Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow setting Azure cloud provider from Kubernetes secrets instread of local configure file #78242

Merged
merged 6 commits into from Jun 1, 2019
Merged

Allow setting Azure cloud provider from Kubernetes secrets instread of local configure file #78242

merged 6 commits into from Jun 1, 2019

Conversation

feiskyer
Copy link
Member

@feiskyer feiskyer commented May 23, 2019
edited

What type of PR is this?

Uncomment only one /kind <> line, hit enter to put that in a new line, and remove leading whitespaces from that line:

/kind api-change
/kind bug
/kind cleanup
/kind design
/kind documentation
/kind failing-test
/kind feature
/kind flake

What this PR does / why we need it:

Refer Azure/container-upstream#27. This PR allows configure Azure cloud provider from Kubernetes secrets.

To support this, a new option cloudConfigType is added. Supported values are:

  • file: The cloud provider configuration is read from cloud-config file.
  • secret: the cloud provider configuration must be overridden by a secret.
  • merge: the cloud provider configuration can be optionally overridden by a secret when it is set explicitly in the secret, this is default value.

Note that the secret is a serialized version of azure.json file with key cloud-config. And the secret name is azure-cloud-provider.

Since Azure cloud provider would read Kubernetes secrets, the following RBAC should also be configured:

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  labels:
    kubernetes.io/cluster-service: "true"
  name: system:azure-cloud-provider-secret-getter
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["azure-cloud-provider"]
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  labels:
    kubernetes.io/cluster-service: "true"
  name: system:azure-cloud-provider-secret-getter
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:azure-cloud-provider-secret-getter
subjects:
- kind: ServiceAccount
  name: azure-cloud-provider
  namespace: kube-system

Which issue(s) this PR fixes:

Fixes Azure/container-upstream#27

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

Azure cloud provider could now be configured by Kubernetes secrets and a new option `cloudConfigType` is introduced, whose candicate values are `file`, `secret` and `merge` (default is `merge`).

action required:

Since Azure cloud provider would read Kubernetes secrets, the following RBAC should be configured:

  apiVersion: rbac.authorization.k8s.io/v1beta1
  kind: ClusterRole
  metadata:
    labels:
      kubernetes.io/cluster-service: "true"
    name: system:azure-cloud-provider-secret-getter
  rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["azure-cloud-provider"]
    verbs:
    - get
  ---
  apiVersion: rbac.authorization.k8s.io/v1beta1
  kind: ClusterRoleBinding
  metadata:
    labels:
      kubernetes.io/cluster-service: "true"
    name: system:azure-cloud-provider-secret-getter
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:azure-cloud-provider-secret-getter
  subjects:
  - kind: ServiceAccount
    name: azure-cloud-provider
    namespace: kube-system

/sig azure
/kind feature
/priority important-soon

/assign @khenidak @andyzhangx

@k8s-ci-robot k8s-ci-robot added the release-note-action-required Denotes a PR that introduces potentially breaking changes that require user action. label May 23, 2019
@k8s-ci-robot k8s-ci-robot added sig/azure size/L Denotes a PR that changes 100-499 lines, ignoring generated files. kind/feature Categorizes issue or PR as related to a new feature. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels May 23, 2019
@feiskyer feiskyer mentioned this pull request May 23, 2019
Closed
@feiskyer feiskyer added this to In progress in Provider Azure via automation May 23, 2019
@k8s-ci-robot k8s-ci-robot added area/cloudprovider sig/cloud-provider Categorizes an issue or PR as relevant to SIG Cloud Provider. labels May 23, 2019
@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 23, 2019
@k8s-ci-robot k8s-ci-robot added area/dependency Issues or PRs related to dependency changes and removed approved Indicates a PR has been approved by an approver from all required OWNERS files. labels May 23, 2019
andyzhangx
andyzhangx reviewed May 24, 2019
View reviewed changes
Copy link
Member

@andyzhangx andyzhangx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one question about the code logic, we have two path

init --> NewCloud --> initializeCloudFromConfig(fromSecret: false)
Cloud.Initialize --> initializeCloudFromSecret --> initializeCloudFromConfig(fromSecret: true)

so init would be invoked first and Cloud.Initialize could be invoked second, and finally it will goto initializeCloudFromConfig, right?

staging/src/k8s.io/legacy-cloud-providers/azure/azure_config.go Outdated Show resolved Hide resolved
staging/src/k8s.io/legacy-cloud-providers/azure/azure_config.go Outdated Show resolved Hide resolved
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels May 24, 2019
@feiskyer
Copy link
Member Author

/retest

andyzhangx
andyzhangx reviewed May 24, 2019
View reviewed changes
Copy link
Member

@andyzhangx andyzhangx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one question about the code logic, we have two path

init --> NewCloud --> initializeCloudFromConfig(fromSecret: false)
Cloud.Initialize --> initializeCloudFromSecret --> initializeCloudFromConfig(fromSecret: true)

so init would be invoked first and Cloud.Initialize could be invoked second, and finally it will goto initializeCloudFromConfig, right?

staging/src/k8s.io/legacy-cloud-providers/azure/azure.go Outdated Show resolved Hide resolved
@feiskyer
Copy link
Member Author

so init would be invoked first and Cloud.Initialize could be invoked second, and finally it will goto initializeCloudFromConfig, right?

Both would go to initializeCloudFromConfig, the difference is Kubelet won't invoke Initialize, while controller-manager would do. And for controller-manager, we want NewCloud won't error out, and initialize from secret again. But when secret initializing failed, controller-manager would fail with an error.

@andyzhangx
Copy link
Member

so init would be invoked first and Cloud.Initialize could be invoked second, and finally it will goto initializeCloudFromConfig, right?

Both would go to initializeCloudFromConfig, the difference is Kubelet won't invoke Initialize, while controller-manager would do. And for controller-manager, we want NewCloud won't error out, and initialize from secret again. But when secret initializing failed, controller-manager would fail with an error.

There are other drivers like CSI driver would also leverage this azure cloud provider lib, it uses NewCloud: https://github.com/kubernetes-sigs/azuredisk-csi-driver/blob/master/pkg/azuredisk/azure.go#L45
can we add a switch in NewCloud, let it read from secret also? by default, fromSecret could be false in NewCloud

@andrewsykim
Copy link
Member

/hold

So sorry for the last minute hold, but I think the kubelet checks are worth raising a flag for. Can we do this change without the kubelet checks?

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 30, 2019
@feiskyer
Copy link
Member Author

@andrewsykim thanks for reviewing. Agreed, the Kubelet check should be changed in alternative ways. will address these comments before v1.15 release

@andrewsykim
Copy link
Member

/hold cancel

Thanks @feiskyer

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 30, 2019
@andrewsykim
Copy link
Member

heads up @claurence, we might have some follow-up PRs come in for this one

@andrewsykim
Copy link
Member

/hold

@feiskyer addressing comments given the code freeze extension

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 31, 2019
@feiskyer
Copy link
Member Author

@andrewsykim Addressed comments. PTAL

/hold cancel

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels May 31, 2019
@justaugustus
Copy link
Member

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 31, 2019
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andrewsykim, feiskyer, justaugustus

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

andrewsykim
andrewsykim reviewed May 31, 2019
View reviewed changes
Copy link
Member

@andrewsykim andrewsykim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, thanks for iterating @feiskyer!

@k8s-ci-robot k8s-ci-robot merged commit bb7898b into kubernetes:master Jun 1, 2019
Provider Azure automation moved this from In progress to Done Jun 1, 2019
@feiskyer feiskyer deleted the configurable-provider branch June 3, 2019 06:00
mboersma added a commit to mboersma/aks-engine that referenced this pull request Jun 6, 2019
@mboersma
chore: add cluster role and binding for Azure secret getter
018a80c 
See kubernetes/kubernetes#78242
@mboersma mboersma mentioned this pull request Jun 6, 2019
Merged
5 tasks
@jackfrancis
Copy link
Contributor

@feiskyer will these capabilities ever be backported into pre-1.15 k8s or is this only applicable for 1.15 and greater?

@andyzhangx
Copy link
Member

@feiskyer will these capabilities ever be backported into pre-1.15 k8s or is this only applicable for 1.15 and greater?

It won't be backported, only applicable for 1.15 and greater

jackfrancis pushed a commit to Azure/aks-engine that referenced this pull request Jun 8, 2019
@mboersma @jackfrancis
feat: add support for Kubernetes 1.15.0-beta.2 (#1438)
5a76654 
* feat: add support for Kubernetes 1.15.0-beta.2

See https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.15.md#changelog-since-v1150-beta1

* chore: add cluster role and binding for Azure secret getter

See kubernetes/kubernetes#78242
@feiskyer
Copy link
Member Author

feiskyer commented Jun 9, 2019

@jackfrancis Yep, the feature is only available for v1.15 and greater

@feiskyer feiskyer mentioned this pull request Jun 15, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewsykim andrewsykim andrewsykim left review comments

@justaugustus justaugustus justaugustus requested changes

@andyzhangx andyzhangx andyzhangx approved these changes

@brendandburns brendandburns Awaiting requested review from brendandburns

@karataliu karataliu Awaiting requested review from karataliu

Assignees

@justaugustus justaugustus

@andyzhangx andyzhangx

@khenidak khenidak

@andrewsykim andrewsykim

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/cloudprovider area/dependency Issues or PRs related to dependency changes cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note-action-required Denotes a PR that introduces potentially breaking changes that require user action. sig/cloud-provider Categorizes an issue or PR as relevant to SIG Cloud Provider. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
Provider Azure
  
Done
Milestone
v1.15
Development

Successfully merging this pull request may close these issues.

[k8s] configurable provider
7 participants
@feiskyer @andyzhangx @k8s-ci-robot @justaugustus @andrewsykim @khenidak @jackfrancis