Merge pull request #10022 from olemarkus/metrics-server

Kubelet serving certificate and metrics server addon

Author: k8s-ci-robot

addons/metrics-server/README.md

@@ -1,5 +1,7 @@
 # Kubernetes Metrics Server
 
+**This addon is deprecated. Set `spec.metricsServer.enabled: true` instead**
+
 ## User guide
 
 You can find the user guide in

cmd/kops-controller/pkg/server/server.go

@@ -175,6 +175,12 @@ func (s *Server) issueCert(name string, pubKey string, id *fi.VerifyResult, vali
 			CommonName:   fmt.Sprintf("system:node:%s", id.NodeName),
 			Organization: []string{rbac.NodesGroup},
 		}
+	case "kubelet-server":
+		issueReq.Subject = pkix.Name{
+			CommonName: id.NodeName,
+		}
+		issueReq.AlternateNames = []string{id.NodeName}
+		issueReq.Type = "server"
 	case "kube-proxy":
 		issueReq.Subject = pkix.Name{
 			CommonName: rbac.KubeProxy,

docs/releases/1.19-NOTES.md

@@ -42,6 +42,8 @@ The expiration times vary randomly so that nodes are likely to have their certs
 
 * New command for deleting a single instance: [kops delete instance](/docs/cli/kops_delete_instance/)
 
+* Metrics Server is now available as a configurable addon. Add `spec.metricsServer.enabled: true` to the cluster spec to enable.
+
 # Breaking changes
 
 * Support for Kubernetes 1.9 and 1.10 has been removed.
@@ -62,6 +64,8 @@ The expiration times vary randomly so that nodes are likely to have their certs
 
 * Support for feature flag `Terraform-0.12` has been deprecated and will be removed in kops 1.20. All generated Terraform HCL2/JSON files will support versions `0.12.26+` and `0.13.0+`.
 
+* The [manifest based metrics server addon](https://github.com/kubernetes/kops/tree/master/addons/metrics-server) has been deprecated in favour of a configurable addon.
+
 # Full change list since 1.18.0 release
 
 ## v1.18.0-alpha.3 to v1.19.0-alpha.1

k8s/crds/kops.k8s.io_clusters.yaml

@@ -2088,6 +2088,16 @@ spec:
               masterPublicName:
                 description: MasterPublicName is the external DNS name for the master nodes
                 type: string
+              metricsServer:
+                description: MetricsServerConfig determines the metrics server configuration.
+                properties:
+                  enabled:
+                    description: 'Enabled enables the metrics server. Default: false'
+                    type: boolean
+                  image:
+                    description: 'Image is the docker container used. Default: the latest supported image for the specified kubernetes version.'
+                    type: string
+                type: object
               networkCIDR:
                 description: NetworkCIDR is the CIDR used for the AWS VPC / GCE Network, or otherwise allocated to k8s This is a real CIDR, not the internal k8s network On AWS, it maps to the VPC CIDR.  It is not required on GCE.
                 type: string

nodeup/pkg/model/kubelet.go

@@ -56,6 +56,12 @@ var _ fi.ModelBuilder = &KubeletBuilder{}
 
 // Build is responsible for building the kubelet configuration
 func (b *KubeletBuilder) Build(c *fi.ModelBuilderContext) error {
+
+	err := b.buildKubeletServingCertificate(c)
+	if err != nil {
+		return fmt.Errorf("error building kubelet server cert: %v", err)
+	}
+
 	kubeletConfig, err := b.buildKubeletConfig()
 	if err != nil {
 		return fmt.Errorf("error building kubelet config: %v", err)
@@ -226,6 +232,11 @@ func (b *KubeletBuilder) buildSystemdEnvironmentFile(kubeletConfig *kops.Kubelet
 		}
 	}
 
