Extending the current implementation of the toolbox template to include multiple files and snippets. Note, I've removed the requirement for defaults as I think people should be forced to specifically pass them.
- fixing the vetting issues with the method YamlToJson -> YAMLToJSON
- adding a safety check to ensure templates don't reference an unknown value
- extending the unit test to ensure the above works on main and snippets
- include the ability to specify multiple configuration files, useful for common.yaml and prod.yaml etc.
Requested Changes - Toolbox Templating
Added the requested changes
- moved the templater into its own package rather than using base util
- moved to using the sprig library for additional template functions
- @note: I couldn't find a native way in sprig to do snippets; also, I've overloaded indent as it appears to do the indent on all lines rather than on the newline, meaning I'd have to shift my first line back by the indent to get it to work, which seems ugly.
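As an added example (not the kops toolbox code and not sprig), the two points the change describes in working form: a `missingkey=error` option so a template that references a value nobody supplied fails instead of rendering `<no value>`, a hypothetical `include` function that renders a named snippet to a string so it can sit in a pipeline, and a hypothetical `indent` that pads every line except the first. Only the standard library `text/template` is used; the snippet and value names are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// indentAfterFirst indents every line except the first by n spaces, so a
// rendered snippet can follow a YAML key on the same line without the first
// line being pushed out of place. Width comes first so the function can sit
// at the end of a pipeline: {{ include "x" . | indent 4 }}.
func indentAfterFirst(n int, s string) string {
	pad := strings.Repeat(" ", n)
	return strings.ReplaceAll(s, "\n", "\n"+pad)
}

// RenderStrict parses mainTmpl plus a set of named snippets and renders it
// against values. missingkey=error turns any reference to a value that was
// not supplied into a hard error instead of silently emitting "<no value>".
// All names here are hypothetical; this is example code, not the project's.
func RenderStrict(mainTmpl string, snippets map[string]string, values map[string]interface{}) (string, error) {
	root := template.New("main").Option("missingkey=error")
	root.Funcs(template.FuncMap{
		"indent": indentAfterFirst,
		// include renders a named snippet to a string so the result can be piped
		// through indent; the built-in {{template}} action cannot be used in a pipeline.
		"include": func(name string, data interface{}) (string, error) {
			t := root.Lookup(name)
			if t == nil {
				return "", fmt.Errorf("unknown snippet %q", name)
			}
			var buf bytes.Buffer
			if err := t.Execute(&buf, data); err != nil {
				return "", err
			}
			return buf.String(), nil
		},
	})
	// Snippets are associated templates of root, so they share its func map
	// and its missingkey option.
	for name, body := range snippets {
		if _, err := root.New(name).Parse(body); err != nil {
			return "", fmt.Errorf("parsing snippet %q: %w", name, err)
		}
	}
	if _, err := root.Parse(mainTmpl); err != nil {
		return "", fmt.Errorf("parsing main template: %w", err)
	}
	var out bytes.Buffer
	if err := root.Execute(&out, values); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	// Constructed snippet and main template for the example.
	snippets := map[string]string{
		"labels": "env: {{ .env }}\nteam: {{ .team }}",
	}
	mainTmpl := "metadata:\n  labels:\n    {{ include \"labels\" . | indent 4 }}\n"

	out, err := RenderStrict(mainTmpl, snippets, map[string]interface{}{"env": "prod", "team": "platform"})
	fmt.Printf("%s(err=%v)\n", out, err)

	// Values that omit "team": rendering must fail rather than emit <no value>.
	_, err = RenderStrict(mainTmpl, snippets, map[string]interface{}{"env": "prod"})
	fmt.Println("unknown value rejected:", err != nil)
}
```

Because `include` executes the snippet through the same template set, the strict missing-key check applies inside snippets as well as in the main template, which is the property the unit tests for "main and snippets" would exercise.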
Automatic merge from submit-queue
Makefile clean
I'm interested in tightening up the kops Makefile.
This first step adds a "clean" recipe for deleting the .build directory and any files generated by the go-bindata tool.
The two files generated by the go-bindata tool get their own recipes, so now make can keep track of when they have been built and will not need to regenerate them.
Automatic merge from submit-queue
Check actual EbsOptimized status during cluster update
Fixes #3313.
It seems like the actual EbsOptimized state of the LaunchConfiguration is not read during `kops update cluster` and always triggers a modification of instance-groups that have `rootVolumeOptimization: true`.
If any meaningful test can be created for this, please let me know.
Automatic merge from submit-queue
Create Keyset API type
A Keyset holds a set of keypairs or other secret cluster material.
It is a set to support rotation of keys.
This will allow us to store secrets on kops-server (and also is a step towards
separating where we manage secrets from how we communicate them to running
clusters, which will allow bare-metal or KMS)
Starting with just the API objects.
Automatic merge from submit-queue
refactor resource tracker to be usable across packages
Puts ResourceTracker into its own package `pkg/resources/tracker` so it can be called from different packages without hitting an import cycle, e.g. `pkg/resources/digitalocean/resource.go`. This is so that we can group cloud-specific code into their own packages (`pkg/resources/aws/`, `pkg/resources/gce/`, etc.) rather than dump all the resource code from all clouds into `pkg/resources`.
Automatic merge from submit-queue
Fix broken link in aws.md
aws.md linked to advanced_create.md which was deleted in
https://github.com/kubernetes/kops/pull/2725. Its contents were added to
high_availability.md. Update the link to point to the relevant section in
high_availability.md.
Signed-off-by: Steven Santos Erenst <stevenerenst@gmail.com>
Automatic merge from submit-queue
Adds DNSControllerSpec and WatchIngress flag
This PR is in reference to #2496, #2468 and the issues referenced in there relating to use of the watch-ingress flag.
This PR attempts to rectify this situation and gives users who want it the option to turn on watch-ingress without forcing it on them. Also spits out a warning to the logs about potential side effects.
Includes notes in `docs/cluster_spec.md` to explain.
Automatic merge from submit-queue
Additional Kubelet Options
This PR adds additional options to the kubelet spec allowing users to set the --runtime-request-timeout and --volume-stats-agg-period
Related to issue https://github.com/kubernetes/kops/issues/3265
Automatic merge from submit-queue
Kubelet Readonly Port
The current implementation does not permit the user to specify the kubelet read-only port (which unset defaults to 10255). For security reasons we need this port switched off, i.e. 0. This PR retains the default behavior but adds the readOnlyPort as an option for those who need to override.
```diff
podInfraContainerImage: gcr.io/google_containers/pause-amd64:3.0
podManifestPath: /etc/kubernetes/manifests
+ readOnlyPort: 0
registerSchedulable: false
requireKubeconfig: true
```
And tested on the box
```shell
core@ip-10-250-34-23 ~ $ egrep -o 'read-only-port=[0-9]+' /etc/sysconfig/kubelet
read-only-port=0
```
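As an added example (hypothetical types, not the kops API or nodeup code), the point that makes this change work: the spec field has to be a pointer so that "not set" (nil, kubelet default 10255) can be told apart from an explicit `0`, which is the value that actually disables the port. A plain `int32` would render an unset field as `--read-only-port=0` and silently change the default for everyone. The flag parser mirrors the on-box `egrep` check above.

```go
package main

import (
	"fmt"
	"strings"
)

// KubeletSpec is a trimmed-down hypothetical spec for this example, not the
// kops API type. ReadOnlyPort is a pointer: nil means "leave the kubelet
// default (10255)", while an explicit 0 disables the port.
type KubeletSpec struct {
	PodInfraContainerImage string
	PodManifestPath        string
	ReadOnlyPort           *int32
	RegisterSchedulable    bool
}

// defaultReadOnlyPort is the kubelet's own default when the flag is absent.
const defaultReadOnlyPort int32 = 10255

// EffectiveReadOnlyPort returns the port the kubelet will actually listen on.
func (s KubeletSpec) EffectiveReadOnlyPort() int32 {
	if s.ReadOnlyPort == nil {
		return defaultReadOnlyPort
	}
	return *s.ReadOnlyPort
}

// Flags renders kubelet command-line flags. --read-only-port is only emitted
// when the user set it, so the default behaviour is preserved for specs that
// do not mention the field.
func (s KubeletSpec) Flags() []string {
	flags := []string{
		"--pod-infra-container-image=" + s.PodInfraContainerImage,
		"--pod-manifest-path=" + s.PodManifestPath,
		fmt.Sprintf("--register-schedulable=%t", s.RegisterSchedulable),
	}
	if s.ReadOnlyPort != nil {
		flags = append(flags, fmt.Sprintf("--read-only-port=%d", *s.ReadOnlyPort))
	}
	return flags
}

// ReadOnlyPortFromFlags is the audit side: given a rendered flag line (as
// found in the kubelet unit or sysconfig), report the port in effect,
// falling back to the kubelet default when the flag is absent or malformed.
func ReadOnlyPortFromFlags(line string) int32 {
	const prefix = "--read-only-port="
	for _, f := range strings.Fields(line) {
		if !strings.HasPrefix(f, prefix) {
			continue
		}
		var p int32
		if _, err := fmt.Sscanf(strings.TrimPrefix(f, prefix), "%d", &p); err == nil {
			return p
		}
	}
	return defaultReadOnlyPort
}

// ReadOnlyPortDisabled is the check a hardening audit wants: true only when
// the flag is present and explicitly 0.
func ReadOnlyPortDisabled(line string) bool {
	return ReadOnlyPortFromFlags(line) == 0
}

func main() {
	zero := int32(0)
	hardened := KubeletSpec{
		PodInfraContainerImage: "gcr.io/google_containers/pause-amd64:3.0",
		PodManifestPath:        "/etc/kubernetes/manifests",
		ReadOnlyPort:           &zero,
	}
	line := strings.Join(hardened.Flags(), " ")
	fmt.Println(line)
	fmt.Println("read-only port disabled:", ReadOnlyPortDisabled(line))
}
```

The audit helper treats a missing flag as the open default rather than as "disabled", which is the conservative reading when checking a fleet of nodes.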
Automatic merge from submit-queue
Update aws.md pointing links to the k8s slack directly
Pointing links to the k8s Slack directly, single click to enter Slack.
Automatic merge from submit-queue
Implementing GCE as an interface - modelling aws cloud provider
GCE and other cloud providers are structs instead of an interface. AWS cloud provider implements an interface. This PR refactors `GCECloud` as an interface, and creates `gceCloudImplementation`.
- [x] Need to e2e test
Automatic merge from submit-queue
Allow user defined endpoint to host action for Canal
Adds ability to define `Networking.Canal.DefaultEndpointToHostAction` in the Cluster Spec. This allows you to customise the behaviour of traffic routing from a pod to the host (after calico iptables chains have been processed). `ACCEPT` is the default value and is left as-is.
`If you want to allow some or all traffic from endpoint to host, set this parameter to “RETURN” or “ACCEPT”. Use “RETURN” if you have your own rules in the iptables “INPUT” chain; Calico will insert its rules at the top of that chain, then “RETURN” packets to the “INPUT” chain once it has completed processing workload endpoint egress policy.`
Automatic merge from submit-queue
Limit the IAM EC2 policy for the master nodes
Related to: https://github.com/kubernetes/kops/pull/3158
The EC2 policy for the master nodes is quite open currently, allowing them to create/delete/modify resources that are not associated with the cluster the node originates from. I've come up with a potential solution using condition keys to validate that the `ec2:ResourceTag/KubernetesCluster` matches the cluster name.
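As an added example (not the kops `pkg/model/iam` code), a minimal policy builder that scopes the mutating EC2 actions to resources tagged with this cluster's name via a `StringEquals` condition on `ec2:ResourceTag/KubernetesCluster`, plus a deliberately simplified evaluator to show what the condition does and does not grant. The action list and the cluster name are constructed for the example; the evaluator models only the constructs used here, not general IAM semantics.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement and Policy are minimal IAM policy document types for this
// example; they are not the kops iam model types.
type Statement struct {
	Effect    string                       `json:"Effect"`
	Action    []string                     `json:"Action"`
	Resource  string                       `json:"Resource"`
	Condition map[string]map[string]string `json:"Condition,omitempty"`
}

type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// mutatingEC2Actions is an illustrative subset of the EC2 write actions a
// master needs (volumes, security groups for LoadBalancers); a real policy
// lists more.
var mutatingEC2Actions = []string{
	"ec2:AttachVolume",
	"ec2:DetachVolume",
	"ec2:DeleteVolume",
	"ec2:AuthorizeSecurityGroupIngress",
	"ec2:RevokeSecurityGroupIngress",
	"ec2:DeleteSecurityGroup",
}

// MasterEC2Policy leaves Describe* unrestricted (those calls do not support
// resource-level permissions) but allows the mutating actions only on
// resources whose KubernetesCluster tag equals clusterName.
func MasterEC2Policy(clusterName string) Policy {
	return Policy{
		Version: "2012-10-17",
		Statement: []Statement{
			{Effect: "Allow", Action: []string{"ec2:Describe*"}, Resource: "*"},
			{
				Effect:   "Allow",
				Action:   mutatingEC2Actions,
				Resource: "*",
				Condition: map[string]map[string]string{
					"StringEquals": {"ec2:ResourceTag/KubernetesCluster": clusterName},
				},
			},
		},
	}
}

// Allows is a simplified model of IAM evaluation for the statements above:
// an action is allowed if some Allow statement lists it (or a matching
// wildcard) and every StringEquals condition matches the resource's tags.
func (p Policy) Allows(action string, resourceTags map[string]string) bool {
	for _, st := range p.Statement {
		if st.Effect != "Allow" || !actionMatches(st.Action, action) {
			continue
		}
		if conditionsMatch(st.Condition["StringEquals"], resourceTags) {
			return true
		}
	}
	return false
}

func actionMatches(patterns []string, action string) bool {
	for _, pat := range patterns {
		if pat == action {
			return true
		}
		if strings.HasSuffix(pat, "*") && strings.HasPrefix(action, strings.TrimSuffix(pat, "*")) {
			return true
		}
	}
	return false
}

// conditionsMatch requires every ec2:ResourceTag/<name> condition to equal
// the corresponding tag on the resource; a missing tag fails the condition.
func conditionsMatch(cond map[string]string, tags map[string]string) bool {
	for key, want := range cond {
		got, ok := tags[strings.TrimPrefix(key, "ec2:ResourceTag/")]
		if !ok || got != want {
			return false
		}
	}
	return true
}

func main() {
	p := MasterEC2Policy("prod.example.com")
	doc, _ := json.MarshalIndent(p, "", "  ")
	fmt.Println(string(doc))
	fmt.Println(p.Allows("ec2:DeleteVolume", map[string]string{"KubernetesCluster": "prod.example.com"}))
	fmt.Println(p.Allows("ec2:DeleteVolume", map[string]string{"KubernetesCluster": "staging.example.com"}))
}
```

Two caveats a reviewer would raise on the real policy: not every EC2 action supports `ec2:ResourceTag` (many Create and all Describe calls have no resource-level permissions, so a blanket condition on them simply denies the call), and a tag-based condition is only as strong as control over `ec2:CreateTags` and `ec2:DeleteTags`, which should themselves be constrained so a compromised node cannot re-tag someone else's volume into its own cluster.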
Automatic merge from submit-queue
Kops command fixes
TrimSuffix() on defaultStateStore doesn't actually do anything, and there is an unused answer variable in the tests.