
Commit fd7e20b

authored
Ignition service for bootstrapping kubeadm and kubelet. (#8)
* Ignition service for bootstrapping kubeadm and kubelet. * Provide containerd config. * Deploy more stuff from Ansible. * Typo * Install as binary, GPG does not work easily without tty.
1 parent cfba940 commit fd7e20b


12 files changed

+222
-73
lines changed


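--- a/README.md
+++ b/README.md
@@ -11,9 +11,7 @@
 ```bash
 make -C capi-lab
 eval $(make -C capi-lab --silent dev-env)
-kubectl apply -f ../firewall-controller-manager/config/crds
-kubectl create -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.77.1/bundle.yaml
-clusterctl init
+EXP_KUBEADM_BOOTSTRAP_FORMAT_IGNITION=true clusterctl init
 make push-to-capi-lab
 
 kubectl apply -k config/samples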

capi-lab/deploy.yaml

Lines changed: 8 additions & 0 deletions
@@ -3,8 +3,16 @@
33
hosts: localhost
44
connection: local
55
gather_facts: false
6+
vars:
7+
setup_yaml:
8+
- url: https://raw.githubusercontent.com/metal-stack/releases/develop/release.yaml
9+
meta_var: metal_stack_release
610
roles:
711
- name: ansible-common
812
- name: metal-roles
913
- name: cert-manager
14+
- name: prometheus
15+
- name: firewall-controller-manager
16+
vars:
17+
firewall_controller_manager_namespace: cap-metal-stack
1018
- name: cluster-api-provider-metal-stack
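Review bot: The new `setup_yaml` entry fetches `https://raw.githubusercontent.com/metal-stack/releases/develop/release.yaml`, a moving branch, so the component versions loaded into `metal_stack_release` change whenever `develop` moves and two runs of the lab can end up on different tags. Pinning the URL to a release tag, or making the ref a variable with a pinned default such as `metal_stack_release_ref: "<release-tag>"` and building the URL from it, keeps the lab reproducible and makes future bumps visible in review. The enclosing play starts before this hunk.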

capi-lab/firewall-rules.yaml

Lines changed: 23 additions & 0 deletions
@@ -0,0 +1,23 @@
1+
egress:
2+
- comment: allow outgoing traffic for HTTP and HTTPS and DNS
3+
ports:
4+
- 443
5+
- 80
6+
- 53
7+
protocol: TCP
8+
to:
9+
- 0.0.0.0/0
10+
- comment: allow outgoing DNS and NTP via UDP
11+
ports:
12+
- 53
13+
- 123
14+
protocol: UDP
15+
to:
16+
- 0.0.0.0/0
17+
ingress:
18+
- comment: allow incoming HTTPS to kube-apiserver
19+
ports:
20+
- 443
21+
protocol: TCP
22+
from:
23+
- 0.0.0.0/0
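Review bot: The ingress rule at the end of the file opens TCP 443 to the kube-apiserver from `0.0.0.0/0`, so the API server is reachable from every source the firewall's public network can see; API authentication still applies, but the exposed surface is unrestricted and nothing in the file says this is a lab-only choice. If it is intentional, record it in the rule itself, e.g. `- comment: allow incoming HTTPS to kube-apiserver (lab only; narrow 'from' to known operator ranges outside the lab)`; otherwise replace the `0.0.0.0/0` under `from` with the operator's source range. The egress rules (TCP 80/443/53 and UDP 53/123 to anywhere) match what the bootstrap downloads in this commit need, so they look consistent with the rest of the change.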

capi-lab/requirements.yaml

Lines changed: 1 addition & 1 deletion
@@ -6,4 +6,4 @@
66
version: v0.2.9
77
- src: https://github.com/metal-stack/metal-roles
88
name: metal-roles
9-
version: v0.14.2
9+
version: v0.14.5
Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,2 @@
1+
---
2+
firewall_controller_manager_namespace: "firewall-controller-manager"
Lines changed: 29 additions & 0 deletions
@@ -0,0 +1,29 @@
1+
---
2+
- name: Gather release versions
3+
setup_yaml:
4+
5+
- name: Create namespace
6+
k8s:
7+
definition:
8+
apiVersion: v1
9+
kind: Namespace
10+
metadata:
11+
name: "{{ firewall_controller_manager_namespace }}"
12+
labels:
13+
name: "{{ firewall_controller_manager_namespace }}"
14+
15+
- name: Deploy firewall-controller-manager CRDs
16+
k8s:
17+
definition: "{{ lookup('url', 'https://raw.githubusercontent.com/metal-stack/firewall-controller-manager/refs/tags/' + firewall_controller_manager_image_tag + '/config/crds/' + item, split_lines=False) }}"
18+
namespace: "{{ firewall_controller_manager_namespace }}"
19+
loop:
20+
- firewall.metal-stack.io_firewalldeployments.yaml
21+
- firewall.metal-stack.io_firewallmonitors.yaml
22+
- firewall.metal-stack.io_firewalls.yaml
23+
- firewall.metal-stack.io_firewallsets.yaml
24+
25+
# - name: Deploy firewall-controller-manager
26+
# k8s:
27+
# definition:
28+
29+
# namespace: "{{ firewall_controller_manager_namespace }}"
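Review bot: The task list ends with a commented-out `Deploy firewall-controller-manager` task (lines 25-29 of the file), so this role applies only the CRDs and never deploys the controller, and nothing says whether that is deliberate or unfinished. Either complete the task or replace the dead block with a single comment such as `# TODO: deploy firewall-controller-manager itself; only the CRDs are applied for now` so the gap is visible to whoever runs the lab. `firewall_controller_manager_image_tag`, used to build the CRD URL in the `lookup('url', …)` at line 17, is not defined in any vars file visible in this commit; presumably `setup_yaml` derives it from `metal_stack_release`, which would be worth stating in a comment on the `Gather release versions` task.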
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
---
2+
prometheus_namespace: prometheus
3+
prometheus_helm_chart_version: "66.2.1"
Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
---
2+
- name: Create namespace
3+
k8s:
4+
definition:
5+
apiVersion: v1
6+
kind: Namespace
7+
metadata:
8+
name: "{{ prometheus_namespace }}"
9+
labels:
10+
name: "{{ prometheus_namespace }}"
11+
12+
- name: Deploy Prometheus
13+
include_role:
14+
name: ansible-common/roles/helm-chart
15+
vars:
16+
helm_chart: kube-prometheus-stack
17+
helm_repo: https://prometheus-community.github.io/helm-charts
18+
helm_force: false
19+
helm_release_name: kube-prometheus-stack
20+
helm_target_namespace: "{{ prometheus_namespace }}"
21+
helm_chart_version: "{{ prometheus_helm_chart_version }}"
22+
# helm_value_file_template: values.yaml
Lines changed: 121 additions & 0 deletions
@@ -0,0 +1,121 @@
1+
---
2+
apiVersion: cluster.x-k8s.io/v1beta1
3+
kind: Cluster
4+
metadata:
5+
name: metal-test
6+
spec:
7+
clusterNetwork:
8+
pods:
9+
cidrBlocks: ["192.168.0.0/16"]
10+
controlPlaneRef:
11+
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
12+
kind: KubeadmControlPlane
13+
name: metal-test-controlplane
14+
infrastructureRef:
15+
apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
16+
kind: MetalStackCluster
17+
name: metal-test
18+
---
19+
apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
20+
kind: MetalStackCluster
21+
metadata:
22+
name: metal-test
23+
spec:
24+
projectID: 00000000-0000-0000-0000-000000000001
25+
partition: mini-lab
26+
firewall:
27+
size: v1-small-x86
28+
image: firewall-ubuntu-3.0
29+
networks:
30+
- internet-mini-lab
31+
---
32+
apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
33+
kind: MetalStackMachineTemplate
34+
metadata:
35+
name: metal-test-controlplane
36+
spec:
37+
template:
38+
spec:
39+
image: ubuntu-24.04
40+
size: v1-small-x86
41+
---
42+
kind: KubeadmControlPlane
43+
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
44+
metadata:
45+
name: metal-test-controlplane
46+
spec:
47+
replicas: 1
48+
version: v1.30.6
49+
machineTemplate:
50+
nodeDrainTimeout: 10m
51+
infrastructureRef:
52+
kind: MetalStackMachineTemplate
53+
apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
54+
name: metal-test-controlplane
55+
kubeadmConfigSpec:
56+
format: ignition
57+
clusterConfiguration:
58+
controlPlaneEndpoint: 203.0.113.129:443
59+
initConfiguration:
60+
localAPIEndpoint:
61+
advertiseAddress: 10.0.0.2
62+
bindPort: 443
63+
nodeRegistration: {}
64+
joinConfiguration:
65+
controlPlane: {}
66+
nodeRegistration: {}
67+
ignition:
68+
containerLinuxConfig:
69+
additionalConfig: |
70+
systemd:
71+
units:
72+
- name: cluster-api-init.service
73+
enable: true
74+
contents: |-
75+
[Unit]
76+
Description=Prepares the node for bootstrapping with cluster-api kubeadm
77+
Before=kubeadm.service
78+
After=network-online.target
79+
Wants=network-online.target
80+
[Service]
81+
Type=oneshot
82+
Restart=on-failure
83+
RestartSec=5
84+
StartLimitBurst=0
85+
EnvironmentFile=/etc/environment
86+
ExecStart=/var/lib/cluster-api-init/bootstrap.sh
87+
[Install]
88+
WantedBy=multi-user.target
89+
files:
90+
- path: /var/lib/cluster-api-init/bootstrap.sh
91+
owner: "root:root"
92+
permissions: "0744"
93+
content: |
94+
#!/usr/bin/env bash
95+
set -eo pipefail
96+
set +x
97+
98+
apt update
99+
apt install conntrack
100+
101+
CNI_PLUGINS_VERSION="v1.3.0"
102+
DEST="/opt/cni/bin"
103+
mkdir -p "$DEST"
104+
curl -L "https://github.com/containernetworking/plugins/releases/download/${CNI_PLUGINS_VERSION}/cni-plugins-linux-amd64-${CNI_PLUGINS_VERSION}.tgz" | sudo tar -C "$DEST" -xz
105+
106+
RELEASE="v1.30.6"
107+
cd /usr/local/bin
108+
sudo curl -L --remote-name-all https://dl.k8s.io/release/${RELEASE}/bin/linux/amd64/{kubeadm,kubelet,kubectl}
109+
sudo chmod +x {kubeadm,kubelet,kubectl}
110+
111+
RELEASE_VERSION="v0.16.2"
112+
curl -sSL "https://raw.githubusercontent.com/kubernetes/release/${RELEASE_VERSION}/cmd/krel/templates/latest/kubelet/kubelet.service" | sed "s:/usr/bin:/usr/local/bin:g" | sudo tee /usr/lib/systemd/system/kubelet.service
113+
sudo mkdir -p /usr/lib/systemd/system/kubelet.service.d
114+
curl -sSL "https://raw.githubusercontent.com/kubernetes/release/${RELEASE_VERSION}/cmd/krel/templates/latest/kubeadm/10-kubeadm.conf" | sed "s:/usr/bin:/usr/local/bin:g" | sudo tee /usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf
115+
116+
systemctl enable kubelet.service
117+
- path: /etc/containerd/config.toml
118+
owner: "root:root"
119+
permissions: "0644"
120+
content: |
121+
disabled_plugins = []
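Review bot: `bootstrap.sh` installs kubeadm, kubelet, kubectl and the CNI plugins from downloaded binaries without verifying them: the `curl | sudo tar` and `sudo curl -L --remote-name-all` lines at file lines 104 and 108 fetch over HTTPS but check no digest, so a wrong or truncated download becomes an executable on the control-plane node. The commit message drops GPG because it needs a tty; the `.sha256` files published next to each artifact on dl.k8s.io (and alongside the CNI plugins release archive) need no tty and give the same integrity check with `sha256sum --check`, as sketched below. Two smaller points in the same script: `apt install conntrack` has no `-y`, so under the non-interactive oneshot unit apt would abort if it has to prompt (this depends on whether extra packages get pulled in), and `RELEASE="v1.30.6"` duplicates `version: v1.30.6` on the KubeadmControlPlane, so the two can drift on the next upgrade.
```yaml
        content: |
          # … unchanged: shebang, set -eo pipefail, CNI plugin install …
          RELEASE="v1.30.6"
          cd /usr/local/bin
          sudo curl -L --remote-name-all https://dl.k8s.io/release/${RELEASE}/bin/linux/amd64/{kubeadm,kubelet,kubectl}
          sudo curl -L --remote-name-all https://dl.k8s.io/release/${RELEASE}/bin/linux/amd64/{kubeadm,kubelet,kubectl}.sha256
          # published digest files hold only the hex digest, so the filename is supplied here
          for bin in kubeadm kubelet kubectl; do
            echo "$(cat "${bin}.sha256")  ${bin}" | sha256sum --check
          done
          sudo chmod +x {kubeadm,kubelet,kubectl}
          # … unchanged: kubelet unit and drop-in install, systemctl enable …
```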

config/samples/example.yaml

Lines changed: 0 additions & 61 deletions
This file was deleted.
