Add the ability to migrate CoreDNS configmap in kubeadm #78033
Conversation
k8s-ci-robot
added
size/L
There was a problem hiding this comment.
thanks for the PR @rajansandeep
i understand the motivation of this change thus i've spent time doing a detailed review.
we might need at least some unit tests and possibly extend the release note that preflight checks are run now.
ideally more eyes from @kubernetes/sig-cluster-lifecycle-pr-reviews are needed here.
| @@ -92,6 +93,10 @@ func enforceRequirements(flags *applyPlanFlags, dryRun bool, newK8sVersion strin | |||
| return nil, nil, nil, errors.Wrapf(err, "couldn't create a Kubernetes client from file %q", flags.kubeConfigPath) | |||
| } | |||
|
|
|||
| if err := runCoreDNSpreflightChecks(client, ignorePreflightErrorsSet); err != nil { | |||
There was a problem hiding this comment.
the upgrade checks should have a single entry point: runPreflightChecks
the call to runCoreDNSpreflightChecks() should be moved there.
client needs to be passed to runPreflightChecks.
| return err | ||
| } | ||
| if currentDNSType == kubeadmapi.CoreDNS { | ||
| fmt.Println("[preflight] Running CoreDNS migration pre-flight checks.") |
There was a problem hiding this comment.
we can omit this notification, the preflight package will show check names.
| } | ||
| if currentDNSType == kubeadmapi.CoreDNS { | ||
| fmt.Println("[preflight] Running CoreDNS migration pre-flight checks.") | ||
| return upgrade.RunCoreDNSMigrationCheck(client, ignorePreflightErrors) |
There was a problem hiding this comment.
currentDNSType, _, err := dns.DeployedDNSAddon(client)
if err != nil {
return err
}
if currentDNSType == kubeadmapi.CoreDNS {
...
can be inside upgrade.RunCoreDNSMigrationCheck, and optionally make the function a no-op if kube-dns is used.
(i.e. exit early and don't run preflight.RunChecks(migrationChecks, os.Stderr, ignorePreflightErrors))
| } | ||
| } | ||
| // Get the Corefile and installed CoreDNS version. | ||
| corefile, currentInstalledCoreDNSVersion, err := GetCoreDNSInfo(client) |
There was a problem hiding this comment.
GetCoreDNSInfo() can accept a *ConfigMap as an argument.
if nil it should fetch the CM, if non-nil it should use the given CM.
this avoids fetching the same CM twice.
| if !migration.Default("", corefile) { | ||
| updatedCorefile, err := migration.Migrate(currentInstalledCoreDNSVersion, kubeadmconstants.CoreDNSVersion, corefile, false) | ||
| if err != nil { | ||
| return errors.Wrap(err, "unable to migrate CoreDNS Configmap") |
| @@ -297,6 +298,83 @@ func createDNSService(dnsService *v1.Service, serviceBytes []byte, client client | |||
| return nil | |||
| } | |||
|
|
|||
| func createCoreDNSConfigMap(client clientset.Interface, cm *v1.ConfigMap) error { | |||
There was a problem hiding this comment.
can we get an unit test for this function?
| // checkUnsupportedPlugins checks if there are any plugins included in the current configuration | ||
| // that is unsupported for migration. | ||
| func checkUnsupportedPlugins(client clientset.Interface) error { | ||
| klog.V(1).Infoln("validating if there are any unsupported CoreDNS plugins in the Config") |
|
|
||
| } | ||
| if UnsupportedPlugins != "" || UnsupportedVersion != "" { | ||
| return errors.Errorf("there are unsupported plugins in the CoreDNS Configuration") |
|
|
||
| // Checks if the CoreDNS image currently installed is an official released version. | ||
| func checkRelease(client clientset.Interface) error { | ||
| klog.V(1).Infoln("validating if the image installed is the official release of CoreDNS.") |
|
|
||
| isValid := migration.Released(coreDNSImageSha[1]) | ||
| if !isValid { | ||
| return errors.Errorf("the CoreDNS image currently installed is not an official image. If you still wish to proceed, do so at your own risk.") |
There was a problem hiding this comment.
this is not a check we have for the control plane or etcd images.
to my understanding, if someone has built coredns from source at any SHA, migration.Released would return false. while this is still not recommended, blocking on it with a preflight check might be a bit too strict.
but possibly needs discussion / feedback from more people.
There was a problem hiding this comment.
+1 for not having this. Users in China may be implicated.
There was a problem hiding this comment.
I think it is generally safe to remove this check.
The main reason for adding this check is to prevent external plugin users from inadvertently replacing their custom CoreDNS with a stock one. A stock CoreDNS will crash when it encounters an unknown plugin in the Corefile at start up.
But most users just use a stock version of CoreDNS. And IIUC, those who use CoreDNS compiled with external plugins will upgrade using "phases", and manually upgrade CoreDNS with an updated version compiled with the required external plugins if desired.
k8s-ci-robot
added
needs-rebase
|
Is this needed/intended to merge before 1.15 code freeze? |
|
@cblecker Yes! This is needed for 1.15 |
|
@rajansandeep Looks like the caddy dependency needs to be updated. Can you please run: And commit the changes? Then when complete, include a comment with the output of |
looks simple enough 🙄 /priority important-soon |
k8s-ci-robot
added
the
priority/important-soon
k8s-ci-robot
removed
the
needs-priority
k8s-ci-robot
removed
sig/cloud-provider
|
/remove-area apiserver cloudprovider |
|
|
This still needs root approval for the changes in vendor/deps... |
|
/assign @liggitt PTAL WRT approval of the /vendor changes. thanks! |
| @@ -314,9 +314,9 @@ data: | |||
| .:53 { | |||
| errors | |||
| health | |||
| ready | |||
There was a problem hiding this comment.
FYI @aojea the ipv6 config may need tweaking.
| @@ -0,0 +1,33 @@ | |||
| // Copyright 2015 Light Code Labs, LLC | |||
There was a problem hiding this comment.
is this package a copy from a different upstream? do we have accurate licensing info for this (in Godeps/) ?
is there a reason this isn't imported from the original authors? was it modified?
There was a problem hiding this comment.
Originally I just imported the caddy package. But at the suggestion of reviewers concerned for the number of imported packages, I copied the required pieces locally. The licensing was copied verbatim from the original project. IIRC, I had to modify it slightly (a function moved from one package to another), to reduce the amount of copied code.
do we have accurate licensing info for this (in Godeps/) ?
Sorry, I'm not familiar with the licensing process ... Please let me know what I need to do here to make everyone happy.
There was a problem hiding this comment.
Originally I just imported the caddy package. But at the suggestion of reviewers concerned for the number of imported packages, I copied the required pieces locally. The licensing was copied verbatim from the original project.
I see, that makes sense I suppose.
IIRC, I had to modify it slightly (a function moved from one package to another), to reduce the amount of copied code.
So you modified one of the source files then? Do we need to denote this somehow?
Sorry, I'm not familiar with the licensing process ... Please let me know what I need to do here to make everyone happy.
I'm not actually sure either, I haven't seen this case before.
There was a problem hiding this comment.
So you modified one of the source files then? Do we need to denote this somehow?
I recall I had to do that to stop the "bleeding" ... otherwise i'd be duplicating most caddy. I don't know if we need to or how to properly denote this (comments in the files? readme in same directory?). IMHO, copying files like this feels a hack to me, and I'd prefer just importing the packages normally. OTOH, I don't have a good understanding of the concern for importing the package in the first place, other than it created a lot of dependencies (which I infer is bad).
There was a problem hiding this comment.
I propose we just import the packages normally, and remove the copied files. Any objections?
There was a problem hiding this comment.
@chrisohaver -- yeah, I'd feel better about that route.
There was a problem hiding this comment.
/hold
(until that's resolved.)
There was a problem hiding this comment.
I fixed the part. @justaugustus PTAL and cancel the hold if you feel it's good. Thanks!
There was a problem hiding this comment.
Thanks for fixing the licensing piece, @rajansandeep!
/hold cancel
|
I had the same question w.r.t. that package license |
k8s-ci-robot
added
the
do-not-merge/hold
k8s-ci-robot
added
area/kubectl
sig/api-machinery
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
Looks like all hurdles have been crossed and requires one final approval tag. |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: fabriziopandini, liggitt, neolit123, rajansandeep The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
Add the ability to migrate CoreDNS configmap in kubeadm Kubernetes-commit: e1c2c67
What type of PR is this?
/kind feature
What this PR does / why we need it:
Currently in kubeadm, when upgrading from Kubernetes (Eg. k8s 1.13 -> 1.14), the CoreDNS ConfigMap is retained as-is and applied to the upgraded version. This is done due to the possibility that the user could have customized the Corefile for their use-case.
This approach is disadvantageous because this can lead to an incompatible Corefile which can lead to CoreDNS entering a
CrashLoopBackOffstate, and hence DNS not working in the cluster.This PR adds the ability for users to seamlessly migrate their CoreDNS Configuration when they upgrade their clusters using kubeadm. The CoreDNS Migration library helps to handle migrations of CoreDNS Corefiles to be compatible with new versions of CoreDNS.
The PR includes 3 preflight-checks while upgrading to check:
The user will be provided Logs and can override these checks.
During Upgrade:
The user will be informed appropriately through logs.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
The first commit includes the code change required for this PR.
The second commit includes the vendor and go mod changes.
This PR also updates the CoreDNS version to 1.5.0
Does this PR introduce a user-facing change?: