2022-09-05 09:06:08 +02:00
|
|
|
/*
|
|
|
|
Copyright (c) Edgeless Systems GmbH
|
|
|
|
|
|
|
|
SPDX-License-Identifier: AGPL-3.0-only
|
|
|
|
*/
|
|
|
|
|
2022-03-22 16:03:15 +01:00
|
|
|
package kubernetes
|
|
|
|
|
|
|
|
import (
|
2022-05-19 17:18:22 +02:00
|
|
|
"context"
|
2022-08-29 16:41:09 +02:00
|
|
|
"encoding/hex"
|
2022-08-12 15:59:45 +02:00
|
|
|
"encoding/json"
|
2022-03-22 16:03:15 +01:00
|
|
|
"fmt"
|
2022-07-15 09:33:11 +02:00
|
|
|
"net"
|
2022-08-29 16:41:09 +02:00
|
|
|
"strconv"
|
2022-03-22 16:03:15 +01:00
|
|
|
"strings"
|
|
|
|
|
2022-06-29 15:26:29 +02:00
|
|
|
"github.com/edgelesssys/constellation/bootstrapper/internal/kubernetes/k8sapi"
|
|
|
|
"github.com/edgelesssys/constellation/bootstrapper/internal/kubernetes/k8sapi/resources"
|
2022-06-28 18:23:24 +02:00
|
|
|
"github.com/edgelesssys/constellation/internal/cloud/metadata"
|
2022-07-19 09:25:44 +02:00
|
|
|
"github.com/edgelesssys/constellation/internal/constants"
|
2022-07-14 13:30:44 +02:00
|
|
|
"github.com/edgelesssys/constellation/internal/logger"
|
2022-08-26 09:42:40 +00:00
|
|
|
"github.com/edgelesssys/constellation/internal/role"
|
2022-07-18 12:28:02 +02:00
|
|
|
"github.com/edgelesssys/constellation/internal/versions"
|
2022-03-22 16:03:15 +01:00
|
|
|
"github.com/spf13/afero"
|
2022-07-07 11:43:35 +02:00
|
|
|
"go.uber.org/zap"
|
2022-07-18 12:28:02 +02:00
|
|
|
corev1 "k8s.io/api/core/v1"
|
|
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
2022-03-22 16:03:15 +01:00
|
|
|
kubeadm "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3"
|
|
|
|
)
|
|
|
|
|
|
|
|
// configReader provides kubeconfig as []byte.
|
|
|
|
type configReader interface {
|
|
|
|
ReadKubeconfig() ([]byte, error)
|
|
|
|
}
|
|
|
|
|
|
|
|
// configurationProvider provides kubeadm init and join configuration.
|
|
|
|
type configurationProvider interface {
|
2022-07-22 15:05:04 +02:00
|
|
|
InitConfiguration(externalCloudProvider bool, k8sVersion versions.ValidK8sVersion) k8sapi.KubeadmInitYAML
|
2022-04-27 16:37:05 +02:00
|
|
|
JoinConfiguration(externalCloudProvider bool) k8sapi.KubeadmJoinYAML
|
2022-03-22 16:03:15 +01:00
|
|
|
}
|
|
|
|
|
2022-05-24 10:04:42 +02:00
|
|
|
// KubeWrapper implements Cluster interface.
|
2022-03-22 16:03:15 +01:00
|
|
|
type KubeWrapper struct {
|
2022-06-15 16:00:48 +02:00
|
|
|
cloudProvider string
|
|
|
|
clusterUtil clusterUtil
|
|
|
|
configProvider configurationProvider
|
|
|
|
client k8sapi.Client
|
|
|
|
kubeconfigReader configReader
|
|
|
|
cloudControllerManager CloudControllerManager
|
|
|
|
cloudNodeManager CloudNodeManager
|
|
|
|
clusterAutoscaler ClusterAutoscaler
|
|
|
|
providerMetadata ProviderMetadata
|
|
|
|
initialMeasurementsJSON []byte
|
2022-06-28 18:23:24 +02:00
|
|
|
getIPAddr func() (string, error)
|
2022-03-22 16:03:15 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// New creates a new KubeWrapper with real values.
