Merge pull request #999 from wzshiming/feat/foreground-insecure-cluster

[kwokctl] Add --kube-apiserver-insecure-port for create cluster
kubernetes-sigs · Mar 26, 2024 · 864f788 · 864f788
2 parents 9cde19d + 248ba5a
commit 864f788
Show file tree

Hide file tree

Showing 18 changed files with 471 additions and 100 deletions.
diff --git a/pkg/apis/config/v1alpha1/kwokctl_configuration_types.go b/pkg/apis/config/v1alpha1/kwokctl_configuration_types.go
@@ -85,6 +85,14 @@ type KwokctlConfigurationOptions struct {
 	// is the default value for flag --kube-apiserver-port and env KWOK_KUBE_APISERVER_PORT
 	KubeApiserverPort uint32 `json:"kubeApiserverPort,omitempty"`
 
+	// KubeApiserverInsecurePort is the port to expose insecure apiserver.
+	// is the default value for flag --kube-apiserver-insecure-port and env KWOK_KUBE_APISERVER_INSECURE_PORT
+	KubeApiserverInsecurePort uint32 `json:"kubeApiserverInsecurePort,omitempty"`
+
+	// InsecureKubeconfig is the flag to use insecure kubeconfig.
+	// only available when KubeApiserverInsecurePort is set.
+	InsecureKubeconfig bool `json:"insecureKubeconfig,omitempty"`
+
 	// Runtime is the runtime to use.
 	// is the default value for flag --runtime and env KWOK_RUNTIME
 	Runtime string `json:"runtime,omitempty"`
@@ -215,6 +223,10 @@ type KwokctlConfigurationOptions struct {
 	// is the default value for flag --kube-scheduler-image and env KWOK_KUBE_SCHEDULER_IMAGE
 	KubeSchedulerImage string `json:"kubeSchedulerImage,omitempty"`
 
+	// KubectlImage is the image of kubectl.
+	// is the default value for flag --kubectl-image and env KWOK_KUBECTL_IMAGE
+	KubectlImage string `json:"kubectlImage,omitempty"`
+
 	// KwokControllerImage is the image of Kwok.
 	// is the default value for flag --controller-image and env KWOK_CONTROLLER_IMAGE
 	KwokControllerImage string `json:"kwokControllerImage,omitempty"`

diff --git a/pkg/apis/internalversion/kwokctl_configuration_types.go b/pkg/apis/internalversion/kwokctl_configuration_types.go
@@ -69,6 +69,13 @@ type KwokctlConfigurationOptions struct {
 	// KubeApiserverPort is the port to expose apiserver.
 	KubeApiserverPort uint32
 
+	// KubeApiserverInsecurePort is the port to expose kubectl proxy.
+	KubeApiserverInsecurePort uint32
+
+	// InsecureKubeconfig is the flag to use insecure kubeconfig.
+	// only available when KubeApiserverInsecurePort is set.
+	InsecureKubeconfig bool
+
 	// Runtime is the runtime to use.
 	Runtime string
 
@@ -144,6 +151,9 @@ type KwokctlConfigurationOptions struct {
 	// KubeSchedulerImage is the image of kube-scheduler.
 	KubeSchedulerImage string
 
+	// KubectlImage is the image of kubectl.
+	KubectlImage string
+
 	// KwokControllerImage is the image of Kwok.
 	KwokControllerImage string
 

diff --git a/pkg/apis/internalversion/zz_generated.conversion.go b/pkg/apis/internalversion/zz_generated.conversion.go
diff --git a/pkg/config/vars.go b/pkg/config/vars.go
@@ -257,6 +257,7 @@ func setKwokctlKubernetesConfig(conf *configv1alpha1.KwokctlConfigurationOptions
 	conf.KubeAdmission = envs.GetEnvWithPrefix("KUBE_ADMISSION", conf.KubeAdmission)
 
 	conf.KubeApiserverPort = envs.GetEnvWithPrefix("KUBE_APISERVER_PORT", conf.KubeApiserverPort)
+	conf.KubeApiserverInsecurePort = envs.GetEnvWithPrefix("KUBE_APISERVER_INSECURE_PORT", conf.KubeApiserverInsecurePort)
 
 	if conf.KubeFeatureGates == "" {
 		if conf.Mode == configv1alpha1.ModeStableFeatureGateAndAPI {
@@ -321,6 +322,11 @@ func setKwokctlKubernetesConfig(conf *configv1alpha1.KwokctlConfigurationOptions
 	}
 	conf.KubeSchedulerImage = envs.GetEnvWithPrefix("KUBE_SCHEDULER_IMAGE", conf.KubeSchedulerImage)
 
+	if conf.KubectlImage == "" {
+		conf.KubectlImage = joinImageURI(conf.KubeImagePrefix, "kubectl", conf.KubeVersion)
+	}
+	conf.KubectlImage = envs.GetEnvWithPrefix("KUBECTL_IMAGE", conf.KubectlImage)
+
 	conf.KubeSchedulerPort = envs.GetEnvWithPrefix("KUBE_SCHEDULER_PORT", conf.KubeSchedulerPort)
 }
 

diff --git a/pkg/consts/consts.go b/pkg/consts/consts.go
@@ -78,14 +78,15 @@ const (
 
