Bootstrapper

2025-05-02 14:26:23 -04:00 · 2022-07-05 14:14:11 +02:00 · 2022-07-05 14:14:11 +02:00 · 66b573ea5d
commit 66b573ea5d
parent 1af18e990d
34 changed files with 492 additions and 202 deletions
--- a/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go
@ -88,7 +88,7 @@ func (c *CoreOSConfiguration) InitConfiguration(externalCloudProvider bool) Kube
 						},
 					},
 				},
-				CertSANs: []string{"127.0.0.1", "10.118.0.1"},
+				CertSANs: []string{"127.0.0.1"},
 			},
 			ControllerManager: kubeadm.ControlPlaneComponent{
 				ExtraArgs: map[string]string{
--- a/bootstrapper/internal/kubernetes/k8sapi/resources/gcp_guest_agent.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/resources/gcp_guest_agent.go
@ -0,0 +1,179 @@
+package resources
+
+import (
+	"github.com/edgelesssys/constellation/internal/secrets"
+	apps "k8s.io/api/apps/v1"
+	k8s "k8s.io/api/core/v1"
+	meta "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type gcpGuestAgentDaemonset struct {
+	DaemonSet apps.DaemonSet
+}
+
+func NewGCPGuestAgentDaemonset() *gcpGuestAgentDaemonset {
+	return &gcpGuestAgentDaemonset{
+		DaemonSet: apps.DaemonSet{
+			TypeMeta: meta.TypeMeta{
+				APIVersion: "apps/v1",
+				Kind:       "DaemonSet",
+			},
+			ObjectMeta: meta.ObjectMeta{
+				Name:      "gcp-guest-agent",
+				Namespace: "kube-system",
+				Labels: map[string]string{
+					"k8s-app":                       "gcp-guest-agent",
+					"component":                     "gcp-guest-agent",
+					"kubernetes.io/cluster-service": "true",
+				},
+			},
+			Spec: apps.DaemonSetSpec{
+				Selector: &meta.LabelSelector{
+					MatchLabels: map[string]string{
+						"k8s-app": "gcp-guest-agent",
+					},
+				},
+				Template: k8s.PodTemplateSpec{
+					ObjectMeta: meta.ObjectMeta{
+						Labels: map[string]string{
+							"k8s-app": "gcp-guest-agent",
+						},
+					},
+					Spec: k8s.PodSpec{
+						PriorityClassName: "system-cluster-critical",
+						Tolerations: []k8s.Toleration{
+							{
+								Key:      "node-role.kubernetes.io/master",
+								Operator: k8s.TolerationOpExists,
+								Effect:   k8s.TaintEffectNoSchedule,
+							},
+							{
+								Key:      "node-role.kubernetes.io/control-plane",
+								Operator: k8s.TolerationOpExists,
+								Effect:   k8s.TaintEffectNoSchedule,
+							},
+						},
+						ImagePullSecrets: []k8s.LocalObjectReference{
+							{
+								Name: secrets.PullSecretName,
+							},
+						},
+						Containers: []k8s.Container{
+							{
+								Name:  "gcp-guest-agent",
+								Image: gcpGuestImage,
+								SecurityContext: &k8s.SecurityContext{
+									Privileged: func(b bool) *bool { return &b }(true),
+									Capabilities: &k8s.Capabilities{
+										Add: []k8s.Capability{"NET_ADMIN"},
+									},
+								},
+								VolumeMounts: []k8s.VolumeMount{
+									{
+										Name:      "etcssl",
+										ReadOnly:  true,
+										MountPath: "/etc/ssl",
+									},
+									{
+										Name:      "etcpki",
+										ReadOnly:  true,
+										MountPath: "/etc/pki",
+									},
+									{
+										Name:      "bin",
+										ReadOnly:  true,
+										MountPath: "/bin",
+									},
+									{
+										Name:      "usrbin",
+										ReadOnly:  true,
+										MountPath: "/usr/bin",
+									},
+									{
+										Name:      "usr",
+										ReadOnly:  true,
+										MountPath: "/usr",
+									},
+									{
+										Name:      "lib",
+										ReadOnly:  true,
+										MountPath: "/lib",
+									},
+									{
+										Name:      "lib64",
+										ReadOnly:  true,
+										MountPath: "/lib64",
+									},
+								},
+							},
+						},
+						Volumes: []k8s.Volume{
+							{
+								Name: "etcssl",
+								VolumeSource: k8s.VolumeSource{
+									HostPath: &k8s.HostPathVolumeSource{
+										Path: "/etc/ssl",
+									},
+								},
+							},
+							{
+								Name: "etcpki",
+								VolumeSource: k8s.VolumeSource{
+									HostPath: &k8s.HostPathVolumeSource{
+										Path: "/etc/pki",
+									},
+								},
+							},
+							{
+								Name: "bin",
+								VolumeSource: k8s.VolumeSource{
+									HostPath: &k8s.HostPathVolumeSource{
+										Path: "/bin",
+									},
+								},
+							},
+							{
+								Name: "usrbin",
+								VolumeSource: k8s.VolumeSource{
+									HostPath: &k8s.HostPathVolumeSource{
+										Path: "/usr/bin",
+									},
+								},
+							},
+							{
+								Name: "usr",
+								VolumeSource: k8s.VolumeSource{
+									HostPath: &k8s.HostPathVolumeSource{
+										Path: "/usr",
+									},
+								},
+							},
+							{
+								Name: "lib",
+								VolumeSource: k8s.VolumeSource{
+									HostPath: &k8s.HostPathVolumeSource{
+										Path: "/lib",
+									},
+								},
+							},
+							{
+								Name: "lib64",
+								VolumeSource: k8s.VolumeSource{
+									HostPath: &k8s.HostPathVolumeSource{
+										Path: "/lib64",
+									},
+								},
+							},
+						},
+						HostNetwork: true,
+					},
+				},
+			},
+		},
+	}
+}
+
+// Marshal marshals the access-manager deployment as YAML documents.
+func (c *gcpGuestAgentDaemonset) Marshal() ([]byte, error) {
+	return MarshalK8SResources(c)
+}
--- a/bootstrapper/internal/kubernetes/k8sapi/resources/images.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/resources/images.go
@ -2,10 +2,11 @@ package resources

