From 0f77055f63ff8c28d8f275e4c4cfbc6c78c84237 Mon Sep 17 00:00:00 2001
From: John Gardiner Myers
Date: Thu, 11 Jun 2020 22:47:53 -0700
Subject: [PATCH] Issue kops cert in nodeup
---
 nodeup/pkg/model/protokube.go | 10 +-
 nodeup/pkg/model/protokube_test.go | 62 +++---------
 .../tests/protokube/containerd/cluster.yaml | 9 +-
 .../protokube/containerd/tasks-protokube.yaml | 99 +++++++++++++++++++
 .../tests/protokube/containerd/tasks.yaml | 21 ----
 .../model/tests/protokube/docker/cluster.yaml | 5 +-
 .../protokube/docker/tasks-protokube.yaml | 26 +++++
 .../model/tests/protokube/docker/tasks.yaml | 21 ----
 pkg/model/pki.go | 12 ---
 9 files changed, 155 insertions(+), 110 deletions(-)
 create mode 100644 nodeup/pkg/model/tests/protokube/containerd/tasks-protokube.yaml
 delete mode 100644 nodeup/pkg/model/tests/protokube/containerd/tasks.yaml
 create mode 100644 nodeup/pkg/model/tests/protokube/docker/tasks-protokube.yaml
 delete mode 100644 nodeup/pkg/model/tests/protokube/docker/tasks.yaml
diff --git a/nodeup/pkg/model/protokube.go b/nodeup/pkg/model/protokube.go
index 98ed29c305..342c82f4fc 100644
--- a/nodeup/pkg/model/protokube.go
+++ b/nodeup/pkg/model/protokube.go
@@ -29,6 +29,7 @@ import (
 "k8s.io/kops/pkg/assets"
 "k8s.io/kops/pkg/dns"
 "k8s.io/kops/pkg/flagbuilder"
+ "k8s.io/kops/pkg/rbac"
 "k8s.io/kops/pkg/systemd"
 "k8s.io/kops/upup/pkg/fi"
 "k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
@@ -65,14 +66,15 @@ func (t *ProtokubeBuilder) Build(c *fi.ModelBuilderContext) error {
 }
 if t.IsMaster {
- kubeconfig, err := t.BuildPKIKubeconfig("kops")
- if err != nil {
- return err
+ name := nodetasks.PKIXName{
+ CommonName: "kops",
+ Organization: []string{rbac.SystemPrivilegedGroup},
 }
+ kubeconfig := t.BuildIssuedKubeconfig("kops", name, c)
 c.AddTask(&nodetasks.File{
 Path: "/var/lib/kops/kubeconfig",
- Contents: fi.NewStringResource(kubeconfig),
+ Contents: kubeconfig,
 Type: nodetasks.FileType_File,
 Mode: s("0400"),
 })
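Review bot: The `name :=` block issues protokube a client certificate in `rbac.SystemPrivilegedGroup` (system:masters), which the API server treats as an RBAC bypass, and nothing at the call site records why that privilege level is needed or that the key is now generated and signed on the master node rather than centrally. A comment such as `// protokube initializes RBAC and manages etcd, so it needs a system:masters client cert; it is issued by the node-side CA task and only on masters (t.IsMaster).` would help the next reader keep this scope from widening. The File task sets `Mode: s("0400")` but no owner; presumably root is intended, since protokube reads it through /rootfs, but that is worth stating. BuildIssuedKubeconfig returns no error here, unlike the replaced BuildPKIKubeconfig, so if it can fail (e.g. a missing CA) that now surfaces only when the tasks execute. Build's body continues outside the hunk.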
diff --git a/nodeup/pkg/model/protokube_test.go b/nodeup/pkg/model/protokube_test.go
index 0094df6863..f1a8ca3b7a 100644
--- a/nodeup/pkg/model/protokube_test.go
+++ b/nodeup/pkg/model/protokube_test.go
@@ -17,65 +17,33 @@ limitations under the License.
 package model
 import (
- "path"
- "path/filepath"
 "testing"
- "k8s.io/kops/pkg/apis/kops"
 "k8s.io/kops/pkg/apis/nodeup"
- "k8s.io/kops/pkg/testutils"
 "k8s.io/kops/upup/pkg/fi"
 )
 func TestProtokubeBuilder_Docker(t *testing.T) {
- runProtokubeBuilderTest(t, "docker")
+ RunGoldenTest(t, "tests/protokube/docker", "protokube", func(nodeupModelContext *NodeupModelContext, target *fi.ModelBuilderContext) error {
+ builder := ProtokubeBuilder{NodeupModelContext: nodeupModelContext}
+ populateImage(nodeupModelContext)
+ return builder.Build(target)
+ })
 }
 func TestProtokubeBuilder_containerd(t *testing.T) {
- runProtokubeBuilderTest(t, "containerd")
+ RunGoldenTest(t, "tests/protokube/containerd", "protokube", func(nodeupModelContext *NodeupModelContext, target *fi.ModelBuilderContext) error {
+ builder := ProtokubeBuilder{NodeupModelContext: nodeupModelContext}
+ populateImage(nodeupModelContext)
+ return builder.Build(target)
+ })
 }
-func runProtokubeBuilderTest(t *testing.T, key string) {
- basedir := path.Join("tests/protokube/", key)
-
- context := &fi.ModelBuilderContext{
- Tasks: make(map[string]fi.Task),
+func populateImage(ctx *NodeupModelContext) {
+ if ctx.NodeupConfig == nil {
+ ctx.NodeupConfig = &nodeup.Config{}
 }
- nodeUpModelContext, err := BuildNodeupModelContext(basedir)
- if err != nil {
- t.Fatalf("error loading model %q: %v", basedir, err)
- return
+ ctx.NodeupConfig.ProtokubeImage = &nodeup.Image{
+ Name: "protokube image name",
 }
-
- cluster := nodeUpModelContext.Cluster
- if cluster.Spec.MasterKubelet == nil {
- cluster.Spec.MasterKubelet = &kops.KubeletConfigSpec{}
- }
- if cluster.Spec.MasterKubelet == nil {
- cluster.Spec.MasterKubelet = &kops.KubeletConfigSpec{}
- }
- cluster.Spec.Kubelet.HostnameOverride = "example-hostname"
-
- nodeUpModelContext.IsMaster = true
-
- nodeUpModelContext.NodeupConfig = &nodeup.Config{}
-
- // These trigger use of etcd-manager
-
 nodeUpModelContext.NodeupConfig.EtcdManifests = []string{
- "memfs://clusters.example.com/minimal.example.com/manifests/etcd/main.yaml",
- "memfs://clusters.example.com/minimal.example.com/manifests/etcd/events.yaml",
- }
-
- nodeUpModelContext.NodeupConfig.ProtokubeImage = &nodeup.Image{}
- nodeUpModelContext.NodeupConfig.ProtokubeImage.Name = "protokube:test"
-
- builder := &ProtokubeBuilder{NodeupModelContext: nodeUpModelContext}
-
- if task, err := builder.buildSystemdService(); err != nil {
- t.Fatalf("error from buildSystemdService: %v", err)
- } else {
- context.AddTask(task)
- }
-
- testutils.ValidateTasks(t, filepath.Join(basedir, "tasks.yaml"), context)
 }
diff --git a/nodeup/pkg/model/tests/protokube/containerd/cluster.yaml b/nodeup/pkg/model/tests/protokube/containerd/cluster.yaml
index dcb956258a..24017910f9 100644
--- a/nodeup/pkg/model/tests/protokube/containerd/cluster.yaml
+++ b/nodeup/pkg/model/tests/protokube/containerd/cluster.yaml
@@ -9,6 +9,8 @@ spec:
 channel: stable
 cloudProvider: aws
 configBase: memfs://clusters.example.com/minimal.example.com
+ containerd:
+ version: 1.3.4
 containerRuntime: containerd
 etcdClusters:
 - etcdMembers:
@@ -21,7 +23,8 @@ spec:
 name: master-us-test-1a
 name: events
 provider: Manager
- kubelet: {}
+ kubelet:
+ hostnameOverride: master.hostname.invalid
 kubernetesVersion: v1.17.0
 masterInternalName: api.internal.minimal.example.com
 masterPublicName: api.minimal.example.com
@@ -46,7 +49,7 @@ apiVersion: kops.k8s.io/v1alpha2
 kind: InstanceGroup
 metadata:
 creationTimestamp: "2016-12-10T22:42:28Z"
- name: nodes
+ name: master-1a
 labels:
 kops.k8s.io/cluster: minimal.example.com
 spec:
@@ -55,6 +58,6 @@ spec:
 machineType: t2.medium
 maxSize: 2
 minSize: 2
- role: Node
+ role: Master
 subnets:
 - us-test-1a
diff --git a/nodeup/pkg/model/tests/protokube/containerd/tasks-protokube.yaml b/nodeup/pkg/model/tests/protokube/containerd/tasks-protokube.yaml
new file mode 100644
index 0000000000..e129f6bf68
--- /dev/null
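Review bot: `populateImage` sets `Name: "protokube image name"`, a value with spaces that is not a valid image reference, so the golden ExecStart lines now carry `docker.io/library/protokube image name` instead of something a runtime could resolve; the previous fixture value `protokube:test` would keep the golden output representative of real input. The two test functions are identical apart from the fixture directory, so a small helper such as `func runProtokubeGoldenTest(t *testing.T, dir string)` wrapping the RunGoldenTest call would remove the duplicated closure. The removed test forced `IsMaster = true`, whereas the new tests appear to take the role from each fixture's instance group; the docker golden output (`--master=false`, no kubeconfig task) suggests that fixture no longer exercises the master-only kops kubeconfig path, which is worth confirming is intended rather than a lost test.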
+++ b/nodeup/pkg/model/tests/protokube/containerd/tasks-protokube.yaml 
@@ -0,0 +1,99 @@ +contents: + task: + CA: + task: + Name: kops + signer: ca + subject: + CommonName: kops + Organization: + - system:masters + type: client + Cert: + task: + Name: kops + signer: ca + subject: + CommonName: kops + Organization: + - system:masters + type: client + Key: + task: + Name: kops + signer: ca + subject: + CommonName: kops + Organization: + - system:masters + type: client + Name: kops + ServerURL: https://127.0.0.1 +mode: "0400" +path: /var/lib/kops/kubeconfig +type: file +--- +Name: kops +signer: ca +subject: + CommonName: kops + Organization: + - system:masters +type: client +--- +CA: + task: + Name: kops + signer: ca + subject: + CommonName: kops + Organization: + - system:masters + type: client +Cert: + task: + Name: kops + signer: ca + subject: + CommonName: kops + Organization: + - system:masters + type: client +Key: + task: + Name: kops + signer: ca + subject: + CommonName: kops + Organization: + - system:masters + type: client +Name: kops +ServerURL: https://127.0.0.1 +--- +Hash: "" +Name: protokube +Runtime: containerd +Sources: null +--- +Name: protokube.service +definition: | + [Unit] + Description=Kubernetes Protokube Service + Documentation=https://github.com/kubernetes/kops + + [Service] + ExecStartPre=/bin/true + ExecStartPre=-/usr/bin/ctr --namespace k8s.io container rm protokube + ExecStartPre=/bin/true + ExecStart=/usr/bin/ctr --namespace k8s.io run --net-host --with-ns pid:/proc/1/ns/pid --privileged --mount type=bind,src=/,dst=/rootfs,options=rbind:rslave --mount type=bind,src=/var/run/dbus,dst=/var/run/dbus,options=rbind:rprivate --mount type=bind,src=/run/systemd,dst=/run/systemd,options=rbind:rprivate --env KUBECONFIG=/rootfs/var/lib/kops/kubeconfig --mount type=bind,src=/usr/local/bin,dst=/opt/kops/bin,options=rbind:ro:rprivate --env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/kops/bin docker.io/library/protokube image name protokube /usr/bin/protokube --bootstrap-master-node-labels=true 
--cloud=aws --containerized=true --dns-internal-suffix=.internal.minimal.example.com --dns=aws-route53 --etcd-backup-store=memfs://clusters.example.com/minimal.example.com/backups/etcd/main --etcd-image=k8s.gcr.io/etcd:3.4.3 --initialize-rbac=true --manage-etcd=true --master=true --node-name=master.hostname.invalid --peer-ca=/srv/kubernetes/ca.crt --peer-cert=/srv/kubernetes/etcd-peer.pem --peer-key=/srv/kubernetes/etcd-peer-key.pem --tls-auth=true --tls-ca=/srv/kubernetes/ca.crt --tls-cert=/srv/kubernetes/etcd.pem --tls-key=/srv/kubernetes/etcd-key.pem --v=4 --zone=*/Z1AFAKE1ZON3YO + Restart=always + RestartSec=2s + StartLimitInterval=0 + + [Install] + WantedBy=multi-user.target +enabled: true +manageState: true +running: true +smartRestart: true diff --git a/nodeup/pkg/model/tests/protokube/containerd/tasks.yaml b/nodeup/pkg/model/tests/protokube/containerd/tasks.yaml deleted file mode 100644 index 079ef2559a..0000000000 --- a/nodeup/pkg/model/tests/protokube/containerd/tasks.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -Name: protokube.service -definition: | - [Unit] - Description=Kubernetes Protokube Service - Documentation=https://github.com/kubernetes/kops - - [Service] - ExecStartPre=/bin/true - ExecStartPre=-/usr/bin/ctr --namespace k8s.io container rm protokube - ExecStartPre=/bin/true - ExecStart=/usr/bin/ctr --namespace k8s.io run --net-host --with-ns pid:/proc/1/ns/pid --privileged --mount type=bind,src=/,dst=/rootfs,options=rbind:rslave --mount type=bind,src=/var/run/dbus,dst=/var/run/dbus,options=rbind:rprivate --mount type=bind,src=/run/systemd,dst=/run/systemd,options=rbind:rprivate --env KUBECONFIG=/rootfs/var/lib/kops/kubeconfig --mount type=bind,src=/usr/local/bin,dst=/opt/kops/bin,options=rbind:ro:rprivate --env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/kops/bin docker.io/library/protokube:test protokube /usr/bin/protokube --bootstrap-master-node-labels=true --cloud=aws --containerized=true --dns-internal-suffix=.internal.minimal.example.com --dns=aws-route53 --initialize-rbac=true --manage-etcd=false --master=true --node-name=example-hostname --remove-dns-names=etcd-master-us-test-1a.internal.minimal.example.com,etcd-events-master-us-test-1a.internal.minimal.example.com --v=4 - Restart=always - RestartSec=2s - StartLimitInterval=0 - - [Install] - WantedBy=multi-user.target -enabled: true -manageState: true -running: true -smartRestart: true diff --git a/nodeup/pkg/model/tests/protokube/docker/cluster.yaml b/nodeup/pkg/model/tests/protokube/docker/cluster.yaml index 127d0c8adf..d2acdf03c9 100644 --- a/nodeup/pkg/model/tests/protokube/docker/cluster.yaml +++ b/nodeup/pkg/model/tests/protokube/docker/cluster.yaml 
@@ -21,9 +21,10 @@ spec:
 name: master-us-test-1a
 name: events
 provider: Manager
- kubelet: {}
+ kubelet:
+ hostnameOverride: master.override.invalid
 kubernetesVersion: v1.17.0
- masterInternalName: api.internal.minimal.example.com
+ masterInternalName: api.internal.minimal.k8s.local
 masterPublicName: api.minimal.example.com
 networkCIDR: 172.20.0.0/16
 networking:
diff --git a/nodeup/pkg/model/tests/protokube/docker/tasks-protokube.yaml b/nodeup/pkg/model/tests/protokube/docker/tasks-protokube.yaml
new file mode 100644
index 0000000000..8bb1bb124c
--- /dev/null
+++ b/nodeup/pkg/model/tests/protokube/docker/tasks-protokube.yaml
@@ -0,0 +1,26 @@ +Hash: "" +Name: protokube +Runtime: docker +Sources: null +--- +Name: protokube.service +definition: | + [Unit] + Description=Kubernetes Protokube Service + Documentation=https://github.com/kubernetes/kops + + [Service] + ExecStartPre=-/usr/bin/docker stop protokube + ExecStartPre=-/usr/bin/docker rm protokube + ExecStartPre=/bin/true + ExecStart=/usr/bin/docker run --net=host --pid=host --privileged --volume /:/rootfs/ --volume /var/run/dbus:/var/run/dbus --volume /run/systemd:/run/systemd --env KUBECONFIG=/rootfs/var/lib/kops/kubeconfig --name protokube protokube image name /usr/bin/protokube --bootstrap-master-node-labels=true --cloud=aws --containerized=true --dns-internal-suffix=internal.minimal.k8s.local --dns=gossip --etcd-backup-store=memfs://clusters.example.com/minimal.example.com/backups/etcd/main --etcd-image=k8s.gcr.io/etcd:3.4.3 --initialize-rbac=true --manage-etcd=true --master=false --node-name=master.override.invalid --peer-ca=/srv/kubernetes/ca.crt --peer-cert=/srv/kubernetes/etcd-peer.pem --peer-key=/srv/kubernetes/etcd-peer-key.pem --tls-auth=true --tls-ca=/srv/kubernetes/ca.crt --tls-cert=/srv/kubernetes/etcd.pem --tls-key=/srv/kubernetes/etcd-key.pem --v=4 --zone=*/Z1AFAKE1ZON3YO + Restart=always + RestartSec=2s + StartLimitInterval=0 + + [Install] + WantedBy=multi-user.target +enabled: true +manageState: true +running: true +smartRestart: true diff --git a/nodeup/pkg/model/tests/protokube/docker/tasks.yaml b/nodeup/pkg/model/tests/protokube/docker/tasks.yaml deleted file mode 100644 index f25d097aea..0000000000 --- a/nodeup/pkg/model/tests/protokube/docker/tasks.yaml +++ /dev/null 
@@ -1,21 +0,0 @@
-Name: protokube.service
-definition: |
- [Unit]
- Description=Kubernetes Protokube Service
- Documentation=https://github.com/kubernetes/kops
-
- [Service]
- ExecStartPre=-/usr/bin/docker stop protokube
- ExecStartPre=-/usr/bin/docker rm protokube
- ExecStartPre=/bin/true
- ExecStart=/usr/bin/docker run --net=host --pid=host --privileged --volume /:/rootfs/ --volume /var/run/dbus:/var/run/dbus --volume /run/systemd:/run/systemd --env KUBECONFIG=/rootfs/var/lib/kops/kubeconfig --volume /usr/local/bin:/opt/kops/bin:ro --env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/kops/bin --name protokube protokube:test /usr/bin/protokube --bootstrap-master-node-labels=true --cloud=aws --containerized=true --dns-internal-suffix=.internal.minimal.example.com --dns=aws-route53 --initialize-rbac=true --manage-etcd=false --master=true --node-name=example-hostname --remove-dns-names=etcd-master-us-test-1a.internal.minimal.example.com,etcd-events-master-us-test-1a.internal.minimal.example.com --v=4
- Restart=always
- RestartSec=2s
- StartLimitInterval=0
-
- [Install]
- WantedBy=multi-user.target
-enabled: true
-manageState: true
-running: true
-smartRestart: true
diff --git a/pkg/model/pki.go b/pkg/model/pki.go
index 6ecaed3466..400c8c359b 100644
--- a/pkg/model/pki.go
+++ b/pkg/model/pki.go
@@ -204,18 +204,6 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
 c.AddTask(aggregator)
 }
- {
- // Used by e.g. protokube
- t := &fitasks.Keypair{
- Name: fi.String("kops"),
- Lifecycle: b.Lifecycle,
- Subject: "o=" + rbac.SystemPrivilegedGroup + ",cn=kops",
- Type: "client",
- Signer: defaultCA,
- }
- c.AddTask(t)
- }
-
 {
 // A few names used from inside the cluster, which all resolve the same based on our default suffixes
 alternateNames := []string{