This PR fixes the `kops replace --force` flag which was introduce in [#PR3099](https://github.com/kubernetes/kops/pull/3089). The `--force` stopped working when 65aea59418 was merged and the api started returning an actual error for NotFound
Added new overide capability to set all etcd version dynamically. This
is needed for HA testing. For example following flag can now be used with
create cluster.
--override "cluster.spec.etcdClusters*.version=3.0.17"
This avoids the need to list directories, which is problematic on GCE.
It also makes for a more consistent experience; we can move nodeup to
use the bundle always, and we can move writing to the Mirror task, so
that VFS & kops-server are more similar.
Adding the capbility for kops validate cluster command to output YAML or JSON.
The validate.ValidationCluster struct is used as body of the JSON or
YAML document.
Automatic merge from submit-queue.
Add --subnets and --utility-subnets to kops create cluster
This change adds two new options to `kops create cluster`
When specifying `--vpc`, `--subnets` can be specified as an unordered array of subnet ids. Kops will then look up the zones of the subnets to find which zone to add the subnet id to.
If `--topology private` is also specified, `--utility-subnets` can similarly be specified.
~If a zone was specified but a subnet wasn't given that matches the zone, then the subnet will be allocated a CIDR with the current behaviour.~ This case fails validation here 7bd0a6a703/pkg/apis/kops/validation/validation.go (L151)
I can add unit tests and docs changes if required, but I am keen to get feedback before I proceed much further.
I have only added support for AWS.
I have tested this by running a command similar to this:
```bash
kops create cluster \
--zones=us-east-1a,us-east-1b,us-east-1c \
--topology private \
--master-zones=us-east-1a,us-east-1b,us-east-1c \
--vpc $vpc_id \
--subnets subnet-111111,subnet-222222,subnet-333333 \
--utility-subnets subnet-444444,subnet-555555,subnet-666666 \
$cluster_hosted_zone_name
```
And the cluster spec was as expected.
Automatic merge from submit-queue.
work on using files assets
Basic MVP for file assests.
- using file assest builder
- able to upload files
- using URL structs instead of strings everywhere
File assets and the SHA files are uploaded to the new location. Files
when are users uses s3 are upload public read only. The copyfile task
uses only the existing SHA value.
This PR include major refactoring of the use of URLs. Strings are no
longer categnated, but converted into a URL struct and path.Join is
utlilized.
A new values.go file is included so that we can start refactoring more
code out of the "fi" package.
A
We've done this in the API already, but we had a single CAStore
interface that did Keysets and SSHCredentials. Separate out
SSHCredentials into SSHCredentialStore, and start using API objects as
our primary representation.
Automatic merge from submit-queue.
Improving UX for placeholder IP Address
Before the `kops validate cluster` attempts to connect to the K8s API
endpoint, the code now checks to see if the API DNS Entry is the kops
placeholder IP Address 203.0.113.123. It prints a message to the user
and err's. There is a new init func in validate cluster that disables
CGO based DNS for Darwin OS. Darwin does two things with kops
validates; it caches the IP address, and it does not return the
placeholder IP address. We cannot use CGO base DNS with kops validate with OSX.
Before the `kops validate cluster` attempts to connect to the K8s API
endpoint, the code now checks to see if the API DNS Entry is the kops
placeholder IP Address 203.0.113.123. It prints a message to the user
and err's. There is a new init func in validate cluster that disables
CGO based DNS for Darwin OS. Darwin does two things with kops
validates; it caches the IP address, and it does not return the
placeholder IP address. We cannot use CGO base DNS with kops validate.
Automatic merge from submit-queue.
Add edit flag so create instancegroup command is usable on scripts
Until now, the opening of an interactive editor when creating a new instance group was mandatory.
This this commit, a new flag is added, so this is now optional.
This commit is backwards compatible.
Automatic merge from submit-queue.
Add a default NodeLabel with the InstanceGroup name
As requested in https://github.com/kubernetes/kops/issues/2999, this change just auto-populates new InstanceGroup specs with a default node label containing the name of the instance group. It would be really useful for those of us managing environments with multiple instance groups.
It allows an admin to easily view the instance groups using kubectl:
```
kubectl get nodes --label-columns kops.k8s.io/instancegroup
NAME STATUS AGE VERSION INSTANCEGROUP
ip-172-20-108-120.eu-west-1.compute.internal Ready,node 3m v1.7.4 xtra-large
ip-172-20-117-133.eu-west-1.compute.internal Ready,master 14m v1.7.4 master-eu-west-1c
ip-172-20-32-139.eu-west-1.compute.internal Ready,master 14m v1.7.4 master-eu-west-1a
ip-172-20-32-92.eu-west-1.compute.internal Ready,node 12m v1.7.4 nodes
ip-172-20-67-184.eu-west-1.compute.internal Ready,master 13m v1.7.4 master-eu-west-1b
```
Automatic merge from submit-queue.
