*: add kenc and bootstrap etcd

Author: squat

config.tf

@@ -40,6 +40,7 @@ variable "tectonic_container_images" {
     flannel                      = "quay.io/coreos/flannel:v0.7.1-amd64"
     etcd                         = "quay.io/coreos/etcd:v3.1.6"
     etcd_operator                = "quay.io/coreos/etcd-operator:v0.2.5"
+    kenc                         = "quay.io/coreos/kenc:48b6feceeee56c657ea9263f47b6ea091e8d3035"
     awscli                       = "quay.io/coreos/awscli:025a357f05242fdad6a81e8a6b520098aa65a600"
   }
 }

modules/bootkube/assets.tf

@@ -26,6 +26,7 @@ resource "template_dir" "bootkube" {
     kubedns_sidecar_image  = "${var.container_images["kubedns_sidecar"]}"
     flannel_image          = "${var.container_images["flannel"]}"
     etcd_operator_image    = "${var.container_images["etcd_operator"]}"
+    kenc_image             = "${var.container_images["kenc"]}"
 
     etcd_servers    = "${data.null_data_source.etcd.outputs.no_certs ? "http://127.0.0.1:2379" : join(",", formatlist("https://%s:2379", var.etcd_endpoints))}"
     etcd_ca_flag    = "${data.null_data_source.etcd.outputs.ca_flag}"
@@ -65,6 +66,7 @@ resource "template_dir" "bootkube-bootstrap" {
 
   vars {
     hyperkube_image = "${var.container_images["hyperkube"]}"
+    etcd_image      = "${var.container_images["etcd"]}"
 
     etcd_servers   = "${data.null_data_source.etcd.outputs.no_certs ? "http://127.0.0.1:2379" : join(",", formatlist("https://%s:2379", var.etcd_endpoints))}"
     etcd_ca_flag   = "${data.null_data_source.etcd.outputs.ca_flag}"

modules/bootkube/resources/bootstrap-manifests/bootstrap-etcd.yaml

@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: bootstrap-etcd
+  namespace: kube-system
+  labels:
+    k8s-app: boot-etcd
+spec:
+  containers:
+  - name: etcd
+    image: ${etcd_image}
+    command:
+    - /usr/local/bin/etcd
+    - --name=boot-etcd
+    - --listen-client-urls=http://0.0.0.0:12379
+    - --listen-peer-urls=http://0.0.0.0:12380
+    - --advertise-client-urls=http://$(MY_POD_IP):12379
+    - --initial-advertise-peer-urls=http://$(MY_POD_IP):12380
+    - --initial-cluster=boot-etcd=http://$(MY_POD_IP):12380
+    - --initial-cluster-token=bootkube
+    - --initial-cluster-state=new
+    - --data-dir=/var/etcd/data
+    env:
+      - name: MY_POD_IP
+        valueFrom:
+          fieldRef:
+            fieldPath: status.podIP
+  hostNetwork: true
+  restartPolicy: Never

modules/bootkube/resources/manifests/kenc.yaml

@@ -0,0 +1,48 @@
+apiVersion: "extensions/v1beta1"
+kind: DaemonSet
+metadata:
+  name: kube-etcd-network-checkpointer
+  namespace: kube-system
+  labels:
+    tier: control-plane
+    component: kube-etcd-network-checkpointer
+spec:
+  template:
+    metadata:
+      labels:
+        tier: control-plane
+        component: kube-etcd-network-checkpointer
+      annotations:
+        checkpointer.alpha.coreos.com/checkpoint: "true"
+    spec:
+      containers:
+      - image: ${kenc-image}
+        name: kube-etcd-network-checkpointer
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - mountPath: /etc/kubernetes/selfhosted-etcd
+          name: checkpoint-dir
+          readOnly: false
+        - mountPath: /var/lock
+          name: var-lock
+          readOnly: false
+        command:
+        - /usr/bin/flock
+        - /var/lock/kenc.lock
+        - -c
+        - "kenc -r -m iptables && kenc -m iptables"
+      hostNetwork: true
+      nodeSelector:
+        node-role.kubernetes.io/master: ""
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+      volumes:
+      - name: checkpoint-dir
+        hostPath:
+          path: /etc/kubernetes/checkpoint-iptables
+      - name: var-lock
+        hostPath:
+          path: /var/lock