feat: enable KubePrism by default

Fixes #7787 Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
siderolabs · Sep 25, 2023 · 3901374 · 3901374
1 parent 1beb5e8
commit 3901374
Show file tree

Hide file tree

Showing 11 changed files with 60 additions and 26 deletions.
diff --git a/cmd/talosctl/cmd/mgmt/cluster/create.go b/cmd/talosctl/cmd/mgmt/cluster/create.go
@@ -520,11 +520,9 @@ func create(ctx context.Context, flags *pflag.FlagSet) (err error) {
 			)
 		}
 
-		if kubePrismPort > 0 {
-			genOptions = append(genOptions,
-				generate.WithKubePrismPort(kubePrismPort),
-			)
-		}
+		genOptions = append(genOptions,
+			generate.WithKubePrismPort(kubePrismPort),
+		)
 
 		defaultInternalLB, defaultEndpoint := provisioner.GetLoadBalancers(request.Network)
 
@@ -1000,7 +998,7 @@ func init() {
 	createCmd.Flags().StringVar(&extraBootKernelArgs, "extra-boot-kernel-args", "", "add extra kernel args to the initial boot from vmlinuz and initramfs (QEMU only)")
 	createCmd.Flags().BoolVar(&dockerDisableIPv6, "docker-disable-ipv6", false, "skip enabling IPv6 in containers (Docker only)")
 	createCmd.Flags().IntVar(&controlPlanePort, controlPlanePortFlag, constants.DefaultControlPlanePort, "control plane port (load balancer and local API port)")
-	createCmd.Flags().IntVar(&kubePrismPort, kubePrismFlag, 0, "KubePrism port (defaults to 0 - disabled)")
+	createCmd.Flags().IntVar(&kubePrismPort, kubePrismFlag, constants.DefaultKubePrismPort, "KubePrism port (set to 0 to disable)")
 	createCmd.Flags().BoolVar(&dhcpSkipHostname, "disable-dhcp-hostname", false, "skip announcing hostname via DHCP (QEMU only)")
 	createCmd.Flags().BoolVar(&skipBootPhaseFinishedCheck, "skip-boot-phase-finished-check", false, "skip waiting for node to finish boot phase")
 	createCmd.Flags().BoolVar(&networkChaos, "with-network-chaos", false, "enable to use network chaos parameters when creating a qemu cluster")

diff --git a/hack/release.toml b/hack/release.toml
@@ -47,6 +47,11 @@ Previously, [network device selectors](https://www.talos.dev/v1.6/talos-guides/n
 """
 
 
+    [notes.kubeprism]
+        title = "KubePrism"
+        description = """\
+[KubePrism](https://www.talos.dev/v1.6/kubernetes-guides/configuration/kubeprism/) is enabled by default on port 7445.
+"""
 
 [make_deps]
 

diff --git a/hack/test/e2e-qemu.sh b/hack/test/e2e-qemu.sh
@@ -44,7 +44,7 @@ esac
 
 case "${WITH_CLUSTER_DISCOVERY:-true}" in
   false)
-    QEMU_FLAGS+=("--with-cluster-discovery=false")
+    QEMU_FLAGS+=("--with-cluster-discovery=false --kubeprism-port=0") # disable both KubePrism and cluster discovery
     ;;
 esac
 

diff --git a/pkg/machinery/config/contract.go b/pkg/machinery/config/contract.go
@@ -165,3 +165,8 @@ func (contract *VersionContract) SecretboxEncryptionSupported() bool {
 func (contract *VersionContract) DiskQuotaSupportEnabled() bool {
 	return contract.Greater(TalosVersion1_4)
 }
+
+// KubePrismEnabled returns true if KubePrism should be enabled by default.
+func (contract *VersionContract) KubePrismEnabled() bool {
+	return contract.Greater(TalosVersion1_5)
+}
diff --git a/pkg/machinery/config/contract_test.go b/pkg/machinery/config/contract_test.go
@@ -66,6 +66,7 @@ func TestContractCurrent(t *testing.T) {
 	assert.True(t, contract.KubeletManifestsDirectoryDisabled())
 	assert.True(t, contract.SecretboxEncryptionSupported())
 	assert.True(t, contract.DiskQuotaSupportEnabled())
+	assert.True(t, contract.KubePrismEnabled())
 }
 
 func TestContract1_6(t *testing.T) {
@@ -90,6 +91,7 @@ func TestContract1_6(t *testing.T) {
 	assert.True(t, contract.KubeletManifestsDirectoryDisabled())
 	assert.True(t, contract.SecretboxEncryptionSupported())
 	assert.True(t, contract.DiskQuotaSupportEnabled())
+	assert.True(t, contract.KubePrismEnabled())
 }
 
 func TestContract1_5(t *testing.T) {
@@ -114,6 +116,7 @@ func TestContract1_5(t *testing.T) {
 	assert.True(t, contract.KubeletManifestsDirectoryDisabled())
 	assert.True(t, contract.SecretboxEncryptionSupported())
 	assert.True(t, contract.DiskQuotaSupportEnabled())
+	assert.False(t, contract.KubePrismEnabled())
 }
 
 func TestContract1_4(t *testing.T) {
@@ -138,6 +141,7 @@ func TestContract1_4(t *testing.T) {
 	assert.True(t, contract.KubeletManifestsDirectoryDisabled())
 	assert.True(t, contract.SecretboxEncryptionSupported())
 	assert.False(t, contract.DiskQuotaSupportEnabled())
+	assert.False(t, contract.KubePrismEnabled())
 }
 
 func TestContract1_3(t *testing.T) {
@@ -162,6 +166,7 @@ func TestContract1_3(t *testing.T) {
 	assert.True(t, contract.KubeletManifestsDirectoryDisabled())
 	assert.True(t, contract.SecretboxEncryptionSupported())
 	assert.False(t, contract.DiskQuotaSupportEnabled())
+	assert.False(t, contract.KubePrismEnabled())
 }
 
 func TestContract1_2(t *testing.T) {
@@ -186,6 +191,7 @@ func TestContract1_2(t *testing.T) {
 	assert.False(t, contract.KubeletManifestsDirectoryDisabled())
 	assert.False(t, contract.SecretboxEncryptionSupported())
 	assert.False(t, contract.DiskQuotaSupportEnabled())
+	assert.False(t, contract.KubePrismEnabled())
 }
 
 func TestContract1_1(t *testing.T) {
@@ -210,6 +216,7 @@ func TestContract1_1(t *testing.T) {
 	assert.False(t, contract.KubeletManifestsDirectoryDisabled())
 	assert.False(t, contract.SecretboxEncryptionSupported())
 	assert.False(t, contract.DiskQuotaSupportEnabled())
+	assert.False(t, contract.KubePrismEnabled())
 }
 
 func TestContract1_0(t *testing.T) {
@@ -234,6 +241,7 @@ func TestContract1_0(t *testing.T) {
 	assert.False(t, contract.KubeletManifestsDirectoryDisabled())
 	assert.False(t, contract.SecretboxEncryptionSupported())
 	assert.False(t, contract.DiskQuotaSupportEnabled())
+	assert.False(t, contract.KubePrismEnabled())
 }
 
 func TestContract0_14(t *testing.T) {
@@ -258,6 +266,7 @@ func TestContract0_14(t *testing.T) {
 	assert.False(t, contract.KubeletManifestsDirectoryDisabled())
 	assert.False(t, contract.SecretboxEncryptionSupported())
 	assert.False(t, contract.DiskQuotaSupportEnabled())
+	assert.False(t, contract.KubePrismEnabled())
 }
 
 func TestContract0_13(t *testing.T) {
@@ -282,6 +291,7 @@ func TestContract0_13(t *testing.T) {
 	assert.False(t, contract.KubeletManifestsDirectoryDisabled())
 	assert.False(t, contract.SecretboxEncryptionSupported())
 	assert.False(t, contract.DiskQuotaSupportEnabled())
+	assert.False(t, contract.KubePrismEnabled())
 }
 
