Kubeadm upload and fetch of kubeam config v1alpha3

[fabriziopandini]

What this PR does / why we need it:
This PR implements upload and fetch of kubeam config v1alpha3 from cluster.

More in detail:
In upload, kubeadm-config gets

• ClusterConfiguration (without components config which are already stored in separated ConfigMaps)
• ClusterStatus(initialised or updated with the API endpoint of the current node)

During fetch InitConfiguration is composed with:

• ClusterConfiguration from kubeadm-config
• The APIEndpoint of the current node from ClusterStatus in kubeadm-config
• Component configs from corresponding ConfigMaps

Which issue(s) this PR fixes :
refs kubernetes/kubeadm#911, refs kubernetes/kubeadm#963

Special notes for your reviewer:
In order to implement this it was necessary to extend current component config management with a new GetFromConfigMap operation. This is implemented in a separated commit "
implement component configs GetFromConfigMap".
The real change build on this (commi "upload and fetch kubeadm v1alpha3")

Release note:

NONE

/cc @kubernetes/sig-cluster-lifecycle-pr-reviews
/sig cluster-lifecycle
/area kubeadm
/kind enhancement
/assign @luxas
/assign @timothysc
/cc @chuckha @rosti @neolit123 @liztio

[neolit123]

thanks @fabriziopandini
added minor comments but also commented on the usage of ChooseBindAddress that we talked about last time. we might need something more unique here, unless i'm mistaken.

[neolit123]

to retry -> to get?

[neolit123]

so if we have the following scenario:

• machine A is a master node and ChooseBindAddress returned 192.168.0.1 for it.
• machine B in a different network want to join the cluster but ChooseBindAddress also returns 192.168.0.1 for it.
• both nodes have the same ID/local IP, even if technically for node B to join node A it needs it's external IP.

hostnames suffer from the same problem.
i think we might have to do UUIDs, but this needs platform specific code.

[fabriziopandini]

@neolit123 how frequent is this case?
However, If there is a library already vendored in kubernetes for getting UUIDs I can try to switch...

[neolit123]

i think it's a general issue when nodes are not on the same sub-network?

[timothysc]

I think generating some UUID is pretty useful when folks are changing nodes in a virutual infra will be useful.

[neolit123]

i can't find a vendored "system" uuid lib in k8s - i.e. a library for returning the uuid of the machine.

there is this, but this library is just for generating a RFC compliant random uuid:
https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apimachinery/pkg/util/uuid/uuid.go

we need something like:
https://github.com/denisbrodbeck/machineid
the methods that the library uses are outlined here:
https://github.com/denisbrodbeck/machineid#snippets

[rosti]

I like the idea of UUIDs here. IP change can cause issues.

On the other hand, the machineid library queries OS maintained IDs. These are usually generated upon first boot, install or regenerated if missing on boot. They can be the same if a VM is created from a template and these are not taken care of correctly.

[rosti]

Meanwhile, in our own documentation:
https://kubernetes.io/docs/setup/independent/install-kubeadm/#verify-the-mac-address-and-product-uuid-are-unique-for-every-node

[neolit123]

i can't find MAC address handling in the k/k codebase.

closed PR that introduced machine IDs for host names:
#52625

closed issue about node uniqueness:
#6557

[neolit123]

@fabriziopandini we talked about this at the kubeadm office hours today.

Jason reminded us that the node name should be unique for a cluster to work anyway so we can use that as the key for the status map:

from @detiber

More specifically, this should be "node name" being either the user-supplied override in the kubeadm config or the default detected node name (generally the hostname here)

[neolit123]

2018

[neolit123]

Couldn't -> couldn't

[neolit123]

Unexpected -> unexpected

[neolit123]

Error getting -> error getting

[neolit123]

Couldn't -> couldn't

[rosti]

@fabriziopandini Thanks for the effort! Has a few minor nits, but otherwise it LGTM.

[rosti]

Perhaps print actual and expected here?

