Commit b5f3bb47 authored by Dmytro Bogatov's avatar Dmytro Bogatov 💕

Migrate to K8S 1.11.3. Migrate Typhoon to latest. Deploy status site.

parent f67e3836
......@@ -9,7 +9,8 @@ infra/dashboard/
.secret.sh
infra/sources/shevastream/appsettings.json
infra/sources/status-site/do-secret.yaml
infra/sources/do-volume-provisioner/do-secret.yaml
infra/sources/gitlab-runner/config.yaml
infra/terraform/spaces/
......
......@@ -100,7 +100,7 @@ generate-service () {
if [ "$service" == "webcam-dbogatov-org" ]
then
auth="ingress.kubernetes.io/auth-type: basic"
auth="nginx.ingress.kubernetes.io/auth-type: basic"
fi
if [ "$service" == "moon-travel-com-ua" ]
......
......@@ -11,16 +11,17 @@ CWD=$(pwd)
# Checks
usage () {
printf "usage: ./$0 <certDirPath> <statusSiteConfig> <name>\n"
printf "usage: $0 <certDirPath> <statusSiteConfig> <name> <gitlab-runner-token>\n"
printf "where\n"
printf "\t certDirPath - absolute path to directory with SSL cert (certificate.crt) and key (certificate.key) file\n"
printf "\t statusSiteConfig - absolute path to appsettings.production.yml file\n"
printf "\t name - cluster name (e.g. sandor in sandor.dbogatov.org)\n"
printf "\t gitlab-runner-token - runner's (not registration) token; if runner is not setup, use register-k8s-runner script;\n"
exit 1;
}
if ! [ $# -eq 3 ]
if ! [ $# -eq 4 ]
then
usage
fi
......@@ -30,6 +31,7 @@ source .secret.sh
CERTDIRPATH=$1
STATUSSITECONFIG=$2
NAME=$3
GITLAB_TOKEN=$4
# Initiate cluster
......@@ -39,7 +41,12 @@ echo "Initializing cluster on DigitalOcean"
ssh-add ~/.ssh/id_rsa
cd $CWD/terraform/clusters/
terraform destroy -force
terraform destroy -force || true # might be that there is nothin to destroy
echo "Waiting 30 secs..."
sleep 30
terraform init
terraform apply -auto-approve
......@@ -53,8 +60,8 @@ echo "Adding SWAP file to the nodes"
cd "$CWD"
IPS=("$(dig @ns1.digitalocean.com +short A dolores-workers.$NAME.dbogatov.org)")
IPS+=("$(dig @ns1.digitalocean.com +short A dolores.$NAME.dbogatov.org)")
IPS=("$(dig @ns1.digitalocean.com +short A alice-workers.$NAME.dbogatov.org)")
IPS+=("$(dig @ns1.digitalocean.com +short A alice.$NAME.dbogatov.org)")
cat >var-vm-swapfile1.swap <<EOL
[Unit]
......@@ -70,6 +77,9 @@ EOL
for ip in ${IPS[@]}
do
if [ "$ip" != "165.227.218.138" ] && [ "$ip" != "167.99.48.97" ] && [ "$ip" != "142.93.75.184" ]
then
echo "Adding space for node $ip"
ssh -o "StrictHostKeyChecking no" -o "UserKnownHostsFile=/dev/null" core@$ip "sudo mkdir -p /var/vm"
......@@ -85,7 +95,7 @@ do
echo "Enabling SWAP support for kubelet"
ssh -o "StrictHostKeyChecking no" -o "UserKnownHostsFile=/dev/null" core@$ip "sudo sed -i '/kubelet-wrapper/a \ --fail-swap-on=false \\\' /etc/systemd/system/kubelet.service"
fi
done
rm var-vm-swapfile1.swap
......@@ -100,7 +110,7 @@ cd "$CWD"
echo "Creating namespaces and saving SSL certs"
NAMESPACES=("websites" "monitoring" "ingress" "status-site" "kube-system")
NAMESPACES=("websites" "monitoring" "ingress" "status-site" "kube-system" "gitlab")
for namespace in ${NAMESPACES[@]}
do
......@@ -127,10 +137,6 @@ echo "Deploying dashboard"
kubectl apply -R -f addons/dashboard/
# echo "Deploying cluo"
# kubectl apply -R -f addons/cluo/
echo "Deploying prometheus"
kubectl apply -R -f addons/prometheus/
......@@ -147,10 +153,20 @@ echo "Deploying NGINX Ingress"
kubectl apply -R -f addons/nginx-ingress/digital-ocean/
echo "Deploying the websites"
cd $CWD
echo "Deploying Gitlab Runner"
./sources/gitlab-runner/gen-config.sh $GITLAB_TOKEN
kubectl apply -R -f ./sources/gitlab-runner/
echo "Deploying DO volume provisioner"
./sources/do-volume-provisioner/gen-secret.sh
kubectl apply -R -f ./sources/do-volume-provisioner/
kubectl apply -f https://raw.githubusercontent.com/digitalocean/csi-digitalocean/master/deploy/kubernetes/releases/csi-digitalocean-v0.2.0.yaml
echo "Deploying websites' settings"
kubectl create secret -n status-site generic appsettings.production.yml --from-file=$STATUSSITECONFIG
......@@ -168,14 +184,11 @@ kubectl apply -R -f services/
kubectl apply -R -f dashboard/
echo "Deploying status site SKIPPED"
# TODO should be master
# BRANCH="49-move-to-kubernetes-deployment"
echo "Deploying status site"
# kubectl apply -f https://git.dbogatov.org/dbogatov/status-site/-/jobs/artifacts/$BRANCH/raw/deployment/config.yaml?job=release-deployment
kubectl apply -f https://git.dbogatov.org/dbogatov/status-site/-/jobs/artifacts/master/raw/deployment/config.yaml?job=release-deployment
# kubectl apply -R -f sources/status-site/
kubectl apply -R -f sources/status-site/
echo "Done!"
......
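Review bot: `./sources/gitlab-runner/gen-config.sh $GITLAB_TOKEN` hands the runner token over as a command-line argument (and `GITLAB_TOKEN=$4` already took it from this script's own argv), so it is visible in the process list and ends up in shell history; pass it through the environment instead, and quote it — `$GITLAB_TOKEN`, `$STATUSSITECONFIG` in the `--from-file=` line and `$CWD` are all unquoted. `kubectl apply -f https://raw.githubusercontent.com/digitalocean/csi-digitalocean/master/...` and the status-site artifact URL under `.../artifacts/master/...` are fetched from mutable refs at deploy time, so what reaches the cluster is whatever those remotes hold at that moment; pin to a tag or commit, or vendor the manifests next to the others under `sources/`. `terraform destroy -force || true` also hides real failures (credentials, state lock, partial destroy), after which `terraform apply` runs on top of whatever was left; inspect the exit status and only tolerate the "nothing to destroy" case, or at least echo a warning on failure.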
......@@ -3,10 +3,10 @@ kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: "public"
ingress.kubernetes.io/auth-signin: https://$host/oauth2/start
ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
ingress.kubernetes.io/secure-backends: "true"
ingress.kubernetes.io/configuration-snippet: |
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start
nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_set_header Authorization "Bearer __DASHBOARD_TOKEN__";
name: external-auth-oauth2
namespace: kube-system
......
......@@ -12,6 +12,7 @@ SERVICES["dns-dbogatov-org"]="registry.dbogatov.org/dbogatov/nginx-proxies/dns-d
SERVICES["webcam-dbogatov-org"]="registry.dbogatov.org/dbogatov/nginx-proxies/webcam-dbogatov-org:latest"
SERVICES["ore-dbogatov-org"]="registry.dbogatov.org/bu/ore-benchmark/project-code/docs:master"
# SERVICES["status-dbogatov-org"]="registry.dbogatov.org/dbogatov/nginx-proxies/status-dbogatov-org:latest"
SERVICES["k8sapi-dbogatov-org"]="registry.dbogatov.org/dbogatov/nginx-proxies/k8sapi-dbogatov-org:latest"
SERVICES["nigmatullina-org"]="registry.dbogatov.org/dbogatov/inara-cv:latest"
......@@ -43,7 +44,7 @@ SERVICES["blog-bogatov-kiev-ua"]="registry.dbogatov.org/daddy/blog-bogatov-kiev-
declare -A DOMAINS
AVALUE="dolores-workers.sandor.dbogatov.org"
AVALUE="alice-workers.dontos.dbogatov.org"
DOMAINS["dbogatov.org"]=$AVALUE
DOMAINS["dmytro.app"]=$AVALUE
......
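Review bot: `AVALUE="alice-workers.dontos.dbogatov.org"` hard-codes the cluster name `dontos`, whereas the setup script in this same commit derives the worker record as `alice-workers.$NAME.dbogatov.org` from its `<name>` argument; if a cluster is ever brought up under another name, every domain in `DOMAINS` keeps pointing at the old one, presumably without any error. Consider taking the name as an argument or environment variable here too, or at least add a comment on the line, e.g. `# must match <name> passed to the cluster setup script`. The new `k8sapi-dbogatov-org` proxy entry deserves a one-line comment saying what it fronts and who is expected to reach it, since a proxy in front of the API endpoint is not self-explanatory in a service list.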
apiVersion: v1
kind: ConfigMap
metadata:
name: gitlab-runner
namespace: gitlab
data:
config.toml: |
concurrent = 4
[[runners]]
name = "Kubernetes Runner"
url = "https://git.dbogatov.org/ci"
token = "__TOKEN__"
executor = "kubernetes"
[runners.kubernetes]
namespace = "gitlab"
image = "alpine"
allow_privileged = true
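Review bot: `allow_privileged = true` lets any job scheduled on this runner request a privileged pod, which is effectively root on the node, and the sibling registration script registers the runner with `--run-untagged` and `--locked="false"`, so every project on the instance can use it. If only specific jobs need privileges, keep this `false` here and register a separate, tagged runner for them; otherwise put the reason in a comment next to the line. `namespace = "gitlab"` places job pods in the same namespace, and therefore on the same `default` service account, as the runner itself, which matters given the Role this commit binds to that account. `image = "alpine"` is an unpinned default job image; a tag would make job environments reproducible.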
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: gitlab-runner
namespace: gitlab
spec:
replicas: 1
selector:
matchLabels:
name: gitlab-runner
template:
metadata:
labels:
name: gitlab-runner
spec:
containers:
- args:
- run
image: gitlab/gitlab-runner:latest
imagePullPolicy: Always
name: gitlab-runner
volumeMounts:
- mountPath: /etc/gitlab-runner
name: config
- mountPath: /etc/ssl/certs
name: cacerts
readOnly: true
restartPolicy: Always
volumes:
- configMap:
name: gitlab-runner
name: config
- hostPath:
path: /usr/share/ca-certificates/mozilla
name: cacerts
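Review bot: The Deployment at the top of this file is declared `apiVersion: extensions/v1beta1` while the same commit moves every other Deployment and DaemonSet to `apps/v1`; use `apiVersion: apps/v1` here too (the `selector.matchLabels` that version requires is already present). `image: gitlab/gitlab-runner:latest` with `imagePullPolicy: Always` means each pod restart may pull a different runner build; pin a version tag as is done for the other images in this commit. No `serviceAccountName` is set, so the pod runs as the namespace's `default` account — the account the new `gitlab-admin` Role is bound to — and a dedicated service account named here would keep that grant off every other pod in the namespace. The container also has no resource requests or limits.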
#!/usr/bin/env bash
set -e
shopt -s globstar
# Ensure that the CWD is set to script's location
cd "${0%/*}"
CWD=$(pwd)
if ! [ $# -eq 1 ]
then
echo "TOKEN required"
exit 1
fi
TOKEN=$1
cp config.template config.yaml
sed -i -e "s#__TOKEN__#$TOKEN#g" config.yaml
rm ./*-e
echo "Done!"
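Review bot: `sed -i -e "s#__TOKEN#$TOKEN#g" config.yaml` splices the token into the sed program, so a `#`, `&` or backslash in the token corrupts the substitution or the output file, and `rm ./*-e` (cleanup of the BSD-sed backup) aborts the script under `set -e` on GNU sed, where no `config.yaml-e` is created and the unmatched glob stays literal. A parameter expansion avoids both: `template=$(<config.template)` then `printf '%s\n' "${template//__TOKEN__/$TOKEN}" > config.yaml`, dropping the `cp` and `rm` lines. The written file holds the runner token, so set `umask 077` before creating it. `shopt -s globstar` and `CWD` are unused in this script.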
#!/usr/bin/env bash
set -e
shopt -s globstar
# Ensure that the CWD is set to script's location
cd "${0%/*}"
CWD=$(pwd)
if ! [ $# -eq 1 ]
then
echo "registration TOKEN required"
exit 1
fi
TOKEN=$1
sudo gitlab-runner register \
--non-interactive \
--url "https://git.dbogatov.org" \
--registration-token "$TOKEN" \
--executor "kubernetes" \
--docker-image alpine \
--kubernetes-image alpine \
--description "k8s" \
--tag-list "docker,k8s" \
--run-untagged \
--locked="false" \
--request-concurrency 4 \
--kubernetes-namespace "gitlab"
sudo cat /etc/gitlab-runner/config.toml
echo "Done!"
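Review bot: `sudo cat /etc/gitlab-runner/config.toml` prints the entire runner configuration, including the newly issued runner token, to the terminal and to anything capturing that session; if the purpose is to obtain the token for gen-config.sh, print only that line, e.g. `sudo grep -m1 '^ *token' /etc/gitlab-runner/config.toml`, or just tell the user where to find it. `--run-untagged` together with `--locked="false"` registers a shared runner usable by any project, which is worth a one-line comment given the privileged executor configuration shipped alongside it. `--registration-token "$TOKEN"` is visible in the process list while the command runs; `gitlab-runner register` also accepts the token via the `REGISTRATION_TOKEN` environment variable. `shopt -s globstar` and `CWD` are unused here.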
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: gitlab
name: gitlab-admin
rules:
- apiGroups: [""] # The API group "" indicates the core API Group.
resources: ["*"]
verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: gitlab-admin
namespace: gitlab
subjects:
- kind: ServiceAccount # May be "User", "Group" or "ServiceAccount"
name: default
namespace: gitlab
roleRef:
kind: Role
name: gitlab-admin
apiGroup: rbac.authorization.k8s.io
---
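Review bot: The Role grants `resources: ["*"]` / `verbs: ["*"]` on the core API group to the `default` service account of the `gitlab` namespace, and because the runner template places job pods in that same namespace, every CI job inherits it — including reading the `gitlab-runner` ConfigMap that carries the runner token and any Secret in the namespace. Scope the rule to what the kubernetes executor actually creates and attaches to (pods and their subresources, secrets, configmaps) and bind it to a dedicated ServiceAccount that the runner Deployment names via `serviceAccountName`, so job pods on `default` get nothing by default. The exact resource list should be checked against the runner version in use; the sketch below is a starting point.
```yaml
rules:
  # NOTE(review): per-job objects the kubernetes executor manages — confirm against the runner docs for this version
  - apiGroups: [""]
    resources: ["pods", "pods/exec", "pods/attach", "pods/log", "secrets", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
# … unchanged: RoleBinding metadata and roleRef …
subjects:
  - kind: ServiceAccount
    name: gitlab-runner   # dedicated account; also add a ServiceAccount object and serviceAccountName in the Deployment
    namespace: gitlab
```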
......@@ -5,9 +5,9 @@ metadata:
namespace: monitoring
annotations:
kubernetes.io/ingress.class: "public"
ingress.kubernetes.io/force-ssl-redirect: "true"
ingress.kubernetes.io/ssl-redirect: "true"
ingress.kubernetes.io/from-to-www-redirect: "true"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/from-to-www-redirect: "true"
spec:
tls:
- hosts:
......
......@@ -5,14 +5,14 @@ metadata:
namespace: websites
annotations:
kubernetes.io/ingress.class: "public"
ingress.kubernetes.io/force-ssl-redirect: "true"
ingress.kubernetes.io/ssl-redirect: "true"
ingress.kubernetes.io/from-to-www-redirect: "true"
ingress.kubernetes.io/affinity: "cookie"
ingress.kubernetes.io/session-cookie-name: "route"
ingress.kubernetes.io/session-cookie-hash: "md5"
ingress.kubernetes.io/auth-secret: basic-auth
ingress.kubernetes.io/auth-realm: "Authentication Required!"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/from-to-www-redirect: "true"
nginx.ingress.kubernetes.io/affinity: "cookie"
nginx.ingress.kubernetes.io/session-cookie-name: "route"
nginx.ingress.kubernetes.io/session-cookie-hash: "md5"
nginx.ingress.kubernetes.io/auth-secret: basic-auth
nginx.ingress.kubernetes.io/auth-realm: "Authentication Required!"
__AUTH__
spec:
tls:
......
volumeMounts:
- name: appsettings
mountPath: "/run/secrets/"
mountPath: "/run/secrets/settings/"
volumes:
- name: appsettings
secret:
......
......@@ -5,14 +5,16 @@ metadata:
namespace: status-site
annotations:
kubernetes.io/ingress.class: "public"
ingress.kubernetes.io/force-ssl-redirect: "true"
ingress.kubernetes.io/ssl-redirect: "true"
ingress.kubernetes.io/from-to-www-redirect: "true"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/from-to-www-redirect: "true"
spec:
tls:
- hosts:
- status-dbogatov-org.cluster.dbogatov.org
- status.dbogatov.org
- status.dmytro.app
- status.bogatov.app
secretName: lets-encrypt
rules:
- host: "status-dbogatov-org.cluster.dbogatov.org"
......@@ -29,3 +31,17 @@ spec:
backend:
serviceName: nginx
servicePort: 80
- host: "status.dmytro.app"
http:
paths:
- path: /
backend:
serviceName: nginx
servicePort: 80
- host: "status.bogatov.app"
http:
paths:
- path: /
backend:
serviceName: nginx
servicePort: 80
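Review bot: `status.dmytro.app` and `status.bogatov.app` are added to the `tls.hosts` list under the existing `secretName: lets-encrypt`, but nothing in this file re-issues that certificate; unless the certificate already stored in that secret covers the new names, or an issuer configured elsewhere reacts to the host list, clients on those hosts will see a name mismatch. Confirm how `lets-encrypt` is populated and, if it is a fixed SAN certificate, note that on the `secretName` line, e.g. `# cert must include every host listed above`, so the next host addition is not missed. The new `rules` entries mirror the existing one and look fine.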
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: reboot-coordinator
roleRef:
......
apiVersion: rbac.authorization.k8s.io/v1beta1
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: reboot-coordinator
......
apiVersion: extensions/v1beta1
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: container-linux-update-agent
......@@ -8,6 +8,9 @@ spec:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
selector:
matchLabels:
app: container-linux-update-agent
template:
metadata:
labels:
......@@ -15,7 +18,7 @@ spec:
spec:
containers:
- name: update-agent
image: quay.io/coreos/container-linux-update-operator:v0.4.1
image: quay.io/coreos/container-linux-update-operator:v0.7.0
command:
- "/bin/update-agent"
volumeMounts:
......
apiVersion: extensions/v1beta1
apiVersion: apps/v1
kind: Deployment
metadata:
name: container-linux-update-operator
namespace: reboot-coordinator
spec:
replicas: 1
selector:
matchLabels:
app: container-linux-update-operator
template:
metadata:
labels:
......@@ -12,7 +15,7 @@ spec:
spec:
containers:
- name: update-operator
image: quay.io/coreos/container-linux-update-operator:v0.4.1
image: quay.io/coreos/container-linux-update-operator:v0.7.0
command:
- "/bin/update-operator"
env:
......
......@@ -12,11 +12,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# Configuration to deploy release version of the Dashboard UI compatible with
# Kubernetes 1.8.
#
# Example usage: kubectl create -f <this_file>
# ------------------- Dashboard Secret ------------------- #
apiVersion: v1
......@@ -114,7 +109,7 @@ spec:
spec:
containers:
- name: kubernetes-dashboard
image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.8.2
image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.0
ports:
- containerPort: 8443
protocol: TCP
......
apiVersion: rbac.authorization.k8s.io/v1beta1
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin-user
......
apiVersion: v1
kind: ConfigMap
metadata:
name: grafana-dashboard-providers
namespace: monitoring
data:
dashboard-providers.yaml: |+
apiVersion: 1
providers:
- name: 'default'
ordId: 1
folder: ''
type: file
options:
path: /var/lib/grafana/dashboards
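Review bot: `ordId: 1` in the dashboard provider is a typo for `orgId: 1`, as spelled in the sibling datasource ConfigMap; Grafana will most likely ignore the unknown key and fall back to its default org, so this will not fail loudly but is wrong nonetheless. Also, the `path: /var/lib/grafana/dashboards` value must match the `mountPath` of the `dashboards` volume in the grafana Deployment; a comment on this line naming that coupling would help whoever changes either file.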
apiVersion: v1
kind: ConfigMap
metadata:
name: grafana-datasources
namespace: monitoring
data:
prometheus.yaml: |+
apiVersion: 1
datasources:
- name: prometheus
type: prometheus
access: proxy
orgId: 1
url: http://prometheus.monitoring.svc.cluster.local
version: 1
editable: false
apiVersion: apps/v1beta2
apiVersion: apps/v1
kind: Deployment
metadata:
name: grafana
......@@ -21,7 +21,7 @@ spec:
spec:
containers:
- name: grafana
image: grafana/grafana:4.6.3
image: grafana/grafana:5.2.4
env:
- name: GF_SERVER_HTTP_PORT
value: "8080"
......@@ -31,6 +31,8 @@ spec:
value: "true"
- name: GF_AUTH_ANONYMOUS_ORG_ROLE
value: Viewer
- name: GF_ANALYTICS_REPORTING_ENABLED
value: "false"
ports:
- name: http
containerPort: 8080
......@@ -41,22 +43,20 @@ spec:
limits:
memory: 200Mi
cpu: 200m
- name: grafana-watcher
image: quay.io/coreos/grafana-watcher:v0.0.8
args:
- '--watch-dir=/etc/grafana/dashboards'
- '--grafana-url=http://localhost:8080'
resources:
requests:
memory: "16Mi"
cpu: "50m"
limits:
memory: "32Mi"
cpu: "100m"
volumeMounts:
- name: dashboards
mountPath: /etc/grafana/dashboards
- name: datasources
mountPath: /etc/grafana/provisioning/datasources
- name: dashboard-providers
mountPath: /etc/grafana/provisioning/dashboards
- name: dashboards
mountPath: /var/lib/grafana/dashboards
volumes:
- name: datasources
configMap:
name: grafana-datasources
- name: dashboard-providers
configMap:
name: grafana-dashboard-providers
- name: dashboards
configMap:
name: grafana-dashboards
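Review bot: Moving the Deployment to `apps/v1` (from `apps/v1beta2` at the top of the file) makes `spec.selector` mandatory and immutable, and neither hunk here shows one for grafana; the container-linux-update manifests in this same commit add `selector.matchLabels` explicitly, so check that grafana (and heapster, which receives the same apiVersion change) already has a selector, otherwise the apply is rejected. The `grafana-dashboards` ConfigMap is now mounted at `/var/lib/grafana/dashboards`, which is also the path the new `grafana-dashboard-providers` ConfigMap points at; a comment on that `mountPath` line noting the dependency would keep the two from drifting. The Deployment's header and selector lie outside these hunks.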
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: grafana-dbogatov-org
namespace: monitoring
annotations:
kubernetes.io/ingress.class: "public"
ingress.kubernetes.io/force-ssl-redirect: "true"
ingress.kubernetes.io/ssl-redirect: "true"
spec:
tls:
- hosts:
- grafana.dbogatov.org
secretName: lets-encrypt
rules:
- host: "grafana.dbogatov.org"
http:
paths:
- path: /
backend:
serviceName: grafana
servicePort: 80
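Review bot: If this grafana Ingress is a file added by the commit, its annotations still use the `ingress.kubernetes.io/` prefix (`force-ssl-redirect`, `ssl-redirect`) that the same commit replaces with `nginx.ingress.kubernetes.io/` in every other Ingress, so the redirects would silently not apply under the migrated controller; the lines should read `nginx.ingress.kubernetes.io/force-ssl-redirect: "true"` and `nginx.ingress.kubernetes.io/ssl-redirect: "true"`. If it is instead a deleted file, disregard this. The rendered page shows no hunk header, so I cannot tell which from here.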
......@@ -3,6 +3,9 @@ kind: Service
metadata:
name: grafana
namespace: monitoring
annotations:
prometheus.io/scrape: 'true'
prometheus.io/port: '8080'
spec:
type: ClusterIP
selector:
......
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: heapster
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:heapster
subjects:
- kind: ServiceAccount
name: heapster
namespace: kube-system
apiVersion: apps/v1beta2
apiVersion: apps/v1
kind: Deployment
metadata:
name: heapster
......@@ -15,11 +15,12 @@ spec:
name: heapster
phase: prod
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ''
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
spec:
serviceAccountName: heapster
containers:
- name: heapster
image: gcr.io/google_containers/heapster-amd64:v1.5.0
image: k8s.gcr.io/heapster-amd64:v1.5.4
command:
- /heapster
- --source=kubernetes.summary_api:''
......@@ -31,7 +32,7 @@ spec:
initialDelaySeconds: 180
timeoutSeconds: 5
- name: heapster-nanny
image: gcr.io/google_containers/addon-resizer:1.7
image: k8s.gcr.io/addon-resizer:1.7
command:
- /pod_nanny
- --cpu=80m
......
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: heapster
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: system:pod-nanny
subjects:
- kind: ServiceAccount
name: heapster
namespace: kube-system
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: system:pod-nanny
namespace: kube-system
rules: