From c1e3231848ddda5cb8202b10a1edf84a2bae7615 Mon Sep 17 00:00:00 2001
From: Malte Poll <mp@edgeless.systems>
Date: Tue, 25 Oct 2022 16:36:03 +0200
Subject: [PATCH] Preinstall kubelet systemd unit in OS images (#365)

---
 .../internal/kubernetes/k8sapi/constants.go   | 17 +++----
 .../internal/kubernetes/k8sapi/k8sutil.go     | 15 +------
 image/mkosi.finalize                          |  7 ---
 .../system-preset/30-constellation.preset     |  5 ++-
 .../usr/lib/systemd/system/kubelet.service    | 21 +++++++++
 internal/versions/versions.go                 | 44 ++++++++-----------
 6 files changed, 51 insertions(+), 58 deletions(-)
 create mode 100644 image/mkosi.skeleton/usr/lib/systemd/system/kubelet.service

diff --git a/bootstrapper/internal/kubernetes/k8sapi/constants.go b/bootstrapper/internal/kubernetes/k8sapi/constants.go
index 41ad876dc..f4b016034 100644
--- a/bootstrapper/internal/kubernetes/k8sapi/constants.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/constants.go
@@ -8,14 +8,11 @@ package k8sapi
 
 const (
 	// Paths and permissions necessary for Kubernetes installation.
-	cniPluginsDir           = "/opt/cni/bin"
-	binDir                  = "/run/state/bin"
-	kubeadmPath             = "/run/state/bin/kubeadm"
-	kubeletPath             = "/run/state/bin/kubelet"
-	kubeletServiceEtcPath   = "/run/systemd/system/kubelet.service"
-	kubeletServiceStatePath = "/run/state/systemd/system/kubelet.service"
-	kubeadmConfEtcPath      = "/run/systemd/system/kubelet.service.d/10-kubeadm.conf"
-	kubeadmConfStatePath    = "/run/state/systemd/system/kubelet.service.d/10-kubeadm.conf"
-	executablePerm          = 0o544
-	systemdUnitPerm         = 0o644
+	cniPluginsDir      = "/opt/cni/bin"
+	binDir             = "/run/state/bin"
+	kubeadmPath        = "/run/state/bin/kubeadm"
+	kubeletPath        = "/run/state/bin/kubelet"
+	kubeletServicePath = "/usr/lib/systemd/system/kubelet.service"
+	executablePerm     = 0o544
+	systemdUnitPerm    = 0o644
 )
diff --git a/bootstrapper/internal/kubernetes/k8sapi/k8sutil.go b/bootstrapper/internal/kubernetes/k8sapi/k8sutil.go
index eaab4794d..854b80fa2 100644
--- a/bootstrapper/internal/kubernetes/k8sapi/k8sutil.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/k8sutil.go
@@ -34,7 +34,6 @@ import (
 	"github.com/edgelesssys/constellation/v2/internal/file"
 	"github.com/edgelesssys/constellation/v2/internal/logger"
 	"github.com/edgelesssys/constellation/v2/internal/versions"
-	"github.com/icholy/replace"
 	"github.com/spf13/afero"
 	"go.uber.org/zap"
 	"golang.org/x/text/transform"
@@ -93,16 +92,6 @@ func (k *KubernetesUtil) InstallComponents(ctx context.Context, version versions
 	); err != nil {
 		return fmt.Errorf("installing crictl: %w", err)
 	}
-	if err := k.inst.Install(
-		ctx, versionConf.KubeletServiceURL, []string{kubeletServiceEtcPath, kubeletServiceStatePath}, systemdUnitPerm, false, replace.String("/usr/bin", binDir),
-	); err != nil {
-		return fmt.Errorf("installing kubelet service: %w", err)
-	}
-	if err := k.inst.Install(
-		ctx, versionConf.KubeadmConfURL, []string{kubeadmConfEtcPath, kubeadmConfStatePath}, systemdUnitPerm, false, replace.String("/usr/bin", binDir),
-	); err != nil {
-		return fmt.Errorf("installing kubeadm conf: %w", err)
-	}
 	if err := k.inst.Install(
 		ctx, versionConf.KubeletURL, []string{kubeletPath}, executablePerm, false,
 	); err != nil {
@@ -119,7 +108,7 @@ func (k *KubernetesUtil) InstallComponents(ctx context.Context, version versions
 		return fmt.Errorf("installing kubectl: %w", err)
 	}
 
-	return enableSystemdUnit(ctx, kubeletServiceEtcPath)
+	return enableSystemdUnit(ctx, kubeletServicePath)
 }
 
 func (k *KubernetesUtil) InitCluster(
@@ -434,7 +423,7 @@ func (k *KubernetesUtil) JoinCluster(ctx context.Context, joinConfig []byte, pee
 func (k *KubernetesUtil) StartKubelet() error {
 	ctx, cancel := context.WithTimeout(context.TODO(), kubeletStartTimeout)
 	defer cancel()
-	if err := enableSystemdUnit(ctx, kubeletServiceEtcPath); err != nil {
+	if err := enableSystemdUnit(ctx, kubeletServicePath); err != nil {
 		return fmt.Errorf("enabling kubelet systemd unit: %w", err)
 	}
 	return startSystemdUnit(ctx, "kubelet.service")
diff --git a/image/mkosi.finalize b/image/mkosi.finalize
index 643f343f5..77b1066d4 100755
--- a/image/mkosi.finalize
+++ b/image/mkosi.finalize
@@ -5,12 +5,5 @@
 
 set -euxo pipefail
 
-# recreate kubelet systemd unit after reboot.
-# tmpfile config has to be written late as it interferes with the systemd-nspawn build environment
-cat >"${BUILDROOT}/usr/lib/tmpfiles.d/kubelet-service.conf" <<EOF
-C     /run/systemd/system/kubelet.service                   -    -    -     -           /run/state/systemd/system/kubelet.service
-C     /run/systemd/system/kubelet.service.d/10-kubeadm.conf -    -    -     -           /run/state/systemd/system/kubelet.service.d/10-kubeadm.conf
-EOF
-
 # cleanup dracut generation files (disk-mapper) to save space
 rm -rf "${BUILDROOT}/usr/lib/dracut/modules.d/39constellation-mount/"
diff --git a/image/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset b/image/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset
index b14d3bc93..24072c48e 100644
--- a/image/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset
+++ b/image/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset
@@ -1,5 +1,6 @@
-enable constellation-bootstrapper.service
 enable configure-constel-csp.service
+enable constellation-bootstrapper.service
 enable containerd.service
-enable tpm-pcrs.service
+enable kubelet.service
 enable systemd-networkd.service
+enable tpm-pcrs.service
diff --git a/image/mkosi.skeleton/usr/lib/systemd/system/kubelet.service b/image/mkosi.skeleton/usr/lib/systemd/system/kubelet.service
new file mode 100644
index 000000000..bfe1b8b85
--- /dev/null
+++ b/image/mkosi.skeleton/usr/lib/systemd/system/kubelet.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=kubelet: The Kubernetes Node Agent
+Documentation=https://kubernetes.io/docs/home/
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
+Environment="KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml"
+# This is a file that "kubeadm init" and "kubeadm join" generates at runtime, populating the KUBELET_KUBEADM_ARGS variable dynamically
+EnvironmentFile=-/var/lib/kubelet/kubeadm-flags.env
+# This is a file that the user can use for overrides of the kubelet args as a last resort. Preferably, the user should use
+# the .NodeRegistration.KubeletExtraArgs object in the configuration files instead. KUBELET_EXTRA_ARGS should be sourced from this file.
+EnvironmentFile=-/etc/default/kubelet
+ExecStart=/run/state/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS
+Restart=always
+StartLimitInterval=0
+RestartSec=10
+
+[Install]
+WantedBy=multi-user.target
diff --git a/internal/versions/versions.go b/internal/versions/versions.go
index 4c95e83cf..059a3e922 100644
--- a/internal/versions/versions.go
+++ b/internal/versions/versions.go
@@ -82,14 +82,12 @@ var (
 // versionConfigs holds download URLs for all required kubernetes components for every supported version.
 var VersionConfigs = map[ValidK8sVersion]KubernetesVersion{
 	V1_23: {
-		PatchVersion:      "1.23.12",
-		CNIPluginsURL:     "https://github.com/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgz",
-		CrictlURL:         "https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.24.1/crictl-v1.24.1-linux-amd64.tar.gz",
-		KubeletServiceURL: "https://raw.githubusercontent.com/kubernetes/release/v0.14.0/cmd/kubepkg/templates/latest/deb/kubelet/lib/systemd/system/kubelet.service",
-		KubeadmConfURL:    "https://raw.githubusercontent.com/kubernetes/release/v0.14.0/cmd/kubepkg/templates/latest/deb/kubeadm/10-kubeadm.conf",
-		KubeletURL:        "https://storage.googleapis.com/kubernetes-release/release/v1.23.12/bin/linux/amd64/kubelet",
-		KubeadmURL:        "https://storage.googleapis.com/kubernetes-release/release/v1.23.12/bin/linux/amd64/kubeadm",
-		KubectlURL:        "https://storage.googleapis.com/kubernetes-release/release/v1.23.12/bin/linux/amd64/kubectl",
+		PatchVersion:  "1.23.12",
+		CNIPluginsURL: "https://github.com/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgz",
+		CrictlURL:     "https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.24.1/crictl-v1.24.1-linux-amd64.tar.gz",
+		KubeletURL:    "https://storage.googleapis.com/kubernetes-release/release/v1.23.12/bin/linux/amd64/kubelet",
+		KubeadmURL:    "https://storage.googleapis.com/kubernetes-release/release/v1.23.12/bin/linux/amd64/kubeadm",
+		KubectlURL:    "https://storage.googleapis.com/kubernetes-release/release/v1.23.12/bin/linux/amd64/kubectl",
 		// CloudControllerManagerImageGCP is the CCM image used on GCP.
 		// TODO: use newer "cloud-provider-gcp" from https://github.com/kubernetes/cloud-provider-gcp when newer releases are available.
 		CloudControllerManagerImageGCP: "ghcr.io/edgelesssys/cloud-provider-gcp:v23.0.0@sha256:476616939b85345d7188815045847fcbea8d502464083407cdbb6c934e35820d",
@@ -101,14 +99,12 @@ var VersionConfigs = map[ValidK8sVersion]KubernetesVersion{
 		ClusterAutoscalerImage: "k8s.gcr.io/autoscaling/cluster-autoscaler:v1.23.1@sha256:cd2101ba67f3d6ec719f7792d4bdaa3a50e1b716f3a9ccee8931086496c655b7",
 	},
 	V1_24: {
-		PatchVersion:      "1.24.6",
-		CNIPluginsURL:     "https://github.com/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgz",
-		CrictlURL:         "https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.24.2/crictl-v1.24.2-linux-amd64.tar.gz",
-		KubeletServiceURL: "https://raw.githubusercontent.com/kubernetes/release/v0.14.0/cmd/kubepkg/templates/latest/deb/kubelet/lib/systemd/system/kubelet.service",
-		KubeadmConfURL:    "https://raw.githubusercontent.com/kubernetes/release/v0.14.0/cmd/kubepkg/templates/latest/deb/kubeadm/10-kubeadm.conf",
-		KubeletURL:        "https://storage.googleapis.com/kubernetes-release/release/v1.24.6/bin/linux/amd64/kubelet",
-		KubeadmURL:        "https://storage.googleapis.com/kubernetes-release/release/v1.24.6/bin/linux/amd64/kubeadm",
-		KubectlURL:        "https://storage.googleapis.com/kubernetes-release/release/v1.24.6/bin/linux/amd64/kubectl",
+		PatchVersion:  "1.24.6",
+		CNIPluginsURL: "https://github.com/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgz",
+		CrictlURL:     "https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.24.2/crictl-v1.24.2-linux-amd64.tar.gz",
