bootstrapper: add fallback endpoint and custom endpoint to SAN field (#2108)

terraform: collect apiserver cert SANs and support custom endpoint constants: add new constants for cluster configuration and custom endpoint cloud: support apiserver cert sans and prepare for endpoint migration on AWS config: add customEndpoint field bootstrapper: use per-CSP apiserver cert SANs cli: route customEndpoint to terraform and add migration for apiserver cert SANs bootstrapper: change interface of GetLoadBalancerEndpoint to return host and port separately
2025-07-21 14:28:54 -04:00 · 2023-07-21 16:43:51 +02:00 · 2023-07-21 16:43:51 +02:00 · 8da6a23aa5
commit 8da6a23aa5
parent 3324a4eba2
64 changed files with 724 additions and 301 deletions
--- a/cli/internal/kubernetes/BUILD.bazel
+++ b/cli/internal/kubernetes/BUILD.bazel
@ -37,6 +37,8 @@ go_library(
        "@io_k8s_client_go//dynamic",
        "@io_k8s_client_go//kubernetes",
        "@io_k8s_client_go//tools/clientcmd",
+        "@io_k8s_kubernetes//cmd/kubeadm/app/apis/kubeadm/v1beta3",
+        "@io_k8s_sigs_yaml//:yaml",
    ],
 )

--- a/cli/internal/kubernetes/upgrade.go
+++ b/cli/internal/kubernetes/upgrade.go
@ -13,6 +13,7 @@ import (
 	"fmt"
 	"io"
 	"path/filepath"
+	"sort"
 	"strings"
 	"time"

@ -42,6 +43,8 @@ import (
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"
+	kubeadmv1beta3 "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3"
+	"sigs.k8s.io/yaml"
 )

 // UpgradeCmdKind is the kind of the upgrade command (check, apply).
@ -343,6 +346,69 @@ func (u *Upgrader) GetClusterAttestationConfig(ctx context.Context, variant vari
 	return existingAttestationConfig, existingConf, nil
 }

+// ExtendClusterConfigCertSANs extends the ClusterConfig stored under "kube-system/kubeadm-config" with the given SANs.
+// Existing SANs are preserved.
+func (u *Upgrader) ExtendClusterConfigCertSANs(ctx context.Context, alternativeNames []string) error {
+	clusterConfiguration, kubeadmConfig, err := u.GetClusterConfiguration(ctx)
+	if err != nil {
+		return fmt.Errorf("getting ClusterConfig: %w", err)
+	}
+
+	existingSANs := make(map[string]struct{})
+	for _, existingSAN := range clusterConfiguration.APIServer.CertSANs {
+		existingSANs[existingSAN] = struct{}{}
+	}
+
+	var missingSANs []string
+	for _, san := range alternativeNames {
+		if _, ok := existingSANs[san]; !ok {
+			missingSANs = append(missingSANs, san)
+		}
+	}
+
+	if len(missingSANs) == 0 {
+		return nil
+	}
+	u.log.Debugf("Extending the cluster's apiserver SAN field with the following SANs: %s\n", strings.Join(missingSANs, ", "))
+
+	clusterConfiguration.APIServer.CertSANs = append(clusterConfiguration.APIServer.CertSANs, missingSANs...)
+	sort.Strings(clusterConfiguration.APIServer.CertSANs)
+
+	newConfigYAML, err := yaml.Marshal(clusterConfiguration)
+	if err != nil {
+		return fmt.Errorf("marshaling ClusterConfiguration: %w", err)
+	}
+
+	kubeadmConfig.Data[constants.ClusterConfigurationKey] = string(newConfigYAML)
+	u.log.Debugf("Triggering kubeadm config update now")
+	if _, err = u.stableInterface.UpdateConfigMap(ctx, kubeadmConfig); err != nil {
+		return fmt.Errorf("setting new kubeadm config: %w", err)
+	}
+
+	fmt.Fprintln(u.outWriter, "Successfully extended the cluster's apiserver SAN field")
+	return nil
+}
+
+// GetClusterConfiguration fetches the kubeadm-config configmap from the cluster, extracts the config
+// and returns both the full configmap and the ClusterConfiguration.
+func (u *Upgrader) GetClusterConfiguration(ctx context.Context) (kubeadmv1beta3.ClusterConfiguration, *corev1.ConfigMap, error) {
+	existingConf, err := u.stableInterface.GetCurrentConfigMap(ctx, constants.KubeadmConfigMap)
+	if err != nil {
+		return kubeadmv1beta3.ClusterConfiguration{}, nil, fmt.Errorf("retrieving current kubeadm-config: %w", err)
+	}
+	clusterConf, ok := existingConf.Data[constants.ClusterConfigurationKey]
+	if !ok {
+		return kubeadmv1beta3.ClusterConfiguration{}, nil, errors.New("ClusterConfiguration missing from kubeadm-config")
+	}
+
+	var existingClusterConfig kubeadmv1beta3.ClusterConfiguration
+	if err := yaml.Unmarshal([]byte(clusterConf), &existingClusterConfig); err != nil {
+		return kubeadmv1beta3.ClusterConfiguration{}, nil, fmt.Errorf("unmarshaling ClusterConfiguration: %w", err)
+	}
+
+	return existingClusterConfig, existingConf, nil
+}
+
 // applyComponentsCM applies the k8s components ConfigMap to the cluster.
 func (u *Upgrader) applyComponentsCM(ctx context.Context, components *corev1.ConfigMap) error {
 	_, err := u.stableInterface.CreateConfigMap(ctx, components)