New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add the ability to migrate CoreDNS configmap in kubeadm #78033
Add the ability to migrate CoreDNS configmap in kubeadm #78033
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks for the PR @rajansandeep
i understand the motivation of this change thus i've spent time doing a detailed review.
we might need at least some unit tests and possibly extend the release note that preflight checks are run now.
ideally more eyes from @kubernetes/sig-cluster-lifecycle-pr-reviews are needed here.
@@ -92,6 +93,10 @@ func enforceRequirements(flags *applyPlanFlags, dryRun bool, newK8sVersion strin | |||
return nil, nil, nil, errors.Wrapf(err, "couldn't create a Kubernetes client from file %q", flags.kubeConfigPath) | |||
} | |||
|
|||
if err := runCoreDNSpreflightChecks(client, ignorePreflightErrorsSet); err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the upgrade checks should have a single entry point: runPreflightChecks
the call to runCoreDNSpreflightChecks()
should be moved there.
client
needs to be passed to runPreflightChecks
.
return err | ||
} | ||
if currentDNSType == kubeadmapi.CoreDNS { | ||
fmt.Println("[preflight] Running CoreDNS migration pre-flight checks.") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we can omit this notification, the preflight package will show check names.
} | ||
if currentDNSType == kubeadmapi.CoreDNS { | ||
fmt.Println("[preflight] Running CoreDNS migration pre-flight checks.") | ||
return upgrade.RunCoreDNSMigrationCheck(client, ignorePreflightErrors) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
currentDNSType, _, err := dns.DeployedDNSAddon(client)
if err != nil {
return err
}
if currentDNSType == kubeadmapi.CoreDNS {
...
can be inside upgrade.RunCoreDNSMigrationCheck
, and optionally make the function a no-op if kube-dns is used.
(i.e. exit early and don't run preflight.RunChecks(migrationChecks, os.Stderr, ignorePreflightErrors)
)
} | ||
} | ||
// Get the Corefile and installed CoreDNS version. | ||
corefile, currentInstalledCoreDNSVersion, err := GetCoreDNSInfo(client) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
GetCoreDNSInfo()
can accept a *ConfigMap
as an argument.
if nil
it should fetch the CM, if non-nil
it should use the given CM.
this avoids fetching the same CM twice.
if !migration.Default("", corefile) { | ||
updatedCorefile, err := migration.Migrate(currentInstalledCoreDNSVersion, kubeadmconstants.CoreDNSVersion, corefile, false) | ||
if err != nil { | ||
return errors.Wrap(err, "unable to migrate CoreDNS Configmap") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Configmap
-> ConfigMap
@@ -297,6 +298,83 @@ func createDNSService(dnsService *v1.Service, serviceBytes []byte, client client | |||
return nil | |||
} | |||
|
|||
func createCoreDNSConfigMap(client clientset.Interface, cm *v1.ConfigMap) error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we get an unit test for this function?
// checkUnsupportedPlugins checks if there are any plugins included in the current configuration | ||
// that is unsupported for migration. | ||
func checkUnsupportedPlugins(client clientset.Interface) error { | ||
klog.V(1).Infoln("validating if there are any unsupported CoreDNS plugins in the Config") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Config->Corefile
?
|
||
} | ||
if UnsupportedPlugins != "" || UnsupportedVersion != "" { | ||
return errors.Errorf("there are unsupported plugins in the CoreDNS Configuration") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Configuration->Corefile
?
|
||
// Checks if the CoreDNS image currently installed is an official released version. | ||
func checkRelease(client clientset.Interface) error { | ||
klog.V(1).Infoln("validating if the image installed is the official release of CoreDNS.") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
extra space before official
.
|
||
isValid := migration.Released(coreDNSImageSha[1]) | ||
if !isValid { | ||
return errors.Errorf("the CoreDNS image currently installed is not an official image. If you still wish to proceed, do so at your own risk.") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is not a check we have for the control plane or etcd images.
to my understanding, if someone has built coredns from source at any SHA, migration.Released
would return false
. while this is still not recommended, blocking on it with a preflight check might be a bit too strict.
but possibly needs discussion / feedback from more people.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 for not having this. Users in China may be implicated.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it is generally safe to remove this check.
