Merge pull request #43 from vatesfr/fix-leader-election

fix: remove leader election when 1 replica and add useDaemonSet for the CCM

Author: gCyrille

Makefile

@@ -118,6 +118,10 @@ docs:
 	helm template -n kube-system xenorchestra-cloud-controller-manager \
 		--set-string image.tag=$(TAG) \
 		charts/xenorchestra-cloud-controller-manager > docs/deploy/cloud-controller-manager.yml
+	helm template -n kube-system xenorchestra-cloud-controller-manager \
+		--set-string image.tag=$(TAG) \
+		--set useDaemonSet=true \
+		charts/xenorchestra-cloud-controller-manager > docs/deploy/cloud-controller-manager-daemonset.yml
 	helm-docs --sort-values-order=file charts/xenorchestra-cloud-controller-manager
 
 release-update:

charts/xenorchestra-cloud-controller-manager/Chart.yaml

@@ -10,5 +10,5 @@ keywords:
   - ccm
   - xenorchestra
   - kubernetes
-version: 1.0.0-rc.1
+version: 1.0.0-rc.2
 appVersion: v1.0.0-rc.1

charts/xenorchestra-cloud-controller-manager/README.md

@@ -1,6 +1,6 @@
 # xenorchestra-cloud-controller-manager
 
-![Version: 1.0.0-rc.1](https://img.shields.io/badge/Version-1.0.0--rc.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.0.0-rc.1](https://img.shields.io/badge/AppVersion-v1.0.0--rc.1-informational?style=flat-square)
+![ChartVersion: 1.0.0-rc.2](https://img.shields.io/badge/ChartVersion-1.0.0--rc.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.0.0-rc.1](https://img.shields.io/badge/AppVersion-v1.0.0--rc.1-informational?style=flat-square)
 
 Cloud Controller Manager plugin for Xen Orchestra
 
@@ -69,6 +69,16 @@ tolerations:
     effect: NoSchedule
 ```
 
+Using a daemonset:
+```yaml
+
+useDaemonSet: true
+
+# Set nodeSelector in daemonset mode is required
+nodeSelector:
+  node-role.kubernetes.io/control-plane: "true"
+```
+
 Deploy chart:
 
 ```shell
@@ -102,10 +112,11 @@ helm upgrade -i --namespace=kube-system -f xo-ccm.yaml \
 | podSecurityContext | object | `{"fsGroup":10258,"fsGroupChangePolicy":"OnRootMismatch","runAsGroup":10258,"runAsNonRoot":true,"runAsUser":10258}` | Pods Security Context. ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod |
 | securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"seccompProfile":{"type":"RuntimeDefault"}}` | Container Security Context. ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod |
 | resources | object | `{"requests":{"cpu":"10m","memory":"32Mi"}}` | Resource requests and limits. ref: https://kubernetes.io/docs/user-guide/compute-resources/ |
+| useDaemonSet | bool | `false` | Deploy CCM  in Daemonset mode. |
 | updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | Deployment update strategy type. ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#updating-a-deployment |
 | nodeSelector | object | `{}` | Node labels for data pods assignment.  ref: https://kubernetes.io/docs/user-guide/node-selection/ |
 | tolerations | list | `[{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane","operator":"Exists"},{"effect":"NoSchedule","key":"node.cloudprovider.kubernetes.io/uninitialized","operator":"Exists"}]` | Tolerations for data pods assignment. ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ |
 | affinity | object | `{}` | Affinity for data pods assignment. ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity |
 | extraVolumes | list | `[]` | Additional volumes for Pods |
 | extraVolumeMounts | list | `[]` | Additional volume mounts for Pods |
-| useHostNetwork | bool | `false` | Host networking requested for the CCM Pod |
+| useHostNetwork | bool | `false` | Host networking requested for the CCM Pod. CCM will use hostNetwork. It allows to use CCM without CNI plugins. |

charts/xenorchestra-cloud-controller-manager/README.md.gotmpl

@@ -74,6 +74,16 @@ tolerations:
     effect: NoSchedule
 ```
 
+Using a daemonset:
+```yaml
+
+useDaemonSet: true
+
+# Set nodeSelector in daemonset mode is required
+nodeSelector:
+  node-role.kubernetes.io/control-plane: "true"
+```
+
 Deploy chart:
 
