generic Kubernetes API server config interface #2012
Conversation
ghost
assigned
| @@ -209,7 +209,7 @@ Below is a list of controller-manager options that acs-engine will configure by | |||
| |"--route-reconciliation-period"|"10s"| | |||
|
|
|||
|
|
|||
| Below is a list of kubelet options that are *not* currently user-configurable, either because a higher order configuration vector is available that enforces kubelet configuration, or because a static configuration is required to build a functional cluster: | |||
| Below is a list of controller-manager options that are *not* currently user-configurable, either because a higher order configuration vector is available that enforces controller-manager configuration, or because a static configuration is required to build a functional cluster: | |||
There was a problem hiding this comment.
Correcting copy/paste errors from a prior, related PR.
| perl -pi -e "s|--oidc-client-id=\K(?=\")|$OIDC_CLIENT_ID| || s|--oidc-issuer-url=\K(?=\")|$OIDC_ISSUER_URL|" "/etc/kubernetes/manifests/kube-apiserver.yaml" | ||
| {{else}} | ||
| sed -i "/--oidc-client-id\|--oidc-issuer-url\|--oidc-username-claim/d" "/etc/kubernetes/manifests/kube-apiserver.yaml" | ||
| sed -i "/--oidc-issuer-url/s/$/$AAD_TENANT_ID/" "/etc/kubernetes/manifests/kube-apiserver.yaml" |
There was a problem hiding this comment.
We still need to do this post-deployment transformation because I'm not aware of any other way to implement the fallback tenantID assignment. The one here uses this kubernetesmastervars.t statement:
"tenantId": "[subscription().tenantId]",
Which gives us our fallback tenantId value (see AAD_TENANT_ID=${VAR_AAD_TENANT_ID:-$VAR_TENANT_ID} above). My understanding is that subscription() is an ARM function that we won't have access to anywhere else.
| {{if UseCloudControllerManager }} | ||
| sed -i "s|<kubernetesCcmImageSpec>|{{WrapAsVariable "kubernetesCcmImageSpec"}}|g; s|<masterFqdnPrefix>|{{WrapAsVariable "masterFqdnPrefix"}}|g; s|<allocateNodeCidrs>|{{WrapAsVariable "allocateNodeCidrs"}}|g; s|<kubeClusterCidr>|{{WrapAsVariable "kubeClusterCidr"}}|g; s|<kubernetesCtrlMgrRouteReconciliationPeriod>|{{GetCloudControllerManagerRouteReconciliationPeriod .OrchestratorProfile.KubernetesConfig}}|g" \ | ||
| /etc/kubernetes/manifests/cloud-controller-manager.yaml | ||
|
|
||
| sed -i "/--\(cloud-config\|cloud-provider\|route-reconciliation-period\)=/d" \ |
There was a problem hiding this comment.
This should have been removed in #1960, doing so now.
| @@ -12,8 +13,6 @@ func setControllerManagerConfig(cs *api.ContainerService) { | |||
| "--kubeconfig": "/var/lib/kubelet/kubeconfig", | |||
| "--allocate-node-cidrs": strconv.FormatBool(!o.IsAzureCNI()), | |||
| "--cluster-cidr": o.KubernetesConfig.ClusterSubnet, | |||
| "--cloud-provider": "azure", | |||
There was a problem hiding this comment.
This should have been done in #1960, doing so now.
| @@ -30,6 +29,12 @@ func setControllerManagerConfig(cs *api.ContainerService) { | |||
| staticLinuxControllerManagerConfig["--cluster-name"] = cs.Properties.HostedMasterProfile.DNSPrefix | |||
| } | |||
|
|
|||
| // Enable cloudprovider if we're not using cloud controller manager | |||
There was a problem hiding this comment.
This should have been done in #1960, doing so now.
parts/k8s/kubernetesmastervars.t
Outdated
| @@ -267,8 +266,8 @@ | |||
| "[concat(variables('masterFirstAddrPrefix'), add(3, int(variables('masterFirstAddrOctet4'))))]", | |||
| "[concat(variables('masterFirstAddrPrefix'), add(4, int(variables('masterFirstAddrOctet4'))))]" | |||
| ], | |||
| "masterEtcdServerPort": 2380, | |||
| "masterEtcdClientPort": 2379, | |||
| "masterEtcdServerPort": "[parameters('masterEtcdServerPort')]", | |||
There was a problem hiding this comment.
Moved these vals to pkg/acsengine/const.go (and added appropriate changes elswhere).
| sort.Strings(keys) | ||
| var buf bytes.Buffer | ||
| for _, key := range keys { | ||
| buf.WriteString(fmt.Sprintf("\\\"%s=%s\\\", ", key, apiServerConfig[key])) |
There was a problem hiding this comment.
The escaped slashes \\ in front of the escaped quote \" is needed in order to produce a literal quote char in the resulting yaml file.
This should be done in the above getters as well, will do so in a follow-up PR.
| @@ -21,7 +21,6 @@ spec: | |||
| - "--cloud-config=/etc/kubernetes/azure.json" | |||
| - "--leader-elect=true" | |||
| # TODO: RBAC support | |||
There was a problem hiding this comment.
Do you want to remove RBAC placeholder here? Seems not related to this PR. If so, remove the above TODO comment too?
| overrideAPIServerConfig = staticLinuxAPIServerConfig | ||
| } | ||
| for key, val := range overrideAPIServerConfig { | ||
| o.KubernetesConfig.APIServerConfig[key] = val |
There was a problem hiding this comment.
Some argument like "--admission-control" and "--authorization-mode" takes a list of features, and probably should allow feature addition (as long as static config is a subset of the user input config), instead of override. It can be done in a later change if needed.
There was a problem hiding this comment.
I agree this would be a useful addition to this surface area. Feature gates also are special, in that they essentially contain key/vals themselves. Yeah, I'd prefer a follow-up PR for that.
| {{end}} | ||
| sed -i "s|<kubernetesControllerManagerConfig>|{{GetControllerManagerConfigKeyVals .OrchestratorProfile.KubernetesConfig}}|g" "/etc/kubernetes/manifests/kube-controller-manager.yaml" | ||
| sed -i "s|<kubernetesAPIServerConfig>|{{GetAPIServerConfigKeyVals .OrchestratorProfile.KubernetesConfig}}|g" "/etc/kubernetes/manifests/kube-apiserver.yaml" |
There was a problem hiding this comment.
It is probably better to take APIServerConfig (instead of KubernetesConfig) as argument for GetAPIServerConfigKeyVals.
The original code logic is pretty tangled here and I have not dig very deep, I assume GetAPIServerConfigKeyVals will return the already processed argument map. Please just confirm it.
There was a problem hiding this comment.
This is good feedback. Let's do this: after all of these config refactors are done, we can optimize the number of key/val getter functions in engine.go (we have two types, I think, which is better than having one function per config file). A part of that improvement would be passing in the specific config as the arg instead of kubernetesConfig.
| VAR_AAD_TENANT_ID={{WrapAsVariable "aadTenantId"}} | ||
| VAR_TENANT_ID={{WrapAsVariable "tenantId"}} | ||
| AAD_TENANT_ID=${VAR_AAD_TENANT_ID:-$VAR_TENANT_ID} | ||
| sed -i "/--oidc-issuer-url/s/$/$AAD_TENANT_ID/" "/etc/kubernetes/manifests/kube-apiserver.yaml" |
There was a problem hiding this comment.
If the above GetAPIServerConfigKeyVals returns already processed map, why are we overriding "--oidc-issuer-url" here?
There was a problem hiding this comment.
Good question. It's because the only way (that I know of) to assign the right tenantId value is in the flow of this template: we depend upon {{WrapAsVariable "tenantId"}} as a fallback value, and that fallback value is not available in the flow of the map-producing code. See the subscription() method which the tenantId variable depends upon in kubernetesmastervars.t.
What this PR does / why we need it: exposes a generic key/val interface for configuring apiserver, using the configuration keys documented here:
https://kubernetes.io/docs/reference/generated/kube-apiserver/
API model usage patterns will look like this:
Release note: