From 80538e295361f818acbed6b60aa5cd6829a06b32 Mon Sep 17 00:00:00 2001 From: Dalton Hubble Date: Thu, 9 Apr 2020 23:13:08 -0700 Subject: [PATCH] Add support for Fedora CoreOS on DigitalOcean * Add `digital-ocean/fedora-coreos/kubernetes` module * DigitalOcean custom uploaded images do not permit droplet IPv6 networking --- CHANGES.md | 11 +- README.md | 5 +- .../fedora-coreos/kubernetes/LICENSE | 23 ++ .../fedora-coreos/kubernetes/README.md | 23 ++ .../fedora-coreos/kubernetes/bootstrap.tf | 25 ++ .../fedora-coreos/kubernetes/controllers.tf | 100 +++++++ .../kubernetes/fcc/controller.yaml | 214 +++++++++++++++ .../fedora-coreos/kubernetes/fcc/worker.yaml | 117 +++++++++ .../fedora-coreos/kubernetes/network.tf | 117 +++++++++ .../fedora-coreos/kubernetes/outputs.tf | 47 ++++ digital-ocean/fedora-coreos/kubernetes/ssh.tf | 87 ++++++ .../fedora-coreos/kubernetes/variables.tf | 114 ++++++++ .../fedora-coreos/kubernetes/versions.tf | 12 + .../fedora-coreos/kubernetes/workers.tf | 77 ++++++ digital-ocean/ignore/.gitkeep | 0 docs/cl/digital-ocean.md | 4 +- docs/fedora-coreos/digitalocean.md | 247 ++++++++++++++++++ docs/fedora-coreos/google-cloud.md | 12 +- docs/index.md | 5 +- 19 files changed, 1226 insertions(+), 14 deletions(-) create mode 100644 digital-ocean/fedora-coreos/kubernetes/LICENSE create mode 100644 digital-ocean/fedora-coreos/kubernetes/README.md create mode 100644 digital-ocean/fedora-coreos/kubernetes/bootstrap.tf create mode 100644 digital-ocean/fedora-coreos/kubernetes/controllers.tf create mode 100644 digital-ocean/fedora-coreos/kubernetes/fcc/controller.yaml create mode 100644 digital-ocean/fedora-coreos/kubernetes/fcc/worker.yaml create mode 100644 digital-ocean/fedora-coreos/kubernetes/network.tf create mode 100644 digital-ocean/fedora-coreos/kubernetes/outputs.tf create mode 100644 digital-ocean/fedora-coreos/kubernetes/ssh.tf create mode 100644 digital-ocean/fedora-coreos/kubernetes/variables.tf create mode 100644 digital-ocean/fedora-coreos/kubernetes/versions.tf create mode 100644 digital-ocean/fedora-coreos/kubernetes/workers.tf delete mode 100644 digital-ocean/ignore/.gitkeep create mode 100644 docs/fedora-coreos/digitalocean.md diff --git a/CHANGES.md b/CHANGES.md index d11990ba..6957ee58 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -11,14 +11,21 @@ Notable changes between versions. * Change `kube-proxy` and `calico` or `flannel` to tolerate specific taints ([#682](https://github.com/poseidon/typhoon/pull/682)) * Tolerate master and not-ready taints, rather than tolerating all taints * Update flannel from v0.11.0 to v0.12.0 ([#690](https://github.com/poseidon/typhoon/pull/690)) +* Fix bootstrap when `networking` mode `flannel` (non-default) is chosen ([#689](https://github.com/poseidon/typhoon/pull/689)) + * Regressed in v1.18.0 changes for Calico ([#675](https://github.com/poseidon/typhoon/pull/675)) * Rename Container Linux `controller_clc_snippets` to `controller_snippets` for consistency ([#688](https://github.com/poseidon/typhoon/pull/688)) * Rename Container Linux `worker_clc_snippets` to `worker_snippets` for consistency * Rename Container Linux `clc_snippets` (bare-metal) to `snippets` for consistency -* Fix bootstrap when `networking` mode `flannel` (non-default) is chosen ([#689](https://github.com/poseidon/typhoon/pull/689)) - * Regressed in v1.18.0 changes for Calico ([#675](https://github.com/poseidon/typhoon/pull/675)) + +#### Azure + * Fix Azure worker UDP outbound connections ([#691](https://github.com/poseidon/typhoon/pull/691)) * Fix Azure worker clock sync timeouts +#### DigitalOcean + +* Add support for Fedora CoreOS ([#699](https://github.com/poseidon/typhoon/pull/699)) + #### Addons * Refresh Prometheus rules/alerts and Grafana dashboards ([#692](https://github.com/poseidon/typhoon/pull/692)) diff --git a/README.md b/README.md index bb053dda..079f5f25 100644 --- a/README.md +++ b/README.md @@ -35,6 +35,7 @@ Typhoon is available for [Fedora CoreOS](https://getfedora.org/coreos/). |---------------|------------------|------------------|--------| | AWS | Fedora CoreOS | [aws/fedora-coreos/kubernetes](aws/fedora-coreos/kubernetes) | stable | | Bare-Metal | Fedora CoreOS | [bare-metal/fedora-coreos/kubernetes](bare-metal/fedora-coreos/kubernetes) | beta | +| DigitalOcean | Fedora CoreOS | [digital-ocean/fedora-coreos/kubernetes](digital-ocean/fedora-coreos/kubernetes) | alpha | | Google Cloud | Fedora CoreOS | [google-cloud/fedora-coreos/kubernetes](google-cloud/fedora-coreos/kubernetes) | beta | Typhoon is available for [Flatcar Container Linux](https://www.flatcar-linux.org/releases/). @@ -44,14 +45,14 @@ Typhoon is available for [Flatcar Container Linux](https://www.flatcar-linux.org | AWS | Flatcar Linux | [aws/container-linux/kubernetes](aws/container-linux/kubernetes) | stable | | Azure | Flatcar Linux | [azure/container-linux/kubernetes](azure/container-linux/kubernetes) | alpha | | Bare-Metal | Flatcar Linux | [bare-metal/container-linux/kubernetes](bare-metal/container-linux/kubernetes) | stable | +| DigitalOcean | Flatcar Linux | [digital-ocean/container-linux/kubernetes](digital-ocean/container-linux/kubernetes) | alpha | | Google Cloud | Flatcar Linux | [google-cloud/container-linux/kubernetes](google-cloud/container-linux/kubernetes) | alpha | -| Digital Ocean | Flatcar Linux | [digital-ocean/container-linux/kubernetes](digital-ocean/container-linux/kubernetes) | alpha | ## Documentation * [Docs](https://typhoon.psdn.io) * Architecture [concepts](https://typhoon.psdn.io/architecture/concepts/) and [operating