diff --git a/bindata/bootkube/manifests/kube-scheduler-secret-kubeconfig.yaml b/bindata/bootkube/manifests/kube-scheduler-secret-kubeconfig.yaml
deleted file mode 100644
index a809dac6d..000000000
--- a/bindata/bootkube/manifests/kube-scheduler-secret-kubeconfig.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: scheduler-kubeconfig
- namespace: openshift-kube-scheduler
- labels:
- tier: "control-plane"
- k8s-app: "kube-scheduler"
- openshift.io/control-plane: "true"
- openshift.io/component: "scheduler"
-data:
- kubeconfig: {{ .Assets | load "kubeconfig" | base64 }}
diff --git a/bindata/v3.11.0/kube-scheduler/defaultconfig-postbootstrap-with-policy.yaml b/bindata/v3.11.0/kube-scheduler/defaultconfig-postbootstrap-with-policy.yaml
index 7ba306922..66e90e558 100644
--- a/bindata/v3.11.0/kube-scheduler/defaultconfig-postbootstrap-with-policy.yaml
+++ b/bindata/v3.11.0/kube-scheduler/defaultconfig-postbootstrap-with-policy.yaml
@@ -1,7 +1,7 @@
 apiVersion: componentconfig/v1alpha1
 kind: KubeSchedulerConfiguration
 clientConnection:
- kubeconfig: /etc/kubernetes/static-pod-resources/secrets/scheduler-kubeconfig/kubeconfig
+ kubeconfig: /etc/kubernetes/static-pod-resources/configmaps/scheduler-kubeconfig/kubeconfig
 algorithmSource:
 policy:
 configMap:
diff --git a/bindata/v3.11.0/kube-scheduler/defaultconfig-postbootstrap.yaml b/bindata/v3.11.0/kube-scheduler/defaultconfig-postbootstrap.yaml
index 2b4db9e38..175646731 100644
--- a/bindata/v3.11.0/kube-scheduler/defaultconfig-postbootstrap.yaml
+++ b/bindata/v3.11.0/kube-scheduler/defaultconfig-postbootstrap.yaml
@@ -1,4 +1,4 @@
 apiVersion: componentconfig/v1alpha1
 kind: KubeSchedulerConfiguration
 clientConnection:
- kubeconfig: /etc/kubernetes/static-pod-resources/secrets/scheduler-kubeconfig/kubeconfig
+ kubeconfig: /etc/kubernetes/static-pod-resources/configmaps/scheduler-kubeconfig/kubeconfig
diff --git a/bindata/v3.11.0/kube-scheduler/kubeconfig-cm.yaml b/bindata/v3.11.0/kube-scheduler/kubeconfig-cm.yaml
new file mode 100644
index 000000000..68bc6bafb
--- /dev/null
+++ b/bindata/v3.11.0/kube-scheduler/kubeconfig-cm.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: scheduler-kubeconfig
+ namespace: openshift-kube-scheduler
+data:
+ kubeconfig: |
+ apiVersion: v1
+ clusters:
+ - cluster:
+ certificate-authority: /etc/kubernetes/static-pod-resources/configmaps/serviceaccount-ca/ca-bundle.crt
+ server: https://localhost:6443
+ name: loopback
+ contexts:
+ - context:
+ cluster: loopback
+ user: kube-scheduler
+ name: kube-scheduler
+ current-context: kube-scheduler
+ kind: Config
+ preferences: {}
+ users:
+ - name: kube-scheduler
+ user:
+ client-certificate: /etc/kubernetes/static-pod-resources/secrets/kube-scheduler-client-cert-key/tls.crt
+ client-key: /etc/kubernetes/static-pod-resources/secrets/kube-scheduler-client-cert-key/tls.key
diff --git a/bindata/v3.11.0/kube-scheduler/leader-election-rolebinding.yaml b/bindata/v3.11.0/kube-scheduler/leader-election-rolebinding.yaml
new file mode 100644
index 000000000..e7e0749dd
--- /dev/null
+++ b/bindata/v3.11.0/kube-scheduler/leader-election-rolebinding.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ namespace: kube-system
+ name: system:openshift:leader-locking-kube-scheduler
+roleRef:
+ kind: Role
+ name: system::leader-locking-kube-scheduler
+subjects:
+ - kind: User
+ name: system:kube-scheduler
diff --git a/pkg/operator/resourcesynccontroller/resourcesynccontroller.go b/pkg/operator/resourcesynccontroller/resourcesynccontroller.go
index 65ea05204..aa46df56d 100644
--- a/pkg/operator/resourcesynccontroller/resourcesynccontroller.go
+++ b/pkg/operator/resourcesynccontroller/resourcesynccontroller.go
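Review bot: The loopback client's `certificate-authority` points at `serviceaccount-ca/ca-bundle.crt`, and in this same commit that configmap is assembled by `manageServiceAccountCABundle` in `target_config_reconciler_v311_00.go` from `kube-apiserver-server-ca` plus `router-ca`, so the scheduler would also accept a `localhost:6443` server certificate chained to the ingress CA. Only the apiserver server CA looks necessary for this kubeconfig; if that is right, pointing `certificate-authority` at a configmap carrying just that CA keeps the scheduler's server trust narrow, and if the wider bundle is intended the reason belongs in a comment here. What makes this manifest acceptable as a ConfigMap rather than the deleted Secret is that it holds no key material — `client-certificate` and `client-key` are path references into the `kube-scheduler-client-cert-key` secret — and that invariant deserves a line above `data:` such as `# credential-free: cert/key are referenced by path from the kube-scheduler-client-cert-key secret, never embedded`. The generated copy of this text in the `bindata.go` hunk carries the same content.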
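Review bot: The binding's `roleRef` names Role `system::leader-locking-kube-scheduler` in `kube-system`, which this commit does not create; the API server accepts a RoleBinding to a missing Role and it then grants nothing, so if the Role is expected from the cluster's bootstrap RBAC policy that dependency should be recorded, e.g. `# binds to the bootstrap-provisioned system::leader-locking-kube-scheduler Role; the operator does not own that Role`. The subject is `User` `system:kube-scheduler`, so the grant only applies if the client certificate synced as `kube-scheduler-client-cert-key` presents that identity, which is not visible in this diff and worth confirming. `roleRef.apiGroup` and the subject's `apiGroup` are omitted and rely on server-side defaulting; writing `apiGroup: rbac.authorization.k8s.io` explicitly on both keeps the applied object identical to what the API server stores, which matters for an apply-and-compare loop.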
@@ -27,5 +27,11 @@ func NewResourceSyncController(
 resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalUserSpecifiedConfigNamespace, Name: "policy-configmap"}); err != nil {
 return nil, err
 }
+ if err := resourceSyncController.SyncSecret(
+ resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: "kube-scheduler-client-cert-key"},
+ resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalMachineSpecifiedConfigNamespace, Name: "kube-scheduler-client-cert-key"},
+ ); err != nil {
+ return nil, err
+ }
 return resourceSyncController, nil
 }
diff --git a/pkg/operator/starter.go b/pkg/operator/starter.go
index 8f03ef14c..96fe196fb 100644
--- a/pkg/operator/starter.go
+++ b/pkg/operator/starter.go
@@ -153,11 +153,14 @@ func RunOperator(ctx *controllercmd.ControllerContext) error {
 // the first element should be the configmap that contains the static pod manifest
 var deploymentConfigMaps = []revision.RevisionResource{
 {Name: "kube-scheduler-pod"},
+ {Name: "config"},
+ {Name: "scheduler-kubeconfig"},
+ {Name: "serviceaccount-ca"},
 {Name: "policy-configmap", Optional: true},
 }
 // deploymentSecrets is a list of secrets that are directly copied for the current values. A different actor/controller modifies these.
 var deploymentSecrets = []revision.RevisionResource{
- {Name: "scheduler-kubeconfig"},
+ {Name: "kube-scheduler-client-cert-key"},
 }
diff --git a/pkg/operator/target_config_reconciler_v311_00.go b/pkg/operator/target_config_reconciler_v311_00.go
index 038bfde7f..1b41b3bb2 100644
--- a/pkg/operator/target_config_reconciler_v311_00.go
+++ b/pkg/operator/target_config_reconciler_v311_00.go
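Review bot: `scheduler-kubeconfig` moves from `deploymentSecrets` to `deploymentConfigMaps` in the `starter.go` hunk and nothing records why that is safe: the kubeconfig now contains only path references to the cert and key mounted from the `kube-scheduler-client-cert-key` secret, so a later edit that embeds `client-certificate-data`/`client-key-data` into it would land credentials in a ConfigMap revision. A comment on the new entry, `{Name: "scheduler-kubeconfig"}, // credential-free: the cert/key are mounted from the kube-scheduler-client-cert-key secret listed below`, pins the invariant where the next change to this list will see it. `RunOperator` begins and ends outside the hunk.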
@@ -17,6 +17,7 @@ import (
 "github.com/openshift/library-go/pkg/operator/resource/resourceapply"
 "github.com/openshift/library-go/pkg/operator/resource/resourcemerge"
 "github.com/openshift/library-go/pkg/operator/resource/resourceread"
+ "github.com/openshift/library-go/pkg/operator/resourcesynccontroller"
 "github.com/openshift/library-go/pkg/operator/v1helpers"
 )
@@ -28,6 +29,8 @@ func createTargetConfigReconciler_v311_00_to_latest(c TargetConfigReconciler, re
 directResourceResults := resourceapply.ApplyDirectly(c.kubeClient, c.eventRecorder, v311_00_assets.Asset,
 "v3.11.0/kube-scheduler/ns.yaml",
+ "v3.11.0/kube-scheduler/kubeconfig-cm.yaml",
+ "v3.11.0/kube-scheduler/leader-election-rolebinding.yaml",
 "v3.11.0/kube-scheduler/scheduler-clusterrolebinding.yaml",
 "v3.11.0/kube-scheduler/svc.yaml",
 "v3.11.0/kube-scheduler/sa.yaml",
@@ -41,6 +44,10 @@ func createTargetConfigReconciler_v311_00_to_latest(c TargetConfigReconciler, re
 if err != nil {
 errors = append(errors, fmt.Errorf("%q: %v", "configmap", err))
 }
+ _, _, err = manageServiceAccountCABundle(c.configMapLister, c.kubeClient.CoreV1(), recorder)
+ if err != nil {
+ errors = append(errors, fmt.Errorf("%q: %v", "configmap/serviceaccount-ca", err))
+ }
 _, _, err = managePod_v311_00_to_latest(c.kubeClient.CoreV1(), recorder, operatorConfig, c.targetImagePullSpec)
 if err != nil {
 errors = append(errors, fmt.Errorf("%q: %v", "configmap/kube-scheduler-pod", err))
@@ -130,3 +137,19 @@ func managePod_v311_00_to_latest(client coreclientv1.ConfigMapsGetter, recorder
 configMap.Data["version"] = version.Get().String()
 return resourceapply.ApplyConfigMap(client, recorder, configMap)
 }
+
+func manageServiceAccountCABundle(lister corev1listers.ConfigMapLister, client coreclientv1.ConfigMapsGetter, recorder events.Recorder) (*corev1.ConfigMap, bool, error) {
+ requiredConfigMap, err := resourcesynccontroller.CombineCABundleConfigMaps(
+ resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: "serviceaccount-ca"},
+ lister, client, recorder,
+ // include the ca bundle needed to recognize the server
+ resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalMachineSpecifiedConfigNamespace, Name: "kube-apiserver-server-ca"},
+ // include the ca bundle needed to recognize default
+ // certificates generated by cluster-ingress-operator
+ resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalMachineSpecifiedConfigNamespace, Name: "router-ca"},
+ )
+ if err != nil {
+ return nil, false, err
+ }
+ return resourceapply.ApplyConfigMap(client, recorder, requiredConfigMap)
+}
diff --git a/pkg/operator/v311_00_assets/bindata.go b/pkg/operator/v311_00_assets/bindata.go
index e2e0453b3..5416412a6 100644
--- a/pkg/operator/v311_00_assets/bindata.go
+++ b/pkg/operator/v311_00_assets/bindata.go
@@ -4,6 +4,8 @@
 // bindata/v3.11.0/kube-scheduler/defaultconfig-postbootstrap-with-policy.yaml
 // bindata/v3.11.0/kube-scheduler/defaultconfig-postbootstrap.yaml
 // bindata/v3.11.0/kube-scheduler/defaultconfig.yaml
+// bindata/v3.11.0/kube-scheduler/kubeconfig-cm.yaml
+// bindata/v3.11.0/kube-scheduler/leader-election-rolebinding.yaml
 // bindata/v3.11.0/kube-scheduler/ns.yaml
 // bindata/v3.11.0/kube-scheduler/operator-config.yaml
 // bindata/v3.11.0/kube-scheduler/pod-cm.yaml
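Review bot: `manageServiceAccountCABundle` has no doc comment, and neither its name nor the inline comments say who consumes the bundle it produces, which matters because the `kubeconfig-cm.yaml` added in this commit uses `serviceaccount-ca/ca-bundle.crt` as the `certificate-authority` for the scheduler's loopback connection. A comment such as `// manageServiceAccountCABundle assembles the serviceaccount-ca configmap in the target namespace from the kube-apiserver server CA and the router CA in the machine-specified config namespace; the scheduler's loopback kubeconfig trusts this whole bundle as its server CA.` makes that explicit. With `router-ca` folded in, the scheduler accepts a `localhost:6443` server certificate issued by the ingress CA as well as by the apiserver CA; if the router CA is only needed by consumers of service-account tokens, a separate configmap holding just `kube-apiserver-server-ca` for the kubeconfig would keep the scheduler's server trust to the one issuer it needs. Returning the `CombineCABundleConfigMaps` error unwrapped is consistent with the caller, which prefixes it with `"configmap/serviceaccount-ca"`.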
@@ -82,7 +84,7 @@ func v3110KubeSchedulerCmYaml() (*asset, error) {
 var _v3110KubeSchedulerDefaultconfigPostbootstrapWithPolicyYaml = []byte(`apiVersion: componentconfig/v1alpha1
 kind: KubeSchedulerConfiguration
 clientConnection:
- kubeconfig: /etc/kubernetes/static-pod-resources/secrets/scheduler-kubeconfig/kubeconfig
+ kubeconfig: /etc/kubernetes/static-pod-resources/configmaps/scheduler-kubeconfig/kubeconfig
 algorithmSource:
 policy:
 configMap:
@@ -108,7 +110,7 @@ func v3110KubeSchedulerDefaultconfigPostbootstrapWithPolicyYaml() (*asset, error
 var _v3110KubeSchedulerDefaultconfigPostbootstrapYaml = []byte(`apiVersion: componentconfig/v1alpha1
 kind: KubeSchedulerConfiguration
 clientConnection:
- kubeconfig: /etc/kubernetes/static-pod-resources/secrets/scheduler-kubeconfig/kubeconfig
+ kubeconfig: /etc/kubernetes/static-pod-resources/configmaps/scheduler-kubeconfig/kubeconfig
 `)
 func v3110KubeSchedulerDefaultconfigPostbootstrapYamlBytes() ([]byte, error) {
@@ -145,6 +147,77 @@ func v3110KubeSchedulerDefaultconfigYaml() (*asset, error) {
 return a, nil
 }
+var _v3110KubeSchedulerKubeconfigCmYaml = []byte(`apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: scheduler-kubeconfig
+ namespace: openshift-kube-scheduler
+data:
+ kubeconfig: |
+ apiVersion: v1
+ clusters:
+ - cluster:
+ certificate-authority: /etc/kubernetes/static-pod-resources/configmaps/serviceaccount-ca/ca-bundle.crt
+ server: https://localhost:6443
+ name: loopback
+ contexts:
+ - context:
+ cluster: loopback
+ user: kube-scheduler
+ name: kube-scheduler
+ current-context: kube-scheduler
+ kind: Config
+ preferences: {}
+ users:
+ - name: kube-scheduler
+ user:
+ client-certificate: /etc/kubernetes/static-pod-resources/secrets/kube-scheduler-client-cert-key/tls.crt
+ client-key: /etc/kubernetes/static-pod-resources/secrets/kube-scheduler-client-cert-key/tls.key
+`)
+
+func v3110KubeSchedulerKubeconfigCmYamlBytes() ([]byte, error) {
+ return _v3110KubeSchedulerKubeconfigCmYaml, nil
+}
+
+func v3110KubeSchedulerKubeconfigCmYaml() (*asset, error) {
+ bytes, err := v3110KubeSchedulerKubeconfigCmYamlBytes()
+ if err != nil {
+ return nil, err
+ }
+
+ info := bindataFileInfo{name: "v3.11.0/kube-scheduler/kubeconfig-cm.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)}
+ a := &asset{bytes: bytes, info: info}
+ return a, nil
+}
+
+var _v3110KubeSchedulerLeaderElectionRolebindingYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ namespace: kube-system
+ name: system:openshift:leader-locking-kube-scheduler
+roleRef:
+ kind: Role
+ name: system::leader-locking-kube-scheduler
+subjects:
+ - kind: User
+ name: system:kube-scheduler
+`)
+
+func v3110KubeSchedulerLeaderElectionRolebindingYamlBytes() ([]byte, error) {
+ return _v3110KubeSchedulerLeaderElectionRolebindingYaml, nil
+}
+
+func v3110KubeSchedulerLeaderElectionRolebindingYaml() (*asset, error) {
+ bytes, err := v3110KubeSchedulerLeaderElectionRolebindingYamlBytes()
+ if err != nil {
+ return nil, err
+ }
+
+ info := bindataFileInfo{name: "v3.11.0/kube-scheduler/leader-election-rolebinding.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)}
+ a := &asset{bytes: bytes, info: info}
+ return a, nil
+}
+
 var _v3110KubeSchedulerNsYaml = []byte(`apiVersion: v1
 kind: Namespace
 metadata:
@@ -411,6 +484,8 @@ var _bindata = map[string]func() (*asset, error){
 "v3.11.0/kube-scheduler/defaultconfig-postbootstrap-with-policy.yaml": v3110KubeSchedulerDefaultconfigPostbootstrapWithPolicyYaml,
 "v3.11.0/kube-scheduler/defaultconfig-postbootstrap.yaml": v3110KubeSchedulerDefaultconfigPostbootstrapYaml,
 "v3.11.0/kube-scheduler/defaultconfig.yaml": v3110KubeSchedulerDefaultconfigYaml,
+ "v3.11.0/kube-scheduler/kubeconfig-cm.yaml": v3110KubeSchedulerKubeconfigCmYaml,
+ "v3.11.0/kube-scheduler/leader-election-rolebinding.yaml": v3110KubeSchedulerLeaderElectionRolebindingYaml,
 "v3.11.0/kube-scheduler/ns.yaml": v3110KubeSchedulerNsYaml,
 "v3.11.0/kube-scheduler/operator-config.yaml": v3110KubeSchedulerOperatorConfigYaml,
 "v3.11.0/kube-scheduler/pod-cm.yaml": v3110KubeSchedulerPodCmYaml,
@@ -467,6 +542,8 @@ var _bintree = &bintree{nil, map[string]*bintree{
 "defaultconfig-postbootstrap-with-policy.yaml": {v3110KubeSchedulerDefaultconfigPostbootstrapWithPolicyYaml, map[string]*bintree{}},
 "defaultconfig-postbootstrap.yaml": {v3110KubeSchedulerDefaultconfigPostbootstrapYaml, map[string]*bintree{}},
 "defaultconfig.yaml": {v3110KubeSchedulerDefaultconfigYaml, map[string]*bintree{}},
+ "kubeconfig-cm.yaml": {v3110KubeSchedulerKubeconfigCmYaml, map[string]*bintree{}},
+ "leader-election-rolebinding.yaml": {v3110KubeSchedulerLeaderElectionRolebindingYaml, map[string]*bintree{}},
 "ns.yaml": {v3110KubeSchedulerNsYaml, map[string]*bintree{}},
 "operator-config.yaml": {v3110KubeSchedulerOperatorConfigYaml, map[string]*bintree{}},
 "pod-cm.yaml": {v3110KubeSchedulerPodCmYaml, map[string]*bintree{}},