kubeadm: Make it possible to configure volume mounts via the config file

[andrewrynhard]

What this PR does / why we need it:
Kubeadm mounts host CA certs into api server and controller manager. It uses /etc/pki and does not allow for the path to be configurable. This PR adds a default to /etc/pki but also allows a user to configure the path in the config file. In the case of using Container Linux, the CAs are located at /usr/share/ca-certificates, so without this PR the hardcoded /etc/pki path is used and will break, for example, the --cloud-provider flag because of missing CAs.

Fixes kubernetes/kubeadm#484
Fixes kubernetes/kubeadm#476
Fixes kubernetes/kubeadm#441

/cc @luxas

[k8s-ci-robot]

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://github.com/kubernetes/kubernetes/wiki/CLA-FAQ to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.

---

• If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
• If you signed the CLA as a corporation, please sign in with your organization's credentials at https://identity.linuxfoundation.org/projects/cncf to be authorized.
• If you have done the above and are still having issues with the CLA being reported as unsigned, please email the CNCF helpdesk: helpdesk@rt.linuxfoundation.org

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[k8s-ci-robot]

Hi @andrewrynhard. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[andrewrynhard]

Manifests are generated correctly

core # cat /etc/kubernetes/manifests/kube-apiserver.yaml | grep /usr/share/ca-certificates
    - mountPath: /usr/share/ca-certificates
      path: /usr/share/ca-certificates
core # cat /etc/kubernetes/manifests/kube-controller-manager.yaml | grep /usr/share/ca-certificates
    - mountPath: /usr/share/ca-certificates
      path: /usr/share/ca-certificates

[luxas]

I talked to @andrewrynhard about this on Slack and we decided that a generic variant of this is much better. Something like this:

type HostPathMount struct {
	Name string
	HostPath string
	MountPath string
}

type MasterConfiguration struct {
        ...
	APIServerExtraVolumes []HostPathMount
	ControllerManagerExtraVolumes []HostPathMount
	SchedulerExtraVolumes []HostPathMount
}

[luxas]

/release-note
/ok-to-test

[timothysc]

@mattmoyer

[mattmoyer]

I had a couple of style questions. Other than picking the right name and fixing some tests, I don't see a reason not to make this configurable.

Distros are pretty inconsistent about where they keep "system" trust stores (/etc/pki/ vs. /usr/share/ca-certificates vs. /etc/ssl/).

[mattmoyer]

Just a style nit but this should be CACertificatesPKIDir (per this guide).

I think the name is a little confusing too, since this doesn't have to do with the kubeadm-generated cluster CA like CertificatesDir does. Maybe SystemCACertificatesDir, HostCACertificatesDir, or ExternalCACertificatesDir?

[mattmoyer]

Same style nit here (s/Pki/PKI/).

[mattmoyer]

Same style nit here also (s/Pki/PKI/).

[mattmoyer]

Same style nit here also (s/Pki/PKI/).

[mattmoyer]

It looks like the unit tests that used this variable need a fix (test log):

[...]
W0804 00:30:36.473] # k8s.io/kubernetes/cmd/kubeadm/app/phases/controlplane
W0804 00:30:36.474] cmd/kubeadm/app/phases/controlplane/volumes_test.go:276: not enough arguments in call to getEtcdCertVolumes
W0804 00:30:36.474] 	have (kubeadm.Etcd)
W0804 00:30:36.475] 	want (kubeadm.Etcd, string)
W0804 00:30:36.475] cmd/kubeadm/app/phases/controlplane/volumes_test.go:514: undefined: caCertsPkiVolumePath
W0804 00:30:36.475] cmd/kubeadm/app/phases/controlplane/volumes_test.go:515: undefined: caCertsPkiVolumePath
[...]

[mattmoyer]

I'm also +1 on the idea of a generic HostPathMount configuration.

[luxas]

ping @andrewrynhard You're gonna take a look at this soon, right?

[andrewrynhard]

/retest

[andrewrynhard]

/test pull-kubernetes-unit

[luxas]

/lgtm

[k8s-github-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andrewrynhard, luxas

Associated issue: 484

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• cmd/kubeadm/OWNERS [luxas]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[luxas]

/release-note-none

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to @fejta).

Review the full test history for this PR.

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to @fejta).

Review the full test history for this PR.

[k8s-github-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[k8s-ci-robot]

@andrewrynhard: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
pull-kubernetes-bazel	6450d92	link	/test pull-kubernetes-bazel

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[andrewrynhard]

/test pull-kubernetes-unit

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 49840, 54937, 54543). If you want to cherry-pick this change to another branch, please follow the instructions here.

[ArchiFleKs]

Hi, does this PR allows to use volume type ? I'm trying with kubeadm config file to mount the cloud_config file for an OpenStack provider but all the extra volumes are of type DirectoryOrCreate

[luxas]

@ArchiFleKs Not right now, please file an issue with more details if that's something you'd like to see

[usernkey]

Is the feature of volume mounts via the config file been released on the current kubeadm?

I need to mount the cloud_config to add the AWS support :) using this approach

apiServerExtraArgs:
cloud-provider: "openstack"
cloud-config: "/etc/kubernetes/cloud.conf"
controllerManagerExtraArgs:
cloud-provider: "openstack"
cloud-config: "/etc/kubernetes/cloud.conf"

root@ip-10-1-18-136:~# kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.2", GitCommit:"81753b10df112992bf51bbc2c2f85208aad78335", GitTreeState:"clean", BuildDate:"2018-04-27T09:10:24Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}

[andrewrynhard]

@usernkey it is, see https://github.com/kubernetes/kubernetes/blob/master/cmd/kubeadm/app/apis/kubeadm/v1alpha1/types.go#L93-L99. Has been available since 1.8 I believe.

[usernkey]

cool thanks I'll try it