
merge parent v0.16.x changes (#2)
* KIAM updates to support assumeRoleArn functionality

* Add compute.internal to etcd san when using private zones, because the aws controller does not support private zones

* Fix tests

* Forced rebuild.

Co-authored-by: Dominic Gunn <dominic@fable.sh>
Co-authored-by: Dominic Gunn <4493719+dominicgunn@users.noreply.github.com>
3 people authored Sep 2, 2020
1 parent 2260379 commit 56346fb
Showing 12 changed files with 117 additions and 100 deletions.
1 change: 1 addition & 0 deletions builtin/files/cluster.yaml.tmpl
Expand Up @@ -1646,6 +1646,7 @@ kubeAwsPlugins:
# image: quay.io/uswitch/kiam
# tag: v3.2
# sessionDuration: 30m
# assumeRoleArn: arn:aws:iam::....
# server:
# portName: grpclb
# address: localhost:443
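Review bot: The new `assumeRoleArn` example says nothing about what it requires from IAM, which is the part an operator is most likely to get wrong. A comment above the example such as `# Optional: role the kiam server assumes before assuming pod roles. Its trust policy must allow sts:AssumeRole from the node instance role, and pod roles must then trust this role instead of the node role.` would capture the contract; adjust the second clause if kiam's `--assume-role-arn` chains differently than I recall. The surrounding `kiam` plugin stanza starts and ends outside this hunk.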
47 changes: 19 additions & 28 deletions builtin/files/plugins/kiam/manifests/agent-daemonset.yaml
Expand Up @@ -4,14 +4,12 @@ metadata:
namespace: kube-system
name: kiam-agent
spec:
updateStrategy:
rollingUpdate:
maxUnavailable: 100%
type: RollingUpdate
selector:
matchLabels:
app: kiam
role: agent
updateStrategy:
type: OnDelete
template:
metadata:
annotations:
Expand All @@ -21,41 +19,32 @@ spec:
app: kiam
role: agent
spec:
priorityClassName: system-node-critical
tolerations:
- operator: Exists
effect: NoSchedule
- operator: Exists
effect: NoExecute
- operator: Exists
key: CriticalAddonsOnly
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node.kubernetes.io/role
operator: NotIn
values:
- master
nodeSelector:
kubernetes.io/role: node
volumes:
- name: ssl-certs
hostPath:
# for AWS linux or RHEL distros
# path: /etc/pki/ca-trust/extracted/pem/
# debian or ubuntu distros
# path: /etc/ssl/certs
path: /usr/share/ca-certificates
- name: tls
secret:
secretName: kiam-agent-tls
- name: xtables
hostPath:
path: /run/xtables.lock
type: FileOrCreate
containers:
- name: kiam
securityContext:
capabilities:
add: ["NET_ADMIN"]
image: {{ .Values.image }}:{{ .Values.tag }}
imagePullPolicy: Always
command:
- {{ if checkVersion ">= 3.0" .Values.tag }}/kiam{{ else }}/agent{{ end }}
args:
Expand All @@ -65,18 +54,20 @@ spec:
- --gateway-timeout-creation=1s
{{ end -}}
- --iptables
{{- if .Config.Cluster.Kubernetes.Networking.AmazonVPC.Enabled }}
{{- if .Config.Cluster.Kubernetes.Networking.AmazonVPC.Enabled }}
- --host-interface=!eni0
{{- else if eq .Config.Cluster.Kubernetes.Networking.SelfHosting.Type "canal" }}
{{- else if eq .Config.Cluster.Kubernetes.Networking.SelfHosting.Type "canal" }}
- --host-interface=cali+
{{- else if eq .Config.Cluster.Kubernetes.Networking.SelfHosting.Type "calico" }}
- --host-interface=cali+
{{- else}}
{{- else}}
- --host-interface=cni0
{{- end }}
{{- end }}
- --json-log
- --port=8181
- --cert=/etc/kiam/tls/tls.crt
- --key=/etc/kiam/tls/tls.key
- --ca=/etc/kiam/tls/ca.crt
- --cert=/etc/kiam/tls/agent.pem
- --key=/etc/kiam/tls/agent-key.pem
- --ca=/etc/kiam/tls/ca.pem
- --server-address={{ .Values.agent.address }}
- --prometheus-listen-addr=0.0.0.0:9620
- --prometheus-sync-interval=5s
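Review bot: The agent appears to lose `priorityClassName: system-node-critical` and the `NoSchedule`/`NoExecute`/`CriticalAddonsOnly` tolerations (the +/- markers are not preserved on this page, but the 28 deletions in the diffstat are consistent with those lines being removed rather than moved). Since the agent's `--iptables` rule is what intercepts pod traffic to the metadata endpoint, a node the DaemonSet cannot schedule on — a tainted node, or one evicting under pressure — leaves every pod on it able to call 169.254.169.254 directly and obtain the node's instance-profile credentials, which is the exact exposure kiam exists to prevent. Keeping `tolerations: [{operator: Exists, effect: NoSchedule}, {operator: Exists, effect: NoExecute}, {operator: Exists, key: CriticalAddonsOnly}]` together with the `nodeSelector` narrows scheduling without opening that gap. Dropping the `/run/xtables.lock` hostPath is a smaller concern, but without it the agent's iptables calls no longer coordinate with kube-proxy's through the lock file, if the image's iptables honours it. The pod `spec:` continues past the end of this hunk.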
8 changes: 4 additions & 4 deletions builtin/files/plugins/kiam/manifests/agent-tls-secret.yaml
Expand Up @@ -3,8 +3,8 @@ kind: Secret
metadata:
name: kiam-agent-tls
namespace: kube-system
type: kubernetes.io/tls
type: Opaque
data:
tls.crt: {{ insertTemplateFile "credentials/kiam-agent.pem" . | b64enc }}
tls.key: {{ insertTemplateFile "credentials/kiam-agent-key.pem" . | b64enc }}
ca.crt: {{ insertTemplateFile "credentials/kiam-ca.pem" . | b64enc }}
agent.pem: {{ insertTemplateFile "credentials/kiam-agent.pem" . | b64enc }}
agent-key.pem: {{ insertTemplateFile "credentials/kiam-agent-key.pem" . | b64enc }}
ca.pem: {{ insertTemplateFile "credentials/kiam-ca.pem" . | b64enc }}
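Review bot: Changing `type` from `kubernetes.io/tls` to `Opaque` drops the API server's validation that a certificate and key are actually present, and any tooling that recognises TLS secrets (cert-manager, reloaders, ingress controllers) stops treating this as one. Since kiam's `--cert`/`--key`/`--ca` flags take arbitrary paths, the rename does not need the type change: `type: kubernetes.io/tls` with `tls.crt`/`tls.key` plus an extra `ca.pem` key is accepted by the API server, which only requires the two standard keys. The same applies to the mirror change in `server-tls-secret.yaml`.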
60 changes: 60 additions & 0 deletions builtin/files/plugins/kiam/manifests/rbac.yaml
@@ -0,0 +1,60 @@
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: kiam-server
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: kiam-read
rules:
- apiGroups:
- ""
resources:
- namespaces
- pods
verbs:
- watch
- get
- list
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: kiam-read
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kiam-read
subjects:
- kind: ServiceAccount
name: kiam-server
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: kiam-write
rules:
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: kiam-write
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kiam-write
subjects:
- kind: ServiceAccount
name: kiam-server
namespace: kube-system
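Review bot: All four RBAC objects in the new file use `rbac.authorization.k8s.io/v1beta1`, which has been deprecated since Kubernetes 1.17 and is removed in 1.22, so a fresh manifest should not introduce it. `rbac.authorization.k8s.io/v1` has been served since 1.8 with an identical schema, so `apiVersion: rbac.authorization.k8s.io/v1` on each ClusterRole and ClusterRoleBinding is a no-cost change. The rules themselves — cluster-wide read of `pods`/`namespaces` and `create`/`patch` on `events` for the `kiam-server` ServiceAccount only — are the minimum kiam's server needs as far as I can tell and look right.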

This file was deleted.

21 changes: 0 additions & 21 deletions builtin/files/plugins/kiam/manifests/server-cluster-role.yaml

This file was deleted.

21 changes: 12 additions & 9 deletions builtin/files/plugins/kiam/manifests/server-daemonset.yaml
Expand Up @@ -50,10 +50,13 @@ spec:
{{ end -}}
- --json-log
- --bind=0.0.0.0:443
- --cert=/etc/kiam/tls/tls.crt
- --key=/etc/kiam/tls/tls.key
- --ca=/etc/kiam/tls/ca.crt
- --cert=/etc/kiam/tls/server.pem
- --key=/etc/kiam/tls/server-key.pem
- --ca=/etc/kiam/tls/ca.pem
- --role-base-arn-autodetect
{{- if .Values.assumeRoleArn }}
- --assume-role-arn={{ .Values.assumeRoleArn }}
{{- end }}
- --sync=1m
- --prometheus-listen-addr=0.0.0.0:9620
- --prometheus-sync-interval=5s
Expand All @@ -74,9 +77,9 @@ spec:
- /health
- --server-address-refresh=2s
{{ end -}}
- --cert=/etc/kiam/tls/tls.crt
- --key=/etc/kiam/tls/tls.key
- --ca=/etc/kiam/tls/ca.crt
- --cert=/etc/kiam/tls/server.pem
- --key=/etc/kiam/tls/server-key.pem
- --ca=/etc/kiam/tls/ca.pem
- --server-address={{ .Values.server.address }}
- --timeout=5s
initialDelaySeconds: 10
Expand All @@ -93,9 +96,9 @@ spec:
- /health
- --server-address-refresh=2s
{{ end -}}
- --cert=/etc/kiam/tls/tls.crt
- --key=/etc/kiam/tls/tls.key
- --ca=/etc/kiam/tls/ca.crt
- --cert=/etc/kiam/tls/server.pem
- --key=/etc/kiam/tls/server-key.pem
- --ca=/etc/kiam/tls/ca.pem
- --server-address={{ .Values.server.address }}
- --timeout=5s
initialDelaySeconds: 3
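Review bot: The new `--assume-role-arn={{ .Values.assumeRoleArn }}` is emitted directly after `--role-base-arn-autodetect`, and the two interact: if I read kiam correctly, autodetection derives the base ARN from the node's own account via instance metadata, so when `assumeRoleArn` points into another account (the usual reason to set it) a bare role name in a pod annotation is still resolved against the node's account and the assume fails or, worse, hits a same-named role in the wrong account. When `assumeRoleArn` is set, either emit an explicit `- --role-base-arn=arn:aws:iam::<target-account>:role/` in its place or document that pod annotations must carry full ARNs. A short template comment above the `{{- if .Values.assumeRoleArn }}` block stating that the value is passed through unvalidated and a malformed ARN only surfaces at server start would also help. The container `args:` list begins before this hunk.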
8 changes: 4 additions & 4 deletions builtin/files/plugins/kiam/manifests/server-tls-secret.yaml
Expand Up @@ -3,8 +3,8 @@ kind: Secret
metadata:
name: kiam-server-tls
namespace: kube-system
type: kubernetes.io/tls
type: Opaque
data:
tls.crt: {{ insertTemplateFile "credentials/kiam-server.pem" . | b64enc }}
tls.key: {{ insertTemplateFile "credentials/kiam-server-key.pem" . | b64enc }}
ca.crt: {{ insertTemplateFile "credentials/kiam-ca.pem" . | b64enc }}
server.pem: {{ insertTemplateFile "credentials/kiam-server.pem" . | b64enc }}
server-key.pem: {{ insertTemplateFile "credentials/kiam-server-key.pem" . | b64enc }}
ca.pem: {{ insertTemplateFile "credentials/kiam-ca.pem" . | b64enc }}
5 changes: 0 additions & 5 deletions builtin/files/plugins/kiam/manifests/service-account.yaml

This file was deleted.

13 changes: 4 additions & 9 deletions builtin/files/plugins/kiam/plugin.yaml
Expand Up @@ -7,6 +7,7 @@ spec:
image: quay.io/uswitch/kiam
tag: v3.2
sessionDuration: 30m
assumeRoleArn: ""
server:
portName: grpclb
address: localhost:443
Expand Down Expand Up @@ -40,11 +41,7 @@ spec:
- source:
path: manifests/service.yaml
- source:
path: manifests/service-account.yaml
- source:
path: manifests/server-cluster-role.yaml
- source:
path: manifests/server-cluster-role-binding.yaml
path: manifests/rbac.yaml

pki:
keypairs:
Expand All @@ -58,11 +55,9 @@ spec:
commonName: kiam-server
organization: kube-aws-kiam
dnsNames:
- kiam-server
- kiam-server:443
- localhost
- localhost:443
- localhost:9610
- 127.0.0.1
- kiam-server
duration: 8760h
usages:
- server
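Review bot: The server keypair now lists `127.0.0.1` under `dnsNames`, but an IP address is only matched by a TLS verifier (including Go's, which kiam uses) against an IP SAN, not a DNS SAN, so unless kube-aws's `pki` block translates dotted-quad entries into IP SANs this entry does nothing and a client dialling `127.0.0.1:443` will still fail verification. Either drop it, or, if the `keypairs` schema supports it, move it to an `ipAddresses:` field. Dropping the `host:port` entries is correct since those were never valid SANs; the default `server.address` of `localhost:443` is still covered by the `localhost` DNS SAN. The keypair definition continues past this hunk (`duration`, `usages`).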
5 changes: 5 additions & 0 deletions pkg/model/etcd_cluster.go
Expand Up @@ -45,6 +45,11 @@ func (c EtcdCluster) DNSNames() []string {
dnsName = fmt.Sprintf("*.%s", c.region.PrivateDomainName())
}
}

privateDomainSan := fmt.Sprintf("*.%s", c.region.PrivateDomainName())
if dnsName != privateDomainSan && c.GetMemberIdentityProvider() == api.MemberIdentityProviderENI {
return []string{dnsName, privateDomainSan}
}
return []string{dnsName}
}

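Review bot: The new branch adds a wildcard SAN for the region's default private zone with no comment explaining why, and the reason — per the commit message, the AWS controller cannot resolve custom private zones, so ENI-addressed members may be reached as `*.<region>.compute.internal` — is exactly the kind of thing the next maintainer will otherwise "clean up". A comment such as `// The AWS controller does not resolve custom private zones, so when members are addressed by ENI keep the region's default private zone as a SAN too.` above the `if` would preserve it. The `fmt.Sprintf("*.%s", c.region.PrivateDomainName())` expression now appears twice in this function; computing `privateDomainSan` once before the branch and assigning `dnsName = privateDomainSan` in the earlier branch removes the duplication and makes the `dnsName != privateDomainSan` comparison read as intended. `DNSNames()` begins before this hunk.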
16 changes: 8 additions & 8 deletions pkg/model/etcd_cluster_test.go
Expand Up @@ -22,15 +22,15 @@ func TestEtcdClusterDNSNames(t *testing.T) {
actual := cluster.DNSNames()
expected := []string{"*.ec2.internal"}
if !reflect.DeepEqual(actual, expected) {
t.Errorf("invalid dns names: expecetd=%v, got=%v", expected, actual)
t.Errorf("invalid dns names: expected=%v, got=%v", expected, actual)
}
})
t.Run("us-west-1", func(t *testing.T) {
cluster := NewEtcdCluster(config, usWest1, etcdNet, etcdCount)
actual := cluster.DNSNames()
expected := []string{"*.us-west-1.compute.internal"}
if !reflect.DeepEqual(actual, expected) {
t.Errorf("invalid dns names: expecetd=%v, got=%v", expected, actual)
t.Errorf("invalid dns names: expected=%v, got=%v", expected, actual)
}
})
})
Expand All @@ -42,17 +42,17 @@ func TestEtcdClusterDNSNames(t *testing.T) {
t.Run("us-east-1", func(t *testing.T) {
cluster := NewEtcdCluster(config, usEast1, etcdNet, etcdCount)
actual := cluster.DNSNames()
expected := []string{"*.internal.example.com"}
expected := []string{"*.internal.example.com", "*.ec2.internal"}
if !reflect.DeepEqual(actual, expected) {
t.Errorf("invalid dns names: expecetd=%v, got=%v", expected, actual)
t.Errorf("invalid dns names: expected=%v, got=%v", expected, actual)
}
})
t.Run("us-west-1", func(t *testing.T) {
cluster := NewEtcdCluster(config, usWest1, etcdNet, etcdCount)
actual := cluster.DNSNames()
expected := []string{"*.internal.example.com"}
expected := []string{"*.internal.example.com", "*.us-west-1.compute.internal"}
if !reflect.DeepEqual(actual, expected) {
t.Errorf("invalid dns names: expecetd=%v, got=%v", expected, actual)
t.Errorf("invalid dns names: expected=%v, got=%v", expected, actual)
}
})
})
Expand All @@ -67,15 +67,15 @@ func TestEtcdClusterDNSNames(t *testing.T) {
actual := cluster.DNSNames()
expected := []string{"*.compute-1.amazonaws.com"}
if !reflect.DeepEqual(actual, expected) {
t.Errorf("invalid dns names: expecetd=%v, got=%v", expected, actual)
t.Errorf("invalid dns names: expected=%v, got=%v", expected, actual)
}
})
t.Run("us-west-1", func(t *testing.T) {
cluster := NewEtcdCluster(config, usWest1, etcdNet, etcdCount)
actual := cluster.DNSNames()
expected := []string{"*.us-west-1.compute.amazonaws.com"}
if !reflect.DeepEqual(actual, expected) {
t.Errorf("invalid dns names: expecetd=%v, got=%v", expected, actual)
t.Errorf("invalid dns names: expected=%v, got=%v", expected, actual)
}
})
})
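Review bot: The private-zone cases now expect the extra `*.ec2.internal` / `*.us-west-1.compute.internal` SAN, which only holds when the fixture's member identity provider is ENI, yet no case pins the other side of the new condition — a private-zone cluster with a non-ENI provider should still yield only `*.internal.example.com`. Without that case the `c.GetMemberIdentityProvider() == api.MemberIdentityProviderENI` guard could be dropped and the suite would still pass. Adding a sibling subtest that sets the non-ENI provider and asserts `expected := []string{"*.internal.example.com"}` closes the gap; the fixture setup is outside this hunk, so I cannot tell which provider the existing config uses.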
