chore: update local-up and manifest

crain-cn · Dec 29, 2023 · 0e050ef · 0e050ef
1 parent eeed9f3
commit 0e050ef
Show file tree

Hide file tree

Showing 55 changed files with 1,031 additions and 1,471 deletions.
diff --git a/cmd/hpa-aggregator/app/hpaaggregator.go b/cmd/hpa-aggregator/app/hpaaggregator.go
@@ -1,3 +1,19 @@
+/*
+Copyright 2023 The KubeAdmiral Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
 package app
 
 import (

diff --git a/config/crds/hpaaggregator.kubeadmiral.io_externalmetricadaptors.yaml b/config/crds/hpaaggregator.kubeadmiral.io_externalmetricadaptors.yaml
diff --git a/config/deploy/controlplane/kube-apiserver.yaml b/config/deploy/controlplane/kube-apiserver.yaml
@@ -39,6 +39,7 @@ spec:
             - --client-ca-file=/etc/kubeadmiral/pki/ca.crt
             - --enable-admission-plugins=NodeRestriction
             - --enable-bootstrap-token-auth=true
+            - --enable-aggregator-routing=false # make sure ExternalName svc can work for HPA aggregator
             - --etcd-cafile=/etc/kubeadmiral/pki/etcd-ca.crt
             - --etcd-certfile=/etc/kubeadmiral/pki/etcd-client.crt
             - --etcd-keyfile=/etc/kubeadmiral/pki/etcd-client.key