|
2022-05-24 10:04:42 +02:00
|
|
|
func New(cloudProvider string, clusterUtil clusterUtil, configProvider configurationProvider, client k8sapi.Client, cloudControllerManager CloudControllerManager,
|
2022-08-31 20:10:49 +02:00
|
|
|
cloudNodeManager CloudNodeManager, clusterAutoscaler ClusterAutoscaler, providerMetadata ProviderMetadata, initialMeasurementsJSON []byte,
|
2022-05-24 10:04:42 +02:00
|
|
|
) *KubeWrapper {
|
2022-03-22 16:03:15 +01:00
|
|
|
return &KubeWrapper{
|
2022-06-15 16:00:48 +02:00
|
|
|
cloudProvider: cloudProvider,
|
|
|
|
clusterUtil: clusterUtil,
|
|
|
|
configProvider: configProvider,
|
|
|
|
client: client,
|
|
|
|
kubeconfigReader: &KubeconfigReader{fs: afero.Afero{Fs: afero.NewOsFs()}},
|
|
|
|
cloudControllerManager: cloudControllerManager,
|
|
|
|
cloudNodeManager: cloudNodeManager,
|
|
|
|
clusterAutoscaler: clusterAutoscaler,
|
|
|
|
providerMetadata: providerMetadata,
|
|
|
|
initialMeasurementsJSON: initialMeasurementsJSON,
|
2022-08-26 09:44:05 +00:00
|
|
|
getIPAddr: getIPAddr,
|
2022-03-22 16:03:15 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-04-26 11:22:21 +02:00
|
|
|
// InitCluster initializes a new Kubernetes cluster and applies pod network provider.
|
2022-06-15 16:00:48 +02:00
|
|
|
func (k *KubeWrapper) InitCluster(
|
2022-09-15 16:51:07 +02:00
|
|
|
ctx context.Context, cloudServiceAccountURI, versionString string, measurementSalt []byte, enforcedPCRs []uint32,
|
|
|
|
enforceIdKeyDigest bool, idKeyDigest []byte, azureCVM bool, kmsConfig resources.KMSConfig, sshUsers map[string]string,
|
|
|
|
helmDeployments []byte, conformanceMode bool, log *logger.Logger,
|
2022-06-28 18:33:27 +02:00
|
|
|
) ([]byte, error) {
|
2022-07-22 15:05:04 +02:00
|
|
|
k8sVersion, err := versions.NewValidK8sVersion(versionString)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
log.With(zap.String("version", string(k8sVersion))).Infof("Installing Kubernetes components")
|
2022-06-21 17:59:12 +02:00
|
|
|
if err := k.clusterUtil.InstallComponents(ctx, k8sVersion); err != nil {
|
2022-06-28 18:33:27 +02:00
|
|
|
return nil, err
|
2022-05-19 17:18:22 +02:00
|
|
|
}
|
|
|
|
|
2022-06-28 18:23:24 +02:00
|
|
|
ip, err := k.getIPAddr()
|
2022-06-21 17:59:12 +02:00
|
|
|
if err != nil {
|
2022-06-28 18:33:27 +02:00
|
|
|
return nil, err
|
2022-06-21 17:59:12 +02:00
|
|
|
}
|
|
|
|
nodeName := ip
|
2022-05-24 10:04:42 +02:00
|
|
|
var providerID string
|
2022-06-28 18:23:24 +02:00
|
|
|
var instance metadata.InstanceMetadata
|
2022-05-24 10:04:42 +02:00
|
|
|
var publicIP string
|
|
|
|
var nodePodCIDR string
|
|
|
|
var subnetworkPodCIDR string
|
2022-08-01 16:51:34 +02:00
|
|
|
var controlPlaneEndpoint string // this is the endpoint in "kubeadm init --control-plane-endpoint=<IP/DNS>:<port>"
|
2022-05-24 10:04:42 +02:00
|
|
|
var nodeIP string
|
2022-07-15 09:33:11 +02:00
|
|
|
var validIPs []net.IP
|
2022-05-24 10:04:42 +02:00
|
|
|
|
|
|
|
// Step 1: retrieve cloud metadata for Kubernetes configuration
|
|
|
|
if k.providerMetadata.Supported() {
|
2022-07-14 13:30:44 +02:00
|
|
|
log.Infof("Retrieving node metadata")
|
2022-06-21 17:59:12 +02:00
|
|
|
instance, err = k.providerMetadata.Self(ctx)
|
2022-05-24 10:04:42 +02:00
|
|
|
if err != nil {
|
2022-08-01 16:51:34 +02:00
|
|
|
return nil, fmt.Errorf("retrieving own instance metadata: %w", err)
|
2022-05-24 10:04:42 +02:00
|
|
|
}
|
2022-08-04 11:08:20 +02:00
|
|
|
if instance.VPCIP != "" {
|
|
|
|
validIPs = append(validIPs, net.ParseIP(instance.VPCIP))
|
2022-07-15 09:33:11 +02:00
|
|
|
}
|
2022-08-04 11:08:20 +02:00
|
|
|
if instance.PublicIP != "" {
|
|
|
|
validIPs = append(validIPs, net.ParseIP(instance.PublicIP))
|
2022-07-15 09:33:11 +02:00
|
|
|
}
|
2022-05-24 10:04:42 +02:00
|
|
|
nodeName = k8sCompliantHostname(instance.Name)
|
|
|
|
providerID = instance.ProviderID
|
2022-08-04 11:08:20 +02:00
|
|
|
nodeIP = instance.VPCIP
|
|
|
|
publicIP = instance.PublicIP
|
|
|
|
|
2022-05-24 10:04:42 +02:00
|
|
|
if len(instance.AliasIPRanges) > 0 {
|
|
|
|
nodePodCIDR = instance.AliasIPRanges[0]
|
|
|
|
}
|
2022-06-21 17:59:12 +02:00
|
|
|
subnetworkPodCIDR, err = k.providerMetadata.GetSubnetworkCIDR(ctx)
|
2022-05-24 10:04:42 +02:00
|
|
|
if err != nil {
|
2022-08-01 16:51:34 +02:00
|
|
|
return nil, fmt.Errorf("retrieving subnetwork CIDR: %w", err)
|
2022-05-24 10:04:42 +02:00
|
|
|
}
|
2022-08-01 16:51:34 +02:00
|
|
|
controlPlaneEndpoint = publicIP
|
2022-05-24 10:04:42 +02:00
|
|
|
if k.providerMetadata.SupportsLoadBalancer() {
|
2022-08-01 16:51:34 +02:00
|
|
|
controlPlaneEndpoint, err = k.providerMetadata.GetLoadBalancerEndpoint(ctx)
|
2022-05-24 10:04:42 +02:00
|
|
|
if err != nil {
|
2022-08-01 16:51:34 +02:00
|
|
|
return nil, fmt.Errorf("retrieving load balancer endpoint: %w", err)
|
2022-07-05 14:14:11 +02:00
|
|
|
}
|
2022-05-24 10:04:42 +02:00
|
|
|
}
|
|
|
|
}
|
2022-07-14 13:30:44 +02:00
|
|
|
log.With(
|
|
|
|
zap.String("nodeName", nodeName),
|
|
|
|
zap.String("providerID", providerID),
|
|
|
|
zap.String("nodeIP", nodeIP),
|
2022-08-01 16:51:34 +02:00
|
|
|
zap.String("controlPlaneEndpointEndpoint", controlPlaneEndpoint),
|
2022-07-14 13:30:44 +02:00
|
|
|
zap.String("podCIDR", subnetworkPodCIDR),
|
|
|
|
).Infof("Setting information for node")
|
2022-05-24 10:04:42 +02:00
|
|
|
|
|
|
|
// Step 2: configure kubeadm init config
|
2022-07-18 12:28:02 +02:00
|
|
|
initConfig := k.configProvider.InitConfiguration(k.cloudControllerManager.Supported(), k8sVersion)
|
2022-05-24 10:04:42 +02:00
|
|
|
initConfig.SetNodeIP(nodeIP)
|
|
|
|
initConfig.SetCertSANs([]string{publicIP, nodeIP})
|
|
|
|
initConfig.SetNodeName(nodeName)
|
|
|
|
initConfig.SetProviderID(providerID)
|
2022-08-01 16:51:34 +02:00
|
|
|
initConfig.SetControlPlaneEndpoint(controlPlaneEndpoint)
|
2022-03-22 16:03:15 +01:00
|
|
|
initConfigYAML, err := initConfig.Marshal()
|
|
|
|
if err != nil {
|
2022-06-28 18:33:27 +02:00
|
|
|
return nil, fmt.Errorf("encoding kubeadm init configuration as YAML: %w", err)
|
2022-03-22 16:03:15 +01:00
|
|
|
}
|
2022-07-14 13:30:44 +02:00
|
|
|
log.Infof("Initializing Kubernetes cluster")
|
2022-09-20 10:07:55 +02:00
|
|
|
if err := k.clusterUtil.InitCluster(ctx, initConfigYAML, nodeName, validIPs, controlPlaneEndpoint, conformanceMode, log); err != nil {
|
2022-06-28 18:33:27 +02:00
|
|
|
return nil, fmt.Errorf("kubeadm init: %w", err)
|
2022-03-22 16:03:15 +01:00
|
|
|
}
|
|
|
|
kubeConfig, err := k.GetKubeconfig()
|
|
|
|
if err != nil {
|
2022-06-28 18:33:27 +02:00
|
|
|
return nil, fmt.Errorf("reading kubeconfig after cluster initialization: %w", err)
|
2022-03-22 16:03:15 +01:00
|
|
|
}
|
|
|
|
k.client.SetKubeconfig(kubeConfig)
|
2022-05-24 10:04:42 +02:00
|
|
|
|
|
|
|
// Step 3: configure & start kubernetes controllers
|
2022-07-14 13:30:44 +02:00
|
|
|
log.Infof("Starting Kubernetes controllers and deployments")
|
2022-05-24 10:04:42 +02:00
|
|
|
setupPodNetworkInput := k8sapi.SetupPodNetworkInput{
|
2022-08-31 15:37:07 +02:00
|
|
|
CloudProvider: k.cloudProvider,
|
|
|
|
NodeName: nodeName,
|
|
|
|
FirstNodePodCIDR: nodePodCIDR,
|
|
|
|
SubnetworkPodCIDR: subnetworkPodCIDR,
|
|
|
|
LoadBalancerEndpoint: controlPlaneEndpoint,
|
2022-05-24 10:04:42 +02:00
|
|
|
}
|
2022-08-12 10:20:19 +02:00
|
|
|
if err = k.clusterUtil.SetupHelmDeployments(ctx, k.client, helmDeployments, setupPodNetworkInput, log); err != nil {
|
2022-06-28 18:33:27 +02:00
|
|
|
return nil, fmt.Errorf("setting up pod network: %w", err)
|
2022-03-22 16:03:15 +01:00
|
|
|
}
|
|
|
|
|
2022-09-01 03:40:29 +02:00
|
|
|
var controlPlaneIP string
|
|
|
|
if strings.Contains(controlPlaneEndpoint, ":") {
|
|
|
|
controlPlaneIP, _, err = net.SplitHostPort(controlPlaneEndpoint)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("parsing control plane endpoint: %w", err)
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
controlPlaneIP = controlPlaneEndpoint
|
|
|
|
}
|
|
|
|
if err = k.clusterUtil.SetupKonnectivity(k.client, resources.NewKonnectivityAgents(controlPlaneIP)); err != nil {
|
|
|
|
return nil, fmt.Errorf("setting up konnectivity: %w", err)
|
|
|
|
}
|
|
|
|
|
2022-07-29 09:52:47 +02:00
|
|
|
kms := resources.NewKMSDeployment(k.cloudProvider, kmsConfig)
|
2022-04-12 14:07:17 +00:00
|
|
|
if err = k.clusterUtil.SetupKMS(k.client, kms); err != nil {
|
2022-06-28 18:33:27 +02:00
|
|
|
return nil, fmt.Errorf("setting up kms: %w", err)
|
2022-04-12 14:07:17 +00:00
|
|
|
}
|
|
|
|
|
2022-08-31 20:10:49 +02:00
|
|
|
if err := k.setupInternalConfigMap(ctx, strconv.FormatBool(azureCVM)); err != nil {
|
|
|
|
return nil, fmt.Errorf("failed to setup internal ConfigMap: %w", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := k.setupJoinService(k.cloudProvider, k.initialMeasurementsJSON, measurementSalt, enforcedPCRs, idKeyDigest, enforceIdKeyDigest); err != nil {
|
2022-07-05 14:13:19 +02:00
|
|
|
return nil, fmt.Errorf("setting up join service failed: %w", err)
|
2022-06-15 16:00:48 +02:00
|
|
|
}
|
|
|
|
|
2022-07-21 14:41:07 +02:00
|
|
|
if err := k.setupCCM(ctx, subnetworkPodCIDR, cloudServiceAccountURI, instance, k8sVersion); err != nil {
|
2022-06-28 18:33:27 +02:00
|
|
|
return nil, fmt.Errorf("setting up cloud controller manager: %w", err)
|
2022-03-25 10:42:27 +01:00
|
|
|
}
|
2022-07-21 14:41:07 +02:00
|
|
|
if err := k.setupCloudNodeManager(k8sVersion); err != nil {
|
2022-06-28 18:33:27 +02:00
|
|
|
return nil, fmt.Errorf("setting up cloud node manager: %w", err)
|
2022-03-25 10:49:18 +01:00
|
|
|
}
|
|
|
|
|
2022-09-15 16:51:07 +02:00
|
|
|
if err := k.setupClusterAutoscaler(instance, cloudServiceAccountURI, k8sVersion); err != nil {
|
2022-06-28 18:33:27 +02:00
|
|
|
return nil, fmt.Errorf("setting up cluster autoscaler: %w", err)
|
2022-03-22 16:03:15 +01:00
|
|
|
}
|
|
|
|
|
2022-06-13 16:23:19 +02:00
|
|
|
accessManager := resources.NewAccessManagerDeployment(sshUsers)
|
|
|
|
if err := k.clusterUtil.SetupAccessManager(k.client, accessManager); err != nil {
|
2022-06-28 18:33:27 +02:00
|
|
|
return nil, fmt.Errorf("failed to setup access-manager: %w", err)
|
2022-06-13 16:23:19 +02:00
|
|
|
}
|
|
|
|
|
2022-06-28 17:03:28 +02:00
|
|
|
if err := k.clusterUtil.SetupVerificationService(
|
2022-09-01 15:01:23 +02:00
|
|
|
k.client, resources.NewVerificationDaemonSet(k.cloudProvider, controlPlaneEndpoint),
|
2022-06-28 17:03:28 +02:00
|
|
|
); err != nil {
|
2022-06-28 18:33:27 +02:00
|
|
|
return nil, fmt.Errorf("failed to setup verification service: %w", err)
|
2022-06-28 17:03:28 +02:00
|
|
|
}
|
|
|
|
|
2022-08-31 13:39:58 +02:00
|
|
|
if err := k.setupOperators(ctx); err != nil {
|
|
|
|
return nil, fmt.Errorf("setting up operators: %w", err)
|
2022-08-04 16:15:52 +02:00
|
|
|
}
|
|
|
|
|
2022-07-05 14:14:11 +02:00
|
|
|
if k.cloudProvider == "gcp" {
|
|
|
|
if err := k.clusterUtil.SetupGCPGuestAgent(k.client, resources.NewGCPGuestAgentDaemonset()); err != nil {
|
|
|
|
return nil, fmt.Errorf("failed to setup gcp guest agent: %w", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-07-26 10:58:39 +02:00
|
|
|
// Store the received k8sVersion in a ConfigMap, overwriting existing values (there shouldn't be any).
|
2022-07-18 12:28:02 +02:00
|
|
|
// Joining nodes determine the kubernetes version they will install based on this ConfigMap.
|
2022-07-20 16:44:41 +02:00
|
|
|
if err := k.setupK8sVersionConfigMap(ctx, k8sVersion); err != nil {
|
2022-08-31 20:10:49 +02:00
|
|
|
return nil, fmt.Errorf("failed to setup k8s version ConfigMap: %w", err)
|
2022-07-18 12:28:02 +02:00
|
|
|
}
|
|
|
|
|
2022-09-08 14:45:27 +02:00
|
|
|
k.clusterUtil.FixCilium(log)
|
2022-06-13 16:01:21 +02:00
|
|
|
|
2022-06-28 18:33:27 +02:00
|
|
|
return k.GetKubeconfig()
|
2022-03-22 16:03:15 +01:00
|
|
|
}
|
|
|
|
|
2022-04-26 11:22:21 +02:00
|
|
|
// JoinCluster joins existing Kubernetes cluster.
|
2022-07-22 15:05:04 +02:00
|
|
|
func (k *KubeWrapper) JoinCluster(ctx context.Context, args *kubeadm.BootstrapTokenDiscovery, peerRole role.Role, versionString string, log *logger.Logger) error {
|
|
|
|
k8sVersion, err := versions.NewValidK8sVersion(versionString)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
log.With(zap.String("version", string(k8sVersion))).Infof("Installing Kubernetes components")
|
2022-07-18 12:28:02 +02:00
|
|
|
if err := k.clusterUtil.InstallComponents(ctx, k8sVersion); err != nil {
|
2022-05-19 17:18:22 +02:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2022-05-24 10:04:42 +02:00
|
|
|
// Step 1: retrieve cloud metadata for Kubernetes configuration
|
2022-06-28 18:23:24 +02:00
|
|
|
nodeInternalIP, err := k.getIPAddr()
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
nodeName := nodeInternalIP
|
2022-05-24 10:04:42 +02:00
|
|
|
var providerID string
|
2022-08-01 16:51:34 +02:00
|
|
|
var loadbalancerEndpoint string
|
2022-05-24 10:04:42 +02:00
|
|
|
if k.providerMetadata.Supported() {
|
2022-07-14 13:30:44 +02:00
|
|
|
log.Infof("Retrieving node metadata")
|
2022-06-28 18:23:24 +02:00
|
|
|
instance, err := k.providerMetadata.Self(ctx)
|
2022-05-24 10:04:42 +02:00
|
|
|
if err != nil {
|
2022-08-01 16:51:34 +02:00
|
|
|
return fmt.Errorf("retrieving own instance metadata: %w", err)
|
2022-05-24 10:04:42 +02:00
|
|
|
}
|
|
|
|
providerID = instance.ProviderID
|
|
|
|
nodeName = instance.Name
|
2022-08-04 11:08:20 +02:00
|
|
|
nodeInternalIP = instance.VPCIP
|
2022-09-02 20:19:20 +02:00
|
|
|
if k.providerMetadata.SupportsLoadBalancer() {
|
|
|
|
loadbalancerEndpoint, err = k.providerMetadata.GetLoadBalancerEndpoint(ctx)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("retrieving loadbalancer endpoint: %w", err)
|
|
|
|
}
|
2022-08-01 16:51:34 +02:00
|
|
|
}
|
2022-05-24 10:04:42 +02:00
|
|
|
}
|
|
|
|
nodeName = k8sCompliantHostname(nodeName)
|
|
|
|
|
2022-07-14 13:30:44 +02:00
|
|
|
log.With(
|
|
|
|
zap.String("nodeName", nodeName),
|
|
|
|
zap.String("providerID", providerID),
|
|
|
|
zap.String("nodeIP", nodeInternalIP),
|
|
|
|
).Infof("Setting information for node")
|
|
|
|
|
2022-09-01 03:40:29 +02:00
|
|
|
// Step 2: configure kubeadm join config
|
2022-05-24 10:04:42 +02:00
|
|
|
joinConfig := k.configProvider.JoinConfiguration(k.cloudControllerManager.Supported())
|
2022-07-08 10:59:59 +02:00
|
|
|
joinConfig.SetAPIServerEndpoint(args.APIServerEndpoint)
|
2022-03-22 16:03:15 +01:00
|
|
|
joinConfig.SetToken(args.Token)
|
|
|
|
joinConfig.AppendDiscoveryTokenCaCertHash(args.CACertHashes[0])
|
2022-04-25 17:24:48 +02:00
|
|
|
joinConfig.SetNodeIP(nodeInternalIP)
|
2022-03-22 16:03:15 +01:00
|
|
|
joinConfig.SetNodeName(nodeName)
|
|
|
|
joinConfig.SetProviderID(providerID)
|
2022-06-29 15:26:29 +02:00
|
|
|
if peerRole == role.ControlPlane {
|
2022-07-11 13:29:22 +02:00
|
|
|
joinConfig.SetControlPlane(nodeInternalIP)
|
2022-04-25 17:24:48 +02:00
|
|
|
}
|
2022-03-22 16:03:15 +01:00
|
|
|
joinConfigYAML, err := joinConfig.Marshal()
|
|
|
|
if err != nil {
|
2022-06-09 14:04:30 +00:00
|
|
|
return fmt.Errorf("encoding kubeadm join configuration as YAML: %w", err)
|
2022-03-22 16:03:15 +01:00
|
|
|
}
|
2022-07-14 13:30:44 +02:00
|
|
|
log.With(zap.String("apiServerEndpoint", args.APIServerEndpoint)).Infof("Joining Kubernetes cluster")
|
2022-09-01 03:40:29 +02:00
|
|
|
if err := k.clusterUtil.JoinCluster(ctx, joinConfigYAML, peerRole, loadbalancerEndpoint, log); err != nil {
|
2022-06-09 14:04:30 +00:00
|
|
|
return fmt.Errorf("joining cluster: %v; %w ", string(joinConfigYAML), err)
|
2022-03-22 16:03:15 +01:00
|
|
|
}
|
|
|
|
|
2022-09-08 14:45:27 +02:00
|
|
|
k.clusterUtil.FixCilium(log)
|
2022-06-13 16:01:21 +02:00
|
|
|
|
2022-03-22 16:03:15 +01:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetKubeconfig returns the current nodes kubeconfig of stored on disk.
|
|
|
|
func (k *KubeWrapper) GetKubeconfig() ([]byte, error) {
|
2022-07-05 14:14:11 +02:00
|
|
|
return k.kubeconfigReader.ReadKubeconfig()
|
2022-03-22 16:03:15 +01:00
|
|
|
}
|
|
|
|
|
2022-08-12 15:59:45 +02:00
|
|
|
func (k *KubeWrapper) setupJoinService(
|
2022-08-29 16:41:09 +02:00
|
|
|
csp string, measurementsJSON, measurementSalt []byte, enforcedPCRs []uint32, initialIdKeyDigest []byte, enforceIdKeyDigest bool,
|
2022-08-12 15:59:45 +02:00
|
|
|
) error {
|
|
|
|
enforcedPCRsJSON, err := json.Marshal(enforcedPCRs)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("marshaling enforcedPCRs: %w", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
joinConfiguration := resources.NewJoinServiceDaemonset(
|
2022-08-29 16:41:09 +02:00
|
|
|
csp, string(measurementsJSON), string(enforcedPCRsJSON), hex.EncodeToString(initialIdKeyDigest), strconv.FormatBool(enforceIdKeyDigest), measurementSalt,
|
2022-08-12 15:59:45 +02:00
|
|
|
)
|
2022-06-15 16:00:48 +02:00
|
|
|
|
2022-07-05 14:13:19 +02:00
|
|
|
return k.clusterUtil.SetupJoinService(k.client, joinConfiguration)
|
2022-06-15 16:00:48 +02:00
|
|
|
}
|
|
|
|
|
2022-07-22 15:05:04 +02:00
|
|
|
func (k *KubeWrapper) setupCCM(ctx context.Context, subnetworkPodCIDR, cloudServiceAccountURI string, instance metadata.InstanceMetadata, k8sVersion versions.ValidK8sVersion) error {
|
2022-05-24 10:04:42 +02:00
|
|
|
if !k.cloudControllerManager.Supported() {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
ccmConfigMaps, err := k.cloudControllerManager.ConfigMaps(instance)
|
|
|
|
if err != nil {
|
2022-08-01 16:51:34 +02:00
|
|
|
return fmt.Errorf("defining ConfigMaps for CCM: %w", err)
|
2022-05-24 10:04:42 +02:00
|
|
|
}
|
2022-06-28 16:08:05 +02:00
|
|
|
ccmSecrets, err := k.cloudControllerManager.Secrets(ctx, instance.ProviderID, cloudServiceAccountURI)
|
2022-05-24 10:04:42 +02:00
|
|
|
if err != nil {
|
2022-08-01 16:51:34 +02:00
|
|
|
return fmt.Errorf("defining Secrets for CCM: %w", err)
|
2022-05-24 10:04:42 +02:00
|
|
|
}
|
2022-07-21 14:41:07 +02:00
|
|
|
