kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
22,237 Commits 117 Branches 250 Tags 533 MiB
Commit Graph

38 Commits

Author SHA1 Message Date
justinsb 0963d73cc5 metal: initial support for adding hosts 
The bulk of this work is implementing a clientset for use in kops-controller.
 2024-09-18 09:03:43 -04:00
justinsb 6a2a723bd2 refactor: give clear error message if challenge endpoint cannot be found 
We were not handling this particularly clearly before, although it should only happen in development.
 2024-08-29 05:32:51 -04:00
John Gardiner Myers 1ea0fd3004 AWS always uses resource-based names 2023-09-04 16:08:48 -07:00
John Gardiner Myers e04fc1314f Use NewVFSContext in kops-controller 2023-07-15 15:48:56 -07:00
Ciprian Hacman 505c0c87de kops-controller: Return `http.StatusConflict` only when node is ready 2023-05-27 12:58:50 +03:00
Ciprian Hacman 7b545dde4b kops-controller: Return `http.StatusConflict` when node already exists 2023-05-27 09:47:40 +03:00
justinsb c89f434f1b Only use node challenge on hetzner 
DigitalOcean (and others) will follow shortly.

Also create a method for CloudProvider, so that we are more ambivalent
towards bootstrapping methods.
 2023-05-06 08:57:21 -04:00
Justin SB c67f895226 Perform challenge callbacks into a node 
In order to verify that the caller is running on the specified node,
we source the expected IP address from the cloud, and require that the
node set up a simple challenge/response server to answer requests.

Because the challenge server runs on a port outside of the nodePort
range, this also makes it harder for pods to impersonate their host
nodes - though we do combine this with TPM and similar functionality
where it is available.
 2023-05-06 08:03:21 -04:00
justinsb 868823bbcf Block bootstrap when the node already exists 
We now do this across all clouds, as it has been demonstrated on
OpenStack.
 2023-04-27 11:47:42 -04:00
Jesse Haka a765191898 use http.StatusConflict 2023-02-20 13:01:43 +02:00
Jesse Haka 8e6199fa39 exit gracefully if server already exists in k8s 2023-02-12 16:52:13 +02:00
Justin SB 9b02017059 openstack verifier: support IPv6 
Add IPv6 support to the openstack verifier and polish up a few error messages.
 2023-01-28 10:54:48 -05:00
Jesse Haka b3c134be06 make openstack kops-controller boostrap auth better 2023-01-19 10:07:11 +02:00
John Gardiner Myers 775ed65820 Run kops-controller server on non-leaders as well 2023-01-14 10:20:04 -08:00
justinsb 817c1e63b3 FindKeyset can return nil 
We had missed a case in nodeup; add a Context argument to force us to
revisit the codepaths.
 2022-12-24 16:12:21 -05:00
Ciprian Hacman 61eaeddb9b Serve secrets from kops-controller for nodes without state store access 2022-11-15 14:51:54 +02:00
justinsb f60f2476ed kops-controller: use controller-runtime manager 
This gives us access to a managed client, and it lets us hook into the
lifecycle.
 2021-12-18 19:38:53 -05:00
John Gardiner Myers 73f164e229 Use instance ID as node name when AWS CCM supports it 2021-11-30 17:54:54 -08:00
justinsb 813f2f1431 kops-controller should log port it is listening on 2021-11-14 10:45:13 -05:00
Eng Zer Jun 425173ae9f
refactor: move from io/ioutil to io and os packages 
The io/ioutil package has been deprecated as of Go 1.16, see
https://golang.org/doc/go1.16#ioutil. This commit replaces the existing
io/ioutil functions with their new definitions in io and os packages.

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
 2021-11-12 15:37:18 +08:00
justinsb 4dc2c062fd Support GCE TPM verification 2021-10-06 08:40:20 -04:00
justinsb fad6db8beb Refactor bootstrap verifier/authenticator into its own package 
No code changes, but this avoids a circular package dependency that we
would otherwise introduce in the GCE logic.
 2021-09-26 09:43:53 -04:00
Ole Markus With ad16042a1f Add IPs to kubelet server cert 
Since AWS does not resolve instance hostnames to ipv6, ipv6-only pods that talk to kubelet API has to use node IP, not hostname. Thus we need to add IPs to kubelet server cert.
 2021-08-26 20:54:02 +02:00
John Gardiner Myers 191df58267 Verify CA keypair IDs for kops-controller-issued certs 2021-07-14 08:15:28 -07:00
Justin SB 4ac9d5c17b Boot nodes without state store access 
kops-controller can now serve the instance group & cluster config to
nodes, as part of the bootstrap process.

This enables nodes to boot without access to the state
store (i.e. without S3 / GCS / etc permissions)

Feature-flagged behind the KopsControllerStateStore feature-flag.
 2021-01-09 13:08:48 -05:00
Ole Markus With 466dcd001e Apply suggestions from code review 
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
 2020-10-09 08:27:08 +02:00
Ole Markus With 809aa93634 Make use of kubelet service certificate 2020-10-09 08:27:08 +02:00
John Gardiner Myers 07220797b4 Issue the cilium etcd client cert out of kops-controller 2020-08-17 21:15:34 -07:00
Peter Rifel bae8150e12
Update more klog v1 references to v2 
I missed these in the previous PR. This removes the direct dependency on v1 entirely.
The kubernetes 1.19 upgrade will remove the indirect reference on v1.
 2020-08-17 07:44:48 -05:00
John Gardiner Myers d05f9a3eff Don't issue certs for features not enabled 2020-08-16 23:40:43 -07:00
John Gardiner Myers b6947ccaee Use kops-controller to issue kube-router cert 2020-08-16 23:40:38 -07:00
John Gardiner Myers 8e43c1d637 Use kops-controller to issue kube-proxy cert 2020-08-16 23:36:42 -07:00
John Gardiner Myers 9e99f76a6e Address review comments 2020-08-15 10:30:21 -07:00
John Gardiner Myers bec273ebf1 Implement signing of kubelet cert in kops-controller 2020-08-15 10:30:20 -07:00
John Gardiner Myers 9cfa169740 Add server code to kops-controller 2020-08-15 10:30:15 -07:00
John Gardiner Myers cfa262a81a Authenticate from nodeup to kops-controller 2020-08-15 09:50:08 -07:00
John Gardiner Myers 9c01e1f44d Send bootstrap query from nodeup to kops-controller 2020-08-15 09:50:08 -07:00
John Gardiner Myers 00c60ddff6 Add server code to kops-controller 2020-08-15 09:46:30 -07:00