Move KubeletConfig into the NodeupConfig

nodeup/pkg/model/BUILD.bazel

@@ -63,7 +63,6 @@ go_library(
         "//util/pkg/architectures:go_default_library",
         "//util/pkg/exec:go_default_library",
         "//util/pkg/proxy:go_default_library",
-        "//util/pkg/reflectutils:go_default_library",
         "//util/pkg/vfs:go_default_library",
         "//vendor/github.com/aws/aws-sdk-go/aws:go_default_library",
         "//vendor/github.com/aws/aws-sdk-go/aws/ec2metadata:go_default_library",

nodeup/pkg/model/context.go

@@ -355,31 +355,9 @@ func (c *NodeupModelContext) UseBootstrapTokens() bool {
 	return c.Cluster.Spec.Kubelet != nil && c.Cluster.Spec.Kubelet.BootstrapKubeconfig != ""
 }
 
-// UseSecureKubelet checks if the kubelet api should be protected by a client certificate. Note: the settings are
-// in one of three section, master specific kubelet, cluster wide kubelet or the InstanceGroup. Though arguably is
-// doesn't make much sense to unset this on a per InstanceGroup level, but hey :)
+// UseSecureKubelet checks if the kubelet api should be protected by a client certificate.
 func (c *NodeupModelContext) UseSecureKubelet() bool {
-	cluster := &c.Cluster.Spec // just to shorten the typing
-	group := &c.InstanceGroup.Spec
-
-	// @check on the InstanceGroup itself
-	if group.Kubelet != nil && group.Kubelet.AnonymousAuth != nil && !*group.Kubelet.AnonymousAuth {
-		return true
-	}
-
-	// @check if we have anything specific to master kubelet
-	if c.IsMaster {
-		if cluster.MasterKubelet != nil && cluster.MasterKubelet.AnonymousAuth != nil && !*cluster.MasterKubelet.AnonymousAuth {
-			return true
-		}
-	}
-
-	// @check the default settings for master and kubelet
-	if cluster.Kubelet != nil && cluster.Kubelet.AnonymousAuth != nil && !*cluster.Kubelet.AnonymousAuth {
-		return true
-	}
-
-	return false
+	return c.NodeupConfig.KubeletConfig.AnonymousAuth != nil && !*c.NodeupConfig.KubeletConfig.AnonymousAuth
 }
 
 // KubectlPath returns distro based path for kubectl

nodeup/pkg/model/kubelet.go

@@ -38,7 +38,6 @@ import (
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/cloudup/awsup"
 	"k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
-	"k8s.io/kops/util/pkg/reflectutils"
 )
 
 const (
@@ -422,12 +421,7 @@ func (b *KubeletBuilder) buildKubeletConfigSpec() (*kops.KubeletConfigSpec, erro
 	isMaster := b.IsMaster
 
 	// Merge KubeletConfig for NodeLabels
-	c := &kops.KubeletConfigSpec{}
-	if isMaster {
-		reflectutils.JSONMergeStruct(c, b.Cluster.Spec.MasterKubelet)
-	} else {
-		reflectutils.JSONMergeStruct(c, b.Cluster.Spec.Kubelet)
-	}
+	c := b.NodeupConfig.KubeletConfig
 
 	// check if we are using secure kubelet <-> api settings
 	if b.UseSecureKubelet() {
@@ -486,15 +480,6 @@ func (b *KubeletBuilder) buildKubeletConfigSpec() (*kops.KubeletConfigSpec, erro
 
 		// Write back values that could have changed
 		c.MaxPods = &maxPods
-		if b.InstanceGroup.Spec.Kubelet != nil {
-			if b.InstanceGroup.Spec.Kubelet.MaxPods == nil {
-				b.InstanceGroup.Spec.Kubelet.MaxPods = &maxPods
-			}
-		}
-	}
-
-	if b.InstanceGroup.Spec.Kubelet != nil {
-		reflectutils.JSONMergeStruct(c, b.InstanceGroup.Spec.Kubelet)
 	}
 
 	// Use --register-with-taints
@@ -546,7 +531,7 @@ func (b *KubeletBuilder) buildKubeletConfigSpec() (*kops.KubeletConfigSpec, erro
 		c.NodeLabels = nodeLabels
 	}
 
-	return c, nil
+	return &c, nil
 }
 
 // buildMasterKubeletKubeconfig builds a kubeconfig for the master kubelet, self-signing the kubelet cert

pkg/apis/nodeup/BUILD.bazel

@@ -7,6 +7,8 @@ go_library(
     visibility = ["//visibility:public"],
     deps = [
         "//pkg/apis/kops:go_default_library",
+        "//upup/pkg/fi:go_default_library",
         "//util/pkg/architectures:go_default_library",
+        "//util/pkg/reflectutils:go_default_library",
     ],
 )

pkg/apis/nodeup/config.go

@@ -18,7 +18,9 @@ package nodeup
 
 import (
 	"k8s.io/kops/pkg/apis/kops"
+	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/util/pkg/architectures"
+	"k8s.io/kops/util/pkg/reflectutils"
 )
 
