* refactor TargetLoadBalancer to use DNSTarget interface instead of LoadBalancer
* add LoadBalancerClass fields into api
* make api machinery
* WIP: Implemented API loadbalancer class, allowing NLB and ELB support on AWS for new clusters.
* perform vendoring related tasks and apply fixes identified from hack/
dissallow spotinst + nlb
remove reflection in status_discovery.go
Add precreated additional security groups to the Master nodes in case of NLB
Remove support for attaching individual instances to NLB; only rely on ASG attachments
Don't specify Classic loadbalancer in GCE integration test
* add utility function to the kops model context to make LoadBalancer comparisons simpler
* use DNSTarget interface when locating DNSName of API ELB
* wip: create target group task
* Consolidate TargetGroup tasks
* Use context helper for determining api load balancer type to avoid nil pointers
* Update NLB creation to use target group ARN from separate task rather than creating a TG in-line
* Address staticcheck and bazel failures
* Removing NLB Attachment tasks because they're not used since we switched to defining them as a part of the ASGs
* Address PR review feedback
* Only set LB Class field for AWS clusters, fix nil pointer
* Move target group attributes from NLB task to TG task, removing unused attributes
* Add terraform and cloudformation support for NLBs, listeners, and target groups
* Update integration test for NLB support
* Fix NLB name format to pass terraform validation
* Preserve security group rule names when switching ELB to NLB to reduce destructive terraform changes
* Use elbv2 enums and address some TODOs
* Set healthcheck values in target group
* Find TG tags, fix NLB name detection
* Fix more spurious changes reported by lifecycle integration test
* Fix spotinst validation, more code cleanup
* Address more PR feedback
* ReconcileTargetGroups unit test + more code simplification
* Addressing PR feedback Renaming task 1. awstasks.LoadBalancer -> awstasks.ClassicLoadBalancer
* Addressing PR feedback Renaming task: ELBName() -> CLBName() / LinkToELB() -> LinkToCLB()
* Addressing PR feedback: Various text changes
* fix export of kubecfg
* address TargetGroup should have the same name as the NLB
* should address error when fetching tags due to missing ARN
* Update expected and crds
* Add feature table to NLB docs
* Address more feedback and remove some TODOs that arent applicable anymore
* Update spotinst validation error message
Co-authored-by: Peter Rifel <pgrifel@gmail.com>
We create a simple exec plugin command which can create and renew
short-lived admin credentials on the fly, essentially leveraging the
security of the underlying cloud credentials.
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
Kops creates an "api.internal.$clustername" dns A record that points to the master IP(s)
This adds a flag that will use that name and force the CA cert to be included.
This is a workaround for client certificate authentication not working on API ELBs with ACM certificates.
The ELB has a TLS listener rather than TCP, so the client certificate is not passed through to the apiserver.
Using --internal will bypass the API ELB so that the client certificate will be passed directly to the apiserver.
This also requires that the masters' security groups allow 443 access from the client which this does not handle automatically.
Adding support for 'secret-name' flag
Adding instructions to enable encryption
Updating docs for cli
Addressing comments
Adding ciliumpassword subcommand to 'kops create secret'
Updating command to generate ciliumpassword secret
With this argument, kops validate will poll until the timeout expires,
waiting for readiness. On readiness or on timer expiration, it exits
as if wait was not present.
We reduce the amount of time we wait on a purely scheduled basis
during a rolling-update, and instead increase the timeout on the
validation.
This will be a behavioural change - particularly for `--cloudonly`
mode, but that mode seems more useful when things are going wrong
anyway, when people will likely set _even lower_ timeouts.
We upload to a location that includes the version, but we need to
specify the version in KOPS_BASE_URL. We expose an option to make
`kops version` more amenable to this scripting.
We also have to stop passing the flag on ContainerOS, because it's set
in /etc/docker/default.json and it's now an error to pass the flag.
That in turn means we move those options to code, which are the last of
those legacy config options. (We still have a few tasks declaratively
defined though)
- implementing as new subcommand keypair to secret
- rename of LoadPEMCertificate to ParsePEMCertificate to have
the same naming of parsing of certificate/private key bytes in
the same package result is
pki.ParsePEMPrivateKey(privateKeyBytes)
pki.ParsePEMCertificate(certBytes)
Introduce an experimental kops set cluster command, for setting
individual fields in the same style as the kops create cluster
--override flags.
For now, feature flag gated by the same SpecOverrideFlag feature flag.
Also split out pkg/commands package to facilitate testing.
It can happen that, if one is accustomed to target the configuration to
terraform (for example), one does not expect it to be applied automatically,
but perform a `kops update cluster --target=terraform` followed by a `terraform
apply`. It's a disruption of common flow and it should be clarified.
Automatic merge from submit-queue.
Add --subnets and --utility-subnets to kops create cluster
This change adds two new options to `kops create cluster`
When specifying `--vpc`, `--subnets` can be specified as an unordered array of subnet ids. Kops will then look up the zones of the subnets to find which zone to add the subnet id to.
