a87b7894db
* add current chart add current helm chart * disable service controller for aws ccm * add new iam roles * doc AWS internet LB + add to LB test * pass clusterName to helm for AWS LB * fix update-aws-lb chart to also include .helmignore * move chart outside services * working state * add subnet tags for AWS subnet discovery * fix .helmignore load rule with file in subdirectory * upgrade iam profile * revert new loader impl since cilium is not correctly loaded * install chart if not already present during `upgrade apply` * cleanup PR + fix build + add todos cleanup PR + add todos * shared helm pkg for cli install and bootstrapper * add link to eks docs * refactor iamMigrationCmd * delete unused helm.symwallk * move iammigrate to upgrade pkg * fixup! delete unused helm.symwallk * add to upgradecheck * remove nodeSelector from go code (Otto) * update iam docs and sort permission + remove duplicate roles * fix bug in `upgrade check` * better upgrade check output when svc version upgrade not possible * pr feedback * remove force flag in upgrade_test * use upgrader.GetUpgradeID instead of extra type * remove todos + fix check * update doc lb (leo) * remove bootstrapper helm package * Update cli/internal/cmd/upgradecheck.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * final nits * add docs for e2e upgrade test setup * Apply suggestions from code review Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * Update cli/internal/helm/loader.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * Update cli/internal/cmd/tfmigrationclient.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * fix daniel review * link to the iam permissions instead of manually updating them (agreed with leo) * disable iam upgrade in upgrade apply --------- Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> Co-authored-by: Malte Poll |
||
|---|---|---|
| .. | ||
| cmd/bootstrapper | ||
| initproto | ||
| internal | ||
| bootstrapping_arch.svg | ||
| README.md | ||
Bootstrapper
The bootstrapper integrates the instance it is running on as node into the Kubernetes cluster. It is running on every new instance that is created.
The bootstrapper has two active components:
Init Flow
The InitServer is a gRPC server that is listening for initialization requests. The first instance needs to be initialized by the user, see the initproto for a description of the initialization protocol. The client that talks to this server is part of Constellation's CLI.
On an initialization request, the InitServer initializes a new Kubernetes cluster, essentially
calling the InitCluster function of our Kubernetes library, which does a kubeadm init.
Join Flow
The JoinClient is a gRPC client that tries to connect to a JoinService of an already existing cluster. The JoinService validates the instance using aTLS. For details on the used protocol, see the joinservice package.
If the JoinService successfully verifies the instance, it issues a join ticket. The JoinClient then
joins the cluster by calling the kubeadm join command, using the token and other needed information
from the join ticket.
Synchronization, state machine, lifetime
The bootstrapper is automatically started on every new instance. Both InitServer and JoinClient are started and running in parallel. At some point during either the initialization or the join, a shared lock between the two components is acquired. This lock is used as point of no return. It is a state machine with two states (unlocked, locked) and a single transition from unlocked to locked. There is no way to unlock the node afterward (see nodelock package).
After the bootstrapping, the bootstrapper is stopped.