kubermatic · kubermatic-bot · Jul 2, 2021 · Jun 29, 2021
diff --git a/addons/cni-weavenet/README.md b/addons/cni-weavenet/README.md
@@ -0,0 +1 @@
+# WeaveNet CNI addon
diff --git a/addons/cni-weavenet/weavenet.yaml b/addons/cni-weavenet/weavenet.yaml
@@ -0,0 +1,248 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: weave-net
+  labels:
+    name: weave-net
+  namespace: kube-system
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: weave-net
+  labels:
+    name: weave-net
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - pods
+      - namespaces
+      - nodes
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - networkpolicies
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ''
+    resources:
+      - nodes/status
+    verbs:
+      - patch
+      - update
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: weave-net
+  labels:
+    name: weave-net
+roleRef:
+  kind: ClusterRole
+  name: weave-net
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: weave-net
+    namespace: kube-system
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: weave-net
+  labels:
+    name: weave-net
+  namespace: kube-system
+rules:
+  - apiGroups:
+      - ''
+    resourceNames:
+      - weave-net
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - update
+  - apiGroups:
+      - ''
+    resources:
+      - configmaps
+    verbs:
+      - create
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: weave-net
+  labels:
+    name: weave-net
+  namespace: kube-system
+roleRef:
+  kind: Role
+  name: weave-net
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: weave-net
+    namespace: kube-system
+
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: weave-net
+  labels:
+    name: weave-net
+  namespace: kube-system
+spec:
+  minReadySeconds: 5
+  selector:
+    matchLabels:
+      name: weave-net
+  template:
+    metadata:
+      labels:
+        name: weave-net
+    spec:
+      containers:
+        - name: weave
+          command:
+            - /home/weave/launch.sh
+          env:
+            - name: HOSTNAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: spec.nodeName
+            - name: INIT_CONTAINER
+              value: 'true'
+            - name: WEAVE_METRICS_ADDR
+              value: '127.0.0.1:6782'
+            - name: CHECKPOINT_DISABLE
+              value: '1'
+            {{ $peers := list }}
+            {{ range .Config.ControlPlane.Hosts }}
+            {{ $peers = append $peers .PrivateAddress }}
+            {{ end }}
+            - name: KUBE_PEERS
+              value: '{{ $peers | join " " }}'
+            - name: IPALLOC_RANGE
+              value: '{{ .Config.ClusterNetwork.PodSubnet }}'
+            {{ if .Config.ClusterNetwork.CNI.WeaveNet.Encrypted }}
+            - name: WEAVE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: weave-passwd
+                  key: weave-passwd
+            {{ end }}
+          image: {{ .InternalImages.Get "WeaveNetCNIKube" }}
+          readinessProbe:
+            httpGet:
+              host: 127.0.0.1
+              path: /status
+              port: 6784
+          resources:
+            requests:
+              cpu: 50m
+              memory: 100Mi
+          securityContext:
+            privileged: true
+          volumeMounts:
+            - name: weavedb
+              mountPath: /weavedb
+            - name: dbus
+              mountPath: /host/var/lib/dbus
+            - name: machine-id
+              mountPath: /host/etc/machine-id
+              readOnly: true
+            - name: xtables-lock
+              mountPath: /run/xtables.lock
+        - name: weave-npc
+          env:
+            - name: HOSTNAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: spec.nodeName
+          image: {{ .InternalImages.Get "WeaveNetCNINPC" }}
+          resources:
+            requests:
+              cpu: 50m
+              memory: 100Mi
+          securityContext:
+            privileged: true
+          volumeMounts:
+            - name: xtables-lock
+              mountPath: /run/xtables.lock
+      dnsPolicy: ClusterFirstWithHostNet
+      hostNetwork: true
+      initContainers:
+        - name: weave-init
+          command:
+            - /home/weave/init.sh
+          image: {{ .InternalImages.Get "WeaveNetCNIKube" }}
+          securityContext:
+            privileged: true
+          volumeMounts:
+            - name: cni-bin
+              mountPath: /host/opt
+            - name: cni-bin2
+              mountPath: /host/home
+            - name: cni-conf
+              mountPath: /host/etc
+            - name: lib-modules
+              mountPath: /lib/modules
+            - name: xtables-lock
+              mountPath: /run/xtables.lock
+      priorityClassName: system-node-critical
+      restartPolicy: Always
+      securityContext:
+        seLinuxOptions: {}
+      serviceAccountName: weave-net
+      tolerations:
+        - effect: NoSchedule
+          operator: Exists
+        - effect: NoExecute
+          operator: Exists
+      volumes:
+        - name: weavedb
+          hostPath:
+            path: /var/lib/weave
+        - name: cni-bin
+          hostPath:
+            path: /opt
+        - name: cni-bin2
+          hostPath:
+            path: /home
+        - name: cni-conf
+          hostPath:
+            path: /etc
+        - name: dbus
+          hostPath:
+            path: /var/lib/dbus
+        - name: lib-modules
+          hostPath:
+            path: /lib/modules
+        - name: machine-id
+          hostPath:
+            path: /etc/machine-id
+            type: FileOrCreate
+        - name: xtables-lock
+          hostPath:
+            path: /run/xtables.lock
+            type: FileOrCreate
+  updateStrategy:
+    type: RollingUpdate
diff --git a/go.mod b/go.mod
@@ -23,7 +23,7 @@ require (
 	go.etcd.io/etcd/client/v3 v3.5.0
 	golang.org/x/crypto v0.0.0-20201217014255-9d1352758620
 	golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1
-	golang.org/x/tools v0.1.4 // indirect
+	golang.org/x/tools v0.1.4
 	google.golang.org/grpc v1.38.0
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.19.4

diff --git a/go.sum b/go.sum
@@ -1130,7 +1130,6 @@ golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4f
 golang.org/x/tools v0.0.0-20201202200335-bef1c476418a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
-golang.org/x/tools v0.1.2 h1:kRBLX7v7Af8W7Gdbbc908OJcdgtK8bOz9Uaj8/F1ACA=
 golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.4 h1:cVngSRcfgyZCzys3KYOpCFa+4dqX/Oub9tAq00ttGVs=
 golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=

diff --git a/pkg/addons/ensure.go b/pkg/addons/ensure.go
@@ -38,10 +38,11 @@ var (
 	// embeddedAddons is a list of addons that are embedded in the KubeOne
 	// binary. Those addons are skipped when applying the user-provided addons
 	embeddedAddons = map[string]string{
-		resources.AddonCNICanal:        "",
 		resources.AddonCCMDigitalOcean: "",
 		resources.AddonCCMHetzner:      "",
 		resources.AddonCCMPacket:       "",
+		resources.AddonCNICanal:        "",
+		resources.AddonCNIWeavenet:     "",
 		resources.AddonNodeLocalDNS:    "",
 	}
 )

diff --git a/pkg/tasks/cni.go b/pkg/tasks/cni.go
@@ -33,22 +33,19 @@ func ensureCNI(s *state.State) error {
 			return err
 		}
 	case s.Cluster.ClusterNetwork.CNI.WeaveNet != nil:
-		return ensureCNIWeaveNet(s)
+		if s.Cluster.ClusterNetwork.CNI.WeaveNet.Encrypted {
+			if err := weave.EnsureSecret(s); err != nil {
+				return err
+			}
+		}
+		if err := addons.EnsureAddonByName(s, resources.AddonCNIWeavenet); err != nil {
+			return err
+		}
 	case s.Cluster.ClusterNetwork.CNI.External != nil:
-		return ensureCNIExternal(s)
+		s.Logger.Infoln("External CNI plugin will be used")
 	default:
 		return errors.Errorf("unknown CNI provider")
 	}
 
 	return kubeconfig.HackIssue321InitDynamicClient(s)
 }
-
-func ensureCNIWeaveNet(s *state.State) error {
-	s.Logger.Infoln("Applying weave-net CNI plugin...")
-	return weave.Deploy(s)
-}
-
-func ensureCNIExternal(s *state.State) error {
-	s.Logger.Infoln("External CNI plugin will be used")
-	return nil
-}
diff --git a/pkg/templates/images/images.go b/pkg/templates/images/images.go
@@ -79,8 +79,8 @@ func optionalResources() map[Resource]string {
 		OpenstackCCM:    "docker.io/k8scloudprovider/openstack-cloud-controller-manager:v1.17.0",
 		PacketCCM:       "docker.io/packethost/packet-ccm:v1.0.0",
 		VsphereCCM:      "gcr.io/cloud-provider-vsphere/cpi/release/manager:v1.2.1",
-		WeaveNetCNIKube: "docker.io/weaveworks/weave-kube:2.7.0",
-		WeaveNetCNINPC:  "docker.io/weaveworks/weave-npc:2.7.0",
+		WeaveNetCNIKube: "docker.io/weaveworks/weave-kube:2.8.1",
+		WeaveNetCNINPC:  "docker.io/weaveworks/weave-npc:2.8.1",
 	}
 }
 

diff --git a/pkg/templates/resources/resources.go b/pkg/templates/resources/resources.go
@@ -18,10 +18,11 @@ package resources
 
 // Names of the internal addons
 const (
-	AddonCNICanal        = "cni-canal"
 	AddonCCMDigitalOcean = "ccm-digitalocean"
 	AddonCCMHetzner      = "ccm-hetzner"
 	AddonCCMPacket       = "ccm-packet"
+	AddonCNICanal        = "cni-canal"
+	AddonCNIWeavenet     = "cni-weavenet"
 	AddonNodeLocalDNS    = "nodelocaldns"
 )