From 7391e44b48d67d1b8de405be56d8f37e42360213 Mon Sep 17 00:00:00 2001 
From: Jacob LeGrone Date: Mon, 16 Jul 2018 13:27:52 -0400 Subject: [PATCH 01/10] Consolidate helm charts CHANGES: - Added an appVersion and icon to helm Chart.yaml - Refactored to use `required` in chart manifests rather than outputting an error message in notes - Namespaced `name` and `fullname` template partials to `vk` - Enabled rbac apiVersion configuration - Removed role-binding and service-account suffixes from resource names - Fixed bug where virtual-kubelet service account would not be bound to cluster role if chart was installed outside the default namespace - Removed hardcoded `azure` provider BREAKING CHANGES: - Virtual-Kubelet specific values previously nested under `env` are now declared at the top level of the values file. - Azure provider configuration values previously nested under `env` are now at `providers.azure` --- charts/virtual-kubelet-for-aks/Chart.yaml | 8 -- .../templates/NOTES.txt | 12 --- .../templates/_helpers.tpl | 16 ---- .../templates/clusterrolebinding.yaml | 14 ---- .../templates/deployment.yaml | 63 ---------------- .../templates/secrets.yaml | 19 ----- .../templates/serviceaccount.yaml | 6 -- charts/virtual-kubelet-for-aks/values.yaml | 25 ------- charts/virtual-kubelet/Chart.yaml | 6 +- charts/virtual-kubelet/templates/NOTES.txt | 20 +---- charts/virtual-kubelet/templates/_helpers.tpl | 4 +- .../templates/clusterrolebinding.yaml | 10 +-- .../virtual-kubelet/templates/deployment.yaml | 74 +++++++++++++++---- charts/virtual-kubelet/templates/secret.yaml | 30 ++++++++ charts/virtual-kubelet/templates/secrets.yaml | 22 ------ .../templates/serviceaccount.yaml | 4 +- charts/virtual-kubelet/values.yaml | 47 +++++++----- providers/azure/README.md | 14 +--- 18 files changed, 133 insertions(+), 261 deletions(-) delete mode 100644 charts/virtual-kubelet-for-aks/Chart.yaml delete mode 100644 charts/virtual-kubelet-for-aks/templates/NOTES.txt delete mode 100644 charts/virtual-kubelet-for-aks/templates/_helpers.tpl delete mode 100644 
charts/virtual-kubelet-for-aks/templates/clusterrolebinding.yaml delete mode 100644 charts/virtual-kubelet-for-aks/templates/deployment.yaml delete mode 100644 charts/virtual-kubelet-for-aks/templates/secrets.yaml delete mode 100644 charts/virtual-kubelet-for-aks/templates/serviceaccount.yaml delete mode 100644 charts/virtual-kubelet-for-aks/values.yaml create mode 100644 charts/virtual-kubelet/templates/secret.yaml delete mode 100644 charts/virtual-kubelet/templates/secrets.yaml diff --git a/charts/virtual-kubelet-for-aks/Chart.yaml b/charts/virtual-kubelet-for-aks/Chart.yaml deleted file mode 100644 index ca157f8e3..000000000 --- a/charts/virtual-kubelet-for-aks/Chart.yaml +++ /dev/null @@ -1,8 +0,0 @@ -name: virtual-kubelet-for-aks -version: 0.1.6 -description: a Helm chart to install virtual kubelet in an AKS or ACS cluster. -sources: - - https://github.com/virtual-kubelet/virtual-kubelet -maintainers: - - name: Robbie Zhang - email: junjiez@microsoft.com diff --git a/charts/virtual-kubelet-for-aks/templates/NOTES.txt b/charts/virtual-kubelet-for-aks/templates/NOTES.txt deleted file mode 100644 index 94a7e22b8..000000000 --- a/charts/virtual-kubelet-for-aks/templates/NOTES.txt +++ /dev/null @@ -1,12 +0,0 @@ -The virtual kubelet is getting deployed on your cluster. - -To verify that virtual kubelet has started, run: - - kubectl --namespace={{ .Release.Namespace }} get pods -l "app={{ template "fullname" . }}" - -{{- if (not .Values.env.apiserverCert) and (not .Values.env.apiserverKey) }} - -Note: -TLS key pair not provided for VK HTTP listener. A key pair was generated for you. This generated key pair is not suitable for production use. - -{{- end }} \ No newline at end of file diff --git a/charts/virtual-kubelet-for-aks/templates/_helpers.tpl b/charts/virtual-kubelet-for-aks/templates/_helpers.tpl deleted file mode 100644 index c199f18f0..000000000 --- a/charts/virtual-kubelet-for-aks/templates/_helpers.tpl +++ /dev/null 
@@ -1,16 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 24 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "fullname" -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} diff --git a/charts/virtual-kubelet-for-aks/templates/clusterrolebinding.yaml b/charts/virtual-kubelet-for-aks/templates/clusterrolebinding.yaml deleted file mode 100644 index 620072e25..000000000 --- a/charts/virtual-kubelet-for-aks/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{ if .Values.rbac.install }} -apiVersion: "rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}" -kind: ClusterRoleBinding -metadata: - name: {{ template "fullname" . }} -subjects: -- kind: ServiceAccount - name: {{ template "fullname" . }} - namespace: {{ .Release.Namespace }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ .Values.rbac.roleRef }} -{{ end }} \ No newline at end of file diff --git a/charts/virtual-kubelet-for-aks/templates/deployment.yaml b/charts/virtual-kubelet-for-aks/templates/deployment.yaml deleted file mode 100644 index 9b88283b3..000000000 --- a/charts/virtual-kubelet-for-aks/templates/deployment.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: {{ template "fullname" . }} -spec: - replicas: 1 - template: - metadata: - labels: - app: {{ template "fullname" . }} - spec: - containers: - - name: {{ template "fullname" . }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - env: - - name: KUBELET_PORT - value: "10250" - - name: ACS_CREDENTIAL_LOCATION - value: /etc/acs/azure.json - - name: AZURE_TENANT_ID - value: {{ .Values.env.azureTenantId }} - - name: AZURE_SUBSCRIPTION_ID - value: {{ .Values.env.azureSubscriptionId }} - - name: AZURE_CLIENT_ID - value: {{ .Values.env.azureClientId }} - - name: AZURE_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: {{ template "fullname" . }} - key: clientSecret - - name: ACI_RESOURCE_GROUP - value: {{ .Values.env.aciResourceGroup }} - - name: ACI_REGION - value: {{ default "westus" .Values.env.aciRegion }} - - name: APISERVER_CERT_LOCATION - value: /etc/virtual-kubelet/cert.pem - - name: APISERVER_KEY_LOCATION - value: /etc/virtual-kubelet/key.pem - - name: VKUBELET_POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - volumeMounts: - - name: credentials - mountPath: "/etc/virtual-kubelet" - - name: acs-credential - mountPath: "/etc/acs/azure.json" - command: ["virtual-kubelet"] - args: ["--provider", "azure", "--namespace", {{ default "" .Values.env.monitoredNamespace | quote }}, "--nodename", {{ default "virtual-kubelet" .Values.env.nodeName | quote }} , "--os", {{ default "Linux" .Values.env.nodeOsType | quote }}, "--taint", {{ default "azure.com/aci" .Values.env.nodeTaint | quote }}] - volumes: - - name: credentials - secret: - secretName: {{ template "fullname" . }} - - name: acs-credential - hostPath: - path: /etc/kubernetes/azure.json - type: File - {{ if .Values.rbac.install }} - serviceAccountName: {{ template "fullname" . 
}} - {{ end }} - nodeSelector: - beta.kubernetes.io/os: linux \ No newline at end of file diff --git a/charts/virtual-kubelet-for-aks/templates/secrets.yaml b/charts/virtual-kubelet-for-aks/templates/secrets.yaml deleted file mode 100644 index 26e616500..000000000 --- a/charts/virtual-kubelet-for-aks/templates/secrets.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "fullname" . }} -type: Opaque -data: - {{- if (not .Values.env.apiserverCert) and (not .Values.env.apiserverKey) }} - {{- $ca := genCA "virtual-kubelet-ca" 3650 }} - {{- $cn := printf "%s-virtual-kubelet-apiserver" .Release.Name }} - {{- $altName1 := printf "%s-virtual-kubelet-apiserver.%s" .Release.Name .Release.Namespace }} - {{- $altName2 := printf "%s-virtual-kubelet-apiserver.%s.svc" .Release.Name .Release.Namespace }} - {{- $cert := genSignedCert $cn nil (list $altName1 $altName2) 3650 $ca }} - cert.pem: {{ b64enc $cert.Cert }} - key.pem: {{ b64enc $cert.Key }} - {{ else }} - cert.pem: {{ quote .Values.env.apiserverCert }} - key.pem: {{ quote .Values.env.apiserverKey }} - {{ end}} - clientSecret: {{ default "" .Values.env.azureClientKey | b64enc | quote }} \ No newline at end of file diff --git a/charts/virtual-kubelet-for-aks/templates/serviceaccount.yaml b/charts/virtual-kubelet-for-aks/templates/serviceaccount.yaml deleted file mode 100644 index 31eb4650d..000000000 --- a/charts/virtual-kubelet-for-aks/templates/serviceaccount.yaml +++ /dev/null @@ -1,6 +0,0 @@ -{{ if .Values.rbac.install }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ template "fullname" . }} -{{ end }} \ No newline at end of file diff --git a/charts/virtual-kubelet-for-aks/values.yaml b/charts/virtual-kubelet-for-aks/values.yaml deleted file mode 100644 index e34f51a6f..000000000 --- a/charts/virtual-kubelet-for-aks/values.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -image: - repository: microsoft/virtual-kubelet - tag: latest - pullPolicy: Always -env: - azureClientId: - azureClientKey: - azureTenantId: - azureSubscriptionId: - aciResourceGroup: - aciRegion: - nodeName: - nodeTaint: - nodeOsType: - apiserverCert: - apiserverKey: - monitoredNamespace: - -# Install Default RBAC roles and bindings -rbac: - install: true - ## RBAC api version - apiVersion: v1beta1 - # Cluster role reference - roleRef: cluster-admin \ No newline at end of file diff --git a/charts/virtual-kubelet/Chart.yaml b/charts/virtual-kubelet/Chart.yaml index 1ff43f4be..fddfc59d8 100644 --- a/charts/virtual-kubelet/Chart.yaml +++ b/charts/virtual-kubelet/Chart.yaml @@ -1,6 +1,8 @@ name: virtual-kubelet -version: 0.1.3 -description: a Helm chart to install virtual kubelet inside a Kubernetes cluster. +version: 0.2.0 +appVersion: 0.3 +description: A Helm chart to install virtual kubelet inside a Kubernetes cluster. +icon: https://avatars2.githubusercontent.com/u/34250142 sources: - https://github.com/virtual-kubelet/virtual-kubelet maintainers: diff --git a/charts/virtual-kubelet/templates/NOTES.txt b/charts/virtual-kubelet/templates/NOTES.txt index dd159ca76..173aded51 100644 --- a/charts/virtual-kubelet/templates/NOTES.txt +++ b/charts/virtual-kubelet/templates/NOTES.txt 
@@ -1,28 +1,12 @@ -{{- if and .Values.env.azureClientId .Values.env.azureClientKey .Values.env.azureTenantId .Values.env.azureSubscriptionId .Values.env.aciResourceGroup -}} - The virtual kubelet is getting deployed on your cluster. To verify that virtual kubelet has started, run: - kubectl --namespace={{ .Release.Namespace }} get pods -l "app={{ template "fullname" . }}" - -{{- else -}} -############################################################################## -#### ERROR: You are missing required values in the values.yaml file. #### -############################################################################## - -This deployment will be incomplete until all the required fields in the values.yaml file have been provided. - -To update, run: - - helm upgrade {{ .Release.Name }} \ - --set env.azureClientId=,env.azureClientKey=,env.azureTenantId=,env.azureSubscriptionId=,env.aciResourceGroup=,ev.aciOsType=,rbac.install= - -{{- end }} + kubectl --namespace={{ .Release.Namespace }} get pods -l "app={{ template "vk.fullname" . }}" {{- if (not .Values.env.apiserverCert) and (not .Values.env.apiserverKey) }} Note: TLS key pair not provided for VK HTTP listener. A key pair was generated for you. This generated key pair is not suitable for production use. -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/virtual-kubelet/templates/_helpers.tpl b/charts/virtual-kubelet/templates/_helpers.tpl index c199f18f0..2f07d9545 100644 --- a/charts/virtual-kubelet/templates/_helpers.tpl +++ b/charts/virtual-kubelet/templates/_helpers.tpl @@ -2,7 +2,7 @@ {{/* Expand the name of the chart. */}} -{{- define "name" -}} +{{- define "vk.name" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} 
@@ -10,7 +10,7 @@ Expand the name of the chart. Create a default fully qualified app name. We truncate at 24 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). */}} -{{- define "fullname" -}} +{{- define "vk.fullname" -}} {{- $name := default .Chart.Name .Values.nameOverride -}} {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} {{- end -}} diff --git a/charts/virtual-kubelet/templates/clusterrolebinding.yaml b/charts/virtual-kubelet/templates/clusterrolebinding.yaml index ec9903577..a00bf6a83 100644 --- a/charts/virtual-kubelet/templates/clusterrolebinding.yaml +++ b/charts/virtual-kubelet/templates/clusterrolebinding.yaml @@ -1,14 +1,14 @@ {{ if .Values.rbac.install }} -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: "rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}" kind: ClusterRoleBinding metadata: - name: {{ template "fullname" . }}-role-binding + name: {{ template "vk.fullname" . }} subjects: - kind: ServiceAccount - name: {{ template "fullname" . }}-service-account - namespace: default + name: {{ template "vk.fullname" . }} + namespace: {{ .Release.Namespace }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: {{ .Values.rbac.roleRef }} -{{ end }} \ No newline at end of file +{{ end }} diff --git a/charts/virtual-kubelet/templates/deployment.yaml b/charts/virtual-kubelet/templates/deployment.yaml index 046b86a2f..4a7d15d2f 100644 --- a/charts/virtual-kubelet/templates/deployment.yaml +++ b/charts/virtual-kubelet/templates/deployment.yaml 
@@ -1,48 +1,90 @@ apiVersion: extensions/v1beta1 kind: Deployment metadata: - name: {{ template "fullname" . }} + name: {{ template "vk.fullname" . }} + annotations: + virtual-kubelet/provider: {{ required "provider is required" .Values.provider }} spec: replicas: 1 template: metadata: labels: - app: {{ template "fullname" . }} + app: {{ template "vk.fullname" . }} spec: containers: - - name: {{ template "fullname" . }} + - name: {{ template "vk.fullname" . }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} env: - name: KUBELET_PORT value: "10250" - - name: AZURE_AUTH_LOCATION - value: /etc/virtual-kubelet/credentials.json - - name: ACI_RESOURCE_GROUP - value: {{ .Values.env.aciResourceGroup }} - - name: ACI_REGION - value: {{ default "westus" .Values.env.aciRegion }} - name: APISERVER_CERT_LOCATION value: /etc/virtual-kubelet/cert.pem - name: APISERVER_KEY_LOCATION value: /etc/virtual-kubelet/key.pem - {{ if .Values.loganalytics.enabled }} - - name: LOG_ANALYTICS_AUTH_LOCATION - value: /etc/virtual-kubelet/loganalytics.json - {{ end }} - name: VKUBELET_POD_IP valueFrom: fieldRef: fieldPath: status.podIP +{{- if eq .Values.provider "azure" }} +{{- with .Values.providers.azure }} + - name: ACI_RESOURCE_GROUP + value: {{ required "aciResourceGroup is required" .aciResourceGroup }} + - name: ACI_REGION + value: {{ required "aciRegion is required" .aciRegion }} +{{- if .loganalytics.enabled }} + - name: LOG_ANALYTICS_AUTH_LOCATION + value: /etc/virtual-kubelet/loganalytics.json +{{- end }} +{{- if .targetAKS }} + - name: ACS_CREDENTIAL_LOCATION + value: /etc/acs/azure.json + - name: AZURE_TENANT_ID + value: {{ required "tenantId is required" .tenantId }} + - name: AZURE_SUBSCRIPTION_ID + value: {{ required "subscriptionId is required" .subscriptionId }} + - name: AZURE_CLIENT_ID + value: {{ required "clientId is required" .clientId }} + - name: AZURE_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ 
template "vk.fullname" $ }} + key: clientSecret +{{- else }} + - name: AZURE_AUTH_LOCATION + value: /etc/virtual-kubelet/credentials.json +{{- end }} +{{- end }} +{{- end }} volumeMounts: - name: credentials mountPath: "/etc/virtual-kubelet" +{{- if eq .Values.provider "azure" }} +{{- if .Values.providers.azure.targetAKS }} + - name: acs-credential + mountPath: "/etc/acs/azure.json" +{{- end }} +{{- end }} command: ["virtual-kubelet"] - args: ["--provider", "azure", "--namespace", {{ default "" .Values.env.monitoredNamespace | quote }}, "--nodename", {{ default "virtual-kubelet" .Values.env.nodeName | quote }} , "--os", {{ default "Linux" .Values.env.nodeOsType | quote }}, "--taint", {{ default "azure.com/aci" .Values.env.nodeTaint | quote }}] + args: [ + "--provider", "{{ .Values.provider }}", + "--namespace", "{{ .Values.monitoredNamespace }}", + "--nodename", "{{ required "nodeName is required" .Values.nodeName }}", + "--os", "{{ .Values.nodeOsType }}", + "--taint", "{{ .Values.nodeTaint }}" + ] volumes: - name: credentials secret: - secretName: {{ template "fullname" . }} - serviceAccountName: {{ if .Values.rbac.install }} "{{ template "fullname" . }}-service-account" {{ end }} + secretName: {{ template "vk.fullname" . }} +{{- if eq .Values.provider "azure" }} +{{- if .Values.providers.azure.targetAKS }} + - name: acs-credential + hostPath: + path: /etc/kubernetes/azure.json + type: File +{{- end }} +{{- end }} + serviceAccountName: {{ if .Values.rbac.install }} "{{ template "vk.fullname" . }}" {{ end }} nodeSelector: beta.kubernetes.io/os: linux diff --git a/charts/virtual-kubelet/templates/secret.yaml b/charts/virtual-kubelet/templates/secret.yaml new file mode 100644 index 000000000..5975cbcec --- /dev/null +++ b/charts/virtual-kubelet/templates/secret.yaml 
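Review bot: The rewritten `args:` list in deployment.yaml wraps each value in hand-written double quotes (`"--namespace", "{{ .Values.monitoredNamespace }}"`) where the removed line piped it through `quote`, so a value containing `"` or `\` is no longer escaped and can break the flow sequence or change the container's argument list. Pipe the values instead, for example `"--os", {{ .Values.nodeOsType | quote }},` and `"--taint", {{ .Values.nodeTaint | quote }}`. The env entries added under `targetAKS` (`value: {{ required "tenantId is required" .tenantId }}` and its siblings) are unquoted as well and would be retyped by YAML if a value looks like a number or boolean; `| quote` covers both cases. The later PATCH 06 hunk that touches the `--provider` line keeps the same hand-quoting.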
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "vk.fullname" . }} +type: Opaque +data: +{{- if (not .Values.env.apiserverCert) and (not .Values.env.apiserverKey) }} +{{- $ca := genCA "virtual-kubelet-ca" 3650 }} +{{- $cn := printf "%s-virtual-kubelet-apiserver" .Release.Name }} +{{- $altName1 := printf "%s-virtual-kubelet-apiserver.%s" .Release.Name .Release.Namespace }} +{{- $altName2 := printf "%s-virtual-kubelet-apiserver.%s.svc" .Release.Name .Release.Namespace }} +{{- $cert := genSignedCert $cn nil (list $altName1 $altName2) 3650 $ca }} + cert.pem: {{ b64enc $cert.Cert }} + key.pem: {{ b64enc $cert.Key }} +{{- else }} + cert.pem: {{ quote .Values.env.apiserverCert }} + key.pem: {{ quote .Values.env.apiserverKey }} +{{- end }} +{{- if eq .Values.provider "azure" }} +{{- with .Values.providers.azure }} +{{- if .loganalytics.enabled }} + loganalytics.json: {{ printf "{\"workspaceID\": \"%s\",\"workspaceKey\": \"%s\"}" (required "workspaceID is required for loganalytics" .loganalytics.workspaceID ) (required "workspaceKey is required for loganalytics" .loganalytics.workspaceKey ) }} +{{- end }} +{{- if .targetAKS }} + clientSecret: {{ required "clientKey is required" .clientKey | b64enc | quote }} +{{- else }} + credentials.json: {{ printf "{ \"clientId\": \"%s\", \"clientSecret\": \"%s\", \"subscriptionId\": \"%s\", \"tenantId\": \"%s\", \"activeDirectoryEndpointUrl\": \"https://login.microsoftonline.com/\", \"resourceManagerEndpointUrl\": \"https://management.azure.com/\", \"activeDirectoryGraphResourceId\": \"https://graph.windows.net/\", \"sqlManagementEndpointUrl\": \"database.windows.net\", \"galleryEndpointUrl\": \"https://gallery.azure.com/\", \"managementEndpointUrl\": \"https://management.core.windows.net/\" }" (default "MISSING" .clientId) (default "MISSING" .clientKey) (default "MISSING" .subscriptionId) (default "MISSING" .tenantId) | b64enc | quote }} +{{- end }} +{{- end }} +{{- end }} 
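Review bot: The cert/key branch in secret.yaml still reads `.Values.env.apiserverCert` and `.Values.env.apiserverKey`, but this commit moves both keys to the top level of values.yaml and removes the `env` block, so an operator-supplied TLS key pair is never picked up. Depending on how the Helm version in use treats the missing `env` map, the template either fails to render or always falls through to the `genCA`/`genSignedCert` pair that NOTES.txt describes as not suitable for production. The condition should read `{{- if and (not .Values.apiserverCert) (not .Values.apiserverKey) }}`, with `cert.pem: {{ quote .Values.apiserverCert }}` and `key.pem: {{ quote .Values.apiserverKey }}` in the else branch. The NOTES.txt hunk in this patch carries the same stale `.Values.env` condition.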
diff --git a/charts/virtual-kubelet/templates/secrets.yaml b/charts/virtual-kubelet/templates/secrets.yaml deleted file mode 100644 index 2231caf6c..000000000 --- a/charts/virtual-kubelet/templates/secrets.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "fullname" . }} -type: Opaque -data: - credentials.json: {{ printf "{ \"clientId\": \"%s\", \"clientSecret\": \"%s\", \"subscriptionId\": \"%s\", \"tenantId\": \"%s\", \"activeDirectoryEndpointUrl\": \"https://login.microsoftonline.com/\", \"resourceManagerEndpointUrl\": \"https://management.azure.com/\", \"activeDirectoryGraphResourceId\": \"https://graph.windows.net/\", \"sqlManagementEndpointUrl\": \"database.windows.net\", \"galleryEndpointUrl\": \"https://gallery.azure.com/\", \"managementEndpointUrl\": \"https://management.core.windows.net/\" }" (default "MISSING" .Values.env.azureClientId) (default "MISSING" .Values.env.azureClientKey) (default "MISSING" .Values.env.azureSubscriptionId) (default "MISSING" .Values.env.azureTenantId) | b64enc | quote }} - {{- if (not .Values.env.apiserverCert) and (not .Values.env.apiserverKey) }} - {{- $ca := genCA "virtual-kubelet-ca" 3650 }} - {{- $cn := printf "%s-virtual-kubelet-apiserver" .Release.Name }} - {{- $altName1 := printf "%s-virtual-kubelet-apiserver.%s" .Release.Name .Release.Namespace }} - {{- $altName2 := printf "%s-virtual-kubelet-apiserver.%s.svc" .Release.Name .Release.Namespace }} - {{- $cert := genSignedCert $cn nil (list $altName1 $altName2) 3650 $ca }} - cert.pem: {{ b64enc $cert.Cert }} - key.pem: {{ b64enc $cert.Key }} - {{ else }} - cert.pem: {{ quote .Values.env.apiserverCert }} - key.pem: {{ quote .Values.env.apiserverKey }} - {{ end}} - {{ if .Values.loganalytics.enabled }} - loganalytics.json: {{ printf "{\"workspaceID\": \"%s\",\"workspaceKey\": \"%s\"}" (required "workspaceID is required for loganalytics" .Values.loganalytics.workspaceID ) (required "workspaceKey is required for loganalytics" .Values.loganalytics.workspaceKey ) }} - {{ end }} diff --git a/charts/virtual-kubelet/templates/serviceaccount.yaml b/charts/virtual-kubelet/templates/serviceaccount.yaml index 450120aa9..a25f8777f 100644 
--- a/charts/virtual-kubelet/templates/serviceaccount.yaml +++ b/charts/virtual-kubelet/templates/serviceaccount.yaml @@ -2,5 +2,5 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ template "fullname" . }}-service-account -{{ end }} \ No newline at end of file + name: {{ template "vk.fullname" . }} +{{ end }} diff --git a/charts/virtual-kubelet/values.yaml b/charts/virtual-kubelet/values.yaml index b1e04a6da..b874909a6 100644 --- a/charts/virtual-kubelet/values.yaml +++ b/charts/virtual-kubelet/values.yaml @@ -2,29 +2,36 @@ image: repository: microsoft/virtual-kubelet tag: latest pullPolicy: Always -env: - azureClientId: - azureClientKey: - azureTenantId: - azureSubscriptionId: - aciResourceGroup: - aciRegion: - nodeName: - nodeTaint: - nodeOsType: - apiserverCert: - apiserverKey: - monitoredNamespace: -loganalytics: - enabled: false - workspaceID: - workspaceKey: -# Install Default RBAC roles and bindings +## `provider` should be one of aws, azure, azurebatch, etc... +provider: +nodeName: "virtual-kubelet" +nodeTaint: "azure.com/aci" +nodeOsType: "Linux" +monitoredNamespace: "" +apiserverCert: +apiserverKey: + +providers: + azure: + ## Set to true if deploying to Azure Kubernetes Service (AKS), otherwise false + targetAKS: true + clientId: + clientKey: + tenantId: + subscriptionId: + aciResourceGroup: + aciRegion: "westus" + loganalytics: + enabled: false + workspaceID: + workspaceKey: + +## Install Default RBAC roles and bindings rbac: install: false serviceAccountName: virtual-kubelet - # RBAC api version (currently v1beta1) + ## RBAC api version apiVersion: v1beta1 - # Cluster role reference + ## Cluster role reference roleRef: cluster-admin diff --git a/providers/azure/README.md b/providers/azure/README.md index 55ec036aa..7ac4d3d5d 100644 --- a/providers/azure/README.md +++ b/providers/azure/README.md 
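Review bot: `roleRef: cluster-admin` stays the default in values.yaml while the clusterrolebinding.yaml hunk of this patch makes the binding take effect in whatever namespace the release is installed in, so enabling `rbac.install` gives the virtual-kubelet service account full control of the cluster. The `## Cluster role reference` comment gives no hint of that. I would expand it to `## Cluster role bound to the virtual-kubelet service account; cluster-admin grants unrestricted access to the whole cluster, so point this at a narrower ClusterRole where the provider allows it`. Shipping a dedicated ClusterRole limited to the resources the kubelet needs would be the longer-term fix and lies outside this hunk.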
@@ -186,22 +186,14 @@ resources on your account on behalf of Kubernetes. You will need to enable ACI in your subscription: - ```cli - az provider register -n Microsoft.ContainerInstance - ``` +```cli +az provider register -n Microsoft.ContainerInstance +``` ## Deployment of the ACI provider in your cluster Run these commands to deploy the virtual kubelet which connects your Kubernetes cluster to Azure Container Instances. -If your cluster is an AKS cluster: - -```cli -export VK_RELEASE=virtual-kubelet-for-aks-0.1.3 -```` - -For any other type of Kubernetes cluster: - ```cli export VK_RELEASE=virtual-kubelet-0.1.1 ``` From 845cefe4198c3aff907c788667a483f55edc9bb4 Mon Sep 17 00:00:00 2001 From: Jacob LeGrone Date: Mon, 16 Jul 2018 13:28:28 -0400 Subject: [PATCH 02/10] Add helm test Usage: helm test --cleanup --- .../templates/tests/helloworld.yaml | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 charts/virtual-kubelet/templates/tests/helloworld.yaml diff --git a/charts/virtual-kubelet/templates/tests/helloworld.yaml b/charts/virtual-kubelet/templates/tests/helloworld.yaml new file mode 100644 index 000000000..41fa0173f --- /dev/null +++ b/charts/virtual-kubelet/templates/tests/helloworld.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ .Release.Name }}-{{ .Release.Revision }}-test" + labels: + role: test + annotations: + "helm.sh/hook": test-success +spec: + containers: + - image: hello-world:linux + imagePullPolicy: Always + name: helloworld + resources: + requests: + memory: "0.1G" + cpu: 10m + limits: + memory: "0.1G" + cpu: 10m + dnsPolicy: ClusterFirst + nodeName: "{{ .Values.nodeName }}" + restartPolicy: Never + tolerations: + - key: "{{ .Values.nodeTaint }}" + effect: NoSchedule From 52308c3cba3fe2e3e5ba725d97ba38978f8e3b65 Mon Sep 17 00:00:00 2001 
From: Jacob LeGrone Date: Mon, 16 Jul 2018 17:03:19 -0400 Subject: [PATCH 03/10] Roll deployment when secret contents updated --- charts/virtual-kubelet/templates/deployment.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/charts/virtual-kubelet/templates/deployment.yaml b/charts/virtual-kubelet/templates/deployment.yaml index 4a7d15d2f..8bbdd304f 100644 --- a/charts/virtual-kubelet/templates/deployment.yaml +++ b/charts/virtual-kubelet/templates/deployment.yaml @@ -10,6 +10,8 @@ spec: metadata: labels: app: {{ template "vk.fullname" . }} + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} spec: containers: - name: {{ template "vk.fullname" . }} From cdb56fcb2acab8b292811942eb7f3fd4d9db40b1 Mon Sep 17 00:00:00 2001 From: Jacob LeGrone Date: Mon, 16 Jul 2018 17:49:21 -0400 Subject: [PATCH 04/10] Add standard helm labels to resources --- charts/virtual-kubelet/templates/NOTES.txt | 2 +- charts/virtual-kubelet/templates/_helpers.tpl | 13 +++++++++++++ .../templates/clusterrolebinding.yaml | 1 + charts/virtual-kubelet/templates/deployment.yaml | 6 ++++-- charts/virtual-kubelet/templates/secret.yaml | 1 + .../virtual-kubelet/templates/serviceaccount.yaml | 1 + .../virtual-kubelet/templates/tests/helloworld.yaml | 4 ++-- 7 files changed, 23 insertions(+), 5 deletions(-) diff --git a/charts/virtual-kubelet/templates/NOTES.txt b/charts/virtual-kubelet/templates/NOTES.txt index 173aded51..ae4fc0943 100644 --- a/charts/virtual-kubelet/templates/NOTES.txt +++ b/charts/virtual-kubelet/templates/NOTES.txt @@ -2,7 +2,7 @@ The virtual kubelet is getting deployed on your cluster. To verify that virtual kubelet has started, run: - kubectl --namespace={{ .Release.Namespace }} get pods -l "app={{ template "vk.fullname" . }}" + kubectl --namespace={{ .Release.Namespace }} get pods -l "app={{ template "vk.name" . }}" {{- if (not .Values.env.apiserverCert) and (not .Values.env.apiserverKey) }} 
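Review bot: The `checksum/secret` annotation hashes the rendered secret.yaml, and that template calls `genCA` and `genSignedCert` whenever no key pair is supplied, so the hash presumably differs on every render. If so, each `helm upgrade` restarts the pod and replaces the kubelet's serving certificate and key even when no value changed, which also prevents clients from pinning that certificate. A comment above the annotation would make this visible: `# secret.yaml generates a fresh CA and key pair on every render unless a cert/key is supplied, so this checksum changes on each upgrade`. Hashing the user-supplied values rather than the rendered template would avoid the unintended restart.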
diff --git a/charts/virtual-kubelet/templates/_helpers.tpl b/charts/virtual-kubelet/templates/_helpers.tpl index 2f07d9545..4b0b69928 100644 --- a/charts/virtual-kubelet/templates/_helpers.tpl +++ b/charts/virtual-kubelet/templates/_helpers.tpl @@ -14,3 +14,16 @@ We truncate at 24 chars because some Kubernetes name fields are limited to this {{- $name := default .Chart.Name .Values.nameOverride -}} {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} {{- end -}} + +{{/* +Standard labels for helm resources +*/}} +{{- define "vk.labels" -}} +labels: + heritage: "{{ .Release.Service }}" + release: "{{ .Release.Name }}" + revision: "{{ .Release.Revision }}" + chart: "{{ .Chart.Name }}" + chartVersion: "{{ .Chart.Version }}" + app: {{ template "vk.name" . }} +{{- end -}} diff --git a/charts/virtual-kubelet/templates/clusterrolebinding.yaml b/charts/virtual-kubelet/templates/clusterrolebinding.yaml index a00bf6a83..5f80001f6 100644 --- a/charts/virtual-kubelet/templates/clusterrolebinding.yaml +++ b/charts/virtual-kubelet/templates/clusterrolebinding.yaml @@ -3,6 +3,7 @@ apiVersion: "rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}" kind: ClusterRoleBinding metadata: name: {{ template "vk.fullname" . }} +{{ include "vk.labels" . | indent 2 }} subjects: - kind: ServiceAccount name: {{ template "vk.fullname" . }} diff --git a/charts/virtual-kubelet/templates/deployment.yaml b/charts/virtual-kubelet/templates/deployment.yaml index 8bbdd304f..0d07189ea 100644 --- a/charts/virtual-kubelet/templates/deployment.yaml +++ b/charts/virtual-kubelet/templates/deployment.yaml 
@@ -2,14 +2,16 @@ apiVersion: extensions/v1beta1 kind: Deployment metadata: name: {{ template "vk.fullname" . }} +{{ include "vk.labels" . | indent 2 }} + component: kubelet annotations: virtual-kubelet/provider: {{ required "provider is required" .Values.provider }} spec: replicas: 1 template: metadata: - labels: - app: {{ template "vk.fullname" . }} +{{ include "vk.labels" . | indent 6 }} + component: kubelet annotations: checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} spec: diff --git a/charts/virtual-kubelet/templates/secret.yaml b/charts/virtual-kubelet/templates/secret.yaml index 5975cbcec..7df587009 100644 --- a/charts/virtual-kubelet/templates/secret.yaml +++ b/charts/virtual-kubelet/templates/secret.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ template "vk.fullname" . }} +{{ include "vk.labels" . | indent 2 }} type: Opaque data: {{- if (not .Values.env.apiserverCert) and (not .Values.env.apiserverKey) }} diff --git a/charts/virtual-kubelet/templates/serviceaccount.yaml b/charts/virtual-kubelet/templates/serviceaccount.yaml index a25f8777f..dcc9f926e 100644 --- a/charts/virtual-kubelet/templates/serviceaccount.yaml +++ b/charts/virtual-kubelet/templates/serviceaccount.yaml @@ -3,4 +3,5 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ template "vk.fullname" . }} +{{ include "vk.labels" . | indent 2 }} {{ end }} diff --git a/charts/virtual-kubelet/templates/tests/helloworld.yaml b/charts/virtual-kubelet/templates/tests/helloworld.yaml index 41fa0173f..c29fb30a4 100644 --- a/charts/virtual-kubelet/templates/tests/helloworld.yaml +++ b/charts/virtual-kubelet/templates/tests/helloworld.yaml @@ -2,8 +2,8 @@ apiVersion: v1 kind: Pod metadata: name: "{{ .Release.Name }}-{{ .Release.Revision }}-test" - labels: - role: test +{{ include "vk.labels" . | indent 2 }} + component: test annotations: "helm.sh/hook": test-success spec: 
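Review bot: `{{ include "vk.labels" . | indent 6 }}` puts the whole `vk.labels` set on the pod template, including `revision: "{{ .Release.Revision }}"` and `chartVersion`, and those two values change with every upgrade. With `apiVersion: extensions/v1beta1` and no explicit `spec.selector` visible in the template, the selector is likely defaulted from the labels of the first install, so a later upgrade may be rejected because the new template labels no longer match it. Keep only stable labels on the pod template, for example `app: {{ template "vk.name" . }}`, `release: "{{ .Release.Name }}"` and `component: kubelet`, and leave the changing ones on the Deployment's own `metadata`. The Deployment body continues outside this hunk.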
From 6d8493d9ec48fcfa29d38119a947fabb5f8fbcaf Mon Sep 17 00:00:00 2001 From: Jacob LeGrone Date: Thu, 19 Jul 2018 20:44:31 -0400 Subject: [PATCH 05/10] Switch nodeName to nodeSelector --- charts/virtual-kubelet/templates/tests/helloworld.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/charts/virtual-kubelet/templates/tests/helloworld.yaml b/charts/virtual-kubelet/templates/tests/helloworld.yaml index c29fb30a4..4ce276f0f 100644 --- a/charts/virtual-kubelet/templates/tests/helloworld.yaml +++ b/charts/virtual-kubelet/templates/tests/helloworld.yaml @@ -19,7 +19,8 @@ spec: memory: "0.1G" cpu: 10m dnsPolicy: ClusterFirst - nodeName: "{{ .Values.nodeName }}" + nodeSelector: + kubernetes.io/hostname: "{{ .Values.nodeName }}" restartPolicy: Never tolerations: - key: "{{ .Values.nodeTaint }}" From 123a1b37c2bf43a6d72b1762faf590df08633920 Mon Sep 17 00:00:00 2001 From: Jacob LeGrone Date: Thu, 19 Jul 2018 20:45:37 -0400 Subject: [PATCH 06/10] Require ACI region/resource group only for non-AKS deployments --- charts/virtual-kubelet/templates/deployment.yaml | 16 +++++++++------- charts/virtual-kubelet/templates/secret.yaml | 2 +- charts/virtual-kubelet/values.yaml | 3 ++- 3 files changed, 12 insertions(+), 9 deletions(-) diff --git a/charts/virtual-kubelet/templates/deployment.yaml b/charts/virtual-kubelet/templates/deployment.yaml index 0d07189ea..93b2ad6ce 100644 --- a/charts/virtual-kubelet/templates/deployment.yaml +++ b/charts/virtual-kubelet/templates/deployment.yaml @@ -4,8 +4,6 @@ metadata: name: {{ template "vk.fullname" . }} {{ include "vk.labels" . | indent 2 }} component: kubelet - annotations: - virtual-kubelet/provider: {{ required "provider is required" .Values.provider }} spec: replicas: 1 template: 
@@ -32,10 +30,6 @@ spec: fieldPath: status.podIP {{- if eq .Values.provider "azure" }} {{- with .Values.providers.azure }} - - name: ACI_RESOURCE_GROUP - value: {{ required "aciResourceGroup is required" .aciResourceGroup }} - - name: ACI_REGION - value: {{ required "aciRegion is required" .aciRegion }} {{- if .loganalytics.enabled }} - name: LOG_ANALYTICS_AUTH_LOCATION value: /etc/virtual-kubelet/loganalytics.json @@ -54,9 +48,17 @@ spec: secretKeyRef: name: {{ template "vk.fullname" $ }} key: clientSecret + - name: ACI_RESOURCE_GROUP + value: {{ .aciResourceGroup }} + - name: ACI_REGION + value: {{ .aciRegion }} {{- else }} - name: AZURE_AUTH_LOCATION value: /etc/virtual-kubelet/credentials.json + - name: ACI_RESOURCE_GROUP + value: {{ required "aciResourceGroup is required" .aciResourceGroup }} + - name: ACI_REGION + value: {{ required "aciRegion is required" .aciRegion }} {{- end }} {{- end }} {{- end }} @@ -71,7 +73,7 @@ spec: {{- end }} command: ["virtual-kubelet"] args: [ - "--provider", "{{ .Values.provider }}", + "--provider", "{{ required "provider is required" .Values.provider }}", "--namespace", "{{ .Values.monitoredNamespace }}", "--nodename", "{{ required "nodeName is required" .Values.nodeName }}", "--os", "{{ .Values.nodeOsType }}", diff --git a/charts/virtual-kubelet/templates/secret.yaml b/charts/virtual-kubelet/templates/secret.yaml index 7df587009..3ee607a46 100644 --- a/charts/virtual-kubelet/templates/secret.yaml +++ b/charts/virtual-kubelet/templates/secret.yaml 
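Review bot: In the `targetAKS` branch of the `@@ -54,9 +48,17 @@` hunk, the added `value: {{ .aciResourceGroup }}` and `value: {{ .aciRegion }}` are unquoted and no longer guarded by `required`. An unset value should therefore render as a bare `value:`, and anything YAML types as a number, boolean or null will not reach the API server as the string an env var needs. Quoting also keeps a value containing `: ` or ` #` from changing the structure of the rendered manifest. I would write `value: {{ default "" .aciResourceGroup | quote }}` (same for `aciRegion`), the form secret.yaml in this series already uses for `clientSecret`. The same unquoted pattern appears in the `@@ -38,11 +38,11 @@` hunk of patch 09 and in the env block of the virtual-kubelet-for-aks deployment.yaml added in patch 10; the container spec starts and ends outside this hunk.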
@@ -23,7 +23,7 @@ data: loganalytics.json: {{ printf "{\"workspaceID\": \"%s\",\"workspaceKey\": \"%s\"}" (required "workspaceID is required for loganalytics" .loganalytics.workspaceID ) (required "workspaceKey is required for loganalytics" .loganalytics.workspaceKey ) }} {{- end }} {{- if .targetAKS }} - clientSecret: {{ required "clientKey is required" .clientKey | b64enc | quote }} + clientSecret: {{ default "" .clientKey | b64enc | quote }} {{- else }} credentials.json: {{ printf "{ \"clientId\": \"%s\", \"clientSecret\": \"%s\", \"subscriptionId\": \"%s\", \"tenantId\": \"%s\", \"activeDirectoryEndpointUrl\": \"https://login.microsoftonline.com/\", \"resourceManagerEndpointUrl\": \"https://management.azure.com/\", \"activeDirectoryGraphResourceId\": \"https://graph.windows.net/\", \"sqlManagementEndpointUrl\": \"database.windows.net\", \"galleryEndpointUrl\": \"https://gallery.azure.com/\", \"managementEndpointUrl\": \"https://management.core.windows.net/\" }" (default "MISSING" .clientId) (default "MISSING" .clientKey) (default "MISSING" .subscriptionId) (default "MISSING" .tenantId) | b64enc | quote }} {{- end }} diff --git a/charts/virtual-kubelet/values.yaml b/charts/virtual-kubelet/values.yaml index b874909a6..822a85cdc 100644 --- a/charts/virtual-kubelet/values.yaml +++ b/charts/virtual-kubelet/values.yaml @@ -20,8 +20,9 @@ providers: clientKey: tenantId: subscriptionId: + ## `aciResourceGroup` and `aciRegion` are required only for non-AKS deployments aciResourceGroup: - aciRegion: "westus" + aciRegion: loganalytics: enabled: false workspaceID: From 1f23e90e7dd9b2bc2f7def6c6efeff69ee8c5186 Mon Sep 17 00:00:00 2001 From: Jacob LeGrone Date: Thu, 19 Jul 2018 20:46:30 -0400 Subject: [PATCH 07/10] Install RBAC bindings by default --- charts/virtual-kubelet/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/virtual-kubelet/values.yaml b/charts/virtual-kubelet/values.yaml index 822a85cdc..f126e0806 100644 
--- a/charts/virtual-kubelet/values.yaml +++ b/charts/virtual-kubelet/values.yaml @@ -30,7 +30,7 @@ providers: ## Install Default RBAC roles and bindings rbac: - install: false + install: true serviceAccountName: virtual-kubelet ## RBAC api version apiVersion: v1beta1 From c61687bae0e1dac271c510f47b7efc1bde2de5c3 Mon Sep 17 00:00:00 2001 From: Jacob LeGrone Date: Thu, 19 Jul 2018 20:57:01 -0400 Subject: [PATCH 08/10] Update installation instructions --- charts/virtual-kubelet-0.2.0.tgz | Bin 0 -> 2829 bytes providers/azure/README.md | 35 +++++++++++++++++++++++++++++-- 2 files changed, 33 insertions(+), 2 deletions(-) create mode 100644 charts/virtual-kubelet-0.2.0.tgz 
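Review bot: Flipping `rbac.install` to `true` changes what a default `helm install` grants, and the comment above it (`## Install Default RBAC roles and bindings`) does not say so. The chart has a clusterrolebinding.yaml template, presumably gated on this flag, so the release's service account now gets a cluster-wide binding unless the operator opts out. The role it is bound to is not visible in this hunk and should be confirmed to be no broader than the kubelet needs. I would extend the comment to something like `## Install default RBAC roles and bindings (creates a ClusterRoleBinding for the service account; set to false to manage RBAC yourself)`. The `rbac` mapping continues past the end of the hunk.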
diff --git a/charts/virtual-kubelet-0.2.0.tgz b/charts/virtual-kubelet-0.2.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..3fa8bfbc67bf353b8608d12d53ffbcb6646de2cf GIT binary patch literal 2829 zcmV+o3-a_IiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PH($Z`(N1`&qwYpzZ?gqLyFcBo71>c+%9{4bmoo?euWFJ*2cW zw%AalN>Wa}Y5x0x)T?DXZntgrc42;rLJnt!qnY8n$a5-nN?7YUoghQqK8}dg-h#yJ zhi^7IolfU)f8YM?bUMwyo&DOgo$vO$2Zukvx8vZRkt$8(51r1};%Of4Z!$=dyg{j` z;6At=Z_jl?RDq<4wo^y&E3y~@qZOb9P_8s#405%BTy4xe4G{>OrW2GLH7W>Lsx(T^ zp@BgaX`Lv)-6nIQiBvsrMs<`xdhP75$5 zl=<*Jbcu#OT9NOePfJw}|kWlT9^L+)*Nx0a}y=PZ=wge$ybD zyXS?pI$qD~IDhr~``WQ`T*6XR-_`+avHxzrzheLWz3$HbA7ap$%+PlLBql;pE#$(7 z(zI5zA3&3t4~%G3=D#Fm>_RXaEPOa(H)Nq4=g}j0mq;>!i8+^ESZEXC553a>xjh6&8TRKsJa7^U{1`u`LcJ~$;a%1FqPF%JNb9>EB$L)0=w zpi>AjVPZk~%uF5`$hs>Wp`6nI;qlSw=*d$MIzo9v6~dG-g%+hIa)$cobmUu{b}nEP zxjqSfsQsIgNDy_6zN-T~oZK0Tv?zXKu>Bz{P##1I5$ z3z!NCT=3S>=_o&2j9e>=vxzS!RpK*}d-MoS^1I>%PD#o%44)qzgA@#vr9YuOqT%WD=<@SIUF-a)ozS+F1gqGLZygNZnx*6KVQ1(6 zA7YFnTn*+F%us9N%reurP5~Aol~qvZjD@i`I$eN{h+aVw5d}uH8pEd`Q|>zs*u_9I zXtj9Zho9Zvf;U8lM4?xDXSlmFJU}8s1uX_HNfHBDs3*AdYtP_t!GpUy_aASk-)n5P z|EmaDf>L=p`N~jmYy5ZEZP@?8{$X!t{|_;4Z`(h^oW?#V)G(zC^&-J%u@OrUp$|W| z@9rD}*&qKi;cZSo6n>t4QyhK=7giHDtSz}Q0+0CSobDC!Wyd^(4+YM6u6 zBv@Ol>KqkJK9_@$B=KSMEwd!9zuIuW(b(+&^PAqp#d)ayXR89+;=hA~y=DL3>vs0~ zJOBR>zeY= zFEX#8VE8=KCnrWtLZXRZmhYOzSNY4_0D5?@Aq zw3JJJF1ZXWFBfczQ=KAn%+k(0Bi<-169qTrQRin#kU8r7=*IPYYtOUU{;RD2Ypa1< z?Ej$GY1n`FaId?I{~l!2EgU~;sumD1V^rYC~Nfz26=Uo z(SRr)x(<}|vSM7t(so)01+5MAvIWAq(AH>`UqMG0T&py0D-0xRd+>tVV;hUXkKQ=v z%zI80UJxCDo5Ncpa-UdcR786F2P%yVZi-`OTvbhvY^L?O-YOeeNjHmfa%W@U4yxg~s1EPdAiuD>7YmvUG zj`-s0Iw@{R)^AfmQ#Hcq^ zM=LhSNCt-v;r{dPGVT#W~3 zM`z=!lNYN%XK|F$eHB-fvkZ7F_=J8pLVm5R3dEx5!QO+%@83~o?WsU2^>Zw)J>#`oX z?ve%2w%Pp)Wq7X!uj{DZTL7>x=pJ#oP^G0A3G)_5$S}}CR);akgjXHHqoOU84~+8k z<3FX6_V*l{^Z#1f@|85UGyW||AUO>4<($UT4p1?@0IIk-s(IdA5wG* z0!6ZBi99ZvA@2B+jW0Xwe0cNhS#=RDeYf)jKEa1n=sXb2^Rq9*bBc>4G~Yefs)y8; 
z)soXPDLBOie1geAA9>K^t%`e_@v22uw1#fsZJBtyb$xj2{-oZzPs`bi{_@Il;b%LHeXXWwmQc#0O&Yr@G4eH{ath|&YiHhjDV7vV2(=2*7l!xL*c^q|)Lw#VcOA0GY7=4`(h4qcuz8PT* z?>TqJ;0%@Y;=~ zvDyALDy`ZPGA3?>WZ|Fp09)+8+wC7V?Z3aj`~Lqy###%%5aAlLUiW=YYr_{gEu%f| zpKSi+zb#nl!nqN$*i%tE65`s;;94pT0#vH(6fU>VT17X^>T$~|vY(Y5U|owV{|y6_ z#qvu3?PU2CR8iZI_#rihQq?+QjO~vo+>Y0MSrxK^B=w=&Df&kCGqNw*6>?Q@nSVO) z3zb$-t2LM9QcEP1uD!xF#XQ?#wO{KNB+hV-(gDzdp{!m)D{BbcU$?{Q6a($UnHU8T fhAG3H3*U|1*p1!zUmO1o00960PN&Mk06qW!BuJAq literal 0 HcmV?d00001 diff --git a/providers/azure/README.md b/providers/azure/README.md index 7ac4d3d5d..3d58eba2d 100644 --- a/providers/azure/README.md +++ b/providers/azure/README.md @@ -195,9 +195,10 @@ az provider register -n Microsoft.ContainerInstance Run these commands to deploy the virtual kubelet which connects your Kubernetes cluster to Azure Container Instances. ```cli -export VK_RELEASE=virtual-kubelet-0.1.1 +export VK_RELEASE=virtual-kubelet-0.2.0 ``` +If your cluster is an AKS cluster: ```cli RELEASE_NAME=virtual-kubelet NODE_NAME=virtual-kubelet 
@@ -208,7 +209,37 @@ chmod +x createCertAndKey.sh . ./createCertAndKey.sh helm install "$CHART_URL" --name "$RELEASE_NAME" \ - --set env.azureClientId="$AZURE_CLIENT_ID",env.azureClientKey="$AZURE_CLIENT_SECRET",env.azureTenantId="$AZURE_TENANT_ID",env.azureSubscriptionId="$AZURE_SUBSCRIPTION_ID",env.aciRegion="$ACI_REGION",env.aciResourceGroup="$AZURE_RG",env.nodeName="$NODE_NAME",env.nodeOsType=,env.apiserverCert=$cert,env.apiserverKey=$key,rbac.install=false + --set provider=azure \ + --set providers.azure.targetAKS=true \ + --set providers.azure.tenantId=$AZURE_TENANT_ID \ + --set providers.azure.subscriptionId=$AZURE_SUBSCRIPTION_ID \ + --set providers.azure.clientId=$AZURE_CLIENT_ID \ + --set apiserverCert=$cert \ + --set apiserverKey=$key +``` + +For any other type of Kubernetes cluster: +```cli +RELEASE_NAME=virtual-kubelet +NODE_NAME=virtual-kubelet +CHART_URL=https://github.com/virtual-kubelet/virtual-kubelet/raw/master/charts/$VK_RELEASE.tgz + +curl https://raw.githubusercontent.com/virtual-kubelet/virtual-kubelet/master/scripts/createCertAndKey.sh > createCertAndKey.sh +chmod +x createCertAndKey.sh +. ./createCertAndKey.sh + +helm install "$CHART_URL" --name "$RELEASE_NAME" \ + --set provider=azure \ + --set rbac.install=true \ + --set providers.azure.targetAKS=false \ + --set providers.azure.tenantId=$AZURE_TENANT_ID \ + --set providers.azure.subscriptionId=$AZURE_SUBSCRIPTION_ID \ + --set providers.azure.clientId=$AZURE_CLIENT_ID \ + --set providers.azure.clientKey=$AZURE_CLIENT_SECRET \ + --set providers.azure.aciResourceGroup=$AZURE_RG \ + --set providers.azure.aciRegion=$ACI_REGION \ + --set apiserverCert=$cert \ + --set apiserverKey=$key ``` If your cluster has RBAC enabled set ```rbac.install=true``` From 9bf226d02e2e3770e77afa46d3a2f2c7eda32c24 Mon Sep 17 00:00:00 2001 
From: Jacob LeGrone Date: Mon, 6 Aug 2018 16:06:40 -0400 Subject: [PATCH 09/10] Do not require tenant, subscription, or client IDs for AKS deployments --- charts/virtual-kubelet/templates/deployment.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/virtual-kubelet/templates/deployment.yaml b/charts/virtual-kubelet/templates/deployment.yaml index 93b2ad6ce..5470efe2c 100644 --- a/charts/virtual-kubelet/templates/deployment.yaml +++ b/charts/virtual-kubelet/templates/deployment.yaml @@ -38,11 +38,11 @@ spec: - name: ACS_CREDENTIAL_LOCATION value: /etc/acs/azure.json - name: AZURE_TENANT_ID - value: {{ required "tenantId is required" .tenantId }} + value: {{ .tenantId }} - name: AZURE_SUBSCRIPTION_ID - value: {{ required "subscriptionId is required" .subscriptionId }} + value: {{ .subscriptionId }} - name: AZURE_CLIENT_ID - value: {{ required "clientId is required" .clientId }} + value: {{ .clientId }} - name: AZURE_CLIENT_SECRET valueFrom: secretKeyRef: From 5500055558244f32b2848aad1ea25cca6a388a57 Mon Sep 17 00:00:00 2001 
From: Jacob LeGrone Date: Mon, 6 Aug 2018 17:42:37 -0400 Subject: [PATCH 10/10] Add back vk-for-aks --- charts/virtual-kubelet-for-aks/Chart.yaml | 8 +++ .../templates/NOTES.txt | 12 ++++ .../templates/_helpers.tpl | 16 +++++ .../templates/clusterrolebinding.yaml | 14 +++++ .../templates/deployment.yaml | 63 +++++++++++++++++++ .../templates/secrets.yaml | 19 ++++++ .../templates/serviceaccount.yaml | 6 ++ charts/virtual-kubelet-for-aks/values.yaml | 25 ++++++++ 8 files changed, 163 insertions(+) create mode 100644 charts/virtual-kubelet-for-aks/Chart.yaml create mode 100644 charts/virtual-kubelet-for-aks/templates/NOTES.txt create mode 100644 charts/virtual-kubelet-for-aks/templates/_helpers.tpl create mode 100644 charts/virtual-kubelet-for-aks/templates/clusterrolebinding.yaml create mode 100644 charts/virtual-kubelet-for-aks/templates/deployment.yaml create mode 100644 charts/virtual-kubelet-for-aks/templates/secrets.yaml create mode 100644 charts/virtual-kubelet-for-aks/templates/serviceaccount.yaml create mode 100644 charts/virtual-kubelet-for-aks/values.yaml diff --git a/charts/virtual-kubelet-for-aks/Chart.yaml b/charts/virtual-kubelet-for-aks/Chart.yaml new file mode 100644 index 000000000..ca157f8e3 --- /dev/null +++ b/charts/virtual-kubelet-for-aks/Chart.yaml @@ -0,0 +1,8 @@ +name: virtual-kubelet-for-aks +version: 0.1.6 +description: a Helm chart to install virtual kubelet in an AKS or ACS cluster. +sources: + - https://github.com/virtual-kubelet/virtual-kubelet +maintainers: + - name: Robbie Zhang + email: junjiez@microsoft.com diff --git a/charts/virtual-kubelet-for-aks/templates/NOTES.txt b/charts/virtual-kubelet-for-aks/templates/NOTES.txt new file mode 100644 index 000000000..94a7e22b8 --- /dev/null +++ b/charts/virtual-kubelet-for-aks/templates/NOTES.txt 
@@ -0,0 +1,12 @@ +The virtual kubelet is getting deployed on your cluster. + +To verify that virtual kubelet has started, run: + + kubectl --namespace={{ .Release.Namespace }} get pods -l "app={{ template "fullname" . }}" + +{{- if (not .Values.env.apiserverCert) and (not .Values.env.apiserverKey) }} + +Note: +TLS key pair not provided for VK HTTP listener. A key pair was generated for you. This generated key pair is not suitable for production use. + +{{- end }} \ No newline at end of file diff --git a/charts/virtual-kubelet-for-aks/templates/_helpers.tpl b/charts/virtual-kubelet-for-aks/templates/_helpers.tpl new file mode 100644 index 000000000..c199f18f0 --- /dev/null +++ b/charts/virtual-kubelet-for-aks/templates/_helpers.tpl @@ -0,0 +1,16 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 24 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/virtual-kubelet-for-aks/templates/clusterrolebinding.yaml b/charts/virtual-kubelet-for-aks/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..620072e25 --- /dev/null +++ b/charts/virtual-kubelet-for-aks/templates/clusterrolebinding.yaml 
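Review bot: The doc comment on `fullname` in _helpers.tpl says the name is truncated at 24 characters, but the template below it calls `trunc 63`. The comment should match the code, e.g. `We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).`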
@@ -0,0 +1,14 @@ +{{ if .Values.rbac.install }} +apiVersion: "rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}" +kind: ClusterRoleBinding +metadata: + name: {{ template "fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ template "fullname" . }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.rbac.roleRef }} +{{ end }} \ No newline at end of file diff --git a/charts/virtual-kubelet-for-aks/templates/deployment.yaml b/charts/virtual-kubelet-for-aks/templates/deployment.yaml new file mode 100644 index 000000000..9b88283b3 --- /dev/null +++ b/charts/virtual-kubelet-for-aks/templates/deployment.yaml 
@@ -0,0 +1,63 @@ +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: {{ template "fullname" . }} +spec: + replicas: 1 + template: + metadata: + labels: + app: {{ template "fullname" . }} + spec: + containers: + - name: {{ template "fullname" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + - name: KUBELET_PORT + value: "10250" + - name: ACS_CREDENTIAL_LOCATION + value: /etc/acs/azure.json + - name: AZURE_TENANT_ID + value: {{ .Values.env.azureTenantId }} + - name: AZURE_SUBSCRIPTION_ID + value: {{ .Values.env.azureSubscriptionId }} + - name: AZURE_CLIENT_ID + value: {{ .Values.env.azureClientId }} + - name: AZURE_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ template "fullname" . }} + key: clientSecret + - name: ACI_RESOURCE_GROUP + value: {{ .Values.env.aciResourceGroup }} + - name: ACI_REGION + value: {{ default "westus" .Values.env.aciRegion }} + - name: APISERVER_CERT_LOCATION + value: /etc/virtual-kubelet/cert.pem + - name: APISERVER_KEY_LOCATION + value: /etc/virtual-kubelet/key.pem + - name: VKUBELET_POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + volumeMounts: + - name: credentials + mountPath: "/etc/virtual-kubelet" + - name: acs-credential + mountPath: "/etc/acs/azure.json" + command: ["virtual-kubelet"] + args: ["--provider", "azure", "--namespace", {{ default "" .Values.env.monitoredNamespace | quote }}, "--nodename", {{ default "virtual-kubelet" .Values.env.nodeName | quote }} , "--os", {{ default "Linux" .Values.env.nodeOsType | quote }}, "--taint", {{ default "azure.com/aci" .Values.env.nodeTaint | quote }}] + volumes: + - name: credentials + secret: + secretName: {{ template "fullname" . }} + - name: acs-credential + hostPath: + path: /etc/kubernetes/azure.json + type: File + {{ if .Values.rbac.install }} + serviceAccountName: {{ template "fullname" . 
}} + {{ end }} + nodeSelector: + beta.kubernetes.io/os: linux \ No newline at end of file diff --git a/charts/virtual-kubelet-for-aks/templates/secrets.yaml b/charts/virtual-kubelet-for-aks/templates/secrets.yaml new file mode 100644 index 000000000..26e616500 --- /dev/null +++ b/charts/virtual-kubelet-for-aks/templates/secrets.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "fullname" . }} +type: Opaque +data: + {{- if (not .Values.env.apiserverCert) and (not .Values.env.apiserverKey) }} + {{- $ca := genCA "virtual-kubelet-ca" 3650 }} + {{- $cn := printf "%s-virtual-kubelet-apiserver" .Release.Name }} + {{- $altName1 := printf "%s-virtual-kubelet-apiserver.%s" .Release.Name .Release.Namespace }} + {{- $altName2 := printf "%s-virtual-kubelet-apiserver.%s.svc" .Release.Name .Release.Namespace }} + {{- $cert := genSignedCert $cn nil (list $altName1 $altName2) 3650 $ca }} + cert.pem: {{ b64enc $cert.Cert }} + key.pem: {{ b64enc $cert.Key }} + {{ else }} + cert.pem: {{ quote .Values.env.apiserverCert }} + key.pem: {{ quote .Values.env.apiserverKey }} + {{ end}} + clientSecret: {{ default "" .Values.env.azureClientKey | b64enc | quote }} \ No newline at end of file diff --git a/charts/virtual-kubelet-for-aks/templates/serviceaccount.yaml b/charts/virtual-kubelet-for-aks/templates/serviceaccount.yaml new file mode 100644 index 000000000..31eb4650d --- /dev/null +++ b/charts/virtual-kubelet-for-aks/templates/serviceaccount.yaml @@ -0,0 +1,6 @@ +{{ if .Values.rbac.install }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "fullname" . }} +{{ end }} \ No newline at end of file diff --git a/charts/virtual-kubelet-for-aks/values.yaml b/charts/virtual-kubelet-for-aks/values.yaml new file mode 100644 index 000000000..e34f51a6f --- /dev/null +++ b/charts/virtual-kubelet-for-aks/values.yaml 
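Review bot: The `acs-credential` volume in the new deployment.yaml mounts the node's `/etc/kubernetes/azure.json` into the container through a `hostPath`, and its `volumeMounts` entry does not set `readOnly`. The file name and the `ACS_CREDENTIAL_LOCATION` variable suggest it holds the cluster's cloud credentials, so the mount should at least be read-only: add `readOnly: true` under `mountPath: "/etc/acs/azure.json"`. A short comment on the volume saying why the pod needs the host's credential file would help anyone auditing this chart's privileges later.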
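Review bot: The guard `{{- if (not .Values.env.apiserverCert) and (not .Values.env.apiserverKey) }}` in secrets.yaml does not reject a half-supplied TLS pair. With only one value set, either the supplied half is ignored in favour of a generated pair or the `else` branch renders the missing half as `""`, depending on how the condition evaluates. `and` is a prefix function in Go templates, so the conventional spelling is `{{- if and (not .Values.env.apiserverCert) (not .Values.env.apiserverKey) }}`, and the `else` branch can fail early with `key.pem: {{ required "apiserverKey is required when apiserverCert is set" .Values.env.apiserverKey | quote }}` (likewise for `cert.pem`). The `else` branch also writes the values under `data:` without `b64enc`, so it presumably expects them base64-encoded already; a comment saying so would prevent a silent mismatch. The same condition is used in NOTES.txt in this patch.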
@@ -0,0 +1,25 @@ +image: + repository: microsoft/virtual-kubelet + tag: latest + pullPolicy: Always +env: + azureClientId: + azureClientKey: + azureTenantId: + azureSubscriptionId: + aciResourceGroup: + aciRegion: + nodeName: + nodeTaint: + nodeOsType: + apiserverCert: + apiserverKey: + monitoredNamespace: + +# Install Default RBAC roles and bindings +rbac: + install: true + ## RBAC api version + apiVersion: v1beta1 + # Cluster role reference + roleRef: cluster-admin \ No newline at end of file
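Review bot: The defaults in this values.yaml bind the chart's service account to `cluster-admin` (`rbac.install: true` with `roleRef: cluster-admin`, consumed by clusterrolebinding.yaml in this patch), while the image is the floating `tag: latest` with `pullPolicy: Always`. Together that means whatever image is currently published under that tag runs with full control of the cluster after every pod restart. I would default `roleRef` to a dedicated ClusterRole limited to what the kubelet needs, or at minimum make the operator choose it explicitly, and pin the image with `tag: <released-version>` (placeholder). If `cluster-admin` has to stay for now, the `# Cluster role reference` comment should say that it grants full cluster access.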