+	if b.UseKopsControllerForNodeBootstrap() {
+		flags += " --tls-cert-file=" + b.PathSrvKubernetes() + "/kubelet-server.crt"
+		flags += " --tls-private-key-file=" + b.PathSrvKubernetes() + "/kubelet-server.key"
+	}
+
 	sysconfig := "DAEMON_ARGS=\"" + flags + "\"\n"
 	// Makes kubelet read /root/.docker/config.json properly
 	sysconfig = sysconfig + "HOME=\"/root" + "\"\n"
@@ -538,3 +549,50 @@ func (b *KubeletBuilder) buildMasterKubeletKubeconfig(c *fi.ModelBuilderContext)
 
 	return b.BuildIssuedKubeconfig("kubelet", certName, c), nil
 }
+
+func (b *KubeletBuilder) buildKubeletServingCertificate(c *fi.ModelBuilderContext) error {
+
+	if b.UseKopsControllerForNodeBootstrap() {
+		name := "kubelet-server"
+		dir := b.PathSrvKubernetes()
+		signer := fi.CertificateIDCA
+
+		nodeName, err := b.NodeName()
+		if err != nil {
+			return err
+		}
+
+		if !b.IsMaster {
+			cert, key := b.GetBootstrapCert(name)
+
+			c.AddTask(&nodetasks.File{
+				Path:     filepath.Join(dir, name+".crt"),
+				Contents: cert,
+				Type:     nodetasks.FileType_File,
+				Mode:     fi.String("0644"),
+			})
+
+			c.AddTask(&nodetasks.File{
+				Path:     filepath.Join(dir, name+".key"),
+				Contents: key,
+				Type:     nodetasks.FileType_File,
+				Mode:     fi.String("0400"),
+			})
+
+		} else {
+			issueCert := &nodetasks.IssueCert{
+				Name:   name,
+				Signer: signer,
+				Type:   "server",
+				Subject: nodetasks.PKIXName{
+					CommonName: nodeName,
+				},
+				AlternateNames: []string{nodeName},
+			}
+			c.AddTask(issueCert)
+			return issueCert.AddFileTasks(c, dir, name, "", nil)
+		}
+	}
+	return nil
+
+}

pkg/apis/kops/cluster.go

@@ -160,6 +160,8 @@ type ClusterSpec struct {
 
 	// NodeTerminationHandlerConfig determines the cluster autoscaler configuration.
 	NodeTerminationHandler *NodeTerminationHandlerConfig `json:"nodeTerminationHandler,omitempty"`
+	// MetricsServerConfig determines the metrics server configuration.
+	MetricsServer *MetricsServerConfig `json:"metricsServer,omitempty"`
 
 	// Networking configuration
 	Networking *NetworkingSpec `json:"networking,omitempty"`

pkg/apis/kops/componentconfig.go

@@ -803,6 +803,16 @@ type ClusterAutoscalerConfig struct {
 	Image *string `json:"image,omitempty"`
 }
 
+// MetricsServerConfig determines the metrics server configuration.
+type MetricsServerConfig struct {
+	// Enabled enables the metrics server.
+	// Default: false
+	Enabled *bool `json:"enabled,omitempty"`
+	// Image is the docker container used.
+	// Default: the latest supported image for the specified kubernetes version.
+	Image *string `json:"image,omitempty"`
+}
+
 // HasAdmissionController checks if a specific admission controller is enabled
 func (c *KubeAPIServerConfig) HasAdmissionController(name string) bool {
 	for _, x := range c.AdmissionControl {

pkg/apis/kops/v1alpha2/cluster.go

@@ -159,6 +159,8 @@ type ClusterSpec struct {
 
 	// NodeTerminationHandlerConfig determines the cluster autoscaler configuration.
 	NodeTerminationHandler *NodeTerminationHandlerConfig `json:"nodeTerminationHandler,omitempty"`
+	// MetricsServerConfig determines the metrics server configuration.
+	MetricsServer *MetricsServerConfig `json:"metricsServer,omitempty"`
 
 	// Networking configuration
 	Networking *NetworkingSpec `json:"networking,omitempty"`

pkg/apis/kops/v1alpha2/componentconfig.go

@@ -804,6 +804,16 @@ type ClusterAutoscalerConfig struct {
 	Image *string `json:"image,omitempty"`
 }
 
+// MetricsServerConfig determines the metrics server configuration.
+type MetricsServerConfig struct {
+	// Enabled enables the metrics server.
+	// Default: false
+	Enabled *bool `json:"enabled,omitempty"`
+	// Image is the docker container used.
+	// Default: the latest supported image for the specified kubernetes version.
+	Image *string `json:"image,omitempty"`
+}
+
 // HasAdmissionController checks if a specific admission controller is enabled
 func (c *KubeAPIServerConfig) HasAdmissionController(name string) bool {
 	for _, x := range c.AdmissionControl {