data/bootstrap: Pull content out of pkg/asset/ignition/bootstrap

.yamllint

@@ -0,0 +1,13 @@
+# Adjust the target to match the gopkg.in/yaml.v2 style used in the
+# Kubernetes ecosystem.
+
+extends: default
+
+rules:
+  document-start:
+    present: false
+  indentation:
+    indent-sequences: false
+  line-length:
+    level: warning
+    max: 120

CONTRIBUTING.md

@@ -43,6 +43,7 @@ For contributors who want to work up pull requests, the workflow is roughly:
     hack/shellcheck.sh
     hack/tf-fmt.sh -list -check
     hack/tf-lint.sh
+    hack/yaml-lint.sh
     ```
 7. Submit a pull request to the original repository.
 8. The [repo](OWNERS) [owners](OWNERS_ALIASES) will respond to your issue promptly, following [the ususal Prow workflow][prow-review].

data/data/bootstrap/files/opt/tectonic/bootkube-config-overrides/kube-apiserver-config-overrides.yaml

@@ -0,0 +1,4 @@
+apiVersion: kubecontrolplane.config.openshift.io/v1
+kind: KubeAPIServerConfig
+kubeletClientInfo:
+  ca: ""  # kubelet uses self-signed serving certs. TODO: fix kubelet pki

data/data/bootstrap/files/opt/tectonic/bootkube-config-overrides/kube-controller-manager-config-overrides.yaml

@@ -0,0 +1,2 @@
+apiVersion: kubecontrolplane.config.openshift.io/v1
+kind: KubeControllerManagerConfig

data/data/bootstrap/files/opt/tectonic/manifest-overrides/kube-proxy-daemonset.yaml

@@ -0,0 +1,61 @@
+# This is needed by kube-proxy.
+# TODO: move to the networking operator renderer.
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    k8s-app: kube-proxy
+    tier: node
+  name: kube-proxy
+  namespace: kube-system
+spec:
+  selector:
+    matchLabels:
+      k8s-app: kube-proxy
+      tier: node
+  template:
+    metadata:
+      labels:
+        k8s-app: kube-proxy
+        tier: node
+    spec:
+      containers:
+      - command:
+        - ./hyperkube
+        - proxy
+        - --cluster-cidr=10.3.0.0/16
+        - --hostname-override=$(NODE_NAME)
+        - --kubeconfig=/etc/kubernetes/kubeconfig
+        - --proxy-mode=iptables
+        env:
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        image: quay.io/coreos/hyperkube:v1.9.3_coreos.0
+        name: kube-proxy
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - mountPath: /etc/ssl/certs
+          name: ssl-certs-host
+          readOnly: true
+        - mountPath: /etc/kubernetes
+          name: kubeconfig
+          readOnly: true
+      hostNetwork: true
+      serviceAccountName: kube-proxy
+      tolerations:
+      - operator: Exists
+      volumes:
+      - hostPath:
+          path: /etc/ssl/certs
+        name: ssl-certs-host
+      - name: kubeconfig
+        secret:
+          defaultMode: 420
+          secretName: kube-proxy-kubeconfig
+  updateStrategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate

data/data/bootstrap/files/opt/tectonic/manifest-overrides/kube-proxy-kube-system-rbac-role-binding.yaml

@@ -0,0 +1,14 @@
+# This is needed by kube-proxy.
+# TODO: move to the networking operator renderer.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:default-sa
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: kube-system

data/data/bootstrap/files/opt/tectonic/manifest-overrides/kube-proxy-kubeconfig.yaml.template

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kube-proxy-kubeconfig
+  namespace: kube-system
+data:
+  kubeconfig: {{ .AdminKubeConfigBase64 }}

data/data/bootstrap/files/opt/tectonic/manifest-overrides/kube-proxy-role-binding.yaml

@@ -0,0 +1,14 @@
+# This is needed by kube-proxy.
+# TODO: move to the networking operator renderer.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kube-proxy
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:node-proxier  # Automatically created system role.
+subjects:
+- kind: ServiceAccount
+  name: kube-proxy
+  namespace: kube-system

data/data/bootstrap/files/opt/tectonic/manifest-overrides/kube-proxy-service-account.yaml

