feat(t8s-cluster): add support for HCP (#962)

teutonet · Aug 8, 2024 · 4307b0b · 4307b0b
1 parent c2b6ef1
commit 4307b0b
Show file tree

Hide file tree

Showing 32 changed files with 473 additions and 222 deletions.
diff --git a/charts/t8s-cluster/ci/hcp-values.yaml b/charts/t8s-cluster/ci/hcp-values.yaml
@@ -0,0 +1,2 @@
+controlPlane:
+  hosted: true
diff --git a/charts/t8s-cluster/templates/_etcd-defrag.yaml b/charts/t8s-cluster/templates/_etcd-defrag.yaml
@@ -0,0 +1,89 @@
+{{- define "t8s-cluster.etcd-defrag" -}}
+  {{- $_ := mustMerge . (pick .context "Values" "Release" "Chart") -}}
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: kube-etcd-defrag
+  namespace: {{ .hosted | ternary .Release.Namespace "kube-system" }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+spec:
+  concurrencyPolicy: Forbid
+  failedJobsHistoryLimit: 10
+  successfulJobsHistoryLimit: 1
+  schedule: '42 * * * *'
+  jobTemplate:
+    spec:
+      backoffLimit: 6
+      template:
+        spec:
+          automountServiceAccountToken: false
+          containers:
+            - command:
+                - etcdctl
+                - defrag
+                - --cluster
+                - --cacert=/etc/kubernetes/pki/etcd/ca.crt
+                - --cert=/etc/kubernetes/pki/etcd/peer.crt
+                - --key=/etc/kubernetes/pki/etcd/peer.key
+              env:
+                - name: ETCDCTL_API
+                  value: "3"
+                - name: ETCDCTL_ENDPOINTS
+                  value: {{ .hosted | ternary (printf "kmc-%s-etcd:2379" .Release.Name) "localhost:2379" }}
+              image: {{ include "common.images.image" (dict "imageRoot" .Values.global.etcd.image "global" .Values.global) }}
+              imagePullPolicy: IfNotPresent
+              name: etcd-defrag
+              securityContext:
+                runAsGroup: 1000
+                runAsUser: {{ .hosted | ternary 1000 0 }}
+                runAsNonRoot: {{ .hosted }}
+                privileged: false
+                allowPrivilegeEscalation: false
+                seccompProfile:
+                  type: RuntimeDefault
+                capabilities:
+                  drop:
+                    - ALL
+                readOnlyRootFilesystem: true
+              volumeMounts:
+                - mountPath: /etc/kubernetes/pki/etcd
+                  name: etcd-certs
+                  readOnly: true
+          dnsPolicy: ClusterFirst
+          restartPolicy: OnFailure
+          {{- if not .hosted }}
+          hostNetwork: true
+          nodeSelector:
+            node-role.kubernetes.io/control-plane: ""
+          tolerations:
+            - effect: NoSchedule
+              key: node-role.kubernetes.io/control-plane
+              operator: Exists
+            - effect: NoSchedule
+              key: node-role.kubernetes.io/master
+              operator: Exists
+          {{- end }}
+          volumes:
+            - name: etcd-certs
+              {{- if .hosted }}
+              projected:
+                defaultMode: 420
+                sources:
+                  - secret:
+                      items:
+                        - key: tls.crt
+                          path: ca.crt
+                      name: {{ printf "%s-etcd" .Release.Name }}
+                  - secret:
+                      items:
+                        - key: tls.crt
+                          path: peer.crt
+                        - key: tls.key
+                          path: peer.key
+                      name: {{ printf "%s-etcd-peer" .Release.Name }}
+              {{- else }}
+              hostPath:
+                path: /etc/kubernetes/pki/etcd
+                type: Directory
+              {{- end }}
+{{- end -}}
diff --git a/charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl b/charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl
@@ -13,13 +13,12 @@ openstack
 
 {{- define "t8s-cluster.clusterClass.tlsCipherSuites" -}}
   {{- $cipherSuites := list "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305" "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305" "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" "TLS_RSA_WITH_AES_256_GCM_SHA384" "TLS_RSA_WITH_AES_128_GCM_SHA256" -}}
-  {{- join "," $cipherSuites -}}
+  {{- $cipherSuites | toYaml -}}
 {{- end -}}
 
 {{- define "t8s-cluster.clusterClass.preKubeadmCommands" -}}
   {{- $_ := mustMerge . (pick .context "Values") -}}
   {{- $commands := list -}}
-  {{- $commands = append $commands "bash /etc/kube-proxy-patch.sh" }}
   {{- if .Values.global.injectedCertificateAuthorities -}}
     {{- $commands = append $commands "update-ca-certificates" -}}
   {{- end -}}
@@ -35,3 +34,137 @@ openstack
   {{- $args := dict "cloud-provider" "external" -}}
   {{- toYaml $args -}}
 {{- end -}}
+
+{{- define "t8s-cluster.clusterClass.containerdConfig.plugins" -}}
+  {{- $_ := mustMerge . (pick .context "Values") -}}
+[plugins]
+  [plugins."io.containerd.grpc.v1.cri"]
+    {{- if .Values.containerRegistryMirror.mirrorEndpoint }}
+    [plugins."io.containerd.grpc.v1.cri".registry]
+      config_path = "/etc/containerd/registries.conf.d"
+    {{- end }}
+    [plugins."io.containerd.grpc.v1.cri".containerd]
+      default_runtime_name = "runc"
+      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
+        # TODO: this is only needed because of https://github.com/containerd/containerd/issues/5837
+        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
+          runtime_type = "io.containerd.runc.v2"
+          # TODO: this is only needed because of https://github.com/containerd/containerd/issues/5837
+          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
+            SystemdCgroup = true
+        {{- if .gpu }}
+        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.nvidia]
+          privileged_without_host_devices = false
+          runtime_engine = ""
+          runtime_root = ""
+          runtime_type = "io.containerd.runc.v2"
+          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.nvidia.options]
+            BinaryName = "/usr/local/nvidia/toolkit/nvidia-container-runtime"
+        {{- end -}}
+{{- end -}}
+
+{{- define "t8s-cluster.clusterClass.containerdConfig.containerRegistryMirrorConfigs.content" -}}
+server = {{ printf "https://%s" .registry | quote }}
+{{ printf `[host."%s"]` .endpoint }}
+  capabilities = ["pull", "resolve"]
+{{- end -}}
+
+{{- define "t8s-cluster.featureGates" -}}
+{{/*  {{- (dict "SeccompDefault" (list "kubelet")) | toYaml -}}*/}}
+  {{- (dict) | toYaml -}}
+{{- end -}}
+
+{{- define  "t8s-cluster.featureGates.forComponent" -}}
+  {{- $featureGates := dict -}}
+  {{- $component := .component -}}
+  {{- range $featureGate, $components := include "t8s-cluster.featureGates" (dict) | fromYaml -}}
+    {{- if $components | has $component -}}
+      {{- $featureGates = set $featureGates $featureGate true -}}
+    {{- end -}}
+  {{- end -}}
+  {{- $featureGates | toYaml -}}
+{{- end -}}
+
+{{- define "t8s-cluster.clusterClass.containerdConfig.containerRegistryMirrorConfigs" -}}
+  {{- $_ := mustMerge . (pick .context "Values") -}}
+  {{- $defaultMirroredRegistries := list
+    "gcr.io"
+    "ghcr.io"
+    "k8s.gcr.io"
+    "nvcr.io"
+    "quay.io"
+    "registry.gitlab.com"
+    "registry.k8s.io"
+    "registry.opensource.zalan.do"
+    "registry.teuto.io"
+    -}}
+  {{- $mirroredRegistries := concat $defaultMirroredRegistries (.Values.containerRegistryMirror.additionallyMirroredRegistries | default list) | sortAlpha | uniq -}}
+  {{- $files := list -}}
+  {{- range $registry := $mirroredRegistries }}
