UseKopsControllerForNodeBootstrap instead of k8s versoin to determine secure tls

2020-10-09 08:50:42 +02:00 · 2020-10-09 08:50:42 +02:00 · fdaf5eb38d
parent 259d15cc6a
commit fdaf5eb38d
5 changed files with 8 additions and 359 deletions
--- a/upup/models/bindata.go
+++ b/upup/models/bindata.go
@ -28,7 +28,6 @@
 // upup/models/cloudup/resources/addons/metadata-proxy.addons.k8s.io/addon.yaml
 // upup/models/cloudup/resources/addons/metadata-proxy.addons.k8s.io/v0.1.12.yaml
 // upup/models/cloudup/resources/addons/metrics-server.addons.k8s.io/k8s-1.11.yaml.template
-// upup/models/cloudup/resources/addons/metrics-server.addons.k8s.io/k8s-1.19.yaml.template
 // upup/models/cloudup/resources/addons/networking.amazon-vpc-routed-eni/k8s-1.10.yaml.template
 // upup/models/cloudup/resources/addons/networking.amazon-vpc-routed-eni/k8s-1.12.yaml.template
 // upup/models/cloudup/resources/addons/networking.amazon-vpc-routed-eni/k8s-1.16.yaml.template
@ -3932,7 +3931,9 @@ spec:
        args:
          - --cert-dir=/tmp
          - --secure-port=4443
+        {{ if not UseKopsControllerForNodeBootstrap }}
          - --kubelet-insecure-tls
+        {{ end }}
        ports:
        - name: main-port
          containerPort: 4443
@ -4020,185 +4021,6 @@ func cloudupResourcesAddonsMetricsServerAddonsK8sIoK8s111YamlTemplate() (*asset,
 	return a, nil
 }

-var _cloudupResourcesAddonsMetricsServerAddonsK8sIoK8s119YamlTemplate = []byte(`# sourced from https://github.com/kubernetes-sigs/metrics-server/releases/download/v0.3.7/components.yaml
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: system:aggregated-metrics-reader
-  labels:
-    rbac.authorization.k8s.io/aggregate-to-view: "true"
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-rules:
- apiGroups: ["metrics.k8s.io"]
-  resources: ["pods", "nodes"]
-  verbs: ["get", "list", "watch"]
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: metrics-server:system:auth-delegator
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:auth-delegator
-subjects:
- kind: ServiceAccount
-  name: metrics-server
-  namespace: kube-system
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: metrics-server-auth-reader
-  namespace: kube-system
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: extension-apiserver-authentication-reader
-subjects:
- kind: ServiceAccount
-  name: metrics-server
-  namespace: kube-system
---
-apiVersion: apiregistration.k8s.io/v1beta1
-kind: APIService
-metadata:
-  name: v1beta1.metrics.k8s.io
-spec:
-  service:
-    name: metrics-server
-    namespace: kube-system
-  group: metrics.k8s.io
-  version: v1beta1
-  insecureSkipTLSVerify: true
-  groupPriorityMinimum: 100
-  versionPriority: 100
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: metrics-server
-  namespace: kube-system
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: metrics-server
-  namespace: kube-system
-  labels:
-    k8s-app: metrics-server
-spec:
-  replicas: 2
-  selector:
-    matchLabels:
-      k8s-app: metrics-server
-  template:
-    metadata:
-      name: metrics-server
-      labels:
-        k8s-app: metrics-server
-    spec:
-      serviceAccountName: metrics-server
-      volumes:
-      # mount in tmp so we can safely use from-scratch images and/or read-only containers
-      - name: tmp-dir
-        emptyDir: {}
-      containers:
-      - name: metrics-server
-        image: {{ or .MetricsServer.Image "k8s.gcr.io/metrics-server/metrics-server:v0.3.7" }}
-        imagePullPolicy: IfNotPresent
-        args:
-          - --cert-dir=/tmp
-          - --secure-port=4443
-        ports:
-        - name: main-port
-          containerPort: 4443
-          protocol: TCP
-        securityContext:
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-          runAsUser: 1000
-        volumeMounts:
-        - name: tmp-dir
-          mountPath: /tmp
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: metrics-server
-  namespace: kube-system
-  labels:
-    kubernetes.io/name: "Metrics-server"
-    kubernetes.io/cluster-service: "true"
-spec:
-  selector:
-    k8s-app: metrics-server
-  ports:
-  - port: 443
-    protocol: TCP
-    targetPort: main-port
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: system:metrics-server
-rules:
- apiGroups:
-  - ""
-  resources:
-  - pods
-  - nodes
-  - nodes/stats
-  - namespaces
-  - configmaps
-  verbs:
-  - get
-  - list
-  - watch
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: system:metrics-server
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:metrics-server
-subjects:
- kind: ServiceAccount
-  name: metrics-server
-  namespace: kube-system
---
-apiVersion: policy/v1beta1
-kind: PodDisruptionBudget
-metadata:
-  name: metrics-server
-  namespace: kube-system
-  labels:
-    k8s-app: metrics-server
-spec:
-  minAvailable: 1
-  selector:
-    matchLabels:
-      k8s-app: metrics-server`)
-
-func cloudupResourcesAddonsMetricsServerAddonsK8sIoK8s119YamlTemplateBytes() ([]byte, error) {
-	return _cloudupResourcesAddonsMetricsServerAddonsK8sIoK8s119YamlTemplate, nil
-}
-
-func cloudupResourcesAddonsMetricsServerAddonsK8sIoK8s119YamlTemplate() (*asset, error) {
-	bytes, err := cloudupResourcesAddonsMetricsServerAddonsK8sIoK8s119YamlTemplateBytes()
-	if err != nil {
-		return nil, err
-	}
-
-	info := bindataFileInfo{name: "cloudup/resources/addons/metrics-server.addons.k8s.io/k8s-1.19.yaml.template", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)}
-	a := &asset{bytes: bytes, info: info}
-	return a, nil
-}
-
 var _cloudupResourcesAddonsNetworkingAmazonVpcRoutedEniK8s110YamlTemplate = []byte(`# Vendored from https://github.com/aws/amazon-vpc-cni-k8s/blob/v1.3.3/config/v1.3/aws-k8s-cni.yaml

