Merge pull request #2674 from rawmind0/kdmmaster

Bump KDM and go generate

cluster/addons.go

@@ -53,11 +53,15 @@ const (
 	Nodelocal       = "nodelocal"
 
 	NginxIngressAddonAppName                 = "ingress-nginx"
+	NginxIngressAddonAppNamespace            = "ingress-nginx"
 	NginxIngressAddonDefaultBackendName      = "default-http-backend"
 	NginxIngressAddonDefaultBackendNamespace = "ingress-nginx"
 )
 
-var DNSProviders = []string{KubeDNSProvider, CoreDNSProvider}
+var (
+	DNSProviders              = []string{KubeDNSProvider, CoreDNSProvider}
+	NginxIngressAddonJobNames = []string{"ingress-nginx-admission-create", "ingress-nginx-admission-patch"}
+)
 
 type ingressOptions struct {
 	RBACConfig                              string
@@ -613,6 +617,20 @@ func (c *Cluster) deployIngress(ctx context.Context, data map[string]interface{}
 		if version < "0.16.0" {
 			ingressConfig.AlpineImage = c.SystemImages.Alpine
 		}
+		// since nginx ingress controller 0.40.0, admission batch jobs are deployed.
+		// Before deployment of the new ingress controller based on the update strategy, remove admission batch jobs if they exist.
+		if version > "0.40.0" {
+			log.Infof(ctx, "[ingress] removing admission batch jobs if they exist")
+			kubeClient, err := k8s.NewClient(c.LocalKubeConfigPath, c.K8sWrapTransport)
+			if err != nil {
+				return err
+			}
+			for _, jobName := range NginxIngressAddonJobNames {
+				if err = k8s.DeleteK8sJobIfExists(kubeClient, jobName, NginxIngressAddonAppNamespace); err != nil {
+					return err
+				}
+			}
+		}
 	}
 	tmplt, err := templates.GetVersionedTemplates(kdm.NginxIngress, data, c.Version)
 	if err != nil {

cluster/validation.go

@@ -54,11 +54,6 @@ func (c *Cluster) ValidateCluster(ctx context.Context) error {
 		return err
 	}
 
-	// validate registry credential plugin
-	if err := validateRegistryAuthPlugin(c); err != nil {
-		return err
-	}
-
 	// validate services options
 	return validateServicesOptions(c)
 }
@@ -654,19 +649,3 @@ func validateCRIDockerdOption(c *Cluster) error {
 	}
 	return nil
 }
-
-func validateRegistryAuthPlugin(c *Cluster) error {
-	for _, pr := range c.PrivateRegistriesMap {
-		if len(pr.CredentialPlugin) != 0 {
-			if credPluginType, ok := pr.CredentialPlugin["type"]; ok {
-				switch credPluginType {
-				case "ecr":
-					logrus.Debugf("Plugin type %s is valid", credPluginType)
-				default:
-					return fmt.Errorf("invalid registry plugin helper provided for %s", pr.URL)
-				}
-			}
-		}
-	}
-	return nil
-}

docker/docker.go

@@ -672,18 +672,10 @@ func tryRegistryAuth(pr v3.PrivateRegistry) types.RequestPrivilegeFunc {
 func getRegistryAuth(pr v3.PrivateRegistry) (string, error) {
 	var authConfig types.AuthConfig
 	var err error
-	if len(pr.User) == 0 && len(pr.Password) == 0 && len(pr.CredentialPlugin) != 0 {
-		if regType, ok := pr.CredentialPlugin["type"]; ok {
-			switch regType {
-			case "ecr":
-				// generate ecr authConfig
-				authConfig, err = util.ECRCredentialPlugin(pr.CredentialPlugin, pr.URL)
-				if err != nil {
-					return "", err
-				}
-			default:
-				return "", fmt.Errorf("Unsupported Credential Plugin")
-			}
+	if len(pr.User) == 0 && len(pr.Password) == 0 && pr.ECRCredentialPlugin != nil {
+		authConfig, err = util.ECRCredentialPlugin(pr.ECRCredentialPlugin, pr.URL)
+		if err != nil {
+			return "", err
 		}
 	} else {
 		authConfig = types.AuthConfig{
@@ -761,12 +753,8 @@ func GetKubeletDockerConfig(prsMap map[string]v3.PrivateRegistry) (string, error
 	auths := map[string]authConfig{}
 	credHelper := make(map[string]string)
 	for url, pr := range prsMap {
-		if len(pr.CredentialPlugin) != 0 {
-			if credPluginType, ok := pr.CredentialPlugin["type"]; ok {
-				if credPluginType == "ecr" {
-					credHelper[pr.URL] = "ecr-login"
-				}
-			}
+		if pr.ECRCredentialPlugin != nil {
+			credHelper[pr.URL] = "ecr-login"
 		} else {
 			auth := base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", pr.User, pr.Password)))
 			auths[url] = authConfig{Auth: auth}

k8s/job.go

@@ -71,6 +71,13 @@ func DeleteK8sSystemJob(jobYaml string, k8sClient *kubernetes.Clientset, timeout
 	return nil
 }
 