+    {{- $files = append $files (dict "content" (include "t8s-cluster.clusterClass.containerdConfig.containerRegistryMirrorConfigs.content" (dict "registry" $registry "endpoint" $.Values.containerRegistryMirror.mirrorEndpoint)) "path" (printf `/etc/containerd/registries.conf.d/%s/hosts.toml` $registry)) -}}
+  {{- end }}
+  {{- $files = append $files (dict "content" (include "t8s-cluster.clusterClass.containerdConfig.containerRegistryMirrorConfigs.content" (dict "registry" "registry-1.docker.io" "endpoint" $.Values.containerRegistryMirror.mirrorEndpoint)) "path" "/etc/containerd/registries.conf.d/docker.io/hosts.toml") -}}
+  {{- $files | toYaml -}}
+{{- end -}}
+
+{{- define "t8s-cluster.clusterClass.configTemplate.files" -}}
+  {{- $_ := mustMerge . (pick .context "Values") -}}
+  {{- $files := list -}}
+  {{- if not .excludePatches -}}
+    {{- $files = concat $files (include "t8s-cluster.patches.kubelet.patches" (dict "context" .context) | fromYamlArray) -}}
+  {{- end -}}
+  {{- if .Values.containerRegistryMirror.mirrorEndpoint -}}
+    {{- $files = concat $files (include "t8s-cluster.clusterClass.containerdConfig.containerRegistryMirrorConfigs" (dict "context" .context) | fromYamlArray) -}}
+  {{- end -}}
+  {{- $files = append $files (dict "content" (include "t8s-cluster.clusterClass.containerdConfig.plugins" (dict "context" .context "gpu" .gpu)) "path" "/etc/containerd/conf.d/plugins.toml" ) -}}
+  {{- if .Values.global.injectedCertificateAuthorities }}
+    {{- $files = append $files (dict "content" .Values.global.injectedCertificateAuthorities "path" "/usr/local/share/ca-certificates/injected-ca-certs.crt" ) -}}
+  {{- end }}
+  {{- $files | toYaml -}}
+{{- end -}}
+
+{{- define "t8s-cluster.clusterClass.args.base" -}}
+  {{- dict "profiling" "false" | toYaml -}}
+{{- end -}}
+
+{{- define "t8s-cluster.clusterClass.args.shared" -}}
+  {{- $args := include "t8s-cluster.clusterClass.args.base" (dict) | fromYaml -}}
+  {{- $args = mustMerge (dict
+    "authorization-always-allow-paths" (list "/healthz" "/readyz" "/livez" "/metrics" | join ",")
+    "bind-address" "0.0.0.0"
+    ) $args -}}
+  {{- $args | toYaml -}}
+{{- end -}}
+
+{{- define "t8s-cluster.clusterClass.args.scheduler" -}}
+  {{- include "t8s-cluster.clusterClass.args.shared" (dict) -}}
+{{- end }}
+
+{{- define "t8s-cluster.clusterClass.args.sharedController" -}}
+  {{- $args := dict "cloud-provider" "external" -}}
+  {{- toYaml $args -}}
+{{- end }}
+
+{{- define "t8s-cluster.clusterClass.args.controllerManager" -}}
+  {{- $args := include "t8s-cluster.clusterClass.args.shared" (dict) | fromYaml -}}
+  {{- $args = mustMerge (include "t8s-cluster.clusterClass.args.sharedController" (dict "context" .context) | fromYaml) $args -}}
+  {{- $args = set $args "terminated-pod-gc-threshold" "100" -}}
+  {{- $args | toYaml -}}
+{{- end }}
+
+{{- define "t8s-cluster.clusterClass.apiServer.admissionPlugins" -}}
+  {{- $admissionPlugins := list "AlwaysPullImages" "NodeRestriction" -}}
+  {{- if not .excludePatches -}}
+    {{- $admissionPlugins = concat $admissionPlugins (list "EventRateLimit") -}}
+  {{- end -}}
+  {{- $admissionPlugins | toYaml -}}
+{{- end -}}
+
+{{- define "t8s-cluster.clusterClass.args.apiServer" -}}
+  {{- $args := include "t8s-cluster.clusterClass.args.base" (dict "context" .context) | fromYaml -}}
+  {{- $args = mustMerge (include "t8s-cluster.clusterClass.args.sharedController" (dict "context" .context) | fromYaml) $args -}}
+  {{- $args = set $args "enable-admission-plugins" (include "t8s-cluster.clusterClass.apiServer.admissionPlugins" (dict "excludePatches" .excludePatches) | fromYamlArray | join ",") -}}
+  {{- $args = set $args "event-ttl" "4h" -}}
+  {{- $args = set $args "tls-cipher-suites" (include "t8s-cluster.clusterClass.tlsCipherSuites" (dict) | fromYamlArray | join ",") -}}
+  {{- $args | toYaml -}}
+{{- end }}
diff --git a/...tes/management-cluster/clusterClass/bootstrapConfigTemplate/_bootstrapConfigTemplate.yaml b/...tes/management-cluster/clusterClass/bootstrapConfigTemplate/_bootstrapConfigTemplate.yaml