+		KubeletURL:    "https://storage.googleapis.com/kubernetes-release/release/v1.24.6/bin/linux/amd64/kubelet",
+		KubeadmURL:    "https://storage.googleapis.com/kubernetes-release/release/v1.24.6/bin/linux/amd64/kubeadm",
+		KubectlURL:    "https://storage.googleapis.com/kubernetes-release/release/v1.24.6/bin/linux/amd64/kubectl",
 		// CloudControllerManagerImageGCP is the CCM image used on GCP.
 		// TODO: use newer "cloud-provider-gcp" from https://github.com/kubernetes/cloud-provider-gcp when newer releases are available.
 		CloudControllerManagerImageGCP: "ghcr.io/edgelesssys/cloud-provider-gcp:v24.0.0@sha256:8ee4261980019d3ee8517e12f36fc313fe3ea3e44dd40ee2e004b57f6e5ef171",
@@ -120,14 +116,12 @@ var VersionConfigs = map[ValidK8sVersion]KubernetesVersion{
 		ClusterAutoscalerImage: "k8s.gcr.io/autoscaling/cluster-autoscaler:v1.24.0@sha256:5bd22353ae7f30c9abfaa08189281367ef47ea1b3d09eb13eb26bd13de241e72",
 	},
 	V1_25: {
-		PatchVersion:      "1.25.2",
-		CNIPluginsURL:     "https://github.com/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgz",
-		CrictlURL:         "https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.25.0/crictl-v1.25.0-linux-amd64.tar.gz",
-		KubeletServiceURL: "https://raw.githubusercontent.com/kubernetes/release/v0.14.0/cmd/kubepkg/templates/latest/deb/kubelet/lib/systemd/system/kubelet.service",
-		KubeadmConfURL:    "https://raw.githubusercontent.com/kubernetes/release/v0.14.0/cmd/kubepkg/templates/latest/deb/kubeadm/10-kubeadm.conf",
-		KubeletURL:        "https://storage.googleapis.com/kubernetes-release/release/v1.25.2/bin/linux/amd64/kubelet",
-		KubeadmURL:        "https://storage.googleapis.com/kubernetes-release/release/v1.25.2/bin/linux/amd64/kubeadm",
-		KubectlURL:        "https://storage.googleapis.com/kubernetes-release/release/v1.25.2/bin/linux/amd64/kubectl",
+		PatchVersion:  "1.25.2",
+		CNIPluginsURL: "https://github.com/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgz",
+		CrictlURL:     "https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.25.0/crictl-v1.25.0-linux-amd64.tar.gz",
+		KubeletURL:    "https://storage.googleapis.com/kubernetes-release/release/v1.25.2/bin/linux/amd64/kubelet",
+		KubeadmURL:    "https://storage.googleapis.com/kubernetes-release/release/v1.25.2/bin/linux/amd64/kubeadm",
+		KubectlURL:    "https://storage.googleapis.com/kubernetes-release/release/v1.25.2/bin/linux/amd64/kubectl",
 		// CloudControllerManagerImageGCP is the CCM image used on GCP.
 		// TODO: use newer "cloud-provider-gcp" from https://github.com/kubernetes/cloud-provider-gcp when newer releases are available.
 		CloudControllerManagerImageGCP: "ghcr.io/edgelesssys/cloud-provider-gcp:v25.2.0@sha256:86fa9d31ed0b3d0d8806f13d6e7debd3471028b2cb7cca3a876d8a31612a7ba5",
@@ -148,8 +142,6 @@ type KubernetesVersion struct {
 	PatchVersion                     string
 	CNIPluginsURL                    string // No k8s version dependency.
 	CrictlURL                        string // k8s version dependency.
-	KubeletServiceURL                string // No k8s version dependency.
-	KubeadmConfURL                   string // kubeadm/kubelet v1.11+.
 	KubeletURL                       string // k8s version dependency.
 	KubeadmURL                       string // k8s version dependency.
 	KubectlURL                       string // k8s version dependency.