+func DeleteK8sJobIfExists(k8sClient *kubernetes.Clientset, name, namespace string) error {
+	if err := deleteK8sJob(k8sClient, name, namespace); err != nil && !apierrors.IsNotFound(err) {
+		return err
+	}
+	return nil
+}
+
 func ensureJobCompleted(k8sClient *kubernetes.Clientset, j interface{}) error {
 	job := j.(v1.Job)
 

types/rke_types.go

@@ -110,8 +110,8 @@ type PrivateRegistry struct {
 	Password string `yaml:"password" json:"password,omitempty" norman:"type=password"`
 	// Default registry
 	IsDefault bool `yaml:"is_default" json:"isDefault,omitempty"`
-	// CredentialPlugin
-	CredentialPlugin map[string]string `yaml:"credentialPlugin" json:"credentialPlugin,omitempty"`
+	// ECRCredentialPlugin
+	ECRCredentialPlugin *ECRCredentialPlugin `yaml:"ecr_credential_plugin" json:"ecrCredentialPlugin,omitempty"`
 }
 
 type RKESystemImages struct {
@@ -1011,3 +1011,9 @@ type NodeDrainInput struct {
 	// Time to wait (in seconds) before giving up for one try
 	Timeout int `yaml:"timeout" json:"timeout" norman:"min=1,max=10800,default=120"`
 }
+
+type ECRCredentialPlugin struct {
+	AwsAccessKeyID     string `yaml:"aws_access_key_id" json:"awsAccessKeyId,omitempty"`
+	AwsSecretAccessKey string `yaml:"aws_secret_access_key" json:"awsSecretAccessKey,omitempty"`
+	AwsSessionToken    string `yaml:"aws_session_token" json:"awsAccessToken,omitempty"`
+}

types/zz_generated_deepcopy.go

@@ -554,6 +554,22 @@ func (in *DiskVsphereOpts) DeepCopy() *DiskVsphereOpts {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ECRCredentialPlugin) DeepCopyInto(out *ECRCredentialPlugin) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ECRCredentialPlugin.
+func (in *ECRCredentialPlugin) DeepCopy() *ECRCredentialPlugin {
+	if in == nil {
+		return nil
+	}
+	out := new(ECRCredentialPlugin)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ETCDService) DeepCopyInto(out *ETCDService) {
 	*out = *in
@@ -1354,12 +1370,10 @@ func (in *PortCheck) DeepCopy() *PortCheck {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PrivateRegistry) DeepCopyInto(out *PrivateRegistry) {
 	*out = *in
-	if in.CredentialPlugin != nil {
-		in, out := &in.CredentialPlugin, &out.CredentialPlugin
-		*out = make(map[string]string, len(*in))
-		for key, val := range *in {
-			(*out)[key] = val
-		}
+	if in.ECRCredentialPlugin != nil {
+		in, out := &in.ECRCredentialPlugin, &out.ECRCredentialPlugin
+		*out = new(ECRCredentialPlugin)
+		**out = **in
 	}
 	return
 }

util/ecr.go

@@ -6,11 +6,14 @@ import (
 	"regexp"
 	"strings"
 
+	"github.com/sirupsen/logrus"
+
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/credentials"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/ecr"
 	"github.com/docker/docker/api/types"
+	v3 "github.com/rancher/rke/types"
 )
 
 const proxyEndpointScheme = "https://"
@@ -18,7 +21,13 @@ const proxyEndpointScheme = "https://"
 var ecrPattern = regexp.MustCompile(`(^[a-zA-Z0-9][a-zA-Z0-9-_]*)\.dkr\.ecr(\-fips)?\.([a-zA-Z0-9][a-zA-Z0-9-_]*)\.amazonaws\.com(\.cn)?`)
 
 // ECRCredentialPlugin is a wrapper to generate ECR token using the AWS Credentials
-func ECRCredentialPlugin(plugin map[string]string, pr string) (authConfig types.AuthConfig, err error) {
+func ECRCredentialPlugin(plugin *v3.ECRCredentialPlugin, pr string) (authConfig types.AuthConfig, err error) {
+	if plugin == nil {
+		err = fmt.Errorf("ECRCredentialPlugin: ECRCredentialPlugin called with nil plugin data")
+		return authConfig, err
+	}
+
+	logrus.Tracef("ECRCredentialPlugin: ECRCredentialPlugin called with plugin [%v] and pr [%s]", plugin, pr)
 
 	if strings.HasPrefix(pr, proxyEndpointScheme) {
 		pr = strings.TrimPrefix(pr, proxyEndpointScheme)
@@ -34,17 +43,16 @@ func ECRCredentialPlugin(plugin map[string]string, pr string) (authConfig types.
 		Region: aws.String(matches[3]),
 	}
 
+	logrus.Debugf("ECRCredentialPlugin: Setting Region to [%s]", matches[3])
 	var sess *session.Session
-	awsAccessKeyID, accessKeyOK := plugin["aws_access_key_id"]
-	awsSecretAccessKey, secretKeyOK := plugin["aws_secret_access_key"]
 
 	// Use predefined keys and override env lookup if keys are present //
-	if accessKeyOK && secretKeyOK {
-		// if session token doesnt exist just pass empty string
-		awsSessionToken := plugin["aws_session_token"]
-		config.Credentials = credentials.NewStaticCredentials(awsAccessKeyID, awsSecretAccessKey, awsSessionToken)
+	if plugin.AwsAccessKeyID != "" && plugin.AwsSecretAccessKey != "" {
+		// if session token doesn't exist just pass empty string
+		config.Credentials = credentials.NewStaticCredentials(plugin.AwsAccessKeyID, plugin.AwsSecretAccessKey, plugin.AwsSessionToken)
 		sess, err = session.NewSession(config)
 	} else {
+		logrus.Debug("ECRCredentialPlugin: aws_access_key_id and aws_secret_access_key keys not in plugin, using IAM role or env variables")
 		sess, err = session.NewSessionWithOptions(session.Options{
 			Config:            *config,
 			SharedConfigState: session.SharedConfigEnable,
@@ -52,6 +60,7 @@ func ECRCredentialPlugin(plugin map[string]string, pr string) (authConfig types.
 	}
 
 	if err != nil {
+		logrus.Trace("ECRCredentialPlugin: Error found while constructing auth session, returning authConfig")
 		return authConfig, err
 	}