Template Fixes
- fixing an issue in the way it handled inline yaml documents
- cleaning it up somewhat, the prior version was a little cryptic to read; it's easier to just split into docs, format if required and rejoin at the end.
Apologizes @justinsb ... the prior PR didn't handle YAML separators correctly; I've find it somewhat simpler by a split and join rather than using indexes and such
- fixing an issue in the way it handled inline yaml documents
- cleaning it up somewhat, the prior version was a little cryptic to read; it's easier to just split into docs, format and rejoin at the end
Automatic merge from submit-queue.
GCE Dump: Include instance IPs
The challenge here is that we normally only get the instance url. So we
have to do another call to GCE, but we also don't want to do one call per
instance.
Instead, we create a dump operation context object which we pass into the
dump.
Adding an extra option to the toolbox templating to format the YAML before writing out; which is usefull to cleanup formating issues and as detecting errors in the template
- added a formating options --format-yaml to the toolbox template which cleans up the yaml before writing out
- updated the cli documentation
- added the --config-value used to grab the configuration
The challenge here is that we normally only get the instance url. So we
have to do another call to GCE, but we also don't want to do one call
per instance.
Instead, we create a dump operation context object which we pass into the dump.
Automatic merge from submit-queue.
GCS: Use ACLs for GCE permissions
This needs less permissions, but also allows for more granular control over
access to files than whole-bucket permissions that IAM gives us.
This lets us configure cross-project permissions while ourselves needing
minimal permissions, but also gives us a nice hook for future lockdown
of object-level permissions.
Automatic merge from submit-queue.
Implement DigitalOcean Droplet FI Task
Implements cloudup fi tasks for DigitalOcean droplets. It makes a few assumptions to reduce the size of this PR, those will be addressed in future PRs.
Also does some cleanup in the DigitalOcean `dns` package.
The current implementation fails on template which reference unset variables, it is however useful at times to permit overriding this behavior and using sprig default() for example methods to handle it
- added a new command line option --fail-on-missing (defaults to true, so keeps the current behaviour)
- updated the unit test to reflect the changes
- updated the cli docs
Without this change, `kops get --name non-existing-cluster` will
exit with a status of `0`, which makes it difficult to check if
a cluster (and other resources) exist in a shell script.
Automatic merge from submit-queue.
bumping k8s versions in test files
updating k8s versions in test YAML files so that we do not get warnings during testing
Automatic merge from submit-queue.
Add Zones field to InstanceGroup
The Zones field can specify zones where they are not specified on a
Subnet, for example on GCE where we have regional subnets.
Automatic merge from submit-queue. .
promoting drain and validate by setting feature flag to true
I am unable to recreate https://github.com/kubernetes/kops/issues/2407, and frankly, it may be an edge case. We could warn a user if their wait times are low, but that would be another PR.
This PR moves Drain and Validate functionality for rolling-updates into the default user experience, setting the Feature Flag to true.
Per feedback, I am using the node and master interval times for the validation.
Automatic merge from submit-queue. .
Create GCE networks in auto mode, not legacy mode
auto mode allows for conversion to custom mode at the API level, and
legacy mode is deprecated.
- add a new kops secret command to store encryption config
- add the experimential-encryption-provider-config flag to the kube-apiserver
- add functionality to nodeup to create the stored encryption config in the correct path
Automatic merge from submit-queue
Add romana to built-in CNI options
This PR adds `romana` as a networking option for kops.
It installs the latest "preview" release of Romana v2.0, which provides the expected features in terms of IP allocations and route configuration. Network policy features are being ported to 2.0 and will be in the final release. (We intend to submit a followup PR for kops as part of that rolling out that release.)
Note: in this setup, we're using the etcd cluster that kops deploys for k8s. This isn't ideal, but some possibilities (eg: StatefulSets) aren't practical for the CNI itself, and creating a parallel etcd cluster via manifests seemed to be a more-intrusive approach than using the existing one.
If this is a concern or problem, then I'm very open to discussing and implementing it based on your suggestions.
Also, some functionality is exclusive to AWS environments. Other cloud platforms are on Romana's roadmap but not developed yet. Let me know that restriction needs to be enforced in code or directly documented.
Automatic merge from submit-queue
Flannel: change default backend type
We support udp, which has to the default for backwards-compatibility,
but also new clusters will now use vxlan.
Automatic merge from submit-queue
Toolbox template
Extending the current implementation of toolbox template to include multiple files and snippets. Note, I've removed the requirements for defaults as I think people should be forced to specifically pass them
- allowing the users to use a snippets directory for reusable templates
- allows the users to specify multiple templates files via multiple --template <path>, use a directory or both
- allows the users to specify multiple configuration files via multiple --values <path>, use a directory or both
- adding a safety check to ensure templates don't reference an unknown values
- fixing the vetting issues to the method YamlToJson -> YAMLToJSON
- as usual anything a saw on the journey which doesn't comply with go-vet got changed
Examples of a snippet
```YAML
hooks:
- name: some_service.service
manifest: |
{{ include "some_service.service" . | indent 6 }}
```
We currently use something similar to template our cluster and instances group documents, handling the differences between prod, ci and ephemeral
Extending the current implementation of toolbox template to include multiple files and snippets. Note, i've removed the requirements for defaults as I think people should be forced to specifically pass them.
