// Package gcp generates Machine objects for gcp.
package gcp
import (
"context"
"encoding/json"
"fmt"
"sort"
"github.com/pkg/errors"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
v1 "github.com/openshift/api/config/v1"
machinev1 "github.com/openshift/api/machine/v1"
machineapi "github.com/openshift/api/machine/v1beta1"
gcpconfig "github.com/openshift/installer/pkg/asset/installconfig/gcp"
"github.com/openshift/installer/pkg/types"
"github.com/openshift/installer/pkg/types/gcp"
)
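// Machines returns one control-plane Machine per replica of the given machine
// pool together with the ControlPlaneMachineSet (CPMS) that manages them.
//
// Replicas default to 1 when pool.Replicas is nil and are placed round-robin
// across mpool.Zones in the order given. The CPMS template is a deep copy of
// the last generated provider spec with its Zone cleared, and its failure
// domains list every zone of the pool in sorted order.
//
// Returns an error when the install-config or the pool is not for GCP, when the
// pool declares no zones (there is nothing to place machines in), or when a
// provider spec cannot be built.
func Machines(clusterID string, config *types.InstallConfig, pool *types.MachinePool, osImage, role, userDataSecret string) ([]machineapi.Machine, *machinev1.ControlPlaneMachineSet, error) {
	if configPlatform := config.Platform.Name(); configPlatform != gcp.Name {
		return nil, nil, fmt.Errorf("non-GCP configuration: %q", configPlatform)
	}
	if poolPlatform := pool.Platform.Name(); poolPlatform != gcp.Name {
		return nil, nil, fmt.Errorf("non-GCP machine-pool: %q", poolPlatform)
	}
	platform := config.Platform.GCP
	mpool := pool.Platform.GCP
	credentialsMode := config.CredentialsMode

	// Zone selection below is idx % len(azs); an empty zone list would panic
	// with a division by zero, so reject it up front with a readable error.
	azs := mpool.Zones
	if len(azs) == 0 {
		return nil, nil, fmt.Errorf("no zones configured for %s machine pool %q", role, pool.Name)
	}

	total := int64(1)
	if pool.Replicas != nil {
		total = *pool.Replicas
	}

	var machines []machineapi.Machine
	machineSetProvider := &machineapi.GCPMachineProviderSpec{}
	for idx := int64(0); idx < total; idx++ {
		azIndex := int(idx) % len(azs)
		spec, err := provider(clusterID, platform, mpool, osImage, azIndex, role, userDataSecret, credentialsMode)
		if err != nil {
			return nil, nil, errors.Wrap(err, "failed to create provider")
		}
		machines = append(machines, machineapi.Machine{
			TypeMeta: metav1.TypeMeta{
				APIVersion: "machine.openshift.io/v1beta1",
				Kind:       "Machine",
			},
			ObjectMeta: metav1.ObjectMeta{
				Namespace: "openshift-machine-api",
				Name:      fmt.Sprintf("%s-%s-%d", clusterID, pool.Name, idx),
				Labels: map[string]string{
					"machine.openshift.io/cluster-api-cluster":      clusterID,
					"machine.openshift.io/cluster-api-machine-role": role,
					"machine.openshift.io/cluster-api-machine-type": role,
				},
			},
			Spec: machineapi.MachineSpec{
				ProviderSpec: machineapi.ProviderSpec{
					Value: &runtime.RawExtension{Object: spec},
				},
				// Versions are deliberately unset: operators control them.
			},
		})
		// Deep-copy instead of assigning the struct value: a shallow copy would
		// share the disk, network-interface, service-account and label
		// slices/maps between the last Machine and the CPMS template, so a
		// later edit of one would silently leak into the other.
		machineSetProvider = spec.DeepCopy()
	}

	// Failure domains are emitted in sorted order. Sort a copy so the caller's
	// pool (whose zone order drove machine placement above) is not reordered
	// as a side effect.
	zones := append([]string(nil), azs...)
	sort.Strings(zones)
	failureDomains := make([]machinev1.GCPFailureDomain, 0, len(zones))
	for _, zone := range zones {
		failureDomains = append(failureDomains, machinev1.GCPFailureDomain{Zone: zone})
	}

	// The template carries no zone of its own; the CPMS is expected to fill it
	// in per failure domain.
	machineSetProvider.Zone = ""
	replicas := int32(total)

	controlPlaneMachineSet := &machinev1.ControlPlaneMachineSet{
		TypeMeta: metav1.TypeMeta{
			APIVersion: "machine.openshift.io/v1",
			Kind:       "ControlPlaneMachineSet",
		},
		ObjectMeta: metav1.ObjectMeta{
			Namespace: "openshift-machine-api",
			Name:      "cluster",
			Labels: map[string]string{
				"machine.openshift.io/cluster-api-cluster": clusterID,
			},
		},
		Spec: machinev1.ControlPlaneMachineSetSpec{
			Replicas: &replicas,
			State:    machinev1.ControlPlaneMachineSetStateActive,
			Selector: metav1.LabelSelector{
				MatchLabels: map[string]string{
					"machine.openshift.io/cluster-api-machine-role": role,
					"machine.openshift.io/cluster-api-machine-type": role,
					"machine.openshift.io/cluster-api-cluster":      clusterID,
				},
			},
			Template: machinev1.ControlPlaneMachineSetTemplate{
				MachineType: machinev1.OpenShiftMachineV1Beta1MachineType,
				OpenShiftMachineV1Beta1Machine: &machinev1.OpenShiftMachineV1Beta1MachineTemplate{
					FailureDomains: machinev1.FailureDomains{
						Platform: v1.GCPPlatformType,
						GCP:      &failureDomains,
					},
					ObjectMeta: machinev1.ControlPlaneMachineSetTemplateObjectMeta{
						Labels: map[string]string{
							"machine.openshift.io/cluster-api-cluster":      clusterID,
							"machine.openshift.io/cluster-api-machine-role": role,
							"machine.openshift.io/cluster-api-machine-type": role,
						},
					},
					Spec: machineapi.MachineSpec{
						ProviderSpec: machineapi.ProviderSpec{
							Value: &runtime.RawExtension{Object: machineSetProvider},
						},
					},
				},
			},
		},
	}
	return machines, controlPlaneMachineSet, nil
}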
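// provider builds the GCPMachineProviderSpec for one machine of the pool.
//
// azIdx selects the zone from mpool.Zones. osImage is the default boot image
// and is overridden by mpool.OSImage when that is set. role ("master" or
// "worker") drives the network/subnet lookup, the network tag and the name of
// the installer-created instance service account. credentialsMode is accepted
// for interface compatibility but is not consulted here.
//
// Security notes:
//   - Instances get the broad "cloud-platform" OAuth scope; their effective
//     permissions are bounded only by the IAM roles bound to the service
//     account, so that account must be kept least-privilege.
//   - For a shared-VPC control plane (platform.NetworkProjectID set) with no
//     mpool.ServiceAccount, the instances run as the service account taken from
//     the installer's own credentials (client_email). That identity typically
//     holds far broader IAM roles than a node needs; prefer an explicit,
//     narrowly scoped mpool.ServiceAccount.
//   - Customer-managed disk encryption is applied only when
//     mpool.OSDisk.EncryptionKey is set; an EncryptionKey without a KMSKey is
//     reported as an error rather than silently falling back to no CMEK.
//
// Returns an error for an out-of-range azIdx, an empty role, an unresolvable
// network/subnet, a malformed encryption key, or when the installer
// credentials cannot be read for the shared-VPC fallback.
func provider(clusterID string, platform *gcp.Platform, mpool *gcp.MachinePool, osImage string, azIdx int, role, userDataSecret string, credentialsMode types.CredentialsMode) (*machineapi.GCPMachineProviderSpec, error) {
	if azIdx < 0 || azIdx >= len(mpool.Zones) {
		return nil, fmt.Errorf("zone index %d out of range for %d configured zones", azIdx, len(mpool.Zones))
	}
	az := mpool.Zones[azIdx]
	// role[:1] below would panic on an empty role.
	if role == "" {
		return nil, errors.New("machine role must not be empty")
	}

	if mpool.OSImage != nil {
		osImage = fmt.Sprintf("projects/%s/global/images/%s", mpool.OSImage.Project, mpool.OSImage.Name)
	}
	network, subnetwork, err := getNetworks(platform, clusterID, role)
	if err != nil {
		return nil, err
	}

	var encryptionKey *machineapi.GCPEncryptionKeyReference
	if ek := mpool.OSDisk.EncryptionKey; ek != nil {
		if ek.KMSKey == nil {
			return nil, errors.New("osDisk encryptionKey is set but has no kmsKey")
		}
		encryptionKey = &machineapi.GCPEncryptionKeyReference{
			KMSKey: &machineapi.GCPKMSKeyReference{
				Name:      ek.KMSKey.Name,
				KeyRing:   ek.KMSKey.KeyRing,
				ProjectID: ek.KMSKey.ProjectID,
				Location:  ek.KMSKey.Location,
			},
			KMSKeyServiceAccount: ek.KMSKeyServiceAccount,
		}
	}

	// The installer creates a per-role service account named
	// "<clusterID>-<first letter of role>@<project>.iam.gserviceaccount.com";
	// the same convention is used for control-plane nodes in a vanilla install.
	// In a shared-VPC (xpn) install the control plane instead uses an existing
	// account: the user-supplied mpool.ServiceAccount, or failing that the
	// account behind the installer's own credentials.
	instanceServiceAccount := fmt.Sprintf("%s-%s@%s.iam.gserviceaccount.com", clusterID, role[:1], platform.ProjectID)
	if role == "master" && len(platform.NetworkProjectID) > 0 {
		instanceServiceAccount = mpool.ServiceAccount
		if instanceServiceAccount == "" {
			// NOTE(review): this hands the installer's credential identity to
			// every control-plane node; confirm that account is scoped down.
			email, err := installerCredentialsEmail(context.TODO())
			if err != nil {
				return nil, err
			}
			instanceServiceAccount = email
		}
	}

	// Only an explicit "Enabled" is mapped; any other value leaves the field
	// empty so the machine API's own default applies.
	shieldedInstanceConfig := machineapi.GCPShieldedInstanceConfig{}
	if mpool.SecureBoot == string(machineapi.SecureBootPolicyEnabled) {
		shieldedInstanceConfig.SecureBoot = machineapi.SecureBootPolicyEnabled
	}

	// The same label map is attached to both the boot disk and the instance.
	labels := make(map[string]string, len(platform.UserLabels))
	for _, label := range platform.UserLabels {
		labels[label.Key] = label.Value
	}

	// Build the tag list in a fresh slice: appending directly to mpool.Tags
	// could write into the caller's backing array when it has spare capacity.
	tags := make([]string, 0, len(mpool.Tags)+1)
	tags = append(tags, mpool.Tags...)
	tags = append(tags, fmt.Sprintf("%s-%s", clusterID, role))

	return &machineapi.GCPMachineProviderSpec{
		TypeMeta: metav1.TypeMeta{
			APIVersion: "machine.openshift.io/v1beta1",
			Kind:       "GCPMachineProviderSpec",
		},
		UserDataSecret:    &corev1.LocalObjectReference{Name: userDataSecret},
		CredentialsSecret: &corev1.LocalObjectReference{Name: "gcp-cloud-credentials"},
		Disks: []*machineapi.GCPDisk{{
			AutoDelete:    true,
			Boot:          true,
			SizeGB:        mpool.OSDisk.DiskSizeGB,
			Type:          mpool.OSDisk.DiskType,
			Image:         osImage,
			Labels:        labels,
			EncryptionKey: encryptionKey,
		}},
		NetworkInterfaces: []*machineapi.GCPNetworkInterface{{
			Network:    network,
			ProjectID:  platform.NetworkProjectID,
			Subnetwork: subnetwork,
		}},
		ServiceAccounts: []machineapi.GCPServiceAccount{{
			Email:  instanceServiceAccount,
			Scopes: []string{"https://www.googleapis.com/auth/cloud-platform"},
		}},
		Tags:                   tags,
		MachineType:            mpool.InstanceType,
		Region:                 platform.Region,
		Zone:                   az,
		ProjectID:              platform.ProjectID,
		ShieldedInstanceConfig: shieldedInstanceConfig,
		ConfidentialCompute:    machineapi.ConfidentialComputePolicy(mpool.ConfidentialCompute),
		OnHostMaintenance:      machineapi.GCPHostMaintenanceType(mpool.OnHostMaintenance),
		Labels:                 labels,
	}, nil
}

// installerCredentialsEmail returns the client_email of the service-account
// key backing the installer's GCP session. It fails when the session cannot be
// opened, when the credential JSON does not parse, or when it carries no
// non-empty client_email (e.g. credentials that are not a service-account key).
func installerCredentialsEmail(ctx context.Context) (string, error) {
	sess, err := gcpconfig.GetSession(ctx)
	if err != nil {
		return "", err
	}
	creds := make(map[string]interface{})
	if err := json.Unmarshal(sess.Credentials.JSON, &creds); err != nil {
		return "", err
	}
	email, ok := creds["client_email"].(string)
	if !ok || email == "" {
		return "", errors.New("could not find google service account")
	}
	return email, nil
}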
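// ConfigMasters assigns the API load-balancer target pools to every
// control-plane Machine and to the ControlPlaneMachineSet template.
//
// Only an externally published cluster gets a target pool ("<clusterID>-api");
// for any other publishing strategy TargetPools is set to nil on every spec.
// Every provider spec must be a *GCPMachineProviderSpec as produced by
// Machines; a missing or mismatched spec (on a machine or on the CPMS) is
// reported as an error instead of panicking on the type assertion.
func ConfigMasters(machines []machineapi.Machine, controlPlane *machinev1.ControlPlaneMachineSet, clusterID string, publish types.PublishingStrategy) error {
	var targetPools []string
	if publish == types.ExternalPublishingStrategy {
		targetPools = []string{fmt.Sprintf("%s-api", clusterID)}
	}

	// The machine structs are iterated by index, but the provider spec is
	// reached through a pointer, so the assignment lands on the caller's data.
	for i := range machines {
		value := machines[i].Spec.ProviderSpec.Value
		if value == nil {
			return fmt.Errorf("machine %q has no provider spec", machines[i].Name)
		}
		providerSpec, ok := value.Object.(*machineapi.GCPMachineProviderSpec)
		if !ok {
			return fmt.Errorf("machine %q provider spec is not a GCPMachineProviderSpec", machines[i].Name)
		}
		providerSpec.TargetPools = targetPools
	}

	if controlPlane == nil ||
		controlPlane.Spec.Template.OpenShiftMachineV1Beta1Machine == nil ||
		controlPlane.Spec.Template.OpenShiftMachineV1Beta1Machine.Spec.ProviderSpec.Value == nil {
		return errors.New("Unable to set target pools to control plane machine set")
	}
	cpSpec, ok := controlPlane.Spec.Template.OpenShiftMachineV1Beta1Machine.Spec.ProviderSpec.Value.Object.(*machineapi.GCPMachineProviderSpec)
	if !ok {
		return errors.New("Unable to set target pools to control plane machine set")
	}
	cpSpec.TargetPools = targetPools
	return nil
}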
// getNetworks resolves the VPC network and subnet a machine of the given role
// attaches to.
//
// Without a user-supplied platform.Network the installer-created names
// "<clusterID>-network" and "<clusterID>-<role>-subnet" are returned for any
// role. With a bring-your-own network only "master" (control-plane subnet) and
// "worker" (compute subnet) are recognised; any other role is an error.
func getNetworks(platform *gcp.Platform, clusterID, role string) (string, string, error) {
	if len(platform.Network) == 0 {
		network := fmt.Sprintf("%s-network", clusterID)
		subnet := fmt.Sprintf("%s-%s-subnet", clusterID, role)
		return network, subnet, nil
	}

	var subnet string
	switch role {
	case "master":
		subnet = platform.ControlPlaneSubnet
	case "worker":
		subnet = platform.ComputeSubnet
	default:
		return "", "", fmt.Errorf("unrecognized machine role %s", role)
	}
	return platform.Network, subnet, nil
}