 func TestContract0_12(t *testing.T) {
@@ -306,6 +316,7 @@ func TestContract0_12(t *testing.T) {
 	assert.False(t, contract.KubeletManifestsDirectoryDisabled())
 	assert.False(t, contract.SecretboxEncryptionSupported())
 	assert.False(t, contract.DiskQuotaSupportEnabled())
+	assert.False(t, contract.KubePrismEnabled())
 }
 
 func TestContract0_11(t *testing.T) {
@@ -330,6 +341,7 @@ func TestContract0_11(t *testing.T) {
 	assert.False(t, contract.KubeletManifestsDirectoryDisabled())
 	assert.False(t, contract.SecretboxEncryptionSupported())
 	assert.False(t, contract.DiskQuotaSupportEnabled())
+	assert.False(t, contract.KubePrismEnabled())
 }
 
 func TestContract0_10(t *testing.T) {
@@ -354,6 +366,7 @@ func TestContract0_10(t *testing.T) {
 	assert.False(t, contract.KubeletManifestsDirectoryDisabled())
 	assert.False(t, contract.SecretboxEncryptionSupported())
 	assert.False(t, contract.DiskQuotaSupportEnabled())
+	assert.False(t, contract.KubePrismEnabled())
 }
 
 func TestContract0_9(t *testing.T) {
@@ -378,6 +391,7 @@ func TestContract0_9(t *testing.T) {
 	assert.False(t, contract.KubeletManifestsDirectoryDisabled())
 	assert.False(t, contract.SecretboxEncryptionSupported())
 	assert.False(t, contract.DiskQuotaSupportEnabled())
+	assert.False(t, contract.KubePrismEnabled())
 }
 
 func TestContract0_8(t *testing.T) {
@@ -402,4 +416,5 @@ func TestContract0_8(t *testing.T) {
 	assert.False(t, contract.KubeletManifestsDirectoryDisabled())
 	assert.False(t, contract.SecretboxEncryptionSupported())
 	assert.False(t, contract.DiskQuotaSupportEnabled())
+	assert.False(t, contract.KubePrismEnabled())
 }
diff --git a/pkg/machinery/config/generate/init.go b/pkg/machinery/config/generate/init.go
@@ -73,10 +73,17 @@ func (in *Input) init() ([]config.Document, error) {
 		machine.MachineFeatures.DiskQuotaSupport = pointer.To(true)
 	}
 
-	if in.Options.KubePrismPort > 0 {
+	if kubePrismPort, optionSet := in.Options.KubePrismPort.Get(); optionSet { // default to enabled, but if set explicitly, allow it to be disabled
+		if kubePrismPort > 0 {
+			machine.MachineFeatures.KubePrismSupport = &v1alpha1.KubePrism{
+				ServerEnabled: pointer.To(true),
+				ServerPort:    kubePrismPort,
+			}
+		}
+	} else if in.Options.VersionContract.KubePrismEnabled() {
 		machine.MachineFeatures.KubePrismSupport = &v1alpha1.KubePrism{
 			ServerEnabled: pointer.To(true),
-			ServerPort:    in.Options.KubePrismPort,
+			ServerPort:    constants.DefaultKubePrismPort,
 		}
 	}
 

diff --git a/pkg/machinery/config/generate/options.go b/pkg/machinery/config/generate/options.go
@@ -5,6 +5,7 @@
 package generate
 
 import (
+	"github.com/siderolabs/gen/optional"
 	"github.com/siderolabs/go-pointer"
 
 	"github.com/siderolabs/talos/pkg/machinery/config"
@@ -34,10 +35,13 @@ func WithLocalAPIServerPort(port int) Option {
 	}
 }
 
