diff --git a/CHANGELOG.md b/CHANGELOG.md index aace9c90..80ffadd1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,141 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### **Breaking change**. + +> [!CAUTION] +> It is important that you check each of the sections in the upgrade guide below. Note that some may not apply to your specific cluster configuration. However, the cleanup section must always be run against the cluster values. + +
+VALUES MIGRATION GUIDE (from v0.60.0) + +Use the snippets below if the section applies to your chart's values: + +## Control plane machineTemplate creation + +`v0.61.0` moves certain values from `.Values.global.controlPlane` to `.Values.global.controlPlane.machineTemplate`. + +**This applies to all clusters, do not skip this**. + +``` +yq eval --inplace 'with(select(.global.controlPlane.catalog != null); .global.controlPlane.machineTemplate.catalog = .global.controlPlane.catalog) | + with(select(.global.controlPlane.diskSizeGB != null); .global.controlPlane.machineTemplate.diskSizeGB = .global.controlPlane.diskSizeGB) | + with(select(.global.controlPlane.placementPolicy != null); .global.controlPlane.machineTemplate.placementPolicy = .global.controlPlane.placementPolicy) | + with(select(.global.controlPlane.sizingPolicy != null); .global.controlPlane.machineTemplate.sizingPolicy = .global.controlPlane.sizingPolicy) | + with(select(.global.controlPlane.storageProfile != null); .global.controlPlane.machineTemplate.storageProfile = .global.controlPlane.storageProfile) | + with(select(.global.controlPlane.template != null); .global.controlPlane.machineTemplate.template = .global.controlPlane.template)' values.yaml +``` + +## Control plane endpoint address + +If the controlPlane endpoint IP (loadbalancer for the Kubernetes API) has been statically assigned (**this likely will not apply to workload clusters**) then this value will need to be duplicated to the extraCertificateSANs list. + +``` +yq eval --inplace 'with(select(.global.connectivity.network.controlPlaneEndpoint.host != null); .cluster.internal.advancedConfiguration.controlPlane.apiServer.extraCertificateSANs += [ .global.connectivity.network.controlPlaneEndpoint.host ])' values.yaml +``` + +## API server admission plugins + +The default list is [here](https://github.com/giantswarm/cluster/blob/main/helm/cluster/templates/clusterapi/controlplane/_helpers_clusterconfiguration_apiserver.tpl#L104). 
If you have not extended this list then you do not need to provide a list of admission plugins at all (defaults will be used from the cluster chart). If you have enabled additional plugins then you will need to run the command below. + +``` +yq eval --inplace 'with(select(.internal.apiServer.enableAdmissionPlugins != null); .cluster.providerIntegration.controlPlane.kubeadmConfig.clusterConfiguration.apiServer.additionalAdmissionPlugins = .internal.apiServer.enableAdmissionPlugins)' values.yaml +``` + +## API server feature gates + +There is no default list of feature gates in the shared cluster chart, so if you have any values under `.internal.apiServer.featureGates` then these must be migrated to the new location. + +``` +yq eval --inplace 'with(select(.internal.apiServer.featureGates != null); .cluster.providerIntegration.controlPlane.kubeadmConfig.clusterConfiguration.apiServer.featureGates = .internal.apiServer.featureGates)' values.yaml +``` + +## Controller manager feature gates + +There is no default list of feature gates in the shared cluster chart, so if you have any values under `.internal.controllerManager.featureGates` then these must be migrated to the new location. + +``` +yq eval --inplace 'with(select(.internal.controllerManager.featureGates != null); .cluster.providerIntegration.controlPlane.kubeadmConfig.clusterConfiguration.controllerManager.featureGates = .internal.controllerManager.featureGates)' values.yaml +``` + +### Extra certificate SANs for Kubernetes API + +Any additional certificate SANs must be added to the extraCertificateSANs list. + +``` +yq eval --inplace 'with(select(.internal.apiSserver.certSANs != null); .cluster.internal.advancedConfiguration.controlPlane.apiServer.extraCertificateSANs += [ .internal.apiServer.certSANs[] ])' values.yaml +``` + +## OIDC config + +`caFile` has been renamed to `caPem`. 
+ +``` +yq eval --inplace 'with(select(.global.controlPlane.oidc.caFile != null); .global.controlPlane.oidc.caPem = .global.controlPlane.oidc.caFile)' values.yaml +``` + +## SSH trusted CA keys + +If you are providing additional trusted CA keys for SSH authentication (other than the default Giant Swarm key) then these need to migrated to the new location. + +``` +yq eval --inplace 'with(select(.global.connectivity.shell.sshTrustedUserCAKeys != null); .cluster.providerIntegration.connectivity.sshSsoPublicKey = .global.connectivity.shell.sshTrustedUserCAKeys)' values.yaml +``` + +## NTP servers + +If provided, NTP server addresses need to be migrated to the new location. + +``` +yq eval --inplace 'with(select(.global.connectivity.ntp.servers != null); .cluster.providerIntegration.components.systemd.timesyncd.ntp = .global.connectivity.ntp.servers)' values.yaml +``` + +## Upstream proxy settings + +Upstream proxy configuration is no longer read from the `.global.connectivity.proxy.secretName` value so this must be removed (see the **Cleanup** section below). + +## Additional notes + +* `.global.connectivity.shell` is no longer used; this is deleted. +* `.global.connectivity.ntp` is no longer used; this is deleted. +* `.global.controlPlane.certSANs` is no longer used; this is deleted. +* `.global.controlPlane.image` is no longer used; this is deleted. +* `.global.controlPlane.resourceRatio` is no longer used; this is deleted. +* `.internal.sandboxContainerImage` is no longer used; this is deleted. 
+ +## Cleanup + +Final tidyup to remove deprecated values: + +``` +yq eval --inplace 'del(.global.controlPlane.catalog) | + del(.global.controlPlane.diskSizeGB) | + del(.global.controlPlane.placementPolicy) | + del(.global.controlPlane.sizingPolicy) | + del(.global.controlPlane.storageProfile) | + del(.global.controlPlane.template) | + del(.global.controlPlane.certSANs) | + del(.internal.apiServer) | + del(.internal.controllerManager) | + del(.global.controlPlane.oidc.caFile) | + del(.global.connectivity.ntp) | + del(.global.connectivity.shell) | + del(.global.connectivity.proxy.secretName) | + del(.internal.sandboxContainerImage) | + del(.global.controlPlane.image) | + del(.global.controlPlane.resourceRatio)' values.yaml +``` + +> [!NOTE] +> End of upgrade guide. +--- +
+ +### Changed + +- Use `giantswarm/cluster` chart to render `KubeadmControlPlane` resource. +- Fix disk size calculation for worker nodes. + ## [0.60.0] - 2024-10-07 ### **Breaking change**. diff --git a/examples/cluster-manifest.yaml b/examples/cluster-manifest.yaml index 6931b299..e04968c1 100644 --- a/examples/cluster-manifest.yaml +++ b/examples/cluster-manifest.yaml @@ -5,6 +5,13 @@ metadata: namespace: org-multi-project data: values: | + cluster: + providerIntegration: + components: + systemd: + timesyncd: + ntp: + - 10.10.10.123 global: connectivity: network: @@ -17,6 +24,9 @@ data: via: 172.32.150.1 proxy: enabled: true + httpProxy: "http://10.205.105.253:3128" + httpsProxy: "http://10.205.105.253:3128" + noProxy: "my.domain.com,10.205.105.0/24" ntp: servers: - "10.10.10.123" @@ -27,12 +37,13 @@ data: organization: multi-project servicePriority: highest controlPlane: - catalog: giantswarm replicas: 3 - sizingPolicy: m1.medium + machineTemplate: + catalog: giantswarm + sizingPolicy: m1.medium oidc: issuerUrl: https://dex.testing.test.gigantic.io - caFile: "" + caPem: "" clientId: "dex-k8s-authenticator" usernameClaim: "email" groupsClaim: "groups" @@ -82,7 +93,7 @@ spec: name: cluster-cloud-director namespace: org-multi-project catalog: cluster - version: 0.13.1 + version: 0.61.0 kubeConfig: inCluster: true userConfig: @@ -102,7 +113,7 @@ spec: name: default-apps-cloud-director namespace: org-multi-project catalog: cluster - version: 0.6.4 + version: 0.10.0 kubeConfig: inCluster: true userConfig: diff --git a/helm/cluster-cloud-director/Chart.lock b/helm/cluster-cloud-director/Chart.lock index 840d230e..3c9b52cb 100644 --- a/helm/cluster-cloud-director/Chart.lock +++ b/helm/cluster-cloud-director/Chart.lock 
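Review bot: The snippet under `### Extra certificate SANs for Kubernetes API` selects on `.internal.apiSserver.certSANs` (typo, double `s`), so it never matches and any custom SANs are silently skipped, after which the Cleanup step's `del(.internal.apiServer)` removes them for good — clients that reach the API server by those names would fail TLS verification after the upgrade. The select should read `with(select(.internal.apiServer.certSANs != null); .cluster.internal.advancedConfiguration.controlPlane.apiServer.extraCertificateSANs += [ .internal.apiServer.certSANs[] ])`. The `## Upstream proxy settings` section only tells users to delete `proxy.secretName` but gives no step to carry the HTTP_PROXY/HTTPS_PROXY/NO_PROXY values out of that Secret into `global.connectivity.proxy.httpProxy`/`httpsProxy`/`noProxy`; a sentence stating that these now live in the chart values (and therefore should not embed proxy credentials) would close that gap. The SSH snippet also copies the `sshTrustedUserCAKeys` array into the singular-named `sshSsoPublicKey`; if that field is a string rather than a list, the value would be rejected or mis-parsed and the trusted SSH CA dropped, which is worth confirming against the cluster chart schema before release.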
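Review bot: The proxy endpoints added under `global.connectivity.proxy` (`httpProxy`, `httpsProxy`, `noProxy`) now sit in the plain values ConfigMap, whereas the removed `secretName` path kept them in a Secret; the example URLs here are unauthenticated, but a comment such as `# proxy URLs must not carry credentials: this ConfigMap is not a Secret` next to them would stop users from pasting `http://user:pass@proxy` into it. The hunk also leaves the old `global.connectivity.ntp.servers` block in place directly below the new proxy keys, even though the changelog in this same commit says `.global.connectivity.ntp` is no longer read and must be deleted — the example should drop it so it does not contradict the migration guide. Whether the cluster chart appends the pod/service CIDRs and the control-plane endpoint to `noProxy` is not visible here; if it does not, `noProxy: "my.domain.com,10.205.105.0/24"` would route node-to-API-server traffic through the proxy, so worth confirming.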
@@ -1,9 +1,9 @@ dependencies: - name: cluster repository: https://giantswarm.github.io/cluster-catalog - version: 1.5.1 + version: 1.6.0 - name: cluster-shared repository: https://giantswarm.github.io/cluster-catalog version: 0.7.1 -digest: sha256:7c36f03fbfef9c0204a27b4e5806e91b0654b343132efe0a3685cbdde2dca3f2 -generated: "2024-10-03T16:05:10.03564332+01:00" +digest: sha256:4b4dafe83fbdcb4acb6d5705b1558840b6acbf88519bf1c9ee7f61fe794da24c +generated: "2024-10-11T08:48:55.093532683+01:00" diff --git a/helm/cluster-cloud-director/Chart.yaml b/helm/cluster-cloud-director/Chart.yaml index aad820bd..645d1f9a 100644 --- a/helm/cluster-cloud-director/Chart.yaml +++ b/helm/cluster-cloud-director/Chart.yaml @@ -23,7 +23,7 @@ restrictions: - cloud-director dependencies: - name: cluster - version: "1.5.1" + version: "1.6.0" repository: "https://giantswarm.github.io/cluster-catalog" - name: cluster-shared version: "0.7.1" diff --git a/helm/cluster-cloud-director/README.md b/helm/cluster-cloud-director/README.md index 0d6cddb5..c040f044 100644 --- a/helm/cluster-cloud-director/README.md +++ b/helm/cluster-cloud-director/README.md @@ -7,22 +7,8 @@ Properties within the `.internal` top-level object | **Property** | **Description** | **More Details** | | :----------- | :-------------- | :--------------- | -| `internal.apiServer` |**None**|**Type:** `object`
| -| `internal.apiServer.certSANs` | **Subject alternative names (SAN)** - Alternative names to encode in the API server's certificate.|**Type:** `array`
| -| `internal.apiServer.certSANs[*]` | **SAN**|**Type:** `string`
| -| `internal.apiServer.enableAdmissionPlugins` | **Admission plugins** - List of admission plugins to be passed to the API server via the --enable-admission-plugins flag.|**Type:** `array`
**Default:** `["DefaultStorageClass","DefaultTolerationSeconds","LimitRanger","MutatingAdmissionWebhook","NamespaceLifecycle","PersistentVolumeClaimResize","Priority","ResourceQuota","ServiceAccount","ValidatingAdmissionWebhook"]`| -| `internal.apiServer.enableAdmissionPlugins[*]` | **Plugin**|**Type:** `string`
**Examples:** `"DefaultStorageClass", "Priority"`
**Value pattern:** `^[A-Za-z0-9]+$`
| -| `internal.apiServer.featureGates` | **Feature gates** - API server feature gate activation/deactivation.|**Type:** `array`
**Default:** `[]`| -| `internal.apiServer.featureGates[*]` | **Feature gate**|**Type:** `object`
| -| `internal.apiServer.featureGates[*].enabled` | **Enabled**|**Type:** `boolean`
| -| `internal.apiServer.featureGates[*].name` | **Name**|**Type:** `string`
**Example:** `"UserNamespacesStatelessPodsSupport"`
**Value pattern:** `^[A-Za-z0-9]+$`
| | `internal.ciliumNetworkPolicy` | **CiliumNetworkPolicies**|**Type:** `object`
| | `internal.ciliumNetworkPolicy.enabled` | **Enable CiliumNetworkPolicies** - Installs the network-policies-app (deny all by default) if set to true|**Type:** `boolean`
**Default:** `true`| -| `internal.controllerManager` | **Controller manager**|**Type:** `object`
| -| `internal.controllerManager.featureGates` | **Feature gates** - Controller manager feature gate activation/deactivation.|**Type:** `array`
**Default:** `[]`| -| `internal.controllerManager.featureGates[*]` | **Feature gate**|**Type:** `object`
| -| `internal.controllerManager.featureGates[*].enabled` | **Enabled**|**Type:** `boolean`
| -| `internal.controllerManager.featureGates[*].name` | **Name**|**Type:** `string`
**Example:** `"UserNamespacesStatelessPodsSupport"`
**Value pattern:** `^[A-Za-z0-9]+$`
| | `internal.kubectlImage` | **Kubectl image** - Used by cluster-shared library chart to configure coredns in-cluster.|**Type:** `object`
| | `internal.kubectlImage.name` | **Repository**|**Type:** `string`
**Default:** `"giantswarm/kubectl"`| | `internal.kubectlImage.registry` | **Registry**|**Type:** `string`
**Default:** `"gsoci.azurecr.io"`| @@ -30,10 +16,6 @@ Properties within the `.internal` top-level object | `internal.kubernetesVersion` | **Kubernetes version** - For cloud-init (Ubuntu), append the version with '+vmware.1'.|**Type:** `string`
**Default:** `"v1.27.14"`| | `internal.parentUid` | **Management cluster UID** - If set, create the cluster from a specific management cluster associated with this UID.|**Type:** `string`
| | `internal.rdeId` | **Runtime defined entity (RDE) identifier** - This cluster's RDE ID in the VCD API.|**Type:** `string`
| -| `internal.sandboxContainerImage` | **Sandbox Container image (pause container)**|**Type:** `object`
| -| `internal.sandboxContainerImage.name` | **Repository**|**Type:** `string`
**Default:** `"giantswarm/pause"`| -| `internal.sandboxContainerImage.registry` | **Registry**|**Type:** `string`
**Default:** `"gsoci.azurecr.io"`| -| `internal.sandboxContainerImage.tag` | **Tag**|**Type:** `string`
**Default:** `"3.9"`| | `internal.skipRde` | **Skip RDE** - Set to true if the API schema extension is installed in the correct version in VCD to create CAPVCD entities in the API. Set to false otherwise.|**Type:** `boolean`
| | `internal.teleport` | **Teleport**|**Type:** `object`
| | `internal.teleport.enabled` | **Enable teleport**|**Type:** `boolean`
**Default:** `true`| @@ -99,52 +81,35 @@ Configurations related to cluster connectivity such as container registries. | `global.connectivity.network.staticRoutes[*]` |**None**|**Type:** `object`
| | `global.connectivity.network.staticRoutes[*].destination` | **Destination** - IPv4 address range in CIDR notation.|**Type:** `string`
**Example:** `"10.128.0.0/16"`
| | `global.connectivity.network.staticRoutes[*].via` | **Via**|**Type:** `string`
| -| `global.connectivity.ntp` | **Time synchronization (NTP)** - Servers/pools to synchronize this cluster's clocks with.|**Type:** `object`
| -| `global.connectivity.ntp.pools` | **Pools**|**Type:** `array`
| -| `global.connectivity.ntp.pools[*]` | **Pool**|**Type:** `string`
**Example:** `"ntp.ubuntu.com"`
| -| `global.connectivity.ntp.servers` | **Servers**|**Type:** `array`
| -| `global.connectivity.ntp.servers[*]` | **Server**|**Type:** `string`
| | `global.connectivity.proxy` | **Proxy** - Whether/how outgoing traffic is routed through proxy servers.|**Type:** `object`
| | `global.connectivity.proxy.enabled` | **Enable**|**Type:** `boolean`
| | `global.connectivity.proxy.httpProxy` | **HTTP proxy** - HTTP proxy - To be passed to the HTTP_PROXY environment variable in all hosts.|**Type:** `string`
| | `global.connectivity.proxy.httpsProxy` | **HTTPS proxy** - HTTPS proxy - To be passed to the HTTPS_PROXY environment variable in all hosts.|**Type:** `string`
| | `global.connectivity.proxy.noProxy` | **No proxy** - No proxy - Comma-separated addresses to be passed to the NO_PROXY environment variable in all hosts.|**Type:** `string`
| -| `global.connectivity.proxy.secretName` | **Secret name** - Name of a secret resource used by containerd to obtain the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables. If empty the value will be defaulted to -cluster-values.|**Type:** `string`
**Value pattern:** `^[a-z0-9-]{0,63}$`
| -| `global.connectivity.shell` | **Shell access**|**Type:** `object`
| -| `global.connectivity.shell.osUsers` | **OS Users** - Configuration for OS users in cluster nodes.|**Type:** `array`
**Default:** `[{"name":"giantswarm","sudo":"ALL=(ALL) NOPASSWD:ALL"}]`| -| `global.connectivity.shell.osUsers[*]` | **User**|**Type:** `object`
| -| `global.connectivity.shell.osUsers[*].name` | **Name** - Username of the user.|**Type:** `string`
**Value pattern:** `^[a-z][-a-z0-9]+$`
| -| `global.connectivity.shell.osUsers[*].sudo` | **Sudoers configuration** - Permissions string to add to /etc/sudoers for this user.|**Type:** `string`
| -| `global.connectivity.shell.sshTrustedUserCAKeys` | **Trusted SSH cert issuers** - CA certificates of issuers that are trusted to sign SSH user certificates.|**Type:** `array`
**Default:** `["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM4cvZ01fLmO9cJbWUj7sfF+NhECgy+Cl0bazSrZX7sU vault-ca@vault.operations.giantswarm.io"]`| -| `global.connectivity.shell.sshTrustedUserCAKeys[*]` |**None**|**Type:** `string`
| ### Control plane Properties within the `.global.controlPlane` object | **Property** | **Description** | **More Details** | | :----------- | :-------------- | :--------------- | -| `global.controlPlane.catalog` | **Catalog** - Name of the VCD catalog in which the VM template is stored.|**Type:** `string`
**Default:** `"giantswarm"`| -| `global.controlPlane.certSANs` | **Subject alternative names (SAN)** - Alternative names to encode in the API server's certificate.|**Type:** `array`
| -| `global.controlPlane.certSANs[*]` | **SAN**|**Type:** `string`
| | `global.controlPlane.customNodeLabels` | **Node labels**|**Type:** `array`
| | `global.controlPlane.customNodeLabels[*]` | **Custom node label**|**Type:** `string`
**Example:** `"key=value"`
**Value pattern:** `^[A-Za-z0-9-_\./]{1,63}=[A-Za-z0-9-_\.]{0,63}$`
| -| `global.controlPlane.diskSizeGB` | **Disk size**|**Type:** `integer`
**Example:** `30`
| -| `global.controlPlane.image` | **Node container image** - Set to 'gsoci.azurecr.io/giantswarm' for ignition (Flatcar) and 'projects.registry.vmware.com/tkg' for cloud-init (Ubuntu).|**Type:** `object`
| -| `global.controlPlane.image.repository` | **Repository**|**Type:** `string`
**Default:** `"gsoci.azurecr.io/giantswarm"`| +| `global.controlPlane.machineTemplate` | **Template to define control plane nodes**|**Type:** `object`
| +| `global.controlPlane.machineTemplate.catalog` | **Catalog** - Name of the VCD catalog in which the VM template is stored.|**Type:** `string`
**Default:** `"giantswarm"`| +| `global.controlPlane.machineTemplate.diskSizeGB` | **Disk size**|**Type:** `integer`
**Example:** `30`
| +| `global.controlPlane.machineTemplate.placementPolicy` | **VM placement policy** - Name of the VCD VM placement policy to use.|**Type:** `string`
| +| `global.controlPlane.machineTemplate.sizingPolicy` | **Sizing policy** - Name of the VCD sizing policy to use.|**Type:** `string`
**Example:** `"m1.medium"`
| +| `global.controlPlane.machineTemplate.storageProfile` | **Storage profile** - Name of the VCD storage profile to use.|**Type:** `string`
| +| `global.controlPlane.machineTemplate.template` | **Template** - Name of the template used to create the node VMs.|**Type:** `string`
**Default:** `"flatcar-stable-3815.2.2-kube-v1.27.14-gs"`| | `global.controlPlane.oidc` | **OIDC authentication**|**Type:** `object`
| -| `global.controlPlane.oidc.caFile` | **Certificate authority file** - Path to identity provider's CA certificate in PEM format.|**Type:** `string`
| +| `global.controlPlane.oidc.caPem` | **Certificate authority file** - Path to identity provider's CA certificate in PEM format.|**Type:** `string`
| | `global.controlPlane.oidc.clientId` | **Client ID** - OIDC client identifier to identify with.|**Type:** `string`
| | `global.controlPlane.oidc.groupsClaim` | **Groups claim** - Name of the identity token claim bearing the user's group memberships.|**Type:** `string`
| | `global.controlPlane.oidc.groupsPrefix` | **Groups prefix** - Prefix prepended to groups values to prevent clashes with existing names.|**Type:** `string`
| | `global.controlPlane.oidc.issuerUrl` | **Issuer URL** - URL of the provider which allows the API server to discover public signing keys, not including any path. Discovery URL without the '/.well-known/openid-configuration' part.|**Type:** `string`
| | `global.controlPlane.oidc.usernameClaim` | **Username claim** - Name of the identity token claim bearing the unique user identifier.|**Type:** `string`
| | `global.controlPlane.oidc.usernamePrefix` | **Username prefix** - Prefix prepended to username values to prevent clashes with existing names.|**Type:** `string`
| -| `global.controlPlane.placementPolicy` | **VM placement policy** - Name of the VCD VM placement policy to use.|**Type:** `string`
| | `global.controlPlane.replicas` | **Number of nodes** - Number of control plane instances to create. Must be an odd number.|**Type:** `integer`
**Default:** `1`| -| `global.controlPlane.resourceRatio` | **Resource ratio** - Ratio between node resources and apiserver resource requests.|**Type:** `integer`
**Default:** `8`| -| `global.controlPlane.sizingPolicy` | **Sizing policy** - Name of the VCD sizing policy to use.|**Type:** `string`
**Example:** `"m1.medium"`
| -| `global.controlPlane.storageProfile` | **Storage profile** - Name of the VCD storage profile to use.|**Type:** `string`
| -| `global.controlPlane.template` | **Template** - Name of the template used to create the node VMs.|**Type:** `string`
**Default:** `"flatcar-stable-3815.2.2-kube-v1.27.14-gs"`| ### Metadata Properties within the `.global.metadata` object @@ -242,7 +207,7 @@ Properties within the `.global.providerSpecific` object | **Property** | **Description** | **More Details** | | :----------- | :-------------- | :--------------- | | `baseDomain` | **Base DNS domain**|**Type:** `string`
| -| `cluster` | **Cluster** - Helm values for the provider-independent cluster chart.|**Type:** `object`
**Default:** `{"providerIntegration":{"controlPlane":{"resources":{"infrastructureMachineTemplate":{"group":"infrastructure.cluster.x-k8s.io","kind":"VCDMachineTemplate","version":"v1beta2"},"infrastructureMachineTemplateSpecTemplateName":"controlplane-vcdmachinetemplate-spec"}},"environmentVariables":{"hostName":"COREOS_CUSTOM_HOSTNAME","ipv4":"COREOS_CUSTOM_IPV4"},"kubeadmConfig":{"enableGiantswarmUser":true,"files":[{"contentFrom":{"secret":{"key":"set-hostname.sh","name":"provider-specific-files-1","prependClusterNameAsPrefix":true}},"path":"/opt/bin/set-hostname.sh","permissions":"0755"}],"ignition":{"containerLinuxConfig":{"additionalConfig":{"systemd":{"units":[{"contents":{"after":["network-online.target"],"install":{"wantedBy":["multi-user.target"]},"requires":["network-online.target"],"service":{"execStart":["/usr/bin/bash -cv 'echo \"$(\"$(find /usr/bin /usr/share/oem -name vmtoolsd -type f -executable 2\u003e/dev/null | head -n 1)\" --cmd \"info-get guestinfo.ignition.network\")\" \u003e /opt/bin/set-networkd-units.sh'","/usr/bin/bash -cv 'chmod u+x /opt/bin/set-networkd-units.sh'","/opt/bin/set-networkd-units.sh"],"remainAfterExit":"yes","type":"oneshot"},"unit":{"description":"Install the systemd-networkd interface configuration."}},"enabled":true,"name":"set-networkd-units.service"},{"contents":{"install":{"wantedBy":["multi-user.target"]},"service":{"additionalFields":"{{- if $.global.connectivity.network.staticRoutes }}\nExecStart=/usr/bin/bash -cv 'sleep 3'\n{{- range $.global.connectivity.network.staticRoutes }}\nExecStart=/usr/bin/bash -cv 'ip route add {{ .destination }} via {{ .via }}'\n{{- end }}\n{{- else }}\necho \"No static routes provided, exiting.\"\nexit 0\n{{- end }}","remainAfterExit":"yes","type":"oneshot"},"unit":{"after":["set-networkd-units.service","systemd-networkd.service"],"bindsTo":"systemd-networkd.service","description":"Add static network 
routes."}},"enabled":true,"name":"static-routes.service"},{"contents":{"install":{"wantedBy":["multi-user.target"]},"service":{"environment":["OUTPUT=/run/metadata/coreos"],"execStart":["/usr/bin/mkdir --parent /run/metadata","/usr/bin/bash -cv 'echo \"COREOS_CUSTOM_HOSTNAME=$(\"$(find /usr/bin /usr/share/oem -name vmtoolsd -type f -executable 2\u003e/dev/null | head -n 1)\" --cmd \"info-get guestinfo.ignition.vmname\")\" \u003e ${OUTPUT}'","/usr/bin/bash -cv 'echo \"COREOS_CUSTOM_IPV4=$(ip -4 addr show ens192 | awk \\'/inet / {print $2}\\' | cut -d \\'/\\' -f1)\" \u003e\u003e ${OUTPUT}'"],"remainAfterExit":"yes","restart":"on-failure","type":"oneshot"},"unit":{"after":["set-networkd-units.service"],"description":"Provides CoreOS metadata for dependent services."}},"enabled":true,"name":"coreos-metadata.service"},{"contents":{"install":{"wantedBy":["multi-user.target"]},"service":{"environmentFile":["/run/metadata/coreos"],"execStart":["/opt/bin/set-hostname.sh"],"remainAfterExit":"yes","type":"oneshot"},"unit":{"after":["coreos-metadata.service"],"before":["teleport.service"],"description":"Set machine hostname","requires":["coreos-metadata.service"]}},"enabled":true,"name":"set-hostname.service"},{"contents":{"install":{"wantedBy":["default.target"]},"service":{"execStart":["/usr/sbin/ethtool -K ens192 tx-udp_tnl-csum-segmentation off","/usr/sbin/ethtool -K ens192 tx-udp_tnl-segmentation off"],"remainAfterExit":"yes","type":"oneshot"},"unit":{"after":["network.target"],"description":"Disable TCP segmentation offloading"}},"enabled":true,"name":"ethtool-segmentation.service"},{"dropins":[{"contents":"[Unit]\nUpholds=static-routes.service","name":"10-static-routes-dependency.conf"}],"enabled":true,"name":"systemd-networkd.service"}]}}}},"postKubeadmCommands":["usermod -aG root 
nobody"]},"kubernetesVersion":"1.27.14","provider":"cloud-director","resourcesApi":{"bastionResourceEnabled":false,"ciliumHelmReleaseResourceEnabled":false,"cleanupHelmReleaseResourcesEnabled":false,"clusterResourceEnabled":true,"controlPlaneResourceEnabled":false,"coreDnsHelmReleaseResourceEnabled":false,"helmRepositoryResourcesEnabled":false,"infrastructureCluster":{"group":"infrastructure.cluster.x-k8s.io","kind":"VCDCluster","version":"v1beta2"},"infrastructureMachinePool":{"group":"infrastructure.cluster.x-k8s.io","kind":"VCDMachineTemplate","version":"v1beta2"},"machineHealthCheckResourceEnabled":false,"machinePoolResourcesEnabled":true,"networkPoliciesHelmReleaseResourceEnabled":false,"nodePoolKind":"MachineDeployment","verticalPodAutoscalerCrdHelmReleaseResourceEnabled":false},"workers":{"defaultNodePools":{"def00":{"catalog":"giantswarm","diskSize":"32212254720","replicas":2,"sizingPolicy":"m1.large","template":"flatcar-stable-3815.2.2-kube-v1.27.14-gs"}},"resources":{"infrastructureMachineTemplateSpecTemplateName":"worker-vcdmachinetemplate-spec"}}}}`| +| `cluster` | **Cluster** - Helm values for the provider-independent cluster chart.|**Type:** `object`
**Default:** `{"providerIntegration":{"controlPlane":{"resources":{"infrastructureMachineTemplate":{"group":"infrastructure.cluster.x-k8s.io","kind":"VCDMachineTemplate","version":"v1beta2"},"infrastructureMachineTemplateSpecTemplateName":"controlplane-vcdmachinetemplate-spec"}},"environmentVariables":{"hostName":"COREOS_CUSTOM_HOSTNAME","ipv4":"COREOS_CUSTOM_IPV4"},"kubeadmConfig":{"enableGiantswarmUser":true,"files":[{"contentFrom":{"secret":{"key":"set-hostname.sh","name":"provider-specific-files-1","prependClusterNameAsPrefix":true}},"path":"/opt/bin/set-hostname.sh","permissions":"0755"}],"ignition":{"containerLinuxConfig":{"additionalConfig":{"systemd":{"units":[{"contents":{"after":["network-online.target"],"install":{"wantedBy":["multi-user.target"]},"requires":["network-online.target"],"service":{"execStart":["/usr/bin/bash -cv 'echo \"$(\"$(find /usr/bin /usr/share/oem -name vmtoolsd -type f -executable 2\u003e/dev/null | head -n 1)\" --cmd \"info-get guestinfo.ignition.network\")\" \u003e /opt/bin/set-networkd-units.sh'","/usr/bin/bash -cv 'chmod u+x /opt/bin/set-networkd-units.sh'","/opt/bin/set-networkd-units.sh"],"remainAfterExit":"yes","type":"oneshot"},"unit":{"description":"Install the systemd-networkd interface configuration."}},"enabled":true,"name":"set-networkd-units.service"},{"contents":{"install":{"wantedBy":["multi-user.target"]},"service":{"additionalFields":"{{- if $.global.connectivity.network.staticRoutes -}}\nExecStart=/usr/bin/bash -cv 'sleep 3'\n{{- range $.global.connectivity.network.staticRoutes }}\nExecStart=/usr/bin/bash -cv 'ip route add {{ .destination }} via {{ .via }}'\n{{- end }}\n{{- else -}}\necho \"No static routes provided, exiting.\"\nexit 0\n{{- end -}}","remainAfterExit":"yes","type":"oneshot"},"unit":{"after":["set-networkd-units.service","systemd-networkd.service"],"bindsTo":"systemd-networkd.service","description":"Add static network 
routes."}},"enabled":true,"name":"static-routes.service"},{"contents":{"install":{"wantedBy":["multi-user.target"]},"service":{"environment":["OUTPUT=/run/metadata/coreos"],"execStart":["/usr/bin/mkdir --parent /run/metadata","/usr/bin/bash -cv 'echo \"COREOS_CUSTOM_HOSTNAME=$(\"$(find /usr/bin /usr/share/oem -name vmtoolsd -type f -executable 2\u003e/dev/null | head -n 1)\" --cmd \"info-get guestinfo.ignition.vmname\")\" \u003e ${OUTPUT}'","/usr/bin/bash -cv 'echo \"COREOS_CUSTOM_IPV4=$(ip -4 addr show ens192 | awk \\'/inet / {print $2}\\' | cut -d \\'/\\' -f1)\" \u003e\u003e ${OUTPUT}'"],"remainAfterExit":"yes","restart":"on-failure","type":"oneshot"},"unit":{"after":["set-networkd-units.service"],"description":"Provides CoreOS metadata for dependent services."}},"enabled":true,"name":"coreos-metadata.service"},{"contents":{"install":{"wantedBy":["multi-user.target"]},"service":{"environmentFile":["/run/metadata/coreos"],"execStart":["/opt/bin/set-hostname.sh"],"remainAfterExit":"yes","type":"oneshot"},"unit":{"after":["coreos-metadata.service"],"before":["teleport.service"],"description":"Set machine hostname","requires":["coreos-metadata.service"]}},"enabled":true,"name":"set-hostname.service"},{"contents":{"install":{"wantedBy":["default.target"]},"service":{"execStart":["/usr/sbin/ethtool -K ens192 tx-udp_tnl-csum-segmentation off","/usr/sbin/ethtool -K ens192 tx-udp_tnl-segmentation off"],"remainAfterExit":"yes","type":"oneshot"},"unit":{"after":["network.target"],"description":"Disable TCP segmentation offloading"}},"enabled":true,"name":"ethtool-segmentation.service"},{"dropins":[{"contents":"[Unit]\nUpholds=static-routes.service","name":"10-static-routes-dependency.conf"}],"enabled":true,"name":"systemd-networkd.service"}]}}}},"postKubeadmCommands":["usermod -aG root 
nobody"]},"kubernetesVersion":"1.27.14","provider":"cloud-director","resourcesApi":{"bastionResourceEnabled":false,"ciliumHelmReleaseResourceEnabled":false,"cleanupHelmReleaseResourcesEnabled":false,"clusterResourceEnabled":true,"controlPlaneResourceEnabled":true,"coreDnsHelmReleaseResourceEnabled":false,"helmRepositoryResourcesEnabled":false,"infrastructureCluster":{"group":"infrastructure.cluster.x-k8s.io","kind":"VCDCluster","version":"v1beta2"},"infrastructureMachinePool":{"group":"infrastructure.cluster.x-k8s.io","kind":"VCDMachineTemplate","version":"v1beta2"},"machineHealthCheckResourceEnabled":false,"machinePoolResourcesEnabled":true,"networkPoliciesHelmReleaseResourceEnabled":false,"nodePoolKind":"MachineDeployment","verticalPodAutoscalerCrdHelmReleaseResourceEnabled":false},"workers":{"defaultNodePools":{"def00":{"catalog":"giantswarm","diskSize":"32212254720","replicas":2,"sizingPolicy":"m1.large","template":"flatcar-stable-3815.2.2-kube-v1.27.14-gs"}},"resources":{"infrastructureMachineTemplateSpecTemplateName":"worker-vcdmachinetemplate-spec"}}}}`| | `cluster-shared` | **Library chart**|**Type:** `object`
| | `managementCluster` | **Management cluster name** - The Cluster API management cluster that manages this cluster.|**Type:** `string`
| | `provider` | **Cluster API provider name**|**Type:** `string`
| diff --git a/helm/cluster-cloud-director/ci/ci-values.yaml b/helm/cluster-cloud-director/ci/ci-values.yaml index 77781db5..6a9cf44f 100644 --- a/helm/cluster-cloud-director/ci/ci-values.yaml +++ b/helm/cluster-cloud-director/ci/ci-values.yaml @@ -14,23 +14,21 @@ global: via: 10.9.8.7 - destination: 10.20.30.0/24 via: 10.9.8.7 - ntp: - servers: - - "10.10.10.10" proxy: enabled: true - secretName: "" + httpProxy: "http://proxy.test.gigantic.io:3128" + httpsProxy: "http://proxy.test.gigantic.io:3128" + noProxy: "test.gigantic.io,some.other.domain,10.0.0.0/24" controlPlane: - catalog: giantswarm replicas: 1 oidc: issuerUrl: https://dex.gerbil.test.gigantic.io - caFile: "" clientId: "dex-k8s-authenticator" usernameClaim: "email" groupsClaim: "groups" - usernamePrefix: "" - groupsPrefix: "" + caPem: "" + machineTemplate: + catalog: giantswarm metadata: description: "test cluster" name: "test" @@ -47,3 +45,10 @@ global: userContext: secretRef: secretName: vcd-credentials +cluster: + providerIntegration: + components: + systemd: + timesyncd: + ntp: + - "10.10.10.10" diff --git a/helm/cluster-cloud-director/ci/test-multiple-mirrors-with-auth-and-local-caching.yaml b/helm/cluster-cloud-director/ci/test-multiple-mirrors-with-auth-and-local-caching.yaml index 64b6bdb1..ba8f202d 100644 --- a/helm/cluster-cloud-director/ci/test-multiple-mirrors-with-auth-and-local-caching.yaml +++ b/helm/cluster-cloud-director/ci/test-multiple-mirrors-with-auth-and-local-caching.yaml @@ -26,18 +26,17 @@ global: organization: giantswarm servicePriority: highest controlPlane: - catalog: giantswarm replicas: 1 - sizingPolicy: m1.medium - diskSizeGB: 30 oidc: issuerUrl: https://dex.gerbil.test.gigantic.io - caFile: "" clientId: "dex-k8s-authenticator" usernameClaim: "email" groupsClaim: "groups" - usernamePrefix: "" - groupsPrefix: "" + caPem: "" + machineTemplate: + catalog: giantswarm + diskSizeGB: 30 + sizingPolicy: m1.medium nodePools: worker: catalog: giantswarm 
@@ -52,4 +51,3 @@ global: userContext: secretRef: secretName: vcd-credentials - diff --git a/helm/cluster-cloud-director/ci/test-wc-values.yaml b/helm/cluster-cloud-director/ci/test-wc-values.yaml index 21d34f50..10b419fb 100644 --- a/helm/cluster-cloud-director/ci/test-wc-values.yaml +++ b/helm/cluster-cloud-director/ci/test-wc-values.yaml @@ -10,18 +10,17 @@ global: organization: giantswarm servicePriority: highest controlPlane: - catalog: giantswarm replicas: 1 - sizingPolicy: m1.medium - diskSizeGB: 30 oidc: issuerUrl: https://dex.gerbil.test.gigantic.io - caFile: "" clientId: "dex-k8s-authenticator" usernameClaim: "email" groupsClaim: "groups" - usernamePrefix: "" - groupsPrefix: "" + caPem: "" + machineTemplate: + catalog: giantswarm + diskSizeGB: 30 + sizingPolicy: m1.medium nodePools: worker: catalog: giantswarm diff --git a/helm/cluster-cloud-director/templates/_ignition.tpl b/helm/cluster-cloud-director/templates/_ignition.tpl deleted file mode 100644 index 7dab4048..00000000 --- a/helm/cluster-cloud-director/templates/_ignition.tpl +++ /dev/null 
@@ -1,119 +0,0 @@ -{{- define "ignitionSpec" -}} -format: ignition -ignition: - containerLinuxConfig: - additionalConfig: |- - storage: - files: - {{- include "ntpIgnition" . | nindent 8 }} - - path: /opt/set-hostname - filesystem: root - mode: 0744 - contents: - inline: | - #!/bin/sh - set -x - echo "${COREOS_CUSTOM_HOSTNAME}" > /etc/hostname - hostname "${COREOS_CUSTOM_HOSTNAME}" - echo "::1 ipv6-localhost ipv6-loopback" >/etc/hosts - echo "127.0.0.1 localhost" >>/etc/hosts - echo "127.0.0.1 ${COREOS_CUSTOM_HOSTNAME}" >>/etc/hosts - systemd: - units: - - name: coreos-metadata.service - contents: | - [Unit] - Description=VMware metadata agent - After=nss-lookup.target - After=network-online.target - Wants=network-online.target - [Service] - Type=oneshot - Restart=on-failure - RemainAfterExit=yes - Environment=OUTPUT=/run/metadata/coreos - ExecStart=/usr/bin/mkdir --parent /run/metadata - ExecStart=/usr/bin/bash -cv 'echo "COREOS_CUSTOM_HOSTNAME=$("$(find /usr/bin /usr/share/oem -name vmtoolsd -type f -executable 2>/dev/null | head -n 1)" --cmd "info-get guestinfo.ignition.vmname")" > ${OUTPUT}' - - name: set-hostname.service - enabled: true - contents: | - [Unit] - Description=Set the hostname - Requires=coreos-metadata.service - After=coreos-metadata.service - [Service] - Type=oneshot - RemainAfterExit=yes - EnvironmentFile=/run/metadata/coreos - ExecStart=/opt/set-hostname - [Install] - WantedBy=multi-user.target - - name: set-networkd-units.service - enabled: true - contents: | - [Unit] - Description=Install the networkd unit files - Requires=coreos-metadata.service - After=set-hostname.service - [Service] - Type=oneshot - RemainAfterExit=yes - ExecStart=/usr/bin/bash -cv 'echo "$("$(find /usr/bin /usr/share/oem -name vmtoolsd -type f -executable 2>/dev/null | head -n 1)" --cmd "info-get guestinfo.ignition.network")" > /opt/set-networkd-units' - ExecStart=/usr/bin/bash -cv 'chmod u+x /opt/set-networkd-units' - ExecStart=/opt/set-networkd-units - [Install] - 
WantedBy=multi-user.target - {{- if $.Values.global.connectivity.network.staticRoutes }} - - name: set-static-routes.service - enabled: true - contents: | - [Unit] - Description=Install the static routes - After=systemd-networkd.service set-networkd-units.service - BindsTo=systemd-networkd.service - [Service] - Type=oneshot - RemainAfterExit=yes - ExecStart=/usr/bin/bash -cv 'sleep 3' - {{- range $.Values.global.connectivity.network.staticRoutes}} - ExecStart=/usr/bin/bash -cv 'ip route add {{ .destination }} via {{ .via }}' - {{- end }} - [Install] - WantedBy=multi-user.target - - name: systemd-networkd.service - enabled: true - dropins: - - name: 10-static-routes-dependency.conf - contents: | - [Unit] - Upholds=set-static-routes.service - {{- end }} - - name: ethtool-segmentation.service - enabled: true - contents: | - [Unit] - After=network.target - [Service] - Type=oneshot - RemainAfterExit=yes - ExecStart=/usr/sbin/ethtool -K ens192 tx-udp_tnl-csum-segmentation off - ExecStart=/usr/sbin/ethtool -K ens192 tx-udp_tnl-segmentation off - [Install] - WantedBy=default.target - - name: kubeadm.service - enabled: true - dropins: - - name: 10-flatcar.conf - contents: | - [Unit] - # kubeadm must run after coreos-metadata populated /run/metadata directory. - Requires=coreos-metadata.service - {{- if $.Values.global.connectivity.network.staticRoutes }} - After=set-static-routes.service - {{- else }} - After=set-networkd-units.service - {{- end }} - [Service] - # Make metadata environment variables available for pre-kubeadm commands. - EnvironmentFile=/run/metadata/* -{{- end -}} \ No newline at end of file diff --git a/helm/cluster-cloud-director/templates/_ntp.tpl b/helm/cluster-cloud-director/templates/_ntp.tpl deleted file mode 100644 index 1f4726c2..00000000 --- a/helm/cluster-cloud-director/templates/_ntp.tpl +++ /dev/null 
@@ -1,55 +0,0 @@ -# The helper functions here can be called in templates and _helpers.tpl -# This file should be self-sufficient. Don't call any functions from _helpers.tpl - -{{- define "ntpFiles" -}} -{{- if or $.Values.global.connectivity.ntp.pools $.Values.global.connectivity.ntp.servers -}} -- path: /etc/chrony/chrony.conf - permissions: "0644" - content: | - {{- range $.Values.global.connectivity.ntp.pools }} - pool {{.}} iburst - {{- end }} - - {{- range $.Values.global.connectivity.ntp.servers }} - server {{.}} iburst - {{- end }} - - keyfile /etc/chrony/chrony.keys - - driftfile /var/lib/chrony/chrony.drift - - logdir /var/log/chrony - - maxupdateskew 100.0 - - rtcsync - - makestep 1 3 -{{- end -}} -{{- end }} - -{{- define "ntpPostKubeadmCommands" -}} -{{- if or $.Values.global.connectivity.ntp.pools $.Values.global.connectivity.ntp.servers }} -- systemctl daemon-reload -- systemctl restart chrony -{{- end -}} -{{- end -}} - -{{- define "ntpIgnition" -}} -{{- with $.Values.global.connectivity.ntp }} -{{- if or .pools .servers -}} -- path: /etc/systemd/timesyncd.conf - mode: 0644 - contents: - inline: | - [Time] - {{- if and .pools .servers }} - NTP={{ join " " .pools }} {{ join " " .servers }} - {{- else if .pools }} - NTP={{ join " " .pools }} - {{- else }} - NTP={{ join " " .servers }} - {{- end }} -{{- end -}} -{{- end }} -{{- end }} diff --git a/helm/cluster-cloud-director/templates/_ssh.tpl b/helm/cluster-cloud-director/templates/_ssh.tpl deleted file mode 100644 index cfa7cb64..00000000 --- a/helm/cluster-cloud-director/templates/_ssh.tpl +++ /dev/null 
@@ -1,29 +0,0 @@ -# The helper functions here can be called in templates and _helpers.tpl -# This file should be self-sufficient. Don't call any functions from _helpers.tpl - - -{{- define "sshFiles" -}} -{{- if $.Values.global.connectivity.shell.sshTrustedUserCAKeys -}} -- path: /etc/ssh/trusted-user-ca-keys.pem - permissions: "0600" - content: | - {{- range $.Values.global.connectivity.shell.sshTrustedUserCAKeys }} - {{.}} - {{- end }} -- path: /etc/ssh/sshd_config - permissions: "0600" - content: | - {{- .Files.Get "files/etc/ssh/sshd_config" | nindent 4 }} -{{- end -}} -{{- end }} - -{{- define "sshPostKubeadmCommands" -}} -- systemctl restart sshd -{{- end -}} - -{{- define "sshUsers" -}} -{{- if $.Values.global.connectivity.shell.osUsers -}} -users: - {{- $.Values.global.connectivity.shell.osUsers | toYaml | nindent 2 }} -{{- end }} -{{- end -}} diff --git a/helm/cluster-cloud-director/templates/containerd-config-secret.yaml b/helm/cluster-cloud-director/templates/containerd-config-secret.yaml deleted file mode 100644 index 1aae2932..00000000 --- a/helm/cluster-cloud-director/templates/containerd-config-secret.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "containerdConfigSecretName" $ }} -data: - registry-config.toml: {{ tpl ($.Files.Get "files/etc/containerd/config.toml") $ | b64enc | quote }} diff --git a/helm/cluster-cloud-director/templates/helpers/_controlplane.tpl b/helm/cluster-cloud-director/templates/helpers/_controlplane.tpl new file mode 100644 index 00000000..eb1bc3d0 --- /dev/null +++ b/helm/cluster-cloud-director/templates/helpers/_controlplane.tpl 
@@ -0,0 +1,19 @@ +{{/* +Generates template spec for controlplane machines. +*/}} +{{- define "controlplane-vcdmachinetemplate-spec" -}} +{{- $pool := $.Values.global.controlPlane.machineTemplate | deepCopy -}} +{{- $pool = set $pool "diskSize" ( include "calculateDiskBytes" $pool.diskSizeGB ) -}} +{{- $pool = unset $pool "diskSizeGB" -}} + +{{- if $pool }} +{{- $pool | toYaml }} +{{- end }} +vmNamingTemplate: {{ $.Values.global.providerSpecific.vmNamingTemplate }} +{{- if $.Values.global.connectivity.network.extraOvdcNetworks }} +extraOvdcNetworks: + {{- range $.Values.global.connectivity.network.extraOvdcNetworks }} + - {{ . }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/helm/cluster-cloud-director/templates/helpers/_helpers.tpl b/helm/cluster-cloud-director/templates/helpers/_helpers.tpl new file mode 100644 index 00000000..cccb9d3e --- /dev/null +++ b/helm/cluster-cloud-director/templates/helpers/_helpers.tpl @@ -0,0 +1,22 @@ +{{/* +Converts disk size from gigabytes to bytes. +*/}} +{{- define "calculateDiskBytes" -}} +{{- mul $ 1024 1024 1024 }} +{{- end -}} + +{{/* +Hash function based on data provided +Expects two arguments (as a `dict`) E.g. + {{ include "hash" (dict "data" . "salt" .Values.providerIntegration.hasSalt) }} +Where `data` is the data to hash and `global` is the top level scope. + +NOTE: this function has been copied from the giantswarm/cluster chart +(see `cluster.data.hash``) to ensure that resource naming is identical. +*/}} +{{- define "machineTemplateSpec.hash" -}} +{{- $data := mustToJson .data | toString }} +{{- $salt := "" }} +{{- if .salt }}{{ $salt = .salt}}{{end}} +{{- (printf "%s%s" $data $salt) | quote | sha1sum | trunc 8 }} +{{- end -}} diff --git a/helm/cluster-cloud-director/templates/helpers/_workers.tpl b/helm/cluster-cloud-director/templates/helpers/_workers.tpl index cef15e1f..358e0265 100644 --- a/helm/cluster-cloud-director/templates/helpers/_workers.tpl 
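Review bot: In `controlplane-vcdmachinetemplate-spec` the `diskSize` conversion runs unconditionally, but `diskSizeGB` is not a required key of `controlPlane.machineTemplate` in the new schema (only `catalog` and `template` are), so a values file that omits it passes `nil` into `calculateDiskBytes`; as far as I can tell sprig's `mul` coerces that to 0 and the template then emits `diskSize: "0"` instead of leaving the field out as the previous per-pool spec did. Wrap the two `set`/`unset` lines in `{{- if hasKey $pool "diskSizeGB" }}` … `{{- end }}` so the key is only produced when a size was actually given. Note also that `include` returns a string, so the rendered value is quoted (`diskSize: "32212254720"`); that is fine if VCDMachineTemplate's `diskSize` is a resource quantity, but since the hash in vcdmachinetemplate.yaml is computed over this exact text, a comment on the helper stating that any change to its output renames the template and rolls the control plane would be useful.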
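Review bot: The doc comment on `machineTemplateSpec.hash` still carries the copy-paste typo `.Values.providerIntegration.hasSalt` and calls the function `hash`, whereas the only caller in this diff (vcdmachinetemplate.yaml) passes `$.Values.cluster.providerIntegration.hashSalt`; change the example to `{{ include "machineTemplateSpec.hash" (dict "data" . "salt" .Values.cluster.providerIntegration.hashSalt) }}`. `calculateDiskBytes` deserves a contract line too, e.g. `{{/* Converts disk size from gigabytes to bytes. Expects an integer; a nil argument presumably renders 0 via sprig mul — verify before relying on it. */}}`, since this helper is now the single place that decides what an omitted size renders to. The truncated sha1 is used for resource naming only, so its cryptographic weakness is irrelevant here, but a short `naming only, not a security hash` remark in the comment would stop a future reader from reusing it for something that needs collision resistance.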
+++ b/helm/cluster-cloud-director/templates/helpers/_workers.tpl @@ -3,11 +3,15 @@ Generates template spec for worker machines. */}} {{- define "worker-vcdmachinetemplate-spec" -}} {{- $pool := $.nodePool.config | deepCopy -}} +{{- $pool = set $pool "diskSize" ( include "calculateDiskBytes" $pool.diskSizeGB ) -}} +{{- $pool = unset $pool "diskSizeGB" -}} {{- $pool = unset $pool "replicas" -}} {{- $pool = unset $pool "machineHealthCheck" -}} +{{- $pool = unset $pool "customNodeLabels" -}} +{{- $pool = unset $pool "customNodeTaints" -}} {{- if $pool }} -{{ $pool | toYaml }} +{{- $pool | toYaml }} {{- end }} vmNamingTemplate: {{ $.Values.global.providerSpecific.vmNamingTemplate }} {{- if $.Values.global.connectivity.network.extraOvdcNetworks }} @@ -18,18 +22,3 @@ extraOvdcNetworks: {{- end -}} {{- end -}} -{{/* -Hash function based on data provided -Expects two arguments (as a `dict`) E.g. - {{ include "hash" (dict "data" . "salt" .Values.providerIntegration.hasSalt) }} -Where `data` is the data to hash and `global` is the top level scope. - -NOTE: this function has been copied from the giantswarm/cluster chart -(see `cluster.data.hash``) to ensure that resource naming is identical. -*/}} -{{- define "machineTemplateSpec.hash" -}} -{{- $data := mustToJson .data | toString }} -{{- $salt := "" }} -{{- if .salt }}{{ $salt = .salt}}{{end}} -{{- (printf "%s%s" $data $salt) | quote | sha1sum | trunc 8 }} -{{- end -}} diff --git a/helm/cluster-cloud-director/templates/kubeadmcontrolplane.yaml b/helm/cluster-cloud-director/templates/kubeadmcontrolplane.yaml deleted file mode 100644 index 2f3294a3..00000000 --- a/helm/cluster-cloud-director/templates/kubeadmcontrolplane.yaml +++ /dev/null 
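Review bot: The change from `{{ $pool | toYaml }}` to `{{- $pool | toYaml }}` in `worker-vcdmachinetemplate-spec`, together with the new `diskSize` key, alters the rendered text of every worker spec; if the worker VCDMachineTemplate name is derived from `machineTemplateSpec.hash` of this output the way the control-plane one in vcdmachinetemplate.yaml is, every pool gets a new template name on upgrade and therefore a rolling replacement of all workers, which belongs in the changelog if intended. The `diskSize` part has the same gap as the control-plane helper: a pool without `diskSizeGB` renders `diskSize: "0"` rather than omitting the field, so guard the conversion with `{{- if hasKey $pool "diskSizeGB" }}` … `{{- end }}`. A one-line comment explaining why `customNodeLabels`/`customNodeTaints` are stripped here (presumably because they are consumed by the node-registration side, not the VM spec) would also help. The enclosing define closes after this hunk's last line.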
@@ -1,187 +0,0 @@ -apiVersion: controlplane.cluster.x-k8s.io/v1beta1 -kind: KubeadmControlPlane -metadata: - name: {{ include "resource.default.name" $ }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "labels.common" . | nindent 4 }} - {{- include "preventDeletionLabel" $ | nindent 4 }} -spec: - kubeadmConfigSpec: - clusterConfiguration: - apiServer: - certSANs: - - localhost - - 127.0.0.1 - - "api.{{ include "resource.default.name" $ }}.{{ .Values.global.connectivity.baseDomain }}" - {{- if .Values.internal.apiServer.certSANs }} - {{- range .Values.internal.apiServer.certSANs }} - - {{ . }} - {{- end }} - {{- end }} - extraArgs: - audit-log-maxage: "30" - audit-log-maxbackup: "30" - audit-log-maxsize: "100" - audit-log-path: /var/log/apiserver/audit.log - audit-policy-file: /etc/kubernetes/policies/audit-policy.yaml - cloud-provider: external - {{- if .Values.internal.apiServer.enableAdmissionPlugins }} - enable-admission-plugins: {{ .Values.internal.apiServer.enableAdmissionPlugins | join "," | quote }} - {{- end }} - encryption-provider-config: /etc/kubernetes/encryption/config.yaml - {{- if .Values.internal.apiServer.featureGates }} - feature-gates: {{ range $index, $element := .Values.internal.apiServer.featureGates -}} - {{ if $index }},{{ end }}{{ $element.name }}={{ $element.enabled }} - {{- end }} - {{- end }} - kubelet-preferred-address-types: "InternalIP" - {{- if .Values.global.controlPlane.oidc.issuerUrl }} - {{- with .Values.global.controlPlane.oidc }} - oidc-issuer-url: {{ .issuerUrl }} - oidc-client-id: {{ .clientId }} - oidc-username-claim: {{ .usernameClaim }} - oidc-groups-claim: {{ .groupsClaim }} - {{- if .usernamePrefix }} - oidc-username-prefix: {{ .usernamePrefix | quote }} - {{- end }} - {{- if .groupsPrefix }} - oidc-groups-prefix: {{ .groupsPrefix | quote }} - {{- end }} - {{- if .caFile }} - oidc-ca-file: {{ .caFile }} - {{- end }} - {{- end }} - {{- end }} - profiling: "false" - requestheader-allowed-names: 
"front-proxy-client" - runtime-config: "api/all=true" - tls-cipher-suites: "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384" - extraVolumes: - - name: auditlog - hostPath: /var/log/apiserver - mountPath: /var/log/apiserver - pathType: DirectoryOrCreate - - name: policies - hostPath: /etc/kubernetes/policies - mountPath: /etc/kubernetes/policies - pathType: DirectoryOrCreate - - name: encryption - hostPath: /etc/kubernetes/encryption - mountPath: /etc/kubernetes/encryption - readOnly: false - pathType: DirectoryOrCreate - controllerManager: - extraArgs: - authorization-always-allow-paths: "/healthz,/readyz,/livez,/metrics" - bind-address: "0.0.0.0" - cloud-provider: external - enable-hostpath-provisioner: "true" - terminated-pod-gc-threshold: "125" - {{- if .Values.internal.controllerManager.featureGates }} - feature-gates: {{ range $index, $element := .Values.internal.controllerManager.featureGates -}} - {{ if $index }},{{ end }}{{ $element.name }}={{ $element.enabled }} - {{- end }} - {{- end }} - profiling: "false" - scheduler: - extraArgs: - authorization-always-allow-paths: "/healthz,/readyz,/livez,/metrics" - bind-address: "0.0.0.0" - etcd: - local: - extraArgs: - listen-metrics-urls: "http://0.0.0.0:2381" - imageRepository: {{ .Values.global.controlPlane.image.repository }} - {{- include "sshUsers" . 
| nindent 4 }} - {{- if eq $.Values.global.providerSpecific.vmBootstrapFormat "ignition" }} - {{- include "ignitionSpec" . | nindent 4 }} - {{- end }} - initConfiguration: - skipPhases: - - addon/coredns - - addon/kube-proxy - patches: - directory: "/etc/kubernetes/patches" - nodeRegistration: - criSocket: /run/containerd/containerd.sock - {{- include "taints" .Values.global.controlPlane.customNodeTaints | nindent 8 }} - kubeletExtraArgs: - {{- include "kubeletExtraArgs" . | nindent 10}} - joinConfiguration: - patches: - directory: "/etc/kubernetes/patches" - nodeRegistration: - criSocket: /run/containerd/containerd.sock - {{- include "taints" .Values.global.controlPlane.customNodeTaints | nindent 8 }} - kubeletExtraArgs: - {{- include "kubeletExtraArgs" . | nindent 10}} - {{- with .Values.global.controlPlane.customNodeLabels -}} - node-labels: "{{- join "," . }}" - {{- end }} - files: - {{- include "auditLogFiles" . | nindent 6 }} - {{- include "sshFiles" . | nindent 6 }} - {{- if eq $.Values.global.providerSpecific.vmBootstrapFormat "cloud-config" }} - {{- include "ntpFiles" . | nindent 6 }} - {{- end }} - {{- if $.Values.global.connectivity.proxy.enabled }} - {{- include "containerdProxyConfig" . | nindent 6 }} - {{- end }} - {{- if $.Values.internal.teleport.enabled }} - {{- include "teleportFiles" . | nindent 6 }} - {{- end }} - {{- if and $.Values.internal.teleport.enabled $.Values.global.connectivity.proxy.enabled }} - {{- include "teleportProxyConfig" . | nindent 6 }} - {{- end }} - {{- include "containerdConfig" . 
| nindent 6 }} - {{- range $kubeadmPatch, $_ := .Files.Glob "files/etc/kubernetes/**" }} - - path: {{ (printf "/etc/kubernetes/patches/%s" (base $kubeadmPatch)) }} - permissions: "0600" - content: |- - {{- $.Files.Get $kubeadmPatch | nindent 10 }} - {{- end }} - - path: /etc/kubernetes/encryption/config.yaml - permissions: "0600" - contentFrom: - secret: - name: {{ include "resource.default.name" $ }}-encryption-provider-config - key: encryption - {{- if $.Values.global.connectivity.network.staticRoutes }} - {{- if eq $.Values.global.providerSpecific.vmBootstrapFormat "cloud-config" }} - {{- include "staticRoutes" . | nindent 6}} - {{- end }} - {{- end }} - preKubeadmCommands: - - bash /etc/kubernetes/patches/kube-apiserver-patch.sh {{ .Values.global.controlPlane.resourceRatio }} - - /bin/test ! -d /var/lib/kubelet && (/bin/mkdir -p /var/lib/kubelet && /bin/chmod 0750 /var/lib/kubelet) - {{- if $.Values.global.connectivity.proxy.enabled }} - - systemctl daemon-reload - - systemctl restart containerd - {{- end }} - {{- if $.Values.global.connectivity.network.staticRoutes }} - {{- if eq $.Values.global.providerSpecific.vmBootstrapFormat "cloud-config" }} - - systemctl daemon-reload - - systemctl enable --now static-routes.service - {{- end }} - {{- end }} - {{- if $.Values.internal.teleport.enabled }} - - systemctl daemon-reload - - systemctl enable --now teleport.service - {{- end }} - {{- include "hostEntries" . | nindent 6}} - postKubeadmCommands: - {{- include "sshPostKubeadmCommands" . | nindent 6 }} - {{- if eq $.Values.global.providerSpecific.vmBootstrapFormat "cloud-config" }} - {{- include "ntpPostKubeadmCommands" . | nindent 6 }} - {{- end }} - machineTemplate: - metadata: - labels: {{- include "labels.common" . | nindent 8 }} - infrastructureRef: - apiVersion: {{ include "infrastructureApiVersion" . }} - kind: VCDMachineTemplate - name: {{ include "resource.default.name" . 
}}-control-plane-{{ include "mtRevisionByControlPlane" $ }} - namespace: {{ .Release.Namespace }} - replicas: {{ .Values.global.controlPlane.replicas }} - version: {{ .Values.internal.kubernetesVersion }} diff --git a/helm/cluster-cloud-director/templates/vcdmachinetemplate.yaml b/helm/cluster-cloud-director/templates/vcdmachinetemplate.yaml index 3134f04a..cf9cbbfd 100644 --- a/helm/cluster-cloud-director/templates/vcdmachinetemplate.yaml +++ b/helm/cluster-cloud-director/templates/vcdmachinetemplate.yaml @@ -14,18 +14,15 @@ spec: {{- include "worker-vcdmachinetemplate-spec" $ | nindent 6 -}} {{- end }} -{{- range $nodePoolName, $value := include "createMapOfClusterNodeSpecs" . | fromYaml }} -{{- $c := (merge (dict "currentPool" $value) (deepCopy $.Values)) }} --- apiVersion: {{ include "infrastructureApiVersion" . }} kind: VCDMachineTemplate metadata: - name: {{ include "resource.default.name" $ }}-{{ $nodePoolName }}-{{ include "mtRevision" $c }} + name: {{ include "resource.default.name" $ }}-control-plane-{{ include "machineTemplateSpec.hash" (dict "data" (include "controlplane-vcdmachinetemplate-spec" $) "salt" $.Values.cluster.providerIntegration.hashSalt) }} namespace: {{ $.Release.Namespace }} labels: {{- include "labels.common" $ | nindent 4 }} spec: template: spec: - {{- include "mtSpec" $c | nindent 6 -}} -{{- end }} + {{- include "controlplane-vcdmachinetemplate-spec" $ | nindent 6 -}} diff --git a/helm/cluster-cloud-director/values.schema.json b/helm/cluster-cloud-director/values.schema.json index c1312506..43515916 100644 --- a/helm/cluster-cloud-director/values.schema.json +++ b/helm/cluster-cloud-director/values.schema.json 
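Review bot: The new control-plane VCDMachineTemplate name is `<cluster>-control-plane-<hash>` with the hash taken over the raw `include "controlplane-vcdmachinetemplate-spec"` string plus `hashSalt`, and nothing in this file records that the KubeadmControlPlane now rendered by the cluster chart must derive byte-for-byte the same name for its `infrastructureRef`; the helper comment says it was copied for that reason, so put the coupling where it bites, e.g. above `name:` add `# Must match the name the cluster chart computes for KubeadmControlPlane.spec.machineTemplate.infrastructureRef.name (same spec text + hashSalt); any divergence leaves the KCP pointing at a template that does not exist.` The hash input is the un-indented include output while the spec below is emitted through `nindent 6`, which is only consistent if the cluster chart also hashes before indenting — worth stating in that comment. I cannot verify the cluster-chart side from this diff, so a rendered-manifest check in ci/ that the two names agree would be the stronger guard.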
@@ -212,7 +212,7 @@ }, "service": { "type": "oneshot", - "additionalFields": "{{- if $.global.connectivity.network.staticRoutes }}\nExecStart=/usr/bin/bash -cv 'sleep 3'\n{{- range $.global.connectivity.network.staticRoutes }}\nExecStart=/usr/bin/bash -cv 'ip route add {{ .destination }} via {{ .via }}'\n{{- end }}\n{{- else }}\necho \"No static routes provided, exiting.\"\nexit 0\n{{- end }}", + "additionalFields": "{{- if $.global.connectivity.network.staticRoutes -}}\nExecStart=/usr/bin/bash -cv 'sleep 3'\n{{- range $.global.connectivity.network.staticRoutes }}\nExecStart=/usr/bin/bash -cv 'ip route add {{ .destination }} via {{ .via }}'\n{{- end }}\n{{- else -}}\necho \"No static routes provided, exiting.\"\nexit 0\n{{- end -}}", "remainAfterExit": "yes" }, "unit": { @@ -341,7 +341,7 @@ "ciliumHelmReleaseResourceEnabled": false, "cleanupHelmReleaseResourcesEnabled": false, "clusterResourceEnabled": true, - "controlPlaneResourceEnabled": false, + "controlPlaneResourceEnabled": true, "coreDnsHelmReleaseResourceEnabled": false, "helmRepositoryResourcesEnabled": false, "infrastructureCluster": { @@ -683,33 +683,6 @@ } } }, - "ntp": { - "type": "object", - "title": "Time synchronization (NTP)", - "description": "Servers/pools to synchronize this cluster's clocks with.", - "additionalProperties": false, - "properties": { - "pools": { - "type": "array", - "title": "Pools", - "items": { - "type": "string", - "title": "Pool", - "examples": [ - "ntp.ubuntu.com" - ] - } - }, - "servers": { - "type": "array", - "title": "Servers", - "items": { - "type": "string", - "title": "Server" - } - } - } - }, "proxy": { "type": "object", "title": "Proxy", 
@@ -734,63 +707,6 @@ "type": "string", "title": "No proxy", "description": "No proxy - Comma-separated addresses to be passed to the NO_PROXY environment variable in all hosts." - }, - "secretName": { - "type": "string", - "title": "Secret name", - "description": "Name of a secret resource used by containerd to obtain the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables. If empty the value will be defaulted to -cluster-values.", - "pattern": "^[a-z0-9-]{0,63}$" - } - } - }, - "shell": { - "type": "object", - "title": "Shell access", - "additionalProperties": false, - "properties": { - "osUsers": { - "type": "array", - "title": "OS Users", - "description": "Configuration for OS users in cluster nodes.", - "items": { - "type": "object", - "title": "User", - "required": [ - "name" - ], - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "Username of the user.", - "minLength": 2, - "pattern": "^[a-z][-a-z0-9]+$" - }, - "sudo": { - "type": "string", - "title": "Sudoers configuration", - "description": "Permissions string to add to /etc/sudoers for this user." - } - } - }, - "default": [ - { - "name": "giantswarm", - "sudo": "ALL=(ALL) NOPASSWD:ALL" - } - ] - }, - "sshTrustedUserCAKeys": { - "type": "array", - "title": "Trusted SSH cert issuers", - "description": "CA certificates of issuers that are trusted to sign SSH user certificates.", - "items": { - "type": "string" - }, - "default": [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM4cvZ01fLmO9cJbWUj7sfF+NhECgy+Cl0bazSrZX7sU vault-ca@vault.operations.giantswarm.io" - ] } } } 
@@ -800,46 +716,46 @@ "type": "object", "title": "Control plane", "required": [ - "catalog", - "template", - "replicas", - "resourceRatio" + "machineTemplate", + "replicas" ], "additionalProperties": false, "properties": { - "catalog": { - "$ref": "#/$defs/catalog", - "title": "Catalog", - "description": "VCD catalog where the VM template is stored." - }, - "certSANs": { - "type": "array", - "title": "Subject alternative names (SAN)", - "description": "Alternative names to encode in the API server's certificate.", - "items": { - "type": "string", - "title": "SAN" - } - }, "customNodeLabels": { "$ref": "#/$defs/nodeLabels", "title": "Custom node labels" }, - "diskSizeGB": { - "$ref": "#/$defs/diskSizeGB", - "title": "Disk size", - "description": "Control plane node root volume size, in GB." - }, - "image": { + "machineTemplate": { "type": "object", - "title": "Node container image", - "description": "Set to 'gsoci.azurecr.io/giantswarm' for ignition (Flatcar) and 'projects.registry.vmware.com/tkg' for cloud-init (Ubuntu).", + "title": "Template to define control plane nodes", + "required": [ + "catalog", + "template" + ], "additionalProperties": false, "properties": { - "repository": { - "type": "string", - "title": "Repository", - "default": "gsoci.azurecr.io/giantswarm" + "catalog": { + "$ref": "#/$defs/catalog", + "title": "Catalog", + "description": "VCD catalog where the VM template is stored." + }, + "diskSizeGB": { + "$ref": "#/$defs/diskSizeGB", + "title": "Disk size", + "description": "Control plane node root volume size, in gigabytes." + }, + "placementPolicy": { + "$ref": "#/$defs/placementPolicy" + }, + "sizingPolicy": { + "$ref": "#/$defs/sizingPolicy" + }, + "storageProfile": { + "$ref": "#/$defs/storageProfile" + }, + "template": { + "$ref": "#/$defs/template", + "title": "VM template" } } }, 
@@ -854,7 +770,7 @@ ], "additionalProperties": false, "properties": { - "caFile": { + "caPem": { "type": "string", "title": "Certificate authority file", "description": "Path to identity provider's CA certificate in PEM format." @@ -891,31 +807,11 @@ } } }, - "placementPolicy": { - "$ref": "#/$defs/placementPolicy" - }, "replicas": { "type": "integer", "title": "Number of nodes", "description": "Number of control plane instances to create. Must be an odd number.", "default": 1 - }, - "resourceRatio": { - "type": "integer", - "title": "Resource ratio", - "description": "Ratio between node resources and apiserver resource requests.", - "default": 8, - "minimum": 2 - }, - "sizingPolicy": { - "$ref": "#/$defs/sizingPolicy" - }, - "storageProfile": { - "$ref": "#/$defs/storageProfile" - }, - "template": { - "$ref": "#/$defs/template", - "title": "VM template" } } }, 
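Review bot: The `caFile` → `caPem` rename in values.schema.json keeps the old title `Certificate authority file` and description `Path to identity provider's CA certificate in PEM format.`, so the schema now documents the new key as a filesystem path while its name says it carries the certificate body. Assuming `caPem` is indeed the PEM contents (the ci files set it to `""`), change them to `"title": "Certificate authority (PEM)"` and `"description": "PEM-encoded CA certificate used to verify the identity provider's TLS certificate. Contents, not a file path; leave empty to use the system trust store."` — the last clause only if the empty string really is the sentinel. The `oidc-ca-file` flag the deleted KubeadmControlPlane derived from `caFile` has no visible replacement in this diff, so a reader will also want to know where the PEM gets written for the apiserver.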
@@ -1230,56 +1126,6 @@ "type": "object", "additionalProperties": false, "properties": { - "apiServer": { - "type": "object", - "additionalProperties": false, - "properties": { - "certSANs": { - "type": "array", - "title": "Subject alternative names (SAN)", - "description": "Alternative names to encode in the API server's certificate.", - "items": { - "type": "string", - "title": "SAN" - } - }, - "enableAdmissionPlugins": { - "type": "array", - "title": "Admission plugins", - "description": "List of admission plugins to be passed to the API server via the --enable-admission-plugins flag.", - "items": { - "type": "string", - "title": "Plugin", - "examples": [ - "DefaultStorageClass", - "Priority" - ], - "pattern": "^[A-Za-z0-9]+$" - }, - "default": [ - "DefaultStorageClass", - "DefaultTolerationSeconds", - "LimitRanger", - "MutatingAdmissionWebhook", - "NamespaceLifecycle", - "PersistentVolumeClaimResize", - "Priority", - "ResourceQuota", - "ServiceAccount", - "ValidatingAdmissionWebhook" - ] - }, - "featureGates": { - "type": "array", - "title": "Feature gates", - "description": "API server feature gate activation/deactivation.", - "items": { - "$ref": "#/$defs/featureGate" - }, - "default": [] - } - } - }, "ciliumNetworkPolicy": { "type": "object", "title": "CiliumNetworkPolicies", @@ -1292,22 +1138,6 @@ } } }, - "controllerManager": { - "type": "object", - "title": "Controller manager", - "additionalProperties": false, - "properties": { - "featureGates": { - "type": "array", - "title": "Feature gates", - "description": "Controller manager feature gate activation/deactivation.", - "items": { - "$ref": "#/$defs/featureGate" - }, - "default": [] - } - } - }, "kubectlImage": { "type": "object", "title": "Kubectl image", 
@@ -1347,27 +1177,6 @@ "title": "Runtime defined entity (RDE) identifier", "description": "This cluster's RDE ID in the VCD API." }, - "sandboxContainerImage": { - "type": "object", - "title": "Sandbox Container image (pause container)", - "properties": { - "name": { - "type": "string", - "title": "Repository", - "default": "giantswarm/pause" - }, - "registry": { - "type": "string", - "title": "Registry", - "default": "gsoci.azurecr.io" - }, - "tag": { - "type": "string", - "title": "Tag", - "default": "3.9" - } - } - }, "skipRde": { "type": "boolean", "title": "Skip RDE", diff --git a/helm/cluster-cloud-director/values.yaml b/helm/cluster-cloud-director/values.yaml index 06c3ee39..37996426 100644 --- a/helm/cluster-cloud-director/values.yaml +++ b/helm/cluster-cloud-director/values.yaml @@ -52,15 +52,15 @@ cluster: - multi-user.target service: additionalFields: |- - {{- if $.global.connectivity.network.staticRoutes }} + {{- if $.global.connectivity.network.staticRoutes -}} ExecStart=/usr/bin/bash -cv 'sleep 3' {{- range $.global.connectivity.network.staticRoutes }} ExecStart=/usr/bin/bash -cv 'ip route add {{ .destination }} via {{ .via }}' {{- end }} - {{- else }} + {{- else -}} echo "No static routes provided, exiting." exit 0 - {{- end }} + {{- end -}} remainAfterExit: "yes" type: oneshot unit: @@ -144,7 +144,7 @@ cluster: ciliumHelmReleaseResourceEnabled: false cleanupHelmReleaseResourcesEnabled: false clusterResourceEnabled: true - controlPlaneResourceEnabled: false + controlPlaneResourceEnabled: true coreDnsHelmReleaseResourceEnabled: false helmRepositoryResourcesEnabled: false infrastructureCluster: 
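Review bot: After the `-}}` trims in the static-routes `additionalFields`, the `else` branch still emits `echo "No static routes provided, exiting."` and `exit 0` as its only content; if `additionalFields` is appended verbatim into the unit's `[Service]` section alongside `type: oneshot` and `remainAfterExit: "yes"` (which is what the sibling keys suggest), those are shell statements rather than unit directives and systemd will discard them with a "Missing '='" warning instead of running anything. The new trim markers only remove the blank lines around the rendered text and do not change that. Make it a real no-op, e.g. `ExecStart=/usr/bin/echo "No static routes provided, exiting."`, rather than removing the branch entirely — a service with neither `ExecStart=` nor `ExecStop=` is rejected by systemd — and change the duplicated string in values.schema.json at the same time.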
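Review bot: Flipping `controlPlaneResourceEnabled` to `true` hands the KubeadmControlPlane to the cluster chart while this commit deletes the chart-local one that carried the hardening: the audit-log flags and policy volume, `encryption-provider-config` with its `/etc/kubernetes/encryption/config.yaml` file from the `-encryption-provider-config` secret, the `tls-cipher-suites` list, `profiling: "false"`, `kubelet-preferred-address-types: InternalIP`, the `requestheader-allowed-names` setting and the OIDC flags. None of the ci values files in this diff asserts that the cluster chart's KCP reproduces those, so a rendered-manifest comparison (or at least a changelog line per setting naming its new home) is needed before a workload cluster is upgraded on this release. The OIDC block changed shape as well (`caFile` → `caPem`, `usernamePrefix`/`groupsPrefix` removed from the ci files); they were empty there, so no test behaviour changes, but confirm the schema still exposes the prefixes for production values that rely on them to keep federated identities from colliding with built-in users and groups.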
@@ -189,22 +189,13 @@ global: services: cidrBlocks: - 172.31.0.0/16 - ntp: {} proxy: {} - shell: - osUsers: - - name: giantswarm - sudo: ALL=(ALL) NOPASSWD:ALL - sshTrustedUserCAKeys: - - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM4cvZ01fLmO9cJbWUj7sfF+NhECgy+Cl0bazSrZX7sU vault-ca@vault.operations.giantswarm.io controlPlane: - catalog: giantswarm - image: - repository: gsoci.azurecr.io/giantswarm + machineTemplate: + catalog: giantswarm + template: flatcar-stable-3815.2.2-kube-v1.27.14-gs oidc: {} replicas: 1 - resourceRatio: 8 - template: flatcar-stable-3815.2.2-kube-v1.27.14-gs metadata: preventDeletion: false servicePriority: highest @@ -233,32 +224,13 @@ global: secretRef: {} vmBootstrapFormat: ignition internal: - apiServer: - enableAdmissionPlugins: - - DefaultStorageClass - - DefaultTolerationSeconds - - LimitRanger - - MutatingAdmissionWebhook - - NamespaceLifecycle - - PersistentVolumeClaimResize - - Priority - - ResourceQuota - - ServiceAccount - - ValidatingAdmissionWebhook - featureGates: [] ciliumNetworkPolicy: enabled: true - controllerManager: - featureGates: [] kubectlImage: name: giantswarm/kubectl registry: gsoci.azurecr.io tag: 1.27.14 kubernetesVersion: v1.27.14 - sandboxContainerImage: - name: giantswarm/pause - registry: gsoci.azurecr.io - tag: "3.9" teleport: enabled: true proxyAddr: teleport.giantswarm.io:443
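Review bot: Deleting the `global.connectivity.shell` defaults removes the chart's own trust anchor for node SSH (the `sshTrustedUserCAKeys` entry and the `giantswarm` user with `ALL=(ALL) NOPASSWD:ALL`) together with the `_ssh.tpl` helper that wrote them into `/etc/ssh/trusted-user-ca-keys.pem` and `sshd_config`, and nothing visible in this diff shows where that configuration now comes from. If the cluster chart ships an equivalent default, a comment under `connectivity:` naming it (`# shell/ssh and ntp are configured via the cluster chart's providerIntegration components`) makes the removal self-explaining; if it does not, operators lose certificate-based SSH to nodes — or the sudo rule is recreated with different semantics — on the first rollout. The same applies to the dropped `ntp: {}`, whose replacement `cluster.providerIntegration.components.systemd.timesyncd.ntp` at least appears in ci-values.yaml.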