 const (
 	// Constellation images.
-	joinImage          = "ghcr.io/edgelesssys/constellation/join-service:v1.2"
-	accessManagerImage = "ghcr.io/edgelesssys/constellation/access-manager:v1.2"
-	kmsImage           = "ghcr.io/edgelesssys/constellation/kmsserver:v1.2"
-	verificationImage  = "ghcr.io/edgelesssys/constellation/verification-service:v1.2"
+	joinImage          = "ghcr.io/edgelesssys/constellation/join-service:feat-coordinator-selfactivation-node"
+	accessManagerImage = "ghcr.io/edgelesssys/constellation/access-manager:feat-coordinator-selfactivation-node"
+	kmsImage           = "ghcr.io/edgelesssys/constellation/kmsserver:feat-coordinator-selfactivation-node"
+	verificationImage  = "ghcr.io/edgelesssys/constellation/verification-service:feat-coordinator-selfactivation-node"
+	gcpGuestImage      = "ghcr.io/edgelesssys/gcp-guest-agent:latest"

 	// external images.
 	clusterAutoscalerImage = "k8s.gcr.io/autoscaling/cluster-autoscaler:v1.23.0"
--- a/bootstrapper/internal/kubernetes/k8sapi/resources/joinservice.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/resources/joinservice.go
@ -22,7 +22,7 @@ type joinServiceDaemonset struct {
 }

