def set_label(label, value):
nodename = get_node_name()
cmd = 'kubectl --kubeconfig={0} label node {1} {2}={3} --overwrite'
cmd = cmd.format(kubeconfig_path, nodename, label, value)
cmd = cmd.split()
retry = 'Failed to apply label %s=%s. Will retry.' % (label, value)
if not persistent_call(cmd, retry):
raise ApplyNodeLabelFailed(retry)
def remove_label(label):
nodename = get_node_name()
cmd = 'kubectl --kubeconfig={0} label node {1} {2}-'
cmd = cmd.format(kubeconfig_path, nodename, label)
cmd = cmd.split()
retry = 'Failed to remove label {0}. Will retry.'.format(label)
if not persistent_call(cmd, retry):
raise ApplyNodeLabelFailed(retry)
def request_kubelet_and_proxy_credentials(kube_control):
""" Request kubelet node authorization with a well formed kubelet user.
This also implies that we are requesting kube-proxy auth. """
# The kube-cotrol interface is created to support RBAC.
# At this point we might as well do the right thing and return the hostname
# even if it will only be used when we enable RBAC
nodeuser = '******'.format(get_node_name().lower())
kube_control.set_auth_request(nodeuser)
def shutdown():
''' When this unit is destroyed:
- delete the current node
- stop the worker services
'''
try:
if os.path.isfile(kubeconfig_path):
kubectl('delete', 'node', get_node_name())
except CalledProcessError:
hookenv.log('Failed to unregister node.')
service_stop('snap.kubelet.daemon')
service_stop('snap.kube-proxy.daemon')
def catch_change_in_creds(kube_control):
"""Request a service restart in case credential updates were detected."""
nodeuser = '******'.format(get_node_name().lower())
creds = kube_control.get_auth_credentials(nodeuser)
if creds and creds['user'] == nodeuser:
# We need to cache the credentials here because if the
# master changes (master leader dies and replaced by a new one)
# the new master will have no recollection of our certs.
db.set('credentials', creds)
set_state('worker.auth.bootstrapped')
if data_changed('kube-control.creds', creds):
set_state('kubernetes-worker.restart-needed')
def shutdown():
"""When this unit is destroyed:
- delete the current node
- stop the worker services
"""
try:
if os.path.isfile(kubelet_kubeconfig_path):
kubectl("delete", "node", get_node_name())
except CalledProcessError:
hookenv.log("Failed to unregister node.")
service_stop("snap.kubelet.daemon")
service_stop("snap.kube-proxy.daemon")
def catch_change_in_creds(kube_control):
"""Request a service restart in case credential updates were detected."""
nodeuser = "******".format(get_node_name().lower())
creds = kube_control.get_auth_credentials(nodeuser)
if creds and creds["user"] == nodeuser:
# We need to cache the credentials here because if the
# control-plane changes (control-plane leader dies and replaced by a new one)
# the new control-plane will have no recollection of our certs.
db.set("credentials", creds)
set_state("worker.auth.bootstrapped")
if data_changed("kube-control.creds", creds):
set_state("kubernetes-worker.restart-needed")
def configure_kube_proxy(api_servers, cluster_cidr):
kube_proxy_opts = {}
kube_proxy_opts['cluster-cidr'] = cluster_cidr
kube_proxy_opts['kubeconfig'] = kubeproxyconfig_path
kube_proxy_opts['logtostderr'] = 'true'
kube_proxy_opts['v'] = '0'
kube_proxy_opts['master'] = random.choice(api_servers)
kube_proxy_opts['hostname-override'] = get_node_name()
if b'lxc' in check_output('virt-what', shell=True):
kube_proxy_opts['conntrack-max-per-core'] = '0'
configure_kubernetes_service(configure_prefix, 'kube-proxy',
kube_proxy_opts, 'proxy-extra-args')
def pre_series_upgrade():
# NB: We use --force here because unmanaged pods are going to die anyway
# when the node is shut down, and it's better to let drain cleanly
# terminate them. We use --delete-local-data because the dashboard, at
# least, uses local data (emptyDir); but local data is documented as being
# ephemeral anyway, so we can assume it should be ok.
kubectl(
"drain",
get_node_name(),
"--ignore-daemonsets",
"--force",
"--delete-local-data",
)
service_pause("snap.kubelet.daemon")
service_pause("snap.kube-proxy.daemon")
def update_nrpe_config():
services = ["snap.{}.daemon".format(s) for s in worker_services]
data = render("nagios_plugin.py", None, {"node_name": get_node_name()})
plugin_path = install_nagios_plugin_from_text(data, "check_k8s_worker.py")
hostname = nrpe.get_nagios_hostname()
current_unit = nrpe.get_nagios_unit_name()
nrpe_setup = nrpe.NRPE(hostname=hostname)
nrpe_setup.add_check("node", "Node registered with API Server", str(plugin_path))
nrpe.add_init_service_checks(nrpe_setup, services, current_unit)
nrpe_setup.write()
creds = db.get("credentials")
servers = get_kube_api_servers()
if creds and servers:
server = servers[get_unit_number() % len(servers)]
create_kubeconfig(
nrpe_kubeconfig_path,
server,
ca_crt_path,
token=creds["client_token"],
user="******",
)
# Make sure Nagios dirs are the correct permissions.
cmd = ["chown", "-R", "nagios:nagios"]
for p in ["/var/lib/nagios/", os.path.dirname(nrpe_kubeconfig_path)]:
if os.path.exists(p):
check_call(cmd + [p])
remove_state("nrpe-external-master.reconfigure")
set_state("nrpe-external-master.initial-config")
# request CPU governor check from nrpe relation to be performance
rel_settings = {
"requested_cpu_governor": "performance",
}
for rid in hookenv.relation_ids("nrpe-external-master"):
hookenv.relation_set(relation_id=rid, relation_settings=rel_settings)
def post_series_upgrade():
service_resume("snap.kubelet.daemon")
service_resume("snap.kube-proxy.daemon")
kubectl("uncordon", get_node_name())
def __init__(self, kubeconfig_path: Union[PathLike, str]):
self.kubeconfig_path = kubeconfig_path
self.node = get_node_name()
