Gitiles
Code Review Sign In
gerrit-dev.monogon.dev / monogon / 6d33a4342a16200d628f30ff91b169927fc2867a / . / metropolis / node / kubernetes / controller-manager.go
blob: 0223fd546127d0845efa7dcf49700e683cc0080a [file] [log] [blame]
Tim Windelschmidt6d33a432025-02-04 14:34:25 +0100[diff] [blame^]1// Copyright The Monogon Project Authors.
Lorenz Brun6e8f69c2019-11-18 10:44:24 +0100[diff] [blame]2// SPDX-License-Identifier: Apache-2.0
Lorenz Brun6e8f69c2019-11-18 10:44:24 +0100[diff] [blame]3
4package kubernetes
5
6import (
Lorenz Brun878f5f92020-05-12 16:15:39 +0200[diff] [blame]7 "context"
Lorenz Brun6e8f69c2019-11-18 10:44:24 +0100[diff] [blame]8 "encoding/pem"
9 "fmt"
10 "net"
Lorenz Brun6e8f69c2019-11-18 10:44:24 +0100[diff] [blame]11 "os/exec"
12
Serge Bazanski31370b02021-01-07 16:31:14 +0100[diff] [blame]13 "source.monogon.dev/metropolis/node/kubernetes/pki"
Tim Windelschmidt9f21f532024-05-07 15:14:20 +0200[diff] [blame]14 "source.monogon.dev/osbase/fileargs"
15 "source.monogon.dev/osbase/supervisor"
Lorenz Brun6e8f69c2019-11-18 10:44:24 +0100[diff] [blame]16)
17
18type controllerManagerConfig struct {
19 clusterNet net.IPNet
Lorenz Brun6211e4d2023-11-14 19:09:40 +0100[diff] [blame]20 serviceNet net.IPNet
Lorenz Brun6e8f69c2019-11-18 10:44:24 +0100[diff] [blame]21 // All PKI-related things are in DER
22 kubeConfig []byte
23 rootCA []byte
24 serviceAccountPrivKey []byte // In PKCS#8 form
25 serverCert []byte
26 serverKey []byte
27}
28
Serge Bazanski9411f7c2021-03-10 13:12:53 +0100[diff] [blame]29func getPKIControllerManagerConfig(ctx context.Context, kpki *pki.PKI) (*controllerManagerConfig, error) {
Lorenz Brun6e8f69c2019-11-18 10:44:24 +0100[diff] [blame]30 var config controllerManagerConfig
31 var err error
Serge Bazanskic2c7ad92020-07-13 17:20:09 +0200[diff] [blame]32 config.rootCA, _, err = kpki.Certificate(ctx, pki.IdCA)
Lorenz Brun6e8f69c2019-11-18 10:44:24 +0100[diff] [blame]33 if err != nil {
34 return nil, fmt.Errorf("failed to get ID root CA: %w", err)
35 }
Serge Bazanskic2c7ad92020-07-13 17:20:09 +0200[diff] [blame]36 config.serverCert, config.serverKey, err = kpki.Certificate(ctx, pki.ControllerManager)
Lorenz Brun6e8f69c2019-11-18 10:44:24 +0100[diff] [blame]37 if err != nil {
38 return nil, fmt.Errorf("failed to get controller-manager serving certificate: %w", err)
39 }
Serge Bazanskic2c7ad92020-07-13 17:20:09 +0200[diff] [blame]40 config.serviceAccountPrivKey, err = kpki.ServiceAccountKey(ctx)
Lorenz Brun6e8f69c2019-11-18 10:44:24 +0100[diff] [blame]41 if err != nil {
42 return nil, fmt.Errorf("failed to get serviceaccount privkey: %w", err)
43 }
Serge Bazanskie88ffe92023-03-21 13:38:46 +0100[diff] [blame]44 config.kubeConfig, err = kpki.Kubeconfig(ctx, pki.ControllerManagerClient, pki.KubernetesAPIEndpointForController)
Lorenz Brun6e8f69c2019-11-18 10:44:24 +0100[diff] [blame]45 if err != nil {
46 return nil, fmt.Errorf("failed to get controller-manager kubeconfig: %w", err)
47 }
48 return &config, nil
49}
50
Serge Bazanski967be212020-11-02 11:26:59 +0100[diff] [blame]51func runControllerManager(config controllerManagerConfig) supervisor.Runnable {
Lorenz Brun8e3b8fc2020-05-19 14:29:40 +0200[diff] [blame]52 return func(ctx context.Context) error {
53 args, err := fileargs.New()
54 if err != nil {
55 panic(err) // If this fails, something is very wrong. Just crash.
56 }
57 defer args.Close()
58
59 cmd := exec.CommandContext(ctx, "/kubernetes/bin/kube", "kube-controller-manager",
60 args.FileOpt("--kubeconfig", "kubeconfig", config.kubeConfig),
61 args.FileOpt("--service-account-private-key-file", "service-account-privkey.pem",
62 pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: config.serviceAccountPrivKey})),
63 args.FileOpt("--root-ca-file", "root-ca.pem",
64 pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: config.rootCA})),
Tim Windelschmidt90613af2023-07-20 14:26:18 +0200[diff] [blame]65 args.FileOpt("--client-ca-file", "root-ca.pem",
66 pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: config.rootCA})),
Jan Schärd5d33ba2024-05-15 11:45:35 +0200[diff] [blame]67 "--use-service-account-credentials=true",
Lorenz Brun8e3b8fc2020-05-19 14:29:40 +0200[diff] [blame]68 fmt.Sprintf("--cluster-cidr=%v", config.clusterNet.String()),
Lorenz Brun6211e4d2023-11-14 19:09:40 +0100[diff] [blame]69 fmt.Sprintf("--service-cluster-ip-range=%v", config.serviceNet.String()),
Lorenz Brun8e3b8fc2020-05-19 14:29:40 +0200[diff] [blame]70 args.FileOpt("--tls-cert-file", "server-cert.pem",
71 pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: config.serverCert})),
72 args.FileOpt("--tls-private-key-file", "server-key.pem",
73 pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: config.serverKey})),
Lorenz Brunf042e6f2020-06-24 16:46:09 +0200[diff] [blame]74 "--allocate-node-cidrs",
Lorenz Brun6211e4d2023-11-14 19:09:40 +0100[diff] [blame]75 // Disables unused cloud control loops and prevents warnings.
76 "--cloud-provider=external",
77 "--controllers=*,-certificatesigningrequest-signing-controller",
78 // This is intentionally empty, but if unset it tries to mkdir it
79 // in the usual place, generating an error.
80 "--flex-volume-plugin-dir=/kubernetes/conf/flexvolume-plugins",
Lorenz Brund58edf42024-11-27 20:38:14 +0000[diff] [blame]81 extraFeatureGates.AsFlag(),
Lorenz Brun8e3b8fc2020-05-19 14:29:40 +0200[diff] [blame]82 )
Lorenz Brunf042e6f2020-06-24 16:46:09 +0200[diff] [blame]83
Lorenz Brun8e3b8fc2020-05-19 14:29:40 +0200[diff] [blame]84 if args.Error() != nil {
85 return fmt.Errorf("failed to use fileargs: %w", err)
86 }
Serge Bazanski05604292021-03-12 17:47:21 +0100[diff] [blame]87 return supervisor.RunCommand(ctx, cmd, supervisor.ParseKLog())
Lorenz Brun6e8f69c2019-11-18 10:44:24 +0100[diff] [blame]88 }
Lorenz Brun6e8f69c2019-11-18 10:44:24 +0100[diff] [blame]89}