Commit Graph

30 Commits

Author SHA1 Message Date
justinsb 7f58570a04 metal: stub out functions to enable cluster creation
Start adding the minimal implementation such that we can `kops create cluster`
2024-08-29 22:39:48 -04:00
Peter Rifel 62df0dba04 Migrate AWS Verifier to aws-sdk-go-v2 2024-05-05 08:39:20 -04:00
Ciprian Hacman 0be02417df gce: Remove custom resolver 2023-12-23 08:17:47 +02:00
justinsb 010a0d5e4c feat: Support PKI bootstrap
Similar to the TPM bootstrapping on GCE (indeed, a lot of the code is
modified from there), but we verify the PKI signature against a public
key in a Host CRD object.
2023-11-30 18:35:58 -05:00
John Gardiner Myers 977aacc356 Remove dead code for non-kops-controller bootstrap 2023-07-16 07:40:25 -07:00
Ciprian Hacman 83d14d4343 azure: Add support for dns=none 2023-07-13 09:04:06 +03:00
Leïla MARABESE dab001c3e9 scaleway authenticator and verifier 2023-06-14 15:15:17 +02:00
justinsb 1faee9dd8c digitalocean: bootstrap nodes through kops-controller.
We start with a simple node verifier.
2023-05-07 13:17:56 -04:00
justinsb c89f434f1b Only use node challenge on hetzner
DigitalOcean (and others) will follow shortly.

Also create a method for CloudProvider, so that we are more ambivalent
towards bootstrapping methods.
2023-05-06 08:57:21 -04:00
Justin SB c67f895226 Perform challenge callbacks into a node
In order to verify that the caller is running on the specified node,
we source the expected IP address from the cloud, and require that the
node set up a simple challenge/response server to answer requests.

Because the challenge server runs on a port outside of the nodePort
range, this also makes it harder for pods to impersonate their host
nodes - though we do combine this with TPM and similar functionality
where it is available.
2023-05-06 08:03:21 -04:00
justinsb 29d3a6f2f9 Refactor authenticator building
Prefer explicit error checking to the "fallthrough" pattern.
2023-02-11 11:04:32 -05:00
Justin SB 0b699832ec Use cloud-discovery on GCE in gossip mode
It's a little simpler and should speed up our boot.
2023-02-11 11:03:12 -05:00
Jesse Haka 3dab0eb807 Use kops-controller to bootstrap nodes in OpenStack 2023-01-14 13:54:14 +02:00
John Gardiner Myers 8aeefe23ed Use NodeupConfig for cluster name 2023-01-01 13:48:01 -08:00
John Gardiner Myers b38c55a2b9 Simplify nodeup references to CloudProvider 2022-12-20 19:44:32 -08:00
Justin SB d18e663397 Move kops-controller client into its own package
This should allow more reuse.
2022-12-19 10:30:13 -05:00
John Gardiner Myers 7c3e32369a Refactor Context into separate cloudup and nodeup types 2022-12-17 17:42:46 -08:00
Ciprian Hacman c9d1eb9761 hetzner: Use kops-controller for node bootstrap 2022-11-02 12:43:25 +02:00
justinsb 8220211655 nodeup: store the CloudProvider in the context
This is a bit simpler than fetching it from the cluster every time,
and also can allow things like mixed-cloud clusters (in future).
2021-12-11 09:16:03 -05:00
justinsb 4cf52d0e51 GCE: Support kops-controller, including in gossip mode
We discover the kops-controller in gossip mode using seeding code that
calls into the GCE API, just like gossip itself does.

We refactor the gossip code into a shared gcediscovery library with
minimal dependencies.
2021-12-04 11:51:41 -05:00
justinsb 4dc2c062fd Support GCE TPM verification 2021-10-06 08:40:20 -04:00
justinsb fad6db8beb Refactor bootstrap verifier/authenticator into its own package
No code changes, but this avoids a circular package dependency that we
would otherwise introduce in the GCE logic.
2021-09-26 09:43:53 -04:00
John Gardiner Myers 191df58267 Verify CA keypair IDs for kops-controller-issued certs 2021-07-14 08:15:28 -07:00
John Gardiner Myers 0dee785ebf Pass multiple CA certs to kops-controller client 2021-06-19 10:50:53 -07:00
John Gardiner Myers 42bf3ee85b Seed the random number generator on AWS 2021-06-17 22:59:43 -07:00
Justin SB 4ac9d5c17b Boot nodes without state store access
kops-controller can now serve the instance group & cluster config to
nodes, as part of the bootstrap process.

This enables nodes to boot without access to the state
store (i.e. without S3 / GCS / etc permissions)

Feature-flagged behind the KopsControllerStateStore feature-flag.
2021-01-09 13:08:48 -05:00
John Gardiner Myers 1a253dc574 Send the STS queries to the local region 2020-08-15 10:30:22 -07:00
John Gardiner Myers c5871df319 Get kubelet certificate from kops-controller 2020-08-15 10:30:20 -07:00
John Gardiner Myers cfa262a81a Authenticate from nodeup to kops-controller 2020-08-15 09:50:08 -07:00
John Gardiner Myers 9c01e1f44d Send bootstrap query from nodeup to kops-controller 2020-08-15 09:50:08 -07:00