github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
f4989a45a5
kubernetes/federation/pkg/kubefed/init/init.go
Chao Xu f4989a45a5 run root-rewrite-v1-..., compile
2017-06-22 10:25:57 -07:00

1184 lines
41 KiB
Go
Raw Blame History

/*
Copyright 2016 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// TODO(madhusdancs):
// 1. Make printSuccess prepend protocol/scheme to the IPs/hostnames.
// 2. Separate etcd container from API server pod as a first step towards enabling HA.
// 3. Make API server and controller manager replicas customizable via the HA work.
package init
import (
"fmt"
"io"
"io/ioutil"
"net"
"os"
"sort"
"strconv"
"strings"
"time"
"k8s.io/apimachinery/pkg/api/resource"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/apimachinery/pkg/util/uuid"
"k8s.io/apimachinery/pkg/util/wait"
"k8s.io/client-go/tools/clientcmd"
clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
certutil "k8s.io/client-go/util/cert"
triple "k8s.io/client-go/util/cert/triple"
kubeconfigutil "k8s.io/kubernetes/cmd/kubeadm/app/util/kubeconfig"
"k8s.io/kubernetes/federation/apis/federation"
"k8s.io/kubernetes/federation/pkg/dnsprovider/providers/coredns"
"k8s.io/kubernetes/federation/pkg/kubefed/util"
"k8s.io/kubernetes/pkg/api"
"k8s.io/api/core/v1"
"k8s.io/kubernetes/pkg/apis/extensions"
"k8s.io/kubernetes/pkg/apis/rbac"
client "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
"k8s.io/kubernetes/pkg/kubectl/cmd/templates"
cmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
"github.com/golang/glog"
"github.com/spf13/cobra"
"github.com/spf13/pflag"
"gopkg.in/gcfg.v1"
)
const (
APIServerCN = "federation-apiserver"
ControllerManagerCN = "federation-controller-manager"
AdminCN = "admin"
HostClusterLocalDNSZoneName = "cluster.local."
APIServerNameSuffix = "apiserver"
CMNameSuffix = "controller-manager"
CredentialSuffix = "credentials"
KubeconfigNameSuffix = "kubeconfig"
// User name used by federation controller manager to make
// calls to federation API server.
ControllerManagerUser = "federation-controller-manager"
// Name of the ServiceAccount used by the federation controller manager
// to access the secrets in the host cluster.
ControllerManagerSA = "federation-controller-manager"
// Group name of the legacy/core API group
legacyAPIGroup = ""
lbAddrRetryInterval = 5 * time.Second
podWaitInterval = 2 * time.Second
apiserverServiceTypeFlag = "api-server-service-type"
apiserverAdvertiseAddressFlag = "api-server-advertise-address"
dnsProviderSecretName = "federation-dns-provider.conf"
apiServerSecurePortName = "https"
// Set the secure port to 8443 to avoid requiring root privileges
// to bind to port < 1000. The apiserver's service will still
// expose on port 443.
apiServerSecurePort = 8443
)
var (
init_long = templates.LongDesc(`
Initialize a federation control plane.
Federation control plane is hosted inside a Kubernetes
cluster. The host cluster must be specified using the
--host-cluster-context flag.`)
init_example = templates.Examples(`
# Initialize federation control plane for a federation
# named foo in the host cluster whose local kubeconfig
# context is bar.
kubefed init foo --host-cluster-context=bar`)
componentLabel = map[string]string{
"app": "federated-cluster",
}
apiserverSvcSelector = map[string]string{
"app": "federated-cluster",
"module": "federation-apiserver",
}
apiserverPodLabels = map[string]string{
"app": "federated-cluster",
"module": "federation-apiserver",
}
controllerManagerPodLabels = map[string]string{
"app": "federated-cluster",
"module": "federation-controller-manager",
}
)
type initFederation struct {
commonOptions util.SubcommandOptions
options initFederationOptions
}
type initFederationOptions struct {
dnsZoneName string
serverImage string
dnsProvider string
dnsProviderConfig string
etcdImage string
etcdPVCapacity string
etcdPVStorageClass string
etcdPersistentStorage bool
dryRun bool
apiServerOverridesString string
apiServerOverrides map[string]string
controllerManagerOverridesString string
controllerManagerOverrides map[string]string
apiServerServiceTypeString string
apiServerServiceType v1.ServiceType
apiServerAdvertiseAddress string
apiServerEnableHTTPBasicAuth bool
apiServerEnableTokenAuth bool
}
func (o *initFederationOptions) Bind(flags *pflag.FlagSet, defaultServerImage, defaultEtcdImage string) {
flags.StringVar(&o.dnsZoneName, "dns-zone-name", "", "DNS suffix for this federation. Federated Service DNS names are published with this suffix.")
flags.StringVar(&o.serverImage, "image", defaultServerImage, "Image to use for federation API server and controller manager binaries.")
flags.StringVar(&o.dnsProvider, "dns-provider", "", "Dns provider to be used for this deployment.")
flags.StringVar(&o.dnsProviderConfig, "dns-provider-config", "", "Config file path on local file system for configuring DNS provider.")
flags.StringVar(&o.etcdImage, "etcd-image", defaultEtcdImage, "Image to use for etcd server.")
flags.StringVar(&o.etcdPVCapacity, "etcd-pv-capacity", "10Gi", "Size of persistent volume claim to be used for etcd.")
flags.StringVar(&o.etcdPVStorageClass, "etcd-pv-storage-class", "", "The storage class of the persistent volume claim used for etcd. Must be provided if a default storage class is not enabled for the host cluster.")