 ```shell

charts/xenorchestra-cloud-controller-manager/templates/deployment.yaml

@@ -1,14 +1,23 @@
 apiVersion: apps/v1
+{{- if .Values.useDaemonSet }}
+kind: DaemonSet
+{{- else }}
 kind: Deployment
+{{- end }}
 metadata:
   name: {{ include "xenorchestra-cloud-controller-manager.fullname" . }}
   labels:
     {{- include "xenorchestra-cloud-controller-manager.labels" . | nindent 4 }}
   namespace: {{ .Release.Namespace }}
 spec:
+  {{- if not .Values.useDaemonSet }}
   replicas: {{ .Values.replicaCount }}
   strategy:
     type: {{ .Values.updateStrategy.type }}
+  {{- else }}
+  updateStrategy:
+    type: {{ .Values.updateStrategy.type }}
+  {{- end }}
   selector:
     matchLabels:
       {{- include "xenorchestra-cloud-controller-manager.selectorLabels" . | nindent 6 }}
@@ -59,6 +68,9 @@ spec:
             - --use-service-account-credentials
             - --secure-port=10258
             - --authorization-always-allow-paths=/healthz,/livez,/readyz,/metrics
+            {{- if and (eq (int .Values.replicaCount) 1) (not .Values.useDaemonSet) }}
+            - --leader-elect=false
+            {{- end }}
           {{- with .Values.extraArgs }}
             {{- toYaml . | nindent 12 }}
           {{- end }}
@@ -108,13 +120,20 @@ spec:
       {{- with .Values.tolerations }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if .Values.useDaemonSet }}
+        - effect: NoSchedule
+          key: node.kubernetes.io/not-ready
+          operator: Exists
+      {{- end }}
+      {{- if not .Values.useDaemonSet }}
       topologySpreadConstraints:
         - maxSkew: 1
           topologyKey: kubernetes.io/hostname
           whenUnsatisfiable: DoNotSchedule
           labelSelector:
             matchLabels:
               {{- include "xenorchestra-cloud-controller-manager.selectorLabels" . | nindent 14 }}
+      {{- end }}
       volumes:
         {{- if .Values.existingConfigSecret }}
         - name: cloud-config

charts/xenorchestra-cloud-controller-manager/values.yaml

@@ -111,6 +111,9 @@ resources:
     cpu: 10m
     memory: 32Mi
 
+# -- Deploy CCM  in Daemonset mode.
+useDaemonSet: false
+
 # -- Deployment update strategy type.
 # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#updating-a-deployment
 updateStrategy:
@@ -149,5 +152,7 @@ extraVolumes: []
 # -- Additional volume mounts for Pods
 extraVolumeMounts: []
 
-# --  Host networking requested for the CCM Pod
+# --  Host networking requested for the CCM Pod.
+# CCM will use hostNetwork.
+# It allows to use CCM without CNI plugins.
 useHostNetwork: false

docs/deploy/cloud-controller-manager-daemonset.yml

@@ -0,0 +1,203 @@
+---
+# Source: xenorchestra-cloud-controller-manager/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: xenorchestra-cloud-controller-manager
+  labels:
+    helm.sh/chart: xenorchestra-cloud-controller-manager-1.0.0-rc.2
+    app.kubernetes.io/name: xenorchestra-cloud-controller-manager
+    app.kubernetes.io/instance: xenorchestra-cloud-controller-manager
+    app.kubernetes.io/version: "v1.0.0-rc.1"
+    app.kubernetes.io/managed-by: Helm
+  namespace: kube-system
+---
+# Source: xenorchestra-cloud-controller-manager/templates/role.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:xenorchestra-cloud-controller-manager
+  labels:
+    helm.sh/chart: xenorchestra-cloud-controller-manager-1.0.0-rc.2
+    app.kubernetes.io/name: xenorchestra-cloud-controller-manager
+    app.kubernetes.io/instance: xenorchestra-cloud-controller-manager
+    app.kubernetes.io/version: "v1.0.0-rc.1"
+    app.kubernetes.io/managed-by: Helm
+rules:
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - get
+      - create
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get
+      - list
+      - watch
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - nodes/status
+    verbs:
+      - patch
+  - apiGroups:
+      - ""
+    resources:
+      - serviceaccounts
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - serviceaccounts/token
+    verbs:
+      - create
+---
+# Source: xenorchestra-cloud-controller-manager/templates/rolebinding.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: system:xenorchestra-cloud-controller-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:xenorchestra-cloud-controller-manager
+subjects:
+  - kind: ServiceAccount
+    name: xenorchestra-cloud-controller-manager
+    namespace: kube-system
+---
+# Source: xenorchestra-cloud-controller-manager/templates/rolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: system:xenorchestra-cloud-controller-manager:extension-apiserver-authentication-reader
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+  - kind: ServiceAccount
+    name: xenorchestra-cloud-controller-manager
+    namespace: kube-system
+---
+# Source: xenorchestra-cloud-controller-manager/templates/deployment.yaml
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: xenorchestra-cloud-controller-manager
+  labels:
+    helm.sh/chart: xenorchestra-cloud-controller-manager-1.0.0-rc.2
+    app.kubernetes.io/name: xenorchestra-cloud-controller-manager
+    app.kubernetes.io/instance: xenorchestra-cloud-controller-manager
+    app.kubernetes.io/version: "v1.0.0-rc.1"
+    app.kubernetes.io/managed-by: Helm
+  namespace: kube-system
+spec:
+  updateStrategy:
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: xenorchestra-cloud-controller-manager
+      app.kubernetes.io/instance: xenorchestra-cloud-controller-manager
+  template:
+    metadata:
+      annotations:
+      labels:
+        app.kubernetes.io/name: xenorchestra-cloud-controller-manager
+        app.kubernetes.io/instance: xenorchestra-cloud-controller-manager
+    spec:
+      enableServiceLinks: false
+      priorityClassName: system-cluster-critical
+      serviceAccountName: xenorchestra-cloud-controller-manager
+      securityContext:
+        fsGroup: 10258
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 10258
+        runAsNonRoot: true
+        runAsUser: 10258
+      dnsPolicy: Default
+      initContainers: []
+      containers:
+        - name: xenorchestra-cloud-controller-manager
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
+          image: "ghcr.io/vatesfr/xenorchestra-cloud-controller-manager:v1.0.0-rc.1"
+          imagePullPolicy: IfNotPresent
+          args:
+            - --v=2
+            - --cloud-provider=xenorchestra
+            - --cloud-config=/etc/xenorchestra/config.yaml
+            - --controllers=cloud-node,cloud-node-lifecycle,cloud-node-label-sync
+            - --leader-elect-resource-name=cloud-controller-manager-xenorchestra
+            - --use-service-account-credentials
+            - --secure-port=10258
+            - --authorization-always-allow-paths=/healthz,/livez,/readyz,/metrics
+          ports:
+            - name: metrics
+              containerPort: 10258
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: metrics
+              scheme: HTTPS
+            initialDelaySeconds: 20
+            periodSeconds: 30
+            timeoutSeconds: 5
+          resources:
+            requests:
+              cpu: 10m
+              memory: 32Mi
+          volumeMounts:
+            - name: cloud-config
+              mountPath: /etc/xenorchestra
+              readOnly: true
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - podAffinityTerm:
+                labelSelector:
+                  matchLabels:
+                    app.kubernetes.io/name: xenorchestra-cloud-controller-manager
+                    app.kubernetes.io/instance: xenorchestra-cloud-controller-manager
+                topologyKey: topology.kubernetes.io/zone
+              weight: 1
+      tolerations:
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/control-plane
+          operator: Exists
+        - effect: NoSchedule
+          key: node.cloudprovider.kubernetes.io/uninitialized
+          operator: Exists
+        - effect: NoSchedule
+          key: node.kubernetes.io/not-ready
+          operator: Exists
+      volumes:
+        - name: cloud-config
+          secret:
+            secretName: xenorchestra-cloud-controller-manager
+            defaultMode: 416

docs/deploy/cloud-controller-manager-edge.yml

@@ -5,7 +5,7 @@ kind: ServiceAccount
 metadata:
   name: xenorchestra-cloud-controller-manager
   labels:
-    helm.sh/chart: xenorchestra-cloud-controller-manager-1.0.0-rc.1
+    helm.sh/chart: xenorchestra-cloud-controller-manager-1.0.0-rc.2
     app.kubernetes.io/name: xenorchestra-cloud-controller-manager
     app.kubernetes.io/instance: xenorchestra-cloud-controller-manager
     app.kubernetes.io/version: "v1.0.0-rc.1"
@@ -18,7 +18,7 @@ kind: ClusterRole
 metadata:
   name: system:xenorchestra-cloud-controller-manager
   labels:
-    helm.sh/chart: xenorchestra-cloud-controller-manager-1.0.0-rc.1
+    helm.sh/chart: xenorchestra-cloud-controller-manager-1.0.0-rc.2
     app.kubernetes.io/name: xenorchestra-cloud-controller-manager
     app.kubernetes.io/instance: xenorchestra-cloud-controller-manager
     app.kubernetes.io/version: "v1.0.0-rc.1"
@@ -105,7 +105,7 @@ kind: Deployment
 metadata:
   name: xenorchestra-cloud-controller-manager
   labels:
-    helm.sh/chart: xenorchestra-cloud-controller-manager-1.0.0-rc.1
+    helm.sh/chart: xenorchestra-cloud-controller-manager-1.0.0-rc.2
     app.kubernetes.io/name: xenorchestra-cloud-controller-manager
     app.kubernetes.io/instance: xenorchestra-cloud-controller-manager
     app.kubernetes.io/version: "v1.0.0-rc.1"
@@ -157,6 +157,7 @@ spec:
             - --use-service-account-credentials
             - --secure-port=10258
             - --authorization-always-allow-paths=/healthz,/livez,/readyz,/metrics
+            - --leader-elect=false
           ports:
             - name: metrics
               containerPort: 10258