We previously needed them to allow list operations; however we now use a
keyset.yaml file instead of listing keys. That should be the sole use,
so we should no longer need this permission.
If not, we can re-enable the code easily.
Automatic merge from submit-queue.
Force nodeup to use the bundle
We disable fallback entirely for nodeup, so we can still share code, but
won't accidentally be using the wrong code path.
Builds on #3839
Automatic merge from submit-queue.
Fix null pointer issues when custom PROTOKUBE_IMAGE is specified.
When setting a custom protokube location via the environment variable `PROTOKUBE_IMAGE`, this appeared to not be getting set properly at the time of applying Cluster updates (via `kops update cluster ${KOPS_CLUSTER_NAME} --yes`), resulting in a runtime exception.
This PR resolves the above issue, so cluster updates are correctly applied with reference to a custom protokube image location (if provided).
This avoids the need to list directories, which is problematic on GCE.
It also makes for a more consistent experience; we can move nodeup to
use the bundle always, and we can move writing to the Mirror task, so
that VFS & kops-server are more similar.
Automatic merge from submit-queue.
Refactor VFS CA store to reuse keyset from clientset
This ensures the two behave more similarly, but also will help us parse a
serialized keyset.
Builds on #3836
Automatic merge from submit-queue.
Refactor: clean up SecretStore to not use KeystoreItem
More moving to use API objects, except in this case we eventually want to
deprecate SecretStore entirely.
Builds on #3833
Automatic merge from submit-queue.
Add --subnets and --utility-subnets to kops create cluster
This change adds two new options to `kops create cluster`
When specifying `--vpc`, `--subnets` can be specified as an unordered array of subnet ids. Kops will then look up the zones of the subnets to find which zone to add the subnet id to.
If `--topology private` is also specified, `--utility-subnets` can similarly be specified.
~If a zone was specified but a subnet wasn't given that matches the zone, then the subnet will be allocated a CIDR with the current behaviour.~ This case fails validation here 7bd0a6a703/pkg/apis/kops/validation/validation.go (L151)
I can add unit tests and docs changes if required, but I am keen to get feedback before I proceed much further.
I have only added support for AWS.
I have tested this by running a command similar to this:
```bash
kops create cluster \
--zones=us-east-1a,us-east-1b,us-east-1c \
--topology private \
--master-zones=us-east-1a,us-east-1b,us-east-1c \
--vpc $vpc_id \
--subnets subnet-111111,subnet-222222,subnet-333333 \
--utility-subnets subnet-444444,subnet-555555,subnet-666666 \
$cluster_hosted_zone_name
```
And the cluster spec was as expected.
Automatic merge from submit-queue.
work on using files assets
Basic MVP for file assests.
- using file assest builder
- able to upload files
- using URL structs instead of strings everywhere
File assets and the SHA files are uploaded to the new location. Files
when are users uses s3 are upload public read only. The copyfile task
uses only the existing SHA value.
This PR include major refactoring of the use of URLs. Strings are no
longer categnated, but converted into a URL struct and path.Join is
utlilized.
A new values.go file is included so that we can start refactoring more
code out of the "fi" package.
A
Automatic merge from submit-queue.
Support for hostPort when using canal
Similar to: https://github.com/kubernetes/kops/pull/3206
Without this, we are unable to get `hostPort` working with `canal`. The same is true for `flannel`, but this does add support for plain flannel.
Kashif Saadat