@@ -0,0 +1,7 @@
+# This is needed by kube-proxy.
+# TODO: move to the networking operator renderer.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: kube-system
+  name: kube-proxy

pkg/asset/ignition/bootstrap/content/bootkube.go → data/data/bootstrap/files/usr/local/bin/bootkube.sh.template

@@ -1,32 +1,4 @@
-package content
-
-import (
-	"text/template"
-)
-
-const (
-	// BootkubeSystemdContents is a service for running bootkube on the bootstrap
-	// nodes
-	BootkubeSystemdContents = `
-[Unit]
-Description=Bootstrap a Kubernetes cluster
-Wants=kubelet.service
-After=kubelet.service
-ConditionPathExists=!/opt/tectonic/.bootkube.done
-
-[Service]
-WorkingDirectory=/opt/tectonic
-ExecStart=/usr/local/bin/bootkube.sh
-
-Restart=on-failure
-RestartSec=5s
-`
-)
-
-var (
-	// BootkubeShFileTemplate is a script file for running bootkube on the
-	// bootstrap nodes.
-	BootkubeShFileTemplate = template.Must(template.New("bootkube.sh").Parse(`#!/usr/bin/env bash
+#!/usr/bin/env bash
 set -e
 
 mkdir --parents /etc/kubernetes/{manifests,bootstrap-configs,bootstrap-manifests}
@@ -122,9 +94,9 @@ then
 	cp kube-scheduler-bootstrap/manifests/* manifests/
 fi
 
-# TODO: Remove this when kube-proxy is properly rendered by corresponding operator.
+# TODO: Remove this when manifest-overrides is empty.
 echo "Installing temporary bootstrap manifests..."
-cp kube-proxy-operator-bootstrap/* manifests/
+cp manifest-overrides/* manifests/
 
 if [ ! -d mco-bootstrap ]
 then
@@ -227,32 +199,3 @@ podman run \
 
 # Workaround for https://github.com/opencontainers/runc/pull/1807
 touch /opt/tectonic/.bootkube.done
-`))
-)
-
-var (
-	// BootkubeConfigOverrides contains the configuration override files passed to the render commands of the components.
-	// These are supposed to be customized by the installer where the config differs from the operator render default.
-	BootkubeConfigOverrides = []*template.Template{
-		KubeApiserverConfigOverridesTemplate,
-		KubeControllerManagerConfigOverridesTemplate,
-	}
-)
-
-var (
-	// KubeApiserverConfigOverridesTemplate are overrides that the installer passes to the default config of the
-	// kube-apiserver rendered by the cluster-kube-apiserver-operator.
-	KubeApiserverConfigOverridesTemplate = template.Must(template.New("kube-apiserver-config-overrides.yaml").Parse(`
-apiVersion: kubecontrolplane.config.openshift.io/v1
-kind: KubeAPIServerConfig
-kubeletClientInfo:
-  ca: "" # kubelet uses self-signed serving certs. TODO: fix kubelet pki
-`))
-
-	// KubeControllerManagerConfigOverridesTemplate are overrides that the installer passes to the default config of the
-	// kube-controller-manager rendered by the cluster-kube-controller-manager-operator.
-	KubeControllerManagerConfigOverridesTemplate = template.Must(template.New("kube-controller-manager-config-overrides.yaml").Parse(`
-apiVersion: kubecontrolplane.config.openshift.io/v1
-kind: KubeControllerManagerConfig
-`))
-)

data/data/bootstrap/files/usr/local/bin/report-progress.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -e
+
+KUBECONFIG="${1}"
+NAME="${2}"
+MESSAGE="${3}"
+TIMESTAMP="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+
+echo "Reporting install progress..."
+
+oc --config="$KUBECONFIG" create -f - <<EOF
+apiVersion: v1
+kind: Event
+metadata:
+  name: "${NAME}"
+  namespace: kube-system
+involvedObject:
+  namespace: kube-system
+message: "${MESSAGE}"
+firstTimestamp: "${TIMESTAMP}"
+lastTimestamp: "${TIMESTAMP}"
+count: 1
+source:
+  component: cluster
+  host: $(hostname)
+EOF

pkg/asset/ignition/bootstrap/content/tectonic.go → data/data/bootstrap/files/usr/local/bin/tectonic.sh

