Add clusterctl support

.gitignore

@@ -22,3 +22,6 @@ bin
 *.swp
 *.swo
 *~
+
+# Release manifests
+/release/infrastructure-components.yaml

Makefile

@@ -35,7 +35,9 @@ uninstall: manifests
 # Deploy controller in the configured Kubernetes cluster in ~/.kube/config
 deploy: manifests
 	cd config/manager && kustomize edit set image controller=${IMG}
-	kustomize build config/default | kubectl apply -f -
+	kustomize build config | kubectl apply -f -
+	# TODO: use aggregation label when available
+	kubectl apply -f release/kubeadm-control-plane-rbac.yaml
 
 # Generate manifests e.g. CRD, RBAC etc.
 manifests: controller-gen
@@ -57,6 +59,10 @@ test: generate fmt vet manifests
 e2e: docker-build
 	go test -v ./e2e/... -coverprofile cover.out
 
+release_manifests:
+	cd config/manager && kustomize edit set image controller=${IMG}
+	kustomize build config > release/infrastructure-components.yaml
+
 # Generate code
 generate: controller-gen
 	$(CONTROLLER_GEN) object:headerFile=./hack/boilerplate.go.txt paths="./..."

README.md

@@ -46,147 +46,27 @@ kubectl apply -f hack/forward-ipencap.yaml
 ### Installation
 
 ```sh
-# Install cert-manager
-kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.13.1/cert-manager.yaml
-kubectl wait --for=condition=Available deployment/cert-manager-webhook -n cert-manager --timeout=600s
-
-# Install cluster api manager
-kubectl apply -f https://github.com/kubernetes-sigs/cluster-api/releases/download/v0.3.0/cluster-api-components.yaml
-
-# Install kubernetes infrastructure provider
-kubectl apply -f https://github.com/dippynark/cluster-api-provider-kubernetes/releases/download/v0.3.0/infrastructure-components.yaml
+# Add the Kubernetes infrastructure provider
+mkdir -p $HOME/.cluster-api
+cat > $HOME/.cluster-api/clusterctl.yaml <<EOF
+providers:
+- name: kubernetes
+  url: https://github.com/dippynark/cluster-api-provider-kubernetes/releases/latest/infrastructure-components.yaml
+  type: InfrastructureProvider
+EOF
 
-# Allow cluster api controller to interact with kubernetes infrastructure resources
-# If the kubernetes provider were SIG-sponsored this would not be necesarry ;)
-kubectl apply -f https://github.com/dippynark/cluster-api-provider-kubernetes/releases/download/v0.3.0/capi-kubernetes-rbac.yaml
+# Initialise
+clusterctl init --infrastructure kubernetes
+# TODO: use aggregation label when available
+kubectl apply -f https://github.com/dippynark/cluster-api-provider-kubernetes/releases/download/v0.3.0/kubeadm-control-plane-rbac.yaml
 ```
 
