Automatic merge from submit-queue (batch tested with PRs 39684, 39577, 38989, 39534, 39702)
kubeadm: refactored token discovery.
**What this PR does / why we need it**: refactored `kubeadm` token discovery to follow the discovery interface and use new TLS bootstrap mechanism.
/cc @luxas @mikedanese
Adds kubeadm subcommands to create, list, and delete bootstrap tokens.
Tokens can be created with a TTL duration, or 0 for tokens that will not
expire. The create command can also be used to specify your own token
(for use when bootstrapping masters and nodes in parallel), or update an
existing token's secret or ttl.
Marked "ex" for experimental for now as the boostrap controllers are not
yet hooked up in core.
Automatic merge from submit-queue
path.Clean paths in GlobalEnvParams and remove unnecessary path.Join
**What this PR does / why we need it**:
1. clean all paths in `GlobalEnvParams`
1. remove unnecessary path.Join call in `pki.go`
2. fix some typos and comment errors
Signed-off-by: bruceauyeung <ouyang.qinhua@zte.com.cn>
Automatic merge from submit-queue (batch tested with PRs 37270, 38309, 37568, 34554)
kubeadm UX improvements for the v1.5 stable release
This PR targets the next stable kubeadm release.
It's work in progress, but please comment on it and review, since there are many changes.
I tried to group the commits logically, so you can review them separately.
Q: Why this large PR? Why not many small?
A: Because of the Submit Queue and the time it takes.
PTAL @kubernetes/sig-cluster-lifecycle
_Edit:_ This work was splitted up in three PRs in total
Fix boilerplates, comments in the code and make the output of kubeadm more user-friendly
Start using HostPKIPath and KubernetesDir everywhere in the code, so they can be changed for real
More robust kubeadm reset code now.
Removed old glog-things from app.Run()
Renamed /etc/kubernetes/cloud-config.json to /etc/kubernetes/cloud-config since it shouldn't be a json file
Simplification of the code
Less verbose output from master/pki.go
Cleaned up dead code
Start a small logging/output framework:
- fmt.Println("[the-stage-here] Capital first letter of this message. Tell the user what the current state is")
- fmt.Printf("[the-stage-here] Capital first letter. Maybe a [%v] in the end if an error should be displayed. Always ends with \n")
- fmt.Errorf("Never starts with []. Includes a short error message plus the underlying error in [%v]. Never ends with \n")
Automatic merge from submit-queue (batch tested with PRs 38294, 37009, 36778, 38130, 37835)
Add a cloudprovider validator flag to kubeadm and update the DNS spec
Broken out from: https://github.com/kubernetes/kubernetes/pull/37568
This PR creates a flag for `cloud-provider` that validates the value before `RunInit()` is run, which makes it now act as a "real" flag
Then it removes the `k8s.io/kubernetes/pkg/cloudprovider` dependency, which makes the binary ~40MB smaller! That's _really_ worth it!
In the second commit, the DNS addon is updated to the latest version: https://github.com/kubernetes/kubernetes/blob/master/cluster/addons/dns/skydns-rc.yaml.base
@kubernetes/sig-cluster-lifecycle
Automatic merge from submit-queue (batch tested with PRs 35300, 36709, 37643, 37813, 37697)
Revert "[kubeadm] use iteration instead of recursion in function"
Reverts kubernetes/kubernetes#36625
Removing the recursive call means that `n` is never updated, so you never succeed in the update, and you've creating an infinite loop.
Also, this entire bit of functionality should be a patch and you won't have to worry about conflicts.
@luxas
Automatic merge from submit-queue
change unconfined_t to spc_t
**What this PR does / why we need it**:
When installing kube via kubeadm on a system w/ selinux enabled, it's necessary to disable selinux in order for the etcd and kube-discovery containers to run.
The kube etcd and discovery pods are currently set to unconfined_t in order to avoid disabling selinux, but the correct type for an unconfined container is spc_t. For more information, see http://danwalsh.livejournal.com/2016/10/03/.
Automatic merge from submit-queue
[kubeadm] use iteration instead of recursion in function
**What this PR does / why we need it**:
before this PR, function `attemptToUpdateMasterRoleLabelsAndTaints` recursively call itself. there are some defeats in it:
1. potential stack overflow.
