kubeadm: Move some code from apiclient.go to the dedicated apiconfig phase

cmd/kubeadm/app/cmd/init.go

@@ -33,7 +33,7 @@ import (
 	kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
 	"k8s.io/kubernetes/cmd/kubeadm/app/discovery"
 	kubemaster "k8s.io/kubernetes/cmd/kubeadm/app/master"
-	"k8s.io/kubernetes/cmd/kubeadm/app/phases/apiconfig"
+	apiconfigphase "k8s.io/kubernetes/cmd/kubeadm/app/phases/apiconfig"
 	certphase "k8s.io/kubernetes/cmd/kubeadm/app/phases/certs"
 	kubeconfigphase "k8s.io/kubernetes/cmd/kubeadm/app/phases/kubeconfig"
 	"k8s.io/kubernetes/cmd/kubeadm/app/preflight"
@@ -210,7 +210,7 @@ func (i *Init) Run(out io.Writer) error {
 		}
 	}
 
-	// Phase 3: Bootstrap the control plane
+	// PHASE 3: Bootstrap the control plane
 	if err := kubemaster.WriteStaticPodManifests(i.cfg); err != nil {
 		return err
 	}
@@ -220,28 +220,34 @@ func (i *Init) Run(out io.Writer) error {
 		return err
 	}
 
-	if i.cfg.AuthorizationMode == kubeadmconstants.AuthzModeRBAC {
-		err = apiconfig.CreateBootstrapRBACClusterRole(client)
-		if err != nil {
-			return err
-		}
+	if err := apiconfigphase.UpdateMasterRoleLabelsAndTaints(client); err != nil {
+		return err
+	}
 
-		err = apiconfig.CreateKubeDNSRBACClusterRole(client)
-		if err != nil {
+	// Is deployment type self-hosted?
+	if i.selfHosted {
+		// Temporary control plane is up, now we create our self hosted control
+		// plane components and remove the static manifests:
+		fmt.Println("[init] Creating self-hosted control plane...")
+		if err := kubemaster.CreateSelfHostedControlPlane(i.cfg, client); err != nil {
 			return err
 		}
+	}
+
+	// PHASE 4: Set up various things in the API
+	// Create the necessary ServiceAccounts
+	err = apiconfigphase.CreateServiceAccounts(client)
+	if err != nil {
+		return err
+	}
 
-		// TODO: remove this when https://github.com/kubernetes/kubeadm/issues/114 is fixed
-		err = apiconfig.CreateKubeProxyClusterRoleBinding(client)
+	if i.cfg.AuthorizationMode == kubeadmconstants.AuthzModeRBAC {
+		err = apiconfigphase.CreateRBACRules(client)
 		if err != nil {
 			return err
 		}
 	}
 
-	if err := kubemaster.UpdateMasterRoleLabelsAndTaints(client, false); err != nil {
-		return err
-	}
-
 	if i.cfg.Discovery.Token != nil {
 		fmt.Printf("[token-discovery] Using token: %s\n", kubeadmutil.BearerToken(i.cfg.Discovery.Token))
 		if err := kubemaster.CreateDiscoveryDeploymentAndSecret(i.cfg, client); err != nil {
@@ -252,16 +258,7 @@ func (i *Init) Run(out io.Writer) error {
 		}
 	}
 
-	// Is deployment type self-hosted?
-	if i.selfHosted {
-		// Temporary control plane is up, now we create our self hosted control
-		// plane components and remove the static manifests:
-		fmt.Println("[init] Creating self-hosted control plane...")
-		if err := kubemaster.CreateSelfHostedControlPlane(i.cfg, client); err != nil {
-			return err
-		}
-	}
-
+	// PHASE 5: Deploy essential addons
 	if err := kubemaster.CreateEssentialAddons(i.cfg, client); err != nil {
 		return err
 	}

cmd/kubeadm/app/constants/constants.go

@@ -39,4 +39,8 @@ const (
 
 	// Important: a "v"-prefix shouldn't exist here; semver doesn't allow that
 	MinimumControlPlaneVersion = "1.6.0-alpha.1"
+
+	// Constants for what we name our ServiceAccounts with limited access to the cluster in case of RBAC
+	KubeDNSServiceAccountName   = "kube-dns"
+	KubeProxyServiceAccountName = "kube-proxy"
 )

