Final tweaks for updated 1.19 configs.

geerlingguy · Jan 26, 2021 · 092ac11 · 092ac11
1 parent 845efb0
commit 092ac11
Show file tree

Hide file tree

Showing 4 changed files with 201 additions and 15 deletions.
diff --git a/k8s-manifests/kube-system/metrics-server.yml b/k8s-manifests/kube-system/metrics-server.yml
@@ -0,0 +1,189 @@
+# SOURCE: https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
+# One patch applied: Added `--kubelet-insecure-tls` to Deployment spec command.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: metrics-server
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    k8s-app: metrics-server
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+  name: system:aggregated-metrics-reader
+rules:
+- apiGroups:
+  - metrics.k8s.io
+  resources:
+  - pods
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: system:metrics-server
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - nodes
+  - nodes/stats
+  - namespaces
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: metrics-server-auth-reader
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+  name: metrics-server
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: metrics-server:system:auth-delegator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: metrics-server
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: system:metrics-server
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:metrics-server
+subjects:
+- kind: ServiceAccount
+  name: metrics-server
+  namespace: kube-system
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: metrics-server
+  namespace: kube-system
+spec:
+  ports:
+  - name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    k8s-app: metrics-server
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: metrics-server
+  namespace: kube-system
+spec:
+  selector:
+    matchLabels:
+      k8s-app: metrics-server
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 0
+  template:
+    metadata:
+      labels:
+        k8s-app: metrics-server
+    spec:
+      containers:
+      - args:
+        - --cert-dir=/tmp
+        - --secure-port=4443
+        - --kubelet-insecure-tls
+        - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
+        - --kubelet-use-node-status-port
+        image: k8s.gcr.io/metrics-server/metrics-server:v0.4.1
+        imagePullPolicy: IfNotPresent
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /livez
+            port: https
+            scheme: HTTPS
+          periodSeconds: 10
+        name: metrics-server
+        ports:
+        - containerPort: 4443
+          name: https
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /readyz
+            port: https
+            scheme: HTTPS
+          periodSeconds: 10
+        securityContext:
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 1000
+        volumeMounts:
+        - mountPath: /tmp
+          name: tmp-dir
+      nodeSelector:
+        kubernetes.io/os: linux
+      priorityClassName: system-cluster-critical
+      serviceAccountName: metrics-server
+      volumes:
+      - emptyDir: {}
+        name: tmp-dir
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: v1beta1.metrics.k8s.io
+spec:
+  group: metrics.k8s.io
+  groupPriorityMinimum: 100
+  insecureSkipTLSVerify: true
+  service:
+    name: metrics-server
+    namespace: kube-system
+  version: v1beta1
+  versionPriority: 100
diff --git a/setup/networking/README.md b/setup/networking/README.md
@@ -29,12 +29,15 @@ If you ever need to change active Dramble networking info, it's easy! Just chang
 _If you don't want to use the automated playbook, you can do the following on each Raspberry Pi individually_:
 
   1. Set a unique hostname (e.g. `kube1.pidramble.com` for the first server, and `kube2.pidramble.com` for the second server):
-    1. Edit `/etc/hostname` and replace the existing hostname with the new hostname.
-    2. Enter `hostname [new-hostname]` to update the hostname immediately.
-    3. Edit `/etc/hosts` and replace the existing hostname with the new hostname.
+
+     1. Edit `/etc/hostname` and replace the existing hostname with the new hostname.
+     2. Enter `hostname [new-hostname]` to update the hostname immediately.
+     3. Edit `/etc/hosts` and replace the existing hostname with the new hostname.
+
   2. Set up the network settings for our Pi network:
-    1. TODO - these instructions changed with Rasbpian Stretch.
-    2. Restart the Pi: `sudo reboot`
-    3. You'll need to reconnect to the Pi on its new static IP address.
+
+     1. TODO - these instructions changed with Raspbian Stretch.
+     2. Restart the Pi: `sudo reboot`
+     3. You'll need to reconnect to the Pi on its new static IP address.
 
 The networking configuration may need to be a little different depending on the environment in which you're using your own Dramble (whether it's on an isolated private network, connected to another network/router, using bridged WiFi interfaces, etc.).
diff --git a/tasks/k8s-services.yml b/tasks/k8s-services.yml
@@ -7,15 +7,9 @@
   delegate_to: "{{ groups.dramble[0] }}"
   run_once: True
 
-- name: Download metrics-server manifest to the cluster.
-  get_url:
-    url: https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
-    dest: ~/metrics-server.yaml
-    mode: '0664'
-
 - name: Apply metrics-server manifest to the cluster.
   k8s:
     state: present
-    src: ~/metrics-server.yaml
+    src: ~/metrics-server.yml
   run_once: True
   delegate_to: "{{ groups.dramble[0] }}"
diff --git a/vars/main.yml b/vars/main.yml
@@ -23,8 +23,8 @@ k8s_manifests:
   - nfs/deployment
   - kube-system/ingress/rbac
   - kube-system/ingress/deployment
-  # - dir: docker-registry
-  #   namespace: registry
+  - dir: docker-registry
+    namespace: registry
   - dir: drupal/mysql
     namespace: drupal
   - dir: drupal/drupal