flags.BoolVar(&o.etcdPersistentStorage, "etcd-persistent-storage", true, "Use persistent volume for etcd. Defaults to 'true'.")
flags.BoolVar(&o.dryRun, "dry-run", false, "dry run without sending commands to server.")
flags.StringVar(&o.apiServerOverridesString, "apiserver-arg-overrides", "", "comma separated list of federation-apiserver arguments to override: Example \"--arg1=value1,--arg2=value2...\"")
flags.StringVar(&o.controllerManagerOverridesString, "controllermanager-arg-overrides", "", "comma separated list of federation-controller-manager arguments to override: Example \"--arg1=value1,--arg2=value2...\"")
flags.StringVar(&o.apiServerServiceTypeString, apiserverServiceTypeFlag, string(v1.ServiceTypeLoadBalancer), "The type of service to create for federation API server. Options: 'LoadBalancer' (default), 'NodePort'.")
flags.StringVar(&o.apiServerAdvertiseAddress, apiserverAdvertiseAddressFlag, "", "Preferred address to advertise api server nodeport service. Valid only if '"+apiserverServiceTypeFlag+"=NodePort'.")
flags.BoolVar(&o.apiServerEnableHTTPBasicAuth, "apiserver-enable-basic-auth", false, "Enables HTTP Basic authentication for the federation-apiserver. Defaults to false.")
flags.BoolVar(&o.apiServerEnableTokenAuth, "apiserver-enable-token-auth", false, "Enables token authentication for the federation-apiserver. Defaults to false.")
}
// NewCmdInit defines the `init` command that bootstraps a federation
// control plane inside a set of host clusters.
func NewCmdInit(cmdOut io.Writer, config util.AdminConfig, defaultServerImage, defaultEtcdImage string) *cobra.Command {
opts := &initFederation{}
cmd := &cobra.Command{
Use: "init FEDERATION_NAME --host-cluster-context=HOST_CONTEXT",
Short: "init initializes a federation control plane",
Long: init_long,
Example: init_example,
Run: func(cmd *cobra.Command, args []string) {
cmdutil.CheckErr(opts.Complete(cmd, args))
cmdutil.CheckErr(opts.Run(cmdOut, config))
},
}
flags := cmd.Flags()
opts.commonOptions.Bind(flags)
opts.options.Bind(flags, defaultServerImage, defaultEtcdImage)
return cmd
}
type entityKeyPairs struct {
ca *triple.KeyPair
server *triple.KeyPair
controllerManager *triple.KeyPair
admin *triple.KeyPair
}
type credentials struct {
username string
password string
token string
certEntKeyPairs *entityKeyPairs
}
// Complete ensures that options are valid and marshals them if necessary.
func (i *initFederation) Complete(cmd *cobra.Command, args []string) error {
if len(i.options.dnsProvider) == 0 {
return fmt.Errorf("--dns-provider is mandatory")
}
err := i.commonOptions.SetName(cmd, args)
if err != nil {
return err
}
i.options.apiServerServiceType = v1.ServiceType(i.options.apiServerServiceTypeString)
if i.options.apiServerServiceType != v1.ServiceTypeLoadBalancer && i.options.apiServerServiceType != v1.ServiceTypeNodePort {
return fmt.Errorf("invalid %s: %s, should be either %s or %s", apiserverServiceTypeFlag, i.options.apiServerServiceType, v1.ServiceTypeLoadBalancer, v1.ServiceTypeNodePort)
}
if i.options.apiServerAdvertiseAddress != "" {
ip := net.ParseIP(i.options.apiServerAdvertiseAddress)
if ip == nil {
return fmt.Errorf("invalid %s: %s, should be a valid ip address", apiserverAdvertiseAddressFlag, i.options.apiServerAdvertiseAddress)
}
if i.options.apiServerServiceType != v1.ServiceTypeNodePort {
return fmt.Errorf("%s should be passed only with '%s=NodePort'", apiserverAdvertiseAddressFlag, apiserverServiceTypeFlag)
}
}
i.options.apiServerOverrides, err = marshallOverrides(i.options.apiServerOverridesString)
if err != nil {
return fmt.Errorf("error marshalling --apiserver-arg-overrides: %v", err)
}
i.options.controllerManagerOverrides, err = marshallOverrides(i.options.controllerManagerOverridesString)
if err != nil {
return fmt.Errorf("error marshalling --controllermanager-arg-overrides: %v", err)
}
if i.options.dnsProviderConfig != "" {
if _, err := os.Stat(i.options.dnsProviderConfig); err != nil {
return fmt.Errorf("error reading file provided to --dns-provider-config flag, err: %v", err)
}
}
return nil
}
// Run initializes a federation control plane.