systems](https://typhoon.psdn.io/architecture/operating-systems/) -* Fedora CoreOS tutorials for [AWS](docs/fedora-coreos/aws.md), [Bare-Metal](docs/fedora-coreos/bare-metal.md), and [Google Cloud](docs/fedora-coreos/google-cloud.md) +* Fedora CoreOS tutorials for [AWS](docs/fedora-coreos/aws.md), [Bare-Metal](docs/fedora-coreos/bare-metal.md), [DigitalOcean](docs/fedora-coreos/digitalocean.md), and [Google Cloud](docs/fedora-coreos/google-cloud.md) * Flatcar Linux tutorials for [AWS](docs/cl/aws.md), [Azure](docs/cl/azure.md), [Bare-Metal](docs/cl/bare-metal.md), [DigitalOcean](docs/cl/digital-ocean.md), and [Google Cloud](docs/cl/google-cloud.md) ## Usage diff --git a/digital-ocean/fedora-coreos/kubernetes/LICENSE b/digital-ocean/fedora-coreos/kubernetes/LICENSE new file mode 100644 index 00000000..658b1c46 --- /dev/null +++ b/digital-ocean/fedora-coreos/kubernetes/LICENSE @@ -0,0 +1,23 @@ +The MIT License (MIT) + +Copyright (c) 2020 Typhoon Authors +Copyright (c) 2020 Dalton Hubble + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. + diff --git a/digital-ocean/fedora-coreos/kubernetes/README.md b/digital-ocean/fedora-coreos/kubernetes/README.md new file mode 100644 index 00000000..18cd0c6b --- /dev/null +++ b/digital-ocean/fedora-coreos/kubernetes/README.md @@ -0,0 +1,23 @@ +# Typhoon + +Typhoon is a minimal and free Kubernetes distribution. + +* Minimal, stable base Kubernetes distribution +* Declarative infrastructure and configuration +* Free (freedom and cost) and privacy-respecting +* Practical for labs, datacenters, and clouds + +Typhoon distributes upstream Kubernetes, architectural conventions, and cluster addons, much like a GNU/Linux distribution provides the Linux kernel and userspace components. + +## Features + +* Kubernetes v1.18.1 (upstream) +* Single or multi-master, [Calico](https://www.projectcalico.org/) or [flannel](https://github.com/coreos/flannel) networking +* On-cluster etcd with TLS, [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/)-enabled, [network policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) +* Advanced features like [snippets](https://typhoon.psdn.io/advanced/customization/) customization +* Ready for Ingress, Prometheus, Grafana, CSI, and other [addons](https://typhoon.psdn.io/addons/overview/) + +## Docs + +Please see the [official docs](https://typhoon.psdn.io) and the Digital Ocean [tutorial](https://typhoon.psdn.io/fedora-coreos/digitalocean/). + diff --git a/digital-ocean/fedora-coreos/kubernetes/bootstrap.tf b/digital-ocean/fedora-coreos/kubernetes/bootstrap.tf new file mode 100644 index 00000000..17847ce7 --- /dev/null +++ b/digital-ocean/fedora-coreos/kubernetes/bootstrap.tf @@ -0,0 +1,25 @@ +# Kubernetes assets (kubeconfig, manifests) +module "bootstrap" { + source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=1ad53d3b1c1ad75a4ed27f124f772fc5dc025245" + + cluster_name = var.cluster_name + api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)] + etcd_servers = digitalocean_record.etcds.*.fqdn + asset_dir = var.asset_dir + + networking = var.networking + + # only effective with Calico networking + network_encapsulation = "vxlan" + network_mtu = "1450" + + pod_cidr = var.pod_cidr + service_cidr = var.service_cidr + cluster_domain_suffix = var.cluster_domain_suffix + enable_reporting = var.enable_reporting + enable_aggregation = var.enable_aggregation + + # Fedora CoreOS + trusted_certs_dir = "/etc/pki/tls/certs" +} + diff --git a/digital-ocean/fedora-coreos/kubernetes/controllers.tf b/digital-ocean/fedora-coreos/kubernetes/controllers.tf new file mode 100644 index 00000000..5bf2c18a --- /dev/null +++ b/digital-ocean/fedora-coreos/kubernetes/controllers.tf @@ -0,0 +1,100 @@ +# Controller Instance DNS records +resource "digitalocean_record" "controllers" { + count = var.controller_count + + # DNS zone where record should be created + domain = var.dns_zone + + # DNS record (will be prepended to domain) + name = var.cluster_name + type = "A" + ttl = 300 + + # IPv4 addresses of controllers + value = digitalocean_droplet.controllers.*.ipv4_address[count.index] +} + +# Discrete DNS records for each controller's private IPv4 for etcd usage +resource "digitalocean_record" "etcds" { + count = var.controller_count + + # DNS zone where record should be created + domain = var.dns_zone + + # DNS record (will be prepended to domain) + name = "${var.cluster_name}-etcd${count.index}" + type = "A" + ttl = 300 + + # private IPv4 address for etcd + value = digitalocean_droplet.controllers.*.ipv4_address_private[count.index] +} + +# Controller droplet instances +resource "digitalocean_droplet" "controllers" { + count = var.controller_count + + name = "${var.cluster_name}-controller-${count.index}" + region = var.region + + image = var.os_image + size = var.controller_type + + # network + # TODO: Only official DigitalOcean images support IPv6 + ipv6 = false + private_networking = true + + user_data = data.ct_config.controller-ignitions.*.rendered[count.index] + ssh_keys = var.ssh_fingerprints + + tags = [ + digitalocean_tag.controllers.id, + ] + + lifecycle { + ignore_changes = [user_data] + } +} + +# Tag to label controllers +resource "digitalocean_tag" "controllers" { + name = "${var.cluster_name}-controller" +} + +# Controller Ignition configs +data "ct_config" "controller-ignitions" { + count = var.controller_count + content = data.template_file.controller-configs.*.rendered[count.index] + strict = true + snippets = var.controller_snippets +} + +# Controller Fedora CoreOS configs +data "template_file" "controller-configs" { + count = var.controller_count + + template = file("${path.module}/fcc/controller.yaml") + + vars = { + # Cannot use cyclic dependencies on controllers or their DNS records + etcd_name = "etcd${count.index}" + etcd_domain = "${var.cluster_name}-etcd${count.index}.${var.dns_zone}" + # etcd0=https://cluster-etcd0.example.com,etcd1=https://cluster-etcd1.example.com,... + etcd_initial_cluster = join(",", data.template_file.etcds.*.rendered) + cluster_dns_service_ip = cidrhost(var.service_cidr, 10) + cluster_domain_suffix = var.cluster_domain_suffix + } +} + +data "template_file" "etcds" { + count = var.controller_count + template = "etcd$${index}=https://$${cluster_name}-etcd$${index}.$${dns_zone}:2380" + + vars = { + index = count.index + cluster_name = var.cluster_name + dns_zone = var.dns_zone + } +} + diff --git a/digital-ocean/fedora-coreos/kubernetes/fcc/controller.yaml b/digital-ocean/fedora-coreos/kubernetes/fcc/controller.yaml new file mode 100644 index 00000000..916ed266 --- /dev/null +++ b/digital-ocean/fedora-coreos/kubernetes/fcc/controller.yaml @@ -0,0 +1,214 @@ +--- +variant: fcos +version: 1.0.0 +systemd: + units: + - name: etcd-member.service + enabled: true + contents: | + [Unit] + Description=etcd (System Container) + Documentation=https://github.com/coreos/etcd + Wants=network-online.target network.target + After=network-online.target + [Service] + # https://github.com/opencontainers/runc/pull/1807 + # Type=notify + # NotifyAccess=exec + Type=exec + Restart=on-failure + RestartSec=10s + TimeoutStartSec=0 + LimitNOFILE=40000 + ExecStartPre=/bin/mkdir -p /var/lib/etcd + ExecStartPre=-/usr/bin/podman rm etcd + #--volume $${NOTIFY_SOCKET}:/run/systemd/notify \ + ExecStart=/usr/bin/podman run --name etcd \ + --env-file /etc/etcd/etcd.env \ + --network host \ + --volume /var/lib/etcd:/var/lib/etcd:rw,Z \ + --volume /etc/ssl/etcd:/etc/ssl/certs:ro,Z \ + quay.io/coreos/etcd:v3.4.7 + ExecStop=/usr/bin/podman stop etcd + [Install] + WantedBy=multi-user.target + - name: docker.service + enabled: true + - name: wait-for-dns.service + enabled: true + contents: | + [Unit] + Description=Wait for DNS entries + Before=kubelet.service + [Service] + Type=oneshot + RemainAfterExit=true + ExecStart=/bin/sh -c 'while ! /usr/bin/grep '^[^#[:space:]]' /etc/resolv.conf > /dev/null; do sleep 1; done' + [Install] + RequiredBy=kubelet.service + RequiredBy=etcd-member.service + - name: kubelet.service + contents: | + [Unit] + Description=Kubelet via Hyperkube (System Container) + Requires=afterburn.service + After=afterburn.service + Wants=rpc-statd.service + [Service] + EnvironmentFile=/run/metadata/afterburn + ExecStartPre=/bin/mkdir -p /etc/kubernetes/cni/net.d + ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests + ExecStartPre=/bin/mkdir -p /opt/cni/bin + ExecStartPre=/bin/mkdir -p /var/lib/calico + ExecStartPre=/bin/mkdir -p /var/lib/kubelet/volumeplugins + ExecStartPre=/usr/bin/bash -c "grep 'certificate-authority-data' /etc/kubernetes/kubeconfig | awk '{print $2}' | base64 -d > /etc/kubernetes/ca.crt" + ExecStartPre=-/usr/bin/podman rm kubelet + ExecStart=/usr/bin/podman run --name kubelet \ + --privileged \ + --pid host \ + --network host \ + --volume /etc/kubernetes:/etc/kubernetes:ro,z \ + --volume /usr/lib/os-release:/etc/os-release:ro \ + --volume /etc/ssl/certs:/etc/ssl/certs:ro \ + --volume /lib/modules:/lib/modules:ro \ + --volume /run:/run \ + --volume /sys/fs/cgroup:/sys/fs/cgroup:ro \ + --volume /sys/fs/cgroup/systemd:/sys/fs/cgroup/systemd \ + --volume /etc/pki/tls/certs:/usr/share/ca-certificates:ro \ + --volume /var/lib/calico:/var/lib/calico:ro \ + --volume /var/lib/docker:/var/lib/docker \ + --volume /var/lib/kubelet:/var/lib/kubelet:rshared,z \ + --volume /var/log:/var/log \ + --volume /var/run/lock:/var/run/lock:z \ + --volume /opt/cni/bin:/opt/cni/bin:z \ + quay.io/poseidon/kubelet:v1.18.1 \ + --anonymous-auth=false \ + --authentication-token-webhook \ + --authorization-mode=Webhook \ + --cgroup-driver=systemd \ + --cgroups-per-qos=true \ + --enforce-node-allocatable=pods \ + --client-ca-file=/etc/kubernetes/ca.crt \ + --cluster_dns=${cluster_dns_service_ip} \ + --cluster_domain=${cluster_domain_suffix} \ + --cni-conf-dir=/etc/kubernetes/cni/net.d \ + --exit-on-lock-contention \ + --healthz-port=0 \ + --hostname-override=$${AFTERBURN_DIGITALOCEAN_IPV4_PRIVATE_0} \ + --kubeconfig=/etc/kubernetes/kubeconfig \ + --lock-file=/var/run/lock/kubelet.lock \ + --network-plugin=cni \ + --node-labels=node.kubernetes.io/master \ + --node-labels=node.kubernetes.io/controller="true" \ + --pod-manifest-path=/etc/kubernetes/manifests \ + --read-only-port=0 \ + --register-with-taints=node-role.kubernetes.io/master=:NoSchedule \ + --volume-plugin-dir=/var/lib/kubelet/volumeplugins + ExecStop=-/usr/bin/podman stop kubelet + Delegate=yes + Restart=always + RestartSec=10 + [Install] + WantedBy=multi-user.target + - name: kubelet.path + enabled: true + contents: | + [Unit] + Description=Watch for kubeconfig + [Path] + PathExists=/etc/kubernetes/kubeconfig + [Install] + WantedBy=multi-user.target + - name: bootstrap.service + contents: | + [Unit] + Description=Kubernetes control plane + ConditionPathExists=!/opt/bootstrap/bootstrap.done + [Service] + Type=oneshot + RemainAfterExit=true + WorkingDirectory=/opt/bootstrap + ExecStartPre=-/usr/bin/podman rm bootstrap + ExecStart=/usr/bin/podman run --name bootstrap \ + --network host \ + --volume /etc/kubernetes/bootstrap-secrets:/etc/kubernetes/secrets:ro,Z \ + --volume /opt/bootstrap/assets:/assets:ro,Z \ + --volume /opt/bootstrap/apply:/apply:ro,Z \ + --entrypoint=/apply \ + quay.io/poseidon/kubelet:v1.18.1 + ExecStartPost=/bin/touch /opt/bootstrap/bootstrap.done + ExecStartPost=-/usr/bin/podman stop bootstrap +storage: + directories: + - path: /etc/kubernetes + - path: /opt/bootstrap + files: + - path: /opt/bootstrap/layout + mode: 0544 + contents: + inline: | + #!/bin/bash -e + mkdir -p -- auth tls/etcd tls/k8s static-manifests manifests/coredns manifests-networking + awk '/#####/ {filename=$2; next} {print > filename}' assets + mkdir -p /etc/ssl/etcd/etcd + mkdir -p /etc/kubernetes/bootstrap-secrets + mv tls/etcd/{peer*,server*} /etc/ssl/etcd/etcd/ + mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/ + chown -R etcd:etcd /etc/ssl/etcd + chmod -R 500 /etc/ssl/etcd + mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/ + mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/ + sudo mkdir -p /etc/kubernetes/manifests + sudo mv static-manifests/* /etc/kubernetes/manifests/ + sudo mkdir -p /opt/bootstrap/assets + sudo mv manifests /opt/bootstrap/assets/manifests + sudo mv manifests-networking/* /opt/bootstrap/assets/manifests/ + rm -rf assets auth static-manifests tls manifests-networking + - path: /opt/bootstrap/apply + mode: 0544 + contents: + inline: | + #!/bin/bash -e + export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig + until kubectl version; do + echo "Waiting for static pod control plane" + sleep 5 + done + until kubectl apply -f /assets/manifests -R; do + echo "Retry applying manifests" + sleep 5 + done + - path: /etc/sysctl.d/max-user-watches.conf + contents: + inline: | + fs.inotify.max_user_watches=16184 + - path: /etc/systemd/system.conf.d/accounting.conf + contents: + inline: | + [Manager] + DefaultCPUAccounting=yes + DefaultMemoryAccounting=yes + DefaultBlockIOAccounting=yes + - path: /etc/etcd/etcd.env + mode: 0644 + contents: + inline: | + # TODO: Use a systemd dropin once podman v1.4.5 is avail. + NOTIFY_SOCKET=/run/systemd/notify + ETCD_NAME=${etcd_name} + ETCD_DATA_DIR=/var/lib/etcd + ETCD_ADVERTISE_CLIENT_URLS=https://${etcd_domain}:2379 + ETCD_INITIAL_ADVERTISE_PEER_URLS=https://${etcd_domain}:2380 + ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379 + ETCD_LISTEN_PEER_URLS=https://0.0.0.0:2380 + ETCD_LISTEN_METRICS_URLS=http://0.0.0.0:2381 + ETCD_INITIAL_CLUSTER=${etcd_initial_cluster} + ETCD_STRICT_RECONFIG_CHECK=true + ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/server-ca.crt + ETCD_CERT_FILE=/etc/ssl/certs/etcd/server.crt + ETCD_KEY_FILE=/etc/ssl/certs/etcd/server.key + ETCD_CLIENT_CERT_AUTH=true + ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/peer-ca.crt + ETCD_PEER_CERT_FILE=/etc/ssl/certs/etcd/peer.crt + ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd/peer.key + ETCD_PEER_CLIENT_CERT_AUTH=true diff --git a/digital-ocean/fedora-coreos/kubernetes/fcc/worker.yaml b/digital-ocean/fedora-coreos/kubernetes/fcc/worker.yaml new file mode 100644 index 00000000..3d2f48e3 --- /dev/null +++ b/digital-ocean/fedora-coreos/kubernetes/fcc/worker.yaml @@ -0,0 +1,117 @@ +--- +variant: fcos +version: 1.0.0 +systemd: + units: + - name: docker.service + enabled: true + - name: wait-for-dns.service + enabled: true + contents: | + [Unit] + Description=Wait for DNS entries + Before=kubelet.service + [Service] + Type=oneshot + RemainAfterExit=true + ExecStart=/bin/sh -c 'while ! /usr/bin/grep '^[^#[:space:]]' /etc/resolv.conf > /dev/null; do sleep 1; done' + [Install] + RequiredBy=kubelet.service + - name: kubelet.service + enabled: true + contents: | + [Unit] + Description=Kubelet via Hyperkube (System Container) + Requires=afterburn.service + After=afterburn.service + Wants=rpc-statd.service + [Service] + EnvironmentFile=/run/metadata/afterburn + ExecStartPre=/bin/mkdir -p /etc/kubernetes/cni/net.d + ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests + ExecStartPre=/bin/mkdir -p /opt/cni/bin + ExecStartPre=/bin/mkdir -p /var/lib/calico + ExecStartPre=/bin/mkdir -p /var/lib/kubelet/volumeplugins + ExecStartPre=/usr/bin/bash -c "grep 'certificate-authority-data' /etc/kubernetes/kubeconfig | awk '{print $2}' | base64 -d > /etc/kubernetes/ca.crt" + ExecStartPre=-/usr/bin/podman rm kubelet + ExecStart=/usr/bin/podman run --name kubelet \ + --privileged \ + --pid host \ + --network host \ + --volume /etc/kubernetes:/etc/kubernetes:ro,z \ + --volume /usr/lib/os-release:/etc/os-release:ro \ + --volume /etc/ssl/certs:/etc/ssl/certs:ro \ + --volume /lib/modules:/lib/modules:ro \ + --volume /run:/run \ + --volume /sys/fs/cgroup:/sys/fs/cgroup:ro \ + --volume /sys/fs/cgroup/systemd:/sys/fs/cgroup/systemd \ + --volume /etc/pki/tls/certs:/usr/share/ca-certificates:ro \ + --volume /var/lib/calico:/var/lib/calico:ro \ + --volume /var/lib/docker:/var/lib/docker \ + --volume /var/lib/kubelet:/var/lib/kubelet:rshared,z \ + --volume /var/log:/var/log \ + --volume /var/run/lock:/var/run/lock:z \ + --volume /opt/cni/bin:/opt/cni/bin:z \ + quay.io/poseidon/kubelet:v1.18.1 \ + --anonymous-auth=false \ + --authentication-token-webhook \ + --authorization-mode=Webhook \ + --cgroup-driver=systemd \ + --cgroups-per-qos=true \ + --enforce-node-allocatable=pods \ + --client-ca-file=/etc/kubernetes/ca.crt \ + --cluster_dns=${cluster_dns_service_ip} \ + --cluster_domain=${cluster_domain_suffix} \ + --cni-conf-dir=/etc/kubernetes/cni/net.d \ + --exit-on-lock-contention \ + --healthz-port=0 \ + --hostname-override=$${AFTERBURN_DIGITALOCEAN_IPV4_PRIVATE_0} \ + --kubeconfig=/etc/kubernetes/kubeconfig \ + --lock-file=/var/run/lock/kubelet.lock \ + --network-plugin=cni \ + --node-labels=node.kubernetes.io/node \ + --pod-manifest-path=/etc/kubernetes/manifests \ + --read-only-port=0 \ + --volume-plugin-dir=/var/lib/kubelet/volumeplugins + ExecStop=-/usr/bin/podman stop kubelet + Delegate=yes + Restart=always + RestartSec=10 + [Install] + WantedBy=multi-user.target + - name: kubelet.path + enabled: true + contents: | + [Unit] + Description=Watch for kubeconfig + [Path] + PathExists=/etc/kubernetes/kubeconfig + [Install] + WantedBy=multi-user.target + - name: delete-node.service + enabled: true + contents: | + [Unit] + Description=Delete Kubernetes node on shutdown + [Service] + Type=oneshot + RemainAfterExit=true + ExecStart=/bin/true + ExecStop=/bin/bash -c '/usr/bin/podman run --volume /etc/kubernetes:/etc/kubernetes:ro,z --entrypoint /usr/local/bin/kubectl quay.io/poseidon/kubelet:v1.18.1 --kubeconfig=/etc/kubernetes/kubeconfig delete node $HOSTNAME' + [Install] + WantedBy=multi-user.target +storage: + directories: + - path: /etc/kubernetes + files: + - path: /etc/sysctl.d/max-user-watches.conf + contents: + inline: | + fs.inotify.max_user_watches=16184 + - path: /etc/systemd/system.conf.d/accounting.conf + contents: + inline: | + [Manager] + DefaultCPUAccounting=yes + DefaultMemoryAccounting=yes + DefaultBlockIOAccounting=yes diff --git a/digital-ocean/fedora-coreos/kubernetes/network.tf b/digital-ocean/fedora-coreos/kubernetes/network.tf new file mode 100644 index 00000000..bc543485 --- /dev/null +++ b/digital-ocean/fedora-coreos/kubernetes/network.tf @@ -0,0 +1,117 @@ +resource "digitalocean_firewall" "rules" { + name = var.cluster_name + + tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"] + + # allow ssh, internal flannel, internal node-exporter, internal kubelet + inbound_rule { + protocol = "tcp" + port_range = "22" + source_addresses = ["0.0.0.0/0", "::/0"] + } + + inbound_rule { + protocol = "udp" + port_range = "4789" + source_tags = [digitalocean_tag.controllers.name, digitalocean_tag.workers.name] + } + + # Allow Prometheus to scrape node-exporter + inbound_rule { + protocol = "tcp" + port_range = "9100" + source_tags = [digitalocean_tag.workers.name] + } + + # Allow Prometheus to scrape kube-proxy + inbound_rule { + protocol = "tcp" + port_range = "10249" + source_tags = [digitalocean_tag.workers.name] + } + + inbound_rule { + protocol = "tcp" + port_range = "10250" + source_tags = [digitalocean_tag.controllers.name, digitalocean_tag.workers.name] + } + + # allow all outbound traffic + outbound_rule { + protocol = "tcp" + port_range = "1-65535" + destination_addresses = ["0.0.0.0/0", "::/0"] + } + + outbound_rule { + protocol = "udp" + port_range = "1-65535" + destination_addresses = ["0.0.0.0/0", "::/0"] + } + + outbound_rule { + protocol = "icmp" + port_range = "1-65535" + destination_addresses = ["0.0.0.0/0", "::/0"] + } +} + +resource "digitalocean_firewall" "controllers" { + name = "${var.cluster_name}-controllers" + + tags = ["${var.cluster_name}-controller"] + + # etcd + inbound_rule { + protocol = "tcp" + port_range = "2379-2380" + source_tags = [digitalocean_tag.controllers.name] + } + + # etcd metrics + inbound_rule { + protocol = "tcp" + port_range = "2381" + source_tags = [digitalocean_tag.workers.name] + } + + # kube-apiserver + inbound_rule { + protocol = "tcp" + port_range = "6443" + source_addresses = ["0.0.0.0/0", "::/0"] + } + + # kube-scheduler metrics, kube-controller-manager metrics + inbound_rule { + protocol = "tcp" + port_range = "10251-10252" + source_tags = [digitalocean_tag.workers.name] + } +} + +resource "digitalocean_firewall" "workers" { + name = "${var.cluster_name}-workers" + + tags = ["${var.cluster_name}-worker"] + + # allow HTTP/HTTPS ingress + inbound_rule { + protocol = "tcp" + port_range = "80" + source_addresses = ["0.0.0.0/0", "::/0"] + } + + inbound_rule { + protocol = "tcp" + port_range = "443" + source_addresses = ["0.0.0.0/0", "::/0"] + } + + inbound_rule { + protocol = "tcp" + port_range = "10254" + source_addresses = ["0.0.0.0/0"] + } +} + diff --git a/digital-ocean/fedora-coreos/kubernetes/outputs.tf b/digital-ocean/fedora-coreos/kubernetes/outputs.tf new file mode 100644 index 00000000..429893c5 --- /dev/null +++ b/digital-ocean/fedora-coreos/kubernetes/outputs.tf @@ -0,0 +1,47 @@ +output "kubeconfig-admin" { + value = module.bootstrap.kubeconfig-admin +} + +output "controllers_dns" { + value = digitalocean_record.controllers[0].fqdn +} + +output "workers_dns" { + # Multiple A and AAAA records with the same FQDN + value = digitalocean_record.workers-record-a[0].fqdn +} + +output "controllers_ipv4" { + value = digitalocean_droplet.controllers.*.ipv4_address +} + +output "controllers_ipv6" { + value = digitalocean_droplet.controllers.*.ipv6_address +} + +output "workers_ipv4" { + value = digitalocean_droplet.workers.*.ipv4_address +} + +output "workers_ipv6" { + value = digitalocean_droplet.workers.*.ipv6_address +} + +# Outputs for worker pools + +output "kubeconfig" { + value = module.bootstrap.kubeconfig-kubelet +} + +# Outputs for custom firewalls + +output "controller_tag" { + description = "Tag applied to controller droplets" + value = digitalocean_tag.controllers.name +} + +output "worker_tag" { + description = "Tag applied to worker droplets" + value = digitalocean_tag.workers.name +} + diff --git a/digital-ocean/fedora-coreos/kubernetes/ssh.tf b/digital-ocean/fedora-coreos/kubernetes/ssh.tf new file mode 100644 index 00000000..f4888fe0 --- /dev/null +++ b/digital-ocean/fedora-coreos/kubernetes/ssh.tf @@ -0,0 +1,87 @@ +locals { + # format assets for distribution + assets_bundle = [ + # header with the unpack location + for key, value in module.bootstrap.assets_dist : + format("##### %s\n%s", key, value) + ] +} + +# Secure copy assets to controllers. Activates kubelet.service +resource "null_resource" "copy-controller-secrets" { + count = var.controller_count + + depends_on = [ + module.bootstrap, + digitalocean_firewall.rules + ] + + connection { + type = "ssh" + host = digitalocean_droplet.controllers.*.ipv4_address[count.index] + user = "core" + timeout = "15m" + } + + provisioner "file" { + content = module.bootstrap.kubeconfig-kubelet + destination = "$HOME/kubeconfig" + } + + provisioner "file" { + content = join("\n", local.assets_bundle) + destination = "$HOME/assets" + } + + provisioner "remote-exec" { + inline = [ + "sudo mv $HOME/kubeconfig /etc/kubernetes/kubeconfig", + "sudo /opt/bootstrap/layout", + ] + } +} + +# Secure copy kubeconfig to all workers. Activates kubelet.service. +resource "null_resource" "copy-worker-secrets" { + count = var.worker_count + + connection { + type = "ssh" + host = digitalocean_droplet.workers.*.ipv4_address[count.index] + user = "core" + timeout = "15m" + } + + provisioner "file" { + content = module.bootstrap.kubeconfig-kubelet + destination = "$HOME/kubeconfig" + } + + provisioner "remote-exec" { + inline = [ + "sudo mv $HOME/kubeconfig /etc/kubernetes/kubeconfig", + ] + } +} + +# Connect to a controller to perform one-time cluster bootstrap. +resource "null_resource" "bootstrap" { + depends_on = [ + null_resource.copy-controller-secrets, + null_resource.copy-worker-secrets, + ] + + connection { + type = "ssh" + host = digitalocean_droplet.controllers[0].ipv4_address + user = "core" + timeout = "15m" + } + + provisioner "remote-exec" { + inline = [ + "sudo systemctl start bootstrap", + ] + } +} + diff --git a/digital-ocean/fedora-coreos/kubernetes/variables.tf b/digital-ocean/fedora-coreos/kubernetes/variables.tf new file mode 100644 index 00000000..a2719233 --- /dev/null +++ b/digital-ocean/fedora-coreos/kubernetes/variables.tf @@ -0,0 +1,114 @@ +variable "cluster_name" { + type = string + description = "Unique cluster name (prepended to dns_zone)" +} + +# Digital Ocean + +variable "region" { + type = string + description = "Digital Ocean region (e.g. nyc1, sfo2, fra1, tor1)" +} + +variable "dns_zone" { + type = string + description = "Digital Ocean domain (i.e. DNS zone) (e.g. do.example.com)" +} + +# instances + +variable "controller_count" { + type = number + description = "Number of controllers (i.e. masters)" + default = 1 +} + +variable "worker_count" { + type = number + description = "Number of workers" + default = 1 +} + +variable "controller_type" { + type = string + description = "Droplet type for controllers (e.g. s-2vcpu-2gb, s-2vcpu-4gb, s-4vcpu-8gb)." + default = "s-2vcpu-2gb" +} + +variable "worker_type" { + type = string + description = "Droplet type for workers (e.g. s-1vcpu-2gb, s-2vcpu-2gb)" + default = "s-1vcpu-2gb" +} + +variable "os_image" { + type = string + description = "Fedora CoreOS image for instances" +} + +variable "controller_snippets" { + type = list(string) + description = "Controller Fedora CoreOS Config snippets" + default = [] +} + +variable "worker_snippets" { + type = list(string) + description = "Worker Fedora CoreOS Config snippets" + default = [] +} + +# configuration + +variable "ssh_fingerprints" { + type = list(string) + description = "SSH public key fingerprints. (e.g. see `ssh-add -l -E md5`)" +} + +variable "networking" { + type = string + description = "Choice of networking provider (flannel or calico)" + default = "calico" +} + +variable "pod_cidr" { + type = string + description = "CIDR IPv4 range to assign Kubernetes pods" + default = "10.2.0.0/16" +} + +variable "service_cidr" { + type = string + description = < ~/.config/digital-ocean/token +``` + +Configure the DigitalOcean provider to use your token in a `providers.tf` file. + +```tf +provider "digitalocean" { + version = "1.15.1" + token = "${chomp(file("~/.config/digital-ocean/token"))}" +} + +provider "ct" { + version = "0.5.0" +} +``` + +## Fedora CoreOS Images + +Fedora CoreOS publishes images for DigitalOcean, but does not yet upload them. DigitalOcean allows [custom images](https://blog.digitalocean.com/custom-images/) to be uploaded via URL or file. + +Import a [Fedora CoreOS](https://getfedora.org/en/coreos/download?tab=cloud_operators&stream=stable) image via URL to desired a region(s). Reference the DigitalOcean image and set the `os_image` in the next step. + +```tf +data "digitalocean_image" "fedora-coreos-31-20200323-3-2" { + name = "fedora-coreos-31.20200323.3.2-digitalocean.x86_64.qcow2.gz" +} +``` + +## Cluster + +Define a Kubernetes cluster using the module `digital-ocean/fedora-coreos/kubernetes`. + +```tf +module "nemo" { + source = "git::https://github.com/poseidon/typhoon//digital-ocean/fedora-coreos/kubernetes?ref=v1.18.1" + + # Digital Ocean + cluster_name = "nemo" + region = "nyc3" + dns_zone = "digital-ocean.example.com" + os_image = data.digitalocean_image.fedora-coreos-31-20200323-3-2.id + + # configuration + ssh_fingerprints = ["d7:9d:79:ae:56:32:73:79:95:88:e3:a2:ab:5d:45:e7"] + + # optional + worker_count = 2 +} +``` + +Reference the [variables docs](#variables) or the [variables.tf](https://github.com/poseidon/typhoon/blob/master/digital-ocean/fedora-coreos/kubernetes/variables.tf) source. + +## ssh-agent + +Initial bootstrapping requires `bootstrap.service` be started on one controller node. Terraform uses `ssh-agent` to automate this step. Add your SSH private key to `ssh-agent`. + +```sh +ssh-add ~/.ssh/id_rsa +ssh-add -L +``` + +## Apply + +Initialize the config directory if this is the first use with Terraform. + +```sh +terraform init +``` + +Plan the resources to be created. + +```sh +$ terraform plan +Plan: 54 to add, 0 to change, 0 to destroy. +``` + +Apply the changes to create the cluster. + +```sh +$ terraform apply +module.nemo.null_resource.bootstrap: Still creating... (30s elapsed) +module.nemo.null_resource.bootstrap: Provisioning with 'remote-exec'... +... +module.nemo.null_resource.bootstrap: Still creating... (6m20s elapsed) +module.nemo.null_resource.bootstrap: Creation complete (ID: 7599298447329218468) + +Apply complete! Resources: 42 added, 0 changed, 0 destroyed. +``` + +In 3-6 minutes, the Kubernetes cluster will be ready. + +## Verify + +[Install kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) on your system. Obtain the generated cluster `kubeconfig` from module outputs (e.g. write to a local file). + +``` +resource "local_file" "kubeconfig-nemo" { + content = module.nemo.kubeconfig-admin + filename = "/home/user/.kube/configs/nemo-config" +} +``` + +List nodes in the cluster. + +``` +$ export KUBECONFIG=/home/user/.kube/configs/nemo-config +$ kubectl get nodes +NAME STATUS ROLES AGE VERSION +10.132.110.130 Ready 10m v1.18.1 +10.132.115.81 Ready 10m v1.18.1 +10.132.124.107 Ready 10m v1.18.1 +``` + +List the pods. + +``` +NAMESPACE NAME READY STATUS RESTARTS AGE +kube-system coredns-1187388186-ld1j7 1/1 Running 0 11m +kube-system coredns-1187388186-rdhf7 1/1 Running 0 11m +kube-system calico-node-1m5bf 2/2 Running 0 11m +kube-system calico-node-7jmr1 2/2 Running 0 11m +kube-system calico-node-bknc8 2/2 Running 0 11m +kube-system kube-apiserver-ip-10.132.115.81 1/1 Running 0 11m +kube-system kube-controller-manager-ip-10.132.115.81 1/1 Running 0 11m +kube-system kube-proxy-6kxjf 1/1 Running 0 11m +kube-system kube-proxy-fh3td 1/1 Running 0 11m +kube-system kube-proxy-k35rc 1/1 Running 0 11m +kube-system kube-scheduler-ip-10.132.115.81 1/1 Running 0 11m +``` + +## Going Further + +Learn about [maintenance](/topics/maintenance/) and [addons](/addons/overview/). + +## Variables + +Check the [variables.tf](https://github.com/poseidon/typhoon/blob/master/digital-ocean/fedora-coreos/kubernetes/variables.tf) source. + +### Required + +| Name | Description | Example | +|:-----|:------------|:--------| +| cluster_name | Unique cluster name (prepended to dns_zone) | "nemo" | +| region | Digital Ocean region | "nyc1", "sfo2", "fra1", tor1" | +| dns_zone | Digital Ocean domain (i.e. DNS zone) | "do.example.com" | +| os_image | Fedora CoreOS image for instances | "custom-image-id" | +| ssh_fingerprints | SSH public key fingerprints | ["d7:9d..."] | + +#### DNS Zone + +Clusters create DNS A records `${cluster_name}.${dns_zone}` to resolve to controller droplets (round robin). This FQDN is used by workers and `kubectl` to access the apiserver(s). In this example, the cluster's apiserver would be accessible at `nemo.do.example.com`. + +You'll need a registered domain name or delegated subdomain in DigitalOcean Domains (i.e. DNS zones). You can set this up once and create many clusters with unique names. + +```tf +# Declare a DigitalOcean record to also create a zone file +resource "digitalocean_domain" "zone-for-clusters" { + name = "do.example.com" + ip_address = "8.8.8.8" +} +``` + +!!! tip "" + If you have an existing domain name with a zone file elsewhere, just delegate a subdomain that can be managed on DigitalOcean (e.g. do.mydomain.com) and [update nameservers](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-host-name-with-digitalocean). + +#### SSH Fingerprints + +DigitalOcean droplets are created with your SSH public key "fingerprint" (i.e. MD5 hash) to allow access. If your SSH public key is at `~/.ssh/id_rsa`, find the fingerprint with, + +```bash +ssh-keygen -E md5 -lf ~/.ssh/id_rsa.pub | awk '{print $2}' +MD5:d7:9d:79:ae:56:32:73:79:95:88:e3:a2:ab:5d:45:e7 +``` + +If you use `ssh-agent` (e.g. Yubikey for SSH), find the fingerprint with, + +``` +ssh-add -l -E md5 +2048 MD5:d7:9d:79:ae:56:32:73:79:95:88:e3:a2:ab:5d:45:e7 cardno:000603633110 (RSA) +``` + +Digital Ocean requires the SSH public key be uploaded to your account, so you may also find the fingerprint under Settings -> Security. Finally, if you don't have an SSH key, [create one now](https://help.github.com/articles/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent/). + +### Optional + +| Name | Description | Default | Example | +|:-----|:------------|:--------|:--------| +| controller_count | Number of controllers (i.e. masters) | 1 | 1 | +| worker_count | Number of workers | 1 | 3 | +| controller_type | Droplet type for controllers | "s-2vcpu-2gb" | s-2vcpu-2gb, s-2vcpu-4gb, s-4vcpu-8gb, ... | +| worker_type | Droplet type for workers | "s-1vcpu-2gb" | s-1vcpu-2gb, s-2vcpu-2gb, ... | +| controller_snippets | Controller Fedora CoreOS Config snippets | [] | [example](/advanced/customization/) | +| worker_snippets | Worker Fedora CoreOS Config snippets | [] | [example](/advanced/customization/) | +| networking | Choice of networking provider | "calico" | "flannel" or "calico" | +| pod_cidr | CIDR IPv4 range to assign to Kubernetes pods | "10.2.0.0/16" | "10.22.0.0/16" | +| service_cidr | CIDR IPv4 range to assign to Kubernetes services | "10.3.0.0/16" | "10.3.0.0/24" | + +Check the list of valid [droplet types](https://developers.digitalocean.com/documentation/changelog/api-v2/new-size-slugs-for-droplet-plan-changes/) or