From cbc7406629782a8c24d4f6942eaef9b6c40b3dc7 Mon Sep 17 00:00:00 2001 
From: Leonard Cohnen Date: Mon, 16 Oct 2023 19:15:35 +0200 Subject: [PATCH] remove konnectivity --- .../internal/kubernetes/k8sapi/BUILD.bazel | 1 - .../internal/kubernetes/k8sapi/k8sutil.go | 122 +---------- .../kubernetes/k8sapi/kubeadm_config.go | 14 +- .../kubernetes/k8sapi/resources/BUILD.bazel | 6 - .../k8sapi/resources/konnectivity.go | 205 ------------------ bootstrapper/internal/kubernetes/k8sutil.go | 5 +- .../internal/kubernetes/kubernetes.go | 4 +- .../internal/kubernetes/kubernetes_test.go | 27 +-- cli/internal/helm/BUILD.bazel | 7 - .../constellation-services/Chart.yaml | 8 - .../charts/konnectivity/.helmignore | 23 -- .../charts/konnectivity/Chart.yaml | 5 - .../templates/clusterrolebinding.yaml | 15 -- .../konnectivity/templates/daemonset.yaml | 76 ------- .../templates/serviceaccount.yaml | 8 - .../charts/konnectivity/values.schema.json | 21 -- .../charts/konnectivity/values.yaml | 1 - cli/internal/helm/imageversion/BUILD.bazel | 2 - cli/internal/helm/loader.go | 5 - cli/internal/helm/loader_test.go | 7 - .../templates/clusterrolebinding.yaml | 15 -- .../konnectivity/templates/daemonset.yaml | 76 ------- .../templates/serviceaccount.yaml | 8 - .../templates/clusterrolebinding.yaml | 15 -- .../konnectivity/templates/daemonset.yaml | 76 ------- .../templates/serviceaccount.yaml | 8 - .../templates/clusterrolebinding.yaml | 15 -- .../konnectivity/templates/daemonset.yaml | 76 ------- .../templates/serviceaccount.yaml | 8 - .../templates/clusterrolebinding.yaml | 15 -- .../konnectivity/templates/daemonset.yaml | 76 ------- .../templates/serviceaccount.yaml | 8 - .../templates/clusterrolebinding.yaml | 15 -- .../konnectivity/templates/daemonset.yaml | 76 ------- .../templates/serviceaccount.yaml | 8 - cli/internal/terraform/terraform/aws/main.tf | 6 - .../terraform/terraform/azure/main.tf | 1 - cli/internal/terraform/terraform/gcp/main.tf | 6 - .../terraform/terraform/openstack/main.tf | 11 - e2e/miniconstellation/test-remote.sh | 1 - 
internal/constants/constants.go | 2 - internal/versions/versions.go | 4 - 42 files changed, 20 insertions(+), 1068 deletions(-) delete mode 100644 bootstrapper/internal/kubernetes/k8sapi/resources/konnectivity.go delete mode 100644 cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/.helmignore delete mode 100644 cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/Chart.yaml delete mode 100644 cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/templates/clusterrolebinding.yaml delete mode 100644 cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/templates/daemonset.yaml delete mode 100644 cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/templates/serviceaccount.yaml delete mode 100644 cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/values.schema.json delete mode 100644 cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/values.yaml delete mode 100644 cli/internal/helm/testdata/AWS/constellation-services/charts/konnectivity/templates/clusterrolebinding.yaml delete mode 100644 cli/internal/helm/testdata/AWS/constellation-services/charts/konnectivity/templates/daemonset.yaml delete mode 100644 cli/internal/helm/testdata/AWS/constellation-services/charts/konnectivity/templates/serviceaccount.yaml delete mode 100644 cli/internal/helm/testdata/Azure/constellation-services/charts/konnectivity/templates/clusterrolebinding.yaml delete mode 100644 cli/internal/helm/testdata/Azure/constellation-services/charts/konnectivity/templates/daemonset.yaml delete mode 100644 cli/internal/helm/testdata/Azure/constellation-services/charts/konnectivity/templates/serviceaccount.yaml delete mode 100644 cli/internal/helm/testdata/GCP/constellation-services/charts/konnectivity/templates/clusterrolebinding.yaml delete mode 100644 
cli/internal/helm/testdata/GCP/constellation-services/charts/konnectivity/templates/daemonset.yaml delete mode 100644 cli/internal/helm/testdata/GCP/constellation-services/charts/konnectivity/templates/serviceaccount.yaml delete mode 100644 cli/internal/helm/testdata/OpenStack/constellation-services/charts/konnectivity/templates/clusterrolebinding.yaml delete mode 100644 cli/internal/helm/testdata/OpenStack/constellation-services/charts/konnectivity/templates/daemonset.yaml delete mode 100644 cli/internal/helm/testdata/OpenStack/constellation-services/charts/konnectivity/templates/serviceaccount.yaml delete mode 100644 cli/internal/helm/testdata/QEMU/constellation-services/charts/konnectivity/templates/clusterrolebinding.yaml delete mode 100644 cli/internal/helm/testdata/QEMU/constellation-services/charts/konnectivity/templates/daemonset.yaml delete mode 100644 cli/internal/helm/testdata/QEMU/constellation-services/charts/konnectivity/templates/serviceaccount.yaml diff --git a/bootstrapper/internal/kubernetes/k8sapi/BUILD.bazel b/bootstrapper/internal/kubernetes/k8sapi/BUILD.bazel index 92b1db37f5..85738d5007 100644 --- a/bootstrapper/internal/kubernetes/k8sapi/BUILD.bazel +++ b/bootstrapper/internal/kubernetes/k8sapi/BUILD.bazel @@ -20,7 +20,6 @@ go_library( "//internal/installer", "//internal/kubernetes", "//internal/logger", - "//internal/role", "//internal/versions/components", "@com_github_coreos_go_systemd_v22//dbus", "@com_github_spf13_afero//:afero", diff --git a/bootstrapper/internal/kubernetes/k8sapi/k8sutil.go b/bootstrapper/internal/kubernetes/k8sapi/k8sutil.go index f3ac2ae92e..230e5958f2 100644 --- a/bootstrapper/internal/kubernetes/k8sapi/k8sutil.go +++ b/bootstrapper/internal/kubernetes/k8sapi/k8sutil.go 
@@ -18,14 +18,12 @@ import ( "os" "os/exec" "path/filepath" - "strconv" "strings" "time" "github.com/edgelesssys/constellation/v2/bootstrapper/internal/certificate" "github.com/edgelesssys/constellation/v2/bootstrapper/internal/kubernetes/k8sapi/resources" "github.com/edgelesssys/constellation/v2/internal/constants" - "github.com/edgelesssys/constellation/v2/internal/role" "github.com/edgelesssys/constellation/v2/internal/versions/components" corev1 "k8s.io/api/core/v1" "k8s.io/apiserver/pkg/authentication/user" @@ -91,7 +89,7 @@ func (k *KubernetesUtil) InstallComponents(ctx context.Context, kubernetesCompon // InitCluster instruments kubeadm to initialize the K8s cluster. // On success an admin kubeconfig file is returned. func (k *KubernetesUtil) InitCluster( - ctx context.Context, initConfig []byte, nodeName, clusterName string, ips []net.IP, controlPlaneHost, controlPlanePort string, conformanceMode bool, log *logger.Logger, + ctx context.Context, initConfig []byte, nodeName, clusterName string, ips []net.IP, conformanceMode bool, log *logger.Logger, ) ([]byte, error) { // TODO(3u13r): audit policy should be user input auditPolicy, err := resources.NewDefaultAuditPolicy().Marshal() @@ -147,12 +145,6 @@ func (k *KubernetesUtil) InitCluster( return nil, fmt.Errorf("creating static pods directory: %w", err) } - log.Infof("Preparing node for Konnectivity") - controlPlaneEndpoint := net.JoinHostPort(controlPlaneHost, controlPlanePort) - if err := k.prepareControlPlaneForKonnectivity(ctx, controlPlaneEndpoint); err != nil { - return nil, fmt.Errorf("setup konnectivity: %w", err) - } - // initialize the cluster log.Infof("Initializing the cluster using kubeadm init") skipPhases := "--skip-phases=preflight,certs" 
@@ -190,56 +182,6 @@ func (k *KubernetesUtil) InitCluster( return out, nil } -func (k *KubernetesUtil) prepareControlPlaneForKonnectivity(ctx context.Context, loadBalancerEndpoint string) error { - if !strings.Contains(loadBalancerEndpoint, ":") { - loadBalancerEndpoint = net.JoinHostPort(loadBalancerEndpoint, strconv.Itoa(constants.KubernetesPort)) - } - - konnectivityServerYaml, err := resources.NewKonnectivityServerStaticPod().Marshal() - if err != nil { - return fmt.Errorf("generating konnectivity server static pod: %w", err) - } - if err := os.WriteFile("/etc/kubernetes/manifests/konnectivity-server.yaml", konnectivityServerYaml, 0o644); err != nil { - return fmt.Errorf("writing konnectivity server pod: %w", err) - } - - egressConfigYaml, err := resources.NewEgressSelectorConfiguration().Marshal() - if err != nil { - return fmt.Errorf("generating egress selector configuration: %w", err) - } - if err := os.WriteFile("/etc/kubernetes/egress-selector-configuration.yaml", egressConfigYaml, 0o644); err != nil { - return fmt.Errorf("writing egress selector config: %w", err) - } - - if err := k.createSignedKonnectivityCert(); err != nil { - return fmt.Errorf("generating konnectivity server certificate: %w", err) - } - - if out, err := exec.CommandContext(ctx, constants.KubectlPath, "config", "set-credentials", "--kubeconfig", "/etc/kubernetes/konnectivity-server.conf", "system:konnectivity-server", - "--client-certificate", "/etc/kubernetes/konnectivity.crt", "--client-key", "/etc/kubernetes/konnectivity.key", "--embed-certs=true").CombinedOutput(); err != nil { - return fmt.Errorf("konnectivity kubeconfig set-credentials: %w, %s", err, string(out)) - } - if out, err := exec.CommandContext(ctx, constants.KubectlPath, "--kubeconfig", "/etc/kubernetes/konnectivity-server.conf", "config", "set-cluster", "kubernetes", "--server", "https://"+loadBalancerEndpoint, - "--certificate-authority", "/etc/kubernetes/pki/ca.crt", "--embed-certs=true").CombinedOutput(); err != nil 
{ - return fmt.Errorf("konnectivity kubeconfig set-cluster: %w, %s", err, string(out)) - } - if out, err := exec.CommandContext(ctx, constants.KubectlPath, "--kubeconfig", "/etc/kubernetes/konnectivity-server.conf", "config", "set-context", "system:konnectivity-server@kubernetes", - "--cluster", "kubernetes", "--user", "system:konnectivity-server").CombinedOutput(); err != nil { - return fmt.Errorf("konnectivity kubeconfig set-context: %w, %s", err, string(out)) - } - if out, err := exec.CommandContext(ctx, constants.KubectlPath, "--kubeconfig", "/etc/kubernetes/konnectivity-server.conf", "config", "use-context", "system:konnectivity-server@kubernetes").CombinedOutput(); err != nil { - return fmt.Errorf("konnectivity kubeconfig use-context: %w, %s", err, string(out)) - } - // cleanup - if err := os.Remove("/etc/kubernetes/konnectivity.crt"); err != nil { - return fmt.Errorf("removing konnectivity certificate: %w", err) - } - if err := os.Remove("/etc/kubernetes/konnectivity.key"); err != nil { - return fmt.Errorf("removing konnectivity key: %w", err) - } - return nil -} - // SetupPodNetworkInput holds all configuration options to setup the pod network. type SetupPodNetworkInput struct { CloudProvider string @@ -316,7 +258,7 @@ func (k *KubernetesUtil) FixCilium(ctx context.Context) error { } // JoinCluster joins existing Kubernetes cluster using kubeadm join. -func (k *KubernetesUtil) JoinCluster(ctx context.Context, joinConfig []byte, peerRole role.Role, controlPlaneHost, controlPlanePort string, log *logger.Logger) error { +func (k *KubernetesUtil) JoinCluster(ctx context.Context, joinConfig []byte, log *logger.Logger) error { // TODO(3u13r): audit policy should be user input auditPolicy, err := resources.NewDefaultAuditPolicy().Marshal() if err != nil { 
@@ -341,14 +283,6 @@ func (k *KubernetesUtil) JoinCluster(ctx context.Context, joinConfig []byte, pee return fmt.Errorf("creating static pods directory: %w", err) } - if peerRole == role.ControlPlane { - log.Infof("Prep Init Kubernetes cluster") - controlPlaneEndpoint := net.JoinHostPort(controlPlaneHost, controlPlanePort) - if err := k.prepareControlPlaneForKonnectivity(ctx, controlPlaneEndpoint); err != nil { - return fmt.Errorf("setup konnectivity: %w", err) - } - } - // run `kubeadm join` to join a worker node to an existing Kubernetes cluster cmd := exec.CommandContext(ctx, constants.KubeadmPath, "join", "-v=5", "--config", joinConfigFile.Name()) out, err := cmd.CombinedOutput() 
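Review bot: The surviving comment `run kubeadm join to join a worker node to an existing Kubernetes cluster` is now misleading, because the removed `peerRole == role.ControlPlane` branch shows control-plane nodes also pass through this function, and after this change nothing in JoinCluster distinguishes the two roles. Suggest rewording it to `// run kubeadm join; whether the node joins as a worker or a control-plane node is presumably determined by joinConfig` so the next reader does not assume a separate control-plane path exists. JoinCluster's body continues past the end of this hunk.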
@@ -435,58 +369,6 @@ func (k *KubernetesUtil) createSignedKubeletCert(nodeName string, ips []net.IP) return k.file.Write(certificate.CertificateFilename, kubeletCert, file.OptMkdirAll) } -// createSignedKonnectivityCert manually creates a Kubernetes CA signed certificate for the Konnectivity server. -func (k *KubernetesUtil) createSignedKonnectivityCert() error { - // Create CSR - certRequestRaw, keyPem, err := resources.GetKonnectivityCertificateRequest() - if err != nil { - return err - } - if err := k.file.Write(resources.KonnectivityKeyFilename, keyPem, file.OptMkdirAll); err != nil { - return err - } - - certRequest, err := x509.ParseCertificateRequest(certRequestRaw) - if err != nil { - return err - } - - // Prepare certificate signing - serialNumber, err := crypto.GenerateCertificateSerialNumber() - if err != nil { - return err - } - - now := time.Now() - // Create the kubelet certificate - // For a reference on the certificate fields, see: https://kubernetes.io/docs/setup/best-practices/certificates/ - certTmpl := &x509.Certificate{ - SerialNumber: serialNumber, - NotBefore: now.Add(-2 * time.Hour), - NotAfter: now.Add(24 * 365 * time.Hour), - Subject: certRequest.Subject, - } - - parentCert, parentKey, err := k.getKubernetesCACertAndKey() - if err != nil { - return err - } - - // Sign the certificate - certRaw, err := x509.CreateCertificate(rand.Reader, certTmpl, parentCert, certRequest.PublicKey, parentKey) - if err != nil { - return err - } - - // Write the certificate - konnectivityCert := pem.EncodeToMemory(&pem.Block{ - Type: "CERTIFICATE", - Bytes: certRaw, - }) - - return k.file.Write(resources.KonnectivityCertificateFilename, konnectivityCert, file.OptMkdirAll) -} - // getKubernetesCACertAndKey returns the Kubernetes CA certificate and key. // The key of type `any` can be consumed by `x509.CreateCertificate()`. func (k *KubernetesUtil) getKubernetesCACertAndKey() (*x509.Certificate, any, error) { 
diff --git a/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go b/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go
index 28bdc5454c..b54fcd9b4a 100644
--- a/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go
@@ -71,10 +71,9 @@ func (c *KubdeadmConfiguration) InitConfiguration(externalCloudProvider bool, cl
 "audit-log-path": filepath.Join(auditLogDir, auditLogFile), // CIS benchmark
 "audit-log-maxage": "30", // CIS benchmark - Default value of Rancher
 // log size = 10 files * 100MB + 100 MB (which is currently being written) = 1.1GB
- "audit-log-maxbackup": "10", // CIS benchmark - Default value of Rancher
- "audit-log-maxsize": "100", // CIS benchmark - Default value of Rancher
- "profiling": "false", // CIS benchmark
- "egress-selector-config-file": "/etc/kubernetes/egress-selector-configuration.yaml",
+ "audit-log-maxbackup": "10", // CIS benchmark - Default value of Rancher
+ "audit-log-maxsize": "100", // CIS benchmark - Default value of Rancher
+ "profiling": "false", // CIS benchmark
 "kubelet-certificate-authority": filepath.Join(
 kubeconstants.KubernetesDir,
 kubeconstants.DefaultCertificateDir,
@@ -111,13 +110,6 @@ func (c *KubdeadmConfiguration) InitConfiguration(externalCloudProvider bool, cl
 ReadOnly: true,
 PathType: corev1.HostPathFile,
 },
- {
- Name: "konnectivity-uds",
- HostPath: "/run/konnectivity-server",
- MountPath: "/run/konnectivity-server",
- ReadOnly: false,
- PathType: corev1.HostPathDirectoryOrCreate,
- },
 },
 },
 CertSANs: []string{"127.0.0.1"},
diff --git a/bootstrapper/internal/kubernetes/k8sapi/resources/BUILD.bazel b/bootstrapper/internal/kubernetes/k8sapi/resources/BUILD.bazel
index 7995fd78e2..9058b3d6b8 100644
--- a/bootstrapper/internal/kubernetes/k8sapi/resources/BUILD.bazel
+++ b/bootstrapper/internal/kubernetes/k8sapi/resources/BUILD.bazel
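Review bot: Dropping `egress-selector-config-file` from the apiserver args means apiserver-to-kubelet traffic (exec, logs, port-forward) and apiserver-to-service/webhook traffic is now dialed directly from the control plane instead of through the konnectivity tunnel, so the cloud firewall and any network policy must allow control-plane nodes to reach worker kubelets on their serving port; the terraform hunks that presumably adjust this are not in view in this chunk. The kept `kubelet-certificate-authority` line is what keeps the direct path authenticated (the apiserver still verifies kubelet serving certs against the cluster CA), and that dependency deserves a one-line comment next to it, e.g. `// kubelets are dialed directly (no egress proxy), so their serving certs must chain to the cluster CA`. Note this only changes the configuration written for newly initialized control planes; clusters bootstrapped before this change presumably still carry the flag in their stored kubeadm ClusterConfiguration and the konnectivity-server static pod manifest on disk, so an upgrade/migration step seems needed unless it is handled elsewhere. InitConfiguration starts and ends outside these two hunks.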
@@ -5,19 +5,13 @@ go_library( name = "resources", srcs = [ "auditpolicy.go", - "konnectivity.go", "resources.go", ], importpath = "github.com/edgelesssys/constellation/v2/bootstrapper/internal/kubernetes/k8sapi/resources", visibility = ["//bootstrapper:__subpackages__"], deps = [ - "//bootstrapper/internal/certificate", "//internal/kubernetes", - "//internal/versions", - "@io_k8s_api//core/v1:core", "@io_k8s_apimachinery//pkg/apis/meta/v1:meta", - "@io_k8s_apimachinery//pkg/util/intstr", - "@io_k8s_apiserver//pkg/apis/apiserver", "@io_k8s_apiserver//pkg/apis/audit/v1:audit", ], ) diff --git a/bootstrapper/internal/kubernetes/k8sapi/resources/konnectivity.go b/bootstrapper/internal/kubernetes/k8sapi/resources/konnectivity.go deleted file mode 100644 index e527363990..0000000000 --- a/bootstrapper/internal/kubernetes/k8sapi/resources/konnectivity.go +++ /dev/null 
@@ -1,205 +0,0 @@ -/* -Copyright (c) Edgeless Systems GmbH - -SPDX-License-Identifier: AGPL-3.0-only -*/ - -package resources - -import ( - "crypto/x509" - "crypto/x509/pkix" - - "github.com/edgelesssys/constellation/v2/bootstrapper/internal/certificate" - "github.com/edgelesssys/constellation/v2/internal/kubernetes" - "github.com/edgelesssys/constellation/v2/internal/versions" - corev1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/util/intstr" - "k8s.io/apiserver/pkg/apis/apiserver" -) - -const ( - // KonnectivityCertificateFilename is the path to the kubelets certificate. - KonnectivityCertificateFilename = "/etc/kubernetes/konnectivity.crt" - // KonnectivityKeyFilename is the path to the kubelets private key. - KonnectivityKeyFilename = "/etc/kubernetes/konnectivity.key" -) - -// KonnectivityServerStaticPod deployment. -type KonnectivityServerStaticPod struct { - StaticPod corev1.Pod -} - -// EgressSelectorConfiguration deployment. -type EgressSelectorConfiguration struct { - EgressSelectorConfiguration apiserver.EgressSelectorConfiguration -} - -// NewKonnectivityServerStaticPod create a new KonnectivityServerStaticPod. -func NewKonnectivityServerStaticPod() *KonnectivityServerStaticPod { - udsHostPathType := corev1.HostPathDirectoryOrCreate - return &KonnectivityServerStaticPod{ - StaticPod: corev1.Pod{ - TypeMeta: metav1.TypeMeta{ - APIVersion: "v1", - Kind: "Pod", - }, - ObjectMeta: metav1.ObjectMeta{ - Name: "konnectivity-server", - Namespace: "kube-system", - }, - Spec: corev1.PodSpec{ - PriorityClassName: "system-cluster-critical", - HostNetwork: true, - Containers: []corev1.Container{ - { - Name: "konnectivity-server-container", - Image: versions.KonnectivityServerImage, - Command: []string{"/proxy-server"}, - Args: []string{ - "--logtostderr=true", - // This needs to be consistent with the value set in egressSelectorConfiguration. 
- "--uds-name=/run/konnectivity-server/konnectivity-server.socket", - // Clean up existing UDS file before starting the server in case the server crashed at some point. - "--delete-existing-uds-file=true", - // The following two lines assume the Konnectivity server is - // deployed on the same machine as the apiserver, and the certs and - // key of the API Server are at the specified location. - "--cluster-cert=/etc/kubernetes/pki/apiserver.crt", - "--cluster-key=/etc/kubernetes/pki/apiserver.key", - // This needs to be consistent with the value set in egressSelectorConfiguration. - "--mode=grpc", - "--server-port=0", - "--agent-port=8132", - "--admin-port=8133", - "--health-port=8134", - "--v=5", - "--agent-namespace=kube-system", - "--agent-service-account=konnectivity-agent", - "--kubeconfig=/etc/kubernetes/konnectivity-server.conf", - "--authentication-audience=system:konnectivity-server", - "--proxy-strategies=default", - }, - LivenessProbe: &corev1.Probe{ - ProbeHandler: corev1.ProbeHandler{ - HTTPGet: &corev1.HTTPGetAction{ - Path: "/healthz", - Port: intstr.FromInt(8134), - }, - }, - InitialDelaySeconds: 30, - TimeoutSeconds: 60, - }, - Ports: []corev1.ContainerPort{ - { - Name: "agent-port", - ContainerPort: 8132, - HostPort: 8132, - }, - { - Name: "admin-port", - ContainerPort: 8133, - HostPort: 8133, - }, - { - Name: "health-port", - ContainerPort: 8134, - HostPort: 8134, - }, - }, - VolumeMounts: []corev1.VolumeMount{ - { - Name: "k8s-certs", - MountPath: "/etc/kubernetes/pki", - ReadOnly: true, - }, - { - Name: "kubeconfig", - MountPath: "/etc/kubernetes/konnectivity-server.conf", - ReadOnly: true, - }, - { - Name: "konnectivity-uds", - MountPath: "/run/konnectivity-server", - ReadOnly: false, - }, - }, - }, - }, - Volumes: []corev1.Volume{ - { - Name: "k8s-certs", - VolumeSource: corev1.VolumeSource{ - HostPath: &corev1.HostPathVolumeSource{ - Path: "/etc/kubernetes/pki", - }, - }, - }, - { - Name: "kubeconfig", - VolumeSource: corev1.VolumeSource{ - 
HostPath: &corev1.HostPathVolumeSource{ - Path: "/etc/kubernetes/konnectivity-server.conf", - }, - }, - }, - { - Name: "konnectivity-uds", - VolumeSource: corev1.VolumeSource{ - HostPath: &corev1.HostPathVolumeSource{ - Path: "/run/konnectivity-server", - Type: &udsHostPathType, - }, - }, - }, - }, - }, - }, - } -} - -// NewEgressSelectorConfiguration creates a new EgressSelectorConfiguration. -func NewEgressSelectorConfiguration() *EgressSelectorConfiguration { - return &EgressSelectorConfiguration{ - EgressSelectorConfiguration: apiserver.EgressSelectorConfiguration{ - TypeMeta: metav1.TypeMeta{ - APIVersion: "apiserver.k8s.io/v1beta1", - Kind: "EgressSelectorConfiguration", - }, - EgressSelections: []apiserver.EgressSelection{ - { - Name: "cluster", - Connection: apiserver.Connection{ - ProxyProtocol: "GRPC", - Transport: &apiserver.Transport{ - UDS: &apiserver.UDSTransport{ - UDSName: "/run/konnectivity-server/konnectivity-server.socket", - }, - }, - }, - }, - }, - }, - } -} - -// Marshal to Kubernetes YAML. -func (v *KonnectivityServerStaticPod) Marshal() ([]byte, error) { - return kubernetes.MarshalK8SResources(v) -} - -// Marshal to Kubernetes YAML. -func (v *EgressSelectorConfiguration) Marshal() ([]byte, error) { - return kubernetes.MarshalK8SResources(v) -} - -// GetKonnectivityCertificateRequest returns a certificate request and matching private key for the konnectivity server. -func GetKonnectivityCertificateRequest() (certificateRequest []byte, privateKey []byte, err error) { - csrTemplate := &x509.CertificateRequest{ - Subject: pkix.Name{ - CommonName: "system:konnectivity-server", - }, - } - return certificate.GetCertificateRequest(csrTemplate) -} diff --git a/bootstrapper/internal/kubernetes/k8sutil.go b/bootstrapper/internal/kubernetes/k8sutil.go index d8bf72f238..070f2a1de2 100644 --- a/bootstrapper/internal/kubernetes/k8sutil.go +++ b/bootstrapper/internal/kubernetes/k8sutil.go 
@@ -11,14 +11,13 @@ import ( "net" "github.com/edgelesssys/constellation/v2/internal/logger" - "github.com/edgelesssys/constellation/v2/internal/role" "github.com/edgelesssys/constellation/v2/internal/versions/components" ) type clusterUtil interface { InstallComponents(ctx context.Context, kubernetesComponents components.Components) error - InitCluster(ctx context.Context, initConfig []byte, nodeName, clusterName string, ips []net.IP, controlPlaneHost, controlPlanePort string, conformanceMode bool, log *logger.Logger) ([]byte, error) - JoinCluster(ctx context.Context, joinConfig []byte, peerRole role.Role, controlPlaneHost, controlPlanePort string, log *logger.Logger) error + InitCluster(ctx context.Context, initConfig []byte, nodeName, clusterName string, ips []net.IP, conformanceMode bool, log *logger.Logger) ([]byte, error) + JoinCluster(ctx context.Context, joinConfig []byte, log *logger.Logger) error WaitForCilium(ctx context.Context, log *logger.Logger) error FixCilium(ctx context.Context) error StartKubelet() error diff --git a/bootstrapper/internal/kubernetes/kubernetes.go b/bootstrapper/internal/kubernetes/kubernetes.go index cb8ee8f47e..d2b86972eb 100644 --- a/bootstrapper/internal/kubernetes/kubernetes.go +++ b/bootstrapper/internal/kubernetes/kubernetes.go @@ -133,7 +133,7 @@ func (k *KubeWrapper) InitCluster( return nil, fmt.Errorf("encoding kubeadm init configuration as YAML: %w", err) } log.Infof("Initializing Kubernetes cluster") - kubeConfig, err := k.clusterUtil.InitCluster(ctx, initConfigYAML, nodeName, clusterName, validIPs, controlPlaneHost, controlPlanePort, conformanceMode, log) + kubeConfig, err := k.clusterUtil.InitCluster(ctx, initConfigYAML, nodeName, clusterName, validIPs, conformanceMode, log) if err != nil { return nil, fmt.Errorf("kubeadm init: %w", err) } 
@@ -238,7 +238,7 @@ func (k *KubeWrapper) JoinCluster(ctx context.Context, args *kubeadm.BootstrapTo return fmt.Errorf("encoding kubeadm join configuration as YAML: %w", err) } log.With(zap.String("apiServerEndpoint", args.APIServerEndpoint)).Infof("Joining Kubernetes cluster") - if err := k.clusterUtil.JoinCluster(ctx, joinConfigYAML, peerRole, loadBalancerHost, loadBalancerPort, log); err != nil { + if err := k.clusterUtil.JoinCluster(ctx, joinConfigYAML, log); err != nil { return fmt.Errorf("joining cluster: %v; %w ", string(joinConfigYAML), err) } diff --git a/bootstrapper/internal/kubernetes/kubernetes_test.go b/bootstrapper/internal/kubernetes/kubernetes_test.go index 11f49d6997..76e1ef258e 100644 --- a/bootstrapper/internal/kubernetes/kubernetes_test.go +++ b/bootstrapper/internal/kubernetes/kubernetes_test.go @@ -420,16 +420,15 @@ func TestK8sCompliantHostname(t *testing.T) { } type stubClusterUtil struct { - installComponentsErr error - initClusterErr error - setupAutoscalingError error - setupKonnectivityError error - setupGCPGuestAgentErr error - setupOLMErr error - setupNMOErr error - setupNodeOperatorErr error - joinClusterErr error - startKubeletErr error + installComponentsErr error + initClusterErr error + setupAutoscalingError error + setupGCPGuestAgentErr error + setupOLMErr error + setupNMOErr error + setupNodeOperatorErr error + joinClusterErr error + startKubeletErr error kubeconfig []byte 
@@ -437,15 +436,11 @@ type stubClusterUtil struct { joinConfigs [][]byte } -func (s *stubClusterUtil) SetupKonnectivity(_ k8sapi.Client, _ kubernetes.Marshaler) error { - return s.setupKonnectivityError -} - func (s *stubClusterUtil) InstallComponents(_ context.Context, _ components.Components) error { return s.installComponentsErr } -func (s *stubClusterUtil) InitCluster(_ context.Context, initConfig []byte, _, _ string, _ []net.IP, _, _ string, _ bool, _ *logger.Logger) ([]byte, error) { +func (s *stubClusterUtil) InitCluster(_ context.Context, initConfig []byte, _, _ string, _ []net.IP, _ bool, _ *logger.Logger) ([]byte, error) { s.initConfigs = append(s.initConfigs, initConfig) return s.kubeconfig, s.initClusterErr } @@ -470,7 +465,7 @@ func (s *stubClusterUtil) SetupNodeOperator(_ context.Context, _ k8sapi.Client, return s.setupNodeOperatorErr } -func (s *stubClusterUtil) JoinCluster(_ context.Context, joinConfig []byte, _ role.Role, _, _ string, _ *logger.Logger) error { +func (s *stubClusterUtil) JoinCluster(_ context.Context, joinConfig []byte, _ *logger.Logger) error { s.joinConfigs = append(s.joinConfigs, joinConfig) return s.joinClusterErr } diff --git a/cli/internal/helm/BUILD.bazel b/cli/internal/helm/BUILD.bazel index b615076154..9099211a12 100644 --- a/cli/internal/helm/BUILD.bazel +++ b/cli/internal/helm/BUILD.bazel 
@@ -242,13 +242,6 @@ go_library( "charts/edgeless/constellation-services/charts/key-service/templates/serviceaccount.yaml", "charts/edgeless/constellation-services/charts/key-service/values.schema.json", "charts/edgeless/constellation-services/charts/key-service/values.yaml", - "charts/edgeless/constellation-services/charts/konnectivity/.helmignore", - "charts/edgeless/constellation-services/charts/konnectivity/Chart.yaml", - "charts/edgeless/constellation-services/charts/konnectivity/templates/clusterrolebinding.yaml", - "charts/edgeless/constellation-services/charts/konnectivity/templates/daemonset.yaml", - "charts/edgeless/constellation-services/charts/konnectivity/templates/serviceaccount.yaml", - "charts/edgeless/constellation-services/charts/konnectivity/values.schema.json", - "charts/edgeless/constellation-services/charts/konnectivity/values.yaml", "charts/edgeless/constellation-services/charts/verification-service/.helmignore", "charts/edgeless/constellation-services/charts/verification-service/Chart.yaml", "charts/edgeless/constellation-services/charts/verification-service/templates/daemonset.yaml", diff --git a/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml b/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml index 87a6d0c4e2..4cabb55284 100644 --- a/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml +++ b/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml @@ -45,14 +45,6 @@ dependencies: - GCP - OpenStack - QEMU - - name: konnectivity - version: 0.0.0 - tags: - - AWS - - Azure - - GCP - - OpenStack - - QEMU - name: gcp-guest-agent version: 0.0.0 tags: diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/.helmignore b/cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/.helmignore deleted file mode 100644 index 0e8a0eb36f..0000000000 
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/.helmignore +++ /dev/null @@ -1,23 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/Chart.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/Chart.yaml deleted file mode 100644 index 010e5d0712..0000000000 --- a/cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/Chart.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v2 -name: konnectivity -description: A chart to deploy konnectivity for Constellation -type: application -version: 0.0.0 diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/templates/clusterrolebinding.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/templates/clusterrolebinding.yaml deleted file mode 100644 index f189cb6a3f..0000000000 --- a/cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - addonmanager.kubernetes.io/mode: Reconcile - kubernetes.io/cluster-service: "true" - name: system:konnectivity-server -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: User - name: system:konnectivity-server 
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/templates/daemonset.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/templates/daemonset.yaml deleted file mode 100644 index d195e80365..0000000000 --- a/cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/templates/daemonset.yaml +++ /dev/null 
@@ -1,76 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- labels:
- addonmanager.kubernetes.io/mode: Reconcile
- k8s-app: konnectivity-agent
- name: konnectivity-agent
- namespace: {{ .Release.Namespace }}
-spec:
- selector:
- matchLabels:
- k8s-app: konnectivity-agent
- template:
- metadata:
- labels:
- k8s-app: konnectivity-agent
- spec:
- containers:
- - args:
- - --logtostderr=true
- - --proxy-server-host={{ .Values.loadBalancerIP }}
- - --ca-cert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- - --proxy-server-port=8132
- - --admin-server-port=8133
- - --health-server-port={{ .Values.healthServerPort }}
- - --service-account-token-path=/var/run/secrets/tokens/konnectivity-agent-token
- - --agent-identifiers=host=$(HOST_IP)
- - --sync-forever=true
- - --keepalive-time=60m
- - --sync-interval=5s
- - --sync-interval-cap=30s
- - --probe-interval=5s
- - --v=3
- command:
- - /proxy-agent
- env:
- - name: HOST_IP
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: status.hostIP
- image: {{ .Values.image | quote }}
- livenessProbe:
- httpGet:
- path: /healthz
- port: {{ .Values.healthServerPort }}
- initialDelaySeconds: 15
- timeoutSeconds: 15
- name: konnectivity-agent
- resources: {}
- volumeMounts:
- - mountPath: /var/run/secrets/tokens
- name: konnectivity-agent-token
- readOnly: true
- priorityClassName: system-cluster-critical
- serviceAccountName: konnectivity-agent
- tolerations:
- - effect: NoSchedule
- key: node-role.kubernetes.io/master
- operator: Exists
- - effect: NoSchedule
- key: node-role.kubernetes.io/control-plane
- operator: Exists
- - key: CriticalAddonsOnly
- operator: Exists
- - effect: NoExecute
- key: node.kubernetes.io/not-ready
- operator: Exists
- volumes:
- - name: konnectivity-agent-token
- projected:
- sources:
- - serviceAccountToken:
- audience: system:konnectivity-server
- path: konnectivity-agent-token
- updateStrategy: {}
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/templates/serviceaccount.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/templates/serviceaccount.yaml
deleted file mode 100644
index d48b234303..0000000000
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- addonmanager.kubernetes.io/mode: Reconcile
- kubernetes.io/cluster-service: "true"
- name: konnectivity-agent
- namespace: {{ .Release.Namespace }}
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/values.schema.json b/cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/values.schema.json
deleted file mode 100644
index 50f9c0de30..0000000000
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/values.schema.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "$schema": "https://json-schema.org/draft-07/schema#",
- "properties": {
- "image": {
- "description": "Container image to use for the spawned pods.",
- "type": "string",
- "examples": ["us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-agent:v0.0.33@sha256:48f2a4ec3e10553a81b8dd1c6fa5fe4bcc9617f78e71c1ca89c6921335e2d7da"]
- },
- "loadBalancerIP": {
- "description": "IP of the loadbalancer serving the control plane.",
- "type": "string",
- "examples": ["10.4.0.1"]
- }
- },
- "required": [
- "image",
- "loadBalancerIP"
- ],
- "title": "Values",
- "type": "object"
-}
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/values.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/values.yaml
deleted file mode 100644
index 61ffc1a85c..0000000000
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/values.yaml
+++ /dev/null
@@ -1 +0,0 @@
-healthServerPort: 8134
diff --git a/cli/internal/helm/imageversion/BUILD.bazel b/cli/internal/helm/imageversion/BUILD.bazel
index eed0e184ec..b424e288af 100644
--- a/cli/internal/helm/imageversion/BUILD.bazel
+++ b/cli/internal/helm/imageversion/BUILD.bazel
@@ -33,7 +33,5 @@ go_library(
 # TODO(malt3): add missing third-party images
 # - logstash
 # - filebeat
-# - konnectivity-agent
-# - konnectivity-server
 # - node-maintenance-operator
 # - gcp-guest-agent
diff --git a/cli/internal/helm/loader.go b/cli/internal/helm/loader.go
index c91ec96e71..6427517cca 100644
--- a/cli/internal/helm/loader.go
+++ b/cli/internal/helm/loader.go
@@ -67,7 +67,6 @@ type chartLoader struct {
 autoscalerImage string
 verificationServiceImage string
 gcpGuestAgentImage string
- konnectivityImage string
 constellationOperatorImage string
 nodeMaintenanceOperatorImage string
 clusterName string
@@ -105,7 +104,6 @@ func newLoader(config *config.Config, stateFile *state.State, cliVersion semver.
 autoscalerImage: versions.VersionConfigs[k8sVersion].ClusterAutoscalerImage,
 verificationServiceImage: imageversion.VerificationService("", ""),
 gcpGuestAgentImage: versions.GcpGuestImage,
- konnectivityImage: versions.KonnectivityAgentImage,
 constellationOperatorImage: imageversion.ConstellationNodeOperator("", ""),
 nodeMaintenanceOperatorImage: versions.NodeMaintenanceOperatorImage,
 }
@@ -307,9 +305,6 @@ func (i *chartLoader) loadConstellationServicesValues() map[string]any {
 "gcp-guest-agent": map[string]any{
 "image": i.gcpGuestAgentImage,
 },
- "konnectivity": map[string]any{
- "image": i.konnectivityImage,
- },
 "tags": i.cspTags(),
 }
 }
diff --git a/cli/internal/helm/loader_test.go b/cli/internal/helm/loader_test.go
index 1fd5c03dfb..c91dbbf619 100644
--- a/cli/internal/helm/loader_test.go
+++ b/cli/internal/helm/loader_test.go
@@ -171,7 +171,6 @@ func TestConstellationServices(t *testing.T) {
 azureCNMImage: tc.cnmImage,
 autoscalerImage: "autoscalerImage",
 verificationServiceImage: "verificationImage",
- konnectivityImage: "konnectivityImage",
 gcpGuestAgentImage: "gcpGuestAgentImage",
 clusterName: "testCluster",
 }
@@ -384,12 +383,6 @@ func addInClusterValues(values map[string]any, csp cloudprovider.Provider) error
 }
 verificationVals["loadBalancerIP"] = "127.0.0.1"
 
- konnectivityVals, ok := values["konnectivity"].(map[string]any)
- if !ok {
- return errors.New("missing 'konnectivity' key")
- }
- konnectivityVals["loadBalancerIP"] = "127.0.0.1"
-
 ccmVals, ok := values["ccm"].(map[string]any)
 if !ok {
 return errors.New("missing 'ccm' key")
diff --git a/cli/internal/helm/testdata/AWS/constellation-services/charts/konnectivity/templates/clusterrolebinding.yaml b/cli/internal/helm/testdata/AWS/constellation-services/charts/konnectivity/templates/clusterrolebinding.yaml
deleted file mode 100644
index f189cb6a3f..0000000000
--- a/cli/internal/helm/testdata/AWS/constellation-services/charts/konnectivity/templates/clusterrolebinding.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- addonmanager.kubernetes.io/mode: Reconcile
- kubernetes.io/cluster-service: "true"
- name: system:konnectivity-server
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: system:auth-delegator
-subjects:
-- apiGroup: rbac.authorization.k8s.io
- kind: User
- name: system:konnectivity-server
diff --git a/cli/internal/helm/testdata/AWS/constellation-services/charts/konnectivity/templates/daemonset.yaml b/cli/internal/helm/testdata/AWS/constellation-services/charts/konnectivity/templates/daemonset.yaml
deleted file mode 100644
index 0f26cfbb98..0000000000
--- a/cli/internal/helm/testdata/AWS/constellation-services/charts/konnectivity/templates/daemonset.yaml
+++ /dev/null
@@ -1,76 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- labels:
- addonmanager.kubernetes.io/mode: Reconcile
- k8s-app: konnectivity-agent
- name: konnectivity-agent
- namespace: testNamespace
-spec:
- selector:
- matchLabels:
- k8s-app: konnectivity-agent
- template:
- metadata:
- labels:
- k8s-app: konnectivity-agent
- spec:
- containers:
- - args:
- - --logtostderr=true
- - --proxy-server-host=127.0.0.1
- - --ca-cert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- - --proxy-server-port=8132
- - --admin-server-port=8133
- - --health-server-port=8134
- - --service-account-token-path=/var/run/secrets/tokens/konnectivity-agent-token
- - --agent-identifiers=host=$(HOST_IP)
- - --sync-forever=true
- - --keepalive-time=60m
- - --sync-interval=5s
- - --sync-interval-cap=30s
- - --probe-interval=5s
- - --v=3
- command:
- - /proxy-agent
- env:
- - name: HOST_IP
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: status.hostIP
- image: konnectivityImage
- livenessProbe:
- httpGet:
- path: /healthz
- port: 8134
- initialDelaySeconds: 15
- timeoutSeconds: 15
- name: konnectivity-agent
- resources: {}
- volumeMounts:
- - mountPath: /var/run/secrets/tokens
- name: konnectivity-agent-token
- readOnly: true
- priorityClassName: system-cluster-critical
- serviceAccountName: konnectivity-agent
- tolerations:
- - effect: NoSchedule
- key: node-role.kubernetes.io/master
- operator: Exists
- - effect: NoSchedule
- key: node-role.kubernetes.io/control-plane
- operator: Exists
- - key: CriticalAddonsOnly
- operator: Exists
- - effect: NoExecute
- key: node.kubernetes.io/not-ready
- operator: Exists
- volumes:
- - name: konnectivity-agent-token
- projected:
- sources:
- - serviceAccountToken:
- audience: system:konnectivity-server
- path: konnectivity-agent-token
- updateStrategy: {}
diff --git a/cli/internal/helm/testdata/AWS/constellation-services/charts/konnectivity/templates/serviceaccount.yaml b/cli/internal/helm/testdata/AWS/constellation-services/charts/konnectivity/templates/serviceaccount.yaml
deleted file mode 100644
index ad307c56f3..0000000000
--- a/cli/internal/helm/testdata/AWS/constellation-services/charts/konnectivity/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- addonmanager.kubernetes.io/mode: Reconcile
- kubernetes.io/cluster-service: "true"
- name: konnectivity-agent
- namespace: testNamespace
diff --git a/cli/internal/helm/testdata/Azure/constellation-services/charts/konnectivity/templates/clusterrolebinding.yaml b/cli/internal/helm/testdata/Azure/constellation-services/charts/konnectivity/templates/clusterrolebinding.yaml
deleted file mode 100644
index f189cb6a3f..0000000000
--- a/cli/internal/helm/testdata/Azure/constellation-services/charts/konnectivity/templates/clusterrolebinding.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- addonmanager.kubernetes.io/mode: Reconcile
- kubernetes.io/cluster-service: "true"
- name: system:konnectivity-server
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: system:auth-delegator
-subjects:
-- apiGroup: rbac.authorization.k8s.io
- kind: User
- name: system:konnectivity-server
diff --git a/cli/internal/helm/testdata/Azure/constellation-services/charts/konnectivity/templates/daemonset.yaml b/cli/internal/helm/testdata/Azure/constellation-services/charts/konnectivity/templates/daemonset.yaml
deleted file mode 100644
index 0f26cfbb98..0000000000
--- a/cli/internal/helm/testdata/Azure/constellation-services/charts/konnectivity/templates/daemonset.yaml
+++ /dev/null
@@ -1,76 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- labels:
- addonmanager.kubernetes.io/mode: Reconcile
- k8s-app: konnectivity-agent
- name: konnectivity-agent
- namespace: testNamespace
-spec:
- selector:
- matchLabels:
- k8s-app: konnectivity-agent
- template:
- metadata:
- labels:
- k8s-app: konnectivity-agent
- spec:
- containers:
- - args:
- - --logtostderr=true
- - --proxy-server-host=127.0.0.1
- - --ca-cert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- - --proxy-server-port=8132
- - --admin-server-port=8133
- - --health-server-port=8134
- - --service-account-token-path=/var/run/secrets/tokens/konnectivity-agent-token
- - --agent-identifiers=host=$(HOST_IP)
- - --sync-forever=true
- - --keepalive-time=60m
- - --sync-interval=5s
- - --sync-interval-cap=30s
- - --probe-interval=5s
- - --v=3
- command:
- - /proxy-agent
- env:
- - name: HOST_IP
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: status.hostIP
- image: konnectivityImage
- livenessProbe:
- httpGet:
- path: /healthz
- port: 8134
- initialDelaySeconds: 15
- timeoutSeconds: 15
- name: konnectivity-agent
- resources: {}
- volumeMounts:
- - mountPath: /var/run/secrets/tokens
- name: konnectivity-agent-token
- readOnly: true
- priorityClassName: system-cluster-critical
- serviceAccountName: konnectivity-agent
- tolerations:
- - effect: NoSchedule
- key: node-role.kubernetes.io/master
- operator: Exists
- - effect: NoSchedule
- key: node-role.kubernetes.io/control-plane
- operator: Exists
- - key: CriticalAddonsOnly
- operator: Exists
- - effect: NoExecute
- key: node.kubernetes.io/not-ready
- operator: Exists
- volumes:
- - name: konnectivity-agent-token
- projected:
- sources:
- - serviceAccountToken:
- audience: system:konnectivity-server
- path: konnectivity-agent-token
- updateStrategy: {}
diff --git a/cli/internal/helm/testdata/Azure/constellation-services/charts/konnectivity/templates/serviceaccount.yaml b/cli/internal/helm/testdata/Azure/constellation-services/charts/konnectivity/templates/serviceaccount.yaml
deleted file mode 100644
index ad307c56f3..0000000000
--- a/cli/internal/helm/testdata/Azure/constellation-services/charts/konnectivity/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- addonmanager.kubernetes.io/mode: Reconcile
- kubernetes.io/cluster-service: "true"
- name: konnectivity-agent
- namespace: testNamespace
diff --git a/cli/internal/helm/testdata/GCP/constellation-services/charts/konnectivity/templates/clusterrolebinding.yaml b/cli/internal/helm/testdata/GCP/constellation-services/charts/konnectivity/templates/clusterrolebinding.yaml
deleted file mode 100644
index f189cb6a3f..0000000000
--- a/cli/internal/helm/testdata/GCP/constellation-services/charts/konnectivity/templates/clusterrolebinding.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- addonmanager.kubernetes.io/mode: Reconcile
- kubernetes.io/cluster-service: "true"
- name: system:konnectivity-server
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: system:auth-delegator
-subjects:
-- apiGroup: rbac.authorization.k8s.io
- kind: User
- name: system:konnectivity-server
diff --git a/cli/internal/helm/testdata/GCP/constellation-services/charts/konnectivity/templates/daemonset.yaml b/cli/internal/helm/testdata/GCP/constellation-services/charts/konnectivity/templates/daemonset.yaml
deleted file mode 100644
index 0f26cfbb98..0000000000
--- a/cli/internal/helm/testdata/GCP/constellation-services/charts/konnectivity/templates/daemonset.yaml
+++ /dev/null
@@ -1,76 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- labels:
- addonmanager.kubernetes.io/mode: Reconcile
- k8s-app: konnectivity-agent
- name: konnectivity-agent
- namespace: testNamespace
-spec:
- selector:
- matchLabels:
- k8s-app: konnectivity-agent
- template:
- metadata:
- labels:
- k8s-app: konnectivity-agent
- spec:
- containers:
- - args:
- - --logtostderr=true
- - --proxy-server-host=127.0.0.1
- - --ca-cert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- - --proxy-server-port=8132
- - --admin-server-port=8133
- - --health-server-port=8134
- - --service-account-token-path=/var/run/secrets/tokens/konnectivity-agent-token
- - --agent-identifiers=host=$(HOST_IP)
- - --sync-forever=true
- - --keepalive-time=60m
- - --sync-interval=5s
- - --sync-interval-cap=30s
- - --probe-interval=5s
- - --v=3
- command:
- - /proxy-agent
- env:
- - name: HOST_IP
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: status.hostIP
- image: konnectivityImage
- livenessProbe:
- httpGet:
- path: /healthz
- port: 8134
- initialDelaySeconds: 15
- timeoutSeconds: 15
- name: konnectivity-agent
- resources: {}
- volumeMounts:
- - mountPath: /var/run/secrets/tokens
- name: konnectivity-agent-token
- readOnly: true
- priorityClassName: system-cluster-critical
- serviceAccountName: konnectivity-agent
- tolerations:
- - effect: NoSchedule
- key: node-role.kubernetes.io/master
- operator: Exists
- - effect: NoSchedule
- key: node-role.kubernetes.io/control-plane
- operator: Exists
- - key: CriticalAddonsOnly
- operator: Exists
- - effect: NoExecute
- key: node.kubernetes.io/not-ready
- operator: Exists
- volumes:
- - name: konnectivity-agent-token
- projected:
- sources:
- - serviceAccountToken:
- audience: system:konnectivity-server
- path: konnectivity-agent-token
- updateStrategy: {}
diff --git a/cli/internal/helm/testdata/GCP/constellation-services/charts/konnectivity/templates/serviceaccount.yaml b/cli/internal/helm/testdata/GCP/constellation-services/charts/konnectivity/templates/serviceaccount.yaml
deleted file mode 100644
index ad307c56f3..0000000000
--- a/cli/internal/helm/testdata/GCP/constellation-services/charts/konnectivity/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- addonmanager.kubernetes.io/mode: Reconcile
- kubernetes.io/cluster-service: "true"
- name: konnectivity-agent
- namespace: testNamespace
diff --git a/cli/internal/helm/testdata/OpenStack/constellation-services/charts/konnectivity/templates/clusterrolebinding.yaml b/cli/internal/helm/testdata/OpenStack/constellation-services/charts/konnectivity/templates/clusterrolebinding.yaml
deleted file mode 100644
index f189cb6a3f..0000000000
--- a/cli/internal/helm/testdata/OpenStack/constellation-services/charts/konnectivity/templates/clusterrolebinding.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- addonmanager.kubernetes.io/mode: Reconcile
- kubernetes.io/cluster-service: "true"
- name: system:konnectivity-server
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: system:auth-delegator
-subjects:
-- apiGroup: rbac.authorization.k8s.io
- kind: User
- name: system:konnectivity-server
diff --git a/cli/internal/helm/testdata/OpenStack/constellation-services/charts/konnectivity/templates/daemonset.yaml b/cli/internal/helm/testdata/OpenStack/constellation-services/charts/konnectivity/templates/daemonset.yaml
deleted file mode 100644
index 0f26cfbb98..0000000000
--- a/cli/internal/helm/testdata/OpenStack/constellation-services/charts/konnectivity/templates/daemonset.yaml
+++ /dev/null
@@ -1,76 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- labels:
- addonmanager.kubernetes.io/mode: Reconcile
- k8s-app: konnectivity-agent
- name: konnectivity-agent
- namespace: testNamespace
-spec:
- selector:
- matchLabels:
- k8s-app: konnectivity-agent
- template:
- metadata:
- labels:
- k8s-app: konnectivity-agent
- spec:
- containers:
- - args:
- - --logtostderr=true
- - --proxy-server-host=127.0.0.1
- - --ca-cert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- - --proxy-server-port=8132
- - --admin-server-port=8133
- - --health-server-port=8134
- - --service-account-token-path=/var/run/secrets/tokens/konnectivity-agent-token
- - --agent-identifiers=host=$(HOST_IP)
- - --sync-forever=true
- - --keepalive-time=60m
- - --sync-interval=5s
- - --sync-interval-cap=30s
- - --probe-interval=5s
- - --v=3
- command:
- - /proxy-agent
- env:
- - name: HOST_IP
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: status.hostIP
- image: konnectivityImage
- livenessProbe:
- httpGet:
- path: /healthz
- port: 8134
- initialDelaySeconds: 15
- timeoutSeconds: 15
- name: konnectivity-agent
- resources: {}
- volumeMounts:
- - mountPath: /var/run/secrets/tokens
- name: konnectivity-agent-token
- readOnly: true
- priorityClassName: system-cluster-critical
- serviceAccountName: konnectivity-agent
- tolerations:
- - effect: NoSchedule
- key: node-role.kubernetes.io/master
- operator: Exists
- - effect: NoSchedule
- key: node-role.kubernetes.io/control-plane
- operator: Exists
- - key: CriticalAddonsOnly
- operator: Exists
- - effect: NoExecute
- key: node.kubernetes.io/not-ready
- operator: Exists
- volumes:
- - name: konnectivity-agent-token
- projected:
- sources:
- - serviceAccountToken:
- audience: system:konnectivity-server
- path: konnectivity-agent-token
- updateStrategy: {}
diff --git a/cli/internal/helm/testdata/OpenStack/constellation-services/charts/konnectivity/templates/serviceaccount.yaml b/cli/internal/helm/testdata/OpenStack/constellation-services/charts/konnectivity/templates/serviceaccount.yaml
deleted file mode 100644
index ad307c56f3..0000000000
--- a/cli/internal/helm/testdata/OpenStack/constellation-services/charts/konnectivity/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- addonmanager.kubernetes.io/mode: Reconcile
- kubernetes.io/cluster-service: "true"
- name: konnectivity-agent
- namespace: testNamespace
diff --git a/cli/internal/helm/testdata/QEMU/constellation-services/charts/konnectivity/templates/clusterrolebinding.yaml b/cli/internal/helm/testdata/QEMU/constellation-services/charts/konnectivity/templates/clusterrolebinding.yaml
deleted file mode 100644
index f189cb6a3f..0000000000
--- a/cli/internal/helm/testdata/QEMU/constellation-services/charts/konnectivity/templates/clusterrolebinding.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- addonmanager.kubernetes.io/mode: Reconcile
- kubernetes.io/cluster-service: "true"
- name: system:konnectivity-server
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: system:auth-delegator
-subjects:
-- apiGroup: rbac.authorization.k8s.io
- kind: User
- name: system:konnectivity-server
diff --git a/cli/internal/helm/testdata/QEMU/constellation-services/charts/konnectivity/templates/daemonset.yaml b/cli/internal/helm/testdata/QEMU/constellation-services/charts/konnectivity/templates/daemonset.yaml
deleted file mode 100644
index 0f26cfbb98..0000000000
--- a/cli/internal/helm/testdata/QEMU/constellation-services/charts/konnectivity/templates/daemonset.yaml
+++ /dev/null
@@ -1,76 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- labels:
- addonmanager.kubernetes.io/mode: Reconcile
- k8s-app: konnectivity-agent
- name: konnectivity-agent
- namespace: testNamespace
-spec:
- selector:
- matchLabels:
- k8s-app: konnectivity-agent
- template:
- metadata:
- labels:
- k8s-app: konnectivity-agent
- spec:
- containers:
- - args:
- - --logtostderr=true
- - --proxy-server-host=127.0.0.1
- - --ca-cert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- - --proxy-server-port=8132
- - --admin-server-port=8133
- - --health-server-port=8134
- - --service-account-token-path=/var/run/secrets/tokens/konnectivity-agent-token
- - --agent-identifiers=host=$(HOST_IP)
- - --sync-forever=true
- - --keepalive-time=60m
- - --sync-interval=5s
- - --sync-interval-cap=30s
- - --probe-interval=5s
- - --v=3
- command:
- - /proxy-agent
- env:
- - name: HOST_IP
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: status.hostIP
- image: konnectivityImage
- livenessProbe:
- httpGet:
- path: /healthz
- port: 8134
- initialDelaySeconds: 15
- timeoutSeconds: 15
- name: konnectivity-agent
- resources: {}
- volumeMounts:
- - mountPath: /var/run/secrets/tokens
- name: konnectivity-agent-token
- readOnly: true
- priorityClassName: system-cluster-critical
- serviceAccountName: konnectivity-agent
- tolerations:
- - effect: NoSchedule
- key: node-role.kubernetes.io/master
- operator: Exists
- - effect: NoSchedule
- key: node-role.kubernetes.io/control-plane
- operator: Exists
- - key: CriticalAddonsOnly
- operator: Exists
- - effect: NoExecute
- key: node.kubernetes.io/not-ready
- operator: Exists
- volumes:
- - name: konnectivity-agent-token
- projected:
- sources:
- - serviceAccountToken:
- audience: system:konnectivity-server
- path: konnectivity-agent-token
- updateStrategy: {}
diff --git a/cli/internal/helm/testdata/QEMU/constellation-services/charts/konnectivity/templates/serviceaccount.yaml b/cli/internal/helm/testdata/QEMU/constellation-services/charts/konnectivity/templates/serviceaccount.yaml
deleted file mode 100644
index ad307c56f3..0000000000
--- a/cli/internal/helm/testdata/QEMU/constellation-services/charts/konnectivity/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- addonmanager.kubernetes.io/mode: Reconcile
- kubernetes.io/cluster-service: "true"
- name: konnectivity-agent
- namespace: testNamespace
diff --git a/cli/internal/terraform/terraform/aws/main.tf b/cli/internal/terraform/terraform/aws/main.tf
index 5a0517bee9..796b31facd 100644
--- a/cli/internal/terraform/terraform/aws/main.tf
+++ b/cli/internal/terraform/terraform/aws/main.tf
@@ -26,7 +26,6 @@ locals {
 { name = "kubernetes", port = "6443", health_check = "HTTPS" },
 { name = "bootstrapper", port = "9000", health_check = "TCP" },
 { name = "verify", port = "30081", health_check = "TCP" },
- { name = "konnectivity", port = "8132", health_check = "TCP" },
 { name = "recovery", port = "9999", health_check = "TCP" },
 { name = "join", port = "30090", health_check = "TCP" },
 var.debug ? [{ name = "debugd", port = "4000", health_check = "TCP" }] : [],
@@ -222,11 +221,6 @@ module "jump_host" {
 }
 
 # TODO(31u3r): Remove once 2.12 is released
-moved {
- from = module.load_balancer_target_konnectivity
- to = module.load_balancer_targets["konnectivity"]
-}
-
 moved {
 from = module.load_balancer_target_verify
 to = module.load_balancer_targets["verify"]
diff --git a/cli/internal/terraform/terraform/azure/main.tf b/cli/internal/terraform/terraform/azure/main.tf
index 4e53705104..05099d0de8 100644
--- a/cli/internal/terraform/terraform/azure/main.tf
+++ b/cli/internal/terraform/terraform/azure/main.tf
@@ -32,7 +32,6 @@ locals {
 { name = "kubernetes", port = "6443", health_check_protocol = "Https", path = "/readyz", priority = 100 },
 { name = "bootstrapper", port = "9000", health_check_protocol = "Tcp", path = null, priority = 101 },
 { name = "verify", port = "30081", health_check_protocol = "Tcp", path = null, priority = 102 },
- { name = "konnectivity", port = "8132", health_check_protocol = "Tcp", path = null, priority = 103 },
 { name = "recovery", port = "9999", health_check_protocol = "Tcp", path = null, priority = 104 },
 { name = "join", port = "30090", health_check_protocol = "Tcp", path = null, priority = 105 },
 var.debug ? [{ name = "debugd", port = "4000", health_check_protocol = "Tcp", path = null, priority = 106 }] : [],
diff --git a/cli/internal/terraform/terraform/gcp/main.tf b/cli/internal/terraform/terraform/gcp/main.tf
index b773cd5ec7..b0a4b1b540 100644
--- a/cli/internal/terraform/terraform/gcp/main.tf
+++ b/cli/internal/terraform/terraform/gcp/main.tf
@@ -46,7 +46,6 @@ locals {
 { name = "kubernetes", port = "6443", health_check = "HTTPS" },
 { name = "bootstrapper", port = "9000", health_check = "TCP" },
 { name = "verify", port = "30081", health_check = "TCP" },
- { name = "konnectivity", port = "8132", health_check = "TCP" },
 { name = "recovery", port = "9999", health_check = "TCP" },
 { name = "join", port = "30090", health_check = "TCP" },
 var.debug ? [{ name = "debugd", port = "4000", health_check = "TCP" }] : [],
@@ -259,11 +258,6 @@ moved {
 to = module.loadbalancer_public["verify"]
 }
 
-moved {
- from = module.loadbalancer_konnectivity
- to = module.loadbalancer_public["konnectivity"]
-}
-
 moved {
 from = module.loadbalancer_recovery
 to = module.loadbalancer_public["recovery"]
diff --git a/cli/internal/terraform/terraform/openstack/main.tf b/cli/internal/terraform/terraform/openstack/main.tf
index 564528e458..49e5c7e5a7 100644
--- a/cli/internal/terraform/terraform/openstack/main.tf
+++ b/cli/internal/terraform/terraform/openstack/main.tf
@@ -28,7 +28,6 @@ locals {
 ports_node_range_end = "32767"
 ports_kubernetes = "6443"
 ports_bootstrapper = "9000"
- ports_konnectivity = "8132"
 ports_verify = "30081"
 ports_recovery = "9999"
 ports_debugd = "4000"
@@ -144,7 +143,6 @@ resource "openstack_compute_secgroup_v2" "vpc_secgroup" {
 for_each = flatten([
 local.ports_kubernetes,
 local.ports_bootstrapper,
- local.ports_konnectivity,
 local.ports_verify,
 local.ports_recovery,
 var.debug ? [local.ports_debugd] : [],
@@ -248,15 +246,6 @@ moved {
 # port = local.ports_verify
 # }
 
-# module "loadbalancer_konnectivity" {
-# source = "./modules/loadbalancer"
-# name = "${local.name}-konnectivity"
-# member_ips = module.instance_group_control_plane.ips
-# loadbalancer_id = openstack_lb_loadbalancer_v2.loadbalancer.id
-# subnet_id = openstack_networking_subnet_v2.vpc_subnetwork.id
-# port = local.ports_konnectivity
-# }
-
 # module "loadbalancer_recovery" {
 # source = "./modules/loadbalancer"
 # name = "${local.name}-recovery"
diff --git a/e2e/miniconstellation/test-remote.sh b/e2e/miniconstellation/test-remote.sh
index 7166dec1cd..ed8f907b7e 100755
--- a/e2e/miniconstellation/test-remote.sh
+++ b/e2e/miniconstellation/test-remote.sh
@@ -71,7 +71,6 @@ kubectl -n kube-system wait --for=condition=Available=True --timeout=180s deploy
 kubectl -n kube-system rollout status --timeout 180s daemonset cilium
 kubectl -n kube-system rollout status --timeout 180s daemonset join-service
 kubectl -n kube-system rollout status --timeout 180s daemonset key-service
-kubectl -n kube-system rollout status --timeout 180s daemonset konnectivity-agent
 kubectl -n kube-system rollout status --timeout 180s daemonset verification-service
 
 echo "Miniconstellation started successfully. Shutting down..."
diff --git a/internal/constants/constants.go b/internal/constants/constants.go
index 853c45dfdb..15c794d297 100644
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@@ -67,8 +67,6 @@ const (
 RecoveryPort = 9999
 // DebugdPort port for debugd process.
 DebugdPort = 4000
- // KonnectivityPort port for konnectivity k8s service.
- KonnectivityPort = 8132
 
 //
 // Filenames.
diff --git a/internal/versions/versions.go b/internal/versions/versions.go
index bb1fc01b0c..1c15ad79dc 100644
--- a/internal/versions/versions.go
+++ b/internal/versions/versions.go
@@ -160,10 +160,6 @@ const (
 // These images are built in a way that they support all versions currently listed in VersionConfigs.
 //
- // KonnectivityAgentImage agent image for konnectivity service.
- KonnectivityAgentImage = "registry.k8s.io/kas-network-proxy/proxy-agent:v0.1.2@sha256:cd3046d253d26ffb5907c625e0d0c2be05c5693c90e12116980851739fc0ead8" // renovate:container
- // KonnectivityServerImage server image for konnectivity service.
- KonnectivityServerImage = "registry.k8s.io/kas-network-proxy/proxy-server:v0.1.2@sha256:79933c3779bc30e33bb7509dff913e70f6ba78ad441f4827f0f3e840ce5f3ddb" // renovate:container
 // GcpGuestImage image for GCP guest agent.
 // Check for new versions at https://github.com/GoogleCloudPlatform/guest-agent/releases and update in /.github/workflows/build-gcp-guest-agent.yml.
 GcpGuestImage = "ghcr.io/edgelesssys/gcp-guest-agent:v20231016.0.0@sha256:c51ebfc2b67f5a39daba88039e7f8f171d7084656c49c092cc53b0a2318209b2" // renovate:container