// See the design doc in https://github.com/kubernetes/kubernetes/pull/34484
// for details.
func (i *initFederation) Run(cmdOut io.Writer, config util.AdminConfig) error {
hostFactory := config.ClusterFactory(i.commonOptions.Host, i.commonOptions.Kubeconfig)
hostClientset, err := hostFactory.ClientSet()
if err != nil {
return err
}
rbacAvailable := true
rbacVersionedClientset, err := util.GetVersionedClientForRBACOrFail(hostFactory)
if err != nil {
if _, ok := err.(*util.NoRBACAPIError); !ok {
return err
}
// If the error is type NoRBACAPIError, We continue to create the rest of
// the resources, without the SA and roles (in the abscense of RBAC support).
rbacAvailable = false
}
serverName := fmt.Sprintf("%s-%s", i.commonOptions.Name, APIServerNameSuffix)
serverCredName := fmt.Sprintf("%s-%s", serverName, CredentialSuffix)
cmName := fmt.Sprintf("%s-%s", i.commonOptions.Name, CMNameSuffix)
cmKubeconfigName := fmt.Sprintf("%s-%s", cmName, KubeconfigNameSuffix)
var dnsProviderConfigBytes []byte
if i.options.dnsProviderConfig != "" {
dnsProviderConfigBytes, err = ioutil.ReadFile(i.options.dnsProviderConfig)
if err != nil {
return fmt.Errorf("Error reading file provided to --dns-provider-config flag, err: %v", err)
}
}
fmt.Fprintf(cmdOut, "Creating a namespace %s for federation system components...", i.commonOptions.FederationSystemNamespace)
glog.V(4).Infof("Creating a namespace %s for federation system components", i.commonOptions.FederationSystemNamespace)
_, err = createNamespace(hostClientset, i.commonOptions.Name, i.commonOptions.FederationSystemNamespace, i.options.dryRun)
if err != nil {
return err
}
fmt.Fprintln(cmdOut, " done")
fmt.Fprint(cmdOut, "Creating federation control plane service...")
glog.V(4).Info("Creating federation control plane service")
svc, ips, hostnames, err := createService(cmdOut, hostClientset, i.commonOptions.FederationSystemNamespace, serverName, i.commonOptions.Name, i.options.apiServerAdvertiseAddress, i.options.apiServerServiceType, i.options.dryRun)
if err != nil {
return err
}
fmt.Fprintln(cmdOut, " done")
glog.V(4).Infof("Created service named %s with IP addresses %v, hostnames %v", svc.Name, ips, hostnames)
fmt.Fprint(cmdOut, "Creating federation control plane objects (credentials, persistent volume claim)...")
glog.V(4).Info("Generating TLS certificates and credentials for communicating with the federation API server")
credentials, err := generateCredentials(i.commonOptions.FederationSystemNamespace, i.commonOptions.Name, svc.Name, HostClusterLocalDNSZoneName, serverCredName, ips, hostnames, i.options.apiServerEnableHTTPBasicAuth, i.options.apiServerEnableTokenAuth, i.options.dryRun)
if err != nil {
return err
}
// Create the secret containing the credentials.
_, err = createAPIServerCredentialsSecret(hostClientset, i.commonOptions.FederationSystemNamespace, serverCredName, i.commonOptions.Name, credentials, i.options.dryRun)
if err != nil {
return err
}
glog.V(4).Info("Certificates and credentials generated")
glog.V(4).Info("Creating an entry in the kubeconfig file with the certificate and credential data")
_, err = createControllerManagerKubeconfigSecret(hostClientset, i.commonOptions.FederationSystemNamespace, i.commonOptions.Name, svc.Name, cmKubeconfigName, credentials.certEntKeyPairs, i.options.dryRun)
if err != nil {
return err
}
glog.V(4).Info("Credentials secret successfully created")
glog.V(4).Info("Creating a persistent volume and a claim to store the federation API server's state, including etcd data")
var pvc *api.PersistentVolumeClaim
if i.options.etcdPersistentStorage {
pvc, err = createPVC(hostClientset, i.commonOptions.FederationSystemNamespace, svc.Name, i.commonOptions.Name, i.options.etcdPVCapacity, i.options.etcdPVStorageClass, i.options.dryRun)
if err != nil {
return err
}
}
glog.V(4).Info("Persistent volume and claim created")
fmt.Fprintln(cmdOut, " done")
// Since only one IP address can be specified as advertise address,
// we arbitrarily pick the first available IP address
// Pick user provided apiserverAdvertiseAddress over other available IP addresses.
advertiseAddress := i.options.apiServerAdvertiseAddress
if advertiseAddress == "" && len(ips) > 0 {
advertiseAddress = ips[0]
}
fmt.Fprint(cmdOut, "Creating federation component deployments...")
glog.V(4).Info("Creating federation control plane components")
_, err = createAPIServer(hostClientset, i.commonOptions.FederationSystemNamespace, serverName, i.commonOptions.Name, i.options.serverImage, i.options.etcdImage, advertiseAddress, serverCredName, i.options.apiServerEnableHTTPBasicAuth, i.options.apiServerEnableTokenAuth, i.options.apiServerOverrides, pvc, i.options.dryRun)
if err != nil {
return err
}
glog.V(4).Info("Successfully created federation API server")
sa := &api.ServiceAccount{}
sa.Name = ""
// Create a service account and related RBAC roles if the host cluster has RBAC support.
