caos / orbos Goto Github PK

myorbmycluster_kubeconfig:
  encoding: Base64
  encryption: AES256
  value: xyz
myorbmyclustermyprovider_bootstrapkey:
  encoding: Base64
  encryption: AES256
  value: xyz
myorbmyclustermyprovider_maintenancekey:
  encoding: Base64
  encryption: AES256
  value: xyz
myorbmyclustermyprovider_maintenancekey_pub:
  encoding: Base64
  encryption: AES256
  value: xyz

becomes:

kind: orbiter.caos.ch/Secrets
version: v0
spec:
  myorb:
    mycluster:
      kubeconfig:
        encoding: Base64
        encryption: AES256
        value: xyz
      myprovider:
        bootstrapkey:
          encoding: Base64
          encryption: AES256
          value: xyz
        maintenancekey:
          encoding: Base64
          encryption: AES256
          value: xyz
        maintenancekey_pub:
          encoding: Base64
          encryption: AES256
          value: xyz

=> ubiquitous language

Upgrade from helm v2 to helm v3, for the aspects of using it tillerless and having the positive aspects of rollbacks per release.

The state should then be persistently managed in a git repository.

I think with each update of the Service Account we create a new boom-token.

This creates a lot of secrets and should be fixed 😁

yum install kubelet=1.16.4 does not overwrite installed package kubelet=1.17.0

we should provide a dashboard for calico in the first place

I think it would be best to remediate as much as possible in an automated manor.
So we could run something like kube-bench in our test pipeline and then remediate most of the issues.

Target should be that the kubeadm deployment is hardened automatically without a lot of customization from customers.

@thesephirot @eliobischof @stebenz inputs?

We should also collect log files of k8s and our tooling

• Kube-System (API Server, Controller Manager, Etcd, kube-proxy)
• Orbiter
• Boom
• Kubelet logs (systemd on node)
• Node-Agent logs (systemd on node)

@eliobischof additional inputs?

• Create better to use guides regarding k8s
• Document the API

Orbiter removes the cordon flag from a specific node in each iteration.

IMHO this should not behave like this 😁

to ease the download of a kubeconfig, orbctl shall have the option to list the secrets in its config.

In our testcluster orbiter should apply boom 0.9.13 as defined in the orbiter.yml.
However we still have 0.9.10 which was the last version applied.

This might be the root cause for caos/boom#48

Side note this does not affect orbiter version 0.12.2

(quickwin)
ambassador
cert-manager
argo

(the long run)
orbiter
boom

• PodDisruptionPolicies
• Taints
• Node Selectors
• Pod Priority and Preemption

To better support boom, we should cache and security scan the used images and substitute them.

AWS can be used as Static Provider to test static implementations @ customer sites.

In addition we will implement full AWS functionality.

I think we can split test and release & push from each other

Add comments to API structs so that crd definition has descriptions

Sometimes when setting up a 3 node master cluster, the third node does not have the proper role master applied in kubectl get nodes. Also the taints are missing.

@eliobischof a customer project is related to this.

To make cluster lifecycle easy we should implement a destroy flag and change the behaviour off takeoff.

This relates to a customer issue.

Prio 1

• Proxy Protocol Support between NGINX and Ambassador

Prio 2

• Proxy Protocol Support between NGINX and externalLB

Additional Infos

https://www.getambassador.io/reference/core/ambassador/

This links to #18