@@ -0,0 +1,12 @@
+{{- define "t8s-cluster.clusterClass.bootstrapConfigTemplate" -}}
+  {{- $_ := mustMerge . (pick .context "Values" "Release" "Chart") -}}
+apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
+kind: {{ .Values.controlPlane.hosted | ternary "K0sWorkerConfigTemplate" "KubeadmConfigTemplate" }}
+metadata:
+  name: {{ printf "%s-%s-compute-plane" .Release.Name (.gpu | ternary "gpu" "standard") }}
+  namespace: {{ .Release.Namespace }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+spec:
+  template:
+    spec: {{- include (printf "t8s-cluster.clusterClass.bootstrapConfigTemplate.%s.spec" (.Values.controlPlane.hosted | ternary "k0smotron" "kubeadm")) (dict "gpu" .gpu "context" .context) | nindent 6 }}
+{{- end -}}
diff --git a/...management-cluster/clusterClass/bootstrapConfigTemplate/_k0smotronConfigTemplateSpec.yaml b/...management-cluster/clusterClass/bootstrapConfigTemplate/_k0smotronConfigTemplateSpec.yaml
@@ -0,0 +1,23 @@
+{{- define "t8s-cluster.clusterClass.bootstrapConfigTemplate.k0smotron.spec" -}}
+  {{- $_ := mustMerge . (pick .context "Values") -}}
+  {{- $kubeletExtraArgs := list -}}
+  {{- range $key, $value := include "t8s-cluster.clusterClass.kubeletExtraArgs" (dict "context" .context) | fromYaml -}}
+    {{- $kubeletExtraArgs = append $kubeletExtraArgs (printf "--%s=%s" $key $value) -}}
+  {{- end -}}
+args:
+  - --cri-socket=remote:/run/containerd/containerd.sock
+  {{- if le (.Values.version.minor | int) 28 }}
+  - --enable-cloud-provider
+  {{- end }}
+  - {{ printf `--kubelet-extra-args="%s"` ($kubeletExtraArgs | join " ") }}
+files: {{- include "t8s-cluster.clusterClass.configTemplate.files" (dict "context" .context "gpu" .gpu "excludePatches" true) | nindent 2 }}
+  {{/* this service isn't needed by k0s */}}
+  {{- $preStartCommands := list
+    "systemctl disable --now kubelet.service"
+  }}
+  {{- $preStartCommands = concat $preStartCommands
+    (include "t8s-cluster.clusterClass.preKubeadmCommands" (dict "context" .context) | fromYamlArray)
+    (include "t8s-cluster.clusterClass.postKubeadmCommands" (dict) | fromYamlArray)
+  }}
+preStartCommands: {{- $preStartCommands | default (list) | toYaml | nindent 2 }}
+{{- end -}}
diff --git a/...s/management-cluster/clusterClass/bootstrapConfigTemplate/_kubeadmConfigTemplateSpec.yaml b/...s/management-cluster/clusterClass/bootstrapConfigTemplate/_kubeadmConfigTemplateSpec.yaml
@@ -0,0 +1,11 @@
+{{- define "t8s-cluster.clusterClass.bootstrapConfigTemplate.kubeadm.spec" -}}
+  {{- $_ := mustMerge . (pick .context "Values") -}}
+joinConfiguration:
+  nodeRegistration:
+    kubeletExtraArgs: {{- include "t8s-cluster.clusterClass.kubeletExtraArgs" (dict "context" .context) | nindent 6 }}
+  patches:
+    directory: /etc/kubernetes/patches
+files: {{- include "t8s-cluster.clusterClass.configTemplate.files" (dict "context" .context "gpu" .gpu) | nindent 2 }}
+preKubeadmCommands: {{- include "t8s-cluster.clusterClass.preKubeadmCommands" (dict "context" .context) | nindent 2 }}
+postKubeadmCommands: {{- include "t8s-cluster.clusterClass.postKubeadmCommands" (dict) | nindent 2 }}
+{{- end -}}
diff --git a/...ment-cluster/clusterClass/bootstrapConfigTemplate/gpuNodePoolBootstrapConfigTemplate.yaml b/...ment-cluster/clusterClass/bootstrapConfigTemplate/gpuNodePoolBootstrapConfigTemplate.yaml
@@ -0,0 +1 @@
+{{- include "t8s-cluster.clusterClass.bootstrapConfigTemplate" (dict "gpu" true "context" $) -}}
diff --git a/...cluster/clusterClass/bootstrapConfigTemplate/standardNodePoolBootstrapConfigTemplate.yaml b/...cluster/clusterClass/bootstrapConfigTemplate/standardNodePoolBootstrapConfigTemplate.yaml
@@ -0,0 +1 @@
+{{- include "t8s-cluster.clusterClass.bootstrapConfigTemplate" (dict "gpu" false "context" $) -}}
diff --git a/charts/t8s-cluster/templates/management-cluster/clusterClass/clusterClass.yaml b/charts/t8s-cluster/templates/management-cluster/clusterClass/clusterClass.yaml
