Commit Graph

78 Commits

Author SHA1 Message Date
justinsb 05f8618306 metal: simple IPAM for IPv6 2025-07-26 20:01:12 -04:00
justinsb be5c325918 Introduce flag use-kubeconfig which allows loading from the local kubeconfig
This supports workflows that modify the local kubeconfig for advanced configurations,
which were accidentally broken by trying to always generate the config.

Issue #17262
2025-07-12 12:54:15 -04:00
justinsb 138e14b1ad Create flag override-api-endpoint which allows for custom DNS setups
Issue #17262
2025-06-28 17:39:56 -04:00
Arnaud Meukam 1ed0cde748 Increase the key size for KubeConfig private key
It's now required to have a minimum of 1024 bits for the RSA private key.
https://pkg.go.dev/crypto/rsa@master#GenerateKey.

Signed-off-by: Arnaud Meukam <ameukam@gmail.com>
2025-03-10 15:32:51 +01:00
justinsb 324117cc52 chore: generate kubeconfig on the fly
Some kOps actions require connecting to the cluster, but
we don't always have a kubeconfig available.

This commit adds a function to generate a client config on the fly
(including a certificate) when needed.
2024-12-27 16:37:59 -05:00
justinsb ab613ff114 Add `kops reconcile cluster` command
This all-in-one command is a replacement for having to run multiple commands,
while still respecting the version skew policy.

It does the same thing as `kops update cluster --reconcile`:

* Updates the control plane nodes
* Does a rolling update of the control plane nodes
* Updates "normal" nodes and bastion nodes
* Does a rolling update of these nodes
* Prunes old resources that are no longer used
2024-12-05 12:27:08 -05:00
Ciprian Hacman 86f5d455e5 Release 1.30.0-alpha.1 (#16563)
* Release 1.30.0-alpha.1

* Update tests for K8s v1.30

* Remove mentions of K8s v1.24
2024-05-11 23:40:27 -07:00
justinsb 573c410846 Prefer external endpoints when building kubeconfig
This means that if/when we have multiple load balancers, we will go
through the external one by default.
2024-01-12 11:29:25 -05:00
Ciprian Hacman 8d76b6e573 Use API internal name as TLS server name in kubeconfig 2023-06-02 14:13:01 +03:00
Ciprian Hacman 8f703f5509 Fix behaviour for `kops export kubeconfig --internal` 2023-03-17 06:51:26 +02:00
John Gardiner Myers c051198f85 Pull pki.Keystore out of fi.KeystoreReader 2023-01-02 10:39:24 -08:00
justinsb 817c1e63b3 FindKeyset can return nil
We had missed a case in nodeup; add a Context argument to force us to
revisit the codepaths.
2022-12-24 16:12:21 -05:00
justinsb 90cbf75584 Context threading: more wiring
We're aiming to use this for testing immediately and better
logging/tracing in future, but to make the changes manageable breaking
them into a smaller series that don't directly achieve much.
2022-12-22 17:52:22 -05:00
Ciprian Hacman a23282b0f7 Always use load balancer address in kubeconfig 2022-12-16 08:53:22 +02:00
John Gardiner Myers 235aa61594 v1alpha3: move networking fields under networking 2022-12-02 19:19:59 -08:00
John Gardiner Myers 5fca16aa30 v1alpha3: Move API-related settings under API 2022-11-19 10:27:12 -08:00
John Gardiner Myers 8473e8b2e7 Stop making MasterInternalName configurable 2022-11-16 22:06:02 -08:00
John Gardiner Myers 64be690211 Update TopologySpec for v1alpha3 API 2022-11-06 09:10:38 -08:00
Ciprian Hacman 4e5ded6dc3 hetzner: Create cluster without DNS or Gossip 2022-10-27 11:29:37 +03:00
Ciprian Hacman dc98c74428 Move Gossip check to cluster struct 2022-10-21 09:48:07 +03:00
Ciprian Hacman 85026145a1 Always infer gossip DNS from cluster name 2022-10-02 12:54:37 +03:00
Ole Markus With 014f3d3e68 Remove CAS 1.19 2022-06-07 15:47:26 +02:00
Ole Markus With ce2e877aeb Remove bazel files from vendor 2022-04-12 13:29:03 +02:00
Jesse Haka b88d110f58 Drain OpenStack loadbalancers 2021-12-31 13:16:02 +02:00
John Gardiner Myers c5e1dea184 Remove code for no-longer-supported k8s version 2021-12-11 16:30:51 -08:00
justinsb e3ed4bb483 kops auth-plugin: need to clear any existing password / key
Otherwise the password / key is used in preference to the auth plugin,
so these are used even if they have expired.
2021-12-10 08:48:23 -05:00
Ciprian Hacman ea7df00719 Run hack/update-gofmt.sh 2021-12-01 22:39:50 +02:00
John Gardiner Myers be8933b577 Remove code for unsupported features 2021-08-28 13:49:55 -07:00
John Gardiner Myers 5a2aac4cfd Add "all" variants of key rotation commands 2021-07-10 05:51:31 -07:00
John Gardiner Myers f93ac8730a Include multiple CA certs in exported kubeconfigs 2021-06-21 07:36:33 -07:00
John Gardiner Myers 896330be88 Create fi.NewKeyset() 2021-06-20 14:09:46 -07:00
Alexander Block 6ae8d8cc9e Also set haveUserInfo=true in case --user was provided in "kops export kubecfg"
Without setting it to true, --user is completely ignored.
2021-06-16 09:36:47 +02:00
John Gardiner Myers fa77f8b964 Rename fi.Keystore.StoreKeypair to StoreKeyset 2021-06-05 16:38:26 -07:00
John Gardiner Myers 2300d89591 Rename pki.FindKeypair to FindPrimaryKeypair 2021-06-05 16:38:26 -07:00
John Gardiner Myers ed1f6ff79e Refactor StoreKeypair and AddCert 2021-06-05 16:38:25 -07:00
John Gardiner Myers 0364a3af25 Refactor FindKeypair interfaces 2021-06-05 16:38:24 -07:00
Justin Santa Barbara b60a45beba Only update kubeconfig user when we have user info
This preserves existing user configuration.

