Skip to content

brainfood / k8s-bootstrap

Go to a project
Toggle navigation
Toggle navigation pinning
Switch branch/tag
k8s-bootstrap.yaml 4.75 KB
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: k8s-bootstrap-admin
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: k8s-bootstrap-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: k8s-bootstrap-admin
    namespace: kube-system
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: k8s-bootstrap-config
  namespace: kube-system
data:
  HOME: /tmp/cluster-home
  SSH_CONFIG: |
    StrictHostKeyChecking no
    LogLevel VERBOSE
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: k8s-bootstrap-scripts
  namespace: kube-system
data:
  clone-start-of-day: |
    #!/bin/sh
    set -ex
    # FIXME: don't hard-code this.
    rm -rf /tmp/git-storage/k8s-start-of-day
    git clone --recurse-submodules git@gitlab.brainfood.com:brainfood/k8s-start-of-day.git /tmp/git-storage/k8s-start-of-day
    cd /tmp/git-storage/k8s-start-of-day
    if [ -e helmfile.yaml ]; then
      echo helmfile > /tmp/git-storage/repo-type
    elif [ -e kustomization.yaml ]; then
      echo kustomize > /tmp/git-storage/repo-type
    else
      echo unknown > /tmp/git-storage/repo-type
    fi
  check-mode: |
    #!/bin/sh
    set -ex
    wanted_type="$1"
    if [ $(cat /tmp/git-storage/repo-type) = $wanted_type ]; then
      shift
      /tmp/k8s-bootstrap-scripts/run-$wanted_type "$@"
    fi
  run-helmfile: |
    #!/bin/sh
    set -ex
    mkdir -p $HOME/.config/kustomize/plugin
    helm plugin install https://github.com/mumoshu/helm-x
    helm plugin install https://github.com/databus23/helm-diff
    helm plugin install https://github.com/aslafy-z/helm-git.git
    "$@"

---
apiVersion: batch/v1
kind: Job
metadata:
  name: k8s-bootstrap
  namespace: kube-system
spec:
  template:
    spec:
      restartPolicy: OnFailure
      securityContext:
        runAsUser: 1234
        runAsGroup: 1234
        fsGroup: 1234

      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master

      serviceAccountName: k8s-bootstrap-admin

      volumes:
        - name: k8s-bootstrap-ssh-config
          configMap:
            name: k8s-bootstrap-config
            defaultMode: 0600
            items:
              - key: SSH_CONFIG
                path: config

        - name: k8s-bootstrap-ssh-auth
          secret:
            secretName: cluster-ssh
            defaultMode: 0600
            items:
              - key: ssh-private-key
                path: id_rsa

        - name: k8s-bootstrap-scripts
          configMap:
            name: k8s-bootstrap-scripts
            defaultMode: 0755
        - name: cluster-home
          emptyDir: {}
        - name: cluster-ssh
          emptyDir: {}
        - name: git-storage
          emptyDir: {}

      initContainers:
        - name: clone-k8s-start-of-day
          image: bitnami/git
          envFrom:
            - configMapRef:
                name: k8s-bootstrap-config
          volumeMounts:
            - name: k8s-bootstrap-scripts
              mountPath: /tmp/k8s-bootstrap-scripts
            - name: cluster-home
              mountPath: /tmp/cluster-home
            - name: cluster-ssh
              mountPath: /tmp/cluster-home/.ssh
            - name: k8s-bootstrap-ssh-auth
              mountPath: /tmp/cluster-home/.ssh/id_rsa
              subPath: id_rsa
            - name: k8s-bootstrap-ssh-config
              mountPath: /tmp/cluster-home/.ssh/config
              subPath: config
            - name: git-storage
              mountPath: /tmp/git-storage
          command: ["/tmp/k8s-bootstrap-scripts/clone-start-of-day"]

        - name: try-helmfile
          image: quay.io/roboll/helmfile:v0.143.5-stable-slim
          workingDir: /tmp/git-storage/k8s-start-of-day
          command: ["/tmp/k8s-bootstrap-scripts/check-mode", "helmfile", "/usr/local/bin/helmfile"]
          args: ["apply"]
          envFrom:
            - configMapRef:
                name: k8s-bootstrap-config
          volumeMounts:
            - name: git-storage
              mountPath: /tmp/git-storage
            - name: k8s-bootstrap-scripts
              mountPath: /tmp/k8s-bootstrap-scripts
            - name: cluster-home
              mountPath: /tmp/cluster-home
            - name: cluster-ssh
              mountPath: /tmp/cluster-home/.ssh
            - name: k8s-bootstrap-ssh-auth
              mountPath: /tmp/cluster-home/.ssh/id_rsa
              subPath: id_rsa
            - name: k8s-bootstrap-ssh-config
              mountPath: /tmp/cluster-home/.ssh/config
              subPath: config

      containers:
        - name: show-status
          image: bash
          command: ["bash", "-exc", "ls -Ral /tmp"]
          volumeMounts:
            - name: git-storage
              mountPath: /tmp/git-storage
---