init: create kubeconfig file with unique user/cluster name #1133

Merged
merged 8 commits into from
Feb 10, 2023
4 changes: 3 additions & 1 deletion .github/actions/constellation_create/action.yml
Expand Up @@ -73,6 +73,8 @@ runs:
run: |
constellation config generate ${{ inputs.cloudProvider }}

yq eval -i "(.name) = \"e2e-test\"" constellation-conf.yaml

yq eval -i \
"(.provider | select(. | has(\"azure\")).azure.subscription) = \"${{ inputs.azureSubscription }}\" |
(.provider | select(. | has(\"azure\")).azure.tenant) = \"${{ inputs.azureTenant }}\" |
Expand Down Expand Up @@ -158,7 +160,7 @@ runs:
echo "Creating cluster using config:"
cat constellation-conf.yaml
sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts' || true
constellation create -c ${{ inputs.controlNodesCount }} -w ${{ inputs.workerNodesCount }} --name e2e-test -y --force
constellation create -c ${{ inputs.controlNodesCount }} -w ${{ inputs.workerNodesCount }} -y --force

- name: Cdbg deploy
if: inputs.isDebugImage == 'true'
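--- a/bootstrapper/cmd/bootstrapper/test.go
+++ b/bootstrapper/cmd/bootstrapper/test.go
@@ -21,7 +21,7 @@ type clusterFake struct{}
 
 // InitCluster fakes bootstrapping a new cluster with the current node being the master, returning the arguments required to join the cluster.
 func (c *clusterFake) InitCluster(
-context.Context, string, string, []byte, []uint32, bool, bool,
+context.Context, string, string, string, []byte, []uint32, bool, bool,
 []byte, bool, components.Components, *logger.Logger,
 ) ([]byte, error) {
 return []byte{}, nil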
58 changes: 34 additions & 24 deletions bootstrapper/initproto/init.pb.go


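--- a/bootstrapper/initproto/init.proto
+++ b/bootstrapper/initproto/init.proto
@@ -25,6 +25,7 @@ message InitRequest {
 bool conformance_mode = 14;
 repeated KubernetesComponent kubernetes_components = 15;
 bytes init_secret = 16;
+string cluster_name = 17;
 }
 
 message InitResponse {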
7 changes: 7 additions & 0 deletions bootstrapper/internal/initserver/initserver.go
Expand Up @@ -161,9 +161,15 @@ func (s *Server) Init(ctx context.Context, req *initproto.InitRequest) (*initpro
// Check if we are running on a CVM
_, isCVM := s.issuer.(*snp.Issuer)

clusterName := req.ClusterName
if clusterName == "" {
clusterName = "constellation"
}

kubeconfig, err := s.initializer.InitCluster(ctx,
req.CloudServiceAccountUri,
req.KubernetesVersion,
clusterName,
measurementSalt,
req.EnforcedPcrs,
req.EnforceIdkeydigest,
Expand Down Expand Up @@ -237,6 +243,7 @@ type ClusterInitializer interface {
ctx context.Context,
cloudServiceAccountURI string,
k8sVersion string,
clusterName string,
measurementSalt []byte,
enforcedPcrs []uint32,
enforceIDKeyDigest bool,
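Review bot: `req.ClusterName` reaches kubeadm (as the ClusterConfiguration name and, via `<name>-admin`, as the `--client-name` of the generated admin kubeconfig) with no validation beyond the empty-string default in the lines above the `InitCluster` call; a name containing whitespace, path separators or other non-label characters would only fail late inside kubeadm with an opaque error, or end up verbatim in the kubeconfig. Consider rejecting malformed names up front, e.g. `if len(clusterName) > 63 || !clusterNameRe.MatchString(clusterName) { return nil, fmt.Errorf("invalid cluster name %q", clusterName) }` with an RFC 1123 label pattern compiled once at package scope. Whether an earlier layer (CLI config validation) already enforces this is not visible here; if it does, a short comment on the defaulting block saying so would spare the next reader the same question. Init starts before the hunk (its signature is only visible in the hunk header) and its body continues past the hunk.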
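--- a/bootstrapper/internal/initserver/initserver_test.go
+++ b/bootstrapper/internal/initserver/initserver_test.go
@@ -314,7 +314,7 @@ type stubClusterInitializer struct {
 }
 
 func (i *stubClusterInitializer) InitCluster(
-context.Context, string, string, []byte, []uint32, bool, bool,
+context.Context, string, string, string, []byte, []uint32, bool, bool,
 []byte, bool, components.Components, *logger.Logger,
 ) ([]byte, error) {
 return i.initClusterKubeconfig, i.initClusterErr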
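--- a/bootstrapper/internal/kubernetes/k8sapi/k8sutil.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/k8sutil.go
@@ -28,6 +28,7 @@ import (
 F438 "github.com/edgelesssys/constellation/v2/internal/role"
 "github.com/edgelesssys/constellation/v2/internal/versions/components"
 corev1 "k8s.io/api/core/v1"
+"k8s.io/apiserver/pkg/authentication/user"
 kubeconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
 
 "github.com/edgelesssys/constellation/v2/internal/crypto"
@@ -87,25 +88,26 @@ func (k *KubernetesUtil) InstallComponents(ctx context.Context, kubernetesCompon
 }
 
 // InitCluster instruments kubeadm to initialize the K8s cluster.
+// On success an admin kubeconfig file is returned.
 func (k *KubernetesUtil) InitCluster(
-ctx context.Context, initConfig []byte, nodeName string, ips []net.IP, controlPlaneEndpoint string, conformanceMode bool, log *logger.Logger,
-) error {
+ctx context.Context, initConfig []byte, nodeName, clusterName string, ips []net.IP, controlPlaneEndpoint string, conformanceMode bool, log *logger.Logger,
+) ([]byte, error) {
 // TODO: audit policy should be user input
 auditPolicy, err := resources.NewDefaultAuditPolicy().Marshal()
 if err != nil {
-return fmt.Errorf("generating default audit policy: %w", err)
+return nil, fmt.Errorf("generating default audit policy: %w", err)
 }
 if err := os.WriteFile(auditPolicyPath, auditPolicy, 0o644); err != nil {
-return fmt.Errorf("writing default audit policy: %w", err)
+return nil, fmt.Errorf("writing default audit policy: %w", err)
 }
 
 initConfigFile, err := os.CreateTemp("", "kubeadm-init.*.yaml")
 if err != nil {
-return fmt.Errorf("creating init config file %v: %w", initConfigFile.Name(), err)
+return nil, fmt.Errorf("creating init config file %v: %w", initConfigFile.Name(), err)
 }
 
 if _, err := initConfigFile.Write(initConfig); err != nil {
-return fmt.Errorf("writing kubeadm init yaml config %v: %w", initConfigFile.Name(), err)
+return nil, fmt.Errorf("writing kubeadm init yaml config %v: %w", initConfigFile.Name(), err)
 }
 
 // preflight
@@ -115,9 +117,9 @@ func (k *KubernetesUtil) InitCluster(
 if err != nil {
 var exitErr *exec.ExitError
 if errors.As(err, &exitErr) {
-return fmt.Errorf("kubeadm init phase preflight failed (code %v) with: %s", exitErr.ExitCode(), out)
+return nil, fmt.Errorf("kubeadm init phase preflight failed (code %v) with: %s", exitErr.ExitCode(), out)
 }
-return fmt.Errorf("kubeadm init: %w", err)
+return nil, fmt.Errorf("kubeadm init: %w", err)
 }
 
 // create CA certs
@@ -127,20 +129,20 @@ func (k *KubernetesUtil) InitCluster(
 if err != nil {
 var exitErr *exec.ExitError
 if errors.As(err, &exitErr) {
-return fmt.Errorf("kubeadm init phase certs all failed (code %v) with: %s", exitErr.ExitCode(), out)
+return nil, fmt.Errorf("kubeadm init phase certs all failed (code %v) with: %s", exitErr.ExitCode(), out)
 }
-return fmt.Errorf("kubeadm init: %w", err)
+return nil, fmt.Errorf("kubeadm init: %w", err)
 }
 
 // create kubelet key and CA signed certificate for the node
 log.Infof("Creating signed kubelet certificate")
 if err := k.createSignedKubeletCert(nodeName, ips); err != nil {
-return err
+return nil, fmt.Errorf("creating signed kubelete certificate: %w", err)
 }
 
 log.Infof("Preparing node for Konnectivity")
 if err := k.prepareControlPlaneForKonnectivity(ctx, controlPlaneEndpoint); err != nil {
-return fmt.Errorf("setup konnectivity: %w", err)
+return nil, fmt.Errorf("setup konnectivity: %w", err)
 }
 
 // initialize the cluster
@@ -155,12 +157,29 @@ func (k *KubernetesUtil) InitCluster(
 if err != nil {
 var exitErr *exec.ExitError
 if errors.As(err, &exitErr) {
-return fmt.Errorf("kubeadm init failed (code %v) with: %s", exitErr.ExitCode(), out)
+return nil, fmt.Errorf("kubeadm init failed (code %v) with: %s", exitErr.ExitCode(), out)
 }
-return fmt.Errorf("kubeadm init: %w", err)
+return nil, fmt.Errorf("kubeadm init: %w", err)
 }
 log.With(zap.String("output", string(out))).Infof("kubeadm init succeeded")
-return nil
+
+userName := clusterName + "-admin"
+
+log.With(zap.String("userName", userName)).Infof("Creating admin kubeconfig file")
+cmd = exec.CommandContext(
+ctx, constants.KubeadmPath, "kubeconfig", "user",
+"--client-name", userName, "--config", initConfigFile.Name(), "--org", user.SystemPrivilegedGroup,
+)
+out, err = cmd.Output()
+if err != nil {
+var exitErr *exec.ExitError
+if errors.As(err, &exitErr) {
+return nil, fmt.Errorf("kubeadm kubeconfig user failed (code %v) with: %s", exitErr.ExitCode(), out)
+}
+return nil, fmt.Errorf("kubeadm kubeconfig user: %w", err)
+}
+log.Infof("kubeadm kubeconfig user succeeded")
+return out, nil
 }
 
 func (k *KubernetesUtil) prepareControlPlaneForKonnectivity(ctx context.Context, loadBalancerEndpoint string) error {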
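Review bot: The rewritten error return after `os.CreateTemp` still calls `initConfigFile.Name()` on the nil `*os.File` that CreateTemp returns together with its error, so that failure path panics instead of returning the error; drop the name from the message: `return nil, fmt.Errorf("creating init config file: %w", err)`. In the new `kubeadm kubeconfig user` failure branch, `out` is the command's stdout, which is where kubeadm writes the generated kubeconfig, so on a partial failure the returned error (and whatever logs it) could carry the admin client key; use the captured stderr for the diagnostic instead: `return nil, fmt.Errorf("kubeadm kubeconfig user failed (code %v) with: %s", exitErr.ExitCode(), exitErr.Stderr)`. The new kubelet error string misspells kubelet and should read `"creating signed kubelet certificate: %w"`. The body of InitCluster is interrupted by the collapsed ranges between hunks, so whether the temp config file is closed or removed is not visible here.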
6 changes: 6 additions & 0 deletions bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go
Expand Up @@ -271,6 +271,12 @@ func (k *KubeadmInitYAML) SetNodeName(nodeName string) {
k.InitConfiguration.NodeRegistration.Name = nodeName
}

// SetClusterName sets the name of the Kubernetes cluster.
// This name is reflected in the kubeconfig file and in the name of the default admin user.
func (k *KubeadmInitYAML) SetClusterName(clusterName string) {
k.ClusterConfiguration.ClusterName = clusterName
}

// SetCertSANs sets the SANs for the certificate.
func (k *KubeadmInitYAML) SetCertSANs(certSANs []string) {
for _, certSAN := range certSANs {
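--- a/bootstrapper/internal/kubernetes/k8sutil.go
+++ b/bootstrapper/internal/kubernetes/k8sutil.go
@@ -19,7 +19,7 @@ import (
 
 type clusterUtil interface {
 InstallComponents(ctx cont B925 ext.Context, kubernetesComponents components.Components) error
-InitCluster(ctx context.Context, initConfig []byte, nodeName string, ips []net.IP, controlPlaneEndpoint string, conformanceMode bool, log *logger.Logger) error
+InitCluster(ctx context.Context, initConfig []byte, nodeName, clusterName string, ips []net.IP, controlPlaneEndpoint string, conformanceMode bool, log *logger.Logger) ([]byte, error)
 JoinCluster(ctx context.Context, joinConfig []byte, peerRole role.Role, controlPlaneEndpoint string, log *logger.Logger) error
 FixCilium(log *logger.Logger)
 StartKubelet() error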
29 changes: 0 additions & 29 deletions bootstrapper/internal/kubernetes/kubeconfig.go

This file was deleted.

40 changes: 0 additions & 40 deletions bootstrapper/internal/kubernetes/kubeconfig_test.go

This file was deleted.