use `doctl compute size list`. + +!!! warning + Do not choose a `controller_type` smaller than 2GB. Smaller droplets are not sufficient for running a controller and bootstrapping will fail. + diff --git a/docs/fedora-coreos/google-cloud.md b/docs/fedora-coreos/google-cloud.md index 295f1a19..7ebcd2e1 100644 --- a/docs/fedora-coreos/google-cloud.md +++ b/docs/fedora-coreos/google-cloud.md @@ -73,13 +73,13 @@ Fedora CoreOS publishes images for Google Cloud, but does not yet upload them. G ``` gsutil list -gsutil cp fedora-coreos-31.20200310.3.0-gcp.x86_64.tar.gz gs://BUCKET +gsutil cp fedora-coreos-31.20200323.3.2-gcp.x86_64.tar.gz gs://BUCKET ``` Create a Compute Engine image from the file. ``` -gcloud compute images create fedora-coreos-31-20200310-3-0 --source-uri gs://BUCKET/fedora-coreos-31.20200310.3.0-gcp.x86_64.tar.gz +gcloud compute images create fedora-coreos-31-20200323-3-2 --source-uri gs://BUCKET/fedora-coreos-31.20200323.3.2-gcp.x86_64.tar.gz ``` ## Cluster @@ -97,7 +97,7 @@ module "yavin" { dns_zone_name = "example-zone" # custom image name from above - os_image = "fedora-coreos-31-20200310-3-0" + os_image = "fedora-coreos-31-20200323-3-2" # configuration ssh_authorized_key = "ssh-rsa AAAAB3Nz..." @@ -107,7 +107,7 @@ module "yavin" { } ``` -Reference the [variables docs](#variables) or the [variables.tf](https://github.com/poseidon/typhoon/blob/master/google-cloud/container-linux/kubernetes/variables.tf) source. +Reference the [variables docs](#variables) or the [variables.tf](https://github.com/poseidon/typhoon/blob/master/google-cloud/fedora-coreos/kubernetes/variables.tf) source. ## ssh-agent @@ -194,7 +194,7 @@ Learn about [maintenance](/topics/maintenance/) and [addons](/addons/overview/). ## Variables -Check the [variables.tf](https://github.com/poseidon/typhoon/blob/master/google-cloud/container-linux/kubernetes/variables.tf) source. +Check the [variables.tf](https://github.com/poseidon/typhoon/blob/master/google-cloud/fedora-coreos/kubernetes/variables.tf) source. ### Required @@ -204,6 +204,7 @@ Check the [variables.tf](https://github.com/poseidon/typhoon/blob/master/google- | region | Google Cloud region | "us-central1" | | dns_zone | Google Cloud DNS zone | "google-cloud.example.com" | | dns_zone_name | Google Cloud DNS zone name | "example-zone" | +| os_image | Fedora CoreOS image for compute instances | "fedora-coreos-31-20200323-3-2" | | ssh_authorized_key | SSH public key for user 'core' | "ssh-rsa AAAAB3NZ..." | Check the list of valid [regions](https://cloud.google.com/compute/docs/regions-zones/regions-zones) and list Fedora CoreOS [images](https://cloud.google.com/compute/docs/images) with `gcloud compute images list | grep fedora-coreos`. @@ -233,7 +234,6 @@ resource "google_dns_managed_zone" "zone-for-clusters" { | worker_count | Number of workers | 1 | 3 | | controller_type | Machine type for controllers | "n1-standard-1" | See below | | worker_type | Machine type for workers | "n1-standard-1" | See below | -| os_image | Fedora CoreOS image for compute instances | "" | "fedora-coreos-31-20200113-3-1" | | disk_size | Size of the disk in GB | 40 | 100 | | worker_preemptible | If enabled, Compute Engine will terminate workers randomly within 24 hours | false | true | | controller_snippets | Controller Fedora CoreOS Config snippets | [] | [examples](/advanced/customization/) | diff --git a/docs/index.md b/docs/index.md index 279d60f2..16a30729 100644 --- a/docs/index.md +++ b/docs/index.md @@ -35,6 +35,7 @@ Typhoon is available for [Fedora CoreOS](https://getfedora.org/coreos/). |---------------|------------------|------------------|--------| | AWS | Fedora CoreOS | [aws/fedora-coreos/kubernetes](fedora-coreos/aws.md) | stable | | Bare-Metal | Fedora CoreOS | [bare-metal/fedora-coreos/kubernetes](fedora-coreos/bare-metal.md) | beta | +| DigitalOcean | Fedora CoreOS | [digital-ocean/fedora-coreos/kubernetes](fedora-coreos/digitalocean.md) | alpha | | Google Cloud | Fedora CoreOS | [google-cloud/fedora-coreos/kubernetes](google-cloud/fedora-coreos/kubernetes) | beta | Typhoon is available for [Flatcar Container Linux](https://www.flatcar-linux.org/releases/). @@ -44,13 +45,13 @@ Typhoon is available for [Flatcar Container Linux](https://www.flatcar-linux.org | AWS | Flatcar Linux | [aws/container-linux/kubernetes](cl/aws.md) | stable | | Azure | Flatcar Linux | [azure/container-linux/kubernetes](cl/azure.md) | alpha | | Bare-Metal | Flatcar Linux | [bare-metal/container-linux/kubernetes](cl/bare-metal.md) | stable | +| DigitalOcean | Flatcar Linux | [digital-ocean/container-linux/kubernetes](cl/digital-ocean.md) | alpha | | Google Cloud | Flatcar Linux | [google-cloud/container-linux/kubernetes](cl/google-cloud.md) | alpha | -| Digital Ocean | Flatcar Linux | [digital-ocean/container-linux/kubernetes](cl/digital-ocean.md) | alpha | ## Documentation * Architecture [concepts](architecture/concepts.md) and [operating-systems](architecture/operating-systems.md) -* Fedora CoreOS tutorials for [AWS](fedora-coreos/aws.md), [Bare-Metal](fedora-coreos/bare-metal.md), and [Google Cloud](fedora-coreos/google-cloud.md) +* Fedora CoreOS tutorials for [AWS](fedora-coreos/aws.md), [Bare-Metal](fedora-coreos/bare-metal.md), [DigitalOcean](fedora-coreos/digitalocean.md), and [Google Cloud](fedora-coreos/google-cloud.md) * Flatcar Linux tutorials for [AWS](cl/aws.md), [Azure](cl/azure.md), [Bare-Metal](cl/bare-metal.md), [DigitalOcean](cl/digital-ocean.md), and [Google Cloud](cl/google-cloud.md) ## Example