2. unnecessary extra `json.Marshal` calls.
3. unnecessary extra `client.Nodes().List` calls.
this PR rewrite `attemptToUpdateMasterRoleLabelsAndTaints` function, use iterate instead of recursion.
so these 3 defeats the metioned above are gone.
Signed-off-by: bruceauyeung <ouyang.qinhua@zte.com.cn>
Automatic merge from submit-queue
kubeadm: changed tests to be table driven
Small change to migrate tests in kubeadm/app/util/tokens_test.go to be table driven which should make adding more tests in the future easier and also have them match how other tests are being written.
This PR is part of the ongoing effort to add tests (#35025)
The kube etcd and discovery pods are set to unconfined_t in
order to avoid disabling selinux, but the correct type for
an unconfined container is spc_t. For more information, see
http://danwalsh.livejournal.com/2016/10/03/.
Previously, GetEnvParams (now called SetEnvParams) had no way of being altered unless
it was through enviroment variables. These changes allow for a global
EnvParam to be set and also altered while still initally getting their value from
set enviroment variables. This change is especially helpful for testing
(see kubeadm/app/util/kubeconfig_test.go).
Automatic merge from submit-queue
Test API more extensivelly before declaring readiness
**What this PR does / why we need it**:
It's possible that first deployment kubeadm creates will hit `deployments.extensions "kube-discovery" is forbidden: not yet ready to handle request`, which comes from NamespaceLifecycle admission controller and has something to do with cache. According to @derekwaynecarr, we need to create a namespace-scoped resource to really check for this. I didn't want to make a check with deployment of whatever comes first right now, and decided to have explicit step for this in `apiclient.go`.
**Which issue this PR fixes**: fixes#34411
**Special notes for your reviewer**: @kubernetes/sig-cluster-lifecycle
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue
Do not probe so aggressively which may lead to unnecessary restarts
@errordeveloper @mikedanese PTAL
I came across a case where etcd restarted about 5-10 times because the load was very high on the machine.
The load seems to have lead to that the `etcd` container occasionally didn't respond to the probe, which caused many restart and made the whole thing even worse.
Maybe we should remove the etcd probe totally? I don't know, what do you think?
This is at least a try to loosen the limits here...
Automatic merge from submit-queue
Kubeadm: print information about certificates
Prints basic information about certificates to the user.
Example of `kubeadm init` output:
```
<master/pki> generated Certificate Authority key and certificate:
Issuer: CN=kubernetes | Subject: CN=kubernetes | CA: true
Not before: 2016-09-30 11:19:19 +0000 UTC Not After: 2026-09-28 11:19:19 +0000 UTC
Public: /etc/kubernetes/pki/ca-pub.pem
Private: /etc/kubernetes/pki/ca-key.pem
Cert: /etc/kubernetes/pki/ca.pem
<master/pki> generated API Server key and certificate:
Issuer: CN=kubernetes | Subject: CN=kube-apiserver | CA: false
Not before: 2016-09-30 11:19:19 +0000 UTC Not After: 2017-09-30 11:19:19 +0000 UTC
Alternate Names: [172.18.76.239 10.0.0.1 kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local]
Public: /etc/kubernetes/pki/apiserver-pub.pem
Private: /etc/kubernetes/pki/apiserver-key.pem
Cert: /etc/kubernetes/pki/apiserver.pem
<master/pki> generated Service Account Signing keys:
Public: /etc/kubernetes/pki/sa-pub.pem
Private: /etc/kubernetes/pki/sa-key.pem
```
Example of `kubeadm join` command:
```
<node/csr> received signed certificate from the API server:
Issuer: CN=kubernetes | Subject: CN=system:node:minion | CA: false
Not before: 2016-09-30 11:28:00 +0000 UTC Not After: 2017-09-30 11:28:00 +0000 UTC
```
Fixes#33642
cc @kubernetes/sig-cluster-lifecycle
Currently the boostrap fails when a token is provided by the user
on `master init` and works when the token is generated. This is
because of a mismatch of how the token string in the kube-discovery
secret is encoded.
NickrenREN