diff --git a/Makefile b/Makefile index 8a2f5ce9..fa3286e7 100644 --- a/Makefile +++ b/Makefile @@ -38,10 +38,11 @@ GO_INSTALL := ./scripts/go_install.sh # output OUTPUT_DIR := $(abspath $(ROOT_DIR)/_output) -BIN_DIR := $(OUTPUT_DIR)/bin +OUTPUT_BIN_DIR := $(OUTPUT_DIR)/bin +OUTPUT_TOOLS_DIR := $(OUTPUT_DIR)/tools #ARTIFACTS ?= ${OUTPUT_DIR}/_artifacts -dirs := $(OUTPUT_DIR) $(BIN_DIR) +dirs := $(OUTPUT_DIR) $(OUTPUT_BIN_DIR) $(OUTPUT_TOOLS_DIR) $(foreach dir, $(dirs), \ $(if $(shell [ -d $(dir) ] && echo 1 || echo 0),, \ @@ -49,7 +50,7 @@ $(foreach dir, $(dirs), \ ) \ ) -export PATH := $(abspath $(BIN_DIR)):$(PATH) +export PATH := $(abspath $(OUTPUT_BIN_DIR)):$(abspath $(OUTPUT_TOOLS_DIR)):$(PATH) # # Binaries. 
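Review bot: The `dirs` list now carries `$(OUTPUT_TOOLS_DIR)`, but the loop that consumes it tests `$(if $(shell [ -d $(dir) ] && echo 1 || echo 0),, \`, whose shell output is `1` or `0` — both non-empty — so the `$(if)` always takes its empty first branch and whatever the else branch does (the rest of the loop is outside this hunk) never runs. If that branch is the `mkdir`, the tools directory is only created implicitly by `go install` through `GOBIN` later, which is fragile for anything else placed there; a condition that is actually empty when the directory is missing would be `$(if $(wildcard $(dir)/.),,$(shell mkdir -p $(dir)))`. A short comment on the `export PATH` line stating that the tools dir is deliberately placed ahead of the caller's PATH so the pinned tool versions win would also help the next reader.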
@@ -57,29 +58,29 @@ export PATH := $(abspath $(BIN_DIR)):$(PATH) # Note: Need to use abspath so we can invoke these from subdirectories KUSTOMIZE_VER := v4.5.2 KUSTOMIZE_BIN := kustomize -KUSTOMIZE := $(abspath $(BIN_DIR)/$(KUSTOMIZE_BIN)-$(KUSTOMIZE_VER)) +KUSTOMIZE := $(abspath $(OUTPUT_TOOLS_DIR)/$(KUSTOMIZE_BIN)-$(KUSTOMIZE_VER)) KUSTOMIZE_PKG := sigs.k8s.io/kustomize/kustomize/v4 SETUP_ENVTEST_VER := v0.0.0-20240521074430-fbb7d370bebc SETUP_ENVTEST_BIN := setup-envtest -SETUP_ENVTEST := $(abspath $(BIN_DIR)/$(SETUP_ENVTEST_BIN)-$(SETUP_ENVTEST_VER)) +SETUP_ENVTEST := $(abspath $(OUTPUT_TOOLS_DIR)/$(SETUP_ENVTEST_BIN)-$(SETUP_ENVTEST_VER)) SETUP_ENVTEST_PKG := sigs.k8s.io/controller-runtime/tools/setup-envtest CONTROLLER_GEN_VER := v0.15.0 CONTROLLER_GEN_BIN := controller-gen -CONTROLLER_GEN := $(abspath $(BIN_DIR)/$(CONTROLLER_GEN_BIN)-$(CONTROLLER_GEN_VER)) +CONTROLLER_GEN := $(abspath $(OUTPUT_TOOLS_DIR)/$(CONTROLLER_GEN_BIN)-$(CONTROLLER_GEN_VER)) CONTROLLER_GEN_PKG := sigs.k8s.io/controller-tools/cmd/controller-gen GOTESTSUM_VER := v1.6.4 GOTESTSUM_BIN := gotestsum -GOTESTSUM := $(abspath $(BIN_DIR)/$(GOTESTSUM_BIN)-$(GOTESTSUM_VER)) +GOTESTSUM := $(abspath $(OUTPUT_TOOLS_DIR)/$(GOTESTSUM_BIN)-$(GOTESTSUM_VER)) GOTESTSUM_PKG := gotest.tools/gotestsum HADOLINT_VER := v2.10.0 HADOLINT_FAILURE_THRESHOLD = warning GOLANGCI_LINT_BIN := golangci-lint -GOLANGCI_LINT := $(abspath $(BIN_DIR)/$(GOLANGCI_LINT_BIN)) +GOLANGCI_LINT := $(abspath $(OUTPUT_TOOLS_DIR)/$(GOLANGCI_LINT_BIN)) # # Docker. 
@@ -148,11 +149,9 @@ help: ## Display this help. ##@ generate: -#ALL_GENERATE_MODULES = capkk k3s-bootstrap k3s-control-plane - .PHONY: generate generate: ## Run all generate-manifests-*, generate-go-deepcopy-* targets - $(MAKE) generate-go-deepcopy-kubekey generate-manifests-kubekey + $(MAKE) generate-go-deepcopy-kubekey generate-manifests-kubekey generate-modules generate-goimports .PHONY: generate-go-deepcopy-kubekey generate-go-deepcopy-kubekey: $(CONTROLLER_GEN) ## Generate deepcopy object @@ -168,6 +167,14 @@ generate-manifests-kubekey: $(CONTROLLER_GEN) ## Generate manifests e.g. CRD, RB crd \ output:crd:dir=./config/helm/crds/ +.PHONY: generate-modules +generate-modules: ## Run go mod tidy to ensure modules are up to date + go mod tidy + +.PHONY: generate-goimports +generate-goimports: ## Format all import, `goimports` is required. + @hack/update-goimports.sh + ## -------------------------------------- ## Lint / Verify ## -------------------------------------- @@ -189,7 +196,7 @@ lint-dockerfiles: verify: $(addprefix verify-,$(ALL_VERIFY_CHECKS)) lint-dockerfiles ## Run all verify-* targets .PHONY: verify-modules -verify-modules: generate-modules ## Verify go modules are up to date +verify-modules: ## Verify go modules are up to date @if !(git diff --quiet HEAD -- go.sum go.mod $(TOOLS_DIR)/go.mod $(TOOLS_DIR)/go.sum $(TEST_DIR)/go.mod $(TEST_DIR)/go.sum); then \ git diff; \ echo "go module files are out of date"; exit 1; \ 
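Review bot: `verify-modules` loses its `generate-modules` prerequisite, so it now only reports whether go.mod/go.sum already differ from HEAD; on a clean checkout `git diff --quiet HEAD` succeeds without `go mod tidy` ever running, and a stale module file passes verification. The same regression applies to `verify-gen`, which drops `generate` in the next hunk. Unless a CI wrapper runs `make generate` first (not visible here), keep the prerequisites, i.e. `verify-modules: generate-modules ## Verify go modules are up to date` and `verify-gen: generate ## Verify go generated files are up to date`, or state in the `##` help text that `make generate` must precede them.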
@@ -200,12 +207,16 @@ verify-modules: generate-modules ## Verify go modules are up to date fi .PHONY: verify-gen -verify-gen: generate ## Verify go generated files are up to date +verify-gen: ## Verify go generated files are up to date @if !(git diff --quiet HEAD); then \ git diff; \ echo "generated files are out of date, run make generate"; exit 1; \ fi +.PHONY: verify-goimports +verify-goimports: ## Verify go imports + @hack/verify-goimports.sh + ## -------------------------------------- ## Binaries ## -------------------------------------- @@ -214,7 +225,7 @@ verify-gen: generate ## Verify go generated files are up to date .PHONY: kk kk: ## build kk binary - @CGO_ENABLED=0 GOARCH=$(GOARCH) GOOS=$(GOOS) go build -trimpath -tags "$(BUILDTAGS)" -ldflags "$(LDFLAGS)" -o $(BIN_DIR)/kk cmd/kk/kubekey.go + @CGO_ENABLED=0 GOARCH=$(GOARCH) GOOS=$(GOOS) go build -trimpath -tags "$(BUILDTAGS)" -ldflags "$(LDFLAGS)" -o $(OUTPUT_BIN_DIR)/kk cmd/kk/kubekey.go .PHONY: docker-build ## build and push all images docker-build: docker-build-operator docker-build-kk 
@@ -326,20 +337,19 @@ helm-package: ## Helm-package. ##@ test: - #ifeq ($(shell go env GOOS),darwin) # Use the darwin/amd64 binary until an arm64 version is available # KUBEBUILDER_ASSETS ?= $(shell $(SETUP_ENVTEST) use --use-env -p path --arch amd64 $(KUBEBUILDER_ENVTEST_KUBERNETES_VERSION)) #else # KUBEBUILDER_ASSETS ?= $(shell $(SETUP_ENVTEST) use --use-env -p path $(KUBEBUILDER_ENVTEST_KUBERNETES_VERSION)) #endif -# -#.PHONY: test -#test: $(SETUP_ENVTEST) ## Run unit and integration tests -# KUBEBUILDER_ASSETS="$(KUBEBUILDER_ASSETS)" go test ./... $(TEST_ARGS) -#.PHONY: test-verbose -#test-verbose: ## Run unit and integration tests with verbose flag -# $(MAKE) test TEST_ARGS="$(TEST_ARGS) -v" +.PHONY: test +test: $(SETUP_ENVTEST) ## Run unit and integration tests + KUBEBUILDER_ASSETS="$(KUBEBUILDER_ASSETS)" go test ./... $(TEST_ARGS) + +.PHONY: test-verbose +test-verbose: ## Run unit and integration tests with verbose flag + $(MAKE) test TEST_ARGS="$(TEST_ARGS) -v" # #.PHONY: test-junit #test-junit: $(SETUP_ENVTEST) $(GOTESTSUM) ## Run unit and integration tests and generate a junit report @@ -516,11 +526,11 @@ helm-package: ## Helm-package. .PHONY: clean clean: ## Remove all generated files - $(MAKE) clean-bin + $(MAKE) clean-output clean-generated-deepcopy -.PHONY: clean-bin -clean-bin: ## Remove all generated binaries - rm -rf $(BIN_DIR) +.PHONY: clean-output +clean-output: ## Remove all generated binaries + rm -rf $(OUTPUT_DIR) #.PHONY: clean-release #clean-release: ## Remove the release folder 
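Review bot: The re-enabled `test` target passes `KUBEBUILDER_ASSETS="$(KUBEBUILDER_ASSETS)"`, but the `ifeq ($(shell go env GOOS),darwin)` block that derived it from `$(SETUP_ENVTEST) use ...` stays commented out above, so the variable is empty unless the caller exports it and the `$(SETUP_ENVTEST)` prerequisite is built for nothing. Envtest-based tests would then fail to find their control-plane binaries or pick up whatever happens to be on PATH. Note that simply uncommenting the old block is not enough either: `$(shell $(SETUP_ENVTEST) ...)` runs at parse time, before the `$(SETUP_ENVTEST)` rule has produced the binary, so resolving the path inside the recipe is more robust, while still letting an exported `KUBEBUILDER_ASSETS` override it.
```make
# Resolved in the recipe, after the $(SETUP_ENVTEST) prerequisite has been built.
# Darwin keeps the amd64 envtest binaries until arm64 builds are available.
ENVTEST_ARCH_FLAG := $(if $(filter darwin,$(shell go env GOOS)),--arch amd64,)
.PHONY: test
test: $(SETUP_ENVTEST) ## Run unit and integration tests
	KUBEBUILDER_ASSETS="$${KUBEBUILDER_ASSETS:-$$($(SETUP_ENVTEST) use --use-env -p path $(ENVTEST_ARCH_FLAG) $(KUBEBUILDER_ENVTEST_KUBERNETES_VERSION))}" go test ./... $(TEST_ARGS)
# … unchanged: test-verbose …
```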
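Review bot: `clean-output` now removes the whole `$(OUTPUT_DIR)` but its help text still reads `## Remove all generated binaries`; change it to `## Remove the whole _output directory (binaries and tools)`. `clean` also gains a `clean-generated-deepcopy` prerequisite that does not appear anywhere in this diff — confirm the target exists, otherwise `make clean` fails with "No rule to make target". Since `OUTPUT_DIR` is derived from `$(ROOT_DIR)` (defined outside this view), a guard such as `$(if $(strip $(ROOT_DIR)),,$(error ROOT_DIR is empty))` ahead of the `rm -rf` is cheap insurance against deleting `/_output`.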
@@ -560,43 +570,18 @@ $(SETUP_ENVTEST_BIN): $(SETUP_ENVTEST) ## Build a local copy of setup-envtest. $(GOLANGCI_LINT_BIN): $(GOLANGCI_LINT) ## Build a local copy of golangci-lint $(CONTROLLER_GEN): # Build controller-gen from tools folder. - GOBIN=$(BIN_DIR) $(GO_INSTALL) $(CONTROLLER_GEN_PKG) $(CONTROLLER_GEN_BIN) $(CONTROLLER_GEN_VER) + GOBIN=$(OUTPUT_TOOLS_DIR) $(GO_INSTALL) $(CONTROLLER_GEN_PKG) $(CONTROLLER_GEN_BIN) $(CONTROLLER_GEN_VER) $(GOTESTSUM): # Build gotestsum from tools folder. - GOBIN=$(BIN_DIR) $(GO_INSTALL) $(GOTESTSUM_PKG) $(GOTESTSUM_BIN) $(GOTESTSUM_VER) + GOBIN=$(OUTPUT_TOOLS_DIR) $(GO_INSTALL) $(GOTESTSUM_PKG) $(GOTESTSUM_BIN) $(GOTESTSUM_VER) $(KUSTOMIZE): # Build kustomize from tools folder. - CGO_ENABLED=0 GOBIN=$(BIN_DIR) $(GO_INSTALL) $(KUSTOMIZE_PKG) $(KUSTOMIZE_BIN) $(KUSTOMIZE_VER) + CGO_ENABLED=0 GOBIN=$(OUTPUT_TOOLS_DIR) $(GO_INSTALL) $(KUSTOMIZE_PKG) $(KUSTOMIZE_BIN) $(KUSTOMIZE_VER) $(SETUP_ENVTEST): # Build setup-envtest from tools folder. - GOBIN=$(BIN_DIR) $(GO_INSTALL) $(SETUP_ENVTEST_PKG) $(SETUP_ENVTEST_BIN) $(SETUP_ENVTEST_VER) + GOBIN=$(OUTPUT_TOOLS_DIR) $(GO_INSTALL) $(SETUP_ENVTEST_PKG) $(SETUP_ENVTEST_BIN) $(SETUP_ENVTEST_VER) $(GOLANGCI_LINT): .github/workflows/golangci-lint.yml # Download golangci-lint using hack script into tools folder. 
hack/ensure-golangci-lint.sh \ - -b $(BIN_DIR) \ + -b $(OUTPUT_TOOLS_DIR) \ $(shell cat .github/workflows/golangci-lint.yml | grep [[:space:]]version | sed 's/.*version: //') - -# build the artifact of repository iso -#ISO_ARCH ?= amd64 -#ISO_OUTPUT_DIR ?= ./output -#ISO_BUILD_WORKDIR := hack/gen-repository-iso -#ISO_OS_NAMES := centos7 debian9 debian10 ubuntu1604 ubuntu1804 ubuntu2004 ubuntu2204 -#ISO_BUILD_NAMES := $(addprefix build-iso-,$(ISO_OS_NAMES)) -#build-iso-all: $(ISO_BUILD_NAMES) -#.PHONY: $(ISO_BUILD_NAMES) -#$(ISO_BUILD_NAMES): -# @export DOCKER_BUILDKIT=1 -# docker build \ -# --platform linux/$(ISO_ARCH) \ -# --build-arg TARGETARCH=$(ISO_ARCH) \ -# -o type=local,dest=$(ISO_OUTPUT_DIR) \ -# -f $(ISO_BUILD_WORKDIR)/dockerfile.$(subst build-iso-,,$@) \ -# $(ISO_BUILD_WORKDIR) -# -#go-releaser-test: -# goreleaser release --rm-dist --skip-publish --snapshot - - -# Format all import, `goimports` is required. -goimports: ## Format all import, `goimports` is required. - @hack/update-goimports.sh diff --git a/builtin/playbooks/certs_renew.yaml b/builtin/playbooks/certs_renew.yaml index f43d7702..8b5476dd 100644 --- a/builtin/playbooks/certs_renew.yaml +++ b/builtin/playbooks/certs_renew.yaml @@ -9,18 +9,18 @@ tags: ["certs"] roles: - role: certs/renew-etcd - when: groups['etcd']|length > 0 && renew_etcd|default_if_none:true + when: groups['etcd']|length > 0 && renew_etcd - hosts: - image_registry tags: ["certs"] roles: - role: certs/renew-registry - when: groups['image_registry']|length > 0 && renew_image_registry|default_if_none:true + when: groups['image_registry']|length > 0 && renew_image_registry - hosts: - kube_control_plane tags: ["certs"] roles: - role: certs/renew-kubernetes - when: groups['kube_control_plane']|length > 0 && renew_kubernetes|default_if_none:true + when: groups['kube_control_plane']|length > 0 && renew_kubernetes diff --git a/builtin/playbooks/create_cluster.yaml b/builtin/playbooks/create_cluster.yaml index 5ebf153e..3283c176 100644 
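Review bot: The three `when:` clauses drop `|default_if_none:true`, so `renew_etcd`, `renew_image_registry` and `renew_kubernetes` must now be defined before this playbook evaluates them; the new defaults live in `builtin/playbooks/vars/certs_renew.yaml`, yet unlike `create_cluster.yaml` this playbook gets no `var_files:` entry in the diff. Unless the engine loads `vars/<playbook>.yaml` automatically (not visible here), the conditions reference undefined variables and the renew roles may be skipped or error out. Either add `var_files:` with `- vars/certs_renew.yaml` to each play, or keep the `|default_if_none:true` fallback on these lines.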
--- a/builtin/playbooks/create_cluster.yaml +++ b/builtin/playbooks/create_cluster.yaml @@ -26,6 +26,8 @@ - hosts: - k8s_cluster + var_files: + - vars/create_cluster_kubernetes.yaml gather_facts: true roles: - install/cri diff --git a/builtin/playbooks/vars/certs_renew.yaml b/builtin/playbooks/vars/certs_renew.yaml new file mode 100644 index 00000000..5c0c9930 --- /dev/null +++ b/builtin/playbooks/vars/certs_renew.yaml @@ -0,0 +1,10 @@ +renew_etcd: true +renew_image_registry: true +renew_kubernetes: true +kubernetes: + etcd: + deployment_type: external +cri: + container_manager: docker +image_registry: + type: harbor diff --git a/builtin/playbooks/vars/create_cluster_kubernetes.yaml b/builtin/playbooks/vars/create_cluster_kubernetes.yaml new file mode 100644 index 00000000..1d430484 --- /dev/null +++ b/builtin/playbooks/vars/create_cluster_kubernetes.yaml @@ -0,0 +1,7 @@ +global_registry: "" +dockerio_registry: "{% if (global_registry != '') %}{{ global_registry }}{% else %}docker.io{% endif %}" +quayio_registry: "{% if (global_registry != '') %}{{ global_registry }}{% else %}quay.io{% endif %}" +ghcrio_registry: "{% if (global_registry != '') %}{{ global_registry }}{% else %}ghcr.io{% endif %}" +k8s_registry: "{% if (global_registry != '') %}{{ global_registry }}{% else %}registry.k8s.io{% endif %}" + +security_enhancement: false diff --git a/builtin/roles/addons/cni/defaults/main.yaml b/builtin/roles/addons/cni/defaults/main.yaml index 9ad0fa74..b28f48a0 100644 --- a/builtin/roles/addons/cni/defaults/main.yaml +++ b/builtin/roles/addons/cni/defaults/main.yaml @@ -12,7 +12,7 @@ cni: kube_svc_cidr: "{{ kubernetes.networking.service_cidr|default_if_none:'10.233.0.0/18' }}" multus: enabled: false - image: kubesphere/multus-cni:v3.8 + image: "{{ dockerio_registry }}/kubesphere/multus-cni:v3.8" calico: # when cluster node > 50. it default true. typha: "{%if (groups['k8s_cluster']|length > 50) %}true{% else %}false{% endif %}" 
@@ -24,26 +24,38 @@ cni: # true is enabled default_ip_pool: true # image - cni_image: "calico/cni:{{ calico_version }}" - node_image: "calico/node:{{ calico_version }}" - kube_controller_image: "calico/kube-controllers:{{ calico_version }}" - typha_image: "calico/typha:{{ calico_version }}" + cni_image: "{{ dockerio_registry }}/calico/cni:{{ calico_version }}" + node_image: "{{ dockerio_registry }}/calico/node:{{ calico_version }}" + kube_controller_image: "{{ dockerio_registry }}/calico/kube-controllers:{{ calico_version }}" + typha_image: "{{ dockerio_registry }}/calico/typha:{{ calico_version }}" replicas: 1 node_selector: {} flannel: # https://github.com/flannel-io/flannel/blob/master/Documentation/backends.md backend: vxlan - cni_plugin_image: docker.io/flannel/flannel-cni-plugin:v1.4.0-flannel1 - flannel_image: "docker.io/flannel/flannel:{{ flannel_version }}" + cni_plugin_image: "{{ dockerio_registry }}/flannel/flannel-cni-plugin:v1.4.0-flannel1" + flannel_image: "{{ dockerio_registry }}/flannel/flannel:{{ flannel_version }}" cilium: - operator_image: cilium/operator-generic:1.15.3 - cilium_image: cilium/cilium:1.15.3 + # image repo + cilium_repository: "{{ quayio_registry }}/cilium/cilium" + certgen_repository: "{{ quayio_registry }}/cilium/certgen" + hubble_relay_repository: "{{ quayio_registry }}/cilium/hubble-relay" + hubble_ui_backend_repository: "{{ quayio_registry }}/cilium/hubble-ui-backend" + hubble_ui_repository: "{{ quayio_registry }}/cilium/hubble-ui" + cilium_envoy_repository: "{{ quayio_registry }}/cilium/cilium-envoy" + cilium_etcd_operator_repository: "{{ quayio_registry }}/cilium/cilium-etcd-operator" + operator_repository: "{{ quayio_registry }}/cilium/operator" + startup_script_repository: "{{ quayio_registry }}/cilium/startup-script" + clustermesh_apiserver_repository: "{{ quayio_registry }}/cilium/clustermesh-apiserver" + busybox_repository: "{{ dockerio_registry }}/library/busybox" + spire_agent_repository: "{{ ghcrio_registry 
}}/spiffe/spire-agent" + spire_server_repository: "{{ ghcrio_registry }}/spiffe/spire-server" k8s_endpoint: "{% if kubernetes.control_plane_endpoint %}{{ kubernetes.control_plane_endpoint }}{% else %}{{ groups['kube_control_plane']|first }}{% endif %}" k8s_port: "{{ kubernetes.apiserver.port|default_if_none:6443 }}" kubeovn: replica: 1 - registry: docker.io/kubeovn + registry: "{{ dockerio_registry }}/kubeovn" hybridnet: - registryURL: docker.io + registry: "{{ dockerio_registry }}" # hybridnet_image: hybridnetdev/hybridnet # hybridnet_tag: v0.8.8 diff --git a/builtin/roles/addons/cni/tasks/cilium.yaml b/builtin/roles/addons/cni/tasks/cilium.yaml index efaed117..5440ee5d 100644 --- a/builtin/roles/addons/cni/tasks/cilium.yaml +++ b/builtin/roles/addons/cni/tasks/cilium.yaml 
@@ -8,14 +8,26 @@ - name: Install cilium command: | helm install cilium /etc/kubernetes/cni/cilium-{{ cilium_version }}.tgz --namespace kube-system \ - --set operator.image.override={{ cni.cilium.operator_image }} \ + --set image.repository={{ cilium_repository }} \ + --set preflight.image.repository={{ cilium_repository }} \ + --set certgen.image.repository={{ certgen_repository }} \ + --set hubble.relay.image.repository={{ hubble_relay_repository }} \ + --set hubble.ui.backend.image.repository={{ hubble_ui_backend_repository }} \ + --set hubble.ui.frontend.image.repository={{ hubble_ui_repository }} \ + --set envoy.image.repository={{ cilium_envoy_repository }} \ + --set etcd.image.repository={{ cilium_etcd_operator_repository }} \ + --set operator.image.repository={{ operator_repository }} \ + --set nodeinit.image.repository={{ startup_script_repository }} \ + --set clustermesh.apiserver.image.repository={{ clustermesh_apiserver_repository }} \ + --set authentication.mutual.spire.install.initImage.image.repository={{ busybox_repository }} \ + --set authentication.mutual.spire.install.agent.image.repository={{ spire_agent_repository }} \ + --set authentication.mutual.spire.install.server.image.repository={{ spire_server_repository }} \ --set operator.replicas={{ cni.cilium.operator_replicas }} \ - --set image.override={{ cni.cilium.cilium_image }} \ - --set ipv6.enabled={% if (cni.ipv6_support=="true") %}true{%else%}false{% endif %} \ + --set ipv6.enabled={{ cni.ipv6_support }} \ --set ipv4NativeRoutingCIDR: {{ cni.kube_pods_v4_cidr }} \ - {% if (cni.ipv6_support=="true") %} + {% if (cni.ipv6_support) %} --set ipv6NativeRoutingCIDR: {{ cni.kube_pods_v6_cidr }} \ {% endif %} - {% if (cni.kube_proxy=="true") %} + {% if (cni.kube_proxy) %} --set kubeProxyReplacement=strict --set k8sServiceHost={{ cni.cilium.k8s_endpoint }} --set k8sServicePort={{ cni.cilium.k8s_port }} {% endif %} 
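Review bot: The new `--set` lines reference `{{ cilium_repository }}`, `{{ certgen_repository }}` … `{{ spire_server_repository }}` without a prefix, while the defaults added in `builtin/roles/addons/cni/defaults/main.yaml` define them under `cni.cilium.`, and the neighbouring lines in this hunk use `cni.cilium.operator_replicas` and `cni.cilium.k8s_endpoint`. Unless these names are flattened somewhere else, every repository flag renders empty and helm receives `image.repository=`; each line should read like `--set image.repository={{ cni.cilium.cilium_repository }} \`. Separately, `ipv6.enabled={{ cni.ipv6_support }}` now emits the variable's raw representation instead of a guaranteed `true`/`false`; if `cni.ipv6_support` can arrive as a string (the old `=="true"` comparison suggests it did), keep the explicit rendering for that flag.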
diff --git a/builtin/roles/addons/cni/tasks/hybridnet.yaml b/builtin/roles/addons/cni/tasks/hybridnet.yaml index 2280d5cf..9cdd95fd 100644 --- a/builtin/roles/addons/cni/tasks/hybridnet.yaml +++ b/builtin/roles/addons/cni/tasks/hybridnet.yaml @@ -8,10 +8,10 @@ - name: Install hybridnet command: | helm install hybridnet /etc/kubernetes/cni/hybridnet-{{ hybridnet_version }}.tgz --namespace kube-system \ - {% if cni.hybridnet.hybridnet_image %} + {% if (cni.hybridnet.hybridnet_image|defined && cni.hybridnet.hybridnet_image != '') %} --set images.hybridnet.image={{ cni.hybridnet.hybridnet_image }} \ {% endif %} - {% if cni.hybridnet.hybridnet_tag %} + {% if (cni.hybridnet.hybridnet_tag|defined && cni.hybridnet.hybridnet_tag != '') %} --set images.hybridnet.tag={{ cni.hybridnet.hybridnet_tag }} \ {% endif %} - --set image.registryURL={{ cni.hybridnet.registryURL }} \ + --set image.registryURL={{ cni.hybridnet.registry }} \ diff --git a/builtin/roles/addons/cni/tasks/kubeovn.yaml b/builtin/roles/addons/cni/tasks/kubeovn.yaml index 2fc6ba8a..8e81955a 100644 --- a/builtin/roles/addons/cni/tasks/kubeovn.yaml +++ b/builtin/roles/addons/cni/tasks/kubeovn.yaml @@ -17,7 +17,7 @@ --set MASTER_NODES={% for h in groups['kube_control_plane'] %}{% set hv=inventory_hosts[h] %}"{{ hv.internal_ipv4 }}"{% if (not forloop.Last) %},{% endif %}{% endfor %} \ --set global.registry.address={{ cni.kubeovn.registry }} \ --set ipv4.POD_CIDR={{ cni.kubeovn.kube_pods_v4_cidr }} --set ipv4.SVC_CIDR={{ cni.kubeovn.kube_svc_cidr }} \ - {% if (cni.ipv6_support=="true") %} + {% if (cni.ipv6_support) %} --set networking.NET_STACK=dual_stack \ --set dual_stack.POD_CIDR={{ cni.kubeovn.kube_pods_v4_cidr }},{{ cni.kubeovn.kube_pods_v6_cidr }} \ --set dual_stack.SVC_CIDR={{ cni.kubeovn.kube_svc_cidr }} \ diff --git a/builtin/roles/addons/cni/templates/calico/pdg.yaml b/builtin/roles/addons/cni/templates/calico/pdg.yaml index e35cebc9..e2eb7e52 100644 --- a/builtin/roles/addons/cni/templates/calico/pdg.yaml 
+++ b/builtin/roles/addons/cni/templates/calico/pdg.yaml @@ -15,7 +15,7 @@ spec: matchLabels: k8s-app: calico-kube-controllers -{% if (cni.calico.typha=="true") %} +{% if (cni.calico.typha) %} --- # Source: calico/templates/calico-typha.yaml # This manifest creates a Pod Disruption Budget for Typha to allow K8s Cluster Autoscaler to evict diff --git a/builtin/roles/addons/cni/templates/calico/v3.27.yaml b/builtin/roles/addons/cni/templates/calico/v3.27.yaml index 7f7928c8..999dea79 100644 --- a/builtin/roles/addons/cni/templates/calico/v3.27.yaml +++ b/builtin/roles/addons/cni/templates/calico/v3.27.yaml @@ -29,7 +29,7 @@ metadata: namespace: kube-system data: # You must set a non-zero value for Typha replicas below. - typha_service_name: {% if (cni.calico.typha=="true") %}"calico-typha"{% else %}"none"{% endif %} + typha_service_name: {% if (cni.calico.typha) %}"calico-typha"{% else %}"none"{% endif %} # Configure the backend to use. calico_backend: "bird" @@ -4715,7 +4715,7 @@ subjects: name: calico-cni-plugin namespace: kube-system -{% if (cni.calico.typha=="true") %} +{% if (cni.calico.typha) %} --- # Source: calico/templates/calico-typha.yaml # This manifest creates a Service, which will be backed by Calico's Typha daemon. @@ -4893,7 +4893,7 @@ spec: # Use Kubernetes API as the backing datastore. - name: DATASTORE_TYPE value: "kubernetes" - {% if (cni.calico.typha=="true") %} + {% if (cni.calico.typha) %} # Typha support: controlled by the ConfigMap. - name: FELIX_TYPHAK8SSERVICENAME valueFrom: @@ -4927,7 +4927,7 @@ spec: value: "can-reach=$(NODEIP)" - name: IP value: "autodetect" - {% if (cni.ipv6_support=="true") %} + {% if (cni.ipv6_support) %} - name: IP6 value: "autodetect" {% endif %} @@ -4944,7 +4944,7 @@ spec: - name: CALICO_IPV4POOL_NAT_OUTGOING value: "false" {% endif %} - {% if (cni.ipv6_support=="true") %} + {% if (cni.ipv6_support) %} # Enable or Disable VXLAN on the default IPv6 IP pool. - name: CALICO_IPV6POOL_VXLAN value: "Always" 
@@ -4983,7 +4983,7 @@ spec: value: "{{ cni.kube_pods_v4_cidr }}" - name: CALICO_IPV4POOL_BLOCK_SIZE value: "{{ cni.node_cidr_mask_size }}" - {% if (cni.ipv6_support=="true") %} + {% if (cni.ipv6_support) %} - name: CALICO_IPV6POOL_CIDR value: "{{ cni.kube_pods_v6_cidr }}" - name: CALICO_IPV6POOL_BLOCK_SIZE @@ -4994,7 +4994,7 @@ spec: value: "true" - name: CALICO_IPV4POOL_CIDR value: "" - {% if (cni.ipv6_support=="true") %} + {% if (cni.ipv6_support) %} - name: CALICO_IPV6POOL_CIDR value: "" {% endif %} @@ -5005,7 +5005,7 @@ spec: - name: FELIX_DEFAULTENDPOINTTOHOSTACTION value: "ACCEPT" # Disable IPv6 on Kubernetes. - {% if (cni.ipv6_support=="true") %} + {% if (cni.ipv6_support) %} - name: FELIX_IPV6SUPPORT value: "true" {% else %} @@ -5199,7 +5199,7 @@ spec: - -r periodSeconds: 10 -{% if (cni.calico.typha=="true") %} +{% if (cni.calico.typha) %} --- # Source: calico/templates/calico-typha.yaml # This manifest creates a Deployment of Typha to back the above service. diff --git a/builtin/roles/addons/cni/templates/flannel/flannel.yaml b/builtin/roles/addons/cni/templates/flannel/flannel.yaml index 1657b78c..eb3127ec 100644 --- a/builtin/roles/addons/cni/templates/flannel/flannel.yaml +++ b/builtin/roles/addons/cni/templates/flannel/flannel.yaml @@ -91,7 +91,7 @@ data: net-conf.json: | { "Network": "{{ cni.kube_pods_v4_cidr }}", -{% if (cni.ipv6_support=="true") %} +{% if (cni.ipv6_support) %} "EnableIPv6": true, "IPv6Network":"{{ cni.kube_pods_v6_cidr }}", {% endif %} diff --git a/builtin/roles/addons/cni/templates/multus.deployment b/builtin/roles/addons/cni/templates/multus.deployment deleted file mode 100644 index 9ebfc8df..00000000 --- a/builtin/roles/addons/cni/templates/multus.deployment +++ /dev/null 
@@ -1,206 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: network-attachment-definitions.k8s.cni.cncf.io -spec: - group: k8s.cni.cncf.io - scope: Namespaced - names: - plural: network-attachment-definitions - singular: network-attachment-definition - kind: NetworkAttachmentDefinition - shortNames: - - net-attach-def - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - description: 'NetworkAttachmentDefinition is a CRD schema specified by the Network Plumbing - Working Group to express the intent for attaching pods to one or more logical or physical - networks. More information available at: https://github.com/k8snetworkplumbingwg/multi-net-spec' - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this represen - tation of an object. Servers should convert recognized schemas to the - latest internal value, and may reject unrecognized values. More info: - https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: 'NetworkAttachmentDefinition spec defines the desired state of a network attachment' - type: object - properties: - config: - description: 'NetworkAttachmentDefinition config is a JSON-formatted CNI configuration' - type: string ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: multus -rules: - - apiGroups: ["k8s.cni.cncf.io"] - resources: - - '*' - verbs: - - '*' - - apiGroups: - - "" - resources: - - pods - - pods/status - verbs: - - get - - update - - apiGroups: - - "" - - events.k8s.io - resources: - - events - verbs: - - create - - patch - - update ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: multus -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: multus -subjects: -- kind: ServiceAccount - name: multus - namespace: kube-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: multus - namespace: kube-system ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: multus-cni-config - namespace: kube-system - labels: - tier: node - app: multus -data: - # NOTE: If you'd prefer to manually apply a configuration file, you may create one here. - # In the case you'd like to customize the Multus installation, you should change the arguments to the Multus pod - # change the "args" line below from - # - "--multus-conf-file=auto" - # to: - # "--multus-conf-file=/tmp/multus-conf/70-multus.conf" - # Additionally -- you should ensure that the name "70-multus.conf" is the alphabetically first name in the - # /etc/cni/net.d/ directory on each node, otherwise, it will not be used by the Kubelet. 
- cni-conf.json: | - { - "name": "multus-cni-network", - "type": "multus", - "capabilities": { - "portMappings": true - }, - "delegates": [ - { - "cniVersion": "0.3.1", - "name": "default-cni-network", - "plugins": [ - { - "type": "flannel", - "name": "flannel.1", - "delegate": { - "isDefaultGateway": true, - "hairpinMode": true - } - }, - { - "type": "portmap", - "capabilities": { - "portMappings": true - } - } - ] - } - ], - "kubeconfig": "/etc/cni/net.d/multus.d/multus.kubeconfig" - } ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: kube-multus-ds - namespace: kube-system - labels: - tier: node - app: multus - name: multus -spec: - selector: - matchLabels: - name: multus - updateStrategy: - type: RollingUpdate - template: - metadata: - labels: - tier: node - app: multus - name: multus - spec: - hostNetwork: true - tolerations: - - operator: Exists - effect: NoSchedule - serviceAccountName: multus - containers: - - name: kube-multus - image: {{ .MultusImage }} - command: ["/entrypoint.sh"] - args: - - "--multus-conf-file=auto" - - "--cni-version=0.3.1" - resources: - requests: - cpu: "100m" - memory: "50Mi" - limits: - cpu: "100m" - memory: "50Mi" - securityContext: - privileged: true - volumeMounts: - - name: cni - mountPath: /host/etc/cni/net.d - - name: cnibin - mountPath: /host/opt/cni/bin - - name: multus-cfg - mountPath: /tmp/multus-conf - terminationGracePeriodSeconds: 10 - volumes: - - name: cni - hostPath: - path: /etc/cni/net.d - - name: cnibin - hostPath: - path: /opt/cni/bin - - name: multus-cfg - configMap: - name: multus-cni-config - items: - - key: cni-conf.json - path: 70-multus.conf diff --git a/builtin/roles/certs/renew-kubernetes/defaults/main.yaml b/builtin/roles/certs/renew-kubernetes/defaults/main.yaml deleted file mode 100644 index 6309b500..00000000 --- a/builtin/roles/certs/renew-kubernetes/defaults/main.yaml +++ /dev/null @@ -1,5 +0,0 @@ -kubernetes: - etcd: - deployment_type: external -cri: - container_manager: docker 
diff --git a/builtin/roles/certs/renew-kubernetes/tasks/kube.yaml b/builtin/roles/certs/renew-kubernetes/tasks/kube.yaml index 109e6e0f..b55e7cf1 100644 --- a/builtin/roles/certs/renew-kubernetes/tasks/kube.yaml +++ b/builtin/roles/certs/renew-kubernetes/tasks/kube.yaml @@ -16,6 +16,11 @@ /usr/local/bin/kubeadm alpha certs renew admin.conf /usr/local/bin/kubeadm alpha certs renew controller-manager.conf /usr/local/bin/kubeadm alpha certs renew scheduler.conf + {% if (kubernetes.etcd.deployment_type=='internal' && renew_etcd ) %} + /usr/local/bin/kubeadm alpha certs renew etcd-healthcheck-client + /usr/local/bin/kubeadm alpha certs renew etcd-peer + /usr/local/bin/kubeadm alpha certs renew etcd-server + {% endif %} {% else %} /usr/local/bin/kubeadm certs renew apiserver /usr/local/bin/kubeadm certs renew apiserver-kubelet-client @@ -23,6 +28,11 @@ /usr/local/bin/kubeadm certs renew admin.conf /usr/local/bin/kubeadm certs renew controller-manager.conf /usr/local/bin/kubeadm certs renew scheduler.conf + {% if (kubernetes.etcd.deployment_type=='internal' && renew_etcd ) %} + /usr/local/bin/kubeadm certs renew etcd-healthcheck-client + /usr/local/bin/kubeadm certs renew etcd-peer + /usr/local/bin/kubeadm certs renew etcd-server + {% endif %} {% endif %} - name: Fetch kubeconfig to local diff --git a/builtin/roles/certs/renew-kubernetes/tasks/main.yaml b/builtin/roles/certs/renew-kubernetes/tasks/main.yaml index 0787588d..483b0884 100644 --- a/builtin/roles/certs/renew-kubernetes/tasks/main.yaml +++ b/builtin/roles/certs/renew-kubernetes/tasks/main.yaml 
@@ -6,17 +6,23 @@ tags: ["certs"] when: - kubernetes.etcd.deployment_type=='external' && groups['etcd']|length > 0 - - renew_etcd|default_if_none:true + - renew_etcd - name: Reload kubernetes pods tags: [ "certs" ] command: | {% if (cri.container_manager == "docker") %} - docker ps -af name=k8s_kube-apiserver* -q | xargs --no-run-if-empty docker rm -f - docker ps -af name=k8s_kube-controller-manager* -q | xargs --no-run-if-empty docker rm -f - docker ps -af name=k8s_ kube-scheduler* -q | xargs --no-run-if-empty docker rm -f - {% else %} - crictl ps --name kube-apiserver -q | xargs -I% --no-run-if-empty bash -c 'crictl stop % && crictl rm %' - crictl ps --name kube-controller-manager -q | xargs -I% --no-run-if-empty bash -c 'crictl stop % && crictl rm %' - crictl ps --name kube-scheduler -q | xargs -I% --no-run-if-empty bash -c 'crictl stop % && crictl rm %' + docker ps -af name=k8s_PODS_kube-apiserver* -q | xargs --no-run-if-empty docker rm -f + docker ps -af name=k8s_PODS_kube-controller-manager* -q | xargs --no-run-if-empty docker rm -f + docker ps -af name=k8s_PODS_kube-scheduler* -q | xargs --no-run-if-empty docker rm -f + {% if (kubernetes.etcd.deployment_type=='internal' && renew_etcd ) %} + docker ps -af name=k8s_PODS_etcd* -q | xargs --no-run-if-empty docker rm -f + {% endif %} + {% else %} + crictl pods --name kube-apiserver-* -q | xargs -I% --no-run-if-empty bash -c 'crictl stopp % && crictl rmp %' + crictl pods --name kube-controller-manager-* -q | xargs -I% --no-run-if-empty bash -c 'crictl stopp % && crictl rmp %' + crictl pods --name kube-scheduler-* -q | xargs -I% --no-run-if-empty bash -c 'crictl stopp % && crictl rmp %' + {% if (kubernetes.etcd.deployment_type=='internal' && renew_etcd ) %} + crictl pods --name etcd-* -q | xargs -I% --no-run-if-empty bash -c 'crictl stopp % && crictl rmp %' + {% endif %} {% endif %} 
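Review bot: The docker branch filters on `name=k8s_PODS_kube-apiserver*`, whereas `renew_script.sh` in this same diff matches `k8s_POD_(kube-apiserver|...)`; both cannot be right, and if Docker names sandbox containers `k8s_POD_…` the new filter matches nothing, `xargs --no-run-if-empty` silently runs nothing, and the control plane keeps serving the old certificates without any error. Align it with the script, e.g. `docker ps -af name=k8s_POD_kube-apiserver* -q | xargs --no-run-if-empty docker rm -f`, and likewise for controller-manager, scheduler and etcd. Because a mismatch here fails silently, a follow-up task that checks the apiserver certificate's expiry after the restart would make a no-op renewal visible.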
diff --git a/builtin/roles/install/certs/templates/renew_script.sh b/builtin/roles/install/certs/templates/renew_script.sh index a9672dc0..ec983531 100644 --- a/builtin/roles/install/certs/templates/renew_script.sh +++ b/builtin/roles/install/certs/templates/renew_script.sh @@ -1,5 +1,5 @@ #!/bin/bash -{% if (renew_certs.is_kubeadm_alpha=="true") %} +{% if (renew_certs.is_kubeadm_alpha) %} kubeadmCerts='/usr/local/bin/kubeadm alpha certs' {% else %} kubeadmCerts='/usr/local/bin/kubeadm certs' @@ -15,7 +15,7 @@ if [ $(getCertValidDays) -lt 30 ]; then echo "## Renewing certificates managed by kubeadm ##" ${kubeadmCerts} renew all echo "## Restarting control plane pods managed by kubeadm ##" -{% if (renew_certs.is_docker=="true") %} +{% if (renew_certs.is_docker) %} $(which docker | grep docker) ps -af 'name=k8s_POD_(kube-apiserver|kube-controller-manager|kube-scheduler|etcd)-*' -q | /usr/bin/xargs $(which docker | grep docker) rm -f {% else %} $(which crictl | grep crictl) pods --namespace kube-system --name 'kube-scheduler-*|kube-controller-manager-*|kube-apiserver-*|etcd-*' -q | /usr/bin/xargs $(which crictl | grep crictl) rmp -f diff --git a/builtin/roles/install/cri/defaults/main.yaml b/builtin/roles/install/cri/defaults/main.yaml index e94eae55..aed597ce 100644 --- a/builtin/roles/install/cri/defaults/main.yaml +++ b/builtin/roles/install/cri/defaults/main.yaml @@ -1,7 +1,7 @@ cri: # support: systemd, cgroupfs cgroup_driver: systemd - sandbox_image: "k8s.gcr.io/pause:3.5" + sandbox_image: "{{ k8s_registry }}/pause:3.5" # support: containerd,docker,crio container_manager: docker # the endpoint of containerd 
@@ -10,3 +10,14 @@ cri: # data_root: /var/lib/containerd docker: data_root: /var/lib/docker + registry: + mirrors: ["https://registry-1.docker.io"] + insecure_registries: [] + auths: [] + +image_registry: + # ha_vip: 192.168.122.59 + auth: + registry: "{% if (image_registry.ha_vip|defined) %}{{ image_registry.ha_vip }}{% else %}{{ groups['image_registry']|first }}{% endif %}" + username: admin + password: Harbor12345 diff --git a/builtin/roles/install/cri/tasks/install_containerd.yaml b/builtin/roles/install/cri/tasks/install_containerd.yaml index 92212004..f5318296 100644 --- a/builtin/roles/install/cri/tasks/install_containerd.yaml +++ b/builtin/roles/install/cri/tasks/install_containerd.yaml @@ -39,6 +39,22 @@ dest: /etc/systemd/system/containerd.service when: containerd_install_version.stderr != "" +- name: Sync image registry tls to remote + when: groups['image_registry'] > 0 + block: + - name: Sync image registry cert file to remote + copy: + src: "{{ work_dir }}/kubekey/pki/root.crt" + dest: "/etc/containerd/certs.d/{{ image_registry.auth.registry }}/ca.crt" + - name: Sync image registry cert file to remote + copy: + src: "{{ work_dir }}/kubekey/pki/image_registry.crt" + dest: "/etc/containerd/certs.d/{{ image_registry.auth.registry }}/server.crt" + - name: Sync image registry key file to remote + copy: + src: "{{ work_dir }}/kubekey/pki/image_registry.key" + dest: "/etc/containerd/certs.d/{{ image_registry.auth.registry }}/server.key" + - name: Start containerd command: | systemctl daemon-reload && systemctl start containerd.service && systemctl enable containerd.service diff --git a/builtin/roles/install/cri/tasks/install_docker.yaml b/builtin/roles/install/cri/tasks/install_docker.yaml index 5ff46608..c3e9489b 100644 --- a/builtin/roles/install/cri/tasks/install_docker.yaml +++ b/builtin/roles/install/cri/tasks/install_docker.yaml 
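Review bot: `username: admin` / `password: Harbor12345` ship a well-known default credential for the image registry in the role defaults, and the containerd.config hunk in this commit writes both verbatim into the containerd configuration on every node, so anyone who can read that file, or this repository, holds registry admin. Leave `password` empty here and make the template fail with a clear message when it is unset, so the value has to come from the inventory or a vars file; a comment such as `# password is rendered in plaintext into the CRI config on every node` would make the exposure explicit. `registry:` is also defined in terms of `image_registry.ha_vip`, the very map this block declares, and of `groups['image_registry']|first`, which is evaluated on an empty group when no registry host exists; unless the loader resolves self-references lazily this default is brittle, and a short comment stating the intended precedence (ha_vip, else the first `image_registry` host) would help the next reader.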
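Review bot: `when: groups['image_registry'] > 0` compares a list with an integer; elsewhere in this commit the same test is written `groups['image_registry']|length > 0` (containerd.config) and `groups['etcd']|length > 0` (certs tasks), and depending on the engine the list form either never matches or raises, so the certificates would never be synced. The same line appears in the install_docker.yaml hunk. The block also copies `image_registry.key`, the registry's private key, to `/etc/containerd/certs.d/{{ image_registry.auth.registry }}/server.key` on every node, although a client only needs `ca.crt` to verify the registry; unless mTLS with a dedicated client certificate is intended, the key should not be distributed at all, and if it is, the `copy` should carry `mode: "0600"`. Two of the three tasks share the name `Sync image registry cert file to remote`; naming the second `Sync image registry server cert to remote` keeps the run log readable.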
@@ -33,6 +33,22 @@ dest: /etc/systemd/system/containerd.service when: docker_install_version.stderr != "" +- name: Sync image registry tls to remote + when: groups['image_registry'] > 0 + block: + - name: Sync image registry cert file to remote + copy: + src: "{{ work_dir }}/kubekey/pki/root.crt" + dest: "/etc/docker/certs.d/{{ image_registry.auth.registry }}/ca.crt" + - name: Sync image registry cert file to remote + copy: + src: "{{ work_dir }}/kubekey/pki/image_registry.crt" + dest: "/etc/docker/certs.d/{{ image_registry.auth.registry }}/server.crt" + - name: Sync image registry key file to remote + copy: + src: "{{ work_dir }}/kubekey/pki/image_registry.key" + dest: "/etc/docker/certs.d/{{ image_registry.auth.registry }}/server.key" + - name: Start docker service command: | systemctl daemon-reload && systemctl start containerd.service && systemctl enable containerd.service diff --git a/builtin/roles/install/cri/templates/containerd.config b/builtin/roles/install/cri/templates/containerd.config index 9f40e623..fd874942 100644 --- a/builtin/roles/install/cri/templates/containerd.config +++ b/builtin/roles/install/cri/templates/containerd.config 
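Review bot: `/etc/docker/certs.d/{{ image_registry.auth.registry }}/server.key` does not follow dockerd's certs.d convention, which, as far as I recall, treats every `*.crt` in that directory as a CA certificate and requires each `*.key` to be paired with a `*.cert` client certificate of the same basename, so a `server.key` with no `server.cert` is likely to make pulls from this registry fail on docker hosts. Copying only `root.crt` to `ca.crt` is sufficient for server verification; if client authentication is wanted, name the pair `client.cert`/`client.key`, and give the key `mode: "0600"`. The `when: groups['image_registry'] > 0` comparison has the same problem as in install_containerd.yaml.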
@@ -48,29 +48,34 @@ state = "/run/containerd" conf_template = "" [plugins."io.containerd.grpc.v1.cri".registry] [plugins."io.containerd.grpc.v1.cri".registry.mirrors] + {% if (cri.registry.mirrors|length > 0) %} [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"] - {% if (registry.mirrors|defined) %} - endpoint = {{ registry.mirrors|to_json|safe }} - {% else %} - endpoint = ["https://registry-1.docker.io"] - {% endif %} - {% for ir in registry.insecure_registries %} + endpoint = {{ cri.registry.mirrors|to_json|safe }} + {% endif %} + {% for ir in cri.registry.insecure_registries %} [plugins."io.containerd.grpc.v1.cri".registry.mirrors."{{ ir }}"] endpoint = ["http://{{ ir }}"] {% endfor %} - {% if (registry.auths|length > 0) %} + {% if (cri.registry.auths|length > 0 || groups['image_registry']|length>0) %} [plugins."io.containerd.grpc.v1.cri".registry.configs] - {% for ir in registry.auths %} + [plugins."io.containerd.grpc.v1.cri".registry.configs."{{ image_registry.auth.registry }}".auth] + username = "{{ image_registry.auth.username }}" + password = "{{ image_registry.auth.password }}" + [plugins."io.containerd.grpc.v1.cri".registry.configs."{{ image_registry.auth.registry }}".tls] + ca_file = "/etc/containerd/certs.d/{{ image_registry.auth.registry }}/ca.crt" + cert_file = "/etc/containerd/certs.d/{{ image_registry.auth.registry }}/server.crt" + key_file = "/etc/containerd/certs.d/{{ image_registry.auth.registry }}/server.key" + {% for ir in cri.registry.auths %} [plugins."io.containerd.grpc.v1.cri".registry.configs."{{ ir.repo }}".auth] username = "{{ ir.username }}" password = "{{ ir.password }}" - {% if (ir.ca_file|defined) %} - [plugins."io.containerd.grpc.v1.cri".registry.configs."{{ ir.repo }}".tls] - ca_file = "{{ ir.ca_file }}" - cert_file = "{{ ir.crt_file }}" - key_file = "{{ ir.key_file }}" - insecure_skip_verify = {{ ir.skip_ssl }} - {% endif %} + {% if (ir.ca_file|defined) %} + [plugins."io.containerd.grpc.v1.cri".registry.configs."{{ 
ir.repo }}".tls] + ca_file = "{{ ir.ca_file }}" + cert_file = "{{ ir.crt_file }}" + key_file = "{{ ir.key_file }}" + insecure_skip_verify = {{ ir.skip_ssl }} + {% endif %} {% endfor %} {% endif %} diff --git a/builtin/roles/install/cri/templates/crictl.config b/builtin/roles/install/cri/templates/crictl.config index 10891f63..29ba9c1d 100644 --- a/builtin/roles/install/cri/templates/crictl.config +++ b/builtin/roles/install/cri/templates/crictl.config @@ -1,5 +1,5 @@ -runtime-endpoint: {{ cri.container_runtime_endpoint }} -image-endpoint: {{ cri.container_runtime_endpoint }} +runtime-endpoint: {{ cri.cri_socket }} +image-endpoint: {{ cri.cri_socket }} timeout: 5 debug: false pull-image-on-create: false diff --git a/builtin/roles/install/cri/templates/docker.config b/builtin/roles/install/cri/templates/docker.config index 5540fd1c..d2bc7f80 100644 --- a/builtin/roles/install/cri/templates/docker.config +++ b/builtin/roles/install/cri/templates/docker.config @@ -6,11 +6,11 @@ {% if (cri.docker.data_root|defined) %} "data-root": "{{ cri.docker.data_root }}", {% endif %} - {% if (registry.mirrors|defined) %} - "registry-mirrors": {{ registry.mirrors|to_json|safe }}, + {% if (cri.registry.mirrors|defined) %} + "registry-mirrors": {{ cri.registry.mirrors|to_json|safe }}, {% endif %} - {% if (registry.insecure_registries|defined) %} - "insecure-registries": {{ registry.insecure_registries|to_json|safe }}, + {% if (cri.registry.insecure_registries|defined) %} + "insecure-registries": {{ cri.registry.insecure_registries|to_json|safe }}, {% endif %} {% if (cri.docker.bridge_ip|defined) %} "bip": "{{ cri.docker.bridge_ip }}", diff --git a/builtin/roles/install/kubernetes/defaults/main.yaml b/builtin/roles/install/kubernetes/defaults/main.yaml index ed6c1ea2..c241c8a7 100644 --- a/builtin/roles/install/kubernetes/defaults/main.yaml +++ b/builtin/roles/install/kubernetes/defaults/main.yaml 
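Review bot: The new `registry.configs."{{ image_registry.auth.registry }}"` block is emitted whenever `cri.registry.auths|length > 0 || groups['image_registry']|length>0`, so a cluster with user-defined `auths` but no `image_registry` group still renders the block with whatever `image_registry.auth.registry` evaluates to on an empty group (probably an empty table name) and with the default `admin`/`Harbor12345` credentials in plaintext. Wrap the auth and tls tables for the built-in registry in their own `{% if (groups['image_registry']|length > 0) %}` and keep the outer condition only for the `[plugins."io.containerd.grpc.v1.cri".registry.configs]` header. In the `tls` table, `cert_file`/`key_file` point at the registry's server certificate and key, which makes containerd present the server's own identity as a client certificate; `ca_file` alone is what is needed to trust the registry unless a dedicated client certificate is provisioned. The reindented `ir.ca_file` block is a whitespace-only change.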
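Review bot: `{% if (cri.registry.mirrors|defined) %}` is now always true because the cri defaults in this commit define `mirrors: ["https://registry-1.docker.io"]`, whereas containerd.config tests `cri.registry.mirrors|length > 0`; the two templates should use the same predicate, e.g. `{% if (cri.registry.mirrors|length > 0) %}` here and the same form for `insecure_registries`. Always emitting `"registry-mirrors"` with the default endpoint is harmless, but `"insecure-registries": []` should only appear when the list is non-empty so that a reviewer of the rendered daemon.json can see at a glance that no plaintext registry is configured.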
@@ -2,10 +2,8 @@ kubernetes: cluster_name: cluster.local # support: flannel, calico kube_network_plugin: calico - # the minimal version of kubernetes to be installed. - kube_version_min_required: v1.19.10 # the image repository of kubernetes. - image_repository: "registry.k8s.io" + image_repository: "{{ k8s_registry }}" # memory size for each kube_worker node.(unit kB) # should be greater than or equal to minimal_node_memory_mb. @@ -13,15 +11,14 @@ kubernetes: # the maximum number of pods that can be run on each node. max_pods: 110 audit: false - security_enhancement: "{{ security_enhancement|default_if_none:false }}" networking: dns_domain: cluster.local # it supports two value like value1,value2. # the first value is ipv4_cidr, the last value is ipv6_cidr. pod_cidr: 10.233.64.0/18 service_cidr: 10.233.0.0/18 - dns_image: "registry.k8s.io/coredns/coredns:v1.11.1" - dns_cache_image: "kubesphere/k8s-dns-node-cache:1.22.20" + dns_image: "{{ k8s_registry }}/coredns/coredns:v1.11.1" + dns_cache_image: "{{ dockerio_registry }}/kubesphere/k8s-dns-node-cache:1.22.20" dns_service_ip: "{{ kubernetes.networking.service_cidr|ip_range|slice:':3'|last }}" # Specify a stable IP address or DNS name for the control plane. # control_plane_endpoint: lb.kubesphere.local @@ -147,15 +144,15 @@ kubernetes: enabled: false # support:BGP, ARP mode: BGP - image: plndr/kube-vip:v0.7.2 + image: "{{ dockerio_registry }}/plndr/kube-vip:v0.7.2" haproxy: enabled: false health_port: 8081 - image: library/haproxy:2.9.6-alpine + image: "{{ dockerio_registry }}/library/haproxy:2.9.6-alpine" etcd: # todo should apply zone variable # It is possible to deploy etcd with three methods. # external: Deploy etcd cluster with external etcd cluster. # internal: Deploy etcd cluster by static pod. deployment_type: external - image: "k8s.gcr.io/etcd:3.5.0" + image: "{{ k8s_registry }}/etcd:3.5.0" custom_label: {} 
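Review bot: Removing `security_enhancement: "{{ security_enhancement|default_if_none:false }}"` here, together with deleting `builtin/roles/install/security/defaults/main.yaml` (`security_enhancement: false`) later in this commit, leaves `security_enhancement` with no visible default, yet the kubeadm-init.v1beta2 and v1beta3 templates now branch on `{% if (security_enhancement) %}` in four places each. If the engine treats an undefined name as false, the hardening settings (`profiling: false`, `readOnlyPort: 0`, `protectKernelDefaults: true`, the restricted admission plugin list) are silently skipped; if it raises, kubeadm config rendering fails. Either keep a default such as `security_enhancement: false` in a vars file that every play loads, or write the template tests as `{% if (security_enhancement|default_if_none:false) %}`. The truthiness test also relies on parseVariable (the pkg/variable hunks in this commit) having turned `"true"`/`"false"` strings into booleans; a value that bypasses that conversion, such as a literal `"false"` string, would enable the hardened profile unexpectedly.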
diff --git a/builtin/roles/install/kubernetes/templates/kubeadm/kubeadm-init.v1beta2 b/builtin/roles/install/kubernetes/templates/kubeadm/kubeadm-init.v1beta2 index f239c3e4..c7cb76d5 100644 --- a/builtin/roles/install/kubernetes/templates/kubeadm/kubeadm-init.v1beta2 +++ b/builtin/roles/install/kubernetes/templates/kubeadm/kubeadm-init.v1beta2 @@ -37,7 +37,7 @@ networking: serviceSubnet: {{ kubernetes.networking.service_cidr }} apiServer: extraArgs: -{% if (kubernetes.security_enhancement == "true") %} +{% if (security_enhancement) %} authorization-mode: Node,RBAC enable-admission-plugins: AlwaysPullImages,ServiceAccount,NamespaceLifecycle,NodeRestriction,LimitRanger,ResourceQuota,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,PodNodeSelector,PodSecurity profiling: false @@ -92,7 +92,7 @@ controllerManager: {% else %} experimental-cluster-signing-duration: 87600h {% endif %} -{% if (kubernetes.security_enhancement == "true") %} +{% if (security_enhancement) %} bind-address: 127.0.0.1 profiling: false terminated-pod-gc-threshold: 50 @@ -108,7 +108,7 @@ controllerManager: readOnly: true scheduler: extraArgs: -{% if (kubernetes.security_enhancement == "true") %} +{% if (security_enhancement) %} bind-address: 127.0.0.1 profiling: false {% else %} @@ -162,7 +162,7 @@ evictionSoftGracePeriod: evictionMaxPodGracePeriod: 120 evictionPressureTransitionPeriod: 30s -{% if (kubernetes.security_enhancement == "true") %} +{% if (security_enhancement) %} readOnlyPort: 0 protectKernelDefaults: true eventRecordQPS: 1 diff --git a/builtin/roles/install/kubernetes/templates/kubeadm/kubeadm-init.v1beta3 b/builtin/roles/install/kubernetes/templates/kubeadm/kubeadm-init.v1beta3 index 3e11bf87..a37eed3b 100644 --- a/builtin/roles/install/kubernetes/templates/kubeadm/kubeadm-init.v1beta3 +++ b/builtin/roles/install/kubernetes/templates/kubeadm/kubeadm-init.v1beta3 
@@ -36,7 +36,7 @@ networking: serviceSubnet: {{ kubernetes.networking.service_cidr }} apiServer: extraArgs: -{% if (kubernetes.security_enhancement == "true") %} +{% if (security_enhancement) %} authorization-mode: Node,RBAC enable-admission-plugins: AlwaysPullImages,ServiceAccount,NamespaceLifecycle,NodeRestriction,LimitRanger,ResourceQuota,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,PodNodeSelector,PodSecurity profiling: false @@ -91,7 +91,7 @@ controllerManager: {% else %} experimental-cluster-signing-duration: 87600h {% endif %} -{% if (kubernetes.security_enhancement == "true") %} +{% if (security_enhancement) %} bind-address: 127.0.0.1 profiling: false terminated-pod-gc-threshold: 50 @@ -107,7 +107,7 @@ controllerManager: readOnly: true scheduler: extraArgs: -{% if (kubernetes.security_enhancement == "true") %} +{% if (security_enhancement) %} bind-address: 127.0.0.1 profiling: false {% else %} @@ -161,7 +161,7 @@ evictionSoftGracePeriod: evictionMaxPodGracePeriod: 120 evictionPressureTransitionPeriod: 30s -{% if (kubernetes.security_enhancement == "true") %} +{% if (security_enhancement) %} readOnlyPort: 0 protectKernelDefaults: true eventRecordQPS: 1 diff --git a/builtin/roles/install/security/defaults/main.yaml b/builtin/roles/install/security/defaults/main.yaml deleted file mode 100644 index 7376ffeb..00000000 --- a/builtin/roles/install/security/defaults/main.yaml +++ /dev/null @@ -1 +0,0 @@ -security_enhancement: false diff --git a/go.mod b/go.mod index 440c32aa..f8fa464b 100644 --- a/go.mod +++ b/go.mod @@ -7,6 +7,7 @@ require ( github.com/fsnotify/fsnotify v1.7.0 github.com/go-git/go-git/v5 v5.11.0 github.com/google/gops v0.3.28 + github.com/opencontainers/image-spec v1.1.0 github.com/pkg/errors v0.9.1 github.com/pkg/sftp v1.13.6 github.com/schollz/progressbar/v3 v3.14.3 
@@ -77,7 +78,6 @@ require ( github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect - github.com/opencontainers/image-spec v1.1.0 // indirect github.com/pjbgf/sha1cd v0.3.0 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect github.com/prometheus/client_golang v1.18.0 // indirect diff --git a/pkg/apis/core/v1/base.go b/pkg/apis/core/v1/base.go index ca5c1e62..4aedd6bc 100644 --- a/pkg/apis/core/v1/base.go +++ b/pkg/apis/core/v1/base.go @@ -28,7 +28,7 @@ type Base struct { Vars map[string]any `yaml:"vars,omitempty"` // module default params - ModuleDefaults []map[string]map[string]any `yaml:"module_defaults,omitempty"` + //ModuleDefaults []map[string]map[string]any `yaml:"module_defaults,omitempty"` // flags and misc. settings Environment []map[string]string `yaml:"environment,omitempty"` diff --git a/pkg/apis/core/v1/play.go b/pkg/apis/core/v1/play.go index 5e636484..f1f3e4da 100644 --- a/pkg/apis/core/v1/play.go +++ b/pkg/apis/core/v1/play.go @@ -36,8 +36,8 @@ type Play struct { //FactPath string // Variable Attribute - VarsFiles []string `yaml:"vars_files,omitempty"` - VarsPrompt []string `yaml:"vars_prompt,omitempty"` + VarsFiles []string `yaml:"vars_files,omitempty"` + //VarsPrompt []string `yaml:"vars_prompt,omitempty"` // Role Attributes Roles []Role `yaml:"roles,omitempty"` diff --git a/pkg/apis/kubekey/v1/config_types_test.go b/pkg/apis/kubekey/v1/config_types_test.go index 45a176c6..0116b7df 100644 --- a/pkg/apis/kubekey/v1/config_types_test.go +++ b/pkg/apis/kubekey/v1/config_types_test.go @@ -55,8 +55,6 @@ func TestSetValue(t *testing.T) { t.Run(tc.name, func(t *testing.T) { err := in.SetValue(tc.key, tc.val) assert.NoError(t, err) - t.Logf("%s", in.Spec.Raw) - t.Logf("%s", tc.except.Spec.Raw) assert.Equal(t, tc.except, in) }) } diff --git a/pkg/executor/executor.go b/pkg/executor/executor.go index 886acc57..9a9e4fb2 100644 
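Review bot: `//ModuleDefaults []map[string]map[string]any ...` leaves a commented-out struct field in place of a removal, and the play.go hunk does the same with `//VarsPrompt`. Commented-out code is dead code the next reader has to reason about, and with the field gone a playbook that still sets `module_defaults:` or `vars_prompt:` is now silently ignored by the yaml decoder (or rejected, if decoding is strict), with nothing in the code saying that this is intended. Delete the lines, or if the keys are reserved for later, keep the fields and add `// not implemented yet: parsed but ignored` so the behaviour is explicit.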
--- a/pkg/executor/executor.go +++ b/pkg/executor/executor.go @@ -48,7 +48,7 @@ type TaskExecutor interface { func NewTaskExecutor(client ctrlclient.Client, pipeline *kubekeyv1.Pipeline) TaskExecutor { // get variable - v, err := variable.GetVariable(client, *pipeline) + v, err := variable.New(client, *pipeline) if err != nil { klog.V(4).ErrorS(nil, "convert playbook error", "pipeline", ctrlclient.ObjectKeyFromObject(pipeline)) return nil diff --git a/pkg/project/helper.go b/pkg/project/helper.go index 0e2ae13a..f9366911 100644 --- a/pkg/project/helper.go +++ b/pkg/project/helper.go @@ -81,6 +81,33 @@ func loadPlaybook(baseFS fs.FS, pbPath string, pb *kkcorev1.Playbook) error { } } + // load var_files (optional) + for _, file := range p.VarsFiles { + varDefault := getYamlFile(baseFS, filepath.Join(filepath.Dir(pbPath), file)) + if varDefault != "" { + mainData, err := fs.ReadFile(baseFS, varDefault) + if err != nil { + klog.V(4).ErrorS(err, "Read var_files for playbook error", "playbook", pbPath, "var_file", varDefault) + return err + } + + var vars map[string]any + var node yaml.Node // marshal file on defined order + if err := yaml.Unmarshal(mainData, &vars); err != nil { + klog.V(4).ErrorS(err, "Unmarshal var_files for playbook error", "playbook", pbPath, "var_file", varDefault) + return err + } + if err := node.Decode(&vars); err != nil { + return err + } + + p.Vars, err = combineMaps(p.Vars, vars) + if err != nil { + return err + } + } + } + // fill block in roles for i, r := range p.Roles { roleBase := getRoleBaseFromPlaybook(baseFS, pbPath, r.Role) @@ -147,7 +174,7 @@ func convertRoles(baseFS fs.FS, pbPath string, pb *kkcorev1.Playbook) error { } var vars map[string]any - var node yaml.Node + var node yaml.Node // marshal file on defined order if err := yaml.Unmarshal(mainData, &node); err != nil { klog.V(4).ErrorS(err, "Unmarshal defaults variable for Role error", "playbook", pbPath, "Role", r.Role) return err 
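Review bot: `v, err := variable.New(client, *pipeline)` replaces the cached lookup, and with `GetVariable`/`Cache` deleted from pkg/variable in this commit every `NewTaskExecutor` call presumably rebuilds the variable set from the client; if that is intended, a one-line comment above the call saying that variables are no longer shared between executors would save the next reader from searching for the cache. The error is also still dropped by the following context line; `klog.V(4).ErrorS(err, "convert playbook error", "pipeline", ctrlclient.ObjectKeyFromObject(pipeline))` would keep the cause in the log. The function body continues beyond the hunk.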
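Review bot: In the new var_files loop `yaml.Unmarshal(mainData, &vars)` fills `vars`, but `node` is never populated, so the following `node.Decode(&vars)` decodes a zero `yaml.Node`; with yaml.v3 that appears to reset a map target to nil, which would discard everything just read, and in any case one of the two calls is redundant. Mirror convertRoles in the next hunk: `if err := yaml.Unmarshal(mainData, &node); err != nil {` and keep the existing `node.Decode(&vars)`. The comment `// marshal file on defined order` describes a decode, not a marshal; say what the Node detour is for instead. `loadPlaybook` begins before this hunk.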
@@ -155,7 +182,12 @@ func convertRoles(baseFS fs.FS, pbPath string, pb *kkcorev1.Playbook) error { if err := node.Decode(&vars); err != nil { return err } - p.Roles[i].Vars = vars + + p.Roles[i].Vars, err = combineMaps(p.Roles[i].Vars, vars) + if err != nil { + return err + } + } } pb.Play[i] = p @@ -305,3 +337,22 @@ func getYamlFile(baseFS fs.FS, base string) string { return "" } + +// combine v2 map to v1 if not repeat. +func combineMaps(v1, v2 map[string]any) (map[string]any, error) { + if len(v1) == 0 { + return v2, nil + } + + mv := make(map[string]any) + for k, v := range v1 { + mv[k] = v + } + for k, v := range v2 { + if _, ok := mv[k]; ok { + return nil, fmt.Errorf("duplicate key: %s", k) + } + mv[k] = v + } + return mv, nil +} diff --git a/pkg/project/helper_test.go b/pkg/project/helper_test.go index cb281a96..23eba15c 100644 --- a/pkg/project/helper_test.go +++ b/pkg/project/helper_test.go @@ -230,3 +230,58 @@ func TestMarshalPlaybook(t *testing.T) { }) } } + +func TestCombineMaps(t *testing.T) { + testcases := []struct { + name string + v1 map[string]any + v2 map[string]any + except map[string]any + err bool + }{ + { + name: "v1 is null", + v2: map[string]any{ + "a": "b", + }, + except: map[string]any{ + "a": "b", + }, + }, + { + name: "success", + v1: map[string]any{ + "a1": "b1", + }, + v2: map[string]any{ + "a2": "b2", + }, + except: map[string]any{ + "a1": "b1", + "a2": "b2", + }, + }, + { + name: "duplicate key", + v1: map[string]any{ + "a1": "b1", + }, + v2: map[string]any{ + "a1": "b2", + }, + err: true, + }, + } + + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + maps, err := combineMaps(tc.v1, tc.v2) + if tc.err { + assert.Error(t, err) + } else { + assert.Equal(t, tc.except, maps) + } + + }) + } +} diff --git a/pkg/variable/helper.go b/pkg/variable/helper.go index 055938f5..089105cf 100644 --- a/pkg/variable/helper.go +++ b/pkg/variable/helper.go 
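Review bot: `p.Roles[i].Vars, err = combineMaps(p.Roles[i].Vars, vars)` turns any key present both in the role's `vars` from the playbook and in the role's `defaults/main.yaml` into a hard `duplicate key` error (see `combineMaps` in the next hunk), so a user can no longer override a role default from the playbook, where the previous code replaced the map outright. If defaults are meant to be overridable, combineMaps should let `v1` win, `if _, ok := mv[k]; !ok { mv[k] = v }`, and its doc comment should state that precedence; if duplicates are intentionally rejected, the error should name the role and file, because `duplicate key: a1` alone is hard to trace in a large project. `combineMaps` also returns `v2` itself when `v1` is empty, so the caller then aliases the freshly decoded map; copying in that branch too keeps the result independent of its inputs. The comment `// combine v2 map to v1 if not repeat.` should become a proper doc comment starting with the function name.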
@@ -294,7 +294,14 @@ func parseVariable(v any, parseTmplFunc func(string) (string, error)) error { if err != nil { return err } - reflect.ValueOf(v).SetMapIndex(kv, reflect.ValueOf(newValue)) + switch { + case strings.ToUpper(newValue) == "TRUE": + reflect.ValueOf(v).SetMapIndex(kv, reflect.ValueOf(true)) + case strings.ToUpper(newValue) == "FALSE": + reflect.ValueOf(v).SetMapIndex(kv, reflect.ValueOf(false)) + default: + reflect.ValueOf(v).SetMapIndex(kv, reflect.ValueOf(newValue)) + } } } else { if err := parseVariable(val.Interface(), parseTmplFunc); err != nil { @@ -311,7 +318,15 @@ func parseVariable(v any, parseTmplFunc func(string) (string, error)) error { if err != nil { return err } - val.Set(reflect.ValueOf(newValue)) + switch { + case strings.ToUpper(newValue) == "TRUE": + + val.Set(reflect.ValueOf(true)) + case strings.ToUpper(newValue) == "FALSE": + val.Set(reflect.ValueOf(false)) + default: + val.Set(reflect.ValueOf(newValue)) + } } } else { if err := parseVariable(val.Interface(), parseTmplFunc); err != nil { diff --git a/pkg/variable/helper_test.go b/pkg/variable/helper_test.go index 0406520a..770d9081 100644 --- a/pkg/variable/helper_test.go +++ b/pkg/variable/helper_test.go @@ -249,6 +249,30 @@ func TestParseVariable(t *testing.T) { }, }, }, + { + name: "parse slice with bool value", + data: map[string]any{ + "a": []any{"{{ b }}"}, + }, + base: map[string]any{ + "b": "true", + }, + except: map[string]any{ + "a": []any{true}, + }, + }, + { + name: "parse map with bool value", + data: map[string]any{ + "a": "{{ b }}", + }, + base: map[string]any{ + "b": "true", + }, + except: map[string]any{ + "a": true, + }, + }, } for _, tc := range testcases { diff --git a/pkg/variable/variable.go b/pkg/variable/variable.go index 6e8abb38..df6eeabb 100644 --- a/pkg/variable/variable.go +++ b/pkg/variable/variable.go 
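Review bot: The two identical `switch` blocks coerce every rendered value that spells `true`/`false` in any case into a Go bool, including values that must stay strings (a label or annotation value, an environment variable, a password); a template such as `"{{ flag }}"` feeding a Kubernetes string field could then render a YAML boolean and be rejected by the apiserver. If the coercion is kept, it should be one helper using `strings.EqualFold` instead of two `ToUpper` comparisons, with a doc comment stating that it is lossy, and the stray blank line after the first `case` in the second hunk should go; the map and slice call sites then shrink to one line each. Restricting the conversion to values that came from a template expression, or documenting which keys are expected to be boolean, would limit the surprise. `parseVariable` starts and ends outside both hunks.
```go
// boolOrString maps a rendered "true"/"false" (any case) to a Go bool and
// returns every other value unchanged. It is lossy: a string that
// legitimately spells "true" cannot be preserved once it passes through.
func boolOrString(s string) any {
	switch {
	case strings.EqualFold(s, "true"):
		return true
	case strings.EqualFold(s, "false"):
		return false
	default:
		return s
	}
}

// … unchanged: parseVariable up to the SetMapIndex site (first hunk) …
reflect.ValueOf(v).SetMapIndex(kv, reflect.ValueOf(boolOrString(newValue)))
// … unchanged: parseVariable up to the val.Set site (second hunk) …
val.Set(reflect.ValueOf(boolOrString(newValue)))
```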
@@ -19,12 +19,10 @@ package variable import ( "context" "encoding/json" - "fmt" "path/filepath" "strings" "k8s.io/apimachinery/pkg/types" - cgcache "k8s.io/client-go/tools/cache" "k8s.io/klog/v2" ctrlclient "sigs.k8s.io/controller-runtime/pkg/client" @@ -97,42 +95,3 @@ func New(client ctrlclient.Client, pipeline kubekeyv1.Pipeline) (Variable, error return v, nil } - -// Cache is a cache for variable -var Cache = cgcache.NewStore(func(obj interface{}) (string, error) { - v, ok := obj.(Variable) - if !ok { - return "", fmt.Errorf("cannot convert %v to variable", obj) - } - return v.Key(), nil -}) - -func GetVariable(client ctrlclient.Client, pipeline kubekeyv1.Pipeline) (Variable, error) { - vars, ok, err := Cache.GetByKey(string(pipeline.UID)) - if err != nil { - klog.V(5).ErrorS(err, "get variable error", "pipeline", ctrlclient.ObjectKeyFromObject(&pipeline)) - return nil, err - } - if ok { - return vars.(Variable), nil - } - // add new variable to cache - nv, err := New(client, pipeline) - if err != nil { - klog.V(5).ErrorS(err, "create variable error", "pipeline", ctrlclient.ObjectKeyFromObject(&pipeline)) - return nil, err - } - if err := Cache.Add(nv); err != nil { - klog.V(5).ErrorS(err, "add variable to store error", "pipeline", ctrlclient.ObjectKeyFromObject(&pipeline)) - return nil, err - } - return nv, nil -} - -func CleanVariable(p *kubekeyv1.Pipeline) { - if _, ok, err := Cache.GetByKey(string(p.UID)); err == nil && ok { - if err := Cache.Delete(string(p.UID)); err != nil { - klog.ErrorS(err, "delete variable from cache error", "pipeline", ctrlclient.ObjectKeyFromObject(p)) - } - } -}