Use a single chrony server that is frequently queried by agents

MacroPower · Nov 27, 2023 · d4a3d75 · d4a3d75
1 parent a225dcd
commit d4a3d75
Show file tree

Hide file tree

Showing 9 changed files with 124 additions and 110 deletions.
diff --git a/applications/base/chronyd/application.libsonnet b/applications/base/chronyd/application.libsonnet
@@ -11,4 +11,10 @@ app.new(
   targetRevision='0.2.0',
   releaseName='chronyd',
   values='values.yaml'
+).withChart(
+  name='template',
+  repoURL='https://jacobcolvin.com/helm-charts',
+  targetRevision='0.2.0',
+  releaseName='chronyd-agent',
+  values='values-agent.yaml'
 )
diff --git a/applications/base/chronyd/config/agent.conf b/applications/base/chronyd/config/agent.conf
@@ -0,0 +1,9 @@
+server chronyd.chronyd.svc iburst trust minpoll 2 maxpoll 4
+
+driftfile /var/lib/chrony/chrony.drift
+makestep 0.1 3
+
+allow all
+
+logdir /var/log/chrony
+log statistics measurements tracking
diff --git a/applications/base/chronyd/config/main.libsonnet b/applications/base/chronyd/config/main.libsonnet
@@ -1,7 +1,10 @@
 local k = import '../../../lib/k.libsonnet';
 
 [
+  k.core.v1.configMap.new('chrony-agent', data={
+    'chrony.conf': (importstr 'agent.conf'),
+  }),
   k.core.v1.configMap.new('chrony', data={
-    'run.sh': (importstr 'run.sh'),
+    'chrony.conf': (importstr 'server.conf'),
   }),
 ]
diff --git a/applications/base/chronyd/config/run.sh b/applications/base/chronyd/config/run.sh
diff --git a/applications/base/chronyd/config/server.conf b/applications/base/chronyd/config/server.conf
@@ -0,0 +1,12 @@
+server 0.pool.ntp.org iburst
+server 1.pool.ntp.org iburst
+server 2.pool.ntp.org iburst
+server 3.pool.ntp.org iburst
+
+driftfile /var/lib/chrony/chrony.drift
+makestep 0.1 3
+
+allow all
+
+logdir /var/log/chrony
+log statistics measurements tracking
diff --git a/applications/base/chronyd/main.jsonnet b/applications/base/chronyd/main.jsonnet
@@ -2,6 +2,5 @@
 
 local ns = import 'namespace.libsonnet';
 local config = import 'config/main.libsonnet';
-local netPolicy = std.parseYaml(importstr 'network-policy.yaml');
 
-[ns] + config + netPolicy
+[ns] + config
diff --git a/applications/base/chronyd/network-policy.yaml b/applications/base/chronyd/network-policy.yaml
@@ -8,12 +8,6 @@ spec:
   ingress:
     - {}
   egress:
-    - toFQDNs:
-        - matchPattern: "*.pool.ntp.org"
-      toPorts:
-        - ports:
-            - port: "123"
-              protocol: UDP
     - toEndpoints:
         - matchLabels:
             k8s:io.kubernetes.pod.namespace: kube-system
@@ -22,6 +16,16 @@ spec:
         - ports:
             - port: "53"
               protocol: ANY
+            - port: "9153"
+              protocol: ANY
           rules:
             dns:
+              - matchPattern: "pool.ntp.org"
               - matchPattern: "*.pool.ntp.org"
+    - toFQDNs:
+        - matchPattern: "pool.ntp.org"
+        - matchPattern: "*.pool.ntp.org"
+      toPorts:
+        - ports:
+            - port: "123"
+              protocol: UDP
diff --git a/applications/base/chronyd/values-agent.yaml b/applications/base/chronyd/values-agent.yaml
@@ -0,0 +1,67 @@
+controller:
+  type: daemonset
+
+image:
+  repository: cturra/ntp
+  tag: latest
+  pullPolicy: IfNotPresent
+
+command:
+  - /bin/sh
+  - -c
+  - >-
+    exec /usr/sbin/chronyd
+    -f /etc/chrony.conf
+    -d
+    -L 0
+
+tolerations:
+  - effect: NoSchedule
+    operator: Exists
+  - key: CriticalAddonsOnly
+    operator: Exists
+  - effect: NoExecute
+    operator: Exists
+
+resources:
+  limits:
+    memory: 20Mi
+    cpu: 10m
+  requests:
+    cpu: 1m
+    memory: 10Mi
+
+securityContext:
+  privileged: true
+  runAsUser: 0
+  runAsGroup: 0
+  capabilities:
+    add:
+      - CAP_SYS_TIME
+
+persistence:
+  config:
+    enabled: true
+    name: chrony-agent
+    type: configMap
+    subPath:
+      - path: chrony.conf
+        mountPath: /etc/chrony.conf
+        readOnly: true
+  state:
+    enabled: true
+    name: state
+    type: hostPath
+    hostPath: /var/lib/cronyd
+
+service:
+  main:
+    enabled: false
+
+probes:
+  liveness:
+    enabled: false
+  readiness:
+    enabled: false
+  startup:
+    enabled: false
diff --git a/applications/base/chronyd/values.yaml b/applications/base/chronyd/values.yaml
@@ -1,20 +1,21 @@
 controller:
-  type: daemonset
+  type: statefulset
+  replicas: 1
 
 image:
   repository: cturra/ntp
   tag: latest
   pullPolicy: IfNotPresent
 
-command: [/bin/sh, /tmp/run.sh]
-
-tolerations:
-  - effect: NoSchedule
-    operator: Exists
-  - key: CriticalAddonsOnly
-    operator: Exists
-  - effect: NoExecute
-    operator: Exists
+command:
+  - /bin/sh
+  - -c
+  - >-
+    exec /usr/sbin/chronyd
+    -f /etc/chrony.conf
+    -d
+    -L 0
+    -x
 
 resources:
   limits:
@@ -26,24 +27,18 @@ resources:
 
 securityContext:
   privileged: true
-  capabilities:
-    add:
-      - CAP_SYS_TIME
+  runAsUser: 0
+  runAsGroup: 0
 
 persistence:
   config:
     enabled: true
     name: chrony
     type: configMap
     subPath:
-      - path: run.sh
-        mountPath: /tmp/run.sh
+      - path: chrony.conf
+        mountPath: /etc/chrony.conf
         readOnly: true
-  state:
-    enabled: true
-    name: state
-    type: hostPath
-    hostPath: /var/lib/cronyd
 
 service:
   main: