diff --git a/charts/virtual-kubelet-0.2.0.tgz b/charts/virtual-kubelet-0.2.0.tgz new file mode 100644 index 000000000..3fa8bfbc6 Binary files /dev/null and b/charts/virtual-kubelet-0.2.0.tgz differ diff --git a/charts/virtual-kubelet/Chart.yaml b/charts/virtual-kubelet/Chart.yaml index 1ff43f4be..fddfc59d8 100644 --- a/charts/virtual-kubelet/Chart.yaml +++ b/charts/virtual-kubelet/Chart.yaml @@ -1,6 +1,8 @@ name: virtual-kubelet -version: 0.1.3 -description: a Helm chart to install virtual kubelet inside a Kubernetes cluster. +version: 0.2.0 +appVersion: 0.3 +description: A Helm chart to install virtual kubelet inside a Kubernetes cluster. +icon: https://avatars2.githubusercontent.com/u/34250142 sources: - https://github.com/virtual-kubelet/virtual-kubelet maintainers: diff --git a/charts/virtual-kubelet/templates/NOTES.txt b/charts/virtual-kubelet/templates/NOTES.txt index dd159ca76..ae4fc0943 100644 --- a/charts/virtual-kubelet/templates/NOTES.txt +++ b/charts/virtual-kubelet/templates/NOTES.txt 
@@ -1,28 +1,12 @@ -{{- if and .Values.env.azureClientId .Values.env.azureClientKey .Values.env.azureTenantId .Values.env.azureSubscriptionId .Values.env.aciResourceGroup -}} - The virtual kubelet is getting deployed on your cluster. To verify that virtual kubelet has started, run: - kubectl --namespace={{ .Release.Namespace }} get pods -l "app={{ template "fullname" . }}" - -{{- else -}} -############################################################################## -#### ERROR: You are missing required values in the values.yaml file. #### -############################################################################## - -This deployment will be incomplete until all the required fields in the values.yaml file have been provided. - -To update, run: - - helm upgrade {{ .Release.Name }} \ - --set env.azureClientId=,env.azureClientKey=,env.azureTenantId=,env.azureSubscriptionId=,env.aciResourceGroup=,ev.aciOsType=,rbac.install= - -{{- end }} + kubectl --namespace={{ .Release.Namespace }} get pods -l "app={{ template "vk.name" . }}" {{- if (not .Values.env.apiserverCert) and (not .Values.env.apiserverKey) }} Note: TLS key pair not provided for VK HTTP listener. A key pair was generated for you. This generated key pair is not suitable for production use. -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/virtual-kubelet/templates/_helpers.tpl b/charts/virtual-kubelet/templates/_helpers.tpl index c199f18f0..4b0b69928 100644 --- a/charts/virtual-kubelet/templates/_helpers.tpl +++ b/charts/virtual-kubelet/templates/_helpers.tpl @@ -2,7 +2,7 @@ {{/* Expand the name of the chart. */}} -{{- define "name" -}} +{{- define "vk.name" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} 
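Review bot: The TLS notice condition kept at the end of the NOTES.txt hunk, `{{- if (not .Values.env.apiserverCert) and (not .Values.env.apiserverKey) }}`, still reads under `.Values.env`. The values.yaml hunk in this commit drops the `env:` map and moves `apiserverCert` and `apiserverKey` to the top level, and the README now passes `--set apiserverCert=$cert`. The same stale path appears in templates/secret.yaml, both in its condition and in the two `quote` lines of the `else` branch. An operator-supplied key pair would therefore apparently never reach the Secret: rendering either fails on the missing `env` map or falls through to the generated key pair that this note calls unsuitable for production. Pointing all of these references at `.Values.apiserverCert` and `.Values.apiserverKey` brings the templates in line with the new values layout.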
@@ -10,7 +10,20 @@ Expand the name of the chart. Create a default fully qualified app name. We truncate at 24 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). */}} -{{- define "fullname" -}} +{{- define "vk.fullname" -}} {{- $name := default .Chart.Name .Values.nameOverride -}} {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} {{- end -}} + +{{/* +Standard labels for helm resources +*/}} +{{- define "vk.labels" -}} +labels: + heritage: "{{ .Release.Service }}" + release: "{{ .Release.Name }}" + revision: "{{ .Release.Revision }}" + chart: "{{ .Chart.Name }}" + chartVersion: "{{ .Chart.Version }}" + app: {{ template "vk.name" . }} +{{- end -}} diff --git a/charts/virtual-kubelet/templates/clusterrolebinding.yaml b/charts/virtual-kubelet/templates/clusterrolebinding.yaml index ec9903577..5f80001f6 100644 --- a/charts/virtual-kubelet/templates/clusterrolebinding.yaml +++ b/charts/virtual-kubelet/templates/clusterrolebinding.yaml @@ -1,14 +1,15 @@ {{ if .Values.rbac.install }} -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: "rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}" kind: ClusterRoleBinding metadata: - name: {{ template "fullname" . }}-role-binding + name: {{ template "vk.fullname" . }} +{{ include "vk.labels" . | indent 2 }} subjects: - kind: ServiceAccount - name: {{ template "fullname" . }}-service-account - namespace: default + name: {{ template "vk.fullname" . }} + namespace: {{ .Release.Namespace }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: {{ .Values.rbac.roleRef }} -{{ end }} \ No newline at end of file +{{ end }} diff --git a/charts/virtual-kubelet/templates/deployment.yaml b/charts/virtual-kubelet/templates/deployment.yaml index 046b86a2f..5470efe2c 100644 --- a/charts/virtual-kubelet/templates/deployment.yaml +++ b/charts/virtual-kubelet/templates/deployment.yaml 
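Review bot: `app: {{ template "vk.name" . }}` is the only unquoted value in `vk.labels`, and the helper puts `revision` and `chartVersion` into every label set it produces. deployment.yaml in this commit includes the helper in the pod template and shows no `spec.selector`, so the pod labels change on every upgrade; under `extensions/v1beta1` that likely changes the defaulted selector too and can orphan the previous ReplicaSet. Consider keeping only stable keys such as `app` and `release` in the labels used on pod templates and moving `revision` and `chartVersion` to annotations. Quote the last value like the others: `app: "{{ template "vk.name" . }}"`.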
@@ -1,48 +1,96 @@ apiVersion: extensions/v1beta1 kind: Deployment metadata: - name: {{ template "fullname" . }} + name: {{ template "vk.fullname" . }} +{{ include "vk.labels" . | indent 2 }} + component: kubelet spec: replicas: 1 template: metadata: - labels: - app: {{ template "fullname" . }} +{{ include "vk.labels" . | indent 6 }} + component: kubelet + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} spec: containers: - - name: {{ template "fullname" . }} + - name: {{ template "vk.fullname" . }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} env: - name: KUBELET_PORT value: "10250" - - name: AZURE_AUTH_LOCATION - value: /etc/virtual-kubelet/credentials.json - - name: ACI_RESOURCE_GROUP - value: {{ .Values.env.aciResourceGroup }} - - name: ACI_REGION - value: {{ default "westus" .Values.env.aciRegion }} - name: APISERVER_CERT_LOCATION value: /etc/virtual-kubelet/cert.pem - name: APISERVER_KEY_LOCATION value: /etc/virtual-kubelet/key.pem - {{ if .Values.loganalytics.enabled }} - - name: LOG_ANALYTICS_AUTH_LOCATION - value: /etc/virtual-kubelet/loganalytics.json - {{ end }} - name: VKUBELET_POD_IP valueFrom: fieldRef: fieldPath: status.podIP +{{- if eq .Values.provider "azure" }} +{{- with .Values.providers.azure }} +{{- if .loganalytics.enabled }} + - name: LOG_ANALYTICS_AUTH_LOCATION + value: /etc/virtual-kubelet/loganalytics.json +{{- end }} +{{- if .targetAKS }} + - name: ACS_CREDENTIAL_LOCATION + value: /etc/acs/azure.json + - name: AZURE_TENANT_ID + value: {{ .tenantId }} + - name: AZURE_SUBSCRIPTION_ID + value: {{ .subscriptionId }} + - name: AZURE_CLIENT_ID + value: {{ .clientId }} + - name: AZURE_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ template "vk.fullname" $ }} + key: clientSecret + - name: ACI_RESOURCE_GROUP + value: {{ .aciResourceGroup }} + - name: ACI_REGION + value: {{ .aciRegion }} +{{- else }} + - name: 
AZURE_AUTH_LOCATION + value: /etc/virtual-kubelet/credentials.json + - name: ACI_RESOURCE_GROUP + value: {{ required "aciResourceGroup is required" .aciResourceGroup }} + - name: ACI_REGION + value: {{ required "aciRegion is required" .aciRegion }} +{{- end }} +{{- end }} +{{- end }} volumeMounts: - name: credentials mountPath: "/etc/virtual-kubelet" +{{- if eq .Values.provider "azure" }} +{{- if .Values.providers.azure.targetAKS }} + - name: acs-credential + mountPath: "/etc/acs/azure.json" +{{- end }} +{{- end }} command: ["virtual-kubelet"] - args: ["--provider", "azure", "--namespace", {{ default "" .Values.env.monitoredNamespace | quote }}, "--nodename", {{ default "virtual-kubelet" .Values.env.nodeName | quote }} , "--os", {{ default "Linux" .Values.env.nodeOsType | quote }}, "--taint", {{ default "azure.com/aci" .Values.env.nodeTaint | quote }}] + args: [ + "--provider", "{{ required "provider is required" .Values.provider }}", + "--namespace", "{{ .Values.monitoredNamespace }}", + "--nodename", "{{ required "nodeName is required" .Values.nodeName }}", + "--os", "{{ .Values.nodeOsType }}", + "--taint", "{{ .Values.nodeTaint }}" + ] volumes: - name: credentials secret: - secretName: {{ template "fullname" . }} - serviceAccountName: {{ if .Values.rbac.install }} "{{ template "fullname" . }}-service-account" {{ end }} + secretName: {{ template "vk.fullname" . }} +{{- if eq .Values.provider "azure" }} +{{- if .Values.providers.azure.targetAKS }} + - name: acs-credential + hostPath: + path: /etc/kubernetes/azure.json + type: File +{{- end }} +{{- end }} + serviceAccountName: {{ if .Values.rbac.install }} "{{ template "vk.fullname" . }}" {{ end }} nodeSelector: beta.kubernetes.io/os: linux diff --git a/charts/virtual-kubelet/templates/secret.yaml b/charts/virtual-kubelet/templates/secret.yaml new file mode 100644 index 000000000..3ee607a46 --- /dev/null +++ b/charts/virtual-kubelet/templates/secret.yaml 
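Review bot: The `acs-credential` volumeMount exposes the node file `/etc/kubernetes/azure.json` through a `hostPath` volume without `readOnly: true`, so the container can write to a host file that, on AKS nodes, presumably holds the cluster's cloud credentials. Add `readOnly: true` directly under `mountPath: "/etc/acs/azure.json"`. In the `targetAKS` branch the `value: {{ .tenantId }}`, `{{ .subscriptionId }}` and `{{ .clientId }}` entries are unquoted and unchecked, unlike the `required` calls in the `else` branch. Something like `value: {{ required "tenantId is required" .tenantId | quote }}` would fail at render time rather than start the pod with empty identity settings.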
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "vk.fullname" . }}
+{{ include "vk.labels" . | indent 2 }}
+type: Opaque
+data:
+{{- if (not .Values.env.apiserverCert) and (not .Values.env.apiserverKey) }}
+{{- $ca := genCA "virtual-kubelet-ca" 3650 }}
+{{- $cn := printf "%s-virtual-kubelet-apiserver" .Release.Name }}
+{{- $altName1 := printf "%s-virtual-kubelet-apiserver.%s" .Release.Name .Release.Namespace }}
+{{- $altName2 := printf "%s-virtual-kubelet-apiserver.%s.svc" .Release.Name .Release.Namespace }}
+{{- $cert := genSignedCert $cn nil (list $altName1 $altName2) 3650 $ca }}
+ cert.pem: {{ b64enc $cert.Cert }}
+ key.pem: {{ b64enc $cert.Key }}
+{{- else }}
+ cert.pem: {{ quote .Values.env.apiserverCert }}
+ key.pem: {{ quote .Values.env.apiserverKey }}
+{{- end }}
+{{- if eq .Values.provider "azure" }}
+{{- with .Values.providers.azure }}
+{{- if .loganalytics.enabled }}
+ loganalytics.json: {{ printf "{\"workspaceID\": \"%s\",\"workspaceKey\": \"%s\"}" (required "workspaceID is required for loganalytics" .loganalytics.workspaceID ) (required "workspaceKey is required for loganalytics" .loganalytics.workspaceKey ) }}
+{{- end }}
+{{- if .targetAKS }}
+ clientSecret: {{ default "" .clientKey | b64enc | quote }}
+{{- else }}
+ credentials.json: {{ printf "{ \"clientId\": \"%s\", \"clientSecret\": \"%s\", \"subscriptionId\": \"%s\", \"tenantId\": \"%s\", \"activeDirectoryEndpointUrl\": \"https://login.microsoftonline.com/\", \"resourceManagerEndpointUrl\": \"https://management.azure.com/\", \"activeDirectoryGraphResourceId\": \"https://graph.windows.net/\", \"sqlManagementEndpointUrl\": \"database.windows.net\", \"galleryEndpointUrl\": \"https://gallery.azure.com/\", \"managementEndpointUrl\": \"https://management.core.windows.net/\" }" (default "MISSING" .clientId) (default "MISSING" .clientKey) (default "MISSING" .subscriptionId) (default "MISSING" .tenantId) | b64enc | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
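Review bot: `loganalytics.json` is written under `data:` as raw JSON, while `clientSecret` and `credentials.json` in the same hunk go through `| b64enc | quote`. Secret `data` values must be base64 strings, and the unquoted `{...}` will likely be parsed as a YAML mapping, so the workspace key either fails validation or is stored wrongly. End that expression with `| b64enc | quote }}` as the other two entries do. Separately, `credentials.json` still falls back to `default "MISSING"` for every credential field; `required`, already used here for the workspace values, would stop the install instead of deploying a Secret with placeholder credentials.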
diff --git a/charts/virtual-kubelet/templates/secrets.yaml b/charts/virtual-kubelet/templates/secrets.yaml
deleted file mode 100644
index 2231caf6c..000000000
--- a/charts/virtual-kubelet/templates/secrets.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ template "fullname" . }}
-type: Opaque
-data:
- credentials.json: {{ printf "{ \"clientId\": \"%s\", \"clientSecret\": \"%s\", \"subscriptionId\": \"%s\", \"tenantId\": \"%s\", \"activeDirectoryEndpointUrl\": \"https://login.microsoftonline.com/\", \"resourceManagerEndpointUrl\": \"https://management.azure.com/\", \"activeDirectoryGraphResourceId\": \"https://graph.windows.net/\", \"sqlManagementEndpointUrl\": \"database.windows.net\", \"galleryEndpointUrl\": \"https://gallery.azure.com/\", \"managementEndpointUrl\": \"https://management.core.windows.net/\" }" (default "MISSING" .Values.env.azureClientId) (default "MISSING" .Values.env.azureClientKey) (default "MISSING" .Values.env.azureSubscriptionId) (default "MISSING" .Values.env.azureTenantId) | b64enc | quote }}
- {{- if (not .Values.env.apiserverCert) and (not .Values.env.apiserverKey) }}
- {{- $ca := genCA "virtual-kubelet-ca" 3650 }}
- {{- $cn := printf "%s-virtual-kubelet-apiserver" .Release.Name }}
- {{- $altName1 := printf "%s-virtual-kubelet-apiserver.%s" .Release.Name .Release.Namespace }}
- {{- $altName2 := printf "%s-virtual-kubelet-apiserver.%s.svc" .Release.Name .Release.Namespace }}
- {{- $cert := genSignedCert $cn nil (list $altName1 $altName2) 3650 $ca }}
- cert.pem: {{ b64enc $cert.Cert }}
- key.pem: {{ b64enc $cert.Key }}
- {{ else }}
- cert.pem: {{ quote .Values.env.apiserverCert }}
- key.pem: {{ quote .Values.env.apiserverKey }}
- {{ end}}
- {{ if .Values.loganalytics.enabled }}
- loganalytics.json: {{ printf "{\"workspaceID\": \"%s\",\"workspaceKey\": \"%s\"}" (required "workspaceID is required for loganalytics" .Values.loganalytics.workspaceID ) (required "workspaceKey is required for loganalytics" .Values.loganalytics.workspaceKey ) }}
- {{ end }}
diff --git a/charts/virtual-kubelet/templates/serviceaccount.yaml b/charts/virtual-kubelet/templates/serviceaccount.yaml
index 450120aa9..dcc9f926e 100644
--- a/charts/virtual-kubelet/templates/serviceaccount.yaml +++ b/charts/virtual-kubelet/templates/serviceaccount.yaml @@ -2,5 +2,6 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ template "fullname" . }}-service-account -{{ end }} \ No newline at end of file + name: {{ template "vk.fullname" . }} +{{ include "vk.labels" . | indent 2 }} +{{ end }} diff --git a/charts/virtual-kubelet/templates/tests/helloworld.yaml b/charts/virtual-kubelet/templates/tests/helloworld.yaml new file mode 100644 index 000000000..4ce276f0f --- /dev/null +++ b/charts/virtual-kubelet/templates/tests/helloworld.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ .Release.Name }}-{{ .Release.Revision }}-test" +{{ include "vk.labels" . | indent 2 }} + component: test + annotations: + "helm.sh/hook": test-success +spec: + containers: + - image: hello-world:linux + imagePullPolicy: Always + name: helloworld + resources: + requests: + memory: "0.1G" + cpu: 10m + limits: + memory: "0.1G" + cpu: 10m + dnsPolicy: ClusterFirst + nodeSelector: + kubernetes.io/hostname: "{{ .Values.nodeName }}" + restartPolicy: Never + tolerations: + - key: "{{ .Values.nodeTaint }}" + effect: NoSchedule diff --git a/charts/virtual-kubelet/values.yaml b/charts/virtual-kubelet/values.yaml index b1e04a6da..f126e0806 100644 --- a/charts/virtual-kubelet/values.yaml +++ b/charts/virtual-kubelet/values.yaml 
@@ -2,29 +2,37 @@ image: repository: microsoft/virtual-kubelet tag: latest pullPolicy: Always -env: - azureClientId: - azureClientKey: - azureTenantId: - azureSubscriptionId: - aciResourceGroup: - aciRegion: - nodeName: - nodeTaint: - nodeOsType: - apiserverCert: - apiserverKey: - monitoredNamespace: -loganalytics: - enabled: false - workspaceID: - workspaceKey: -# Install Default RBAC roles and bindings +## `provider` should be one of aws, azure, azurebatch, etc... +provider: +nodeName: "virtual-kubelet" +nodeTaint: "azure.com/aci" +nodeOsType: "Linux" +monitoredNamespace: "" +apiserverCert: +apiserverKey: + +providers: + azure: + ## Set to true if deploying to Azure Kubernetes Service (AKS), otherwise false + targetAKS: true + clientId: + clientKey: + tenantId: + subscriptionId: + ## `aciResourceGroup` and `aciRegion` are required only for non-AKS deployments + aciResourceGroup: + aciRegion: + loganalytics: + enabled: false + workspaceID: + workspaceKey: + +## Install Default RBAC roles and bindings rbac: - install: false + install: true serviceAccountName: virtual-kubelet - # RBAC api version (currently v1beta1) + ## RBAC api version apiVersion: v1beta1 - # Cluster role reference + ## Cluster role reference roleRef: cluster-admin diff --git a/providers/azure/README.md b/providers/azure/README.md index 55ec036aa..3d58eba2d 100644 --- a/providers/azure/README.md +++ b/providers/azure/README.md 
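Review bot: With `install: true` as the new default and `roleRef: cluster-admin` left unchanged, a default install now binds the chart's ServiceAccount to `cluster-admin` through the ClusterRoleBinding template. That gives full control of the cluster to a pod that also carries the Azure credentials. Either keep `install: false` as the default or ship a ClusterRole scoped to what the kubelet needs and reference it in `roleRef`. At minimum, document the default next to the setting, for example `## cluster-admin grants this service account full control of the cluster; prefer a narrower ClusterRole`.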
@@ -186,26 +186,19 @@ resources on your account on behalf of Kubernetes. You will need to enable ACI in your subscription: - ```cli - az provider register -n Microsoft.ContainerInstance - ``` +```cli +az provider register -n Microsoft.ContainerInstance +``` ## Deployment of the ACI provider in your cluster Run these commands to deploy the virtual kubelet which connects your Kubernetes cluster to Azure Container Instances. -If your cluster is an AKS cluster: - ```cli -export VK_RELEASE=virtual-kubelet-for-aks-0.1.3 -```` - -For any other type of Kubernetes cluster: - -```cli -export VK_RELEASE=virtual-kubelet-0.1.1 +export VK_RELEASE=virtual-kubelet-0.2.0 ``` +If your cluster is an AKS cluster: ```cli RELEASE_NAME=virtual-kubelet NODE_NAME=virtual-kubelet 
@@ -216,7 +209,37 @@ chmod +x createCertAndKey.sh . ./createCertAndKey.sh helm install "$CHART_URL" --name "$RELEASE_NAME" \ - --set env.azureClientId="$AZURE_CLIENT_ID",env.azureClientKey="$AZURE_CLIENT_SECRET",env.azureTenantId="$AZURE_TENANT_ID",env.azureSubscriptionId="$AZURE_SUBSCRIPTION_ID",env.aciRegion="$ACI_REGION",env.aciResourceGroup="$AZURE_RG",env.nodeName="$NODE_NAME",env.nodeOsType=,env.apiserverCert=$cert,env.apiserverKey=$key,rbac.install=false + --set provider=azure \ + --set providers.azure.targetAKS=true \ + --set providers.azure.tenantId=$AZURE_TENANT_ID \ + --set providers.azure.subscriptionId=$AZURE_SUBSCRIPTION_ID \ + --set providers.azure.clientId=$AZURE_CLIENT_ID \ + --set apiserverCert=$cert \ + --set apiserverKey=$key +``` + +For any other type of Kubernetes cluster: +```cli +RELEASE_NAME=virtual-kubelet +NODE_NAME=virtual-kubelet +CHART_URL=https://github.com/virtual-kubelet/virtual-kubelet/raw/master/charts/$VK_RELEASE.tgz + +curl https://raw.githubusercontent.com/virtual-kubelet/virtual-kubelet/master/scripts/createCertAndKey.sh > createCertAndKey.sh +chmod +x createCertAndKey.sh +. ./createCertAndKey.sh + +helm install "$CHART_URL" --name "$RELEASE_NAME" \ + --set provider=azure \ + --set rbac.install=true \ + --set providers.azure.targetAKS=false \ + --set providers.azure.tenantId=$AZURE_TENANT_ID \ + --set providers.azure.subscriptionId=$AZURE_SUBSCRIPTION_ID \ + --set providers.azure.clientId=$AZURE_CLIENT_ID \ + --set providers.azure.clientKey=$AZURE_CLIENT_SECRET \ + --set providers.azure.aciResourceGroup=$AZURE_RG \ + --set providers.azure.aciRegion=$ACI_REGION \ + --set apiserverCert=$cert \ + --set apiserverKey=$key ``` If your cluster has RBAC enabled set ```rbac.install=true```