@@ -1,25 +1,4 @@
-package content
-
-const (
-	// TectonicSystemdContents is a service that runs tectonic on the masters.
-	TectonicSystemdContents = `
-[Unit]
-Description=Bootstrap a Tectonic cluster
-Wants=bootkube.service
-After=bootkube.service
-ConditionPathExists=!/opt/tectonic/.tectonic.done
-
-[Service]
-WorkingDirectory=/opt/tectonic/tectonic
-ExecStart=/usr/local/bin/tectonic.sh /opt/tectonic/auth/kubeconfig
-
-Restart=on-failure
-RestartSec=5s
-`
-
-	// TectonicShFileContents is a script file for running tectonic on bootstrap
-	// nodes.
-	TectonicShFileContents = `#!/usr/bin/env bash
+#!/usr/bin/env bash
 set -e
 
 KUBECONFIG="$1"
@@ -93,5 +72,3 @@ wait_for_pods tectonic-system
 touch /opt/tectonic/.tectonic.done
 
 echo "Tectonic installation is done"
-`
-)

data/data/bootstrap/systemd/units/bootkube.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Bootstrap a Kubernetes cluster
+Wants=kubelet.service
+After=kubelet.service
+ConditionPathExists=!/opt/tectonic/.bootkube.done
+
+[Service]
+WorkingDirectory=/opt/tectonic
+ExecStart=/usr/local/bin/bootkube.sh
+
+Restart=on-failure
+RestartSec=5s

pkg/asset/ignition/bootstrap/content/kubelet.go → data/data/bootstrap/systemd/units/kubelet.service.template

@@ -1,9 +1,3 @@
-package content
-
-var (
-	// KubeletSystemdContents is a service for running the kubelet on the
-	// bootstrap nodes.
-	KubeletSystemdContents = `
 [Unit]
 Description=Kubernetes Kubelet
 Wants=rpc-statd.service
@@ -36,5 +30,3 @@ RestartSec=10
 
 [Install]
 WantedBy=multi-user.target
-`
-)

data/data/bootstrap/systemd/units/progress.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=Report the completion of the cluster bootstrap process
+# Workaround for https://github.com/systemd/systemd/issues/1312
+Wants=bootkube.service tectonic.service
+After=bootkube.service tectonic.service
+
+[Service]
+# Workaround for https://github.com/systemd/systemd/issues/1312 and https://github.com/opencontainers/runc/pull/1807
+ExecStartPre=/usr/bin/test -f /opt/tectonic/.bootkube.done
+ExecStartPre=/usr/bin/test -f /opt/tectonic/.tectonic.done
+ExecStart=/usr/local/bin/report-progress.sh /opt/tectonic/auth/kubeconfig bootstrap-complete "cluster bootstrapping has completed"
+
+Restart=on-failure
+RestartSec=5s
+
+[Install]
+WantedBy=multi-user.target

data/data/bootstrap/systemd/units/tectonic.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Bootstrap a Tectonic cluster
+Wants=bootkube.service
+After=bootkube.service
+ConditionPathExists=!/opt/tectonic/.tectonic.done
+
+[Service]
+WorkingDirectory=/opt/tectonic/tectonic
+ExecStart=/usr/local/bin/tectonic.sh /opt/tectonic/auth/kubeconfig
+
+Restart=on-failure
+RestartSec=5s

hack/yaml-lint.sh

@@ -1,7 +1,6 @@
 #!/bin/sh
-exit 0  # temporarily disable while we work out whether to drop this
 if [ "$IS_CONTAINER" != "" ]; then
-  yamllint --config-data "{extends: default, rules: {line-length: {level: warning, max: 120}}}" .
+  yamllint .
 else
   podman run --rm \
     --env IS_CONTAINER=TRUE \