From ba307ec053f3420b508aa6d077c65b5973dd136d Mon Sep 17 00:00:00 2001
From: Arnaud Tincelin
Date: Sun, 30 May 2021 01:13:49 +0200
Subject: [PATCH] Deploy with Kustomize
---
 deployment/aks-periscope.yaml | 4 +-
 deployment/cluster-role-binding.yaml | 23 +++++++++
 deployment/cluster-role.yaml | 11 ++++
 deployment/config-map.yaml | 20 ++++++++
 deployment/crd.yaml | 28 +++++++++++
 deployment/daemon-set.yaml | 48 ++++++++++++++++++
 .../kustomization_storage_account.yaml | 34 +++++++++++++
 deployment/kustomization.yaml | 17 +++++++
 deployment/namespace.yaml | 4 ++
 deployment/service-account.yaml | 4 ++
 docs/kustomize.md | 50 +++++++++++++++++++
 11 files changed, 242 insertions(+), 1 deletion(-)
 create mode 100644 deployment/cluster-role-binding.yaml
 create mode 100644 deployment/cluster-role.yaml
 create mode 100644 deployment/config-map.yaml
 create mode 100644 deployment/crd.yaml
 create mode 100644 deployment/daemon-set.yaml
 create mode 100644 deployment/examples/kustomization_storage_account.yaml
 create mode 100644 deployment/kustomization.yaml
 create mode 100644 deployment/namespace.yaml
 create mode 100644 deployment/service-account.yaml
 create mode 100644 docs/kustomize.md
diff --git a/deployment/aks-periscope.yaml b/deployment/aks-periscope.yaml
index 03ef1167..ef8fb3f9 100644
--- a/deployment/aks-periscope.yaml
+++ b/deployment/aks-periscope.yaml
@@ -1,3 +1,5 @@
+# Note: this file is deprecated and will be removed in a future release
+# Use Kustomize to deploy the project
 apiVersion: v1
 kind: Namespace
 metadata:
@@ -159,4 +161,4 @@ spec:
 singular: diagnostic
 kind: Diagnostic
 shortNames:
- - apd
\ No newline at end of file
+ - apd
diff --git a/deployment/cluster-role-binding.yaml b/deployment/cluster-role-binding.yaml
new file mode 100644
index 00000000..bbc83ca4
--- /dev/null
+++ b/deployment/cluster-role-binding.yaml
@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: aks-periscope-role-binding
+subjects:
+- kind: ServiceAccount
+ name: aks-periscope-service-account
+roleRef:
+ kind: ClusterRole
+ name: aks-periscope-role
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: aks-periscope-role-binding-view
+subjects:
+- kind: ServiceAccount
+ name: aks-periscope-service-account
+roleRef:
+ kind: ClusterRole
+ name: view
+ apiGroup: rbac.authorization.k8s.io
diff --git a/deployment/cluster-role.yaml b/deployment/cluster-role.yaml
new file mode 100644
index 00000000..cd58e155
--- /dev/null
+++ b/deployment/cluster-role.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: aks-periscope-role
+rules:
+- apiGroups: ["","metrics.k8s.io"]
+ resources: ["pods", "nodes"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["aks-periscope.azure.github.com"]
+ resources: ["diagnostics"]
+ verbs: ["get", "watch", "list", "create", "patch"]
diff --git a/deployment/config-map.yaml b/deployment/config-map.yaml
new file mode 100644
index 00000000..1f82a9b1
--- /dev/null
+++ b/deployment/config-map.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: containerlogs-config
+data:
+ DIAGNOSTIC_CONTAINERLOGS_LIST: kube-system
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: kubeobjects-config
+data:
+ DIAGNOSTIC_KUBEOBJECTS_LIST: kube-system/pod kube-system/service kube-system/deployment
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: nodelogs-config
+data:
+ DIAGNOSTIC_NODELOGS_LIST: /var/log/azure/cluster-provision.log /var/log/cloud-init.log
diff --git a/deployment/crd.yaml b/deployment/crd.yaml
new file mode 100644
index 00000000..143a7662
--- /dev/null
+++ b/deployment/crd.yaml
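Review bot: Both `subjects` entries in cluster-role-binding.yaml omit `namespace`, which a ServiceAccount subject of a ClusterRoleBinding needs, so the file is presumably only valid after Kustomize fills the field in from `namespace: aks-periscope` and would be rejected if applied directly with kubectl. I would add `namespace: aks-periscope` under each subject, or at least a header comment such as `# Rendered via kustomization.yaml; the subject namespace is set during the build`. Separately, the second binding grants the built-in `view` ClusterRole cluster-wide to the account used by a privileged DaemonSet, while the defaults in config-map.yaml only name kube-system objects. If the collectors really only read kube-system (an assumption from those defaults), a namespaced RoleBinding to `view` would narrow what a stolen pod token can read.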
@@ -0,0 +1,28 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: diagnostics.aks-periscope.azure.github.com
+spec:
+ group: aks-periscope.azure.github.com
+ versions:
+ - name: v1
+ served: true
+ storage: true
+ validation:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ properties:
+ dns:
+ type: string
+ networkoutbound:
+ type: string
+ scope: Namespaced
+ names:
+ plural: diagnostics
+ singular: diagnostic
+ kind: Diagnostic
+ shortNames:
+ - apd
diff --git a/deployment/daemon-set.yaml b/deployment/daemon-set.yaml
new file mode 100644
index 00000000..7d2cb971
--- /dev/null
+++ b/deployment/daemon-set.yaml
@@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: aks-periscope
+ labels:
+ app: aks-periscope
+spec:
+ selector:
+ matchLabels:
+ app: aks-periscope
+ template:
+ metadata:
+ labels:
+ app: aks-periscope
+ spec:
+ serviceAccountName: aks-periscope-service-account
+ hostPID: true
+ nodeSelector:
+ beta.kubernetes.io/os: linux
+ containers:
+ - name: aks-periscope
+ image: aksrepos.azurecr.io/staging/aks-periscope
+ securityContext:
+ privileged: true
+ imagePullPolicy: Always
+ env: []
+ envFrom:
+ - configMapRef:
+ name: containerlogs-config
+ - configMapRef:
+ name: kubeobjects-config
+ - configMapRef:
+ name: nodelogs-config
+ volumeMounts:
+ - mountPath: /aks-periscope
+ name: aks-periscope-storage
+ resources:
+ requests:
+ memory: "500Mi"
+ cpu: "250m"
+ limits:
+ memory: "2000Mi"
+ cpu: "1000m"
+ volumes:
+ - name: aks-periscope-storage
+ hostPath:
+ path: /var/log/aks-periscope
+ type: DirectoryOrCreate
diff --git a/deployment/examples/kustomization_storage_account.yaml b/deployment/examples/kustomization_storage_account.yaml
new file mode 100644
index 00000000..fe9516f8
--- /dev/null
+++ b/deployment/examples/kustomization_storage_account.yaml
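Review bot: crd.yaml registers the Diagnostic CRD through `apiextensions.k8s.io/v1beta1`, which has been deprecated since Kubernetes 1.16 and is no longer served from 1.22, so this newly created base would stop applying on newer clusters. Since the file is introduced here, it could use `apiVersion: apiextensions.k8s.io/v1` and carry the schema per version as `schema:` followed by `openAPIV3Schema:` in place of `validation:`. Indentation is not recoverable in this view, so where `validation` currently nests is an assumption to confirm against the file.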
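Review bot: The container in daemon-set.yaml runs with `privileged: true` and `hostPID: true`, yet `image: aksrepos.azurecr.io/staging/aks-periscope` carries no tag or digest and kustomization.yaml only adds the mutable tag `newTag: v0.3`. With `imagePullPolicy: Always`, whatever is pushed under that tag runs with root-equivalent access on every Linux node at the next pod start, and applying this file outside Kustomize resolves to `latest`. I would pin the image in kustomization.yaml with `digest: sha256:<digest-of-the-reviewed-image>` instead of `newTag`, and add a comment above `securityContext` naming which collectors need privileged mode and the host PID namespace so the settings can be narrowed later. `beta.kubernetes.io/os` is also the deprecated form of the `kubernetes.io/os` node label.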
@@ -0,0 +1,34 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- https://github.com/Azure/aks-periscope/blob/master/deployment/kustomization.yaml
+
+secretGenerator:
+- name: azureblob-secret
+ literals:
+ - AZURE_BLOB_SAS_KEY=
+
+patches:
+- target:
+ group: apps
+ kind: DaemonSet
+ name: aks-periscope
+ version: v1
+ patch: |-
+ - op: add
+ path: '/spec/template/spec/containers/0/env/-'
+ value:
+ name: AZURE_BLOB_ACCOUNT_NAME
+ value:
+- target:
+ group: apps
+ kind: DaemonSet
+ name: aks-periscope
+ version: v1
+ patch: |-
+ - op: add
+ path: '/spec/template/spec/containers/0/envFrom/-'
+ value:
+ secretRef:
+ name: azureblob-secret
diff --git a/deployment/kustomization.yaml b/deployment/kustomization.yaml
new file mode 100644
index 00000000..73eb746c
--- /dev/null
+++ b/deployment/kustomization.yaml
@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: aks-periscope
+
+resources:
+- namespace.yaml
+- cluster-role.yaml
+- cluster-role-binding.yaml
+- config-map.yaml
+- crd.yaml
+- daemon-set.yaml
+- service-account.yaml
+
+images:
+ - name: aksrepos.azurecr.io/staging/aks-periscope
+ newTag: v0.3
diff --git a/deployment/namespace.yaml b/deployment/namespace.yaml
new file mode 100644
index 00000000..1c6ad0df
--- /dev/null
+++ b/deployment/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: aks-periscope
diff --git a/deployment/service-account.yaml b/deployment/service-account.yaml
new file mode 100644
index 00000000..712f51ec
--- /dev/null
+++ b/deployment/service-account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: aks-periscope-service-account
diff --git a/docs/kustomize.md b/docs/kustomize.md
new file mode 100644
index 00000000..d2d6f157
--- /dev/null
+++ b/docs/kustomize.md
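Review bot: The `resources` entry in examples/kustomization_storage_account.yaml points at `https://github.com/Azure/aks-periscope/blob/master/deployment/kustomization.yaml`, which is a GitHub HTML page for a single file on a moving branch rather than a Kustomize remote base. Even in a form Kustomize can fetch, tracking `master` means each build takes whatever manifests are on the branch at that moment for a privileged DaemonSet. I would reference the directory at a fixed revision, `- https://github.com/Azure/aks-periscope//deployment?ref=<tag-or-commit-sha>`. The `literals:` entry `AZURE_BLOB_SAS_KEY=` also invites committing the SAS key alongside the kustomization; loading it from an untracked file through the generator's `envs:` list (for example `sas.env`, a name constructed for illustration) keeps the key out of version control.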
@@ -0,0 +1,50 @@
+# Deploy with Kustomize
+
+To store the logs an Azure Blob Service account is required.
+
+Patch the DeamonSet to add the `AZURE_BLOB_ACCOUNT_NAME` env var:
+
+```yaml
+patches:
+- target:
+ group: apps
+ kind: DaemonSet
+ name: aks-periscope
+ version: v1
+ patch: |-
+ - op: add
+ path: '/spec/template/spec/containers/0/env/-'
+ value:
+ name: AZURE_BLOB_ACCOUNT_NAME
+ value: your_account_name
+```
+
+## Connect to the Storage Account using a SAS key
+
+Create the following secret to connect to the Storage Account using a SAS Key:
+
+```yaml
+secretGenerator:
+- name: azureblob-secret
+ literals:
+ - AZURE_BLOB_SAS_KEY=your_sas_key_base_64_encoded
+
+patches:
+- target:
+ group: apps
+ kind: DaemonSet
+ name: aks-periscope
+ version: v1
+ patch: |-
+ - op: add
+ path: '/spec/template/spec/containers/0/envFrom/-'
+ value: |
+ secretRef:
+ name: azureblob-secret
+```
+
+## Apply
+
+```sh
+kubectl apply -f <(kustomize build)
+```