 // The following components is provided.
 const (
-	ComponentEtcd                    = "etcd"
-	ComponentKubeApiserver           = "kube-apiserver"
-	ComponentKubeControllerManager   = "kube-controller-manager"
-	ComponentKubeScheduler           = "kube-scheduler"
-	ComponentKwokController          = "kwok-controller"
-	ComponentDashboard               = "dashboard"
-	ComponentDashboardMetricsScraper = "dashboard-metrics-scraper"
-	ComponentPrometheus              = "prometheus"
-	ComponentJaeger                  = "jaeger"
-	ComponentMetricsServer           = "metrics-server"
+	ComponentEtcd                       = "etcd"
+	ComponentKubeApiserver              = "kube-apiserver"
+	ComponentKubeApiserverInsecureProxy = "kube-apiserver-insecure-proxy"
+	ComponentKubeControllerManager      = "kube-controller-manager"
+	ComponentKubeScheduler              = "kube-scheduler"
+	ComponentKwokController             = "kwok-controller"
+	ComponentDashboard                  = "dashboard"
+	ComponentDashboardMetricsScraper    = "dashboard-metrics-scraper"
+	ComponentPrometheus                 = "prometheus"
+	ComponentJaeger                     = "jaeger"
+	ComponentMetricsServer              = "metrics-server"
 )
diff --git a/pkg/kwokctl/cmd/create/cluster/cluster.go b/pkg/kwokctl/cmd/create/cluster/cluster.go
@@ -62,6 +62,7 @@ func NewCommand(ctx context.Context) *cobra.Command {
 	}
 
 	cmd.Flags().Uint32Var(&flags.Options.KubeApiserverPort, "kube-apiserver-port", flags.Options.KubeApiserverPort, `Port of the apiserver (default random)`)
+	cmd.Flags().Uint32Var(&flags.Options.KubeApiserverInsecurePort, "kube-apiserver-insecure-port", flags.Options.KubeApiserverInsecurePort, `Insecure port of the apiserver`)
 	cmd.Flags().Uint32Var(&flags.Options.PrometheusPort, "prometheus-port", flags.Options.PrometheusPort, `Port to expose Prometheus metrics`)
 	cmd.Flags().Uint32Var(&flags.Options.JaegerPort, "jaeger-port", flags.Options.JaegerPort, `Port to expose Jaeger UI`)
 	cmd.Flags().BoolVar(&flags.Options.SecurePort, "secure-port", flags.Options.SecurePort, `The apiserver port on which to serve HTTPS with authentication and authorization, is not available before Kubernetes 1.13.0`)

diff --git a/pkg/kwokctl/components/kubectl_proxy.go b/pkg/kwokctl/components/kubectl_proxy.go
@@ -0,0 +1,116 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package components
+
+import (
+	"sigs.k8s.io/kwok/pkg/apis/internalversion"
+	"sigs.k8s.io/kwok/pkg/consts"
+	"sigs.k8s.io/kwok/pkg/log"
+	"sigs.k8s.io/kwok/pkg/utils/format"
+)
+
+// BuildKubectlProxyComponentConfig is the configuration for building a kubectl proxy component.
+type BuildKubectlProxyComponentConfig struct {
+	Runtime        string
+	ProjectName    string
+	Binary         string
+	Image          string
+	Workdir        string
+	BindAddress    string
+	Port           uint32
+	CaCertPath     string
+	AdminCertPath  string
+	AdminKeyPath   string
+	ConfigPath     string
+	KubeconfigPath string
+	Verbosity      log.Level
+}
+
+// BuildKubectlProxyComponent builds a kubectl proxy component.
+func BuildKubectlProxyComponent(conf BuildKubectlProxyComponentConfig) (component internalversion.Component, err error) {
+	kubectlProxyArgs := []string{}
+
+	var volumes []internalversion.Volume
+	var ports []internalversion.Port
+
+	kubectlProxyArgs = append(kubectlProxyArgs,
+		"proxy",
+		"--accept-hosts=^*$",
+		"--address="+conf.BindAddress,
+	)
+
+	if GetRuntimeMode(conf.Runtime) != RuntimeModeNative {
+		volumes = append(volumes,
+			internalversion.Volume{
+				HostPath:  conf.KubeconfigPath,
+				MountPath: "/root/.kube/config",
+				ReadOnly:  true,
+			},
+			internalversion.Volume{
+				HostPath:  conf.CaCertPath,
+				MountPath: "/etc/kubernetes/pki/ca.crt",
+				ReadOnly:  true,
+			},
+			internalversion.Volume{
+				HostPath:  conf.AdminCertPath,
+				MountPath: "/etc/kubernetes/pki/admin.crt",
+				ReadOnly:  true,
+			},
+			internalversion.Volume{
+				HostPath:  conf.AdminKeyPath,
+				MountPath: "/etc/kubernetes/pki/admin.key",
+				ReadOnly:  true,
+			},
+		)
+		kubectlProxyArgs = append(kubectlProxyArgs,
+			"--kubeconfig=/root/.kube/config",
+			"--port=8001",
+		)
+		ports = []internalversion.Port{
+			{
+				HostPort: conf.Port,
+				Port:     8001,
+			},
+		}
+	} else {
+		kubectlProxyArgs = append(kubectlProxyArgs,
+			"--kubeconfig="+conf.KubeconfigPath,
+			"--port="+format.String(conf.Port),
+		)
+	}
+
+	if conf.Verbosity != log.LevelInfo {
+		kubectlProxyArgs = append(kubectlProxyArgs, "--v="+format.String(log.ToKlogLevel(conf.Verbosity)))
+	}
+
+	envs := []internalversion.Env{}
+
+	return internalversion.Component{
+		Name: consts.ComponentKubeApiserverInsecureProxy,
+		Links: []string{
+			consts.ComponentKubeApiserver,
+		},
+		Command: []string{"kubectl"},
+		Volumes: volumes,
+		Args:    kubectlProxyArgs,
+		Binary:  conf.Binary,
+		Image:   conf.Image,
+		Ports:   ports,
+		WorkDir: conf.Workdir,
+		Envs:    envs,
+	}, nil
+}