 apiVersion: rbac.authorization.k8s.io/v1
@ -21046,7 +20868,6 @@ var _bindata = map[string]func() (*asset, error){
 	"cloudup/resources/addons/metadata-proxy.addons.k8s.io/addon.yaml":                                    cloudupResourcesAddonsMetadataProxyAddonsK8sIoAddonYaml,
 	"cloudup/resources/addons/metadata-proxy.addons.k8s.io/v0.1.12.yaml":                                  cloudupResourcesAddonsMetadataProxyAddonsK8sIoV0112Yaml,
 	"cloudup/resources/addons/metrics-server.addons.k8s.io/k8s-1.11.yaml.template":                        cloudupResourcesAddonsMetricsServerAddonsK8sIoK8s111YamlTemplate,
-	"cloudup/resources/addons/metrics-server.addons.k8s.io/k8s-1.19.yaml.template":                        cloudupResourcesAddonsMetricsServerAddonsK8sIoK8s119YamlTemplate,
 	"cloudup/resources/addons/networking.amazon-vpc-routed-eni/k8s-1.10.yaml.template":                    cloudupResourcesAddonsNetworkingAmazonVpcRoutedEniK8s110YamlTemplate,
 	"cloudup/resources/addons/networking.amazon-vpc-routed-eni/k8s-1.12.yaml.template":                    cloudupResourcesAddonsNetworkingAmazonVpcRoutedEniK8s112YamlTemplate,
 	"cloudup/resources/addons/networking.amazon-vpc-routed-eni/k8s-1.16.yaml.template":                    cloudupResourcesAddonsNetworkingAmazonVpcRoutedEniK8s116YamlTemplate,
@ -21187,7 +21008,6 @@ var _bintree = &bintree{nil, map[string]*bintree{
 				}},
 				"metrics-server.addons.k8s.io": {nil, map[string]*bintree{
 					"k8s-1.11.yaml.template": {cloudupResourcesAddonsMetricsServerAddonsK8sIoK8s111YamlTemplate, map[string]*bintree{}},
-					"k8s-1.19.yaml.template": {cloudupResourcesAddonsMetricsServerAddonsK8sIoK8s119YamlTemplate, map[string]*bintree{}},
 				}},
 				"networking.amazon-vpc-routed-eni": {nil, map[string]*bintree{
 					"k8s-1.10.yaml.template": {cloudupResourcesAddonsNetworkingAmazonVpcRoutedEniK8s110YamlTemplate, map[string]*bintree{}},
--- a/upup/models/cloudup/resources/addons/metrics-server.addons.k8s.io/k8s-1.11.yaml.template
+++ b/upup/models/cloudup/resources/addons/metrics-server.addons.k8s.io/k8s-1.11.yaml.template
@ -90,7 +90,9 @@ spec:
        args:
          - --cert-dir=/tmp
          - --secure-port=4443
+        {{ if not UseKopsControllerForNodeBootstrap }}
          - --kubelet-insecure-tls
+        {{ end }}
        ports:
        - name: main-port
          containerPort: 4443
--- a/upup/models/cloudup/resources/addons/metrics-server.addons.k8s.io/k8s-1.19.yaml.template
+++ b/upup/models/cloudup/resources/addons/metrics-server.addons.k8s.io/k8s-1.19.yaml.template
@ -1,163 +0,0 @@
-# sourced from https://github.com/kubernetes-sigs/metrics-server/releases/download/v0.3.7/components.yaml
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: system:aggregated-metrics-reader
-  labels:
-    rbac.authorization.k8s.io/aggregate-to-view: "true"
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-rules:
- apiGroups: ["metrics.k8s.io"]
-  resources: ["pods", "nodes"]
-  verbs: ["get", "list", "watch"]
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: metrics-server:system:auth-delegator
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:auth-delegator
-subjects:
- kind: ServiceAccount
-  name: metrics-server
-  namespace: kube-system
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: metrics-server-auth-reader
-  namespace: kube-system
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: extension-apiserver-authentication-reader
-subjects:
- kind: ServiceAccount
-  name: metrics-server
-  namespace: kube-system
---
-apiVersion: apiregistration.k8s.io/v1beta1
-kind: APIService
-metadata:
-  name: v1beta1.metrics.k8s.io
-spec:
-  service:
-    name: metrics-server
-    namespace: kube-system