Issue #11537
2021-05-23 17:16:30 -04:00
John Gardiner Myers dd605fdbc3 Subsume StatusStore into fi.Cloud 2021-05-15 17:39:32 -07:00
Kubernetes Prow Robot e43efbe102 Merge pull request #10157 from rifelpet/acm-nlb
Setup a second NLB listener when an AWS ACM certificate is used
2020-11-10 10:36:41 -08:00
Peter Rifel 30f3d14979 Use the secondary ELB port when exporting kubecfg w/ --admin and sslCertificate 2020-11-06 11:09:37 -06:00
Peter Rifel aebe742291 Remove unused bearer token field from kubeconfig builder
```
$ grep -r KubeBearerToken . | wc -l
0
```
2020-11-06 08:07:55 -06:00
Ole Markus With 6797998ac1 Consolidate all buildMinimalClusters into a generic test cluster builder 2020-09-19 19:55:19 +02:00
Justin SB 8757a2ce2a kubeconfig generation: add tests for kops plugin
Also slightly simplify the tests and Kubecfg Builder signature by
passing in the ConfigAccess only when needed.
2020-08-30 15:17:36 -04:00
Justin SB 0cda0f5068 Support authentication helper for kubectl
We create a simple exec plugin command which can create and renew
short-lived admin credentials on the fly, essentially leveraging the
security of the underlying cloud credentials.

Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
2020-08-30 15:16:20 -04:00
Peter Rifel d0b8c654bd Add --internal flag for export kubecfg that targets the internal dns name
Kops creates an "api.internal.$clustername" dns A record that points to the master IP(s)

This adds a flag that will use that name and force the CA cert to be included.
This is a workaround for client certificate authentication not working on API ELBs with ACM certificates.
The ELB has a TLS listener rather than TCP, so the client certificate is not passed through to the apiserver.
Using --internal will bypass the API ELB so that the client certificate will be passed directly to the apiserver.
This also requires that the masters' security groups allow 443 access from the client which this does not handle automatically.
2020-08-26 21:15:18 -05:00
John Gardiner Myers 7ab0a63571 Put userid in kubecfg cert CommonName 2020-08-18 14:04:42 -07:00
Peter Rifel 4d9f0128a3 Upgrade to klog2
This splits up the kubernetes 1.19 PR to make it easier to keep up to date until we get it sorted out.
2020-08-16 20:56:48 -05:00
John Gardiner Myers a45b07c156 Reduce the lifetime of exported kubecfg credentials 2020-07-17 22:39:01 -07:00
Ole Markus With 72fd007acf Don't export admin user by default. Allow specifying existing user when exporting context 2020-06-24 19:54:25 +02:00
ZouYu 2fc52ec6be fix some go-lint warning
Signed-off-by: ZouYu <zouy.fnst@cn.fujitsu.com>
2020-06-09 08:52:50 +08:00