From 6d624c7ad58de9112bddcd62c3ae2e83c460c8dd Mon Sep 17 00:00:00 2001 From: Kashif Saadat Date: Fri, 6 Oct 2017 17:52:19 +0100 Subject: [PATCH 1/8] Add Calico v2.5 support for Kubernetes v1.8+ --- .../k8s-1.8.yaml.template | 439 ++++++++++++++++++ .../pkg/fi/cloudup/bootstrapchannelbuilder.go | 32 +- 2 files changed, 464 insertions(+), 7 deletions(-) create mode 100644 upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.8.yaml.template diff --git a/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.8.yaml.template b/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.8.yaml.template new file mode 100644 index 0000000000..eea3a281d3 --- /dev/null +++ b/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.8.yaml.template 
@@ -0,0 +1,439 @@ +# This ConfigMap can be used to configure a self-hosted Canal installation. +kind: ConfigMap +apiVersion: v1 +metadata: + name: canal-config + namespace: kube-system +data: + # The interface used by canal for host <-> host communication. + # If left blank, then the interface is chosen using the node's + # default route. + canal_iface: "" + + # Whether or not to masquerade traffic to destinations not within + # the pod network. + masquerade: "true" + + # The CNI network configuration to install on each node. + cni_network_config: |- + { + "name": "k8s-pod-network", + "cniVersion": "0.1.0", + "type": "calico", + "log_level": "info", + "datastore_type": "kubernetes", + "nodename": "__KUBERNETES_NODE_NAME__", + "ipam": { + "type": "host-local", + "subnet": "usePodCidr" + }, + "policy": { + "type": "k8s", + "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__" + }, + "kubernetes": { + "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__", + "kubeconfig": "__KUBECONFIG_FILEPATH__" + } + } + + # Flannel network configuration. Mounted into the flannel container. + net-conf.json: | + { + "Network": "{{ .NonMasqueradeCIDR }}", + "Backend": { + "Type": "vxlan" + } + } + +--- + +# This manifest installs the calico/node container, as well +# as the Calico CNI plugins and network config on +# each master and worker node in a Kubernetes cluster. +kind: DaemonSet +apiVersion: extensions/v1beta1 +metadata: + name: canal + namespace: kube-system + labels: + k8s-app: canal +spec: + selector: + matchLabels: + k8s-app: canal + template: + metadata: + labels: + k8s-app: canal + annotations: + scheduler.alpha.kubernetes.io/critical-pod: '' + spec: + hostNetwork: true + serviceAccountName: canal + tolerations: + # Allow the pod to run on the master. This is required for + # the master to communicate with pods. + - key: node-role.kubernetes.io/master + effect: NoSchedule + # Mark the pod as a critical add-on for rescheduling. 
+ - key: "CriticalAddonsOnly" + operator: "Exists" + containers: + # Runs calico/node container on each Kubernetes node. This + # container programs network policy and routes on each + # host. + - name: calico-node + image: quay.io/calico/node:v2.5.1 + env: + # Use Kubernetes API as the backing datastore. + - name: DATASTORE_TYPE + value: "kubernetes" + # Enable felix logging. + - name: FELIX_LOGSEVERITYSYS + value: "info" + # Don't enable BGP. + - name: CALICO_NETWORKING_BACKEND + value: "none" + # Cluster type to identify the deployment type + - name: CLUSTER_TYPE + value: "kops,canal" + # Disable file logging so `kubectl logs` works. + - name: CALICO_DISABLE_FILE_LOGGING + value: "true" + # Period, in seconds, at which felix re-applies all iptables state + - name: FELIX_IPTABLESREFRESHINTERVAL + value: "60" + # Disable IPV6 support in Felix. + - name: FELIX_IPV6SUPPORT + value: "false" + # Wait for the datastore. + - name: WAIT_FOR_DATASTORE + value: "true" + # No IP address needed. + - name: IP + value: "" + - name: NODENAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + # Set Felix endpoint to host default action to ACCEPT. 
+ - name: FELIX_DEFAULTENDPOINTTOHOSTACTION + value: "{{- or .Networking.Canal.DefaultEndpointToHostAction "ACCEPT" }}" + # Controls whether Felix inserts rules to the top of iptables chains, or appends to the bottom + - name: FELIX_CHAININSERTMODE + value: "{{- or .Networking.Canal.ChainInsertMode "insert" }}" + # Set to enable the experimental Prometheus metrics server + - name: FELIX_PROMETHEUSMETRICSENABLED + value: "{{- or .Networking.Canal.PrometheusMetricsEnabled "false" }}" + # TCP port that the Prometheus metrics server should bind to + - name: FELIX_PROMETHEUSMETRICSPORT + value: "{{- or .Networking.Canal.PrometheusMetricsPort "9091" }}" + # Enable Prometheus Go runtime metrics collection + - name: FELIX_PROMETHEUSGOMETRICSENABLED + value: "{{- or .Networking.Canal.PrometheusGoMetricsEnabled "true" }}" + # Enable Prometheus process metrics collection + - name: FELIX_PROMETHEUSPROCESSMETRICSENABLED + value: "{{- or .Networking.Canal.PrometheusProcessMetricsEnabled "true" }}" + - name: FELIX_HEALTHENABLED + value: "true" + securityContext: + privileged: true + resources: + limits: + cpu: 250m + requests: + cpu: 250m + livenessProbe: + httpGet: + path: /liveness + port: 9099 + periodSeconds: 10 + initialDelaySeconds: 10 + failureThreshold: 6 + readinessProbe: + httpGet: + path: /readiness + port: 9099 + periodSeconds: 10 + volumeMounts: + - mountPath: /lib/modules + name: lib-modules + readOnly: true + - mountPath: /var/run/calico + name: var-run-calico + readOnly: false + # This container installs the Calico CNI binaries + # and CNI network config file on each node. + - name: install-cni + image: quay.io/calico/cni:v1.10.0 + command: ["/install-cni.sh"] + env: + # The CNI network config to install on each node. 
+ - name: CNI_NETWORK_CONFIG + valueFrom: + configMapKeyRef: + name: canal-config + key: cni_network_config + - name: KUBERNETES_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + # This container runs flannel using the kube-subnet-mgr backend + # for allocating subnets. + - name: kube-flannel + image: quay.io/coreos/flannel:v0.8.0 + command: [ "/opt/bin/flanneld", "--ip-masq", "--kube-subnet-mgr" ] + securityContext: + privileged: true + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: FLANNELD_IFACE + valueFrom: + configMapKeyRef: + name: canal-config + key: canal_iface + - name: FLANNELD_IP_MASQ + valueFrom: + configMapKeyRef: + name: canal-config + key: masquerade + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 100m + memory: 100Mi + volumeMounts: + - name: run + mountPath: /run + - name: flannel-cfg + mountPath: /etc/kube-flannel/ + volumes: + # Used by calico/node. + - name: lib-modules + hostPath: + path: /lib/modules + - name: var-run-calico + hostPath: + path: /var/run/calico + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: /opt/cni/bin + - name: cni-net-dir + hostPath: + path: /etc/cni/net.d + # Used by flannel. + - name: run + hostPath: + path: /run + - name: flannel-cfg + configMap: + name: canal-config + + +# Create all the CustomResourceDefinitions needed for +# Calico policy-only mode. 
+--- + +apiVersion: apiextensions.k8s.io/v1beta1 +description: Calico Global Felix Configuration +kind: CustomResourceDefinition +metadata: + name: globalfelixconfigs.crd.projectcalico.org +spec: + scope: Cluster + group: crd.projectcalico.org + version: v1 + names: + kind: GlobalFelixConfig + plural: globalfelixconfigs + singular: globalfelixconfig + +--- + +apiVersion: apiextensions.k8s.io/v1beta1 +description: Calico Global BGP Configuration +kind: CustomResourceDefinition +metadata: + name: globalbgpconfigs.crd.projectcalico.org +spec: + scope: Cluster + group: crd.projectcalico.org + version: v1 + names: + kind: GlobalBGPConfig + plural: globalbgpconfigs + singular: globalbgpconfig + +--- + +apiVersion: apiextensions.k8s.io/v1beta1 +description: Calico IP Pools +kind: CustomResourceDefinition +metadata: + name: ippools.crd.projectcalico.org +spec: + scope: Cluster + group: crd.projectcalico.org + version: v1 + names: + kind: IPPool + plural: ippools + singular: ippool + +--- + +apiVersion: apiextensions.k8s.io/v1beta1 +description: Calico Global Network Policies +kind: CustomResourceDefinition +metadata: + name: globalnetworkpolicies.crd.projectcalico.org +spec: + scope: Cluster + group: crd.projectcalico.org + version: v1 + names: + kind: GlobalNetworkPolicy + plural: globalnetworkpolicies + singular: globalnetworkpolicy + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: canal + namespace: kube-system + +--- + +# Calico Roles +# Pulled from https://docs.projectcalico.org/v2.5/getting-started/kubernetes/installation/hosted/rbac-kdd.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: calico + namespace: kube-system +rules: + - apiGroups: [""] + resources: + - namespaces + verbs: + - get + - list + - watch + - apiGroups: [""] + resources: + - pods/status + verbs: + - update + - apiGroups: [""] + resources: + - pods + verbs: + - get + - list + - watch + - apiGroups: [""] + resources: + - nodes + verbs: + - get 
+ - list + - update + - watch + - apiGroups: ["extensions"] + resources: + - networkpolicies + verbs: + - get + - list + - watch + - apiGroups: ["crd.projectcalico.org"] + resources: + - globalfelixconfigs + - bgppeers + - globalbgpconfigs + - ippools + - globalnetworkpolicies + verbs: + - create + - get + - list + - update + - watch + +--- + +# Flannel roles +# Pulled from https://github.com/coreos/flannel/blob/master/Documentation/kube-flannel-rbac.yml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: flannel +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - apiGroups: + - "" + resources: + - nodes + verbs: + - list + - watch + - apiGroups: + - "" + resources: + - nodes/status + verbs: + - patch +--- + +# Bind the flannel ClusterRole to the canal ServiceAccount. +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: canal-flannel +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: flannel +subjects: +- kind: ServiceAccount + name: canal + namespace: kube-system + +--- + +# Bind the calico ClusterRole to the canal ServiceAccount. +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: canal-calico +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico +subjects: +- kind: ServiceAccount + name: canal + namespace: kube-system diff --git a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go index a49a603052..8ae29007ea 100644 --- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go +++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go 
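Review bot: The `kube-flannel` container hard-codes `--ip-masq` in its `command` while also reading `FLANNELD_IP_MASQ` from the `masquerade` ConfigMap key, so setting `masquerade: "false"` would have no effect if flanneld lets an explicit flag win over the `FLANNELD_*` environment variable (which is how its flag parsing appears to work); dropping the flag, `command: [ "/opt/bin/flanneld", "--kube-subnet-mgr" ]`, makes the ConfigMap the single source of truth. Separately, the `calico` ClusterRole carries `namespace: kube-system` under `metadata` although ClusterRole is cluster-scoped; the API server ignores it, but it misleads readers into thinking the grant is namespaced and the `flannel` ClusterRole below omits it, so the line should go. The same role grants `create`/`update` on `bgppeers`, for which this manifest defines no CRD and which is unused with `CALICO_NETWORKING_BACKEND` set to `none`; trimming it keeps the grant to what the datastore actually holds.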
@@ -443,16 +443,19 @@ func (b *BootstrapChannelBuilder) buildManifest() (*channelsapi.Addons, map[stri if b.cluster.Spec.Networking.Canal != nil { key := "networking.projectcalico.org.canal" - // Locking canal addon version to 2.4.1 (same as Calico node). Best to maintain lockstep for sanity - version := "2.4.1" + versions := map[string]string{ + "pre-k8s-1.6": "2.4.1", + "k8s-1.6": "2.4.1", + "k8s-1.8": "2.5.1", + } { - location := key + "/pre-k8s-1.6.yaml" id := "pre-k8s-1.6" + location := key + "/" + id + ".yaml" addons.Spec.Addons = append(addons.Spec.Addons, &channelsapi.AddonSpec{ Name: fi.String(key), - Version: fi.String(version), + Version: fi.String(versions[id]), Selector: networkingSelector, Manifest: fi.String(location), KubernetesVersion: "<1.6.0", @@ -462,15 +465,30 @@ func (b *BootstrapChannelBuilder) buildManifest() (*channelsapi.Addons, map[stri } { - location := key + "/k8s-1.6.yaml" id := "k8s-1.6" + location := key + "/" + id + ".yaml" addons.Spec.Addons = append(addons.Spec.Addons, &channelsapi.AddonSpec{ Name: fi.String(key), - Version: fi.String(version), + Version: fi.String(versions[id]), Selector: networkingSelector, Manifest: fi.String(location), - KubernetesVersion: ">=1.6.0", + KubernetesVersion: ">=1.6.0 <1.8.0", + Id: id, + }) + manifests[key+"-"+id] = "addons/" + location + } + + { + id := "k8s-1.8" + location := key + "/" + id + ".yaml" + + addons.Spec.Addons = append(addons.Spec.Addons, &channelsapi.AddonSpec{ + Name: fi.String(key), + Version: fi.String(versions[id]), + Selector: networkingSelector, + Manifest: fi.String(location), + KubernetesVersion: ">=1.8.0", Id: id, }) manifests[key+"-"+id] = "addons/" + location From e2357f856882ec81019930746ccefbd19d363bf5 Mon Sep 17 00:00:00 2001 
From: Bryan Boreham Date: Mon, 16 Oct 2017 13:47:36 +0000 Subject: [PATCH 2/8] Add critical-pod annotation and toleration for rescheduler Background at https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/ Note the extra toleration is not strictly necessary, because rescheduler adds CriticalAddonsOnly with effect NoSchedule, so it's covered by the existing toleration, but that isn't documented so going by the book we add both. --- .../resources/addons/networking.weave/k8s-1.6.yaml.template | 4 ++++ .../resources/addons/networking.weave/k8s-1.7.yaml.template | 4 ++++ .../addons/networking.weave/pre-k8s-1.6.yaml.template | 3 ++- 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/upup/models/cloudup/resources/addons/networking.weave/k8s-1.6.yaml.template b/upup/models/cloudup/resources/addons/networking.weave/k8s-1.6.yaml.template index 99af954df5..81954c3020 100644 --- a/upup/models/cloudup/resources/addons/networking.weave/k8s-1.6.yaml.template +++ b/upup/models/cloudup/resources/addons/networking.weave/k8s-1.6.yaml.template @@ -64,6 +64,8 @@ spec: labels: name: weave-net role.kubernetes.io/networking: "1" + annotations: + scheduler.alpha.kubernetes.io/critical-pod: '' spec: containers: - name: weave @@ -136,6 +138,8 @@ spec: tolerations: - effect: NoSchedule operator: Exists + - key: CriticalAddonsOnly + operator: Exists volumes: - name: weavedb hostPath: diff --git a/upup/models/cloudup/resources/addons/networking.weave/k8s-1.7.yaml.template b/upup/models/cloudup/resources/addons/networking.weave/k8s-1.7.yaml.template index 3c74d3b175..e7ea479a28 100644 --- a/upup/models/cloudup/resources/addons/networking.weave/k8s-1.7.yaml.template +++ b/upup/models/cloudup/resources/addons/networking.weave/k8s-1.7.yaml.template @@ -64,6 +64,8 @@ spec: labels: name: weave-net role.kubernetes.io/networking: "1" + annotations: + scheduler.alpha.kubernetes.io/critical-pod: '' spec: containers: - name: weave 
@@ -141,6 +143,8 @@ spec: tolerations: - effect: NoSchedule operator: Exists + - key: CriticalAddonsOnly + operator: Exists volumes: - name: weavedb hostPath: diff --git a/upup/models/cloudup/resources/addons/networking.weave/pre-k8s-1.6.yaml.template b/upup/models/cloudup/resources/addons/networking.weave/pre-k8s-1.6.yaml.template index 2880182770..0b54f06a34 100644 --- a/upup/models/cloudup/resources/addons/networking.weave/pre-k8s-1.6.yaml.template +++ b/upup/models/cloudup/resources/addons/networking.weave/pre-k8s-1.6.yaml.template @@ -19,8 +19,9 @@ spec: template: metadata: annotations: + scheduler.alpha.kubernetes.io/critical-pod: '' scheduler.alpha.kubernetes.io/tolerations: >- - [{"key":"dedicated","operator":"Equal","value":"master","effect":"NoSchedule"}] + [{"key":"dedicated","operator":"Equal","value":"master","effect":"NoSchedule"},{"key":"CriticalAddonsOnly", "operator":"Exists"}] labels: name: weave-net role.kubernetes.io/networking: "1" From a21dfafa0d7b1014276882c8fc6c821455fac5d2 Mon Sep 17 00:00:00 2001 From: William Austin Date: Mon, 16 Oct 2017 10:29:34 -0600 Subject: [PATCH 3/8] Add missing "-nanny" in image name. --- docs/advisories/cve_2017_14491.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/advisories/cve_2017_14491.md b/docs/advisories/cve_2017_14491.md index 715a9c1a41..9710566a3c 100644 --- a/docs/advisories/cve_2017_14491.md +++ b/docs/advisories/cve_2017_14491.md @@ -83,7 +83,7 @@ Apply the update to the container: ```bash kubectl set image deployment/kube-dns -n kube-system \ - dnsmasq=gcr.io/google_containers/k8s-dns-dnsmasq-amd64:1.14.5 + dnsmasq=gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.5 ``` Validate the change was applied to the deployment: From 91d4e7e3e83d681490afc43beff9cbb038332623 Mon Sep 17 00:00:00 2001 
From: chrislovecnm Date: Mon, 16 Oct 2017 10:38:53 -0600 Subject: [PATCH 4/8] fixing bazel missed BUILD stuff --- cmd/kops/BUILD.bazel | 1 + protokube/pkg/protokube/BUILD.bazel | 2 ++ 2 files changed, 3 insertions(+) diff --git a/cmd/kops/BUILD.bazel b/cmd/kops/BUILD.bazel index a25b7e7c6d..a96eaed58b 100644 --- a/cmd/kops/BUILD.bazel +++ b/cmd/kops/BUILD.bazel @@ -145,6 +145,7 @@ go_test( "//pkg/jsonutils:go_default_library", "//pkg/kopscodecs:go_default_library", "//pkg/testutils:go_default_library", + "//upup/pkg/fi/cloudup:go_default_library", "//upup/pkg/fi/cloudup/gce:go_default_library", "//util/pkg/ui:go_default_library", "//vendor/github.com/ghodss/yaml:go_default_library", diff --git a/protokube/pkg/protokube/BUILD.bazel b/protokube/pkg/protokube/BUILD.bazel index 31ac896ac3..d826fd011c 100644 --- a/protokube/pkg/protokube/BUILD.bazel +++ b/protokube/pkg/protokube/BUILD.bazel @@ -16,6 +16,7 @@ go_library( "kube_context.go", "kube_dns.go", "models.go", + "nsenter_exec.go", "rbac.go", "tainter.go", "utils.go", @@ -58,6 +59,7 @@ go_library( "//vendor/k8s.io/client-go/kubernetes:go_default_library", "//vendor/k8s.io/client-go/tools/clientcmd:go_default_library", "//vendor/k8s.io/kubernetes/pkg/util/mount:go_default_library", + "//vendor/k8s.io/utils/exec:go_default_library", ], ) From 583bcab6bf7adf8d302fabb59b746641c69256b9 Mon Sep 17 00:00:00 2001 From: Ali Fathieh Date: Tue, 17 Oct 2017 12:44:29 +1100 Subject: [PATCH 5/8] link to cve Advisory release doc fixed --- docs/releases/1.7.1.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/releases/1.7.1.md b/docs/releases/1.7.1.md index b3350c0f72..01bf78550e 100644 --- a/docs/releases/1.7.1.md +++ b/docs/releases/1.7.1.md 
@@ -4,9 +4,10 @@ This document describes the changes since 1.7.0. # Significant changes -* kube-dns has been updated with the hotfix for CVE-2017-14491. For more details, please see [CVE Advisory](kops/docs/advisories/cve_2017_14491.md). +* kube-dns has been updated with the hotfix for CVE-2017-14491. For more details, please see [CVE Advisory](../advisories/cve_2017_14491.md). # Full changelist * Update images in CI tests (thanks @justinsb) * Update kube-dns to 1.14.5 for CVE-2017-14491 (thanks @mikesplain) + From 552d04589e873b7fc87f1ab0c37739ae55881bd2 Mon Sep 17 00:00:00 2001 From: Justin Santa Barbara Date: Tue, 17 Oct 2017 09:58:59 -0400 Subject: [PATCH 6/8] Avoid spurious mirror tasks in plan --- upup/pkg/fi/fitasks/mirrorkeystore.go | 6 ++++++ upup/pkg/fi/fitasks/mirrorsecrets.go | 7 +++++++ 2 files changed, 13 insertions(+) diff --git a/upup/pkg/fi/fitasks/mirrorkeystore.go b/upup/pkg/fi/fitasks/mirrorkeystore.go index 0936869ad2..7f1908f3e9 100644 --- a/upup/pkg/fi/fitasks/mirrorkeystore.go +++ b/upup/pkg/fi/fitasks/mirrorkeystore.go @@ -45,6 +45,12 @@ func (e *MirrorKeystore) GetDependencies(tasks map[string]fi.Task) []fi.Task { // Find implements fi.Task::Find func (e *MirrorKeystore) Find(c *fi.Context) (*MirrorKeystore, error) { + if vfsKeystore, ok := c.Keystore.(*fi.VFSCAStore); ok { + if vfsKeystore.VFSPath().Path() == e.MirrorPath.Path() { + return e, nil + } + } + // TODO: implement Find so that we aren't always mirroring glog.V(2).Infof("MirrorKeystore::Find not implemented; always copying (inefficient)") return nil, nil diff --git a/upup/pkg/fi/fitasks/mirrorsecrets.go b/upup/pkg/fi/fitasks/mirrorsecrets.go index e638f83c5c..da70bec6c0 100644 --- a/upup/pkg/fi/fitasks/mirrorsecrets.go +++ b/upup/pkg/fi/fitasks/mirrorsecrets.go @@ -19,6 +19,7 @@ package fitasks import ( "github.com/golang/glog" "k8s.io/kops/upup/pkg/fi" + "k8s.io/kops/upup/pkg/fi/secrets" "k8s.io/kops/util/pkg/vfs" ) 
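Review bot: The new early return in `MirrorKeystore.Find` changes the task's contract — it now reports the mirror as already in place when the keystore's VFS path equals `MirrorPath` — but the doc comment still only says `// Find implements fi.Task::Find`; extend it with a line such as `// When the keystore already lives at MirrorPath there is nothing to mirror, so the task is reported as up to date; otherwise Find is unimplemented and the mirror is always re-copied.` The same applies to `MirrorSecrets.Find` in mirrorsecrets.go. The check is a plain string equality on `Path()`, so two spellings of the same location (for example with and without a trailing slash) would still be mirrored onto themselves; whether `vfs.Path` normalizes that is not visible here. `e.MirrorPath.Path()` is also dereferenced unconditionally, so if MirrorPath can be nil when Find runs this panics before the existing log line; the validation that guarantees it is set lies outside the hunk.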
@@ -45,6 +46,12 @@ func (e *MirrorSecrets) GetDependencies(tasks map[string]fi.Task) []fi.Task { // Find implements fi.Task::Find func (e *MirrorSecrets) Find(c *fi.Context) (*MirrorSecrets, error) { + if vfsSecretStore, ok := c.SecretStore.(*secrets.VFSSecretStore); ok { + if vfsSecretStore.VFSPath().Path() == e.MirrorPath.Path() { + return e, nil + } + } + // TODO: implement Find so that we aren't always mirroring glog.V(2).Infof("MirrorSecrets::Find not implemented; always copying (inefficient)") return nil, nil From 1d5a19b30c8041368a7918cfad699eaefe414d9b Mon Sep 17 00:00:00 2001 From: Justin Santa Barbara Date: Tue, 17 Oct 2017 11:43:51 -0400 Subject: [PATCH 7/8] Fix misssing bazel dependency Forgot to run gazelle again --- upup/pkg/fi/fitasks/BUILD.bazel | 1 + 1 file changed, 1 insertion(+) diff --git a/upup/pkg/fi/fitasks/BUILD.bazel b/upup/pkg/fi/fitasks/BUILD.bazel index 2b7ba5be62..861f077943 100644 --- a/upup/pkg/fi/fitasks/BUILD.bazel +++ b/upup/pkg/fi/fitasks/BUILD.bazel @@ -19,6 +19,7 @@ go_library( deps = [ "//pkg/pki:go_default_library", "//upup/pkg/fi:go_default_library", + "//upup/pkg/fi/secrets:go_default_library", "//util/pkg/vfs:go_default_library", "//vendor/github.com/golang/glog:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library", From bc7e5a0649af0bc34865c9c2ba9c6fb086d43908 Mon Sep 17 00:00:00 2001 From: Quentin Nerden Date: Tue, 17 Oct 2017 15:35:18 +0200 Subject: [PATCH 8/8] Add kops toolbox template docs --- docs/README.md | 1 + docs/cluster_template.md | 48 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 docs/cluster_template.md diff --git a/docs/README.md b/docs/README.md index 98a983a16f..e6bc4975ce 100644 --- a/docs/README.md +++ b/docs/README.md 
@@ -45,6 +45,7 @@ * [Cluster addon manager](addon_manager.md) * [Cluster addons](addons.md) * [Cluster configuration management](changing_configuration.md) +* [Cluster desired configuration creation from template](cluster_template.md) * [Cluster upgrades and migrations](cluster_upgrades_and_migrations.md) * [`etcd` volume encryption setup](etcd_volume_encryption.md) * [`etcd` backup setup](etcd_backup.md) diff --git a/docs/cluster_template.md b/docs/cluster_template.md new file mode 100644 index 0000000000..29d86cccdb --- /dev/null +++ b/docs/cluster_template.md 
@@ -0,0 +1,48 @@ +# Cluster template + +The command `kops replace` can replace a cluster desired configuration from the config in a yaml file (see [/cli/kops_replace.md](/cli/kops_replace.md)). + +It is possible to generate that yaml file from a template, using the command `kops toolbox template` (see [cli/kops_toolbox_template.md](cli/kops_toolbox_template.md)). + +This document details the template language used. + +The file passed as `--template` must be a [go template](https://golang.org/pkg/text/template/). Example: +```yaml +# File cluster.tmpl.yaml +apiVersion: kops/v1alpha2 +kind: InstanceGroup +metadata: + labels: + kops.k8s.io/cluster: {{.clusterName}}.{{.dnsZone}} + name: nodes +spec: + image: coreos.com/CoreOS-stable-1409.6.0-hvm + kubernetesVersion: {{.kubernetesVersion} + machineType: m4.large + maxPrice: "0.5" + maxSize: 2 + minSize: 15 + role: Node + rootVolumeSize: 100 + subnets: + - {{.awsRegion}}a + - {{.awsRegion}}b + - {{.awsRegion}}c +``` + +The file passed as `--values` must contain the variables referenced in the template. Example: +```yaml +# File values.yaml +clusterName: eu1 +kubernetesVersion: 1.7.1 +dnsZone: k8s.example.com +awsRegion: eu-west-1 +``` + +Running `kops toolbox template` replaces the placeholders in the template by values and generates the file output.yaml, which can then be used to replace the desired cluster configuration with `kops replace -f cluster.yaml`. + + +Note: +When creating a cluster desired configuration template, you can +- use `kops get k8s-cluster.example.com -o yaml > cluster-desired-config.yaml` to create the cluster desired configuration file (see [cli/kops_get.md](cli/kops_get.md)). The values in this file are defined in [cli/cluster_spec.md](cli/cluster_spec.md). +- replace values by placeholders in that file to create the template.