From 798b5c9f2a2b5d9f77caa9932d427d305b35cbaf Mon Sep 17 00:00:00 2001
From: Andrei Kvapil
Date: Fri, 13 Nov 2020 08:52:23 +0100
Subject: [PATCH] Add missing steps to configure konnectivity-server (#24141)
* Add missing steps to configure konnectivity-server
* Update content/en/docs/tasks/extend-kubernetes/setup-konnectivity.md
Co-authored-by: Tim Bannister
* Update content/en/docs/tasks/extend-kubernetes/setup-konnectivity.md
Co-authored-by: Tim Bannister
* Update content/en/docs/tasks/extend-kubernetes/setup-konnectivity.md
Co-authored-by: Tim Bannister
* update konnectivity manifests
* remove tcp configuration
Co-authored-by: Tim Bannister
---
 .../extend-kubernetes/setup-konnectivity.md | 25 +++++++++++
 .../egress-selector-configuration.yaml | 2 +-
 .../konnectivity/konnectivity-agent.yaml | 6 ++-
 .../konnectivity/konnectivity-server.yaml | 44 ++++++++++---------
 4 files changed, 53 insertions(+), 24 deletions(-)
diff --git a/content/en/docs/tasks/extend-kubernetes/setup-konnectivity.md b/content/en/docs/tasks/extend-kubernetes/setup-konnectivity.md
index da9dabb135..82eecc9c38 100644
--- a/content/en/docs/tasks/extend-kubernetes/setup-konnectivity.md
+++ b/content/en/docs/tasks/extend-kubernetes/setup-konnectivity.md
@@ -24,10 +24,35 @@ The following steps require an egress configuration, for example:
 You need to configure the API Server to use the Konnectivity service and direct the network traffic to the cluster nodes:
+1. Make sure that
+the `ServiceAccountTokenVolumeProjection` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
+is enabled. You can enable
+[service account token volume protection](/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection)
+by providing the following flags to the kube-apiserver:
+ ```
+ --service-account-issuer=api
+ --service-account-signing-key-file=/etc/kubernetes/pki/sa.key
+ --api-audiences=system:konnectivity-server
+ ```
 1. Create an egress configuration file such as `admin/konnectivity/egress-selector-configuration.yaml`.
 1. Set the `--egress-selector-config-file` flag of the API Server to the path of your API Server egress configuration file.
+Generate or obtain a certificate and kubeconfig for konnectivity-server.
+For example, you can use the OpenSSL command line tool to issue a X.509 certificate,
+using the cluster CA certificate `/etc/kubernetes/pki/ca.crt` from a control-plane host.
+
+```bash
+openssl req -subj "/CN=system:konnectivity-server" -new -newkey rsa:2048 -nodes -out konnectivity.csr -keyout konnectivity.key -out konnectivity.csr
+openssl x509 -req -in konnectivity.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out konnectivity.crt -days 375 -sha256
+SERVER=$(kubectl config view -o jsonpath='{.clusters..server}')
+kubectl --kubeconfig /etc/kubernetes/konnectivity-server.conf config set-credentials system:konnectivity-server --client-certificate konnectivity.crt --client-key konnectivity.key --embed-certs=true
+kubectl --kubeconfig /etc/kubernetes/konnectivity-server.conf config set-cluster kubernetes --server "$SERVER" --certificate-authority /etc/kubernetes/pki/ca.crt --embed-certs=true
+kubectl --kubeconfig /etc/kubernetes/konnectivity-server.conf config set-context system:konnectivity-server@kubernetes --cluster kubernetes --user system:konnectivity-server
+kubectl --kubeconfig /etc/kubernetes/konnectivity-server.conf config use-context system:konnectivity-server@kubernetes
+rm -f konnectivity.crt konnectivity.key konnectivity.csr
+```
+
 Next, you need to deploy the Konnectivity server and agents. [kubernetes-sigs/apiserver-network-proxy](https://github.com/kubernetes-sigs/apiserver-network-proxy) is a reference implementation.
diff --git a/content/en/examples/admin/konnectivity/egress-selector-configuration.yaml b/content/en/examples/admin/konnectivity/egress-selector-configuration.yaml
index 6659ff3fbb..c85f25ea51 100644
--- a/content/en/examples/admin/konnectivity/egress-selector-configuration.yaml
+++ b/content/en/examples/admin/konnectivity/egress-selector-configuration.yaml
@@ -18,4 +18,4 @@ egressSelections:
 # The other supported transport is "tcp". You will need to set up TLS
 # config to secure the TCP transport.
 uds:
- udsName: /etc/srv/kubernetes/konnectivity-server/konnectivity-server.socket
+ udsName: /etc/kubernetes/konnectivity-server/konnectivity-server.socket
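Review bot: The kubeconfig produced by the `kubectl config set-credentials ... --embed-certs=true` step carries the konnectivity-server client private key, yet the new text says nothing about who may read `/etc/kubernetes/konnectivity-server.conf`; as far as I recall kubectl writes a new kubeconfig 0600 but keeps the mode of a file that already exists, so I would add a closing step `chmod 600 /etc/kubernetes/konnectivity-server.conf` and a sentence that the file must stay readable only by root on the control-plane host. Two smaller points in the same block: the `openssl req` line passes `-out konnectivity.csr` twice (one occurrence can go), and the link text `service account token volume protection` should read `projection`, matching the anchor it points to. The `SERVER=$(kubectl config view -o jsonpath='{.clusters..server}')` line yields several space-separated values when the admin kubeconfig lists more than one cluster, so a note that the snippet assumes a single-cluster kubeconfig would save a confusing `set-cluster` failure.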
diff --git a/content/en/examples/admin/konnectivity/konnectivity-agent.yaml b/content/en/examples/admin/konnectivity/konnectivity-agent.yaml
index c3dc71040b..3c71999427 100644
--- a/content/en/examples/admin/konnectivity/konnectivity-agent.yaml
+++ b/content/en/examples/admin/konnectivity/konnectivity-agent.yaml
@@ -22,7 +22,7 @@ spec:
 - key: "CriticalAddonsOnly"
 operator: "Exists"
 containers:
- - image: us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-agent:v0.0.8
+ - image: us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-agent:v0.0.12
 name: konnectivity-agent
 command: ["/proxy-agent"]
 args: [
@@ -32,6 +32,8 @@ spec:
 # this is the IP address of the master machine.
 "--proxy-server-host=35.225.206.7",
 "--proxy-server-port=8132",
+ "--admin-server-port=8133",
+ "--health-server-port=8134",
 "--service-account-token-path=/var/run/secrets/tokens/konnectivity-agent-token"
 ]
 volumeMounts:
@@ -39,7 +41,7 @@ spec:
 name: konnectivity-agent-token
 livenessProbe:
 httpGet:
- port: 8093
+ port: 8134
 path: /healthz
 initialDelaySeconds: 15
 timeoutSeconds: 15
diff --git a/content/en/examples/admin/konnectivity/konnectivity-server.yaml b/content/en/examples/admin/konnectivity/konnectivity-server.yaml
index 730c26c66a..a0f45af5ff 100644
--- a/content/en/examples/admin/konnectivity/konnectivity-server.yaml
+++ b/content/en/examples/admin/konnectivity/konnectivity-server.yaml
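Review bot: The liveness probe's `port: 8134` in the third hunk is now coupled to the `"--health-server-port=8134"` argument added in the second hunk, but neither line says so while the manifest explains its other cross-references in comments; I would put `# Must match the livenessProbe port below.` above the `--health-server-port` argument. The `"--admin-server-port=8133"` argument is also new and nothing else in the manifest refers to that port, so a one-line comment on what the admin listener serves (or leaving the flag out if the default suits the example) would let readers decide whether they want it. The container spec these hunks edit starts above the first hunk.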
@@ -8,34 +8,33 @@ spec:
 hostNetwork: true
 containers:
 - name: konnectivity-server-container
- image: us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-server:v0.0.8
+ image: us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-server:v0.0.12
 command: ["/proxy-server"]
 args: [
- "--log-file=/var/log/konnectivity-server.log",
- "--logtostderr=false",
- "--log-file-max-size=0",
+ "--logtostderr=true",
 # This needs to be consistent with the value set in egressSelectorConfiguration.
- "--uds-name=/etc/srv/kubernetes/konnectivity-server/konnectivity-server.socket",
+ "--uds-name=/etc/kubernetes/konnectivity-server/konnectivity-server.socket",
 # The following two lines assume the Konnectivity server is
 # deployed on the same machine as the apiserver, and the certs and
 # key of the API Server are at the specified location.
- "--cluster-cert=/etc/srv/kubernetes/pki/apiserver.crt",
- "--cluster-key=/etc/srv/kubernetes/pki/apiserver.key",
+ "--cluster-cert=/etc/kubernetes/pki/apiserver.crt",
+ "--cluster-key=/etc/kubernetes/pki/apiserver.key",
 # This needs to be consistent with the value set in egressSelectorConfiguration.
 "--mode=grpc",
 "--server-port=0",
 "--agent-port=8132",
 "--admin-port=8133",
+ "--health-port=8134",
 "--agent-namespace=kube-system",
 "--agent-service-account=konnectivity-agent",
- "--kubeconfig=/etc/srv/kubernetes/konnectivity-server/kubeconfig",
+ "--kubeconfig=/etc/kubernetes/konnectivity-server.conf",
 "--authentication-audience=system:konnectivity-server"
 ]
 livenessProbe:
 httpGet:
 scheme: HTTP
 host: 127.0.0.1
- port: 8133
+ port: 8134
 path: /healthz
 initialDelaySeconds: 30
 timeoutSeconds: 60
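Review bot: `"--health-port=8134"` is added without a comment tying it to the liveness probe's `port: 8134` a few lines below (and to the `healthport` entry in the next hunk), while the neighbouring `--uds-name` and `--cluster-*` flags each carry a consistency comment; I would add `# Must match livenessProbe.httpGet.port and the healthport containerPort below.` above it. With the probe moved to 8134, `"--admin-port=8133"` is no longer referenced by anything in this file but is still published as a hostPort on this `hostNetwork: true` pod, so a comment stating what that listener serves and that it is meant for local diagnostics (or dropping the hostPort if it is not needed) would make the exposure deliberate. `"--kubeconfig=/etc/kubernetes/konnectivity-server.conf"` points at the file the setup task generates with an embedded client key; a short cross-reference such as `# Generated in the setup-konnectivity task; holds the client key, mounted read-only below.` would help operators place it.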
@@ -46,25 +45,28 @@ spec:
 - name: adminport
 containerPort: 8133
 hostPort: 8133
+ - name: healthport
+ containerPort: 8134
+ hostPort: 8134
 volumeMounts:
- - name: varlogkonnectivityserver
- mountPath: /var/log/konnectivity-server.log
- readOnly: false
- - name: pki
- mountPath: /etc/srv/kubernetes/pki
+ - name: k8s-certs
+ mountPath: /etc/kubernetes/pki
+ readOnly: true
+ - name: kubeconfig
+ mountPath: /etc/kubernetes/konnectivity-server.conf
 readOnly: true
 - name: konnectivity-uds
- mountPath: /etc/srv/kubernetes/konnectivity-server
+ mountPath: /etc/kubernetes/konnectivity-server
 readOnly: false
 volumes:
- - name: varlogkonnectivityserver
+ - name: k8s-certs
 hostPath:
- path: /var/log/konnectivity-server.log
+ path: /etc/kubernetes/pki
+ - name: kubeconfig
+ hostPath:
+ path: /etc/kubernetes/konnectivity-server.conf
 type: FileOrCreate
- - name: pki
- hostPath:
- path: /etc/srv/kubernetes/pki
 - name: konnectivity-uds
 hostPath:
- path: /etc/srv/kubernetes/konnectivity-server
+ path: /etc/kubernetes/konnectivity-server
 type: DirectoryOrCreate
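Review bot: The `k8s-certs` mount hands the whole `/etc/kubernetes/pki` host directory to the konnectivity server although the container only reads `apiserver.crt` and `apiserver.key` (the `--cluster-cert`/`--cluster-key` arguments in the previous hunk); the same directory holds `ca.key` and `sa.key` per the setup task in this patch, so a compromise of this network-facing proxy process would expose the cluster CA and token-signing keys. Mounting the two files individually as `type: File` hostPath volumes keeps the read-only intent and shrinks what the process can read, as sketched below. Separately, `type: FileOrCreate` on the `kubeconfig` volume makes kubelet create an empty 0644 file if the static pod starts before the setup task has written `/etc/kubernetes/konnectivity-server.conf`; the server then fails on an empty kubeconfig and, as far as I can tell, a later `kubectl config` write keeps that 0644 mode on a file holding the client key, so `type: File` (fail fast when the file is missing) seems the safer choice here.
```yaml
    volumeMounts:
    - name: apiserver-cert
      mountPath: /etc/kubernetes/pki/apiserver.crt
      readOnly: true
    - name: apiserver-key
      mountPath: /etc/kubernetes/pki/apiserver.key
      readOnly: true
    # … unchanged: kubeconfig and konnectivity-uds volumeMounts …
  volumes:
  - name: apiserver-cert
    hostPath:
      path: /etc/kubernetes/pki/apiserver.crt
      type: File
  - name: apiserver-key
    hostPath:
      path: /etc/kubernetes/pki/apiserver.key
      type: File
  # … unchanged: kubeconfig and konnectivity-uds volumes …
```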