diff --git a/charts/etcdctl-utility/Chart.yaml b/charts/etcdctl-utility/Chart.yaml
new file mode 100644
index 00000000..8082df41
--- /dev/null
+++ b/charts/etcdctl-utility/Chart.yaml
@@ -0,0 +1,18 @@
+# Copyright 2019 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+description: etcdctl Client
+name: etcdctl-utility
+version: 0.1.0
diff --git a/charts/etcdctl-utility/requirements.yaml b/charts/etcdctl-utility/requirements.yaml
new file mode 100644
index 00000000..e69c985d
--- /dev/null
+++ b/charts/etcdctl-utility/requirements.yaml
@@ -0,0 +1,18 @@
+# Copyright 2019 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: helm-toolkit
+ repository: http://localhost:8879/charts
+ version: 0.1.0
diff --git a/charts/etcdctl-utility/templates/bin/_bootstrap.sh.tpl b/charts/etcdctl-utility/templates/bin/_bootstrap.sh.tpl
new file mode 100644
index 00000000..4b5d093a
--- /dev/null
+++ b/charts/etcdctl-utility/templates/bin/_bootstrap.sh.tpl
@@ -0,0 +1,19 @@
+#!/bin/bash
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+set -ex
+sudo /tmp/start.sh
+tail -f /var/log/syslog
diff --git a/charts/etcdctl-utility/templates/bin/_start.sh.tpl b/charts/etcdctl-utility/templates/bin/_start.sh.tpl
new file mode 100644
index 00000000..c7288d2f
--- /dev/null
+++ b/charts/etcdctl-utility/templates/bin/_start.sh.tpl
@@ -0,0 +1,24 @@
+#!/bin/bash
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+set -ex
+sed -i 's/$PrivDropToUser syslog/$PrivDropToUser nobody/' /etc/rsyslog.conf
+/etc/init.d/rsyslog start
+
+sed -i "/rootwrap_logger.setLevel/s/.*/#&/" /usr/lib/python2.7/dist-packages/oslo_rootwrap/wrapper.py
+sed -i "/handler.setFormatter/s/.*/#&/" /usr/lib/python2.7/dist-packages/oslo_rootwrap/wrapper.py
+sed -i "/os.path.basename/s/.*/#&/" /usr/lib/python2.7/dist-packages/oslo_rootwrap/wrapper.py
+sed -i "/rootwrap_logger.addHandler/s/.*/#&/" /usr/lib/python2.7/dist-packages/oslo_rootwrap/wrapper.py
diff --git a/charts/etcdctl-utility/templates/bin/_utilscli-sudo.tpl b/charts/etcdctl-utility/templates/bin/_utilscli-sudo.tpl
new file mode 100644
index 00000000..1d2920c6
--- /dev/null
+++ b/charts/etcdctl-utility/templates/bin/_utilscli-sudo.tpl
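Review bot: The four `sed -i` edits in `_start.sh.tpl` comment out lines of the installed `oslo_rootwrap/wrapper.py` by substring match, and sed exits 0 when nothing matches, so `set -e` will not catch a package update that moves or renames those lines; the path is also pinned to `python2.7`. Matching on `os.path.basename` comments out every line containing that text, which may reach beyond the logging setup. Consider applying the patch once at image build time and checking that it took effect, e.g. `grep -q '^#.*rootwrap_logger.addHandler' "$WRAPPER" || exit 1`. A comment above the block should state why rootwrap's own handler is disabled (presumably so the wrapper script's SysLogHandler is the only one; confirm).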
@@ -0,0 +1,16 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+nobody ALL=SETENV: NOPASSWD: /tmp/start.sh, /tmp/bootstrap.sh, /usr/local/bin/etcdctl-utility-rootwrap /etc/etcdctl-utility/rootwrap.conf *
diff --git a/charts/etcdctl-utility/templates/bin/utility/_etcdctl-utility-rootwrap.tpl b/charts/etcdctl-utility/templates/bin/utility/_etcdctl-utility-rootwrap.tpl
new file mode 100644
index 00000000..77c25c8f
--- /dev/null
+++ b/charts/etcdctl-utility/templates/bin/utility/_etcdctl-utility-rootwrap.tpl
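Review bot: The `SETENV:` tag on the sudoers entry in `_utilscli-sudo.tpl`, combined with `sudo -E` in `utilscli`, lets the unprivileged `nobody` user choose the whole environment of a Python script that runs as root, which weakens the rootwrap command filter as a boundary. Only `AUSER` appears to be needed by the wrapper, so prefer dropping `SETENV:` and adding `Defaults env_keep += "AUSER"`, with `utilscli` calling plain `sudo`. The entries for `/tmp/start.sh` and `/tmp/bootstrap.sh` grant root on paths under `/tmp`; the Deployment mounts them read-only from ConfigMaps, but a fixed path outside `/tmp` would not depend on that mount being present.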
@@ -0,0 +1,59 @@ +#!/usr/bin/python +{{/* + Copyright 2019 The Openstack-Helm Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + */}} +# PBR Generated from u'console_scripts' +import logging +import os +import sys + +from oslo_rootwrap.cmd import main + +exec_name = sys.argv[0] +host_name = os.environ.get("HOSTNAME") +log_level = {{ + .Values.conf.etcdctlrootwrapconf.DEFAULT.syslog_log_level | quote}} +facility = {{ + .Values.conf.etcdctlrootwrapconf.DEFAULT.syslog_log_facility | quote}} + +if "AUSER" in os.environ: + user_id = os.environ["AUSER"] +elif {{.Values.conf.utility.always_log_user | quote}} == 'true': + user_id = 'development site' +else: + print("No username set in AUSER environment variable, " + + "for security reasons access restricted from " + + "connecting to container.") + exit() + +try: + handler = logging.handlers.SysLogHandler( + address='/dev/log', facility=facility) +except IOError: + print("Unable to setup logging, for security " + + "reasons access restricted from connecting to container.") + exit() + +formatter = logging.Formatter( + '%(asctime)s ' + host_name + ' ' + + '%(levelname)s' + os.path.basename(exec_name) + ': ' + + 'ActualUser=' + user_id + ': %(message)s') +handler.setFormatter(formatter) +root = logging.getLogger() +root.setLevel(log_level) +root.addHandler(handler) + +if __name__ == "__main__": + sys.exit(main()) 
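Review bot: `AUSER` is taken from the caller's environment and concatenated unchanged into the `logging.Formatter` format string, so a value containing `%` or control characters can break or falsify the `ActualUser=` field of the audit line; restrict it to a safe token before use, or at least escape it with `user_id = os.environ["AUSER"].replace('%', '%%')`. Both refusal paths call `exit()`, which returns status 0; use `sys.exit(1)` so callers see the denial as a failure. `logging.handlers` is used without `import logging.handlers` and appears to work only because `oslo_rootwrap` imports it, and `host_name` is `None` when `HOSTNAME` is unset, which makes the string concatenation raise.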
diff --git a/charts/etcdctl-utility/templates/bin/utility/_utilscli.tpl b/charts/etcdctl-utility/templates/bin/utility/_utilscli.tpl
new file mode 100644
index 00000000..8701005d
--- /dev/null
+++ b/charts/etcdctl-utility/templates/bin/utility/_utilscli.tpl
@@ -0,0 +1,17 @@
+#!/bin/bash
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+script -f -a -q /var/log/syslog -c "sudo -E /usr/local/bin/etcdctl-utility-rootwrap /etc/etcdctl-utility/rootwrap.conf $*"
diff --git a/charts/etcdctl-utility/templates/configmap-bin.yaml b/charts/etcdctl-utility/templates/configmap-bin.yaml
new file mode 100644
index 00000000..d90c9d2d
--- /dev/null
+++ b/charts/etcdctl-utility/templates/configmap-bin.yaml
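Review bot: `$*` is expanded inside the double-quoted `-c` string in `_utilscli.tpl`, so the arguments are parsed a second time by the shell that `script` starts: the caller's quoting is lost and shell metacharacters in an argument are interpreted instead of being passed to rootwrap. Re-quote the arguments when building the command, e.g. `"sudo -E /usr/local/bin/etcdctl-utility-rootwrap /etc/etcdctl-utility/rootwrap.conf $(printf '%q ' "$@")"` (this assumes `script` runs bash, since `%q` emits bash quoting). `script -a /var/log/syslog` also needs the log file to be writable by the invoking `nobody` user, so the audited user can alter its own audit trail; shipping the log off the pod would address that.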
@@ -0,0 +1,50 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.configmap_bin .Values.deployment.etcdctl }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ printf "%s-%s" $envAll.Release.Name "bin" }}
+data:
+{{- if .Values.images.local_registry.active }}
+ image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
+
+ start.sh: |
+{{ tuple "bin/_start.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+
+ etcdctl-utility-rootwrap: |
+{{ tuple "bin/utility/_etcdctl-utility-rootwrap.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ printf "%s-%s" $envAll.Release.Name "bin-utilscli" }}
+data:
+ utilscli: |
+{{ tuple "bin/utility/_utilscli.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+
+{{- if .Values.bootstrap.enabled }}
+ bootstrap.sh: |
+{{ tuple "bin/_bootstrap.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
+
+{{- end }}
+
diff --git a/charts/etcdctl-utility/templates/configmap-etc-sudoers.yaml b/charts/etcdctl-utility/templates/configmap-etc-sudoers.yaml
new file mode 100644
index 00000000..0523230f
--- /dev/null
+++ b/charts/etcdctl-utility/templates/configmap-etc-sudoers.yaml
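Review bot: `bootstrap.sh` in `configmap-bin.yaml` is rendered only when `.Values.bootstrap.enabled` is true, but the Deployment in this change always mounts it with `subPath: bootstrap.sh` and runs `/tmp/bootstrap.sh` as the container command, so `bootstrap.enabled: false` would leave the pod unable to start. Either drop the condition or gate the mount and the command on the same value. `bootstrap.sh` and `utilscli` live in a second ConfigMap that the Deployment mounts with mode 0755, while `start.sh` and the rootwrap script are mounted 0500; if that split is deliberate, say so above the second ConfigMap, e.g. `{{/* Scripts run directly by the unprivileged user; root-only scripts stay in the "bin" ConfigMap. */}}`.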
@@ -0,0 +1,27 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.configmap_etc_sudoers .Values.deployment.etcdctl }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ printf "%s-%s" $envAll.Release.Name "sudoers" }}
+data:
+ utilscli-sudo: |
+{{ tuple "bin/_utilscli-sudo.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
diff --git a/charts/etcdctl-utility/templates/configmap-etc.yaml b/charts/etcdctl-utility/templates/configmap-etc.yaml
new file mode 100644
index 00000000..35ad0649
--- /dev/null
+++ b/charts/etcdctl-utility/templates/configmap-etc.yaml
@@ -0,0 +1,42 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.configmap_etc_client .Values.deployment.etcdctl }}
+{{- $envAll := . }}
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ printf "%s-%s" $envAll.Release.Name "etc" }}
+data:
+ rootwrap.conf: |
+{{ include "helm-toolkit.utils.to_ini" .Values.conf.etcdctlrootwrapconf | indent 4 }}
+ etcdctl-rootwrap-filter: |
+{{ include "helm-toolkit.utils.to_ini" .Values.conf.etcdctlfilter | indent 4 }}
+
+ etcdctl.cfg: |
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ spec:
+ datastoreType: "etcdv3"
+ etcdEndpoints: {{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+ etcdCertFile: {{ .Values.endpoints.etcd.auth.client.path.crt }}
+ etcdCACertFile: {{ .Values.endpoints.etcd.auth.client.path.ca }}
+ etcdKeyFile: {{ .Values.endpoints.etcd.auth.client.path.key }}
+
+{{- end }}
diff --git a/charts/etcdctl-utility/templates/deployment-etcdctl-utility.yaml b/charts/etcdctl-utility/templates/deployment-etcdctl-utility.yaml
new file mode 100644
index 00000000..ed1d5120
--- /dev/null
+++ b/charts/etcdctl-utility/templates/deployment-etcdctl-utility.yaml
@@ -0,0 +1,168 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if and .Values.manifests.deployment_etcdctl_utility ( and .Values.deployment.etcdctl) }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := printf "%s" $envAll.Release.Name }}
+{{ tuple $envAll "utility" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: {{ $serviceAccountName }}
+rules:
+ - apiGroups: [""]
+ resources:
+ - namespaces
+ - nodes
+ - pods
+ - persistentvolumeclaims
+ - persistentvolumes
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ $serviceAccountName }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ $serviceAccountName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $envAll.Release.Namespace }}
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ name: {{ printf "%s" $envAll.Release.Name }}
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+{{ tuple $envAll "utility" "etcdctl-util" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ replicas: {{ .Values.pod.replicas.utility }}
+ selector:
+ matchLabels:
+{{ tuple $envAll "utility" "etcdctl-util" | include
"helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+ template:
+ metadata:
+ name: {{ printf "%s" $envAll.Release.Name }}
+ labels:
+{{ tuple $envAll "utility" "etcdctl-util" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+ annotations:
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ spec:
+ securityContext:
+ runAsUser: 65534
+ serviceAccountName: {{ $serviceAccountName }}
+ affinity:
+{{ tuple $envAll "etcdctl" "utility" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
+ nodeSelector:
+ {{ .Values.labels.utility.node_selector_key }}: {{ .Values.labels.utility.node_selector_value }}
+ containers:
+ - name: {{ printf "%s" $envAll.Release.Name }}
+{{ tuple $envAll "etcdctl_utility" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.etcdctl_utility | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: ETCDCTL_API
+ value: "{{ .Values.conf.etcd.etcdctl_api }}"
+ - name: ETCDCTL_DIAL_TIMEOUT
+ value: 10s
+ - name: ETCDCTL_CACERT
+ value: /etc/kubernetes/apiserver/pki/etcd-client-ca.pem
+ - name: ETCDCTL_CERT
+ value: /etc/kubernetes/apiserver/pki/etcd-client.pem
+ - name: ETCDCTL_KEY
+ value: /etc/kubernetes/apiserver/pki/etcd-client-key.pem
+ - name: ETCDCTL_ENDPOINTS
+ value: https://{{ .Values.conf.etcd.endpoints }}:{{ .Values.endpoints.etcd.port.client.default }}
+ command:
+ - /tmp/bootstrap.sh
+ volumeMounts:
+ - name: etcdctl-etcd-secrets
+ mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }}
+ subPath: tls.ca
+ readOnly: true
+ - name: etcdctl-etcd-secrets
+ mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }}
+ subPath: tls.crt
+ readOnly: true
+ - name: etcdctl-etcd-secrets
+ mountPath:
{{ .Values.endpoints.etcd.auth.client.path.key }}
+ subPath: tls.key
+ readOnly: true
+ - name: etcdctl-utility-bin-utilscli
+ mountPath: /tmp/bootstrap.sh
+ subPath: bootstrap.sh
+ readOnly: true
+ - name: etcdctl-utility-bin
+ mountPath: /tmp/start.sh
+ subPath: start.sh
+ readOnly: true
+ - name: etcdctl-utility-bin-utilscli
+ mountPath: /usr/local/bin/utilscli
+ subPath: utilscli
+ readOnly: true
+ - name: etcdctl-utility-bin
+ mountPath: /usr/local/bin/etcdctl-utility-rootwrap
+ subPath: etcdctl-utility-rootwrap
+ readOnly: true
+ - name: etcdctl-utility-sudoers
+ mountPath: /etc/sudoers.d/utilscli-sudo
+ subPath: utilscli-sudo
+ readOnly: true
+ - name: etcdctl-utility-etc
+ mountPath: /etc/etcdctl-utility/rootwrap.d/etcdctl-rootwrap-filter
+ subPath: etcdctl-rootwrap-filter
+ readOnly: true
+ - name: etcdctl-utility-etc
+ mountPath: /etc/etcdctl-utility/rootwrap.conf
+ subPath: rootwrap.conf
+ readOnly: true
+ - name: etcdctl-utility-etc
+ mountPath: /etc/etcd/etcdctl.cfg
+ subPath: etcdctl.cfg
+ readOnly: true
+ volumes:
+ - name: etcdctl-utility-sudoers
+ configMap:
+ name: {{ printf "%s-%s" $envAll.Release.Name "sudoers" }}
+ defaultMode: 0644
+ - name: etcdctl-utility-bin
+ configMap:
+ name: {{ printf "%s-%s" $envAll.Release.Name "bin" }}
+ defaultMode: 0500
+ - name: etcdctl-utility-etc
+ configMap:
+ name: {{ printf "%s-%s" $envAll.Release.Name "etc" }}
+ defaultMode: 0400
+ - name: etcdctl-utility-bin-utilscli
+ configMap:
+ name: {{ printf "%s-%s" $envAll.Release.Name "bin-utilscli" }}
+ defaultMode: 0755
+ - name: etcdctl-etcd-secrets
+ secret:
+ secretName: etcdctl-etcd-secrets
+ defaultMode: 0444
+{{- end }}
diff --git a/charts/etcdctl-utility/templates/job-image-repo-sync.yaml b/charts/etcdctl-utility/templates/job-image-repo-sync.yaml
new file mode 100644
index 00000000..f7671f4f
--- /dev/null
+++ b/charts/etcdctl-utility/templates/job-image-repo-sync.yaml
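Review bot: The `etcdctl-etcd-secrets` volume in `deployment-etcdctl-utility.yaml` uses `defaultMode: 0444`, so the etcd client key is readable by the container's `runAsUser: 65534`, and with the `ETCDCTL_*` variables already in the pod environment the rootwrap filter and its audit log are no longer the only route to etcd. `defaultMode: 0400` would keep the key readable only by the root process started through sudo (assuming no `fsGroup` changes ownership). The ClusterRole grants `get`, `list`, `watch` and `create` on namespaces, nodes, pods, PVCs and PVs cluster-wide, which nothing visible in this chart appears to use; remove the rules that are not needed, `create` first. The `ETCDCTL_CACERT`, `ETCDCTL_CERT` and `ETCDCTL_KEY` values are hard-coded while the mounts use `.Values.endpoints.etcd.auth.client.path.*`, so overriding the paths would leave the client pointing at files that are not mounted.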
@@ -0,0 +1,21 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "etcdctl-utility" -}}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
diff --git a/charts/etcdctl-utility/templates/secret-etcd-certificates.yaml b/charts/etcdctl-utility/templates/secret-etcd-certificates.yaml
new file mode 100644
index 00000000..742cfbec
--- /dev/null
+++ b/charts/etcdctl-utility/templates/secret-etcd-certificates.yaml
@@ -0,0 +1,30 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_certificates }}
+{{- $envAll := . }}
+---
+
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/tls
+metadata:
+ name: etcdctl-etcd-secrets
+data:
+ tls.ca: {{ .Values.endpoints.etcd.auth.client.tls.ca | default "" | b64enc }}
+ tls.key: {{ .Values.endpoints.etcd.auth.client.tls.key | default "" | b64enc }}
+ tls.crt: {{ .Values.endpoints.etcd.auth.client.tls.crt | default "" | b64enc }}
+{{- end }}
diff --git a/charts/etcdctl-utility/values.yaml b/charts/etcdctl-utility/values.yaml
new file mode 100644
index 00000000..a7ed8cbc
--- /dev/null
+++ b/charts/etcdctl-utility/values.yaml
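Review bot: Each field in `secret-etcd-certificates.yaml` falls back to `default ""`, and `values.yaml` ships `crt`, `ca` and `key` as `null`, so an install without overrides creates a `kubernetes.io/tls` Secret with empty key material and the failure only surfaces later in etcdctl. Fail at render time instead, e.g. `tls.key: {{ required "endpoints.etcd.auth.client.tls.key is required" .Values.endpoints.etcd.auth.client.tls.key | b64enc }}`, and likewise for `tls.crt` and `tls.ca`. The Secret name `etcdctl-etcd-secrets` is fixed rather than derived from `.Release.Name` like the ConfigMaps, so two releases in one namespace would collide. `{{- $envAll := . }}` is not used in this template.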
@@ -0,0 +1,199 @@
+# Copyright 2019 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for etcdctl-utility.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+# name: value
+
+
+deployment:
+ etcdctl: true
+
+release_group: null
+
+images:
+ pull_policy: IfNotPresent
+ tags:
+ etcdctl_utility: 'quay.io/airshipit/porthole-etcdctl-utility:latest-ubuntu_xenial'
+ image_repo_sync: docker.io/docker:18.09.02
+ pull_policy: "IfNotPresent"
+ local_registry:
+ active: false
+ exclude:
+ - dep_check
+ - image_repo_sync
+
+labels:
+ utility:
+ node_selector_key: util-etcdctl
+ node_selector_value: enabled
+ job:
+ node_selector_key: openstack-helm-node-class
+ node_selector_value: primary
+
+pod:
+ dns_policy: "ClusterFirstWithHostNet"
+ replicas:
+ utility: 1
+ affinity:
+ anti:
+ type:
+ default: preferredDuringSchedulingIgnoredDuringExecution
+ topologyKey:
+ default: kubernetes.io/hostname
+ resources:
+ enabled: false
+ utility:
+ requests:
+ memory: "128Mi"
+ cpu: "250m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ jobs:
+ bootstrap:
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ requests:
+ memory: "128Mi"
+ cpu: "500m"
+ image_repo_sync:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+ test:
+ etcdctl:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+conf:
+ etcdctlfilter:
+ Filters:
+ # etcdctl-rootwrap
command filters for etcdctl utility container
+ # This file should be owned by (and only-writeable by) the root user
+ etcdctl: CommandFilter, etcdctl, root
+ etcdctlrootwrapconf:
+ DEFAULT:
+ # Configuration for etcdctl-rootwrap
+ # This file should be owned by (and only-writeable by) the root user
+ # List of directories to load filter definitions from (separated by ',').
+ # These directories MUST all be only writeable by root !
+ filters_path: /etc/etcdctl-utility/rootwrap.d
+ # List of directories to search executables in, in case filters do not
+ # explicitely specify a full path (separated by ',')
+ # If not specified, defaults to system PATH environment variable.
+ # These directories MUST all be only writeable by root !
+ exec_dirs: /sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin
+ # Enable logging to syslog
+ # Default value is False
+ use_syslog: True
+ # Which syslog facility to use.
+ # Valid values include auth, authpriv, syslog, local0, local1...
+ # Default value is 'syslog'
+ syslog_log_facility: syslog
+ # Which messages to log.
+ # INFO means log all usage
+ # ERROR means only log unsuccessful attempts
+ syslog_log_level: INFO
+ etcd:
+ endpoints: kubernetes-etcd.kube-system.svc.cluster.local
+ etcdctl_api: "3"
+ utility:
+ location_corridor: c1
+ # Set to true for development sites,
+ # Set to false otherwise
+ always_log_user: true
+
+dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - etcdctl-utility-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ image_repo_sync:
+ services:
+ - endpoint: internal
+ service: local_image_registry
+ etcdctl_utility:
+ services:
+ - endpoint: internal
+ service: kubernetes-etcd
+
+bootstrap:
+ enabled: true
+
+endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+ etcd:
+ auth:
+ client:
+ tls:
+ crt: null
+ ca: null
+ key: null
+ path:
+ crt: /etc/kubernetes/apiserver/pki/etcd-client.pem
+ ca: /etc/kubernetes/apiserver/pki/etcd-client-ca.pem
+ key: /etc/kubernetes/apiserver/pki/etcd-client-key.pem
+ scheme:
+ default: https
+ path:
+ default: ' ' # space required to provide a truly empty path
+ hosts:
+ default: 10.96.0.2
+ host_fqdn_override:
+ default: null
+ service:
+ name: null
+ port:
+ client:
+ default: 2379
+ peer:
+ default: 2380
+
+monitoring:
+ prometheus:
+ enabled: true
+
+manifests:
+ configmap_bin: true
+ configmap_etc_client: true
+ configmap_etc_sudoers: true
+ deployment_etcdctl_utility: true
+ job_image_repo_sync: false
+ secret_certificates: true
diff --git a/images/etcdctl-utility/Dockerfile.ubuntu_xenial b/images/etcdctl-utility/Dockerfile.ubuntu_xenial
new file mode 100644
index 00000000..34918045
--- /dev/null
+++ b/images/etcdctl-utility/Dockerfile.ubuntu_xenial
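Review bot: `conf.utility.always_log_user` defaults to `true` in `values.yaml`, which the rootwrap wrapper treats as permission to run without `AUSER` and to log the user as `development site`, so the chart's default is the non-attributing mode; default it to `false` and let development sites opt in. The `etcdctl_utility` image uses the mutable tag `latest-ubuntu_xenial` together with `pull_policy: IfNotPresent`, so nodes can end up running different builds; pin a digest or an immutable tag. `pull_policy` appears twice near the top of `images:` (indentation is not recoverable in this view, so confirm it is not a duplicate key), and the Deployment reads `pod.resources.etcdctl_utility` while this file defines `pod.resources.utility`.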
@@ -0,0 +1,42 @@
+ARG FROM=ubuntu:16.04
+FROM ${FROM}
+
+LABEL org.opencontainers.image.authors='airship-discuss@lists.airshipit.org, irc://#airshipit@freenode' \
+ org.opencontainers.image.url='https://airshipit.org' \
+ org.opencontainers.image.documentation='https://opendev.org/airship/porthole' \
+ org.opencontainers.image.source='https://opendev.org/airship/porthole' \
+ org.opencontainers.image.vendor='The Airship Authors' \
+ org.opencontainers.image.licenses='Apache-2.0'
+
+ARG ETCDCTL_VERSION=3.3.12
+
+RUN set -xe && \
+ export DEBIAN_FRONTEND=noninteractive && \
+ sed -i '/nobody/d' /etc/passwd && \
+ echo "nobody:x:65534:65534:nobody:/nonexistent:/bin/bash" >> /etc/passwd && \
+ apt-get update && \
+ apt-get install -y \
+ wget curl \
+ apt-transport-https \
+ ca-certificates \
+ gnupg && \
+ apt-get install -y \
+ bash \
+ moreutils \
+ python-oslo.rootwrap \
+ python3-oslo.rootwrap \
+ screen \
+ sudo \
+ rsyslog \
+ vim && \
+ TMP_DIR=$(mktemp --directory) && \
+ cd ${TMP_DIR} && \
+ curl -sSL https://github.com/coreos/etcd/releases/download/v${ETCDCTL_VERSION}/etcd-v${ETCDCTL_VERSION}-linux-amd64.tar.gz \
+ | tar xfz - && \
+ mv ${TMP_DIR}/etcd-v${ETCDCTL_VERSION}-linux-amd64/etcdctl /usr/local/bin/etcdctl && \
+ chmod +xr /usr/local/bin/etcdctl && \
+ apt-get clean -y && \
+ rm -rf \
+ /var/lib/apt/lists/* \
+ ${TMP_DIR}
+CMD ["/bin/bash"]
diff --git a/images/etcdctl-utility/README.md b/images/etcdctl-utility/README.md
new file mode 100644
index 00000000..ec5d3e07
--- /dev/null
+++ b/images/etcdctl-utility/README.md
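Review bot: The etcd release tarball in `Dockerfile.ubuntu_xenial` is piped from `curl` straight into `tar` with no integrity check, so the image trusts whatever the download returns. Download to a file, verify it against a pinned SHA-256 passed as a build argument, and only then extract. The `nobody` account is also given `/bin/bash` as its shell and the image installs `screen`, `vim`, `wget` and both the Python 2 and Python 3 rootwrap packages; trimming what the utility does not need reduces what is available inside the pod.

```dockerfile
# Placeholder: set to the published SHA-256 of the v${ETCDCTL_VERSION} linux-amd64 tarball.
ARG ETCDCTL_SHA256
# … unchanged: package installation, TMP_DIR creation …
    curl -sSLo etcd.tar.gz https://github.com/coreos/etcd/releases/download/v${ETCDCTL_VERSION}/etcd-v${ETCDCTL_VERSION}-linux-amd64.tar.gz && \
    echo "${ETCDCTL_SHA256}  etcd.tar.gz" | sha256sum -c - && \
    tar xfz etcd.tar.gz && \
# … unchanged: mv, chmod, cleanup …
```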
@@ -0,0 +1,70 @@
+# etcdctl utility Container
+
+## Prerequisites: Deploy Airship in a Bottle(AIAB)
+
+To get started, run the following in a fresh Ubuntu 16.04 VM (minimum 4vCPU/20GB RAM/32GB disk).
+This will deploy Airship and Openstack Helm (OSH).
+
+1. Add the below to /etc/sudoers
+
+```
+root ALL=(ALL) NOPASSWD: ALL
+ubuntu ALL=(ALL) NOPASSWD: ALL
+```
+
+2. Install the latest versions of Git, CA Certs & bundle & Make if necessary
+
+```
+set -xe \
+sudo apt-get update \
+sudo apt-get install --no-install-recommends -y \
+ca-certificates \
+git \
+make \
+jq \
+nmap \
+curl \
+uuid-runtime
+```
+
+## Deploy Airship in a Bottle(AIAB)
+
+Deploy AirShip in a Bottle(AIAB) which will deploy etcdctl-utility pod.
+
+```
+sudo -i \
+mkdir -p root/deploy && cd "$_" \
+git clone https://opendev.org/airship/treasuremap \
+cd /root/deploy/treasuremap/tools/deployment/aiab \
+./airship-in-a-bottle.sh
+```
+
+## Usage and Test
+
+Get in to the etcdctl-utility pod using kubectl exec.
+To perform any operation use the below example.
+ +``` +$kubectl exec -it -n utility -- /bin/bash +``` + +example: + +``` +utilscli etcdctl member list +utilscli etcdctl endpoint health +utilscli etcdctl endpoint status + +nobody@airship-etcdctl-utility-998b4f4d6-65x6d:/$ utilscli etcdctl member list +90d1b75fa1b31b89, started, ubuntu, https://10.0.2.15:2380, https://10.0.2.15:2379 +ab1f60375c5ef1d3, started, auxiliary-1, https://10.0.2.15:22380, https://10.0.2.15:22379 +d8ed590018245b3c, started, auxiliary-0, https://10.0.2.15:12380, https://10.0.2.15:12379 +nobody@airship-etcdctl-utility-998b4f4d6-65x6d:/$ utilscli etcdctl endpoint health +https://kubernetes-etcd.kube-system.svc.cluster.local:2379 is healthy: +successfully committed proposal: took = 1.787714ms +nobody@airship-etcdctl-utility-998b4f4d6-65x6d:/$ utilscli etcdctl alarm list +nobody@airship-etcdctl-utility-998b4f4d6-65x6d:/$ utilscli etcdctl version +etcdctl version: 3.3.12 +API version: 3.3 +nobody@airship-etcdctl-utility-998b4f4d6-65x6d:/$ +``` diff --git a/zuul.d/base.yaml b/zuul.d/base.yaml index fb58c129..d1fda61c 100644 --- a/zuul.d/base.yaml +++ b/zuul.d/base.yaml @@ -16,19 +16,22 @@ check: jobs: - airship-porthole-linter - - airship-porthole-images-build-gate-mysqlclient-utility - airship-porthole-images-build-gate-ceph-utility + - airship-porthole-images-build-gate-etcdctl-utility + - airship-porthole-images-build-gate-mysqlclient-utility gate: jobs: - airship-porthole-linter - - airship-porthole-images-build-gate-mysqlclient-utility - airship-porthole-images-build-gate-ceph-utility + - airship-porthole-images-build-gate-etcdctl-utility + - airship-porthole-images-build-gate-mysqlclient-utility post: jobs: - - airship-porthole-images-publish-mysqlclient-utility - airship-porthole-images-publish-ceph-utility + - airship-porthole-images-publish-etcdctl-utility + - airship-porthole-images-publish-mysqlclient-utility - nodeset: name: airship-porthole-single-node 
diff --git a/zuul.d/etcdctl-utility.yaml b/zuul.d/etcdctl-utility.yaml
new file mode 100644
index 00000000..9ca7d514
--- /dev/null
+++ b/zuul.d/etcdctl-utility.yaml
@@ -0,0 +1,41 @@
+# Copyright 2019 AT&T Intellectual Property. All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- job:
+ name: airship-porthole-images-build-gate-etcdctl-utility
+ parent: &parent airship-porthole-images
+ vars:
+ image_name: &image_name porthole-etcdctl-utility
+ distro_suffix: &distro_suffix ubuntu_xenial
+ files:
+ - ^images/etcdctl-utility/.*$
+ - ^charts/etcdctl-utility/.*$
+ - ^Makefile$
+ - ^tools/.*$
+ - ^zuul.d/.*$
+
+- job:
+ name: airship-porthole-images-publish-etcdctl-utility
+ parent: *parent
+ secrets:
+ - name: quay_credentials
+ secret: quay_credentials
+ pass-to-parent: true
+ vars:
+ image_name: *image_name
+ distro_suffix: *distro_suffix
+ publish: true
+ tags:
+ dynamic:
+ commit: true