 // Config is the configuration for the nodeup binary
@@ -51,6 +53,8 @@ type Config struct {
 	// StaticManifests describes generic static manifests
 	// Using this allows us to keep complex logic out of nodeup
 	StaticManifests []*StaticManifest `json:"staticManifests,omitempty"`
+	// KubeletConfig defines the kubelet configuration.
+	KubeletConfig kops.KubeletConfigSpec
 	// SysctlParameters will configure kernel parameters using sysctl(8). When
 	// specified, each parameter must follow the form variable=value, the way
 	// it would appear in sysctl.conf.
@@ -78,9 +82,34 @@ type StaticManifest struct {
 }
 
 func NewConfig(cluster *kops.Cluster, instanceGroup *kops.InstanceGroup) *Config {
-	return &Config{
-		InstanceGroupRole: instanceGroup.Spec.Role,
+	role := instanceGroup.Spec.Role
+
+	config := Config{
+		InstanceGroupRole: role,
 		SysctlParameters:  instanceGroup.Spec.SysctlParameters,
 		VolumeMounts:      instanceGroup.Spec.VolumeMounts,
 	}
+
+	if role == kops.InstanceGroupRoleMaster {
+		reflectutils.JSONMergeStruct(&config.KubeletConfig, cluster.Spec.MasterKubelet)
+
+		// A few settings in Kubelet override those in MasterKubelet. I'm not sure why.
+		if cluster.Spec.Kubelet != nil && cluster.Spec.Kubelet.AnonymousAuth != nil && !*cluster.Spec.Kubelet.AnonymousAuth {
+			config.KubeletConfig.AnonymousAuth = fi.Bool(false)
+		}
+	} else {
+		reflectutils.JSONMergeStruct(&config.KubeletConfig, cluster.Spec.Kubelet)
+	}
+
+	if instanceGroup.Spec.Kubelet != nil {
+		useSecureKubelet := config.KubeletConfig.AnonymousAuth != nil && !*config.KubeletConfig.AnonymousAuth
+
+		reflectutils.JSONMergeStruct(&config.KubeletConfig, instanceGroup.Spec.Kubelet)
+
+		if useSecureKubelet {
+			config.KubeletConfig.AnonymousAuth = fi.Bool(false)
+		}
+	}
+
+	return &config
 }

pkg/model/bootstrapscript.go

@@ -281,7 +281,6 @@ func (b *BootstrapScript) Run(c *fi.Context) error {
 
 		"IGSpec": func() (string, error) {
 			spec := make(map[string]interface{})
-			spec["kubelet"] = b.ig.Spec.Kubelet
 			spec["nodeLabels"] = b.ig.Spec.NodeLabels
 			spec["taints"] = b.ig.Spec.Taints
 

upup/pkg/fi/nodeup/command.go

@@ -153,7 +153,7 @@ func (c *NodeUpCommand) Run(out io.Writer) error {
 		klog.Warningf("No instance group defined in nodeup config")
 	}
 
-	err := evaluateSpec(c.cluster)
+	err := evaluateSpec(c)
 	if err != nil {
 		return err
 	}
@@ -328,32 +328,37 @@ func (c *NodeUpCommand) Run(out io.Writer) error {
 	return nil
 }
 
-func evaluateSpec(c *api.Cluster) error {
+func evaluateSpec(c *NodeUpCommand) error {
 	var err error
 
-	c.Spec.Kubelet.HostnameOverride, err = evaluateHostnameOverride(c.Spec.Kubelet.HostnameOverride)
+	c.cluster.Spec.Kubelet.HostnameOverride, err = evaluateHostnameOverride(c.cluster.Spec.Kubelet.HostnameOverride)
 	if err != nil {
 		return err
 	}
 
-	c.Spec.MasterKubelet.HostnameOverride, err = evaluateHostnameOverride(c.Spec.MasterKubelet.HostnameOverride)
+	c.cluster.Spec.MasterKubelet.HostnameOverride, err = evaluateHostnameOverride(c.cluster.Spec.MasterKubelet.HostnameOverride)
 	if err != nil {
 		return err
 	}
 
-	if c.Spec.KubeProxy != nil {
-		c.Spec.KubeProxy.HostnameOverride, err = evaluateHostnameOverride(c.Spec.KubeProxy.HostnameOverride)
+	c.config.KubeletConfig.HostnameOverride, err = evaluateHostnameOverride(c.config.KubeletConfig.HostnameOverride)
+	if err != nil {
+		return err
+	}
+
+	if c.cluster.Spec.KubeProxy != nil {
+		c.cluster.Spec.KubeProxy.HostnameOverride, err = evaluateHostnameOverride(c.cluster.Spec.KubeProxy.HostnameOverride)
 		if err != nil {
 			return err
 		}
-		c.Spec.KubeProxy.BindAddress, err = evaluateBindAddress(c.Spec.KubeProxy.BindAddress)
+		c.cluster.Spec.KubeProxy.BindAddress, err = evaluateBindAddress(c.cluster.Spec.KubeProxy.BindAddress)
 		if err != nil {
 			return err
 		}
 	}
 
-	if c.Spec.Docker != nil {
-		err = evaluateDockerSpecStorage(c.Spec.Docker)
+	if c.cluster.Spec.Docker != nil {
+		err = evaluateDockerSpecStorage(c.cluster.Spec.Docker)
 		if err != nil {
 			return err
 		}