c15e4efef6
* terraform: add Azure marketplace variable Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * config: add Azure marketplace variable Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * cli: use Terraform variables from config Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * terraform: pass down marketplace variable * image: pad Azure images to 1GiB * terraform: add version attribute to marketplace image * semver: allow versions to be exported without prefix * cli: boolean var to use marketplace images * config: remove dive key * dev-docs: add instructions on how to use marketplace images * terraform: fix unit test * terraform: only fetch image for non-marketplace images * mpimage: refactor image selection Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * [remove] increase minor version for image build Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * terraform: ignore changes to source_image_reference on upgrade * operator: add support for parsing Azure marketplace images Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * upgrade: fix imagefetcher call * docs: add info about azure marketplace * image: ensure more than 1GiB in size * image: test to pad to 2GiB * version: change back to v2.14.0-pre * image: GPT-conformant image size padding * [remove] increase version * mpimage: inline prefix func Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * ci: add marketplace image e2e test Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * [remove] register workflow * ci: fix workflow name * ci: only allow azure test * cli: add marketplace image input to interface * cli: fix argument passing * version: roll back to v2.14.0 * ci: add force-flag support * Update docs/docs/overview/license.md * Update dev-docs/workflows/marketplace-images.md Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com> --------- Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com> Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> |
||
|---|---|---|
| .. | ||
| api | ||
| config | ||
| controllers | ||
| external/github.com/medik8s/node-maintenance-operator/config/crd/bases | ||
| hack | ||
| internal | ||
| sgreconciler | ||
| .dockerignore | ||
| .gitignore | ||
| BUILD.bazel | ||
| bundle.Dockerfile | ||
| go.mod | ||
| go.sum | ||
| main.go | ||
| Makefile | ||
| PROJECT | ||
| README.md | ||
constellation-node-operator
The constellation node operator manages the lifecycle of constellation nodes after cluster initialization. In particular, it is responsible for updating the OS images of nodes by replacing nodes running old images with new nodes.
High level goals
- Admin or
constellation applycan create custom resources for node related components - The operator will manage nodes in the cluster by trying to ensure every node has the specified image
- If a node uses an outdated image, it will be replaced by a new node
- Admin can update the specified image at any point in time which will trigger a rolling upgrade through the cluster
- Nodes are replaced safely (cordon, drain, preservation of node labels)
Description
The operator has multiple controllers with corresponding custom resource definitions (CRDs) that are responsible for the following high level tasks:
NodeVersion
NodeVersion is the only user controlled CRD. The spec allows an administrator to update the desired image and trigger a rolling update.
Example for GCP:
apiVersion: update.edgeless.systems/v1alpha1
kind: NodeVersion
metadata:
name: constellation-version
spec:
image: "projects/constellation-images/global/images/<image-name>"
Example for Azure:
apiVersion: update.edgeless.systems/v1alpha1
kind: NodeVersion
metadata:
name: constellation-version
spec:
image: "/subscriptions/<subscription-id>/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/<image-definition-name>/versions/<image-version>"
AutoscalingStrategy
AutoscalingStrategy is used and modified by the NodeVersion controller to pause the cluster-autoscaler while an image update is in progress.
Example:
apiVersion: update.edgeless.systems/v1alpha1
kind: AutoscalingStrategy
metadata:
name: autoscalingstrategy
spec:
enabled: true
deploymentName: "cluster-autoscaler"
deploymentNamespace: "kube-system"
ScalingGroup
ScalingGroup represents one scaling group at the CSP. Constellation uses one scaling group for worker nodes and one for control-plane nodes.
The scaling group controller will automatically set the image used for newly created nodes to be the image set in the NodeVersion Spec. On cluster creation, one instance of the ScalingGroup resource per scaling group at the CSP is created. It does not need to be updated manually.
Example for GCP:
apiVersion: update.edgeless.systems/v1alpha1
kind: ScalingGroup
metadata:
name: scalinggroup-worker
spec:
nodeImage: "constellation-version"
groupId: "projects/<project-id>/zones/<zone>/instanceGroupManagers/<instance-group-name>"
autoscaling: true
Example for Azure:
apiVersion: update.edgeless.systems/v1alpha1
kind: ScalingGroup
metadata:
name: scalinggroup-worker
spec:
nodeImage: "constellation-version"
groupId: "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Compute/virtualMachineScaleSets/<scale-set-name>"
autoscaling: true
PendingNode
PendingNode represents a node that is either joining or leaving the cluster. These are nodes that are not part of the cluster (they do not have a corresponding node object). Instead, they are used to track the creation and deletion of nodes.
This resource is automatically managed by the operator.
For joining nodes, the deadline is used to delete the pending node if it fails to join before the deadline ends.
Example for GCP:
apiVersion: update.edgeless.systems/v1alpha1
kind: PendingNode
metadata:
name: pendingnode-sample
spec:
providerID: "gce://<project-id>/<zone>/<instance-name>"
groupID: "projects/<project-id>/zones/<zone>/instanceGroupManagers/<instance-group-name>"
nodeName: "<kubernetes-node-name>"
goal: Join
deadline: "2022-07-04T08:33:18+00:00"
Example for Azure:
apiVersion: update.edgeless.systems/v1alpha1
kind: PendingNode
metadata:
name: pendingnode-sample
spec:
providerID: "azure:///subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Compute/virtualMachineScaleSets/<scale-set-name>/virtualMachines/<instance-id>"
groupID: "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Compute/virtualMachineScaleSets/<scale-set-name>"
nodeName: "<kubernetes-node-name>"
goal: Join
deadline: "2022-07-04T08:33:18+00:00"
Getting Started
You’ll need a Kubernetes cluster to run against. You can use KIND to get a local cluster for testing, or run against a remote cluster.
Note: Your controller will automatically use the current context in your kubeconfig file (i.e. whatever cluster kubectl cluster-info shows).
Running on the cluster
- Install Instances of Custom Resources:
kubectl apply -f config/samples/
- Build and push your image to the location specified by
IMG:
make docker-build docker-push IMG=<some-registry>/constellation/node-operator:tag
- Deploy the controller to the cluster with the image specified by
IMG:
make deploy IMG=<some-registry>/constellation/node-operator:tag
Uninstall CRDs
To delete the CRDs from the cluster:
make uninstall
Undeploy controller
UnDeploy the controller to the cluster:
make undeploy
How it works
This project aims to follow the Kubernetes Operator pattern
It uses Controllers which provides a reconcile function responsible for synchronizing resources until the desired state is reached on the cluster
Test It Out
- Install the CRDs into the cluster:
make install
- Run your controller (this will run in the foreground, so switch to a new terminal if you want to leave it running):
make run
NOTE: You can also run this in one step by running: make install run
Modifying the API definitions
If you are editing the API definitions, generate the manifests such as CRs or CRDs using:
make manifests
NOTE: Run make --help for more information on all potential make targets
More information can be found via the Kubebuilder Documentation
Production deployment
The operator is deployed automatically during constellation-init.
Prerequisite for this is that cert-manager is installed.
cert-manager is also installed during constellation-init.
To deploy you can use the Helm chart at /internal/constellation/helm/charts/edgeless/operators/constellation-operator.