diff --git a/config/deploy/controlplane/kubeadmiral-hpa-aggregator-apiservice.yaml b/config/deploy/controlplane/kubeadmiral-hpa-aggregator-apiservice.yaml
@@ -0,0 +1,102 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: kubeadmiral-hpa-aggregator
+  namespace: kube-admiral-system
+spec:
+  externalName: kubeadmiral-hpa-aggregator
+  ports:
+    - port: 443
+      protocol: TCP
+      targetPort: 443
+  sessionAffinity: None
+  type: ExternalName
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  labels:
+    apiserver: "true"
+    app: kubeadmiral-hpa-aggregator
+  name: v1beta1.metrics.k8s.io
+spec:
+  group: metrics.k8s.io
+  groupPriorityMinimum: 2000
+  insecureSkipTLSVerify: true
+  service:
+    name: kubeadmiral-hpa-aggregator
+    namespace: kube-admiral-system
+    port: 443
+  version: v1beta1
+  versionPriority: 1
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  labels:
+    apiserver: "true"
+    app: kubeadmiral-hpa-aggregator
+  name: v1beta1.custom.metrics.k8s.io
+spec:
+  group: custom.metrics.k8s.io
+  groupPriorityMinimum: 2000
+  insecureSkipTLSVerify: true
+  service:
+    name: kubeadmiral-hpa-aggregator
+    namespace: kube-admiral-system
+    port: 443
+  version: v1beta1
+  versionPriority: 1
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  labels:
+    apiserver: "true"
+    app: kubeadmiral-hpa-aggregator
+  name: v1alpha1.hpaaggregator.kubeadmiral.io
+spec:
+  group: hpaaggregator.kubeadmiral.io
+  groupPriorityMinimum: 2000
+  insecureSkipTLSVerify: true
+  service:
+    name: kubeadmiral-hpa-aggregator
+    namespace: kube-admiral-system
+    port: 443
+  version: v1alpha1
+  versionPriority: 1
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: admiral-system:controller:horizontal-pod-autoscaler
+rules:
+  - apiGroups:
+      - hpaaggregator.kubeadmiral.io
+    resources:
+      - '*'
+    verbs:
+      - '*'
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: admiral-system:controller:horizontal-pod-autoscaler
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: admiral-system:controller:horizontal-pod-autoscaler
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: User
+    name: system:controller:horizontal-pod-autoscaler
+  - kind: ServiceAccount
+    name: horizontal-pod-autoscaler
+    namespace: kube-system
diff --git a/config/deploy/controlplane/kubeadmiral-hpa-aggregator.yaml b/config/deploy/controlplane/kubeadmiral-hpa-aggregator.yaml
@@ -0,0 +1,159 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kubeadmiral-hpa-aggregator
+  namespace: kubeadmiral-system
+  labels:
+    app: kubeadmiral-hpa-aggregator
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: kubeadmiral-hpa-aggregator
+  strategy:
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 1
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: kubeadmiral-hpa-aggregator
+    spec:
+      automountServiceAccountToken: false
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchExpressions:
+                  - key: app
+                    operator: In
+                    values:
+                      - kubeadmiral-hpa-aggregator
+              topologyKey: kubernetes.io/hostname
+      containers:
+        - command:
+            - /kubeadmiral-hpa-aggregator
+            - --bind-address=0.0.0.0
+            - --client-ca-file=/etc/kubeadmiral/pki/ca.crt
+            - --requestheader-allowed-names=front-proxy-client
+            - --requestheader-client-ca-file=/etc/kubeadmiral/pki/front-proxy-ca.crt
+            - --requestheader-extra-headers-prefix=X-Remote-Extra-
+            - --requestheader-group-headers=X-Remote-Group
+            - --requestheader-username-headers=X-Remote-User
+            - --tls-cert-file=/etc/kubeadmiral/pki/apiserver.crt
+            - --tls-private-key-file=/etc/kubeadmiral/pki/apiserver.key
+            - --secure-port=443
+            - --kubeconfig=/etc/kubeconfig
+            - --authentication-kubeconfig=/etc/kubeconfig
+            - --authorization-kubeconfig=/etc/kubeconfig
+            - --kube-api-burst=100
+            - --kube-api-qps=50
+            - --feature-gates=APIPriorityAndFairness=false
+            - --klog-v=4
+          name: kubeadmiral-hpa-aggregator
+          image: ghcr.io/kubewharf/kubeadmiral-hpa-aggregator:latest
+          imagePullPolicy: IfNotPresent
+          livenessProbe:
+            failureThreshold: 8
+            httpGet:
+              path: /livez
+              port: 443
+              scheme: HTTPS
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 15
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /readyz
+              port: 443
+              scheme: HTTPS
+            periodSeconds: 1
+            successThreshold: 1
+            timeoutSeconds: 15
+          resources:
+            requests:
+              cpu: 250m
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /etc/kubeadmiral/pki
+              name: kubeadmiral-certs
+              readOnly: true
+            - mountPath: /etc/kubeconfig
+              subPath: kubeconfig
+              name: kubeconfig
+        - command:
+            - kube-controller-manager
+            - --allocate-node-cidrs=true
+            - --authentication-kubeconfig=/etc/hpa-kubeconfig
+            - --authorization-kubeconfig=/etc/hpa-kubeconfig
+            - --bind-address=0.0.0.0
+            - --client-ca-file=/etc/kubeadmiral/pki/ca.crt
+            - --cluster-cidr=10.244.0.0/16
+            - --cluster-name=kubeadmiral
+            - --cluster-signing-cert-file=/etc/kubeadmiral/pki/ca.crt
+            - --cluster-signing-key-file=/etc/kubeadmiral/pki/ca.key
+            - --controllers=horizontalpodautoscaling
+            - --kubeconfig=/etc/hpa-kubeconfig
+            - --leader-elect=true
+            - --leader-elect-resource-name=hpa-controller
+            - --requestheader-client-ca-file=/etc/kubeadmiral/pki/front-proxy-ca.crt
+            - --root-ca-file=/etc/kubeadmiral/pki/ca.crt
+            - --service-cluster-ip-range=10.96.0.0/12
+            - --service-account-private-key-file=/etc/kubeadmiral/pki/kubeadmiral.key
+            - --use-service-account-credentials=true
+            - --v=4
+          image: registry.k8s.io/kube-controller-manager:v1.20.15
+          imagePullPolicy: IfNotPresent
+          livenessProbe:
+            failureThreshold: 8
+            httpGet:
+              path: /healthz
+              port: 10257
+              scheme: HTTPS
+            initialDelaySeconds: 15
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 15
+          name: hpa-controller
+          resources:
+            requests:
+              cpu: 200m
+          volumeMounts:
+            - mountPath: /etc/kubeadmiral/pki
+              name: kubeadmiral-certs
+              readOnly: true
+            - mountPath: /etc/hpa-kubeconfig
+              subPath: hpa-kubeconfig
+              name: kubeconfig
+      dnsPolicy: ClusterFirstWithHostNet
+      restartPolicy: Always
+      tolerations:
+        - effect: NoExecute
+          operator: Exists
+      volumes:
+        - name: kubeadmiral-certs
+          secret:
+            secretName: kubeadmiral-cert-secret
+        - name: kubeconfig
+          secret:
+            secretName: kubeconfig
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: kubeadmiral-hpa-aggregator
+  namespace: kubeadmiral-system
+  labels:
+    app: kubeadmiral-hpa-aggregator
+    apiserver: "true"
+spec:
+  ports:
+    - port: 443
+      protocol: TCP
+      targetPort: 443
+  selector:
+    app: kubeadmiral-hpa-aggregator
diff --git a/config/deploy/controlplane/kubeconfig-secret.yaml b/config/deploy/controlplane/kubeconfig-secret.yaml
@@ -20,6 +20,26 @@ stringData:
       user:
         client-certificate-data: {{client_crt}}
         client-key-data: {{client_key}}
+  hpa-kubeconfig: |-
+    apiVersion: v1
+    clusters:
+    - cluster:
+        certificate-authority-data: {{ca_crt}}
+        server: https://kubeadmiral-apiserver.kubeadmiral-system.svc.cluster.local:5443/apis/hpaaggregator.kubeadmiral.io/v1alpha1/aggregations/hpa/proxy
+      name: kind-kubeadmiral
+    contexts:
+    - context:
+        cluster: kind-kubeadmiral
+        user: kind-kubeadmiral
+      name: kubeadmiral
+    current-context: kubeadmiral
+    kind: Config
+    preferences: {}
+    users:
+    - name: kind-kubeadmiral
+      user:
+        client-certificate-data: {{client_crt}}
+        client-key-data: {{client_key}}
 kind: Secret
 metadata:
   name: kubeconfig

diff --git a/go.mod b/go.mod
@@ -46,6 +46,7 @@ require (
 	github.com/coreos/go-semver v0.3.0 // indirect
 	github.com/coreos/go-systemd/v22 v22.4.0 // indirect
 	github.com/docker/distribution v2.8.1+incompatible // indirect
+	github.com/emicklei/go-restful/v3 v3.10.2 // indirect
 	github.com/felixge/httpsnoop v1.0.3 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect

diff --git a/hack/generate-groups.sh b/hack/generate-groups.sh
@@ -63,7 +63,7 @@ function codegen::join() {
 
 # generate manifests
 echo "Generating manifests"
-${GOBIN}/controller-gen crd paths=$(codegen::join ";" "${INPUT_DIRS[@]}") output:crd:artifacts:config=config/crds
+${GOBIN}/controller-gen crd paths=$(codegen::join ";" "${INPUT_BASE}/${groups[0]}") output:crd:artifacts:config=config/crds
 
 # patch CRDs with no-federate annotation
 for crd_file in config/crds/*.yaml; do