Merge pull request #15 from gardener/dev

Utility improvements and separation of image and project version

.ci/pipeline_definitions

@@ -1,4 +1,4 @@
-gardener-setup-image:
+gardener-setup-release-and-image:
   template: 'default'
   base_definition:
     traits:
@@ -15,6 +15,27 @@ gardener-setup-image:
             image: 'eu.gcr.io/gardener-project/gardener/gardener-setup'
     repo:
       trigger: false
+    steps:
+      update_image_version: 
+        publish_to: ['source']
+  variants:
+    create-minor-release:
+      traits:
+        release:
+          nextversion: 'bump_minor'
+    create-patch-release:
+      traits:
+        release:
+          nextversion: 'bump_patch'
+gardener-setup-release:
+  template: 'default'
+  base_definition:
+    traits:
+      version:
+        preprocess:
+          'finalise'
+    repo:
+      trigger: false
     steps: ~
   variants:
     create-minor-release:
@@ -24,4 +45,4 @@ gardener-setup-image:
     create-patch-release:
       traits:
         release:
-          nextversion: 'bump_patch'
+          nextversion: 'bump_patch'

.ci/update_image_version

@@ -0,0 +1,31 @@
+#!/bin/bash -eu
+#
+# Copyright (c) 2018 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if [[ -z ${SOURCE_PATH:-""} ]]; then
+  export SOURCE_PATH="$(readlink -f $(dirname ${0})/..)"
+else
+  export SOURCE_PATH="$(readlink -f "$SOURCE_PATH")"
+fi
+
+NEW_IMAGE_VERSION=$(<$SOURCE_PATH/VERSION)
+echo $NEW_IMAGE_VERSION > $SOURCE_PATH/IMAGE_VERSION
+
+echo "Image version is now $NEW_IMAGE_VERSION!"
+
+echo "Preparing commit ..."
+git add $SOURCE_PATH/IMAGE_VERSION
+git commit -m "updating image version to $NEW_IMAGE_VERSION"
+echo $(git log -1)

IMAGE_VERSION

@@ -0,0 +1 @@
+0.2.1

README.md

@@ -43,9 +43,6 @@ k8s/bin/tf destroy -force
 setup/cleanup.sh
 ```
 
-Don't forget the [workaround](#workaround)!
-
-
 ## Step 1: Clone the Repositories and get Dependencies
 
 Get the `landscape-setup-template` from GitHub and initialize the
@@ -127,19 +124,13 @@ kube-system     kube-apiserver-hcdnc
 [...]
 ```
 
-## <a name="workaround"></a>Step 4.5: Workaround
+## <a name="workaround"></a>Step 4.5: Workaround (Automated)
 
 There is currently an issue with session affinities in Kubernetes, which can break your cluster. 
 While the problem has been fixed (see https://github.com/kubernetes/kubernetes/commit/f2405cf2942739996af2bb76347c2cb0641153aa), 
-this commit is not yet included in a release. 
-
-Until that happens, use the following workaround:
-
-```
-kubectl edit svc kubernetes
-```
+the corresponding Kubernetes version is not yet included in this project.
 
-Delete the following lines: 
+Until that happens, the workaround is to remove the following lines from the `kubernetes` service:
 
 ```
   sessionAffinity: ClientIP
@@ -148,7 +139,9 @@ Delete the following lines:
       timeoutSeconds: 10800
 ```
 
-Kubernetes will automatically add `sessionAffinity: None`.
+Kubernetes will add `sessionAffinity: None` on itself.
+
+This will happen automatically at the end of the `deploy_kubify.sh` script.
 
 ## Step 5-9: Gardener Setup (Automated)
 
@@ -306,6 +299,13 @@ letsencrypt certificates for both the identity and dashboard ingresses:
 
 After one to two minutes valid certificates should be installed.
 
+Letsencrypt [limits](https://letsencrypt.org/docs/rate-limits/) how many certificates you can get 
+for the same host within a short time. To avoid hitting these limits, you can use the letsencrypt 
+staging server for testing, which has a significantly higher rate limit but produces untrusted 
+certificates.  
+To use the staging server, change the URL in `components/certmanager/cert-manager-issuer.yaml.tmpl` 
+to `https://acme-staging-v02.api.letsencrypt.org/directory`.
+
 # Tearing Down the Landscape
 
 Make sure that you delete all shoot clusters prior to tearing down the

components/certmanager/deploy

@@ -59,9 +59,8 @@ if [ $# -gt 1 ] && [ $2 == "-u" -o $2 == "--uninstall" ]; then # uninstall certm
     $LANDSCAPE_COMPONENTS_HOME/deploy.sh dashboard
 
     # delete certmanager stuff
-    kubectl delete clusterissuer --all
-    kubectl -n certmanager delete secret --all
     kubectl delete ns certmanager
+    rm -rf $COMPONENT_STATE_HOME
 else
     # render issuer file
     mako-render ${COMPONENT_TEMPLATE_HOME}/cert-manager-issuer.yaml.tmpl >${COMPONENT_STATE_HOME}/cert-manager-issuer.yaml
@@ -103,4 +102,20 @@ else
     else
         echo "INFO: Line '--oidc-ca-file=/etc/kubernetes/secrets/ca.crt' not found in daemonset kube-apiserver."
     fi
+
+    # wait until secrets have been recreated
+    max_retry_time=300
+    retry_stop=$(($(date +%s) + max_retry_time))
+    success=false
+    while [[ $(date +%s) -lt $retry_stop ]]; do
+        sleep 10
+        if $(kubectl -n garden get secret gardener-dashboard-tls &> /dev/null) && $(kubectl -n kube-system get secret identity-tls &> /dev/null); then
+        success=true
+        break;
+        fi
+        debug "Secrets gardener-dashboard-tls and identity-tls not recreated yet. Waiting ..."
+    done
+    if ! $success; then
+        fail "Secrets gardener-dashboard-tls and identity-tls not created within $max_retry_time seconds!"
+    fi
 fi

components/gardener/deploy

@@ -66,7 +66,7 @@ else # install gardener
       success=true
       break;
     fi
-    echo -e "$(debug Gardener API server not yet reachable. Waiting...)"
+    debug "Gardener API server not yet reachable. Waiting..."
   done
   if ! $success; then
     fail "Gardener API server did not become reachable within $max_retry_time seconds!"

components/kubify/wait_for_cluster.sh

@@ -29,7 +29,7 @@ while [[ $(date +%s) -lt $retry_stop ]]; do
     success=true
     break;
   fi
-  echo "Cluster not yet reachable. Waiting ..."
+  debug "Cluster not yet reachable. Waiting ..."
   sleep 30
 done
 if ! $success; then
@@ -53,7 +53,7 @@ while [[ $(date +%s) -lt $retry_stop ]]; do
       ((phase=$phase-1)) || true
       continue;
     fi
-    echo "Amount of api server pods ($api_count) doesn't equal specified amount of master nodes ($master_count) yet. Waiting ..."
+    debug "Amount of api server pods ($api_count) doesn't equal specified amount of master nodes ($master_count) yet. Waiting ..."
     ;;
   (2) # check: #etcd == #master nodes
     etcd_count=$(kubectl -n kube-system get pods | grep -i -E "kube-etcd-.... " | wc -l) &> /dev/null
@@ -62,7 +62,7 @@ while [[ $(date +%s) -lt $retry_stop ]]; do
       ((phase=$phase-1)) || true
       continue;
     fi
-    echo "Amount of etcd pods ($etcd_count) doesn't equal specified amount of master nodes ($master_count) yet. Waiting ..."
+    debug "Amount of etcd pods ($etcd_count) doesn't equal specified amount of master nodes ($master_count) yet. Waiting ..."
     ;;
   (1) # check: #ingress == #worker nodes
     ingress_count=$(kubectl -n nginx-ingress get pods | grep -i nginx-ingress-controller | wc -l) &> /dev/null
@@ -71,7 +71,7 @@ while [[ $(date +%s) -lt $retry_stop ]]; do
       ((phase=$phase-1)) || true
       continue;
     fi
-    echo "Amount of ingress pods ($ingress_count) doesn't equal specified amount of worker nodes ($worker_count) yet. Waiting ..."
+    debug "Amount of ingress pods ($ingress_count) doesn't equal specified amount of worker nodes ($worker_count) yet. Waiting ..."
     ;;
   (0) # check: #pods == #running pods
     pod_count=$(kubectl get pods --all-namespaces | wc -l) &> /dev/null
@@ -83,7 +83,7 @@ while [[ $(date +%s) -lt $retry_stop ]]; do
       success=true
       break;
     fi
-    echo "$running_pod_count of $pod_count pods are running. Waiting ..."
+    debug "$running_pod_count of $pod_count pods are running. Waiting ..."
     ;;
   (*) # just decrease phase
     echo "No valid phase: $phase"

components/seed-config/deploy

@@ -14,20 +14,20 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+for i in ${COMPONENT_TEMPLATE_HOME}/${CLOUD_VARIANT}/*.tmpl ; do
+    filet=$(basename $i)
+    file=${filet::-5}
+    if [ ! -f ${COMPONENT_STATE_HOME}/$file ]; then # create yaml if it doesn't exist
+        mako-render $i > ${COMPONENT_STATE_HOME}/$file
+    fi
+done
+
 if [ $# -gt 1 ] && [ $2 == "-u" -o $2 == "--uninstall" ]; then # uninstall seed-config
     for i in $(ls -r ${COMPONENT_STATE_HOME}/*.yaml); do # iterate over files in reverse order
         kubectl delete -f $i --ignore-not-found
     done
     rm -rf $COMPONENT_STATE_HOME
 else # install seed-config
-    for i in ${COMPONENT_TEMPLATE_HOME}/${CLOUD_VARIANT}/*.tmpl ; do
-        filet=$(basename $i)
-        file=${filet::-5}
-        mako-render $i > ${COMPONENT_STATE_HOME}/$file
-    done
-
-    # deploy
-
     for i in ${COMPONENT_STATE_HOME}/*.yaml ; do
         echo deploying $i
         kubectl apply -f $i

deploy_gardener.sh

@@ -23,29 +23,41 @@ echo "Setting up the cluster ..."
 
 pushd "$LANDSCAPE_COMPONENTS_HOME" 1> /dev/null
 
-# kubify - not yet automated
-#./deploy.sh kubify
-
-# certificates
-./deploy.sh cert
-
-# helm-tiller
-./deploy.sh helm-tiller
-
-# gardener
-./deploy.sh gardener
-
-# register garden cluster as seed cluster
-./deploy.sh seed-config
-
-# identity
-./deploy.sh identity
-
-# dashboard 
-./deploy.sh dashboard
-
-# certmanager - there's an extra script for that
-#./deploy.sh certmanager
+if [ $# -gt 0 ]; then 
+    arg="$1"
+else 
+    arg=cert
+fi
+case $arg in
+    (cert) 
+        # certificates
+        ./deploy.sh cert
+        ;&
+    (helm-tiller) 
+        # helm-tiller
+        ./deploy.sh helm-tiller
+        ;&
+    (gardener) 
+        # gardener
+        ./deploy.sh gardener
+        ;&
+    (seed-config)
+        # register garden cluster as seed cluster
+        ./deploy.sh seed-config
+        ;&
+    (identity)
+        # identity
+        ./deploy.sh identity
+        ;&
+    (dashboard)
+        # dashboard 
+        ./deploy.sh dashboard
+        ;;
+    (*)
+        # something else
+        fail "Unknown argument: $arg"
+        ;;
+esac
 
 popd 1> /dev/null
 

deploy_kubify.sh

@@ -14,8 +14,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-cd components
+pushd "$LANDSCAPE_COMPONENTS_HOME" 1> /dev/null
+
 ./deploy.sh kubify
-cd ..
 
-echo "Cluster successfully set up!"
+echo "Cluster successfully set up!"
+
+echo ""
+$SETUP_REPO_PATH/session_affinity_fix.sh
+
+popd 1> /dev/null

docker_build.sh

@@ -14,8 +14,12 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+pushd $(dirname ${0}) 1> /dev/null
+
 # read latest version from file
-CURRENT_IMAGE_VERSION=$(<VERSION)
+CURRENT_IMAGE_VERSION=$(<IMAGE_VERSION)
 
 # Build docker image with name "gardener_landscape"
 docker build . -t "eu.gcr.io/gardener-project/gardener/gardener-setup:$CURRENT_IMAGE_VERSION"
+
+popd 1> /dev/null

docker_run.sh

@@ -14,8 +14,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+pushd $(dirname ${0}) 1> /dev/null
+
 # read latest version from file
-CURRENT_IMAGE_VERSION=$(<VERSION)
+CURRENT_IMAGE_VERSION=$(<IMAGE_VERSION)
 IMAGE_NAME="eu.gcr.io/gardener-project/gardener/gardener-setup"
 
 # check if image exists - if not, pull from repo
@@ -27,4 +29,6 @@ fi
 
 # Run the docker container with interactive shell, cd to the mounted folder, and source the init.sh file
 # the "&& bash" keeps the interactive mode of the docker container alive
-docker run -it -v $(pwd)/..:/landscape -w /landscape/setup "$IMAGE_NAME:$CURRENT_IMAGE_VERSION" bash -c "source /landscape/setup/init.sh && bash"
+docker run -it -v $(pwd)/..:/landscape -w /landscape/setup "$IMAGE_NAME:$CURRENT_IMAGE_VERSION" bash -c "source /landscape/setup/init.sh && bash"
+
+popd 1> /dev/null

init.sh

@@ -68,5 +68,6 @@ source ${SETUP_REPO_PATH}/bin/common
 export -f fail
 export -f error
 export -f color
+export -f debug
 
 echo "Environment variables configured!"