ccmImage, err := k.cloudControllerManager.Image(k8sVersion)
|
|
|
|
if err != nil {
|
2022-08-01 16:51:34 +02:00
|
|
|
return fmt.Errorf("defining Image for CCM: %w", err)
|
2022-07-21 14:41:07 +02:00
|
|
|
}
|
2022-05-24 10:04:42 +02:00
|
|
|
|
|
|
|
cloudControllerManagerConfiguration := resources.NewDefaultCloudControllerManagerDeployment(
|
2022-07-21 14:41:07 +02:00
|
|
|
k.cloudControllerManager.Name(), ccmImage, k.cloudControllerManager.Path(), subnetworkPodCIDR,
|
2022-05-24 10:04:42 +02:00
|
|
|
k.cloudControllerManager.ExtraArgs(), k.cloudControllerManager.Volumes(), k.cloudControllerManager.VolumeMounts(), k.cloudControllerManager.Env(),
|
|
|
|
)
|
|
|
|
if err := k.clusterUtil.SetupCloudControllerManager(k.client, cloudControllerManagerConfiguration, ccmConfigMaps, ccmSecrets); err != nil {
|
2022-08-01 16:51:34 +02:00
|
|
|
return fmt.Errorf("setting up cloud-controller-manager: %w", err)
|
2022-05-24 10:04:42 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2022-07-22 15:05:04 +02:00
|
|
|
func (k *KubeWrapper) setupCloudNodeManager(k8sVersion versions.ValidK8sVersion) error {
|
2022-05-24 10:04:42 +02:00
|
|
|
if !k.cloudNodeManager.Supported() {
|
|
|
|
return nil
|
|
|
|
}
|
2022-07-21 14:41:07 +02:00
|
|
|
nodeManagerImage, err := k.cloudNodeManager.Image(k8sVersion)
|
|
|
|
if err != nil {
|
2022-08-01 16:51:34 +02:00
|
|
|
return fmt.Errorf("defining Image for Node Manager: %w", err)
|
2022-07-21 14:41:07 +02:00
|
|
|
}
|
|
|
|
|
2022-05-24 10:04:42 +02:00
|
|
|
cloudNodeManagerConfiguration := resources.NewDefaultCloudNodeManagerDeployment(
|
2022-07-21 14:41:07 +02:00
|
|
|
nodeManagerImage, k.cloudNodeManager.Path(), k.cloudNodeManager.ExtraArgs(),
|
2022-05-24 10:04:42 +02:00
|
|
|
)
|
|
|
|
if err := k.clusterUtil.SetupCloudNodeManager(k.client, cloudNodeManagerConfiguration); err != nil {
|
2022-08-01 16:51:34 +02:00
|
|
|
return fmt.Errorf("setting up cloud-node-manager: %w", err)
|
2022-05-24 10:04:42 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2022-09-15 16:51:07 +02:00
|
|
|
func (k *KubeWrapper) setupClusterAutoscaler(instance metadata.InstanceMetadata, cloudServiceAccountURI string, k8sVersion versions.ValidK8sVersion) error {
|
2022-05-24 10:04:42 +02:00
|
|
|
if !k.clusterAutoscaler.Supported() {
|
|
|
|
return nil
|
|
|
|
}
|
2022-06-28 16:08:05 +02:00
|
|
|
caSecrets, err := k.clusterAutoscaler.Secrets(instance.ProviderID, cloudServiceAccountURI)
|
2022-05-24 10:04:42 +02:00
|
|
|
if err != nil {
|
2022-08-01 16:51:34 +02:00
|
|
|
return fmt.Errorf("defining Secrets for cluster-autoscaler: %w", err)
|
2022-05-24 10:04:42 +02:00
|
|
|
}
|
|
|
|
|
2022-07-21 14:41:07 +02:00
|
|
|
clusterAutoscalerConfiguration := resources.NewDefaultAutoscalerDeployment(k.clusterAutoscaler.Volumes(), k.clusterAutoscaler.VolumeMounts(), k.clusterAutoscaler.Env(), k8sVersion)
|
2022-05-24 10:04:42 +02:00
|
|
|
if err := k.clusterUtil.SetupAutoscaling(k.client, clusterAutoscalerConfiguration, caSecrets); err != nil {
|
2022-08-01 16:51:34 +02:00
|
|
|
return fmt.Errorf("setting up cluster-autoscaler: %w", err)
|
2022-05-24 10:04:42 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2022-07-18 12:28:02 +02:00
|
|
|
// setupK8sVersionConfigMap applies a ConfigMap (cf. server-side apply) to consistently store the installed k8s version.
|
2022-07-22 15:05:04 +02:00
|
|
|
func (k *KubeWrapper) setupK8sVersionConfigMap(ctx context.Context, k8sVersion versions.ValidK8sVersion) error {
|
2022-07-18 12:28:02 +02:00
|
|
|
config := corev1.ConfigMap{
|
|
|
|
TypeMeta: metav1.TypeMeta{
|
|
|
|
APIVersion: "v1",
|
|
|
|
Kind: "ConfigMap",
|
|
|
|
},
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
|
|
Name: "k8s-version",
|
|
|
|
Namespace: "kube-system",
|
|
|
|
},
|
|
|
|
Data: map[string]string{
|
2022-07-22 15:05:04 +02:00
|
|
|
constants.K8sVersion: string(k8sVersion),
|
2022-07-18 12:28:02 +02:00
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
// We do not use the client's Apply method here since we are handling a kubernetes-native type.
|
|
|
|
// These types don't implement our custom Marshaler interface.
|
|
|
|
if err := k.client.CreateConfigMap(ctx, config); err != nil {
|
2022-08-31 20:10:49 +02:00
|
|
|
return fmt.Errorf("apply in KubeWrapper.setupK8sVersionConfigMap(..) failed with: %w", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// setupInternalConfigMap applies a ConfigMap (cf. server-side apply) to store information that is not supposed to be user-editable.
|
|
|
|
func (k *KubeWrapper) setupInternalConfigMap(ctx context.Context, azureCVM string) error {
|
|
|
|
config := corev1.ConfigMap{
|
|
|
|
TypeMeta: metav1.TypeMeta{
|
|
|
|
APIVersion: "v1",
|
|
|
|
Kind: "ConfigMap",
|
|
|
|
},
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
|
|
Name: constants.InternalConfigMap,
|
|
|
|
Namespace: "kube-system",
|
|
|
|
},
|
|
|
|
Data: map[string]string{
|
|
|
|
constants.AzureCVM: azureCVM,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
// We do not use the client's Apply method here since we are handling a kubernetes-native type.
|
|
|
|
// These types don't implement our custom Marshaler interface.
|
|
|
|
if err := k.client.CreateConfigMap(ctx, config); err != nil {
|
|
|
|
return fmt.Errorf("apply in KubeWrapper.setupInternalConfigMap failed with: %w", err)
|
2022-07-18 12:28:02 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2022-08-04 16:15:52 +02:00
|
|
|
// setupOperators deploys the operator lifecycle manager and subscriptions to operators.
|
|
|
|
func (k *KubeWrapper) setupOperators(ctx context.Context) error {
|
|
|
|
if err := k.clusterUtil.SetupOperatorLifecycleManager(ctx, k.client, &resources.OperatorLifecycleManagerCRDs{}, &resources.OperatorLifecycleManager{}, resources.OLMCRDNames); err != nil {
|
|
|
|
return fmt.Errorf("setting up OLM: %w", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := k.clusterUtil.SetupNodeMaintenanceOperator(k.client, resources.NewNodeMaintenanceOperatorDeployment()); err != nil {
|
|
|
|
return fmt.Errorf("setting up node maintenance operator: %w", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
uid, err := k.providerMetadata.UID(ctx)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("retrieving constellation UID: %w", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := k.clusterUtil.SetupNodeOperator(ctx, k.client, resources.NewNodeOperatorDeployment(k.cloudProvider, uid)); err != nil {
|
|
|
|
return fmt.Errorf("setting up constellation node operator: %w", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2022-05-24 10:04:42 +02:00
|
|
|
// k8sCompliantHostname transforms a hostname to an RFC 1123 compliant, lowercase subdomain as required by Kubernetes node names.
|
|
|
|
// The following regex is used by k8s for validation: /^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$/ .
|
|
|
|
// Only a simple heuristic is used for now (to lowercase, replace underscores).
|
|
|
|
func k8sCompliantHostname(in string) string {
|
|
|
|
hostname := strings.ToLower(in)
|
|
|
|
hostname = strings.ReplaceAll(hostname, "_", "-")
|
|
|
|
return hostname
|
2022-05-04 14:32:34 +02:00
|
|
|
}
|
|
|
|
|
2022-05-19 17:18:22 +02:00
|
|
|
// StartKubelet starts the kubelet service.
|
2022-09-08 14:45:27 +02:00
|
|
|
func (k *KubeWrapper) StartKubelet(log *logger.Logger) error {
|
|
|
|
if err := k.clusterUtil.StartKubelet(); err != nil {
|
|
|
|
return fmt.Errorf("starting kubelet: %w", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
k.clusterUtil.FixCilium(log)
|
|
|
|
return nil
|
2022-05-19 17:18:22 +02:00
|
|
|
}
|
2022-08-26 09:44:05 +00:00
|
|
|
|
|
|
|
// getIPAddr retrieves to default sender IP used for outgoing connection.
|
|
|
|
func getIPAddr() (string, error) {
|
|
|
|
conn, err := net.Dial("udp", "8.8.8.8:80")
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
defer conn.Close()
|
|
|
|
|
|
|
|
localAddr := conn.LocalAddr().(*net.UDPAddr)
|
|
|
|
|
|
|
|
return localAddr.IP.String(), nil
|
|
|
|
}
|