From de1a1e826f667ae5d32e2fcb00847b9af4fa5fe0 Mon Sep 17 00:00:00 2001
From: Paul Lecuq
Date: Fri, 26 Aug 2022 20:15:09 +0200
Subject: [PATCH] added initial state for kubernetes
---
states/kubernetes/config.sls | 2 +
states/kubernetes/defaults.yaml | 7 +
states/kubernetes/init.sls | 5 +
states/kubernetes/install.sls | 10 +
states/kubernetes/kernelmap.yaml | 3 +
states/kubernetes/map.jinja | 14 ++
states/kubernetes/osarchmap.yaml | 21 ++
states/kubernetes/prepare.sls | 29 +++
states/kubernetes/service.sls | 2 +
states/kubernetes/templates/config.toml.j2 | 251 +++++++++++++++++++++
states/kubernetes/templates/sysctl.conf.j2 | 5 +
11 files changed, 349 insertions(+)
create mode 100644 states/kubernetes/config.sls
create mode 100644 states/kubernetes/defaults.yaml
create mode 100644 states/kubernetes/init.sls
create mode 100644 states/kubernetes/install.sls
create mode 100644 states/kubernetes/kernelmap.yaml
create mode 100644 states/kubernetes/map.jinja
create mode 100644 states/kubernetes/osarchmap.yaml
create mode 100644 states/kubernetes/prepare.sls
create mode 100644 states/kubernetes/service.sls
create mode 100644 states/kubernetes/templates/config.toml.j2
create mode 100644 states/kubernetes/templates/sysctl.conf.j2
diff --git a/states/kubernetes/config.sls b/states/kubernetes/config.sls
new file mode 100644
index 0000000..3f9dbe1
--- /dev/null
+++ b/states/kubernetes/config.sls
@@ -0,0 +1,2 @@
+---
+{%- from "kubernetes/map.jinja" import kubernetes with context %}
diff --git a/states/kubernetes/defaults.yaml b/states/kubernetes/defaults.yaml
new file mode 100644
index 0000000..c02aa33
--- /dev/null
+++ b/states/kubernetes/defaults.yaml
@@ -0,0 +1,7 @@
+---
+kubernetes:
+ enabled: true
+ os: linux
+ arch: amd64
+ required_modules:
+ - br_netfilter
diff --git a/states/kubernetes/init.sls b/states/kubernetes/init.sls
new file mode 100644
index 0000000..e91769e
--- /dev/null
+++ b/states/kubernetes/init.sls
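Review bot: `enabled: true` in defaults.yaml is declared but nothing in this change reads it — neither init.sls nor any of the states gate on `kubernetes.enabled` — so it is dead configuration; either guard the includes with it or drop it until it is used. The `required_modules` list also looks short: the containerd template in this commit pins `snapshotter = "overlayfs"`, which on most kernels needs the `overlay` module loaded, so `- overlay` presumably belongs next to `- br_netfilter`. The hard-coded `os: linux` and `arch: amd64` defaults are overridden per host by kernelmap.yaml and osarchmap.yaml through map.jinja, which is fine as long as those maps cover every target the state is applied to.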
@@ -0,0 +1,5 @@
+---
+include:
+ - repos
+ - .install
+ - .prepare
diff --git a/states/kubernetes/install.sls b/states/kubernetes/install.sls
new file mode 100644
index 0000000..0c90089
--- /dev/null
+++ b/states/kubernetes/install.sls
@@ -0,0 +1,10 @@
+---
+{%- from "kubernetes/map.jinja" import kubernetes with context %}
+kubernetes-install-pkgs:
+ pkg.installed:
+ - pkgs:
+ - kubelet
+ - kubeadm
+ - kubectl
+ - containerd
+ - wireguard-tools
diff --git a/states/kubernetes/kernelmap.yaml b/states/kubernetes/kernelmap.yaml
new file mode 100644
index 0000000..40943f2
--- /dev/null
+++ b/states/kubernetes/kernelmap.yaml
@@ -0,0 +1,3 @@
+---
+Linux:
+ os: "linux"
diff --git a/states/kubernetes/map.jinja b/states/kubernetes/map.jinja
new file mode 100644
index 0000000..c57f84e
--- /dev/null
+++ b/states/kubernetes/map.jinja
@@ -0,0 +1,14 @@
+{%- import_yaml "kubernetes/defaults.yaml" as default_settings -%}
+
+{%- import_yaml "kubernetes/kernelmap.yaml" as kernelmap -%}
+{%- import_yaml "kubernetes/osarchmap.yaml" as osarchmap -%}
+
+{%- set defaults = salt['grains.filter_by'](default_settings,
+ default='kubernetes',
+ merge=salt['grains.filter_by'](osarchmap, grain='osarch',
+ merge=salt['grains.filter_by'](kernelmap, grain='kernel')
+ )
+ )
+-%}
+
+{%- set kubernetes = salt['pillar.get']('kubernetes', default=defaults, merge=True) -%}
\ No newline at end of file
diff --git a/states/kubernetes/osarchmap.yaml b/states/kubernetes/osarchmap.yaml
new file mode 100644
index 0000000..4bd82f8
--- /dev/null
+++ b/states/kubernetes/osarchmap.yaml
@@ -0,0 +1,21 @@
+---
+amd64:
+ arch: "amd64"
+
+x86_64:
+ arch: "amd64"
+
+386:
+ arch: "386"
+
+arm64:
+ arch: "arm64"
+
+armv6l:
+ arch: "arm"
+
+armv7l:
+ arch: "arm"
+
+armhf:
+ arch: "arm"
diff --git a/states/kubernetes/prepare.sls b/states/kubernetes/prepare.sls
new file mode 100644
index 0000000..d0e2195
--- /dev/null
+++ b/states/kubernetes/prepare.sls
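Review bot: The `pkgs` list in `kubernetes-install-pkgs` installs kubelet, kubeadm and kubectl unpinned, so a routine `pkg.installed` run or a distribution upgrade can move a node to whatever version the repository currently serves, breaking kubeadm's version-skew rules and leaving the cluster with mixed node versions. Pin the three to a version taken from the `kubernetes` map and hold them, e.g. `- kubelet: {{ kubernetes.version }}` for each entry plus `- hold: True` under `pkg.installed`, with a `version` key added to defaults.yaml (the map is already imported in this file but never used). The state also carries no `require` on the `repos` state that init.sls includes; when the package repository is provisioned in the same run, an explicit `require` keeps this state from racing ahead of it.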
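Review bot: The `386:` key in osarchmap.yaml is an unquoted YAML scalar and is loaded as the integer 386, while `grains.filter_by` compares the `osarch` grain as a string, so this entry can never match; quote it as `"386":`. It is also unclear which grain value it is meant to catch — the `osarch` grain on 32-bit x86 is typically reported as `i386` or `i686` rather than `386` — so the key probably needs to be one of those. Because map.jinja in this commit falls through to the `arch: amd64` default in defaults.yaml when nothing matches, the mismatch is masked rather than reported.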
@@ -0,0 +1,29 @@
+---
+{%- from "kubernetes/map.jinja" import kubernetes with context %}
+kubernetes-prepare-containerd-conf:
+ file.managed:
+ - name: /etc/containerd/config.toml
+ - source: salt://kubernetes/templates/config.toml.j2
+ - template: jinja
+
+kubernetes-prepare-reset-cni:
+ file.absent:
+ - name: /etc/cni/net.d/10-flannel.conflist
+
+{% for module in kubernetes.required_modules %}
+kubernetes-modules-load-{{ module }}:
+ cmd.run:
+ - name: modprobe {{ module }}
+{% endfor %}
+
+kubernetes-modules-loadatstartup-{{ module }}:
+ file.managed:
+ - name: /etc/sysctl.d/10-kube.conf
+ - source: salt///kubernetes/templates/sysctl.conf.j2
+ - template: jinja
+
+{% for name in ['iptables', 'ip6tables'] %}
+kubernetes-alternatives-{{ name }}:
+ cmd.run:
+ - name: "update-alternatives --set {{ name }} /usr/sbin/{{ name }}"
+{% endfor %}
\ No newline at end of file
diff --git a/states/kubernetes/service.sls b/states/kubernetes/service.sls
new file mode 100644
index 0000000..3f9dbe1
--- /dev/null
+++ b/states/kubernetes/service.sls
@@ -0,0 +1,2 @@
+---
+{%- from "kubernetes/map.jinja" import kubernetes with context %}
diff --git a/states/kubernetes/templates/config.toml.j2 b/states/kubernetes/templates/config.toml.j2
new file mode 100644
index 0000000..2e2b01e
--- /dev/null
+++ b/states/kubernetes/templates/config.toml.j2
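Review bot: `kubernetes-modules-loadatstartup-{{ module }}` sits outside the `{% for module ... %}` loop, so `module` is out of scope there and Salt's Jinja renderer either fails on the undefined name or emits a state id ending in a bare `-`, depending on its undefined handling. The same block is mis-targeted as well: it writes `/etc/sysctl.d/10-kube.conf` from sysctl.conf.j2, which (see that hunk) renders bare module names, and sysctl.d rejects lines that are not `key = value`; persistent module loading belongs under /etc/modules-load.d, and the `salt///` source URL has an extra slash. The `modprobe` cmd.run states are unconditional and report a change on every highstate; the `kmod.present` state with `persist: True` loads each module idempotently and writes the modules-load entry itself, which lets the broken block be removed entirely. The `update-alternatives --set` cmd.run states could likewise take an `unless: update-alternatives --query {{ name }} | grep -q 'Value: /usr/sbin/{{ name }}'` guard so they stop reporting changes. The containerd `file.managed` has no `watch_in` on a containerd service, so an updated config.toml is not applied until something else restarts the daemon (service.sls in this commit is still an empty stub).
```yaml
{% for module in kubernetes.required_modules %}
kubernetes-modules-load-{{ module }}:
  kmod.present:
    - name: {{ module }}
    - persist: True
{% endfor %}
# … unchanged: kubernetes-prepare-containerd-conf, kubernetes-prepare-reset-cni, alternatives loop …
# (kubernetes-modules-loadatstartup block dropped; persistence is handled by kmod.present)
```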
@@ -0,0 +1,251 @@
+## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
+disabled_plugins = []
+imports = []
+oom_score = 0
+plugin_dir = ""
+required_plugins = []
+root = "/var/lib/containerd"
+state = "/run/containerd"
+temp = ""
+version = 2
+
+[cgroup]
+ path = ""
+
+[debug]
+ address = ""
+ format = ""
+ gid = 0
+ level = ""
+ uid = 0
+
+[grpc]
+ address = "/run/containerd/containerd.sock"
+ gid = 0
+ max_recv_message_size = 16777216
+ max_send_message_size = 16777216
+ tcp_address = ""
+ tcp_tls_ca = ""
+ tcp_tls_cert = ""
+ tcp_tls_key = ""
+ uid = 0
+
+[metrics]
+ address = ""
+ grpc_histogram = false
+
+[plugins]
+
+ [plugins."io.containerd.gc.v1.scheduler"]
+ deletion_threshold = 0
+ mutation_threshold = 100
+ pause_threshold = 0.02
+ schedule_delay = "0s"
+ startup_delay = "100ms"
+
+ [plugins."io.containerd.grpc.v1.cri"]
+ device_ownership_from_security_context = false
+ disable_apparmor = false
+ disable_cgroup = false
+ disable_hugetlb_controller = true
+ disable_proc_mount = false
+ disable_tcp_service = true
+ enable_selinux = false
+ enable_tls_streaming = false
+ enable_unprivileged_icmp = false
+ enable_unprivileged_ports = false
+ ignore_image_defined_volumes = false
+ max_concurrent_downloads = 3
+ max_container_log_line_size = 16384
+ netns_mounts_under_state_dir = false
+ restrict_oom_score_adj = false
+ sandbox_image = "k8s.gcr.io/pause:3.6"
+ selinux_category_range = 1024
+ stats_collect_period = 10
+ stream_idle_timeout = "4h0m0s"
+ stream_server_address = "127.0.0.1"
+ stream_server_port = "0"
+ systemd_cgroup = false
+ tolerate_missing_hugetlb_controller = true
+ unset_seccomp_profile = ""
+
+ [plugins."io.containerd.grpc.v1.cri".cni]
+ bin_dir = "/opt/cni/bin"
+ conf_dir = "/etc/cni/net.d"
+ conf_template = ""
+ ip_pref = ""
+ max_conf_num = 1
+
+ [plugins."io.containerd.grpc.v1.cri".containerd]
+ default_runtime_name = "runc"
+ disable_snapshot_annotations = true
+ discard_unpacked_layers = false
+ ignore_rdt_not_enabled_errors = false
+ no_pivot = false
+ snapshotter = "overlayfs"
+
+ [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime]
+ base_runtime_spec = ""
+ cni_conf_dir = ""
+ cni_max_conf_num = 0
+ container_annotations = []
+ pod_annotations = []
+ privileged_without_host_devices = false
+ runtime_engine = ""
+ runtime_path = ""
+ runtime_root = ""
+ runtime_type = ""
+
+ [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime.options]
+
+ [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
+
+ [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
+ base_runtime_spec = ""
+ cni_conf_dir = ""
+ cni_max_conf_num = 0
+ container_annotations = []
+ pod_annotations = []
+ privileged_without_host_devices = false
+ runtime_engine = ""
+ runtime_path = ""
+ runtime_root = ""
+ runtime_type = "io.containerd.runc.v2"
+
+ [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
+ BinaryName = ""
+ CriuImagePath = ""
+ CriuPath = ""
+ CriuWorkPath = ""
+ IoGid = 0
+ IoUid = 0
+ NoNewKeyring = false
+ NoPivotRoot = false
+ Root = ""
+ ShimCgroup = ""
+ SystemdCgroup = true
+
+ [plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime]
+ base_runtime_spec = ""
+ cni_conf_dir = ""
+ cni_max_conf_num = 0
+ container_annotations = []
+ pod_annotations = []
+ privileged_without_host_devices = false
+ runtime_engine = ""
+ runtime_path = ""
+ runtime_root = ""
+ runtime_type = ""
+
+ [plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime.options]
+
+ [plugins."io.containerd.grpc.v1.cri".image_decryption]
+ key_model = "node"
+
+ [plugins."io.containerd.grpc.v1.cri".registry]
+ config_path = ""
+
+ [plugins."io.containerd.grpc.v1.cri".registry.auths]
+
+ [plugins."io.containerd.grpc.v1.cri".registry.configs]
+
+ [plugins."io.containerd.grpc.v1.cri".registry.headers]
+
+ [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
+
+ [plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming]
+ tls_cert_file = ""
+ tls_key_file = ""
+
+ [plugins."io.containerd.internal.v1.opt"]
+ path = "/opt/containerd"
+
+ [plugins."io.containerd.internal.v1.restart"]
+ interval = "10s"
+
+ [plugins."io.containerd.internal.v1.tracing"]
+ sampling_ratio = 1.0
+ service_name = "containerd"
+
+ [plugins."io.containerd.metadata.v1.bolt"]
+ content_sharing_policy = "shared"
+
+ [plugins."io.containerd.monitor.v1.cgroups"]
+ no_prometheus = false
+
+ [plugins."io.containerd.runtime.v1.linux"]
+ no_shim = false
+ runtime = "runc"
+ runtime_root = ""
+ shim = "containerd-shim"
+ shim_debug = false
+
+ [plugins."io.containerd.runtime.v2.task"]
+ platforms = ["linux/amd64"]
+ sched_core = false
+
+ [plugins."io.containerd.service.v1.diff-service"]
+ default = ["walking"]
+
+ [plugins."io.containerd.service.v1.tasks-service"]
+ rdt_config_file = ""
+
+ [plugins."io.containerd.snapshotter.v1.aufs"]
+ root_path = ""
+
+ [plugins."io.containerd.snapshotter.v1.btrfs"]
+ root_path = ""
+
+ [plugins."io.containerd.snapshotter.v1.devmapper"]
+ async_remove = false
+ base_image_size = ""
+ discard_blocks = false
+ fs_options = ""
+ fs_type = ""
+ pool_name = ""
+ root_path = ""
+
+ [plugins."io.containerd.snapshotter.v1.native"]
+ root_path = ""
+
+ [plugins."io.containerd.snapshotter.v1.overlayfs"]
+ root_path = ""
+ upperdir_label = false
+
+ [plugins."io.containerd.snapshotter.v1.zfs"]
+ root_path = ""
+
+ [plugins."io.containerd.tracing.processor.v1.otlp"]
+ endpoint = ""
+ insecure = false
+ protocol = ""
+
+[proxy_plugins]
+
+[stream_processors]
+
+ [stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
+ accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"]
+ args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
+ env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
+ path = "ctd-decoder"
+ returns = "application/vnd.oci.image.layer.v1.tar"
+
+ [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.gzip"]
+ accepts = ["application/vnd.oci.image.layer.v1.tar+gzip+encrypted"]
+ args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
+ env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
+ path = "ctd-decoder"
+ returns = "application/vnd.oci.image.layer.v1.tar+gzip"
+
+[timeouts]
+ "io.containerd.timeout.bolt.open" = "0s"
+ "io.containerd.timeout.shim.cleanup" = "5s"
+ "io.containerd.timeout.shim.load" = "5s"
+ "io.containerd.timeout.shim.shutdown" = "3s"
+ "io.containerd.timeout.task.state" = "2s"
+
+[ttrpc]
+ address = ""
+ gid = 0
+ uid = 0
diff --git a/states/kubernetes/templates/sysctl.conf.j2 b/states/kubernetes/templates/sysctl.conf.j2
new file mode 100644
index 0000000..7bf420c
--- /dev/null
+++ b/states/kubernetes/templates/sysctl.conf.j2
@@ -0,0 +1,5 @@
+## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
+{%- from "kubernetes/map.jinja" import kubernetes with context %}
+{% for module in kubernetes.required_modules %}
+{{ module }}
+{% endfor %}
\ No newline at end of file
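Review bot: `platforms = ["linux/amd64"]` under `[plugins."io.containerd.runtime.v2.task"]` is hard-coded even though map.jinja in this commit derives `os` and `arch` per host, so arm64 nodes presumably end up advertising an amd64-only platform list; import the map at the top of the template, `{%- from "kubernetes/map.jinja" import kubernetes with context %}`, and render `platforms = ["{{ kubernetes.os }}/{{ kubernetes.arch }}"]`. `sandbox_image = "k8s.gcr.io/pause:3.6"` is likewise fixed in the template; the k8s.gcr.io registry has since been frozen in favour of registry.k8s.io, so this value is worth exposing through the map (a `sandbox_image` key in defaults.yaml) rather than editing the template per cluster. Apart from the managed-file header and `SystemdCgroup = true`, the file looks like a verbatim `containerd config default` dump; a one-line comment after the header naming the containerd version it was generated from would tell the next maintainer which defaults it can be diffed against. The security-relevant toggles (`disable_apparmor`, `restrict_oom_score_adj`, `enable_unprivileged_ports`, `enable_tls_streaming`) are all left at their defaults, which is reasonable for a first cut but deserves a short comment stating that the defaults are intentional.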