Merge branch 'master' into add-aws-x1e-series

This commit is contained in:
Justin Santa Barbara 2018-03-10 17:02:13 -05:00 committed by GitHub
commit 4614789ef6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
87 changed files with 851 additions and 217 deletions


@ -600,30 +600,29 @@ bazel-test:
.PHONY: bazel-build
bazel-build:
bazel build //cmd/... //pkg/... //channels/... //nodeup/... //protokube/... //dns-controller/... //util/...
bazel build --features=pure //cmd/... //pkg/... //channels/... //nodeup/... //protokube/... //dns-controller/... //util/...
.PHONY: bazel-build-cli
bazel-build-cli:
bazel build //cmd/kops/...
bazel build --features=pure //cmd/kops/...
# Not working yet, but we can hope
.PHONY: bazel-crossbuild-kops
bazel-crossbuild-kops:
bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:darwin_amd64 //cmd/kops/...
bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //cmd/kops/...
bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:windows_amd64 //cmd/kops/...
bazel build --features=pure --experimental_platforms=@io_bazel_rules_go//go/toolchain:darwin_amd64 //cmd/kops/...
bazel build --features=pure --experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //cmd/kops/...
bazel build --features=pure --experimental_platforms=@io_bazel_rules_go//go/toolchain:windows_amd64 //cmd/kops/...
.PHONY: bazel-crossbuild-nodeup
bazel-crossbuild-nodeup:
bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //cmd/nodeup/...
bazel build --features=pure --experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //cmd/nodeup/...
.PHONY: bazel-crossbuild-protokube
bazel-crossbuild-protokube:
bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //protokube/...
bazel build --features=pure --experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //protokube/...
.PHONY: bazel-crossbuild-dns-controller
bazel-crossbuild-dns-controller:
bazel build --experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //dns-controller/...
bazel build --features=pure --experimental_platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //dns-controller/...
.PHONY: bazel-crossbuild-dns-controller-image
bazel-crossbuild-dns-controller-image:
@ -689,11 +688,11 @@ bazel-version-dist: bazel-crossbuild-nodeup bazel-crossbuild-kops bazel-protokub
mkdir -p ${BAZELUPLOAD}/kops/${VERSION}/darwin/amd64/
mkdir -p ${BAZELUPLOAD}/kops/${VERSION}/images/
mkdir -p ${BAZELUPLOAD}/utils/${VERSION}/linux/amd64/
cp bazel-bin/cmd/nodeup/linux_amd64_stripped/nodeup ${BAZELUPLOAD}/kops/${VERSION}/linux/amd64/nodeup
cp bazel-bin/cmd/nodeup/linux_amd64_pure_stripped/nodeup ${BAZELUPLOAD}/kops/${VERSION}/linux/amd64/nodeup
(${SHASUMCMD} ${BAZELUPLOAD}/kops/${VERSION}/linux/amd64/nodeup | cut -d' ' -f1) > ${BAZELUPLOAD}/kops/${VERSION}/linux/amd64/nodeup.sha1
cp ${BAZELIMAGES}/protokube.tar.gz ${BAZELUPLOAD}/kops/${VERSION}/images/protokube.tar.gz
cp ${BAZELIMAGES}/protokube.tar.gz.sha1 ${BAZELUPLOAD}/kops/${VERSION}/images/protokube.tar.gz.sha1
cp bazel-bin/cmd/kops/linux_amd64_stripped/kops ${BAZELUPLOAD}/kops/${VERSION}/linux/amd64/kops
cp bazel-bin/cmd/kops/linux_amd64_pure_stripped/kops ${BAZELUPLOAD}/kops/${VERSION}/linux/amd64/kops
(${SHASUMCMD} ${BAZELUPLOAD}/kops/${VERSION}/linux/amd64/kops | cut -d' ' -f1) > ${BAZELUPLOAD}/kops/${VERSION}/linux/amd64/kops.sha1
cp bazel-bin/cmd/kops/darwin_amd64_pure_stripped/kops ${BAZELUPLOAD}/kops/${VERSION}/darwin/amd64/kops
(${SHASUMCMD} ${BAZELUPLOAD}/kops/${VERSION}/darwin/amd64/kops | cut -d' ' -f1) > ${BAZELUPLOAD}/kops/${VERSION}/darwin/amd64/kops.sha1

README-ES.md Normal file

@ -0,0 +1,221 @@
# kops - Operaciones con Kubernetes
[![Build Status](https://travis-ci.org/kubernetes/kops.svg?branch=master)](https://travis-ci.org/kubernetes/kops) [![Go Report Card](https://goreportcard.com/badge/k8s.io/kops)](https://goreportcard.com/report/k8s.io/kops) [![GoDoc Widget]][GoDoc]
[GoDoc]: https://godoc.org/k8s.io/kops
[GoDoc Widget]: https://godoc.org/k8s.io/kops?status.svg
La forma más fácil de poner en marcha un cluster Kubernetes en producción.
## ¿Qué es kops?
Queremos pensar que es algo como `kubectl` para clusters.
`kops` ayuda a crear, destruir, mejorar y mantener un grado de producción, altamente
disponible, desde las líneas de comando de Kubernetes clusters. AWS (Amazon Web Services)
está oficialmente soportado actualmente, con GCE en soporte beta , y VMware vSphere
en alpha, y otras plataformas planeadas.
## ¿Puedo verlo en acción?
<p align="center">
<a href="https://asciinema.org/a/97298">
<img src="https://asciinema.org/a/97298.png" width="885"></image>
</a>
</p>
## Lanzando un anfitrión de Kubernetes cluster en AWS o GCE
Para reproducir exactamente el demo anterior, visualizalo en el [tutorial](/docs/aws.md) para
lanzar un anfitrión de Kubernetes cluster en AWS.
Para instalar un Kubernetes cluster en GCE por fabor siga esta [guide](/docs/tutorial/gce.md).
## Caracteristicas
* Automatiza el aprovisionamiento de Kubernetes clusters en [AWS](/docs/aws.md) y [GCE](/docs/tutorial/gce.md)
* Un Despliegue Altamente Disponible (HA) Kubernetes Masters
* Construye en un modelo de estado sincronizado para **dry-runs** y **idempotency** automático
* Capacidad de generar [Terraform](/docs/terraform.md)
* Soporta un Kubernetes personalizado [add-ons](/docs/addons.md)
* Línea de comando [autocompletion](/docs/cli/kops_completion.md)
* YAML Archivo de Manifiesto Basado en API [Configuration](/docs/manifests_and_customizing_via_api.md)
* [Templating](/docs/cluster_template.md) y ejecutar modos de simulacro para crear
Manifiestos
* Escoge de ocho proveedores CNI diferentes [Networking](/docs/networking.md)
* Soporta Actualizarse desde [kube-up](/docs/upgrade_from_kubeup.md)
* Capacidad para añadir contenedores, como enganches, y archivos a nodos vía [cluster manifest](/docs/cluster_spec.md)
## Documentación
La documentación está en el directorio `/docs`, [and the index is here.](docs/README.md)
## Compatibilidad de Kubernetes con el Lanzamiento
### Soporte de la Versión Kubernetes
kops está destinado a ser compatible con versiones anteriores. Siempre es recomendado utilizar la
última versión de kops con cualquier versión de Kubernetes que estés utilizando. Siempre
utilize la última versión de kops.
Una excepción, en lo que respecta a la compatibilidad, kops soporta el equivalente a
un número de versión menor de Kubernetes. Una versión menor es el segundo dígito en el
número de versión. la versión de kops 1.8.0 tiene una versión menor de 8. La numeración
sigue la especificación de versión semántica, MAJOR.MINOR.PATCH.
Por ejemplo kops, 1.8.0 no soporta Kubernetes 1.9.2, pero kops 1.9.0
soporta Kubernetes 1.9.2 y versiones anteriores de Kubernetes. Sólo cuando coincide la versión
menor de kops, La versión menor de kubernetes hace que kops soporte oficialmente
el lanzamiento de kubernetes. kops no impide que un usuario instale versiones
no coincidentes de K8, pero las versiones de Kubernetes siempre requieren kops para instalar
versiones de componentes como docker, probado contra la versión
particular de Kubernetes.
#### Compatibilidad Matrix
| kops version | k8s 1.5.x | k8s 1.6.x | k8s 1.7.x | k8s 1.8.x |
|--------------|-----------|-----------|-----------|-----------|
| 1.8.x | Y | Y | Y | Y |
| 1.7.x | Y | Y | Y | N |
| 1.6.x | Y | Y | N | N |
Utilice la última versión de kops para todas las versiones de Kubernetes, con la advertencia de que las versiones más altas de Kubernetes no cuentan con el respaldo _oficial_ de kops.
### Cronograma de Lanzamiento de kops
Este proyecto no sigue el cronograma de lanzamiento de Kubernetes. `kops` tiene como objetivo
proporcionar una experiencia de instalación confiable para Kubernetes, y, por lo general, se lanza
aproximadamente un mes después de la publicación correspondiente de Kubernetes. Esta vez, permite que el proyecto Kubernetes resuelva los problemas que presenta la nueva versión y garantiza que podamos admitir las funciones más recientes. kops lanzará pre-lanzamientos alfa y beta para las personas que están ansiosas por probar la última versión de Kubernetes.
Utilice únicamente lanzamientos pre-GA kops en ambientes que puedan tolerar las peculiaridades de las nuevas versiones, e informe cualquier problema que surja.
## Instalación
### Requisito previo
`kubectl` es requerido, visualize [here](http://kubernetes.io/docs/user-guide/prereqs/).
### OSX desde Homebrew
```console
brew update && brew install kops
```
El binario `kops` también está disponible a través de nuestro [releases](https://github.com/kubernetes/kops/releases/latest).
### Linux
```console
curl -LO https://github.com/kubernetes/kops/releases/download/$(curl -s https://api.github.com/repos/kubernetes/kops/releases/latest | grep tag_name | cut -d '"' -f 4)/kops-linux-amd64
chmod +x kops-linux-amd64
sudo mv kops-linux-amd64 /usr/local/bin/kops
```
## Historial de Versiones
visualize el [releases](https://github.com/kubernetes/kops/releases) para más
información sobre cambios entre lanzamientos.
## Involucrarse y Contribuir
¿Estás interesado en contribuir con kops? Nosotros, los mantenedores y la comunidad,
nos encantaría sus sugerencias, contribuciones y ayuda.
Tenemos una guía de inicio rápido en [adding a feature](/docs/development/adding_a_feature.md). Además, se
puede contactar a los mantenedores en cualquier momento para obtener más información sobre
cómo involucrarse.
Con el interés de involucrar a más personas con kops, estamos comenzando a
etiquetar los problemas con `good-starter-issue`. Por lo general, se trata de problemas que tienen
un alcance menor, pero que son buenas maneras de familiarizarse con la base de código.
También alentamos a TODOS los participantes activos de la comunidad a actuar como si fueran
mantenedores, incluso si no tiene permisos de escritura "oficiales".Este es un
esfuerzo de la comunidad, estamos aquí para servir a la comunidad de Kubernetes.
Si tienes un interés activo y quieres involucrarte, ¡tienes verdadero poder!
No asuma que las únicas personas que pueden hacer cosas aquí son los "mantenedores".
También nos gustaría agregar más mantenedores "oficiales", así que
¡muéstranos lo que puedes hacer!
Lo que esto significa:
__Issues__
* Ayude a leer y clasifique los problemas, ayúdelo cuando sea posible.
* Señale los problemas que son duplicados, desactualizados, etc.
- Incluso si no tiene permisos para etiquetar, tome nota y etiquete mantenedores (`/close`,`/dupe #127`).
__Pull Requests__
* Lee y revisa el código. Deja comentarios, preguntas y críticas (`/lgtm` ).
* Descargue, compile y ejecute el código y asegúrese de que las pruebas pasen (make test).
- También verifique que la nueva característica parezca cuerda, siga los mejores patrones arquitectónicos e incluya pruebas.
Este repositorio usa los bots de Kubernetes. Visualize una lista completa de los comandos [here](
https://github.com/kubernetes/test-infra/blob/master/commands.md).
## Horas de Oficina
Los mantenedores de Kops reservaron una hora cada dos semanas para **horas de oficina** públicas. Los horarios de oficina se alojan en un [zoom video chat](https://zoom.us/my/k8ssigaws) los viernes en [5 pm UTC/12 noon ET/9 am US Pacific](http://www.worldtimebuddy.com/?pl=1&lid=100,5,8,12), en semanas impares numeradas. Nos esforzamos por conocer y ayudar a los programadores, ya sea trabajando en `kops` o interesados en conocer más sobre el proyecto.
### Temas Abiertos en Horas de Oficina
Incluye pero no limitado a:
- Ayuda y guía para aquellos que asisten, que están interesados en contribuir.
- Discuta el estado actual del proyecto kops, incluidas las versiones.
- Diseña estrategias para mover `kops` hacia adelante.
- Colabora sobre PRs abiertos y próximos.
- Presenta demos.
Esta vez se enfoca en los programadores, aunque nunca rechazaremos a un participante cortés. Pase por alto, incluso si nunca ha instalado Kops.
Le recomendamos que se comunique **de antemano** si planea asistir. Puedes unirte a cualquier sesión y no dudes en agregar un elemento a la [agenda](https://docs.google.com/document/d/12QkyL0FkNbWPcLFxxRGSPt_tNPBHbmni3YLY-lHny7E/edit) donde rastreamos notas en el horario de oficina.
Los horarios de oficina están alojados en una [Zoom](https://zoom.us/my/k8ssigaws) video conferencia, celebrada los viernes a las [5 pm UTC/12 noon ET/9 am US Pacific](http://www.worldtimebuddy.com/?pl=1&lid=100,5,8,12) cada otra semana impare numerada.
Puede verificar su número de semana utilizando:
```bash
date +%V
```
Los mantenedores y otros miembros de la comunidad están generalmente disponibles en [kubernetes slack](https://github.com/kubernetes/community/blob/master/communication.md#social-media) en [#kops](https://kubernetes.slack.com/messages/kops/), ¡así que ven y conversa con nosotros sobre cómo los kops pueden ser mejores para ti!
## GitHub Issues
### Errores
Si cree que ha encontrado un error, siga las instrucciones a continuación.
- Dedique una pequeña cantidad de tiempo a prestar la debida diligencia al rastreador de problemas. Tu problema puede ser un duplicado.
- Establezca la `-v 10` línea de comando y guarde la salida de los registros. Por favor pegue esto en su issue.
- Note the version of kops you are running (from `kops version`), and the command line options you are using.
- Abra un [new issue](https://github.com/kubernetes/kops/issues/new).
- Recuerde que los usuarios pueden estar buscando su issue en el futuro, por lo que debe darle un título significativo para ayudar a otros.
- No dude en comunicarse con la comunidad de kops en [kubernetes slack](https://github.com/kubernetes/community/blob/master/communication.md#social-media).
### Caracteristicas
También usamos el rastreador de problemas para rastrear características. Si tiene una idea para una función, o cree que puede ayudar a que los kops se vuelvan aún más impresionantes, siga los pasos a continuación.
- Abra un [new issue](https://github.com/kubernetes/kops/issues/new).
- Recuerde que los usuarios pueden estar buscando su issue en el futuro, por lo que debe darle un título significativo para ayudar a otros.
- Defina claramente el caso de uso, usando ejemplos concretos. P EJ: Escribo `esto` y kops hace `eso`.
- Algunas de nuestras características más grandes requerirán algún diseño. Si desea incluir un diseño técnico para su función, inclúyalo en el problema.
- Después de que la nueva característica sea bien comprendida, y el diseño acordado, podemos comenzar a codificar la característica. Nos encantaría que lo codificaras. Por lo tanto, abra una **WIP** *(trabajo en progreso)* solicitud de extracción, y que tenga una feliz codificación.


@ -81,11 +81,12 @@ Kubernetes version.
#### Compatibility Matrix
| kops version | k8s 1.5.x | k8s 1.6.x | k8s 1.7.x | k8s 1.8.x |
|--------------|-----------|-----------|-----------|-----------|
| 1.8.x | Y | Y | Y | Y |
| 1.7.x | Y | Y | Y | N |
| 1.6.x | Y | Y | N | N |
| kops version | k8s 1.5.x | k8s 1.6.x | k8s 1.7.x | k8s 1.8.x | k8s 1.9.x |
|--------------------|-----------|-----------|-----------|-----------|-----------|
| 1.9.x (unreleased) | Y | Y | Y | Y | Y |
| 1.8.x | Y | Y | Y | Y | N |
| 1.7.x | Y | Y | Y | N | N |
| 1.6.x | Y | Y | N | N | N |
Use the latest version of kops for all releases of Kubernetes, with the caveat
that higher versions of Kubernetes are not _officially_ supported by kops.


@ -42,13 +42,13 @@ container_pull(
)
git_repository(
name = "distroless_rules",
name = "distroless",
remote = "https://github.com/googlecloudplatform/distroless.git",
commit = "886114394dfed219001ec3b068b139a3456e49d4"
)
load(
"@distroless_rules//package_manager:package_manager.bzl",
"@distroless//package_manager:package_manager.bzl",
"package_manager_repositories",
"dpkg_src",
"dpkg_list",


@ -174,7 +174,7 @@ aws ec2 authorize-security-group-ingress --group-id $sgidingress --protocol tcp
aws ec2 authorize-security-group-ingress --group-id $sgidingress --protocol tcp --port 80 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-id $sgidnode --protocol all --port -1 --source-group $sgidingress
aws ec2 create-tags --resources $sgidingress--tags "kubernetes.io/cluster/id=owned" "kubernetes:application=kube-ingress-aws-controller"
aws ec2 create-tags --resources $sgidingress --tags '[{"Key": "kubernetes.io/cluster/id", "Value": "owned"}, {"Key": "kubernetes:application", "Value": "kube-ingress-aws-controller"}]'
```
### AWS Certificate Manager (ACM)


@ -126,9 +126,10 @@ func NewCmdRoot(f *util.Factory, out io.Writer) *cobra.Command {
if strings.HasSuffix(defaultStateStore, "/") {
defaultStateStore = strings.TrimSuffix(defaultStateStore, "/")
}
cmd.PersistentFlags().StringVarP(&rootCommand.RegistryPath, "state", "", defaultStateStore, "Location of state storage")
cmd.PersistentFlags().StringVarP(&rootCommand.RegistryPath, "state", "", defaultStateStore, "Location of state storage. Overrides KOPS_STATE_STORE environment variable")
cmd.PersistentFlags().StringVarP(&rootCommand.clusterName, "name", "", "", "Name of cluster")
defaultClusterName := os.Getenv("KOPS_CLUSTER_NAME")
cmd.PersistentFlags().StringVarP(&rootCommand.clusterName, "name", "", defaultClusterName, "Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable")
// create subcommands
cmd.AddCommand(NewCmdCompletion(f, out))
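Review bot: `defaultClusterName` on the `--name` line is taken straight from `os.Getenv("KOPS_CLUSTER_NAME")` with no normalization, while the `--state` default a few lines above is stripped of a trailing `/` before the flag is registered; stray whitespace in the environment would presumably become the cluster name and only surface later as a failed lookup. For symmetry with the state-store handling, hoist the lookup next to `defaultStateStore` and trim it: `defaultClusterName := strings.TrimSpace(os.Getenv("KOPS_CLUSTER_NAME"))`. Declaring the default in between two flag registrations also reads oddly next to the grouped state-store block. NewCmdRoot continues on both sides of this hunk.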


@ -31,7 +31,7 @@ kubectl get deployment -n kube-system kube-dns \
-o jsonpath='{.spec.template.spec.containers[?(@.name == "dnsmasq")].image}'
```
The upgrade is will occur once the channels utilty picks up the change within a
The upgrade will occur once the channels utility picks up the change within a
few minutes.
## Tested Kubernetes Versions


@ -35,7 +35,7 @@ You do have to set up the DNS nameservers so your hosted zone resolves. kops us
zone for you, but now (as you have to set up the nameservers anyway), there doesn't seem much reason to do so!
If you don't specify a dns-zone, kops will list all your hosted zones, and choose the longest that
is a a suffix of your cluster name. So for `dev.kubernetes.example.com`, if you have `kubernetes.example.com`,
is a suffix of your cluster name. So for `dev.kubernetes.example.com`, if you have `kubernetes.example.com`,
`example.com` and `somethingelse.example.com`, it would choose `kubernetes.example.com`. `example.com` matches
but is shorter; `somethingelse.example.com` is not a suffix-match.


@ -88,7 +88,7 @@ ${GOPATH}/bin/imagebuilder --config aws.yaml --v=8 --publish=false --replicate=f
*NOTE*
`imagebuilder` may complain `image not found after build` and the execution failes. But from the logs ahead the exception, we can find the AMI has been registered actually. It seems that the AMI newly created not available yet despite `bootstrap-vz` claims so. [kubernetes/kube-deploy#293](https://github.com/kubernetes/kube-deploy/issues/293).
`imagebuilder` may complain `image not found after build` and the execution fails. But from the logs ahead the exception, we can find the AMI has been registered actually. It seems that the AMI newly created not available yet despite `bootstrap-vz` claims so. [kubernetes/kube-deploy#293](https://github.com/kubernetes/kube-deploy/issues/293).
Wait one minute or so, the AMI should be available finally.


@ -204,7 +204,7 @@ ID=$(uuidgen) && aws route53 create-hosted-zone --name subdomain.example.com --c
#### Using Public/Private DNS (Kops 1.5+)
By default the assumption is that NS records are publically available. If you
By default the assumption is that NS records are publicly available. If you
require private DNS records you should modify the commands we run later in this
guide to include:


@ -22,8 +22,8 @@ kops helps you create, destroy, upgrade and maintain production-grade, highly av
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -54,8 +54,8 @@ kops completion
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -58,8 +58,8 @@ kops create -f FILENAME
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -116,8 +116,8 @@ kops create cluster
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -48,8 +48,8 @@ kops create instancegroup
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -32,8 +32,8 @@ Create a secret
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -40,8 +40,8 @@ kops create secret dockerconfig
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -40,8 +40,8 @@ kops create secret encryptionconfig
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -27,8 +27,8 @@ Create a secret keypair
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -38,8 +38,8 @@ kops create secret keypair ca
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -36,8 +36,8 @@ kops create secret sshpublickey
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -43,8 +43,8 @@ kops delete -f FILENAME [--yes]
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -39,8 +39,8 @@ kops delete cluster CLUSTERNAME [--yes]
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -37,8 +37,8 @@ kops delete instancegroup
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -28,8 +28,8 @@ kops delete secret
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -24,8 +24,8 @@ Get additional information about cloud and cluster resources.
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -34,8 +34,8 @@ kops describe secrets
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -34,8 +34,8 @@ Edit a resource configuration. This command changes the desired configuration in
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -36,8 +36,8 @@ kops edit cluster
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -36,8 +36,8 @@ kops edit instancegroup
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -25,8 +25,8 @@ Export configurations from a cluster.
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -29,8 +29,8 @@ kops export kubecfg CLUSTERNAME
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -54,8 +54,8 @@ kops get
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -44,9 +44,9 @@ kops get clusters
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
-o, --output string output format. One of: table, yaml, json (default "table")
--state string Location of state storage
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -35,9 +35,9 @@ kops get instancegroups
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
-o, --output string output format. One of: table, yaml, json (default "table")
--state string Location of state storage
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -38,9 +38,9 @@ kops get secrets
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
-o, --output string output format. One of: table, yaml, json (default "table")
--state string Location of state storage
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -26,8 +26,8 @@ Imports a kubernetes cluster created by kube-up.sh into a state store. This com
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -36,8 +36,8 @@ kops import cluster
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -39,8 +39,8 @@ kops replace -f FILENAME
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -69,8 +69,8 @@ Note: terraform users will need to run all of the following commands from the sa
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -88,8 +88,8 @@ kops rolling-update cluster
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -27,8 +27,8 @@ kops set does not update the cloud resources, to apply the changes use "kops upd
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -33,8 +33,8 @@ kops set cluster
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -25,8 +25,8 @@ Misc infrequently used commands.
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -35,8 +35,8 @@ kops toolbox bundle
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -40,8 +40,8 @@ kops toolbox convert-imported
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -35,8 +35,8 @@ kops toolbox dump
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -46,8 +46,8 @@ kops toolbox template
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -25,8 +25,8 @@ Creates or updates cloud resources to match cluster desired configuration.
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -44,8 +44,8 @@ kops update cluster
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -25,8 +25,8 @@ Automates checking for and applying Kubernetes updates. This upgrades a cluster
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -36,8 +36,8 @@ kops upgrade cluster
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -32,8 +32,8 @@ This commands validates the following components:
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -42,8 +42,8 @@ kops validate cluster
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -28,8 +28,8 @@ kops version
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files (default false)
--name string Name of cluster
--state string Location of state storage
--name string Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
--state string Location of state storage. Overrides KOPS_STATE_STORE environment variable
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging


@ -106,7 +106,7 @@ ID of a subnet to share in an existing VPC.
#### egress
The resource identifier (ID) of something in your existing VPC that you would like to use as "egress" to the outside world.
This feature was originally envisioned to allow re-use of NAT Gateways. In this case, the usage is as follows. Although NAT gateways are "public"-facing resources, in the Cluster spec, you must specify them in the private subnet section. One way to think about this is that you are specifying "egress", which is the default route out from this private subnet.
This feature was originally envisioned to allow re-use of NAT gateways. In this case, the usage is as follows. Although NAT gateways are "public"-facing resources, in the Cluster spec, you must specify them in the private subnet section. One way to think about this is that you are specifying "egress", which is the default route out from this private subnet.
```
spec:


@ -1,5 +1,5 @@
In order to develop inside a Docker container you must mount your local copy of
the Kops repo into the container's `GOPATH`. For the offical Golang Docker
the Kops repo into the container's `GOPATH`. For the official Golang Docker
image this is simply a matter of running the following command:
```bash


@ -25,7 +25,7 @@ it matures.
To make adoption easier, the etcd-manager has added a standalone backup tool, that can backup etcd into the
[expected structure](https://github.com/kopeio/etcd-manager/blob/master/docs/backupstructure.md), even if you are not running the etcd-manager. It should be possible to then use
the etcd manager from that backup.
the etcd-manager from that backup.
## Roadmap
@ -52,4 +52,4 @@ Goal: Users are fully able to manage etcd - moving between versions or resizing
### _untargeted_
* Remove the protokube-integrated etcd support (_untargeted_)
* Remove the protokube-integrated etcd support (_untargeted_)


@ -9,7 +9,7 @@ Ensure that the following points are covered and working in your environment:
- Region set to us-east-1 (az's: us-east-1a, us-east-1b, us-east-1c, us-east-1d and us-east-1e). For most of our exercises we'll deploy our clusters in "us-east-1". For real HA at kubernetes master level, you need 3 masters. If you want to ensure that each master is deployed on a different availability zone, then a region with "at least" 3 availabity zones is required here. You can still deploy a multi-master kubernetes setup on regions with just 2 az's or even 1 az but this mean that two or all your masters will be deployed on a single az and if this az goes offline then you'll lose two or all your masters. If possible, always pick a region with at least 3 different availability zones for real H.A. You always can check amazon regions and az's on the link: [AWS Global Infrastructure](https://aws.amazon.com/about-aws/global-infrastructure/). Remember: The masters are Kubernetes control plane. If your masters die, you loose control of your Kubernetes cluster.
- kubectl and kops installed. For this last part, you can do this with using following commnads. Next commands asume you are running a amd64/x86_64 linux distro:
As root (either ssh directly to root, local root console, or by using "sudo su -" previouslly):
As root (either ssh directly to root, local root console, or by using "sudo su -" previously):
```bash
cd ~


@ -47,7 +47,7 @@ export KOPS_STATE_STORE=s3://my-kops-s3-bucket-for-cluster-state
Some things to note from here:
- "NAME" will be an environment variable that we'll use from now in order to refer to our cluster name. For this practical exercise, our cluster name is "coreosbasedkopscluster.k8s.local".
- Because we'll use gossip DNS instead of a valid DNS domain on AWS ROUTE53 service, our cluster name need to include the string **".k8s.local"** at the end (this is covered on our AWS tutorials). You can see more about this on our [Getting Started Doc.](https://github.com/kubernetes/kops/blob/master/docs/aws.md)
- Because we'll use gossip DNS instead of a valid DNS domain on AWS ROUTE53 service, our cluster name needs to include the string **".k8s.local"** at the end (this is covered on our AWS tutorials). You can see more about this on our [Getting Started Doc.](https://github.com/kubernetes/kops/blob/master/docs/aws.md)
## COREOS IMAGE INFORMATION:
@ -187,7 +187,7 @@ Your cluster coreosbasedkopscluster.k8s.local is ready
```
Before continuing, let's note something interesting here: Can you see your masters ?. Two of them (master-us-east-1a and master-us-east-1c) are using "m3.medium" "aws instance type", but "master-us-east-1b" is using "c4.large". This happens because KOPS uses the AWS API in order to determine if the required instance type is available on the "az". At the moment we launched this cluster, "m3.medium" was unavailable on "us-east-1b". This forced KOPS to choose the nearest instance type candidate on the AZ.
Before continuing, let's note something interesting here: Can you see your masters? Two of them (master-us-east-1a and master-us-east-1c) are using "m3.medium" "aws instance type", but "master-us-east-1b" is using "c4.large". This happens because KOPS uses the AWS API in order to determine if the required instance type is available on the "az". At the moment we launched this cluster, "m3.medium" was unavailable on "us-east-1b". This forced KOPS to choose the nearest instance type candidate on the AZ.
If you don't want KOPS to auto-select the instance type, you can use the following arguments in order to enforce the instance types for both masters and nodes:


@ -37,7 +37,7 @@ For our setup we already have a hosted DNS domain in AWS:
||+-------------------------------------------------------------------+----------------------------------------+||
```
We can also check our that our domain is reacheable from the Internet using "dig". You can use other "dns" tools too, but we recommend to use dig (available on all modern linux distributions and other unix-like operating systems. Normally, dig is part of bind-tools and other bind-related packages):
We can also check that our domain is reachable from the Internet using "dig". You can use other "dns" tools too, but we recommend to use dig (available on all modern linux distributions and other unix-like operating systems. Normally, dig is part of bind-tools and other bind-related packages):
```bash
dig +short example.org soa
@ -851,4 +851,4 @@ The output:
All kops-created resource records are deleted too. Only the NS records added by us are still there.
END.-
END.-


@ -2,7 +2,7 @@
HTTP Forward Proxy Support
==========================
It is possible to launch a kubernetes cluster from behind an http forward proxy ("corporate proxy"). To do so, you will need to configure the `egressProxy` for the cluster.
It is possible to launch a Kubernetes cluster from behind an http forward proxy ("corporate proxy"). To do so, you will need to configure the `egressProxy` for the cluster.
It is assumed the proxy is already existing. If you want a private topology on AWS, for example, with an proxy instead of a NAT instance, you'll need to create the proxy yourself. See [Running in a shared VPC](run_in_existing_vpc.md).


@ -129,8 +129,8 @@ So the procedure is:
* `kops edit ig nodes`
* Remove two of the subnets, e.g. `eu-central-1b` and `eu-central-1c`
* Alternatively you can also delete the existing IG and create a new one with a more suitable name
* `kops create ig nodes-eu-central-1b --subnet us-central-1b`
* `kops create ig nodes-eu-central-1c --subnet us-central-1c`
* `kops create ig nodes-eu-central-1b --subnet eu-central-1b`
* `kops create ig nodes-eu-central-1c --subnet eu-central-1c`
* Preview: `kops update cluster <clustername>`
* Apply: `kops update cluster <clustername> --yes`
* Rolling update to update existing instances: `kops rolling-update cluster --yes`


@ -1,6 +1,6 @@
Release 1.8.1 is a small patch release, which updates network plugins, but also tolerates a new schema
file that will be added in kops 1.9.0. This will provide a downgrade option from kops 1.9.0.
* Ignore keyset.yaml files; provides a downgrade option from (upcoming) kops 1.9.0
* Ignore keyset.yaml files; provide a downgrade option from (upcoming) kops 1.9.0
* Update flannel, weave, romana, kopeio-networking, calico, canal
* Stop passing deprecated require-kubeconfig flag for kubernetes >= 1.9


@ -8,7 +8,7 @@ We'll assume you have a working cluster - if not, you probably want to read [how
## Changing the number of nodes
If you `kops get ig` you should see that you have instance groups for your nodes and for your master:
If you `kops get ig` you should see that you have InstanceGroups for your nodes and for your master:
```
> kops get ig
@ -17,9 +17,9 @@ master-us-central1-a Master n1-standard-1 1 1 us-central1
nodes Node n1-standard-2 2 2 us-central1
```
Let's change the number of nodes to 3. We'll edit the instancegroup configuration using `kops edit` (which
Let's change the number of nodes to 3. We'll edit the InstanceGroup configuration using `kops edit` (which
should be very familiar to you if you've used `kubectl edit`). `kops edit ig nodes` will open
the instancegroup in your editor, looking a bit like this:
the InstanceGroup in your editor, looking a bit like this:
```
apiVersion: kops/v1alpha2
@ -183,4 +183,4 @@ nodes-wbb2 Ready 5m v1.7.2 35.194.56.129 Contai
```
Next steps: learn how to perform cluster-wide operations, like [upgrading kubernetes](upgrading-kubernetes.md).
Next steps: learn how to perform cluster-wide operations, like [upgrading kubernetes](upgrading-kubernetes.md).


@ -17,7 +17,7 @@ chmod +x ./kops
sudo mv ./kops /usr/local/bin/
```
You can also rerun rerun [these steps](development/building.md) if previously built from source.
You can also rerun [these steps](development/building.md) if previously built from source.
## Linux
@ -30,4 +30,4 @@ chmod +x ./kops
sudo mv ./kops /usr/local/bin/
```
You can also rerun rerun [these steps](development/building.md) if previously built from source.
You can also rerun [these steps](development/building.md) if previously built from source.


@ -123,6 +123,7 @@ k8s.io/kops/protokube/pkg/gossip/gce
k8s.io/kops/protokube/pkg/gossip/mesh
k8s.io/kops/protokube/pkg/protokube
k8s.io/kops/protokube/tests/integration/build_etcd_manifest
k8s.io/kops/tests
k8s.io/kops/tests/codecs
k8s.io/kops/tests/integration/channel
k8s.io/kops/tests/integration/conversion


@ -69,7 +69,7 @@ func BuildKubecfg(cluster *kops.Cluster, keyStore fi.Keystore, secretStore fi.Se
b.Context = clusterName
{
cert, _, err := keyStore.FindKeypair(fi.CertificateId_CA)
cert, _, _, err := keyStore.FindKeypair(fi.CertificateId_CA)
if err != nil {
return nil, fmt.Errorf("error fetching CA keypair: %v", err)
}
@ -84,7 +84,7 @@ func BuildKubecfg(cluster *kops.Cluster, keyStore fi.Keystore, secretStore fi.Se
}
{
cert, key, err := keyStore.FindKeypair("kubecfg")
cert, key, _, err := keyStore.FindKeypair("kubecfg")
if err != nil {
return nil, fmt.Errorf("error fetching kubecfg keypair: %v", err)
}


@ -235,6 +235,7 @@ func (b *NetworkModelBuilder) Build(c *fi.ModelBuilderContext) error {
AssociatedRouteTable: b.LinkToPrivateRouteTableInZone(zone),
// If we're here, it means this NatGateway was specified, so we are Shared
Shared: fi.Bool(true),
Tags: b.CloudTags(zone+"."+b.ClusterName(), true),
}
c.AddTask(ngw)
@ -276,6 +277,7 @@ func (b *NetworkModelBuilder) Build(c *fi.ModelBuilderContext) error {
Subnet: utilitySubnet,
ElasticIP: eip,
AssociatedRouteTable: b.LinkToPrivateRouteTableInZone(zone),
Tags: b.CloudTags(zone+"."+b.ClusterName(), false),
}
c.AddTask(ngw)
}


@ -20,6 +20,7 @@ import (
"fmt"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/kops/pkg/apis/kops"
"k8s.io/kops/pkg/tokens"
"k8s.io/kops/upup/pkg/fi"
"k8s.io/kops/upup/pkg/fi/fitasks"
@ -34,15 +35,21 @@ type PKIModelBuilder struct {
var _ fi.ModelBuilder = &PKIModelBuilder{}
// Build is responsible for generating the various pki assets
// Build is responsible for generating the various pki assets.
func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
// Note: the fitasks.Keypair structs are created with a Format that == fitasks.KeypairType
// to denote that these tasks are using the newer Keypar API Type. This value is used
// to upgrade a legacy Keypair to the newer Keypair API object.
// TODO: Only create the CA via this task
defaultCA := &fitasks.Keypair{
Name: fi.String(fi.CertificateId_CA),
Lifecycle: b.Lifecycle,
Subject: "cn=kubernetes",
Type: "ca",
Format: string(kops.SecretTypeKeypair),
}
c.AddTask(defaultCA)
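Review bot: `Format: string(kops.SecretTypeKeypair)` is now repeated verbatim in every Keypair literal of this file (here and in each later hunk of the section), which is easy to forget for the next task someone adds; a small local constructor that presets Name, Lifecycle and Format, e.g. `newKeypair := func(name string) *fitasks.Keypair { return &fitasks.Keypair{Name: fi.String(name), Lifecycle: b.Lifecycle, Format: string(kops.SecretTypeKeypair)} }`, would keep the default in one place. The new comment above defaultCA has a typo: `Keypar API Type` should read `Keypair API Type`. The added import `k8s.io/kops/pkg/tokens` is not referenced in any visible hunk; presumably it is used further down the file, otherwise the package will not compile. Build's body continues beyond this hunk.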
@ -55,6 +62,8 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
Subject: "o=" + user.NodesGroup + ",cn=kubelet",
Type: "client",
Signer: defaultCA,
Format: string(kops.SecretTypeKeypair),
}
c.AddTask(t)
}
@ -68,6 +77,8 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
Subject: "cn=kubelet-api",
Type: "client",
Signer: defaultCA,
Format: string(kops.SecretTypeKeypair),
})
}
{
@ -77,6 +88,8 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
Subject: "cn=" + user.KubeScheduler,
Type: "client",
Signer: defaultCA,
Format: string(kops.SecretTypeKeypair),
}
c.AddTask(t)
}
@ -88,6 +101,8 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
Subject: "cn=" + user.KubeProxy,
Type: "client",
Signer: defaultCA,
Format: string(kops.SecretTypeKeypair),
}
c.AddTask(t)
}
@ -99,6 +114,8 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
Subject: "cn=" + user.KubeControllerManager,
Type: "client",
Signer: defaultCA,
Format: string(kops.SecretTypeKeypair),
}
c.AddTask(t)
}
@ -118,6 +135,8 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
Subject: "cn=etcd",
Type: "clientServer",
Signer: defaultCA,
Format: string(kops.SecretTypeKeypair),
})
c.AddTask(&fitasks.Keypair{
Name: fi.String("etcd-client"),
@ -125,6 +144,8 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
Subject: "cn=etcd-client",
Type: "client",
Signer: defaultCA,
Format: string(kops.SecretTypeKeypair),
})
// @check if calico is enabled as the CNI provider
@ -135,6 +156,8 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
Subject: "cn=calico-client",
Type: "client",
Signer: defaultCA,
Format: string(kops.SecretTypeKeypair),
})
}
}
@ -145,6 +168,8 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
Subject: "cn=" + "system:kube-router",
Type: "client",
Signer: defaultCA,
Format: string(kops.SecretTypeKeypair),
}
c.AddTask(t)
}
@ -156,6 +181,8 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
Subject: "o=" + user.SystemPrivilegedGroup + ",cn=kubecfg",
Type: "client",
Signer: defaultCA,
Format: string(kops.SecretTypeKeypair),
}
c.AddTask(t)
}
@ -167,6 +194,8 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
Subject: "cn=apiserver-proxy-client",
Type: "client",
Signer: defaultCA,
Format: string(kops.SecretTypeKeypair),
}
c.AddTask(t)
}
@ -177,6 +206,8 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
Lifecycle: b.Lifecycle,
Subject: "cn=apiserver-aggregator-ca",
Type: "ca",
Format: string(kops.SecretTypeKeypair),
}
c.AddTask(aggregatorCA)
@ -187,6 +218,8 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
Subject: "cn=aggregator",
Type: "client",
Signer: aggregatorCA,
Format: string(kops.SecretTypeKeypair),
}
c.AddTask(aggregator)
}
@ -199,6 +232,8 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
Subject: "o=" + user.SystemPrivilegedGroup + ",cn=kops",
Type: "client",
Signer: defaultCA,
Format: string(kops.SecretTypeKeypair),
}
c.AddTask(t)
}
@ -236,6 +271,8 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
Type: "server",
AlternateNames: alternateNames,
Signer: defaultCA,
Format: string(kops.SecretTypeKeypair),
}
c.AddTask(t)
}


@ -700,10 +700,10 @@ func ListKeypairs(cloud fi.Cloud, clusterName string) ([]*Resource, error) {
keypairName := "kubernetes." + clusterName
glog.V(2).Infof("Listing EC2 Keypairs")
request := &ec2.DescribeKeyPairsInput{
// We need to match both the name and a prefix
//Filters: []*ec2.Filter{awsup.NewEC2Filter("key-name", keypairName)},
}
// TODO: We need to match both the name and a prefix
// TODO: usee 'Filters: []*ec2.Filter{awsup.NewEC2Filter("key-name", keypairName)},'
request := &ec2.DescribeKeyPairsInput{}
response, err := c.EC2().DescribeKeyPairs(request)
if err != nil {
return nil, fmt.Errorf("error listing KeyPairs: %v", err)
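Review bot: The rewritten TODO has a typo, `usee` for `use`, and the request it describes is now an unfiltered DescribeKeyPairs that returns every key pair in the account, with the name/prefix match presumably done client-side further down ListKeypairs (outside the hunk). EC2 filter values accept `*` wildcards, so `Filters: []*ec2.Filter{awsup.NewEC2Filter("key-name", keypairName+"*")}` would match both the exact name and the prefixed variants server-side, provided the client-side match has the same semantics; it would also give `keypairName` on the line above a real use at this point. Suggested comment in place of the two TODO lines: `// TODO: match both the exact name and the prefix server-side, e.g. awsup.NewEC2Filter("key-name", keypairName+"*")`.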

12
tests/BUILD.bazel Normal file

@ -0,0 +1,12 @@
load("@io_bazel_rules_go//go:def.bzl", "go_test")
go_test(
name = "go_default_test",
srcs = ["keypair_test.go"],
deps = [
"//pkg/apis/kops:go_default_library",
"//upup/pkg/fi:go_default_library",
"//upup/pkg/fi/fitasks:go_default_library",
"//util/pkg/vfs:go_default_library",
],
)


@ -375,6 +375,12 @@ resource "aws_launch_configuration" "nodes-bastionuserdata-example-com" {
resource "aws_nat_gateway" "us-test-1a-bastionuserdata-example-com" {
allocation_id = "${aws_eip.us-test-1a-bastionuserdata-example-com.id}"
subnet_id = "${aws_subnet.utility-us-test-1a-bastionuserdata-example-com.id}"
tags = {
KubernetesCluster = "bastionuserdata.example.com"
Name = "us-test-1a.bastionuserdata.example.com"
"kubernetes.io/cluster/bastionuserdata.example.com" = "owned"
}
}
resource "aws_route" "0-0-0-0--0" {


@ -31,6 +31,12 @@ resource "aws_internet_gateway" "privateweave-example-com" {
resource "aws_nat_gateway" "us-test-1a-privateweave-example-com" {
allocation_id = "${aws_eip.us-test-1a-privateweave-example-com.id}"
subnet_id = "${aws_subnet.utility-us-test-1a-privateweave-example-com.id}"
tags = {
KubernetesCluster = "privateweave.example.com"
Name = "us-test-1a.privateweave.example.com"
"kubernetes.io/cluster/privateweave.example.com" = "owned"
}
}
resource "aws_route" "0-0-0-0--0" {


@ -374,6 +374,12 @@ resource "aws_launch_configuration" "nodes-privatecalico-example-com" {
resource "aws_nat_gateway" "us-test-1a-privatecalico-example-com" {
allocation_id = "${aws_eip.us-test-1a-privatecalico-example-com.id}"
subnet_id = "${aws_subnet.utility-us-test-1a-privatecalico-example-com.id}"
tags = {
KubernetesCluster = "privatecalico.example.com"
Name = "us-test-1a.privatecalico.example.com"
"kubernetes.io/cluster/privatecalico.example.com" = "owned"
}
}
resource "aws_route" "0-0-0-0--0" {


@ -374,6 +374,12 @@ resource "aws_launch_configuration" "nodes-privatecanal-example-com" {
resource "aws_nat_gateway" "us-test-1a-privatecanal-example-com" {
allocation_id = "${aws_eip.us-test-1a-privatecanal-example-com.id}"
subnet_id = "${aws_subnet.utility-us-test-1a-privatecanal-example-com.id}"
tags = {
KubernetesCluster = "privatecanal.example.com"
Name = "us-test-1a.privatecanal.example.com"
"kubernetes.io/cluster/privatecanal.example.com" = "owned"
}
}
resource "aws_route" "0-0-0-0--0" {


@ -374,6 +374,12 @@ resource "aws_launch_configuration" "nodes-privatedns1-example-com" {
resource "aws_nat_gateway" "us-test-1a-privatedns1-example-com" {
allocation_id = "${aws_eip.us-test-1a-privatedns1-example-com.id}"
subnet_id = "${aws_subnet.utility-us-test-1a-privatedns1-example-com.id}"
tags = {
KubernetesCluster = "privatedns1.example.com"
Name = "us-test-1a.privatedns1.example.com"
"kubernetes.io/cluster/privatedns1.example.com" = "owned"
}
}
resource "aws_route" "0-0-0-0--0" {


@ -364,6 +364,12 @@ resource "aws_launch_configuration" "nodes-privatedns2-example-com" {
resource "aws_nat_gateway" "us-test-1a-privatedns2-example-com" {
allocation_id = "${aws_eip.us-test-1a-privatedns2-example-com.id}"
subnet_id = "${aws_subnet.utility-us-test-1a-privatedns2-example-com.id}"
tags = {
KubernetesCluster = "privatedns2.example.com"
Name = "us-test-1a.privatedns2.example.com"
"kubernetes.io/cluster/privatedns2.example.com" = "owned"
}
}
resource "aws_route" "0-0-0-0--0" {


@ -374,6 +374,12 @@ resource "aws_launch_configuration" "nodes-privateflannel-example-com" {
resource "aws_nat_gateway" "us-test-1a-privateflannel-example-com" {
allocation_id = "${aws_eip.us-test-1a-privateflannel-example-com.id}"
subnet_id = "${aws_subnet.utility-us-test-1a-privateflannel-example-com.id}"
tags = {
KubernetesCluster = "privateflannel.example.com"
Name = "us-test-1a.privateflannel.example.com"
"kubernetes.io/cluster/privateflannel.example.com" = "owned"
}
}
resource "aws_route" "0-0-0-0--0" {


@ -374,6 +374,12 @@ resource "aws_launch_configuration" "nodes-privateweave-example-com" {
resource "aws_nat_gateway" "us-test-1a-privateweave-example-com" {
allocation_id = "${aws_eip.us-test-1a-privateweave-example-com.id}"
subnet_id = "${aws_subnet.utility-us-test-1a-privateweave-example-com.id}"
tags = {
KubernetesCluster = "privateweave.example.com"
Name = "us-test-1a.privateweave.example.com"
"kubernetes.io/cluster/privateweave.example.com" = "owned"
}
}
resource "aws_route" "0-0-0-0--0" {

254
tests/keypair_test.go Normal file

@ -0,0 +1,254 @@
/*
Copyright 2018 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
/*
Copyright 2018 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package tests
import (
"bytes"
"math/big"
"reflect"
"sort"
"testing"
"time"
"k8s.io/kops/pkg/apis/kops"
"k8s.io/kops/upup/pkg/fi"
"k8s.io/kops/upup/pkg/fi/fitasks"
"k8s.io/kops/util/pkg/vfs"
)
type MockTarget struct {
}
func (t *MockTarget) Finish(taskMap map[string]fi.Task) error {
return nil
}
func (t *MockTarget) ProcessDeletions() bool {
return false
}
var _ fi.Target = &MockTarget{}
// Verifies that we regenerate keyset.yaml if they are deleted, which covers the upgrade scenario from kops 1.8 -> kops 1.9
func TestKeypairUpgrade(t *testing.T) {
lifecycle := fi.LifecycleSync
defaultDeadline := 2 * time.Second
target := &MockTarget{}
cluster := &kops.Cluster{}
vfs.Context.ResetMemfsContext(true)
basedir, err := vfs.Context.BuildVfsPath("memfs://keystore")
if err != nil {
t.Fatalf("error building vfs path: %v", err)
}
keystore := fi.NewVFSCAStore(cluster, basedir, true)
// Generate predictable sequence numbers for testing
var n int64
keystore.SerialGenerator = func() *big.Int {
n++
return big.NewInt(n)
}
// We define a function so we can rebuild the tasks, because we modify in-place when running
buildTasks := func() map[string]fi.Task {
ca := &fitasks.Keypair{
Name: fi.String(fi.CertificateId_CA),
Lifecycle: &lifecycle,
Subject: "cn=kubernetes",
Type: "ca",
Format: string(kops.SecretTypeKeypair),
}
kubelet := &fitasks.Keypair{
Name: fi.String("kubelet"),
Lifecycle: &lifecycle,
Subject: "o=nodes,cn=kubelet",
Type: "client",
Signer: ca,
Format: string(kops.SecretTypeKeypair),
}
tasks := make(map[string]fi.Task)
tasks["ca"] = ca
tasks["kubelet"] = kubelet
return tasks
}
t.Logf("Building some keypairs")
{
allTasks := buildTasks()
context, err := fi.NewContext(target, nil, nil, keystore, nil, nil, true, allTasks)
if err != nil {
t.Fatalf("error building context: %v", err)
}
if err := context.RunTasks(defaultDeadline); err != nil {
t.Fatalf("unexpected error during Run: %v", err)
}
}
// Check that the expected files were generated
expected := []string{
"memfs://keystore/issued/ca/1.crt",
"memfs://keystore/issued/ca/keyset.yaml",
"memfs://keystore/issued/kubelet/2.crt",
"memfs://keystore/issued/kubelet/keyset.yaml",
"memfs://keystore/private/ca/1.key",
"memfs://keystore/private/ca/keyset.yaml",
"memfs://keystore/private/kubelet/2.key",
"memfs://keystore/private/kubelet/keyset.yaml",
}
checkPaths(t, basedir, expected)
// Save the contents of those files
contents := make(map[string][]byte)
for _, k := range expected {
p, err := vfs.Context.BuildVfsPath(k)
if err != nil {
t.Fatalf("error building vfs path: %v", err)
}
b, err := p.ReadFile()
if err != nil {
t.Fatalf("error reading vfs path: %v", err)
}
contents[k] = b
}
t.Logf("verifying that rerunning tasks does not change keys")
{
allTasks := buildTasks()
context, err := fi.NewContext(target, nil, nil, keystore, nil, nil, true, allTasks)
if err != nil {
t.Fatalf("error building context: %v", err)
}
if err := context.RunTasks(defaultDeadline); err != nil {
t.Fatalf("unexpected error during Run: %v", err)
}
}
checkContents(t, basedir, contents)
t.Logf("deleting keyset.yaml files and verifying they are recreated")
FailOnError(t, basedir.Join("issued/ca/keyset.yaml").Remove())
FailOnError(t, basedir.Join("issued/kubelet/keyset.yaml").Remove())
FailOnError(t, basedir.Join("private/ca/keyset.yaml").Remove())
FailOnError(t, basedir.Join("private/kubelet/keyset.yaml").Remove())
{
allTasks := buildTasks()
context, err := fi.NewContext(target, nil, nil, keystore, nil, nil, true, allTasks)
if err != nil {
t.Fatalf("error building context: %v", err)
}
if err := context.RunTasks(defaultDeadline); err != nil {
t.Fatalf("unexpected error during Run: %v", err)
}
}
checkContents(t, basedir, contents)
}
// FailOnError calls t.Fatalf if err != nil
func FailOnError(t *testing.T, err error) {
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
}
// checkPaths verifies that the path names in the tree rooted at basedir are exactly as expected
// Unlike checkContents, it only verifies the names, not the contents
func checkPaths(t *testing.T, basedir vfs.Path, expected []string) {
paths, err := basedir.ReadTree()
if err != nil {
t.Errorf("ReadTree failed: %v", err)
}
var actual []string
for _, p := range paths {
actual = append(actual, p.Path())
}
sort.Strings(actual)
if !reflect.DeepEqual(actual, expected) {
t.Fatalf("unexpected paths: %v", actual)
}
}
// checkPaths verifies that the files and their contents in the tree rooted at basedir are exactly as expected
func checkContents(t *testing.T, basedir vfs.Path, expected map[string][]byte) {
paths, err := basedir.ReadTree()
if err != nil {
t.Errorf("ReadTree failed: %v", err)
}
actual := make(map[string][]byte)
for _, p := range paths {
b, err := p.ReadFile()
if err != nil {
t.Fatalf("error reading vfs path: %v", err)
}
actual[p.Path()] = b
}
var actualKeys []string
for k := range actual {
actualKeys = append(actualKeys, k)
}
sort.Strings(actualKeys)
var expectedKeys []string
for k := range expected {
expectedKeys = append(expectedKeys, k)
}
sort.Strings(expectedKeys)
if !reflect.DeepEqual(actualKeys, expectedKeys) {
t.Fatalf("unexpected paths: %v", actualKeys)
}
if !reflect.DeepEqual(actual, expected) {
for k := range actual {
if !bytes.Equal(actual[k], expected[k]) {
t.Logf("mismatch on key %q", k)
}
}
t.Fatalf("unexpected path contents: %v", actual)
}
}
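Review bot: `checkPaths` and `checkContents` report a `ReadTree` failure with `t.Errorf` and then keep going, so the real error is followed by a misleading `unexpected paths: []` fatal from the comparison below; `t.Fatalf("ReadTree failed: %v", err)` in both places stops at the cause. The Apache license header is pasted twice at the top of the file. The comment on `checkContents` reads `// checkPaths verifies ...`; it should name `checkContents`, e.g. `// checkContents verifies that the files and their contents in the tree rooted at basedir are exactly as expected.`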


@ -43,8 +43,11 @@ type KeystoreItem struct {
// Keystore contains just the functions we need to issue keypairs, not to list / manage them
type Keystore interface {
// FindKeypair finds a cert & private key, returning nil where either is not found
// (if the certificate is found but not keypair, that is not an error: only the cert will be returned)
FindKeypair(name string) (*pki.Certificate, *pki.PrivateKey, error)
// (if the certificate is found but not keypair, that is not an error: only the cert will be returned).
// This func returns a cert, private key and a string. The string value is the Format of the keystore which is either
// an empty string, which denotes a Legacy Keypair, or a value of "Keypair". This string is used by a keypair
// task convert a Legacy Keypair to the new Keypair API format.
FindKeypair(name string) (*pki.Certificate, *pki.PrivateKey, string, error)
CreateKeypair(signer string, name string, template *x509.Certificate, privateKey *pki.PrivateKey) (*pki.Certificate, error)
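Review bot: The new doc comment on FindKeypair is missing a word: `This string is used by a keypair task to convert a Legacy Keypair to the new Keypair API format.` Beyond wording, the format is a stringly-typed return whose only legal values are the empty string and the value of `kops.SecretTypeKeypair`; returning the named type that `kops.SecretTypeKeypair` and `o.Spec.Type` already have would let the compiler catch mismatches and remove the `string(...)` conversions this commit adds at every implementation and call site. Keystore is an interface, so the change ripples to all implementations in this commit, which is the moment to pick the type.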


@ -85,7 +85,7 @@ func (c *ClientsetCAStore) readCAKeypairs(id string) (*keyset, error) {
return cached, nil
}
keyset, err := c.loadKeyset(id)
keyset, _, err := c.loadKeyset(id)
if err != nil {
return nil, err
}
@ -133,7 +133,7 @@ type keysetItem struct {
privateKey *pki.PrivateKey
}
func parseKeyset(o *kops.Keyset) (*keyset, error) {
func parseKeyset(o *kops.Keyset) (*keyset, string, error) {
name := o.Name
keyset := &keyset{
@ -148,7 +148,7 @@ func parseKeyset(o *kops.Keyset) (*keyset, error) {
cert, err := pki.ParsePEMCertificate(key.PublicMaterial)
if err != nil {
glog.Warningf("key public material was %s", key.PublicMaterial)
return nil, fmt.Errorf("error loading certificate %s/%s: %v", name, key.Id, err)
return nil, "", fmt.Errorf("error loading certificate %s/%s: %v", name, key.Id, err)
}
ki.certificate = cert
}
@ -156,7 +156,7 @@ func parseKeyset(o *kops.Keyset) (*keyset, error) {
if len(key.PrivateMaterial) != 0 {
privateKey, err := pki.ParsePEMPrivateKey(key.PrivateMaterial)
if err != nil {
return nil, fmt.Errorf("error loading private key %s/%s: %v", name, key.Id, err)
return nil, "", fmt.Errorf("error loading private key %s/%s: %v", name, key.Id, err)
}
ki.privateKey = privateKey
}
@ -166,17 +166,20 @@ func parseKeyset(o *kops.Keyset) (*keyset, error) {
keyset.primary = keyset.findPrimary()
return keyset, nil
// This value == Keypair when using the API Keyset. When the keyset is a legacy value the o.Spec.Type value is
// not set. The keypair task is using this value to upgrade legacy keysets to keysets that use the API.
keypairType := string(o.Spec.Type)
return keyset, keypairType, nil
}
// loadKeyset gets the named keyset
func (c *ClientsetCAStore) loadKeyset(name string) (*keyset, error) {
// loadKeyset gets the named keyset and the format of the Keyset.
func (c *ClientsetCAStore) loadKeyset(name string) (*keyset, string, error) {
o, err := c.clientset.Keysets(c.namespace).Get(name, v1.GetOptions{})
if err != nil {
if errors.IsNotFound(err) {
return nil, nil
return nil, "", nil
}
return nil, fmt.Errorf("error reading keyset %q: %v", name, err)
return nil, "", fmt.Errorf("error reading keyset %q: %v", name, err)
}
return parseKeyset(o)
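Review bot: The new doc comment on loadKeyset does not state the not-found contract that FindKeypair, FindCert and the other callers in this section rely on: `return nil, "", nil` when the Keyset is absent, and a keyset with an empty format when Spec.Type is unset. Suggested wording: `// loadKeyset gets the named keyset and its format (the Keyset's Spec.Type, empty for a legacy keyset). Returns (nil, "", nil) if no such keyset exists.` The same undocumented not-found return appears in loadKeysetBundle in the VFSCAStore section of this commit.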
@ -186,6 +189,7 @@ func (c *ClientsetCAStore) loadKeyset(name string) (*keyset, error) {
func (k *keyset) findPrimary() *keysetItem {
var primary *keysetItem
var primaryVersion *big.Int
for _, item := range k.items {
version, ok := big.NewInt(0).SetString(item.id, 10)
if !ok {
@ -236,22 +240,22 @@ func (c *ClientsetCAStore) CertificatePool(id string, createIfMissing bool) (*Ce
}
// FindKeypair implements CAStore::FindKeypair
func (c *ClientsetCAStore) FindKeypair(name string) (*pki.Certificate, *pki.PrivateKey, error) {
keyset, err := c.loadKeyset(name)
func (c *ClientsetCAStore) FindKeypair(name string) (*pki.Certificate, *pki.PrivateKey, string, error) {
keyset, keysetType, err := c.loadKeyset(name)
if err != nil {
return nil, nil, err
return nil, nil, "", err
}
if keyset != nil && keyset.primary != nil {
return keyset.primary.certificate, keyset.primary.privateKey, nil
return keyset.primary.certificate, keyset.primary.privateKey, keysetType, nil
}
return nil, nil, nil
return nil, nil, "", nil
}
// FindCert implements CAStore::FindCert
func (c *ClientsetCAStore) FindCert(name string) (*pki.Certificate, error) {
keyset, err := c.loadKeyset(name)
keyset, _, err := c.loadKeyset(name)
if err != nil {
return nil, err
}
@ -266,7 +270,7 @@ func (c *ClientsetCAStore) FindCert(name string) (*pki.Certificate, error) {
// FindCertificatePool implements CAStore::FindCertificatePool
func (c *ClientsetCAStore) FindCertificatePool(name string) (*CertificatePool, error) {
keyset, err := c.loadKeyset(name)
keyset, _, err := c.loadKeyset(name)
if err != nil {
return nil, err
}
@ -388,7 +392,7 @@ func (c *ClientsetCAStore) storeAndVerifyKeypair(name string, cert *pki.Certific
}
// Make double-sure it round-trips
keyset, err := c.loadKeyset(name)
keyset, _, err := c.loadKeyset(name)
if err != nil {
return nil, fmt.Errorf("error fetching stored certificate: %v", err)
}
@ -427,7 +431,7 @@ func (c *ClientsetCAStore) AddCert(name string, cert *pki.Certificate) error {
// FindPrivateKey implements CAStore::FindPrivateKey
func (c *ClientsetCAStore) FindPrivateKey(name string) (*pki.PrivateKey, error) {
keyset, err := c.loadKeyset(name)
keyset, _, err := c.loadKeyset(name)
if err != nil {
return nil, err
}


@ -42,6 +42,9 @@ type NatGateway struct {
// Shared is set if this is a shared NatGateway
Shared *bool
// Tags is a map of aws tags that are added to the NatGateway
Tags map[string]string
// We can't tag NatGateways, so we have to find through a surrogate
AssociatedRouteTable *RouteTable
}
@ -107,10 +110,13 @@ func (e *NatGateway) Find(c *fi.Context) (*NatGateway, error) {
return nil, fmt.Errorf("found multiple elastic IPs attached to NatGateway %q", aws.StringValue(ngw.NatGatewayId))
}
// NATGateways don't have a Name (no tags), so we set the name to avoid spurious changes
actual.Name = e.Name
// NATGateways now have names and tags so lets pull from there instead.
actual.Name = findNameTag(ngw.Tags)
actual.Tags = intersectTags(ngw.Tags, e.Tags)
actual.Lifecycle = e.Lifecycle
actual.Shared = e.Shared
actual.AssociatedRouteTable = e.AssociatedRouteTable
e.ID = actual.ID
@ -303,6 +309,11 @@ func (_ *NatGateway) RenderAWS(t *awsup.AWSAPITarget, a, e, changes *NatGateway)
id = a.ID
}
err := t.AddAWSTags(*e.ID, e.Tags)
if err != nil {
return fmt.Errorf("unable to tag NatGateway")
}
// Tag the associated subnet
if e.Subnet == nil {
return fmt.Errorf("Subnet not set")
@ -313,7 +324,7 @@ func (_ *NatGateway) RenderAWS(t *awsup.AWSAPITarget, a, e, changes *NatGateway)
// TODO: AssociatedNatgateway tag is obsolete - we can get from the route table instead
tags := make(map[string]string)
tags["AssociatedNatgateway"] = *id
err := t.AddAWSTags(*e.Subnet.ID, tags)
err = t.AddAWSTags(*e.Subnet.ID, tags)
if err != nil {
return fmt.Errorf("unable to tag subnet %v", err)
}
@ -340,6 +351,7 @@ func (_ *NatGateway) RenderAWS(t *awsup.AWSAPITarget, a, e, changes *NatGateway)
type terraformNATGateway struct {
AllocationID *terraform.Literal `json:"allocation_id,omitempty"`
SubnetID *terraform.Literal `json:"subnet_id,omitempty"`
Tag map[string]string `json:"tags,omitempty"`
}
func (_ *NatGateway) RenderTerraform(t *terraform.TerraformTarget, a, e, changes *NatGateway) error {
@ -355,6 +367,7 @@ func (_ *NatGateway) RenderTerraform(t *terraform.TerraformTarget, a, e, changes
tf := &terraformNATGateway{
AllocationID: e.ElasticIP.TerraformLink(),
SubnetID: e.Subnet.TerraformLink(),
Tag: e.Tags,
}
return t.RenderResource("aws_nat_gateway", *e.Name, tf)
@ -375,6 +388,7 @@ func (e *NatGateway) TerraformLink() *terraform.Literal {
type cloudformationNATGateway struct {
AllocationID *cloudformation.Literal `json:"AllocationId,omitempty"`
SubnetID *cloudformation.Literal `json:"SubnetId,omitempty"`
Tag map[string]string `json:"tags,omitempty"`
}
func (_ *NatGateway) RenderCloudformation(t *cloudformation.CloudformationTarget, a, e, changes *NatGateway) error {
@ -390,6 +404,7 @@ func (_ *NatGateway) RenderCloudformation(t *cloudformation.CloudformationTarget
tf := &cloudformationNATGateway{
AllocationID: e.ElasticIP.CloudformationAllocationID(),
SubnetID: e.Subnet.CloudformationLink(),
Tag: e.Tags,
}
return t.RenderResource("AWS::EC2::NatGateway", *e.Name, tf)
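Review bot: The `Tag` field with json tag "tags,omitempty" added to cloudformationNATGateway does not look like a valid CloudFormation property: the sibling keys are PascalCase (`AllocationId`, `SubnetId`) and, as far as I know, AWS::EC2::NatGateway takes `Tags` as a list of Key/Value objects rather than a map, so these tags will be rejected or ignored by CloudFormation; the Terraform struct's lowercase `tags` map is fine, but naming the field `Tags` in both structs would match the rest of the task. In RenderAWS, `err := t.AddAWSTags(*e.ID, e.Tags)` dereferences e.ID directly although the code immediately above falls back to `id = a.ID`, and the error message drops the cause; `err := t.AddAWSTags(*id, e.Tags)` with `return fmt.Errorf("unable to tag NatGateway %q: %v", *id, err)` fixes both. In Find, `actual.Name = findNameTag(ngw.Tags)` will be nil for a pre-existing shared gateway that kops never tagged, where the old code copied e.Name precisely to avoid spurious changes; worth confirming against a cluster with a user-supplied NAT gateway.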


@ -51,6 +51,9 @@ type Keypair struct {
Subject string `json:"subject"`
// Type the type of certificate i.e. CA, server, client etc
Type string `json:"type"`
// Format stores the api version of kops.Keyset. We are using this info in order to determine if kops
// is accessing legacy secrets that do not use keyset.yaml.
Format string `json:"keypairType"`
}
var _ fi.HasCheckExisting = &Keypair{}
@ -73,7 +76,7 @@ func (e *Keypair) Find(c *fi.Context) (*Keypair, error) {
return nil, nil
}
cert, key, err := c.Keystore.FindKeypair(name)
cert, key, keySetType, err := c.Keystore.FindKeypair(name)
if err != nil {
return nil, err
}
@ -97,6 +100,8 @@ func (e *Keypair) Find(c *fi.Context) (*Keypair, error) {
AlternateNames: alternateNames,
Subject: pkixNameToString(&cert.Subject),
Type: buildTypeDescription(cert.Certificate),
Format: keySetType,
}
actual.Signer = &Keypair{Subject: pkixNameToString(&cert.Certificate.Issuer)}
@ -173,14 +178,21 @@ func (_ *Keypair) Render(c *fi.Context, a, e, changes *Keypair) error {
createCertificate := false
if a == nil {
createCertificate = true
glog.V(8).Infof("creating brand new certificate")
} else if changes != nil {
glog.V(8).Infof("creating certificate as changes are not nil")
if changes.AlternateNames != nil {
createCertificate = true
glog.V(8).Infof("creating certificate new AlternateNames")
} else if changes.Subject != "" {
createCertificate = true
glog.V(8).Infof("creating certificate new Subject")
} else if changes.Type != "" {
createCertificate = true
} else {
glog.V(8).Infof("creating certificate new Type")
} else if a.Format != "" {
// We only want to log that we are ignoring the changes if we are not going to save a new
// keypair.yaml file. If a.Format is empty we are going to save a new keypar.yaml file.
glog.Warningf("Ignoring changes in key: %v", fi.DebugAsJsonString(changes))
}
}
@ -188,7 +200,7 @@ func (_ *Keypair) Render(c *fi.Context, a, e, changes *Keypair) error {
if createCertificate {
glog.V(2).Infof("Creating PKI keypair %q", name)
cert, privateKey, err := c.Keystore.FindKeypair(name)
cert, privateKey, _, err := c.Keystore.FindKeypair(name)
if err != nil {
return err
}
@ -197,6 +209,8 @@ func (_ *Keypair) Render(c *fi.Context, a, e, changes *Keypair) error {
// if we change keys we often have to regenerate e.g. the service accounts
// TODO: Eventually rotate keys / don't always reuse?
if privateKey == nil {
glog.V(2).Infof("Creating privateKey %q", name)
privateKey, err = pki.GeneratePrivateKey()
if err != nil {
return err
@ -207,12 +221,26 @@ func (_ *Keypair) Render(c *fi.Context, a, e, changes *Keypair) error {
if e.Signer != nil {
signer = fi.StringValue(e.Signer.Name)
}
cert, err = c.Keystore.CreateKeypair(signer, name, template, privateKey)
if err != nil {
return err
}
glog.V(8).Infof("created certificate %v", cert)
} else if a.Format == "" {
// The a.KeypairType will == "" when the keyset is a legacy keyset and does not have a keypair.yaml
// file API object in the state store
cert, privateKey, _, err := c.Keystore.FindKeypair(name)
if err != nil {
return err
}
err = c.Keystore.StoreKeypair(name, cert, privateKey)
if err != nil {
return err
}
glog.Infof("updated Legacy Keypair for: %q, to newer Keypair API format", name)
}
// TODO: Check correct subject / flags
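Review bot: In the new legacy-upgrade branch (`else if a.Format == ""`), `cert, privateKey, _, err := c.Keystore.FindKeypair(name)` is passed straight to `StoreKeypair` with no nil check, although the Keystore contract changed in this commit explicitly allows FindKeypair to return a certificate without a private key; how StoreKeypair handles a nil key is outside the hunk, so guard it, e.g. `if cert == nil || privateKey == nil { return fmt.Errorf("keypair %q is incomplete, cannot upgrade to Keypair format", name) }`. The branch's comment refers to `a.KeypairType` and a `keypair.yaml` file, but the field is `Format` and the bundle the store writes is `keyset.yaml` (the new test asserts that name); the `keypar.yaml` spelling in the warning branch above has the same problem. The struct field `Format` carries the json tag `keypairType`, so the serialized task diverges from the Go name; rename one so they agree. Render's body continues outside the hunk.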


@ -57,7 +57,7 @@ func (c *KubernetesKeystore) issueCert(signer string, id string, serial *big.Int
template.SerialNumber = serial
caCert, caKey, err := c.FindKeypair(signer)
caCert, caKey, _, err := c.FindKeypair(signer)
if err != nil {
return nil, err
}
@ -90,22 +90,25 @@ func (c *KubernetesKeystore) findSecret(id string) (*v1.Secret, error) {
return secret, nil
}
func (c *KubernetesKeystore) FindKeypair(id string) (*pki.Certificate, *pki.PrivateKey, error) {
func (c *KubernetesKeystore) FindKeypair(id string) (*pki.Certificate, *pki.PrivateKey, string, error) {
secret, err := c.findSecret(id)
if err != nil {
return nil, nil, err
return nil, nil, "", err
}
if secret == nil {
return nil, nil, nil
return nil, nil, "", nil
}
keypair, err := ParseKeypairSecret(secret)
if err != nil {
return nil, nil, fmt.Errorf("error parsing secret %s/%s from kubernetes: %v", c.namespace, id, err)
return nil, nil, "", fmt.Errorf("error parsing secret %s/%s from kubernetes: %v", c.namespace, id, err)
}
return keypair.Certificate, keypair.PrivateKey, nil
// This value is when using the API Keyset. When the keyset is a legacy value the secret.Type value is
// not set. The keypair task is using this value to upgrade legacy keysets to keysets that use the API.
keypairType := string(secret.Type)
return keypair.Certificate, keypair.PrivateKey, keypairType, nil
}
func (c *KubernetesKeystore) CreateKeypair(signer string, id string, template *x509.Certificate, privateKey *pki.PrivateKey) (*pki.Certificate, error) {
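Review bot: `keypairType := string(secret.Type)` returns a Kubernetes SecretType, not the Keyset format the rest of this commit compares against: the API server defaults an unset Secret.Type to Opaque, so the comment's claim that a legacy secret yields an empty string does not hold, and the Keypair task will see a non-empty value that is also not the Keypair format. If the intent is that Kubernetes-backed secrets never need the keyset.yaml upgrade path, return `string(kops.SecretTypeKeypair)` explicitly (importing the kops API package if this file does not already) and say so: `// Kubernetes-backed secrets have no legacy bundle to migrate; report the current Keypair format.` If a distinct marker is intended instead, compare against a defined constant rather than the secret type.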


@ -47,6 +47,10 @@ type VFSCAStore struct {
mutex sync.Mutex
cachedCAs map[string]*cachedEntry
// SerialGenerator is the function for generating certificate serial numbers
// It can be replaced for testing purposes.
SerialGenerator func() *big.Int
}
type cachedEntry struct {
@ -57,7 +61,7 @@ type cachedEntry struct {
var _ CAStore = &VFSCAStore{}
var _ SSHCredentialStore = &VFSCAStore{}
func NewVFSCAStore(cluster *kops.Cluster, basedir vfs.Path, allowList bool) CAStore {
func NewVFSCAStore(cluster *kops.Cluster, basedir vfs.Path, allowList bool) *VFSCAStore {
c := &VFSCAStore{
basedir: basedir,
cluster: cluster,
@ -65,6 +69,11 @@ func NewVFSCAStore(cluster *kops.Cluster, basedir vfs.Path, allowList bool) CASt
allowList: allowList,
}
c.SerialGenerator = func() *big.Int {
t := time.Now().UnixNano()
return pki.BuildPKISerial(t)
}
return c
}
@ -94,7 +103,7 @@ func (s *VFSCAStore) readCAKeypairs(id string) (*keyset, *keyset, error) {
return cached.certificates, cached.privateKeys, nil
}
caCertificates, err := s.loadCertificates(s.buildCertificatePoolPath(id), true)
caCertificates, _, err := s.loadCertificates(s.buildCertificatePoolPath(id), true)
if err != nil {
return nil, nil, err
}
@ -157,8 +166,7 @@ func (c *VFSCAStore) generateCACertificate(name string) (*keyset, *keyset, error
return nil, nil, err
}
t := time.Now().UnixNano()
serial := pki.BuildPKISerial(t).String()
serial := c.SerialGenerator().String()
err = c.storePrivateKey(name, &keysetItem{id: serial, privateKey: caPrivateKey})
if err != nil {
@ -180,7 +188,7 @@ func (c *VFSCAStore) generateCACertificate(name string) (*keyset, *keyset, error
}
// Make double-sure it round-trips
certificates, err := c.loadCertificates(c.buildCertificatePoolPath(name), true)
certificates, _, err := c.loadCertificates(c.buildCertificatePoolPath(name), true)
if err != nil {
return nil, nil, err
}
@ -233,27 +241,27 @@ func (c *VFSCAStore) parseKeysetYaml(data []byte) (*kops.Keyset, error) {
// loadCertificatesBundle loads a keyset from the path
// Returns (nil, nil) if the file is not found
// Bundles avoid the need for a list-files permission, which can be tricky on e.g. GCE
func (c *VFSCAStore) loadKeysetBundle(p vfs.Path) (*keyset, error) {
func (c *VFSCAStore) loadKeysetBundle(p vfs.Path) (*keyset, string, error) {
data, err := p.ReadFile()
if err != nil {
if os.IsNotExist(err) {
return nil, nil
return nil, "", nil
} else {
return nil, fmt.Errorf("unable to read bundle %q: %v", p, err)
return nil, "", fmt.Errorf("unable to read bundle %q: %v", p, err)
}
}
o, err := c.parseKeysetYaml(data)
if err != nil {
return nil, fmt.Errorf("error parsing bundle %q: %v", p, err)
return nil, "", fmt.Errorf("error parsing bundle %q: %v", p, err)
}
keyset, err := parseKeyset(o)
keyset, version, err := parseKeyset(o)
if err != nil {
return nil, fmt.Errorf("error mapping bundle %q: %v", p, err)
return nil, "", fmt.Errorf("error mapping bundle %q: %v", p, err)
}
return keyset, nil
return keyset, version, nil
}
func (k *keyset) ToAPIObject(name string, includePrivateKeyMaterial bool) (*kops.Keyset, error) {
@ -354,14 +362,14 @@ func SerializeKeyset(o *kops.Keyset) ([]byte, error) {
return objectData.Bytes(), nil
}
func (c *VFSCAStore) loadCertificates(p vfs.Path, useBundle bool) (*keyset, error) {
func (c *VFSCAStore) loadCertificates(p vfs.Path, useBundle bool) (*keyset, string, error) {
// Attempt to load prebuilt bundle, which avoids having to list files, which is a permission that can be hard to
// give on GCE / other clouds
if useBundle {
bundlePath := p.Join("keyset.yaml")
bundle, err := c.loadKeysetBundle(bundlePath)
bundle, version, err := c.loadKeysetBundle(bundlePath)
if !c.allowList {
return bundle, err
return bundle, version, err
}
if err != nil {
@ -369,7 +377,7 @@ func (c *VFSCAStore) loadCertificates(p vfs.Path, useBundle bool) (*keyset, erro
} else if bundle == nil {
glog.V(2).Infof("no certificate bundle %q, falling back to directory-list method", bundlePath)
} else {
return bundle, nil
return bundle, version, nil
}
}
@ -380,9 +388,9 @@ func (c *VFSCAStore) loadCertificates(p vfs.Path, useBundle bool) (*keyset, erro
files, err := p.ReadDir()
if err != nil {
if os.IsNotExist(err) {
return nil, nil
return nil, "", nil
}
return nil, err
return nil, "", err
}
for _, f := range files {
@ -395,7 +403,7 @@ func (c *VFSCAStore) loadCertificates(p vfs.Path, useBundle bool) (*keyset, erro
cert, err := c.loadOneCertificate(f)
if err != nil {
return nil, fmt.Errorf("error loading certificate %q: %v", f, err)
return nil, "", fmt.Errorf("error loading certificate %q: %v", f, err)
}
keyset.items[id] = &keysetItem{
@ -405,12 +413,12 @@ func (c *VFSCAStore) loadCertificates(p vfs.Path, useBundle bool) (*keyset, erro
}
if len(keyset.items) == 0 {
return nil, nil
return nil, "", nil
}
keyset.primary = keyset.findPrimary()
return keyset, nil
return keyset, "", nil
}
func (c *VFSCAStore) loadOneCertificate(p vfs.Path) (*pki.Certificate, error) {
@ -444,28 +452,25 @@ func (c *VFSCAStore) CertificatePool(id string, createIfMissing bool) (*Certific
}
func (c *VFSCAStore) FindKeypair(id string) (*pki.Certificate, *pki.PrivateKey, error) {
cert, err := c.FindCert(id)
func (c *VFSCAStore) FindKeypair(id string) (*pki.Certificate, *pki.PrivateKey, string, error) {
cert, keypairType, err := c.findCert(id)
if err != nil {
return nil, nil, err
return nil, nil, "", err
}
key, err := c.FindPrivateKey(id)
if err != nil {
return nil, nil, err
return nil, nil, "", err
}
return cert, key, nil
return cert, key, keypairType, nil
}
func (c *VFSCAStore) FindCert(name string) (*pki.Certificate, error) {
var certs *keyset
var err error
func (c *VFSCAStore) findCert(name string) (*pki.Certificate, string, error) {
p := c.buildCertificatePoolPath(name)
certs, err = c.loadCertificates(p, true)
certs, keypairType, err := c.loadCertificates(p, true)
if err != nil {
return nil, fmt.Errorf("error in 'FindCert' attempting to load cert %q: %v", name, err)
return nil, "", fmt.Errorf("error in 'FindCert' attempting to load cert %q: %v", name, err)
}
var cert *pki.Certificate
@ -473,7 +478,12 @@ func (c *VFSCAStore) FindCert(name string) (*pki.Certificate, error) {
cert = certs.primary.certificate
}
return cert, nil
return cert, keypairType, nil
}
func (c *VFSCAStore) FindCert(name string) (*pki.Certificate, error) {
cert, _, err := c.findCert(name)
return cert, err
}
func (c *VFSCAStore) FindCertificatePool(name string) (*CertificatePool, error) {
@ -481,7 +491,7 @@ func (c *VFSCAStore) FindCertificatePool(name string) (*CertificatePool, error)
var err error
p := c.buildCertificatePoolPath(name)
certs, err = c.loadCertificates(p, true)
certs, _, err = c.loadCertificates(p, true)
if err != nil {
return nil, fmt.Errorf("error in 'FindCertificatePool' attempting to load cert %q: %v", name, err)
}
@ -508,7 +518,7 @@ func (c *VFSCAStore) FindCertificatePool(name string) (*CertificatePool, error)
func (c *VFSCAStore) FindCertificateKeyset(name string) (*kops.Keyset, error) {
p := c.buildCertificatePoolPath(name)
certs, err := c.loadCertificates(p, true)
certs, _, err := c.loadCertificates(p, true)
if err != nil {
return nil, fmt.Errorf("error in 'FindCertificatePool' attempting to load cert %q: %v", name, err)
}
@ -805,7 +815,7 @@ func (c *VFSCAStore) loadPrivateKeys(p vfs.Path, useBundle bool) (*keyset, error
// give on GCE / other clouds
if useBundle {
bundlePath := p.Join("keyset.yaml")
bundle, err := c.loadKeysetBundle(bundlePath)
bundle, _, err := c.loadKeysetBundle(bundlePath)
if !c.allowList {
return bundle, err
@ -922,7 +932,7 @@ func (c *VFSCAStore) FindPrivateKeyset(name string) (*kops.Keyset, error) {
}
func (c *VFSCAStore) CreateKeypair(signer string, id string, template *x509.Certificate, privateKey *pki.PrivateKey) (*pki.Certificate, error) {
serial := c.buildSerial()
serial := c.SerialGenerator()
cert, err := c.IssueCert(signer, id, serial, privateKey, template)
if err != nil {
@ -982,7 +992,7 @@ func (c *VFSCAStore) storeCertificate(name string, ki *keysetItem) error {
// Write the bundle
{
p := c.buildCertificatePoolPath(name)
ks, err := c.loadCertificates(p, false)
ks, _, err := c.loadCertificates(p, false)
if err != nil {
return err
}
@ -1050,7 +1060,7 @@ func (c *VFSCAStore) deleteCertificate(name string, id string) (bool, error) {
// Update the bundle
{
p := c.buildPrivateKeyPoolPath(name)
ks, err := c.loadCertificates(p, false)
ks, _, err := c.loadCertificates(p, false)
if err != nil {
return false, err
}
@ -1075,11 +1085,6 @@ func (c *VFSCAStore) deleteCertificate(name string, id string) (bool, error) {
}
}
func (c *VFSCAStore) buildSerial() *big.Int {
t := time.Now().UnixNano()
return pki.BuildPKISerial(t)
}
// AddSSHPublicKey stores an SSH public key
func (c *VFSCAStore) AddSSHPublicKey(name string, pubkey []byte) error {
id, err := sshcredentials.Fingerprint(string(pubkey))
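Review bot: The new exported `SerialGenerator` field (hunk `@ -47,6 +47,10 @@`, consumed by `generateCACertificate` and `CreateKeypair` in later hunks of this section) is a mutable hook that any caller of the package can replace, yet its comment only says it can be swapped for testing and never states the contract a replacement must honour. Certificate serial numbers must be unique per issuing CA (duplicates break revocation handling and are rejected by some verifiers), so I would extend the field comment to `// SerialGenerator must return a serial that is unique for every certificate this store issues; override it only in tests, never in production code.` Whether the default `pki.BuildPKISerial(time.Now().UnixNano())` stays unique under concurrent issuance is not visible in this excerpt and is worth confirming too. Separately, the renamed `findCert` still reports `error in 'FindCert' ...`; `return nil, "", fmt.Errorf("error in 'findCert' attempting to load cert %q: %v", name, err)` keeps the message aligned with the function name. The file section may continue beyond the end of this excerpt.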