Add aws-cloud-controller-manager config to addons

[nckturner]

• Added addon for aws-cloud-controller (aws-cloud-controller.addons.k8s.io)
• Initial manifest: upup/models/cloudup/resources/addons/aws-cloud-controller.addons.k8s.io/k8s-1.18.yaml.template
• --external-cloud-volume-plugin flag for KCM
• AWSCCMTag to hold the logic to determine the CCM tag. This will change as soon as we have stable releases (soon).

[nckturner]

/hold

[johngmyers]

What is the correct behavior for k8s < 1.18? Previously it would install core.addons.k8s.io.

[nckturner]

Yeah, we should probably keep that behavior, as we don't have any published images pre-1.18.

[johngmyers]

Does the version need to track that of Kubernetes? The cloud-provider-aws repo doesn't say what the version compatibility policy is.

[olemarkus]

You can most likely just copy the OpenStackCCMTag function in template_functions.go.

[olemarkus]

Need any help to progress on this?

[nckturner]

@olemarkus so I ran into a ton of failures running e2e tests on clusters created with this change, and finally had a chance to dig in and discovered that the issue is that aws volumes need kubelet to start up with --cloud-provider=aws in order to pass. Otherwise, the volumes fail to be mounted.

Error: "MountVolume.SetUp failed for volume \"aws-j6cxz\" (UniqueName: \"kubernetes.io/aws-ebs/ddc37e26-a4ea-4800-b9cf-89f4c4ba2e06-aws-j6cxz\") pod \"aws-injector\" (UID: \"ddc37e26-a4ea-4800-b9cf-89f4c4ba2e06\") : mount failed: exit status 32\nMounting command: systemd-run\nMounting arguments: --description=Kubernetes transient mount for /var/lib/kubelet/pods/ddc37e26-a4ea-4800-b9cf-89f4c4ba2e06/volumes/kubernetes.io~aws-ebs/aws-j6cxz --scope -- mount -o bind /var/lib/kubelet/plugins/kubernetes.io/aws-ebs/mounts/aws/us-west-2a/vol-0927658c7047d003e/var/lib/kubelet/pods/ddc37e26-a4ea-4800-b9cf-89f4c4ba2e06/volumes/kubernetes.io~aws-ebs/aws-j6cxz\nOutput: Running scope as unit: run-r0506619461a2436f9b6de03226e313b4.scope\nmount: /var/lib/kubelet/pods/ddc37e26-a4ea-4800-b9cf-89f4c4ba2e06/volumes/kubernetes.io~aws-ebs/aws-j6cxz: special device /var/lib/kubelet/plugins/kubernetes.io/aws-ebs/mounts/aws/us-west-2a/vol-0927658c7047d003e does not exist.\n"

Interestingly, with --cloud-provider=external set, code paths using pkg/volume/awsebs/aws_ebs.go were being triggered, which was unexpected to me.

This issue looks like the same: kubernetes/kubernetes#71018. So possibly the options as the code stands today are either 1. use CSI or 2. run kubelet with --cloud-provider=aws? Note that I tested with 1.18.6.

[olemarkus]

I think it makes sense to use CSI. It is something that would be interesting to support anyway.

[nckturner]

@olemarkus I'd actually like to allow for both, as one use case for this change is testing upgrade scenarios. Right now this is configurable with:

  kubelet:
    cloudProvider: aws

[nckturner]

The other KCM flag that I've exposed in this PR is the --external-cloud-volume-plugin which allows the KCM to run the existing cloud volume control loops even when the other cloud loops are disabled due to setting --cloud-provider=external.

[olemarkus]

This type of logic can be added in ./pkg/model/components. That way changes done are also subject to validation and such. There is already something similar in place for openstack.

[nckturner]

Thanks, that's very helpful. Will add some validation here.

[olemarkus]

Sounds good. It may be an idea to add a flag to CloudConfig controlling if the CSI addon is installed or not, and then ensure users are configuring the flags you mention correctly through validation.

[nckturner]

/cc @andrewsykim

[nckturner]

• I've added a template function for the CCM tag: AWSCCMTag
• I've added a propsed CSI API so that we can detect and at least log a message when the user has a configuration that will break volumes. I'm not sure if we want to overwrite the user's value for --external-cloud-volume-plugin or not, I think we shouldn't do it in this PR because CSI is not yet implemented. (I can also remove the proposed CSI API from this PR if we want to discuss that separately, I'm not planning on implementing it in this PR).

[olemarkus]

For other providers we have similar types of configuration under a struct in CloudConfiguration. AWS doesn't have its own struct here; now may be the time to add it.

[nckturner]

I thought about that, but CloudConfig seems to be tightly mapped to the actual config file that is placed on disk, which is deprecated according to documentation I found. Shouldn't we move on from that object? Also, it kindof combines/conflates various addons, like CCM, CSI, etc. (even though, yes they are cloud related, there are many combinations that users might want to use and combining all of the configuration makes it quite difficult to understand what configuration is configuring which addon).

[olemarkus]

/retest

[nckturner]

I think I missed the versioned v1alpha2 API, will update that now.

[olemarkus]

And make apimachinery it seems. Running make verify && ./hack/verify-staticcheck.sh locally may be a faster feedback loop.

[justinsb]

This looks really good. We discussed that probably the CSI fields are better in a separate PR, and that we can just leave the warning when running without CSI & without the CCM flag in the code for now but commented out (maybe just the CSI bit commented out?) until the CSI PR lands separately.

There won't be much in the codepath then unless the feature-flag is set, so I'm in favor of merging and getting this under testing.

Thanks @nckturner for this :-)

[nckturner]

Updated the PR per @justinsb's comments. I decided to leave out docs at his suggestion since its early/feature gate protected, we will add them in a follow on PR. We can start with some basic usage docs in the aws-cloud-provider repository.

[nckturner]

/test pull-kops-e2e-cni-weave

[nckturner]

/hold
Fixing bug...

[olemarkus]

/test pull-kops-e2e-cni-flannel

[olemarkus]

/retest

[nckturner]

@justinsb ready for another look

[nckturner]

/hold cancel

Any chance we can merge this @justinsb? It will make testing the CCM easier..

[nckturner]

/retest

[justinsb]

Sorry about the delay here, and thanks for doing this @nckturner !

This looks to be entirely additive and feature flagged, and I believe the current target for external cloud-controller-manager is 1.21, so I think it's important that we start to get this under testing (not least because my understanding is that it doesn't yet entirely work!).

/approve
/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: justinsb, nckturner

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [justinsb]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[olemarkus]

/retest