From 362c561bd4f387d3ff8b0d0af1eb18adfa0fb0e4 Mon Sep 17 00:00:00 2001
From: "Madhusudan.C.S"
Date: Sun, 14 Aug 2016 16:54:09 -0700
Subject: [PATCH 1/3] Read the federation controller manager kubeconfig from a filesystem path.

This decoupling from the Kubernetes API allows admins to run federation control plane components wherever they like, even outside Kubernetes.
---
 .../federation-controller-manager/app/controllermanager.go | 7 +------
 .../federation-controller-manager-deployment.yaml | 7 +++++++
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/federation/cmd/federation-controller-manager/app/controllermanager.go b/federation/cmd/federation-controller-manager/app/controllermanager.go
index 4b13ad766d7..ecbc349f245 100644
--- a/federation/cmd/federation-controller-manager/app/controllermanager.go
+++ b/federation/cmd/federation-controller-manager/app/controllermanager.go
@@ -52,10 +52,6 @@ import (
 )
 
 const (
- // TODO(madhusudancs): Consider making this configurable via a flag.
- // "federation-apiserver-kubeconfig" is a reserved secret name which
- // stores the kubeconfig for federation-apiserver.
- KubeconfigSecretName = "federation-apiserver-kubeconfig"
 // "federation-apiserver-secret" was the old name we used to store
 // Federation API server kubeconfig secret. Unfortunately, this name
 // is very close to "federation-apiserver-secrets" and causes a lot
@@ -95,8 +91,7 @@ func Run(s *options.CMServer) error {
 glog.Errorf("unable to register configz: %s", err)
 }
 // Create the config to talk to federation-apiserver.
- kubeconfigGetter := util.KubeconfigGetterForSecret(KubeconfigSecretName)
- restClientCfg, err := clientcmd.BuildConfigFromKubeconfigGetter(s.Master, kubeconfigGetter)
+ restClientCfg, err := clientcmd.BuildConfigFromFlags(s.Master, s.Kubeconfig)
 if err != nil || restClientCfg == nil {
 // Retry with the deprecated name in 1.4.
 // TODO(madhusudancs): Remove this in 1.5.
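Review bot: Removing `KubeconfigSecretName` in the first hunk leaves a reference to it behind: the `fmt.Errorf(...)` call in the retry branch just below the second hunk still passes `KubeconfigSecretName` (that line is only deleted in patch 2/3), so unless the name is declared elsewhere in the package this commit does not build on its own. Dropping that argument from the message in this same commit would keep every step of the series buildable and bisectable. The retry comment kept as context, `// Retry with the deprecated name in 1.4.`, also no longer says what the first attempt was; `// --kubeconfig did not yield a config; retry with the deprecated secret name.` would match the new code. Both the const block and `Run` extend beyond these hunks.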
diff --git a/federation/manifests/federation-controller-manager-deployment.yaml b/federation/manifests/federation-controller-manager-deployment.yaml
index 410936c0ce2..80adab98919 100644
--- a/federation/manifests/federation-controller-manager-deployment.yaml
+++ b/federation/manifests/federation-controller-manager-deployment.yaml
@@ -17,17 +17,24 @@ spec:
 - name: ssl-certs
 hostPath:
 path: /etc/ssl/certs
+ - name: kubeconfig
+ secret:
+ secretName: federation-apiserver-kubeconfig
 containers:
 - name: controller-manager
 volumeMounts:
 - name: ssl-certs
 readOnly: true
 mountPath: /etc/ssl/certs
+ - name: kubeconfig
+ readOnly: true
+ mountPath: "/etc/federation/controller-manager",
 image: {{.FEDERATION_CONTROLLER_MANAGER_IMAGE_REPO}}:{{.FEDERATION_CONTROLLER_MANAGER_IMAGE_TAG}}
 command:
 - /usr/local/bin/hyperkube
 - federation-controller-manager
 - --master=https://{{.FEDERATION_APISERVER_DEPLOYMENT_NAME}}:443
+ - --kubeconfig=/etc/federation/controller-manager/kubeconfig
 - --dns-provider={{.FEDERATION_DNS_PROVIDER}}
 - --dns-provider-config={{.FEDERATION_DNS_PROVIDER_CONFIG}}
 - --federation-name={{.FEDERATION_NAME}}
From dbfc110934df8edfb54f0c97564dfd0cdc49acc3 Mon Sep 17 00:00:00 2001
From: "Madhusudan.C.S"
Date: Wed, 24 Aug 2016 13:47:13 -0700
Subject: [PATCH 2/3] For backwards compatibility, directly try to build the rest client config from the secret if --kubeconfig flag is empty.

---
 .../app/controllermanager.go | 35 +++++++++++++++----
 1 file changed, 29 insertions(+), 6 deletions(-)

diff --git a/federation/cmd/federation-controller-manager/app/controllermanager.go b/federation/cmd/federation-controller-manager/app/controllermanager.go
index ecbc349f245..1da4c74ac2e 100644
--- a/federation/cmd/federation-controller-manager/app/controllermanager.go
+++ b/federation/cmd/federation-controller-manager/app/controllermanager.go
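Review bot: In federation-controller-manager-deployment.yaml (patch 1/3), the added line `mountPath: "/etc/federation/controller-manager",` ends with a comma after the closing quote, which is not valid in a YAML block mapping and will most likely make the rendered manifest fail to parse. It should read `mountPath: /etc/federation/controller-manager`, matching the unquoted `mountPath: /etc/ssl/certs` entry above it. Because `--kubeconfig=/etc/federation/controller-manager/kubeconfig` depends on this mount, a comment beside the volume such as `# the federation-apiserver-kubeconfig secret must carry a key named "kubeconfig"` would tell whoever creates the secret what file name the controller manager expects.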
@@ -90,16 +90,28 @@ func Run(s *options.CMServer) error {
 } else {
 glog.Errorf("unable to register configz: %s", err)
 }
+
+ // If s.Kubeconfig flag is empty, try with the deprecated name in 1.4.
+ // TODO(madhusudancs): Remove this in 1.5.
+ var restClientCfg *restclient.Config
+ var err error
+ if len(s.Kubeconfig) <= 0 {
+ restClientCfg, err = restClientConfigFromSecret(s.Master)
+ if err != nil {
+ return err
+ }
+ }
+
 // Create the config to talk to federation-apiserver.
- restClientCfg, err := clientcmd.BuildConfigFromFlags(s.Master, s.Kubeconfig)
+ restClientCfg, err = clientcmd.BuildConfigFromFlags(s.Master, s.Kubeconfig)
 if err != nil || restClientCfg == nil {
 // Retry with the deprecated name in 1.4.
 // TODO(madhusudancs): Remove this in 1.5.
- var depErr error
- kubeconfigGetter := util.KubeconfigGetterForSecret(DeprecatedKubeconfigSecretName)
- restClientCfg, depErr = clientcmd.BuildConfigFromKubeconfigGetter(s.Master, kubeconfigGetter)
- if depErr != nil {
- return fmt.Errorf("failed to find the secret containing Federation API server kubeconfig, tried the secret name %s and the deprecated name %s: %v, %v", KubeconfigSecretName, DeprecatedKubeconfigSecretName, err, depErr)
+ glog.V(2).Infof("Couldn't build the rest client config from flags: %v", err)
+ glog.V(2).Infof("Trying with deprecated secret: %s", DeprecatedKubeconfigSecretName)
+ restClientCfg, err = restClientConfigFromSecret(s.Master)
+ if err != nil {
+ return err
 }
 }
 
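Review bot: When `--kubeconfig` is set but `BuildConfigFromFlags` fails, the retry branch quietly switches to credentials read from the `DeprecatedKubeconfigSecretName` secret and records the reason only at `glog.V(2)`, so an operator who named an explicit file can end up running with a different credential source without noticing. For an explicitly supplied path it would be safer to fail closed, e.g. `return fmt.Errorf("building rest client config from --kubeconfig %q: %v", s.Kubeconfig, err)`, or at the very least to announce the fallback with `glog.Warningf` instead of `glog.V(2).Infof`. The same branch is carried over, re-indented, in the `@@ -100,18 +99,18 @@` hunk of patch 3/3. `Run` begins and ends outside this hunk.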
@@ -182,3 +194,14 @@ func StartControllers(s *options.CMServer, restClientCfg *restclient.Config) err
 
 select {}
 }
+
+// TODO(madhusudancs): Remove this in 1.5. This is only temporary to give an
+// upgrade path in 1.4.
+func restClientConfigFromSecret(master string) (*restclient.Config, error) {
+ kubeconfigGetter := util.KubeconfigGetterForSecret(DeprecatedKubeconfigSecretName)
+ restClientCfg, err := clientcmd.BuildConfigFromKubeconfigGetter(master, kubeconfigGetter)
+ if err != nil {
+ return nil, fmt.Errorf("failed to find the Federation API server kubeconfig, tried the flags and the deprecated secret %s: %v", DeprecatedKubeconfigSecretName, err)
+ }
+ return restClientCfg, nil
+}
From efafff4078e49e9348e2d34a123983ad39866ab5 Mon Sep 17 00:00:00 2001
From: "Madhusudan.C.S"
Date: Wed, 2 Nov 2016 15:26:50 -0700
Subject: [PATCH 3/3] [Federation] Update the deprecated name for 1.5 and try with flags only when `--kubeconfig` is non-empty.

---
 .../app/controllermanager.go | 49 +++++++++----------
 1 file changed, 24 insertions(+), 25 deletions(-)

diff --git a/federation/cmd/federation-controller-manager/app/controllermanager.go b/federation/cmd/federation-controller-manager/app/controllermanager.go
index 1da4c74ac2e..84bd734913a 100644
--- a/federation/cmd/federation-controller-manager/app/controllermanager.go
+++ b/federation/cmd/federation-controller-manager/app/controllermanager.go
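Review bot: The error text in `restClientConfigFromSecret` (patch 2/3) says `tried the flags and the deprecated secret`, but the helper is also called when `--kubeconfig` is empty, where nothing from the flags has been tried, and it labels every failure of `BuildConfigFromKubeconfigGetter` as "failed to find" even though the visible code does not distinguish a missing secret from any other error. A message limited to what the helper itself did, e.g. `fmt.Errorf("building rest client config from deprecated secret %s: %v", DeprecatedKubeconfigSecretName, err)`, stays accurate on both call paths and makes credential-loading failures easier to triage. The rewording in the last hunk of patch 3/3 (`tried the --kubeconfig flag and ...`) has the same problem. The function also carries only a TODO above it; a doc line such as `// restClientConfigFromSecret builds the rest client config from the kubeconfig stored in the deprecated secret.` would state what it does.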
@@ -52,14 +52,13 @@ import (
 )
 
 const (
- // "federation-apiserver-secret" was the old name we used to store
- // Federation API server kubeconfig secret. Unfortunately, this name
- // is very close to "federation-apiserver-secrets" and causes a lot
- // of confusion, particularly while debugging. So deprecating it in
- // favor of the new name but giving people time to migrate.
- // TODO(madhusudancs): this name is deprecated in 1.4 and should be
- // removed in 1.5. Remove it in 1.5.
- DeprecatedKubeconfigSecretName = "federation-apiserver-secret"
+ // "federation-apiserver-kubeconfig" was the old name we used to
+ // store Federation API server kubeconfig secret. We are
+ // deprecating it in favor of `--kubeconfig` flag but giving people
+ // time to migrate.
+ // TODO(madhusudancs): this name is deprecated in 1.5 and should be
+ // removed in 1.6. Remove it in 1.6.
+ DeprecatedKubeconfigSecretName = "federation-apiserver-kubeconfig"
 )
 
 // NewControllerManagerCommand creates a *cobra.Command object with default parameters
@@ -91,8 +90,8 @@ func Run(s *options.CMServer) error {
 glog.Errorf("unable to register configz: %s", err)
 }
 
- // If s.Kubeconfig flag is empty, try with the deprecated name in 1.4.
- // TODO(madhusudancs): Remove this in 1.5.
+ // If s.Kubeconfig flag is empty, try with the deprecated name in 1.5.
+ // TODO(madhusudancs): Remove this in 1.6.
 var restClientCfg *restclient.Config
 var err error
 if len(s.Kubeconfig) <= 0 {
@@ -100,18 +99,18 @@ func Run(s *options.CMServer) error {
 if err != nil {
 return err
 }
- }
-
- // Create the config to talk to federation-apiserver.
- restClientCfg, err = clientcmd.BuildConfigFromFlags(s.Master, s.Kubeconfig)
- if err != nil || restClientCfg == nil {
- // Retry with the deprecated name in 1.4.
- // TODO(madhusudancs): Remove this in 1.5.
- glog.V(2).Infof("Couldn't build the rest client config from flags: %v", err)
- glog.V(2).Infof("Trying with deprecated secret: %s", DeprecatedKubeconfigSecretName)
- restClientCfg, err = restClientConfigFromSecret(s.Master)
- if err != nil {
- return err
+ } else {
+ // Create the config to talk to federation-apiserver.
+ restClientCfg, err = clientcmd.BuildConfigFromFlags(s.Master, s.Kubeconfig)
+ if err != nil || restClientCfg == nil {
+ // Retry with the deprecated name in 1.5.
+ // TODO(madhusudancs): Remove this in 1.6.
+ glog.V(2).Infof("Couldn't build the rest client config from flags: %v", err)
+ glog.V(2).Infof("Trying with deprecated secret: %s", DeprecatedKubeconfigSecretName)
+ restClientCfg, err = restClientConfigFromSecret(s.Master)
+ if err != nil {
+ return err
+ }
 }
 }
 
@@ -195,13 +194,13 @@ func StartControllers(s *options.CMServer, restClientCfg *restclient.Config) err
 select {}
 }
 
-// TODO(madhusudancs): Remove this in 1.5. This is only temporary to give an
-// upgrade path in 1.4.
+// TODO(madhusudancs): Remove this in 1.6. This is only temporary to give an
+// upgrade path in 1.4/1.5.
 func restClientConfigFromSecret(master string) (*restclient.Config, error) {
 kubeconfigGetter := util.KubeconfigGetterForSecret(DeprecatedKubeconfigSecretName)
 restClientCfg, err := clientcmd.BuildConfigFromKubeconfigGetter(master, kubeconfigGetter)
 if err != nil {
- return nil, fmt.Errorf("failed to find the Federation API server kubeconfig, tried the flags and the deprecated secret %s: %v", DeprecatedKubeconfigSecretName, err)
+ return nil, fmt.Errorf("failed to find the Federation API server kubeconfig, tried the --kubeconfig flag and the deprecated secret %s: %v", DeprecatedKubeconfigSecretName, err)
 }
 return restClientCfg, nil
 }