# Locate this script's directory and the env/lib directory two levels up
# from it; LIBDIR provides logging.sh and common.sh (their contents, and
# whether they enable set -e, are not visible in this listing).
# NOTE(review): every expansion on these lines is unquoted, so a path
# containing whitespace or glob characters would be word-split; quoting
# each $(...) and ${...} is the usual fix.  readlink -f is the GNU form and
# is not guaranteed on every platform's readlink.
4 SCRIPTDIR="$(readlink -f $(dirname ${BASH_SOURCE[0]}))"
5 LIBDIR="$(dirname $(dirname ${SCRIPTDIR}))/env/lib"
7 source $LIBDIR/logging.sh
8 source $LIBDIR/common.sh
#######################################
# Rebuild the flannel addon: download the upstream kube-flannel.yml for
# FLANNEL_VERSION into addons/flannel.yaml and wrap it as a Helm-templated
# ConfigMap in templates/flannel-addon.yaml, guarded by
# `eq .Values.cni "flannel"`.  The trailing sed calls prefix the ConfigMap
# name with .Values.clusterName and swap the upstream default pod CIDR
# 10.244.0.0/16 for .Values.podCidr.
# Globals:   SCRIPTDIR (read), FLANNEL_VERSION (read; an unset value yields
#            a malformed download URL, nothing checks it here)
# Outputs:   addons/flannel.yaml, templates/flannel-addon.yaml
# Requires:  curl, kubectl on PATH (not checked)
# NOTE(review): the download is pinned only by FLANNEL_VERSION; nothing
# verifies a checksum, and curl is run without -f, so an HTTP error body
# would be written to flannel.yaml and wrapped into the ConfigMap as if it
# were a manifest.  The CIDR substitution has no /g flag and its dots are
# unescaped, so it assumes the CIDR occurs at most once per line — TODO
# confirm against the upstream file.
10 function build_source_flannel {
11 curl -sL https://raw.githubusercontent.com/coreos/flannel/${FLANNEL_VERSION}/Documentation/kube-flannel.yml -o ${SCRIPTDIR}/addons/flannel.yaml
# Unquoted heredoc on purpose: the $(kubectl ...) line expands here, while
# the {{ }} Helm markup is not shell syntax and passes through for Helm.
12 cat <<EOF >${SCRIPTDIR}/templates/flannel-addon.yaml
13 {{- if eq .Values.cni "flannel" }}
15 $(kubectl create configmap flannel-addon --from-file=${SCRIPTDIR}/addons/flannel.yaml -o yaml --dry-run=client)
18 sed -i -e 's/ name: flannel-addon/ name: {{ .Values.clusterName }}-flannel-addon/' ${SCRIPTDIR}/templates/flannel-addon.yaml
19 sed -i -e 's/10.244.0.0\/16/{{ .Values.podCidr }}/' ${SCRIPTDIR}/templates/flannel-addon.yaml
#######################################
# Rebuild the flux addon.  `flux install --export` regenerates the Flux
# controller manifests under deploy/site/cluster-addons/flux-system (see the
# NOTE below), kustomize renders them into addons/flux-system.yaml, and a
# RoleBinding named psp:privileged:flux-system whose subject is the
# system:serviceaccounts:flux-system group is appended (its roleRef is on
# lines not shown in this listing).  addons/sync.yaml is a Helm template
# (quoted heredoc, so {{ }} passes through untouched) holding what appear
# to be a GitRepository and a Kustomization and, when
# .Values.flux.decryptionSecret is set, a sops-gpg Secret.  Both files are
# wrapped into a ConfigMap in templates/flux-addon.yaml.
# Globals:   SCRIPTDIR (read)
# Outputs:   ../site/cluster-addons/flux-system/gotk-components.yaml,
#            addons/flux-system.yaml, addons/sync.yaml,
#            templates/flux-addon.yaml
# Requires:  flux, kustomize, kubectl on PATH (not checked)
# NOTE(review): the sops-gpg object in sync.yaml carries the decryption
# key (.Values.flux.decryptionSecret) and sync.yaml is then embedded in a
# ConfigMap, so the key is readable by anyone who can read that ConfigMap
# wherever the chart installs it; ConfigMaps do not get the RBAC or
# at-rest handling usually reserved for Secrets.  Confirm the ConfigMap's
# namespace and RBAC, or keep the key out of the chart values.  The
# RoleBinding also extends the privileged policy to every service account
# in flux-system, not just the Flux controllers.
22 function build_source_flux {
23 # NOTE: This reaches outside this directory to
24 # deploy/site/cluster-addons/flux-system. This is to ensure that
25 # the day-0 config of a cluster using deploy/site/cluster-addons
26 # is in sync with the chart.
