Otto Bittner a68ee817ff AB#2074: Choosable K8S Version (#277)
AB#2074: Add configurable k8s version

Configurable version flow:
* cli config holds/validates k8sVersion
* InitCluster receives a k8sVersion arg
* InitCluster creates CM "k8s-version"
* kubeadm's InitConfiguration receives k8sVersion
* joinservice spec mounts/reads k8s-version CM
* joinservice supplies k8sVersion via JoinTicketResponse
Other changes:
* Remove unused test code (FakeK8SClient)
* move VersionConfig map to /internal/versions
* installk8sComponents is now a function instead of a method
2022-07-18 12:28:02 +02:00


package resources
import (
apps ""
k8s ""
rbac ""
v1 ""
// accessManagerDeployment holds the configuration for the SSH user creation pods. User/Key definitions are stored in the ConfigMap, and the manager is deployed on each node by the DaemonSet.
// All objects live in kube-system and are built by NewAccessManagerDeployment; Marshal serializes them.
type accessManagerDeployment struct {
// ConfigMap "ssh-users": the user -> key map handed to NewAccessManagerDeployment, stored verbatim as Data.
ConfigMap k8s.ConfigMap
// ServiceAccount the access-manager pods run under; its token is auto-mounted into the pods.
ServiceAccount k8s.ServiceAccount
// Role holds the namespaced permissions granted to ServiceAccount; RoleBinding ties the two together.
Role rbac.Role
RoleBinding rbac.RoleBinding
// DaemonSet runs the access manager on every node. Its init container mounts the node's root
// filesystem, so this is the node-privileged part of the deployment.
DaemonSet apps.DaemonSet
// ImagePullSecret is produced by NewImagePullSecret and referenced by the DaemonSet's pod spec.
ImagePullSecret k8s.Secret
// NewAccessManagerDeployment creates a new *accessManagerDeployment which manages the SSH users for the cluster.
//
// sshUsers maps user names to their SSH keys (see the type comment) and is stored unchanged as the Data
// of the "ssh-users" ConfigMap in kube-system. Every object is created in kube-system under the name
// "constellation-access-manager". Nothing is applied to the cluster here; the caller serializes the
// result with Marshal.
func NewAccessManagerDeployment(sshUsers map[string]string) *accessManagerDeployment {
return &accessManagerDeployment{
ServiceAccount: k8s.ServiceAccount{
TypeMeta: v1.TypeMeta{
APIVersion: "v1",
Kind: "ServiceAccount",
ObjectMeta: v1.ObjectMeta{
Labels: map[string]string{
"": "constellation",
"": "constellation-access-manager",
"": "Constellation",
Name: "constellation-access-manager",
Namespace: "kube-system",
// The SA token is mounted into every access-manager pod; what that token may do is bounded
// only by the Role/RoleBinding further down, so keep the Role rules minimal.
AutomountServiceAccountToken: proto.Bool(true),
ConfigMap: k8s.ConfigMap{
TypeMeta: v1.TypeMeta{
APIVersion: "v1",
Kind: "ConfigMap",
ObjectMeta: v1.ObjectMeta{
Name: "ssh-users",
Namespace: "kube-system",
// The caller's map is stored as-is (no copy, no validation of user names or keys here).
Data: sshUsers,
DaemonSet: apps.DaemonSet{
TypeMeta: v1.TypeMeta{
APIVersion: "apps/v1",
Kind: "DaemonSet",
ObjectMeta: v1.ObjectMeta{
Name: "constellation-access-manager",
Namespace: "kube-system",
Labels: map[string]string{
"": "constellation",
"": "constellation-access-manager",
Spec: apps.DaemonSetSpec{
Selector: &v1.LabelSelector{
MatchLabels: map[string]string{
"": "constellation",
"": "constellation-access-manager",
Template: k8s.PodTemplateSpec{
ObjectMeta: v1.ObjectMeta{
Labels: map[string]string{
"": "constellation",
"": "constellation-access-manager",
Spec: k8s.PodSpec{
// Both tolerations use Exists on NoSchedule, so the DaemonSet is also scheduled on tainted
// nodes — presumably the control-plane taints, so the manager reaches every node; the taint
// keys are not visible in this rendering, confirm against the checked-in file.
Tolerations: []k8s.Toleration{
Key: "",
Operator: k8s.TolerationOpExists,
Effect: k8s.TaintEffectNoSchedule,
Key: "",
Operator: k8s.TolerationOpExists,
Effect: k8s.TaintEffectNoSchedule,
ImagePullSecrets: []k8s.LocalObjectReference{
Name: secrets.PullSecretName,
// The long-running container is only a pause container; the actual work is done once per
// pod start by the init container below.
Containers: []k8s.Container{
Name: "pause",
Image: "",
ImagePullPolicy: k8s.PullIfNotPresent,
// The init container gets the node's root filesystem at /host plus added capabilities, i.e. it
// runs with node-level privileges. The image referenced by versions.AccessManagerImage and the
// contents of the ssh-users ConfigMap are therefore node-trusted inputs.
InitContainers: []k8s.Container{
Name: "constellation-access-manager",
Image: versions.AccessManagerImage,
VolumeMounts: []k8s.VolumeMount{
Name: "host",
MountPath: "/host",
SecurityContext: &k8s.SecurityContext{
Capabilities: &k8s.Capabilities{
// The capability list is not visible in this rendering; it should stay at the minimum
// the manager needs to create users/keys under /host.
Add: []k8s.Capability{
ServiceAccountName: "constellation-access-manager",
Volumes: []k8s.Volume{
Name: "host",
VolumeSource: k8s.VolumeSource{
// hostPath "/" exposes the entire node filesystem, not only the SSH-relevant directories.
HostPath: &k8s.HostPathVolumeSource{
Path: "/",
// Role: namespaced permissions for the service account. No ConfigMap volume is mounted above, so
// the manager presumably reads ssh-users through the API using these rules. Resources,
// ResourceNames and Verbs are not visible in this rendering — NOTE(review): confirm they are
// limited to what the manager needs (e.g. read access to the ssh-users ConfigMap).
Role: rbac.Role{
TypeMeta: v1.TypeMeta{
APIVersion: "",
Kind: "Role",
ObjectMeta: v1.ObjectMeta{
Labels: map[string]string{
"": "constellation",
"": "constellation-access-manager",
"": "Constellation",
Name: "constellation-access-manager",
Namespace: "kube-system",
Rules: []rbac.PolicyRule{
APIGroups: []string{""},
Resources: []string{
ResourceNames: []string{
Verbs: []string{
// RoleBinding: grants the Role above to the constellation-access-manager ServiceAccount in kube-system.
RoleBinding: rbac.RoleBinding{
TypeMeta: v1.TypeMeta{
APIVersion: "",
Kind: "RoleBinding",
ObjectMeta: v1.ObjectMeta{
Labels: map[string]string{
"": "constellation",
"": "constellation-access-manager",
"": "Constellation",
Name: "constellation-access-manager",
Namespace: "kube-system",
RoleRef: rbac.RoleRef{
APIGroup: "",
Kind: "Role",
Name: "constellation-access-manager",
Subjects: []rbac.Subject{
Kind: "ServiceAccount",
Name: "constellation-access-manager",
Namespace: "kube-system",
// Pull secret for the image registry; defined elsewhere in this package.
ImagePullSecret: NewImagePullSecret(),
// Marshal marshals the access-manager deployment as YAML documents.
// It delegates to the package-level MarshalK8SResources with the receiver as the resource set;
// the returned error is whatever that helper reports.
func (c *accessManagerDeployment) Marshal() ([]byte, error) {
return MarshalK8SResources(c)