// TODO: We must evaluate creating a separate service account even when RBAC support is missing
if rbacAvailable {
glog.V(4).Info("Creating service account for federation controller manager in the host cluster")
sa, err = createControllerManagerSA(rbacVersionedClientset, i.commonOptions.FederationSystemNamespace, i.commonOptions.Name, i.options.dryRun)
if err != nil {
return err
}
glog.V(4).Info("Successfully created federation controller manager service account")
glog.V(4).Info("Creating RBAC role and role bindings for the federation controller manager's service account")
_, _, err = createRoleBindings(rbacVersionedClientset, i.commonOptions.FederationSystemNamespace, sa.Name, i.commonOptions.Name, i.options.dryRun)
if err != nil {
return err
}
glog.V(4).Info("Successfully created RBAC role and role bindings")
}
glog.V(4).Info("Creating a DNS provider config secret")
dnsProviderSecret, err := createDNSProviderConfigSecret(hostClientset, i.commonOptions.FederationSystemNamespace, dnsProviderSecretName, i.commonOptions.Name, dnsProviderConfigBytes, i.options.dryRun)
if err != nil {
return err
}
glog.V(4).Info("Successfully created DNS provider config secret")
glog.V(4).Info("Creating federation controller manager deployment")
_, err = createControllerManager(hostClientset, i.commonOptions.FederationSystemNamespace, i.commonOptions.Name, svc.Name, cmName, i.options.serverImage, cmKubeconfigName, i.options.dnsZoneName, i.options.dnsProvider, i.options.dnsProviderConfig, sa.Name, dnsProviderSecret, i.options.controllerManagerOverrides, i.options.dryRun)
if err != nil {
return err
}
glog.V(4).Info("Successfully created federation controller manager deployment")
fmt.Fprintln(cmdOut, " done")
fmt.Fprint(cmdOut, "Updating kubeconfig...")
glog.V(4).Info("Updating kubeconfig")
// Pick the first ip/hostname to update the api server endpoint in kubeconfig and also to give information to user
// In case of NodePort Service for api server, ips are node external ips.
endpoint := ""
if len(ips) > 0 {
endpoint = ips[0]
} else if len(hostnames) > 0 {
endpoint = hostnames[0]
}
// If the service is nodeport, need to append the port to endpoint as it is non-standard port
if i.options.apiServerServiceType == v1.ServiceTypeNodePort {
endpoint = endpoint + ":" + strconv.Itoa(int(svc.Spec.Ports[0].NodePort))
}
err = updateKubeconfig(config, i.commonOptions.Name, endpoint, i.commonOptions.Kubeconfig, credentials, i.options.dryRun)
if err != nil {
glog.V(4).Infof("Failed to update kubeconfig: %v", err)
return err
}
fmt.Fprintln(cmdOut, " done")
glog.V(4).Info("Successfully updated kubeconfig")
if !i.options.dryRun {
fmt.Fprint(cmdOut, "Waiting for federation control plane to come up...")
glog.V(4).Info("Waiting for federation control plane to come up")
fedPods := []string{serverName, cmName}
err = waitForPods(cmdOut, hostClientset, fedPods, i.commonOptions.FederationSystemNamespace)
if err != nil {
return err
}
err = waitSrvHealthy(cmdOut, config, i.commonOptions.Name, i.commonOptions.Kubeconfig)
if err != nil {
return err
}
glog.V(4).Info("Federation control plane running")
fmt.Fprintln(cmdOut, " done")
return printSuccess(cmdOut, ips, hostnames, svc)
}
_, err = fmt.Fprintln(cmdOut, "Federation control plane runs (dry run)")
glog.V(4).Info("Federation control plane runs (dry run)")
return err
}
func createNamespace(clientset client.Interface, federationName, namespace string, dryRun bool) (*api.Namespace, error) {
ns := &api.Namespace{
ObjectMeta: metav1.ObjectMeta{
Name: namespace,
Annotations: map[string]string{federation.FederationNameAnnotation: federationName},
},
}
if dryRun {
return ns, nil
}
return clientset.Core().Namespaces().Create(ns)
}
func createService(cmdOut io.Writer, clientset client.Interface, namespace, svcName, federationName, apiserverAdvertiseAddress string, apiserverServiceType v1.ServiceType, dryRun bool) (*api.Service, []string, []string, error) {
svc := &api.Service{
ObjectMeta: metav1.ObjectMeta{
Name: svcName,
Namespace: namespace,
Labels: componentLabel,
Annotations: map[string]string{federation.FederationNameAnnotation: federationName},
},
Spec: api.ServiceSpec{
Type: api.ServiceType(apiserverServiceType),
Selector: apiserverSvcSelector,
Ports: []api.ServicePort{
{
Name: "https",
Protocol: "TCP",
Port: 443,
TargetPort: intstr.FromString(apiServerSecurePortName),
},
},
},
}
if dryRun {
return svc, nil, nil, nil
}
var err error
svc, err = clientset.Core().Services(namespace).Create(svc)
ips := []string{}
hostnames := []string{}
if apiserverServiceType == v1.ServiceTypeLoadBalancer {
ips, hostnames, err = waitForLoadBalancerAddress(cmdOut, clientset, svc, dryRun)
} else {
if apiserverAdvertiseAddress != "" {
ips = append(ips, apiserverAdvertiseAddress)
} else {
ips, err = getClusterNodeIPs(clientset)
}
}
if err != nil {
return svc, nil, nil, err
}
return svc, ips, hostnames, err
}
func getClusterNodeIPs(clientset client.Interface) ([]string, error) {
preferredAddressTypes := []api.NodeAddressType{
api.NodeExternalIP,
api.NodeInternalIP,
}
nodeList, err := clientset.Core().Nodes().List(metav1.ListOptions{})
if err != nil {
return nil, err
}
nodeAddresses := []string{}
for _, node := range nodeList.Items {
OuterLoop:
for _, addressType := range preferredAddressTypes {
for _, address := range node.Status.Addresses {
if address.Type == addressType {
nodeAddresses = append(nodeAddresses, address.Address)
break OuterLoop
}
}
}
}
return nodeAddresses, nil
}
func waitForLoadBalancerAddress(cmdOut io.Writer, clientset client.Interface, svc *api.Service, dryRun bool) ([]string, []string, error) {
ips := []string{}
hostnames := []string{}
if dryRun {
return ips, hostnames, nil
}
err := wait.PollImmediateInfinite(lbAddrRetryInterval, func() (bool, error) {
fmt.Fprint(cmdOut, ".")
pollSvc, err := clientset.Core().Services(svc.Namespace).Get(svc.Name, metav1.GetOptions{})
if err != nil {
return false, nil
}
if ings := pollSvc.Status.LoadBalancer.Ingress; len(ings) > 0 {
for _, ing := range ings {
if len(ing.IP) > 0 {
ips = append(ips, ing.IP)
}
if len(ing.Hostname) > 0 {
hostnames = append(hostnames, ing.Hostname)
}
}
if len(ips) > 0 || len(hostnames) > 0 {
return true, nil
}
}
return false, nil
})
if err != nil {
return nil, nil, err
}
return ips, hostnames, nil
}
func generateCredentials(svcNamespace, name, svcName, localDNSZoneName, serverCredName string, ips, hostnames []string, enableHTTPBasicAuth, enableTokenAuth, dryRun bool) (*credentials, error) {
credentials := credentials{
username: AdminCN,
}
if enableHTTPBasicAuth {
credentials.password = string(uuid.NewUUID())
}
if enableTokenAuth {
credentials.token = string(uuid.NewUUID())
}
entKeyPairs, err := genCerts(svcNamespace, name, svcName, localDNSZoneName, ips, hostnames)
if err != nil {
return nil, err
}
credentials.certEntKeyPairs = entKeyPairs
return &credentials, nil
}
func genCerts(svcNamespace, name, svcName, localDNSZoneName string, ips, hostnames []string) (*entityKeyPairs, error) {
ca, err := triple.NewCA(name)
if err != nil {
return nil, fmt.Errorf("failed to create CA key and certificate: %v", err)
}
server, err := triple.NewServerKeyPair(ca, APIServerCN, svcName, svcNamespace, localDNSZoneName, ips, hostnames)
if err != nil {
return nil, fmt.Errorf("failed to create federation API server key and certificate: %v", err)
}
cm, err := triple.NewClientKeyPair(ca, ControllerManagerCN, nil)
if err != nil {
return nil, fmt.Errorf("failed to create federation controller manager client key and certificate: %v", err)
}
admin, err := triple.NewClientKeyPair(ca, AdminCN, nil)
if err != nil {
return nil, fmt.Errorf("failed to create client key and certificate for an admin: %v", err)
}
return &entityKeyPairs{
ca: ca,
server: server,
controllerManager: cm,
admin: admin,
}, nil
}
func createAPIServerCredentialsSecret(clientset client.Interface, namespace, credentialsName, federationName string, credentials *credentials, dryRun bool) (*api.Secret, error) {
// Build the secret object with API server credentials.
data := map[string][]byte{
"ca.crt": certutil.EncodeCertPEM(credentials.certEntKeyPairs.ca.Cert),
"server.crt": certutil.EncodeCertPEM(credentials.certEntKeyPairs.server.Cert),
"server.key": certutil.EncodePrivateKeyPEM(credentials.certEntKeyPairs.server.Key),
}
if credentials.password != "" {
data["basicauth.csv"] = authFileContents(credentials.username, credentials.password)
}
if credentials.token != "" {
data["token.csv"] = authFileContents(credentials.username, credentials.token)
}
secret := &api.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: credentialsName,
Namespace: namespace,
Annotations: map[string]string{federation.FederationNameAnnotation: federationName},
},
Data: data,
}
if dryRun {
return secret, nil
}
// Boilerplate to create the secret in the host cluster.
return clientset.Core().Secrets(namespace).Create(secret)
}
func createControllerManagerKubeconfigSecret(clientset client.Interface, namespace, name, svcName, kubeconfigName string, entKeyPairs *entityKeyPairs, dryRun bool) (*api.Secret, error) {
config := kubeconfigutil.CreateWithCerts(
fmt.Sprintf("https://%s", svcName),
name,
ControllerManagerUser,
certutil.EncodeCertPEM(entKeyPairs.ca.Cert),
certutil.EncodePrivateKeyPEM(entKeyPairs.controllerManager.Key),
certutil.EncodeCertPEM(entKeyPairs.controllerManager.Cert),
)
return util.CreateKubeconfigSecret(clientset, config, namespace, kubeconfigName, name, "", dryRun)
}
func createPVC(clientset client.Interface, namespace, svcName, federationName, etcdPVCapacity, etcdPVStorageClass string, dryRun bool) (*api.PersistentVolumeClaim, error) {
capacity, err := resource.ParseQuantity(etcdPVCapacity)
if err != nil {
return nil, err
}
var storageClassName *string
if len(etcdPVStorageClass) > 0 {
storageClassName = &etcdPVStorageClass
}
pvc := &api.PersistentVolumeClaim{
ObjectMeta: metav1.ObjectMeta{
Name: fmt.Sprintf("%s-etcd-claim", svcName),
Namespace: namespace,
Labels: componentLabel,
Annotations: map[string]string{
federation.FederationNameAnnotation: federationName,
},
},
Spec: api.PersistentVolumeClaimSpec{
AccessModes: []api.PersistentVolumeAccessMode{
api.ReadWriteOnce,
},
Resources: api.ResourceRequirements{
Requests: api.ResourceList{
api.ResourceStorage: capacity,
},
},
StorageClassName: storageClassName,
},
}
if dryRun {
return pvc, nil
}
return clientset.Core().PersistentVolumeClaims(namespace).Create(pvc)
}
func createAPIServer(clientset client.Interface, namespace, name, federationName, serverImage, etcdImage, advertiseAddress, credentialsName string, hasHTTPBasicAuthFile, hasTokenAuthFile bool, argOverrides map[string]string, pvc *api.PersistentVolumeClaim, dryRun bool) (*extensions.Deployment, error) {
command := []string{
"/hyperkube",
"federation-apiserver",
}
argsMap := map[string]string{
"--bind-address": "0.0.0.0",
"--etcd-servers": "http://localhost:2379",
"--secure-port": fmt.Sprintf("%d", apiServerSecurePort),
"--client-ca-file": "/etc/federation/apiserver/ca.crt",
"--tls-cert-file": "/etc/federation/apiserver/server.crt",
"--tls-private-key-file": "/etc/federation/apiserver/server.key",
"--admission-control": "NamespaceLifecycle",
}
if advertiseAddress != "" {
argsMap["--advertise-address"] = advertiseAddress
}
if hasHTTPBasicAuthFile {
argsMap["--basic-auth-file"] = "/etc/federation/apiserver/basicauth.csv"
}
if hasTokenAuthFile {
argsMap["--token-auth-file"] = "/etc/federation/apiserver/token.csv"
}
args := argMapsToArgStrings(argsMap, argOverrides)
command = append(command, args...)
