Fixed cri-o and falco installation

jecnua · Mar 6, 2024 · f045379 · f045379
1 parent 342d172
commit f045379
Show file tree

Hide file tree

Showing 7 changed files with 29 additions and 45 deletions.
diff --git a/modules/controllers/scripts/bootstrap.sh b/modules/controllers/scripts/bootstrap.sh
@@ -164,16 +164,16 @@ EOF
 
 	cd /home/$KCTL_USER || exit
 	mkdir -p /home/$KCTL_USER/.kube
-	sudo cp -i /etc/kubernetes/admin.conf /home/$KCTL_USER/.kube/config
-	sudo chown "$KCTL_USER":"$KCTL_USER" -R /home/$KCTL_USER/.kube
+	cp -i /etc/kubernetes/admin.conf /home/$KCTL_USER/.kube/config
+	chown "$KCTL_USER":"$KCTL_USER" -R /home/$KCTL_USER/.kube
 	echo "export KUBECONFIG=/home/$KCTL_USER/.kube/config" | tee -a /home/$KCTL_USER/.bashrc
 
 	# So now this is tricky! Sometimes when starting up, when you try to apply what follows it will fails because
 	# the call through the load balancer does not go through. To fix this, I cam creating a copy of the kubeconfig file
 	# which doesn't use the LB and I will use this to configure the CNI and signer
 	cp /home/$KCTL_USER/.kube/config /home/$KCTL_USER/.kube/local
 	sed -i "s|$LB_DNS_NAME|127.0.0.1|g" /home/$KCTL_USER/.kube/local
-	sudo chown $KCTL_USER:$KCTL_USER /home/$KCTL_USER/.kube/local
+	chown $KCTL_USER:$KCTL_USER /home/$KCTL_USER/.kube/local
 
 	# Mabel the master
 	su "$KCTL_USER" -c "KUBECONFIG=/home/$KCTL_USER/.kube/local kubectl label --overwrite no $AWS_HOSTNAME node-role.kubernetes.io/master=true"

diff --git a/modules/cri/CHANGELOG.md b/modules/cri/CHANGELOG.md
@@ -6,13 +6,14 @@
 
 ### Features & Changes
 
-- Updated to version 1.29
+- Updated cri-o version to latest
+- Updated cri-o installation method
+- Generic cleanup of cri-o installation script
 
 ### Bugfixes
 
 ### Known bugs/issues
 
-
 ## 6.0.0
 
 ### Breaking changes

diff --git a/modules/cri/cri-o/00-variables_defaults.tf b/modules/cri/cri-o/00-variables_defaults.tf
@@ -1,4 +1,4 @@
-variable "crio_version" {
+variable "kubernetes_version" {
   type        = string
   description = "Version to install"
   default     = "1.29"

diff --git a/modules/cri/cri-o/01-main.tf b/modules/cri/cri-o/01-main.tf
@@ -1,7 +1,7 @@
 data "template_file" "bootstrap_k8s_cri_installation_docker" {
   template = file("${path.module}/scripts/cri-o.sh")
   vars = {
-    crio_version = var.crio_version
+    kubernetes_version = var.kubernetes_version
   }
 }
 

diff --git a/modules/cri/cri-o/scripts/cri-o.sh b/modules/cri/cri-o/scripts/cri-o.sh
@@ -18,46 +18,23 @@ EOF
 # Apply sysctl params without reboot
 sysctl --system
 
-## Compile crio-o
-
-DEBIAN_FRONTEND=noninteractive apt-get install -y \
-  libvirt-clients \
-  golang \
-  libdevmapper-dev \
-  lvm2 \
-  make
-#git clone https://github.com/cri-o/cri-o.git
-#cd cri-o || exit 1
-#git checkout v1.21.0
-#sed -i 's/- exclude_graphdriver_devicemapper/# - exclude_graphdriver_devicemapper/g' .golangci.yml
-#make install
-
-## Install via apt
-
-. /etc/lsb-release
-OS='x'$DISTRIB_ID'_'$DISTRIB_RELEASE
-VERSION=${crio_version}
-
-echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/ /" > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
-echo "deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/$VERSION/$OS/ /" > "/etc/apt/sources.list.d/devel:kubic:libcontainers:stable:cri-o:$VERSION.list"
-
-curl -L "https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:$VERSION/$OS/Release.key" | apt-key add -
-curl -L "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/Release.key" | apt-key add -
-
+# Install via apt
+# https://github.com/cri-o/packaging
 apt-get update
-DEBIAN_FRONTEND=noninteractive apt-get install -y cri-o cri-o-runc cri-tools
-
-##
-
-sed -i 's|conmon = ""|conmon = "/usr/bin/conmon"|g' /etc/crio/crio.conf
-
-systemctl status crio
-
+apt-get install -y software-properties-common curl
+KUBERNETES_VERSION=v${kubernetes_version}
+PROJECT_PATH=prerelease:/main
+curl -fsSL https://pkgs.k8s.io/addons:/cri-o:/$PROJECT_PATH/deb/Release.key |
+    gpg --dearmor -o /etc/apt/keyrings/cri-o-apt-keyring.gpg
+echo "deb [signed-by=/etc/apt/keyrings/cri-o-apt-keyring.gpg] https://pkgs.k8s.io/addons:/cri-o:/$PROJECT_PATH/deb/ /" |
+    tee /etc/apt/sources.list.d/cri-o.list
+apt-get update
+apt-get install -y cri-o
 systemctl enable crio.service
 systemctl start crio.service
 systemctl status crio.service
-
 crictl info
+crio status info
 
 # TODO: Move it to node configuration?
 # Preferably, the user should use

diff --git a/modules/nodes/CHANGELOG.md b/modules/nodes/CHANGELOG.md
@@ -5,6 +5,7 @@
 ### Features & Changes
 
 - Moved to opentofu. The last version tested on terraform (1.5.5) is v8.0.0.
+- Updated falco installation method
 
 ### Bugfixes
 

diff --git a/modules/nodes/scripts/bootstrap.sh b/modules/nodes/scripts/bootstrap.sh
@@ -75,10 +75,15 @@ apt install -y \
 apt-mark hold kubelet kubeadm kubectl kubernetes-cni
 
 # Install falco
-curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add -
-echo "deb https://download.falco.org/packages/deb stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list
+curl -fsSL https://falco.org/repo/falcosecurity-packages.asc | \
+	gpg --dearmor -o /usr/share/keyrings/falco-archive-keyring.gpg
+echo "deb [signed-by=/usr/share/keyrings/falco-archive-keyring.gpg] https://download.falco.org/packages/deb stable main" | \
+	tee -a /etc/apt/sources.list.d/falcosecurity.list
 apt update -y
-apt -y install "linux-headers-$(uname -r)"
+apt install -y dkms make linux-headers-$(uname -r)
+# If you use falcoctl driver loader to build the eBPF probe locally you need also clang toolchain
+apt install -y clang llvm
+
 apt install -y falco
 systemctl start falco
 systemctl status falco