 // NewJoinServiceDaemonset returns a daemonset for the join service.
-func NewJoinServiceDaemonset(csp, measurementsJSON, idJSON string) *joinServiceDaemonset {
+func NewJoinServiceDaemonset(csp string, measurementsJSON, idJSON string) *joinServiceDaemonset {
 	return &joinServiceDaemonset{
 		ClusterRole: rbac.ClusterRole{
 			TypeMeta: meta.TypeMeta{
--- a/bootstrapper/internal/kubernetes/k8sapi/util.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/util.go
@ -90,13 +90,13 @@ func (k *KubernetesUtil) InitCluster(ctx context.Context, initConfig []byte) err
 	if err != nil {
 		return fmt.Errorf("creating init config file %v: %w", initConfigFile.Name(), err)
 	}
-	defer os.Remove(initConfigFile.Name())
+	// defer os.Remove(initConfigFile.Name())

 	if _, err := initConfigFile.Write(initConfig); err != nil {
 		return fmt.Errorf("writing kubeadm init yaml config %v: %w", initConfigFile.Name(), err)
 	}

-	cmd := exec.CommandContext(ctx, kubeadmPath, "init", "--config", initConfigFile.Name())
+	cmd := exec.CommandContext(ctx, kubeadmPath, "init", "-v=5", "--config", initConfigFile.Name())
 	_, err = cmd.Output()
 	if err != nil {
 		var exitErr *exec.ExitError
@ -237,6 +237,11 @@ func (k *KubernetesUtil) SetupJoinService(kubectl Client, joinServiceConfigurati
 	return kubectl.Apply(joinServiceConfiguration, true)
 }

+// SetupGCPGuestAgent deploys the GCP guest agent daemon set.
+func (k *KubernetesUtil) SetupGCPGuestAgent(kubectl Client, guestAgentDaemonset resources.Marshaler) error {
+	return kubectl.Apply(guestAgentDaemonset, true)
+}
+
 // SetupCloudControllerManager deploys the k8s cloud-controller-manager.
 func (k *KubernetesUtil) SetupCloudControllerManager(kubectl Client, cloudControllerManagerConfiguration resources.Marshaler, configMaps resources.Marshaler, secrets resources.Marshaler) error {
 	if err := kubectl.Apply(configMaps, true); err != nil {
@ -289,18 +294,18 @@ func (k *KubernetesUtil) JoinCluster(ctx context.Context, joinConfig []byte) err
 	if err != nil {
 		return fmt.Errorf("creating join config file %v: %w", joinConfigFile.Name(), err)
 	}
-	defer os.Remove(joinConfigFile.Name())
+	// defer os.Remove(joinConfigFile.Name())

 	if _, err := joinConfigFile.Write(joinConfig); err != nil {
 		return fmt.Errorf("writing kubeadm init yaml config %v: %w", joinConfigFile.Name(), err)
 	}

 	// run `kubeadm join` to join a worker node to an existing Kubernetes cluster
-	cmd := exec.CommandContext(ctx, kubeadmPath, "join", "--config", joinConfigFile.Name())
+	cmd := exec.CommandContext(ctx, kubeadmPath, "join", "-v=5", "--config", joinConfigFile.Name())
 	if _, err := cmd.Output(); err != nil {
 		var exitErr *exec.ExitError
 		if errors.As(err, &exitErr) {
-			return fmt.Errorf("kubeadm join failed (code %v) with: %s", exitErr.ExitCode(), exitErr.Stderr)
+			return fmt.Errorf("kubeadm join failed (code %v) with: %s (full err: %s)", exitErr.ExitCode(), exitErr.Stderr, err)
 		}
 		return fmt.Errorf("kubeadm join: %w", err)
 	}
@ -334,7 +339,7 @@ func (k *KubernetesUtil) GetControlPlaneJoinCertificateKey(ctx context.Context)
 	if err != nil {
 		var exitErr *exec.ExitError
 		if errors.As(err, &exitErr) {
-			return "", fmt.Errorf("kubeadm upload-certs failed (code %v) with: %s", exitErr.ExitCode(), exitErr.Stderr)
+			return "", fmt.Errorf("kubeadm upload-certs failed (code %v) with: %s (full err: %s)", exitErr.ExitCode(), exitErr.Stderr, err)
 		}
 		return "", fmt.Errorf("kubeadm upload-certs: %w", err)
 	}