We previously needed them to allow list operations; however we now use a
keyset.yaml file instead of listing keys. That should be the sole use,
so we should no longer need this permission.
If not, we can re-enable the code easily.
Automatic merge from submit-queue.
Add audit log format flag for api server
In kubernetes 1.8, a flag for audit-log format has been added, this flag can be set to `legacy` or `json` format on the kubernetes API server.
Adding the capbility for kops validate cluster command to output YAML or JSON.
The validate.ValidationCluster struct is used as body of the JSON or
YAML document.
Automatic merge from submit-queue.
Support for OIDC 'username-prefix' and 'groups-prefix' flags
### What
Added support for `--oidc-username-prefix` and `--oidc-groups-prefix`.
By passing these it's possible to override the default prefixes used to map the OIDC user with the username in kubernetes.
### See
See: https://kubernetes.io/docs/admin/authentication/#configuring-the-api-server
### IMPORTANT
I'm far from a kubernetes/KOPS, this is not tested so someone needs to have a look and see if something is missing or if this can cause troubles! (don't want to accidentally cause the destruction of the universe 💥 )
It's basically the same done in this other PR: https://github.com/kubernetes/kops/pull/1438/files
I did **not** change the `zz_generated.conversion.go` files as according to comment at the top of them they're autogenerated:
```go
// This file was autogenerated by conversion-gen. Do not edit it manually!
```
(I wonder if they should be `.gitignore`d)
### Fixes
This should fix [#4007: field oidcUsernamePrefix is not recognized in cluster configuration file](https://github.com/kubernetes/kops/issues/4007)
Automatic merge from submit-queue.
work on using files assets
Basic MVP for file assests.
- using file assest builder
- able to upload files
- using URL structs instead of strings everywhere
Automatic merge from submit-queue.
Adds permissions for ELB and NLB req'd by 1.9
Adds appropriate IAM permissions to Masters (in restrictive mode) for ELB and NLB.
Closes https://github.com/kubernetes/kops/issues/3883
File assets and the SHA files are uploaded to the new location. Files
when are users uses s3 are upload public read only. The copyfile task
uses only the existing SHA value.
This PR include major refactoring of the use of URLs. Strings are no
longer categnated, but converted into a URL struct and path.Join is
utlilized.
A new values.go file is included so that we can start refactoring more
code out of the "fi" package.
A
Automatic merge from submit-queue.
add imagePullProgressDeadline to kubelet config
Support the kubelet runtime flag `--image-pull-progress-deadline` by mapping the config key `imagePullProgressDeadline`
This supports extending the deadline to pull new images, as detailed in [this issue](https://github.com/openshift/origin/issues/13122)
Automatic merge from submit-queue.
Fix node counts
When running `kops validate`, and the cluster size is greater than the minimum configuration, the display message is
<img width="153" alt="screen shot 2017-12-07 at 1 10 14 pm" src="https://user-images.githubusercontent.com/11003242/33738958-1571943e-db50-11e7-9156-f034c9af7d9c.png">
This PR sets the NodeCount value to the length of the nodes array instead of the configuration.
Automatic merge from submit-queue.
Allow additional SGs to be added to API loadbalancer
Allow adding precreated additional security groups to the API loadbalancer using cluster spec:
```yaml
spec:
api:
loadBalancer:
type: Public
additionalSecurityGroups:
- sg-exampleid3
- sg-exampleid4
```
- [x] Adding additionalSecurityGroups cluster spec
- [x] Adding validation for repeated security groups
- [x] Adding validation for API loadbalancer security groups
- [x] Integration test for API loadbalancer and its security groups
- [x] Update API docs and cluster.spec docs
Automatic merge from submit-queue.
Add additionalNetworkCIDRs to support VPCs with multiple CIDRs in AWS
Add additionalNetworkCIDRs to support VPCs with multiple CIDRs in AWS.
@justinsb I cannot find anywhere that does a check on an existing VPC to see if the networkCIDR matches what is on the VPC defined, I was looking for that so I can add a similar check for this. Am I missing something or is there really no check like that?
Automatic merge from submit-queue.
Let a user set a hostnameOverride when the cloud provider is aws.
Let a user use the hostname or set a hostnameOverride when the cloud provider is aws. This would allow for a more descriptive name to be used. The name of the hosts when using @hostname can be set by using a hook or some other method.
We've done this in the API already, but we had a single CAStore
interface that did Keysets and SSHCredentials. Separate out
SSHCredentials into SSHCredentialStore, and start using API objects as
our primary representation.
Automatic merge from submit-queue.
Fix spurious shared InternetGateway renaming
This fixes the original issue described in #476 where `kops update cluster` would continuously report renaming a shared IGW even though it never actually renames it. I also added tests to confirm the behavior change.
I removed the bug mention from the docs although if you would prefer to keep it and instead say `In kops versions before X, ...` I can do that too
Automatic merge from submit-queue.
When using private DNS add ELB name to the api certificate
This fixes issue #2032 by using the gossip paths with private dns as well:
* When creating the api server certificate, include the ELB hostname
* When generating kubeconfig, use the ELB hostname as the api server name
Automatic merge from submit-queue.
Add missing permissions for NLB creation
Without this permissions is not possible to create a network load balancer (alpha in k8s >= 1.9)
Johannes Würbach