dep := &extensions.Deployment{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
Labels: componentLabel,
Annotations: map[string]string{federation.FederationNameAnnotation: federationName},
},
Spec: extensions.DeploymentSpec{
Replicas: 1,
Template: api.PodTemplateSpec{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Labels: apiserverPodLabels,
Annotations: map[string]string{federation.FederationNameAnnotation: federationName},
},
Spec: api.PodSpec{
Containers: []api.Container{
{
Name: "apiserver",
Image: serverImage,
Command: command,
Ports: []api.ContainerPort{
{
Name: apiServerSecurePortName,
ContainerPort: apiServerSecurePort,
},
{
Name: "local",
ContainerPort: 8080,
},
},
VolumeMounts: []api.VolumeMount{
{
Name: credentialsName,
MountPath: "/etc/federation/apiserver",
ReadOnly: true,
},
},
},
{
Name: "etcd",
Image: etcdImage,
Command: []string{
"/usr/local/bin/etcd",
"--data-dir",
"/var/etcd/data",
},
},
},
Volumes: []api.Volume{
{
Name: credentialsName,
VolumeSource: api.VolumeSource{
Secret: &api.SecretVolumeSource{
SecretName: credentialsName,
},
},
},
},
},
},
},
}
if pvc != nil {
dataVolumeName := "etcddata"
etcdVolume := api.Volume{
Name: dataVolumeName,
VolumeSource: api.VolumeSource{
PersistentVolumeClaim: &api.PersistentVolumeClaimVolumeSource{
ClaimName: pvc.Name,
},
},
}
etcdVolumeMount := api.VolumeMount{
Name: dataVolumeName,
MountPath: "/var/etcd",
}
dep.Spec.Template.Spec.Volumes = append(dep.Spec.Template.Spec.Volumes, etcdVolume)
for i, container := range dep.Spec.Template.Spec.Containers {
if container.Name == "etcd" {
dep.Spec.Template.Spec.Containers[i].VolumeMounts = append(dep.Spec.Template.Spec.Containers[i].VolumeMounts, etcdVolumeMount)
}
}
}
if dryRun {
return dep, nil
}
createdDep, err := clientset.Extensions().Deployments(namespace).Create(dep)
return createdDep, err
}
func createControllerManagerSA(clientset client.Interface, namespace, federationName string, dryRun bool) (*api.ServiceAccount, error) {
sa := &api.ServiceAccount{
ObjectMeta: metav1.ObjectMeta{
Name: ControllerManagerSA,
Namespace: namespace,
Labels: componentLabel,
Annotations: map[string]string{federation.FederationNameAnnotation: federationName},
},
}
if dryRun {
return sa, nil
}
return clientset.Core().ServiceAccounts(namespace).Create(sa)
}
func createRoleBindings(clientset client.Interface, namespace, saName, federationName string, dryRun bool) (*rbac.Role, *rbac.RoleBinding, error) {
roleName := "federation-system:federation-controller-manager"
role := &rbac.Role{
// a role to use for bootstrapping the federation-controller-manager so it can access
// secrets in the host cluster to access other clusters.
ObjectMeta: metav1.ObjectMeta{
Name: roleName,
Namespace: namespace,
Labels: componentLabel,
Annotations: map[string]string{federation.FederationNameAnnotation: federationName},
},
Rules: []rbac.PolicyRule{
rbac.NewRule("get", "list", "watch").Groups(legacyAPIGroup).Resources("secrets").RuleOrDie(),
},
}
rolebinding, err := rbac.NewRoleBinding(roleName, namespace).SAs(namespace, saName).Binding()
if err != nil {
return nil, nil, err
}
rolebinding.Labels = componentLabel
rolebinding.Annotations = map[string]string{federation.FederationNameAnnotation: federationName}
if dryRun {
return role, &rolebinding, nil
}
newRole, err := clientset.Rbac().Roles(namespace).Create(role)
if err != nil {
return nil, nil, err
}
newRolebinding, err := clientset.Rbac().RoleBindings(namespace).Create(&rolebinding)
return newRole, newRolebinding, err
}
func createControllerManager(clientset client.Interface, namespace, name, svcName, cmName, image, kubeconfigName, dnsZoneName, dnsProvider, dnsProviderConfig, saName string, dnsProviderSecret *api.Secret, argOverrides map[string]string, dryRun bool) (*extensions.Deployment, error) {
command := []string{
"/hyperkube",
"federation-controller-manager",
}
argsMap := map[string]string{
"--kubeconfig": "/etc/federation/controller-manager/kubeconfig",
}
argsMap["--master"] = fmt.Sprintf("https://%s", svcName)
argsMap["--dns-provider"] = dnsProvider
argsMap["--federation-name"] = name
argsMap["--zone-name"] = dnsZoneName
args := argMapsToArgStrings(argsMap, argOverrides)
command = append(command, args...)
