Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support bootstrapping nodes using Public Key authentication #16141

Merged
merged 3 commits into from
Dec 1, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 22 additions & 6 deletions cmd/kops-controller/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,9 @@ import (
"k8s.io/kops/cmd/kops-controller/controllers"
"k8s.io/kops/cmd/kops-controller/pkg/config"
"k8s.io/kops/cmd/kops-controller/pkg/server"
"k8s.io/kops/pkg/apis/kops/v1alpha2"
"k8s.io/kops/pkg/bootstrap"
"k8s.io/kops/pkg/bootstrap/pkibootstrap"
"k8s.io/kops/pkg/nodeidentity"
nodeidentityaws "k8s.io/kops/pkg/nodeidentity/aws"
nodeidentityazure "k8s.io/kops/pkg/nodeidentity/azure"
Expand All @@ -58,7 +60,6 @@ import (
)

var (
scheme = runtime.NewScheme()
setupLog = ctrl.Log.WithName("setup")
)

Expand Down Expand Up @@ -100,14 +101,16 @@ func main() {

ctrl.SetLogger(klogr.New())

if err := buildScheme(); err != nil {
scheme, err := buildScheme()
if err != nil {
setupLog.Error(err, "error building scheme")
os.Exit(1)
}

kubeConfig := ctrl.GetConfigOrDie()
kubeConfig.Burst = 200
kubeConfig.QPS = 100

mgr, err := ctrl.NewManager(kubeConfig, ctrl.Options{
Scheme: scheme,
Metrics: metricsserver.Options{
Expand Down Expand Up @@ -183,6 +186,15 @@ func main() {
verifiers = append(verifiers, verifier)
}

if opt.Server.PKI != nil {
verifier, err := pkibootstrap.NewVerifier(opt.Server.PKI, mgr.GetClient())
if err != nil {
setupLog.Error(err, "unable to create verifier")
os.Exit(1)
}
verifiers = append(verifiers, verifier)
}

if len(verifiers) == 0 {
klog.Fatalf("server verifiers not provided")
}
Expand Down Expand Up @@ -233,15 +245,19 @@ func main() {
}
}

func buildScheme() error {
func buildScheme() (*runtime.Scheme, error) {
scheme := runtime.NewScheme()
if err := corev1.AddToScheme(scheme); err != nil {
return fmt.Errorf("error registering corev1: %v", err)
return nil, fmt.Errorf("error registering corev1: %v", err)
}
if err := v1alpha2.AddToScheme(scheme); err != nil {
return nil, fmt.Errorf("error registering kops/v1alpha2 API: %v", err)
}
// Needed so that the leader-election system can post events
if err := coordinationv1.AddToScheme(scheme); err != nil {
return fmt.Errorf("error registering coordinationv1: %v", err)
return nil, fmt.Errorf("error registering coordinationv1: %v", err)
}
return nil
return scheme, nil
}

func addNodeController(mgr manager.Manager, vfsContext *vfs.VFSContext, opt *config.Options) error {
Expand Down
4 changes: 4 additions & 0 deletions cmd/kops-controller/pkg/config/options.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ limitations under the License.
package config

import (
"k8s.io/kops/pkg/bootstrap/pkibootstrap"
"k8s.io/kops/upup/pkg/fi/cloudup/awsup"
"k8s.io/kops/upup/pkg/fi/cloudup/azure"
"k8s.io/kops/upup/pkg/fi/cloudup/do"
Expand Down Expand Up @@ -51,6 +52,9 @@ type ServerOptions struct {
// Provider is the cloud provider.
Provider ServerProviderOptions `json:"provider"`

// PKI configures private/public key node authentication.
PKI *pkibootstrap.Options `json:"pki,omitempty"`

// ServerKeyPath is the path to our TLS serving private key.
ServerKeyPath string `json:"serverKeyPath,omitempty"`
// ServerCertificatePath is the path to our TLS serving certificate.
Expand Down
44 changes: 44 additions & 0 deletions k8s/crds/kops.k8s.io_hosts.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.13.0
name: hosts.kops.k8s.io
spec:
group: kops.k8s.io
names:
kind: Host
listKind: HostList
plural: hosts
singular: host
scope: Namespaced
versions:
- name: v1alpha2
schema:
openAPIV3Schema:
description: Host represents a bare-metal machine that could be registered
as a Node.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
instanceGroup:
type: string
publicKey:
type: string
type: object
type: object
served: true
storage: true
8 changes: 8 additions & 0 deletions nodeup/pkg/model/bootstrap_client.go
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ import (

"k8s.io/kops/pkg/apis/kops"
"k8s.io/kops/pkg/bootstrap"
"k8s.io/kops/pkg/bootstrap/pkibootstrap"
"k8s.io/kops/pkg/kopscontrollerclient"
"k8s.io/kops/pkg/resolver"
"k8s.io/kops/pkg/wellknownports"
Expand Down Expand Up @@ -101,6 +102,13 @@ func (b BootstrapClientBuilder) Build(c *fi.NodeupModelBuilderContext) error {
}
authenticator = a

case "metal":
a, err := pkibootstrap.NewAuthenticatorFromFile("/etc/kubernetes/kops/pki/machine/private.pem")
if err != nil {
return err
}
authenticator = a

default:
return fmt.Errorf("unsupported cloud provider for authenticator %q", b.CloudProvider())
}
Expand Down
46 changes: 46 additions & 0 deletions pkg/apis/kops/v1alpha2/host.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
/*
Copyright 2023 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package v1alpha2

import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// Host represents a bare-metal machine that could be registered as a Node.
type Host struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`

Spec HostSpec `json:"spec,omitempty"`
}

type HostSpec struct {
PublicKey string `json:"publicKey,omitempty"`
InstanceGroup string `json:"instanceGroup,omitempty"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

type HostList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`

Items []Host `json:"items"`
}
2 changes: 2 additions & 0 deletions pkg/apis/kops/v1alpha2/register.go
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
&KeysetList{},
&SSHCredential{},
&SSHCredentialList{},
&Host{},
&HostList{},
)

metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
Expand Down
76 changes: 76 additions & 0 deletions pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

46 changes: 46 additions & 0 deletions pkg/apis/kops/v1alpha3/host.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
/*
Copyright 2023 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package v1alpha3

import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// Host represents a bare-metal machine that could be registered as a Node.
type Host struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`

Spec HostSpec `json:"spec,omitempty"`
}

type HostSpec struct {
PublicKey string `json:"publicKey,omitempty"`
InstanceGroup string `json:"instanceGroup,omitempty"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

type HostList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`

Items []Host `json:"items"`
}
2 changes: 2 additions & 0 deletions pkg/apis/kops/v1alpha3/register.go
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
&KeysetList{},
&SSHCredential{},
&SSHCredentialList{},
&Host{},
&HostList{},
)

metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
Expand Down
Loading
Loading