-  group: metrics.k8s.io
-  version: v1beta1
-  insecureSkipTLSVerify: true
-  groupPriorityMinimum: 100
-  versionPriority: 100
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: metrics-server
-  namespace: kube-system
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: metrics-server
-  namespace: kube-system
-  labels:
-    k8s-app: metrics-server
-spec:
-  replicas: 2
-  selector:
-    matchLabels:
-      k8s-app: metrics-server
-  template:
-    metadata:
-      name: metrics-server
-      labels:
-        k8s-app: metrics-server
-    spec:
-      serviceAccountName: metrics-server
-      volumes:
-      # mount in tmp so we can safely use from-scratch images and/or read-only containers
-      - name: tmp-dir
-        emptyDir: {}
-      containers:
-      - name: metrics-server
-        image: {{ or .MetricsServer.Image "k8s.gcr.io/metrics-server/metrics-server:v0.3.7" }}
-        imagePullPolicy: IfNotPresent
-        args:
-          - --cert-dir=/tmp
-          - --secure-port=4443
-        ports:
-        - name: main-port
-          containerPort: 4443
-          protocol: TCP
-        securityContext:
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-          runAsUser: 1000
-        volumeMounts:
-        - name: tmp-dir
-          mountPath: /tmp
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: metrics-server
-  namespace: kube-system
-  labels:
-    kubernetes.io/name: "Metrics-server"
-    kubernetes.io/cluster-service: "true"
-spec:
-  selector:
-    k8s-app: metrics-server
-  ports:
-  - port: 443
-    protocol: TCP
-    targetPort: main-port
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: system:metrics-server
-rules:
- apiGroups:
-  - ""
-  resources:
-  - pods
-  - nodes
-  - nodes/stats
-  - namespaces
-  - configmaps
-  verbs:
-  - get
-  - list
-  - watch
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: system:metrics-server
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:metrics-server
-subjects:
- kind: ServiceAccount
-  name: metrics-server
-  namespace: kube-system
---
-apiVersion: policy/v1beta1
-kind: PodDisruptionBudget
-metadata:
-  name: metrics-server
-  namespace: kube-system
-  labels:
-    k8s-app: metrics-server
-spec:
-  minAvailable: 1
-  selector:
-    matchLabels:
-      k8s-app: metrics-server
--- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
+++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
@ -577,20 +577,7 @@ func (b *BootstrapChannelBuilder) buildAddons(c *fi.ModelBuilderContext) (*chann
 					Version:           fi.String(version),
 					Selector:          map[string]string{"k8s-app": "metrics-server"},
 					Manifest:          fi.String(location),
-					KubernetesVersion: "<1.19.0",
-					Id:                id,
-				})
-			}
-			{
-				location := key + "/k8s-1.19.yaml"
-				id := "k8s-1.19"
-
-				addons.Spec.Addons = append(addons.Spec.Addons, &channelsapi.AddonSpec{
-					Name:              fi.String(key),
-					Version:           fi.String(version),
-					Selector:          map[string]string{"k8s-app": "metrics-server"},
-					Manifest:          fi.String(location),
-					KubernetesVersion: ">=1.19.0",
+					KubernetesVersion: ">=1.11.0",
 					Id:                id,
 				})
 			}
--- a/upup/pkg/fi/cloudup/template_functions.go
+++ b/upup/pkg/fi/cloudup/template_functions.go
@ -131,6 +131,9 @@ func (tf *TemplateFunctions) AddTo(dest template.FuncMap, secretStore fi.SecretS
 	dest["ProxyEnv"] = tf.ProxyEnv

 	dest["KopsSystemEnv"] = tf.KopsSystemEnv
+	dest["UseKopsControllerForNodeBootstrap"] = func() bool {
+		return tf.UseKopsControllerForNodeBootstrap()
+	}

 	dest["DO_TOKEN"] = func() string {
 		return os.Getenv("DIGITALOCEAN_ACCESS_TOKEN")