 ### Configuration
 
 ```sh
-# Apply cluster infrastructure
-kubectl apply -f <(cat <<EOF
-apiVersion: infrastructure.lukeaddison.co.uk/v1alpha3
-kind: KubernetesCluster
-metadata:
-  name: example
-spec:
-  # Change for clusters that do not support LoadBalancer Service types
-  controlPlaneServiceType: LoadBalancer
----
-apiVersion: cluster.x-k8s.io/v1alpha3
-kind: Cluster
-metadata:
-  name: example
-spec:
-  clusterNetwork:
-    services:
-      cidrBlocks: ["172.16.0.0/12"]
-    pods:
-      cidrBlocks: ["192.168.0.0/16"]
-    serviceDomain: "cluster.local"
-  infrastructureRef:
-    apiVersion: infrastructure.lukeaddison.co.uk/v1alpha3
-    kind: KubernetesCluster
-    name: example
-  controlPlaneRef:
-    apiVersion: controlplane.cluster.x-k8s.io/v1alpha3
-    kind: KubeadmControlPlane
-    name: example
-EOF
-)
-
-# Apply machine template
-kubectl apply -f <(cat <<EOF
-apiVersion: infrastructure.lukeaddison.co.uk/v1alpha3
-kind: KubernetesMachineTemplate
-metadata:
-  name: example
-spec:
-  template:
-    spec: {}
-EOF
-)
-
-# Apply control plane
-kubectl apply -f <(cat <<EOF
-apiVersion: controlplane.cluster.x-k8s.io/v1alpha3
-kind: KubeadmControlPlane
-metadata:
-  name: example
-spec:
-  replicas: 1
-  version: v1.17.0
-  infrastructureTemplate:
-    kind: KubernetesMachineTemplate
-    apiVersion: infrastructure.lukeaddison.co.uk/v1alpha3
-    name: example
-  kubeadmConfigSpec:
-    initConfiguration:
-      nodeRegistration:
-        kubeletExtraArgs:
-          eviction-hard: nodefs.available<0%,nodefs.inodesFree<0%,imagefs.available<0%
-          cgroups-per-qos: "false"
-          enforce-node-allocatable: ""
-    clusterConfiguration:
-      controllerManager:
-        extraArgs:
-          enable-hostpath-provisioner: "true"
-    joinConfiguration:
-      nodeRegistration:
-        kubeletExtraArgs:
-          eviction-hard: nodefs.available<0%,nodefs.inodesFree<0%,imagefs.available<0%
-          cgroups-per-qos: "false"
-          enforce-node-allocatable: ""
-EOF
-)
-
-# Apply workers
-kubectl apply -f <(cat <<EOF
-apiVersion: bootstrap.cluster.x-k8s.io/v1alpha3
-kind: KubeadmConfigTemplate
-metadata:
-  name: worker
-spec:
-  template:
-    spec:
-      joinConfiguration:
-        nodeRegistration:
-          kubeletExtraArgs:
-            eviction-hard: nodefs.available<0%,nodefs.inodesFree<0%,imagefs.available<0%
-            cgroups-per-qos: "false"
-            enforce-node-allocatable: ""
----
-apiVersion: cluster.x-k8s.io/v1alpha3
-kind: MachineDeployment
-metadata:
-  name: workers
-  labels:
-    nodepool: default
-spec:
-  clusterName: example
-  replicas: 3
-  selector:
-    matchLabels:
-      nodepool: default
-  template:
-    metadata:
-      labels:
-        nodepool: default
-    spec:
-      clusterName: example
-      version: v1.17.0
-      bootstrap:
-        configRef:
-          apiVersion: bootstrap.cluster.x-k8s.io/v1alpha3
-          kind: KubeadmConfigTemplate
-          name: worker
-      infrastructureRef:
-        apiVersion: infrastructure.lukeaddison.co.uk/v1alpha3
-        kind: KubernetesMachineTemplate
-        name: example
-EOF
-)
+export KUBERNETES_CONTROL_PLANE_SERVICE_TYPE=LoadBalancer
+clusterctl config cluster example --kubernetes-version=v1.17.0 --control-plane-machine-count=3 --worker-machine-count=3 \
+  | kubectl apply -f -
 
 # Retrieve kubeconfig
 until [ -n "`kubectl get secret example-kubeconfig -o jsonpath='{.data.value}' 2>/dev/null`" ] ; do
@@ -195,7 +75,7 @@ done
 kubectl get secret example-kubeconfig -o jsonpath='{.data.value}' | base64 --decode > example-kubeconfig
 
 # Switch to example cluster
-# If the cluster api endpoint is not reachable from your machine you can exec into the
+# If the cluster api endpoint is not reachable from your machine you can exec into a
 # controller Node (Pod) and run `export KUBECONFIG=/etc/kubernetes/admin.conf` instead
 export KUBECONFIG=example-kubeconfig
 

config/crd/kustomization.yaml

@@ -27,6 +27,5 @@ configurations:
 - kustomizeconfig.yaml
 
 commonLabels:
-  cluster.x-k8s.io/provider: infrastructure-kubernetes
   cluster.x-k8s.io/v1alpha2: v1alpha2
   cluster.x-k8s.io/v1alpha3: v1alpha3

config/default/kustomization.yaml

@@ -1,75 +1,8 @@
-# Adds namespace to all resources.
 namespace: capk-system
 
-# Value of this field is prepended to the
-# names of all resources, e.g. a deployment named
-# "wordpress" becomes "alices-wordpress".
-# Note that it should also match with the prefix (text before '-') of the namespace
-# field above.
-namePrefix: capk-
-
-# Labels to add to all resources and selectors.
-#commonLabels:
-#  someName: someValue
+resources:
+- namespace.yaml
 
 bases:
-- ../crd
 - ../rbac
 - ../manager
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml
-- ../webhook
-# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
-- ../certmanager
-# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. 
