyQGRv - Y2tlci5jb20+iQI4BBMBAgAiBQJVpZ9uAhsvBgsJCAcDAgYVCAIJCgsEFgIDAQIe - AQIXgAAKCRD3YiFXLFJgnbRfEAC9Uai7Rv20QIDlDogRzd+Vebg4ahyoUdj0CH+n - Ak40RIoq6G26u1e+sdgjpCa8jF6vrx+smpgd1HeJdmpahUX0XN3X9f9qU9oj9A4I - 1WDalRWJh+tP5WNv2ySy6AwcP9QnjuBMRTnTK27pk1sEMg9oJHK5p+ts8hlSC4Sl - uyMKH5NMVy9c+A9yqq9NF6M6d6/ehKfBFFLG9BX+XLBATvf1ZemGVHQusCQebTGv - 0C0V9yqtdPdRWVIEhHxyNHATaVYOafTj/EF0lDxLl6zDT6trRV5n9F1VCEh4Aal8 - L5MxVPcIZVO7NHT2EkQgn8CvWjV3oKl2GopZF8V4XdJRl90U/WDv/6cmfI08GkzD - YBHhS8ULWRFwGKobsSTyIvnbk4NtKdnTGyTJCQ8+6i52s+C54PiNgfj2ieNn6oOR - 7d+bNCcG1CdOYY+ZXVOcsjl73UYvtJrO0Rl/NpYERkZ5d/tzw4jZ6FCXgggA/Zxc - jk6Y1ZvIm8Mt8wLRFH9Nww+FVsCtaCXJLP8DlJLASMD9rl5QS9Ku3u7ZNrr5HWXP - HXITX660jglyshch6CWeiUATqjIAzkEQom/kEnOrvJAtkypRJ59vYQOedZ1sFVEL - 
MXg2UCkD/FwojfnVtjzYaTCeGwFQeqzHmM241iuOmBYPeyTY5veF49aBJA1gEJOQ - TvBR8Q== - =Fm3p - -----END PGP PUBLIC KEY BLOCK----- - additional: - - ceph-common - - curl - - jq - required: - docker: docker-engine - socat: socat - join: - repositories: - - deb http://apt.dockerproject.org/repo ubuntu-xenial main - keys: - - |- - -----BEGIN PGP PUBLIC KEY BLOCK----- + mQINBFWln24BEADrBl5p99uKh8+rpvqJ48u4eTtjeXAWbslJotmC/CakbNSqOb9o + ddfzRvGVeJVERt/Q/mlvEqgnyTQy+e6oEYN2Y2kqXceUhXagThnqCoxcEJ3+KM4R + mYdoe/BJ/J/6rHOjq7Omk24z2qB3RU1uAv57iY5VGw5p45uZB4C4pNNsBJXoCvPn + TGAs/7IrekFZDDgVraPx/hdiwopQ8NltSfZCyu/jPpWFK28TR8yfVlzYFwibj5WK + dHM7ZTqlA1tHIG+agyPf3Rae0jPMsHR6q+arXVwMccyOi+ULU0z8mHUJ3iEMIrpT + X+80KaN/ZjibfsBOCjcfiJSB/acn4nxQQgNZigna32velafhQivsNREFeJpzENiG + HOoyC6qVeOgKrRiKxzymj0FIMLru/iFF5pSWcBQB7PYlt8J0G80lAcPr6VCiN+4c + NKv03SdvA69dCOj79PuO9IIvQsJXsSq96HB+TeEmmL+xSdpGtGdCJHHM1fDeCqkZ + hT+RtBGQL2SEdWjxbF43oQopocT8cHvyX6Zaltn0svoGs+wX3Z/H6/8P5anog43U + 65c0A+64Jj00rNDr8j31izhtQMRo892kGeQAaaxg4Pz6HnS7hRC+cOMHUU4HA7iM + zHrouAdYeTZeZEQOA7SxtCME9ZnGwe2grxPXh/U/80WJGkzLFNcTKdv+rwARAQAB + tDdEb2NrZXIgUmVsZWFzZSBUb29sIChyZWxlYXNlZG9ja2VyKSA8ZG9ja2VyQGRv + Y2tlci5jb20+iQI4BBMBAgAiBQJVpZ9uAhsvBgsJCAcDAgYVCAIJCgsEFgIDAQIe + AQIXgAAKCRD3YiFXLFJgnbRfEAC9Uai7Rv20QIDlDogRzd+Vebg4ahyoUdj0CH+n + Ak40RIoq6G26u1e+sdgjpCa8jF6vrx+smpgd1HeJdmpahUX0XN3X9f9qU9oj9A4I + 1WDalRWJh+tP5WNv2ySy6AwcP9QnjuBMRTnTK27pk1sEMg9oJHK5p+ts8hlSC4Sl + uyMKH5NMVy9c+A9yqq9NF6M6d6/ehKfBFFLG9BX+XLBATvf1ZemGVHQusCQebTGv + 0C0V9yqtdPdRWVIEhHxyNHATaVYOafTj/EF0lDxLl6zDT6trRV5n9F1VCEh4Aal8 + L5MxVPcIZVO7NHT2EkQgn8CvWjV3oKl2GopZF8V4XdJRl90U/WDv/6cmfI08GkzD + YBHhS8ULWRFwGKobsSTyIvnbk4NtKdnTGyTJCQ8+6i52s+C54PiNgfj2ieNn6oOR + 7d+bNCcG1CdOYY+ZXVOcsjl73UYvtJrO0Rl/NpYERkZ5d/tzw4jZ6FCXgggA/Zxc + jk6Y1ZvIm8Mt8wLRFH9Nww+FVsCtaCXJLP8DlJLASMD9rl5QS9Ku3u7ZNrr5HWXP + HXITX660jglyshch6CWeiUATqjIAzkEQom/kEnOrvJAtkypRJ59vYQOedZ1sFVEL + MXg2UCkD/FwojfnVtjzYaTCeGwFQeqzHmM241iuOmBYPeyTY5veF49aBJA1gEJOQ + TvBR8Q== + =Fm3p + -----END PGP 
PUBLIC KEY BLOCK----- + additional: + - ceph-common + - curl + - jq + required: + runtime: docker-engine + socat: socat + join: + repositories: + - deb http://apt.dockerproject.org/repo ubuntu-xenial main + keys: + - |- + -----BEGIN PGP PUBLIC KEY BLOCK----- - mQINBFWln24BEADrBl5p99uKh8+rpvqJ48u4eTtjeXAWbslJotmC/CakbNSqOb9o - ddfzRvGVeJVERt/Q/mlvEqgnyTQy+e6oEYN2Y2kqXceUhXagThnqCoxcEJ3+KM4R - mYdoe/BJ/J/6rHOjq7Omk24z2qB3RU1uAv57iY5VGw5p45uZB4C4pNNsBJXoCvPn - TGAs/7IrekFZDDgVraPx/hdiwopQ8NltSfZCyu/jPpWFK28TR8yfVlzYFwibj5WK - dHM7ZTqlA1tHIG+agyPf3Rae0jPMsHR6q+arXVwMccyOi+ULU0z8mHUJ3iEMIrpT - X+80KaN/ZjibfsBOCjcfiJSB/acn4nxQQgNZigna32velafhQivsNREFeJpzENiG - HOoyC6qVeOgKrRiKxzymj0FIMLru/iFF5pSWcBQB7PYlt8J0G80lAcPr6VCiN+4c - NKv03SdvA69dCOj79PuO9IIvQsJXsSq96HB+TeEmmL+xSdpGtGdCJHHM1fDeCqkZ - hT+RtBGQL2SEdWjxbF43oQopocT8cHvyX6Zaltn0svoGs+wX3Z/H6/8P5anog43U - 65c0A+64Jj00rNDr8j31izhtQMRo892kGeQAaaxg4Pz6HnS7hRC+cOMHUU4HA7iM - zHrouAdYeTZeZEQOA7SxtCME9ZnGwe2grxPXh/U/80WJGkzLFNcTKdv+rwARAQAB - tDdEb2NrZXIgUmVsZWFzZSBUb29sIChyZWxlYXNlZG9ja2VyKSA8ZG9ja2VyQGRv - Y2tlci5jb20+iQI4BBMBAgAiBQJVpZ9uAhsvBgsJCAcDAgYVCAIJCgsEFgIDAQIe - AQIXgAAKCRD3YiFXLFJgnbRfEAC9Uai7Rv20QIDlDogRzd+Vebg4ahyoUdj0CH+n - Ak40RIoq6G26u1e+sdgjpCa8jF6vrx+smpgd1HeJdmpahUX0XN3X9f9qU9oj9A4I - 1WDalRWJh+tP5WNv2ySy6AwcP9QnjuBMRTnTK27pk1sEMg9oJHK5p+ts8hlSC4Sl - uyMKH5NMVy9c+A9yqq9NF6M6d6/ehKfBFFLG9BX+XLBATvf1ZemGVHQusCQebTGv - 0C0V9yqtdPdRWVIEhHxyNHATaVYOafTj/EF0lDxLl6zDT6trRV5n9F1VCEh4Aal8 - L5MxVPcIZVO7NHT2EkQgn8CvWjV3oKl2GopZF8V4XdJRl90U/WDv/6cmfI08GkzD - YBHhS8ULWRFwGKobsSTyIvnbk4NtKdnTGyTJCQ8+6i52s+C54PiNgfj2ieNn6oOR - 7d+bNCcG1CdOYY+ZXVOcsjl73UYvtJrO0Rl/NpYERkZ5d/tzw4jZ6FCXgggA/Zxc - jk6Y1ZvIm8Mt8wLRFH9Nww+FVsCtaCXJLP8DlJLASMD9rl5QS9Ku3u7ZNrr5HWXP - HXITX660jglyshch6CWeiUATqjIAzkEQom/kEnOrvJAtkypRJ59vYQOedZ1sFVEL - MXg2UCkD/FwojfnVtjzYaTCeGwFQeqzHmM241iuOmBYPeyTY5veF49aBJA1gEJOQ - TvBR8Q== - =Fm3p - -----END PGP PUBLIC KEY BLOCK----- - additional: - - ceph-common - - curl - - jq - required: - docker: 
docker-engine - socat: socat + mQINBFWln24BEADrBl5p99uKh8+rpvqJ48u4eTtjeXAWbslJotmC/CakbNSqOb9o + ddfzRvGVeJVERt/Q/mlvEqgnyTQy+e6oEYN2Y2kqXceUhXagThnqCoxcEJ3+KM4R + mYdoe/BJ/J/6rHOjq7Omk24z2qB3RU1uAv57iY5VGw5p45uZB4C4pNNsBJXoCvPn + TGAs/7IrekFZDDgVraPx/hdiwopQ8NltSfZCyu/jPpWFK28TR8yfVlzYFwibj5WK + dHM7ZTqlA1tHIG+agyPf3Rae0jPMsHR6q+arXVwMccyOi+ULU0z8mHUJ3iEMIrpT + X+80KaN/ZjibfsBOCjcfiJSB/acn4nxQQgNZigna32velafhQivsNREFeJpzENiG + HOoyC6qVeOgKrRiKxzymj0FIMLru/iFF5pSWcBQB7PYlt8J0G80lAcPr6VCiN+4c + NKv03SdvA69dCOj79PuO9IIvQsJXsSq96HB+TeEmmL+xSdpGtGdCJHHM1fDeCqkZ + hT+RtBGQL2SEdWjxbF43oQopocT8cHvyX6Zaltn0svoGs+wX3Z/H6/8P5anog43U + 65c0A+64Jj00rNDr8j31izhtQMRo892kGeQAaaxg4Pz6HnS7hRC+cOMHUU4HA7iM + zHrouAdYeTZeZEQOA7SxtCME9ZnGwe2grxPXh/U/80WJGkzLFNcTKdv+rwARAQAB + tDdEb2NrZXIgUmVsZWFzZSBUb29sIChyZWxlYXNlZG9ja2VyKSA8ZG9ja2VyQGRv + Y2tlci5jb20+iQI4BBMBAgAiBQJVpZ9uAhsvBgsJCAcDAgYVCAIJCgsEFgIDAQIe + AQIXgAAKCRD3YiFXLFJgnbRfEAC9Uai7Rv20QIDlDogRzd+Vebg4ahyoUdj0CH+n + Ak40RIoq6G26u1e+sdgjpCa8jF6vrx+smpgd1HeJdmpahUX0XN3X9f9qU9oj9A4I + 1WDalRWJh+tP5WNv2ySy6AwcP9QnjuBMRTnTK27pk1sEMg9oJHK5p+ts8hlSC4Sl + uyMKH5NMVy9c+A9yqq9NF6M6d6/ehKfBFFLG9BX+XLBATvf1ZemGVHQusCQebTGv + 0C0V9yqtdPdRWVIEhHxyNHATaVYOafTj/EF0lDxLl6zDT6trRV5n9F1VCEh4Aal8 + L5MxVPcIZVO7NHT2EkQgn8CvWjV3oKl2GopZF8V4XdJRl90U/WDv/6cmfI08GkzD + YBHhS8ULWRFwGKobsSTyIvnbk4NtKdnTGyTJCQ8+6i52s+C54PiNgfj2ieNn6oOR + 7d+bNCcG1CdOYY+ZXVOcsjl73UYvtJrO0Rl/NpYERkZ5d/tzw4jZ6FCXgggA/Zxc + jk6Y1ZvIm8Mt8wLRFH9Nww+FVsCtaCXJLP8DlJLASMD9rl5QS9Ku3u7ZNrr5HWXP + HXITX660jglyshch6CWeiUATqjIAzkEQom/kEnOrvJAtkypRJ59vYQOedZ1sFVEL + MXg2UCkD/FwojfnVtjzYaTCeGwFQeqzHmM241iuOmBYPeyTY5veF49aBJA1gEJOQ + TvBR8Q== + =Fm3p + -----END PGP PUBLIC KEY BLOCK----- + additional: + - ceph-common + - curl + - jq + required: + runtime: docker-engine + socat: socat validation: pod_logs: image: *busybox diff --git a/examples/complete/HostSystem.yaml b/examples/complete/HostSystem.yaml index 10bb3029..9b5cabc7 100644 --- a/examples/complete/HostSystem.yaml 
+++ b/examples/complete/HostSystem.yaml @@ -85,7 +85,7 @@ data: - curl - jq required: - docker: docker-engine + runtime: docker-engine socat: socat genesis: repositories: @@ -126,7 +126,7 @@ data: - curl - jq required: - docker: docker-engine + runtime: docker-engine socat: socat join: repositories: @@ -167,6 +167,6 @@ data: - curl - jq required: - docker: docker-engine + runtime: docker-engine socat: socat ... diff --git a/examples/containerd/Docker.yaml b/examples/containerd/Docker.yaml new file mode 100644 index 00000000..9463e9f9 --- /dev/null +++ b/examples/containerd/Docker.yaml @@ -0,0 +1,18 @@ +--- +schema: promenade/Docker/v1 +metadata: + schema: metadata/Document/v1 + name: docker + layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext +data: + config: + insecure-registries: + - registry:5000 + live-restore: true + max-concurrent-downloads: 10 + oom-score-adjust: -999 + storage-driver: overlay2 +... diff --git a/examples/containerd/EncryptionPolicy.yaml b/examples/containerd/EncryptionPolicy.yaml new file mode 100644 index 00000000..4b627b42 --- /dev/null +++ b/examples/containerd/EncryptionPolicy.yaml @@ -0,0 +1,19 @@ +--- +schema: promenade/EncryptionPolicy/v1 +metadata: + schema: metadata/Document/v1 + name: encryption-policy + layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext +data: + etcd: + - resources: + - 'secrets' + providers: + - secretbox: + keys: + - name: key1 + secret: Xw2UcbjILTJM6QiFZ0WPSbUvjtoT8OJC/Nl8qqYWjGk= +... diff --git a/examples/containerd/Genesis.yaml b/examples/containerd/Genesis.yaml new file mode 100644 index 00000000..58007c8c --- /dev/null +++ b/examples/containerd/Genesis.yaml 
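Review bot: In the new `examples/containerd/Docker.yaml`, `insecure-registries: - registry:5000` tells the daemon to accept plain-HTTP or invalid-certificate pulls from that host, so image integrity on this path rests entirely on the network between the node and 192.168.77.1; that is acceptable for a single-node gate but nothing in the document says so. It is also unclear from the hunk whether a Docker document is consumed at all when `runtime: containerd` is selected, so this may be a leftover from the Docker example rather than a deliberate part of it. If it is kept, a one-line comment above `insecure-registries:` such as `# gate-only: local registry served over HTTP; real sites must use TLS with a pinned CA` would stop the setting from being copied verbatim into site manifests.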
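Review bot: `examples/containerd/EncryptionPolicy.yaml` commits a real-looking 32-byte secretbox key, `secret: Xw2UcbjILTJM6QiFZ0WPSbUvjtoT8OJC/Nl8qqYWjGk=`, in a document marked `storagePolicy: cleartext`; per the `substitutions` in the accompanying Genesis.yaml this value becomes the apiserver's encryption-provider key, i.e. the key protecting every Secret in etcd, so anyone who copies the example inherits a publicly known key. Nothing in the document signals that the value is a sample. Add a comment directly above `secret:` such as `# SAMPLE KEY for the gate only — generate a site key with: head -c 32 /dev/urandom | base64` and note in it that the site-layer copy must be stored with `storagePolicy: encrypted` rather than cleartext.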
@@ -0,0 +1,82 @@ +--- +schema: promenade/Genesis/v1 +metadata: + schema: metadata/Document/v1 + name: genesis + layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext + substitutions: + - src: + schema: promenade/EncryptionPolicy/v1 + name: encryption-policy + path: .etcd + dest: + path: .apiserver.encryption +data: + hostname: n0 + ip: 192.168.77.10 + external_ip: 192.168.77.10 + apiserver: + arguments: + - --authorization-mode=Node,RBAC + - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,EventRateLimit,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota + - --service-cluster-ip-range=10.96.0.0/16 + - --endpoint-reconciler-type=lease + - --feature-gates=PodShareProcessNamespace=true + # NOTE(segorov): This flag is removed in Kubernetes 1.14 + - --repair-malformed-updates=false + - --admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml + - --experimental-encryption-provider-config=/etc/kubernetes/apiserver/encryption_provider.yaml + - --v=3 + armada: + target_manifest: cluster-bootstrap + tiller: + storage: secret + etcd: + auxiliary_threshold: 3 + labels: + dynamic: + - calico-etcd=enabled + - coredns=enabled + - kubernetes-apiserver=enabled + - kubernetes-controller-manager=enabled + - kubernetes-etcd=enabled + - kubernetes-scheduler=enabled + - promenade-genesis=enabled + - ucp-control-plane=enabled + haproxy: + run_as_user: 65534 + images: + armada: quay.io/airshipit/armada:master-ubuntu_xenial + helm: + tiller: gcr.io/kubernetes-helm/tiller:v2.14.0 + kubernetes: + apiserver: gcr.io/google_containers/hyperkube-amd64:v1.11.6 + controller-manager: gcr.io/google_containers/hyperkube-amd64:v1.11.6 + etcd: quay.io/coreos/etcd:v3.3.12 + scheduler: gcr.io/google_containers/hyperkube-amd64:v1.11.6 + files: + - path: /var/lib/anchor/calico-etcd-bootstrap + content: "# placeholder for triggering calico etcd bootstrapping" + mode: 0644 + # 
NOTE(mark-burnett): These are referenced by the apiserver arguments above. + - path: /etc/genesis/apiserver/acconfig.yaml + mode: 0444 + content: | + kind: AdmissionConfiguration + apiVersion: apiserver.k8s.io/v1alpha1 + plugins: + - name: EventRateLimit + path: eventconfig.yaml + - path: /etc/genesis/apiserver/eventconfig.yaml + mode: 0444 + content: | + kind: Configuration + apiVersion: eventratelimit.admission.k8s.io/v1alpha1 + limits: + - type: Server + qps: 1000 + burst: 10000 +... diff --git a/examples/containerd/HostSystem.yaml b/examples/containerd/HostSystem.yaml new file mode 100644 index 00000000..ecd8aea4 --- /dev/null +++ b/examples/containerd/HostSystem.yaml 
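Review bot: The `--enable-admission-plugins=` argument in `data.apiserver.arguments` lists `DefaultStorageClass` and `ResourceQuota` twice and, although `--authorization-mode=Node,RBAC` is set, omits `NodeRestriction`; the Node authorizer only scopes what a kubelet may read, while it is the NodeRestriction admission plugin that stops a kubelet credential (here `system:node:n0`, issued into `system:nodes` per PKICatalog.yaml) from modifying other nodes' Node/Pod objects or relabelling itself. The duplicates appear to be harmless but suggest the list was pasted rather than reviewed. I would deduplicate and append the plugin: `- --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,EventRateLimit,PersistentVolumeLabel,NodeRestriction`. Since the kubelet certificates visible in PKICatalog.yaml already carry the `system:nodes` group the plugin relies on, this should not break the gate.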
@@ -0,0 +1,118 @@ +--- +schema: promenade/HostSystem/v1 +metadata: + schema: metadata/Document/v1 + name: host-system + layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext +data: + systemd_units: + kube-cgroup: + enable: true + files: + - path: /opt/kubernetes/bin/hyperkube + docker_image: gcr.io/google_containers/hyperkube-amd64:v1.11.6 + file_path: /hyperkube + mode: 0555 + - path: /opt/kubernetes/bin/kubelet + symlink: /opt/kubernetes/bin/hyperkube + mode: 0555 + - path: /usr/local/bin/kubectl + symlink: /opt/kubernetes/bin/hyperkube + mode: 0555 + - path: /etc/systemd/system/kube-cgroup.service + content: | + [Unit] + Description=Create and tune cgroup for Kubernetes Pods + Requires=network-online.target + Before=kubelet.service + + [Service] + Delegate=yes + ExecStart=/usr/local/sbin/kube-cgroup.sh + + [Install] + RequiredBy=kubelet.service + mode: 0444 + - path: /usr/local/sbin/kube-cgroup.sh + mode: 0744 + content: |- + #!/bin/bash + + set -x + + KUBE_CGROUP=${KUBE_CGROUP:-"kube_whitelist"} + SYSTEMD_ABSPATH="/sys/fs/cgroup/systemd/$KUBE_CGROUP" + CPUSET_ABSPATH="/sys/fs/cgroup/cpuset/$KUBE_CGROUP" + CPU_ABSPATH="/sys/fs/cgroup/cpu/$KUBE_CGROUP" + MEM_ABSPATH="/sys/fs/cgroup/memory/$KUBE_CGROUP" + + for cg in $SYSTEMD_ABSPATH $CPUSET_ABSPATH $CPU_ABSPATH $MEM_ABSPATH + do + mkdir -p "$cg" + done + - path: /etc/logrotate.d/json-logrotate + mode: 0444 + content: |- + /var/lib/docker/containers/*/*-json.log + { + compress + copytruncate + create 0644 root root + daily + dateext + dateformat -%Y%m%d-%s + maxsize 10M + missingok + notifempty + su root root + rotate 1 + } + - path: /etc/profile.d/kubeconfig.sh + mode: 0744 + content: |- + export KUBECONFIG=/etc/kubernetes/admin/kubeconfig.yaml + - path: /etc/containerd/config.toml + mode: 0400 + content: |- + version = 2 + [plugins.cri] + [plugins.cri.registry.mirrors] + [plugins.cri.registry.mirrors."registry:5000"] + endpoint = ["http://registry:5000"] + images: + monitoring_image: 
&busybox busybox:1.28.3 + haproxy: haproxy:1.8.3 + helm: + helm: lachlanevenson/k8s-helm:v2.14.0 + packages: + common: + additional: + - ceph-common + - curl + - jq + required: + runtime: containerd + socat: socat + genesis: + additional: + - ceph-common + - curl + - jq + required: + runtime: containerd + socat: socat + join: + additional: + - ceph-common + - curl + - jq + required: + runtime: containerd + socat: socat + validation: + pod_logs: + image: *busybox +... diff --git a/examples/containerd/Kubelet.yaml b/examples/containerd/Kubelet.yaml new file mode 100644 index 00000000..7d8e7fd2 --- /dev/null +++ b/examples/containerd/Kubelet.yaml @@ -0,0 +1,28 @@ +--- +schema: promenade/Kubelet/v1 +metadata: + schema: metadata/Document/v1 + name: kubelet + layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext +data: + arguments: + - --container-runtime=remote + - --container-runtime-endpoint=unix:///run/containerd/containerd.sock + - --cni-bin-dir=/opt/cni/bin + - --cni-conf-dir=/etc/cni/net.d + - --network-plugin=cni + - --v=3 + images: + pause: gcr.io/google_containers/pause-amd64:3.0 + config_file_overrides: + runtimeRequestTimeout: 15m + evictionMaxPodGracePeriod: -1 + featureGates: + PodShareProcessNamespace: true + TaintBasedEvictions: false + nodeStatusUpdateFrequency: "5s" + serializeImagePulls: false +... diff --git a/examples/containerd/KubernetesNetwork.yaml b/examples/containerd/KubernetesNetwork.yaml new file mode 100644 index 00000000..1e35dbb8 --- /dev/null +++ b/examples/containerd/KubernetesNetwork.yaml 
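Review bot: The embedded `/etc/containerd/config.toml` declares `version = 2` yet addresses the CRI plugin with the v1 short name `[plugins.cri...]`; in the version-2 layout containerd keys plugins by their full ID, so as far as I can tell the mirror section is ignored and pulls bypass `registry:5000` entirely. Either drop `version = 2` to keep the v1 layout, or use `[plugins."io.containerd.grpc.v1.cri".registry.mirrors]` / `[plugins."io.containerd.grpc.v1.cri".registry.mirrors."registry:5000"]` with the same `endpoint = ["http://registry:5000"]`. Note too that the endpoint is plain HTTP with no TLS or CA pinning, so image integrity on this path rests on the network alone — fine for the gate, but worth a `# gate-only: plaintext mirror, do not copy to site manifests` comment. Separately, the `/etc/logrotate.d/json-logrotate` entry still rotates `/var/lib/docker/containers/*/*-json.log`, a path that presumably does not exist when the kubelet talks to containerd, so it looks like a leftover from the Docker example.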
@@ -0,0 +1,43 @@ +--- +schema: promenade/KubernetesNetwork/v1 +metadata: + schema: metadata/Document/v1 + name: kubernetes-network + layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext +data: + dns: + cluster_domain: cluster.local + service_ip: 10.96.0.10 + bootstrap_validation_checks: + - calico-etcd.kube-system.svc.cluster.local + - google.com + - kubernetes-etcd.kube-system.svc.cluster.local + - kubernetes.default.svc.cluster.local + upstream_servers: + - 8.8.8.8 + - 8.8.4.4 + + kubernetes: + apiserver_port: 6443 + haproxy_port: 6553 + pod_cidr: 10.97.0.0/16 + service_cidr: 10.96.0.0/16 + service_ip: 10.96.0.1 + + etcd: + container_port: 2379 + haproxy_port: 2378 + + hosts_entries: + - ip: 192.168.77.1 + names: + - registry + +# proxy: +# url: http://proxy.example.com:8080 +# additional_no_proxy: +# - 10.0.1.1 +... diff --git a/examples/containerd/LayeringPolicy.yaml b/examples/containerd/LayeringPolicy.yaml new file mode 100644 index 00000000..46ae0c58 --- /dev/null +++ b/examples/containerd/LayeringPolicy.yaml @@ -0,0 +1,11 @@ +--- +schema: deckhand/LayeringPolicy/v1 +metadata: + schema: metadata/Control/v1 + name: layering-policy +data: + layerOrder: + - global + - type + - site +... diff --git a/examples/containerd/PKICatalog-addition.yaml b/examples/containerd/PKICatalog-addition.yaml new file mode 100644 index 00000000..ec8da90a --- /dev/null +++ b/examples/containerd/PKICatalog-addition.yaml @@ -0,0 +1,22 @@ +--- +schema: promenade/PKICatalog/v1 +metadata: + schema: metadata/Document/v1 + name: cluster-certificates-addition + layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext +data: + certificate_authorities: + kubernetes: + description: CA for Kubernetes components + certificates: + - document_name: kubelet-n3 + common_name: system:node:n3 + hosts: + - n3 + - 192.168.77.13 + groups: + - system:nodes +... 
diff --git a/examples/containerd/PKICatalog.yaml b/examples/containerd/PKICatalog.yaml new file mode 100644 index 00000000..396711ff --- /dev/null +++ b/examples/containerd/PKICatalog.yaml 
@@ -0,0 +1,128 @@ +--- +schema: promenade/PKICatalog/v1 +metadata: + schema: metadata/Document/v1 + name: cluster-certificates + layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext +data: + certificate_authorities: + kubernetes: + description: CA for Kubernetes components + certificates: + - document_name: apiserver + description: Service certificate for Kubernetes apiserver + common_name: apiserver + hosts: + - localhost + - 127.0.0.1 + - 10.96.0.1 + kubernetes_service_names: + - kubernetes.default.svc.cluster.local + - document_name: kubelet-genesis + common_name: system:node:n0 + hosts: + - n0 + - 192.168.77.10 + groups: + - system:nodes + - document_name: kubelet-n0 + common_name: system:node:n0 + hosts: + - n0 + - 192.168.77.10 + groups: + - system:nodes + - document_name: scheduler + description: Service certificate for Kubernetes scheduler + common_name: system:kube-scheduler + - document_name: controller-manager + description: certificate for controller-manager + common_name: system:kube-controller-manager + - document_name: admin + common_name: admin + groups: + - system:masters + - document_name: armada + common_name: armada + groups: + - system:masters + kubernetes-etcd: + description: Certificates for Kubernetes's etcd servers + certificates: + - document_name: apiserver-etcd + description: etcd client certificate for use by Kubernetes apiserver + common_name: apiserver + # NOTE(mark-burnett): hosts not required for client certificates + - document_name: kubernetes-etcd-anchor + description: anchor + common_name: anchor + - document_name: kubernetes-etcd-genesis + common_name: kubernetes-etcd-genesis + hosts: + - n0 + - 192.168.77.10 + - 127.0.0.1 + - localhost + - kubernetes-etcd.kube-system.svc.cluster.local + - document_name: kubernetes-etcd-n0 + common_name: kubernetes-etcd-n0 + hosts: + - n0 + - 192.168.77.10 + - 127.0.0.1 + - localhost + - kubernetes-etcd.kube-system.svc.cluster.local + kubernetes-etcd-peer: + 
certificates: + - document_name: kubernetes-etcd-genesis-peer + common_name: kubernetes-etcd-genesis-peer + hosts: + - n0 + - 192.168.77.10 + - 127.0.0.1 + - localhost + - kubernetes-etcd.kube-system.svc.cluster.local + - document_name: kubernetes-etcd-n0-peer + common_name: kubernetes-etcd-n0-peer + hosts: + - n0 + - 192.168.77.10 + - 127.0.0.1 + - localhost + - kubernetes-etcd.kube-system.svc.cluster.local + calico-etcd: + description: Certificates for Calico etcd client traffic + certificates: + - document_name: calico-etcd-anchor + description: anchor + common_name: anchor + - document_name: calico-etcd-n0 + common_name: calico-etcd-n0 + hosts: + - n0 + - 192.168.77.10 + - 127.0.0.1 + - localhost + - 10.96.232.136 + - document_name: calico-node + common_name: calcico-node + calico-etcd-peer: + description: Certificates for Calico etcd clients + certificates: + - document_name: calico-etcd-n0-peer + common_name: calico-etcd-n0-peer + hosts: + - n0 + - 192.168.77.10 + - 127.0.0.1 + - localhost + - 10.96.232.136 + - document_name: calico-node-peer + common_name: calcico-node-peer + keypairs: + - name: service-account + description: Service account signing key for use by Kubernetes controller-manager. +... diff --git a/examples/containerd/armada-resources.yaml b/examples/containerd/armada-resources.yaml new file mode 100644 index 00000000..338b8cf7 --- /dev/null +++ b/examples/containerd/armada-resources.yaml 
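Review bot: `common_name: calcico-node` and `common_name: calcico-node-peer` in the calico-etcd and calico-etcd-peer sections misspell `calico`; nothing visible keys on the CN (armada-resources.yaml substitutes these certificates by document name), so it probably works today, but a CN that disagrees with the document name will mislead anyone auditing etcd client identities or adding CN-based etcd auth later — rename to `common_name: calico-node` and `common_name: calico-node-peer`. The `calico-etcd-peer` description reads `Certificates for Calico etcd clients` while it holds the peer certificates; `Certificates for Calico etcd peer traffic` would match the kubernetes-etcd-peer naming. Also, both `admin` and `armada` are issued into `groups: - system:masters`, a group bound to cluster-admin by an auto-reconciled binding that RBAC cannot narrow, so the armada credential is effectively irrevocable until the CA is rotated; acceptable for the gate, but a comment above the armada entry such as `# system:masters bypasses RBAC — scope armada with a dedicated ClusterRoleBinding in site layers` would record the tradeoff.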
@@ -0,0 +1,965 @@ +--- +schema: armada/Manifest/v1 +metadata: + schema: metadata/Document/v1 + name: cluster-bootstrap + layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext +data: + release_prefix: ucp + chart_groups: + - kubernetes-proxy + - container-networking + - dns + - kubernetes + - ucp-services +--- +schema: armada/ChartGroup/v1 +metadata: + schema: metadata/Document/v1 + name: kubernetes-proxy + layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext +data: + description: Kubernetes proxy + sequenced: true + chart_group: + - kubernetes-proxy +--- +schema: armada/ChartGroup/v1 +metadata: + schema: metadata/Document/v1 + name: container-networking + layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext +data: + description: Container networking via Calico + sequenced: true + chart_group: + - calico-etcd + - calico +--- +schema: armada/ChartGroup/v1 +metadata: + schema: metadata/Document/v1 + name: dns + layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext +data: + description: Cluster DNS + chart_group: + - coredns +--- +schema: armada/ChartGroup/v1 +metadata: + schema: metadata/Document/v1 + name: kubernetes + layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext +data: + description: Kubernetes components + sequenced: true + chart_group: + - haproxy + - kubernetes-etcd + - kubernetes-apiserver + - kubernetes-controller-manager + - kubernetes-scheduler + - tiller +--- +schema: armada/ChartGroup/v1 +metadata: + schema: metadata/Document/v1 + name: ucp-services + layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext +data: + description: Airship platform components + sequenced: true + chart_group: + - promenade +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: helm-toolkit + layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext +data: + chart_name: 
helm-toolkit + release: helm-toolkit + namespace: helm-toolkit + wait: + timeout: 600 + upgrade: + no_hooks: true + values: {} + source: + type: git + location: https://opendev.org/openstack/openstack-helm-infra.git + subpath: helm-toolkit + reference: b7e2d6839ce600a7c1e2103f55d208ad3f5029ca + dependencies: [] +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: infra-helm-toolkit + layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext +data: + chart_name: infra-helm-toolkit + release: infra-helm-toolkit + namespace: infra-helm-toolkit + wait: + timeout: 600 + upgrade: + no_hooks: true + values: {} + source: + type: git + location: https://opendev.org/openstack/openstack-helm-infra.git + subpath: helm-toolkit + reference: 681dee71b7befd199509b17852b3385d359a15a5 + dependencies: [] +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: kubernetes-proxy + layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext +data: + chart_name: proxy + release: kubernetes-proxy + namespace: kube-system + wait: + timeout: 600 + labels: + release_group: ucp-kubernetes-proxy + upgrade: + no_hooks: true + values: + images: + tags: + proxy: gcr.io/google_containers/hyperkube-amd64:v1.11.6 + network: + kubernetes_netloc: 127.0.0.1:6553 + source: + type: local + location: /etc/genesis/armada/assets/charts + subpath: proxy + dependencies: + - helm-toolkit + +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: calico-etcd + layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext + substitutions: + - + src: + schema: deckhand/CertificateAuthority/v1 + name: calico-etcd + path: . + dest: + path: '.values.secrets.tls.client.ca' + - + src: + schema: deckhand/CertificateAuthority/v1 + name: calico-etcd-peer + path: . + dest: + path: '.values.secrets.tls.peer.ca' + + - + src: + schema: deckhand/Certificate/v1 + name: calico-etcd-anchor + path: . 
+ dest: + path: '.values.secrets.anchor.tls.cert' + - + src: + schema: deckhand/CertificateKey/v1 + name: calico-etcd-anchor + path: . + dest: + path: '.values.secrets.anchor.tls.key' + + - + src: + schema: deckhand/Certificate/v1 + name: calico-etcd-n0 + path: . + dest: + path: '.values.nodes[0].tls.client.cert' + - + src: + schema: deckhand/CertificateKey/v1 + name: calico-etcd-n0 + path: . + dest: + path: '.values.nodes[0].tls.client.key' + - + src: + schema: deckhand/Certificate/v1 + name: calico-etcd-n0-peer + path: . + dest: + path: '.values.nodes[0].tls.peer.cert' + - + src: + schema: deckhand/CertificateKey/v1 + name: calico-etcd-n0-peer + path: . + dest: + path: '.values.nodes[0].tls.peer.key' + +data: + chart_name: etcd + release: calico-etcd + namespace: kube-system + test: + enabled: false + wait: + timeout: 600 + labels: + release_group: ucp-calico-etcd + upgrade: + no_hooks: true + values: + anchor: + etcdctl_endpoint: 10.96.232.136 + labels: + anchor: + node_selector_key: calico-etcd + node_selector_value: enabled + secrets: + anchor: + tls: + cert: placeholder + key: placeholder + tls: + client: + ca: placeholder + peer: + ca: placeholder + etcd: + host_data_path: /var/lib/etcd/calico + host_etc_path: /etc/etcd/calico + bootstrapping: + enabled: true + host_directory: /var/lib/anchor + filename: calico-etcd-bootstrap + images: + tags: + etcd: quay.io/coreos/etcd:v3.3.12 + etcdctl: quay.io/coreos/etcd:v3.3.12 + nodes: + - name: n0 + tls: + client: + cert: placeholder + key: placeholder + peer: + cert: placeholder + key: placeholder + service: + name: calico-etcd + ip: 10.96.232.136 + network: + service_client: + name: service_client + port: 6666 + target_port: 6666 + service_peer: + name: service_peer + port: 6667 + target_port: 6667 + source: + type: local + location: /etc/genesis/armada/assets/charts + subpath: etcd + dependencies: + - helm-toolkit + +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: calico + 
layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext + substitutions: + - + src: + schema: deckhand/CertificateAuthority/v1 + name: calico-etcd + path: . + dest: + path: '.values.endpoints.etcd.auth.client.tls.ca' + - + src: + schema: deckhand/Certificate/v1 + name: calico-node + path: . + dest: + path: '.values.endpoints.etcd.auth.client.tls.crt' + - + src: + schema: deckhand/CertificateKey/v1 + name: calico-node + path: . + dest: + path: '.values.endpoints.etcd.auth.client.tls.key' + +data: + chart_name: calico + release: calico + namespace: kube-system + wait: + timeout: 600 + labels: + release_group: ucp-calico + upgrade: + no_hooks: true + values: + conf: + cni_network_config: + name: k8s-pod-network + cniVersion: 0.1.0 + type: calico + etcd_endpoints: __ETCD_ENDPOINTS__ + etcd_ca_cert_file: /etc/calico/pki/ca + etcd_cert_file: /etc/calico/pki/crt + etcd_key_file: /etc/calico/pki/key + log_level: debug + mtu: 1500 + ipam: + type: calico-ipam + policy: + type: k8s + k8s_api_root: https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__ + k8s_auth_token: __SERVICEACCOUNT_TOKEN__ + + policy_controller: + K8S_API: "https://10.96.0.1:443" + + node: + CALICO_STARTUP_LOGLEVEL: INFO + CLUSTER_TYPE: + - k8s + - bgp + IP_AUTODETECTION_METHOD: interface=ens3 + WAIT_FOR_STORAGE: "true" + + endpoints: + etcd: + hosts: + default: calico-etcd + host_fqdn_override: + default: 10.96.232.136 + scheme: + default: https + + networking: + podSubnet: 10.97.0.0/16 + mtu: 1500 + + images: + tags: + calico_node: quay.io/calico/node:v2.6.5 + calico_cni: quay.io/calico/cni:v1.11.2 + calico_ctl: quay.io/calico/ctl:v1.6.2 + calico_settings: quay.io/calico/ctl:v1.6.2 + calico_kube_policy_controller: quay.io/calico/kube-policy-controller:v0.7.0 + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1 + + manifests: + daemonset_calico_etcd: false + job_image_repo_sync: false + service_calico_etcd: false + source: + type: git + location: 
https://opendev.org/openstack/openstack-helm-infra.git + reference: 681dee71b7befd199509b17852b3385d359a15a5 + subpath: calico + dependencies: + - infra-helm-toolkit +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: coredns + layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext +data: + chart_name: coredns + release: coredns + namespace: kube-system + wait: + timeout: 600 + labels: + release_group: ucp-coredns + upgrade: + no_hooks: true + values: + conf: + test: + names_to_resolve: + - att.com + - calico-etcd.kube-system.svc.cluster.local + - google.com + - kubernetes-etcd.kube-system.svc.cluster.local + - kubernetes.default.svc.cluster.local + + images: + tags: + coredns: coredns/coredns:1.6.2 + test: quay.io/airshipit/promenade:master + source: + type: local + location: /etc/genesis/armada/assets/charts + subpath: coredns + dependencies: + - helm-toolkit +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: haproxy + layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext +data: + chart_name: haproxy + release: haproxy + namespace: kube-system + wait: + timeout: 600 + labels: + release_group: ucp-haproxy + upgrade: + no_hooks: true + values: + conf: + anchor: + enable_cleanup: false + kubernetes_url: https://10.96.0.1:443 + services: + kube-system: + kubernetes-apiserver: + server_opts: "check port 6443" + conf_parts: + global: + - timeout connect 5000ms + - timeout client 30s + - timeout server 30s + frontend: + - mode tcp + - bind *:6553 + backend: + - mode tcp + - option tcp-check + - option redispatch + kubernetes-etcd: + server_opts: "check port 2379" + conf_parts: + frontend: + - mode tcp + - bind *:2378 + backend: + - mode tcp + - option tcp-check + - option redispatch + + images: + tags: + anchor: gcr.io/google_containers/hyperkube-amd64:v1.11.6 + haproxy: haproxy:1.8.3 + test: python:3.6 + + source: + type: local + location: 
/etc/genesis/armada/assets/charts + subpath: haproxy + dependencies: + - helm-toolkit +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: kubernetes-apiserver + layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext + substitutions: + - + src: + schema: deckhand/CertificateAuthority/v1 + name: kubernetes + path: . + dest: + path: .values.secrets.tls.ca + - + src: + schema: deckhand/Certificate/v1 + name: apiserver + path: . + dest: + path: .values.secrets.tls.cert + - + src: + schema: deckhand/CertificateKey/v1 + name: apiserver + path: . + dest: + path: .values.secrets.tls.key + + - + src: + schema: deckhand/CertificateAuthority/v1 + name: kubernetes-etcd + path: . + dest: + path: .values.secrets.etcd.tls.ca + - + src: + schema: deckhand/Certificate/v1 + name: apiserver-etcd + path: . + dest: + path: .values.secrets.etcd.tls.cert + - + src: + schema: deckhand/CertificateKey/v1 + name: apiserver-etcd + path: . + dest: + path: .values.secrets.etcd.tls.key + - + src: + schema: deckhand/PublicKey/v1 + name: service-account + path: . 
+ dest: + path: .values.secrets.service_account.public_key + + - + src: + schema: promenade/EncryptionPolicy/v1 + name: encryption-policy + path: .etcd + dest: + path: .values.conf.encryption_provider.content.resources +data: + chart_name: apiserver + release: kubernetes-apiserver + namespace: kube-system + wait: + timeout: 600 + labels: + release_group: ucp-kubernetes-apiserver + upgrade: + no_hooks: true + values: + conf: + encryption_provider: + file: encryption_provider.yaml + command_options: + - '--experimental-encryption-provider-config=/etc/kubernetes/apiserver/encryption_provider.yaml' + content: + kind: EncryptionConfig + apiVersion: v1 + apiserver: + etcd: + endpoints: https://127.0.0.1:2378 + images: + tags: + anchor: gcr.io/google_containers/hyperkube-amd64:v1.11.6 + apiserver: gcr.io/google_containers/hyperkube-amd64:v1.11.6 + network: + kubernetes_service_ip: 10.96.0.1 + pod_cidr: 10.97.0.0/16 + service_cidr: 10.96.0.0/16 + + source: + type: local + location: /etc/genesis/armada/assets/charts + subpath: apiserver + dependencies: + - helm-toolkit +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: kubernetes-controller-manager + layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext + substitutions: + - + src: + schema: deckhand/CertificateAuthority/v1 + name: kubernetes + path: . + dest: + path: .values.secrets.tls.ca + + - + src: + schema: deckhand/Certificate/v1 + name: controller-manager + path: . + dest: + path: .values.secrets.tls.cert + - + src: + schema: deckhand/CertificateKey/v1 + name: controller-manager + path: . + dest: + path: .values.secrets.tls.key + - + src: + schema: deckhand/PrivateKey/v1 + name: service-account + path: . 
+ dest: + path: .values.secrets.service_account.private_key + +data: + chart_name: controller_manager + release: kubernetes-controller-manager + namespace: kube-system + wait: + timeout: 600 + labels: + release_group: ucp-kubernetes-controller-manager + upgrade: + no_hooks: true + values: + images: + tags: + anchor: gcr.io/google_containers/hyperkube-amd64:v1.11.6 + controller_manager: gcr.io/google_containers/hyperkube-amd64:v1.11.6 + secrets: + service_account: + private_key: placeholder + tls: + ca: placeholder + cert: placeholder + key: placeholder + network: + kubernetes_netloc: 127.0.0.1:6553 + pod_cidr: 10.97.0.0/16 + service_cidr: 10.96.0.0/16 + + source: + type: local + location: /etc/genesis/armada/assets/charts + subpath: controller_manager + dependencies: + - helm-toolkit +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: kubernetes-scheduler + layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext + substitutions: + - + src: + schema: deckhand/CertificateAuthority/v1 + name: kubernetes + path: . + dest: + path: .values.secrets.tls.ca + - + src: + schema: deckhand/Certificate/v1 + name: scheduler + path: . + dest: + path: .values.secrets.tls.cert + - + src: + schema: deckhand/CertificateKey/v1 + name: scheduler + path: . 
+ dest: + path: .values.secrets.tls.key + +data: + chart_name: scheduler + release: kubernetes-scheduler + namespace: kube-system + wait: + timeout: 600 + labels: + release_group: ucp-kubernetes-scheduler + upgrade: + no_hooks: true + values: + secrets: + tls: + ca: placeholder + cert: placeholder + key: placeholder + + network: + kubernetes_netloc: 127.0.0.1:6553 + + images: + tags: + anchor: gcr.io/google_containers/hyperkube-amd64:v1.11.6 + scheduler: gcr.io/google_containers/hyperkube-amd64:v1.11.6 + + source: + type: local + location: /etc/genesis/armada/assets/charts + subpath: scheduler + dependencies: + - helm-toolkit +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: kubernetes-etcd + layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext + substitutions: + - + src: + schema: deckhand/CertificateAuthority/v1 + name: kubernetes-etcd + path: . + dest: + path: '.values.secrets.tls.client.ca' + - + src: + schema: deckhand/CertificateAuthority/v1 + name: kubernetes-etcd-peer + path: . + dest: + path: '.values.secrets.tls.peer.ca' + + - + src: + schema: deckhand/Certificate/v1 + name: kubernetes-etcd-anchor + path: . + dest: + path: '.values.secrets.anchor.tls.cert' + - + src: + schema: deckhand/CertificateKey/v1 + name: kubernetes-etcd-anchor + path: . + dest: + path: '.values.secrets.anchor.tls.key' + + - + src: + schema: deckhand/Certificate/v1 + name: kubernetes-etcd-n0 + path: . + dest: + path: '.values.nodes[0].tls.client.cert' + - + src: + schema: deckhand/CertificateKey/v1 + name: kubernetes-etcd-n0 + path: . + dest: + path: '.values.nodes[0].tls.client.key' + - + src: + schema: deckhand/Certificate/v1 + name: kubernetes-etcd-n0-peer + path: . + dest: + path: '.values.nodes[0].tls.peer.cert' + - + src: + schema: deckhand/CertificateKey/v1 + name: kubernetes-etcd-n0-peer + path: . 
+ dest: + path: '.values.nodes[0].tls.peer.key' + +data: + chart_name: etcd + release: kubernetes-etcd + namespace: kube-system + wait: + timeout: 600 + labels: + release_group: ucp-kubernetes-etcd + upgrade: + no_hooks: true + values: + anchor: + etcdctl_endpoint: kubernetes-etcd.kube-system.svc.cluster.local + labels: + anchor: + node_selector_key: kubernetes-etcd + node_selector_value: enabled + secrets: + anchor: + tls: + cert: placeholder + key: placeholder + tls: + client: + ca: placeholder + peer: + ca: placeholder + etcd: + host_data_path: /var/lib/etcd/kubernetes + host_etc_path: /etc/etcd/kubernetes + images: + tags: + etcd: quay.io/coreos/etcd:v3.3.12 + etcdctl: quay.io/coreos/etcd:v3.3.12 + nodes: + - name: n0 + tls: + client: + cert: placeholder + key: placeholder + peer: + cert: placeholder + key: placeholder + service: + name: kubernetes-etcd + network: + service_client: + name: service_client + port: 2379 + target_port: 2379 + service_peer: + name: service_peer + port: 2380 + target_port: 2380 + source: + type: local + location: /etc/genesis/armada/assets/charts + subpath: etcd + dependencies: + - helm-toolkit +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: tiller + layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext +data: + chart_name: tiller + release: tiller + namespace: kube-system + install: + no_hooks: false + upgrade: + no_hooks: false + wait: + timeout: 600 + values: + images: + tags: + tiller: gcr.io/kubernetes-helm/tiller:v2.14.0 + labels: + node_selector_key: ucp-control-plane + node_selector_value: enabled + source: + type: git + location: https://opendev.org/airship/armada.git + subpath: charts/tiller + reference: master + dependencies: + - helm-toolkit +--- +schema: armada/Chart/v1 +metadata: + schema: metadata/Document/v1 + name: promenade + layeringDefinition: + abstract: false + layer: site + storagePolicy: cleartext +data: + chart_name: promenade + release: promenade + 
namespace: ucp + wait: + timeout: 600 + labels: + release_group: ucp-promenade + values: + pod: + env: + promenade_api: + - name: PROMENADE_DEBUG + value: '1' + conf: + paste: + app:promenade-api: + disable: keystone + pipeline:main: + pipeline: noauth promenade-api + images: + tags: + promenade: quay.io/airshipit/promenade:master + manifests: + job_ks_endpoints: false + job_ks_service: false + job_ks_user: false + secret_keystone: false + upgrade: + no_hooks: true + source: + type: local + location: /etc/genesis/armada/assets/charts + subpath: promenade + dependencies: + - helm-toolkit +... diff --git a/examples/gate/HostSystem.yaml b/examples/gate/HostSystem.yaml index 78fdcf07..e5f49c61 100644 --- a/examples/gate/HostSystem.yaml +++ b/examples/gate/HostSystem.yaml 
@@ -119,90 +119,90 @@ data: - curl - jq required: - docker: docker-engine + runtime: docker-engine socat: socat - genesis: - repositories: - - deb http://apt.dockerproject.org/repo ubuntu-xenial main - keys: - - |- - -----BEGIN PGP PUBLIC KEY BLOCK----- + genesis: + repositories: + - deb http://apt.dockerproject.org/repo ubuntu-xenial main + keys: + - |- + -----BEGIN PGP PUBLIC KEY BLOCK----- - mQINBFWln24BEADrBl5p99uKh8+rpvqJ48u4eTtjeXAWbslJotmC/CakbNSqOb9o - ddfzRvGVeJVERt/Q/mlvEqgnyTQy+e6oEYN2Y2kqXceUhXagThnqCoxcEJ3+KM4R - mYdoe/BJ/J/6rHOjq7Omk24z2qB3RU1uAv57iY5VGw5p45uZB4C4pNNsBJXoCvPn - TGAs/7IrekFZDDgVraPx/hdiwopQ8NltSfZCyu/jPpWFK28TR8yfVlzYFwibj5WK - dHM7ZTqlA1tHIG+agyPf3Rae0jPMsHR6q+arXVwMccyOi+ULU0z8mHUJ3iEMIrpT - X+80KaN/ZjibfsBOCjcfiJSB/acn4nxQQgNZigna32velafhQivsNREFeJpzENiG - HOoyC6qVeOgKrRiKxzymj0FIMLru/iFF5pSWcBQB7PYlt8J0G80lAcPr6VCiN+4c - NKv03SdvA69dCOj79PuO9IIvQsJXsSq96HB+TeEmmL+xSdpGtGdCJHHM1fDeCqkZ - hT+RtBGQL2SEdWjxbF43oQopocT8cHvyX6Zaltn0svoGs+wX3Z/H6/8P5anog43U - 65c0A+64Jj00rNDr8j31izhtQMRo892kGeQAaaxg4Pz6HnS7hRC+cOMHUU4HA7iM - zHrouAdYeTZeZEQOA7SxtCME9ZnGwe2grxPXh/U/80WJGkzLFNcTKdv+rwARAQAB - tDdEb2NrZXIgUmVsZWFzZSBUb29sIChyZWxlYXNlZG9ja2VyKSA8ZG9ja2VyQGRv - Y2tlci5jb20+iQI4BBMBAgAiBQJVpZ9uAhsvBgsJCAcDAgYVCAIJCgsEFgIDAQIe - AQIXgAAKCRD3YiFXLFJgnbRfEAC9Uai7Rv20QIDlDogRzd+Vebg4ahyoUdj0CH+n - Ak40RIoq6G26u1e+sdgjpCa8jF6vrx+smpgd1HeJdmpahUX0XN3X9f9qU9oj9A4I - 1WDalRWJh+tP5WNv2ySy6AwcP9QnjuBMRTnTK27pk1sEMg9oJHK5p+ts8hlSC4Sl - uyMKH5NMVy9c+A9yqq9NF6M6d6/ehKfBFFLG9BX+XLBATvf1ZemGVHQusCQebTGv - 0C0V9yqtdPdRWVIEhHxyNHATaVYOafTj/EF0lDxLl6zDT6trRV5n9F1VCEh4Aal8 - L5MxVPcIZVO7NHT2EkQgn8CvWjV3oKl2GopZF8V4XdJRl90U/WDv/6cmfI08GkzD - YBHhS8ULWRFwGKobsSTyIvnbk4NtKdnTGyTJCQ8+6i52s+C54PiNgfj2ieNn6oOR - 7d+bNCcG1CdOYY+ZXVOcsjl73UYvtJrO0Rl/NpYERkZ5d/tzw4jZ6FCXgggA/Zxc - jk6Y1ZvIm8Mt8wLRFH9Nww+FVsCtaCXJLP8DlJLASMD9rl5QS9Ku3u7ZNrr5HWXP - HXITX660jglyshch6CWeiUATqjIAzkEQom/kEnOrvJAtkypRJ59vYQOedZ1sFVEL - 
MXg2UCkD/FwojfnVtjzYaTCeGwFQeqzHmM241iuOmBYPeyTY5veF49aBJA1gEJOQ - TvBR8Q== - =Fm3p - -----END PGP PUBLIC KEY BLOCK----- - additional: - - ceph-common - - curl - - jq - required: - docker: docker-engine - socat: socat - join: - repositories: - - deb http://apt.dockerproject.org/repo ubuntu-xenial main - keys: - - |- - -----BEGIN PGP PUBLIC KEY BLOCK----- + mQINBFWln24BEADrBl5p99uKh8+rpvqJ48u4eTtjeXAWbslJotmC/CakbNSqOb9o + ddfzRvGVeJVERt/Q/mlvEqgnyTQy+e6oEYN2Y2kqXceUhXagThnqCoxcEJ3+KM4R + mYdoe/BJ/J/6rHOjq7Omk24z2qB3RU1uAv57iY5VGw5p45uZB4C4pNNsBJXoCvPn + TGAs/7IrekFZDDgVraPx/hdiwopQ8NltSfZCyu/jPpWFK28TR8yfVlzYFwibj5WK + dHM7ZTqlA1tHIG+agyPf3Rae0jPMsHR6q+arXVwMccyOi+ULU0z8mHUJ3iEMIrpT + X+80KaN/ZjibfsBOCjcfiJSB/acn4nxQQgNZigna32velafhQivsNREFeJpzENiG + HOoyC6qVeOgKrRiKxzymj0FIMLru/iFF5pSWcBQB7PYlt8J0G80lAcPr6VCiN+4c + NKv03SdvA69dCOj79PuO9IIvQsJXsSq96HB+TeEmmL+xSdpGtGdCJHHM1fDeCqkZ + hT+RtBGQL2SEdWjxbF43oQopocT8cHvyX6Zaltn0svoGs+wX3Z/H6/8P5anog43U + 65c0A+64Jj00rNDr8j31izhtQMRo892kGeQAaaxg4Pz6HnS7hRC+cOMHUU4HA7iM + zHrouAdYeTZeZEQOA7SxtCME9ZnGwe2grxPXh/U/80WJGkzLFNcTKdv+rwARAQAB + tDdEb2NrZXIgUmVsZWFzZSBUb29sIChyZWxlYXNlZG9ja2VyKSA8ZG9ja2VyQGRv + Y2tlci5jb20+iQI4BBMBAgAiBQJVpZ9uAhsvBgsJCAcDAgYVCAIJCgsEFgIDAQIe + AQIXgAAKCRD3YiFXLFJgnbRfEAC9Uai7Rv20QIDlDogRzd+Vebg4ahyoUdj0CH+n + Ak40RIoq6G26u1e+sdgjpCa8jF6vrx+smpgd1HeJdmpahUX0XN3X9f9qU9oj9A4I + 1WDalRWJh+tP5WNv2ySy6AwcP9QnjuBMRTnTK27pk1sEMg9oJHK5p+ts8hlSC4Sl + uyMKH5NMVy9c+A9yqq9NF6M6d6/ehKfBFFLG9BX+XLBATvf1ZemGVHQusCQebTGv + 0C0V9yqtdPdRWVIEhHxyNHATaVYOafTj/EF0lDxLl6zDT6trRV5n9F1VCEh4Aal8 + L5MxVPcIZVO7NHT2EkQgn8CvWjV3oKl2GopZF8V4XdJRl90U/WDv/6cmfI08GkzD + YBHhS8ULWRFwGKobsSTyIvnbk4NtKdnTGyTJCQ8+6i52s+C54PiNgfj2ieNn6oOR + 7d+bNCcG1CdOYY+ZXVOcsjl73UYvtJrO0Rl/NpYERkZ5d/tzw4jZ6FCXgggA/Zxc + jk6Y1ZvIm8Mt8wLRFH9Nww+FVsCtaCXJLP8DlJLASMD9rl5QS9Ku3u7ZNrr5HWXP + HXITX660jglyshch6CWeiUATqjIAzkEQom/kEnOrvJAtkypRJ59vYQOedZ1sFVEL + MXg2UCkD/FwojfnVtjzYaTCeGwFQeqzHmM241iuOmBYPeyTY5veF49aBJA1gEJOQ + TvBR8Q== + =Fm3p + -----END PGP 
PUBLIC KEY BLOCK----- + additional: + - ceph-common + - curl + - jq + required: + runtime: docker-engine + socat: socat + join: + repositories: + - deb http://apt.dockerproject.org/repo ubuntu-xenial main + keys: + - |- + -----BEGIN PGP PUBLIC KEY BLOCK----- - mQINBFWln24BEADrBl5p99uKh8+rpvqJ48u4eTtjeXAWbslJotmC/CakbNSqOb9o - ddfzRvGVeJVERt/Q/mlvEqgnyTQy+e6oEYN2Y2kqXceUhXagThnqCoxcEJ3+KM4R - mYdoe/BJ/J/6rHOjq7Omk24z2qB3RU1uAv57iY5VGw5p45uZB4C4pNNsBJXoCvPn - TGAs/7IrekFZDDgVraPx/hdiwopQ8NltSfZCyu/jPpWFK28TR8yfVlzYFwibj5WK - dHM7ZTqlA1tHIG+agyPf3Rae0jPMsHR6q+arXVwMccyOi+ULU0z8mHUJ3iEMIrpT - X+80KaN/ZjibfsBOCjcfiJSB/acn4nxQQgNZigna32velafhQivsNREFeJpzENiG - HOoyC6qVeOgKrRiKxzymj0FIMLru/iFF5pSWcBQB7PYlt8J0G80lAcPr6VCiN+4c - NKv03SdvA69dCOj79PuO9IIvQsJXsSq96HB+TeEmmL+xSdpGtGdCJHHM1fDeCqkZ - hT+RtBGQL2SEdWjxbF43oQopocT8cHvyX6Zaltn0svoGs+wX3Z/H6/8P5anog43U - 65c0A+64Jj00rNDr8j31izhtQMRo892kGeQAaaxg4Pz6HnS7hRC+cOMHUU4HA7iM - zHrouAdYeTZeZEQOA7SxtCME9ZnGwe2grxPXh/U/80WJGkzLFNcTKdv+rwARAQAB - tDdEb2NrZXIgUmVsZWFzZSBUb29sIChyZWxlYXNlZG9ja2VyKSA8ZG9ja2VyQGRv - Y2tlci5jb20+iQI4BBMBAgAiBQJVpZ9uAhsvBgsJCAcDAgYVCAIJCgsEFgIDAQIe - AQIXgAAKCRD3YiFXLFJgnbRfEAC9Uai7Rv20QIDlDogRzd+Vebg4ahyoUdj0CH+n - Ak40RIoq6G26u1e+sdgjpCa8jF6vrx+smpgd1HeJdmpahUX0XN3X9f9qU9oj9A4I - 1WDalRWJh+tP5WNv2ySy6AwcP9QnjuBMRTnTK27pk1sEMg9oJHK5p+ts8hlSC4Sl - uyMKH5NMVy9c+A9yqq9NF6M6d6/ehKfBFFLG9BX+XLBATvf1ZemGVHQusCQebTGv - 0C0V9yqtdPdRWVIEhHxyNHATaVYOafTj/EF0lDxLl6zDT6trRV5n9F1VCEh4Aal8 - L5MxVPcIZVO7NHT2EkQgn8CvWjV3oKl2GopZF8V4XdJRl90U/WDv/6cmfI08GkzD - YBHhS8ULWRFwGKobsSTyIvnbk4NtKdnTGyTJCQ8+6i52s+C54PiNgfj2ieNn6oOR - 7d+bNCcG1CdOYY+ZXVOcsjl73UYvtJrO0Rl/NpYERkZ5d/tzw4jZ6FCXgggA/Zxc - jk6Y1ZvIm8Mt8wLRFH9Nww+FVsCtaCXJLP8DlJLASMD9rl5QS9Ku3u7ZNrr5HWXP - HXITX660jglyshch6CWeiUATqjIAzkEQom/kEnOrvJAtkypRJ59vYQOedZ1sFVEL - MXg2UCkD/FwojfnVtjzYaTCeGwFQeqzHmM241iuOmBYPeyTY5veF49aBJA1gEJOQ - TvBR8Q== - =Fm3p - -----END PGP PUBLIC KEY BLOCK----- - additional: - - ceph-common - - curl - - jq - required: - docker: 
docker-engine - socat: socat + mQINBFWln24BEADrBl5p99uKh8+rpvqJ48u4eTtjeXAWbslJotmC/CakbNSqOb9o + ddfzRvGVeJVERt/Q/mlvEqgnyTQy+e6oEYN2Y2kqXceUhXagThnqCoxcEJ3+KM4R + mYdoe/BJ/J/6rHOjq7Omk24z2qB3RU1uAv57iY5VGw5p45uZB4C4pNNsBJXoCvPn + TGAs/7IrekFZDDgVraPx/hdiwopQ8NltSfZCyu/jPpWFK28TR8yfVlzYFwibj5WK + dHM7ZTqlA1tHIG+agyPf3Rae0jPMsHR6q+arXVwMccyOi+ULU0z8mHUJ3iEMIrpT + X+80KaN/ZjibfsBOCjcfiJSB/acn4nxQQgNZigna32velafhQivsNREFeJpzENiG + HOoyC6qVeOgKrRiKxzymj0FIMLru/iFF5pSWcBQB7PYlt8J0G80lAcPr6VCiN+4c + NKv03SdvA69dCOj79PuO9IIvQsJXsSq96HB+TeEmmL+xSdpGtGdCJHHM1fDeCqkZ + hT+RtBGQL2SEdWjxbF43oQopocT8cHvyX6Zaltn0svoGs+wX3Z/H6/8P5anog43U + 65c0A+64Jj00rNDr8j31izhtQMRo892kGeQAaaxg4Pz6HnS7hRC+cOMHUU4HA7iM + zHrouAdYeTZeZEQOA7SxtCME9ZnGwe2grxPXh/U/80WJGkzLFNcTKdv+rwARAQAB + tDdEb2NrZXIgUmVsZWFzZSBUb29sIChyZWxlYXNlZG9ja2VyKSA8ZG9ja2VyQGRv + Y2tlci5jb20+iQI4BBMBAgAiBQJVpZ9uAhsvBgsJCAcDAgYVCAIJCgsEFgIDAQIe + AQIXgAAKCRD3YiFXLFJgnbRfEAC9Uai7Rv20QIDlDogRzd+Vebg4ahyoUdj0CH+n + Ak40RIoq6G26u1e+sdgjpCa8jF6vrx+smpgd1HeJdmpahUX0XN3X9f9qU9oj9A4I + 1WDalRWJh+tP5WNv2ySy6AwcP9QnjuBMRTnTK27pk1sEMg9oJHK5p+ts8hlSC4Sl + uyMKH5NMVy9c+A9yqq9NF6M6d6/ehKfBFFLG9BX+XLBATvf1ZemGVHQusCQebTGv + 0C0V9yqtdPdRWVIEhHxyNHATaVYOafTj/EF0lDxLl6zDT6trRV5n9F1VCEh4Aal8 + L5MxVPcIZVO7NHT2EkQgn8CvWjV3oKl2GopZF8V4XdJRl90U/WDv/6cmfI08GkzD + YBHhS8ULWRFwGKobsSTyIvnbk4NtKdnTGyTJCQ8+6i52s+C54PiNgfj2ieNn6oOR + 7d+bNCcG1CdOYY+ZXVOcsjl73UYvtJrO0Rl/NpYERkZ5d/tzw4jZ6FCXgggA/Zxc + jk6Y1ZvIm8Mt8wLRFH9Nww+FVsCtaCXJLP8DlJLASMD9rl5QS9Ku3u7ZNrr5HWXP + HXITX660jglyshch6CWeiUATqjIAzkEQom/kEnOrvJAtkypRJ59vYQOedZ1sFVEL + MXg2UCkD/FwojfnVtjzYaTCeGwFQeqzHmM241iuOmBYPeyTY5veF49aBJA1gEJOQ + TvBR8Q== + =Fm3p + -----END PGP PUBLIC KEY BLOCK----- + additional: + - ceph-common + - curl + - jq + required: + runtime: docker-engine + socat: socat validation: pod_logs: image: *busybox diff --git a/promenade/schemas/HostSystem.yaml b/promenade/schemas/HostSystem.yaml index d548ca9a..9d145ea8 100644 --- a/promenade/schemas/HostSystem.yaml 
+++ b/promenade/schemas/HostSystem.yaml
@@ -139,13 +139,13 @@ data:
 required:
 type: object
 properties:
- docker:
- $ref: '#/definitions/package'
+ oneOf:
+ - docker:
+ $ref: '#/definitions/package'
+ - runtime:
+ $ref: '#/definitions/package'
 socat:
 $ref: '#/definitions/package'
- required:
- - docker
- - socat
 additionalProperties: false
 repositories:
@@ -172,13 +172,13 @@ data:
 required:
 type: object
 properties:
- docker:
- $ref: '#/definitions/package'
+ oneOf:
+ - docker:
+ $ref: '#/definitions/package'
+ - runtime:
+ $ref: '#/definitions/package'
 socat:
 $ref: '#/definitions/package'
- required:
- - docker
- - socat
 additionalProperties: false
 repositories:
@@ -205,13 +205,13 @@ data:
 required:
 type: object
 properties:
- docker:
- $ref: '#/definitions/package'
+ oneOf:
+ - docker:
+ $ref: '#/definitions/package'
+ - runtime:
+ $ref: '#/definitions/package'
 socat:
 $ref: '#/definitions/package'
- required:
- - docker
- - socat
 additionalProperties: false
 repositories:
diff --git a/promenade/templates/include/up.sh b/promenade/templates/include/up.sh
index ad37fb7f..e237a253 100644
--- a/promenade/templates/include/up.sh
+++ b/promenade/templates/include/up.sh
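Review bot: `oneOf` is placed under `properties` in the `required` object schema at -139 (and identically at -172 and -205), where JSON Schema reads it as a property literally named `oneOf` rather than as an alternation, and its array value is not even a valid subschema. At the same time the old `required: [docker, socat]` list was deleted, so the schema now mandates neither a runtime package nor socat, and with `additionalProperties: false` and neither `docker` nor `runtime` declared as a property, a validator that evaluates this schema literally would reject documents using either key — I can't tell from the hunk whether promenade runs `check_schema`, which would already flag the array-valued property schema. Declare both package keys as properties, keep `socat` required, and express the docker-or-runtime choice as a top-level `oneOf` of `required` lists; that form also rejects documents that set both, which up.sh would otherwise resolve silently by installing only `docker`. The same rewrite applies to the two following hunks.
```yaml
required:
  type: object
  properties:
    docker:
      $ref: '#/definitions/package'
    runtime:
      $ref: '#/definitions/package'
    socat:
      $ref: '#/definitions/package'
  required:
    - socat
  # exactly one container runtime package must be named
  oneOf:
    - required:
        - docker
    - required:
        - runtime
  additionalProperties: false
```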
@@ -91,25 +91,27 @@ while true; do
 done
 {% for role in roles %}
- {%- if config['HostSystem:packages.' + role + '.repositories'] is defined %}
- while true; do
- if ! DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
- {%- for package in config['HostSystem:packages.' + role + '.additional'] | default([]) %}
- {{ package }} \
- {%- endfor %}
+ while true; do
+ if ! DEBIAN_FRONTEND=noninteractive apt-get install -o Dpkg::Options::="--force-confold" -y --no-install-recommends \
+ {%- for package in config['HostSystem:packages.' + role + '.additional'] | default([]) %}
+ {{ package }} \
+ {%- endfor %}
+ {%- if config['HostSystem:packages.' + role + '.required.docker'] is defined %}
 {{ config['HostSystem:packages.' + role + '.required.docker'] }} \
- {{ config['HostSystem:packages.' + role + '.required.socat'] }}; then
- now=$(date +%s)
- if [[ ${now} -gt ${end} ]]; then
- log Failed to install apt packages.
- exit 1
- fi
- sleep 10
- else
- break
+ {%- elif config['HostSystem:packages.' + role + '.required.runtime'] is defined %}
+ {{ config['HostSystem:packages.' + role + '.required.runtime'] }} \
+ {%- endif %}
+ {{ config['HostSystem:packages.' + role + '.required.socat'] }}; then
+ now=$(date +%s)
+ if [[ ${now} -gt ${end} ]]; then
+ log Failed to install apt packages.
+ exit 1
 fi
+ sleep 10
+ else
+ break
+ fi
+ done
 {% endfor %}
 # Start core processes
@@ -126,6 +128,11 @@ systemctl {{ a }} {{ u }}
 {% endfor %}
 {% endfor %}
-systemctl restart docker || true
+if systemctl -q is-enabled docker > /dev/null 2>&1; then
+ systemctl restart docker || true
+fi
+if systemctl -q is-enabled containerd > /dev/null 2>&1; then
+ systemctl restart containerd || true
+fi
 systemctl enable kubelet
 systemctl restart kubelet
diff --git a/tools/g2/lib/virsh.sh b/tools/g2/lib/virsh.sh
index e23c6f8c..d1bcd21d 100644
--- a/tools/g2/lib/virsh.sh
+++ b/tools/g2/lib/virsh.sh
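Review bot: The `{%- if config['HostSystem:packages.' + role + '.repositories'] is defined %}` guard around the install loop was dropped, so the apt-get block now renders for every role, and for a role with no `packages` section the unconditional `{{ config['HostSystem:packages.' + role + '.required.socat'] }}` lookup has nothing to expand — whether that renders empty or fails depends on the config object's lookup behaviour, which is not visible here. When a document sets both `required.docker` and `required.runtime`, the new if/elif installs only the docker package and says nothing; since the schema is meant to make the two alternatives exclusive, the template should not mask that case. The added `-o Dpkg::Options::="--force-confold"` is a behaviour change the commit message does not mention: it keeps locally modified conffiles on upgrade, which avoids prompts under noninteractive apt but also means a package's updated defaults never land, so it deserves a comment such as `# keep existing conffiles on upgrade: avoids dpkg prompts under noninteractive apt`. The surrounding genesis/join script continues outside both hunks.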
@@ -138,6 +138,8 @@ vm_create() {
 ssh_wait "${NAME}"
 ssh_cmd "${NAME}" sync
+ # docker enables forwarding, containerd - does not
+ ssh_cmd "${NAME}" sysctl net.ipv4.conf.all.forwarding=1
 }
 vm_create_all() {
diff --git a/tools/zuul/playbooks/deploy-promenade-containerd.yaml b/tools/zuul/playbooks/deploy-promenade-containerd.yaml
new file mode 100644
index 00000000..f6afb87e
--- /dev/null
+++ b/tools/zuul/playbooks/deploy-promenade-containerd.yaml
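Review bot: `sysctl net.ipv4.conf.all.forwarding=1` only changes the running value, so it is lost on the next reboot of the VM, and it lives in the g2 test harness rather than in node provisioning, so a containerd deployment built from `examples/containerd` outside this harness would presumably come up without forwarding and pod traffic would not be routed. If promenade's HostSystem document supports sysctl settings, that is where this belongs (persisted under /etc/sysctl.d); otherwise up.sh should apply it next to the containerd restart. The comment could also state the reason rather than only the observation, e.g. `# containerd does not turn on IP forwarding the way dockerd does; kube-proxy/CNI need it`. `vm_create` starts outside the hunk.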
@@ -0,0 +1,73 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- hosts: primary
+ vars:
+ env:
+ HTTP_PROXY: ""
+ HTTPS_PROXY: ""
+ NO_PROXY: ""
+ PROMENADE_TMP_LOCAL: "cache"
+ become: true
+ tasks:
+ - name: Install docker
+ command: apt-get install docker.io resolvconf -y
+
+ - name: Generate configuration files
+ shell: |
+ set -xe;
+ ./tools/dev-build.sh examples/containerd generate-certs replace {{ ansible_default_ipv4.interface }}
+ args:
+ chdir: "{{ zuul.project.src_dir }}"
+ executable: /bin/bash
+ environment: "{{env}}"
+
+ - name: Generate certificate files
+ shell: |
+ set -xe;
+ ./tools/dev-build.sh generate-certs
+ args:
+ chdir: "{{ zuul.project.src_dir }}"
+ executable: /bin/bash
+ environment: "{{env}}"
+
+ - name: Copy build files and generated certificates to build-all
+ command: "mv {{ zuul.project.src_dir }}/build {{ zuul.project.src_dir }}/build-all"
+
+ - name: Build genesis script
+ shell: |
+ set -xe;
+ ./tools/dev-build.sh build-all
+ args:
+ chdir: "{{ zuul.project.src_dir }}"
+ executable: /bin/bash
+ environment: "{{env}}"
+
+ - name: Deploying genesis
+ shell: |
+ set -xe;
+ ./build/genesis.sh
+ args:
+ chdir: "{{ zuul.project.src_dir }}"
+ executable: /bin/bash
+
+ - name: Validating genesis
+ shell: |
+ set -xe;
+ ./build/validate-genesis.sh
+ args:
+ chdir: "{{ zuul.project.src_dir }}"
+ executable: /bin/bash
+ register: result
+ retries: 3
+ delay: 10
+ until: result.rc == 0
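Review bot: `Install docker` pulls in `docker.io` on the containerd gate without saying why, and because the same `primary` host is then the genesis node, the deployed node ends up with dockerd enabled and running beside containerd (presumably the reason up.sh now guards both restarts with `is-enabled`). If docker is needed only because `tools/dev-build.sh` runs the promenade image, a comment on the task should say so, e.g. `# docker is needed on the build host by tools/dev-build.sh; the deployed runtime is containerd (examples/containerd)`. The task also shells out with `command: apt-get install docker.io resolvconf -y`, relying on the image's apt cache being current; the `apt` module with `name: [docker.io, resolvconf]` and `update_cache: true` is the idiomatic, idempotent form.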