justinsb
05f8618306
metal: simple IPAM for IPv6
2025-07-26 20:01:12 -04:00
justinsb
be5c325918
Introduce flag use-kubeconfig which allows loading from the local kubeconfig
This supports workflows that modify the local kubeconfig for advanced configurations,
which were accidentally broken by trying to always generate the config.
Issue #17262
2025-07-12 12:54:15 -04:00
justinsb
138e14b1ad
Create flag override-api-endpoint which allows for custom DNS setups
Issue #17262
2025-06-28 17:39:56 -04:00
Arnaud Meukam
1ed0cde748
Increase the key size for KubeConfig private key
It's now required to have a minimum of 1024 bits for the RSA private key.
https://pkg.go.dev/crypto/rsa@master#GenerateKey
Signed-off-by: Arnaud Meukam <ameukam@gmail.com>
2025-03-10 15:32:51 +01:00
justinsb
324117cc52
chore: generate kubeconfig on the fly
Some kOps actions require connecting to the cluster, but
we don't always have a kubeconfig available.
This commit adds a function to generate a client config on the fly
(including a certificate) when needed.
2024-12-27 16:37:59 -05:00
justinsb
ab613ff114
Add `kops reconcile cluster` command
This all-in-one command is a replacement for having to run multiple commands,
while still respecting the version skew policy.
It does the same thing as `kops update cluster --reconcile`:
* Updates the control plane nodes
* Does a rolling update of the control plane nodes
* Updates "normal" nodes and bastion nodes
* Does a rolling update of these nodes
* Prunes old resources that are no longer used
2024-12-05 12:27:08 -05:00
Ciprian Hacman
86f5d455e5
Release 1.30.0-alpha.1 (#16563)
* Release 1.30.0-alpha.1
* Update tests for K8s v1.30
* Remove mentions of K8s v1.24
2024-05-11 23:40:27 -07:00
justinsb
573c410846
Prefer external endpoints when building kubeconfig
This means that if/when we have multiple load balancers, we will go
through the external one by default.
2024-01-12 11:29:25 -05:00
Ciprian Hacman
8d76b6e573
Use API internal name as TLS server name in kubeconfig
2023-06-02 14:13:01 +03:00
Ciprian Hacman
8f703f5509
Fix behaviour for `kops export kubeconfig --internal`
2023-03-17 06:51:26 +02:00
John Gardiner Myers
c051198f85
Pull pki.Keystore out of fi.KeystoreReader
2023-01-02 10:39:24 -08:00
justinsb
817c1e63b3
FindKeyset can return nil
We had missed a case in nodeup; add a Context argument to force us to
revisit the codepaths.
2022-12-24 16:12:21 -05:00
justinsb
90cbf75584
Context threading: more wiring
We're aiming to use this for testing immediately and better
logging/tracing in future, but to make the changes manageable we are breaking
them into a smaller series that don't directly achieve much.
2022-12-22 17:52:22 -05:00
Ciprian Hacman
a23282b0f7
Always use load balancer address in kubeconfig
2022-12-16 08:53:22 +02:00
John Gardiner Myers
235aa61594
v1alpha3: move networking fields under networking
2022-12-02 19:19:59 -08:00
John Gardiner Myers
5fca16aa30
v1alpha3: Move API-related settings under API
2022-11-19 10:27:12 -08:00
John Gardiner Myers
8473e8b2e7
Stop making MasterInternalName configurable
2022-11-16 22:06:02 -08:00
John Gardiner Myers
64be690211
Update TopologySpec for v1alpha3 API
2022-11-06 09:10:38 -08:00
Ciprian Hacman
4e5ded6dc3
hetzner: Create cluster without DNS or Gossip
2022-10-27 11:29:37 +03:00
Ciprian Hacman
dc98c74428
Move Gossip check to cluster struct
2022-10-21 09:48:07 +03:00
Ciprian Hacman
85026145a1
Always infer gossip DNS from cluster name
2022-10-02 12:54:37 +03:00
Ole Markus With
014f3d3e68
Remove CAS 1.19
2022-06-07 15:47:26 +02:00
Ole Markus With
ce2e877aeb
Remove bazel files from vendor
2022-04-12 13:29:03 +02:00
Jesse Haka
b88d110f58
Drain OpenStack loadbalancers
2021-12-31 13:16:02 +02:00
John Gardiner Myers
c5e1dea184
Remove code for no-longer-supported k8s version
2021-12-11 16:30:51 -08:00
justinsb
e3ed4bb483
kops auth-plugin: need to clear any existing password / key
Otherwise the password / key is used in preference to the auth plugin,
so these are used even if they have expired.