dep := &extensions.Deployment{
ObjectMeta: metav1.ObjectMeta{
Name: cmName,
Namespace: namespace,
Labels: componentLabel,
// We additionally update the details (in annotations) about the
// kube-dns config map which needs to be created in the clusters
// registering to this federation (at kubefed join).
// We wont otherwise have this information available at kubefed join.
Annotations: map[string]string{
// TODO: the name/domain name pair should ideally be checked for naming convention
// as done in kube-dns federation flags check.
// https://github.com/kubernetes/dns/blob/master/pkg/dns/federation/federation.go
// TODO v2: Until kube-dns can handle trailing periods we strip them all.
// See https://github.com/kubernetes/dns/issues/67
util.FedDomainMapKey: fmt.Sprintf("%s=%s", name, strings.TrimRight(dnsZoneName, ".")),
federation.FederationNameAnnotation: name,
},
},
Spec: extensions.DeploymentSpec{
Replicas: 1,
Template: api.PodTemplateSpec{
ObjectMeta: metav1.ObjectMeta{
Name: cmName,
Labels: controllerManagerPodLabels,
Annotations: map[string]string{federation.FederationNameAnnotation: name},
},
Spec: api.PodSpec{
Containers: []api.Container{
{
Name: "controller-manager",
Image: image,
Command: command,
VolumeMounts: []api.VolumeMount{
{
Name: kubeconfigName,
MountPath: "/etc/federation/controller-manager",
ReadOnly: true,
},
},
Env: []api.EnvVar{
{
Name: "POD_NAMESPACE",
ValueFrom: &api.EnvVarSource{
FieldRef: &api.ObjectFieldSelector{
FieldPath: "metadata.namespace",
},
},
},
},
},
},
Volumes: []api.Volume{
{
Name: kubeconfigName,
VolumeSource: api.VolumeSource{
Secret: &api.SecretVolumeSource{
SecretName: kubeconfigName,
},
},
},
},
},
},
},
}
if saName != "" {
dep.Spec.Template.Spec.ServiceAccountName = saName
}
if dnsProviderSecret != nil {
dep = addDNSProviderConfig(dep, dnsProviderSecret.Name)
if dnsProvider == util.FedDNSProviderCoreDNS {
var err error
dep, err = addCoreDNSServerAnnotation(dep, dnsZoneName, dnsProviderConfig)
if err != nil {
return nil, err
}
}
}
if dryRun {
return dep, nil
}
return clientset.Extensions().Deployments(namespace).Create(dep)
}
func marshallOverrides(overrideArgString string) (map[string]string, error) {
if overrideArgString == "" {
return nil, nil
}
argsMap := make(map[string]string)
overrideArgs := strings.Split(overrideArgString, ",")
for _, overrideArg := range overrideArgs {
splitArg := strings.SplitN(overrideArg, "=", 2)
if len(splitArg) != 2 {
return nil, fmt.Errorf("wrong format for override arg: %s", overrideArg)
}
key := strings.TrimSpace(splitArg[0])
val := strings.TrimSpace(splitArg[1])
if len(key) == 0 {
return nil, fmt.Errorf("wrong format for override arg: %s, arg name cannot be empty", overrideArg)
}
argsMap[key] = val
}
return argsMap, nil
}
func argMapsToArgStrings(argsMap, overrides map[string]string) []string {
for key, val := range overrides {
argsMap[key] = val
}
args := []string{}
for key, value := range argsMap {
args = append(args, fmt.Sprintf("%s=%s", key, value))
}
// This is needed for the unit test deep copy to get an exact match
sort.Strings(args)
return args
}
func waitForPods(cmdOut io.Writer, clientset client.Interface, fedPods []string, namespace string) error {
err := wait.PollInfinite(podWaitInterval, func() (bool, error) {
fmt.Fprint(cmdOut, ".")
podCheck := len(fedPods)
podList, err := clientset.Core().Pods(namespace).List(metav1.ListOptions{})
if err != nil {
return false, nil
}
for _, pod := range podList.Items {
for _, fedPod := range fedPods {
if strings.HasPrefix(pod.Name, fedPod) && pod.Status.Phase == "Running" {
podCheck -= 1
}
}
//ensure that all pods are in running state or keep waiting
if podCheck == 0 {
return true, nil
}
}
return false, nil
})
return err
}
func waitSrvHealthy(cmdOut io.Writer, config util.AdminConfig, context, kubeconfig string) error {
fedClientSet, err := config.FederationClientset(context, kubeconfig)
if err != nil {
return err
}
fedDiscoveryClient := fedClientSet.Discovery()
err = wait.PollInfinite(podWaitInterval, func() (bool, error) {
fmt.Fprint(cmdOut, ".")
body, err := fedDiscoveryClient.RESTClient().Get().AbsPath("/healthz").Do().Raw()
if err != nil {
return false, nil
}
if strings.EqualFold(string(body), "ok") {
return true, nil
}
return false, nil
})
return err
}
func printSuccess(cmdOut io.Writer, ips, hostnames []string, svc *api.Service) error {
svcEndpoints := append(ips, hostnames...)
endpoints := strings.Join(svcEndpoints, ", ")
if svc.Spec.Type == api.ServiceTypeNodePort {
endpoints = ips[0] + ":" + strconv.Itoa(int(svc.Spec.Ports[0].NodePort))
if len(ips) > 1 {
endpoints = endpoints + ", ..."
