use kustomize to enable keystone webhook after kubeadm init
It does not add the --authorization-* arguments until after kubeadm init has run.
Once kubeadm init has finished, run kustomize to add the arguments to the kube-apiserver.yaml manifest.

ref: kubernetes/cloud-provider-openstack#2575
okozachenko1203 committed Aug 2, 2024
1 parent 51cedf2 commit dd9fe29
Showing 5 changed files with 59 additions and 28 deletions.
2 changes: 1 addition & 1 deletion magnum_cluster_api/cmd/image_builder.py
Expand Up @@ -67,7 +67,7 @@ def validate_version(_, __, value):
@click.option(
"--image-builder-version",
show_default=True,
default="3f350a5bc1f8e9ecbf25a1f119d14a5d847058df", # https://github.com/kubernetes-sigs/image-builder/pull/1485
default="v0.1.31",
help="Image builder tag (or commit) to use for building image",
)
@click.option(
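Review bot: Assuming the second `default=` line is the new side, `default="v0.1.31"` pins image-builder by tag where the previous default was a full commit hash, and a tag can be re-pointed upstream while a hash cannot. If reproducible image builds matter here, keep the hash that the tag resolves to and record the tag in a trailing comment, as the old line did with its PR link: `default="<commit-sha-of-v0.1.31>",  # v0.1.31`. The decorated command itself lies outside this hunk.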
43 changes: 37 additions & 6 deletions magnum_cluster_api/resources.py
Expand Up @@ -736,6 +736,9 @@ def get_object(self) -> objects.KubeadmControlPlaneTemplate:
"rm /var/lib/etcd/lost+found -rf",
"bash /run/kubeadm/configure-kube-proxy.sh",
],
"postKubeadmCommands": [
"echo PLACEHOLDER",
],
},
},
},
Expand Down Expand Up @@ -1999,18 +2002,46 @@ def get_object(self) -> objects.ClusterClass:
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/authentication-token-webhook-config-file", # noqa: E501
"value": "/etc/kubernetes/webhooks/webhookconfig.yaml",
"path": "/spec/template/spec/kubeadmConfigSpec/files/-",
"value": {
"path": "/etc/kubernetes/keystone-kustomization/kustomization.yml",
"permissions": "0644",
"owner": "root:root",
"content": textwrap.dedent(
"""\
resources:
- kube-apiserver.yaml
patches:
- patch: |-
- op: add
path: /spec/containers/0/command/-
value: --authentication-token-webhook-config-file=/etc/kubernetes/webhooks/webhookconfig.yaml
- op: add
path: /spec/containers/0/command/-
value: --authorization-webhook-config-file=/etc/kubernetes/webhooks/webhookconfig.yaml
- op: add
path: /spec/containers/0/command/-
value: --authorization-mode=Node,RBAC,Webhook
target:
kind: Pod
"""
),
},
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/preKubeadmCommands/-",
"value": "mkdir /etc/kubernetes/keystone-kustomization",
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/authorization-webhook-config-file", # noqa: E501
"value": "/etc/kubernetes/webhooks/webhookconfig.yaml",
"path": "/spec/template/spec/kubeadmConfigSpec/postKubeadmCommands/-",
"value": "cp /etc/kubernetes/manifests/kube-apiserver.yaml /etc/kubernetes/keystone-kustomization/kube-apiserver.yaml",
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/authorization-mode", # noqa: E501
"value": "Node,RBAC,Webhook",
"path": "/spec/template/spec/kubeadmConfigSpec/postKubeadmCommands/-",
"value": "kubectl kustomize /etc/kubernetes/keystone-kustomization -o /etc/kubernetes/manifests/kube-apiserver.yaml",
},
],
}
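Review bot: The last kustomize patch entry appends `--authorization-mode=Node,RBAC,Webhook` to the container command rather than replacing a value, so if the kubeadm-generated kube-apiserver.yaml already carries an `--authorization-mode` flag (not visible on this page) the manifest ends up with two occurrences. It is worth confirming that the API server accepts that and resolves it to the intended mode list, or patching the existing entry instead. The final postKubeadmCommands entry also writes `kubectl kustomize` output straight onto the live static pod manifest with no check of the result; rendering next to the kustomization and moving it into place only on success would be safer, e.g. `kubectl kustomize /etc/kubernetes/keystone-kustomization -o /etc/kubernetes/keystone-kustomization/rendered.yaml && mv /etc/kubernetes/keystone-kustomization/rendered.yaml /etc/kubernetes/manifests/kube-apiserver.yaml`. The preKubeadmCommands entry would be more robust as `mkdir -p /etc/kubernetes/keystone-kustomization`. Both `get_object` bodies start and end outside the hunks shown.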
14 changes: 7 additions & 7 deletions zuul.d/jobs-flatcar.yaml
Expand Up @@ -60,21 +60,21 @@
kube_tag: v1.29.5

- job:
name: magnum-cluster-api-sonobuoy-flatcar-v1.27.8-calico
parent: magnum-cluster-api-sonobuoy-flatcar-v1.27.8
name: magnum-cluster-api-sonobuoy-flatcar-v1.27.14-calico
parent: magnum-cluster-api-sonobuoy-flatcar-v1.27.14
vars:
network_driver: calico

- job:
name: magnum-cluster-api-sonobuoy-flatcar-v1.27.8-cilium
parent: magnum-cluster-api-sonobuoy-flatcar-v1.27.8
name: magnum-cluster-api-sonobuoy-flatcar-v1.27.14-cilium
parent: magnum-cluster-api-sonobuoy-flatcar-v1.27.14
vars:
network_driver: cilium

- project-template:
name: magnum-cluster-api-flatcar
check:
jobs:
- magnum-cluster-api-image-build-flatcar-v1.27.8
- magnum-cluster-api-sonobuoy-flatcar-v1.27.8-calico
- magnum-cluster-api-sonobuoy-flatcar-v1.27.8-cilium
- magnum-cluster-api-image-build-flatcar-v1.27.14
- magnum-cluster-api-sonobuoy-flatcar-v1.27.14-calico
- magnum-cluster-api-sonobuoy-flatcar-v1.27.14-cilium
14 changes: 7 additions & 7 deletions zuul.d/jobs-rockylinux-8.yaml
Expand Up @@ -60,22 +60,22 @@
kube_tag: v1.29.5

- job:
name: magnum-cluster-api-sonobuoy-rockylinux-8-v1.27.8-calico
parent: magnum-cluster-api-sonobuoy-rockylinux-8-v1.27.8
name: magnum-cluster-api-sonobuoy-rockylinux-8-v1.27.14-calico
parent: magnum-cluster-api-sonobuoy-rockylinux-8-v1.27.14
vars:
network_driver: calico

- job:
name: magnum-cluster-api-sonobuoy-rockylinux-8-v1.27.8-cilium
parent: magnum-cluster-api-sonobuoy-rockylinux-8-v1.27.8
name: magnum-cluster-api-sonobuoy-rockylinux-8-v1.27.14-cilium
parent: magnum-cluster-api-sonobuoy-rockylinux-8-v1.27.14
vars:
network_driver: cilium

- project-template:
name: magnum-cluster-api-rockylinux-8
check:
jobs:
- magnum-cluster-api-image-build-rockylinux-8-v1.27.8
- magnum-cluster-api-sonobuoy-rockylinux-8-v1.27.8-calico
- magnum-cluster-api-sonobuoy-rockylinux-8-v1.27.8-cilium
- magnum-cluster-api-image-build-rockylinux-8-v1.27.14
- magnum-cluster-api-sonobuoy-rockylinux-8-v1.27.14-calico
- magnum-cluster-api-sonobuoy-rockylinux-8-v1.27.14-cilium

14 changes: 7 additions & 7 deletions zuul.d/jobs-rockylinux-9.yaml
Expand Up @@ -60,22 +60,22 @@
kube_tag: v1.29.5

- job:
name: magnum-cluster-api-sonobuoy-rockylinux-9-v1.27.8-calico
parent: magnum-cluster-api-sonobuoy-rockylinux-9-v1.27.8
name: magnum-cluster-api-sonobuoy-rockylinux-9-v1.27.14-calico
parent: magnum-cluster-api-sonobuoy-rockylinux-9-v1.27.14
vars:
network_driver: calico

- job:
name: magnum-cluster-api-sonobuoy-rockylinux-9-v1.27.8-cilium
parent: magnum-cluster-api-sonobuoy-rockylinux-9-v1.27.8
name: magnum-cluster-api-sonobuoy-rockylinux-9-v1.27.14-cilium
parent: magnum-cluster-api-sonobuoy-rockylinux-9-v1.27.14
vars:
network_driver: cilium

- project-template:
name: magnum-cluster-api-rockylinux-9
check:
jobs:
- magnum-cluster-api-image-build-rockylinux-9-v1.27.8
- magnum-cluster-api-sonobuoy-rockylinux-9-v1.27.8-calico
- magnum-cluster-api-sonobuoy-rockylinux-9-v1.27.8-cilium
- magnum-cluster-api-image-build-rockylinux-9-v1.27.14
- magnum-cluster-api-sonobuoy-rockylinux-9-v1.27.14-calico
- magnum-cluster-api-sonobuoy-rockylinux-9-v1.27.14-cilium
