Embedding static assets [Fixes #31]

banzaicloud · Jun 24, 2019 · dbd4c10 · dbd4c10
1 parent a670940
commit dbd4c10
Show file tree

Hide file tree

Showing 50 changed files with 2,614 additions and 1,113 deletions.
diff --git a/Makefile b/Makefile
@@ -22,14 +22,17 @@ GOLANGCI_VERSION = 1.16.0
 LICENSEI_VERSION = 0.1.0
 GORELEASER_VERSION = 0.105.0
 OPENAPI_GENERATOR_VERSION = PR1869
+TEMPLIFY_VERSION = 7fafacc
 
 GOLANG_VERSION = 1.12
 
+export GOTMPL = ${PWD}/go.tmpl
+
 .PHONY: build
 build: pke ## Build project
 
 .PHONY: pke
-pke: ## Build PKE binary
+pke: gogenerate ## Build PKE binary
 ifneq (${IGNORE_GOLANG_VERSION_REQ}, 1)
 	@printf "${GOLANG_VERSION}\n$$(go version | awk '{sub(/^go/, "", $$3);print $$3}')" | sort -t '.' -k 1,1 -k 2,2 -k 3,3 -g | head -1 | grep -q -E "^${GOLANG_VERSION}$$" || (printf "Required Go version is ${GOLANG_VERSION}\nInstalled: `go version`" && exit 1)
 endif
@@ -40,6 +43,14 @@ pke-docs: ## Generate documentation for PKE
 	rm -rf cmd/pke/docs/*.md
 	cd cmd/pke/docs/ && go run -v generate.go
 
+.PHONY: gogenerate
+gogenerate: bin/templify ## Generate go files from template
+	export GOOS=linux && PATH=${PATH}:${PWD}/bin/ go generate ./cmd/...
+
+bin/templify:
+	GOPATH=${BUILD_DIR}/templify go get github.com/wlbr/templify@${TEMPLIFY_VERSION}
+	@ln -sf ${BUILD_DIR}/templify/bin/templify bin/templify
+
 .PHONY: check
 check: test lint ## Run tests and linters
 

diff --git a/cmd/pke/app/phases/kubeadm/common.go b/cmd/pke/app/phases/kubeadm/common.go
@@ -37,6 +37,8 @@ const (
 	EncryptionProviderConfig = "/etc/kubernetes/admission-control/encryption-provider-config.yaml"
 )
 
+//go:generate templify -t ${GOTMPL} -p kubeadm -f kubeadmAzureConfig kubeadm_azure_config.json.tmpl
+
 func WriteKubeadmAzureConfig(out io.Writer, filename, cloudProvider, tenantID, subnetName, securityGroupName, vnetName, vnetResourceGroup, vmType, loadBalancerSku, routeTableName string, excludeMasterFromStandardLB bool) error {
 	if cloudProvider == constants.CloudProviderAzure {
 		if http.DefaultClient.Timeout < 10*time.Second {
@@ -83,26 +85,7 @@ func WriteKubeadmAzureConfig(out io.Writer, filename, cloudProvider, tenantID, s
 			loadBalancerSku = "basic"
 		}
 
-		conf := `{
-    "cloud":"{{ .Cloud }}",
-    "tenantId": "{{ .TenantId }}",
-    "subscriptionId": "{{ .SubscriptionId }}",
-    "resourceGroup": "{{ .ResourceGroup }}",
-    "location": "{{ .Location }}",
-    "subnetName": "{{ .SubnetName }}",
-    "securityGroupName": "{{ .SecurityGroupName }}",
-    "vnetName": "{{ .VNetName }}",
-    "vnetResourceGroup": "{{ .VNetResourceGroup }}",
-    "vmType": "{{ .VMType }}",
-    "loadBalancerSku": "{{ .LoadBalancerSku }}",
-    "routeTableName": "{{ .RouteTableName }}",
-    "cloudProviderBackoff": false,
-    "useManagedIdentityExtension": true,
-    "useInstanceMetadata": true,
-    "excludeMasterFromStandardLB": {{ .ExcludeMasterFromStandardLB }}
-}`
-
-		tmpl, err := template.New("azure-config").Parse(conf)
+		tmpl, err := template.New("azure-config").Parse(kubeadmAzureConfigTemplate())
 		if err != nil {
 			return err
 		}
@@ -151,6 +134,8 @@ func WriteKubeadmAzureConfig(out io.Writer, filename, cloudProvider, tenantID, s
 	return nil
 }
 
