From 1201fd97c2f78fbcf04ab02c1d6297e0e9433315 Mon Sep 17 00:00:00 2001 From: Neil Hickey Date: Thu, 1 Jul 2021 15:27:35 -0600 Subject: [PATCH 1/8] Merge kubo-deployment into kubo-release 
Signed-off-by: Neil Hickey --- manifests/README.md | 136 ++++ manifests/cfcr.yml | 585 ++++++++++++++++++ .../iaas/aws/use-vm-extensions.yml | 9 + .../iaas/azure/use-vm-extensions.yml | 24 + .../iaas/gcp/use-vm-extensions.yml | 8 + .../iaas/vsphere/use-vm-extensions.yml | 5 + .../add-hostname-to-master-certificate.yml | 3 + manifests/ops-files/add-oidc-endpoint.yml | 31 + manifests/ops-files/add-proxy.yml | 47 ++ manifests/ops-files/add-syslog-tls.yml | 12 + manifests/ops-files/add-syslog.yml | 21 + .../ops-files/add-vm-extensions-to-master.yml | 3 + manifests/ops-files/addons-spec.yml | 3 + .../ops-files/allow-privileged-containers.yml | 4 + .../ops-files/change-audit-log-flags.yml | 13 + manifests/ops-files/change-cidrs.yml | 25 + .../ops-files/change-etcd-metrics-url.yml | 8 + .../ops-files/disable-anonymous-auth.yml | 4 + manifests/ops-files/disable-swap.yml | 7 + manifests/ops-files/enable-bbr.yml | 14 + .../ops-files/enable-csi-shared-mounts.yml | 3 + .../ops-files/enable-denyescalatingexec.yml | 4 + .../ops-files/enable-encryption-config.yml | 7 + manifests/ops-files/enable-nfs.yml | 3 + .../ops-files/enable-podsecuritypolicy.yml | 4 + .../ops-files/enable-securitycontextdeny.yml | 4 + .../example-vars-files/add-syslog-tls.yml | 12 + .../example-vars-files/add-syslog.yml | 3 + .../change-audit-log-flags.yml | 3 + .../example-vars-files/fs-inotify-limit.yml | 1 + .../iaas/azure/cloud-provider.yml | 10 + .../iaas/gcp/cloud-provider.yml | 4 + .../iaas/openstack/cloud-provider.yml | 6 + .../iaas/vsphere/cloud-provider.yml | 6 + .../iaas/vsphere/set-working-dir-no-rp.yml | 6 + .../example-vars-files/misc/bootstrap.yml | 3 + .../example-vars-files/misc/oidc.yml | 7 + .../example-vars-files/new-cidrs.yml | 4 + .../example-vars-files/system-specs.yml | 6 + .../iaas/aws/add-master-credentials.yml | 5 + .../iaas/aws/add-worker-credentials.yml | 5 + .../ops-files/iaas/aws/cloud-config/lb.yml | 3 + .../ops-files/iaas/aws/cloud-provider.yml | 54 ++ 
manifests/ops-files/iaas/aws/lb.yml | 5 + .../ops-files/iaas/azure/cloud-config/lb.yml | 3 + .../ops-files/iaas/azure/cloud-provider.yml | 82 +++ manifests/ops-files/iaas/azure/subnet.yml | 12 + manifests/ops-files/iaas/azure/use-cifs.yml | 5 + .../ops-files/iaas/azure/use-credentials.yml | 23 + .../iaas/gcp/add-service-key-master.yml | 7 + .../iaas/gcp/add-service-key-worker.yml | 7 + ...-subnetwork-for-internal-load-balancer.yml | 7 + .../load-balancer-target-pools.yml | 3 + .../remove-service-account-master.yml | 2 + .../remove-service-account-worker.yml | 2 + .../ops-files/iaas/gcp/cloud-provider.yml | 65 ++ .../iaas/openstack/cloud-provider.yml | 70 +++ .../iaas/openstack/master-static-ip.yml | 16 + .../ops-files/iaas/virtualbox/bosh-lite.yml | 25 + .../ops-files/iaas/vsphere/cloud-provider.yml | 64 ++ .../iaas/vsphere/master-static-ip.yml | 6 + .../iaas/vsphere/set-working-dir-no-rp.yml | 3 + .../iaas/vsphere/use-vm-extensions.yml | 5 + .../iaas/vsphere/windows/cloud-provider.yml | 13 + .../vsphere/windows/use-vm-extensions.yml | 5 + manifests/ops-files/kubo-local-release.yml | 6 + manifests/ops-files/misc/bootstrap.yml | 23 + manifests/ops-files/misc/deployment-name.yml | 4 + manifests/ops-files/misc/dev.yml | 5 + .../ops-files/misc/first-time-deploy.yml | 3 + .../ops-files/misc/local-config-server.yml | 8 + manifests/ops-files/misc/scale-to-one-az.yml | 23 + manifests/ops-files/misc/single-master.yml | 3 + manifests/ops-files/misc/small-vm.yml | 9 + manifests/ops-files/misc/version.yml | 5 + .../ops-files/non-precompiled-releases.yml | 19 + manifests/ops-files/rename.yml | 3 + .../ops-files/set-certificate-duration.yml | 45 ++ manifests/ops-files/set-fs-inotify-limit.yml | 23 + manifests/ops-files/use-hostgw.yml | 8 + .../use-persistent-disk-for-workers.yml | 7 + manifests/ops-files/use-vm-extensions.yml | 9 + manifests/ops-files/vm-types.yml | 11 + manifests/ops-files/windows/add-worker.yml | 104 ++++ manifests/ops-files/windows/change-cidrs.yml | 12 + 
manifests/ops-files/windows/enable-rdp.yml | 30 + manifests/ops-files/windows/pause-image.yml | 4 + .../ops-files/windows/scale-to-one-az.yml | 7 + manifests/ops-files/windows/use-hostgw.yml | 4 + manifests/ops-files/windows/use-overlay.yml | 7 + manifests/ops-files/windows/vm-types.yml | 3 + manifests/ops-files/worker_count.yml | 3 + spec/test_cert_duration_ops_file_spec.rb | 27 + 93 files changed, 1970 insertions(+) create mode 100644 manifests/README.md create mode 100644 manifests/cfcr.yml create mode 100644 manifests/cloud-config/iaas/aws/use-vm-extensions.yml create mode 100644 manifests/cloud-config/iaas/azure/use-vm-extensions.yml create mode 100644 manifests/cloud-config/iaas/gcp/use-vm-extensions.yml create mode 100644 manifests/cloud-config/iaas/vsphere/use-vm-extensions.yml create mode 100644 manifests/ops-files/add-hostname-to-master-certificate.yml create mode 100644 manifests/ops-files/add-oidc-endpoint.yml create mode 100644 manifests/ops-files/add-proxy.yml create mode 100644 manifests/ops-files/add-syslog-tls.yml create mode 100644 manifests/ops-files/add-syslog.yml create mode 100644 manifests/ops-files/add-vm-extensions-to-master.yml create mode 100644 manifests/ops-files/addons-spec.yml create mode 100644 manifests/ops-files/allow-privileged-containers.yml create mode 100644 manifests/ops-files/change-audit-log-flags.yml create mode 100644 manifests/ops-files/change-cidrs.yml create mode 100644 manifests/ops-files/change-etcd-metrics-url.yml create mode 100644 manifests/ops-files/disable-anonymous-auth.yml create mode 100644 manifests/ops-files/disable-swap.yml create mode 100644 manifests/ops-files/enable-bbr.yml create mode 100644 manifests/ops-files/enable-csi-shared-mounts.yml create mode 100644 manifests/ops-files/enable-denyescalatingexec.yml create mode 100644 manifests/ops-files/enable-encryption-config.yml create mode 100644 manifests/ops-files/enable-nfs.yml create mode 100644 manifests/ops-files/enable-podsecuritypolicy.yml create 
mode 100644 manifests/ops-files/enable-securitycontextdeny.yml create mode 100644 manifests/ops-files/example-vars-files/add-syslog-tls.yml create mode 100644 manifests/ops-files/example-vars-files/add-syslog.yml create mode 100644 manifests/ops-files/example-vars-files/change-audit-log-flags.yml create mode 100644 manifests/ops-files/example-vars-files/fs-inotify-limit.yml create mode 100644 manifests/ops-files/example-vars-files/iaas/azure/cloud-provider.yml create mode 100644 manifests/ops-files/example-vars-files/iaas/gcp/cloud-provider.yml create mode 100644 manifests/ops-files/example-vars-files/iaas/openstack/cloud-provider.yml create mode 100644 manifests/ops-files/example-vars-files/iaas/vsphere/cloud-provider.yml create mode 100644 manifests/ops-files/example-vars-files/iaas/vsphere/set-working-dir-no-rp.yml create mode 100644 manifests/ops-files/example-vars-files/misc/bootstrap.yml create mode 100644 manifests/ops-files/example-vars-files/misc/oidc.yml create mode 100644 manifests/ops-files/example-vars-files/new-cidrs.yml create mode 100644 manifests/ops-files/example-vars-files/system-specs.yml create mode 100644 manifests/ops-files/iaas/aws/add-master-credentials.yml create mode 100644 manifests/ops-files/iaas/aws/add-worker-credentials.yml create mode 100644 manifests/ops-files/iaas/aws/cloud-config/lb.yml create mode 100644 manifests/ops-files/iaas/aws/cloud-provider.yml create mode 100644 manifests/ops-files/iaas/aws/lb.yml create mode 100644 manifests/ops-files/iaas/azure/cloud-config/lb.yml create mode 100644 manifests/ops-files/iaas/azure/cloud-provider.yml create mode 100644 manifests/ops-files/iaas/azure/subnet.yml create mode 100644 manifests/ops-files/iaas/azure/use-cifs.yml create mode 100644 manifests/ops-files/iaas/azure/use-credentials.yml create mode 100644 manifests/ops-files/iaas/gcp/add-service-key-master.yml create mode 100644 manifests/ops-files/iaas/gcp/add-service-key-worker.yml create mode 100644 
manifests/ops-files/iaas/gcp/add-subnetwork-for-internal-load-balancer.yml create mode 100644 manifests/ops-files/iaas/gcp/cloud-config/load-balancer-target-pools.yml create mode 100644 manifests/ops-files/iaas/gcp/cloud-config/remove-service-account-master.yml create mode 100644 manifests/ops-files/iaas/gcp/cloud-config/remove-service-account-worker.yml create mode 100644 manifests/ops-files/iaas/gcp/cloud-provider.yml create mode 100644 manifests/ops-files/iaas/openstack/cloud-provider.yml create mode 100644 manifests/ops-files/iaas/openstack/master-static-ip.yml create mode 100644 manifests/ops-files/iaas/virtualbox/bosh-lite.yml create mode 100644 manifests/ops-files/iaas/vsphere/cloud-provider.yml create mode 100644 manifests/ops-files/iaas/vsphere/master-static-ip.yml create mode 100644 manifests/ops-files/iaas/vsphere/set-working-dir-no-rp.yml create mode 100644 manifests/ops-files/iaas/vsphere/use-vm-extensions.yml create mode 100644 manifests/ops-files/iaas/vsphere/windows/cloud-provider.yml create mode 100644 manifests/ops-files/iaas/vsphere/windows/use-vm-extensions.yml create mode 100644 manifests/ops-files/kubo-local-release.yml create mode 100644 manifests/ops-files/misc/bootstrap.yml create mode 100644 manifests/ops-files/misc/deployment-name.yml create mode 100644 manifests/ops-files/misc/dev.yml create mode 100644 manifests/ops-files/misc/first-time-deploy.yml create mode 100644 manifests/ops-files/misc/local-config-server.yml create mode 100644 manifests/ops-files/misc/scale-to-one-az.yml create mode 100644 manifests/ops-files/misc/single-master.yml create mode 100644 manifests/ops-files/misc/small-vm.yml create mode 100644 manifests/ops-files/misc/version.yml create mode 100644 manifests/ops-files/non-precompiled-releases.yml create mode 100644 manifests/ops-files/rename.yml create mode 100644 manifests/ops-files/set-certificate-duration.yml create mode 100644 manifests/ops-files/set-fs-inotify-limit.yml create mode 100644 
manifests/ops-files/use-hostgw.yml create mode 100644 manifests/ops-files/use-persistent-disk-for-workers.yml create mode 100644 manifests/ops-files/use-vm-extensions.yml create mode 100644 manifests/ops-files/vm-types.yml create mode 100644 manifests/ops-files/windows/add-worker.yml create mode 100644 manifests/ops-files/windows/change-cidrs.yml create mode 100644 manifests/ops-files/windows/enable-rdp.yml create mode 100644 manifests/ops-files/windows/pause-image.yml create mode 100644 manifests/ops-files/windows/scale-to-one-az.yml create mode 100644 manifests/ops-files/windows/use-hostgw.yml create mode 100644 manifests/ops-files/windows/use-overlay.yml create mode 100644 manifests/ops-files/windows/vm-types.yml create mode 100644 manifests/ops-files/worker_count.yml create mode 100644 spec/test_cert_duration_ops_file_spec.rb
diff --git a/manifests/README.md b/manifests/README.md
new file mode 100644
index 00000000..2b7d2e4d
--- /dev/null
+++ b/manifests/README.md
@@ -0,0 +1,136 @@
+# Deploying CFCR
+
+The base manifest "just works" and will deploy a running cluster of Kubernetes:
+
+```
+bosh -d cfcr deploy kubo-deployment/manifests/cfcr.yml
+```
+
+For deeper documentation to deploy CFCR go [here](https://github.com/cloudfoundry-incubator/kubo-release/#deploying-cfcr).
+
+
+## Operator files
+
+### BOSH options
+
+| Name | Purpose | Notes |
+|:--- |:--- |:--- |
+| [`ops-files/rename.yml`](ops-files/rename.yml) | Specify the deployment name | The deployment name is also used for etcd certificates. |
+| [`ops-files/vm-types.yml`](ops-files/vm-types.yml) | Specify the `vm_type` for `master`, `worker` and `apply-addons` instances | By default, `master`, `worker` and `apply-addons` instances assume `vm_type: small`, `vm_type: small-highmem` and `vm_type: minimal`, respectively (`vm_types` that are also assumed to exists by https://github.com/cloudfoundry/cf-deployment manifests). You may want to use bespoke `vm_types` so as to scale them, tag them, or apply unique `cloud_properties` independently of other deployments in the same BOSH environment. |
+| [`ops-files/add-vm-extensions-to-master.yml`](ops-files/add-vm-extensions-to-master.yml) | Add VM Extensions for loadbalancers to master | |
+| [`ops-files/use-vm-extensions.yml`](ops-files/use-vm-extensions.yml) | Configure the `master` and `worker` instance groups on AWS and GCP to consume their respective `vm_extensions` | Only works when used in tandem with the BOSH cloud-configs for AWS or GCP outlined below |
+| [`ops-files/iaas/vsphere/use-vm-extensions.yml`](ops-files/iaas/vsphere/use-vm-extensions.yml) | Configure vSphere `worker` instance groups to consume their respective `vm_extensions` | Only works when used in tandem with the BOSH cloud-config for vSphere outlined below |
+| [`ops-files/worker_count.yml`](ops-files/worker_count.yml) | Specify the count for `worker` instances | By default, 3 `worker` instances.
|
+| [`ops-files/non-precompiled-releases.yml`](ops-files/non-precompiled-releases.yml) | Use non-precompiled releases when deploying CFCR. |
+| [`ops-files/use-persistent-disk-for-workers.yml`](ops-files/use-persistent-disk-for-workers.yml) | Enables persistent disk to store docker data |
+| [`ops-files/disable-swap.yml`](ops-files/disable-swap.yml) | Disables swap on worker VMs |
+
+### BOSH Cloud Config
+
+| Name | Purpose | Notes |
+|:--- |:--- |:--- |
+| **AWS**
+| [`cloud-config/iaas/aws/use-vm-extensions.yml`](cloud-config/iaas/aws/use-vm-extensions.yml) | Configure the cloud-config to control the AWS Cloud Provider using `vm_extensions` | |
+| **GCP**
+| [`cloud-config/iaas/gcp/use-vm-extensions.yml`](cloud-config/iaas/gcp/use-vm-extensions.yml) | Configure the cloud-config to control the GCP Cloud Provider using `vm_extensions` | |
+| **vSphere**
+| [`cloud-config/iaas/vsphere/use-vm-extensions.yml`](cloud-config/iaas/vsphere/use-vm-extensions.yml) | Configure the cloud-config to control the vSphere Cloud Provider using `vm_extensions` | |
+
+### Routing options
+
+| Name | Purpose | Notes |
+|:--- |:--- |:--- |
+| **OpenStack** | | |
+| [`ops-files/iaas/openstack/master-static-ip.yml`](ops-files/iaas/openstack/master-static-ip.yml) | Attach floating IP to Kube API | Assign allocated floating IP to `master` instance. IP included in TLS certificates. |
+| **vSphere** | | |
+| [`ops-files/iaas/vsphere/master-static-ip.yml`](ops-files/iaas/vsphere/master-static-ip.yml) | Assign static IP to Kube API | Assign static IP to `master` instance. IP included in TLS certificates.
|
+| **gcp** | | |
+| [`ops-files/iaas/gcp/add-service-key-master.yml`](ops-files/iaas/gcp/add-service-key-master.yml) | Allow user to specify GCP key instead of service account | |
+| [`ops-files/iaas/gcp/add-service-key-worker.yml`](ops-files/iaas/gcp/add-service-key-worker.yml) | Allow user to specify GCP key instead of service account | |
+
+### Infrastructure
+
+| Name | Purpose | Notes |
+|:--- |:--- |:--- |
+| **AWS** | | |
+| [`ops-files/iaas/aws/cloud-provider.yml`](ops-files/iaas/aws/cloud-provider.yml) | Enable Cloud Provider for AWS | Requires AWS Instance Profiles (not API keys) to grant Kubernetes access to AWS |
+| [`ops-files/iaas/aws/lb.yml`](ops-files/iaas/aws/lb.yml) | Enable instance tagging for AWS | |
+| [`ops-files/iaas/aws/add-master-credentials.yml`](ops-files/iaas/aws/add-master-credentials.yml) | Set AWS credentials for the Kube API and Kube Controller Manager | |
+| [`ops-files/iaas/aws/add-worker-credentials.yml`](ops-files/iaas/aws/add-worker-credentials.yml) | Set AWS credentials for the Kubelet | |
+| **OpenStack** | | |
+| [`ops-files/iaas/openstack/cloud-provider.yml`](ops-files/iaas/openstack/cloud-provider.yml) | Enable Cloud Provider for OpenStack | Enable Cloud Provider for OpenStack |
+| **GCP** | | |
+| [`ops-files/iaas/gcp/cloud-provider.yml`](ops-files/iaas/gcp/cloud-provider.yml) | Enable Cloud Provider for GCP | - |
+| [`ops-files/iaas/gcp/add-subnetwork-for-internal-load-balancer.yml`](ops-files/iaas/gcp/add-subnetwork-for-internal-load-balancer.yml) | Specify subnetwork for GCP | Cloud Provider has to be enabled first |
+| **vSphere** | | |
+| [`ops-files/iaas/vsphere/cloud-provider.yml`](ops-files/iaas/vsphere/cloud-provider.yml) | Enable Cloud Provider for vSphere | - |
+| [`ops-files/iaas/vsphere/set-working-dir-no-rp.yml`](ops-files/iaas/vsphere/set-working-dir-no-rp.yml) | Configure vSphere cloud provider's working dir if there is no resource pool | - |
+| **virtualbox** | | |
+|
[`ops-files/iaas/virtualbox/bosh-lite.yml`](ops-files/iaas/virtualbox/bosh-lite.yml) | Enables CFCR to run on a virtualbox bosh-lite environment | Deploys 1 master and 3 workers. Master is deployed to a static ip: 10.244.0.34 |
+| **Azure** | | |
+| [`ops-files/iaas/azure/cloud-provider.yml`](ops-files/iaas/azure/cloud-provider.yml) | Enable Cloud Provider for Azure | Requires Azure CPI >= v35.5.0 |
+| [`ops-files/iaas/azure/subnet.yml`](ops-files/iaas/azure/subnet.yml) | Changes the subnet | |
+| [`ops-files/iaas/azure/use-cifs.yml`](ops-files/iaas/azure/use-cifs.yml) | Installs CIFS utils and allows using azure-file volume | |
+| [`ops-files/iaas/azure/use-credentials.yml`](ops-files/iaas/azure/use-credentials.yml) | Uses AD credentials instead of Managed Identity | |
+
+### Proxy
+
+| Name | Purpose | Notes |
+|:--- |:--- |:--- |
+| [`ops-files/add-proxy.yml`](ops-files/add-proxy.yml) | Configure HTTP_PROXY, HTTPS_PROXY, and NO_PROXY for Kubernetes components | All Kubernetes components are configured with the `http_proxy`, `https_proxy`, and `no_proxy` environment variables |
+
+### Kubernetes
+
+| Name | Purpose | Notes |
+|:--- |:--- |:--- |
+| [`ops-files/addons-spec.yml`](ops-files/addons-spec.yml) | Addons to be deployed into the Kubernetes cluster | - |
+| [`ops-files/allow-privileged-containers.yml`](ops-files/allow-privileged-containers.yml) | Allows privileged containers for the Kubernetes cluster. | It is not recommended to use privileged containers however some workloads require it. Container privileges can be limited with the SecurityContextDeny admission plugin (set by default in CFCR).
See kubernetes documentation for more information |
+| [`ops-files/disable-anonymous-auth.yml`](ops-files/disable-anonymous-auth.yml) | Disable `anonymous-auth` on the API server | - |
+| [`ops-files/add-oidc-endpoint.yml`](ops-files/add-oidc-endpoint.yml) | Enable OIDC authentication for the Kubernetes cluster | - |
+| [`ops-files/change-cidrs.yml`](ops-files/change-cidrs.yml) | Change POD CIDR and Service Cluster CIDR. This should only be applied to a new cluster, please do not apply to an existing cluster. | Extra Vars Required:
- **first_ip_of_service_cluster_cidr:** Required for TLS certificate of apiserver
- **kubedns_service_ip**: Required for kube dns IP address, needs to be part of service_cluster_cidr |
+| [`ops-files/enable-denyescalatingexec.yml`](ops-files/enable-denyescalatingexec.yml) | Enables the DenyEscalatingExec admission plugin. | This ops-file is recommended for most clusters. | - |
+| [`ops-files/enable-securitycontextdeny.yml`](ops-files/enable-securitycontextdeny.yml) | Enables the SecurityContextDeny admission plugin. | This ops-file is recommended for most clusters. | - |
+| [`ops-files/enable-podsecuritypolicy.yml`](ops-files/enable-podsecuritypolicy.yml) | Enables the PodSecurityPolicy admission plugin. | Please ensure that you have applied an appropriate policy before enabling this plugin. Failure to do so will result in failure of your workloads. |
+| [`ops-files/change-audit-log-flags.yml`](ops-files/change-audit-log-flags.yml) | Changes the kube-apiserver's audit-log flags. See [here](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#log-backend) for more details | Extra Vars Required: [audit-log-example-vars](manifests/ops-files/example-vars-files/change-audit-log-flags.yml) |
+| [`ops-files/add-hostname-to-master-certificate.yml`](ops-files/add-hostname-to-master-certificate.yml) | Add hostname to master certificate | Extra Vars Required:
- **api-hostname:** Required for TLS certificate of apiserver |
+| [`ops-files/enable-encryption-config.yml`](ops-files/enable-encryption-config.yml) | Enable data encryption at rest | Extra Vars Required:
- **encryption-config:** Encryption configuration as described [here](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#understanding-the-encryption-at-rest-configuration). Var value must be the content of the yaml. Easier to define in a `--vars-file` file |
+| [`ops-files/enable-csi-shared-mounts.yml`](ops-files/enable-csi-shared-mounts.yml) | Enable shared mounts in Docker for CSI volumes | - |
+| [`ops-files/use-hostgw.yml`](ops-files/use-hostgw.yml) | Sets the cluster to use host-gw backend in flannel. Necessary for Windows workers. | - |
+| [`ops-files/set-fs-inotify-limit.yml`](ops-files/set-fs-inotify-limit.yml) | Configure fs.inotify.max_user_watches.| Extra Vars Required:
- **fs_inotify_max_user_watches:** Required for configuring the max inotify user watches. |
+
+### Etcd
+
+| Name | Purpose | Notes|
+|:--- |:--- |:--- |
+| [`ops-files/change-etcd-metrics-url.yml`](ops-files/change-etcd-metrics-url.yml) | Change procotol and port of the etcd's metrics endpoint | - |
+
+### Certificates
+
+| Name | Purpose | Notes |
+|:--- |:--- |:--- |
+| [`ops-files/set-certificate-duration.yml`](ops-files/set-certificate-duration.yml) | Set the duration of all generated certificates to a specified duration | Extra Vars Required:
- certificate-duration: Duration, specified in days, for all certificates generated in manifest |
+
+### BOSH Backup & Restore
+
+| Name | Purpose | Notes|
+|:--- |:--- |:--- |
+| [`ops-files/enable-bbr.yml`](ops-files/enable-bbr.yml) | Deploy jobs required to enable BBR. | Only tested with single master. |
+
+### Syslog
+
+| Name | Purpose | Notes |
+|:--- |:--- |:--- |
+| [`ops-files/add-syslog.yml`](ops-files/add-syslog.yml) | Enables forwarding local syslog events in RFC5424 format to a remote syslog endpoint. |
+| [`ops-files/add-syslog-tls.yml`](ops-files/add-syslog-tls.yml) | Requires `add-syslog.yml`. Configure TLS for syslog fowarding. |
+
+### NFS
+
+| Name | Purpose | Notes |
+|:--- |:--- |:--- |
+| [`ops-files/enable-nfs.yml`](ops-files/enable-nfs.yml) | Enables packages to be install on worker vms required for NFS | - |
+
+### Dev
+
+| Name | Purpose | Notes |
+|:--- |:--- |:--- |
+| [`ops-files/kubo-local-release.yml`](ops-files/kubo-local-release.yml) | Deploy a local kubo release located in `../kubo-release` | - |
diff --git a/manifests/cfcr.yml b/manifests/cfcr.yml
new file mode 100644
index 00000000..67f2e712
--- /dev/null
+++ b/manifests/cfcr.yml
@@ -0,0 +1,585 @@ +addons: +- include: + stemcell: + - os: ubuntu-bionic + jobs: + - name: kubo-dns-aliases + release: kubo + name: bosh-dns-aliases +features: + use_dns_addresses: true +instance_groups: +- azs: + - z1 + instances: 1 + jobs: + - name: apply-specs + properties: + addons: + - coredns + - metrics-server + admin-password: ((kubo-admin-password)) + admin-username: admin + api-token: ((kubelet-password)) + tls: + kubernetes: ((tls-kubernetes)) + metrics-server: ((tls-metrics-server)) + release: kubo + lifecycle: errand + name: apply-addons + networks: + - name: default + stemcell: default + vm_type: minimal +- azs: + - z1 + - z2 + - z3 + instances: 3 + jobs: + - name: bpm + release: bpm + - name: flanneld + properties: + tls: + etcdctl: + ca: ((tls-etcdctl-flanneld.ca)) + certificate: ((tls-etcdctl-flanneld.certificate)) + private_key: ((tls-etcdctl-flanneld.private_key)) + provides: + flanneld: + as: worker-flanneld + release: kubo + - name: kube-apiserver + properties: + admin-password: ((kubo-admin-password)) + admin-username: admin + audit-policy: + apiVersion: audit.k8s.io/v1beta1 + kind: Policy + rules: + - level: None + resources: + - group: "" + resources: + - endpoints + - services + - services/status + users: + - system:kube-proxy + verbs: + - watch + - level: None + resources: + - group: "" + resources: + - nodes + - nodes/status + users: + - kubelet + verbs: + - get + - level: None + resources: + - group: "" + resources: + - nodes + - nodes/status + userGroups: + - system:nodes + verbs: + - get + - level: None + namespaces: + - kube-system + resources: + - group: "" + resources: + - endpoints + users: + - system:kube-controller-manager + - system:kube-scheduler + - system:serviceaccount:kube-system:endpoint-controller + verbs: + - get + - update + - level: None + resources: + - group: "" + resources: + - namespaces + - namespaces/status + - namespaces/finalize + users: + - system:apiserver + verbs: + - get + - level: None + resources: + - 
group: metrics.k8s.io + users: + - system:kube-controller-manager + verbs: + - get + - list + - level: None + nonResourceURLs: + - /healthz* + - /version + - /swagger* + - level: None + resources: + - group: "" + resources: + - events + - level: Request + omitStages: + - RequestReceived + resources: + - group: "" + resources: + - nodes/status + - pods/status + userGroups: + - system:nodes + verbs: + - update + - patch + - level: Request + omitStages: + - RequestReceived + users: + - system:serviceaccount:kube-system:namespace-controller + verbs: + - deletecollection + - level: Metadata + omitStages: + - RequestReceived + resources: + - group: "" + resources: + - secrets + - configmaps + - group: authentication.k8s.io + resources: + - tokenreviews + - level: Request + omitStages: + - RequestReceived + resources: + - group: "" + - group: admissionregistration.k8s.io + - group: apiextensions.k8s.io + - group: apiregistration.k8s.io + - group: apps + - group: authentication.k8s.io + - group: authorization.k8s.io + - group: autoscaling + - group: batch + - group: certificates.k8s.io + - group: extensions + - group: metrics.k8s.io + - group: networking.k8s.io + - group: policy + - group: rbac.authorization.k8s.io + - group: settings.k8s.io + - group: storage.k8s.io + verbs: + - get + - list + - watch + - level: RequestResponse + omitStages: + - RequestReceived + resources: + - group: "" + - group: admissionregistration.k8s.io + - group: apiextensions.k8s.io + - group: apiregistration.k8s.io + - group: apps + - group: authentication.k8s.io + - group: authorization.k8s.io + - group: autoscaling + - group: batch + - group: certificates.k8s.io + - group: extensions + - group: metrics.k8s.io + - group: networking.k8s.io + - group: policy + - group: rbac.authorization.k8s.io + - group: settings.k8s.io + - group: storage.k8s.io + - level: Metadata + omitStages: + - RequestReceived + k8s-args: + audit-log-maxage: 0 + audit-log-maxbackup: 7 + audit-log-maxsize: 49 + 
audit-log-path: /var/vcap/sys/log/kube-apiserver/audit.log + audit-policy-file: /var/vcap/jobs/kube-apiserver/config/audit_policy.yml + authorization-mode: RBAC + client-ca-file: /var/vcap/jobs/kube-apiserver/config/kubernetes-ca.pem + disable-admission-plugins: [] + enable-admission-plugins: [] + enable-aggregator-routing: true + enable-bootstrap-token-auth: true + enable-swagger-ui: true + etcd-cafile: /var/vcap/jobs/kube-apiserver/config/etcd-ca.crt + etcd-certfile: /var/vcap/jobs/kube-apiserver/config/etcd-client.crt + etcd-keyfile: /var/vcap/jobs/kube-apiserver/config/etcd-client.key + kubelet-client-certificate: /var/vcap/jobs/kube-apiserver/config/kubelet-client-cert.pem + kubelet-client-key: /var/vcap/jobs/kube-apiserver/config/kubelet-client-key.pem + proxy-client-cert-file: /var/vcap/jobs/kube-apiserver/config/kubernetes.pem + proxy-client-key-file: /var/vcap/jobs/kube-apiserver/config/kubernetes-key.pem + requestheader-allowed-names: aggregator + requestheader-client-ca-file: /var/vcap/jobs/kube-apiserver/config/kubernetes-ca.pem + requestheader-extra-headers-prefix: X-Remote-Extra- + requestheader-group-headers: X-Remote-Group + requestheader-username-headers: X-Remote-User + runtime-config: api/v1 + secure-port: 8443 + service-account-key-file: /var/vcap/jobs/kube-apiserver/config/service-account-public-key.pem + service-cluster-ip-range: 10.100.200.0/24 + storage-media-type: application/json + tls-cert-file: /var/vcap/jobs/kube-apiserver/config/kubernetes.pem + tls-private-key-file: /var/vcap/jobs/kube-apiserver/config/kubernetes-key.pem + token-auth-file: /var/vcap/jobs/kube-apiserver/config/tokens.csv + v: 2 + kube-controller-manager-password: ((kube-controller-manager-password)) + kube-proxy-password: ((kube-proxy-password)) + kube-scheduler-password: ((kube-scheduler-password)) + kubelet-drain-password: ((kubelet-drain-password)) + kubelet-password: ((kubelet-password)) + service-account-public-key: ((service-account-key.public_key)) + tls: + 
kubelet-client: ((tls-kubelet-client))
+ kubernetes:
+ ca: ((tls-kubernetes.ca))
+ certificate: ((tls-kubernetes.certificate))((tls-kubernetes.ca))
+ private_key: ((tls-kubernetes.private_key))
+ release: kubo
+ - name: kube-controller-manager
+ properties:
+ api-token: ((kube-controller-manager-password))
+ cluster-signing: ((kubo_ca))
+ k8s-args:
+ cluster-signing-cert-file: /var/vcap/jobs/kube-controller-manager/config/cluster-signing-ca.pem
+ cluster-signing-key-file: /var/vcap/jobs/kube-controller-manager/config/cluster-signing-key.pem
+ kubeconfig: /var/vcap/jobs/kube-controller-manager/config/kubeconfig
+ root-ca-file: /var/vcap/jobs/kube-controller-manager/config/ca.pem
+ service-account-private-key-file: /var/vcap/jobs/kube-controller-manager/config/service-account-private-key.pem
+ terminated-pod-gc-threshold: 100
+ tls-cert-file: /var/vcap/jobs/kube-controller-manager/config/kube-controller-manager-cert.pem
+ tls-private-key-file: /var/vcap/jobs/kube-controller-manager/config/kube-controller-manager-private-key.pem
+ use-service-account-credentials: true
+ v: 2
+ service-account-private-key: ((service-account-key.private_key))
+ tls:
+ kube-controller-manager: ((tls-kube-controller-manager))
+ kubernetes: ((tls-kubernetes))
+ release: kubo
+ - name: kube-scheduler
+ properties:
+ api-token: ((kube-scheduler-password))
+ k8s-args: null
+ kube-scheduler-configuration:
+ apiVersion: kubescheduler.config.k8s.io/v1alpha1
+ clientConnection:
+ kubeconfig: /var/vcap/jobs/kube-scheduler/config/kubeconfig
+ disablePreemption: false
+ kind: KubeSchedulerConfiguration
+ tls:
+ kubernetes: ((tls-kubernetes))
+ release: kubo
+ - name: kubernetes-roles
+ properties:
+ admin-password: ((kubo-admin-password))
+ admin-username: admin
+ tls:
+ kubernetes: ((tls-kubernetes))
+ release: kubo
+ - name: etcd
+ properties:
+ etcd:
+ dns_suffix: etcd.cfcr.internal
+ tls:
+ etcd:
+ ca: ((etcd_ca.certificate))
+ certificate: ((tls-etcd-v0-29-0.certificate))
+ private_key: ((tls-etcd-v0-29-0.private_key))
+ etcdctl:
+ ca: ((tls-etcdctl-v0-29-0.ca))
+ certificate: ((tls-etcdctl-v0-29-0.certificate))
+ private_key: ((tls-etcdctl-v0-29-0.private_key))
+ etcdctl-root:
+ ca: ((tls-etcdctl-v0-29-0.ca))
+ certificate: ((tls-etcdctl-root.certificate))
+ private_key: ((tls-etcdctl-root.private_key))
+ peer:
+ ca: ((tls-etcd-v0-29-0.ca))
+ certificate: ((tls-etcd-v0-29-0.certificate))
+ private_key: ((tls-etcd-v0-29-0.private_key))
+ users:
+ - name: root
+ password: ((etcd_user_root_password))
+ versions:
+ - v2
+ - name: flanneld
+ password: ((etcd_user_flanneld_password))
+ permissions:
+ read:
+ - /coreos.com/network/*
+ write:
+ - /coreos.com/network/*
+ versions:
+ - v2
+ release: cfcr-etcd
+ - name: smoke-tests
+ release: kubo
+ name: master
+ networks:
+ - name: default
+ persistent_disk: 5120
+ stemcell: default
+ vm_type: small
+- azs:
+ - z1
+ - z2
+ - z3
+ instances: 3
+ jobs:
+ - name: flanneld
+ properties:
+ tls:
+ etcdctl:
+ ca: ((tls-etcdctl-flanneld.ca))
+ certificate: ((tls-etcdctl-flanneld.certificate))
+ private_key: ((tls-etcdctl-flanneld.private_key))
+ release: kubo
+ - name: docker
+ properties:
+ bridge: cni0
+ default_ulimits:
+ - nofile=1048576
+ env: {}
+ flannel: true
+ ip_masq: false
+ iptables: false
+ live_restore: true
+ log_level: error
+ log_options:
+ - max-size=128m
+ - max-file=2
+ storage_driver: overlay2
+ store_dir: /var/vcap/data
+ release: docker
+ - name: kubernetes-dependencies
+ release: kubo
+ - name: kubelet
+ properties:
+ api-token: ((kubelet-password))
+ drain-api-token: ((kubelet-drain-password))
+ k8s-args:
+ cni-bin-dir: /var/vcap/jobs/kubelet/packages/cni/bin
+ container-runtime: docker
+ docker: unix:///var/vcap/sys/run/docker/docker.sock
+ docker-endpoint: unix:///var/vcap/sys/run/docker/docker.sock
+ kubeconfig: /var/vcap/jobs/kubelet/config/kubeconfig
+ network-plugin: cni
+ root-dir: /var/vcap/data/kubelet
+ kubelet-configuration:
+ apiVersion: kubelet.config.k8s.io/v1beta1
+ authentication:
+ anonymous:
+ enabled: false
+ x509:
+ clientCAFile: /var/vcap/jobs/kubelet/config/kubelet-client-ca.pem
+ authorization:
+ mode: Webhook
+ clusterDNS:
+ - 10.100.200.10
+ clusterDomain: cluster.local
+ failSwapOn: false
+ kind: KubeletConfiguration
+ serializeImagePulls: false
+ tlsCertFile: /var/vcap/jobs/kubelet/config/kubelet.pem
+ tlsPrivateKeyFile: /var/vcap/jobs/kubelet/config/kubelet-key.pem
+ tls:
+ kubelet:
+ ca: ((tls-kubelet.ca))
+ certificate: ((tls-kubelet.certificate))((tls-kubelet.ca))
+ private_key: ((tls-kubelet.private_key))
+ kubelet-client-ca:
+ certificate: ((tls-kubelet-client.ca))
+ kubernetes: ((tls-kubernetes))
+ release: kubo
+ - name: kube-proxy
+ properties:
+ api-token: ((kube-proxy-password))
+ kube-proxy-configuration:
+ apiVersion: kubeproxy.config.k8s.io/v1alpha1
+ clientConnection:
+ kubeconfig: /var/vcap/jobs/kube-proxy/config/kubeconfig
+ clusterCIDR: 10.200.0.0/16
+ iptables:
+ masqueradeAll: false
+ masqueradeBit: 14
+ minSyncPeriod: 0s
+ syncPeriod: 30s
+ kind: KubeProxyConfiguration
+ mode: iptables
+ portRange: ""
+ tls:
+ kubernetes: ((tls-kubernetes))
+ release: kubo
+ name: worker
+ networks:
+ - name: default
+ stemcell: default
+ vm_type: small-highmem
+name: cfcr
+releases:
+- name: kubo
+ sha1: 8f7da8665f44e4f7d0ca686fc3c71f4f75e1339c
+ stemcell:
+ os: ubuntu-xenial
+ version: 621.76
+ url: https://storage.googleapis.com/kubo-precompiled-releases/kubo-0.44.0-ubuntu-xenial-621.76-20200716-220634-5482734.tgz
+ version: 0.44.0
+- name: cfcr-etcd
+ sha1: 8b84ed14df94263940e99d849d842545aad3bc0e
+ stemcell:
+ os: ubuntu-bionic
+ version: 1.13
+ url: https://storage.googleapis.com/kubo-precompiled-releases/cfcr-etcd-1.13.0-ubuntu-bionic-1.13-20210629-101434-126328236.tgz
+ version: 1.13.0
+- name: docker
+ sha1: cbc590e3458cb753b936997056eb737eaa26a2ea
+ stemcell:
+ os: ubuntu-bionic
+ version: 1.13
+ url: https://storage.googleapis.com/kubo-precompiled-releases/docker-36.0.2-ubuntu-bionic-1.13-20210629-101148-392442543.tgz
+ version: 36.0.2
+- name: bpm
+ sha1: 0f47cd98a00e65917091f4e0df3d97b45870c404
+ stemcell:
+ os: ubuntu-bionic
+ version: 1.13
+ url: https://storage.googleapis.com/kubo-precompiled-releases/bpm-1.1.12-ubuntu-bionic-1.13-20210629-101856-050958343.tgz
+ version: 1.1.12
+stemcells:
+- alias: default
+ os: ubuntu-bionic
+ version: "1.13"
+update:
+ canaries: 1
+ canary_watch_time: 10000-300000
+ max_in_flight: 1
+ update_watch_time: 10000-300000
+variables:
+- name: kubo-admin-password
+ type: password
+- name: kubelet-password
+ type: password
+- name: kubelet-drain-password
+ type: password
+- name: kube-proxy-password
+ type: password
+- name: kube-controller-manager-password
+ type: password
+- name: kube-scheduler-password
+ type: password
+- name: etcd_user_root_password
+ type: password
+- name: etcd_user_flanneld_password
+ type: password
+- name: kubo_ca
+ options:
+ common_name: ca
+ is_ca: true
+ type: certificate
+- name: tls-kubelet
+ options:
+ alternative_names: []
+ ca: kubo_ca
+ common_name: kubelet.cfcr.internal
+ organization: system:nodes
+ type: certificate
+- name: tls-kubelet-client
+ options:
+ ca: kubo_ca
+ common_name: kube-apiserver.cfcr.internal
+ extended_key_usage:
+ - client_auth
+ organization: system:masters
+ type: certificate
+- name: tls-kubernetes
+ options:
+ alternative_names:
+ - 10.100.200.1
+ - kubernetes
+ - kubernetes.default
+ - kubernetes.default.svc
+ - kubernetes.default.svc.cluster.local
+ - master.cfcr.internal
+ ca: kubo_ca
+ common_name: master.cfcr.internal
+ organization: system:masters
+ type: certificate
+- name: service-account-key
+ type: rsa
+- name: tls-kube-controller-manager
+ options:
+ alternative_names:
+ - localhost
+ - 127.0.0.1
+ ca: kubo_ca
+ common_name: kube-controller-manager
+ extended_key_usage:
+ - server_auth
+ key_usage:
+ - digital_signature
+ - key_encipherment
+ type: certificate
+- name: etcd_ca
+ options:
+ common_name: etcd.ca
+ is_ca: true
+ type: certificate
+- name: tls-etcd-v0-29-0
+ options:
+ ca: etcd_ca
+ common_name: '*.etcd.cfcr.internal'
+ extended_key_usage:
+ - client_auth
+ - server_auth
+ type: certificate
+- name: tls-etcdctl-v0-29-0
+ options:
+ ca: etcd_ca
+ common_name: etcdClient
+ extended_key_usage:
+ - client_auth
+ type: certificate
+- name: tls-etcdctl-root
+ options:
+ ca: etcd_ca
+ common_name: root
+ extended_key_usage:
+ - client_auth
+ type: certificate
+- name: tls-etcdctl-flanneld
+ options:
+ ca: etcd_ca
+ common_name: flanneld
+ extended_key_usage:
+ - client_auth
+ type: certificate
+- name: tls-metrics-server
+ options:
+ alternative_names:
+ - metrics-server.kube-system.svc
+ ca: kubo_ca
+ common_name: metrics-server
+ type: certificate
diff --git a/manifests/cloud-config/iaas/aws/use-vm-extensions.yml b/manifests/cloud-config/iaas/aws/use-vm-extensions.yml
new file mode 100644
index 00000000..4c685a6b
--- /dev/null
+++ b/manifests/cloud-config/iaas/aws/use-vm-extensions.yml
@@ -0,0 +1,9 @@
+vm_extensions:
+- cloud_properties:
+ iam_instance_profile: ((master_iam_instance_profile))
+ elbs:
+ - ((cfcr_master_target_pool))
+ name: ((deployment_name))-master-cloud-properties
+- cloud_properties:
+ iam_instance_profile: ((worker_iam_instance_profile))
+ name: ((deployment_name))-worker-cloud-properties
diff --git a/manifests/cloud-config/iaas/azure/use-vm-extensions.yml b/manifests/cloud-config/iaas/azure/use-vm-extensions.yml
new file mode 100644
index 00000000..c2d860d9
--- /dev/null
+++ b/manifests/cloud-config/iaas/azure/use-vm-extensions.yml
@@ -0,0 +1,24 @@
+vm_extensions:
+- cloud_properties:
+ resource_group_name: ((resource_group_name))
+ load_balancer:
+ name: ((master_load_balancer_name))
+ resource_group_name: ((resource_group_name))
+ security_group:
+ name: ((master_security_group))
+ resource_group_name: ((resource_group_name))
+ managed_identity:
+ type: UserAssigned
+ user_assigned_identity_name: ((master_managed_identity))
+ name: ((deployment_name))-master-cloud-properties
+
+- cloud_properties:
+ resource_group_name: ((resource_group_name))
+ managed_identity:
+ type: UserAssigned
+ user_assigned_identity_name: ((worker_managed_identity))
+ name: ((deployment_name))-worker-cloud-properties
+
+- cloud_properties:
+ resource_group_name: ((resource_group_name))
+ name: ((deployment_name))-apply-addons-cloud-properties
diff --git a/manifests/cloud-config/iaas/gcp/use-vm-extensions.yml b/manifests/cloud-config/iaas/gcp/use-vm-extensions.yml
new file mode 100644
index 00000000..4ac7a7e0
--- /dev/null
+++ b/manifests/cloud-config/iaas/gcp/use-vm-extensions.yml
@@ -0,0 +1,8 @@
+vm_extensions:
+- cloud_properties:
+ backend_service: ((cfcr_backend_service))
+ service_account: ((cfcr_master_service_account_address))
+ name: ((deployment_name))-master-cloud-properties
+- cloud_properties:
+ service_account: ((cfcr_worker_service_account_address))
+ name: ((deployment_name))-worker-cloud-properties
diff --git a/manifests/cloud-config/iaas/vsphere/use-vm-extensions.yml b/manifests/cloud-config/iaas/vsphere/use-vm-extensions.yml
new file mode 100644
index 00000000..bf9a0f88
--- /dev/null
+++ b/manifests/cloud-config/iaas/vsphere/use-vm-extensions.yml
@@ -0,0 +1,5 @@
+vm_extensions:
+- cloud_properties:
+ vmx_options:
+ disk.enableUUID: "1"
+ name: enable-disk-UUID
diff --git a/manifests/ops-files/add-hostname-to-master-certificate.yml b/manifests/ops-files/add-hostname-to-master-certificate.yml
new file mode 100644
index 00000000..e8cdf8ab
--- /dev/null
+++ b/manifests/ops-files/add-hostname-to-master-certificate.yml
@@ -0,0 +1,3 @@
+- type: replace
+ path: /variables/name=tls-kubernetes/options/alternative_names/-
+ value: ((api-hostname))
diff --git a/manifests/ops-files/add-oidc-endpoint.yml b/manifests/ops-files/add-oidc-endpoint.yml
new file mode 100644
index 00000000..de79c861
--- /dev/null
+++ b/manifests/ops-files/add-oidc-endpoint.yml
@@ -0,0 +1,31 @@
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-apiserver/properties/oidc?/ca?
+ value: ((oidc_ca))
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-apiserver/properties/k8s-args?/oidc-ca-file?
+ value: /var/vcap/jobs/kube-apiserver/config/oidc-ca.pem
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-apiserver/properties/k8s-args?/oidc-client-id?
+ value: ((oidc_client_id))
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-apiserver/properties/k8s-args?/oidc-groups-claim?
+ value: ((oidc_groups_claim))
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-apiserver/properties/k8s-args?/oidc-groups-prefix?
+ value: ((oidc_groups_prefix))
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-apiserver/properties/k8s-args?/oidc-issuer-url?
+ value: ((oidc_issuer_url))
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-apiserver/properties/k8s-args?/oidc-username-claim?
+ value: ((oidc_username_claim))
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-apiserver/properties/k8s-args?/oidc-username-prefix?
+ value: ((oidc_username_prefix))
diff --git a/manifests/ops-files/add-proxy.yml b/manifests/ops-files/add-proxy.yml
new file mode 100644
index 00000000..34720fdf
--- /dev/null
+++ b/manifests/ops-files/add-proxy.yml
@@ -0,0 +1,47 @@
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=docker/properties/env/http_proxy?
+ value: ((http_proxy))
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=kubelet/properties/http_proxy?
+ value: ((http_proxy))
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-apiserver/properties/http_proxy?
+ value: ((http_proxy))
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-controller-manager/properties/http_proxy?
+ value: ((http_proxy))
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=docker/properties/env/https_proxy?
+ value: ((https_proxy))
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=kubelet/properties/https_proxy?
+ value: ((https_proxy))
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-apiserver/properties/https_proxy?
+ value: ((https_proxy))
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-controller-manager/properties/https_proxy?
+ value: ((https_proxy))
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=docker/properties/env/no_proxy?
+ value: ((no_proxy))
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=kubelet/properties/no_proxy?
+ value: ((no_proxy))
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-apiserver/properties/no_proxy?
+ value: ((no_proxy))
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-controller-manager/properties/no_proxy?
+ value: ((no_proxy))
diff --git a/manifests/ops-files/add-syslog-tls.yml b/manifests/ops-files/add-syslog-tls.yml
new file mode 100644
index 00000000..e9dd4e0b
--- /dev/null
+++ b/manifests/ops-files/add-syslog-tls.yml
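Review bot: The twelve ops push `((http_proxy))`, `((https_proxy))` and `((no_proxy))` into docker, kubelet, kube-apiserver and kube-controller-manager, but nothing documents what `((no_proxy))` has to cover, and a value that omits the in-cluster endpoints sends API-server, etcd and pod traffic through the proxy. The base manifest in this commit relies on `master.cfcr.internal`, `etcd.cfcr.internal`, service IPs in `10.100.200.x` and the pod CIDR `10.200.0.0/16`, so a header comment such as `# no_proxy must include the *.cfcr.internal names, the service and pod CIDRs and the BOSH director address` would spare the next operator a broken deployment. Whether every one of these jobs actually honours a `no_proxy` property is not visible from the ops file alone.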
@@ -0,0 +1,12 @@
+# requires add-syslog.yml
+- type: replace
+ path: /addons/name=syslog_forwarder/jobs/name=syslog_forwarder/properties/syslog/tls_enabled?
+ value: true
+
+- type: replace
+ path: /addons/name=syslog_forwarder/jobs/name=syslog_forwarder/properties/syslog/permitted_peer?
+ value: ((syslog_permitted_peer))
+
+- type: replace
+ path: /addons/name=syslog_forwarder/jobs/name=syslog_forwarder/properties/syslog/ca_cert?
+ value: ((syslog_ca_cert))
\ No newline at end of file
diff --git a/manifests/ops-files/add-syslog.yml b/manifests/ops-files/add-syslog.yml
new file mode 100644
index 00000000..adcc3aed
--- /dev/null
+++ b/manifests/ops-files/add-syslog.yml
@@ -0,0 +1,21 @@
+- type: replace
+ path: /addons?/-
+ value:
+ name: syslog_forwarder
+ jobs:
+ - name: syslog_forwarder
+ release: syslog
+ properties:
+ syslog:
+ address: ((syslog_address))
+ port: ((syslog_port))
+ transport: ((syslog_transport))
+ forward_files: true
+
+- type: replace
+ path: /releases/-
+ value:
+ name: syslog
+ version: "11.3.2"
+ url: "https://bosh.io/d/github.com/cloudfoundry/syslog-release?v=11.3.2"
+ sha1: "64cf40d44746b50edffa78cb0e0dd6f072fee695"
\ No newline at end of file
diff --git a/manifests/ops-files/add-vm-extensions-to-master.yml b/manifests/ops-files/add-vm-extensions-to-master.yml
new file mode 100644
index 00000000..4303c572
--- /dev/null
+++ b/manifests/ops-files/add-vm-extensions-to-master.yml
@@ -0,0 +1,3 @@
+- type: replace
+ path: /instance_groups/name=master/vm_extensions?/-
+ value: cfcr-master-loadbalancer
diff --git a/manifests/ops-files/addons-spec.yml b/manifests/ops-files/addons-spec.yml
new file mode 100644
index 00000000..1e767ae2
--- /dev/null
+++ b/manifests/ops-files/addons-spec.yml
@@ -0,0 +1,3 @@
+- type: replace
+ path: /instance_groups/name=apply-addons/jobs/name=apply-specs/properties/addons-spec?
+ value: ((addons-spec))
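Review bot: add-syslog-tls.yml is committed without a trailing newline (`\ No newline at end of file`), and the same is true of add-syslog.yml, change-etcd-metrics-url.yml, example-vars-files/add-syslog-tls.yml, example-vars-files/add-syslog.yml, iaas/azure/subnet.yml and the two gcp cloud-config/remove-service-account-*.yml files; yamllint's `new-line-at-end-of-file` flags each, and any later one-line change produces a two-line diff. Add the final newline in all of them. Separately, `tls_enabled: true` is presumably only meaningful when add-syslog.yml's `((syslog_transport))` is a TCP transport, so the existing header could say so: `# requires add-syslog.yml with syslog_transport: tcp`.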
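Review bot: In add-vm-extensions-to-master.yml the value `cfcr-master-loadbalancer` is a hard-coded vm extension name, while every cloud-config added in this commit (cloud-config/iaas/*/use-vm-extensions.yml) names its master extension `((deployment_name))-master-cloud-properties`, so the ops file cannot be paired with any of them unless an extension of that exact name is defined somewhere outside this page. If such a definition exists, a comment should point to it; otherwise make the name a variable, `value: ((master_vm_extension_name))`, or align it with `((deployment_name))-master-cloud-properties`.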
diff --git a/manifests/ops-files/allow-privileged-containers.yml b/manifests/ops-files/allow-privileged-containers.yml
new file mode 100644
index 00000000..9860a81d
--- /dev/null
+++ b/manifests/ops-files/allow-privileged-containers.yml
@@ -0,0 +1,4 @@
+---
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-apiserver/properties/k8s-args/allow-privileged?
+ value: true
diff --git a/manifests/ops-files/change-audit-log-flags.yml b/manifests/ops-files/change-audit-log-flags.yml
new file mode 100644
index 00000000..c1db9863
--- /dev/null
+++ b/manifests/ops-files/change-audit-log-flags.yml
@@ -0,0 +1,13 @@
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-apiserver/properties/k8s-args/audit-log-maxage
+ value: ((audit-log-maxage))
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-apiserver/properties/k8s-args/audit-log-maxbackup
+ value: ((audit-log-maxbackup))
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-apiserver/properties/k8s-args/audit-log-maxsize
+ value: ((audit-log-maxsize))
+
+
diff --git a/manifests/ops-files/change-cidrs.yml b/manifests/ops-files/change-cidrs.yml
new file mode 100644
index 00000000..c8bbcffc
--- /dev/null
+++ b/manifests/ops-files/change-cidrs.yml
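Review bot: `allow-privileged: true` lets any pod that clears admission run as a privileged container, and allow-privileged-containers.yml does not say what is expected to constrain that once it is applied. A header comment naming the companion control keeps the decision visible: `# Privileged pods are then limited only by admission; pair with enable-podsecuritypolicy.yml` (that ops file is added in this same commit). The `---` document start is used here but not in most of the sibling ops files; pick one convention.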
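Review bot: In change-audit-log-flags.yml the three `path`s carry no `?` on the leaf keys, so the ops fail unless `audit-log-maxage`, `audit-log-maxbackup` and `audit-log-maxsize` already exist under the kube-apiserver `k8s-args`; the part of cfcr.yml that would show whether they do is outside this view. If the intent is to tune only values the base manifest already sets, a comment such as `# these keys must already exist in k8s-args; the ops file tunes rather than adds them` stops someone "fixing" it with `?`; if not, the leaf keys need `?` like the other ops files in this commit. The file also ends with two empty lines, which yamllint flags.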
@@ -0,0 +1,25 @@
+---
+- type: replace
+ path: /instance_groups/name=apply-addons/jobs/name=apply-specs/properties/kubedns-service-ip?
+ value: ((kubedns_service_ip))
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-apiserver/properties/k8s-args/service-cluster-ip-range?
+ value: ((service_cluster_cidr))
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=kubelet/properties/kubelet-configuration/clusterDNS?
+ value: [((kubedns_service_ip))]
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=flanneld/properties?/pod-network-cidr?
+ value: ((pod_network_cidr))
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=kube-proxy/properties/kube-proxy-configuration?/clusterCIDR?
+ value: ((pod_network_cidr))
+
+# NOTE: This is required for the default kubernetes service which always runs on first IP address of the service CIDR
+- type: replace
+ path: /variables/name=tls-kubernetes/options/alternative_names/0
+ value: ((first_ip_of_service_cluster_cidr))
diff --git a/manifests/ops-files/change-etcd-metrics-url.yml b/manifests/ops-files/change-etcd-metrics-url.yml
new file mode 100644
index 00000000..5ad9c55f
--- /dev/null
+++ b/manifests/ops-files/change-etcd-metrics-url.yml
@@ -0,0 +1,8 @@
+---
+- type: replace
+ path: /instance_groups/name=master/jobs/name=etcd/properties/etcd?/metrics_protocol?
+ value: ((etcd_metrics_protocol))
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=etcd/properties/etcd?/metrics_port?
+ value: ((etcd_metrics_port))
\ No newline at end of file
diff --git a/manifests/ops-files/disable-anonymous-auth.yml b/manifests/ops-files/disable-anonymous-auth.yml
new file mode 100644
index 00000000..e20f9026
--- /dev/null
+++ b/manifests/ops-files/disable-anonymous-auth.yml
@@ -0,0 +1,4 @@
+---
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-apiserver/properties/k8s-args/anonymous-auth?
+ value: false
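Review bot: `((first_ip_of_service_cluster_cidr))` is supplied independently of `((service_cluster_cidr))` and nothing ties the two together, so a mismatch yields a `tls-kubernetes` SAN that does not cover the kubernetes service IP and in-cluster clients fail certificate verification. The NOTE already explains why the SAN exists; extend it with the constraint: `# first_ip_of_service_cluster_cidr must be the first host address of service_cluster_cidr (see example-vars-files/new-cidrs.yml)`. The replace of `alternative_names/0` also assumes the base manifest keeps the service IP at index 0, which cfcr.yml in this commit does (`10.100.200.1`), so a short comment stating that dependency would protect it from reordering.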
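Review bot: disable-anonymous-auth.yml is the only place anonymous access to the API server is turned off, and whether the base manifest leaves `anonymous-auth` at the upstream default (enabled) is not visible from this hunk; the kubelet in cfcr.yml, by contrast, already ships with `authentication.anonymous.enabled: false`. A header comment stating the default the operator is opting out of makes the effect of applying or skipping the file explicit, e.g. `# kube-apiserver defaults to anonymous-auth=true; unauthenticated requests are then evaluated by RBAC as system:anonymous`.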
diff --git a/manifests/ops-files/disable-swap.yml b/manifests/ops-files/disable-swap.yml
new file mode 100644
index 00000000..ffd42fd8
--- /dev/null
+++ b/manifests/ops-files/disable-swap.yml
@@ -0,0 +1,7 @@
+- type: replace
+ path: /instance_groups/name=worker/env?/bosh?/swap_size?
+ value: 0
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=kubelet/properties/kubelet-configuration/failSwapOn
+ value: true
diff --git a/manifests/ops-files/enable-bbr.yml b/manifests/ops-files/enable-bbr.yml
new file mode 100644
index 00000000..02da7630
--- /dev/null
+++ b/manifests/ops-files/enable-bbr.yml
@@ -0,0 +1,14 @@
+- type: replace
+ path: /instance_groups/name=master/jobs/-
+ value:
+ name: bbr-etcd
+ release: cfcr-etcd
+ properties:
+ bbr:
+ backup_one_restore_all: true
+
+- type: replace
+ path: /instance_groups/name=master/jobs/-
+ value:
+ name: bbr-kube-apiserver
+ release: kubo
diff --git a/manifests/ops-files/enable-csi-shared-mounts.yml b/manifests/ops-files/enable-csi-shared-mounts.yml
new file mode 100644
index 00000000..7e1d7679
--- /dev/null
+++ b/manifests/ops-files/enable-csi-shared-mounts.yml
@@ -0,0 +1,3 @@
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=docker/properties/shared_mounts_enable?
+ value: true
diff --git a/manifests/ops-files/enable-denyescalatingexec.yml b/manifests/ops-files/enable-denyescalatingexec.yml
new file mode 100644
index 00000000..0e22d26f
--- /dev/null
+++ b/manifests/ops-files/enable-denyescalatingexec.yml
@@ -0,0 +1,4 @@
+---
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-apiserver/properties/k8s-args/enable-admission-plugins/-
+ value: DenyEscalatingExec
diff --git a/manifests/ops-files/enable-encryption-config.yml b/manifests/ops-files/enable-encryption-config.yml
new file mode 100644
index 00000000..9dbe4e82
--- /dev/null
+++ b/manifests/ops-files/enable-encryption-config.yml
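Review bot: `DenyEscalatingExec` is an admission plugin that upstream Kubernetes deprecated in 1.13 and removed in 1.18, so whether the kubo 0.44.0 release pinned in cfcr.yml still accepts it depends on its Kubernetes version, which this page does not show; if it does not, kube-apiserver refuses to start on an unknown plugin name. The sibling files enable-podsecuritypolicy.yml and enable-securitycontextdeny.yml have the same shape, and `PodSecurityPolicy` was itself deprecated in 1.21 and removed in 1.25, so each of the three deserves a one-line comment naming the Kubernetes versions it is valid for, e.g. `# DenyEscalatingExec: deprecated in k8s 1.13, removed in 1.18`. All three append to `enable-admission-plugins/-` without `?`, so they also depend on the base `k8s-args` already declaring that list.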
@@ -0,0 +1,7 @@
+---
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-apiserver/properties/encryption-config?
+ value: ((encryption-config))
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-apiserver/properties/k8s-args/encryption-provider-config?
+ value: /var/vcap/jobs/kube-apiserver/config/encryption-config.yml
diff --git a/manifests/ops-files/enable-nfs.yml b/manifests/ops-files/enable-nfs.yml
new file mode 100644
index 00000000..124b3a3b
--- /dev/null
+++ b/manifests/ops-files/enable-nfs.yml
@@ -0,0 +1,3 @@
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=kubernetes-dependencies/properties?/nfs?
+ value: true
diff --git a/manifests/ops-files/enable-podsecuritypolicy.yml b/manifests/ops-files/enable-podsecuritypolicy.yml
new file mode 100644
index 00000000..dc026507
--- /dev/null
+++ b/manifests/ops-files/enable-podsecuritypolicy.yml
@@ -0,0 +1,4 @@
+---
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-apiserver/properties/k8s-args/enable-admission-plugins/-
+ value: PodSecurityPolicy
diff --git a/manifests/ops-files/enable-securitycontextdeny.yml b/manifests/ops-files/enable-securitycontextdeny.yml
new file mode 100644
index 00000000..0cd85b07
--- /dev/null
+++ b/manifests/ops-files/enable-securitycontextdeny.yml
@@ -0,0 +1,4 @@
+---
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-apiserver/properties/k8s-args/enable-admission-plugins/-
+ value: SecurityContextDeny
diff --git a/manifests/ops-files/example-vars-files/add-syslog-tls.yml b/manifests/ops-files/example-vars-files/add-syslog-tls.yml
new file mode 100644
index 00000000..214f5857
--- /dev/null
+++ b/manifests/ops-files/example-vars-files/add-syslog-tls.yml
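Review bot: `((encryption-config))` carries the API server's EncryptionConfiguration, which includes the raw encryption keys, yet enable-encryption-config.yml neither declares it under `/variables` nor notes that it is secret material, so it is likely to end up in a plain vars file on the command line. Add a header comment: `# ((encryption-config)) is the full EncryptionConfiguration YAML including provider keys; source it from CredHub/vars-store, never a committed vars file`. The two ops should also be separated by a blank line like the other ops files in this commit.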
@@ -0,0 +1,12 @@
+syslog_permitted_peer: "*.example.com"
+syslog_ca_cert: |
+ -----BEGIN CERTIFICATE-----
+ MIIFdDCCBFygAwIBAgIQJ2buVutJ846r13Ci/ITeIjANBgkqhkiG9w0BAQwFADBv
+ ...
+ pu/xO28QOG8=
+ -----END CERTIFICATE-----
+ -----BEGIN CERTIFICATE-----
+ MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
+ ...
+ mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
+ -----END CERTIFICATE-----
\ No newline at end of file
diff --git a/manifests/ops-files/example-vars-files/add-syslog.yml b/manifests/ops-files/example-vars-files/add-syslog.yml
new file mode 100644
index 00000000..3b038e9c
--- /dev/null
+++ b/manifests/ops-files/example-vars-files/add-syslog.yml
@@ -0,0 +1,3 @@
+syslog_address: logs.example.com
+syslog_port: 514
+syslog_transport: tcp
\ No newline at end of file
diff --git a/manifests/ops-files/example-vars-files/change-audit-log-flags.yml b/manifests/ops-files/example-vars-files/change-audit-log-flags.yml
new file mode 100644
index 00000000..107339ff
--- /dev/null
+++ b/manifests/ops-files/example-vars-files/change-audit-log-flags.yml
@@ -0,0 +1,3 @@
+audit-log-maxage: 30
+audit-log-maxbackup: 10
+audit-log-maxsize: 100
diff --git a/manifests/ops-files/example-vars-files/fs-inotify-limit.yml b/manifests/ops-files/example-vars-files/fs-inotify-limit.yml
new file mode 100644
index 00000000..bc71bef0
--- /dev/null
+++ b/manifests/ops-files/example-vars-files/fs-inotify-limit.yml
@@ -0,0 +1 @@
+fs_inotify_max_user_watches: 524288
diff --git a/manifests/ops-files/example-vars-files/iaas/azure/cloud-provider.yml b/manifests/ops-files/example-vars-files/iaas/azure/cloud-provider.yml
new file mode 100644
index 00000000..8106e2b6
--- /dev/null
+++ b/manifests/ops-files/example-vars-files/iaas/azure/cloud-provider.yml
@@ -0,0 +1,10 @@
+azure_cloud_name: AzurePublicCloud
+subscription_id:
+tenant_id:
+location: southeastasia
+resource_group_name: sample-cfcr-bosh
+vnet_resource_group_name: sample-cfcr-bosh
+vnet_name: sample-cfcr-bosh-vn
+subnet_name: sample-cfcr-cfcr-sn
+default_security_group: sample-cfcr-cfcr-master-sg
+primary_availability_set: bosh-sample-cfcr-azurecfcr-worker
diff --git a/manifests/ops-files/example-vars-files/iaas/gcp/cloud-provider.yml b/manifests/ops-files/example-vars-files/iaas/gcp/cloud-provider.yml
new file mode 100644
index 00000000..ba2eaec0
--- /dev/null
+++ b/manifests/ops-files/example-vars-files/iaas/gcp/cloud-provider.yml
@@ -0,0 +1,4 @@
+director_name: my-bosh
+deployment_name: cfcr
+network: gcp-network
+project_id: gcp-project-id
diff --git a/manifests/ops-files/example-vars-files/iaas/openstack/cloud-provider.yml b/manifests/ops-files/example-vars-files/iaas/openstack/cloud-provider.yml
new file mode 100644
index 00000000..c4113414
--- /dev/null
+++ b/manifests/ops-files/example-vars-files/iaas/openstack/cloud-provider.yml
@@ -0,0 +1,6 @@
+auth_url: # OpenStack authentication URL
+openstack_domain: # OpenStack domain (optional)
+openstack_project_id: # Openstack project name
+region: # OpenStack region (optional)
+openstack_username: # OpenStack admin username
+openstack_password: # admin user password for OpenStack
diff --git a/manifests/ops-files/example-vars-files/iaas/vsphere/cloud-provider.yml b/manifests/ops-files/example-vars-files/iaas/vsphere/cloud-provider.yml
new file mode 100644
index 00000000..b09d2d65
--- /dev/null
+++ b/manifests/ops-files/example-vars-files/iaas/vsphere/cloud-provider.yml
@@ -0,0 +1,6 @@
+vcenter_ip: 10.11.12.2
+vcenter_master_user: master
+vcenter_master_password: master_password
+vcenter_dc: Interxion ABC1
+vcenter_vms: prod/vms
+vcenter_ds: vol309|vol310
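Review bot: `subscription_id:` and `tenant_id:` in the azure example are left with no value, which YAML reads as `null` rather than an empty string, and the openstack example in this chunk does the same on every key (`auth_url: # OpenStack authentication URL`); interpolating a null into the cloud-provider `cloud-config` is a different and more confusing failure than a missing variable. Use explicit placeholders in the examples, e.g. `subscription_id: "00000000-0000-0000-0000-000000000000"  # example` or at least `tenant_id: ""`. The vsphere example's `vcenter_master_password: master_password` is presumably also a placeholder and should be labelled as one so it is never copied as-is.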
diff --git a/manifests/ops-files/example-vars-files/iaas/vsphere/set-working-dir-no-rp.yml b/manifests/ops-files/example-vars-files/iaas/vsphere/set-working-dir-no-rp.yml
new file mode 100644
index 00000000..29dbe336
--- /dev/null
+++ b/manifests/ops-files/example-vars-files/iaas/vsphere/set-working-dir-no-rp.yml
@@ -0,0 +1,6 @@
+vcenter_ip: 10.11.12.2
+vcenter_master_user: master
+vcenter_master_password: master_password
+vcenter_ds: vol309|vol310
+vcenter_dc: Interxion ABC1
+vcenter_vms: prod/vms
diff --git a/manifests/ops-files/example-vars-files/misc/bootstrap.yml b/manifests/ops-files/example-vars-files/misc/bootstrap.yml
new file mode 100644
index 00000000..e93839f4
--- /dev/null
+++ b/manifests/ops-files/example-vars-files/misc/bootstrap.yml
@@ -0,0 +1,3 @@
+deployment_name: cfcr-bootstrap
+kubernetes_master_host: cfcr-bootstrap.com
+worker_count: 1
diff --git a/manifests/ops-files/example-vars-files/misc/oidc.yml b/manifests/ops-files/example-vars-files/misc/oidc.yml
new file mode 100644
index 00000000..95128284
--- /dev/null
+++ b/manifests/ops-files/example-vars-files/misc/oidc.yml
@@ -0,0 +1,7 @@
+oidc_issuer_url: https://uaa.kubo.sh
+oidc_client_id: kubernetes
+oidc_username_claim: sub
+oidc_username_prefix: uaa
+oidc_groups_claim: groups
+oidc_groups_prefix: uaa
+oidc_ca: uaa-ca-cert
diff --git a/manifests/ops-files/example-vars-files/new-cidrs.yml b/manifests/ops-files/example-vars-files/new-cidrs.yml
new file mode 100644
index 00000000..8b793900
--- /dev/null
+++ b/manifests/ops-files/example-vars-files/new-cidrs.yml
@@ -0,0 +1,4 @@
+service_cluster_cidr: 192.168.20.0/24
+kubedns_service_ip: 192.168.20.50
+first_ip_of_service_cluster_cidr: 192.168.20.1
+pod_network_cidr: 192.168.22.0/24
diff --git a/manifests/ops-files/example-vars-files/system-specs.yml b/manifests/ops-files/example-vars-files/system-specs.yml
new file mode 100644
index 00000000..a5dc250f
--- /dev/null
+++ b/manifests/ops-files/example-vars-files/system-specs.yml
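Review bot: `oidc_username_prefix: uaa` and `oidc_groups_prefix: uaa` in the oidc example are prepended verbatim by kube-apiserver's `--oidc-username-prefix`/`--oidc-groups-prefix`, with no separator, so a subject `abc` becomes the user `uaaabc` and RBAC bindings written for `uaa:abc` never match. The conventional form carries the separator, so the example should read `oidc_username_prefix: 'uaa:'` and `oidc_groups_prefix: 'uaa:'` (quoted to be safe with the trailing colon). `oidc_ca: uaa-ca-cert` also reads like a name, while add-oidc-endpoint.yml renders that value into `/var/vcap/jobs/kube-apiserver/config/oidc-ca.pem`, so a comment that the variable holds the issuer CA certificate body would help.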
@@ -0,0 +1,6 @@
+kubelet-password: password
+kubo-admin-password: admin-password
+tls-kubernetes:
+ ca: ca
+ certificate: cert
+ private_key: key
diff --git a/manifests/ops-files/iaas/aws/add-master-credentials.yml b/manifests/ops-files/iaas/aws/add-master-credentials.yml
new file mode 100644
index 00000000..04b22543
--- /dev/null
+++ b/manifests/ops-files/iaas/aws/add-master-credentials.yml
@@ -0,0 +1,5 @@
+- type: replace
+ path: /instance_groups/name=master/jobs/name=cloud-provider/properties/cloud-provider/aws?
+ value:
+ access_key_id: ((aws_access_key_id_master))
+ secret_access_key: ((aws_secret_access_key_master))
diff --git a/manifests/ops-files/iaas/aws/add-worker-credentials.yml b/manifests/ops-files/iaas/aws/add-worker-credentials.yml
new file mode 100644
index 00000000..f1c84e8b
--- /dev/null
+++ b/manifests/ops-files/iaas/aws/add-worker-credentials.yml
@@ -0,0 +1,5 @@
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=cloud-provider/properties/cloud-provider/aws?
+ value:
+ access_key_id: ((aws_access_key_id_worker))
+ secret_access_key: ((aws_secret_access_key_worker))
diff --git a/manifests/ops-files/iaas/aws/cloud-config/lb.yml b/manifests/ops-files/iaas/aws/cloud-config/lb.yml
new file mode 100644
index 00000000..5809bc45
--- /dev/null
+++ b/manifests/ops-files/iaas/aws/cloud-config/lb.yml
@@ -0,0 +1,3 @@
+- type: replace
+ path: /vm_types/name=master/cloud_properties/elbs?
+ value: [((master_target_pool))]
diff --git a/manifests/ops-files/iaas/aws/cloud-provider.yml b/manifests/ops-files/iaas/aws/cloud-provider.yml
new file mode 100644
index 00000000..cb5fbe2b
--- /dev/null
+++ b/manifests/ops-files/iaas/aws/cloud-provider.yml
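Review bot: add-master-credentials.yml and add-worker-credentials.yml place long-lived `access_key_id`/`secret_access_key` pairs into the cloud-provider job properties, while cloud-config/iaas/aws/use-vm-extensions.yml in this same commit already gives the VMs an `iam_instance_profile`, which is the credential-free path; neither ops file says which of the two is expected. A header comment on both, such as `# Only for VMs without an IAM instance profile (see cloud-config/iaas/aws/use-vm-extensions.yml); prefer the profile`, stops operators from applying both and writing static keys onto every node. The four variables are not declared under `/variables`, so the comment should also say they are to be sourced from CredHub/vars-store rather than a committed vars file.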
@@ -0,0 +1,54 @@
+- type: replace
+ path: /instance_groups/name=master/jobs/-
+ value:
+ name: cloud-provider
+ release: kubo
+ properties:
+ cloud-provider:
+ type: aws
+ provides:
+ cloud-provider: {as: master-cloud-provider}
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-apiserver/consumes?
+ value:
+ cloud-provider: {from: master-cloud-provider}
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-controller-manager/consumes?
+ value:
+ cloud-provider: {from: master-cloud-provider}
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kubernetes-roles/consumes?
+ value:
+ cloud-provider: {from: master-cloud-provider}
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/-
+ value:
+ name: cloud-provider
+ release: kubo
+ properties:
+ cloud-provider:
+ type: aws
+ provides:
+ cloud-provider: {as: worker-cloud-provider}
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=kubelet/consumes?
+ value:
+ cloud-provider: {from: worker-cloud-provider}
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=kubelet/properties/cloud-provider?
+ value: aws
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=kube-proxy/properties/cloud-provider?
+ value: aws
+
+- type: replace
+ path: /instance_groups/name=apply-addons/jobs/name=apply-specs/consumes?
+ value:
+ cloud-provider: {from: master-cloud-provider}
diff --git a/manifests/ops-files/iaas/aws/lb.yml b/manifests/ops-files/iaas/aws/lb.yml
new file mode 100644
index 00000000..f68ccb05
--- /dev/null
+++ b/manifests/ops-files/iaas/aws/lb.yml
@@ -0,0 +1,5 @@
+- type: replace
+ path: /tags?
+ value:
+ KubernetesCluster: ((kubernetes_cluster_tag))
+ kubernetes.io/cluster/((kubernetes_cluster_tag)): ""
diff --git a/manifests/ops-files/iaas/azure/cloud-config/lb.yml b/manifests/ops-files/iaas/azure/cloud-config/lb.yml
new file mode 100644
index 00000000..21a001aa
--- /dev/null
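Review bot: In aws/lb.yml, `path: /tags?` with a mapping `value` replaces the entire `tags` section when the base manifest already has one, rather than adding two keys to it, so any operator-supplied tags vanish silently. A per-key op keeps existing tags intact: `path: /tags?/KubernetesCluster?` with `value: ((kubernetes_cluster_tag))`, plus a second op for the `kubernetes.io/cluster/...` key, whose slashes need escaping under the ops-file pointer syntax (confirm the escape form go-patch accepts). Whether BOSH interpolates `((kubernetes_cluster_tag))` inside a mapping key, as it does in values, is also worth confirming with a rendered manifest.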
+++ b/manifests/ops-files/iaas/azure/cloud-config/lb.yml
@@ -0,0 +1,3 @@
+- type: replace
+ path: /vm_types/name=master/cloud_properties/load_balancer?
+ value: ((master_target_pool))
diff --git a/manifests/ops-files/iaas/azure/cloud-provider.yml b/manifests/ops-files/iaas/azure/cloud-provider.yml
new file mode 100644
index 00000000..644ddc07
--- /dev/null
+++ b/manifests/ops-files/iaas/azure/cloud-provider.yml
@@ -0,0 +1,82 @@
+- type: replace
+ path: /instance_groups/name=master/jobs/-
+ value:
+ name: cloud-provider
+ release: kubo
+ properties:
+ cloud-provider:
+ type: azure
+ cloud-config:
+ useManagedIdentityExtension: true
+ cloud: ((azure_cloud_name))
+ location: ((location))
+ primaryAvailabilitySetName: ((primary_availability_set))
+ resourceGroup: ((resource_group_name))
+ securityGroupName: ((default_security_group))
+ subnetName: ((subnet_name))
+ subscriptionId: ((subscription_id))
+ tenantId: ((tenant_id))
+ useInstanceMetadata: true
+ vnetName: ((vnet_name))
+ vnetResourceGroup: ((vnet_resource_group_name))
+ loadBalancerSku: standard
+ provides:
+ cloud-provider: {as: master-cloud-provider}
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-apiserver/consumes?
+ value:
+ cloud-provider: {from: master-cloud-provider}
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-controller-manager/consumes?
+ value:
+ cloud-provider: {from: master-cloud-provider}
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kubernetes-roles/consumes?
+ value:
+ cloud-provider: {from: master-cloud-provider}
+
+- type: replace
+ path: /instance_groups/name=apply-addons/jobs/name=apply-specs/consumes?
+ value:
+ cloud-provider: {from: master-cloud-provider}
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/-
+ value:
+ name: cloud-provider
+ release: kubo
+ properties:
+ cloud-provider:
+ type: azure
+ cloud-config:
+ useManagedIdentityExtension: true
+ cloud: ((azure_cloud_name))
+ location: ((location))
+ primaryAvailabilitySetName: ((primary_availability_set))
+ resourceGroup: ((resource_group_name))
+ securityGroupName: ((default_security_group))
+ subnetName: ((subnet_name))
+ subscriptionId: ((subscription_id))
+ tenantId: ((tenant_id))
+ useInstanceMetadata: true
+ vnetName: ((vnet_name))
+ vnetResourceGroup: ((vnet_resource_group_name))
+ loadBalancerSku: standard
+ provides:
+ cloud-provider: {as: worker-cloud-provider}
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=kubelet/consumes?
+ value:
+ cloud-provider: {from: worker-cloud-provider}
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=kubelet/properties/cloud-provider?
+ value: azure
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=kube-proxy/properties/cloud-provider?
+ value: azure
diff --git a/manifests/ops-files/iaas/azure/subnet.yml b/manifests/ops-files/iaas/azure/subnet.yml
new file mode 100644
index 00000000..dc615706
--- /dev/null
+++ b/manifests/ops-files/iaas/azure/subnet.yml
@@ -0,0 +1,12 @@
+- type: replace
+ path: /instance_groups/name=master/networks
+ value:
+ - name: cfcr
+- type: replace
+ path: /instance_groups/name=worker/networks
+ value:
+ - name: cfcr
+- type: replace
+ path: /instance_groups/name=apply-addons/networks
+ value:
+ - name: cfcr
\ No newline at end of file
diff --git a/manifests/ops-files/iaas/azure/use-cifs.yml b/manifests/ops-files/iaas/azure/use-cifs.yml
new file mode 100644
index 00000000..6b6add22
--- /dev/null
+++ b/manifests/ops-files/iaas/azure/use-cifs.yml
@@ -0,0 +1,5 @@
+- type: replace
+ path: /instance_groups/name=worker/jobs/-
+ value:
+ name: cifs-utils
+ release: kubo
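Review bot: The 14-key `cloud-config` mapping under the master cloud-provider job is duplicated verbatim for the worker job in the `/instance_groups/name=worker/jobs/-` op, and use-credentials.yml in this commit consequently has to patch `useManagedIdentityExtension`, `aadClientId` and `aadClientSecret` twice, so any future field can drift between the two copies unnoticed. At minimum add a comment at the top of the file, `# master and worker cloud-config blocks must stay identical; use-credentials.yml patches both`; a shared YAML anchor would remove the duplication if the ops-file loader used here accepts anchors, which this page does not show.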
diff --git a/manifests/ops-files/iaas/azure/use-credentials.yml b/manifests/ops-files/iaas/azure/use-credentials.yml
new file mode 100644
index 00000000..0e6316eb
--- /dev/null
+++ b/manifests/ops-files/iaas/azure/use-credentials.yml
@@ -0,0 +1,23 @@
+- type: replace
+ path: /instance_groups/name=master/jobs/name=cloud-provider/properties/cloud-config/useManagedIdentityExtension
+ value: false
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=cloud-provider/properties/cloud-config/aadClientId?
+ value: ((client_id))
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=cloud-provider/properties/cloud-config/aadClientSecret?
+ value: ((client_secret))
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=cloud-provider/properties/cloud-config/useManagedIdentityExtension
+ value: false
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=cloud-provider/properties/cloud-config/aadClientId?
+ value: ((client_id))
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=cloud-provider/properties/cloud-config/aadClientSecret?
+ value: ((client_secret))
diff --git a/manifests/ops-files/iaas/gcp/add-service-key-master.yml b/manifests/ops-files/iaas/gcp/add-service-key-master.yml
new file mode 100644
index 00000000..6c18f893
--- /dev/null
+++ b/manifests/ops-files/iaas/gcp/add-service-key-master.yml
@@ -0,0 +1,7 @@
+- type: replace
+ path: /instance_groups/name=master/jobs/name=cloud-provider/properties/cloud-provider/gce?/service_key?
+ value: ((service_key_master))
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=cloud-provider/properties/cloud-config?/Global?/token-url?
+ value: 'nil'
diff --git a/manifests/ops-files/iaas/gcp/add-service-key-worker.yml b/manifests/ops-files/iaas/gcp/add-service-key-worker.yml
new file mode 100644
index 00000000..f852edf4
--- /dev/null
+++ b/manifests/ops-files/iaas/gcp/add-service-key-worker.yml
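Review bot: `((client_secret))` in use-credentials.yml is a service-principal secret that gets rendered into the cloud-provider `cloud-config` on every master and worker VM, and nothing records that the managed-identity default it switches off (`useManagedIdentityExtension: true` in cloud-provider.yml) is the preferred, secret-free path. A header comment such as `# Fallback for clusters without a user-assigned managed identity; client_secret must come from CredHub/vars-store, not a vars file` keeps that trade-off explicit. The `useManagedIdentityExtension` ops intentionally omit `?` so they fail if cloud-provider.yml was not applied first, which is worth a one-line comment as well, since the other four ops do use `?`.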
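Review bot: In add-service-key-master.yml, `value: 'nil'` for `Global/token-url` is a literal string, not a YAML null, and nothing explains it; presumably the GCE cloud provider treats the string `nil` as "do not fetch tokens from the metadata server, use the service key instead", which is exactly the kind of magic value a later reader will "correct" to `null`. Add above the op: `# the literal string "nil" tells the GCE cloud provider not to use a metadata token URL; it is not a YAML null`. add-service-key-worker.yml carries the same pair of ops and needs the same comment, and `((service_key_master))`/`((service_key_worker))` are service-account JSON keys that, like the aws and azure credential ops in this commit, should be documented as CredHub-sourced.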
@@ -0,0 +1,7 @@
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=cloud-provider/properties/cloud-provider/gce?/service_key?
+ value: ((service_key_worker))
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=cloud-provider/properties/cloud-config?/Global?/token-url?
+ value: 'nil'
diff --git a/manifests/ops-files/iaas/gcp/add-subnetwork-for-internal-load-balancer.yml b/manifests/ops-files/iaas/gcp/add-subnetwork-for-internal-load-balancer.yml
new file mode 100644
index 00000000..9e174fec
--- /dev/null
+++ b/manifests/ops-files/iaas/gcp/add-subnetwork-for-internal-load-balancer.yml
@@ -0,0 +1,7 @@
+- type: replace
+ path: /instance_groups/name=master/jobs/name=cloud-provider/properties/cloud-config?/Global?/subnetwork-name?
+ value: ((subnetwork))
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=cloud-provider/properties/cloud-config?/Global?/subnetwork-name?
+ value: ((subnetwork))
diff --git a/manifests/ops-files/iaas/gcp/cloud-config/load-balancer-target-pools.yml b/manifests/ops-files/iaas/gcp/cloud-config/load-balancer-target-pools.yml
new file mode 100644
index 00000000..112ffbbb
--- /dev/null
+++ b/manifests/ops-files/iaas/gcp/cloud-config/load-balancer-target-pools.yml
@@ -0,0 +1,3 @@
+- type: replace
+ path: /vm_types/name=master/cloud_properties/backend_service?
+ value: ((master_target_pool))
diff --git a/manifests/ops-files/iaas/gcp/cloud-config/remove-service-account-master.yml b/manifests/ops-files/iaas/gcp/cloud-config/remove-service-account-master.yml
new file mode 100644
index 00000000..e32edd47
--- /dev/null
+++ b/manifests/ops-files/iaas/gcp/cloud-config/remove-service-account-master.yml
@@ -0,0 +1,2 @@
+- type: remove
+ path: /vm_types/name=master/cloud_properties/service_account
\ No newline at end of file
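Review bot: The op writes the `backend_service` cloud property, but the variable is named `((master_target_pool))` and the file is named load-balancer-target-pools.yml; the Google CPI treats `target_pool` and `backend_service` as distinct properties, so if the value an operator supplies is a target pool name the master VMs will not be registered with the load balancer they expect. Confirm which resource the variable is meant to hold and make the three names agree: either `path: /vm_types/name=master/cloud_properties/target_pool?` with the current variable, or keep `backend_service?` and rename the variable and file to say backend service.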
diff --git a/manifests/ops-files/iaas/gcp/cloud-config/remove-service-account-worker.yml b/manifests/ops-files/iaas/gcp/cloud-config/remove-service-account-worker.yml
new file mode 100644
index 00000000..cdd07805
--- /dev/null
+++ b/manifests/ops-files/iaas/gcp/cloud-config/remove-service-account-worker.yml
@@ -0,0 +1,2 @@
+- type: remove
+ path: /vm_types/name=worker/cloud_properties/service_account
\ No newline at end of file
diff --git a/manifests/ops-files/iaas/gcp/cloud-provider.yml b/manifests/ops-files/iaas/gcp/cloud-provider.yml
new file mode 100644
index 00000000..1df48adb
--- /dev/null
+++ b/manifests/ops-files/iaas/gcp/cloud-provider.yml
@@ -0,0 +1,65 @@
+- type: replace
+ path: /instance_groups/name=master/jobs/-
+ value:
+ name: cloud-provider
+ release: kubo
+ properties:
+ cloud-provider:
+ type: gce
+ cloud-config:
+ Global:
+ project-id: ((project_id))
+ network-name: ((network))
+ node-tags: ((director_name))-((deployment_name))-worker
+ multizone: true
+ provides:
+ cloud-provider: {as: master-cloud-provider}
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-apiserver/consumes?
+ value:
+ cloud-provider: {from: master-cloud-provider}
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-controller-manager/consumes?
+ value:
+ cloud-provider: {from: master-cloud-provider}
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kubernetes-roles/consumes?
+ value:
+ cloud-provider: {from: master-cloud-provider}
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/-
+ value:
+ name: cloud-provider
+ release: kubo
+ properties:
+ cloud-provider:
+ type: gce
+ cloud-config:
+ Global:
+ project-id: ((project_id))
+ network-name: ((network))
+ node-tags: ((director_name))-((deployment_name))-worker
+ provides:
+ cloud-provider: {as: worker-cloud-provider}
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=kubelet/consumes?
+ value:
+ cloud-provider: {from: worker-cloud-provider}
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=kubelet/properties/cloud-provider?
+ value: gce
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=kube-proxy/properties/cloud-provider?
+ value: gce
+
+- type: replace
+ path: /instance_groups/name=apply-addons/jobs/name=apply-specs/consumes?
+ value:
+ cloud-provider: {from: master-cloud-provider}
diff --git a/manifests/ops-files/iaas/openstack/cloud-provider.yml b/manifests/ops-files/iaas/openstack/cloud-provider.yml
new file mode 100644
index 00000000..7950d39c
--- /dev/null
+++ b/manifests/ops-files/iaas/openstack/cloud-provider.yml
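Review bot: The master cloud-config sets `multizone: true` but the otherwise identical worker cloud-config omits it, and nothing says whether that asymmetry is deliberate; a reader comparing the two blocks will assume a copy-paste slip. If workers intentionally don't need it, a one-line comment on the worker block (`# multizone is only consulted by the controller-manager, so it is set on the master block only`) would settle it — hedged, since which component reads the flag isn't visible here; if it isn't intentional, add `multizone: true` under the worker `Global:` as well.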
@@ -0,0 +1,70 @@
+- type: replace
+ path: /instance_groups/name=master/jobs/-
+ value:
+ name: cloud-provider
+ release: kubo
+ properties:
+ cloud-provider:
+ type: openstack
+ cloud-config:
+ Global:
+ auth-url: ((auth_url))
+ domain-name: ((openstack_domain))
+ password: ((openstack_password))
+ region: ((region))
+ tenant-id: ((openstack_project_id))
+ username: ((openstack_username))
+ provides:
+ cloud-provider: {as: master-cloud-provider}
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-apiserver/consumes?
+ value:
+ cloud-provider: {from: master-cloud-provider}
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-controller-manager/consumes?
+ value:
+ cloud-provider: {from: master-cloud-provider}
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kubernetes-roles/consumes?
+ value:
+ cloud-provider: {from: master-cloud-provider}
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/-
+ value:
+ name: cloud-provider
+ release: kubo
+ properties:
+ cloud-provider:
+ type: openstack
+ cloud-config:
+ Global:
+ auth-url: ((auth_url))
+ domain-name: ((openstack_domain))
+ password: ((openstack_password))
+ region: ((region))
+ tenant-id: ((openstack_project_id))
+ username: ((openstack_username))
+ provides:
+ cloud-provider: {as: worker-cloud-provider}
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=kubelet/consumes?
+ value:
+ cloud-provider: {from: worker-cloud-provider}
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=kubelet/properties/cloud-provider?
+ value: openstack
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=kube-proxy/properties/cloud-provider?
+ value: openstack
+
+- type: replace
+ path: /instance_groups/name=apply-addons/jobs/name=apply-specs/consumes?
+ value:
+ cloud-provider: {from: master-cloud-provider}
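Review bot: The worker cloud-provider block carries the same `username: ((openstack_username))` / `password: ((openstack_password))` as the master block, so the control-plane OpenStack credential is present on every worker node and a single compromised worker yields it. Compare vsphere/cloud-provider.yml in this same commit, where the worker job gets only `type: vsphere` and no credentials. If the worker kubelet genuinely needs a cloud.conf for openstack, a separate OpenStack user with read-only rights, bound to its own pair of variables for the worker block, would contain that blast radius; either way the file needs a header comment stating why workers receive credentials and what the minimum role for that user is.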
diff --git a/manifests/ops-files/iaas/openstack/master-static-ip.yml b/manifests/ops-files/iaas/openstack/master-static-ip.yml
new file mode 100644
index 00000000..a4a64c7e
--- /dev/null
+++ b/manifests/ops-files/iaas/openstack/master-static-ip.yml
@@ -0,0 +1,16 @@
+- type: replace
+ path: /instance_groups/name=master/networks/-
+ value:
+ name: vip
+ type: vip
+ static_ips: [((kubernetes_master_host))]
+- type: replace
+ path: /instance_groups/name=master/networks/0/default?
+ value: [dns, gateway]
+
+- type: replace
+ path: /variables/name=tls-kubernetes/options/common_name
+ value: ((kubernetes_master_host))
+- type: replace
+ path: /variables/name=tls-kubernetes/options/alternative_names/-
+ value: ((kubernetes_master_host))
diff --git a/manifests/ops-files/iaas/virtualbox/bosh-lite.yml b/manifests/ops-files/iaas/virtualbox/bosh-lite.yml
new file mode 100644
index 00000000..8bad3db3
--- /dev/null
+++ b/manifests/ops-files/iaas/virtualbox/bosh-lite.yml
@@ -0,0 +1,25 @@
+- type: replace
+ path: /instance_groups/name=apply-addons/vm_type
+ value: default
+
+- type: replace
+ path: /instance_groups/name=master/vm_type
+ value: default
+
+- type: replace
+ path: /instance_groups/name=worker/vm_type
+ value: default
+
+- type: replace
+ path: /instance_groups/name=worker/update?/max_in_flight
+ value: 100%
+
+- type: replace
+ path: /instance_groups/name=master/networks
+ value:
+ - name: default
+ static_ips: [10.244.0.34]
+
+- type: replace
+ path: /variables/name=tls-kubernetes/options/alternative_names/-
+ value: 10.244.0.34
diff --git a/manifests/ops-files/iaas/vsphere/cloud-provider.yml b/manifests/ops-files/iaas/vsphere/cloud-provider.yml
new file mode 100644
index 00000000..d0bb7f30
--- /dev/null
+++ b/manifests/ops-files/iaas/vsphere/cloud-provider.yml
@@ -0,0 +1,64 @@
+- type: replace
+ path: /instance_groups/name=master/jobs/-
+ value:
+ name: cloud-provider
+ release: kubo
+ properties:
+ cloud-provider:
+ type: vsphere
+ cloud-config:
+ Global:
+ datacenter: ((vcenter_dc))
+ datastore: ((vcenter_ds))
+ password: ((vcenter_master_password))
+ server: ((vcenter_ip))
+ user: ((vcenter_master_user))
+ working-dir: /((vcenter_dc))/vm/((vcenter_vms))
+ Disk:
+ scsicontrollertype: pvscsi
+ provides:
+ cloud-provider: {as: master-cloud-provider}
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-apiserver/consumes?
+ value:
+ cloud-provider: {from: master-cloud-provider}
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kube-controller-manager/consumes?
+ value:
+ cloud-provider: {from: master-cloud-provider}
+
+- type: replace
+ path: /instance_groups/name=master/jobs/name=kubernetes-roles/consumes?
+ value:
+ cloud-provider: {from: master-cloud-provider}
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=kubelet/properties/cloud-provider?
+ value: vsphere
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/-
+ value:
+ name: cloud-provider
+ release: kubo
+ properties:
+ cloud-provider:
+ type: vsphere
+ provides:
+ cloud-provider: {as: worker-cloud-provider}
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=kubelet/consumes?
+ value:
+ cloud-provider: {from: worker-cloud-provider}
+
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=kube-proxy/properties/cloud-provider?
+ value: vsphere
+
+- type: replace
+ path: /instance_groups/name=apply-addons/jobs/name=apply-specs/consumes?
+ value:
+ cloud-provider: {from: master-cloud-provider}
diff --git a/manifests/ops-files/iaas/vsphere/master-static-ip.yml b/manifests/ops-files/iaas/vsphere/master-static-ip.yml
new file mode 100644
index 00000000..4f900c60
--- /dev/null
+++ b/manifests/ops-files/iaas/vsphere/master-static-ip.yml
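Review bot: The worker cloud-provider job here gets `type: vsphere` and no `cloud-config`, so vCenter credentials stay on the master — a better shape than the gcp and openstack ops-files in this commit, but nothing in the file says it is deliberate, and the variable names `vcenter_master_user` / `vcenter_master_password` are the only hint. A comment on the worker block, e.g. `# No vCenter credentials on workers: the kubelet is told the provider name only and node lookups go through the master (confirm for the kubelet version in use)`, would stop a later edit "fixing" the asymmetry by copying the master block. The `working-dir` value set here is repeated verbatim in set-working-dir-no-rp.yml in the next hunk; the later file should state when it is needed on top of this one.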
@@ -0,0 +1,6 @@
+- type: replace
+ path: /instance_groups/name=master/networks
+ value:
+ - name: default
+ default: [dns, gateway]
+ static_ips: [ ((kubernetes_master_host)) ]
diff --git a/manifests/ops-files/iaas/vsphere/set-working-dir-no-rp.yml b/manifests/ops-files/iaas/vsphere/set-working-dir-no-rp.yml
new file mode 100644
index 00000000..d06a15b4
--- /dev/null
+++ b/manifests/ops-files/iaas/vsphere/set-working-dir-no-rp.yml
@@ -0,0 +1,3 @@
+- type: replace
+ path: /instance_groups/name=master/jobs/name=cloud-provider/properties/cloud-config?/Global?/working-dir?
+ value: /((vcenter_dc))/vm/((vcenter_vms))
diff --git a/manifests/ops-files/iaas/vsphere/use-vm-extensions.yml b/manifests/ops-files/iaas/vsphere/use-vm-extensions.yml
new file mode 100644
index 00000000..12f2b204
--- /dev/null
+++ b/manifests/ops-files/iaas/vsphere/use-vm-extensions.yml
@@ -0,0 +1,5 @@
+---
+- type: replace
+ path: /instance_groups/name=worker/vm_extensions?/-
+ value: enable-disk-UUID
+
diff --git a/manifests/ops-files/iaas/vsphere/windows/cloud-provider.yml b/manifests/ops-files/iaas/vsphere/windows/cloud-provider.yml
new file mode 100644
index 00000000..2573117c
--- /dev/null
+++ b/manifests/ops-files/iaas/vsphere/windows/cloud-provider.yml
@@ -0,0 +1,13 @@
+- type: replace
+ path: /instance_groups/name=windows-worker/jobs/name=kubelet-windows/properties/cloud-provider?
+ value: vsphere
+
+- type: replace
+ path: /instance_groups/name=windows-worker/jobs/name=kubelet-windows/consumes?
+ value:
+ cloud-provider: {from: worker-cloud-provider}
+
+- type: replace
+ path: /instance_groups/name=windows-worker/jobs/name=kube-proxy-windows/properties/cloud-provider?
+ value: vsphere
+
diff --git a/manifests/ops-files/iaas/vsphere/windows/use-vm-extensions.yml b/manifests/ops-files/iaas/vsphere/windows/use-vm-extensions.yml
new file mode 100644
index 00000000..430068e2
--- /dev/null
+++ b/manifests/ops-files/iaas/vsphere/windows/use-vm-extensions.yml
@@ -0,0 +1,5 @@
+---
+- type: replace
+ path: /instance_groups/name=windows-worker/vm_extensions?/-
+ value: enable-disk-UUID
+
diff --git a/manifests/ops-files/kubo-local-release.yml b/manifests/ops-files/kubo-local-release.yml
new file mode 100644
index 00000000..f0cd2d61
--- /dev/null
+++ b/manifests/ops-files/kubo-local-release.yml
@@ -0,0 +1,6 @@
+- type: replace
+ path: /releases/name=kubo
+ value:
+ name: kubo
+ version: create
+ url: file://../kubo-release
diff --git a/manifests/ops-files/misc/bootstrap.yml b/manifests/ops-files/misc/bootstrap.yml
new file mode 100644
index 00000000..fb4e6727
--- /dev/null
+++ b/manifests/ops-files/misc/bootstrap.yml
@@ -0,0 +1,23 @@
+- type: replace
+ path: /name
+ value: ((deployment_name))
+
+- type: replace
+ path: /instance_groups/name=master/vm_type
+ value: master
+
+- type: replace
+ path: /instance_groups/name=worker/vm_type
+ value: worker
+
+- type: replace
+ path: /instance_groups/name=worker/instances
+ value: ((worker_count))
+
+- type: replace
+ path: /variables/name=tls-kubernetes/options/common_name
+ value: ((kubernetes_master_host))
+
+- type: replace
+ path: /variables/name=tls-kubernetes/options/alternative_names/-
+ value: ((kubernetes_master_host))
diff --git a/manifests/ops-files/misc/deployment-name.yml b/manifests/ops-files/misc/deployment-name.yml
new file mode 100644
index 00000000..aff44151
--- /dev/null
+++ b/manifests/ops-files/misc/deployment-name.yml
@@ -0,0 +1,4 @@
+- type: replace
+ path: /name
+ value: ((deployment_name))
+
diff --git a/manifests/ops-files/misc/dev.yml b/manifests/ops-files/misc/dev.yml
new file mode 100644
index 00000000..f8ebb609
--- /dev/null
+++ b/manifests/ops-files/misc/dev.yml
@@ -0,0 +1,5 @@
+- type: replace
+ path: /releases/name=kubo
+ value:
+ name: kubo
+ version: latest
diff --git a/manifests/ops-files/misc/first-time-deploy.yml b/manifests/ops-files/misc/first-time-deploy.yml
new file mode 100644
index 00000000..62dc28cd
--- /dev/null
+++ b/manifests/ops-files/misc/first-time-deploy.yml
@@ -0,0 +1,3 @@
+- type: replace
+ path: /update/max_in_flight
+ value: 100%
diff --git a/manifests/ops-files/misc/local-config-server.yml b/manifests/ops-files/misc/local-config-server.yml
new file mode 100644
index 00000000..eec7cd31
--- /dev/null
+++ b/manifests/ops-files/misc/local-config-server.yml
@@ -0,0 +1,8 @@
+- type: remove
+ path: /variables/name=tls-kubelet/options/organization
+- type: remove
+ path: /variables/name=tls-kubelet-client/options/organization
+- type: remove
+ path: /variables/name=tls-kubernetes/options/organization
+- type: remove
+ path: /variables/name=tls-kube-controller-manager/options/key_usage
diff --git a/manifests/ops-files/misc/scale-to-one-az.yml b/manifests/ops-files/misc/scale-to-one-az.yml
new file mode 100644
index 00000000..9a3faef5
--- /dev/null
+++ b/manifests/ops-files/misc/scale-to-one-az.yml
@@ -0,0 +1,23 @@
+---
+# Default kubo-deployment deploys a (mostly) HA configuration.
+# Use this override to only deploy single instance of each job,
+# in a single Availability Zone.
+- type: replace
+ path: /instance_groups/name=master/instances
+ value: 1
+- type: replace
+ path: /instance_groups/name=worker/instances
+ value: 1
+- type: replace
+ path: /instance_groups/name=apply-addons/instances
+ value: 1
+
+- type: replace
+ path: /instance_groups/name=master/azs
+ value: [ z1 ]
+- type: replace
+ path: /instance_groups/name=worker/azs
+ value: [ z1 ]
+- type: replace
+ path: /instance_groups/name=apply-addons/azs
+ value: [ z1 ]
\ No newline at end of file
diff --git a/manifests/ops-files/misc/single-master.yml b/manifests/ops-files/misc/single-master.yml
new file mode 100644
index 00000000..3eafc97d
--- /dev/null
+++ b/manifests/ops-files/misc/single-master.yml
@@ -0,0 +1,3 @@
+- type: replace
+ path: /instance_groups/name=master/instances
+ value: 1
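Review bot: local-config-server.yml strips `organization` from the tls-kubelet, tls-kubelet-client and tls-kubernetes certificate variables and `key_usage` from tls-kube-controller-manager without a word of explanation, and the four removes are not a cosmetic change: in Kubernetes the kubelet client certificate's O field is the group that node authorization keys on, so if cfcr.yml sets it to that group, this file changes what a kubelet is allowed to do rather than merely what the generator accepts. The filename suggests the motive is that the CLI's local `--vars-store` generator does not support those options; that belongs in a header comment, along with the constraint it implies, e.g. `# For local bosh interpolate --vars-store runs only: the built-in generator rejects organization/key_usage. Do not apply against a real config server or CredHub.` The bin/run_tests script later in this series applies this file on every interpolation test, so the comment also protects the test suite from being read as a production recipe.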
diff --git a/manifests/ops-files/misc/small-vm.yml b/manifests/ops-files/misc/small-vm.yml
new file mode 100644
index 00000000..8418dbca
--- /dev/null
+++ b/manifests/ops-files/misc/small-vm.yml
@@ -0,0 +1,9 @@
+- type: replace
+ path: /instance_groups/name=apply-addons/vm_type
+ value: minimal
+- type: replace
+ path: /instance_groups/name=master/vm_type
+ value: minimal
+- type: replace
+ path: /instance_groups/name=worker/vm_type
+ value: minimal
diff --git a/manifests/ops-files/misc/version.yml b/manifests/ops-files/misc/version.yml
new file mode 100644
index 00000000..3dcee037
--- /dev/null
+++ b/manifests/ops-files/misc/version.yml
@@ -0,0 +1,5 @@
+- type: replace
+ path: /releases/name=kubo
+ value:
+ name: kubo
+ version: ((kubo-version))
diff --git a/manifests/ops-files/non-precompiled-releases.yml b/manifests/ops-files/non-precompiled-releases.yml
new file mode 100644
index 00000000..efc3166e
--- /dev/null
+++ b/manifests/ops-files/non-precompiled-releases.yml
@@ -0,0 +1,19 @@
+- path: /releases
+ type: replace
+ value:
+ - name: kubo
+ sha1: 50a87d140204a4bfc90603d9765e656ad801f9b1
+ url: https://github.com/cloudfoundry-incubator/kubo-release/releases/download/v0.44.0/kubo-release-0.44.0.tgz
+ version: 0.44.0
+ - name: cfcr-etcd
+ sha1: 5a7beca63244cfcc3592d69bbc84abdbe9099a3f
+ url: https://bosh.io/d/github.com/cloudfoundry-incubator/cfcr-etcd-release?v=1.13.0
+ version: 1.13.0
+ - name: docker
+ sha1: c95d9e0aac57ab516ff987d0710470452593e50d
+ url: https://bosh.io/d/github.com/cloudfoundry-incubator/docker-boshrelease?v=36.0.2
+ version: 36.0.2
+ - name: bpm
+ sha1: 502e9446fa34accaf122ad2b28b6ffa543d5bbca
+ url: https://bosh.io/d/github.com/cloudfoundry/bpm-release?v=1.1.12
+ version: 1.1.12
diff --git a/manifests/ops-files/rename.yml b/manifests/ops-files/rename.yml
new file mode 100644
index 00000000..8c21e039
--- /dev/null
+++ b/manifests/ops-files/rename.yml
@@ -0,0 +1,3 @@
+- type: replace
+ path: /name
+ value: ((deployment_name))
diff --git a/manifests/ops-files/set-certificate-duration.yml b/manifests/ops-files/set-certificate-duration.yml
new file mode 100644
index 00000000..0c6acf11
--- /dev/null
+++ b/manifests/ops-files/set-certificate-duration.yml
@@ -0,0 +1,45 @@
+- type: replace
+ path: /variables/name=kubo_ca/options/duration?
+ value: ((certificate-duration))
+
+- type: replace
+ path: /variables/name=tls-kubelet/options/duration?
+ value: ((certificate-duration))
+
+- type: replace
+ path: /variables/name=tls-kubelet-client/options/duration?
+ value: ((certificate-duration))
+
+- type: replace
+ path: /variables/name=tls-kubernetes/options/duration?
+ value: ((certificate-duration))
+
+- type: replace
+ path: /variables/name=tls-kube-controller-manager/options/duration?
+ value: ((certificate-duration))
+
+- type: replace
+ path: /variables/name=etcd_ca/options/duration?
+ value: ((certificate-duration))
+
+- type: replace
+ path: /variables/name=tls-etcd-v0-29-0/options/duration?
+ value: ((certificate-duration))
+
+- type: replace
+ path: /variables/name=tls-etcdctl-v0-29-0/options/duration?
+ value: ((certificate-duration))
+
+- type: replace
+ path: /variables/name=tls-etcdctl-root/options/duration?
+ value: ((certificate-duration))
+
+- type: replace
+ path: /variables/name=tls-etcdctl-flanneld/options/duration?
+ value: ((certificate-duration))
+
+- type: replace
+ path: /variables/name=tls-metrics-server/options/duration?
+ value: ((certificate-duration))
+
+
diff --git a/manifests/ops-files/set-fs-inotify-limit.yml b/manifests/ops-files/set-fs-inotify-limit.yml
new file mode 100644
index 00000000..60ba7dc7
--- /dev/null
+++ b/manifests/ops-files/set-fs-inotify-limit.yml
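Review bot: The same `((certificate-duration))` is applied to the two CAs (`kubo_ca`, `etcd_ca`) and to every leaf certificate, so an operator who lowers it to rotate leaf certs more often also shortens the CA lifetime, and there is no comment warning that the value is shared. If a single knob is the intent, a header comment should say so and point out that the CAs are included; otherwise a second variable for the two CA entries would let leaf and CA lifetimes be set independently. The spec added later in this series (spec/test_cert_duration_ops_file_spec.rb) checks that every `type: certificate` variable receives the duration, which is the right guard against a new variable being added to cfcr.yml and missed here.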
@@ -0,0 +1,23 @@
+- type: replace
+ path: /addons/-
+ value:
+ jobs:
+ - name: sysctl
+ release: os-conf
+ properties:
+ sysctl:
+ - fs.inotify.max_user_watches=((fs_inotify_max_user_watches))
+ name: fs-inotify-limit
+ include:
+ stemcell:
+ - os: ubuntu-trusty
+ - os: ubuntu-xenial
+
+- type: replace
+ path: /releases/-
+ value:
+ name: "os-conf"
+ version: "20.0.0"
+ url: "https://bosh.io/d/github.com/cloudfoundry/os-conf-release?v=20.0.0"
+ sha1: "a60187f038d45e2886db9df82b72a9ab5fdcc49d"
+
diff --git a/manifests/ops-files/use-hostgw.yml b/manifests/ops-files/use-hostgw.yml
new file mode 100644
index 00000000..5d0cb26c
--- /dev/null
+++ b/manifests/ops-files/use-hostgw.yml
@@ -0,0 +1,8 @@
+---
+- type: replace
+ path: /instance_groups/name=master/jobs/name=flanneld/properties?/backend-type
+ value: "host-gw"
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=flanneld/properties?/backend-type
+ value: "host-gw"
+
diff --git a/manifests/ops-files/use-persistent-disk-for-workers.yml b/manifests/ops-files/use-persistent-disk-for-workers.yml
new file mode 100644
index 00000000..7baa041a
--- /dev/null
+++ b/manifests/ops-files/use-persistent-disk-for-workers.yml
@@ -0,0 +1,7 @@
+- type: replace
+ path: /instance_groups/name=worker?/persistent_disk
+ value: ((disk_size))
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=docker/properties/store_dir
+ value: /var/vcap/store
+
diff --git a/manifests/ops-files/use-vm-extensions.yml b/manifests/ops-files/use-vm-extensions.yml
new file mode 100644
index 00000000..e8ff1b08
--- /dev/null
+++ b/manifests/ops-files/use-vm-extensions.yml
@@ -0,0 +1,9 @@
+---
+- type: replace
+ path: /instance_groups/name=master/vm_extensions?/-
+ value: ((deployment_name))-master-cloud-properties
+
+- type: replace
+ path: /instance_groups/name=worker/vm_extensions?/-
+ value: ((deployment_name))-worker-cloud-properties
+
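Review bot: The addon's `include.stemcell` list names only `ubuntu-trusty` and `ubuntu-xenial`, so on any newer Ubuntu stemcell the sysctl job is silently not colocated and `fs.inotify.max_user_watches` stays at the kernel default while the operator believes the ops-file took effect; either extend the list to the stemcell lines the manifest actually supports or add a comment stating the limitation next to `include:`. The `os-conf` release entry is pinned by `version`, `sha1` and an https URL, which is the right shape for a release the addon pulls in.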
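Review bot: In use-persistent-disk-for-workers.yml the optional marker sits on the wrong token: `/instance_groups/name=worker?/persistent_disk` makes the instance-group match optional (go-patch would append a new group if none matched) while `persistent_disk` is mandatory, so the replace fails with "expected to find a map key" whenever the worker group has no `persistent_disk` yet — which is presumably the normal case for a file whose job is to add one. Unless cfcr.yml already declares it for workers, the path should read `path: /instance_groups/name=worker/persistent_disk?`. The second op assumes the docker job already has a `properties` map; `properties?/store_dir` would tolerate its absence.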
diff --git a/manifests/ops-files/vm-types.yml b/manifests/ops-files/vm-types.yml
new file mode 100644
index 00000000..f1fbeca8
--- /dev/null
+++ b/manifests/ops-files/vm-types.yml
@@ -0,0 +1,11 @@
+- type: replace
+ path: /instance_groups/name=master/vm_type
+ value: ((master_vm_type))
+
+- type: replace
+ path: /instance_groups/name=worker/vm_type
+ value: ((worker_vm_type))
+
+- type: replace
+ path: /instance_groups/name=apply-addons/vm_type
+ value: ((apply_addons_vm_type))
diff --git a/manifests/ops-files/windows/add-worker.yml b/manifests/ops-files/windows/add-worker.yml
new file mode 100644
index 00000000..23b3060a
--- /dev/null
+++ b/manifests/ops-files/windows/add-worker.yml
@@ -0,0 +1,104 @@
+- label: kubo-windows
+ path: /releases/name=kubo-windows?
+ type: replace
+ value:
+ name: kubo-windows
+ sha1: 977794c52caadf973629ce1d44205d988a442a82
+ url: https://github.com/cloudfoundry-incubator/kubo-release-windows/releases/download/v0.44.0/kubo-release-windows-0.44.0.tgz
+ version: 0.44.0
+- path: /stemcells/-
+ type: replace
+ value:
+ alias: windows
+ os: windows2019
+ version: "2019.17"
+- path: /instance_groups/-
+ type: replace
+ value:
+ azs:
+ - z1
+ - z2
+ - z3
+ instances: 3
+ jobs:
+ - name: kubelet-windows
+ properties:
+ api-token: ((kubelet-password))
+ drain-api-token: ((kubelet-drain-password))
+ k8s-args:
+ cni-bin-dir: C:\var\vcap\jobs\kubelet-windows\packages\cni-windows\bin
+ container-runtime: docker
+ image-pull-progress-deadline: 20m
+ kubeconfig: C:\var\vcap\jobs\kubelet-windows\config\kubeconfig
+ network-plugin: cni
+ pod-infra-container-image: mcr.microsoft.com/k8s/core/pause:1.2.0
+ register-with-taints: windows=2019:NoSchedule
+ resolv-conf: ""
+ kubelet-configuration:
+ apiVersion: kubelet.config.k8s.io/v1beta1
+ authentication:
+ anonymous:
+ enabled: false
+ x509:
+ clientCAFile: C:\var\vcap\jobs\kubelet-windows\config\kubelet-client-ca.pem
+ authorization:
+ mode: Webhook
+ cgroupsPerQOS: false
+ clusterDNS:
+ - 10.100.200.10
+ clusterDomain: cluster.local
+ enforceNodeAllocatable: []
+ failSwapOn: false
+ kind: KubeletConfiguration
+ readOnlyPort: 0
+ serializeImagePulls: false
+ tlsCertFile: C:\var\vcap\jobs\kubelet-windows\config\kubelet.pem
+ tlsPrivateKeyFile: C:\var\vcap\jobs\kubelet-windows\config\kubelet-key.pem
+ tls:
+ kubelet: ((tls-kubelet))
+ kubelet-client-ca:
+ certificate: ((tls-kubelet-client.ca))
+ kubernetes: ((tls-kubernetes))
+ release: kubo-windows
+ - consumes:
+ flanneld:
+ from: worker-flanneld
+ name: flanneld-windows
+ properties:
+ tls:
+ etcdctl:
+ ca: ((tls-etcdctl-flanneld.ca))
+ certificate: ((tls-etcdctl-flanneld.certificate))
+ private_key: 
((tls-etcdctl-flanneld.private_key))
+ release: kubo-windows
+ - name: kube-proxy-windows
+ properties:
+ api-token: ((kube-proxy-password))
+ kube-proxy-configuration:
+ apiVersion: kubeproxy.config.k8s.io/v1alpha1
+ clientConnection:
+ kubeconfig: /var/vcap/jobs/kube-proxy-windows/config/kubeconfig
+ clusterCIDR: 10.200.0.0/16
+ kind: KubeProxyConfiguration
+ mode: kernelspace
+ portRange: ""
+ tls:
+ kubernetes: ((tls-kubernetes))
+ release: kubo-windows
+ - name: docker-windows
+ release: kubo-windows
+ name: windows-worker
+ networks:
+ - name: default
+ stemcell: windows
+ vm_type: worker
+- path: /addons/-
+ type: replace
+ value:
+ include:
+ stemcell:
+ - os: windows2019
+ jobs:
+ - name: kubo-dns-aliases
+ release: kubo
+ name: bosh-dns-aliases-windows
diff --git a/manifests/ops-files/windows/change-cidrs.yml b/manifests/ops-files/windows/change-cidrs.yml
new file mode 100644
index 00000000..768ff9d3
--- /dev/null
+++ b/manifests/ops-files/windows/change-cidrs.yml
@@ -0,0 +1,12 @@
+---
+- type: replace
+ path: /instance_groups/name=windows-worker/jobs/name=flanneld-windows/properties?/kubedns-service-ip
+ value: ((kubedns_service_ip))
+
+- type: replace
+ path: /instance_groups/name=windows-worker/jobs/name=kubelet-windows/properties/kubelet-configuration/clusterDNS?
+ value: [((kubedns_service_ip))]
+
+- type: replace
+ path: /instance_groups/name=windows-worker/jobs/name=kube-proxy-windows/properties/kube-proxy-configuration?/clusterCIDR?
+ value: ((pod_network_cidr))
diff --git a/manifests/ops-files/windows/enable-rdp.yml b/manifests/ops-files/windows/enable-rdp.yml
new file mode 100644
index 00000000..194893c9
--- /dev/null
+++ b/manifests/ops-files/windows/enable-rdp.yml
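Review bot: `kube-proxy-windows` points `clientConnection.kubeconfig` at `/var/vcap/jobs/kube-proxy-windows/config/kubeconfig` while every path in the kubelet-windows job of the same instance group uses the `C:\var\vcap\...` form; if the forward-slash path is relied on to resolve against the current drive, a comment next to it should say so, otherwise it should be written the same way as its siblings. The pause image `mcr.microsoft.com/k8s/core/pause:1.2.0` is pinned by mutable tag only; since windows/pause-image.yml in this commit already lets operators override it, a digest-pinned default (`mcr.microsoft.com/k8s/core/pause@sha256:<digest placeholder>`) would make the node bootstrap reproducible the way the `sha1`-pinned release above it already is. The kubelet settings `anonymous.enabled: false`, `authorization.mode: Webhook` and `readOnlyPort: 0` are the right defaults and are worth keeping in sync with the Linux worker's kubelet block in cfcr.yml, which isn't visible here.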
@@ -0,0 +1,30 @@
+- type: replace
+ path: /releases/-
+ value:
+ name: "windows-utilities"
+ version: "0.11.0"
+ url: "https://bosh.io/d/github.com/cloudfoundry-incubator/windows-utilities-release?v=0.11.0"
+ sha1: "efc10ac0f4acae23637ce2c6f864d20df2e3a781"
+
+- type: replace
+ path: /addons/-
+ value:
+ name: set-pw
+ include:
+ stemcell:
+ - os: windows1803
+ - os: windows1903
+ - os: windows2019
+ jobs:
+ - name: enable_rdp
+ release: windows-utilities
+ properties:
+ enable_rdp:
+ enabled: true
+ - name: enable_ssh
+ release: windows-utilities
+ - name: set_password
+ release: windows-utilities
+ properties:
+ set_password:
+ password: ((windows-rdp-password))
diff --git a/manifests/ops-files/windows/pause-image.yml b/manifests/ops-files/windows/pause-image.yml
new file mode 100644
index 00000000..c78df864
--- /dev/null
+++ b/manifests/ops-files/windows/pause-image.yml
@@ -0,0 +1,4 @@
+---
+- type: replace
+ path: /instance_groups/name=windows-worker/jobs/name=kubelet-windows/properties/k8s-args/pod-infra-container-image
+ value: ((windows-pause-image))
diff --git a/manifests/ops-files/windows/scale-to-one-az.yml b/manifests/ops-files/windows/scale-to-one-az.yml
new file mode 100644
index 00000000..020b45db
--- /dev/null
+++ b/manifests/ops-files/windows/scale-to-one-az.yml
@@ -0,0 +1,7 @@
+---
+- type: replace
+ path: /instance_groups/name=windows-worker/instances
+ value: 1
+- type: replace
+ path: /instance_groups/name=windows-worker/azs
+ value: [ z1 ]
diff --git a/manifests/ops-files/windows/use-hostgw.yml b/manifests/ops-files/windows/use-hostgw.yml
new file mode 100644
index 00000000..1a245b9c
--- /dev/null
+++ b/manifests/ops-files/windows/use-hostgw.yml
@@ -0,0 +1,4 @@
+---
+- type: replace
+ path: /instance_groups/name=windows-worker/jobs/name=flanneld-windows/properties?/backend-type
+ value: "win-bridge"
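Review bot: The addon is named `set-pw` but it enables RDP and SSH on every Windows VM of the deployment (three OS lines under `include.stemcell`) and sets one shared Administrator password from `((windows-rdp-password))`, and nothing in the file marks it as a debugging aid, so an operator applying it by name alone has no idea of its reach. A header comment stating the intent and the constraints — debugging only, remove from the ops-file list before the cluster is handed over, exposure still bounded by the IaaS security group — plus a name that matches what it does would close that gap. Whether `windows-rdp-password` is declared under `/variables` in cfcr.yml isn't visible here; if it isn't, an op such as `- type: replace` / `path: /variables/-` / `value: {name: windows-rdp-password, type: password}` would have the director generate it instead of it living in a vars file.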
diff --git a/manifests/ops-files/windows/use-overlay.yml b/manifests/ops-files/windows/use-overlay.yml
new file mode 100644
index 00000000..8c705389
--- /dev/null
+++ b/manifests/ops-files/windows/use-overlay.yml
@@ -0,0 +1,7 @@
+---
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=flanneld/properties?/vni
+ value: 4096
+- type: replace
+ path: /instance_groups/name=worker/jobs/name=flanneld/properties?/port
+ value: 4789
diff --git a/manifests/ops-files/windows/vm-types.yml b/manifests/ops-files/windows/vm-types.yml
new file mode 100644
index 00000000..72fc9e2d
--- /dev/null
+++ b/manifests/ops-files/windows/vm-types.yml
@@ -0,0 +1,3 @@
+- type: replace
+ path: /instance_groups/name=windows-worker/vm_type
+ value: ((windows_worker_vm_type))
diff --git a/manifests/ops-files/worker_count.yml b/manifests/ops-files/worker_count.yml
new file mode 100644
index 00000000..8ad0fbd6
--- /dev/null
+++ b/manifests/ops-files/worker_count.yml
@@ -0,0 +1,3 @@
+- type: replace
+ path: /instance_groups/name=worker/instances
+ value: ((worker_count))
diff --git a/spec/test_cert_duration_ops_file_spec.rb b/spec/test_cert_duration_ops_file_spec.rb
new file mode 100644
index 00000000..30f64d0e
--- /dev/null
+++ b/spec/test_cert_duration_ops_file_spec.rb
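Review bot: windows/use-overlay.yml changes the VXLAN `vni` and `port` of the Linux worker's flanneld job, not of anything under `windows-worker`, and the file carries no comment saying why a file in the windows/ directory edits the Linux worker; presumably the Windows overlay backend needs the Linux side to use VNI 4096 and UDP 4789 to interoperate. A header comment to that effect, e.g. `# Aligns the Linux worker flannel VXLAN settings with what the Windows overlay backend requires (vni 4096, port 4789); apply together with the Windows worker ops-files.`, would keep someone from "moving" the ops to the windows-worker group.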
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'rspec'
+require 'yaml'
+
+RSpec::Matchers.define :include_duration do |expected|
+ match do |actual|
+ actual["options"]["duration"] == expected
+ end
+end
+
+describe 'set-certificate-duration.yml' do
+
+ it 'modifies all the certificates generated by the CFCR base manifest' do
+ duration = 145200
+ manifest_dir = File.expand_path("../manifests", File.dirname(__FILE__))
+ bosh_int_output = %x(
+ bosh interpolate #{manifest_dir}/cfcr.yml --ops-file \
+ #{manifest_dir}/ops-files/set-certificate-duration.yml \
+ --var certificate-duration=#{duration}
+ )
+
+ yaml = YAML.safe_load(bosh_int_output)
+ certificates = yaml["variables"].select { |var| var["type"] == "certificate" }
+ expect(certificates).to all(include_duration(duration))
+ end
+end
From 4aad729a6f3260c765a8a79120ad9375ea730a42 Mon Sep 17 00:00:00 2001
From: Neil Hickey
Date: Thu, 1 Jul 2021 15:39:00 -0600
Subject: [PATCH 2/8] Add workflow
Signed-off-by: Neil Hickey
---
 .github/workflows/unit-test.yml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 .github/workflows/unit-test.yml
diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml
new file mode 100644
index 00000000..93ffb08d
--- /dev/null
+++ b/.github/workflows/unit-test.yml
@@ -0,0 +1,27 @@
+name: unit-tests
+
+on:
+ push:
+ branches: [ merge-kubo-deployment ]
+ pull_request:
+ branches: [ merge-kubo-deployment ]
+
+ workflow_dispatch:
+
+jobs:
+ kubo-release:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout kubo-release
+ uses: actions/checkout@v2
+ - name: Set up Ruby
+ uses: ruby/setup-ruby@v1
+ with:
+ ruby-version: 2.6
+ bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+ - name: Run tests
+ run: bundle exec rspec spec/*_spec.rb
+ - name: Install bosh-cli
+ run: brew install cloudfoundry/tap/bosh-cli
+ - name: Run tests
+ run: ./bin/run_tests
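Review bot: The `%x(...)` result is consumed without checking `$?`, so if `bosh interpolate` fails (CLI missing, bad ops-file path) `bosh_int_output` is empty, `YAML.safe_load` returns nil and the example dies on `nil["variables"]` with a NoMethodError instead of surfacing bosh's own error; add `expect($?).to be_success, bosh_int_output` directly after the `%x` call. `manifest_dir` is also interpolated unquoted into the shell line, which breaks on a checkout path containing spaces; writing `"#{manifest_dir}/cfcr.yml"` and `"#{manifest_dir}/ops-files/set-certificate-duration.yml"` fixes that. `YAML.safe_load` is the right loader for director output.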
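Review bot: `uses: actions/checkout@v2` and `uses: ruby/setup-ruby@v1` are pinned to floating major tags, so the job runs whatever those tags resolve to at the time, and this job goes on to run `bundle install` and repository scripts with the checkout's write token available; pinning each action to a full commit SHA with the tag kept in a trailing comment is the usual way to take that variable out of the CI supply chain. `ruby-version: 2.6` is a YAML float — it works for this value, but quoting it as `ruby-version: "2.6"` avoids the `3.10`→`3.1` class of surprise when the version is next bumped. The `on:` key is parsed as a boolean by generic YAML tooling; GitHub's loader handles it, so a yamllint `truthy` exemption is the only thing to add if the file is ever linted.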
From bf0ad7e1dfce8fd967330f19bfa6f0bd22dd999e Mon Sep 17 00:00:00 2001
From: Neil Hickey
Date: Thu, 1 Jul 2021 15:40:58 -0600
Subject: [PATCH 3/8] Refactor tests
Signed-off-by: Neil Hickey
---
 .github/workflows/unit-test.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml
index 93ffb08d..a6fc3059 100644
--- a/.github/workflows/unit-test.yml
+++ b/.github/workflows/unit-test.yml
@@ -19,9 +19,9 @@ jobs:
 with:
 ruby-version: 2.6
 bundler-cache: true # runs 'bundle install' and caches installed gems automatically
- - name: Run tests
- run: bundle exec rspec spec/*_spec.rb
 - name: Install bosh-cli
 run: brew install cloudfoundry/tap/bosh-cli
- - name: Run tests
+ - name: Run bosh-release tests
+ run: bundle exec rspec spec/*_spec.rb
+ - name: Run manifest tests
 run: ./bin/run_tests
From 2859bc7557841921d1417b85afe243ef8877a130 Mon Sep 17 00:00:00 2001
From: Neil Hickey
Date: Thu, 1 Jul 2021 15:44:39 -0600
Subject: [PATCH 4/8] Add bin folder
Signed-off-by: Neil Hickey
---
 .gitignore | 1 -
 bin/run_tests | 149 +++++++++++++++++++++++++++++++++++++++
 bin/test-standard-ops.sh | 87 +++++++++++++++++++++++
 3 files changed, 236 insertions(+), 1 deletion(-)
 create mode 100755 bin/run_tests
 create mode 100755 bin/test-standard-ops.sh
diff --git a/.gitignore b/.gitignore
index 9e683e55..8298f2be 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,7 +3,6 @@
 /.blobs
 /staging
 /blobs
-/bin
 /pkg
 /releases/*.tgz
 /dev_releases
diff --git a/bin/run_tests b/bin/run_tests
new file mode 100755
index 00000000..e21c84c3
--- /dev/null
+++ b/bin/run_tests
@@ -0,0 +1,149 @@
+#!/bin/bash
+
+# From https://github.com/cloudfoundry/cf-deployment/blob/master/scripts/test
+
+set -eu
+
+exit_code=0
+GREEN='\033[0;32m'
+LIGHT_GREEN='\033[0;92m'
+RED='\033[0;31m'
+LIGHT_RED='\033[1;31m'
+YELLOW='\033[0;93m'
+NOCOLOR='\033[0m'
+
+script_home="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+home="$( cd "${script_home}/.." && pwd )"
+
+# suite_name should be defined by each of our test suite functions
+suite_name="UNDEFINED"
+
+# Grab each of our test suites, exercised by test_opsfile_interpolation()
+for script in `ls ${script_home}/test-*.sh`; do
+ source $script
+done
+
+# If we get killed, kill backgrounded processes
+trap 'kill $(jobs -p) > /dev/null 2>&1' SIGTERM SIGINT
+
+fail() {
+ echo -e "${RED} FAIL - ${LIGHT_RED} $suite_name ${RED} - ${NOCOLOR} $1"
+ exit_code=1
+}
+
+pass() {
+ echo -e "${GREEN} PASS - ${YELLOW} $suite_name ${GREEN} - ${NOCOLOR} $1"
+}
+
+skip() {
+ echo -e "${YELLOW} SKIP - ${YELLOW} $suite_name ${GREEN} - ${NOCOLOR} $1"
+}
+
+interpolate() {
+ local tmp_creds_store
+ tmp_creds_store=$(mktemp)
+
+ bosh interpolate ${home}/manifests/cfcr.yml \
+ $@ \
+ -o ${home}/manifests/ops-files/misc/local-config-server.yml \
+ --vars-store ${tmp_creds_store} \
+ --var-errs \
+ --var-errs-unused > /dev/null
+ return $?
+}
+
+check_interpolation() {
+ if [[ ${1} == name:* ]]; then
+ name_under_test=$1
+ empty_string=""
+ ops_under_test="${name_under_test/name: /$empty_string}"; shift
+ else
+ ops_under_test="${1}"
+ fi
+
+ if interpolate "-o $@"; then
+ pass "${ops_under_test}"
+ else
+ fail "${ops_under_test}"
+ fi
+}
+
+test_opsfile_interpolation() {
+ test_standard_ops &
+ # test_experimental_ops &
+ # test_test_ops &
+ # test_legacy_ops &
+ # test_addons_ops &
+
+ for job in $(jobs -p); do
+ wait $job || exit_code=1
+ done
+}
+
+ensure_opsfiles_in_readme() {
+ local readme=$1
+ shift
+
+ suite_name="Readme Test"
+
+ pushd ${home} > /dev/null
+ for x in $@; do
+ local basename=$(echo $x | sed -e "s%$home/manifests/%%")
+ if [ $(grep \($basename\) $readme -c) != "0" ]; then
+ pass "$basename is in $(basename "$readme")"
+ else
+ fail "$basename does not appear in $(basename "$readme")"
+ fi
+ done;
+ popd > /dev/null
+}
+ensure_opsfiles_in_tests() {
+
+ local test=$1
+ shift
+
+ suite_name="$test"
+
+ pushd ${home} > /dev/null
+ for x in $@; do
+ local basename=$(basename $x)
+ if [ $basename == "set-certificate-duration.yml" ]; then
+ skip "$basename is ${YELLOW}SKIPPED${NOCOLOR} in $test"
+ else
+ if [ $(grep $basename ${script_home}/$test -c) != "0" ]; then
+ pass "$basename is tested in $test"
+ else
+ fail "$basename is ${RED}NOT${NOCOLOR} tested in $test"
+ fi
+ fi
+ done;
+ popd > /dev/null
+}
+
+main() {
+ echo
+ echo -e "${LIGHT_GREEN} ***** Begin rspec tests ***** ${NOCOLOR}"
+ project_root="$( cd "$( dirname "${BASH_SOURCE[0]}" )/../" && pwd )"
+ pushd "${project_root}" > /dev/null
+ bundle install
+ bundle exec rspec spec/*_spec.rb
+ popd > /dev/null
+
+ echo
+ echo -e "${LIGHT_GREEN} ***** Begin affirmative readme operations tests ***** ${NOCOLOR}"
+ local ops_files;
+ ops_files=$(ls ${home}/manifests/ops-files/*.yml ${home}/manifests/ops-files/iaas/{aws,azure,gcp,openstack,vsphere,virtualbox}/*.yml)
+ ensure_opsfiles_in_readme "$home/manifests/README.md"
"$ops_files"
+
+ echo
+ echo -e "${LIGHT_GREEN} ***** Begin test coverage analysis ***** ${NOCOLOR}"
+ ensure_opsfiles_in_tests "test-standard-ops.sh" "$ops_files"
+
+ echo
+ echo -e "${LIGHT_GREEN} ***** Begin interpolation operations tests ***** ${NOCOLOR}"
+ test_opsfile_interpolation
+
+ exit $exit_code
+}
+
+main
diff --git a/bin/test-standard-ops.sh b/bin/test-standard-ops.sh new file mode 100755
index 00000000..6808e19d
--- /dev/null
+++ b/bin/test-standard-ops.sh
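Review bot: `interpolate()` (it starts on the hunk's first physical line) creates `tmp_creds_store` with `mktemp` and passes it as `--vars-store`, which is where `bosh interpolate` writes the generated variables — the manifest's `certificate` variables include private keys — but nothing ever removes the file, so every `check_interpolation` call leaves a credential file in the system temp directory, on developer machines and on CI runners alike. Capture the bosh exit status, delete the store, then return the status, as sketched below. Separately, `ensure_opsfiles_in_tests` measures coverage with `grep $basename ${script_home}/$test -c`, where the unescaped `.` in a name such as `lb.yml` is a regex wildcard and any substring match counts, so a file that is only mentioned as part of a longer name is reported as tested; `grep -F -c -- "$basename"` tightens that. The `for script in \`ls ...\`` loop can simply iterate the glob `"${script_home}"/test-*.sh`.
```shell
interpolate() {
  local tmp_creds_store rc=0
  tmp_creds_store=$(mktemp)

  # … unchanged: bosh interpolate ${home}/manifests/cfcr.yml with $@, -o local-config-server.yml, --vars-store, --var-errs …
  --var-errs-unused > /dev/null || rc=$?

  # the vars-store now holds generated certificates and keys: remove it before returning
  rm -f "${tmp_creds_store}"
  return "$rc"
}
```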
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+test_standard_ops() {
+ # Padded for pretty output
+ suite_name="STANDARD "
+
+ pushd ${home}/manifests > /dev/null
+ pushd ops-files > /dev/null
+ if interpolate ""; then
+ pass "cfcr.yml"
+ else
+ fail "cfcr.yml"
+ fi
+
+ # CI & wrapper scripts
+ check_interpolation "misc/bootstrap.yml" "-l example-vars-files/misc/bootstrap.yml"
+ check_interpolation "misc/bootstrap.yml" "-o misc/dev.yml" "-l example-vars-files/misc/bootstrap.yml"
+
+ # BOSH
+ check_interpolation "rename.yml" "-v deployment_name=fubar"
+ check_interpolation "vm-types.yml" "-v master_vm_type=master" "-v worker_vm_type=worker" "-v apply_addons_vm_type=addons"
+ check_interpolation "add-vm-extensions-to-master.yml"
+ check_interpolation "use-vm-extensions.yml" "-v deployment_name=cfcr"
+ check_interpolation "worker_count.yml" "-v worker_count=4"
+ check_interpolation "non-precompiled-releases.yml"
+ check_interpolation "use-persistent-disk-for-workers.yml" "-v disk_size=1000"
+ check_interpolation "disable-swap.yml"
+
+ # Infrastructure
+ check_interpolation "iaas/aws/cloud-provider.yml"
+ check_interpolation "iaas/aws/lb.yml" "-v kubernetes_cluster_tag=test"
+ check_interpolation "name:iaas/aws/add-master-credentials.yml" "iaas/aws/cloud-provider.yml" "-o iaas/aws/add-master-credentials.yml" "-v aws_access_key_id_master=access-key-id" "-v aws_secret_access_key_master=secret-access-key"
+ check_interpolation "name:iaas/aws/add-worker-credentials.yml" "iaas/aws/cloud-provider.yml" "-o iaas/aws/add-worker-credentials.yml" "-v aws_access_key_id_worker=access-key-id" "-v aws_secret_access_key_worker=secret-access-key"
+ check_interpolation "iaas/azure/cloud-provider.yml" "-l example-vars-files/iaas/azure/cloud-provider.yml"
+ check_interpolation "name:iaas/azure/use-credentials" "iaas/azure/cloud-provider.yml" "-o iaas/azure/use-credentials.yml " "-l example-vars-files/iaas/azure/cloud-provider.yml" "-v client_id=client" "-v client_secret=secret"
+ check_interpolation
"iaas/gcp/cloud-provider.yml" "-l example-vars-files/iaas/gcp/cloud-provider.yml"
+ check_interpolation "name:iaas/gcp/add-subnetwork-for-internal-load-balancer.yml" "iaas/gcp/cloud-provider.yml" "-o iaas/gcp/add-subnetwork-for-internal-load-balancer.yml" "-v subnetwork=foo" "-l example-vars-files/iaas/gcp/cloud-provider.yml"
+ check_interpolation "name:iaas/gcp/add-service-key-master.yml" "iaas/gcp/cloud-provider.yml" "-o iaas/gcp/add-service-key-master.yml" "-v service_key_master=foo" "-l example-vars-files/iaas/gcp/cloud-provider.yml"
+ check_interpolation "name:iaas/gcp/add-service-key-worker.yml" "iaas/gcp/cloud-provider.yml" "-o iaas/gcp/add-service-key-worker.yml" "-v service_key_worker=foo" "-l example-vars-files/iaas/gcp/cloud-provider.yml"
+ check_interpolation "iaas/openstack/master-static-ip.yml" "-v kubernetes_master_host=10.11.12.13"
+ check_interpolation "iaas/openstack/cloud-provider.yml" "-l example-vars-files/iaas/openstack/cloud-provider.yml"
+ check_interpolation "iaas/vsphere/cloud-provider.yml" "-l example-vars-files/iaas/vsphere/cloud-provider.yml"
+ check_interpolation "name:iaas/vsphere/set-working-dir-no-rp.yml" "iaas/vsphere/cloud-provider.yml" "-o iaas/vsphere/set-working-dir-no-rp.yml" "-l example-vars-files/iaas/vsphere/set-working-dir-no-rp.yml"
+ check_interpolation "iaas/vsphere/master-static-ip.yml" "-v kubernetes_master_host=10.11.12.13"
+ check_interpolation "iaas/vsphere/use-vm-extensions.yml"
+ check_interpolation "iaas/virtualbox/bosh-lite.yml"
+ check_interpolation "iaas/azure/subnet.yml"
+ check_interpolation "iaas/azure/use-cifs.yml"
+
+ # HTTP proxy options
+ check_interpolation "add-proxy.yml" "-v http_proxy=10.10.10.10:8000 -v https_proxy=10.10.10.10:8000 -v no_proxy=localhost,127.0.0.1"
+
+ # Syslog
+ check_interpolation "add-syslog.yml" "-l example-vars-files/add-syslog.yml"
+ check_interpolation "name:add-syslog-tls.yml" "add-syslog.yml" "-o add-syslog-tls.yml" "-l example-vars-files/add-syslog.yml" "-l
example-vars-files/add-syslog-tls.yml"
+
+ # Kubernetes
+ check_interpolation "add-hostname-to-master-certificate.yml" "-v api-hostname=example.com"
+ check_interpolation "add-oidc-endpoint.yml" "-l example-vars-files/misc/oidc.yml"
+ check_interpolation "change-audit-log-flags.yml" "-l example-vars-files/change-audit-log-flags.yml"
+ check_interpolation "addons-spec.yml" "-v addons-spec={}"
+ check_interpolation "allow-privileged-containers.yml"
+ check_interpolation "change-cidrs.yml" "-l example-vars-files/new-cidrs.yml"
+ check_interpolation "disable-anonymous-auth.yml"
+ check_interpolation "enable-denyescalatingexec.yml"
+ check_interpolation "enable-podsecuritypolicy.yml"
+ check_interpolation "enable-securitycontextdeny.yml"
+ check_interpolation "enable-encryption-config.yml" "-v encryption-config=encryption-config.yml"
+ check_interpolation "enable-csi-shared-mounts.yml"
+ check_interpolation "use-hostgw.yml"
+ check_interpolation "set-fs-inotify-limit.yml" "-l example-vars-files/fs-inotify-limit.yml"
+
+ # Etcd
+ check_interpolation "change-etcd-metrics-url.yml" "-v etcd_metrics_protocol=http -v etcd_metrics_port=2378"
+
+ # BBR
+ check_interpolation "enable-bbr.yml"
+
+ # Dev
+ check_interpolation "kubo-local-release.yml"
+
+ # NFS
+ check_interpolation "enable-nfs.yml"
+ popd > /dev/null # operations
+ popd > /dev/null
+ exit $exit_code
+}
From 87cd6abbc3454452cec99d1a24200bd4ea0bfa7e Mon Sep 17 00:00:00 2001 From: Neil Hickey Date: Thu, 1 Jul 2021 16:20:25 -0600 Subject: [PATCH 5/8] Remove kubo-deployment from CI - Also removes unit-tests as these are now covered by Github Actions Signed-off-by: Neil Hickey
--- ci/pipelines/build-kubo.yml | 64 +------------------------------------ 1 file changed, 1 insertion(+), 63 deletions(-)
diff --git a/ci/pipelines/build-kubo.yml b/ci/pipelines/build-kubo.yml
index 0b01abf4..e073a75a 100644
--- a/ci/pipelines/build-kubo.yml
+++ b/ci/pipelines/build-kubo.yml
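Review bot: `test_standard_ops` ends with `exit $exit_code`, which only works because `run_tests` launches it in the background (`test_standard_ops &`); invoked in the foreground from a sourced shell it terminates the whole runner instead of reporting a result. `return $exit_code` hands the same status to `wait $job` and is safe in both situations. Also, the argument `"-o iaas/azure/use-credentials.yml "` carries a trailing space and `"-v http_proxy=10.10.10.10:8000 -v https_proxy=10.10.10.10:8000 -v no_proxy=localhost,127.0.0.1"` packs three options into one word; both only work because `interpolate` expands `$@` unquoted, so quoting that expansion later would silently break these cases — pass each option as its own argument, as the neighbouring lines do.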
@@ -31,21 +31,11 @@ resources: branch: master private_key: ((git-ssh-key.private_key)) -- name: git-kubo-deployment - type: git - source: - uri: git@github.com:cloudfoundry-incubator/kubo-deployment.git - branch: develop - private_key: ((git-ssh-key.private_key)) - ignore_paths: - - 'LICENSE' - - 'NOTICE' - - name: git-kubo-release type: git source: uri: git@github.com:cloudfoundry-incubator/kubo-release.git - branch: develop + branch: merge-kubo-deployment private_key: ((git-ssh-key.private_key)) ignore_paths: - 'ci' @@ -83,13 +73,6 @@ resources: deployment: compilation-windows skip_check: true -- name: gcs-kubo-deployment-tarball-untested - type: gcs - source: - json_key: ((gcs-json-key)) - bucket: kubo-pipeline-store - regexp: dev-builds/kubo-deployment-(.*).tgz - - name: gcs-kubo-release-tarball-untested type: gcs source: @@ -104,38 +87,7 @@ resources: bucket: kubo-pipeline-store regexp: dev-windows-builds/kubo-.*-windows2019-.*-(.*).tgz -- name: slack-alert - type: slack-notification - source: - url: ((build-alert-slack-url)) - jobs: -- name: run-unit-tests-release - plan: - - get: git-kubo-ci - - get: git-kubo-release - trigger: true - - task: run-release-unit-tests - file: git-kubo-ci/tasks/run-release-unit-tests.yml - on_failure: &on_failure_alert - do: - - task: configure-slack-notification - file: git-kubo-ci/tasks/configure-slack-notification.yml - - put: slack-alert - params: - attachments_file: slack-notification/attachments - text: | - Build Failed. https://ci.kubo.sh/teams/$BUILD_TEAM_NAME/pipelines/$BUILD_PIPELINE_NAME/jobs/$BUILD_JOB_NAME/builds/$BUILD_NAME - -- name: run-unit-tests-deployment - plan: - - get: git-kubo-ci - - get: git-kubo-deployment - trigger: true - - task: run-deployment-unit-tests - file: git-kubo-ci/tasks/run-deployment-unit-tests.yml - on_failure: *on_failure_alert - - name: build plan: - in_parallel: 
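Review bot: Removing the `slack-alert` resource and the `&on_failure_alert` anchor in hunk `@@ -104,38 +87,7 @@` (with the matching `*on_failure_alert` aliases dropped in the `@@ -147`, `@@ -181` and `@@ -207` hunks on the next line) leaves the `build` job with no failure notification at all, which the commit message ("Remove kubo-deployment from CI … removes unit-tests") does not mention. If that is intended, a sentence in the description would make it deliberate; otherwise keep the `slack-alert` resource and re-attach `on_failure` to the remaining build tasks. The `build` job also now triggers straight from `git-kubo-release` without the `passed: [ 'run-unit-tests-release' ]` gate, so the Concourse build no longer waits for a green unit-test run; whether the GitHub Actions workflow is enforced as a required check is not visible here.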
@@ -147,18 +99,11 @@ jobs: - get: git-kubo-windows-release trigger: true - get: git-kubo-release - passed: [ 'run-unit-tests-release' ] - trigger: true - - get: git-kubo-deployment - passed: [ 'run-unit-tests-deployment' ] trigger: true - in_parallel: - do: - task: build-kubo-release file: git-kubo-ci/tasks/build-kubo-release.yml - on_failure: *on_failure_alert - params: - release: kubo - task: generate-compilation-manifest file: git-kubo-ci/tasks/generate-compilation-manifest.yml params: @@ -181,7 +126,6 @@ jobs: - do: - task: build-kubo-windows-release file: git-kubo-ci/tasks/build-kubo-release.yml - on_failure: *on_failure_alert input_mapping: {git-kubo-release: git-kubo-windows-release} output_mapping: {kubo-release: kubo-windows-release} params: @@ -207,9 +151,6 @@ jobs: gcs-source-json: director-source-json compilation-deployment: compilation-deployment-windows output_mapping: {compiled-releases: compiled-releases-windows} - - task: build-kubo-deployment-tarball - file: git-kubo-ci/tasks/build-kubo-deployment-tarball.yml - on_failure: *on_failure_alert - put: gcs-kubo-release-tarball-untested attempts: 10 params: @@ -218,9 +159,6 @@ jobs: attempts: 10 params: file: compiled-releases-windows/kubo-*.tgz - - put: gcs-kubo-deployment-tarball-untested - params: - file: kubo-deployment-tarball/kubo-deployment*.tgz - name: bump-version plan: From 8f14a1a1798fd4010c26fe4acd01785c134fa324 Mon Sep 17 00:00:00 2001 From: Neil Hickey Date: Fri, 2 Jul 2021 10:22:51 -0600 Subject: [PATCH 6/8] Update bump-stemcell to remove kubo-deployment Signed-off-by: Neil Hickey --- ci/pipelines/bump-stemcell.yml | 23 ++++++++++------------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/ci/pipelines/bump-stemcell.yml b/ci/pipelines/bump-stemcell.yml index 90ae3b18..7e180f3e 100644 --- a/ci/pipelines/bump-stemcell.yml +++ b/ci/pipelines/bump-stemcell.yml 
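Review bot: In hunk `@@ -147,18 +99,11 @@` the `params:` / `release: kubo` block is removed from the `build-kubo-release` task together with its `on_failure`, while the windows variant in `@@ -181,7 +126,6 @@` keeps its `params:`; unless `git-kubo-ci/tasks/build-kubo-release.yml` defaults `release` to `kubo`, the task now runs without a value it previously received. That task file lives in kubo-ci and is not visible in this diff, so please confirm the default or restore `params:` with `release: kubo` here.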
@@ -13,7 +13,7 @@ resources: - name: stemcell type: bosh-io-stemcell source: - name: bosh-google-kvm-ubuntu-xenial-go_agent + name: bosh-google-kvm-ubuntu-bionic-go_agent - name: git-kubo-ci type: git @@ -22,15 +22,12 @@ resources: branch: master private_key: ((git-ssh-key.private_key)) -- name: git-kubo-deployment +- name: git-kubo-release type: git source: - uri: git@github.com:cloudfoundry-incubator/kubo-deployment.git - branch: develop + uri: git@github.com:cloudfoundry-incubator/kubo-release + branch: merge-kubo-deployment private_key: ((git-ssh-key.private_key)) - ignore_paths: - - 'LICENSE' - - 'NOTICE' - name: gcs-precompiled-cfcr-etcd-untested type: gcs @@ -71,7 +68,7 @@ jobs: plan: - in_parallel: - get: git-kubo-ci - - get: git-kubo-deployment + - get: git-kubo-release - get: gcs-source-json - get: stemcell resource: stemcell @@ -81,7 +78,7 @@ jobs: - task: generate-compilation-manifest file: git-kubo-ci/tasks/generate-compilation-manifest.yml input_mapping: - git-kubo-deployment: git-kubo-deployment-output + git-kubo-release: git-kubo-release-output params: RELEASE_LIST: "docker cfcr-etcd bpm" - put: compilation-deployment @@ -93,7 +90,7 @@ jobs: - task: export file: git-kubo-ci/tasks/export-release.yml input_mapping: - git-kubo-deployment: git-kubo-deployment-output + git-kubo-release: git-kubo-release-output params: RELEASE_LIST: "docker cfcr-etcd bpm" - in_parallel: @@ -109,10 +106,10 @@ jobs: - task: bump-precompiled-releases-in-manifest file: git-kubo-ci/tasks/bump-precompiled-releases-in-manifest.yml input_mapping: - git-kubo-deployment: git-kubo-deployment-output + git-kubo-release: git-kubo-release-output params: RELEASE_LIST: "docker cfcr-etcd bpm" - - put: git-kubo-deployment + - put: git-kubo-release params: merge: true - repository: git-kubo-deployment-output + repository: git-kubo-release-output From 81fe382da4d94795d4089f211709e85fba3e9a50 Mon Sep 17 00:00:00 2001 
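Review bot: The stemcell line `name: bosh-google-kvm-ubuntu-bionic-go_agent` moves the OS line from xenial to bionic, which is unrelated to removing kubo-deployment and is absent from the commit message, so it is easy to miss in a rename-only review. Either split it into its own commit or add a sentence to the description so the change is deliberate and searchable.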
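Review bot: The `input_mapping` entries are renamed to `git-kubo-release: git-kubo-release-output` in the `@@ -81`, `@@ -93` and `@@ -109` hunks (and throughout `bump-bosh-releases.yml` in a later patch of this series), but the left-hand name must match the input that the task declares in `git-kubo-ci/tasks/*.yml`, which is outside this diff; if those task files still declare `git-kubo-deployment`, the mapping is ignored and the task fails for a missing input. Please confirm the kubo-ci side was updated in step. Minor: the `uri` here omits the `.git` suffix that `build-kubo.yml` uses for the same repository; harmless, but worth aligning.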
From: Neil Hickey Date: Fri, 2 Jul 2021 10:42:31 -0600 Subject: [PATCH 7/8] Update branch Signed-off-by: Neil Hickey --- ci/pipelines/build-kubo.yml | 2 +- ci/pipelines/bump-bosh-releases.yml | 61 ++++++++++++----------------- ci/pipelines/bump-stemcell.yml | 2 +- 3 files changed, 28 insertions(+), 37 deletions(-) diff --git a/ci/pipelines/build-kubo.yml b/ci/pipelines/build-kubo.yml index e073a75a..845a1cbe 100644 --- a/ci/pipelines/build-kubo.yml +++ b/ci/pipelines/build-kubo.yml @@ -35,7 +35,7 @@ resources: type: git source: uri: git@github.com:cloudfoundry-incubator/kubo-release.git - branch: merge-kubo-deployment + branch: develop private_key: ((git-ssh-key.private_key)) ignore_paths: - 'ci' diff --git a/ci/pipelines/bump-bosh-releases.yml b/ci/pipelines/bump-bosh-releases.yml index 90ca2cec..2ed5f641 100644 --- a/ci/pipelines/bump-bosh-releases.yml +++ b/ci/pipelines/bump-bosh-releases.yml @@ -15,13 +15,13 @@ resources: type: git source: uri: https://github.com/cloudfoundry-incubator/kubo-ci - branch: ((kubo-ci-branch)) + branch: master -- name: git-kubo-deployment +- name: git-kubo-release type: git source: - uri: git@github.com:cloudfoundry-incubator/kubo-deployment.git - branch: ((kubo-deployment.branch)) + uri: git@github.com:cloudfoundry-incubator/kubo-release.git + branch: develop private_key: ((git-ssh-key.private_key)) - name: cfcr-etcd-release @@ -71,21 +71,14 @@ resources: source: json_key: ((gcs-json-key)) bucket: kubo-pipeline-store - versioned_file: gaffer-env/source.json - -- name: gcs-compilation-source-json - type: gcs - source: - json_key: ((gcs-json-key)) - bucket: kubo-pipeline-store - versioned_file: gcp-compilation-env/source.json + versioned_file: source.json jobs: - name: bump-bpm-release plan: - in_parallel: - get: git-kubo-ci - - get: git-kubo-deployment + - get: git-kubo-release - get: gcs-source-json - get: bpm-release trigger: true 
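Review bot: In hunk `@@ -15,13 +15,13 @@` of `bump-bosh-releases.yml`, `branch: ((kubo-ci-branch))` becomes the literal `master` and the deployment branch parameter becomes the literal `develop`, so the pipeline can no longer be pointed at another branch through its variables file. If that flexibility is still wanted, keep `branch: ((kubo-ci-branch))` and introduce a `((kubo-release-branch))` variable for the new resource instead of hardcoding; if the parameters were unused, a sentence in the description saying so would settle it.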
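Review bot: Dropping the `gcs-compilation-source-json` resource and changing `gcs-source-json` from `versioned_file: gaffer-env/source.json` to `versioned_file: source.json` in hunk `@@ -71,21 +71,14 @@` means every `compilation-deployment` put (the `source_file: gcs-source-json/source.json` lines in the `@@ -98`, `@@ -141` and `@@ -185` hunks on the following lines) now reads director credentials from a different object than before, and the export task no longer maps `gcs-source-json: gcs-compilation-source-json`. Whether `source.json` at the bucket root points at the intended compilation director cannot be checked from the diff; please confirm the object exists and that the per-environment split was meant to go away.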
@@ -98,17 +91,17 @@ jobs: - task: generate-compilation-manifest file: git-kubo-ci/tasks/generate-compilation-manifest.yml input_mapping: - git-kubo-deployment: git-kubo-deployment-output + git-kubo-release: git-kubo-release-output params: RELEASE_LIST: "bpm" - put: compilation-deployment params: manifest: compilation-manifest/manifest.yml - source_file: gcs-compilation-source-json/source.json + source_file: gcs-source-json/source.json - task: export file: git-kubo-ci/tasks/export-release.yml input_mapping: - git-kubo-deployment: git-kubo-deployment-output + git-kubo-release: git-kubo-release-output params: RELEASE_LIST: "bpm" - put: gcs-precompiled-bpm-untested @@ -117,18 +110,18 @@ jobs: - task: bump-precompiled-releases-in-manifest file: git-kubo-ci/tasks/bump-precompiled-releases-in-manifest.yml input_mapping: - git-kubo-deployment: git-kubo-deployment-output + git-kubo-release: git-kubo-release-output params: RELEASE_LIST: "bpm" - - put: git-kubo-deployment + - put: git-kubo-release params: - repository: git-kubo-deployment-output + repository: git-kubo-release-output - name: bump-etcd-release plan: - in_parallel: - get: git-kubo-ci - - get: git-kubo-deployment + - get: git-kubo-release - get: gcs-source-json - get: cfcr-etcd-release trigger: true @@ -141,17 +134,17 @@ jobs: - task: generate-compilation-manifest file: git-kubo-ci/tasks/generate-compilation-manifest.yml input_mapping: - git-kubo-deployment: git-kubo-deployment-output + git-kubo-release: git-kubo-release-output params: RELEASE_LIST: "cfcr-etcd" - put: compilation-deployment params: manifest: compilation-manifest/manifest.yml - source_file: gcs-compilation-source-json/source.json + source_file: gcs-source-json/source.json - task: export file: git-kubo-ci/tasks/export-release.yml input_mapping: - git-kubo-deployment: git-kubo-deployment-output + git-kubo-release: git-kubo-release-output params: RELEASE_LIST: "cfcr-etcd" - put: gcs-precompiled-cfcr-etcd-untested 
@@ -160,20 +153,19 @@ jobs: - task: bump-precompiled-releases-in-manifest file: git-kubo-ci/tasks/bump-precompiled-releases-in-manifest.yml input_mapping: - git-kubo-deployment: git-kubo-deployment-output + git-kubo-release: git-kubo-release-output params: RELEASE_LIST: "cfcr-etcd" - - put: git-kubo-deployment + - put: git-kubo-release params: - repository: git-kubo-deployment-output + repository: git-kubo-release-output - name: bump-docker-boshrelease plan: - in_parallel: - get: git-kubo-ci - - get: git-kubo-deployment + - get: git-kubo-release - get: gcs-source-json - - get: gcs-compilation-source-json - get: docker-boshrelease trigger: true - task: bump-kubo-docker @@ -185,18 +177,17 @@ jobs: - task: generate-compilation-manifest file: git-kubo-ci/tasks/generate-compilation-manifest.yml input_mapping: - git-kubo-deployment: git-kubo-deployment-output + git-kubo-release: git-kubo-release-output params: RELEASE_LIST: "docker" - put: compilation-deployment params: manifest: compilation-manifest/manifest.yml - source_file: gcs-compilation-source-json/source.json + source_file: gcs-source-json/source.json - task: export file: git-kubo-ci/tasks/export-release.yml input_mapping: - git-kubo-deployment: git-kubo-deployment-output - gcs-source-json: gcs-compilation-source-json + git-kubo-release: git-kubo-release-output params: RELEASE_LIST: "docker" JOBS_LIST: containers docker flannel sanity-tests swarm-agent swarm-manager @@ -206,9 +197,9 @@ jobs: - task: bump-precompiled-releases-in-manifest file: git-kubo-ci/tasks/bump-precompiled-releases-in-manifest.yml input_mapping: - git-kubo-deployment: git-kubo-deployment-output + git-kubo-release: git-kubo-release-output params: RELEASE_LIST: "docker" - - put: git-kubo-deployment + - put: git-kubo-release params: - repository: git-kubo-deployment-output + repository: git-kubo-release-output diff --git a/ci/pipelines/bump-stemcell.yml b/ci/pipelines/bump-stemcell.yml index 7e180f3e..b17bb6b3 100644 
--- a/ci/pipelines/bump-stemcell.yml +++ b/ci/pipelines/bump-stemcell.yml @@ -26,7 +26,7 @@ resources: type: git source: uri: git@github.com:cloudfoundry-incubator/kubo-release - branch: merge-kubo-deployment + branch: develop private_key: ((git-ssh-key.private_key)) - name: gcs-precompiled-cfcr-etcd-untested From 01f8a7e822cc4f91069d2fdbe78dcc2699f2dd9f Mon Sep 17 00:00:00 2001 From: Neil Hickey Date: Fri, 2 Jul 2021 10:44:15 -0600 Subject: [PATCH 8/8] update workflow to remove branch Signed-off-by: Neil Hickey --- .github/workflows/unit-test.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml index a6fc3059..fce433c9 100644 --- a/.github/workflows/unit-test.yml +++ b/.github/workflows/unit-test.yml @@ -2,9 +2,9 @@ name: unit-tests on: push: - branches: [ merge-kubo-deployment ] + branches: [ develop ] pull_request: - branches: [ merge-kubo-deployment ] + branches: [ develop ] workflow_dispatch: