Use MachineConfigOperator instead of TNCO #232
@@ -42,8 +42,8 @@ const ( | |
rootCAKeyPath = "generated/tls/root-ca.key" | ||
serviceServingCACertPath = "generated/tls/service-serving-ca.crt" | ||
serviceServingCAKeyPath = "generated/tls/service-serving-ca.key" | ||
tncCertPath = "generated/tls/tnc.crt" | ||
tncKeyPath = "generated/tls/tnc.key" | ||
machineConfigServerCertPath = "generated/tls/machine-config-server.crt" | ||
machineConfigServerKeyPath = "generated/tls/machine-config-server.key" | ||
serviceAccountPubkeyPath = "generated/tls/service-account.pub" | ||
serviceAccountPrivateKeyPath = "generated/tls/service-account.key" | ||
) | ||
|
@@ -239,18 +239,18 @@ func (c *ConfigGenerator) GenerateTLSConfig(clusterDir string) error { | |
return fmt.Errorf("failed to generate kubelet certificate: %v", err) | ||
} | ||
|
||
// TNC certs | ||
tncDomain := fmt.Sprintf("%s-tnc.%s", c.Name, c.BaseDomain) | ||
// MachineConfigServer certs | ||
mcsDomain := fmt.Sprintf("%s-tnc.%s", c.Name, c.BaseDomain) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Do we want to update the template to There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. +1 There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. https://jira.coreos.com/browse/CORS-833 is going to consolidate the api endpoints. So left it for now. |
||
cfg = &tls.CertCfg{ | ||
ExtKeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, | ||
DNSNames: []string{tncDomain}, | ||
Subject: pkix.Name{CommonName: tncDomain}, | ||
DNSNames: []string{mcsDomain}, | ||
Subject: pkix.Name{CommonName: mcsDomain}, | ||
Validity: tls.ValidityTenYears, | ||
IsCA: false, | ||
} | ||
|
||
if _, _, err := generateCert(clusterDir, caKey, caCert, tncKeyPath, tncCertPath, cfg, false); err != nil { | ||
return fmt.Errorf("failed to generate tnc certificate: %v", err) | ||
if _, _, err := generateCert(clusterDir, caKey, caCert, machineConfigServerKeyPath, machineConfigServerCertPath, cfg, false); err != nil { | ||
return fmt.Errorf("failed to generate machine-config-server certificate: %v", err) | ||
} | ||
|
||
// Cluster API cert | ||
|
@@ -11,20 +11,32 @@ echo "Rendering Kubernetes core manifests..." | |||||||||||||||||||||||||||
--config=/assets/kco-config.yaml \ | ||||||||||||||||||||||||||||
--output=/assets | ||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||
echo "Rendering TNC manifests..." | ||||||||||||||||||||||||||||
echo "Rendering MCO manifests..." | ||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||
# shellcheck disable=SC2154 | ||||||||||||||||||||||||||||
/usr/bin/podman run \ | ||||||||||||||||||||||||||||
--user 0 \ | ||||||||||||||||||||||||||||
--volume "$PWD:/assets:z" \ | ||||||||||||||||||||||||||||
"${tnc_operator_image}" \ | ||||||||||||||||||||||||||||
--config=/assets/tnco-config.yaml \ | ||||||||||||||||||||||||||||
--render-bootstrap=true \ | ||||||||||||||||||||||||||||
--render-output=/assets/tnc-bootstrap | ||||||||||||||||||||||||||||
"${machine_config_operator_image}" \ | ||||||||||||||||||||||||||||
bootstrap \ | ||||||||||||||||||||||||||||
--etcd-ca=/assets/tls/etcd-client-ca.crt \ | ||||||||||||||||||||||||||||
--root-ca=/assets/tls/root-ca.crt \ | ||||||||||||||||||||||||||||
--config-file=/assets/manifests/cluster-config.yaml \ | ||||||||||||||||||||||||||||
--dest-dir=/assets/mco-bootstrap \ | ||||||||||||||||||||||||||||
--images-json-configmap=/assets/manifests/machine-config-operator-01-images-configmap.yaml | ||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||
mkdir -p /etc/kubernetes/manifests/ | ||||||||||||||||||||||||||||
cp "$PWD/tnc-bootstrap/tectonic-node-controller-pod.yaml" /etc/kubernetes/manifests/ | ||||||||||||||||||||||||||||
cp "$PWD/tnc-bootstrap/tectonic-node-controller-config.yaml" /etc/kubernetes/tnc-config | ||||||||||||||||||||||||||||
mkdir -p /etc/mcc/bootstrap/ | ||||||||||||||||||||||||||||
mkdir -p /etc/ssl/mcs/ | ||||||||||||||||||||||||||||
# Bootstrap MachineConfigController uses /etc/mcc/bootstrap/manifests/ dir to | ||||||||||||||||||||||||||||
# 1. read the controller config rendered by MachineConfigOperator | ||||||||||||||||||||||||||||
# 2. read the default MachineConfigPools rendered by MachineConfigOperator | ||||||||||||||||||||||||||||
# 3. read any additional MachineConfigs that are needed for the default MachineConfigPools. | ||||||||||||||||||||||||||||
cp -r "$PWD/mco-bootstrap/manifests" /etc/mcc/bootstrap/manifests | ||||||||||||||||||||||||||||
# /etc/ssl/mcs/tls.{crt, key} are locations for MachineConfigServer's tls assets. | ||||||||||||||||||||||||||||
cp "$PWD/tls/machine-config-server.crt" /etc/ssl/mcs/tls.crt | ||||||||||||||||||||||||||||
cp "$PWD/tls/machine-config-server.key" /etc/ssl/mcs/tls.key | ||||||||||||||||||||||||||||
cp "$PWD/mco-bootstrap/machineconfigoperator-bootstrap-pod.yaml" /etc/kubernetes/manifests/ | ||||||||||||||||||||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This doesn't appear to be a local file. Is it created by the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. We need special logic for some operators that we need for bootstrapping the cluster: installer/modules/bootkube/resources/bootkube.sh Lines 16 to 27 in 77cc46f
Everything else is already present in the correct directory There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
yes |
||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||
# We originally wanted to run the etcd cert signer as | ||||||||||||||||||||||||||||
# a static pod, but kubelet could't remove static pod | ||||||||||||||||||||||||||||
|
@@ -87,7 +99,7 @@ done | |||||||||||||||||||||||||||
echo "etcd cluster up. Killing etcd certificate signer..." | ||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||
/usr/bin/podman kill "$SIGNER" | ||||||||||||||||||||||||||||
rm /etc/kubernetes/manifests/tectonic-node-controller-pod.yaml | ||||||||||||||||||||||||||||
rm /etc/kubernetes/manifests/machineconfigoperator-bootstrap-pod.yaml | ||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||
cp -r "$PWD/bootstrap-configs" /etc/kubernetes/bootstrap-configs | ||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||
|
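Review bot: The MachineConfigServer private key lands on the host via a plain `cp "$PWD/tls/machine-config-server.key" /etc/ssl/mcs/tls.key`, so its mode is whatever the generated file under `$PWD/tls` happened to carry, and `mkdir -p /etc/ssl/mcs/` creates the directory with the default umask. I'd write the key with an explicit mode, `install -m 0600 "$PWD/tls/machine-config-server.key" /etc/ssl/mcs/tls.key`, or follow the cp with `chmod 0600 /etc/ssl/mcs/tls.key`, and consider `mkdir -p -m 0700 /etc/ssl/mcs/`. The pod manifest that consumes /etc/ssl/mcs is not in this hunk, so whether the server process reads the key as root needs confirming before tightening the directory mode. The script continues outside the hunk on both sides.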
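--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+name: openshift-machine-config-operator
+labels:
+name: openshift-machine-config-operator
+openshift.io/run-level: "1"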
This file was deleted.
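--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,24 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+# name must match the spec fields below, and be in the form: <plural>.<group>
+name: mcoconfigs.machineconfiguration.openshift.io
+spec:
+# group name to use for REST API: /apis/<group>/<version>
+group: machineconfiguration.openshift.io
+# list of versions supported by this CustomResourceDefinition
+versions:
+- name: v1
+# Each version can be enabled/disabled by Served flag.
+served: true
+# One and only one version must be marked as the storage version.
+storage: true
+# either Namespaced or Cluster
+scope: Namespaced
+names:
+# plural name to be used in the URL: /apis/<group>/<version>/<plural>
+plural: mcoconfigs
+# singular name to be used as an alias on the CLI and for display
+singular: mcoconfig
+# kind is normally the CamelCased singular type. Your resource manifests use this.
+kind: MCOConfig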
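Review bot: The CRD declares no `validation`/`openAPIV3Schema`, so the API server will accept any object of kind MCOConfig whatever its fields, and the operator is the only component that will notice a malformed or unexpected spec. If the consumers assume a particular shape, a schema under `spec.validation` (the v1beta1 location) lets admission reject bad input instead; the expected fields aren't visible in this change, so I can't propose one. Failing that, a one-line comment above `spec:` such as `# validation schema intentionally deferred until the MCOConfig fields settle` would make the choice explicit for the next reader.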
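--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+name: machine-config-operator-images
+namespace: openshift-machine-config-operator
+data:
+images.json: '{"machineConfigController": "openshift/origin-machine-config-controller:v4.0.0", "machineConfigDaemon": "openshift/origin-machine-config-daemon:v4.0.0", "machineConfigServer": "openshift/origin-machine-config-server:v4.0.0"}'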
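Review bot: The three images in `images.json` are referenced by the mutable tag `v4.0.0` (e.g. `openshift/origin-machine-config-controller:v4.0.0`), so what the bootstrap runs is whatever the registry serves under that tag at pull time, and a re-tag is indistinguishable from the intended build. If the release process can produce them, pinning by digest (`openshift/origin-machine-config-controller@sha256:<digest placeholder>`) makes this ConfigMap reproducible and verifiable; otherwise a comment above `images.json:` noting that the tags are rewritten by release tooling would tell the next reader the tag is a placeholder rather than a pin. The same consideration applies to the `machine_config_operator_image` value consumed by bootkube.sh, which isn't visible in this change.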
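--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,13 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+name: default-account-openshift-machine-config-operator
+subjects:
+- kind: ServiceAccount
+name: default
+namespace: openshift-machine-config-operator
+roleRef:
+kind: ClusterRole
+name: cluster-admin
+apiGroup: rbac.authorization.k8s.io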
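Review bot: The binding grants `cluster-admin` to the namespace's `default` ServiceAccount (`name: default` under subjects), so every pod scheduled into openshift-machine-config-operator without an explicit serviceAccountName inherits full cluster privileges, not only the operator. A dedicated ServiceAccount referenced from the operator's pod spec keeps the grant scoped to the workload that needs it; the subject would become something like `name: machine-config-operator` (constructed name) with a matching ServiceAccount manifest, which this commit does not include. Narrowing cluster-admin to the resources the operator actually touches is the further step, but the required verbs aren't visible here. `rbac.authorization.k8s.io/v1` could also replace the `v1beta1` apiVersion if the target clusters serve it.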
You probably want a separate commit rebuilding BUILD.bazel and cleaning this out of vendor/.
I used https://github.com/openshift/installer#go to create df62984. I didn't remove glide.lock, as I didn't want to update the whole world :/
Removing glide.lock wasn't too bad when I did it on 2018-08-30 in 2e835b0. But I'm fine punting the vendor/ cleanup down the road if you want.