+//go:generate templify -t ${GOTMPL} -p kubeadm -f encryptionProvider encryption_provider.yaml.tmpl
+
 // WriteEncryptionProviderConfig creates configuration to encrypt Kubernetes secrets.
 // If encryptionSecret is not provided, but the configuration is already in place
 // secret will NOT be replaced with a newly generated one.
@@ -187,20 +172,7 @@ func WriteEncryptionProviderConfig(out io.Writer, filename, kubernetesVersion, e
 		apiVersion = "v1"
 	}
 
-	conf := `kind: {{ .Kind }}
-apiVersion: {{ .APIVersion }}
-resources:
-  - resources:
-    - secrets
-    providers:
-    - aescbc:
-        keys:
-        - name: key1
-          secret: "{{ .EncryptionSecret }}"
-    - identity: {}
-`
-
-	tmpl, err := template.New("admission-config").Parse(conf)
+	tmpl, err := template.New("admission-config").Parse(encryptionProviderTemplate())
 	if err != nil {
 		return err
 	}

diff --git a/cmd/pke/app/phases/kubeadm/controlplane/admission_configuration.yaml.go b/cmd/pke/app/phases/kubeadm/controlplane/admission_configuration.yaml.go
@@ -0,0 +1,26 @@
+// Copyright © 2019 Banzai Cloud
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controlplane
+
+// admissionConfigurationTemplate is a generated function returning the template as a string.
+func admissionConfigurationTemplate() string {
+	var tmpl = "kind: AdmissionConfiguration\n" +
+		"apiVersion: apiserver.k8s.io/v1alpha1\n" +
+		"plugins:\n" +
+		"- name: EventRateLimit\n" +
+		"  path: {{ .RateLimitConfigFile }}\n" +
+		""
+	return tmpl
+}
diff --git a/cmd/pke/app/phases/kubeadm/controlplane/admission_configuration.yaml.tmpl b/cmd/pke/app/phases/kubeadm/controlplane/admission_configuration.yaml.tmpl
@@ -0,0 +1,5 @@
+kind: AdmissionConfiguration
+apiVersion: apiserver.k8s.io/v1alpha1
+plugins:
+- name: EventRateLimit
+  path: {{ .RateLimitConfigFile }}
diff --git a/cmd/pke/app/phases/kubeadm/controlplane/audit_v1beta1.yaml.go b/cmd/pke/app/phases/kubeadm/controlplane/audit_v1beta1.yaml.go
@@ -0,0 +1,201 @@
+// Copyright © 2019 Banzai Cloud
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controlplane
+
+// auditV1Beta1Template is a generated function returning the template as a string.
+func auditV1Beta1Template() string {
+	var tmpl = "apiVersion: audit.k8s.io/v1beta1\n" +
+		"kind: Policy\n" +
+		"rules:\n" +
+		"  - level: None\n" +
+		"    resources:\n" +
+		"      - group: \"\"\n" +
+		"        resources:\n" +
+		"          - endpoints\n" +
+		"          - services\n" +
+		"          - services/status\n" +
+		"    users:\n" +
+		"      - 'system:kube-proxy'\n" +
+		"      - 'system:apiserver'\n" +
+		"    verbs:\n" +
+		"      - watch\n" +
+		"\n" +
+		"  - level: None\n" +
+		"    resources:\n" +
+		"      - group: \"\"\n" +
+		"        resources:\n" +
+		"          - nodes\n" +
+		"          - nodes/status\n" +
+		"    userGroups:\n" +
+		"      - 'system:nodes'\n" +
+		"    verbs:\n" +
+		"      - get\n" +
+		"\n" +
+		"  - level: None\n" +
+		"    namespaces:\n" +
+		"      - kube-system\n" +
+		"    resources:\n" +
+		"      - group: \"\"\n" +
+		"        resources:\n" +
+		"          - endpoints\n" +
+		"    users:\n" +
+		"      - 'system:kube-controller-manager'\n" +
+		"      - 'system:kube-scheduler'\n" +
+		"      - 'system:serviceaccount:kube-system:endpoint-controller'\n" +
+		"      - 'system:serviceaccount:kube-system:local-path-provisioner-service-account'\n" +
+		"      - 'system:apiserver'\n" +
+		"    verbs:\n" +
+		"      - get\n" +
+		"      - update\n" +
+		"\n" +
+		"  - level: None\n" +
+		"    resources:\n" +
+		"      - group: \"\"\n" +
+		"        resources:\n" +
+		"          - namespaces\n" +
+		"          - namespaces/status\n" +
+		"          - namespaces/finalize\n" +
+		"    users:\n" +
+		"      - 'system:apiserver'\n" +
+		"    verbs:\n" +
+		"      - get\n" +
+		"\n" +
