Merge pull request #30601 from madhusudancs/fed-cm-kubeconfig-from-flags

Automatic merge from submit-queue

Read the federation controller manager kubeconfig from a filesystem path

This decoupling from the Kubernetes API allows admins to run federation control plane components wherever they like, even outside Kubernetes. This also makes the federation controller manager read its config from one single place in a uniform and/or consistent way, instead of spreading the config around command line flags and secrets.

``` release-note
Federation controller manager can consume the federation API server kubeconfig from a file configured via --kubeconfig flag.

If you are upgrading your Cluster Federation components from v1.4.x, please update your `federation-apiserver` and `federation-controller-manager` manifests to the new version:
```

cc @kubernetes/sig-cluster-federation

federation/cmd/federation-controller-manager/app/controllermanager.go

@@ -53,18 +53,13 @@ import (
 )
 
 const (
-	// TODO(madhusudancs): Consider making this configurable via a flag.
-	// "federation-apiserver-kubeconfig" is a reserved secret name which
-	// stores the kubeconfig for federation-apiserver.
-	KubeconfigSecretName = "federation-apiserver-kubeconfig"
-	// "federation-apiserver-secret" was the old name we used to store
-	// Federation API server kubeconfig secret. Unfortunately, this name
-	// is very close to "federation-apiserver-secrets" and causes a lot
-	// of confusion, particularly while debugging. So deprecating it in
-	// favor of the new name but giving people time to migrate.
-	// TODO(madhusudancs): this name is deprecated in 1.4 and should be
-	// removed in 1.5. Remove it in 1.5.
-	DeprecatedKubeconfigSecretName = "federation-apiserver-secret"
+	// "federation-apiserver-kubeconfig" was the old name we used to
+	// store Federation API server kubeconfig secret. We are
+	// deprecating it in favor of `--kubeconfig` flag but giving people
+	// time to migrate.
+	// TODO(madhusudancs): this name is deprecated in 1.5 and should be
+	// removed in 1.6. Remove it in 1.6.
+	DeprecatedKubeconfigSecretName = "federation-apiserver-kubeconfig"
 )
 
 // NewControllerManagerCommand creates a *cobra.Command object with default parameters
@@ -95,17 +90,28 @@ func Run(s *options.CMServer) error {
 	} else {
 		glog.Errorf("unable to register configz: %s", err)
 	}
-	// Create the config to talk to federation-apiserver.
-	kubeconfigGetter := util.KubeconfigGetterForSecret(KubeconfigSecretName)
-	restClientCfg, err := clientcmd.BuildConfigFromKubeconfigGetter(s.Master, kubeconfigGetter)
-	if err != nil || restClientCfg == nil {
-		// Retry with the deprecated name in 1.4.
-		// TODO(madhusudancs): Remove this in 1.5.
-		var depErr error
-		kubeconfigGetter := util.KubeconfigGetterForSecret(DeprecatedKubeconfigSecretName)
-		restClientCfg, depErr = clientcmd.BuildConfigFromKubeconfigGetter(s.Master, kubeconfigGetter)
-		if depErr != nil {
-			return fmt.Errorf("failed to find the secret containing Federation API server kubeconfig, tried the secret name %s and the deprecated name %s: %v, %v", KubeconfigSecretName, DeprecatedKubeconfigSecretName, err, depErr)
+
+	// If s.Kubeconfig flag is empty, try with the deprecated name in 1.5.
+	// TODO(madhusudancs): Remove this in 1.6.
+	var restClientCfg *restclient.Config
+	var err error
+	if len(s.Kubeconfig) <= 0 {
+		restClientCfg, err = restClientConfigFromSecret(s.Master)
+		if err != nil {
+			return err
+		}
+	} else {
+		// Create the config to talk to federation-apiserver.
+		restClientCfg, err = clientcmd.BuildConfigFromFlags(s.Master, s.Kubeconfig)
+		if err != nil || restClientCfg == nil {
+			// Retry with the deprecated name in 1.5.
+			// TODO(madhusudancs): Remove this in 1.6.
+			glog.V(2).Infof("Couldn't build the rest client config from flags: %v", err)
+			glog.V(2).Infof("Trying with deprecated secret: %s", DeprecatedKubeconfigSecretName)
+			restClientCfg, err = restClientConfigFromSecret(s.Master)
+			if err != nil {
+				return err
+			}
 		}
 	}
 
@@ -192,3 +198,14 @@ func StartControllers(s *options.CMServer, restClientCfg *restclient.Config) err
 
 	select {}
 }
+
+// TODO(madhusudancs): Remove this in 1.6. This is only temporary to give an
+// upgrade path in 1.4/1.5.
+func restClientConfigFromSecret(master string) (*restclient.Config, error) {
+	kubeconfigGetter := util.KubeconfigGetterForSecret(DeprecatedKubeconfigSecretName)
+	restClientCfg, err := clientcmd.BuildConfigFromKubeconfigGetter(master, kubeconfigGetter)
+	if err != nil {
+		return nil, fmt.Errorf("failed to find the Federation API server kubeconfig, tried the --kubeconfig flag and the deprecated secret %s: %v", DeprecatedKubeconfigSecretName, err)
+	}
+	return restClientCfg, nil
+}

federation/manifests/federation-controller-manager-deployment.yaml

@@ -17,17 +17,24 @@ spec:
       - name: ssl-certs
         hostPath:
           path: /etc/ssl/certs
+      - name: kubeconfig
+        secret:
+          secretName: federation-apiserver-kubeconfig
       containers:
       - name: controller-manager
         volumeMounts:
         - name: ssl-certs
           readOnly: true
           mountPath: /etc/ssl/certs
+        - name: kubeconfig
+          readOnly: true
+          mountPath: "/etc/federation/controller-manager",
         image: {{.FEDERATION_CONTROLLER_MANAGER_IMAGE_REPO}}:{{.FEDERATION_CONTROLLER_MANAGER_IMAGE_TAG}}
         command:
         - /usr/local/bin/hyperkube
         - federation-controller-manager
         - --master=https://{{.FEDERATION_APISERVER_DEPLOYMENT_NAME}}:443
+        - --kubeconfig=/etc/federation/controller-manager/kubeconfig
         - --dns-provider={{.FEDERATION_DNS_PROVIDER}}
         - --dns-provider-config={{.FEDERATION_DNS_PROVIDER_CONFIG}}
         - --federation-name={{.FEDERATION_NAME}}