# NOTE(review): neither command's exit status is checked; unless the
# sourced libs enable set -e, a failed flux or kustomize run leaves a
# truncated or stale output file and the function carries on.
27 flux install --export >${SCRIPTDIR}/../site/cluster-addons/flux-system/gotk-components.yaml
28 kustomize build ${SCRIPTDIR}/../site/cluster-addons/flux-system >${SCRIPTDIR}/addons/flux-system.yaml
# Append (>>) the flux-system RoleBinding to the rendered components.
29 cat <<EOF >>${SCRIPTDIR}/addons/flux-system.yaml
31 apiVersion: rbac.authorization.k8s.io/v1
34 name: psp:privileged:flux-system
35 namespace: flux-system
37 apiGroup: rbac.authorization.k8s.io
42 name: system:serviceaccounts:flux-system
43 apiGroup: rbac.authorization.k8s.io
45 # The name "sync" must be sorted after "flux-system" to ensure
46 # CRDs are instantiated first
# Quoted delimiter ('EOF'): nothing in this block is expanded by the shell;
# every {{ }} is resolved by Helm at install time.
47 cat <<'EOF' >${SCRIPTDIR}/addons/sync.yaml
48 {{- if .Values.flux.decryptionSecret }}
54 name: {{ .Values.flux.repositoryName }}-{{ .Values.flux.branch }}-sops-gpg
55 namespace: flux-system
57 sops.asc: {{ .Values.flux.decryptionSecret | b64enc }}
60 apiVersion: source.toolkit.fluxcd.io/v1beta1
63 name: {{ .Values.flux.repositoryName }}
64 namespace: flux-system
66 gitImplementation: go-git
69 branch: {{ .Values.flux.branch }}
71 url: {{ .Values.flux.url }}
73 apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
76 name: {{ .Values.clusterName }}-flux-sync
77 namespace: flux-system
80 path: {{ .Values.flux.path }}
84 name: {{ .Values.flux.repositoryName }}
85 {{- if .Values.flux.decryptionSecret }}
89 name: {{ .Values.flux.repositoryName }}-{{ .Values.flux.branch }}-sops-gpg
92 cat <<EOF >${SCRIPTDIR}/templates/flux-addon.yaml
93 {{- if .Values.flux }}
95 $(kubectl create configmap flux-addon --from-file=${SCRIPTDIR}/addons/flux-system.yaml,${SCRIPTDIR}/addons/sync.yaml -o yaml --dry-run=client)
98 sed -i -e 's/ name: flux-addon/ name: {{ .Values.clusterName }}-flux-addon/' ${SCRIPTDIR}/templates/flux-addon.yaml
#######################################
# Rebuild the podsecurity addon: assemble addons/podsecurity.yaml from the
# upstream privileged/baseline/restricted example PodSecurityPolicies, an
# "icn" policy derived from privileged-psp by renaming it and deleting its
# allowedCapabilities range (and, judging by the following lines, adding a
# requiredDropCapabilities list whose entries are not shown here), plus the
# RBAC that binds them: four role objects scoped to podsecuritypolicies
# (kinds not visible in this listing) labelled
# addonmanager.kubernetes.io/mode: Reconcile, RoleBindings in kube-system
# for nodes and for the system:serviceaccounts:kube-system group, and a
# ClusterRoleBinding whose subject is system:authenticated.  The result is
# wrapped into a ConfigMap in templates/podsecurity-addon.yaml.
# Globals:   SCRIPTDIR (read)
# Outputs:   addons/podsecurity.yaml, templates/podsecurity-addon.yaml
# Requires:  curl, sed, kubectl on PATH (not checked)
# NOTE(review): the example PSPs are fetched from the `main` branch of
# kubernetes/website — an unpinned, mutable source — with no checksum and
# no curl -f, so a changed upstream file or an HTTP error page silently
# becomes part of the generated policy; pinning to a commit and verifying a
# digest would make the rebuild reproducible.  The ClusterRoleBinding on
# system:authenticated grants its policy to every authenticated identity
# cluster-wide, which matches the intent stated below but deserves an
# explicit review of what the icn policy still permits.  The sed range
# that strips allowedCapabilities depends on the upstream indentation —
# TODO confirm it still matches the current example file.
101 function build_source_podsecurity {
102 # PodSecurityPolicy is being replaced in future versions of K8s.
103 # The recommended practice is described by K8s at
104 # - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#recommended-practice
105 # - https://kubernetes.io/docs/concepts/security/pod-security-standards/
106 # and provides three levels: privileged, baseline, and restricted.
108 # The question to answer here is how to reconcile the K8s levels
109 # against the Akraino security requirements.
111 # For the time being, the below populates the cluster with the K8s
112 # recommended levels and provides an additional policy (icn) bound
113 # to the system:authenticated group to meet the Akraino
# Unquoted heredoc: each $(curl ...) below is expanded into the file at
# build time, so the generated YAML is a snapshot of upstream at that moment.
115 cat <<EOF >${SCRIPTDIR}/addons/podsecurity.yaml
117 $(curl -sL https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy/privileged-psp.yaml)
119 $(curl -sL https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy/baseline-psp.yaml)
121 $(curl -sL https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy/restricted-psp.yaml)
123 $(curl -sL https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy/privileged-psp.yaml |
124 sed -e 's/ name: privileged/ name: icn/' |
125 sed -e '/^ allowedCapabilities:/,/^ [!-]/d')
131 requiredDropCapabilities:
134 apiVersion: rbac.authorization.k8s.io/v1
139 addonmanager.kubernetes.io/mode: Reconcile
146 - podsecuritypolicies
150 apiVersion: rbac.authorization.k8s.io/v1
155 addonmanager.kubernetes.io/mode: Reconcile
162 - podsecuritypolicies
166 apiVersion: rbac.authorization.k8s.io/v1
171 addonmanager.kubernetes.io/mode: Reconcile
178 - podsecuritypolicies
182 apiVersion: rbac.authorization.k8s.io/v1
187 addonmanager.kubernetes.io/mode: Reconcile
194 - podsecuritypolicies
198 apiVersion: rbac.authorization.k8s.io/v1
201 name: psp:privileged:nodes
202 namespace: kube-system
204 addonmanager.kubernetes.io/mode: Reconcile
206 apiGroup: rbac.authorization.k8s.io
212 apiGroup: rbac.authorization.k8s.io
214 apiVersion: rbac.authorization.k8s.io/v1
217 name: psp:privileged:kube-system
218 namespace: kube-system
220 apiGroup: rbac.authorization.k8s.io
225 name: system:serviceaccounts:kube-system
226 apiGroup: rbac.authorization.k8s.io
228 apiVersion: rbac.authorization.k8s.io/v1
229 kind: ClusterRoleBinding
235 apiGroup: rbac.authorization.k8s.io
238 name: system:authenticated
239 apiGroup: rbac.authorization.k8s.io
241 cat <<EOF >${SCRIPTDIR}/templates/podsecurity-addon.yaml
243 $(kubectl create configmap podsecurity-addon --from-file=${SCRIPTDIR}/addons/podsecurity.yaml -o yaml --dry-run=client)
245 sed -i -e 's/ name: podsecurity-addon/ name: {{ .Values.clusterName }}-podsecurity-addon/' ${SCRIPTDIR}/templates/podsecurity-addon.yaml
