From 392471995201ddb4000403135eb4c9805d240744 Mon Sep 17 00:00:00 2001 From: Masayuki Ishii Date: Mon, 11 Dec 2023 14:29:47 +0900 Subject: [PATCH] Migrate to ghcr.io (#683) * Push cke image to ghcr.io Signed-off-by: Masayuki Ishii * Use gh command Signed-off-by: Masayuki Ishii * Use ghcr containers Signed-off-by: Masayuki Ishii * Use ghcr containers for test Signed-off-by: Masayuki Ishii * Push branch tag * Fix image name --------- Signed-off-by: Masayuki Ishii --- .github/workflows/main.yaml | 4 +- .github/workflows/release-images.yaml | 57 +++++++++++-------- README.md | 6 +- RELEASE.md | 2 +- docker/Dockerfile | 2 +- docs/design.md | 2 +- example/docker-compose.yml | 4 +- images.go | 12 ++-- mtest/Makefile | 2 +- mtest/httpd.yml | 2 +- mtest/kubernetes_test.go | 4 +- mtest/node-ign.yml | 2 +- ...eboot-alittleslow-eviction-deployment.yaml | 2 +- mtest/reboot-deployment.yaml | 2 +- mtest/reboot-job-completed.yaml | 2 +- mtest/reboot-job-running.yaml | 2 +- mtest/reboot-slow-eviction-deployment.yaml | 2 +- mtest/suite_test.go | 2 +- sonobuoy/docker-compose.yml | 6 +- static/resources.go | 8 +-- 20 files changed, 68 insertions(+), 57 deletions(-) diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 37073d0c5..7139ea91a 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -20,7 +20,7 @@ jobs: - run: docker run -d --network host gcr.io/etcd-development/etcd:v3.5.10 - run: make test - run: make install GOBIN=$(pwd)/docker - - run: docker build -t quay.io/cybozu/cke:latest ./docker + - run: docker build -t ghcr.io/cybozu-go/cke:latest ./docker mtest: name: Mtest runs-on: ubuntu-22.04 
@@ -108,7 +108,7 @@ jobs: - name: Check image consistency run: | REV=$(awk '/const Version/ {print $4}' ../version.go | sed -E 's/^"(1.[[:digit:]]+).*/\1/') - COMPOSE_REV=$(sed -nE 's,.*quay.io/cybozu/cke:(.*)$,\1,p' docker-compose.yml) + COMPOSE_REV=$(sed -nE 's,.*ghcr.io/cybozu-go/cke:(.*)$,\1,p' docker-compose.yml) if [ "$REV" != "$COMPOSE_REV" ]; then echo Update CKE branch tag in example/docker-compose.yml fi diff --git a/.github/workflows/release-images.yaml b/.github/workflows/release-images.yaml index 7b854e808..581959975 100644 --- a/.github/workflows/release-images.yaml +++ b/.github/workflows/release-images.yaml @@ -4,7 +4,6 @@ on: tags: - 'v*' env: - tag: ${GITHUB_REF#refs/tags/v} prerelease: ${{ contains(github.ref, '-') }} jobs: sonobuoy: 
@@ -47,25 +46,34 @@ jobs: with: go-version-file: go.mod - run: make install GOBIN=$(pwd)/docker - - run: docker build -t quay.io/cybozu/cke:latest ./docker - - name: Push docker image to Quay.io - run: | - echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USER }} --password-stdin quay.io - echo "pushing CKE image ..." - docker tag quay.io/cybozu/cke:latest quay.io/cybozu/cke:${{ env.tag }} - docker push quay.io/cybozu/cke:${{ env.tag }} - if ${{ env.prerelease }} ; then - echo ===== Skip pushing branch tags for pre-release ${{ env.tag }} ===== - exit 0 - fi - BRANCH=$(echo ${{ env.tag }} | cut -d "." -f 1-2) - docker tag quay.io/cybozu/cke:latest quay.io/cybozu/cke:$BRANCH - docker push quay.io/cybozu/cke:$BRANCH + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + flavor: | + latest=false + images: | + ghcr.io/${{ github.repository_owner }}/cke + tags: | + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}},enable=${{ env.prerelease == 'false' }} + - name: Log in to ghcr.io + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Build and Push cke + uses: docker/build-push-action@v5 + with: + context: ./docker + push: true + platforms: linux/amd64 + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} release-github: name: Release on GitHub runs-on: ubuntu-22.04 - container: - image: quay.io/cybozu/golang:1.20-jammy needs: release-cke-image steps: - uses: actions/checkout@v4 
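Review bot: The new `Build and Push cke` step pushes to ghcr.io with `secrets.GITHUB_TOKEN`, but nothing in the hunk grants that token `packages: write`; unless the `release-cke-image` job or the workflow declares it outside the hunk, add a job-level `permissions:` block with `contents: read` and `packages: write` so the token carries exactly the scope the push needs and the push does not depend on the repository's default token setting. The three actions are referenced by floating major tags (`docker/metadata-action@v5`, `docker/login-action@v3`, `docker/build-push-action@v5`); pinning each to a full commit SHA with the version in a trailing comment keeps the release build reproducible and removes the dependency on the tag staying honest. The `release-github` job header loses its `quay.io/cybozu/golang:1.20-jammy` container here, so its later `go install` step runs on the bare runner; that step is in the next hunk.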
@@ -73,19 +81,22 @@ jobs: uses: actions/download-artifact@v3 with: name: sonobuoy-test + - name: Extract tag + id: extract-tag + run: echo "tag=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT - name: Prepare files run: | mkdir /tmp/upload cp ./sonobuoy.tar.gz /tmp/upload tar xzf ./sonobuoy.tar.gz -C /tmp/upload --strip-components=4 plugins/e2e/results/global/e2e.log plugins/e2e/results/global/junit_01.xml - sed "s/vX\.Y\.Z/v${{ env.tag }}/" sonobuoy/README.md > /tmp/upload/README.md - sed "s/vX\.Y\.Z/v${{ env.tag }}/" sonobuoy/PRODUCT.yaml > /tmp/upload/PRODUCT.yaml + sed "s/vX\.Y\.Z/v${{ steps.extract-tag.outputs.tag }}/" sonobuoy/README.md > /tmp/upload/README.md + sed "s/vX\.Y\.Z/v${{ steps.extract-tag.outputs.tag }}/" sonobuoy/PRODUCT.yaml > /tmp/upload/PRODUCT.yaml GOBIN=/tmp/upload CGO_ENABLED=0 go install -buildvcs=false ./pkg/cke ./pkg/ckecli - name: Create release + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - OWNER=$(echo ${{ github.repository }} | cut -d '/' -f 1) - REPOSITORY=$(echo ${{ github.repository }} | cut -d '/' -f 2) if ${{ env.prerelease }}; then - PRERELEASE="-prerelease" + PRERELEASE="--prerelease" fi - ghr -t ${{ secrets.GITHUB_TOKEN }} -u ${OWNER} -r ${REPOSITORY} -n v${{ env.tag }} ${PRERELEASE} -b "See [CHANGELOG.md](./CHANGELOG.md) for details." v${{ env.tag }} /tmp/upload/ + gh release create v${{ steps.extract-tag.outputs.tag }} ${PRERELEASE} -t v${{ steps.extract-tag.outputs.tag }} -n "See [CHANGELOG.md](./CHANGELOG.md) for details." /tmp/upload/* diff --git a/README.md b/README.md index 5f4987c44..0b889089a 100644 --- a/README.md +++ b/README.md @@ -133,7 +133,7 @@ Usage ```console $ docker run -d --read-only \ --network host --name cke \ - quay.io/cybozu/cke:1.18 [options...] + ghcr.io/cybozu-go/cke:1.27 [options...] ``` ### Install `ckecli` and `cke-localproxy` to a host directory 
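Review bot: `gh release create` in the `Create release` step needs `contents: write` on `GITHUB_TOKEN`, and the hunk shows no `permissions:` for `release-github`; unless it is declared outside the hunk, declare `permissions:` with `contents: write` on the job, since the default token is read-only on repositories configured that way and the step would then fail only at release time. With the `golang:1.20-jammy` container removed in the previous hunk, the unchanged `GOBIN=/tmp/upload CGO_ENABLED=0 go install ...` line now uses whatever Go the `ubuntu-22.04` runner image ships; if no `actions/setup-go` step exists outside the hunk, mirror the one `release-cke-image` uses (`go-version-file: go.mod`) so the uploaded `cke`/`ckecli` binaries are built with the toolchain `go.mod` expects. Minor: quote the redirect target in the new `Extract tag` step, `run: echo "tag=${GITHUB_REF#refs/tags/v}" >> "$GITHUB_OUTPUT"`, matching shell-safe style for the rest of the workflow.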
@@ -142,13 +142,13 @@ $ docker run -d --read-only \ $ docker run --rm -u root:root \ --entrypoint /usr/local/cke/install-tools \ --mount type=bind,src=DIR,target=/host \ - quay.io/cybozu/cke:1.18 + ghcr.io/cybozu-go/cke:1.27 ``` Docker images ------------- -Docker images are available on [Quay.io](https://quay.io/repository/cybozu/cke) +Docker images are available on [ghcr.io](https://github.com/cybozu-go/cke/pkgs/container/cke) Feedback -------- diff --git a/RELEASE.md b/RELEASE.md index ba9fb9ebe..bacf4b0b8 100644 --- a/RELEASE.md +++ b/RELEASE.md @@ -74,7 +74,7 @@ It should look like: $ git push origin "v$VERSION" ``` -Then GitHub Actions automatically builds and pushes the tagged container image to [quay.io](https://quay.io/cybozu/cke). +Then GitHub Actions automatically builds and pushes the tagged container image to [ghcr.io](https://github.com/cybozu-go/cke/pkgs/container/cke). GitHub Actions also creates a GitHub release automatically after running [sonobuoy](./sonobuoy) tests. So, **DO NOT MANUALLY CREATE GITHUB RELEASES**. The test results will be attached to the GitHub diff --git a/docker/Dockerfile b/docker/Dockerfile index 5bea646ef..cbef97ac0 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -1,5 +1,5 @@ # CKE container -FROM quay.io/cybozu/ubuntu:22.04 +FROM ghcr.io/cybozu/ubuntu:22.04 COPY cke /usr/local/cke/bin/cke COPY ckecli /usr/local/cke/bin/ckecli diff --git a/docs/design.md b/docs/design.md index c5ea4de44..c19b40657 100644 --- a/docs/design.md +++ b/docs/design.md @@ -80,7 +80,7 @@ Implementation policies * Assets are compiled into Docker images. - * Third-party docker images should be mirrored on `quay.io/cybozu`. + * Third-party docker images should be mirrored on `ghcr.io/cybozu`. * CKE does not install any tools onto node OS other than containers. diff --git a/example/docker-compose.yml b/example/docker-compose.yml index f1df162c2..5749a7b57 100644 --- a/example/docker-compose.yml +++ b/example/docker-compose.yml 
@@ -19,7 +19,7 @@ services: - /entrypoint.sh setup: container_name: setup - image: quay.io/cybozu/ubuntu-debug:22.04 + image: ghcr.io/cybozu/ubuntu-debug:22.04 networks: app_net: ipv4_address: 172.30.0.12 @@ -56,7 +56,7 @@ services: - /entrypoint.sh etcd: container_name: etcd - image: quay.io/cybozu/etcd:3.5 + image: ghcr.io/cybozu/etcd:3.5 networks: app_net: ipv4_address: 172.30.0.14 diff --git a/images.go b/images.go index b10b5f55d..f33fc82ea 100644 --- a/images.go +++ b/images.go @@ -10,13 +10,13 @@ func (i Image) Name() string { // Container image definitions const ( - EtcdImage = Image("quay.io/cybozu/etcd:3.5.10.1") - KubernetesImage = Image("quay.io/cybozu/kubernetes:1.27.8.1") - ToolsImage = Image("quay.io/cybozu/cke-tools:1.27.0") - PauseImage = Image("quay.io/cybozu/pause:3.9.0.2") - CoreDNSImage = Image("quay.io/cybozu/coredns:1.11.1.1") + EtcdImage = Image("ghcr.io/cybozu/etcd:3.5.10.2") + KubernetesImage = Image("ghcr.io/cybozu/kubernetes:1.27.8.2") + ToolsImage = Image("ghcr.io/cybozu-go/cke-tools:1.27.1") + PauseImage = Image("ghcr.io/cybozu/pause:3.9.0.4") + CoreDNSImage = Image("ghcr.io/cybozu/coredns:1.11.1.2") UnboundImage = Image("ghcr.io/cybozu/unbound:1.18.0.2") - UnboundExporterImage = Image("quay.io/cybozu/unbound_exporter:0.4.4.1") + UnboundExporterImage = Image("ghcr.io/cybozu/unbound_exporter:0.4.4.2") ) // AllImages return container images list used by CKE diff --git a/mtest/Makefile b/mtest/Makefile index cd0500e7b..ef87dd8fc 100644 --- a/mtest/Makefile +++ b/mtest/Makefile @@ -42,7 +42,7 @@ OUTPUT := ./output DATA_DIR := $(abspath $(OUTPUT))/data FLATCAR_IMAGE := flatcar_production_qemu_image.img CKE_IMAGE := $(abspath $(OUTPUT))/cke.img -CKE_IMAGE_URL := quay.io/cybozu/cke:dev +CKE_IMAGE_URL := ghcr.io/cybozu-go/cke:dev CKECLUSTER := $(DATA_DIR)/cluster.yml CKECONFIG := $(abspath $(OUTPUT))/cke.yml KUBECTL := $(abspath $(OUTPUT))/kubectl diff --git a/mtest/httpd.yml b/mtest/httpd.yml index 27a935634..249b8e120 100644 
--- a/mtest/httpd.yml +++ b/mtest/httpd.yml @@ -7,5 +7,5 @@ metadata: spec: containers: - name: httpd - image: quay.io/cybozu/testhttpd:0 + image: ghcr.io/cybozu/testhttpd:0 hostNetwork: true diff --git a/mtest/kubernetes_test.go b/mtest/kubernetes_test.go index 7df7af153..a0dabc648 100644 --- a/mtest/kubernetes_test.go +++ b/mtest/kubernetes_test.go @@ -123,7 +123,7 @@ func testKubernetes() { }`, node) overrideFile := remoteTempFile(overrides) _, stderr, err = kubectl("run", - "-n="+namespace, "--image=quay.io/cybozu/ubuntu:22.04", "--overrides=\"$(cat "+overrideFile+")\"", "--restart=Never", + "-n="+namespace, "--image=ghcr.io/cybozu/ubuntu:22.04", "--overrides=\"$(cat "+overrideFile+")\"", "--restart=Never", "client", "--", "pause") Expect(err).NotTo(HaveOccurred(), "stderr: %s, err: %v", stderr, err) @@ -251,7 +251,7 @@ func testKubernetes() { }).Should(Succeed()) By("querying www.cybozu.com using node DNS from ubuntu pod") - _, stderr, err = kubectl("run", "-n="+namespace, "--image=quay.io/cybozu/ubuntu:22.04", "--restart=Never", + _, stderr, err = kubectl("run", "-n="+namespace, "--image=ghcr.io/cybozu/ubuntu:22.04", "--restart=Never", "client", "--", "pause") Expect(err).NotTo(HaveOccurred(), "stderr: %s", stderr) Eventually(func() error { diff --git a/mtest/node-ign.yml b/mtest/node-ign.yml index 40512d4b9..3befcd012 100644 --- a/mtest/node-ign.yml +++ b/mtest/node-ign.yml @@ -99,7 +99,7 @@ storage: stream_server_port = "10010" stream_idle_timeout = "4h0m0s" enable_selinux = false - sandbox_image = "quay.io/cybozu/pause:3.1" + sandbox_image = "ghcr.io/cybozu/pause:3.9" stats_collect_period = 10 systemd_cgroup = false enable_tls_streaming = false diff --git a/mtest/reboot-alittleslow-eviction-deployment.yaml b/mtest/reboot-alittleslow-eviction-deployment.yaml index 1f3d492bf..9c4554887 100644 --- a/mtest/reboot-alittleslow-eviction-deployment.yaml +++ b/mtest/reboot-alittleslow-eviction-deployment.yaml 
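Review bot: In the `mtest/node-ign.yml` hunk, `sandbox_image` moves from `pause:3.1` to `pause:3.9` on the same line as the registry switch, which is a version change rather than a rename and is not mentioned in the commit message; it deserves a line there, since the rest of the patch presents itself as a registry migration. This commit's `images.go` sets `PauseImage` to `ghcr.io/cybozu/pause:3.9.0.4`, so confirm that a `3.9` tag exists on `ghcr.io/cybozu/pause` and that it is the intended one for this config, which appears to be the containerd CRI sandbox setting (the surrounding keys are `stream_server_port`, `systemd_cgroup`, `enable_tls_streaming`) and is therefore pulled on the node rather than by CKE — worth verifying against whoever owns the mirror. The enclosing containerd config block in the ignition file starts and ends outside the hunk.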
@@ -15,7 +15,7 @@ spec: spec: containers: - name: ubuntu - image: quay.io/cybozu/ubuntu:22.04 + image: ghcr.io/cybozu/ubuntu:22.04 # Because sleep command ignores SIGTERM, # this Pod will stay Terminating state after deletion # for the time specified by terminationGracePeriodSeconds. diff --git a/mtest/reboot-deployment.yaml b/mtest/reboot-deployment.yaml index 6188b1a31..7d25efbba 100644 --- a/mtest/reboot-deployment.yaml +++ b/mtest/reboot-deployment.yaml @@ -15,7 +15,7 @@ spec: spec: containers: - name: httpd - image: quay.io/cybozu/testhttpd:0 + image: ghcr.io/cybozu/testhttpd:0 --- apiVersion: policy/v1 kind: PodDisruptionBudget diff --git a/mtest/reboot-job-completed.yaml b/mtest/reboot-job-completed.yaml index 3969300f9..49cb1d3bc 100644 --- a/mtest/reboot-job-completed.yaml +++ b/mtest/reboot-job-completed.yaml @@ -8,7 +8,7 @@ spec: spec: containers: - name: ubuntu - image: quay.io/cybozu/ubuntu:22.04 + image: ghcr.io/cybozu/ubuntu:22.04 command: ["true"] restartPolicy: Never backoffLimit: 1 diff --git a/mtest/reboot-job-running.yaml b/mtest/reboot-job-running.yaml index 186273d3f..b34398c71 100644 --- a/mtest/reboot-job-running.yaml +++ b/mtest/reboot-job-running.yaml @@ -8,7 +8,7 @@ spec: spec: containers: - name: ubuntu - image: quay.io/cybozu/ubuntu:22.04 + image: ghcr.io/cybozu/ubuntu:22.04 command: ["sleep", "3600"] restartPolicy: Never backoffLimit: 1 diff --git a/mtest/reboot-slow-eviction-deployment.yaml b/mtest/reboot-slow-eviction-deployment.yaml index eb6e16a11..cef2d9876 100644 --- a/mtest/reboot-slow-eviction-deployment.yaml +++ b/mtest/reboot-slow-eviction-deployment.yaml @@ -15,7 +15,7 @@ spec: spec: containers: - name: ubuntu - image: quay.io/cybozu/ubuntu:22.04 + image: ghcr.io/cybozu/ubuntu:22.04 # Because sleep command ignores SIGTERM, # this Pod will stay Terminating state after deletion # for the time specified by terminationGracePeriodSeconds. diff --git a/mtest/suite_test.go b/mtest/suite_test.go index 8e31a9d6d..7f70a8012 100644 
--- a/mtest/suite_test.go +++ b/mtest/suite_test.go @@ -30,7 +30,7 @@ func TestMtest(t *testing.T) { var _ = BeforeSuite(func() { img := ckeImageURL if testSuite == "upgrade" { - img = "quay.io/cybozu/cke:" + cke.Version + img = "ghcr.io/cybozu-go/cke:" + cke.Version } fmt.Println("Preparing...") diff --git a/sonobuoy/docker-compose.yml b/sonobuoy/docker-compose.yml index 522ada768..242392d17 100644 --- a/sonobuoy/docker-compose.yml +++ b/sonobuoy/docker-compose.yml @@ -2,7 +2,7 @@ version: '2' services: cke: container_name: cke - image: quay.io/cybozu/ubuntu:22.04 + image: ghcr.io/cybozu/ubuntu:22.04 networks: app_net: ipv4_address: 172.30.0.11 @@ -19,7 +19,7 @@ services: - --loglevel=debug setup: container_name: setup - image: quay.io/cybozu/ubuntu-debug:22.04 + image: ghcr.io/cybozu/ubuntu-debug:22.04 networks: app_net: ipv4_address: 172.30.0.12 @@ -56,7 +56,7 @@ services: - /entrypoint.sh etcd: container_name: etcd - image: quay.io/cybozu/etcd:3.5 + image: ghcr.io/cybozu/etcd:3.5 networks: app_net: ipv4_address: 172.30.0.14 diff --git a/static/resources.go b/static/resources.go index a7404f11d..042f05f53 100644 --- a/static/resources.go +++ b/static/resources.go 
@@ -60,8 +60,8 @@ var Resources = []cke.ResourceDefinition{ Namespace: "kube-system", Name: "node-dns", Revision: 4, - Image: "ghcr.io/cybozu/unbound:1.18.0.2,quay.io/cybozu/unbound_exporter:0.4.4.1", - Definition: []byte("kind: DaemonSet\napiVersion: apps/v1\nmetadata:\n name: node-dns\n namespace: kube-system\n annotations:\n cke.cybozu.com/image: \"ghcr.io/cybozu/unbound:1.18.0.2,quay.io/cybozu/unbound_exporter:0.4.4.1\"\n cke.cybozu.com/revision: \"4\"\nspec:\n selector:\n matchLabels:\n cke.cybozu.com/appname: node-dns\n updateStrategy:\n type: RollingUpdate\n rollingUpdate:\n maxSurge: 35%\n maxUnavailable: 0\n template:\n metadata:\n labels:\n cke.cybozu.com/appname: node-dns\n spec:\n priorityClassName: system-node-critical\n nodeSelector:\n kubernetes.io/os: linux\n hostNetwork: true\n tolerations:\n - operator: Exists\n terminationGracePeriodSeconds: 1\n containers:\n - name: unbound\n image: ghcr.io/cybozu/unbound:1.18.0.2\n args:\n - -c\n - /etc/unbound/unbound.conf\n securityContext:\n allowPrivilegeEscalation: false\n capabilities:\n add:\n - NET_BIND_SERVICE\n drop:\n - all\n readOnlyRootFilesystem: true\n readinessProbe:\n tcpSocket:\n port: 53\n host: localhost\n periodSeconds: 1\n livenessProbe:\n tcpSocket:\n port: 53\n host: localhost\n periodSeconds: 1\n initialDelaySeconds: 1\n failureThreshold: 6\n volumeMounts:\n - name: config-volume\n mountPath: /etc/unbound\n - name: var-run-unbound\n mountPath: /var/run/unbound\n - name: reload\n image: ghcr.io/cybozu/unbound:1.18.0.2\n command:\n - /usr/local/bin/reload-unbound\n securityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - all\n readOnlyRootFilesystem: true\n volumeMounts:\n - name: config-volume\n mountPath: /etc/unbound\n - name: var-run-unbound\n mountPath: /var/run/unbound\n - name: exporter\n image: quay.io/cybozu/unbound_exporter:0.4.4.1\n args:\n # must be same with the path written in /op/nodedns/nodedns.go\n - 
--unbound.host=unix:///var/run/unbound/unbound.sock\n - --web.reuse-port=true\n securityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - all\n readOnlyRootFilesystem: true\n volumeMounts:\n - name: var-run-unbound\n mountPath: /var/run/unbound\n volumes:\n - name: config-volume\n configMap:\n name: node-dns\n items:\n - key: unbound.conf\n path: unbound.conf\n - name: var-run-unbound\n emptyDir: {}\n"), + Image: "ghcr.io/cybozu/unbound:1.18.0.2,ghcr.io/cybozu/unbound_exporter:0.4.4.2", + Definition: []byte("kind: DaemonSet\napiVersion: apps/v1\nmetadata:\n name: node-dns\n namespace: kube-system\n annotations:\n cke.cybozu.com/image: \"ghcr.io/cybozu/unbound:1.18.0.2,ghcr.io/cybozu/unbound_exporter:0.4.4.2\"\n cke.cybozu.com/revision: \"4\"\nspec:\n selector:\n matchLabels:\n cke.cybozu.com/appname: node-dns\n updateStrategy:\n type: RollingUpdate\n rollingUpdate:\n maxSurge: 35%\n maxUnavailable: 0\n template:\n metadata:\n labels:\n cke.cybozu.com/appname: node-dns\n spec:\n priorityClassName: system-node-critical\n nodeSelector:\n kubernetes.io/os: linux\n hostNetwork: true\n tolerations:\n - operator: Exists\n terminationGracePeriodSeconds: 1\n containers:\n - name: unbound\n image: ghcr.io/cybozu/unbound:1.18.0.2\n args:\n - -c\n - /etc/unbound/unbound.conf\n securityContext:\n allowPrivilegeEscalation: false\n capabilities:\n add:\n - NET_BIND_SERVICE\n drop:\n - all\n readOnlyRootFilesystem: true\n readinessProbe:\n tcpSocket:\n port: 53\n host: localhost\n periodSeconds: 1\n livenessProbe:\n tcpSocket:\n port: 53\n host: localhost\n periodSeconds: 1\n initialDelaySeconds: 1\n failureThreshold: 6\n volumeMounts:\n - name: config-volume\n mountPath: /etc/unbound\n - name: var-run-unbound\n mountPath: /var/run/unbound\n - name: reload\n image: ghcr.io/cybozu/unbound:1.18.0.2\n command:\n - /usr/local/bin/reload-unbound\n securityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - all\n readOnlyRootFilesystem: true\n 
volumeMounts:\n - name: config-volume\n mountPath: /etc/unbound\n - name: var-run-unbound\n mountPath: /var/run/unbound\n - name: exporter\n image: ghcr.io/cybozu/unbound_exporter:0.4.4.2\n args:\n # must be same with the path written in /op/nodedns/nodedns.go\n - --unbound.host=unix:///var/run/unbound/unbound.sock\n - --web.reuse-port=true\n securityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - all\n readOnlyRootFilesystem: true\n volumeMounts:\n - name: var-run-unbound\n mountPath: /var/run/unbound\n volumes:\n - name: config-volume\n configMap:\n name: node-dns\n items:\n - key: unbound.conf\n path: unbound.conf\n - name: var-run-unbound\n emptyDir: {}\n"), }, { Key: "Deployment/kube-system/cluster-dns", 
@@ -69,8 +69,8 @@ var Resources = []cke.ResourceDefinition{ Namespace: "kube-system", Name: "cluster-dns", Revision: 4, - Image: "quay.io/cybozu/coredns:1.11.1.1", - Definition: []byte("\nkind: Deployment\napiVersion: apps/v1\nmetadata:\n name: cluster-dns\n namespace: kube-system\n annotations:\n cke.cybozu.com/image: \"quay.io/cybozu/coredns:1.11.1.1\"\n cke.cybozu.com/revision: \"4\"\nspec:\n replicas: 2\n strategy:\n type: RollingUpdate\n rollingUpdate:\n maxUnavailable: 1\n selector:\n matchLabels:\n cke.cybozu.com/appname: cluster-dns\n template:\n metadata:\n labels:\n cke.cybozu.com/appname: cluster-dns\n k8s-app: coredns # sonobuoy requires\n annotations:\n prometheus.io/port: \"9153\"\n spec:\n priorityClassName: system-cluster-critical\n serviceAccountName: cke-cluster-dns\n tolerations:\n - key: node-role.kubernetes.io/master\n effect: NoSchedule\n - key: \"CriticalAddonsOnly\"\n operator: \"Exists\"\n - key: kubernetes.io/e2e-evict-taint-key\n operator: Exists\n # for sonobuoy https://github.com/vmware-tanzu/sonobuoy/pull/878\n containers:\n - name: coredns\n image: quay.io/cybozu/coredns:1.11.1.1\n imagePullPolicy: IfNotPresent\n resources:\n requests:\n cpu: 100m\n memory: 70Mi\n args: [ \"-conf\", \"/etc/coredns/Corefile\" ]\n lifecycle:\n preStop:\n exec:\n command: [\"sh\", \"-c\", \"sleep 5\"]\n volumeMounts:\n - name: config-volume\n mountPath: /etc/coredns\n readOnly: true\n ports:\n - containerPort: 1053\n name: dns\n protocol: UDP\n - containerPort: 1053\n name: dns-tcp\n protocol: TCP\n - containerPort: 9153\n name: metrics\n protocol: TCP\n securityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - all\n readOnlyRootFilesystem: true\n readinessProbe:\n httpGet:\n path: /ready\n port: 8181\n scheme: HTTP\n livenessProbe:\n httpGet:\n path: /health\n port: 8080\n scheme: HTTP\n initialDelaySeconds: 60\n timeoutSeconds: 5\n successThreshold: 1\n failureThreshold: 5\n dnsPolicy: Default\n volumes:\n - name: config-volume\n 
configMap:\n name: cluster-dns\n items:\n - key: Corefile\n path: Corefile\n affinity:\n podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - labelSelector:\n matchLabels:\n cke.cybozu.com/appname: cluster-dns\n topologyKey: \"kubernetes.io/hostname\"\n"), + Image: "ghcr.io/cybozu/coredns:1.11.1.2", + Definition: []byte("\nkind: Deployment\napiVersion: apps/v1\nmetadata:\n name: cluster-dns\n namespace: kube-system\n annotations:\n cke.cybozu.com/image: \"ghcr.io/cybozu/coredns:1.11.1.2\"\n cke.cybozu.com/revision: \"4\"\nspec:\n replicas: 2\n strategy:\n type: RollingUpdate\n rollingUpdate:\n maxUnavailable: 1\n selector:\n matchLabels:\n cke.cybozu.com/appname: cluster-dns\n template:\n metadata:\n labels:\n cke.cybozu.com/appname: cluster-dns\n k8s-app: coredns # sonobuoy requires\n annotations:\n prometheus.io/port: \"9153\"\n spec:\n priorityClassName: system-cluster-critical\n serviceAccountName: cke-cluster-dns\n tolerations:\n - key: node-role.kubernetes.io/master\n effect: NoSchedule\n - key: \"CriticalAddonsOnly\"\n operator: \"Exists\"\n - key: kubernetes.io/e2e-evict-taint-key\n operator: Exists\n # for sonobuoy https://github.com/vmware-tanzu/sonobuoy/pull/878\n containers:\n - name: coredns\n image: ghcr.io/cybozu/coredns:1.11.1.2\n imagePullPolicy: IfNotPresent\n resources:\n requests:\n cpu: 100m\n memory: 70Mi\n args: [ \"-conf\", \"/etc/coredns/Corefile\" ]\n lifecycle:\n preStop:\n exec:\n command: [\"sh\", \"-c\", \"sleep 5\"]\n volumeMounts:\n - name: config-volume\n mountPath: /etc/coredns\n readOnly: true\n ports:\n - containerPort: 1053\n name: dns\n protocol: UDP\n - containerPort: 1053\n name: dns-tcp\n protocol: TCP\n - containerPort: 9153\n name: metrics\n protocol: TCP\n securityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - all\n readOnlyRootFilesystem: true\n readinessProbe:\n httpGet:\n path: /ready\n port: 8181\n scheme: HTTP\n livenessProbe:\n httpGet:\n path: /health\n port: 8080\n scheme: 
HTTP\n initialDelaySeconds: 60\n timeoutSeconds: 5\n successThreshold: 1\n failureThreshold: 5\n dnsPolicy: Default\n volumes:\n - name: config-volume\n configMap:\n name: cluster-dns\n items:\n - key: Corefile\n path: Corefile\n affinity:\n podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - labelSelector:\n matchLabels:\n cke.cybozu.com/appname: cluster-dns\n topologyKey: \"kubernetes.io/hostname\"\n"), }, { Key: "PodDisruptionBudget/kube-system/cluster-dns-pdb",