From 652ebd659b7773d93c9ca79a4e711a6beed50997 Mon Sep 17 00:00:00 2001 From: Priya Wadhwa Date: Mon, 27 Jan 2020 13:55:33 -0800 Subject: [PATCH 01/30] metadata addon works --- README.md | 9 +++ .../metadata/metadata-deployment.yaml.tmpl | 19 +++++ deploy/addons/metadata/metadata-ns.yaml | 20 +++++ .../metadata/metadata-service.yaml.tmpl | 12 +++ go.mod | 2 + go.sum | 4 + pkg/addons/config.go | 10 ++- pkg/addons/metadata/configmap.go | 74 +++++++++++++++++ pkg/addons/metadata/disable.go | 6 ++ pkg/addons/metadata/enable.go | 80 +++++++++++++++++++ pkg/minikube/assets/addons.go | 20 +++++ 11 files changed, 255 insertions(+), 1 deletion(-) create mode 100644 deploy/addons/metadata/metadata-deployment.yaml.tmpl create mode 100644 deploy/addons/metadata/metadata-ns.yaml create mode 100644 deploy/addons/metadata/metadata-service.yaml.tmpl create mode 100644 pkg/addons/metadata/configmap.go create mode 100644 pkg/addons/metadata/disable.go create mode 100644 pkg/addons/metadata/enable.go diff --git a/README.md b/README.md index 75423b747468..6e4308df62d5 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,12 @@ +minikube addons enable metadata +kubectl run curl --image=radial/busyboxplus:curl -i --tty +curl metadata.google.internal +kubectl delete deploy curl + +minikube addons disable metadata +kubectl run curl --image=radial/busyboxplus:curl -i --tty +curl metadata.google.internal # Should fail + # minikube [![BuildStatus Widget]][BuildStatus Result] diff --git a/deploy/addons/metadata/metadata-deployment.yaml.tmpl b/deploy/addons/metadata/metadata-deployment.yaml.tmpl new file mode 100644 index 000000000000..0fd6b8bd3d73 --- /dev/null +++ b/deploy/addons/metadata/metadata-deployment.yaml.tmpl 
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: metadata
+ namespace: metadata
+spec:
+ selector:
+ matchLabels:
+ app: metadata
+ template:
+ metadata:
+ labels:
+ app: metadata
+ spec:
+ containers:
+ - name: metadata
+ image: gcr.io/k8s-minikube/metadata-server
+ ports:
+ - containerPort: 8080
\ No newline at end of file
diff --git a/deploy/addons/metadata/metadata-ns.yaml b/deploy/addons/metadata/metadata-ns.yaml
new file mode 100644
index 000000000000..9da954ee6656
--- /dev/null
+++ b/deploy/addons/metadata/metadata-ns.yaml
@@ -0,0 +1,20 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: metadata
+ labels:
+ kubernetes.io/minikube-addons: metadata
diff --git a/deploy/addons/metadata/metadata-service.yaml.tmpl b/deploy/addons/metadata/metadata-service.yaml.tmpl
new file mode 100644
index 000000000000..f08862b8006b
--- /dev/null
+++ b/deploy/addons/metadata/metadata-service.yaml.tmpl
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: metadata
+ namespace: metadata
+spec:
+ ports:
+ - port: 80
+ targetPort: 8080
+ protocol: TCP
+ selector:
+ app: metadata
diff --git a/go.mod b/go.mod
index 0cd9aca2bf45..eb68a63c5a1c 100644
--- a/go.mod
+++ b/go.mod
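Review bot: The `image: gcr.io/k8s-minikube/metadata-server` line in metadata-deployment.yaml.tmpl carries neither a tag nor a digest, so the kubelet resolves it to the mutable `latest` tag and whatever was most recently pushed to that repository runs inside the cluster; pin it to an immutable reference such as `image: gcr.io/k8s-minikube/metadata-server@sha256:<digest>` so that one addon release maps to one known image. The pod spec also sets no `securityContext` and no resource limits, which matters for a service every pod in the cluster is about to be pointed at via DNS; `runAsNonRoot: true` and `allowPrivilegeEscalation: false` under the container cost nothing here. The service in the same line intentionally exposes plain HTTP on port 80, which is what a metadata emulator needs, but a one-line comment in the manifest saying so would stop a later reader from "fixing" it.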
@@ -16,6 +16,7 @@ require ( github.com/cheggaaa/pb/v3 v3.0.1 github.com/cloudfoundry-attic/jibber_jabber v0.0.0-20151120183258-bcc4c8345a21 github.com/cloudfoundry/jibber_jabber v0.0.0-20151120183258-bcc4c8345a21 // indirect + github.com/coreos/rkt v1.30.0 github.com/docker/docker v1.13.1 github.com/docker/go-units v0.3.3 github.com/docker/machine v0.7.1-0.20190718054102-a555e4f7a8f5 // version is 0.7.1 to pin to a555e4f7a8f5 @@ -59,6 +60,7 @@ require ( github.com/pkg/errors v0.8.1 github.com/pkg/profile v0.0.0-20161223203901-3a8809bd8a80 github.com/pmezard/go-difflib v1.0.0 + github.com/rkt/rkt v1.30.0 // indirect github.com/samalba/dockerclient v0.0.0-20160414174713-91d7393ff859 // indirect github.com/shirou/gopsutil v2.18.12+incompatible github.com/shirou/w32 v0.0.0-20160930032740-bb4de0191aa4 // indirect diff --git a/go.sum b/go.sum index edafefc48029..6bb2abd81938 100644 --- a/go.sum +++ b/go.sum @@ -85,6 +85,7 @@ github.com/container-storage-interface/spec v1.1.0/go.mod h1:6URME8mwIBbpVyZV93C github.com/containerd/console v0.0.0-20170925154832-84eeaae905fa/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw= github.com/containerd/containerd v1.0.2/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= github.com/containerd/typeurl v0.0.0-20190228175220-2a93cfde8c20/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc= +github.com/containernetworking/cni v0.6.0 h1:FXICGBZNMtdHlW65trpoHviHctQD3seWhRRcqp2hMOU= github.com/containernetworking/cni v0.6.0/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY= github.com/coreos/bbolt v1.3.1-coreos.6/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= 
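Review bot: The new direct requirement `github.com/coreos/rkt v1.30.0` (and the indirect `github.com/rkt/rkt v1.30.0` in the second hunk) is not imported by any file in this patch, so it looks like an accidental addition that pulls an archived project and its transitive modules into the build graph and into go.sum. Unless a later commit in the series actually uses it, drop both lines and run `go mod tidy` so go.mod lists only what the addon needs; keeping unused modules out of the requirement graph is the cheapest supply-chain hygiene available.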
@@ -97,6 +98,7 @@ github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3Ee github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20181012123002-c6f51f82210d/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/coreos/rkt v1.30.0 h1:Kkt6sYeEGKxA3Y7SCrY+nHoXkWed6Jr2BBY42GqMymM= github.com/coreos/rkt v1.30.0/go.mod h1:O634mlH6U7qk87poQifK6M2rsFNt+FyUTWNMnP1hF1U= github.com/cpuguy83/go-md2man v1.0.4/go.mod h1:N6JayAiVKtlHSnuTCeuLSQVs75hb8q+dYQLjr7cDsKY= github.com/cpuguy83/go-md2man v1.0.10 h1:BSKMNlYxDvnunlTymqtgONjNnaRV1sTpcovwwjF22jk= @@ -443,6 +445,8 @@ github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a h1:9a8MnZMP0X2nL github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/quobyte/api v0.1.2/go.mod h1:jL7lIHrmqQ7yh05OJ+eEEdHr0u/kmT1Ff9iHd+4H6VI= github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M= +github.com/rkt/rkt v1.30.0 h1:ZI5RQtSibfjicSttV/HLiHuWreYClEJA2Or5XKAdJb0= +github.com/rkt/rkt v1.30.0/go.mod h1:V5VwmwHe6x1kflB4uXl1XJwXTgRISEMt2lZE6m6lXd0= github.com/robfig/cron v0.0.0-20170309132418-df38d32658d8/go.mod h1:JGuDeoQd7Z6yL4zQhZ3OPEVHB7fL6Ka6skscFHfmt2k= github.com/rogpeppe/go-charset v0.0.0-20180617210344-2471d30d28b4/go.mod h1:qgYeAmZ5ZIpBWTGllZSQnw97Dj+woV0toclVaRGI8pc= github.com/rubiojr/go-vhd v0.0.0-20160810183302-0bfd3b39853c/go.mod h1:DM5xW0nvfNNm2uytzsvhI3OnX8uzaRAg8UX/CnDqbto= diff --git a/pkg/addons/config.go b/pkg/addons/config.go index 059ddf79294f..b15f82611f9f 100644 --- a/pkg/addons/config.go +++ b/pkg/addons/config.go 
@@ -16,7 +16,10 @@ limitations under the License. package addons -import "k8s.io/minikube/pkg/minikube/config" +import ( + "k8s.io/minikube/pkg/addons/metadata" + "k8s.io/minikube/pkg/minikube/config" +) type setFn func(string, string, string) error @@ -122,4 +125,9 @@ var Addons = []*Addon{ set: SetBool, callbacks: []setFn{enableOrDisableStorageClasses}, }, + { + name: "metadata", + set: SetBool, + callbacks: []setFn{metadata.EnableOrDisable, enableOrDisableAddon}, + }, } diff --git a/pkg/addons/metadata/configmap.go b/pkg/addons/metadata/configmap.go new file mode 100644 index 000000000000..e346177faab9 --- /dev/null +++ b/pkg/addons/metadata/configmap.go @@ -0,0 +1,74 @@ +package metadata + +import ( + "bytes" + "os" + "os/exec" +) + +var metadataCorefileConfigmap = `apiVersion: v1 +data: + Corefile: | + .:53 { + errors + health { + lameduck 5s + } + ready + kubernetes cluster.local in-addr.arpa ip6.arpa { + pods insecure + fallthrough in-addr.arpa ip6.arpa + ttl 30 + } + rewrite name metadata.google.internal metadata.metadata.svc.cluster.local + prometheus :9153 + forward . /etc/resolv.conf + cache 30 + loop + reload + loadbalance + } +kind: ConfigMap +metadata: + name: coredns + namespace: kube-system +` + +var originalCorefileConfigmap = `apiVersion: v1 +data: + Corefile: | + .:53 { + errors + health { + lameduck 5s + } + ready + kubernetes cluster.local in-addr.arpa ip6.arpa { + pods insecure + fallthrough in-addr.arpa ip6.arpa + ttl 30 + } + prometheus :9153 + forward . /etc/resolv.conf + cache 30 + loop + reload + loadbalance + } +kind: ConfigMap +metadata: + name: coredns + namespace: kube-system +` + +func updateConfigmap(data string) error { + // get current configmap + cmd := exec.Command("kubectl", "apply", "-f", "-") + reader := bytes.NewReader([]byte(data)) + cmd.Stdin = reader + + cmd.Stdout = os.Stdout + cmd.Stderr = os.Stdout + + return cmd.Run() +} 
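Review bot: `updateConfigmap` shells out to whatever `kubectl` is first on the user's PATH with `apply -f -` and no `--context`, so it targets the kubeconfig's current context, while `restartCoreDNS` in the same patch resolves the cluster through `kapi.Client(...)` for the minikube profile; if the current context points elsewhere, enabling the addon overwrites the `kube-system/coredns` ConfigMap of an unrelated cluster. Use the same client-go client (`client.CoreV1().ConfigMaps("kube-system")` get/update) or at minimum pass `--context` with the profile name. The ConfigMap is also replaced wholesale from a hard-coded Corefile, so any site-specific CoreDNS configuration is discarded and `originalCorefileConfigmap` restores a guess rather than what was there; reading the live object and inserting only the `rewrite name metadata.google.internal metadata.metadata.svc.cluster.local` line would be safer. The `cmd.Stderr = os.Stdout` assignment also merges the two streams; `os.Stderr` is the intended target.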
diff --git a/pkg/addons/metadata/disable.go b/pkg/addons/metadata/disable.go
new file mode 100644
index 000000000000..9dbed5e77b0d
--- /dev/null
+++ b/pkg/addons/metadata/disable.go
@@ -0,0 +1,6 @@
+package metadata
+
+func Disable() error {
+
+ return nil
+}
diff --git a/pkg/addons/metadata/enable.go b/pkg/addons/metadata/enable.go
new file mode 100644
index 000000000000..53105fd3216f
--- /dev/null
+++ b/pkg/addons/metadata/enable.go
@@ -0,0 +1,80 @@
+package metadata
+
+import (
+ "fmt"
+ "strconv"
+ "strings"
+ "time"
+
+ "github.com/pkg/errors"
+ "github.com/spf13/viper"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+ "k8s.io/minikube/pkg/kapi"
+ "k8s.io/minikube/pkg/minikube/config"
+)
+
+func EnableOrDisable(name, val, profile string) error {
+ enable, err := strconv.ParseBool(val)
+ if err != nil {
+ return errors.Wrapf(err, "parsing bool: %s", name)
+ }
+ if enable {
+ return enableAddon()
+ }
+ return disableAddon()
+
+}
+
+func enableAddon() error {
+ fmt.Println("updating configmap")
+ if err := updateConfigmap(metadataCorefileConfigmap); err != nil {
+ return err
+ }
+ fmt.Println("restarting core dns")
+ if err := restartCoreDNS(); err != nil {
+ return err
+ }
+ return nil
+}
+
+func disableAddon() error {
+ fmt.Println("updating configmap")
+ if err := updateConfigmap(originalCorefileConfigmap); err != nil {
+ return err
+ }
+ fmt.Println("restarting core dns")
+ if err := restartCoreDNS(); err != nil {
+ return err
+ }
+ return nil
+}
+
+func restartCoreDNS() error {
+ client, err := kapi.Client(viper.GetString(config.MachineProfile))
+ if err != nil {
+ return err
+ }
+ ns := "kube-system"
+ pods, err := client.CoreV1().Pods(ns).List(metav1.ListOptions{})
+
+ var coreDNSPods []string
+ for _, p := range pods.Items {
+ if !strings.Contains(p.GetName(), "coredns") {
+ continue
+ }
+ coreDNSPods = append(coreDNSPods, p.GetName())
+ }
+
+ for _, p := range coreDNSPods {
+ fmt.Println("Deleting", p)
+ if err := client.CoreV1().Pods(ns).Delete(p, &metav1.DeleteOptions{}); err != nil {
+ return err
+ }
+ }
+ // Wait for deployment to be healthy again
+ if err := kapi.WaitForDeploymentToStabilize(client, "kube-system", "coredns", 2*time.Minute); err != nil {
+ return err
+ }
+ return nil
+}
diff --git a/pkg/minikube/assets/addons.go b/pkg/minikube/assets/addons.go
index 67fd6b33df0d..261efc208754 100644
--- a/pkg/minikube/assets/addons.go
+++ b/pkg/minikube/assets/addons.go
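Review bot: In `restartCoreDNS` the error returned by `client.CoreV1().Pods(ns).List(metav1.ListOptions{})` is assigned but never checked, so an API failure reaches `pods.Items` through a nil pointer and panics instead of returning; add `if err != nil { return errors.Wrap(err, "listing kube-system pods") }` directly after the call. `EnableOrDisable` receives `profile` but ignores it, and `restartCoreDNS` instead reads `viper.GetString(config.MachineProfile)`, so `-p` is not honoured once the two disagree; pass `profile` down through `enableAddon`/`disableAddon`. Selecting pods with `strings.Contains(p.GetName(), "coredns")` will also delete any unrelated pod whose name happens to contain that substring; a label selector matching the CoreDNS deployment's pod labels is the usual way to target them.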
@@ -331,6 +331,26 @@ var Addons = map[string]*Addon{ "0640", false), }, false, "ingress-dns"), + "metadata": NewAddon([]*BinAsset{ + MustBinAsset( + "deploy/addons/metadata/metadata-ns.yaml", + vmpath.GuestAddonsDir, + "metadata-ns.yaml", + "0640", + false), + MustBinAsset( + "deploy/addons/metadata/metadata-deployment.yaml.tmpl", + vmpath.GuestAddonsDir, + "metadata-deployment.yaml", + "0640", + false), + MustBinAsset( + "deploy/addons/metadata/metadata-service.yaml.tmpl", + vmpath.GuestAddonsDir, + "metadata-service.yaml", + "0640", + false), + }, false, "metadata"), } // AddMinikubeDirAssets adds all addons and files to the list From 5cd023ccb80b748ff52c260a4f22479648b9a3fc Mon Sep 17 00:00:00 2001 From: Priya Wadhwa Date: Mon, 27 Jan 2020 14:08:33 -0800 Subject: [PATCH 02/30] Add code for metadata server image and makefile rules --- .dockerignore | 1 - Makefile | 13 +++++++++++++ cmd/metadata-server/server.go | 25 +++++++++++++++++++++++++ deploy/metadata-server/Dockerfile | 17 +++++++++++++++++ pkg/addons/metadata/configmap.go | 11 ++++++----- pkg/addons/metadata/enable.go | 6 +----- 6 files changed, 62 insertions(+), 11 deletions(-) create mode 100644 cmd/metadata-server/server.go create mode 100644 deploy/metadata-server/Dockerfile diff --git a/.dockerignore b/.dockerignore index 7b66cd4ff58e..a44790e379fc 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,2 +1 @@ out/buildroot* - diff --git a/Makefile b/Makefile index fb9e39a60042..3fcae224fa80 100755 --- a/Makefile +++ b/Makefile 
@@ -604,3 +604,16 @@ help:
 @printf "\033[1mAvailable targets for minikube ${VERSION}\033[21m\n"
 @printf "\033[1m--------------------------------------\033[21m\n"
 @grep -h -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
+
+
+out/metadata-server:
+ CGO_ENABLED=0 GOOS=linux go build -o $@ -ldflags=$(PROVISIONER_LDFLAGS) cmd/metadata-server/server.go
+
+.PHONY: metadata-server-image
+metadata-server-image: out/metadata-server ## Build metadata-server docker image
+ docker build -t $(REGISTRY)/metadata-server -f deploy/metadata-server/Dockerfile .
+
+
+.PHONY: push-metadata-server-image
+push-metadata-server-image: metadata-server-image ## Push metadata-server docker image using gcloud
+ gcloud docker -- push $(REGISTRY)/metadata-server
diff --git a/cmd/metadata-server/server.go b/cmd/metadata-server/server.go
new file mode 100644
index 000000000000..4a3923ee30b7
--- /dev/null
+++ b/cmd/metadata-server/server.go
@@ -0,0 +1,25 @@
+package main
+
+import (
+ "fmt"
+ "log"
+ "net/http"
+ "os"
+)
+
+func handler(w http.ResponseWriter, r *http.Request) {
+ fmt.Fprint(w, "Success!\n")
+}
+
+func main() {
+ log.Print("Metadata server started.")
+
+ http.HandleFunc("/", handler)
+
+ port := os.Getenv("PORT")
+ if port == "" {
+ port = "8080"
+ }
+
+ log.Fatal(http.ListenAndServe(fmt.Sprintf(":%s", port), nil))
+}
diff --git a/deploy/metadata-server/Dockerfile b/deploy/metadata-server/Dockerfile
new file mode 100644
index 000000000000..66c3b65b3431
--- /dev/null
+++ b/deploy/metadata-server/Dockerfile
@@ -0,0 +1,17 @@ +# Copyright 2016 The Kubernetes Authors All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FROM scratch +COPY out/metadata-server metadata-server +CMD ["/metadata-server"] diff --git a/pkg/addons/metadata/configmap.go b/pkg/addons/metadata/configmap.go index e346177faab9..27be8adcff54 100644 --- a/pkg/addons/metadata/configmap.go +++ b/pkg/addons/metadata/configmap.go @@ -2,7 +2,7 @@ package metadata import ( "bytes" - "os" + "fmt" "os/exec" ) @@ -67,8 +67,9 @@ func updateConfigmap(data string) error { reader := bytes.NewReader([]byte(data)) cmd.Stdin = reader - cmd.Stdout = os.Stdout - cmd.Stderr = os.Stdout - - return cmd.Run() + if output, err := cmd.CombinedOutput(); err != nil { + fmt.Println(string(output)) + return err + } + return nil } diff --git a/pkg/addons/metadata/enable.go b/pkg/addons/metadata/enable.go index 53105fd3216f..7c696de49bdb 100644 --- a/pkg/addons/metadata/enable.go +++ b/pkg/addons/metadata/enable.go @@ -27,11 +27,9 @@ func EnableOrDisable(name, val, profile string) error { } func enableAddon() error { - fmt.Println("updating configmap") if err := updateConfigmap(metadataCorefileConfigmap); err != nil { return err } - fmt.Println("restarting core dns") if err := restartCoreDNS(); err != nil { return err } 
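Review bot: deploy/metadata-server/Dockerfile has no `USER` instruction, so the static binary runs as uid 0 inside the container; `FROM scratch` means it is the only thing in there, but a numeric non-root user still takes a class of container-escape and hostPath-abuse issues off the table and lets a `runAsNonRoot: true` pod policy pass. Add `USER 65532:65532` before `CMD` (the server binds 8080 and needs no privilege). If the deployment later gains a `securityContext`, this line is what makes it enforceable without a root-check failure at startup.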
@@ -39,11 +37,9 @@ func enableAddon() error { } func disableAddon() error { - fmt.Println("updating configmap") if err := updateConfigmap(originalCorefileConfigmap); err != nil { return err } - fmt.Println("restarting core dns") if err := restartCoreDNS(); err != nil { return err } @@ -66,8 +62,8 @@ func restartCoreDNS() error { coreDNSPods = append(coreDNSPods, p.GetName()) } + fmt.Println("Restarting coredns...") for _, p := range coreDNSPods { - fmt.Println("Deleting", p) if err := client.CoreV1().Pods(ns).Delete(p, &metav1.DeleteOptions{}); err != nil { return err } From 582ed255ee807d235507b2154db7d6f9b660adab Mon Sep 17 00:00:00 2001 From: Priya Wadhwa Date: Tue, 28 Jan 2020 10:00:40 -0800 Subject: [PATCH 03/30] remove log message --- pkg/addons/metadata/enable.go | 2 -- 1 file changed, 2 deletions(-) diff --git a/pkg/addons/metadata/enable.go b/pkg/addons/metadata/enable.go index 7c696de49bdb..0db9e9081443 100644 --- a/pkg/addons/metadata/enable.go +++ b/pkg/addons/metadata/enable.go @@ -1,7 +1,6 @@ package metadata import ( - "fmt" "strconv" "strings" "time" @@ -62,7 +61,6 @@ func restartCoreDNS() error { coreDNSPods = append(coreDNSPods, p.GetName()) } - fmt.Println("Restarting coredns...") for _, p := range coreDNSPods { if err := client.CoreV1().Pods(ns).Delete(p, &metav1.DeleteOptions{}); err != nil { return err From 615b35f7c1610c125d4aa130589ec27a57954ef6 Mon Sep 17 00:00:00 2001 From: Priya Wadhwa Date: Tue, 28 Jan 2020 16:43:48 -0800 Subject: [PATCH 04/30] update to work with v1.13.11 --- pkg/addons/metadata/configmap.go | 26 ++++++++++---------------- 1 file changed, 10 insertions(+), 16 deletions(-) diff --git a/pkg/addons/metadata/configmap.go b/pkg/addons/metadata/configmap.go index 27be8adcff54..f3c9cc31c6a6 100644 --- a/pkg/addons/metadata/configmap.go +++ b/pkg/addons/metadata/configmap.go 
@@ -11,18 +11,15 @@ data: Corefile: | .:53 { errors - health { - lameduck 5s - } - ready + health kubernetes cluster.local in-addr.arpa ip6.arpa { pods insecure + upstream fallthrough in-addr.arpa ip6.arpa - ttl 30 } rewrite name metadata.google.internal metadata.metadata.svc.cluster.local prometheus :9153 - forward . /etc/resolv.conf + proxy . /etc/resolv.conf cache 30 loop reload @@ -39,17 +36,14 @@ data: Corefile: | .:53 { errors - health { - lameduck 5s - } - ready + health kubernetes cluster.local in-addr.arpa ip6.arpa { pods insecure + upstream fallthrough in-addr.arpa ip6.arpa - ttl 30 } prometheus :9153 - forward . /etc/resolv.conf + proxy . /etc/resolv.conf cache 30 loop reload @@ -67,9 +61,9 @@ func updateConfigmap(data string) error { reader := bytes.NewReader([]byte(data)) cmd.Stdin = reader - if output, err := cmd.CombinedOutput(); err != nil { - fmt.Println(string(output)) - return err - } + if output, err := cmd.CombinedOutput(); err != nil { + fmt.Println(string(output)) + return err + } return nil } From 4c2001426b393ae92bef08fffec15bf04cebba2a Mon Sep 17 00:00:00 2001 From: Priya Wadhwa Date: Mon, 20 Apr 2020 11:43:57 -0700 Subject: [PATCH 05/30] update readme --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index 6e4308df62d5..3e3b4494885e 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,16 @@ minikube addons enable metadata + kubectl run curl --image=radial/busyboxplus:curl -i --tty + curl metadata.google.internal + kubectl delete deploy curl + minikube addons disable metadata + kubectl run curl --image=radial/busyboxplus:curl -i --tty + curl metadata.google.internal # Should fail # minikube From 8a202f03b07018906ebc8ccec85b59dc746fabab Mon Sep 17 00:00:00 2001 From: Sharif Elgamal Date: Thu, 4 Jun 2020 15:35:31 -0700 Subject: [PATCH 06/30] fix metadata addon stuff for newer codebase --- pkg/addons/metadata/enable.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
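Review bot: The Corefile in `metadataCorefileConfigmap` is now written for one specific CoreDNS release (`proxy`, `upstream`, bare `health`), and patch 07 in this series switches it back to `forward`/`ready`/`ttl 30`, which exposes the underlying problem: the addon replaces the cluster's entire `coredns` ConfigMap with a template that has to track whichever Kubernetes version minikube runs, and `originalCorefileConfigmap` restores that template rather than the Corefile that was actually in place. Read the live ConfigMap, keep a copy (an annotation on the object or a second ConfigMap in the `metadata` namespace would do), insert only the `rewrite name metadata.google.internal metadata.metadata.svc.cluster.local` line on enable, and restore the saved copy on disable. The last hunk here only re-indents the `if output, err := cmd.CombinedOutput()` block without changing it; that whitespace churn should stay out of a compatibility commit.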
diff --git a/pkg/addons/metadata/enable.go b/pkg/addons/metadata/enable.go index 0db9e9081443..4092b1a3b1f7 100644 --- a/pkg/addons/metadata/enable.go +++ b/pkg/addons/metadata/enable.go @@ -13,7 +13,7 @@ import ( "k8s.io/minikube/pkg/minikube/config" ) -func EnableOrDisable(name, val, profile string) error { +func EnableOrDisable(cc *config.ClusterConfig, name string, val string) error { enable, err := strconv.ParseBool(val) if err != nil { return errors.Wrapf(err, "parsing bool: %s", name) @@ -46,7 +46,7 @@ func disableAddon() error { } func restartCoreDNS() error { - client, err := kapi.Client(viper.GetString(config.MachineProfile)) + client, err := kapi.Client(viper.GetString(config.ProfileName)) if err != nil { return err } From b0fc07a7e6650182f84c8e3137ce62d4a8ef909b Mon Sep 17 00:00:00 2001 From: Sharif Elgamal Date: Mon, 15 Jun 2020 16:51:44 -0700 Subject: [PATCH 07/30] buncha changes --- Makefile | 2 +- cmd/metadata-server/server.go | 7 ++- .../metadata/metadata-deployment.yaml.tmpl | 2 +- deploy/metadata-server/Dockerfile | 2 +- pkg/addons/metadata/configmap.go | 61 +++++++++++-------- 5 files changed, 42 insertions(+), 32 deletions(-) diff --git a/Makefile b/Makefile index a96e3926c324..63fb1facb43f 100755 --- a/Makefile +++ b/Makefile @@ -679,7 +679,7 @@ out/metadata-server: .PHONY: metadata-server-image metadata-server-image: out/metadata-server ## Build metadata-server docker image - docker build -t $(REGISTRY)/metadata-server -f deploy/metadata-server/Dockerfile . + docker build -t $(REGISTRY)/metadata-server:snapshot -f deploy/metadata-server/Dockerfile ./out .PHONY: push-metadata-server-image diff --git a/cmd/metadata-server/server.go b/cmd/metadata-server/server.go index 4a3923ee30b7..6523a246b5e4 100644 --- a/cmd/metadata-server/server.go +++ b/cmd/metadata-server/server.go 
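Review bot: `EnableOrDisable` now takes `cc *config.ClusterConfig` but never uses it, and `restartCoreDNS` still resolves the target cluster from `viper.GetString(config.ProfileName)`, so the addon keeps acting on global state rather than on the cluster the caller selected. If `ClusterConfig` carries the profile name, as its use elsewhere in minikube suggests, thread it through (`enableAddon(cc)` / `kapi.Client(<profile name from cc>)`) and drop the viper lookup. Both function bodies continue outside the hunk.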
@@ -8,11 +8,14 @@ import ( ) func handler(w http.ResponseWriter, r *http.Request) { - fmt.Fprint(w, "Success!\n") + fmt.Fprint(w, "Yes!\n") + fmt.Fprint(w, r.URL.EscapedPath()) + log.Printf("----REQUEST: %+v----\n", r) + fmt.Printf("----REQUEST: %+v----\n", r) } func main() { - log.Print("Metadata server started.") + log.Print("Metadata server started!") http.HandleFunc("/", handler) diff --git a/deploy/addons/metadata/metadata-deployment.yaml.tmpl b/deploy/addons/metadata/metadata-deployment.yaml.tmpl index 0fd6b8bd3d73..ec8153b2a8eb 100644 --- a/deploy/addons/metadata/metadata-deployment.yaml.tmpl +++ b/deploy/addons/metadata/metadata-deployment.yaml.tmpl @@ -14,6 +14,6 @@ spec: spec: containers: - name: metadata - image: gcr.io/k8s-minikube/metadata-server + image: gcr.io/k8s-minikube/metadata-server:snapshot ports: - containerPort: 8080 \ No newline at end of file diff --git a/deploy/metadata-server/Dockerfile b/deploy/metadata-server/Dockerfile index 66c3b65b3431..3495bba9db89 100644 --- a/deploy/metadata-server/Dockerfile +++ b/deploy/metadata-server/Dockerfile @@ -13,5 +13,5 @@ # limitations under the License. FROM scratch -COPY out/metadata-server metadata-server +COPY metadata-server /metadata-server CMD ["/metadata-server"] diff --git a/pkg/addons/metadata/configmap.go b/pkg/addons/metadata/configmap.go index f3c9cc31c6a6..52b053b3fb8d 100644 --- a/pkg/addons/metadata/configmap.go +++ b/pkg/addons/metadata/configmap.go 
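Review bot: The handler now dumps the entire `*http.Request` with `%+v`, twice (`log.Printf` and `fmt.Printf`), which writes every header of every request into the pod logs — for an endpoint standing in for the GCE metadata server that includes any tokens or credentials a client puts in headers — and it echoes `r.URL.EscapedPath()` back to the caller. These read as debugging leftovers; log only the method and path, once, e.g. `log.Printf("%s %s", r.Method, r.URL.Path)`, and drop the echo. The deployment hunk in the same line moves the image to the mutable `:snapshot` tag, so the image-pinning concern raised on the first version of the manifest still applies.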
@@ -10,20 +10,24 @@ var metadataCorefileConfigmap = `apiVersion: v1 data: Corefile: | .:53 { - errors - health - kubernetes cluster.local in-addr.arpa ip6.arpa { - pods insecure - upstream - fallthrough in-addr.arpa ip6.arpa - } - rewrite name metadata.google.internal metadata.metadata.svc.cluster.local - prometheus :9153 - proxy . /etc/resolv.conf - cache 30 - loop - reload - loadbalance + log + errors + health { + lameduck 5s + } + ready + kubernetes cluster.local in-addr.arpa ip6.arpa { + pods insecure + fallthrough in-addr.arpa ip6.arpa + ttl 30 + } + rewrite name metadata.google.internal metadata.metadata.svc.cluster.local + prometheus :9153 + forward . /etc/resolv.conf + cache 30 + loop + reload + loadbalance } kind: ConfigMap metadata: @@ -35,19 +39,22 @@ var originalCorefileConfigmap = `apiVersion: v1 data: Corefile: | .:53 { - errors - health - kubernetes cluster.local in-addr.arpa ip6.arpa { - pods insecure - upstream - fallthrough in-addr.arpa ip6.arpa - } - prometheus :9153 - proxy . /etc/resolv.conf - cache 30 - loop - reload - loadbalance + errors + health { + lameduck 5s + } + ready + kubernetes cluster.local in-addr.arpa ip6.arpa { + pods insecure + fallthrough in-addr.arpa ip6.arpa + ttl 30 + } + prometheus :9153 + forward . /etc/resolv.conf + cache 30 + loop + reload + loadbalance } kind: ConfigMap metadata: From 66d37c8d40dc9b32ef6f6bfe83d60311e1a189e9 Mon Sep 17 00:00:00 2001 
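Review bot: The enabled Corefile in `metadataCorefileConfigmap` now begins with the `log` plugin while `originalCorefileConfigmap` does not, so enabling the addon silently turns on logging of every DNS query from every pod in the cluster — a privacy and log-volume change that has nothing to do with the rewrite — and disabling it turns that off again. Unless query logging is meant to be part of the feature, remove `log` so the only difference between the two Corefiles is the `rewrite name metadata.google.internal ...` line. This hunk also reverts the `proxy`/`upstream` form introduced two commits earlier for v1.13.11, which reinforces that a hard-coded Corefile cannot track every CoreDNS version minikube supports.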
From: Sharif Elgamal Date: Tue, 30 Jun 2020 13:49:05 -0700 Subject: [PATCH 08/30] just so many changes --- Makefile | 2 + cmd/metadata-server/server.go | 193 ++++++++++++++++-- ...ent.yaml.tmpl => metadata-deployment.yaml} | 11 +- .../metadata/metadata-mutatingwebhook.yaml | 100 +++++++++ ...ervice.yaml.tmpl => metadata-service.yaml} | 4 +- deploy/metadata-server/Dockerfile | 2 +- pkg/addons/config.go | 2 +- pkg/addons/metadata/configmap.go | 76 ------- pkg/addons/metadata/disable.go | 6 - pkg/addons/metadata/enable.go | 72 +++---- pkg/minikube/assets/addons.go | 10 +- 11 files changed, 339 insertions(+), 139 deletions(-) rename deploy/addons/metadata/{metadata-deployment.yaml.tmpl => metadata-deployment.yaml} (53%) create mode 100644 deploy/addons/metadata/metadata-mutatingwebhook.yaml rename deploy/addons/metadata/{metadata-service.yaml.tmpl => metadata-service.yaml} (78%) delete mode 100644 pkg/addons/metadata/configmap.go delete mode 100644 pkg/addons/metadata/disable.go diff --git a/Makefile b/Makefile index 63fb1facb43f..4802936ba882 100755 --- a/Makefile +++ b/Makefile @@ -674,6 +674,8 @@ help: @grep -h -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' +metadata-server: out/metadata-server + out/metadata-server: CGO_ENABLED=0 GOOS=linux go build -o $@ -ldflags=$(PROVISIONER_LDFLAGS) cmd/metadata-server/server.go diff --git a/cmd/metadata-server/server.go b/cmd/metadata-server/server.go index 6523a246b5e4..1e4e7af07cbd 100644 --- a/cmd/metadata-server/server.go +++ b/cmd/metadata-server/server.go 
@@ -1,28 +1,197 @@ package main import ( + "encoding/json" "fmt" + "io/ioutil" "log" "net/http" - "os" + + admissionv1 "k8s.io/api/admission/v1" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/serializer" +) + +var ( + runtimeScheme = runtime.NewScheme() + codecs = serializer.NewCodecFactory(runtimeScheme) + deserializer = codecs.UniversalDeserializer() ) -func handler(w http.ResponseWriter, r *http.Request) { - fmt.Fprint(w, "Yes!\n") - fmt.Fprint(w, r.URL.EscapedPath()) - log.Printf("----REQUEST: %+v----\n", r) - fmt.Printf("----REQUEST: %+v----\n", r) +type patchOperation struct { + Op string `json:"op"` + Path string `json:"path"` + Value interface{} `json:"value,omitempty"` +} + +func mutateHandler(w http.ResponseWriter, r *http.Request) { + log.Printf("%v\n", r) + + var body []byte + if r.Body != nil { + if data, err := ioutil.ReadAll(r.Body); err == nil { + body = data + } + } + + if len(body) == 0 { + log.Print("request body was empty, returning") + http.Error(w, "empty body", http.StatusBadRequest) + return + } + + var admissionResponse *admissionv1.AdmissionResponse + + ar := admissionv1.AdmissionReview{} + if _, _, err := deserializer.Decode(body, nil, &ar); err != nil { + log.Printf("Can't decode body: %v", err) + admissionResponse = &admissionv1.AdmissionResponse{ + Result: &metav1.Status{ + Message: err.Error(), + }, + } + } + + req := ar.Request + var pod corev1.Pod + if err := json.Unmarshal(req.Object.Raw, &pod); err != nil { + log.Printf("Could not unmarshal raw object: %v", err) + admissionResponse = &admissionv1.AdmissionResponse{ + Result: &metav1.Status{ + Message: err.Error(), + }, + } + } + + var patch []patchOperation + + // Define the volume to mount in + v := corev1.Volume{ + Name: "gcp-creds", + VolumeSource: corev1.VolumeSource{ + HostPath: func() *corev1.HostPathVolumeSource { + h := corev1.HostPathVolumeSource{ + Path: 
"/tmp/google_application_credentials.json", + Type: func() *corev1.HostPathType { + hpt := corev1.HostPathFile + return &hpt + }(), + } + return &h + }(), + }, + } + + // Mount the volume in + mount := corev1.VolumeMount{ + Name: "gcp-creds", + MountPath: "/google-app-creds.json", + ReadOnly: true, + } + + // Define the env var + e := corev1.EnvVar{ + Name: "GOOGLE_APPLICATION_CREDENTIALS", + Value: "/google-app-creds.json", + } + + e2 := corev1.EnvVar{ + Name: "GOOGLE_CLOUD_PROJECT", + Value: "k8s-minikube", + } + envVars := []corev1.EnvVar{e, e2} + + patch = append(patch, patchOperation{ + Op: "add", + Path: "/spec/volumes", + Value: append(pod.Spec.Volumes, v), + }) + + for i, c := range pod.Spec.Containers { + if len(c.VolumeMounts) == 0 { + patch = append(patch, patchOperation{ + Op: "add", + Path: fmt.Sprintf("/spec/containers/%d/volumeMounts", i), + Value: []corev1.VolumeMount{mount}, + }) + } else { + patch = append(patch, patchOperation{ + Op: "add", + Path: fmt.Sprintf("/spec/containers/%d/volumeMounts", i), + Value: append(c.VolumeMounts, mount), + }) + } + if len(c.Env) == 0 { + patch = append(patch, patchOperation{ + Op: "add", + Path: fmt.Sprintf("/spec/containers/%d/env", i), + Value: envVars, + }) + } else { + patch = append(patch, patchOperation{ + Op: "add", + Path: fmt.Sprintf("/spec/containers/%d/env", i), + Value: append(c.Env, envVars...), + }) + } + } + + patchBytes, err := json.Marshal(patch) + if err != nil { + admissionResponse = &admissionv1.AdmissionResponse{ + Result: &metav1.Status{ + Message: err.Error(), + }, + } + } + + if admissionResponse == nil { + admissionResponse = &admissionv1.AdmissionResponse{ + Allowed: true, + Patch: patchBytes, + PatchType: func() *admissionv1.PatchType { + pt := admissionv1.PatchTypeJSONPatch + return &pt + }(), + } + } + + admissionReview := admissionv1.AdmissionReview{} + if admissionResponse != nil { + admissionReview.Response = admissionResponse + if ar.Request != nil { + 
admissionReview.Response.UID = ar.Request.UID + } + } + admissionReview.Kind = "AdmissionReview" + admissionReview.APIVersion = "admission.k8s.io/v1" + + resp, err := json.Marshal(admissionReview) + if err != nil { + log.Printf("Can't encode response: %v", err) + http.Error(w, fmt.Sprintf("could not encode response: %v", err), http.StatusInternalServerError) + } + log.Printf("Ready to write reponse ...") + if _, err := w.Write(resp); err != nil { + log.Printf("Can't write response: %v", err) + http.Error(w, fmt.Sprintf("could not write response: %v", err), http.StatusInternalServerError) + } + } func main() { - log.Print("Metadata server started!") + log.Print("Mutate webhook server started! Take 5.") + + mux := http.NewServeMux() - http.HandleFunc("/", handler) + mux.HandleFunc("/mutate", mutateHandler) - port := os.Getenv("PORT") - if port == "" { - port = "8080" + s := &http.Server{ + Addr: ":8443", + Handler: mux, } - log.Fatal(http.ListenAndServe(fmt.Sprintf(":%s", port), nil)) + log.Fatal(s.ListenAndServeTLS("/etc/webhook/certs/cert.pem", "/etc/webhook/certs/key.pem")) } diff --git a/deploy/addons/metadata/metadata-deployment.yaml.tmpl b/deploy/addons/metadata/metadata-deployment.yaml similarity index 53% rename from deploy/addons/metadata/metadata-deployment.yaml.tmpl rename to deploy/addons/metadata/metadata-deployment.yaml index ec8153b2a8eb..29f68591b615 100644 --- a/deploy/addons/metadata/metadata-deployment.yaml.tmpl +++ b/deploy/addons/metadata/metadata-deployment.yaml @@ -15,5 +15,14 @@ spec: containers: - name: metadata image: gcr.io/k8s-minikube/metadata-server:snapshot + imagePullPolicy: Never ports: - - containerPort: 8080 \ No newline at end of file + - containerPort: 8443 + volumeMounts: + - name: webhook-certs + mountPath: /etc/webhook/certs + readOnly: true + volumes: + - name: webhook-certs + secret: + secretName: metadata-certs 
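Review bot: `mutateHandler` keeps executing after a decode failure: when `deserializer.Decode` errors it records an `AdmissionResponse` but then does `req := ar.Request` and `json.Unmarshal(req.Object.Raw, &pod)`, and `ar.Request` is nil for any body that is not an AdmissionReview, so the handler panics; net/http recovers the goroutine, but the API server sees a broken response and, because the webhook registration in this patch leaves `failurePolicy` at its default of Fail, every pod create in the cluster is rejected. Return early on the decode and unmarshal errors and guard `ar.Request == nil`, as in the excerpt below. Separately, the patch unconditionally appends `GOOGLE_APPLICATION_CREDENTIALS` and a hard-coded `GOOGLE_CLOUD_PROJECT: k8s-minikube` to every container — overriding values the pod author set — and mounts a `HostPathFile` at `/tmp/google_application_credentials.json`, which makes pod start fail on any node where that file is absent; skip containers that already define the variable and make the project configurable. `main` at the end of the hunk serves TLS with no `ReadHeaderTimeout`, and `ioutil.ReadAll(r.Body)` is unbounded; wrap the body with `http.MaxBytesReader`.
```go
	ar := admissionv1.AdmissionReview{}
	if _, _, err := deserializer.Decode(body, nil, &ar); err != nil {
		log.Printf("Can't decode body: %v", err)
		http.Error(w, fmt.Sprintf("could not decode AdmissionReview: %v", err), http.StatusBadRequest)
		return
	}
	if ar.Request == nil {
		http.Error(w, "AdmissionReview has no request", http.StatusBadRequest)
		return
	}

	var pod corev1.Pod
	if err := json.Unmarshal(ar.Request.Object.Raw, &pod); err != nil {
		log.Printf("Could not unmarshal raw object: %v", err)
		http.Error(w, fmt.Sprintf("could not unmarshal pod: %v", err), http.StatusBadRequest)
		return
	}
	// … unchanged: patch construction, marshal and response …
```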
diff --git a/deploy/addons/metadata/metadata-mutatingwebhook.yaml b/deploy/addons/metadata/metadata-mutatingwebhook.yaml new file mode 100644 index 000000000000..bd3d7bd57e6a --- /dev/null +++ b/deploy/addons/metadata/metadata-mutatingwebhook.yaml 
@@ -0,0 +1,100 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: minikube-metadata-certs + namespace: metadata +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: minikube-metadata-certs +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - list + - get + - create +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: minikube-metadata-certs + namespace: metadata +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: minikube-metadata-certs +subjects: + - kind: ServiceAccount + name: minikube-metadata-certs + namespace: metadata +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: metadata-certs-create + namespace: metadata +spec: + template: + metadata: + name: metadata-certs-create + spec: + serviceAccountName: minikube-metadata-certs + containers: + - name: create + image: jettech/kube-webhook-certgen:v1.2.2 + imagePullPolicy: IfNotPresent + args: + - create + - --host=metadata,metadata.metadata,metadata.metadata.svc + - --namespace=metadata + - --secret-name=metadata-certs + restartPolicy: OnFailure +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: metadata-webhook-cfg + labels: + app: metadata +webhooks: +- name: metadata-mutate.k8s.io + sideEffects: None + admissionReviewVersions: ["v1", "v1beta1"] + clientConfig: + service: + name: metadata + namespace: metadata + path: "/mutate" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["*"] + apiVersions: ["*"] + resources: ["pods"] + scope: "*" +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: metadata-certs-patch + namespace: metadata +spec: + template: + metadata: + name: metadata-certs-patch + spec: + serviceAccountName: minikube-metadata-certs + containers: + - name: patch + image: jettech/kube-webhook-certgen:v1.2.2 + imagePullPolicy: IfNotPresent + args: + - patch + - --secret-name=metadata-certs + - 
--namespace=metadata-certs + - --webhook-name=metadata-webhook-cfg + restartPolicy: OnFailure \ No newline at end of file diff --git a/deploy/addons/metadata/metadata-service.yaml.tmpl b/deploy/addons/metadata/metadata-service.yaml similarity index 78% rename from deploy/addons/metadata/metadata-service.yaml.tmpl rename to deploy/addons/metadata/metadata-service.yaml index f08862b8006b..54a0f4d20189 100644 --- a/deploy/addons/metadata/metadata-service.yaml.tmpl +++ b/deploy/addons/metadata/metadata-service.yaml @@ -5,8 +5,8 @@ metadata: namespace: metadata spec: ports: - - port: 80 - targetPort: 8080 + - port: 443 + targetPort: 8443 protocol: TCP selector: app: metadata diff --git a/deploy/metadata-server/Dockerfile b/deploy/metadata-server/Dockerfile index 3495bba9db89..b4586d6becc2 100644 --- a/deploy/metadata-server/Dockerfile +++ b/deploy/metadata-server/Dockerfile @@ -14,4 +14,4 @@ FROM scratch COPY metadata-server /metadata-server -CMD ["/metadata-server"] +ENTRYPOINT ["/metadata-server"] diff --git a/pkg/addons/config.go b/pkg/addons/config.go index 8ad3c7012c4a..90caf58f465e 100644 --- a/pkg/addons/config.go +++ b/pkg/addons/config.go @@ -149,6 +149,6 @@ var Addons = []*Addon{ { name: "metadata", set: SetBool, - callbacks: []setFn{metadata.EnableOrDisable, enableOrDisableAddon}, + callbacks: []setFn{enableOrDisableAddon, metadata.EnableOrDisable}, }, } diff --git a/pkg/addons/metadata/configmap.go b/pkg/addons/metadata/configmap.go deleted file mode 100644 index 52b053b3fb8d..000000000000 --- a/pkg/addons/metadata/configmap.go +++ /dev/null 
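Review bot: The `minikube-metadata-certs` ClusterRole/ClusterRoleBinding in metadata-mutatingwebhook.yaml gives the cert-generation service account `get`/`list` on every Secret in the cluster, while the create and patch Jobs only ever touch `metadata-certs` in the `metadata` namespace; a namespaced Role and RoleBinding cover the same calls with no cluster-wide reach. The `namespace:` field on the ClusterRoleBinding is ignored because that kind is cluster-scoped, and the binding uses the deprecated `rbac.authorization.k8s.io/v1beta1` while the role uses `v1`. If a cluster-scoped permission is needed later (the MutatingWebhookConfiguration itself is cluster-scoped), keep it in a separate, minimal ClusterRole rather than widening this one.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: minikube-metadata-certs
  namespace: metadata
rules:
  - apiGroups: ['']
    resources: [secrets]
    verbs: [get, list, create]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: minikube-metadata-certs
  namespace: metadata
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: minikube-metadata-certs
subjects:
  - kind: ServiceAccount
    name: minikube-metadata-certs
    namespace: metadata
# ... unchanged: ServiceAccount, create Job, MutatingWebhookConfiguration, patch Job ...
```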
@@ -1,76 +0,0 @@ -package metadata - -import ( - "bytes" - "fmt" - "os/exec" -) - -var metadataCorefileConfigmap = `apiVersion: v1 -data: - Corefile: | - .:53 { - log - errors - health { - lameduck 5s - } - ready - kubernetes cluster.local in-addr.arpa ip6.arpa { - pods insecure - fallthrough in-addr.arpa ip6.arpa - ttl 30 - } - rewrite name metadata.google.internal metadata.metadata.svc.cluster.local - prometheus :9153 - forward . /etc/resolv.conf - cache 30 - loop - reload - loadbalance - } -kind: ConfigMap -metadata: - name: coredns - namespace: kube-system -` - -var originalCorefileConfigmap = `apiVersion: v1 -data: - Corefile: | - .:53 { - errors - health { - lameduck 5s - } - ready - kubernetes cluster.local in-addr.arpa ip6.arpa { - pods insecure - fallthrough in-addr.arpa ip6.arpa - ttl 30 - } - prometheus :9153 - forward . /etc/resolv.conf - cache 30 - loop - reload - loadbalance - } -kind: ConfigMap -metadata: - name: coredns - namespace: kube-system -` - -func updateConfigmap(data string) error { - // get current configmap - cmd := exec.Command("kubectl", "apply", "-f", "-") - reader := bytes.NewReader([]byte(data)) - cmd.Stdin = reader - - if output, err := cmd.CombinedOutput(); err != nil { - fmt.Println(string(output)) - return err - } - return nil -} diff --git a/pkg/addons/metadata/disable.go b/pkg/addons/metadata/disable.go deleted file mode 100644 index 9dbed5e77b0d..000000000000 --- a/pkg/addons/metadata/disable.go +++ /dev/null @@ -1,6 +0,0 @@ -package metadata - -func Disable() error { - - return nil -} diff --git a/pkg/addons/metadata/enable.go b/pkg/addons/metadata/enable.go index 4092b1a3b1f7..81dee877255d 100644 --- a/pkg/addons/metadata/enable.go +++ b/pkg/addons/metadata/enable.go 
@@ -1,74 +1,70 @@ package metadata import ( + "path/filepath" "strconv" - "strings" - "time" "github.com/pkg/errors" - "github.com/spf13/viper" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - - "k8s.io/minikube/pkg/kapi" + "k8s.io/client-go/util/homedir" + "k8s.io/minikube/pkg/minikube/assets" "k8s.io/minikube/pkg/minikube/config" + "k8s.io/minikube/pkg/minikube/driver" + "k8s.io/minikube/pkg/minikube/machine" ) -func EnableOrDisable(cc *config.ClusterConfig, name string, val string) error { +//EnableOrDisable enables or disables the metadata addon based on val +func EnableOrDisable(cfg *config.ClusterConfig, name, val string) error { enable, err := strconv.ParseBool(val) if err != nil { return errors.Wrapf(err, "parsing bool: %s", name) } if enable { - return enableAddon() + return enableAddon(cfg) } return disableAddon() } -func enableAddon() error { - if err := updateConfigmap(metadataCorefileConfigmap); err != nil { - return err - } - if err := restartCoreDNS(); err != nil { +func enableAddon(cfg *config.ClusterConfig) error { + // This is the default location for GCP credentials to live, it's where they're stored when gcloud login is run + credsPath := filepath.Join(homedir.HomeDir(), ".config", "gcloud", "application_default_credentials.json") + f, err := assets.NewFileAsset(credsPath, "/tmp/", "google_application_credentials.json", "0444") + if err != nil { return err } - return nil -} -func disableAddon() error { - if err := updateConfigmap(originalCorefileConfigmap); err != nil { + api, err := machine.NewAPIClient() + if err != nil { return err } - if err := restartCoreDNS(); err != nil { + + host, err := machine.LoadHost(api, driver.MachineName(*cfg, cfg.Nodes[0])) + if err != nil { return err } - return nil -} -func restartCoreDNS() error { - client, err := kapi.Client(viper.GetString(config.ProfileName)) + r, err := machine.CommandRunner(host) if err != nil { return err } - ns := "kube-system" - pods, err := 
client.CoreV1().Pods(ns).List(metav1.ListOptions{}) - var coreDNSPods []string - for _, p := range pods.Items { - if !strings.Contains(p.GetName(), "coredns") { - continue - } - coreDNSPods = append(coreDNSPods, p.GetName()) - } + return r.Copy(f) - for _, p := range coreDNSPods { - if err := client.CoreV1().Pods(ns).Delete(p, &metav1.DeleteOptions{}); err != nil { - return err - } - } - // Wait for deployment to be healthy again - if err := kapi.WaitForDeploymentToStabilize(client, "kube-system", "coredns", 2*time.Minute); err != nil { + /*secretCmd := exec.Command("kubectl", "create", "secret", "generic", "metadata-certs", "--from-file", "key.pem=server-key.pem", "--from-file", "cert.pem=server-cert.pem", "--dry-run", "-o", "yaml") + secretYaml, err := secretCmd.Output() + if err != nil { return err } + + applyCmd := exec.Command("kubectl", "-n", "metadata", "apply", "-f", "-") + reader := bytes.NewReader(secretYaml) + applyCmd.Stdin = reader + applyCmd.Stdout = os.Stdout + applyCmd.Stderr = os.Stdout + + return applyCmd.Run()*/ +} + +func disableAddon() error { return nil } diff --git a/pkg/minikube/assets/addons.go b/pkg/minikube/assets/addons.go index 5c8cc268c892..52268080b1cf 100644 --- a/pkg/minikube/assets/addons.go +++ b/pkg/minikube/assets/addons.go @@ -411,17 +411,23 @@ var Addons = map[string]*Addon{ "0640", false), MustBinAsset( - "deploy/addons/metadata/metadata-deployment.yaml.tmpl", + "deploy/addons/metadata/metadata-deployment.yaml", vmpath.GuestAddonsDir, "metadata-deployment.yaml", "0640", false), MustBinAsset( - "deploy/addons/metadata/metadata-service.yaml.tmpl", + "deploy/addons/metadata/metadata-service.yaml", vmpath.GuestAddonsDir, "metadata-service.yaml", "0640", false), + MustBinAsset( + "deploy/addons/metadata/metadata-mutatingwebhook.yaml", + vmpath.GuestAddonsDir, + "metadata-mutatingwebhook.yaml", + "0640", + false), }, false, "metadata"), } From 60e3d3241a1738c66f183b3549a077b4e5969cac Mon Sep 17 00:00:00 2001 
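Review bot: `enableAddon` copies the user's Application Default Credentials file into the VM as `/tmp/google_application_credentials.json` with mode `0444`, which leaves a long-lived refresh token world-readable on the node, and `disableAddon` now just returns `nil`, so `minikube addons disable metadata` leaves those credentials behind. At minimum the disable path should `r.Remove(...)` the copied file, and the `NewFileAsset` call deserves a comment such as `// NOTE: this is the user's ADC refresh token; it is written world-readable (0444), presumably so pods can read it via a hostPath mount — anyone with access to the node can read it too.` If nothing needs to read it as a non-root user, `0400` is the safer default. The commented-out `kubectl create secret` block is dead code and should be deleted rather than kept behind `/* */`.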
From: Sharif Elgamal Date: Tue, 7 Jul 2020 13:27:09 -0700 Subject: [PATCH 09/30] ch-ch-ch-ch-changes --- cmd/metadata-server/server.go | 2 +- .../metadata/metadata-mutatingwebhook.yaml | 32 ++++++++++++++++- pkg/addons/metadata/enable.go | 34 ++----------------- pkg/minikube/assets/addons.go | 6 ---- 4 files changed, 35 insertions(+), 39 deletions(-) diff --git a/cmd/metadata-server/server.go b/cmd/metadata-server/server.go index 1e4e7af07cbd..7def7c59e0bd 100644 --- a/cmd/metadata-server/server.go +++ b/cmd/metadata-server/server.go @@ -193,5 +193,5 @@ func main() { Handler: mux, } - log.Fatal(s.ListenAndServeTLS("/etc/webhook/certs/cert.pem", "/etc/webhook/certs/key.pem")) + log.Fatal(s.ListenAndServeTLS("/etc/webhook/certs/cert", "/etc/webhook/certs/key")) } diff --git a/deploy/addons/metadata/metadata-mutatingwebhook.yaml b/deploy/addons/metadata/metadata-mutatingwebhook.yaml index bd3d7bd57e6a..f8eaeff8066d 100644 --- a/deploy/addons/metadata/metadata-mutatingwebhook.yaml +++ b/deploy/addons/metadata/metadata-mutatingwebhook.yaml @@ -55,6 +55,35 @@ spec: - --secret-name=metadata-certs restartPolicy: OnFailure --- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: metadata + namespace: metadata +spec: + selector: + matchLabels: + app: metadata + template: + metadata: + labels: + app: metadata + spec: + containers: + - name: metadata + image: gcr.io/k8s-minikube/metadata-server:snapshot + imagePullPolicy: Never + ports: + - containerPort: 8443 + volumeMounts: + - name: webhook-certs + mountPath: /etc/webhook/certs + readOnly: true + volumes: + - name: webhook-certs + secret: + secretName: metadata-certs +--- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: @@ -70,6 +99,7 @@ webhooks: name: metadata namespace: metadata path: "/mutate" + caBundle: ${CA_BUNDLE} rules: - operations: ["CREATE", "UPDATE"] apiGroups: ["*"] 
@@ -95,6 +125,6 @@ spec: args: - patch - --secret-name=metadata-certs - - --namespace=metadata-certs + - --namespace=metadata - --webhook-name=metadata-webhook-cfg restartPolicy: OnFailure \ No newline at end of file diff --git a/pkg/addons/metadata/enable.go b/pkg/addons/metadata/enable.go index 81dee877255d..718e0a31ef69 100644 --- a/pkg/addons/metadata/enable.go +++ b/pkg/addons/metadata/enable.go @@ -2,9 +2,7 @@ package metadata import ( "path/filepath" - "strconv" - "github.com/pkg/errors" "k8s.io/client-go/util/homedir" "k8s.io/minikube/pkg/minikube/assets" "k8s.io/minikube/pkg/minikube/config" @@ -12,20 +10,7 @@ import ( "k8s.io/minikube/pkg/minikube/machine" ) -//EnableOrDisable enables or disables the metadata addon based on val -func EnableOrDisable(cfg *config.ClusterConfig, name, val string) error { - enable, err := strconv.ParseBool(val) - if err != nil { - return errors.Wrapf(err, "parsing bool: %s", name) - } - if enable { - return enableAddon(cfg) - } - return disableAddon() - -} - -func enableAddon(cfg *config.ClusterConfig) error { +func EnableAddon(cfg *config.ClusterConfig, name string, val string) error { // This is the default location for GCP credentials to live, it's where they're stored when gcloud login is run credsPath := filepath.Join(homedir.HomeDir(), ".config", "gcloud", "application_default_credentials.json") f, err := assets.NewFileAsset(credsPath, "/tmp/", "google_application_credentials.json", "0444") 
@@ -50,21 +35,8 @@ func enableAddon(cfg *config.ClusterConfig) error { return r.Copy(f) - /*secretCmd := exec.Command("kubectl", "create", "secret", "generic", "metadata-certs", "--from-file", "key.pem=server-key.pem", "--from-file", "cert.pem=server-cert.pem", "--dry-run", "-o", "yaml") - secretYaml, err := secretCmd.Output() - if err != nil { - return err - } - - applyCmd := exec.Command("kubectl", "-n", "metadata", "apply", "-f", "-") - reader := bytes.NewReader(secretYaml) - applyCmd.Stdin = reader - applyCmd.Stdout = os.Stdout - applyCmd.Stderr = os.Stdout - - return applyCmd.Run()*/ } -func disableAddon() error { - return nil +func PatchCABundle(cfg *config.ClusterConfig, name string, val string) error { + } diff --git a/pkg/minikube/assets/addons.go b/pkg/minikube/assets/addons.go index 3d0f267162cb..7ff74b3cabea 100644 --- a/pkg/minikube/assets/addons.go +++ b/pkg/minikube/assets/addons.go @@ -418,12 +418,6 @@ var Addons = map[string]*Addon{ "metadata-ns.yaml", "0640", false), - MustBinAsset( - "deploy/addons/metadata/metadata-deployment.yaml", - vmpath.GuestAddonsDir, - "metadata-deployment.yaml", - "0640", - false), MustBinAsset( "deploy/addons/metadata/metadata-service.yaml", vmpath.GuestAddonsDir, From 9ae5bc4f1c23cd8cd7fc827f514b6e1254613de3 Mon Sep 17 00:00:00 2001 From: Sharif Elgamal Date: Wed, 8 Jul 2020 13:56:41 -0700 Subject: [PATCH 10/30] addon works --- cmd/metadata-server/server.go | 20 ++++-- .../metadata/metadata-mutatingwebhook.yaml | 63 ++++++++++++------- pkg/addons/config.go | 2 +- pkg/addons/metadata/enable.go | 61 +++++++++++++++++- 4 files changed, 114 insertions(+), 32 deletions(-) diff --git a/cmd/metadata-server/server.go b/cmd/metadata-server/server.go index 7def7c59e0bd..5a01e54f454c 100644 --- a/cmd/metadata-server/server.go +++ b/cmd/metadata-server/server.go @@ -6,6 +6,7 @@ import ( "io/ioutil" "log" "net/http" + "os" admissionv1 "k8s.io/api/admission/v1" corev1 "k8s.io/api/core/v1" 
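Review bot: `PatchCABundle` is declared with an `error` result but has an empty body, so this file does not compile (`missing return`); it needs at least `return nil`, or should not be added until it has an implementation. This hunk also removes `EnableOrDisable`, yet the diffstat for this commit lists no change to pkg/addons/config.go, which (per an earlier patch on this page) still registers `metadata.EnableOrDisable` as a callback, so that reference is presumably unresolved as well. If the intent is a placeholder, `// TODO: patch the webhook's caBundle from the metadata-certs Secret` plus `return nil` keeps the tree building.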
@@ -97,11 +98,22 @@ func mutateHandler(w http.ResponseWriter, r *http.Request) { Value: "/google-app-creds.json", } - e2 := corev1.EnvVar{ - Name: "GOOGLE_CLOUD_PROJECT", - Value: "k8s-minikube", + // If GOOGLE_CLOUD_PROJECT is set in the VM, set it for all GCP apps. + var e2 corev1.EnvVar + if _, err := os.Stat("/tmp/google_cloud_project"); err == nil { + project, err := ioutil.ReadFile("/tmp/google_cloud_project") + if err == nil { + e2 = corev1.EnvVar{ + Name: "GOOGLE_CLOUD_PROJECT", + Value: string(project), + } + } + } + + envVars := []corev1.EnvVar{e} + if e2.Name != "" { + envVars = append(envVars, e2) } - envVars := []corev1.EnvVar{e, e2} patch = append(patch, patchOperation{ Op: "add", diff --git a/deploy/addons/metadata/metadata-mutatingwebhook.yaml b/deploy/addons/metadata/metadata-mutatingwebhook.yaml index f8eaeff8066d..1bf84de53abd 100644 --- a/deploy/addons/metadata/metadata-mutatingwebhook.yaml +++ b/deploy/addons/metadata/metadata-mutatingwebhook.yaml @@ -18,6 +18,14 @@ rules: - list - get - create + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - get + - update + --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding 
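Review bot: The new rule grants `get`/`update` on every `mutatingwebhookconfigurations` object in the cluster, but the patch Job only touches `metadata-webhook-cfg`; add `resourceNames: [metadata-webhook-cfg]` to that rule so the cert-generation service account cannot rewrite other admission webhooks (`resourceNames` works with `get` and `update`, just not with `list` or `create`). The secrets rule above it remains cluster-wide `get`/`list`, which the Jobs in this file never need outside the `metadata` namespace. As written, a compromised certgen pod is a path to cluster-wide secret reads and tampering with any webhook.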
@@ -79,33 +87,17 @@ spec: - name: webhook-certs mountPath: /etc/webhook/certs readOnly: true + - name: gcp-project + mountPath: /tmp/google_cloud_project + readOnly: true volumes: - name: webhook-certs secret: secretName: metadata-certs ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: metadata-webhook-cfg - labels: - app: metadata -webhooks: -- name: metadata-mutate.k8s.io - sideEffects: None - admissionReviewVersions: ["v1", "v1beta1"] - clientConfig: - service: - name: metadata - namespace: metadata - path: "/mutate" - caBundle: ${CA_BUNDLE} - rules: - - operations: ["CREATE", "UPDATE"] - apiGroups: ["*"] - apiVersions: ["*"] - resources: ["pods"] - scope: "*" + - name: gcp-project + hostPath: + path: /tmp/google_cloud_project + type: File --- apiVersion: batch/v1 kind: Job @@ -126,5 +118,28 @@ spec: - patch - --secret-name=metadata-certs - --namespace=metadata + - --patch-validating=false - --webhook-name=metadata-webhook-cfg - restartPolicy: OnFailure \ No newline at end of file + restartPolicy: OnFailure +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: metadata-webhook-cfg + labels: + app: metadata +webhooks: +- name: metadata-mutate.k8s.io + sideEffects: None + admissionReviewVersions: ["v1", "v1beta1"] + clientConfig: + service: + name: metadata + namespace: metadata + path: "/mutate" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["*"] + apiVersions: ["*"] + resources: ["pods"] + scope: "*" \ No newline at end of file diff --git a/pkg/addons/config.go b/pkg/addons/config.go index c81ba57eba9c..1daf05660058 100644 --- a/pkg/addons/config.go +++ b/pkg/addons/config.go @@ -162,6 +162,6 @@ var Addons = []*Addon{ { name: "metadata", set: SetBool, - callbacks: []setFn{enableOrDisableAddon, metadata.EnableOrDisable}, + callbacks: []setFn{metadata.EnableOrDisable, enableOrDisableAddon}, }, } 
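Review bot: The `gcp-project` volume is a `hostPath` of `type: File`, so the webhook pod cannot be created unless `/tmp/google_cloud_project` already exists on the node, yet `enableAddon` in this same commit only writes that file when `gcloud config get-value project` succeeds, and the server treats it as optional (`os.Stat` guard). For a user without gcloud or a configured project the Deployment never becomes ready, and because the webhook below leaves `failurePolicy` at the v1 default of `Fail` across all namespaces, every later pod creation in the cluster is rejected. Either write the file unconditionally on the enable side, or switch to `type: FileOrCreate` and have the server ignore an empty file; a comment `# optional: written by 'minikube addons enable' only when a gcloud project is configured` would document the dependency either way.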
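Review bot: The re-added `metadata-webhook-cfg` still sets neither `failurePolicy` nor a `namespaceSelector`, so it intercepts pod creation in every namespace including `kube-system` and `metadata` itself, and with the v1 default of `Fail` an unavailable webhook (during the certs Jobs, or on restart) blocks pod creation cluster-wide, including the webhook's own Deployment. Since this webhook only injects convenience env vars and a mount, failing open is the right trade-off: add `failurePolicy: Ignore` and a `namespaceSelector` that excludes the addon's namespace, e.g. `matchExpressions: [{key: kubernetes.io/minikube-addons, operator: NotIn, values: [metadata]}]`, using the label the namespace already carries. `apiGroups: ["*"]` in `rules` can also be narrowed to `[""]`, since pods exist only in the core group.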
diff --git a/pkg/addons/metadata/enable.go b/pkg/addons/metadata/enable.go index 718e0a31ef69..7225bb0611bc 100644 --- a/pkg/addons/metadata/enable.go +++ b/pkg/addons/metadata/enable.go @@ -1,8 +1,11 @@ package metadata import ( + "os/exec" "path/filepath" + "strconv" + "github.com/pkg/errors" "k8s.io/client-go/util/homedir" "k8s.io/minikube/pkg/minikube/assets" "k8s.io/minikube/pkg/minikube/config" @@ -10,7 +13,20 @@ import ( "k8s.io/minikube/pkg/minikube/machine" ) -func EnableAddon(cfg *config.ClusterConfig, name string, val string) error { +// EnableOrDisable enables or disables the metadata addon depending on the val parameter +func EnableOrDisable(cfg *config.ClusterConfig, name string, val string) error { + enable, err := strconv.ParseBool(val) + if err != nil { + return errors.Wrapf(err, "parsing bool: %s", name) + } + if enable { + return enableAddon(cfg) + } + return disableAddon(cfg) + +} + +func enableAddon(cfg *config.ClusterConfig) error { // This is the default location for GCP credentials to live, it's where they're stored when gcloud login is run credsPath := filepath.Join(homedir.HomeDir(), ".config", "gcloud", "application_default_credentials.json") f, err := assets.NewFileAsset(credsPath, "/tmp/", "google_application_credentials.json", "0444") 
@@ -33,10 +49,49 @@ func EnableAddon(cfg *config.ClusterConfig, name string, val string) error { return err } - return r.Copy(f) + err = r.Copy(f) + if err != nil { + return err + } + // We're currently assuming gcloud is installed and in the user's path + project, err := exec.Command("gcloud", "config", "get-value", "project").Output() + if err == nil && len(project) > 0 { + f := assets.NewMemoryAssetTarget(project, "/tmp/google_cloud_project", "0444") + return r.Copy(f) + } + + return nil } -func PatchCABundle(cfg *config.ClusterConfig, name string, val string) error { +func disableAddon(cfg *config.ClusterConfig) error { + api, err := machine.NewAPIClient() + if err != nil { + return err + } + + host, err := machine.LoadHost(api, driver.MachineName(*cfg, cfg.Nodes[0])) + if err != nil { + return err + } + + r, err := machine.CommandRunner(host) + if err != nil { + return err + } + + // Clean up the files generated when enabling the addon + creds := assets.NewMemoryAssetTarget([]byte{}, "/tmp/google_application_credentials.json", "0444") + err = r.Remove(creds) + if err != nil { + return err + } + + project := assets.NewMemoryAssetTarget([]byte{}, "/tmp/google_cloud_project", "0444") + err = r.Remove(project) + if err != nil { + return err + } + return nil } From 77224197253bb679e7f24fad6f64cb4c47fa5250 Mon Sep 17 00:00:00 2001 From: Sharif Elgamal Date: Wed, 8 Jul 2020 13:58:16 -0700 Subject: [PATCH 11/30] update readme --- README.md | 17 +---------------- 1 file changed, 1 insertion(+), 16 deletions(-) diff --git a/README.md b/README.md index b99c2d7e1a7b..757debf449ac 100644 --- a/README.md +++ b/README.md 
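Review bot: `exec.Command("gcloud", "config", "get-value", "project").Output()` returns the project name with a trailing newline, and that byte slice is written verbatim to `/tmp/google_cloud_project`, which the webhook then injects as `GOOGLE_CLOUD_PROJECT`, so the env var ends up as `"my-project\n"`. Trim it before writing, `project = bytes.TrimSpace(project)` (adding `"bytes"` to the imports), and keep the `len(project) > 0` check after the trim. Any gcloud failure is swallowed silently here; as the addon is meant to work without a project this is acceptable best-effort, but logging the error would save users a confusing debugging session. The comment `// We're currently assuming gcloud is installed and in the user's path` is accurate and worth keeping, since `gcloud` is resolved from the `PATH` of whoever runs minikube.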
@@ -1,18 +1,3 @@ -minikube addons enable metadata - -kubectl run curl --image=radial/busyboxplus:curl -i --tty - -curl metadata.google.internal - -kubectl delete deploy curl - - -minikube addons disable metadata - -kubectl run curl --image=radial/busyboxplus:curl -i --tty - -curl metadata.google.internal # Should fail - # minikube [![BuildStatus Widget]][BuildStatus Result] @@ -81,4 +66,4 @@ minikube is a Kubernetes [#sig-cluster-lifecycle](https://github.com/kubernetes/ Join our meetings: * [Bi-weekly office hours, Mondays @ 11am PST](https://tinyurl.com/minikube-oh) -* [Triage Party](https://minikube.sigs.k8s.io/docs/contrib/triage/) \ No newline at end of file +* [Triage Party](https://minikube.sigs.k8s.io/docs/contrib/triage/) From 95c9ff95d0e1b23026237b4e8a5b817c0989c749 Mon Sep 17 00:00:00 2001 From: Sharif Elgamal Date: Wed, 8 Jul 2020 14:28:22 -0700 Subject: [PATCH 12/30] boilerplate --- cmd/metadata-server/server.go | 16 ++++++++++++++++ pkg/addons/metadata/enable.go | 16 ++++++++++++++++ 2 files changed, 32 insertions(+) diff --git a/cmd/metadata-server/server.go b/cmd/metadata-server/server.go index 5a01e54f454c..b84f582bf640 100644 --- a/cmd/metadata-server/server.go +++ b/cmd/metadata-server/server.go @@ -1,3 +1,19 @@ +/* +Copyright 2020 The Kubernetes Authors All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + package main import ( diff --git a/pkg/addons/metadata/enable.go b/pkg/addons/metadata/enable.go index 7225bb0611bc..dea6912f301a 100644 
--- a/pkg/addons/metadata/enable.go +++ b/pkg/addons/metadata/enable.go @@ -1,3 +1,19 @@ +/* +Copyright 2020 The Kubernetes Authors All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + package metadata import ( From ec1174606d38991720c00e496ece296a6f3018b3 Mon Sep 17 00:00:00 2001 From: Sharif Elgamal Date: Wed, 8 Jul 2020 14:56:08 -0700 Subject: [PATCH 13/30] revert unrelated change --- .dockerignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.dockerignore b/.dockerignore index a44790e379fc..7b66cd4ff58e 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1 +1,2 @@ out/buildroot* + From 216462b08b5da1c9c7620b95a8137597c0333b20 Mon Sep 17 00:00:00 2001 From: Sharif Elgamal Date: Wed, 8 Jul 2020 16:46:18 -0700 Subject: [PATCH 14/30] move server code to another repo --- Makefile | 15 -- cmd/metadata-server/server.go | 225 ------------------ .../metadata/metadata-mutatingwebhook.yaml | 4 +- deploy/metadata-server/Dockerfile | 17 -- 4 files changed, 2 insertions(+), 259 deletions(-) delete mode 100644 cmd/metadata-server/server.go delete mode 100644 deploy/metadata-server/Dockerfile diff --git a/Makefile b/Makefile index 01bfef22bc52..689c93354791 100644 --- a/Makefile +++ b/Makefile 
@@ -675,18 +675,3 @@ help: @printf "\033[1mAvailable targets for minikube ${VERSION}\033[21m\n" @printf "\033[1m--------------------------------------\033[21m\n" @grep -h -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' - - -metadata-server: out/metadata-server - -out/metadata-server: - CGO_ENABLED=0 GOOS=linux go build -o $@ -ldflags=$(PROVISIONER_LDFLAGS) cmd/metadata-server/server.go - -.PHONY: metadata-server-image -metadata-server-image: out/metadata-server ## Build metadata-server docker image - docker build -t $(REGISTRY)/metadata-server:snapshot -f deploy/metadata-server/Dockerfile ./out - - -.PHONY: push-metadata-server-image -push-metadata-server-image: metadata-server-image ## Push metadata-server docker image using gcloud - gcloud docker -- push $(REGISTRY)/metadata-server diff --git a/cmd/metadata-server/server.go b/cmd/metadata-server/server.go deleted file mode 100644 index b84f582bf640..000000000000 --- a/cmd/metadata-server/server.go +++ /dev/null 
@@ -1,225 +0,0 @@ -/* -Copyright 2020 The Kubernetes Authors All rights reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package main - -import ( - "encoding/json" - "fmt" - "io/ioutil" - "log" - "net/http" - "os" - - admissionv1 "k8s.io/api/admission/v1" - corev1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/runtime/serializer" -) - -var ( - runtimeScheme = runtime.NewScheme() - codecs = serializer.NewCodecFactory(runtimeScheme) - deserializer = codecs.UniversalDeserializer() -) - -type patchOperation struct { - Op string `json:"op"` - Path string `json:"path"` - Value interface{} `json:"value,omitempty"` -} - -func mutateHandler(w http.ResponseWriter, r *http.Request) { - log.Printf("%v\n", r) - - var body []byte - if r.Body != nil { - if data, err := ioutil.ReadAll(r.Body); err == nil { - body = data - } - } - - if len(body) == 0 { - log.Print("request body was empty, returning") - http.Error(w, "empty body", http.StatusBadRequest) - return - } - - var admissionResponse *admissionv1.AdmissionResponse - - ar := admissionv1.AdmissionReview{} - if _, _, err := deserializer.Decode(body, nil, &ar); err != nil { - log.Printf("Can't decode body: %v", err) - admissionResponse = &admissionv1.AdmissionResponse{ - Result: &metav1.Status{ - Message: err.Error(), - }, - } - } - - req := ar.Request - var pod corev1.Pod - if err := json.Unmarshal(req.Object.Raw, &pod); err != nil { - 
log.Printf("Could not unmarshal raw object: %v", err) - admissionResponse = &admissionv1.AdmissionResponse{ - Result: &metav1.Status{ - Message: err.Error(), - }, - } - } - - var patch []patchOperation - - // Define the volume to mount in - v := corev1.Volume{ - Name: "gcp-creds", - VolumeSource: corev1.VolumeSource{ - HostPath: func() *corev1.HostPathVolumeSource { - h := corev1.HostPathVolumeSource{ - Path: "/tmp/google_application_credentials.json", - Type: func() *corev1.HostPathType { - hpt := corev1.HostPathFile - return &hpt - }(), - } - return &h - }(), - }, - } - - // Mount the volume in - mount := corev1.VolumeMount{ - Name: "gcp-creds", - MountPath: "/google-app-creds.json", - ReadOnly: true, - } - - // Define the env var - e := corev1.EnvVar{ - Name: "GOOGLE_APPLICATION_CREDENTIALS", - Value: "/google-app-creds.json", - } - - // If GOOGLE_CLOUD_PROJECT is set in the VM, set it for all GCP apps. - var e2 corev1.EnvVar - if _, err := os.Stat("/tmp/google_cloud_project"); err == nil { - project, err := ioutil.ReadFile("/tmp/google_cloud_project") - if err == nil { - e2 = corev1.EnvVar{ - Name: "GOOGLE_CLOUD_PROJECT", - Value: string(project), - } - } - } - - envVars := []corev1.EnvVar{e} - if e2.Name != "" { - envVars = append(envVars, e2) - } - - patch = append(patch, patchOperation{ - Op: "add", - Path: "/spec/volumes", - Value: append(pod.Spec.Volumes, v), - }) - - for i, c := range pod.Spec.Containers { - if len(c.VolumeMounts) == 0 { - patch = append(patch, patchOperation{ - Op: "add", - Path: fmt.Sprintf("/spec/containers/%d/volumeMounts", i), - Value: []corev1.VolumeMount{mount}, - }) - } else { - patch = append(patch, patchOperation{ - Op: "add", - Path: fmt.Sprintf("/spec/containers/%d/volumeMounts", i), - Value: append(c.VolumeMounts, mount), - }) - } - if len(c.Env) == 0 { - patch = append(patch, patchOperation{ - Op: "add", - Path: fmt.Sprintf("/spec/containers/%d/env", i), - Value: envVars, - }) - } else { - patch = append(patch, 
patchOperation{ - Op: "add", - Path: fmt.Sprintf("/spec/containers/%d/env", i), - Value: append(c.Env, envVars...), - }) - } - } - - patchBytes, err := json.Marshal(patch) - if err != nil { - admissionResponse = &admissionv1.AdmissionResponse{ - Result: &metav1.Status{ - Message: err.Error(), - }, - } - } - - if admissionResponse == nil { - admissionResponse = &admissionv1.AdmissionResponse{ - Allowed: true, - Patch: patchBytes, - PatchType: func() *admissionv1.PatchType { - pt := admissionv1.PatchTypeJSONPatch - return &pt - }(), - } - } - - admissionReview := admissionv1.AdmissionReview{} - if admissionResponse != nil { - admissionReview.Response = admissionResponse - if ar.Request != nil { - admissionReview.Response.UID = ar.Request.UID - } - } - admissionReview.Kind = "AdmissionReview" - admissionReview.APIVersion = "admission.k8s.io/v1" - - resp, err := json.Marshal(admissionReview) - if err != nil { - log.Printf("Can't encode response: %v", err) - http.Error(w, fmt.Sprintf("could not encode response: %v", err), http.StatusInternalServerError) - } - log.Printf("Ready to write reponse ...") - if _, err := w.Write(resp); err != nil { - log.Printf("Can't write response: %v", err) - http.Error(w, fmt.Sprintf("could not write response: %v", err), http.StatusInternalServerError) - } - -} - -func main() { - log.Print("Mutate webhook server started! Take 5.") - - mux := http.NewServeMux() - - mux.HandleFunc("/mutate", mutateHandler) - - s := &http.Server{ - Addr: ":8443", - Handler: mux, - } - - log.Fatal(s.ListenAndServeTLS("/etc/webhook/certs/cert", "/etc/webhook/certs/key")) -} diff --git a/deploy/addons/metadata/metadata-mutatingwebhook.yaml b/deploy/addons/metadata/metadata-mutatingwebhook.yaml index 1bf84de53abd..70098115390d 100644 --- a/deploy/addons/metadata/metadata-mutatingwebhook.yaml +++ b/deploy/addons/metadata/metadata-mutatingwebhook.yaml 
@@ -79,8 +79,8 @@ spec: spec: containers: - name: metadata - image: gcr.io/k8s-minikube/metadata-server:snapshot - imagePullPolicy: Never + image: gcr.io/k8s-minikube/gcp-auth-webhook:latest + imagePullPolicy: IfNotPresent ports: - containerPort: 8443 volumeMounts: diff --git a/deploy/metadata-server/Dockerfile b/deploy/metadata-server/Dockerfile deleted file mode 100644 index b4586d6becc2..000000000000 --- a/deploy/metadata-server/Dockerfile +++ /dev/null @@ -1,17 +0,0 @@ -# Copyright 2016 The Kubernetes Authors All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM scratch -COPY metadata-server /metadata-server -ENTRYPOINT ["/metadata-server"] From a8abf432997ceafd8c0b0b83c4b059d7b1155086 Mon Sep 17 00:00:00 2001 From: Sharif Elgamal Date: Wed, 8 Jul 2020 16:58:47 -0700 Subject: [PATCH 15/30] switch addon name to gcp-auth --- pkg/addons/config.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/addons/config.go b/pkg/addons/config.go index 1b6ac39b603d..74542a054440 100644 --- a/pkg/addons/config.go +++ b/pkg/addons/config.go @@ -165,7 +165,7 @@ var Addons = []*Addon{ callbacks: []setFn{enableOrDisableAddon}, }, { - name: "metadata", + name: "gcp-auth", set: SetBool, callbacks: []setFn{metadata.EnableOrDisable, enableOrDisableAddon}, }, From 488c625f65649190f10651fb77028d93e6c02665 Mon Sep 17 00:00:00 2001 
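Review bot: The deployment now runs `gcr.io/k8s-minikube/gcp-auth-webhook:latest` with `imagePullPolicy: IfNotPresent`, so the container that rewrites every admitted pod is not pinned: which binary actually runs depends on whatever `latest` resolved to when a given node first pulled it, and two nodes or two runs can silently execute different code. Pin a version tag or, better, a digest, e.g. `image: gcr.io/k8s-minikube/gcp-auth-webhook@sha256:<DIGEST-PLACEHOLDER>`, so the admission path is reproducible and the image under review is identifiable. The container spec continues outside the hunk.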
From: Sharif Elgamal Date: Fri, 10 Jul 2020 09:57:17 -0700 Subject: [PATCH 16/30] metadata -> gcp-auth --- .../gcp-auth-ns.yaml} | 4 +- .../gcp-auth-service.yaml} | 6 +- .../gcp-auth-webhook.yaml} | 64 +++++++++---------- .../addons/metadata/metadata-deployment.yaml | 28 -------- pkg/addons/config.go | 4 +- pkg/addons/{metadata => gcpauth}/enable.go | 2 +- pkg/minikube/assets/addons.go | 14 ++-- 7 files changed, 47 insertions(+), 75 deletions(-) rename deploy/addons/{metadata/metadata-ns.yaml => gcp-auth/gcp-auth-ns.yaml} (91%) rename deploy/addons/{metadata/metadata-service.yaml => gcp-auth/gcp-auth-service.yaml} (68%) rename deploy/addons/{metadata/metadata-mutatingwebhook.yaml => gcp-auth/gcp-auth-webhook.yaml} (68%) delete mode 100644 deploy/addons/metadata/metadata-deployment.yaml rename pkg/addons/{metadata => gcpauth}/enable.go (99%) diff --git a/deploy/addons/metadata/metadata-ns.yaml b/deploy/addons/gcp-auth/gcp-auth-ns.yaml similarity index 91% rename from deploy/addons/metadata/metadata-ns.yaml rename to deploy/addons/gcp-auth/gcp-auth-ns.yaml index 9da954ee6656..fb8d1cbc15cf 100644 --- a/deploy/addons/metadata/metadata-ns.yaml +++ b/deploy/addons/gcp-auth/gcp-auth-ns.yaml @@ -15,6 +15,6 @@ apiVersion: v1 kind: Namespace metadata: - name: metadata + name: gcp-auth labels: - kubernetes.io/minikube-addons: metadata + kubernetes.io/minikube-addons: gcp-auth diff --git a/deploy/addons/metadata/metadata-service.yaml b/deploy/addons/gcp-auth/gcp-auth-service.yaml similarity index 68% rename from deploy/addons/metadata/metadata-service.yaml rename to deploy/addons/gcp-auth/gcp-auth-service.yaml index 54a0f4d20189..830ac31212c4 100644 --- a/deploy/addons/metadata/metadata-service.yaml +++ b/deploy/addons/gcp-auth/gcp-auth-service.yaml 
@@ -1,12 +1,12 @@ apiVersion: v1 kind: Service metadata: - name: metadata - namespace: metadata + name: gcp-auth + namespace: gcp-auth spec: ports: - port: 443 targetPort: 8443 protocol: TCP selector: - app: metadata + app: gcp-auth diff --git a/deploy/addons/metadata/metadata-mutatingwebhook.yaml b/deploy/addons/gcp-auth/gcp-auth-webhook.yaml similarity index 68% rename from deploy/addons/metadata/metadata-mutatingwebhook.yaml rename to deploy/addons/gcp-auth/gcp-auth-webhook.yaml index 70098115390d..718f8c89caee 100644 --- a/deploy/addons/metadata/metadata-mutatingwebhook.yaml +++ b/deploy/addons/gcp-auth/gcp-auth-webhook.yaml @@ -2,13 +2,13 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: minikube-metadata-certs - namespace: metadata + name: minikube-gcp-auth-certs + namespace: gcp-auth --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: minikube-metadata-certs + name: minikube-gcp-auth-certs rules: - apiGroups: - '' 
@@ -30,55 +30,55 @@ rules: apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: - name: minikube-metadata-certs + name: minikube-gcp-auth-certs namespace: metadata roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: minikube-metadata-certs + name: minikube-gcp-auth-certs subjects: - kind: ServiceAccount - name: minikube-metadata-certs - namespace: metadata + name: minikube-gcp-auth-certs + namespace: gcp-auth --- apiVersion: batch/v1 kind: Job metadata: - name: metadata-certs-create - namespace: metadata + name: gcp-auth-certs-create + namespace: gcp-auth spec: template: metadata: - name: metadata-certs-create + name: gcp-auth-certs-create spec: - serviceAccountName: minikube-metadata-certs + serviceAccountName: minikube-gcp-auth-certs containers: - name: create image: jettech/kube-webhook-certgen:v1.2.2 imagePullPolicy: IfNotPresent args: - create - - --host=metadata,metadata.metadata,metadata.metadata.svc - - --namespace=metadata - - --secret-name=metadata-certs + - --host=gcp-auth,gcp-auth.gcp-auth,gcp-auth.gcp-auth.svc + - --namespace=gcp-auth + - --secret-name=gcp-auth-certs restartPolicy: OnFailure --- apiVersion: apps/v1 kind: Deployment metadata: - name: metadata - namespace: metadata + name: gcp-auth + namespace: gcp-auth spec: selector: matchLabels: - app: metadata + app: gcp-auth template: metadata: labels: - app: metadata + app: gcp-auth spec: containers: - - name: metadata + - name: gcp-auth image: gcr.io/k8s-minikube/gcp-auth-webhook:latest imagePullPolicy: IfNotPresent ports: @@ -93,7 +93,7 @@ spec: volumes: - name: webhook-certs secret: - secretName: metadata-certs + secretName: gcp-auth-certs - name: gcp-project hostPath: path: /tmp/google_cloud_project 
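Review bot: The ClusterRoleBinding in the first hunk still carries `namespace: metadata` under its `metadata:` (a context line) while every other object and its subjects were moved to `gcp-auth`. ClusterRoleBinding is cluster-scoped, so the API server ignores the field, but it is a leftover of the rename and will mislead anyone grepping for the old addon name or auditing which namespace the binding belongs to. Either change it to `namespace: gcp-auth` for consistency with the subject below it, or drop the line since it has no effect on a cluster-scoped object.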
@@ -102,40 +102,40 @@ spec: apiVersion: batch/v1 kind: Job metadata: - name: metadata-certs-patch - namespace: metadata + name: gcp-auth-certs-patch + namespace: gcp-auth spec: template: metadata: - name: metadata-certs-patch + name: gcp-auth-certs-patch spec: - serviceAccountName: minikube-metadata-certs + serviceAccountName: minikube-gcp-auth-certs containers: - name: patch image: jettech/kube-webhook-certgen:v1.2.2 imagePullPolicy: IfNotPresent args: - patch - - --secret-name=metadata-certs - - --namespace=metadata + - --secret-name=gcp-auth-certs + - --namespace=gcp-auth - --patch-validating=false - - --webhook-name=metadata-webhook-cfg + - --webhook-name=gcp-auth-webhook-cfg restartPolicy: OnFailure --- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: - name: metadata-webhook-cfg + name: gcp-auth-webhook-cfg labels: - app: metadata + app: gcp-auth webhooks: -- name: metadata-mutate.k8s.io +- name: gcp-auth-mutate.k8s.io sideEffects: None admissionReviewVersions: ["v1", "v1beta1"] clientConfig: service: - name: metadata - namespace: metadata + name: gcp-auth + namespace: gcp-auth path: "/mutate" rules: - operations: ["CREATE", "UPDATE"] diff --git a/deploy/addons/metadata/metadata-deployment.yaml b/deploy/addons/metadata/metadata-deployment.yaml deleted file mode 100644 index 29f68591b615..000000000000 --- a/deploy/addons/metadata/metadata-deployment.yaml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: metadata - namespace: metadata -spec: - selector: - matchLabels: - app: metadata - template: - metadata: - labels: - app: metadata - spec: - containers: - - name: metadata - image: gcr.io/k8s-minikube/metadata-server:snapshot - imagePullPolicy: Never - ports: - - containerPort: 8443 - volumeMounts: - - name: webhook-certs - mountPath: /etc/webhook/certs - readOnly: true - volumes: - - name: webhook-certs - secret: - secretName: metadata-certs 
diff --git a/pkg/addons/config.go b/pkg/addons/config.go index 74542a054440..a17aa5dbe33b 100644 --- a/pkg/addons/config.go +++ b/pkg/addons/config.go @@ -17,7 +17,7 @@ limitations under the License. package addons import ( - "k8s.io/minikube/pkg/addons/metadata" + "k8s.io/minikube/pkg/addons/gcpauth" "k8s.io/minikube/pkg/minikube/config" ) @@ -167,6 +167,6 @@ var Addons = []*Addon{ { name: "gcp-auth", set: SetBool, - callbacks: []setFn{metadata.EnableOrDisable, enableOrDisableAddon}, + callbacks: []setFn{gcpauth.EnableOrDisable, enableOrDisableAddon}, }, } diff --git a/pkg/addons/metadata/enable.go b/pkg/addons/gcpauth/enable.go similarity index 99% rename from pkg/addons/metadata/enable.go rename to pkg/addons/gcpauth/enable.go index dea6912f301a..4d2dcff42a5e 100644 --- a/pkg/addons/metadata/enable.go +++ b/pkg/addons/gcpauth/enable.go @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ -package metadata +package gcpauth import ( "os/exec" diff --git a/pkg/minikube/assets/addons.go b/pkg/minikube/assets/addons.go index 7cc1f7574367..580e3854849a 100644 --- a/pkg/minikube/assets/addons.go +++ b/pkg/minikube/assets/addons.go 
@@ -419,23 +419,23 @@ var Addons = map[string]*Addon{ "0640", false), }, false, "ambassador"), - "metadata": NewAddon([]*BinAsset{ + "gcp-auth": NewAddon([]*BinAsset{ MustBinAsset( - "deploy/addons/metadata/metadata-ns.yaml", + "deploy/addons/gcp-auth/gcp-auth-ns.yaml", vmpath.GuestAddonsDir, - "metadata-ns.yaml", + "gcp-auth-ns.yaml", "0640", false), MustBinAsset( - "deploy/addons/metadata/metadata-service.yaml", + "deploy/addons/gcp-auth/gcp-auth-service.yaml", vmpath.GuestAddonsDir, - "metadata-service.yaml", + "gcp-auth-service.yaml", "0640", false), MustBinAsset( - "deploy/addons/metadata/metadata-mutatingwebhook.yaml", + "deploy/addons/gcp-auth/gcp-auth-webhook.yaml", vmpath.GuestAddonsDir, - "metadata-mutatingwebhook.yaml", + "gcp-auth-webhook.yaml", "0640", false), }, false, "metadata"), From 839e5812b38e29143bb7d7c13825d3a18e3522ee Mon Sep 17 00:00:00 2001 From: Sharif Elgamal Date: Fri, 10 Jul 2020 10:17:24 -0700 Subject: [PATCH 17/30] missed one --- pkg/minikube/assets/addons.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/minikube/assets/addons.go b/pkg/minikube/assets/addons.go index 580e3854849a..73b2d46854f5 100644 --- a/pkg/minikube/assets/addons.go +++ b/pkg/minikube/assets/addons.go @@ -438,7 +438,7 @@ var Addons = map[string]*Addon{ "gcp-auth-webhook.yaml", "0640", false), - }, false, "metadata"), + }, false, "gcp-auth"), } // GenerateTemplateData generates template data for template assets From b5d9e3c922a037c5c1fec48cbc8b2e82c77744ee Mon Sep 17 00:00:00 2001 From: Sharif Elgamal Date: Tue, 14 Jul 2020 10:00:40 -0700 Subject: [PATCH 18/30] automate finding of credentials --- go.mod | 1 + pkg/addons/gcpauth/enable.go | 13 ++++++++----- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/go.mod b/go.mod index d16121bdebe4..b8357b265de2 100644 --- a/go.mod +++ b/go.mod 
@@ -74,6 +74,7 @@ require (
 	github.com/zchee/go-vmnet v0.0.0-20161021174912-97ebf9174097
 	golang.org/x/build v0.0.0-20190927031335-2835ba2e683f
 	golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37
+	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
 	golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a
 	golang.org/x/sys v0.0.0-20200523222454-059865788121
 	golang.org/x/text v0.3.2
diff --git a/pkg/addons/gcpauth/enable.go b/pkg/addons/gcpauth/enable.go
index 4d2dcff42a5e..e149712f8ddc 100644
--- a/pkg/addons/gcpauth/enable.go
+++ b/pkg/addons/gcpauth/enable.go
@@ -17,12 +17,12 @@ limitations under the License.
 package gcpauth
 
 import (
+	"context"
 	"os/exec"
-	"path/filepath"
 	"strconv"
 
 	"github.com/pkg/errors"
-	"k8s.io/client-go/util/homedir"
+	"golang.org/x/oauth2/google"
 	"k8s.io/minikube/pkg/minikube/assets"
 	"k8s.io/minikube/pkg/minikube/config"
 	"k8s.io/minikube/pkg/minikube/driver"
@@ -43,13 +43,16 @@ func EnableOrDisable(cfg *config.ClusterConfig, name string, val string) error {
 }
 
 func enableAddon(cfg *config.ClusterConfig) error {
-	// This is the default location for GCP credentials to live, it's where they're stored when gcloud login is run
-	credsPath := filepath.Join(homedir.HomeDir(), ".config", "gcloud", "application_default_credentials.json")
-	f, err := assets.NewFileAsset(credsPath, "/tmp/", "google_application_credentials.json", "0444")
+	// Grab credentials from where GCP would normally look
+	// We should allow users to specify an arbitrary file as well
+	ctx := context.Background()
+	creds, err := google.FindDefaultCredentials(ctx)
 	if err != nil {
 		return err
 	}
 
+	f := assets.NewMemoryAssetTarget(creds.JSON, "/tmp/google_application_credentials.json", "0444")
+
 	api, err := machine.NewAPIClient()
 	if err != nil {
 		return err
From 76d4dc3079ee51a5adca4d7cf80dc0b2075df56f Mon Sep 17 00:00:00 2001
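Review bot: `creds.JSON` is copied to the node unconditionally, but `google.FindDefaultCredentials` can also resolve credentials that have no JSON backing (it falls through to the metadata-server token source when no file is found), in which case `creds.JSON` is nil and an empty `google_application_credentials.json` is silently installed in the cluster; guard before building the asset with `if len(creds.JSON) == 0 { return errors.New("no JSON credentials found; set GOOGLE_APPLICATION_CREDENTIALS or run gcloud auth application-default login") }`. The asset is also written to `/tmp` with mode `0444`, so the user's refresh token or service-account key becomes readable by any process on the node, which deserves at least a comment explaining why a world-readable mode is required for the hostPath consumers. enableAddon continues past the end of the hunk.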
From: Sharif Elgamal Date: Tue, 14 Jul 2020 10:43:54 -0700 Subject: [PATCH 19/30] remove unnecessary comment --- pkg/addons/gcpauth/enable.go | 1 - 1 file changed, 1 deletion(-) diff --git a/pkg/addons/gcpauth/enable.go b/pkg/addons/gcpauth/enable.go index e149712f8ddc..e7dff386f510 100644 --- a/pkg/addons/gcpauth/enable.go +++ b/pkg/addons/gcpauth/enable.go @@ -44,7 +44,6 @@ func EnableOrDisable(cfg *config.ClusterConfig, name string, val string) error { func enableAddon(cfg *config.ClusterConfig) error { // Grab credentials from where GCP would normally look - // We should allow users to specify an arbitrary file as well ctx := context.Background() creds, err := google.FindDefaultCredentials(ctx) if err != nil { From a34eca705a239655c4164066790bba51a1815a8c Mon Sep 17 00:00:00 2001 From: Sharif Elgamal Date: Tue, 14 Jul 2020 16:56:26 -0700 Subject: [PATCH 20/30] address comments --- README.md | 1 + deploy/addons/gcp-auth/gcp-auth-webhook.yaml | 12 +++++-- pkg/addons/addons.go | 10 +++++- pkg/addons/config.go | 3 +- pkg/addons/gcpauth/enable.go | 35 ++++++++++---------- pkg/kapi/kapi.go | 2 +- 6 files changed, 39 insertions(+), 24 deletions(-) diff --git a/README.md b/README.md index 757debf449ac..f9651f8032f6 100644 --- a/README.md +++ b/README.md @@ -67,3 +67,4 @@ minikube is a Kubernetes [#sig-cluster-lifecycle](https://github.com/kubernetes/ Join our meetings: * [Bi-weekly office hours, Mondays @ 11am PST](https://tinyurl.com/minikube-oh) * [Triage Party](https://minikube.sigs.k8s.io/docs/contrib/triage/) + diff --git a/deploy/addons/gcp-auth/gcp-auth-webhook.yaml b/deploy/addons/gcp-auth/gcp-auth-webhook.yaml index 718f8c89caee..4534f51de60c 100644 --- a/deploy/addons/gcp-auth/gcp-auth-webhook.yaml +++ b/deploy/addons/gcp-auth/gcp-auth-webhook.yaml @@ -76,6 +76,7 @@ spec: metadata: labels: app: gcp-auth + kubernetes.io/minikube-addons: gcp-auth spec: containers: - name: gcp-auth 
@@ -88,7 +89,7 @@ spec: mountPath: /etc/webhook/certs readOnly: true - name: gcp-project - mountPath: /tmp/google_cloud_project + mountPath: /var/lib/minikube/google_cloud_project readOnly: true volumes: - name: webhook-certs @@ -96,7 +97,7 @@ spec: secretName: gcp-auth-certs - name: gcp-project hostPath: - path: /tmp/google_cloud_project + path: /var/lib/minikube/google_cloud_project type: File --- apiVersion: batch/v1 @@ -130,8 +131,13 @@ metadata: app: gcp-auth webhooks: - name: gcp-auth-mutate.k8s.io + objectSelector: + matchExpressions: + - key: gcp-auth-skip-secret + operator: NotIn + values: ["true"] sideEffects: None - admissionReviewVersions: ["v1", "v1beta1"] + admissionReviewVersions: ["v1","v1beta1"] clientConfig: service: name: gcp-auth diff --git a/pkg/addons/addons.go b/pkg/addons/addons.go index c197913d1249..1f838cf30557 100644 --- a/pkg/addons/addons.go +++ b/pkg/addons/addons.go @@ -315,6 +315,14 @@ func enableOrDisableStorageClasses(cc *config.ClusterConfig, name string, val st } func verifyAddonStatus(cc *config.ClusterConfig, name string, val string) error { + return verifyAddonStatusInternal(cc, name, val, "kube-system") +} + +func verifyGCPAuthAddon(cc *config.ClusterConfig, name string, val string) error { + return verifyAddonStatusInternal(cc, name, val, "gcp-auth") +} + +func verifyAddonStatusInternal(cc *config.ClusterConfig, name string, val string, ns string) error { glog.Infof("Verifying addon %s=%s in %q", name, val, cc.Name) enable, err := strconv.ParseBool(val) if err != nil { @@ -329,7 +337,7 @@ func verifyAddonStatus(cc *config.ClusterConfig, name string, val string) error return errors.Wrapf(err, "get kube-client to validate %s addon: %v", name, err) } - err = kapi.WaitForPods(client, "kube-system", label, time.Minute*3) + err = kapi.WaitForPods(client, ns, label, time.Minute*3) if err != nil { return errors.Wrapf(err, "verifying %s addon pods : %v", name, err) } 
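Review bot: The `gcp-project` hostPath is declared with `type: File` (a context line) and now points at `/var/lib/minikube/google_cloud_project`, which the kubelet requires to exist before it will start the pod; enableAddon in this same commit appears to write that file only when a project ID can be found via `GOOGLE_CLOUD_PROJECT` or `gcloud`, so a user with valid credentials but no configured project gets a webhook pod stuck in ContainerCreating and the new `verifyGCPAuthAddon` times out after three minutes. Either have enableAddon always write the project file (empty when unknown) or change the mount to `type: FileOrCreate` and let the webhook treat an empty file as "no project". The deployment spec and the enableAddon body both continue outside their hunks.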
diff --git a/pkg/addons/config.go b/pkg/addons/config.go index a17aa5dbe33b..b8725d4401d7 100644 --- a/pkg/addons/config.go +++ b/pkg/addons/config.go @@ -36,6 +36,7 @@ var addonPodLabels = map[string]string{ "ingress": "app.kubernetes.io/name=ingress-nginx", "registry": "kubernetes.io/minikube-addons=registry", "gvisor": "kubernetes.io/minikube-addons=gvisor", + "gcp-auth": "kubernetes.io/minikube-addons=gcp-auth", } // Addons is a list of all addons @@ -167,6 +168,6 @@ var Addons = []*Addon{ { name: "gcp-auth", set: SetBool, - callbacks: []setFn{gcpauth.EnableOrDisable, enableOrDisableAddon}, + callbacks: []setFn{gcpauth.EnableOrDisable, enableOrDisableAddon, verifyGCPAuthAddon}, }, } diff --git a/pkg/addons/gcpauth/enable.go b/pkg/addons/gcpauth/enable.go index e7dff386f510..d2647a31f20a 100644 --- a/pkg/addons/gcpauth/enable.go +++ b/pkg/addons/gcpauth/enable.go @@ -18,6 +18,7 @@ package gcpauth import ( "context" + "os" "os/exec" "strconv" @@ -27,6 +28,7 @@ import ( "k8s.io/minikube/pkg/minikube/config" "k8s.io/minikube/pkg/minikube/driver" "k8s.io/minikube/pkg/minikube/machine" + "k8s.io/minikube/pkg/minikube/mustload" ) // EnableOrDisable enables or disables the metadata addon depending on the val parameter @@ -43,6 +45,11 @@ func EnableOrDisable(cfg *config.ClusterConfig, name string, val string) error { } func enableAddon(cfg *config.ClusterConfig) error { + + // Grab command runner from running cluster + cc := mustload.Running(cfg.Name) + r := cc.CP.Runner + // Grab credentials from where GCP would normally look ctx := context.Background() creds, err := google.FindDefaultCredentials(ctx) 
@@ -50,32 +57,24 @@ func enableAddon(cfg *config.ClusterConfig) error { return err } - f := assets.NewMemoryAssetTarget(creds.JSON, "/tmp/google_application_credentials.json", "0444") - - api, err := machine.NewAPIClient() - if err != nil { - return err - } - - host, err := machine.LoadHost(api, driver.MachineName(*cfg, cfg.Nodes[0])) - if err != nil { - return err - } + f := assets.NewMemoryAssetTarget(creds.JSON, "/var/lib/minikube/google_application_credentials.json", "0444") - r, err := machine.CommandRunner(host) + err = r.Copy(f) if err != nil { return err } - err = r.Copy(f) - if err != nil { - return err + // First check if the project env var is explicitly set + projectEnv := os.Getenv("GOOGLE_CLOUD_PROJECT") + if projectEnv != "" { + f := assets.NewMemoryAssetTarget([]byte(projectEnv), "/var/lib/minikube/google_cloud_project", "0444") + return r.Copy(f) } // We're currently assuming gcloud is installed and in the user's path project, err := exec.Command("gcloud", "config", "get-value", "project").Output() if err == nil && len(project) > 0 { - f := assets.NewMemoryAssetTarget(project, "/tmp/google_cloud_project", "0444") + f := assets.NewMemoryAssetTarget(project, "/var/lib/minikube/google_cloud_project", "0444") return r.Copy(f) } @@ -99,13 +98,13 @@ func disableAddon(cfg *config.ClusterConfig) error { } // Clean up the files generated when enabling the addon - creds := assets.NewMemoryAssetTarget([]byte{}, "/tmp/google_application_credentials.json", "0444") + creds := assets.NewMemoryAssetTarget([]byte{}, "/var/lib/minikube/google_application_credentials.json", "0444") err = r.Remove(creds) if err != nil { return err } - project := assets.NewMemoryAssetTarget([]byte{}, "/tmp/google_cloud_project", "0444") + project := assets.NewMemoryAssetTarget([]byte{}, "/var/lib/minikube/google_cloud_project", "0444") err = r.Remove(project) if err != nil { return err diff --git a/pkg/kapi/kapi.go b/pkg/kapi/kapi.go index 763bf2111be7..493f87a41e6c 100644 
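Review bot: `project` is the raw stdout of `gcloud config get-value project`, which ends with a newline, and the new line writes it verbatim to `/var/lib/minikube/google_cloud_project`; whatever later turns that file into `GOOGLE_CLOUD_PROJECT` will carry the trailing newline into the environment unless it trims, which is an easy source of "project not found" errors that are hard to see. Trim at the source, `project = bytes.TrimSpace(project)` (adding `"bytes"` to the imports), before `assets.NewMemoryAssetTarget(project, "/var/lib/minikube/google_cloud_project", "0444")`. The `GOOGLE_CLOUD_PROJECT` branch above it could use the same trim for consistency. enableAddon and disableAddon both continue outside their hunks.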
--- a/pkg/kapi/kapi.go +++ b/pkg/kapi/kapi.go @@ -72,7 +72,7 @@ func Client(context string) (*kubernetes.Clientset, error) { // WaitForPods waits for all matching pods to become Running or finish successfully and at least one matching pod exists. func WaitForPods(c kubernetes.Interface, ns string, selector string, timeOut ...time.Duration) error { start := time.Now() - glog.Infof("Waiting for pod with label %q in ns %q ...", ns, selector) + glog.Infof("Waiting for pod with label %q in ns %q ...", selector, ns) lastKnownPodNumber := -1 f := func() (bool, error) { listOpts := meta.ListOptions{LabelSelector: selector} From 3f86effd3c04bd775d7db1a1f00843712e6d10e9 Mon Sep 17 00:00:00 2001 From: Sharif Elgamal Date: Tue, 14 Jul 2020 16:59:42 -0700 Subject: [PATCH 21/30] Update README.md --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index f9651f8032f6..757debf449ac 100644 --- a/README.md +++ b/README.md @@ -67,4 +67,3 @@ minikube is a Kubernetes [#sig-cluster-lifecycle](https://github.com/kubernetes/ Join our meetings: * [Bi-weekly office hours, Mondays @ 11am PST](https://tinyurl.com/minikube-oh) * [Triage Party](https://minikube.sigs.k8s.io/docs/contrib/triage/) - From aabbbe04e12abe9abff519d23fb38392fbe75d64 Mon Sep 17 00:00:00 2001 From: Sharif Elgamal Date: Tue, 14 Jul 2020 17:00:12 -0700 Subject: [PATCH 22/30] Update README.md From dde94b55dd6fa1a52bde413bae9cac8700154403 Mon Sep 17 00:00:00 2001 From: Sharif Elgamal Date: Tue, 14 Jul 2020 17:05:23 -0700 Subject: [PATCH 23/30] use mustload everywhere --- pkg/addons/gcpauth/enable.go | 22 ++++------------------ 1 file changed, 4 insertions(+), 18 deletions(-) diff --git a/pkg/addons/gcpauth/enable.go b/pkg/addons/gcpauth/enable.go index d2647a31f20a..4502b2fa9e37 100644 --- a/pkg/addons/gcpauth/enable.go +++ b/pkg/addons/gcpauth/enable.go 
@@ -26,8 +26,6 @@ import ( "golang.org/x/oauth2/google" "k8s.io/minikube/pkg/minikube/assets" "k8s.io/minikube/pkg/minikube/config" - "k8s.io/minikube/pkg/minikube/driver" - "k8s.io/minikube/pkg/minikube/machine" "k8s.io/minikube/pkg/minikube/mustload" ) @@ -45,7 +43,6 @@ func EnableOrDisable(cfg *config.ClusterConfig, name string, val string) error { } func enableAddon(cfg *config.ClusterConfig) error { - // Grab command runner from running cluster cc := mustload.Running(cfg.Name) r := cc.CP.Runner @@ -82,24 +79,13 @@ func enableAddon(cfg *config.ClusterConfig) error { } func disableAddon(cfg *config.ClusterConfig) error { - api, err := machine.NewAPIClient() - if err != nil { - return err - } - - host, err := machine.LoadHost(api, driver.MachineName(*cfg, cfg.Nodes[0])) - if err != nil { - return err - } - - r, err := machine.CommandRunner(host) - if err != nil { - return err - } + // Grab command runner from running cluster + cc := mustload.Running(cfg.Name) + r := cc.CP.Runner // Clean up the files generated when enabling the addon creds := assets.NewMemoryAssetTarget([]byte{}, "/var/lib/minikube/google_application_credentials.json", "0444") - err = r.Remove(creds) + err := r.Remove(creds) if err != nil { return err } From e651fab71f9cfb1f4f34edb0cc4a6814d8ecde4e Mon Sep 17 00:00:00 2001 From: Sharif Elgamal Date: Wed, 15 Jul 2020 09:36:13 -0700 Subject: [PATCH 24/30] swap selector condition --- deploy/addons/gcp-auth/gcp-auth-webhook.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/deploy/addons/gcp-auth/gcp-auth-webhook.yaml b/deploy/addons/gcp-auth/gcp-auth-webhook.yaml index 4534f51de60c..bf4e6802b150 100644 --- a/deploy/addons/gcp-auth/gcp-auth-webhook.yaml +++ b/deploy/addons/gcp-auth/gcp-auth-webhook.yaml @@ -134,8 +134,7 @@ webhooks: objectSelector: matchExpressions: - key: gcp-auth-skip-secret - operator: NotIn - values: ["true"] + operator: DoesNotExist sideEffects: None admissionReviewVersions: ["v1","v1beta1"] clientConfig: 
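Review bot: `mustload.Running(cfg.Name)` replaces three error-returning calls in `disableAddon` (third hunk); judging by the `mustload` name, it terminates the process when the cluster is not running rather than returning an error, so `minikube addons disable gcp-auth` against a stopped cluster would now abort inside the callback instead of surfacing a wrapped error to the caller, and the same applies to `enableAddon` in the second hunk. That may be the intended minikube convention, but it is worth confirming, because the previous code let the addon layer decide how to report a missing host. If it is intended, a one-line comment above each call, `// mustload.Running exits the process if the cluster is not running`, would make the non-returning control flow visible to readers of these functions.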
From dd89c1c1ddd945881efbf23ebf9adee041b51ec4 Mon Sep 17 00:00:00 2001 From: Sharif Elgamal Date: Wed, 15 Jul 2020 10:22:49 -0700 Subject: [PATCH 25/30] upgrade kube-webhook-certgen to 1.3 --- deploy/addons/gcp-auth/gcp-auth-webhook.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/addons/gcp-auth/gcp-auth-webhook.yaml b/deploy/addons/gcp-auth/gcp-auth-webhook.yaml index bf4e6802b150..24dfe49ac5d1 100644 --- a/deploy/addons/gcp-auth/gcp-auth-webhook.yaml +++ b/deploy/addons/gcp-auth/gcp-auth-webhook.yaml @@ -54,7 +54,7 @@ spec: serviceAccountName: minikube-gcp-auth-certs containers: - name: create - image: jettech/kube-webhook-certgen:v1.2.2 + image: jettech/kube-webhook-certgen:v1.3.0 imagePullPolicy: IfNotPresent args: - create @@ -113,7 +113,7 @@ spec: serviceAccountName: minikube-gcp-auth-certs containers: - name: patch - image: jettech/kube-webhook-certgen:v1.2.2 + image: jettech/kube-webhook-certgen:v1.3.0 imagePullPolicy: IfNotPresent args: - patch From 142192b11d3ed8978fa891386d088c9a183be357 Mon Sep 17 00:00:00 2001 From: Sharif Elgamal Date: Wed, 15 Jul 2020 10:43:27 -0700 Subject: [PATCH 26/30] move paths to constants --- pkg/addons/gcpauth/enable.go | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/pkg/addons/gcpauth/enable.go b/pkg/addons/gcpauth/enable.go index 4502b2fa9e37..6cc28db2c525 100644 --- a/pkg/addons/gcpauth/enable.go +++ b/pkg/addons/gcpauth/enable.go @@ -29,6 +29,11 @@ import ( "k8s.io/minikube/pkg/minikube/mustload" ) +const ( + credentialsPath = "/var/lib/minikube/google_application_credentials.json" + projectPath = "/var/lib/minikube/google_cloud_project" +) + // EnableOrDisable enables or disables the metadata addon depending on the val parameter func EnableOrDisable(cfg *config.ClusterConfig, name string, val string) error { enable, err := strconv.ParseBool(val) 
@@ -54,7 +59,7 @@ func enableAddon(cfg *config.ClusterConfig) error { return err } - f := assets.NewMemoryAssetTarget(creds.JSON, "/var/lib/minikube/google_application_credentials.json", "0444") + f := assets.NewMemoryAssetTarget(creds.JSON, credentialsPath, "0444") err = r.Copy(f) if err != nil { @@ -64,14 +69,14 @@ func enableAddon(cfg *config.ClusterConfig) error { // First check if the project env var is explicitly set projectEnv := os.Getenv("GOOGLE_CLOUD_PROJECT") if projectEnv != "" { - f := assets.NewMemoryAssetTarget([]byte(projectEnv), "/var/lib/minikube/google_cloud_project", "0444") + f := assets.NewMemoryAssetTarget([]byte(projectEnv), projectPath, "0444") return r.Copy(f) } // We're currently assuming gcloud is installed and in the user's path project, err := exec.Command("gcloud", "config", "get-value", "project").Output() if err == nil && len(project) > 0 { - f := assets.NewMemoryAssetTarget(project, "/var/lib/minikube/google_cloud_project", "0444") + f := assets.NewMemoryAssetTarget(project, projectPath, "0444") return r.Copy(f) } @@ -84,13 +89,13 @@ func disableAddon(cfg *config.ClusterConfig) error { r := cc.CP.Runner // Clean up the files generated when enabling the addon - creds := assets.NewMemoryAssetTarget([]byte{}, "/var/lib/minikube/google_application_credentials.json", "0444") + creds := assets.NewMemoryAssetTarget([]byte{}, credentialsPath, "0444") err := r.Remove(creds) if err != nil { return err } - project := assets.NewMemoryAssetTarget([]byte{}, "/var/lib/minikube/google_cloud_project", "0444") + project := assets.NewMemoryAssetTarget([]byte{}, projectPath, "0444") err = r.Remove(project) if err != nil { return err From 0a675689191b0f12854613031ac522b924786802 Mon Sep 17 00:00:00 2001 From: Sharif Elgamal Date: Wed, 15 Jul 2020 14:26:14 -0700 Subject: [PATCH 27/30] add notice to user on addon enable --- pkg/addons/config.go | 2 +- pkg/addons/gcpauth/enable.go | 8 ++++++++ 2 files changed, 9 insertions(+), 1 deletion(-) 
diff --git a/pkg/addons/config.go b/pkg/addons/config.go
index b8725d4401d7..bcc382a86d49 100644
--- a/pkg/addons/config.go
+++ b/pkg/addons/config.go
@@ -168,6 +168,6 @@ var Addons = []*Addon{
 	{
 		name:      "gcp-auth",
 		set:       SetBool,
-		callbacks: []setFn{gcpauth.EnableOrDisable, enableOrDisableAddon, verifyGCPAuthAddon},
+		callbacks: []setFn{gcpauth.EnableOrDisable, enableOrDisableAddon, verifyGCPAuthAddon, gcpauth.DisplayAddonMessage},
 	},
 }
diff --git a/pkg/addons/gcpauth/enable.go b/pkg/addons/gcpauth/enable.go
index 6cc28db2c525..93c7d091cf95 100644
--- a/pkg/addons/gcpauth/enable.go
+++ b/pkg/addons/gcpauth/enable.go
@@ -27,6 +27,7 @@ import (
 	"k8s.io/minikube/pkg/minikube/assets"
 	"k8s.io/minikube/pkg/minikube/config"
 	"k8s.io/minikube/pkg/minikube/mustload"
+	"k8s.io/minikube/pkg/minikube/out"
 )
 
 const (
@@ -103,3 +104,10 @@ func disableAddon(cfg *config.ClusterConfig) error {
 
 	return nil
 }
+
+// DisplayAddonMessage display an gcp auth addon specific message to the user
+func DisplayAddonMessage(cfg *config.ClusterConfig, name string, val string) error {
+	out.T(out.Notice, "Your GCP credentials will now be mounted into every pod created in the {{.name}} cluster.", out.V{"name": cfg.Name})
+	out.T(out.Notice, "If you don't want credential mounted into a specific pod, add a label with the `gcp-auth-skip-secret` key to your pod configuration.")
+	return nil
+}
From 0ee4b71f610abaee812c799200ded2d3f5aa5bd6 Mon Sep 17 00:00:00 2001
From: Sharif Elgamal
Date: Thu, 16 Jul 2020 14:54:54 -0700
Subject: [PATCH 28/30] adding addon documentation
---
 site/content/en/docs/addons/_index.md   |  8 +++
 site/content/en/docs/addons/gcp-auth.md | 69 +++++++++++++++++++++++++
 2 files changed, 77 insertions(+)
 create mode 100644 site/content/en/docs/addons/_index.md
 create mode 100644 site/content/en/docs/addons/gcp-auth.md
diff --git a/site/content/en/docs/addons/_index.md b/site/content/en/docs/addons/_index.md
new file mode 100644
index 000000000000..bba88552d670
--- /dev/null
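Review bot: `DisplayAddonMessage` ignores `val`, and the config.go hunk registers it in the same callback list as `EnableOrDisable`, which parses that value, so as far as the visible callback chain shows `minikube addons disable gcp-auth` will also print "Your GCP credentials will now be mounted into every pod…". Gate it on the same value the other callbacks use, `if enable, err := strconv.ParseBool(val); err != nil || !enable { return err }` as the first statement (`strconv` is already imported in this file). The doc comment should start with the function name and read `// DisplayAddonMessage prints the gcp-auth notice to the user once the addon has been enabled.`, and "credential mounted" in the second message should be "credentials mounted".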
+++ b/site/content/en/docs/addons/_index.md @@ -0,0 +1,8 @@ +--- +title: "Addons" +weight: 4 +description: > + Details on maintained minikube addons +--- + +Addons are maintained extensions of minikube used for added functionality for Kubernetes. diff --git a/site/content/en/docs/addons/gcp-auth.md b/site/content/en/docs/addons/gcp-auth.md new file mode 100644 index 000000000000..14194909e9bf --- /dev/null +++ b/site/content/en/docs/addons/gcp-auth.md 
@@ -0,0 +1,69 @@
+---
+title: "Automated Google Cloud Platform Authentication"
+linkTitle: "GCP Auth"
+weight: 1
+date: 2020-07-15
+---
+
+If you have a containerized GCP app with a Kubernetes yaml, you can automatically add your credentials to all your deployed pods dynamically with this minikube addon. You just need to have a credentials file, which can be generated with `gcloud auth login`. If you already have a json credentials file you want specify, use the GOOGLE_APPLICATION_CREDENTIALS environment variable.
+
+- Start a cluster:
+```
+minikube start
+😄 minikube v1.12.0 on Darwin 10.15.5
+✨ Automatically selected the docker driver. Other choices: hyperkit, virtualbox
+👍 Starting control plane node minikube in cluster minikube
+🔥 Creating docker container (CPUs=2, Memory=3892MB) ...
+🐳 Preparing Kubernetes v1.18.3 on Docker 19.03.2 ...
+🔎 Verifying Kubernetes components...
+🌟 Enabled addons: default-storageclass, storage-provisioner
+🏄 Done! kubectl is now configured to use "minikube"
+```
+
+- Enable the `gcp-auth` addon:
+```
+minikube addons enable gcp-auth
+🔎 Verifying gcp-auth addon...
+📌 Your GCP credentials will now be mounted into every pod created in the minikube cluster.
+📌 If you don't want credential mounted into a specific pod, add a label with the `gcp-auth-skip-secret` key to your pod configuration.
+🌟 The 'gcp-auth' addon is enabled
+```
+
+- For credentials in an arbitrary path:
+```
+export GOOGLE_APPLICATION_CREDENTIALS=.json
+minikube addons enable gcp-auth
+```
+
+- Deploy your GCP app as normal:
+```
+kubectl apply -f test.yaml
+deployment.apps/pytest created
+```
+
+Everything should work as expected. You can run `kubectl describe` on your pods to see the environment variables we inject.
+
+As explained in the output above, if you have a pod you don't want to inject with your credentials, all you need to do is add the `gcp-auth-skip-secret` label:
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pytest
+spec:
+  selector:
+    matchLabels:
+      app: pytest
+  replicas: 2
+  template:
+    metadata:
+      labels:
+        app: pytest
+        gcp-auth-skip-secret: "true"
+    spec:
+      containers:
+      - name: py-test
+        imagePullPolicy: Never
+        image: local-pytest
+        ports:
+          - containerPort: 80
+
From ce0d41a1085d998109550e5ea6c6d7c2346f11aa Mon Sep 17 00:00:00 2001
From: Sharif Elgamal
Date: Tue, 21 Jul 2020 13:33:09 -0700
Subject: [PATCH 29/30] move addons documentation inside handbook
---
 README.md | 2 +-
 .../content/en/docs/handbook/addons/_index.md | 8 +++
 .../en/docs/handbook/addons/gcp-auth.md | 69 +++++++++++++++++++
 3 files changed, 78 insertions(+), 1 deletion(-)
 create mode 100644 site/content/en/docs/handbook/addons/_index.md
 create mode 100644 site/content/en/docs/handbook/addons/gcp-auth.md
diff --git a/README.md b/README.md
index 757debf449ac..d8cedfe41a09 100644
--- a/README.md
+++ b/README.md
@@ -66,4 +66,4 @@ minikube is a Kubernetes [#sig-cluster-lifecycle](https://github.com/kubernetes/
 Join our meetings:
 * [Bi-weekly office hours, Mondays @ 11am PST](https://tinyurl.com/minikube-oh)
-* [Triage Party](https://minikube.sigs.k8s.io/docs/contrib/triage/)
+* [Triage Party](https://minikube.sigs.k8s.io/docs/contrib/triage/)
\ No newline at end of file
diff --git a/site/content/en/docs/handbook/addons/_index.md b/site/content/en/docs/handbook/addons/_index.md
new file mode 100644
index 000000000000..bba88552d670
--- /dev/null
+++ b/site/content/en/docs/handbook/addons/_index.md
@@ -0,0 +1,8 @@
+---
+title: "Addons"
+weight: 4
+description: >
+ Details on maintained minikube addons
+---
+
+Addons are maintained extensions of minikube used for added functionality for Kubernetes.
diff --git a/site/content/en/docs/handbook/addons/gcp-auth.md b/site/content/en/docs/handbook/addons/gcp-auth.md
new file mode 100644
index 000000000000..14194909e9bf
--- /dev/null
+++ b/site/content/en/docs/handbook/addons/gcp-auth.md
@@ -0,0 +1,69 @@
+---
+title: "Automated Google Cloud Platform Authentication"
+linkTitle: "GCP Auth"
+weight: 1
+date: 2020-07-15
+---
+
+If you have a containerized GCP app with a Kubernetes yaml, you can automatically add your credentials to all your deployed pods dynamically with this minikube addon. You just need to have a credentials file, which can be generated with `gcloud auth login`. If you already have a json credentials file you want specify, use the GOOGLE_APPLICATION_CREDENTIALS environment variable.
+
+- Start a cluster:
+```
+minikube start
+😄 minikube v1.12.0 on Darwin 10.15.5
+✨ Automatically selected the docker driver. Other choices: hyperkit, virtualbox
+👍 Starting control plane node minikube in cluster minikube
+🔥 Creating docker container (CPUs=2, Memory=3892MB) ...
+🐳 Preparing Kubernetes v1.18.3 on Docker 19.03.2 ...
+🔎 Verifying Kubernetes components...
+🌟 Enabled addons: default-storageclass, storage-provisioner
+🏄 Done! kubectl is now configured to use "minikube"
+```
+
+- Enable the `gcp-auth` addon:
+```
+minikube addons enable gcp-auth
+🔎 Verifying gcp-auth addon...
+📌 Your GCP credentials will now be mounted into every pod created in the minikube cluster.
+📌 If you don't want credential mounted into a specific pod, add a label with the `gcp-auth-skip-secret` key to your pod configuration.
+🌟 The 'gcp-auth' addon is enabled
+```
+
+- For credentials in an arbitrary path:
+```
+export GOOGLE_APPLICATION_CREDENTIALS=.json
+minikube addons enable gcp-auth
+```
+
+- Deploy your GCP app as normal:
+```
+kubectl apply -f test.yaml
+deployment.apps/pytest created
+```
+
+Everything should work as expected. You can run `kubectl describe` on your pods to see the environment variables we inject.
+
+As explained in the output above, if you have a pod you don't want to inject with your credentials, all you need to do is add the `gcp-auth-skip-secret` label:
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pytest
+spec:
+  selector:
+    matchLabels:
+      app: pytest
+  replicas: 2
+  template:
+    metadata:
+      labels:
+        app: pytest
+        gcp-auth-skip-secret: "true"
+    spec:
+      containers:
+      - name: py-test
+        imagePullPolicy: Never
+        image: local-pytest
+        ports:
+          - containerPort: 80
+
From f07dd49131613c00c37864bcc2e7800d28c4a282 Mon Sep 17 00:00:00 2001
From: Sharif Elgamal
Date: Tue, 21 Jul 2020 14:00:26 -0700
Subject: [PATCH 30/30] remove old addons docs location
---
 site/content/en/docs/addons/_index.md | 8 ---
 site/content/en/docs/addons/gcp-auth.md | 69 -------------------------
 2 files changed, 77 deletions(-)
 delete mode 100644 site/content/en/docs/addons/_index.md
 delete mode 100644 site/content/en/docs/addons/gcp-auth.md
diff --git a/site/content/en/docs/addons/_index.md b/site/content/en/docs/addons/_index.md
deleted file mode 100644
index bba88552d670..000000000000
--- a/site/content/en/docs/addons/_index.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-title: "Addons"
-weight: 4
-description: >
- Details on maintained minikube addons
----
-
-Addons are maintained extensions of minikube used for added functionality for Kubernetes.
diff --git a/site/content/en/docs/addons/gcp-auth.md b/site/content/en/docs/addons/gcp-auth.md
deleted file mode 100644
index 14194909e9bf..000000000000
--- a/site/content/en/docs/addons/gcp-auth.md
+++ /dev/null
@@ -1,69 +0,0 @@
----
-title: "Automated Google Cloud Platform Authentication"
-linkTitle: "GCP Auth"
-weight: 1
-date: 2020-07-15
----
-
-If you have a containerized GCP app with a Kubernetes yaml, you can automatically add your credentials to all your deployed pods dynamically with this minikube addon. You just need to have a credentials file, which can be generated with `gcloud auth login`. If you already have a json credentials file you want specify, use the GOOGLE_APPLICATION_CREDENTIALS environment variable.
-
-- Start a cluster:
-```
-minikube start
-😄 minikube v1.12.0 on Darwin 10.15.5
-✨ Automatically selected the docker driver. Other choices: hyperkit, virtualbox
-👍 Starting control plane node minikube in cluster minikube
-🔥 Creating docker container (CPUs=2, Memory=3892MB) ...
-🐳 Preparing Kubernetes v1.18.3 on Docker 19.03.2 ...
-🔎 Verifying Kubernetes components...
-🌟 Enabled addons: default-storageclass, storage-provisioner
-🏄 Done! kubectl is now configured to use "minikube"
-```
-
-- Enable the `gcp-auth` addon:
-```
-minikube addons enable gcp-auth
-🔎 Verifying gcp-auth addon...
-📌 Your GCP credentials will now be mounted into every pod created in the minikube cluster.
-📌 If you don't want credential mounted into a specific pod, add a label with the `gcp-auth-skip-secret` key to your pod configuration.
-🌟 The 'gcp-auth' addon is enabled
-```
-
-- For credentials in an arbitrary path:
-```
-export GOOGLE_APPLICATION_CREDENTIALS=.json
-minikube addons enable gcp-auth
-```
-
-- Deploy your GCP app as normal:
-```
-kubectl apply -f test.yaml
-deployment.apps/pytest created
-```
-
-Everything should work as expected. You can run `kubectl describe` on your pods to see the environment variables we inject.
-
-As explained in the output above, if you have a pod you don't want to inject with your credentials, all you need to do is add the `gcp-auth-skip-secret` label:
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: pytest
-spec:
-  selector:
-    matchLabels:
-      app: pytest
-  replicas: 2
-  template:
-    metadata:
-      labels:
-        app: pytest
-        gcp-auth-skip-secret: "true"
-    spec:
-      containers:
-      - name: py-test
-        imagePullPolicy: Never
-        image: local-pytest
-        ports:
-          - containerPort: 80
-