#######################################
# Rebuild the calico addon.  The upstream calico.yaml for CALICO_VERSION
# (major.minor only, via ${CALICO_VERSION%.*}) becomes a kustomize base;
# three overlays (ipv4, dualstack, ipv6) patch the env of what is
# presumably the calico-node workload in kube-system
# (IP_AUTODETECTION_METHOD / IP6_AUTODETECTION_METHOD, FELIX_IPV6SUPPORT,
# CALICO_ROUTER_ID) and, for dualstack and ipv6, the CNI config's
# assign_ipv4 / assign_ipv6 flags.  Each overlay is rendered to
# addons/calico/<variant>.yaml and templates/calico-addon.yaml embeds the
# one selected by .Values.ipam in a ConfigMap.
# Globals:   SCRIPTDIR (read), CALICO_VERSION (read)
# Outputs:   addons/calico/** and templates/calico-addon.yaml
# Requires:  curl, sed, kustomize, kubectl on PATH (not checked)
# NOTE(review): the download has no checksum and no curl -f (same concern
# as the flannel function).  All three overlays use
# can-reach=www.google.com for node IP autodetection, so calico-node needs
# a route toward that host at startup; egress-restricted or air-gapped
# clusters will not autodetect an address with this setting and the pods
# will fail to come up.
248 function build_source_calico {
249 mkdir -p ${SCRIPTDIR}/addons/calico/{base,ipv4,dualstack,ipv6}
250 curl -sL https://docs.projectcalico.org/archive/${CALICO_VERSION%.*}/manifests/calico.yaml -o ${SCRIPTDIR}/addons/calico/base/calico.yaml
251 # Remove trailing whitespace so that kubectl create configmap
252 # doesn't insert explicit newlines
253 sed -i -r 's/\s+$//g' ${SCRIPTDIR}/addons/calico/base/calico.yaml
# Regenerate the base kustomization from whatever is in the directory.
# NOTE(review): this is an && chain, so if kustomize create fails popd is
# skipped and the shell stays in addons/calico/base; the rest of the
# function uses absolute ${SCRIPTDIR} paths, so the leftover effect is on
# the caller's working directory rather than on the generated files.
254 pushd ${SCRIPTDIR}/addons/calico/base && rm -f kustomization.yaml && kustomize create --autodetect && popd
256 # IPv4 only (the default)
257 cat <<EOF >${SCRIPTDIR}/addons/calico/ipv4/ip-autodetection-method-patch.yaml
262 namespace: kube-system
269 - name: IP_AUTODETECTION_METHOD
270 value: can-reach=www.google.com
272 cat <<EOF >${SCRIPTDIR}/addons/calico/ipv4/kustomization.yaml
276 - path: ip-autodetection-method-patch.yaml
278 kustomize build ${SCRIPTDIR}/addons/calico/ipv4 >${SCRIPTDIR}/addons/calico/ipv4.yaml
# Dual stack: besides the env patch, replace the CNI network config so the
# IPAM plugin assigns both an IPv4 and an IPv6 address.  Quoted heredoc:
# the JSON contains no shell expansions, and the __KUBERNETES_NODE_NAME__ /
# __KUBECONFIG_FILEPATH__ tokens are presumably filled in by calico's CNI
# installer, not here.
280 cat <<'EOF' >${SCRIPTDIR}/addons/calico/dualstack/configmap-patch.yaml
285 namespace: kube-system
287 cni_network_config: |-
289 "name": "k8s-pod-network",
290 "cniVersion": "0.3.1",
295 "log_file_path": "/var/log/calico/cni/cni.log",
296 "datastore_type": "kubernetes",
297 "nodename": "__KUBERNETES_NODE_NAME__",
300 "type": "calico-ipam",
301 "assign_ipv4": "true",
302 "assign_ipv6": "true"
308 "kubeconfig": "__KUBECONFIG_FILEPATH__"
314 "capabilities": {"portMappings": true}
318 "capabilities": {"bandwidth": true}
323 cat <<EOF >${SCRIPTDIR}/addons/calico/dualstack/ip-autodetection-method-patch.yaml
328 namespace: kube-system
335 - name: IP_AUTODETECTION_METHOD
336 value: can-reach=www.google.com
337 - name: IP6_AUTODETECTION_METHOD
338 value: can-reach=www.google.com
341 - name: FELIX_IPV6SUPPORT
344 cat <<EOF >${SCRIPTDIR}/addons/calico/dualstack/kustomization.yaml
348 - path: configmap-patch.yaml
349 - path: ip-autodetection-method-patch.yaml
351 kustomize build ${SCRIPTDIR}/addons/calico/dualstack >${SCRIPTDIR}/addons/calico/dualstack.yaml
