From ef2a61850882eb90494524aa6ab601716dffffef Mon Sep 17 00:00:00 2001
From: Dmitri Fedotov
Date: Mon, 27 May 2024 14:09:02 +0300
Subject: [PATCH 1/3] [cc-cluster] flatcar<->gardenlinux compatible template
---
 system/cc-cluster/Chart.yaml | 2 +-
 .../templates/kubeadmconfigtemplate.yaml | 74 ++++++++++++++++---
 2 files changed, 64 insertions(+), 12 deletions(-)
diff --git a/system/cc-cluster/Chart.yaml b/system/cc-cluster/Chart.yaml
index e04ad44de1..e4b4065eea 100644
--- a/system/cc-cluster/Chart.yaml
+++ b/system/cc-cluster/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v2
 name: cc-cluster
 description: A Helm chart for the cc clusters.
 type: application
-version: 1.0.15
+version: 1.0.16
diff --git a/system/cc-cluster/templates/kubeadmconfigtemplate.yaml b/system/cc-cluster/templates/kubeadmconfigtemplate.yaml
index 88d40e61f2..8c4c21749f 100644
--- a/system/cc-cluster/templates/kubeadmconfigtemplate.yaml
+++ b/system/cc-cluster/templates/kubeadmconfigtemplate.yaml
@@ -49,6 +49,33 @@ spec: runtime_type = "io.containerd.runc.v2" [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options] SystemdCgroup = true + - path: /etc/ssh/sshd_config + filesystem: root + mode: 393 + overwrite: true + contents: + inline: | + # Use most defaults for sshd configuration. + #Subsystem sftp internal-sftp + ClientAliveInterval 180 + UseDNS no + UsePAM yes + + # handled by PAM + PrintLastLog no + + # handled by PAM + PrintMotd no + + Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com + MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,umac-128-etm@openssh.com,umac-128@openssh.com + KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 + - path: /etc/modprobe.d/blacklist.conf + filesystem: root + mode: 393 + contents: + inline: | + blacklist nfs_layout_nfsv41_files - path: /opt/bin/kube.sh filesystem: root mode: 393 @@ -267,6 +294,25 @@ spec: inline: | net.bridge.bridge-nf-call-ip6tables = 1 net.bridge.bridge-nf-call-iptables = 1 + - path: /opt/bin/kubeadm_patch.sh + filesystem: root + mode: 0744 + contents: + inline: | + #!/bin/bash + PATH=$PATH:/bin + + /usr/bin/mkdir --parent /etc/systemd/system/kubeadm.service.d + + /bin/cat > /etc/systemd/system/kubeadm.service.d/10-flatcar.conf << EOF + [Unit] + # kubeadm must run after coreos-metadata populated /run/metadata directory. + Requires=kube_up.service + After=kube_up.service + [Service] + # Make metadata environment variables available for pre-kubeadm commands. + EnvironmentFile=/run/metadata/* + EOF - path: /opt/network_up.sh filesystem: root mode: 0744 
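Review bot: The new /etc/ssh/sshd_config sets no `PasswordAuthentication`, `PermitRootLogin` or `AuthenticationMethods` directive, so with `overwrite: true` those fall back to OpenSSH's built-in defaults, where password authentication is enabled; because this same template provisions the login user with a `passwd` hash (the users stanza later in this patch), password-based SSH to that account becomes possible on every node unless PAM happens to refuse it. The comment `# Use most defaults for sshd configuration.` reads as if the distro file still applied, but the distro file is exactly what this entry replaces — if the stock Flatcar config carried `AuthenticationMethods publickey` and `PermitRootLogin no` (as recent releases do, to my recollection), this is a hardening regression on Flatcar. I would add `PasswordAuthentication no`, `PermitRootLogin no` and `AuthenticationMethods publickey` after `UsePAM yes`, and give the file `mode: 0600` (decimal 384) instead of 393, which is 0611 and puts execute bits on a config file. The same 393 on /etc/modprobe.d/blacklist.conf should be 0644 (420), and since `blacklist` only suppresses alias-based autoloading, `install nfs_layout_nfsv41_files /bin/false` is the form that also refuses an explicit load, if a hard block is the intent.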
@@ -353,18 +399,21 @@ spec: {{- end }} systemd: units: - - name: kubeadm.service + - name: kubeadm-patch.service enabled: true - dropins: - - name: 10-flatcar.conf - contents: | - [Unit] - # kubeadm must run after coreos-metadata populated /run/metadata directory. - Requires=kube_up.service - After=kube_up.service - [Service] - # Make metadata environment variables available for pre-kubeadm commands. - EnvironmentFile=/run/metadata/* + contents: | + [Unit] + Description=Patch kubeadm + Before=kubeadm.service + + [Service] + Type=oneshot + ExecStart=/opt/bin/kubeadm_patch.sh + ExecStartPost=systemctl daemon-reload + ExecStartPost=systemctl disable kubeadm-patch.service + + [Install] + WantedBy=multi-user.target kubeadm.service - name: kubelet.service enable: true contents: | @@ -470,6 +519,8 @@ spec: ExecStartPre=/usr/bin/sleep 10 ExecStart=/opt/bin/kube.sh ExecStartPost=systemctl disable kube_up.service + [Install] + WantedBy=kubeadm.service # needed to register node after kubeadm - name: kubelet_restart.service enabled: true @@ -494,6 +545,7 @@ spec: users: - name: {{ $cluster.userName | default $.Values.user.name }} passwd: {{ $cluster.userPasswordhash | default $.Values.user.passwordhash }} + groups: "sudo" sshAuthorizedKeys: - {{ $cluster.userKey | default $.Values.user.key | quote }} {{- if $cluster.additionalUsers }} From d815b4aa53ef73500a433b1341df479dea31c16b Mon Sep 17 00:00:00 2001 From: Dmitri Fedotov Date: Mon, 27 May 2024 15:58:13 +0300 Subject: [PATCH 2/3] switch kubeadm.service dropin to file --- .../templates/kubeadmconfigtemplate.yaml | 28 ++++--------------- 1 file changed, 5 insertions(+), 23 deletions(-) diff --git a/system/cc-cluster/templates/kubeadmconfigtemplate.yaml b/system/cc-cluster/templates/kubeadmconfigtemplate.yaml index 8c4c21749f..f4f9f7a705 100644 --- a/system/cc-cluster/templates/kubeadmconfigtemplate.yaml +++ b/system/cc-cluster/templates/kubeadmconfigtemplate.yaml 
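Review bot: `groups: "sudo"` in the users hunk grants root-equivalent access to the provisioned user on every node, but nothing in the change states the sudoers policy behind the `sudo` group on either image: if it is NOPASSWD, the single key from `userKey`/`user.key` becomes an unattended root credential, and if it requires a password, the shared `passwd` hash from values is that credential. If the bootstrap user spec's `sudo:` field is honoured on the ignition path, stating the policy explicitly (e.g. `sudo: "ALL=(ALL) ALL"`) is preferable to relying on whatever `/etc/sudoers` each image ships; if relying on the image is intentional, document it with `# sudo group: admin access on Flatcar and Garden Linux; policy comes from the image's sudoers`. Also confirm the group exists on both images before this rolls out, since user creation fails on a missing group and the admin group name differs between distributions (`wheel` vs `sudo`). The users stanza continues outside the hunk.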
@@ -23,6 +23,9 @@ spec: directories: - path: /etc/kubernetes/manifests overwrite: true + - path: /etc/systemd/system/kubeadm.service.d + mode: 0755 + overwrite: true {{- if $cluster.ignitionDirectories }} {{- toYaml $cluster.ignitionDirectories | nindent 14 }} {{- end }} @@ -294,17 +297,12 @@ spec: inline: | net.bridge.bridge-nf-call-ip6tables = 1 net.bridge.bridge-nf-call-iptables = 1 - - path: /opt/bin/kubeadm_patch.sh + - path: /etc/systemd/system/kubeadm.service.d/10-flatcar.conf filesystem: root - mode: 0744 + mode: 0644 contents: inline: | #!/bin/bash - PATH=$PATH:/bin - - /usr/bin/mkdir --parent /etc/systemd/system/kubeadm.service.d - - /bin/cat > /etc/systemd/system/kubeadm.service.d/10-flatcar.conf << EOF [Unit] # kubeadm must run after coreos-metadata populated /run/metadata directory. Requires=kube_up.service @@ -312,7 +310,6 @@ spec: [Service] # Make metadata environment variables available for pre-kubeadm commands. EnvironmentFile=/run/metadata/* - EOF - path: /opt/network_up.sh filesystem: root mode: 0744 @@ -399,21 +396,6 @@ spec: {{- end }} systemd: units: - - name: kubeadm-patch.service - enabled: true - contents: | - [Unit] - Description=Patch kubeadm - Before=kubeadm.service - - [Service] - Type=oneshot - ExecStart=/opt/bin/kubeadm_patch.sh - ExecStartPost=systemctl daemon-reload - ExecStartPost=systemctl disable kubeadm-patch.service - - [Install] - WantedBy=multi-user.target kubeadm.service - name: kubelet.service enable: true contents: | From 760cf222d3e1ce116aacb201cbafac5501177875 Mon Sep 17 00:00:00 2001 From: Dmitri Fedotov Date: Tue, 28 May 2024 14:32:37 +0200 Subject: [PATCH 3/3] rm /bin/bash from dropin --- system/cc-cluster/templates/kubeadmconfigtemplate.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/system/cc-cluster/templates/kubeadmconfigtemplate.yaml b/system/cc-cluster/templates/kubeadmconfigtemplate.yaml index f4f9f7a705..b633e843d3 100644 --- a/system/cc-cluster/templates/kubeadmconfigtemplate.yaml 
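Review bot: `overwrite: true` on the new `/etc/systemd/system/kubeadm.service.d` directory entry asks Ignition to remove whatever already exists at that path before recreating it, so any drop-in the image or the bootstrap provider's own kubeadm.service handling has already placed there would be discarded before 10-flatcar.conf is written (the exact semantics depend on the Ignition spec version the converter targets — confirm). If the goal is only to guarantee the directory exists with mode 0755, dropping `overwrite: true` is the safer form; the file entry later in this patch already ensures its own file is written. A one-line comment such as `# drop-in directory for the 10-flatcar.conf file written below` would record why the directory is declared separately from the file.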
+++ b/system/cc-cluster/templates/kubeadmconfigtemplate.yaml
@@ -302,7 +302,6 @@ spec:
 mode: 0644
 contents:
 inline: |
- #!/bin/bash
 [Unit]
 # kubeadm must run after coreos-metadata populated /run/metadata directory.
 Requires=kube_up.service