}
}
_, err := fmt.Fprintf(cmdOut, "Federation API server is running at: %s\n", endpoints)
return err
}
func updateKubeconfig(config util.AdminConfig, name, endpoint, kubeConfigPath string, credentials *credentials, dryRun bool) error {
po := config.PathOptions()
po.LoadingRules.ExplicitPath = kubeConfigPath
kubeconfig, err := po.GetStartingConfig()
if err != nil {
return err
}
// Populate API server endpoint info.
cluster := clientcmdapi.NewCluster()
// Prefix "https" as the URL scheme to endpoint.
if !strings.HasPrefix(endpoint, "https://") {
endpoint = fmt.Sprintf("https://%s", endpoint)
}
cluster.Server = endpoint
cluster.CertificateAuthorityData = certutil.EncodeCertPEM(credentials.certEntKeyPairs.ca.Cert)
// Populate credentials.
authInfo := clientcmdapi.NewAuthInfo()
authInfo.ClientCertificateData = certutil.EncodeCertPEM(credentials.certEntKeyPairs.admin.Cert)
authInfo.ClientKeyData = certutil.EncodePrivateKeyPEM(credentials.certEntKeyPairs.admin.Key)
authInfo.Token = credentials.token
var httpBasicAuthInfo *clientcmdapi.AuthInfo
if credentials.password != "" {
httpBasicAuthInfo = clientcmdapi.NewAuthInfo()
httpBasicAuthInfo.Password = credentials.password
httpBasicAuthInfo.Username = credentials.username
}
// Populate context.
context := clientcmdapi.NewContext()
context.Cluster = name
context.AuthInfo = name
// Update the config struct with API server endpoint info,
// credentials and context.
kubeconfig.Clusters[name] = cluster
kubeconfig.AuthInfos[name] = authInfo
if httpBasicAuthInfo != nil {
kubeconfig.AuthInfos[fmt.Sprintf("%s-basic-auth", name)] = httpBasicAuthInfo
}
kubeconfig.Contexts[name] = context
if !dryRun {
// Write the update kubeconfig.
if err := clientcmd.ModifyConfig(po, *kubeconfig, true); err != nil {
return err
}
}
return nil
}
func createDNSProviderConfigSecret(clientset client.Interface, namespace, name, federationName string, dnsProviderConfigBytes []byte, dryRun bool) (*api.Secret, error) {
if dnsProviderConfigBytes == nil {
return nil, nil
}
secretSpec := &api.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
Annotations: map[string]string{federation.FederationNameAnnotation: federationName},
},
Data: map[string][]byte{
name: dnsProviderConfigBytes,
},
}
var secret *api.Secret
var err error
if !dryRun {
secret, err = clientset.Core().Secrets(namespace).Create(secretSpec)
if err != nil {
return nil, err
}
}
return secret, nil
}
func addDNSProviderConfig(dep *extensions.Deployment, secretName string) *extensions.Deployment {
const (
dnsProviderConfigVolume = "config-volume"
dnsProviderConfigMountPath = "/etc/federation/dns-provider"
)
// Create a volume from dns-provider secret
volume := api.Volume{
Name: dnsProviderConfigVolume,
VolumeSource: api.VolumeSource{
Secret: &api.SecretVolumeSource{
SecretName: secretName,
},
},
}
dep.Spec.Template.Spec.Volumes = append(dep.Spec.Template.Spec.Volumes, volume)
// Mount dns-provider secret volume to controller-manager container
volumeMount := api.VolumeMount{
Name: dnsProviderConfigVolume,
MountPath: dnsProviderConfigMountPath,
ReadOnly: true,
}
dep.Spec.Template.Spec.Containers[0].VolumeMounts = append(dep.Spec.Template.Spec.Containers[0].VolumeMounts, volumeMount)
dep.Spec.Template.Spec.Containers[0].Command = append(dep.Spec.Template.Spec.Containers[0].Command, fmt.Sprintf("--dns-provider-config=%s/%s", dnsProviderConfigMountPath, secretName))
return dep
}
// authFileContents returns a CSV string containing the contents of an
// authentication file in the format required by the federation-apiserver.
func authFileContents(username, authSecret string) []byte {
return []byte(fmt.Sprintf("%s,%s,%s\n", authSecret, username, uuid.NewUUID()))
}
func addCoreDNSServerAnnotation(deployment *extensions.Deployment, dnsZoneName, dnsProviderConfig string) (*extensions.Deployment, error) {
var cfg coredns.Config
if err := gcfg.ReadFileInto(&cfg, dnsProviderConfig); err != nil {
return nil, err
}
deployment.Annotations[util.FedDNSZoneName] = dnsZoneName
deployment.Annotations[util.FedNameServer] = cfg.Global.CoreDNSEndpoints
deployment.Annotations[util.FedDNSProvider] = util.FedDNSProviderCoreDNS
return deployment, nil
}
Reference in New Issue View Git Blame Copy Permalink