cmd/kubeadm/app/master/BUILD

@@ -38,7 +38,6 @@ go_library(
         "//vendor:k8s.io/apimachinery/pkg/util/uuid",
         "//vendor:k8s.io/apimachinery/pkg/util/wait",
         "//vendor:k8s.io/client-go/tools/clientcmd",
-        "//vendor:k8s.io/client-go/tools/clientcmd/api",
         "//vendor:k8s.io/client-go/util/cert",
     ],
 )

cmd/kubeadm/app/master/addons.go

@@ -310,11 +310,7 @@ func CreateEssentialAddons(cfg *kubeadmapi.MasterConfiguration, client *clientse
 
 	kubeDNSDeployment := NewDeployment(KubeDNS, 1, createKubeDNSPodSpec(cfg))
 	SetMasterTaintTolerations(&kubeDNSDeployment.Spec.Template.ObjectMeta)
-	kubeDNSServiceAccount := &v1.ServiceAccount{}
-	kubeDNSServiceAccount.ObjectMeta.Name = KubeDNS
-	if _, err := client.ServiceAccounts(metav1.NamespaceSystem).Create(kubeDNSServiceAccount); err != nil {
-		return fmt.Errorf("failed creating kube-dns service account [%v]", err)
-	}
+
 	if _, err := client.Extensions().Deployments(metav1.NamespaceSystem).Create(kubeDNSDeployment); err != nil {
 		return fmt.Errorf("failed creating essential kube-dns addon [%v]", err)
 	}

cmd/kubeadm/app/master/apiclient.go

@@ -25,7 +25,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/tools/clientcmd"
-	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 	"k8s.io/kubernetes/cmd/kubeadm/app/images"
 	"k8s.io/kubernetes/pkg/api/v1"
 	extensions "k8s.io/kubernetes/pkg/apis/extensions/v1beta1"
@@ -34,8 +33,11 @@ import (
 
 const apiCallRetryInterval = 500 * time.Millisecond
 
-// TODO: This method shouldn't exist as a standalone function but be integrated into CreateClientFromFile
-func createAPIClient(adminKubeconfig *clientcmdapi.Config) (*clientset.Clientset, error) {
+func CreateClientFromFile(path string) (*clientset.Clientset, error) {
+	adminKubeconfig, err := clientcmd.LoadFromFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load admin kubeconfig [%v]", err)
+	}
 	adminClientConfig, err := clientcmd.NewDefaultClientConfig(
 		*adminKubeconfig,
 		&clientcmd.ConfigOverrides{},
@@ -51,14 +53,6 @@ func createAPIClient(adminKubeconfig *clientcmdapi.Config) (*clientset.Clientset
 	return client, nil
 }
 
-func CreateClientFromFile(path string) (*clientset.Clientset, error) {
-	adminKubeconfig, err := clientcmd.LoadFromFile(path)
-	if err != nil {
-		return nil, fmt.Errorf("failed to load admin kubeconfig [%v]", err)
-	}
-	return createAPIClient(adminKubeconfig)
-}
-
 func CreateClientAndWaitForAPI(file string) (*clientset.Clientset, error) {
 	client, err := CreateClientFromFile(file)
 	if err != nil {
@@ -171,55 +165,6 @@ func NewDeployment(deploymentName string, replicas int32, podSpec v1.PodSpec) *e
 	}
 }
 
-// It's safe to do this for alpha, as we don't have HA and there is no way we can get
-// more then one node here (TODO(phase1+) use os.Hostname)
-func findMyself(client *clientset.Clientset) (*v1.Node, error) {
-	nodeList, err := client.Nodes().List(metav1.ListOptions{})
-	if err != nil {
-		return nil, fmt.Errorf("unable to list nodes [%v]", err)
-	}
-	if len(nodeList.Items) < 1 {
-		return nil, fmt.Errorf("no nodes found")
-	}
-	node := &nodeList.Items[0]
-	return node, nil
-}
-
-func attemptToUpdateMasterRoleLabelsAndTaints(client *clientset.Clientset, schedulable bool) error {
-	n, err := findMyself(client)
-	if err != nil {
-		return err
-	}
-
-	n.ObjectMeta.Labels[metav1.NodeLabelKubeadmAlphaRole] = metav1.NodeLabelRoleMaster
-
-	if !schedulable {
-		taintsAnnotation, _ := json.Marshal([]v1.Taint{{Key: "dedicated", Value: "master", Effect: "NoSchedule"}})
-		n.ObjectMeta.Annotations[v1.TaintsAnnotationKey] = string(taintsAnnotation)
-	}
-
-	if _, err := client.Nodes().Update(n); err != nil {
-		if apierrs.IsConflict(err) {
-			fmt.Println("[apiclient] Temporarily unable to update master node metadata due to conflict (will retry)")
-			time.Sleep(apiCallRetryInterval)
-			attemptToUpdateMasterRoleLabelsAndTaints(client, schedulable)
-		} else {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func UpdateMasterRoleLabelsAndTaints(client *clientset.Clientset, schedulable bool) error {
-	// TODO(phase1+) use iterate instead of recursion
-	err := attemptToUpdateMasterRoleLabelsAndTaints(client, schedulable)
-	if err != nil {
-		return fmt.Errorf("failed to update master node - [%v]", err)
-	}
-	return nil
-}
-
 func SetMasterTaintTolerations(meta *metav1.ObjectMeta) {
 	tolerationsAnnotation, _ := json.Marshal([]v1.Toleration{{Key: "dedicated", Value: "master", Effect: "NoSchedule"}})
 	if meta.Annotations == nil {

cmd/kubeadm/app/master/apiclient_test.go

@@ -17,22 +17,11 @@ limitations under the License.
 package master
 
 import (
-	"fmt"
 	"testing"
 
-	"k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
-	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
-	apiv1 "k8s.io/kubernetes/pkg/api/v1"
+	"k8s.io/kubernetes/pkg/api/v1"
 )
 
-func TestCreateClientAndWaitForAPI(t *testing.T) {
-	cfg := &kubeadmapi.MasterConfiguration{
-		Networking: kubeadm.Networking{DNSDomain: "localhost"},
-	}
-	fmt.Println(cfg)
-
-}
-
 func TestStandardLabels(t *testing.T) {
 	var tests = []struct {
 		n        string
@@ -90,7 +79,7 @@ func TestNewDaemonSet(t *testing.T) {
 	}
 
 	for _, rt := range tests {
-		p := apiv1.PodSpec{}
+		p := v1.PodSpec{}
 		actual := NewDaemonSet(rt.dn, p)
 		if actual.Spec.Selector.MatchLabels["k8s-app"] != rt.expected {
 			t.Errorf(
@@ -132,7 +121,7 @@ func TestNewService(t *testing.T) {
 	}
 
 	for _, rt := range tests {
-		p := apiv1.ServiceSpec{}
+		p := v1.ServiceSpec{}
 		actual := NewService(rt.dn, p)
 		if actual.ObjectMeta.Labels["k8s-app"] != rt.expected {
 			t.Errorf(
@@ -174,7 +163,7 @@ func TestNewDeployment(t *testing.T) {
 	}
 
 	for _, rt := range tests {
-		p := apiv1.PodSpec{}
+		p := v1.PodSpec{}
 		actual := NewDeployment(rt.dn, 1, p)
 		if actual.Spec.Selector.MatchLabels["k8s-app"] != rt.expected {
 			t.Errorf(

cmd/kubeadm/app/phases/apiconfig/BUILD

@@ -9,12 +9,18 @@ load(
 
 go_library(
     name = "go_default_library",
-    srcs = ["clusterroles.go"],
+    srcs = [
+        "clusterroles.go",
+        "setupmaster.go",
+    ],
     tags = ["automanaged"],
     deps = [
+        "//cmd/kubeadm/app/constants:go_default_library",
         "//cmd/kubeadm/app/master:go_default_library",
+        "//pkg/api/v1:go_default_library",
         "//pkg/apis/rbac/v1beta1:go_default_library",
         "//pkg/client/clientset_generated/clientset:go_default_library",
+        "//vendor:k8s.io/apimachinery/pkg/api/errors",
         "//vendor:k8s.io/apimachinery/pkg/apis/meta/v1",
     ],
 )