# IPv6 only: same CNI patch shape but assign_ipv4 is "false"; the env patch
# sets only the IPv6 autodetection method, FELIX_IPV6SUPPORT and
# CALICO_ROUTER_ID (the values of the last two are on lines not shown).
353 cat <<'EOF' >${SCRIPTDIR}/addons/calico/ipv6/configmap-patch.yaml
358 namespace: kube-system
360 cni_network_config: |-
362 "name": "k8s-pod-network",
363 "cniVersion": "0.3.1",
368 "log_file_path": "/var/log/calico/cni/cni.log",
369 "datastore_type": "kubernetes",
370 "nodename": "__KUBERNETES_NODE_NAME__",
373 "type": "calico-ipam",
374 "assign_ipv4": "false",
375 "assign_ipv6": "true"
381 "kubeconfig": "__KUBECONFIG_FILEPATH__"
387 "capabilities": {"portMappings": true}
391 "capabilities": {"bandwidth": true}
396 cat <<EOF >${SCRIPTDIR}/addons/calico/ipv6/ip-autodetection-method-patch.yaml
401 namespace: kube-system
408 - name: IP6_AUTODETECTION_METHOD
409 value: can-reach=www.google.com
412 - name: FELIX_IPV6SUPPORT
416 - name: CALICO_ROUTER_ID
419 cat <<EOF >${SCRIPTDIR}/addons/calico/ipv6/kustomization.yaml
423 - path: configmap-patch.yaml
424 - path: ip-autodetection-method-patch.yaml
426 kustomize build ${SCRIPTDIR}/addons/calico/ipv6 >${SCRIPTDIR}/addons/calico/ipv6.yaml
# Helm template: inside the `eq .Values.cni "calico"` guard, one of three
# mutually exclusive `eq .Values.ipam ...` branches embeds the matching
# rendered overlay as a ConfigMap; the sed afterwards prefixes the
# ConfigMap name with .Values.clusterName.
428 cat <<EOF >${SCRIPTDIR}/templates/calico-addon.yaml
429 {{- if eq .Values.cni "calico" }}
430 {{- if eq .Values.ipam "ipv4" }}
432 $(kubectl create configmap calico-addon --from-file=calico.yaml=${SCRIPTDIR}/addons/calico/ipv4.yaml -o yaml --dry-run=client)
434 {{- if eq .Values.ipam "dualstack" }}
436 $(kubectl create configmap calico-addon --from-file=calico.yaml=${SCRIPTDIR}/addons/calico/dualstack.yaml -o yaml --dry-run=client)
438 {{- if eq .Values.ipam "ipv6" }}
440 $(kubectl create configmap calico-addon --from-file=calico.yaml=${SCRIPTDIR}/addons/calico/ipv6.yaml -o yaml --dry-run=client)
444 sed -i -e 's/ name: calico-addon/ name: {{ .Values.clusterName }}-calico-addon/' ${SCRIPTDIR}/templates/calico-addon.yaml
447 # This may be used to update the in-place addon YAML files from the
#######################################
# Entry point for the `build-source` command: create addons/ and run the
# build_source_* generators (only the podsecurity call is visible in this
# listing; the others presumably sit on the lines not shown).  Every
# generator needs network access to its upstream source and writes into
# the tree in place.
# Globals:   SCRIPTDIR (read)
# NOTE(review): the dispatcher further down also accepts a "foo" command
# that runs build_source_calico alone and is absent from the usage text —
# looks like a debugging leftover worth removing or documenting.
449 function build_source {
450 mkdir -p ${SCRIPTDIR}/addons
454 build_source_podsecurity
458 "build-source") build_source ;;
459 "foo") build_source_calico ;;
461 Usage: $(basename $0) COMMAND
464 build-source - Rebuild the in-tree addon YAML files