tracking issue for kubeadm init phases

[neolit123]

this tracking issue goes outside of the scope for 1.13 AKA we have items for post 1.13.

this post will summarize the work that has to be done to graduate the kubeadm phases to beta (ga?).
the issue will track PRs, assignees, but also have extra actions that have to be handled.
if you wish to work on a certain item please add a comment about it.

discussion happened around this gdoc in the 17oct/2018 kubeadm office hours meeting:
https://docs.google.com/document/d/10ZQ5erWhab3GJH-CjCBT6NgvLJQygyqPkQUsx_y5snQ/edit?usp=sharing

notes:

• we are keeping the kubeadm alpha command for now, but moving all viable phases in the bellow list to kubeadm init phase
• some phases are going to be collapsed into a parent phase, but optionally sub-phases to be exposed over time.
• some phases are shuffled around or removed.
• we have plans to support aliases where a sub-phase can call the same code as another sub-phase.
• some phases are going to be hidden which implies that they are going to be called by the backend in a specific order, but the user would not be able to call them from CLI or skip them.

list of phases (ordered)

---

• preflight

• assigned: @fabriziopandini

• PR: Kubeadm graduate preflight phase kubernetes#69666
  NOTE: this PR also serves as an example of how a new phases should be graduated.

• kubelet-start

• assigned: @fabriziopandini

• PR: kubeadm - graduate kubelet-start phase kubernetes#70049

currently this phase has sub-phases, the idea is to collapse them into a single phase. shuffle folders around etc. this however removes the control if the user wants to write a kubelet config, modify it and then start. so we might want to expose it eventually based on user feedback.

• certs
• assigned: @ereslibre
• PR: kubeadm: Graduate certs phase kubernetes#70331

should be a straight forward one, move all cert sub commands as sub phases.
renew needs to not be a sub-phase of certs, extra item bellow.

• kubeconfig
• assigned: @fabriziopandini
• PR: Kubeadm graduate kubeconfig phase kubernetes#70098

same as certs,
user however should be kept as an utility under kubeadm alpha kubeconfig user and not being a phase.

• control-plane
• assigned: @neolit123
• PR: kubeadm: graduate the control-plane phase kubernetes#70097

contains sub-phases for the control plane components. under api-server we also need to handle audit-policy (currently feature gated as a separate phase). there are plans to add aliases for certs here and eventually also have sub-sub-commands under each control plane component to 1) write config 2) write cert

• etcd
• assigned: @neolit123
• PR: kubeadm: graduate etcd phase kubernetes#70388

similar to control-plane, optionally enable 1) write config 2) write cert as sub phases here eventually too.

• wait-control-plane
• assigned: @neolit123
• PR: kubeadm: graduate wait-control-plane phase kubernetes#70512

hidden phase!

• upload-config
• assigned: @yagonobre
• PR: kubeadm graduate upload-config phase kubernetes#70405

this should including uploading the kubelet config (currently under kubelet phase) and the kubeadm config. both should be exposed as sub-phases.

annotate-cri-socket should be part of uploading the kubelet config

• mark-control-plane
• assigned: @RA489 @neolit123
• PR: kubeadm: graduate the mark-control-plane-phase kubernetes#70885

renamed from mark-master.

• bootstrap-token
• assigned: @yagonobre
• PR: kubeadm graduate bootstrap-token phase kubernetes#70727

should contain all of these, but collapsed and not exposed as sub-phases.

create (the function is CreateOrUpdate...)
allow-post-rbac-csr
auto-approve-node-tokens
auto-approve-node-cert-rotation
create-bootstrap-config-map 
create-cluster-info-rbac

• addons
• assigned: @yagonobre
• PR: Kubeadm graduate addons phase kubernetes#70354

should contain dns and proxy as subphases exposed in that order.

---

other action items:

• printing the join command should happen after all the phases in init have finished
• assigned: @yuexiao-wang
• PR: kubeadm: print the join command kubernetes#70795

this needs to handle the case where the creation of a token was skipped.