+		"  - level: None\n" +
+		"    resources:\n" +
+		"      - group: metrics.k8s.io\n" +
+		"    users:\n" +
+		"      - 'system:kube-controller-manager'\n" +
+		"    verbs:\n" +
+		"      - get\n" +
+		"      - list\n" +
+		"\n" +
+		"  - level: None\n" +
+		"    nonResourceURLs:\n" +
+		"      - '/healthz*'\n" +
+		"      - /version\n" +
+		"      - '/swagger*'\n" +
+		"\n" +
+		"  - level: None\n" +
+		"    resources:\n" +
+		"      - group: \"\"\n" +
+		"        resources:\n" +
+		"          - events\n" +
+		"\n" +
+		"  - level: Request\n" +
+		"    omitStages:\n" +
+		"      - RequestReceived\n" +
+		"    resources:\n" +
+		"      - group: \"\"\n" +
+		"        resources:\n" +
+		"          - nodes/status\n" +
+		"          - pods/status\n" +
+		"    users:\n" +
+		"      - kubelet\n" +
+		"      - 'system:node-problem-detector'\n" +
+		"      - 'system:serviceaccount:kube-system:node-problem-detector'\n" +
+		"    verbs:\n" +
+		"      - update\n" +
+		"      - patch\n" +
+		"\n" +
+		"  - level: Request\n" +
+		"    omitStages:\n" +
+		"      - RequestReceived\n" +
+		"    resources:\n" +
+		"      - group: \"\"\n" +
+		"        resources:\n" +
+		"          - nodes/status\n" +
+		"          - pods/status\n" +
+		"    userGroups:\n" +
+		"      - 'system:nodes'\n" +
+		"    verbs:\n" +
+		"      - update\n" +
+		"      - patch\n" +
+		"\n" +
+		"  - level: Request\n" +
+		"    omitStages:\n" +
+		"      - RequestReceived\n" +
+		"    users:\n" +
+		"      - 'system:serviceaccount:kube-system:namespace-controller'\n" +
+		"    verbs:\n" +
+		"      - deletecollection\n" +
+		"\n" +
+		"  - level: Metadata\n" +
+		"    omitStages:\n" +
+		"      - RequestReceived\n" +
+		"    resources:\n" +
+		"      - group: \"\"\n" +
+		"        resources:\n" +
+		"          - secrets\n" +
+		"          - configmaps\n" +
+		"      - group: authentication.k8s.io\n" +
+		"        resources:\n" +
+		"          - tokenreviews\n" +
+		"\n" +
+		"  - level: Request\n" +
+		"    omitStages:\n" +
+		"      - RequestReceived\n" +
+		"    resources:\n" +
+		"      - group: \"\"\n" +
+		"      - group: admissionregistration.k8s.io\n" +
+		"      - group: apiextensions.k8s.io\n" +
+		"      - group: apiregistration.k8s.io\n" +
+		"      - group: apps\n" +
+		"      - group: authentication.k8s.io\n" +
+		"      - group: authorization.k8s.io\n" +
+		"      - group: autoscaling\n" +
+		"      - group: batch\n" +
+		"      - group: certificates.k8s.io\n" +
+		"      - group: extensions\n" +
+		"      - group: metrics.k8s.io\n" +
+		"      - group: networking.k8s.io\n" +
+		"      - group: policy\n" +
+		"      - group: rbac.authorization.k8s.io\n" +
+		"      - group: scheduling.k8s.io\n" +
+		"      - group: settings.k8s.io\n" +
+		"      - group: storage.k8s.io\n" +
+		"    verbs:\n" +
+		"      - get\n" +
+		"      - list\n" +
+		"      - watch\n" +
+		"\n" +
+		"  - level: RequestResponse\n" +
+		"    omitStages:\n" +
+		"      - RequestReceived\n" +
+		"    resources:\n" +
+		"      - group: \"\"\n" +
+		"      - group: admissionregistration.k8s.io\n" +
+		"      - group: apiextensions.k8s.io\n" +
+		"      - group: apiregistration.k8s.io\n" +
+		"      - group: apps\n" +
+		"      - group: authentication.k8s.io\n" +
+		"      - group: authorization.k8s.io\n" +
+		"      - group: autoscaling\n" +
+		"      - group: batch\n" +
+		"      - group: certificates.k8s.io\n" +
+		"      - group: extensions\n" +
+		"      - group: metrics.k8s.io\n" +
+		"      - group: networking.k8s.io\n" +
+		"      - group: policy\n" +
+		"      - group: rbac.authorization.k8s.io\n" +
+		"      - group: scheduling.k8s.io\n" +
+		"      - group: settings.k8s.io\n" +
+		"      - group: storage.k8s.io\n" +
+		"\n" +
+		"  - level: Metadata\n" +
+		"    omitStages:\n" +
+		"      - RequestReceived\n" +
+		""
+	return tmpl
+}