From a3cfe8d098a2fefeee2243cf16e717998eb81e5a Mon Sep 17 00:00:00 2001 From: Ole Markus With Date: Tue, 15 Jun 2021 08:50:33 +0200 Subject: [PATCH 1/2] Don't try to build etcd-manager secrets for cilium twice --- nodeup/pkg/model/etcd_manager_tls.go | 6 ++ nodeup/pkg/model/networking/BUILD.bazel | 14 +++- nodeup/pkg/model/networking/cilium_test.go | 85 ++++++++++++++++++++++ 3 files changed, 104 insertions(+), 1 deletion(-) create mode 100644 nodeup/pkg/model/networking/cilium_test.go diff --git a/nodeup/pkg/model/etcd_manager_tls.go b/nodeup/pkg/model/etcd_manager_tls.go index fd2417d5db..ae8ea8d6a5 100644 --- a/nodeup/pkg/model/etcd_manager_tls.go +++ b/nodeup/pkg/model/etcd_manager_tls.go @@ -43,6 +43,12 @@ func (b *EtcdManagerTLSBuilder) Build(ctx *fi.ModelBuilderContext) error { for _, etcdCluster := range b.Cluster.Spec.EtcdClusters { k := etcdCluster.Name + + // The certs for cilium etcd is managed by CiliumBuilder + if k == "cilium" { + continue + } + d := "/etc/kubernetes/pki/etcd-manager-" + k keys := make(map[string]string) diff --git a/nodeup/pkg/model/networking/BUILD.bazel b/nodeup/pkg/model/networking/BUILD.bazel index 78d7328a24..9ee113cc69 100644 --- a/nodeup/pkg/model/networking/BUILD.bazel +++ b/nodeup/pkg/model/networking/BUILD.bazel @@ -1,4 +1,4 @@ -load("@io_bazel_rules_go//go:def.bzl", "go_library") +load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test") go_library( name = "go_default_library", @@ -27,3 +27,15 @@ go_library( "//vendor/k8s.io/klog/v2:go_default_library", ], ) + +go_test( + name = "go_default_test", + srcs = ["cilium_test.go"], + embed = [":go_default_library"], + deps = [ + "//nodeup/pkg/model:go_default_library", + "//pkg/apis/kops:go_default_library", + "//pkg/pki:go_default_library", + "//upup/pkg/fi:go_default_library", + ], +) diff --git a/nodeup/pkg/model/networking/cilium_test.go b/nodeup/pkg/model/networking/cilium_test.go new file mode 100644 index 0000000000..1ea7bec6ea --- /dev/null 
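Review bot: The skip added to EtcdManagerTLSBuilder.Build keys on the literal cluster name `"cilium"` alone, so an etcd cluster with that name is left with no etcd-manager TLS material even when cilium networking (and thus the CiliumBuilder the comment defers to) is not configured; the hunk shows only the name check. Tying the skip to the spec that enables the other builder would make the hand-off explicit: `if k == "cilium" && b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.Cilium != nil && b.Cluster.Spec.Networking.Cilium.EtcdManaged {`. Whether CiliumBuilder applies the same condition before issuing certs is not visible here, so confirm the two sides agree, or hoist the name into a shared constant both builders reference. Build's body continues outside the hunk.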
+++ b/nodeup/pkg/model/networking/cilium_test.go 
@@ -0,0 +1,85 @@ +/* +Copyright 2021 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package networking + +import ( + "runtime" + "testing" + + "k8s.io/kops/nodeup/pkg/model" + "k8s.io/kops/pkg/apis/kops" + "k8s.io/kops/pkg/pki" + "k8s.io/kops/upup/pkg/fi" +) + +func TestCiliumBuilder(t *testing.T) { + if runtime.GOOS != "linux" { + t.Skipf("cilium nodeup test will only work on linux") + } + context := &model.NodeupModelContext{ + Cluster: &kops.Cluster{ + Spec: kops.ClusterSpec{ + CloudProvider: "aws", + EtcdClusters: []kops.EtcdClusterSpec{ + { + Name: "cilium", + Provider: kops.EtcdProviderTypeManager, + }, + }, + KubernetesVersion: "1.19.0", + Networking: &kops.NetworkingSpec{ + Cilium: &kops.CiliumNetworkingSpec{ + EtcdManaged: true, + }, + }, + }, + }, + HasAPIServer: true, + KeyStore: &fakeKeyStore{}, + IsMaster: true, + } + etcdBuilder := &model.EtcdManagerTLSBuilder{ + NodeupModelContext: context, + } + ciliumBuilder := &CiliumBuilder{ + NodeupModelContext: context, + } + + modelContext := &fi.ModelBuilderContext{ + Tasks: make(map[string]fi.Task), + } + + if err := etcdBuilder.Build(modelContext); err != nil { + t.Errorf("unexpected error building etcd: %v", err) + } + + if err := ciliumBuilder.Build(modelContext); err != nil { + t.Errorf("unexpected error building cilium: %v", err) + } +} + +type fakeKeyStore struct { + fi.CAStore +} + +func (*fakeKeyStore) FindCert(name string) (*pki.Certificate, error) { + return &pki.Certificate{}, nil +} + 
+func (*fakeKeyStore) FindPrivateKey(name string) (*pki.PrivateKey, error) { + return &pki.PrivateKey{}, nil +} From f80b550c7a79cc398cdd1fd92113822f77e25331 Mon Sep 17 00:00:00 2001 From: Ole Markus With Date: Tue, 15 Jun 2021 14:21:02 +0200 Subject: [PATCH 2/2] Use internal name for cilium etcd if we do not enable api server nodes --- nodeup/pkg/model/etcd_manager_tls.go | 2 +- pkg/model/components/etcdmanager/model.go | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/nodeup/pkg/model/etcd_manager_tls.go b/nodeup/pkg/model/etcd_manager_tls.go index ae8ea8d6a5..cfb86acc07 100644 --- a/nodeup/pkg/model/etcd_manager_tls.go +++ b/nodeup/pkg/model/etcd_manager_tls.go @@ -44,7 +44,7 @@ func (b *EtcdManagerTLSBuilder) Build(ctx *fi.ModelBuilderContext) error { for _, etcdCluster := range b.Cluster.Spec.EtcdClusters { k := etcdCluster.Name - // The certs for cilium etcd is managed by CiliumBuilder + // The certs for cilium etcd are managed by CiliumBuilder if k == "cilium" { continue } diff --git a/pkg/model/components/etcdmanager/model.go b/pkg/model/components/etcdmanager/model.go index 3be766ed44..269f567b62 100644 --- a/pkg/model/components/etcdmanager/model.go +++ b/pkg/model/components/etcdmanager/model.go @@ -315,6 +315,9 @@ func (b *EtcdManagerBuilder) buildPod(etcdCluster kops.EtcdClusterSpec) (*v1.Pod peerPort = 2382 grpcPort = wellknownports.EtcdCiliumGRPC quarantinedClientPort = wellknownports.EtcdCiliumQuarantinedClientPort + if !featureflag.APIServerNodes.Enabled() { + clientHost = b.Cluster.Spec.MasterInternalName + } default: return nil, fmt.Errorf("unknown etcd cluster key %q", etcdCluster.Name) }
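Review bot: TestCiliumBuilder only checks that the two Build calls return nil, so the regression named in the subject — cilium's etcd-manager secrets being built twice — is caught only if a duplicate task key makes the second Build fail, which this hunk does not establish. Asserting on `modelContext.Tasks` after both builds would pin it down, e.g. checking that the cilium certificate task key appears exactly once, or at minimum `if len(modelContext.Tasks) == 0 { t.Fatal("expected cilium etcd tasks to be built") }`. The first `t.Errorf` also lets the cilium build run against a half-built context; `t.Fatalf` there would give a clearer failure. The fake key store hands back an empty `pki.Certificate{}`, which is fine as long as neither builder parses the certificate material — not visible from here.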
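Review bot: The new branch in buildPod switches the cilium etcd client host on a feature flag with no comment, and the value it overrides is assigned outside the hunk, so a reader cannot tell what the default is or why it is wrong without API-server nodes. A short why-comment would carry the commit subject's intent into the code: `// Without dedicated API-server nodes, cilium clients reach etcd via the master-internal name rather than the default client host.` It is also worth confirming that `b.Cluster.Spec.MasterInternalName` is always populated by the time buildPod runs, since an empty value would silently yield an endpoint with no host; the hunk does not show that. buildPod starts and ends outside the hunk.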