• alpha phase certs renew should be moved to alpha certs renew (not a phase)

• assigned: @fabriziopandini

• PR: Kubeadm alpha cmd kubernetes#70333

• app/phases/upgrade needs to be moved to generic kubeadm utils (not a phase)

• assigned: @yuexiao-wang

• PR: kubeadm: move app/phases/upgrade to generic kubeadm utils kubernetes#70346

• certs/pkiutil needs to be moved to generic kubeadm utils (not a phase)

• assigned: @yuexiao-wang

• PR: kubeadm: move certs/pkiutil to generic kubeadm utils kubernetes#70336

• bootstraptoken/node/token.go the utils in here need to be moved outside of k/k

• assigned: @neolit123

• PR: kubeadm: remove TODO about moving token utils to client-go kubernetes#69979

• enable-dynamic-kubelet-config should be moved outside of phases

• assigned: @yagonobre

• PR: Remove DynamicKubeletConfig from init and join workflow kubernetes#70849

it's feature gated.

to be decided....
the new home for this should be "k8s.io/cluster-bootstrap/token/util"
https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/cluster-bootstrap/token/util/helpers.go

[fabriziopandini]

fyi
This was the list of phases proposed some time ago

  preflight                  Run master pre-flight checks
  certs|certificates         Generates all PKI assets necessary to establish the control plane
    /ca                        Generates a self-signed kubernetes CA to provision identities for components of the cluster
    /apiserver                 Generates an API server serving certificate and key
    /apiserver-kubelet-client  Generates a client certificate for the API server to connect to the kubelets securely
    /etcd-ca                   Generates a self-signed CA to provision identities for etcd
    /etcd-server               Generates an etcd serving certificate and key
    /etcd-peer                 Generates an etcd peer certificate and key
    /etcd-healthcheck-client   Generates a client certificate for liveness probes to healthcheck etcd
    /apiserver-etcd-client     Generates a client certificate for the API server to connect to etcd securely
    /sa                        Generates a private key for signing service account tokens along with its public key
    /front-proxy-ca            Generates a front proxy CA certificate and key for a Kubernetes cluster
    /front-proxy-client        Generates a front proxy CA client certificate and key for a Kubernetes cluster
  kubeconfig                 Generates all kubeconfig files necessary to establish the control plane and the admin kubeconfig file
    /admin                     Generates a kubeconfig file for the admin to use and for kubeadm itself
    /kubelet                   Generates a kubeconfig file for the kubelet to use. Please note that this should be used *only* for bootstrapping purposes.
    /controller-manager        Generates a kubeconfig file for the controller manager to use
    /scheduler                 Generates a kubeconfig file for the scheduler to use
  audit-policy               Generates the audit-policy to use in the API server configuration (featureGated)
  controlplane               Generates all static Pod manifest files necessary to establish the control plane
    /apiserver                 Generates the API server static Pod manifest.
    /controller-manager        Generates the controller-manager static Pod manifest.
    /scheduler                 Generates the scheduler static Pod manifest.
  etcd                       Generates the static Pod manifest file for a local, single-node etcd instance
  init-kubeletconfig         (featureGated) Writes base configuration of kubelets to disk
  upload-kubeletconfig       (featureGated) Uploads kubelet config to a configMap and use it as a configSource for this node
  upload-config              Uploads the currently used configuration for kubeadm to a ConfigMap
  mark-master                Marks a node as master
  bootstrap-token            Makes all the bootstrap token configurations and creates an initial token
    /token                     Creates an initial bootstrap token to be used for node joining
    /cluster-info|clusterinfo  Uploads the cluster-info ConfigMap from the given kubeconfig file
    /allow-post-csr            Configures RBAC to allow node bootstrap tokens to post CSR in order for nodes to get long term certificate credentials
    /allow-auto-approve        Configures RBAC rules to allow the CSR approver controller automatically approve CSR from a node bootstrap token
  addons                     Installs required addons for passing Conformance tests
    /dns                       Installs the dns addon to a Kubernetes cluster
    /proxy                     Installs the proxy addon to a Kubernetes cluster
  selfhosting|self-hosting   Makes a kubeadm cluster self-hosted (featureGated)

[timothysc]

This looks good, but I think we might want to change some of the names, and obviously move selfhosting into it's own space.