-#- ../prometheus
-
-patchesStrategicMerge:
-  # Protect the /metrics endpoint by putting it behind auth.
-  # Only one of manager_auth_proxy_patch.yaml and
-  # manager_prometheus_metrics_patch.yaml should be enabled.
-- manager_auth_proxy_patch.yaml
-  # If you want your controller-manager to expose the /metrics
-  # endpoint w/o any authn/z, uncomment the following line and
-  # comment manager_auth_proxy_patch.yaml.
-  # Only one of manager_auth_proxy_patch.yaml and
-  # manager_prometheus_metrics_patch.yaml should be enabled.
-#- manager_prometheus_metrics_patch.yaml
-
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml
-- manager_webhook_patch.yaml
-
-# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
-# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
-# 'CERTMANAGER' needs to be enabled to use ca injection
-- mutatingwebhookcainjection_patch.yaml
-#- validatingwebhookcainjection_patch.yaml
-
-# the following config is for teaching kustomize how to do var substitution
-vars:
-# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
-- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
-  objref:
-    kind: Certificate
-    group: cert-manager.io
-    version: v1alpha2
-    name: serving-cert # this name should match the one in certificate.yaml
-  fieldref:
-    fieldpath: metadata.namespace
-- name: CERTIFICATE_NAME
-  objref:
-    kind: Certificate
-    group: cert-manager.io
-    version: v1alpha2
-    name: serving-cert # this name should match the one in certificate.yaml
-- name: SERVICE_NAMESPACE # namespace of the service
-  objref:
-    kind: Service
-    version: v1
-    name: webhook-service
-  fieldref:
-    fieldpath: metadata.namespace
-- name: SERVICE_NAME
-  objref:
-    kind: Service
-    version: v1
-    name: webhook-service

config/default/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    control-plane: controller-manager
+  name: system

config/kustomization.yaml

@@ -0,0 +1,29 @@
+namePrefix: capk-
+
+commonLabels:
+  cluster.x-k8s.io/provider: infrastructure-kubernetes
+
+bases:
+- crd
+- webhook # Disable this if you're not using the webhook functionality.
+- default
+
+patchesJson6902:
+- target:
+    group: apiextensions.k8s.io
+    version: v1
+    kind: CustomResourceDefinition
+    name: kubernetesclusters.infrastructure.lukeaddison.co.uk
+  path: patch_crd_webhook_namespace.yaml
+- target:
+    group: apiextensions.k8s.io
+    version: v1
+    kind: CustomResourceDefinition
+    name: kubernetesmachines.infrastructure.lukeaddison.co.uk
+  path: patch_crd_webhook_namespace.yaml
+- target:
+    group: apiextensions.k8s.io
+    version: v1
+    kind: CustomResourceDefinition
+    name: kubernetesmachinetemplates.infrastructure.lukeaddison.co.uk
+  path: patch_crd_webhook_namespace.yaml

config/manager/kustomization.yaml

@@ -1,8 +1,13 @@
-resources:
-- manager.yaml
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-images:
-- name: controller
-  newName: dippynark/cluster-api-kubernetes-controller
-  newTag: dev
+resources:
+- manager.yaml
+patchesStrategicMerge:
+- manager_pull_policy.yaml
+  # Protect the /metrics endpoint by putting it behind auth. Only one of
+  # manager_auth_proxy_patch.yaml and manager_prometheus_metrics_patch.yaml should be enabled.
+- manager_auth_proxy_patch.yaml
+  # If you want your controller-manager to expose the /metrics endpoint w/o any authn/z, uncomment
+  # the following line and comment manager_auth_proxy_patch.yaml. Only one of
+  # manager_auth_proxy_patch.yaml and manager_prometheus_metrics_patch.yaml should be enabled.
+# - manager_prometheus_metrics_patch.yaml

config/manager/manager.yaml

@@ -1,10 +1,3 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    control-plane: controller-manager
-  name: system
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -32,5 +25,5 @@ spec:
         resources:
           requests:
             cpu: 100m
-            memory: 20Mi
+            memory: 100Mi
       terminationGracePeriodSeconds: 10

config/default/manager_auth_proxy_patch.yaml → config/manager/manager_auth_proxy_patch.yaml

@@ -7,6 +7,11 @@ metadata:
   namespace: system
 spec:
   template:
+    metadata:
+      annotations:
+        prometheus.io/scrape: 'true'
+        prometheus.io/scheme: https
+        prometheus.io/port: '8443'
     spec:
       containers:
       - name: kube-rbac-proxy

config/manager/manager_prometheus_metrics_patch.yaml

@@ -0,0 +1,20 @@
+# This patch enables Prometheus scraping for the manager pod.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    metadata:
+      annotations:
+        prometheus.io/scrape: 'true'
+        prometheus.io/port: '8080'
+    spec:
+      containers:
+      # Expose the prometheus metrics on default port
+      - name: manager
+        ports:
+        - containerPort: 8080
+          name: metrics
+          protocol: TCP