If `--topology private` is also specified, `--utility-subnets` can similarly be specified.
~If a zone was specified but a subnet wasn't given that matches the zone, then the subnet will be allocated a CIDR with the current behaviour.~ This case fails validation here 7bd0a6a703/pkg/apis/kops/validation/validation.go (L151)
I can add unit tests and docs changes if required, but I am keen to get feedback before I proceed much further.
I have only added support for AWS.
I have tested this by running a command similar to this:
```bash
kops create cluster \
--zones=us-east-1a,us-east-1b,us-east-1c \
--topology private \
--master-zones=us-east-1a,us-east-1b,us-east-1c \
--vpc $vpc_id \
--subnets subnet-111111,subnet-222222,subnet-333333 \
--utility-subnets subnet-444444,subnet-555555,subnet-666666 \
$cluster_hosted_zone_name
```
And the cluster spec was as expected.
Adding an extra option to the toolbox templating to format the YAML before writing out; which is usefull to cleanup formating issues and as detecting errors in the template
- added a formating options --format-yaml to the toolbox template which cleans up the yaml before writing out
- updated the cli documentation
- added the --config-value used to grab the configuration
The current implementation fails on template which reference unset variables, it is however useful at times to permit overriding this behavior and using sprig default() for example methods to handle it
- added a new command line option --fail-on-missing (defaults to true, so keeps the current behaviour)
- updated the unit test to reflect the changes
- updated the cli docs
- add a new kops secret command to store encryption config
- add the experimential-encryption-provider-config flag to the kube-apiserver
- add functionality to nodeup to create the stored encryption config in the correct path
Automatic merge from submit-queue
Flannel: change default backend type
We support udp, which has to the default for backwards-compatibility,
but also new clusters will now use vxlan.
Extending the current implementation of toolbox template to include multiple files and snippets. Note, i've removed the requirements for defaults as I think people should be forced to specifically pass them.
- fixing the vetting iseues to the method YamlToJson -> YAMLToJSON
- adding a safety check to ensure templates don't reference an unknown value
- extending the unit test to ensure the above works on main and snippets
- include the ability to specify multiple configuration files, useful for common.yaml and prod.yaml etc
Requested Changes - Toolbox Templating
Added the requested changes
- moved the templater into it's own package rather than using base util
- moved to using the sprig library for additional template function
- @note: i couldn't find a native way in sprig to do snippets, also the i've overloaded the indent as it appears to do the indent on all lines rather than on the newline, meaning i'd have to shift my first line back by the indent to get it to work, which seems ugly
In the S3 bucket, the file cluster.spec is not actually the spec, but the
actual configuration. The file config is the spec. To avoid confusion,
this commit changes spec/specification into 'desired configuration' in
the documentation, to avoid associating cluster.spec with a cluster
'specification' that the users should use.
* Use the pretty.LongDesc function (which doesn't pipe it through
markdown -> ascii)
* Use pretty.Bash helper to avoid problems with backticks in
go-backtick-quoted-strings
* Make sure indentation is consistent
fixes#2606
Most part of the changes are similar to current supported CNI networking
provider. Kube-router also support IPVS bassed service proxy which can
be used as replacement for kube-proxy. So the manifest for kube-router
included with this patch enables kube-router to provide pod-to-pod
networking, IPVS based service proxy and ingress pod firewall.
axpraka
John Gardiner Myers
Christian Joun
Ciprian Hacman
Justin SB
Derrik Campau
Ole Markus With
Peter Rifel
Kubernetes Prow Robot
Brandon Wagner
Brandon Wagner
Ciprian Hacman
Zhou Hao
MoShitrit
Jesse Haka
eric-hole
vvbogdanov87
Josh Branham
Adam Yang
Derek Lemon -T (delemon - AEROTEK INC at Cisco)
Rodrigo Menezes
mikesplain
Kenjiro Nakayama
Ian Hoegen
Sean Johnson
Byungjin Park
AdamDang
Justin Santa Barbara
Christian Kampka
Gijs Kunze
Marceli-Wac
Raffaele Di Fazio
Kashif Saadat
Noi Narisak
Julien SENON
sunlintong
Przemysław Dąbek
Maciej Kwiek
Kyle Rockman
Alexander Brandstedt
chrislovecnm
klaus993
Daniel Heitmann
Todd Lyons
Kubernetes Submit Queue
Manuel de Brito Fontes
Henry Muru Paenga
Julio Chana
Rohith
John Laswell
georgebuckerfield
Marius Davidsen
Caleb Gilmour
Alexander Brandstedt
lichuqiang
Orr Chen
Quentin Nerden
asifdxtreme
Blake
craigmonson
Alexander Brandstedt
Bradley
Frederik Nordahl Jul Sabroe
Benedict Hartley
Giancarlo Rubio
Arve Knudsen
Matt Marchetti
Murali Reddy
Eric Hole
Willem Mali