- fixing the vetting iseues to the method YamlToJson -> YAMLToJSON
- adding a safety check to ensure templates don't reference an unknown value
- extending the unit test to ensure the above works on main and snippets
- include the ability to specify multiple configuration files, useful for common.yaml and prod.yaml etc
Requested Changes - Toolbox Templating
Added the requested changes
- moved the templater into it's own package rather than using base util
- moved to using the sprig library for additional template function
- @note: i couldn't find a native way in sprig to do snippets, also the i've overloaded the indent as it appears to do the indent on all lines rather than on the newline, meaning i'd have to shift my first line back by the indent to get it to work, which seems ugly
This will allow us to set CIDRs for nodeport access, which in turn will
allow e2e tests that require nodeport access to pass.
Then add a feature-flagged flag to `kops create cluster` to allow
arbitrary setting of spec values; currently the only value supported is
cluster.spec.nodePortAccess
Automatic merge from submit-queue
Implementing GCE as an interface - modelling aws cloud provider
GCE and other cloud providers are structs instead of an interface. AWS cloud provider implements an interface. This PR refactors `GCECloud` as an interface, and creates `gceCloudImplementation`.
- [x] Need to e2e test
Automatic merge from submit-queue
Kops command fixes
TrimSuffix() on defaultStateStore doesn't actually do anything, and there is an unused answer variable in the tests.
Automatic merge from submit-queue
Allow the strict IAM policies to be optional
The stricter IAM policies could potentially cause regression for some edge-cases, or may rely on nodeup image changes that haven't yet been deployed / tagged officially (currently the case on master branch since PR https://github.com/kubernetes/kops/pull/3158 was merged in).
This PR just wraps the new IAM policy rules around a cluster spec flag, `EnableStrictIAM`, so will default to the original behaviour (where the S3 policies were completely open). Could also be used to wrap PR https://github.com/kubernetes/kops/pull/3186 if it progresses any further.
- Or we could reject this and have the policies always strict! :)
Automatic merge from submit-queue
starting work on file assets builder
I refactored to the dockerassets pkg to assetstasks, in order to not add yet another package. Added file copy task, that I have tested with s3 locally, but not certain how to add memfs tests.
Fixes: https://github.com/kubernetes/kops/issues/3086
Automatic merge from submit-queue
Add cluster spec to node user data so component config changes are detected
Related to #3076
Some cluster changes such as component config modifications are not picked up when performing updates (nodes are not marked as `NEEDUPDATE`). This change introduces the ability to:
1. Include certain cluster specs within the node user data file ~(`enableClusterSpecInUserData: true`)~
2. ~Encode the cluster spec string before placing within the user data file (`enableClusterSpecInUserData: true`)~
~The above flags default to false so shouldn't cause any changes to existing clusters.~
Following feedback I've removed the optional API flags, so component config is included by default within the user data. This WILL cause all nodes to have a required update to their bootstrap scripts.
Automatic merge from submit-queue
Clarify docs: rename spec/specification into desired configuration
The cluster state in S3 has (among others) two files: `cluster.spec` and `config`.
When the documentation mentioned "create or update cluster spec" for example, it was confusing what was actually updated. It's not the cluster.spec file.
As I understand, `cluster.spec` should only be created/updated after `kops update --yes` is run.
I changed the docs for `kops get`, `kops create`, `kops replace`, `kops edit`.
I did NOT change those files: `kops_rolling-update.md`, `kops_rolling-update_cluster.md` as I think those actually use `cluster.spec`.
In the S3 bucket, the file cluster.spec is not actually the spec, but the
actual configuration. The file config is the spec. To avoid confusion,
this commit changes spec/specification into 'desired configuration' in
the documentation, to avoid associating cluster.spec with a cluster
'specification' that the users should use.
The current 'kops replace' fails if the resource does not exist, which is annoying if you want to use the feature to drive your CI. This PR adds a --create option to create any resource which does not exist. At the moment we limit this to instanceGroups only. I'd also like to see this command perhaps be renamed to kops apply?
Automatic merge from submit-queue
adding warning about --full
This starts work on https://github.com/kubernetes/kops/issues/2290. Adds a warning to deter users from using YAML generated by --full.
This adds a well-known secret name `nodedockercfg` which will automatically
be used if present to create /root/.docker/config.json on all nodes. This will
allow private registries to be used for kops hooks as well as any k8s images
without the need to define `imagePullSecrets` in every namespace.
closes https://github.com/kubernetes/kops/issues/2505
Rohith