2021-12-10 08:48:23 -05:00
Ciprian Hacman
ea7df00719
Run hack/update-gofmt.sh
2021-12-01 22:39:50 +02:00
John Gardiner Myers
be8933b577
Remove code for unsupported features
2021-08-28 13:49:55 -07:00
John Gardiner Myers
5a2aac4cfd
Add "all" variants of key rotation commands
2021-07-10 05:51:31 -07:00
John Gardiner Myers
f93ac8730a
Include multiple CA certs in exported kubeconfigs
2021-06-21 07:36:33 -07:00
John Gardiner Myers
896330be88
Create fi.NewKeyset()
2021-06-20 14:09:46 -07:00
Alexander Block
6ae8d8cc9e
Also set haveUserInfo=true in case --user was provided in "kops export kubecfg"
Without setting it to true, --user is completely ignored.
2021-06-16 09:36:47 +02:00
John Gardiner Myers
fa77f8b964
Rename fi.Keystore.StoreKeypair to StoreKeyset
2021-06-05 16:38:26 -07:00
John Gardiner Myers
2300d89591
Rename pki.FindKeypair to FindPrimaryKeypair
2021-06-05 16:38:26 -07:00
John Gardiner Myers
ed1f6ff79e
Refactor StoreKeypair and AddCert
2021-06-05 16:38:25 -07:00
John Gardiner Myers
0364a3af25
Refactor FindKeypair interfaces
2021-06-05 16:38:24 -07:00
Justin Santa Barbara
b60a45beba
Only update kubeconfig user when we have user info
This preserves existing user configuration.
Issue #11537
2021-05-23 17:16:30 -04:00
John Gardiner Myers
dd605fdbc3
Subsume StatusStore into fi.Cloud
2021-05-15 17:39:32 -07:00
Kubernetes Prow Robot
e43efbe102
Merge pull request #10157 from rifelpet/acm-nlb
Setup a second NLB listener when an AWS ACM certificate is used
2020-11-10 10:36:41 -08:00
Peter Rifel
30f3d14979
Use the secondary ELB port when exporting kubecfg w/ --admin and sslCertificate
2020-11-06 11:09:37 -06:00
Peter Rifel
aebe742291
Remove unused bearer token field from kubeconfig builder
```
$ grep -r KubeBearerToken . | wc -l
0
```
2020-11-06 08:07:55 -06:00
Ole Markus With
6797998ac1
Consolidate all buildMinimalClusters into a generic test cluster builder
2020-09-19 19:55:19 +02:00
Justin SB
8757a2ce2a
kubeconfig generation: add tests for kops plugin
Also slightly simplify the tests and Kubecfg Builder signature by
passing in the ConfigAccess only when needed.
2020-08-30 15:17:36 -04:00
Justin SB
0cda0f5068
Support authentication helper for kubectl
We create a simple exec plugin command which can create and renew
short-lived admin credentials on the fly, essentially leveraging the
security of the underlying cloud credentials.
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
2020-08-30 15:16:20 -04:00
Peter Rifel
d0b8c654bd
Add --internal flag for export kubecfg that targets the internal dns name
Kops creates an "api.internal.$clustername" DNS A record that points to the master IP(s).
This adds a flag that will use that name and force the CA cert to be included.
This is a workaround for client certificate authentication not working on API ELBs with ACM certificates.
The ELB has a TLS listener rather than TCP, so the client certificate is not passed through to the apiserver.
Using --internal will bypass the API ELB so that the client certificate will be passed directly to the apiserver.
This also requires that the masters' security groups allow 443 access from the client, which this does not handle automatically.
2020-08-26 21:15:18 -05:00
John Gardiner Myers
7ab0a63571
Put userid in kubecfg cert CommonName
2020-08-18 14:04:42 -07:00
Peter Rifel
4d9f0128a3
Upgrade to klog2
This splits up the kubernetes 1.19 PR to make it easier to keep up to date until we get it sorted out.
2020-08-16 20:56:48 -05:00
John Gardiner Myers
a45b07c156
Reduce the lifetime of exported kubecfg credentials
2020-07-17 22:39:01 -07:00
Ole Markus With
72fd007acf
Don't export admin user by default. Allow specifying existing user when exporting context
2020-06-24 19:54:25 +02:00
ZouYu
2fc52ec6be
fix some go-lint warnings
Signed-off-by: ZouYu <zouy.fnst@cn.fujitsu.com>
2020-06-09 08:52:50 +08:00