@@ -10,6 +10,7 @@ metadata:
   labels: {{- include "common.labels.standard" $ | nindent 4 }}
 spec:
   controlPlane:
+    {{- if not .Values.controlPlane.hosted }}
     machineHealthCheck:
       maxUnhealthy: 1
       nodeStartupTimeout: 10m
@@ -26,10 +27,16 @@ spec:
         apiVersion: {{ include "t8s-cluster.clusterClass.infrastructureApiVersion" (dict) }}
         kind: OpenStackMachineTemplate
         name: {{ printf "%s-control-plane-%s" $.Release.Name (include "t8s-cluster.clusterClass.openStackMachineTemplate.specHashOfControlPlane" (dict "context" $)) }}
+    {{- end }}
     ref:
       apiVersion: controlplane.cluster.x-k8s.io/v1beta1
+      {{- if .Values.controlPlane.hosted }}
+      kind: K0smotronControlPlaneTemplate
+      name: {{/* the full context is needed for .Files.Get */}}{{ printf "%s-%s" $.Release.Name (include "t8s-cluster.clusterClass.k0smotronControlPlaneTemplate.specHash" .) }}
+      {{- else }}
       kind: KubeadmControlPlaneTemplate
       name: {{/* the full context is needed for .Files.Get */}}{{ printf "%s-%s" $.Release.Name (include "t8s-cluster.clusterClass.kubeadmControlPlaneTemplate.specHash" .) }}
+      {{- end }}
   infrastructure:
     ref:
       apiVersion: {{ include "t8s-cluster.clusterClass.infrastructureApiVersion" (dict) }}
@@ -72,6 +79,7 @@ spec:
           type: string
           default: compute-plane-placeholder
   patches:
+    {{- if not .Values.controlPlane.hosted }}
     - name: controlPlaneServerGroupID
       description: Sets the ServerGroupID for Control Plane machines.
       definitions:
@@ -85,6 +93,7 @@ spec:
             kind: OpenStackMachineTemplate
             matchResources:
               controlPlane: true
+    {{- end }}
     - name: machineDeploymentServerGroupID
       description: Sets the ServerGroupID for MachineDeployment machines.
       definitions:
@@ -127,6 +136,7 @@ spec:
             matchResources:
               machineDeploymentClass:
                 names: {{- $machineDeploymentClasses | keys | sortAlpha | toYaml | nindent 18 }}
+        {{- if not .Values.controlPlane.hosted }}
         - jsonPatches:
             - <<: *imagePatch
               valueFrom:
@@ -135,6 +145,8 @@ spec:
             <<: *imagePatchSelector
             matchResources:
               controlPlane: true
+        {{- end }}
+    {{- if not .Values.controlPlane.hosted }}
     - name: controlPlaneAvailabilityZones
       enabledIf: {{ `{{ if .controlPlaneAvailabilityZones }}true{{ end }}` | quote }}
       definitions:
@@ -148,6 +160,7 @@ spec:
               path: /spec/template/spec/controlPlaneAvailabilityZones
               valueFrom:
                 variable: controlPlaneAvailabilityZones
+    {{- end }}
     - name: dnsNameservers
       definitions:
         - selector:
@@ -190,7 +203,7 @@ spec:
           bootstrap:
             ref:
               apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
-              kind: KubeadmConfigTemplate
+              kind: {{ $.Values.controlPlane.hosted | ternary "K0sWorkerConfigTemplate" "KubeadmConfigTemplate" }}
               name: {{ printf "%s-%s-compute-plane" $.Release.Name ($isGpuDeploymentClass | ternary "gpu" "standard") }}
           infrastructure:
             ref:

diff --git a/...ster/templates/management-cluster/clusterClass/k0smotronControlPlaneTemplate/_helpers.tpl b/...ster/templates/management-cluster/clusterClass/k0smotronControlPlaneTemplate/_helpers.tpl
@@ -0,0 +1,7 @@
+{{- define "t8s-cluster.clusterClass.k0smotronControlPlaneTemplate.specHash" -}}
+  {{/* the full context is needed for .Files.Get */}}
+  {{- $inputs := (dict
+    "spec" (include "t8s-cluster.clusterClass.k0smotronControlPlaneTemplate.spec" $)
+    ) -}}
+  {{- mustToJson $inputs | toString | quote | sha1sum | trunc 8 -}}
+{{- end -}}