From 425553d390635816a942144f67c758b5d8526485 Mon Sep 17 00:00:00 2001
From: Ian Campbell
Date: Thu, 9 Nov 2017 11:02:12 +0000
Subject: [PATCH 1/6] kubernetes: better tolerate bad contents of /etc/kubeadm/kube-system.init/ Specifically ignore present-but-empty files entirely and ignore (but log) failure to apply any one file. Ignoring an empty file is useful because it means you can clobber a file which might be referenced from an images binds without needing to override those binds (since that generally means duplicating the whole lot which is annoying). Ignoring any failures to apply means the rest gets applied and the rest of the script (including untaint and the stamp file creation) still happen, resulting in a system where the admin just has to address the failures rather than the remaining updates. We touch a file to indicate failure generally plus one to indicate the specific yaml which failed to apply.
Signed-off-by: Ian Campbell
---
 projects/kubernetes/kubernetes/kubeadm-init.sh | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/projects/kubernetes/kubernetes/kubeadm-init.sh b/projects/kubernetes/kubernetes/kubeadm-init.sh
index 87feee6f6..61530c671 100755
--- a/projects/kubernetes/kubernetes/kubeadm-init.sh
+++ b/projects/kubernetes/kubernetes/kubeadm-init.sh
@@ -11,9 +11,19 @@ else
 kubeadm init --skip-preflight-checks --kubernetes-version @KUBERNETES_VERSION@ $@
 fi
 for i in /etc/kubeadm/kube-system.init/*.yaml ; do
+ n=$(basename "$i")
 if [ -e "$i" ] ; then
- echo "Applying "$(basename "$i")
- kubectl create -n kube-system -f "$i"
+ if [ ! -s "$i" ] ; then # ignore zero sized files
+ echo "Ignoring zero size file $n"
+ continue
+ fi
+ echo "Applying $n"
+ if ! kubectl create -n kube-system -f "$i" ; then
+ touch /var/lib/kubeadm/.kubeadm-init.sh-kube-system.init-failed
+ touch /var/lib/kubeadm/.kubeadm-init.sh-kube-system.init-"$n"-failed
+ echo "Failed to apply $n"
+ continue
+ fi
 fi
 done
 if [ -f /var/config/kubeadm/untaint-master ] ; then
From 22cdd22184223770d07707af90b02e634f3c3131 Mon Sep 17 00:00:00 2001
From: Ian Campbell
Date: Thu, 9 Nov 2017 11:23:45 +0000
Subject: [PATCH 2/6] kubernetes: Only build the relevant image for the platform Building both BIOS and EFI variants is a waste of time in most cases, instead just build whichever one is relevant to the platform (which currently means EFI on Darwin and BIOS everywhere else). At the same time make it possible to pass "KUBE_FORMATS" (a space separated list of targets) to the build e.g. `make KUBE_FORMATS="iso-efi iso-bios"` will preserve the behaviour prior to this patch.
Signed-off-by: Ian Campbell
---
 projects/kubernetes/Makefile | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/projects/kubernetes/Makefile b/projects/kubernetes/Makefile
index b0b5b4f29..f76c47b92 100644
--- a/projects/kubernetes/Makefile
+++ b/projects/kubernetes/Makefile
@@ -4,6 +4,13 @@ KUBE_NETWORK ?= weave-v2.0.5
 INIT_YAML ?=
 INIT_YAML += network.yaml
+ifeq ($(shell uname -s),"Darwin")
+KUBE_FORMATS ?= iso-efi
+endif
+KUBE_FORMATS ?= iso-bios
+
+KUBE_FORMAT_ARGS := $(patsubst %,-format %,$(KUBE_FORMATS))
+
 all: build-container-images build-vm-images
 build-container-images:
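Review bot: A failed `kubectl create` inside the loop is now reported only on stdout and through hidden marker files under /var/lib/kubeadm, while the loop carries on to the untaint check whose `if` is the last line of this hunk (the rest of the script is outside it). If one of the kube-system.init manifests is something the cluster's security depends on, such as RBAC or a network policy, the node presumably still comes up and gets its stamp file without it. I would send the message to stderr with `echo "Failed to apply $n" >&2`, and add a comment above the loop along the lines of `# NB: a failed apply is recorded in /var/lib/kubeadm/.kubeadm-init.sh-kube-system.init-*-failed and is not fatal`, so that whoever monitors the node knows which files to check.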
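Review bot: The platform test `ifeq ($(shell uname -s),"Darwin")` can never be true, because GNU make compares the two arguments of the parenthesised form literally and the quotes become part of the second one. On macOS `uname -s` prints Darwin without quotes, so KUBE_FORMATS always falls through to `iso-bios` and the EFI default described in the commit message is never selected. Drop the quotes: `ifeq ($(shell uname -s),Darwin)`. The same line is carried unchanged as context in the later Makefile hunk `@@ -1,8 +1,7 @@`.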
@@ -20,10 +27,10 @@ build-vm-images: kube-master.iso kube-node.iso
 # NB cannot use $^ because $(INIT_YAML) is not for consumption by "moby build"
 kube-master.iso: kube.yml $(KUBE_RUNTIME).yml $(KUBE_RUNTIME)-master.yml $(INIT_YAML)
- moby build -name kube-master -format iso-efi -format iso-bios kube.yml $(KUBE_RUNTIME).yml $(KUBE_RUNTIME)-master.yml
+ moby build -name kube-master $(KUBE_FORMAT_ARGS) kube.yml $(KUBE_RUNTIME).yml $(KUBE_RUNTIME)-master.yml
 kube-node.iso: kube.yml $(KUBE_RUNTIME).yml
- moby build -name kube-node -format iso-efi -format iso-bios $^
+ moby build -name kube-node $(KUBE_FORMAT_ARGS) $^
 network.yaml: $(KUBE_NETWORK).yaml
 ln -nf $< $@
From ed0e79aa9d4120fa21991ab09d4840a60429b36a Mon Sep 17 00:00:00 2001
From: Ian Campbell
Date: Thu, 9 Nov 2017 11:34:26 +0000
Subject: [PATCH 3/6] kubernetes: Refactor network provider selection KUBE_NETWORK now specifies a yml which is passed to the Moby tool, which can introduce files into /etc/kubeadm/kube-system.init/ or do other things as it likes. In the case of weave this just adds the weave yaml to that directory. To avoid too much confusion between weave.yml (Moby tool input) and `weave.yaml` (the kubernetes `ServiceAccount`, `DeamonsSet` etc object specs) name the latter `kube-weave.yaml`.
Signed-off-by: Ian Campbell
---
 projects/kubernetes/.gitignore | 3 +--
 projects/kubernetes/Makefile | 21 +++++++++------------
 projects/kubernetes/kube.yml | 4 ++--
 projects/kubernetes/weave.yml | 3 +++
 4 files changed, 15 insertions(+), 16 deletions(-)
 create mode 100644 projects/kubernetes/weave.yml
diff --git a/projects/kubernetes/.gitignore b/projects/kubernetes/.gitignore
index 6af0a22b7..8c1442c10 100644
--- a/projects/kubernetes/.gitignore
+++ b/projects/kubernetes/.gitignore
@@ -2,5 +2,4 @@ image-cache/common/*.tar
 image-cache/common/Dockerfile
 image-cache/control-plane/*.tar
 image-cache/control-plane/Dockerfile
-weave.yaml
-network.yaml
+kube-weave.yaml
diff --git a/projects/kubernetes/Makefile b/projects/kubernetes/Makefile
index f76c47b92..52042d299 100644
--- a/projects/kubernetes/Makefile
+++ b/projects/kubernetes/Makefile
@@ -1,8 +1,7 @@
 KUBE_RUNTIME ?= docker
-KUBE_NETWORK ?= weave-v2.0.5
+KUBE_NETWORK ?= weave
-INIT_YAML ?=
-INIT_YAML += network.yaml
+KUBE_NETWORK_WEAVE ?= v2.0.5
 ifeq ($(shell uname -s),"Darwin")
 KUBE_FORMATS ?= iso-efi
@@ -25,21 +24,19 @@ push-container-images:
 build-vm-images: kube-master.iso kube-node.iso
-# NB cannot use $^ because $(INIT_YAML) is not for consumption by "moby build"
-kube-master.iso: kube.yml $(KUBE_RUNTIME).yml $(KUBE_RUNTIME)-master.yml $(INIT_YAML)
- moby build -name kube-master $(KUBE_FORMAT_ARGS) kube.yml $(KUBE_RUNTIME).yml $(KUBE_RUNTIME)-master.yml
+kube-master.iso: kube.yml $(KUBE_RUNTIME).yml $(KUBE_RUNTIME)-master.yml $(KUBE_NETWORK).yml
+ moby build -name kube-master $(KUBE_FORMAT_ARGS) $^
-kube-node.iso: kube.yml $(KUBE_RUNTIME).yml
+kube-node.iso: kube.yml $(KUBE_RUNTIME).yml $(KUBE_NETWORK).yml
 moby build -name kube-node $(KUBE_FORMAT_ARGS) $^
-network.yaml: $(KUBE_NETWORK).yaml
- ln -nf $< $@
+weave.yml: kube-weave.yaml
-weave-%.yaml:
- curl -L -o $@ https://cloud.weave.works/k8s/v1.8/net?v=$*
+kube-weave.yaml:
+ curl -L -o $@ https://cloud.weave.works/k8s/v1.8/net?v=$(KUBE_NETWORK_WEAVE)
 clean:
 rm -f -r \
 kube-*-kernel kube-*-cmdline kube-*-state kube-*-initrd.img *.iso \
- weave-*.yaml network.yaml
+ kube-weave.yaml
 $(MAKE) -C image-cache clean
diff --git a/projects/kubernetes/kube.yml b/projects/kubernetes/kube.yml
index c8ee4edf5..a1e66c003 100644
--- a/projects/kubernetes/kube.yml
+++ b/projects/kubernetes/kube.yml
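Review bot: The `kube-weave.yaml` recipe in the `@@ -25,21 +24,19 @@` hunk stores whatever `curl -L` receives, and per the commit message that file is meant to land in /etc/kubeadm/kube-system.init/ where it is applied to kube-system, yet nothing checks what was downloaded. Without `-f` an HTTP error body is written to `$@` and make then treats the target as up to date, and the unquoted `?` in the URL is a shell glob character. I would use `curl -fL -o $@ 'https://cloud.weave.works/k8s/v1.8/net?v=$(KUBE_NETWORK_WEAVE)'` and compare the result against a checksum kept in the repository for each supported KUBE_NETWORK_WEAVE value before the image is built. A short comment above the rule saying that this manifest is fetched at build time and baked into the image would also help whoever audits the build inputs.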
@@ -47,8 +47,8 @@ files:
 PRETTY_NAME="LinuxKit Kubernetes Project"
 - path: /usr/libexec/kubernetes/kubelet-plugins
 symlink: "/var/lib/kubelet-plugins"
- - path: /etc/kubeadm/kube-system.init/50-network.yaml
- source: network.yaml
+ - path: /etc/kubeadm/
+ directory: true
 - path: /etc/sysctl.d/01-kubernetes.conf
 contents: 'net.ipv4.ip_forward = 1'
 - path: /opt/cni
diff --git a/projects/kubernetes/weave.yml b/projects/kubernetes/weave.yml
new file mode 100644
index 000000000..c410bf747
--- /dev/null
+++ b/projects/kubernetes/weave.yml
@@ -0,0 +1,3 @@
+files:
+ - path: /etc/kubeadm/kube-system.init/50-weave.yaml
+ source: weave-sa.yaml
From cf01aa4c8d9bb3cf0a532c021e388339839fe288 Mon Sep 17 00:00:00 2001
From: Ian Campbell
Date: Tue, 7 Nov 2017 10:51:54 +0000
Subject: [PATCH 4/6] kubernetes: Add a simple bridged option for KUBE_NETWORK This has no kube object(s) but just arranges for the CNI configuration to be written in the right place. The CNI bridge, loopback etc binaries are already included since they are in the reference set.
Signed-off-by: Ian Campbell
---
 projects/kubernetes/bridge.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 projects/kubernetes/bridge.yml
diff --git a/projects/kubernetes/bridge.yml b/projects/kubernetes/bridge.yml
new file mode 100644
index 000000000..9f9c66aae
--- /dev/null
+++ b/projects/kubernetes/bridge.yml
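Review bot: The new weave.yml takes its `source:` from `weave-sa.yaml`, but nothing in this series creates a file of that name: the Makefile hunk in the same commit downloads `kube-weave.yaml`, makes `weave.yml` depend on it, and lists it in .gitignore and `clean`. Unless weave-sa.yaml is produced somewhere outside this patch, the build either fails or picks up a stale local file instead of the manifest that was just fetched. It probably should read `source: kube-weave.yaml`.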
@@ -0,0 +1,8 @@
+onboot:
+ - name: bridge
+ image: busybox:latest
+ command: ["/bin/sh", "-c", "set -ex; echo '{\"cniVersion\":\"0.3.1\",\"name\":\"default\",\"plugins\":[{\"type\":\"bridge\",\"bridge\":\"cni0\",\"isDefaultGateway\":true,\"ipMasq\":false,\"hairpinMode\":true,\"ipam\":{\"type\":\"host-local\",\"subnet\":\"10.1.0.0/16\",\"gateway\":\"10.1.0.1\"},\"dns\":{\"nameservers\":[\"10.1.0.1\"]}},{\"type\":\"portmap\",\"capabilities\":{\"portMappings\":true},\"snat\":true}]}' > /var/lib/cni/etc/net.d/10-default.conflist; echo '{\"cniVersion\":\"0.2.0\",\"type\":\"loopback\"}' > /var/lib/cni/etc/net.d/99-loopback.conf"]
+ runtime:
+ mkdir: ["/var/lib/cni/etc/net.d"]
+ binds:
+ - /var/lib:/var/lib
From c08c77e3c870f43aada295813ffbf5e90da00f93 Mon Sep 17 00:00:00 2001
From: Ian Campbell
Date: Fri, 10 Nov 2017 10:07:39 +0000
Subject: [PATCH 5/6] kubernetes: bump to cri-containerd master This includes a bump to use containerd v1.0.0-beta.3.
Signed-off-by: Ian Campbell
---
 projects/kubernetes/cri-containerd/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/projects/kubernetes/cri-containerd/Dockerfile b/projects/kubernetes/cri-containerd/Dockerfile
index 12d02b7e0..9c71512f4 100644
--- a/projects/kubernetes/cri-containerd/Dockerfile
+++ b/projects/kubernetes/cri-containerd/Dockerfile
@@ -16,7 +16,7 @@ ENV GOPATH=/go PATH=$PATH:/go/bin
 ENV CRI_CONTAINERD_URL https://github.com/kubernetes-incubator/cri-containerd.git
 #ENV CRI_CONTAINERD_BRANCH pull/NNN/head
-ENV CRI_CONTAINERD_COMMIT v1.0.0-alpha.1
+ENV CRI_CONTAINERD_COMMIT ac8b0979fa634703e0a8d03df03eb51774fcff3d
 RUN mkdir -p $GOPATH/src/github.com/kubernetes-incubator && \
 cd $GOPATH/src/github.com/kubernetes-incubator && \
 git clone $CRI_CONTAINERD_URL cri-containerd
From e7327db49f2acd6670e58743e7326aa24124e4ac Mon Sep 17 00:00:00 2001
From: Ian Campbell
Date: Fri, 10 Nov 2017 14:51:23 +0000
Subject: [PATCH 6/6] kubernetes: bump yaml
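Review bot: The bridge onboot container in the new bridge.yml uses `image: busybox:latest`, a mutable tag, whereas the other images visible in this series are pinned to a content hash (for example `linuxkit/sshd:b7f21ef1b13300a994e35eac3644e4f84f0ada8a`), so the code that runs at boot with a host bind mount can change between builds. Pin it, e.g. `image: busybox@sha256:<digest-of-the-reviewed-image>`. The bind `/var/lib:/var/lib` also exposes all of the host's /var/lib to a container that only writes two files under /var/lib/cni/etc/net.d. A narrower `- /var/lib/cni/etc/net.d:/var/lib/cni/etc/net.d` looks sufficient given the `mkdir` entry, though that depends on the runtime creating the directory before the bind is set up, which is worth confirming.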
Signed-off-by: Ian Campbell
---
 projects/kubernetes/cri-containerd.yml | 2 +-
 projects/kubernetes/kube.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/projects/kubernetes/cri-containerd.yml b/projects/kubernetes/cri-containerd.yml
index 448dc763c..26f04c75f 100644
--- a/projects/kubernetes/cri-containerd.yml
+++ b/projects/kubernetes/cri-containerd.yml
@@ -1,6 +1,6 @@
 services:
 - name: cri-containerd
- image: linuxkitprojects/cri-containerd:7059f247c4135c75722047a2ce2fe6119a0e1681
+ image: linuxkitprojects/cri-containerd:72863deaa81a749fe8ff72bd69f863bab719aa06
 files:
 - path: /etc/kubelet.sh.conf
 contents: |
diff --git a/projects/kubernetes/kube.yml b/projects/kubernetes/kube.yml
index a1e66c003..3cc61ca20 100644
--- a/projects/kubernetes/kube.yml
+++ b/projects/kubernetes/kube.yml
@@ -36,7 +36,7 @@ services:
 - name: sshd
 image: linuxkit/sshd:b7f21ef1b13300a994e35eac3644e4f84f0ada8a
 - name: kubelet
- image: linuxkitprojects/kubernetes:4d8ef8789cc04cb0e8cf42dc3f34e03ec70daf3d
+ image: linuxkitprojects/kubernetes:a2693a182f9038d6ac5f7309f4678a9ad11d39ca
 files:
 - path: etc/linuxkit.yml
 metadata: yaml