[rosti]

The actual error message is missing here

[rosti]

We may need to keep an updated version of this TODO for the future.
Ideally we should not be forced to have InitConfiguration for anything else than kubeadm init. I am not sure, that ClusterConfiguration is the answer too (since APIEndpoint is not part of it).
It may be something else, but we may just keep some TODO here, just to mark our intent in reducing the InitConfiguration usages in the long run.

[fabriziopandini]

Here I removed the comment about ClusterConfiguration because we know this isn't the right approach.

For the long run I agree 100% with your intent of reducing the InitConfiguration usages, but better track this with an issue than TODOs in the code.
If you can kindly open the issue this will be great 😉

[rosti]

Filed kubernetes/kubeadm#1084

[timothysc]

I only did a quick scan, let me know when you're ready and I'll go through this in detail.

[timothysc]

I think generating some UUID is pretty useful when folks are changing nodes in a virutual infra will be useful.

[timothysc]

umm

[fabriziopandini]

Forget it, now removed

[timothysc]

?

[fabriziopandini]

This is the key name used in kube-proxy manifest.. just refactored in a constant because it is now used in different places.

[rosti]

Is the trailing s desired?

[fabriziopandini]

No, now fixed, thanks

[fabriziopandini]

@timothysc

1. Implemented the logic for getting the node name from the kubelet.conf. However it was necessary to get the user name from x509 certificate and manage two cases:
   • kubelet.conf generated by kubeadm
   • kubelet.conf generated by TLSBootstrap.
2. Used the node name as a key for the ClusterConfig.APIEndpoints map (insterad of the netutil.ChooseBindAddress or hostname)
3. Implemented a lot of unit tests for all the upload /fetch config jiggery
4. Fixed kubeadm join --control-plane, kubeadm upgrade and kubeadm upgrade node --control-plane workflows with the new upload /fetch config jiggery removing some TODOs left in previous PRs
5. completed first rounds of manual testing:
   • V1.11.2 --> v1.12.0
   • V1.12.0 with two masters --> v1.12.1

[timothysc]

1st pass run through.

[timothysc]

should you index check 1st otherwise you could SEGV here. .Data[kubeadmconstants.KubeletBaseConfigurationConfigMapKey]

[fabriziopandini]

fixed + added UT

[timothysc]

Same comment.

[fabriziopandini]

same

[timothysc]

I swear these functions exist elsewhere.

[fabriziopandini]

This function uses a scheme with component configs api registered.
The other unmarshal func uses a scheme with only kubeadm types registered

[timothysc]

Do we have tests to validate the updated RBAC rules?

[fabriziopandini]

The only test on RBAC I'm aware of are in test\e2e_kubeadm but I'm not sure if those test are used in test grid batches...

[timothysc]

I think we are ok for now, but we should add a //TODO use configmap locks on this object on the get before the update. We may even bug fix that after the freeze

/cc @liztio

[fabriziopandini]

done

[neolit123]

LGTM

[neolit123]

nit / optional: errors.New() instead of fmt.Errorf()

[neolit123]

do we have a tracking issue?

[fabriziopandini]

Not yet. I will send tracking issues for TODOs soonish (after lgtm)

[rosti]

@fabriziopandini at first pass this LGTM, has some tiny nits though

[rosti]

Infof -> Info

[rosti]

Infof -> Info

[rosti]

Errorf -> Error

[rosti]

Fatalf -> Fatal

[rosti]

Fatalf -> Fatal

[rosti]

Errorf -> Error

[rosti]

Errorf -> Error

[rosti]

Errorf -> Error

[rosti]

fmt.Errorf -> errors.New

[timothysc]

/lgtm
/approve

We're too late for nits, we'll have to beat on this during freeze.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fabriziopandini, timothysc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• cmd/kubeadm/OWNERS [fabriziopandini,timothysc]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[timothysc]

/test pull-kubernetes-integration

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 63011, 68089, 67944, 68132). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.