The main reason for adding this check is to prevent external plugin users from inadvertently replacing their custom CoreDNS with a stock one. A stock CoreDNS will crash when it encounters an unknown plugin in the Corefile at start up.
But most users just use a stock version of CoreDNS. And IIUC, those who use CoreDNS compiled with external plugins will upgrade using "phases", and manually upgrade CoreDNS with an updated version compiled with the required external plugins if desired.
Is this needed/intended to merge before 1.15 code freeze? |
@cblecker Yes! This is needed for 1.15 |
@rajansandeep Looks like the caddy dependency needs to be updated. Can you please run:
And commit the changes? Then when complete, include a comment with the output of |
looks simple enough 🙄 /priority important-soon |
/remove-area apiserver cloudprovider |
|
This still needs root approval for the changes in vendor/deps... |
/assign @liggitt PTAL WRT approval of the /vendor changes. thanks! |
@@ -314,9 +314,9 @@ data: | |||
.:53 { | |||
errors | |||
health | |||
ready |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FYI @aojea the ipv6 config may need tweaking.
@@ -0,0 +1,33 @@ | |||
// Copyright 2015 Light Code Labs, LLC |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is this package a copy from a different upstream? do we have accurate licensing info for this (in Godeps/) ?
is there a reason this isn't imported from the original authors? was it modified?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Originally I just imported the caddy package. But at the suggestion of reviewers concerned for the number of imported packages, I copied the required pieces locally. The licensing was copied verbatim from the original project. IIRC, I had to modify it slightly (a function moved from one package to another), to reduce the amount of copied code.
do we have accurate licensing info for this (in Godeps/) ?
Sorry, I'm not familiar with the licensing process ... Please let me know what I need to do here to make everyone happy.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Originally I just imported the caddy package. But at the suggestion of reviewers concerned for the number of imported packages, I copied the required pieces locally. The licensing was copied verbatim from the original project.
I see, that makes sense I suppose.
IIRC, I had to modify it slightly (a function moved from one package to another), to reduce the amount of copied code.
So you modified one of the source files then? Do we need to denote this somehow?
Sorry, I'm not familiar with the licensing process ... Please let me know what I need to do here to make everyone happy.
I'm not actually sure either, I haven't seen this case before.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So you modified one of the source files then? Do we need to denote this somehow?
I recall I had to do that to stop the "bleeding" ... otherwise i'd be duplicating most caddy. I don't know if we need to or how to properly denote this (comments in the files? readme in same directory?). IMHO, copying files like this feels a hack to me, and I'd prefer just importing the packages normally. OTOH, I don't have a good understanding of the concern for importing the package in the first place, other than it created a lot of dependencies (which I infer is bad).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I propose we just import the packages normally, and remove the copied files. Any objections?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@chrisohaver -- yeah, I'd feel better about that route.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/hold
(until that's resolved.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I fixed the part. @justaugustus PTAL and cancel the hold if you feel it's good. Thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for fixing the licensing piece, @rajansandeep!
/hold cancel
I had the same question w.r.t. that package license |
/lgtm |
Looks like all hurdles have been crossed and requires one final approval tag. |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: fabriziopandini, liggitt, neolit123, rajansandeep The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Add the ability to migrate CoreDNS configmap in kubeadm Kubernetes-commit: e1c2c67
What type of PR is this?
/kind feature
What this PR does / why we need it:
Currently in kubeadm, when upgrading from Kubernetes (Eg. k8s 1.13 -> 1.14), the CoreDNS ConfigMap is retained as-is and applied to the upgraded version. This is done due to the possibility that the user could have customized the Corefile for their use-case.
This approach is disadvantageous because this can lead to an incompatible Corefile which can lead to CoreDNS entering a
CrashLoopBackOff
state, and hence DNS not working in the cluster.This PR adds the ability for users to seamlessly migrate their CoreDNS Configuration when they upgrade their clusters using kubeadm. The CoreDNS Migration library helps to handle migrations of CoreDNS Corefiles to be compatible with new versions of CoreDNS.
The PR includes 3 preflight-checks while upgrading to check:
The user will be provided Logs and can override these checks.
During Upgrade:
The user will be informed appropriately through logs.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
The first commit includes the code change required for this PR.
The second commit includes the vendor and go mod changes.
This PR also updates the CoreDNS version to 1.5.0
Does this PR introduce a user-facing change?: