Initial commit

bootstrap.sh

@@ -0,0 +1,114 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+CILIUM_VESRION=1.18.4
+
+# TODO: Check that all tools are installed
+
+CLUSTERNAME="${1:-}"
+if [ -z "${CLUSTERNAME}" ]; then
+	echo "No cluster name has been specified."
+	exit -1
+fi
+
+BOOTSTRAP_IP="${2:-}"
+if [ -z "${BOOTSTRAP_IP}" ]; then
+	echo "No bootstrap ip has been specified."
+	exit -1
+fi
+
+TALOSCONFIG=${TALOSCONFIG:-}
+if [ -z "${TALOSCONFIG}" ]; then
+	echo "TALOSCONFIG is not set, please make sure to run \`. ./rendered/source.sh\` in the metal repository."
+	exit -1
+fi
+if [ ! -f "${TALOSCONFIG}" ]; then
+	echo "File specified in TALOSCONFIG (${TALOSCONFIG}) does not exist, make sure to generate it using \`./rendered/generate_configs.sh\` in the metal repository."
+fi
+CLUSTERS=($(cat $TALOSCONFIG | yq '.contexts | keys' -o csv | tr ',' ' '))
+
+if [[ ! "${CLUSTERS[*]}" =~ "${CLUSTERNAME}" ]]; then
+	echo "Cluster '${CLUSTERNAME}' does not exist."
+	echo "Available clusters:"
+	for (( i=0; i<${#CLUSTERS[@]}; i++ )); do
+		echo -e "\t${CLUSTERS[$i]}"
+	done
+	exit -1
+fi
+
+KUBECONFIG=${KUBECONFIG:-}
+if [ -z "${KUBECONFIG}" ]; then
+	echo "KUBECONFIG is not set, please make sure to run \`. ./rendered/source.sh\` in the metal repository."
+	exit -1
+fi
+KUBECONFIG=$(echo $KUBECONFIG | tr ':' '\n' | grep ${CLUSTERNAME}/kubeconfig)
+if [ -z "${KUBECONFIG}" ]; then
+	echo "KUBECONFIG does not contain a path for the current cluster, please make sure to run \`. ./rendered/source.sh\` in the metal repository."
+	exit -1
+fi
+
+VIP=$(cat $TALOSCONFIG | yq ".contexts.${CLUSTERNAME}.endpoints[0]")
+if [ "${VIP}" = "null" ]; then
+	echo "Failed to get VIP of cluster."
+	exit -1
+fi
+
+echo -n "Checking connection to ${BOOTSTRAP_IP}... "
+if nmap -Pn ${BOOTSTRAP_IP} -p 50000 | grep -q 'open'; then
+	echo "[Success]"
+else
+	echo "[Failure]"
+	exit -1
+fi
+
+count=0
+max_retries=20
+while ! nmap -Pn ${VIP} -p 50000 | grep -q 'open' && [ ${count} -lt ${max_retries} ]; do
+	if [ $count -eq 0 ]; then
+		echo -n "Bootstrapping Kubernetes"
+	fi
+	echo -n "."
+	count=$((count+1))
+	sleep 5
+	talosctl --context ${CLUSTERNAME} -e "${BOOTSTRAP_IP}" -n "${BOOTSTRAP_IP}" bootstrap 2> /dev/null || true
+done
+if [ ${count} -ge ${max_retries} ]; then
+	echo " [Failure]"
+	exit -1
+elif [ ! $count -eq 0 ]; then
+	echo " [Success]"
+fi
+
+count=0
+max_retries=20
+while [ -z "$(kubectl get nodes 2> /dev/null)" ]; do
+	if [ $count -eq 0 ]; then
+		echo -n "Waiting for apiserver"
+	fi
+	echo -n "."
+	count=$((count+1))
+	sleep 15
+done
+if [ ${count} -ge ${max_retries} ]; then
+	echo " [Failure]"
+	exit -1
+elif [ ! $count -eq 0 ]; then
+	echo " [Success]"
+fi
+
+if ! helm status -n kube-system cilium &> /dev/null; then
+	echo "Installing cilium..."
+	helm repo add cilium https://helm.cilium.io/ > /dev/null
+	helm repo update > /dev/null
+	helm install \
+		cilium \
+		cilium/cilium \
+		--version ${CILIUM_VESRION} \
+		--namespace kube-system \
+		--values cilium.yaml
+fi
+
+cilium-cli status --wait
+
+echo "Running connectivity test..."
+cilium-cli connectivity test --namespace-labels pod-security.kubernetes.io/enforce=privileged

cilium.yaml

@@ -0,0 +1,36 @@
+ipam:
+  mode: kubernetes
+kubeProxyReplacement: true
+securityContext:
+  capabilities:
+    ciliumAgent:
+      - CHOWN
+      - KILL
+      - NET_ADMIN
+      - NET_RAW
+      - IPC_LOCK
+      - SYS_ADMIN
+      - SYS_RESOURCE
+      - DAC_OVERRIDE
+      - FOWNER
+      - SETGID
+      - SETUID
+    cleanCiliumState:
+      - NET_ADMIN
+      - SYS_ADMIN
+      - SYS_RESOURCE
+cgroup:
+  autoMount:
+    enabled: false
+  hostRoot: /sys/fs/cgroup
+k8sServiceHost: localhost
+k8sServicePort: 7445
+gatewayAPI:
+  enabled: true
+  enableAlpn: true
+  enableAppProtocol: true
+operator:
+  replicas: 1
+hubble:
+  relay:
+    enabled: true