[fabriziopandini]

@neolit123 could you kindly change this issues into a tracking issue /help-wanted that we can use to assign part of this effort to volunteers...

I think that @ereslibre, @RA489, @Klaven can help on this effort once the PR with the first phase implementation merges; ideally who takes in charge a phase should implement related subphases as well

[neolit123]

@fabriziopandini
done.

[neolit123]

are we going to discuss the list of phases this weeks kubeadm office hour? we need a solid list...

[ereslibre]

I won't be able to join tomorrows kubeadm office hours :(, but count me in for any ongoing effort!

[neolit123]

now that we have the list of phases i will update this tracking issue tomorrow.

[fabriziopandini]

@neolit123 thanks for this write-up. It is great starting point
@ereslibre, @RA489, @Klaven time for volunteering!

[neolit123]

a couple of requests for volunteers :)

• please, don't mention this issue in commit messages, because it will spam it on commit rebases.
• in PR descriptions use, Ref #this-issue-num instead of Fixes #this-issue-num, so that we don't close it on merge.

thanks.

[ereslibre]

For starting I can take the certs one!

[neolit123]

@fabriziopandini
btw i'm not exactly sure how we can sync the work here, unless phases are implemented in the presented order. the code in runInit() would still have to be present and we have to hold PRs that implement say mark-control-plane in the new fashion. otherwise we are going to break master.

[fabriziopandini]

@neolit123 I'm confident we can sync via slack/this issue

BTW, I'm taking phase kubelet-start

[neolit123]

@fabriziopandini ok, sounds good.

kubelet-start has a bit of a blocker in terms of the "stop" part as per @chuckha 's PR here:
kubernetes/kubernetes#69985
we need to discuss what to do with that.

[fabriziopandini]

taking kubeconfig

[neolit123]

taking control-plane but really want the PR that removes placeholder docs merged...

[yagonobre]

alpha phase certs renew was done in kubernetes/kubernetes#70333, I can take bootstrap-token and addons.

[bart0sh]

I can take this: "app/phases/upgrade needs to be moved to generic kubeadm utils (not a phase)"

[yagonobre]

@bart0sh this was done on kubernetes/kubernetes#70346

[bart0sh]

@yagonobre thanks for pointing it out. won't take it then. I thought it's not assigned:

 app/phases/upgrade needs to be moved to generic kubeadm utils (not a phase)

assigned: TODO

[neolit123]

sorry, just updated it.

[yagonobre]

What is the expected subphases on bootstrap-token? I'm taking upload-config in the meantime.

[yagonobre]

taking enable-dynamic-kubelet-config

[neolit123]

@yagonobre

What is the expected subphases on bootstrap-token? I'm taking upload-config in the meantime.

as commented there, the listed sub-phases should be just collapsed in a single phase.

should contain all of these, but collapsed and not exposed as sub-phases.

[yagonobre]

ok, taking bootstrap-token again

[neolit123]

PSA, the phases need to be merged in the above order as we don't want to break e2e tests.

[fabriziopandini]

@neolit123 annotateCRI IMO doesn't deserve a first level phase because it ideally should go away as soon as possible.. What about having annotateCRI as part of the upload kubelet config subphases? (Run Upload kubelet config writes the config map and annotates CRI)
@yagonobre wdyt?

[neolit123]

@fabriziopandini
SGTM, i will update the list.
responded here too: kubernetes/kubernetes#70405 (comment)

[neolit123]

@RA489 hi, do you have a PR in the works for mark-control-plane?
we might be able to merge it this week if so.

[RA489]

@neolit123 WIP

[neolit123]

the work here is done!

the only remaining items are these, but we can track then individually:
kubernetes/kubernetes#70346
kubernetes/kubernetes#69979

we did a pretty nice organization here and managed to tackle the list of tasks pretty well!!
thank you @fabriziopandini @yagonobre @yuexiao-wang @ereslibre @RA489

i will also send a shoutout to everyone for the community meeting on Thursday.