-// WithKubePrismPort specifies the KubePrism port. If 0, load balancer is disabled.
+// WithKubePrismPort specifies the KubePrism port.
+//
+// If 0, load balancer is disabled.
+// If not set, defaults to enabled with Talos 1.6+.
 func WithKubePrismPort(port int) Option {
 	return func(o *Options) error {
-		o.KubePrismPort = port
+		o.KubePrismPort = optional.Some(port)
 
 		return nil
 	}
@@ -295,7 +299,7 @@ type Options struct {
 	AdditionalSubjectAltNames      []string
 	DiscoveryEnabled               *bool
 
-	KubePrismPort int
+	KubePrismPort optional.Optional[int]
 
 	// Client options.
 	Roles        role.Set

diff --git a/pkg/machinery/config/generate/worker.go b/pkg/machinery/config/generate/worker.go
@@ -74,10 +74,17 @@ func (in *Input) worker() ([]config.Document, error) {
 		machine.MachineFeatures.DiskQuotaSupport = pointer.To(true)
 	}
 
-	if in.Options.KubePrismPort > 0 {
+	if kubePrismPort, optionSet := in.Options.KubePrismPort.Get(); optionSet { // default to enabled, but if set explicitly, allow it to be disabled
+		if kubePrismPort > 0 {
+			machine.MachineFeatures.KubePrismSupport = &v1alpha1.KubePrism{
+				ServerEnabled: pointer.To(true),
+				ServerPort:    kubePrismPort,
+			}
+		}
+	} else if in.Options.VersionContract.KubePrismEnabled() {
 		machine.MachineFeatures.KubePrismSupport = &v1alpha1.KubePrism{
 			ServerEnabled: pointer.To(true),
-			ServerPort:    in.Options.KubePrismPort,
+			ServerPort:    constants.DefaultKubePrismPort,
 		}
 	}
 

diff --git a/pkg/machinery/constants/constants.go b/pkg/machinery/constants/constants.go
@@ -897,6 +897,9 @@ const (
 	// TcellMinimizeEnvironment is the environment variable to minimize tcell library memory usage (skips rune width calculation).
 	TcellMinimizeEnvironment = "TCELL_MINIMIZE=1"
 
+	// DefaultKubePrismPort is the default port for the KubePrism loadbalancer.
+	DefaultKubePrismPort = 7445
+
 	// KubePrismDialTimeout is the timeout for the KubePrism loadbalancer dialing an endpoint.
 	KubePrismDialTimeout = 15 * time.Second
 

diff --git a/website/content/v1.6/kubernetes-guides/configuration/kubeprism.md b/website/content/v1.6/kubernetes-guides/configuration/kubeprism.md
@@ -22,17 +22,7 @@ To see a live demo of this writeup, see the video below:
 
 ## Enabling KubePrism
 
-> As of Talos 1.5, KubePrism is not enabled by default.
-
-To enable KubePrism, apply the following machine config patch either during the machine config generation, or to a running cluster (the patch should be applied to all nodes):
-
-```yaml
-machine:
-  features:
-    kubeprism:
-      enabled: true
-      port: 7445
-```
+As of Talos 1.6, KubePrism is enabled by default with port 7445.
 
 > Note: the `port` specified should be available on every node in the cluster.
 

diff --git a/website/content/v1.6/reference/cli.md b/website/content/v1.6/reference/cli.md
@@ -132,7 +132,7 @@ talosctl cluster create [flags]
       --ipv4                                     enable IPv4 network in the cluster (default true)
       --ipv6                                     enable IPv6 network in the cluster (QEMU provisioner only)
       --iso-path string                          the ISO path to use for the initial boot (VM only)
-      --kubeprism-port int                       KubePrism port (defaults to 0 - disabled)
+      --kubeprism-port int                       KubePrism port (set to 0 to disable) (default 7445)
       --kubernetes-version string                desired kubernetes version to run (default "1.28.2")
       --memory int                               the limit on memory usage in MB (each control plane/VM) (default 2048)
       --memory-workers int                       the limit on memory usage in MB (each worker/VM) (default 2048)