From 280db9a796d5e1c2b3b75aa3036fcfe44f669909 Mon Sep 17 00:00:00 2001 
From: fabriziopandini Date: Wed, 3 Feb 2021 16:52:20 +0100 Subject: [PATCH] Run webhooks with managers --- Makefile | 47 +++++---- Tiltfile | 4 +- .../kubeadm/config/default/kustomization.yaml | 52 ++++++++++ .../config/default/kustomizeconfig.yaml | 4 + .../default}/manager_auth_proxy_patch.yaml | 4 - .../manager_image_patch.yaml | 0 .../manager_pull_policy.yaml | 0 .../default}/manager_webhook_patch.yaml | 3 - .../webhookcainjection_patch.yaml | 0 bootstrap/kubeadm/config/kustomization.yaml | 23 ----- .../kubeadm/config/manager/kustomization.yaml | 5 - bootstrap/kubeadm/config/manager/manager.yaml | 5 +- .../config/patch_crd_webhook_namespace.yaml | 3 - .../kubeadm/config/rbac/kustomization.yaml | 3 - .../kubeadm/config/webhook/kustomization.yaml | 37 ------- .../config/webhook/kustomizeconfig.yaml | 2 - bootstrap/kubeadm/main.go | 12 +-- .../hack/create-local-repository.py | 8 +- config/ci/kustomization.yaml | 19 ---- config/ci/manager/kustomization.yaml | 12 --- config/ci/manager_role_aggregation_patch.yaml | 15 --- config/ci/namespace.yaml | 6 -- config/ci/rbac/kustomization.yaml | 19 ---- config/ci/rbac/leader_election_role.yaml | 45 --------- .../ci/rbac/leader_election_role_binding.yaml | 12 --- config/default/kustomization.yaml | 53 ++++++++++ config/default/kustomizeconfig.yaml | 4 + .../manager_auth_proxy_patch.yaml | 5 - .../manager_image_patch.yaml | 0 .../manager_pull_policy.yaml | 0 .../default}/manager_webhook_patch.yaml | 4 - .../webhookcainjection_patch.yaml | 0 config/kustomization.yaml | 41 -------- config/manager/kustomization.yaml | 7 -- config/manager/manager.yaml | 5 +- config/manager/manager_auth_proxy_patch.yaml | 26 ----- config/manager/manager_image_patch.yaml | 11 --- config/patch_crd_webhook_namespace.yaml | 3 - config/rbac/kustomization.yaml | 8 -- config/webhook/kustomization.yaml | 37 ------- config/webhook/kustomizeconfig.yaml | 2 - config/webhook/namespace.yaml | 6 -- .../kubeadm/config/default/kustomization.yaml | 55 ++++++++++- 
.../config/default/kustomizeconfig.yaml | 4 + .../default}/manager_auth_proxy_patch.yaml | 5 - .../manager_image_patch.yaml | 0 .../config/default}/manager_pull_policy.yaml | 0 .../default}/manager_webhook_patch.yaml | 4 - .../webhookcainjection_patch.yaml | 0 .../kubeadm/config/kustomization.yaml | 17 ---- .../kubeadm/config/manager/kustomization.yaml | 5 - .../kubeadm/config/manager/manager.yaml | 3 +- .../config/patch_crd_webhook_namespace.yaml | 3 - .../kubeadm/config/webhook/kustomization.yaml | 37 ------- .../config/webhook/kustomizeconfig.yaml | 2 - controlplane/kubeadm/main.go | 12 +-- .../providers/v1alpha3-to-v1alpha4.md | 98 +++++++++++++++++++ main.go | 12 +-- test/e2e/config/docker.yaml | 8 +- test/infrastructure/docker/Makefile | 6 +- .../docker/config/default/kustomization.yaml | 55 ++++++++++- .../config/default/kustomizeconfig.yaml | 4 + .../default}/manager_auth_proxy_patch.yaml | 5 - .../manager_image_patch.yaml | 0 .../config/default}/manager_pull_policy.yaml | 0 .../manager_webhook_patch.yaml | 0 .../webhookcainjection_patch.yaml | 0 .../docker/config/kustomization.yaml | 9 -- .../docker/config/manager/kustomization.yaml | 6 -- .../docker/config/manager/manager.yaml | 4 +- .../manager_prometheus_metrics_patch.yaml | 19 ---- .../config/manager/manager_pull_policy.yaml | 11 --- .../docker/config/webhook/kustomization.yaml | 39 -------- .../config/webhook/kustomizeconfig.yaml | 2 - test/infrastructure/docker/main.go | 15 ++- tilt_modules/extensions.json | 5 + 76 files changed, 392 insertions(+), 605 deletions(-) create mode 100644 bootstrap/kubeadm/config/default/kustomizeconfig.yaml rename {controlplane/kubeadm/config/manager => bootstrap/kubeadm/config/default}/manager_auth_proxy_patch.yaml (85%) rename bootstrap/kubeadm/config/{manager => default}/manager_image_patch.yaml (100%) rename bootstrap/kubeadm/config/{manager => default}/manager_pull_policy.yaml (100%) rename {controlplane/kubeadm/config/webhook => 
bootstrap/kubeadm/config/default}/manager_webhook_patch.yaml (84%) rename bootstrap/kubeadm/config/{webhook => default}/webhookcainjection_patch.yaml (100%) delete mode 100644 bootstrap/kubeadm/config/kustomization.yaml delete mode 100644 bootstrap/kubeadm/config/patch_crd_webhook_namespace.yaml delete mode 100644 config/ci/kustomization.yaml delete mode 100644 config/ci/manager/kustomization.yaml delete mode 100644 config/ci/manager_role_aggregation_patch.yaml delete mode 100644 config/ci/namespace.yaml delete mode 100644 config/ci/rbac/kustomization.yaml delete mode 100644 config/ci/rbac/leader_election_role.yaml delete mode 100644 config/ci/rbac/leader_election_role_binding.yaml create mode 100644 config/default/kustomizeconfig.yaml rename config/{ci/manager => default}/manager_auth_proxy_patch.yaml (72%) rename config/{ci/manager => default}/manager_image_patch.yaml (100%) rename config/{ci/manager => default}/manager_pull_policy.yaml (100%) rename {bootstrap/kubeadm/config/webhook => config/default}/manager_webhook_patch.yaml (76%) rename config/{webhook => default}/webhookcainjection_patch.yaml (100%) delete mode 100644 config/kustomization.yaml delete mode 100644 config/manager/manager_auth_proxy_patch.yaml delete mode 100644 config/manager/manager_image_patch.yaml delete mode 100644 config/patch_crd_webhook_namespace.yaml delete mode 100644 config/webhook/namespace.yaml create mode 100644 controlplane/kubeadm/config/default/kustomizeconfig.yaml rename {test/infrastructure/docker/config/manager => controlplane/kubeadm/config/default}/manager_auth_proxy_patch.yaml (80%) rename controlplane/kubeadm/config/{manager => default}/manager_image_patch.yaml (100%) rename {config/manager => controlplane/kubeadm/config/default}/manager_pull_policy.yaml (100%) rename {config/webhook => controlplane/kubeadm/config/default}/manager_webhook_patch.yaml (70%) rename controlplane/kubeadm/config/{webhook => default}/webhookcainjection_patch.yaml (100%) delete mode 100644 
controlplane/kubeadm/config/kustomization.yaml delete mode 100644 controlplane/kubeadm/config/patch_crd_webhook_namespace.yaml create mode 100644 test/infrastructure/docker/config/default/kustomizeconfig.yaml rename {bootstrap/kubeadm/config/manager => test/infrastructure/docker/config/default}/manager_auth_proxy_patch.yaml (78%) rename test/infrastructure/docker/config/{manager => default}/manager_image_patch.yaml (100%) rename {controlplane/kubeadm/config/manager => test/infrastructure/docker/config/default}/manager_pull_policy.yaml (100%) rename test/infrastructure/docker/config/{webhook => default}/manager_webhook_patch.yaml (100%) rename test/infrastructure/docker/config/{webhook => default}/webhookcainjection_patch.yaml (100%) delete mode 100644 test/infrastructure/docker/config/kustomization.yaml delete mode 100644 test/infrastructure/docker/config/manager/manager_prometheus_metrics_patch.yaml delete mode 100644 test/infrastructure/docker/config/manager/manager_pull_policy.yaml diff --git a/Makefile b/Makefile index 44bf85844052..3ac650ffc17c 100644 --- a/Makefile +++ b/Makefile @@ -124,7 +124,7 @@ test-cover: ## Run tests with code coverage and code generate reports .PHONY: docker-build-e2e docker-build-e2e: ## Rebuild all Cluster API provider images to be used in the e2e tests make docker-build REGISTRY=gcr.io/k8s-staging-cluster-api PULL_POLICY=IfNotPresent - $(MAKE) -C test/infrastructure/docker docker-build REGISTRY=gcr.io/k8s-staging-cluster-api + $(MAKE) -C test/infrastructure/docker docker-build REGISTRY=gcr.io/k8s-staging-cluster-api PULL_POLICY=IfNotPresent .PHONY: test-e2e test-e2e: ## Run the e2e tests 
@@ -312,9 +312,6 @@ generate-core-manifests: $(CONTROLLER_GEN) ## Generate manifests for the core pr paths=./cmd/clusterctl/api/... \ crd:crdVersions=v1 \ output:crd:dir=./cmd/clusterctl/config/crd/bases - ## Copy files in CI folders. - cp -f ./config/rbac/*.yaml ./config/ci/rbac/ - cp -f ./config/manager/manager*.yaml ./config/ci/manager/ .PHONY: generate-kubeadm-bootstrap-manifests generate-kubeadm-bootstrap-manifests: $(CONTROLLER_GEN) ## Generate manifests for the kubeadm bootstrap provider e.g. CRD, RBAC etc. 
@@ -365,20 +362,20 @@ docker-build: docker-pull-prerequisites ## Build the docker images for controlle .PHONY: docker-build-core docker-build-core: ## Build the docker image for core controller manager DOCKER_BUILDKIT=1 docker build --build-arg goproxy=$(GOPROXY) --build-arg ARCH=$(ARCH) --build-arg ldflags="$(LDFLAGS)" . -t $(CONTROLLER_IMG)-$(ARCH):$(TAG) - $(MAKE) set-manifest-image MANIFEST_IMG=$(CONTROLLER_IMG)-$(ARCH) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="./config/manager/manager_image_patch.yaml" - $(MAKE) set-manifest-pull-policy TARGET_RESOURCE="./config/manager/manager_pull_policy.yaml" + $(MAKE) set-manifest-image MANIFEST_IMG=$(CONTROLLER_IMG)-$(ARCH) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="./config/default/manager_image_patch.yaml" + $(MAKE) set-manifest-pull-policy TARGET_RESOURCE="./config/default/manager_pull_policy.yaml" .PHONY: docker-build-kubeadm-bootstrap docker-build-kubeadm-bootstrap: ## Build the docker image for kubeadm bootstrap controller manager DOCKER_BUILDKIT=1 docker build --build-arg goproxy=$(GOPROXY) --build-arg ARCH=$(ARCH) --build-arg package=./bootstrap/kubeadm --build-arg ldflags="$(LDFLAGS)" . 
-t $(KUBEADM_BOOTSTRAP_CONTROLLER_IMG)-$(ARCH):$(TAG) - $(MAKE) set-manifest-image MANIFEST_IMG=$(KUBEADM_BOOTSTRAP_CONTROLLER_IMG)-$(ARCH) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="./bootstrap/kubeadm/config/manager/manager_image_patch.yaml" - $(MAKE) set-manifest-pull-policy TARGET_RESOURCE="./bootstrap/kubeadm/config/manager/manager_pull_policy.yaml" + $(MAKE) set-manifest-image MANIFEST_IMG=$(KUBEADM_BOOTSTRAP_CONTROLLER_IMG)-$(ARCH) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="./bootstrap/kubeadm/config/default/manager_image_patch.yaml" + $(MAKE) set-manifest-pull-policy TARGET_RESOURCE="./bootstrap/kubeadm/config/default/manager_pull_policy.yaml" .PHONY: docker-build-kubeadm-control-plane docker-build-kubeadm-control-plane: ## Build the docker image for kubeadm control plane controller manager DOCKER_BUILDKIT=1 docker build --build-arg goproxy=$(GOPROXY) --build-arg ARCH=$(ARCH) --build-arg package=./controlplane/kubeadm --build-arg ldflags="$(LDFLAGS)" . -t $(KUBEADM_CONTROL_PLANE_CONTROLLER_IMG)-$(ARCH):$(TAG) - $(MAKE) set-manifest-image MANIFEST_IMG=$(KUBEADM_CONTROL_PLANE_CONTROLLER_IMG)-$(ARCH) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="./controlplane/kubeadm/config/manager/manager_image_patch.yaml" - $(MAKE) set-manifest-pull-policy TARGET_RESOURCE="./controlplane/kubeadm/config/manager/manager_pull_policy.yaml" + $(MAKE) set-manifest-image MANIFEST_IMG=$(KUBEADM_CONTROL_PLANE_CONTROLLER_IMG)-$(ARCH) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="./controlplane/kubeadm/config/default/manager_image_patch.yaml" + $(MAKE) set-manifest-pull-policy TARGET_RESOURCE="./controlplane/kubeadm/config/default/manager_pull_policy.yaml" .PHONY: docker-push docker-push: ## Push the docker images 
@@ -411,8 +408,8 @@ docker-push-core-manifest: ## Push the fat manifest docker image for the core im docker manifest create --amend $(CONTROLLER_IMG):$(TAG) $(shell echo $(ALL_ARCH) | sed -e "s~[^ ]*~$(CONTROLLER_IMG)\-&:$(TAG)~g") @for arch in $(ALL_ARCH); do docker manifest annotate --arch $${arch} ${CONTROLLER_IMG}:${TAG} ${CONTROLLER_IMG}-$${arch}:${TAG}; done docker manifest push --purge $(CONTROLLER_IMG):$(TAG) - $(MAKE) set-manifest-image MANIFEST_IMG=$(CONTROLLER_IMG) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="./config/manager/manager_image_patch.yaml" - $(MAKE) set-manifest-pull-policy TARGET_RESOURCE="./config/manager/manager_pull_policy.yaml" + $(MAKE) set-manifest-image MANIFEST_IMG=$(CONTROLLER_IMG) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="./config/default/manager_image_patch.yaml" + $(MAKE) set-manifest-pull-policy TARGET_RESOURCE="./config/default/manager_pull_policy.yaml" .PHONY: docker-push-kubeadm-bootstrap-manifest docker-push-kubeadm-bootstrap-manifest: ## Push the fat manifest docker image for the kubeadm bootstrap image. 
@@ -420,8 +417,8 @@ docker-push-kubeadm-bootstrap-manifest: ## Push the fat manifest docker image fo docker manifest create --amend $(KUBEADM_BOOTSTRAP_CONTROLLER_IMG):$(TAG) $(shell echo $(ALL_ARCH) | sed -e "s~[^ ]*~$(KUBEADM_BOOTSTRAP_CONTROLLER_IMG)\-&:$(TAG)~g") @for arch in $(ALL_ARCH); do docker manifest annotate --arch $${arch} ${KUBEADM_BOOTSTRAP_CONTROLLER_IMG}:${TAG} ${KUBEADM_BOOTSTRAP_CONTROLLER_IMG}-$${arch}:${TAG}; done docker manifest push --purge $(KUBEADM_BOOTSTRAP_CONTROLLER_IMG):$(TAG) - $(MAKE) set-manifest-image MANIFEST_IMG=$(KUBEADM_BOOTSTRAP_CONTROLLER_IMG) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="./bootstrap/kubeadm/config/manager/manager_image_patch.yaml" - $(MAKE) set-manifest-pull-policy TARGET_RESOURCE="./bootstrap/kubeadm/config/manager/manager_pull_policy.yaml" + $(MAKE) set-manifest-image MANIFEST_IMG=$(KUBEADM_BOOTSTRAP_CONTROLLER_IMG) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="./bootstrap/kubeadm/config/default/manager_image_patch.yaml" + $(MAKE) set-manifest-pull-policy TARGET_RESOURCE="./bootstrap/kubeadm/config/default/manager_pull_policy.yaml" .PHONY: docker-push-kubeadm-control-plane-manifest docker-push-kubeadm-control-plane-manifest: ## Push the fat manifest docker image for the kubeadm control plane image. 
@@ -429,8 +426,8 @@ docker-push-kubeadm-control-plane-manifest: ## Push the fat manifest docker imag docker manifest create --amend $(KUBEADM_CONTROL_PLANE_CONTROLLER_IMG):$(TAG) $(shell echo $(ALL_ARCH) | sed -e "s~[^ ]*~$(KUBEADM_CONTROL_PLANE_CONTROLLER_IMG)\-&:$(TAG)~g") @for arch in $(ALL_ARCH); do docker manifest annotate --arch $${arch} ${KUBEADM_CONTROL_PLANE_CONTROLLER_IMG}:${TAG} ${KUBEADM_CONTROL_PLANE_CONTROLLER_IMG}-$${arch}:${TAG}; done docker manifest push --purge $(KUBEADM_CONTROL_PLANE_CONTROLLER_IMG):$(TAG) - $(MAKE) set-manifest-image MANIFEST_IMG=$(KUBEADM_CONTROL_PLANE_CONTROLLER_IMG) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="./controlplane/kubeadm/config/manager/manager_image_patch.yaml" - $(MAKE) set-manifest-pull-policy TARGET_RESOURCE="./controlplane/kubeadm/config/manager/manager_pull_policy.yaml" + $(MAKE) set-manifest-image MANIFEST_IMG=$(KUBEADM_CONTROL_PLANE_CONTROLLER_IMG) MANIFEST_TAG=$(TAG) TARGET_RESOURCE="./controlplane/kubeadm/config/default/manager_image_patch.yaml" + $(MAKE) set-manifest-pull-policy TARGET_RESOURCE="./controlplane/kubeadm/config/default/manager_pull_policy.yaml" .PHONY: set-manifest-pull-policy set-manifest-pull-policy: 
@@ -462,18 +459,18 @@ release: clean-release ## Builds and push container images using the latest git # Set the core manifest image to the production bucket. $(MAKE) set-manifest-image \ MANIFEST_IMG=$(PROD_REGISTRY)/$(IMAGE_NAME) MANIFEST_TAG=$(RELEASE_TAG) \ - TARGET_RESOURCE="./config/manager/manager_image_patch.yaml" + TARGET_RESOURCE="./config/default/manager_image_patch.yaml" # Set the kubeadm bootstrap image to the production bucket. $(MAKE) set-manifest-image \ MANIFEST_IMG=$(PROD_REGISTRY)/$(KUBEADM_BOOTSTRAP_IMAGE_NAME) MANIFEST_TAG=$(RELEASE_TAG) \ - TARGET_RESOURCE="./bootstrap/kubeadm/config/manager/manager_image_patch.yaml" + TARGET_RESOURCE="./bootstrap/kubeadm/config/default/manager_image_patch.yaml" # Set the kubeadm control plane image to the production bucket. $(MAKE) set-manifest-image \ MANIFEST_IMG=$(PROD_REGISTRY)/$(KUBEADM_CONTROL_PLANE_IMAGE_NAME) MANIFEST_TAG=$(RELEASE_TAG) \ - TARGET_RESOURCE="./controlplane/kubeadm/config/manager/manager_image_patch.yaml" - $(MAKE) set-manifest-pull-policy PULL_POLICY=IfNotPresent TARGET_RESOURCE="./config/manager/manager_pull_policy.yaml" - $(MAKE) set-manifest-pull-policy PULL_POLICY=IfNotPresent TARGET_RESOURCE="./bootstrap/kubeadm/config/manager/manager_pull_policy.yaml" - $(MAKE) set-manifest-pull-policy PULL_POLICY=IfNotPresent TARGET_RESOURCE="./controlplane/kubeadm/config/manager/manager_pull_policy.yaml" + TARGET_RESOURCE="./controlplane/kubeadm/config/default/manager_image_patch.yaml" + $(MAKE) set-manifest-pull-policy PULL_POLICY=IfNotPresent TARGET_RESOURCE="./config/default/manager_pull_policy.yaml" + $(MAKE) set-manifest-pull-policy PULL_POLICY=IfNotPresent TARGET_RESOURCE="./bootstrap/kubeadm/config/default/manager_pull_policy.yaml" + $(MAKE) set-manifest-pull-policy PULL_POLICY=IfNotPresent TARGET_RESOURCE="./controlplane/kubeadm/config/default/manager_pull_policy.yaml" ## Build the manifests $(MAKE) release-manifests clean-release-git ## Build the development manifests 
@@ -482,11 +479,11 @@ release: clean-release ## Builds and push container images using the latest git .PHONY: release-manifests release-manifests: $(RELEASE_DIR) $(KUSTOMIZE) ## Builds the manifests to publish with a release # Build core-components. - $(KUSTOMIZE) build config > $(RELEASE_DIR)/core-components.yaml + $(KUSTOMIZE) build config/default > $(RELEASE_DIR)/core-components.yaml # Build bootstrap-components. - $(KUSTOMIZE) build bootstrap/kubeadm/config > $(RELEASE_DIR)/bootstrap-components.yaml + $(KUSTOMIZE) build bootstrap/kubeadm/config/default > $(RELEASE_DIR)/bootstrap-components.yaml # Build control-plane-components. - $(KUSTOMIZE) build controlplane/kubeadm/config > $(RELEASE_DIR)/control-plane-components.yaml + $(KUSTOMIZE) build controlplane/kubeadm/config/default > $(RELEASE_DIR)/control-plane-components.yaml ## Build cluster-api-components (aggregate of all of the above). cat $(RELEASE_DIR)/core-components.yaml > $(RELEASE_DIR)/cluster-api-components.yaml diff --git a/Tiltfile b/Tiltfile index 84dc7e3ac902..87858b680752 100644 --- a/Tiltfile +++ b/Tiltfile @@ -145,7 +145,7 @@ COPY manager . # # 1. Enables a local_resource go build of the provider's manager binary # 2. Configures a docker build for the provider, with live updating of the manager binary -# 3. Runs kustomize for the provider's config/ and applies it +# 3. Runs kustomize for the provider's config/default and applies it def enable_provider(name): p = providers.get(name) @@ -205,7 +205,7 @@ def enable_provider(name): os.environ.update(substitutions) # Apply the kustomized yaml for this provider - yaml = str(kustomize_with_envsubst(context + "/config")) + yaml = str(kustomize_with_envsubst(context + "/config/default")) k8s_yaml(blob(yaml)) # Users may define their own Tilt customizations in tilt.d. This directory is excluded from git and these files will 
diff --git a/bootstrap/kubeadm/config/default/kustomization.yaml b/bootstrap/kubeadm/config/default/kustomization.yaml index d878f6deb01e..069b018c2c69 100644 --- a/bootstrap/kubeadm/config/default/kustomization.yaml +++ b/bootstrap/kubeadm/config/default/kustomization.yaml @@ -1,9 +1,61 @@ # Adds namespace to all resources. namespace: capi-kubeadm-bootstrap-system +namePrefix: capi-kubeadm-bootstrap- + +commonLabels: + cluster.x-k8s.io/provider: "bootstrap-kubeadm" + resources: - namespace.yaml bases: +- ../crd - ../rbac - ../manager +- ../webhook +- ../certmanager + +patchesStrategicMerge: + # Provide customizable hook for make targets. + - manager_image_patch.yaml + - manager_pull_policy.yaml + # Protect the /metrics endpoint by putting it behind auth. + # Only one of manager_auth_proxy_patch.yaml and + # manager_prometheus_metrics_patch.yaml should be enabled. + - manager_auth_proxy_patch.yaml + # Enable webhook. + - manager_webhook_patch.yaml + # Inject certificate in the webhook definition. + - webhookcainjection_patch.yaml + +vars: + - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR + objref: + kind: Certificate + group: cert-manager.io + version: v1alpha2 + name: serving-cert # this name should match the one in certificate.yaml + fieldref: + fieldpath: metadata.namespace + - name: CERTIFICATE_NAME + objref: + kind: Certificate + group: cert-manager.io + version: v1alpha2 + name: serving-cert # this name should match the one in certificate.yaml + - name: SERVICE_NAMESPACE # namespace of the service + objref: + kind: Service + version: v1 + name: webhook-service + fieldref: + fieldpath: metadata.namespace + - name: SERVICE_NAME + objref: + kind: Service + version: v1 + name: webhook-service + +configurations: + - kustomizeconfig.yaml diff --git a/bootstrap/kubeadm/config/default/kustomizeconfig.yaml b/bootstrap/kubeadm/config/default/kustomizeconfig.yaml new file mode 100644 index 000000000000..eb191e64d056 --- /dev/null 
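Review bot: The comment `# Only one of manager_auth_proxy_patch.yaml and manager_prometheus_metrics_patch.yaml should be enabled.` names a file that does not exist in this provider's config (the diffstat lists a manager_prometheus_metrics_patch.yaml only under test/infrastructure/docker, and this commit deletes it), so the two lines should collapse to `# Protect the /metrics endpoint by putting it behind auth (kube-rbac-proxy sidecar).`. Separately, this commit deletes patch_crd_webhook_namespace.yaml, which pinned the CRDs' conversion webhook to `capi-webhook-system`; with `../crd` now pulled under `namespace: capi-kubeadm-bootstrap-system`, the conversion `clientConfig.service.namespace` is presumably rewritten by a namespace reference in the crd kustomizeconfig, which is not part of this diff. Worth confirming on a `kustomize build bootstrap/kubeadm/config/default` that the CRDs point at the new namespace, since a stale one would silently break conversion rather than fail at apply time.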
+++ b/bootstrap/kubeadm/config/default/kustomizeconfig.yaml @@ -0,0 +1,4 @@ +# This configuration is for teaching kustomize how to update name ref and var substitution +varReference: +- kind: Deployment + path: spec/template/spec/volumes/secret/secretName diff --git a/controlplane/kubeadm/config/manager/manager_auth_proxy_patch.yaml b/bootstrap/kubeadm/config/default/manager_auth_proxy_patch.yaml similarity index 85% rename from controlplane/kubeadm/config/manager/manager_auth_proxy_patch.yaml rename to bootstrap/kubeadm/config/default/manager_auth_proxy_patch.yaml index e790f113e911..a7987a993f99 100644 --- a/controlplane/kubeadm/config/manager/manager_auth_proxy_patch.yaml +++ b/bootstrap/kubeadm/config/default/manager_auth_proxy_patch.yaml @@ -19,7 +19,3 @@ spec: ports: - containerPort: 8443 name: https - - name: manager - args: - - "--metrics-bind-addr=127.0.0.1:8080" - - "--leader-elect" diff --git a/bootstrap/kubeadm/config/manager/manager_image_patch.yaml b/bootstrap/kubeadm/config/default/manager_image_patch.yaml similarity index 100% rename from bootstrap/kubeadm/config/manager/manager_image_patch.yaml rename to bootstrap/kubeadm/config/default/manager_image_patch.yaml diff --git a/bootstrap/kubeadm/config/manager/manager_pull_policy.yaml b/bootstrap/kubeadm/config/default/manager_pull_policy.yaml similarity index 100% rename from bootstrap/kubeadm/config/manager/manager_pull_policy.yaml rename to bootstrap/kubeadm/config/default/manager_pull_policy.yaml diff --git a/controlplane/kubeadm/config/webhook/manager_webhook_patch.yaml b/bootstrap/kubeadm/config/default/manager_webhook_patch.yaml similarity index 84% rename from controlplane/kubeadm/config/webhook/manager_webhook_patch.yaml rename to bootstrap/kubeadm/config/default/manager_webhook_patch.yaml index e62520b9ea33..b387eb0eae68 100644 --- a/controlplane/kubeadm/config/webhook/manager_webhook_patch.yaml +++ b/bootstrap/kubeadm/config/default/manager_webhook_patch.yaml 
@@ -8,9 +8,6 @@ spec: spec: containers: - name: manager - args: - - "--metrics-bind-addr=127.0.0.1:8080" - - "--webhook-port=9443" ports: - containerPort: 9443 name: webhook-server diff --git a/bootstrap/kubeadm/config/webhook/webhookcainjection_patch.yaml b/bootstrap/kubeadm/config/default/webhookcainjection_patch.yaml similarity index 100% rename from bootstrap/kubeadm/config/webhook/webhookcainjection_patch.yaml rename to bootstrap/kubeadm/config/default/webhookcainjection_patch.yaml diff --git a/bootstrap/kubeadm/config/kustomization.yaml b/bootstrap/kubeadm/config/kustomization.yaml deleted file mode 100644 index f211307cf365..000000000000 --- a/bootstrap/kubeadm/config/kustomization.yaml +++ /dev/null @@ -1,23 +0,0 @@ -namePrefix: capi-kubeadm-bootstrap- - -commonLabels: - cluster.x-k8s.io/provider: "bootstrap-kubeadm" - -bases: -- crd -- default -- webhook - -patchesJson6902: -- target: - group: apiextensions.k8s.io - version: v1 - kind: CustomResourceDefinition - name: kubeadmconfigs.bootstrap.cluster.x-k8s.io - path: patch_crd_webhook_namespace.yaml -- target: - group: apiextensions.k8s.io - version: v1 - kind: CustomResourceDefinition - name: kubeadmconfigtemplates.bootstrap.cluster.x-k8s.io - path: patch_crd_webhook_namespace.yaml diff --git a/bootstrap/kubeadm/config/manager/kustomization.yaml b/bootstrap/kubeadm/config/manager/kustomization.yaml index 4691c98f554e..5c5f0b84cba4 100644 --- a/bootstrap/kubeadm/config/manager/kustomization.yaml +++ b/bootstrap/kubeadm/config/manager/kustomization.yaml @@ -1,7 +1,2 @@ resources: - manager.yaml - -patchesStrategicMerge: -- manager_image_patch.yaml -- manager_pull_policy.yaml -- manager_auth_proxy_patch.yaml diff --git a/bootstrap/kubeadm/config/manager/manager.yaml b/bootstrap/kubeadm/config/manager/manager.yaml index 713c47d07522..69d44b8f1f46 100644 --- a/bootstrap/kubeadm/config/manager/manager.yaml +++ b/bootstrap/kubeadm/config/manager/manager.yaml 
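Review bot: `containerPort: 9443` no longer has an explicit `--webhook-port=9443` argument beside it and now relies on the flag default that main.go changes to 9443 in this same commit; that coupling is invisible from the manifest. Add `# Must match the --webhook-port default (9443) in main.go.` above the port entry so the two cannot drift apart unnoticed. Anything after `name: webhook-server` in this patch is outside the hunk.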
@@ -19,8 +19,9 @@ spec: - command: - /manager args: - - --leader-elect - - --feature-gates=MachinePool=${EXP_MACHINE_POOL:=false} + - "--leader-elect" + - "--metrics-bind-addr=127.0.0.1:8080" + - "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false}" image: controller:latest name: manager terminationGracePeriodSeconds: 10 diff --git a/bootstrap/kubeadm/config/patch_crd_webhook_namespace.yaml b/bootstrap/kubeadm/config/patch_crd_webhook_namespace.yaml deleted file mode 100644 index 110f3a4945f7..000000000000 --- a/bootstrap/kubeadm/config/patch_crd_webhook_namespace.yaml +++ /dev/null @@ -1,3 +0,0 @@ -- op: replace - path: "/spec/conversion/webhook/clientConfig/service/namespace" - value: capi-webhook-system diff --git a/bootstrap/kubeadm/config/rbac/kustomization.yaml b/bootstrap/kubeadm/config/rbac/kustomization.yaml index 817f1fe61380..0f7447e6db80 100644 --- a/bootstrap/kubeadm/config/rbac/kustomization.yaml +++ b/bootstrap/kubeadm/config/rbac/kustomization.yaml @@ -3,9 +3,6 @@ resources: - role_binding.yaml - leader_election_role.yaml - leader_election_role_binding.yaml -# Comment the following 3 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. - auth_proxy_service.yaml - auth_proxy_role.yaml - auth_proxy_role_binding.yaml diff --git a/bootstrap/kubeadm/config/webhook/kustomization.yaml b/bootstrap/kubeadm/config/webhook/kustomization.yaml index 23314b7710e3..9cf26134e4d5 100644 --- a/bootstrap/kubeadm/config/webhook/kustomization.yaml +++ b/bootstrap/kubeadm/config/webhook/kustomization.yaml 
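Review bot: `--metrics-bind-addr=127.0.0.1:8080` is moved into the base manager.yaml with nothing saying why it is loopback-only, whereas the previous location in manager_auth_proxy_patch.yaml sat next to the kube-rbac-proxy sidecar that exposes it on 8443. Add a comment on that argument, `# Loopback only: /metrics is reachable solely via the kube-rbac-proxy sidecar added by default/manager_auth_proxy_patch.yaml.`, so nobody later "fixes" it to 0.0.0.0 when the sidecar is dropped. The Deployment spec this hunk patches starts before the hunk.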
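Review bot: Dropping the three comment lines leaves `auth_proxy_service.yaml`, `auth_proxy_role.yaml` and `auth_proxy_role_binding.yaml` listed with no indication of what they are for or that they pair with default/manager_auth_proxy_patch.yaml; the old text was wrong only in implying they could be removed on their own. Replace it with `# kube-rbac-proxy resources guarding /metrics; remove together with default/manager_auth_proxy_patch.yaml.` rather than removing the explanation entirely.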
@@ -1,43 +1,6 @@ -namespace: capi-webhook-system - resources: - manifests.yaml - service.yaml -- ../certmanager -- ../manager configurations: - kustomizeconfig.yaml - -patchesStrategicMerge: -- manager_webhook_patch.yaml -- webhookcainjection_patch.yaml - -vars: -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. -- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR - objref: - kind: Certificate - group: cert-manager.io - version: v1alpha2 - name: serving-cert # this name should match the one in certificate.yaml - fieldref: - fieldpath: metadata.namespace -- name: CERTIFICATE_NAME - objref: - kind: Certificate - group: cert-manager.io - version: v1alpha2 - name: serving-cert # this name should match the one in certificate.yaml -- name: SERVICE_NAMESPACE # namespace of the service - objref: - kind: Service - version: v1 - name: webhook-service - fieldref: - fieldpath: metadata.namespace -- name: SERVICE_NAME - objref: - kind: Service - version: v1 - name: webhook-service diff --git a/bootstrap/kubeadm/config/webhook/kustomizeconfig.yaml b/bootstrap/kubeadm/config/webhook/kustomizeconfig.yaml index fddf04146f37..25e21e3c963f 100644 --- a/bootstrap/kubeadm/config/webhook/kustomizeconfig.yaml +++ b/bootstrap/kubeadm/config/webhook/kustomizeconfig.yaml @@ -23,5 +23,3 @@ namespace: varReference: - path: metadata/annotations -- kind: Deployment - path: spec/template/spec/volumes/secret/secretName diff --git a/bootstrap/kubeadm/main.go b/bootstrap/kubeadm/main.go index a6c4f2a850c3..c28ed13648c3 100644 --- a/bootstrap/kubeadm/main.go +++ b/bootstrap/kubeadm/main.go 
@@ -102,8 +102,8 @@ func InitFlags(fs *pflag.FlagSet) { fs.DurationVar(&kubeadmbootstrapcontrollers.DefaultTokenTTL, "bootstrap-token-ttl", 15*time.Minute, "The amount of time the bootstrap token will be valid") - fs.IntVar(&webhookPort, "webhook-port", 0, - "Webhook Server port, disabled by default. When enabled, the manager will only work as webhook server, no reconcilers are installed.") + fs.IntVar(&webhookPort, "webhook-port", 9443, + "Webhook Server port") feature.MutableGates.AddFlag(fs) } @@ -160,10 +160,6 @@ func main() { } func setupReconcilers(ctx context.Context, mgr ctrl.Manager) { - if webhookPort != 0 { - return - } - if err := (&kubeadmbootstrapcontrollers.KubeadmConfigReconciler{ Client: mgr.GetClient(), }).SetupWithManager(ctx, mgr, concurrency(kubeadmConfigConcurrency)); err != nil { @@ -173,10 +169,6 @@ func setupReconcilers(ctx context.Context, mgr ctrl.Manager) { } func setupWebhooks(mgr ctrl.Manager) { - if webhookPort == 0 { - return - } - if err := (&kubeadmbootstrapv1.KubeadmConfig{}).SetupWebhookWithManager(mgr); err != nil { setupLog.Error(err, "unable to create webhook", "webhook", "KubeadmConfig") os.Exit(1) diff --git a/cmd/clusterctl/hack/create-local-repository.py b/cmd/clusterctl/hack/create-local-repository.py index f6f01af9ec61..69cbef14b2c6 100755 --- a/cmd/clusterctl/hack/create-local-repository.py +++ b/cmd/clusterctl/hack/create-local-repository.py 
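Review bot: The `webhook-port` flag no longer validates its value now that the `webhookPort == 0` / `!= 0` guards are gone from setupWebhooks and setupReconcilers: 0 was the documented "disabled" sentinel, and a deployment that still passes `--webhook-port=0` now hands a zero port to the manager options, whose handling is outside this hunk (main() is not shown). Either reject it before the manager is built, e.g. `if webhookPort <= 0 || webhookPort > 65535 { setupLog.Error(nil, "invalid --webhook-port", "port", webhookPort); os.Exit(1) }`, or state the new contract in the help text: `"Webhook Server port (the webhook server is always started)"`. The Deployment's `containerPort: 9443` in manager_webhook_patch.yaml depends on the new default, so a comment on the flag linking the two would help the next person who changes either.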
@@ -59,19 +59,19 @@ 'componentsFile': 'bootstrap-components.yaml', 'nextVersion': 'v0.3.8', 'type': 'BootstrapProvider', - 'configFolder': 'bootstrap/kubeadm/config', + 'configFolder': 'bootstrap/kubeadm/config/default', }, 'control-plane-kubeadm': { 'componentsFile': 'control-plane-components.yaml', 'nextVersion': 'v0.3.8', 'type': 'ControlPlaneProvider', - 'configFolder': 'controlplane/kubeadm/config', + 'configFolder': 'controlplane/kubeadm/config/default', }, 'infrastructure-docker': { 'componentsFile': 'infrastructure-components.yaml', 'nextVersion': 'v0.3.8', 'type': 'InfrastructureProvider', - 'configFolder': 'test/infrastructure/docker/config', + 'configFolder': 'test/infrastructure/docker/config/default', }, } @@ -147,7 +147,7 @@ def create_local_repositories(): assert p is not None, 'invalid configuration: please specify the configuration for the {} provider'.format(provider) repo = p.get('repo', '.') - config_folder = p.get('configFolder', 'config') + config_folder = p.get('configFolder', 'config/default') next_version = p.get('nextVersion') assert next_version is not None, 'invalid configuration for provider {}: please provide nextVersion value'.format(provider) diff --git a/config/ci/kustomization.yaml b/config/ci/kustomization.yaml deleted file mode 100644 index ff7695bcb284..000000000000 --- a/config/ci/kustomization.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -# Adds namespace to all resources. -namespace: provider-system - -# Value of this field is prepended to the -# names of all resources, e.g. a deployment named -# "wordpress" becomes "alices-wordpress". -# Note that it should also match with the prefix (text before '-') of the namespace -# field above. -namePrefix: provider- - - -patchesStrategicMerge: -- manager_role_aggregation_patch.yaml -resources: -- namespace.yaml -- ./rbac -- ./manager 
diff --git a/config/ci/manager/kustomization.yaml b/config/ci/manager/kustomization.yaml deleted file mode 100644 index 09e972c0fde0..000000000000 --- a/config/ci/manager/kustomization.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -# Each entry in this list must resolve to an existing -# resource definition in YAML. These are the resource -# files that kustomize reads, modifies and emits as a -# YAML string, with resources separated by document -# markers ("---"). -resources: -- manager.yaml - -patchesStrategicMerge: -- manager_image_patch.yaml diff --git a/config/ci/manager_role_aggregation_patch.yaml b/config/ci/manager_role_aggregation_patch.yaml deleted file mode 100644 index 202ee21fb434..000000000000 --- a/config/ci/manager_role_aggregation_patch.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: manager-role - labels: - cluster.x-k8s.io/aggregate-to-manager: "true" ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: aggregated-manager-role diff --git a/config/ci/namespace.yaml b/config/ci/namespace.yaml deleted file mode 100644 index 8b55c3cd8923..000000000000 --- a/config/ci/namespace.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - control-plane: controller-manager - name: system diff --git a/config/ci/rbac/kustomization.yaml b/config/ci/rbac/kustomization.yaml deleted file mode 100644 index e4bb64e2b1fb..000000000000 --- a/config/ci/rbac/kustomization.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -# Each entry in this list must resolve to an existing -# resource definition in YAML. These are the resource -# files that kustomize reads, modifies and emits as a -# YAML string, with resources separated by document -# markers ("---"). -resources: -- role_binding.yaml -- role.yaml -- leader_election_role.yaml -- leader_election_role_binding.yaml -- aggregated_role.yaml - # Comment the following 3 lines if you want to disable - # the auth proxy (https://github.com/brancz/kube-rbac-proxy) - # which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml diff --git a/config/ci/rbac/leader_election_role.yaml b/config/ci/rbac/leader_election_role.yaml deleted file mode 100644 index c654b67339c2..000000000000 --- a/config/ci/rbac/leader_election_role.yaml +++ /dev/null @@ -1,45 +0,0 @@ - -# permissions to do leader election. -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: leader-election-role -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - configmaps/status - verbs: - - get - - update - - patch -- apiGroups: - - "" - resources: - - events - verbs: - - create -- apiGroups: - - "coordination.k8s.io" - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete diff --git a/config/ci/rbac/leader_election_role_binding.yaml b/config/ci/rbac/leader_election_role_binding.yaml deleted file mode 100644 index eed16906f4dc..000000000000 --- a/config/ci/rbac/leader_election_role_binding.yaml +++ /dev/null 
@@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: leader-election-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: leader-election-role -subjects: -- kind: ServiceAccount - name: default - namespace: system diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index c169cb0f1324..3689592c6984 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml 
@@ -1,11 +1,64 @@ namespace: capi-system +namePrefix: capi- + +commonLabels: + cluster.x-k8s.io/provider: "cluster-api" + resources: - namespace.yaml bases: +- ../crd - ../rbac - ../manager +- ../webhook +- ../certmanager patchesStrategicMerge: +# Provide customizable hook for make targets. +- manager_image_patch.yaml +- manager_pull_policy.yaml +# Protect the /metrics endpoint by putting it behind auth. +# Only one of manager_auth_proxy_patch.yaml and +# manager_prometheus_metrics_patch.yaml should be enabled. +- manager_auth_proxy_patch.yaml +# Enable webhook. +- manager_webhook_patch.yaml +# Inject certificate in the webhook definition. +- webhookcainjection_patch.yaml +# Ease the process of providing extra RBAC to the Cluster API manager for +# non SIG Cluster Lifecycle-sponsored provider subprojects by using an +# aggregated role - manager_role_aggregation_patch.yaml + +vars: + - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR + objref: + kind: Certificate + group: cert-manager.io + version: v1alpha2 + name: serving-cert # this name should match the one in certificate.yaml + fieldref: + fieldpath: metadata.namespace + - name: CERTIFICATE_NAME + objref: + kind: Certificate + group: cert-manager.io + version: v1alpha2 + name: serving-cert # this name should match the one in certificate.yaml + - name: SERVICE_NAMESPACE # namespace of the service + objref: + kind: Service + version: v1 + name: webhook-service + fieldref: + fieldpath: metadata.namespace + - name: SERVICE_NAME + objref: + kind: Service + version: v1 + name: webhook-service + +configurations: + - kustomizeconfig.yaml diff --git a/config/default/kustomizeconfig.yaml b/config/default/kustomizeconfig.yaml new file mode 100644 index 000000000000..eb191e64d056 --- /dev/null +++ b/config/default/kustomizeconfig.yaml 
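Review bot: With `config/kustomization.yaml` and `config/patch_crd_webhook_namespace.yaml` deleted in this change, nothing visible on this page explicitly rewrites the CRDs' `spec/conversion/webhook/clientConfig/service/namespace` now that `../crd` is built under `namespace: capi-system`; the deleted JSON patch used to force it to `capi-webhook-system`. As far as I recall kustomize's built-in namespace transformer already covers that CRD field, but it is worth confirming in the output of `kustomize build config/default` that the conversion webhook points at the manager's namespace, since a stale namespace silently breaks CRD conversion. Separately, the comment `# Only one of manager_auth_proxy_patch.yaml and manager_prometheus_metrics_patch.yaml should be enabled.` names a file that does not appear in this change's diffstat; if it does not exist in `config/default`, trim the comment to `# Protect the /metrics endpoint by putting it behind auth.`. The same block is copied into the controlplane and docker `config/default/kustomization.yaml` hunks further down this page.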
@@ -0,0 +1,4 @@ +# This configuration is for teaching kustomize how to update name ref and var substitution +varReference: +- kind: Deployment + path: spec/template/spec/volumes/secret/secretName diff --git a/config/ci/manager/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml similarity index 72% rename from config/ci/manager/manager_auth_proxy_patch.yaml rename to config/default/manager_auth_proxy_patch.yaml index 6872e702ee4e..65d23b91ef27 100644 --- a/config/ci/manager/manager_auth_proxy_patch.yaml +++ b/config/default/manager_auth_proxy_patch.yaml @@ -19,8 +19,3 @@ spec: ports: - containerPort: 8443 name: https - - name: manager - args: - - "--metrics-bind-addr=127.0.0.1:8080" - - "--leader-elect" - - "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false},ClusterResourceSet=${EXP_CLUSTER_RESOURCE_SET:=false}" diff --git a/config/ci/manager/manager_image_patch.yaml b/config/default/manager_image_patch.yaml similarity index 100% rename from config/ci/manager/manager_image_patch.yaml rename to config/default/manager_image_patch.yaml diff --git a/config/ci/manager/manager_pull_policy.yaml b/config/default/manager_pull_policy.yaml similarity index 100% rename from config/ci/manager/manager_pull_policy.yaml rename to config/default/manager_pull_policy.yaml diff --git a/bootstrap/kubeadm/config/webhook/manager_webhook_patch.yaml b/config/default/manager_webhook_patch.yaml similarity index 76% rename from bootstrap/kubeadm/config/webhook/manager_webhook_patch.yaml rename to config/default/manager_webhook_patch.yaml index fd66c79992d6..b387eb0eae68 100644 --- a/bootstrap/kubeadm/config/webhook/manager_webhook_patch.yaml +++ b/config/default/manager_webhook_patch.yaml @@ -8,10 +8,6 @@ spec: spec: containers: - name: manager - args: - - "--metrics-bind-addr=127.0.0.1:8080" - - "--webhook-port=9443" - - "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false}" ports: - containerPort: 9443 name: webhook-server 
diff --git a/config/webhook/webhookcainjection_patch.yaml b/config/default/webhookcainjection_patch.yaml similarity index 100% rename from config/webhook/webhookcainjection_patch.yaml rename to config/default/webhookcainjection_patch.yaml diff --git a/config/kustomization.yaml b/config/kustomization.yaml deleted file mode 100644 index 94df3ce22bcd..000000000000 --- a/config/kustomization.yaml +++ /dev/null @@ -1,41 +0,0 @@ -namePrefix: capi- - -commonLabels: - cluster.x-k8s.io/provider: "cluster-api" - -bases: -- crd -- webhook -- default - -patchesJson6902: -- target: - group: apiextensions.k8s.io - version: v1 - kind: CustomResourceDefinition - name: clusters.cluster.x-k8s.io - path: patch_crd_webhook_namespace.yaml -- target: - group: apiextensions.k8s.io - version: v1 - kind: CustomResourceDefinition - name: machinedeployments.cluster.x-k8s.io - path: patch_crd_webhook_namespace.yaml -- target: - group: apiextensions.k8s.io - version: v1 - kind: CustomResourceDefinition - name: machines.cluster.x-k8s.io - path: patch_crd_webhook_namespace.yaml -- target: - group: apiextensions.k8s.io - version: v1 - kind: CustomResourceDefinition - name: machinesets.cluster.x-k8s.io - path: patch_crd_webhook_namespace.yaml -- target: - group: apiextensions.k8s.io - version: v1 - kind: CustomResourceDefinition - name: machinehealthchecks.cluster.x-k8s.io - path: patch_crd_webhook_namespace.yaml diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index 7f36aeba838b..5c5f0b84cba4 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -1,9 +1,2 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization resources: - manager.yaml - -patchesStrategicMerge: -- manager_pull_policy.yaml -- manager_image_patch.yaml -- manager_auth_proxy_patch.yaml diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index bc267d2b4623..299b14bc37f0 100644 --- a/config/manager/manager.yaml 
+++ b/config/manager/manager.yaml @@ -20,8 +20,9 @@ spec: - command: - /manager args: - - --leader-elect - - --feature-gates=MachinePool=${EXP_MACHINE_POOL:=false},ClusterResourceSet=${EXP_CLUSTER_RESOURCE_SET:=false} + - "--leader-elect" + - "--metrics-bind-addr=127.0.0.1:8080" + - "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false},ClusterResourceSet=${EXP_CLUSTER_RESOURCE_SET:=false}" image: controller:latest name: manager ports: diff --git a/config/manager/manager_auth_proxy_patch.yaml b/config/manager/manager_auth_proxy_patch.yaml deleted file mode 100644 index 6872e702ee4e..000000000000 --- a/config/manager/manager_auth_proxy_patch.yaml +++ /dev/null @@ -1,26 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the controller manager, -# it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: kube-rbac-proxy - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=10" - ports: - - containerPort: 8443 - name: https - - name: manager - args: - - "--metrics-bind-addr=127.0.0.1:8080" - - "--leader-elect" - - "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false},ClusterResourceSet=${EXP_CLUSTER_RESOURCE_SET:=false}" diff --git a/config/manager/manager_image_patch.yaml b/config/manager/manager_image_patch.yaml deleted file mode 100644 index 472f75963741..000000000000 --- a/config/manager/manager_image_patch.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - image: gcr.io/k8s-staging-cluster-api/cluster-api-controller:master - name: manager 
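Review bot: `--metrics-bind-addr=127.0.0.1:8080` moves into the base deployment without a comment saying why the loopback binding is deliberate: it only works together with the kube-rbac-proxy sidecar that `config/default/manager_auth_proxy_patch.yaml` adds (the deleted `config/manager/manager_auth_proxy_patch.yaml` further down this same line shows the sidecar's `--upstream=http://127.0.0.1:8080/`). A consumer building `config/manager` without that patch gets metrics that are unreachable from outside the pod, which is presumably why the e2e config in this change rewrites the flag to `:8080`. Suggest a comment above the flag: `# Bound to loopback on purpose: /metrics is exposed through the kube-rbac-proxy sidecar (config/default/manager_auth_proxy_patch.yaml), which authorizes scrapes via SubjectAccessReview.` The controlplane `manager.yaml` hunk later on this page adds the same flag and should carry the same comment; the `args` list continues outside the hunk.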
diff --git a/config/patch_crd_webhook_namespace.yaml b/config/patch_crd_webhook_namespace.yaml deleted file mode 100644 index 110f3a4945f7..000000000000 --- a/config/patch_crd_webhook_namespace.yaml +++ /dev/null @@ -1,3 +0,0 @@ -- op: replace - path: "/spec/conversion/webhook/clientConfig/service/namespace" - value: capi-webhook-system diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml index e4bb64e2b1fb..c9351b2a8ab8 100644 --- a/config/rbac/kustomization.yaml +++ b/config/rbac/kustomization.yaml @@ -1,19 +1,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -# Each entry in this list must resolve to an existing -# resource definition in YAML. These are the resource -# files that kustomize reads, modifies and emits as a -# YAML string, with resources separated by document -# markers ("---"). resources: - role_binding.yaml - role.yaml - leader_election_role.yaml - leader_election_role_binding.yaml - aggregated_role.yaml - # Comment the following 3 lines if you want to disable - # the auth proxy (https://github.com/brancz/kube-rbac-proxy) - # which protects your /metrics endpoint. - auth_proxy_service.yaml - auth_proxy_role.yaml - auth_proxy_role_binding.yaml diff --git a/config/webhook/kustomization.yaml b/config/webhook/kustomization.yaml index 64f3d36b893f..9cf26134e4d5 100644 --- a/config/webhook/kustomization.yaml +++ b/config/webhook/kustomization.yaml 
@@ -1,43 +1,6 @@ -namespace: capi-webhook-system - resources: -- namespace.yaml - manifests.yaml - service.yaml -- ../certmanager -- ../manager configurations: - kustomizeconfig.yaml - -patchesStrategicMerge: -- manager_webhook_patch.yaml -- webhookcainjection_patch.yaml - -vars: -- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR - objref: - kind: Certificate - group: cert-manager.io - version: v1alpha2 - name: serving-cert # this name should match the one in certificate.yaml - fieldref: - fieldpath: metadata.namespace -- name: CERTIFICATE_NAME - objref: - kind: Certificate - group: cert-manager.io - version: v1alpha2 - name: serving-cert # this name should match the one in certificate.yaml -- name: SERVICE_NAMESPACE # namespace of the service - objref: - kind: Service - version: v1 - name: webhook-service - fieldref: - fieldpath: metadata.namespace -- name: SERVICE_NAME - objref: - kind: Service - version: v1 - name: webhook-service diff --git a/config/webhook/kustomizeconfig.yaml b/config/webhook/kustomizeconfig.yaml index fddf04146f37..25e21e3c963f 100644 --- a/config/webhook/kustomizeconfig.yaml +++ b/config/webhook/kustomizeconfig.yaml @@ -23,5 +23,3 @@ namespace: varReference: - path: metadata/annotations -- kind: Deployment - path: spec/template/spec/volumes/secret/secretName diff --git a/config/webhook/namespace.yaml b/config/webhook/namespace.yaml deleted file mode 100644 index c2de3b2c6622..000000000000 --- a/config/webhook/namespace.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - control-plane: controller-manager - name: webhook-system diff --git a/controlplane/kubeadm/config/default/kustomization.yaml b/controlplane/kubeadm/config/default/kustomization.yaml index 36a864aa016a..4ea46bb12224 100644 --- a/controlplane/kubeadm/config/default/kustomization.yaml +++ b/controlplane/kubeadm/config/default/kustomization.yaml 
@@ -1,11 +1,60 @@ namespace: capi-kubeadm-control-plane-system +namePrefix: capi-kubeadm-control-plane- + +commonLabels: + cluster.x-k8s.io/provider: "control-plane-kubeadm" + resources: - namespace.yaml bases: -- ../rbac -- ../manager + - ../crd + - ../rbac + - ../manager + - ../webhook + - ../certmanager patchesStrategicMerge: -- manager_role_aggregation_patch.yaml + # Provide customizable hook for make targets. + - manager_image_patch.yaml + - manager_pull_policy.yaml + # Protect the /metrics endpoint by putting it behind auth. + # Only one of manager_auth_proxy_patch.yaml and + # manager_prometheus_metrics_patch.yaml should be enabled. + - manager_auth_proxy_patch.yaml + # Enable webhook. + - manager_webhook_patch.yaml + # Inject certificate in the webhook definition. + - webhookcainjection_patch.yaml + +vars: + - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR + objref: + kind: Certificate + group: cert-manager.io + version: v1alpha2 + name: serving-cert # this name should match the one in certificate.yaml + fieldref: + fieldpath: metadata.namespace + - name: CERTIFICATE_NAME + objref: + kind: Certificate + group: cert-manager.io + version: v1alpha2 + name: serving-cert # this name should match the one in certificate.yaml + - name: SERVICE_NAMESPACE # namespace of the service + objref: + kind: Service + version: v1 + name: webhook-service + fieldref: + fieldpath: metadata.namespace + - name: SERVICE_NAME + objref: + kind: Service + version: v1 + name: webhook-service + +configurations: + - kustomizeconfig.yaml diff --git a/controlplane/kubeadm/config/default/kustomizeconfig.yaml b/controlplane/kubeadm/config/default/kustomizeconfig.yaml new file mode 100644 index 000000000000..eb191e64d056 --- /dev/null +++ b/controlplane/kubeadm/config/default/kustomizeconfig.yaml 
@@ -0,0 +1,4 @@ +# This configuration is for teaching kustomize how to update name ref and var substitution +varReference: +- kind: Deployment + path: spec/template/spec/volumes/secret/secretName diff --git a/test/infrastructure/docker/config/manager/manager_auth_proxy_patch.yaml b/controlplane/kubeadm/config/default/manager_auth_proxy_patch.yaml similarity index 80% rename from test/infrastructure/docker/config/manager/manager_auth_proxy_patch.yaml rename to controlplane/kubeadm/config/default/manager_auth_proxy_patch.yaml index cf7f344844ce..a7987a993f99 100644 --- a/test/infrastructure/docker/config/manager/manager_auth_proxy_patch.yaml +++ b/controlplane/kubeadm/config/default/manager_auth_proxy_patch.yaml @@ -19,8 +19,3 @@ spec: ports: - containerPort: 8443 name: https - - name: manager - args: - - "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false}" - - "--metrics-bind-addr=0" - - "-v=4" diff --git a/controlplane/kubeadm/config/manager/manager_image_patch.yaml b/controlplane/kubeadm/config/default/manager_image_patch.yaml similarity index 100% rename from controlplane/kubeadm/config/manager/manager_image_patch.yaml rename to controlplane/kubeadm/config/default/manager_image_patch.yaml diff --git a/config/manager/manager_pull_policy.yaml b/controlplane/kubeadm/config/default/manager_pull_policy.yaml similarity index 100% rename from config/manager/manager_pull_policy.yaml rename to controlplane/kubeadm/config/default/manager_pull_policy.yaml diff --git a/config/webhook/manager_webhook_patch.yaml b/controlplane/kubeadm/config/default/manager_webhook_patch.yaml similarity index 70% rename from config/webhook/manager_webhook_patch.yaml rename to controlplane/kubeadm/config/default/manager_webhook_patch.yaml index 0a2030c530e8..b387eb0eae68 100644 --- a/config/webhook/manager_webhook_patch.yaml +++ b/controlplane/kubeadm/config/default/manager_webhook_patch.yaml 
@@ -8,10 +8,6 @@ spec: spec: containers: - name: manager - args: - - "--metrics-bind-addr=127.0.0.1:8080" - - "--webhook-port=9443" - - "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false},ClusterResourceSet=${EXP_CLUSTER_RESOURCE_SET:=false}" ports: - containerPort: 9443 name: webhook-server diff --git a/controlplane/kubeadm/config/webhook/webhookcainjection_patch.yaml b/controlplane/kubeadm/config/default/webhookcainjection_patch.yaml similarity index 100% rename from controlplane/kubeadm/config/webhook/webhookcainjection_patch.yaml rename to controlplane/kubeadm/config/default/webhookcainjection_patch.yaml diff --git a/controlplane/kubeadm/config/kustomization.yaml b/controlplane/kubeadm/config/kustomization.yaml deleted file mode 100644 index 15967b1c054f..000000000000 --- a/controlplane/kubeadm/config/kustomization.yaml +++ /dev/null @@ -1,17 +0,0 @@ -namePrefix: capi-kubeadm-control-plane- - -commonLabels: - cluster.x-k8s.io/provider: "control-plane-kubeadm" - -bases: -- crd -- default -- webhook - -patchesJson6902: -- target: - group: apiextensions.k8s.io - version: v1 - kind: CustomResourceDefinition - name: kubeadmcontrolplanes.controlplane.cluster.x-k8s.io - path: patch_crd_webhook_namespace.yaml diff --git a/controlplane/kubeadm/config/manager/kustomization.yaml b/controlplane/kubeadm/config/manager/kustomization.yaml index 4fe69200e8d7..5c5f0b84cba4 100644 --- a/controlplane/kubeadm/config/manager/kustomization.yaml +++ b/controlplane/kubeadm/config/manager/kustomization.yaml @@ -1,7 +1,2 @@ resources: - manager.yaml - -patchesStrategicMerge: -- manager_pull_policy.yaml -- manager_image_patch.yaml -- manager_auth_proxy_patch.yaml diff --git a/controlplane/kubeadm/config/manager/manager.yaml b/controlplane/kubeadm/config/manager/manager.yaml index 7a5d43a79421..b0b179244fff 100644 --- a/controlplane/kubeadm/config/manager/manager.yaml +++ b/controlplane/kubeadm/config/manager/manager.yaml 
@@ -19,7 +19,8 @@ spec: - command: - /manager args: - - --leader-elect + - "--leader-elect" + - "--metrics-bind-addr=127.0.0.1:8080" image: controller:latest name: manager terminationGracePeriodSeconds: 10 diff --git a/controlplane/kubeadm/config/patch_crd_webhook_namespace.yaml b/controlplane/kubeadm/config/patch_crd_webhook_namespace.yaml deleted file mode 100644 index 110f3a4945f7..000000000000 --- a/controlplane/kubeadm/config/patch_crd_webhook_namespace.yaml +++ /dev/null @@ -1,3 +0,0 @@ -- op: replace - path: "/spec/conversion/webhook/clientConfig/service/namespace" - value: capi-webhook-system diff --git a/controlplane/kubeadm/config/webhook/kustomization.yaml b/controlplane/kubeadm/config/webhook/kustomization.yaml index 23314b7710e3..9cf26134e4d5 100644 --- a/controlplane/kubeadm/config/webhook/kustomization.yaml +++ b/controlplane/kubeadm/config/webhook/kustomization.yaml @@ -1,43 +1,6 @@ -namespace: capi-webhook-system - resources: - manifests.yaml - service.yaml -- ../certmanager -- ../manager configurations: - kustomizeconfig.yaml - -patchesStrategicMerge: -- manager_webhook_patch.yaml -- webhookcainjection_patch.yaml - -vars: -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. -- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR - objref: - kind: Certificate - group: cert-manager.io - version: v1alpha2 - name: serving-cert # this name should match the one in certificate.yaml - fieldref: - fieldpath: metadata.namespace -- name: CERTIFICATE_NAME - objref: - kind: Certificate - group: cert-manager.io - version: v1alpha2 - name: serving-cert # this name should match the one in certificate.yaml -- name: SERVICE_NAMESPACE # namespace of the service - objref: - kind: Service - version: v1 - name: webhook-service - fieldref: - fieldpath: metadata.namespace -- name: SERVICE_NAME - objref: - kind: Service - version: v1 - name: webhook-service 
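Review bot: The KCP manager's `args` end up as only `--leader-elect` and `--metrics-bind-addr=127.0.0.1:8080`, while the two patches folded into `controlplane/kubeadm/config/default` on this page drop `--feature-gates=...` (and `-v=4`) from the `manager` container. Git paired those renamed patches with files from other components, so I cannot tell from here whether the control-plane manager previously ran with a feature gate; if it did, the gate now has to be listed here, as the migration notes in `v1alpha3-to-v1alpha4.md` describe, e.g. `- "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false}"`. Worth checking against the previously rendered `control-plane-components.yaml` before this lands. The `args` list continues outside the hunk.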
diff --git a/controlplane/kubeadm/config/webhook/kustomizeconfig.yaml b/controlplane/kubeadm/config/webhook/kustomizeconfig.yaml
index fddf04146f37..25e21e3c963f 100644
--- a/controlplane/kubeadm/config/webhook/kustomizeconfig.yaml
+++ b/controlplane/kubeadm/config/webhook/kustomizeconfig.yaml
@@ -23,5 +23,3 @@ namespace:
 varReference:
 - path: metadata/annotations
-- kind: Deployment
- path: spec/template/spec/volumes/secret/secretName
diff --git a/controlplane/kubeadm/main.go b/controlplane/kubeadm/main.go
index 79def16593c9..f158b74bc030 100644
--- a/controlplane/kubeadm/main.go
+++ b/controlplane/kubeadm/main.go
@@ -99,8 +99,8 @@ func InitFlags(fs *pflag.FlagSet) {
 fs.DurationVar(&syncPeriod, "sync-period", 10*time.Minute,
 "The minimum interval at which watched resources are reconciled (e.g. 15m)")
- fs.IntVar(&webhookPort, "webhook-port", 0,
- "Webhook Server port, disabled by default. When enabled, the manager will only work as webhook server, no reconcilers are installed.")
+ fs.IntVar(&webhookPort, "webhook-port", 9443,
+ "Webhook Server port")
 }
 func main() {
 rand.Seed(time.Now().UnixNano())
@@ -154,10 +154,6 @@ func main() {
 }
 func setupReconcilers(ctx context.Context, mgr ctrl.Manager) {
- if webhookPort != 0 {
- return
- }
-
 if err := (&kubeadmcontrolplanecontrollers.KubeadmControlPlaneReconciler{
 Client: mgr.GetClient(),
 }).SetupWithManager(ctx, mgr, concurrency(kubeadmControlPlaneConcurrency)); err != nil {
@@ -167,10 +163,6 @@ func setupReconcilers(ctx context.Context, mgr ctrl.Manager) {
 }
 func setupWebhooks(mgr ctrl.Manager) {
- if webhookPort == 0 {
- return
- }
-
 if err := (&kcpv1.KubeadmControlPlane{}).SetupWebhookWithManager(mgr); err != nil {
 setupLog.Error(err, "unable to create webhook", "webhook", "KubeadmControlPlane")
 os.Exit(1)
diff --git a/docs/book/src/developer/providers/v1alpha3-to-v1alpha4.md b/docs/book/src/developer/providers/v1alpha3-to-v1alpha4.md
index 6914e0d3ee88..01d5c7510110 100644
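Review bot: The new usage string `"Webhook Server port"` no longer tells operators what changed: with the `webhookPort != 0` and `webhookPort == 0` guards removed from setupReconcilers and setupWebhooks, a value of 0 no longer disables the webhooks or selects a webhook-only manager, and what 0 now does depends on how the manager options consume `webhookPort` outside this hunk. Suggest `"Webhook Server port. Webhooks are always registered together with the reconcilers; 0 is no longer a webhook-only or disabled mode."` so existing `--webhook-port=0` deployments are not silently reinterpreted. The `main.go` hunks further down this page make the identical change and should get the same wording. setupReconcilers and setupWebhooks continue outside the hunk.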
--- a/docs/book/src/developer/providers/v1alpha3-to-v1alpha4.md +++ b/docs/book/src/developer/providers/v1alpha3-to-v1alpha4.md 
@@ -58,3 +58,101 @@ Specific changes related to this topic will be detailed in this document. ## Change types with arrays of pointers to custom objects The conversion-gen code from the `1.20.x` release onward generates incorrect conversion functions for types having arrays of pointers to custom objects. Change the existing types to contain objects instead of pointer references. + +## Required kustomize changes to have a single manager watching all namespaces and answer to webhook calls + +In an effort to simplify the management of Cluster API components, and realign with Kubebuilder configuration, +we're requiring some changes to move all webhooks back into a single deployment manager, and to allow Cluster +API watch all namespaces it manages. +For a `/config` folder reference, please use the testdata in the Kubebuilder project: https://github.com/kubernetes-sigs/kubebuilder/tree/master/testdata/project-v3/config + +**Pre-requisites** + +Provider's `/config` folder has the same structure of `/config` folder in CAPI controllers. + +**Changes in the `/config/webhook` folder:** + +1. Edit the `/config/webhook/kustomization.yaml` file: + - Remove the `namespace:` configuration + - In the `resources:` list, remove the following items: + ``` + - ../certmanager + - ../manager + ``` + - Remove the `patchesStrategicMerge` list + - Copy the `vars` list into a temporary file to be used later in the process + - Remove the `vars` list +1. Edit the `config/webhook/kustomizeconfig.yaml` file: + - In the `varReference:` list, remove the item with `kind: Deployment` +1. Edit the `/config/webhook/manager_webhook_patch.yaml` file and remove + the `args` list from the `manager` container. +1. Move the following files to the `/config/default` folder + - `/config/webhook/manager_webhook_patch.yaml` + - `/config/webhook/webhookcainjection_patch.yaml` + +**Changes in the `/config/manager` folder:** + +1. 
Edit the `/config/manager/kustomization.yaml` file: + - Remove the `patchesStrategicMerge` list +1. Edit the `/config/manager/manager.yaml` file: + - Add the following items to the `args` list for the `manager` container list + ``` + - "--metrics-bind-addr=127.0.0.1:8080" + ``` + - Verify that fetaure flags required by your container are properly set + (as it was in `/config/webhook/manager_webhook_patch.yaml`). +1. Edit the `/config/manager/manager_auth_proxy_patch.yaml` file: + - Remove the patch for the container with name `manager` +1. Move the following files to the `/config/default` folder + - `/config/manager/manager_auth_proxy_patch.yaml` + - `/config/manager/manager_image_patch.yaml` + - `/config/manager/manager_pull_policy.yaml` + +**Changes in the `/config/default` folder:** +1. Create a file named `/config/default/kustomizeconfig.yaml` with the following content: + ``` + # This configuration is for teaching kustomize how to update name ref and var substitution + varReference: + - kind: Deployment + path: spec/template/spec/volumes/secret/secretName + ``` +1. Edit the `/config/manager/kustomization.yaml` file: + - Add the `namePrefix` and the `commonLabels` configuration values copying values from the `/config/kustomization.yaml` file + - In the `bases:` list, add the following items: + ``` + - ../crd + - ../certmanager + - ../webhook + ``` + - Add the `patchesStrategicMerge:` list, with the following items: + ``` + - manager_auth_proxy_patch.yaml + - manager_image_patch.yaml + - manager_pull_policy.yaml + ``` + - Add a `vars:` configuration using the value from the temporary file created while modifying `/config/webhook/kustomization.yaml` + - Add the `configurations:` list with the following items: + ``` + - kustomizeconfig.yaml + ``` + +**Changes in the `/config` folder:** + +1. Remove the `/config/kustomization.yaml` file +1. Remove the `/config/patch_crd_webhook_namespace.yaml` file + +**Changes in the `main.go` file:** + +1. 
Change default value for the flags `webhook-port` flag to `9443`
+1. Change your code so all the controllers and the webhooks are started no matter if the webhooks port selected.
+
+**Other changes:**
+
+- makefile
+ - update all the references for `/config/manager/manager_image_patch.yaml` to `/config/default/manager_image_patch.yaml`
+ - update all the references for `/config/manager/manager_pull_policy.yaml` to `/config/default/manager_pull_policy.yaml`
+ - update all the call to `kustomize` targeting `/config` to target `/config/default` instead.
+- E2E config files
+ - update provider sources reading from `/config` to read from `/config/default` instead.
+- clusterctl-settings.json file
+ - if the `configFolder` value is defined, update from `/config` to `/config/default`.
diff --git a/main.go b/main.go
index db8f33c0092f..d5203b33204e 100644
--- a/main.go
+++ b/main.go
@@ -129,8 +129,8 @@ func InitFlags(fs *pflag.FlagSet) {
 fs.DurationVar(&syncPeriod, "sync-period", 10*time.Minute,
 "The minimum interval at which watched resources are reconciled (e.g. 15m)")
- fs.IntVar(&webhookPort, "webhook-port", 0,
- "Webhook Server port, disabled by default. When enabled, the manager will only work as webhook server, no reconcilers are installed.")
+ fs.IntVar(&webhookPort, "webhook-port", 9443,
+ "Webhook Server port")
 fs.StringVar(&healthAddr, "health-addr", ":9440",
 "The address the health endpoint binds to.")
@@ -204,10 +204,6 @@ func setupChecks(mgr ctrl.Manager) {
 }
 func setupReconcilers(ctx context.Context, mgr ctrl.Manager) {
- if webhookPort != 0 {
- return
- }
-
 // Set up a ClusterCacheTracker and ClusterCacheReconciler to provide to controllers
 // requiring a connection to a remote cluster
 tracker, err := remote.NewClusterCacheTracker(
@@ -289,10 +285,6 @@ func setupReconcilers(ctx context.Context, mgr ctrl.Manager) {
 }
 func setupWebhooks(mgr ctrl.Manager) {
- if webhookPort == 0 {
- return
- }
-
 if err := (&clusterv1.Cluster{}).SetupWebhookWithManager(mgr); err != nil {
 setupLog.Error(err, "unable to create webhook", "webhook", "Cluster")
 os.Exit(1)
diff --git a/test/e2e/config/docker.yaml b/test/e2e/config/docker.yaml
index 2f04101f6560..944b79fa634d 100644
--- a/test/e2e/config/docker.yaml
+++ b/test/e2e/config/docker.yaml
@@ -31,7 +31,7 @@ providers:
 versions:
 - name: v0.3.0
 # Use manifest from source files
- value: ../../../config
+ value: ../../../config/default
 replacements:
 - old: --metrics-bind-addr=127.0.0.1:8080
 new: --metrics-bind-addr=:8080
@@ -43,7 +43,7 @@ providers:
 versions:
 - name: v0.3.0
 # Use manifest from source files
- value: ../../../bootstrap/kubeadm/config
+ value: ../../../bootstrap/kubeadm/config/default
 replacements:
 - old: --metrics-bind-addr=127.0.0.1:8080
 new: --metrics-bind-addr=:8080
@@ -55,7 +55,7 @@ providers:
 versions:
 - name: v0.3.0
 # Use manifest from source files
- value: ../../../controlplane/kubeadm/config
+ value: ../../../controlplane/kubeadm/config/default
 replacements:
 - old: --metrics-bind-addr=127.0.0.1:8080
 new: --metrics-bind-addr=:8080
@@ -67,7 +67,7 @@ providers:
 versions:
 - name: v0.3.0
 # Use manifest from source files
- value: ../../../test/infrastructure/docker/config
+ value: ../../../test/infrastructure/docker/config/default
 replacements:
 - old: --metrics-bind-addr=127.0.0.1:8080
 new: --metrics-bind-addr=:8080
diff --git a/test/infrastructure/docker/Makefile b/test/infrastructure/docker/Makefile
index 2998ef00dbf9..47654350540e 100644
--- a/test/infrastructure/docker/Makefile
+++ b/test/infrastructure/docker/Makefile
@@ -187,12 +187,12 @@ docker-push-manifest: ## Push the fat manifest docker image. .PHONY: set-manifest-image set-manifest-image: $(info Updating kustomize image patch file for manager resource) - sed -i'' -e 's@image: .*@image: '"${MANIFEST_IMG}:$(MANIFEST_TAG)"'@' ./config/manager/manager_image_patch.yaml + sed -i'' -e 's@image: .*@image: '"${MANIFEST_IMG}:$(MANIFEST_TAG)"'@' ./config/default/manager_image_patch.yaml .PHONY: set-manifest-pull-policy set-manifest-pull-policy: $(info Updating kustomize pull policy file for manager resource) - sed -i'' -e 's@imagePullPolicy: .*@imagePullPolicy: '"$(PULL_POLICY)"'@' ./config/manager/manager_pull_policy.yaml + sed -i'' -e 's@imagePullPolicy: .*@imagePullPolicy: '"$(PULL_POLICY)"'@' ./config/default/manager_pull_policy.yaml ## -------------------------------------- ## Release @@ -218,7 +218,7 @@ release: clean-release ## Builds and push container images using the latest git .PHONY: release-manifests release-manifests: $(RELEASE_DIR) ## Builds the manifests to publish with a release - kustomize build config/ > $(RELEASE_DIR)/infrastructure-components.yaml + kustomize build config/default > $(RELEASE_DIR)/infrastructure-components.yaml .PHONY: release-staging release-staging: ## Builds and push container images to the staging bucket. diff --git a/test/infrastructure/docker/config/default/kustomization.yaml b/test/infrastructure/docker/config/default/kustomization.yaml index 6ff3f026988e..2079a279a5ab 100644 --- a/test/infrastructure/docker/config/default/kustomization.yaml +++ b/test/infrastructure/docker/config/default/kustomization.yaml 
@@ -1,9 +1,60 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization namespace: capd-system +namePrefix: capd- + +commonLabels: + cluster.x-k8s.io/provider: "infrastructure-docker" + resources: - namespace.yaml bases: + - ../crd - ../rbac + - ../manager + - ../webhook + - ../certmanager + +patchesStrategicMerge: + # Provide customizable hook for make targets. + - manager_image_patch.yaml + - manager_pull_policy.yaml + # Protect the /metrics endpoint by putting it behind auth. + # Only one of manager_auth_proxy_patch.yaml and + # manager_prometheus_metrics_patch.yaml should be enabled. + - manager_auth_proxy_patch.yaml + # Enable webhook. + - manager_webhook_patch.yaml + # Inject certificate in the webhook definition. + - webhookcainjection_patch.yaml + +vars: + - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR + objref: + kind: Certificate + group: cert-manager.io + version: v1alpha2 + name: serving-cert # this name should match the one in certificate.yaml + fieldref: + fieldpath: metadata.namespace + - name: CERTIFICATE_NAME + objref: + kind: Certificate + group: cert-manager.io + version: v1alpha2 + name: serving-cert # this name should match the one in certificate.yaml + - name: SERVICE_NAMESPACE # namespace of the service + objref: + kind: Service + version: v1 + name: webhook-service + fieldref: + fieldpath: metadata.namespace + - name: SERVICE_NAME + objref: + kind: Service + version: v1 + name: webhook-service + +configurations: + - kustomizeconfig.yaml diff --git a/test/infrastructure/docker/config/default/kustomizeconfig.yaml b/test/infrastructure/docker/config/default/kustomizeconfig.yaml new file mode 100644 index 000000000000..eb191e64d056 --- /dev/null +++ b/test/infrastructure/docker/config/default/kustomizeconfig.yaml @@ -0,0 +1,4 @@ +# This configuration is for teaching kustomize how to update name ref and var substitution +varReference: +- kind: Deployment + path: spec/template/spec/volumes/secret/secretName 
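Review bot: The new comment `# Only one of manager_auth_proxy_patch.yaml and manager_prometheus_metrics_patch.yaml should be enabled.` in the patchesStrategicMerge list names a file that this same commit deletes (config/manager/manager_prometheus_metrics_patch.yaml, further down this page), so the alternative it describes no longer exists for this provider. Keep `# Protect the /metrics endpoint by putting it behind auth.` and drop the two lines that mention the removed patch, or reword them to state that the auth proxy is the only supported way to expose metrics here. The rest of the kustomization (vars, configurations) is consistent with the webhook kustomization it replaces.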
diff --git a/bootstrap/kubeadm/config/manager/manager_auth_proxy_patch.yaml b/test/infrastructure/docker/config/default/manager_auth_proxy_patch.yaml
similarity index 78%
rename from bootstrap/kubeadm/config/manager/manager_auth_proxy_patch.yaml
rename to test/infrastructure/docker/config/default/manager_auth_proxy_patch.yaml
index 22d5ed509911..a7987a993f99 100644
--- a/bootstrap/kubeadm/config/manager/manager_auth_proxy_patch.yaml
+++ b/test/infrastructure/docker/config/default/manager_auth_proxy_patch.yaml
@@ -19,8 +19,3 @@ spec:
 ports:
 - containerPort: 8443
 name: https
- - name: manager
- args:
- - "--metrics-bind-addr=127.0.0.1:8080"
- - "--leader-elect"
- - "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false}"
diff --git a/test/infrastructure/docker/config/manager/manager_image_patch.yaml b/test/infrastructure/docker/config/default/manager_image_patch.yaml
similarity index 100%
rename from test/infrastructure/docker/config/manager/manager_image_patch.yaml
rename to test/infrastructure/docker/config/default/manager_image_patch.yaml
diff --git a/controlplane/kubeadm/config/manager/manager_pull_policy.yaml b/test/infrastructure/docker/config/default/manager_pull_policy.yaml
similarity index 100%
rename from controlplane/kubeadm/config/manager/manager_pull_policy.yaml
rename to test/infrastructure/docker/config/default/manager_pull_policy.yaml
diff --git a/test/infrastructure/docker/config/webhook/manager_webhook_patch.yaml b/test/infrastructure/docker/config/default/manager_webhook_patch.yaml
similarity index 100%
rename from test/infrastructure/docker/config/webhook/manager_webhook_patch.yaml
rename to test/infrastructure/docker/config/default/manager_webhook_patch.yaml
diff --git a/test/infrastructure/docker/config/webhook/webhookcainjection_patch.yaml b/test/infrastructure/docker/config/default/webhookcainjection_patch.yaml
similarity index 100%
rename from test/infrastructure/docker/config/webhook/webhookcainjection_patch.yaml
rename to test/infrastructure/docker/config/default/webhookcainjection_patch.yaml
diff --git a/test/infrastructure/docker/config/kustomization.yaml b/test/infrastructure/docker/config/kustomization.yaml
deleted file mode 100644
index bd7e5666a031..000000000000
--- a/test/infrastructure/docker/config/kustomization.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-namePrefix: capd-
-
-commonLabels:
- cluster.x-k8s.io/provider: "infrastructure-docker"
-
-resources:
-- crd
-- default
-- webhook
diff --git a/test/infrastructure/docker/config/manager/kustomization.yaml b/test/infrastructure/docker/config/manager/kustomization.yaml
index 9d299adae969..5c5f0b84cba4 100644
--- a/test/infrastructure/docker/config/manager/kustomization.yaml
+++ b/test/infrastructure/docker/config/manager/kustomization.yaml
@@ -1,8 +1,2 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
 resources:
 - manager.yaml
-
-patchesStrategicMerge:
- - manager_image_patch.yaml
- - manager_auth_proxy_patch.yaml
diff --git a/test/infrastructure/docker/config/manager/manager.yaml b/test/infrastructure/docker/config/manager/manager.yaml
index e15c54bb8e59..9111cd777543 100644
--- a/test/infrastructure/docker/config/manager/manager.yaml
+++ b/test/infrastructure/docker/config/manager/manager.yaml
@@ -17,7 +17,9 @@ spec:
 spec:
 containers:
 - args:
- - --leader-elect
+ - "--leader-elect"
+ - "--metrics-bind-addr=127.0.0.1:8080"
+ - "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false}"
 image: controller:latest
 name: manager
 ports:
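Review bot: The base manifest now binds the metrics endpoint to loopback with `--metrics-bind-addr=127.0.0.1:8080`, which only makes sense together with the auth proxy sidecar added by manager_auth_proxy_patch.yaml (the 8443/https port it contributes is visible in the patch hunk earlier on this page); built on its own, config/manager yields a manager whose metrics are unreachable from outside the pod, and the e2e config earlier on this page deliberately rewrites the address to `:8080`. A comment above the flag, `# Loopback only: metrics are exposed through the auth proxy sidecar from config/default/manager_auth_proxy_patch.yaml.`, would make that dependency explicit now that the argument no longer lives in the patch itself. The Deployment spec continues outside the hunk.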
diff --git a/test/infrastructure/docker/config/manager/manager_prometheus_metrics_patch.yaml b/test/infrastructure/docker/config/manager/manager_prometheus_metrics_patch.yaml
deleted file mode 100644
index 0b96c6813e02..000000000000
--- a/test/infrastructure/docker/config/manager/manager_prometheus_metrics_patch.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# This patch enables Prometheus scraping for the manager pod.
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: controller-manager
- namespace: system
-spec:
- template:
- metadata:
- annotations:
- prometheus.io/scrape: 'true'
- spec:
- containers:
- # Expose the prometheus metrics on default port
- - name: manager
- ports:
- - containerPort: 8080
- name: metrics
- protocol: TCP
diff --git a/test/infrastructure/docker/config/manager/manager_pull_policy.yaml b/test/infrastructure/docker/config/manager/manager_pull_policy.yaml
deleted file mode 100644
index 74a0879c604a..000000000000
--- a/test/infrastructure/docker/config/manager/manager_pull_policy.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: controller-manager
- namespace: system
-spec:
- template:
- spec:
- containers:
- - name: manager
- imagePullPolicy: Always
diff --git a/test/infrastructure/docker/config/webhook/kustomization.yaml b/test/infrastructure/docker/config/webhook/kustomization.yaml
index ec4e284261ed..9cf26134e4d5 100644
--- a/test/infrastructure/docker/config/webhook/kustomization.yaml
+++ b/test/infrastructure/docker/config/webhook/kustomization.yaml
@@ -1,45 +1,6 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: capd-system - resources: - manifests.yaml - service.yaml -- ../certmanager -- ../manager - -patchesStrategicMerge: -- manager_webhook_patch.yaml -- webhookcainjection_patch.yaml configurations: - kustomizeconfig.yaml - -vars: - - name: SERVICE_NAMESPACE # namespace of the service - objref: - kind: Service - version: v1 - name: webhook-service - fieldref: - fieldpath: metadata.namespace - - name: SERVICE_NAME - objref: - kind: Service - version: v1 - name: webhook-service - # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. - - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR - objref: - kind: Certificate - group: cert-manager.io - version: v1alpha2 - name: serving-cert # this name should match the one in certificate.yaml - fieldref: - fieldpath: metadata.namespace - - name: CERTIFICATE_NAME - objref: - kind: Certificate - group: cert-manager.io - version: v1alpha2 - name: serving-cert # this name should match the one in certificate.yaml diff --git a/test/infrastructure/docker/config/webhook/kustomizeconfig.yaml b/test/infrastructure/docker/config/webhook/kustomizeconfig.yaml index 7cf1cd5534d1..e809f78208e0 100644 --- a/test/infrastructure/docker/config/webhook/kustomizeconfig.yaml +++ b/test/infrastructure/docker/config/webhook/kustomizeconfig.yaml @@ -16,5 +16,3 @@ namespace: varReference: - path: metadata/annotations -- kind: Deployment - path: spec/template/spec/volumes/secret/secretName diff --git a/test/infrastructure/docker/main.go b/test/infrastructure/docker/main.go index 17acf9ee8eec..eb9ad67912c3 100644 --- a/test/infrastructure/docker/main.go +++ b/test/infrastructure/docker/main.go @@ -53,6 +53,7 @@ var ( syncPeriod time.Duration concurrency int healthAddr string + webhookPort int ) func init() { 
@@ -82,7 +83,7 @@ func main() { LeaderElectionID: "controller-leader-election-capd", SyncPeriod: &syncPeriod, HealthProbeBindAddress: healthAddr, - Port: 9443, + Port: webhookPort, }) if err != nil { setupLog.Error(err, "unable to start manager") @@ -105,13 +106,19 @@ func main() { } func initFlags(fs *pflag.FlagSet) { - fs.StringVar(&metricsBindAddr, "metrics-bind-addr", ":8080", "The address the metric endpoint binds to.") - fs.IntVar(&concurrency, "concurrency", 10, "The number of docker machines to process simultaneously") + fs.StringVar(&metricsBindAddr, "metrics-bind-addr", ":8080", + "The address the metric endpoint binds to.") + fs.IntVar(&concurrency, "concurrency", 10, + "The number of docker machines to process simultaneously") fs.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.") fs.DurationVar(&syncPeriod, "sync-period", 10*time.Minute, "The minimum interval at which watched resources are reconciled (e.g. 15m)") - fs.StringVar(&healthAddr, "health-addr", ":9440", "The address the health endpoint binds to.") + fs.StringVar(&healthAddr, "health-addr", ":9440", + "The address the health endpoint binds to.") + fs.IntVar(&webhookPort, "webhook-port", 9443, + "Webhook Server port") + feature.MutableGates.AddFlag(fs) } diff --git a/tilt_modules/extensions.json b/tilt_modules/extensions.json index 44fe7523f5a3..5a6cd2fc8665 100644 --- a/tilt_modules/extensions.json +++ b/tilt_modules/extensions.json @@ -4,6 +4,11 @@ "Name": "cert_manager", "ExtensionRegistry": "https://github.com/tilt-dev/tilt-extensions", "TimeFetched": "2020-10-13T10:04:11.507324896-07:00" + }, + { + "Name": "cert_manager", + "ExtensionRegistry": "https://github.com/tilt-dev/tilt-extensions", + "TimeFetched": "2021-02-03T16:29:09.695507+01:00" } ] } \ No newline at end of file
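Review bot: The new flag's help text `"Webhook Server port"` in initFlags is the only description in the function that is neither a full sentence nor terminated with a period, and its capitalisation differs from the neighbouring `"The address the health endpoint binds to."`; `"The port the webhook server binds to."` would match the rest. The default of 9443 presumably has to agree with the container port declared in manager_webhook_patch.yaml, which this commit renames but whose content is not shown here, so that is worth confirming. The first hunk's `Port: webhookPort` is the only consumer of the new variable visible on this page.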