Upgrade controller-runtime to v0.3.0 (#712)

* Upgrade controller-runtime to v0.3.0

* Upstream k8s libs are updated to kubernetes-1.15.4 release tag
* Fixed many API breaking changes
* Logic regarding checking version of CCM is removed

Signed-off-by: Artiom Diomin <[email protected]>

* Whitelist ICS license for dependencies

Signed-off-by: Artiom Diomin <[email protected]>

* Fix borken API in e2e tests

Signed-off-by: Artiom Diomin <[email protected]>

* Fix linter

Signed-off-by: Artiom Diomin <[email protected]>

* Removed HackIssue321InitDynamicClient hack

* upstream issue kubernetes-sigs/controller-runtime#321

Signed-off-by: Artiom Diomin <[email protected]>

* Return back accidentally removed initialization of dynamic client

Signed-off-by: Artiom Diomin <[email protected]>

* Revert "Removed HackIssue321InitDynamicClient hack"

This reverts commit 73710af.

Signed-off-by: Artiom Diomin <[email protected]>

* Better comment reason for pki.go existance.

Signed-off-by: Artiom Diomin <[email protected]>

.wwhrd.yml

@@ -1,10 +1,11 @@
 blacklist:
-  - GPL-2.0
+- GPL-2.0
 
 whitelist:
-  - Apache-2.0
-  - MIT
-  - NewBSD
-  - FreeBSD
-  - LGPL-3.0
-  - MPL-2.0
+- Apache-2.0
+- FreeBSD
+- ISC
+- LGPL-3.0
+- MIT
+- MPL-2.0
+- NewBSD

Makefile

@@ -65,7 +65,7 @@ buildenv:
 	@go version
 
 .PHONY: lint
-lint: dist/kubeone
+lint:
 	@golangci-lint --version
 	golangci-lint run ./pkg/... ./test/...
 

go.mod

@@ -6,49 +6,37 @@ require (
 	github.com/Masterminds/semver v1.4.2
 	github.com/aws/aws-sdk-go v1.20.15
 	github.com/ghodss/yaml v1.0.0
-	github.com/go-logr/logr v0.1.0 // indirect
 	github.com/go-logr/zapr v0.1.1 // indirect
 	github.com/gogo/protobuf v1.2.1 // indirect
-	github.com/google/btree v1.0.0 // indirect
-	github.com/googleapis/gnostic v0.2.0 // indirect
-	github.com/gregjones/httpcache v0.0.0-20190203031600-7a902570cb17 // indirect
 	github.com/imdario/mergo v0.3.7
 	github.com/json-iterator/go v1.1.7 // indirect
 	github.com/koron-go/prefixw v0.0.0-20181013140428-271b207a7572
 	github.com/kr/fs v0.1.0 // indirect
-	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/onsi/ginkgo v1.8.0 // indirect
 	github.com/onsi/gomega v1.5.0 // indirect
-	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pkg/errors v0.8.1
 	github.com/pkg/sftp v1.10.0
 	github.com/pmezard/go-difflib v1.0.0
 	github.com/sirupsen/logrus v1.2.0
 	github.com/spf13/cobra v0.0.5
 	github.com/spf13/pflag v1.0.3
 	go.uber.org/atomic v1.4.0 // indirect
-	go.uber.org/multierr v1.1.0 // indirect
 	go.uber.org/zap v1.10.0 // indirect
 	golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4
-	golang.org/x/net v0.0.0-20190628185345-da137c7871d7 // indirect
-	golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421 // indirect
 	golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb // indirect
 	golang.org/x/text v0.3.2 // indirect
 	golang.org/x/time v0.0.0-20181108054448-85acf8d2951c // indirect
 	golang.org/x/tools v0.0.0-20190703212419-2214986f1668 // indirect
-	gopkg.in/inf.v0 v0.9.0 // indirect
 	gopkg.in/yaml.v2 v2.2.2
-	k8s.io/api v0.0.0-20190222213804-5cb15d344471
-	k8s.io/apiextensions-apiserver v0.0.0-20190228180357-d002e88f6236
-	k8s.io/apimachinery v0.0.0-20190221213512-86fb29eff628
-	k8s.io/client-go v0.0.0-20190228174230-b40b2a5939e4
-	k8s.io/cluster-bootstrap v0.0.0-20190228181738-e96ff33745e4
-	k8s.io/code-generator v0.0.0-20190703204957-583809a49343
-	k8s.io/gengo v0.0.0-20190327210449-e17681d19d3a // indirect
-	k8s.io/klog v0.3.3 // indirect
-	k8s.io/kube-aggregator v0.0.0-20190228175259-3e0149950b0e
+	k8s.io/api v0.0.0-20190918195907-bd6ac527cfd2
+	k8s.io/apiextensions-apiserver v0.0.0-20190918201827-3de75813f604
+	k8s.io/apimachinery v0.0.0-20190817020851-f2f3a405f61d
+	k8s.io/client-go v0.0.0-20190918200256-06eb1244587a
+	k8s.io/cluster-bootstrap v0.0.0-20190918202959-c340507a5d48
+	k8s.io/code-generator v0.0.0-20190612205613-18da4a14b22b
+	k8s.io/gengo v0.0.0-20191010091904-7fa3014cb28f // indirect
+	k8s.io/kube-aggregator v0.0.0-20190918201136-c3a845f1fbb2
 	sigs.k8s.io/cluster-api v0.0.0-20190603191137-2ec456177c0e
-	sigs.k8s.io/controller-runtime v0.1.12
-	sigs.k8s.io/testing_frameworks v0.1.1 // indirect
+	sigs.k8s.io/controller-runtime v0.3.0
 	sigs.k8s.io/yaml v1.1.0
 )

pkg/certificate/certificate.go

@@ -25,6 +25,7 @@ import (
 	"github.com/kubermatic/kubeone/pkg/configupload"
 
 	"k8s.io/client-go/util/cert"
+	"k8s.io/client-go/util/keyutil"
 )
 
 // CAKeyPair parses generated PKI CA certificate and key
@@ -48,7 +49,7 @@ func CAKeyPair(config *configupload.Configuration) (*rsa.PrivateKey, *x509.Certi
 		return nil, nil, errors.New("ca.crt does not contain at least one valid certificate")
 	}
 
-	possibleKey, err := cert.ParsePrivateKeyPEM([]byte(caKey))
+	possibleKey, err := keyutil.ParsePrivateKeyPEM([]byte(caKey))
 	if err != nil {
 		return nil, nil, err
 	}

pkg/certificate/pki.go

@@ -0,0 +1,121 @@
+/*
+Copyright 2019 The KubeOne Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Upstream PR https://github.com/kubernetes/kubernetes/pull/73198 moved few
+// functions from "k8s.io/client-go/util/cert" to
+// "k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil".
+//
+// to avoid importing "k8s.io/kubernetes" those functions are copied over here.
+
+package certificate
+
+import (
+	"crypto"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math"
+	"math/big"
+	"time"
+
+	"github.com/pkg/errors"
+
+	certutil "k8s.io/client-go/util/cert"
+)
+
+const (
+	// PrivateKeyBlockType is a possible value for pem.Block.Type.
+	PrivateKeyBlockType = "PRIVATE KEY"
+	// PublicKeyBlockType is a possible value for pem.Block.Type.
+	PublicKeyBlockType = "PUBLIC KEY"
+	// CertificateBlockType is a possible value for pem.Block.Type.
+	CertificateBlockType = "CERTIFICATE"
+	// RSAPrivateKeyBlockType is a possible value for pem.Block.Type.
+	RSAPrivateKeyBlockType = "RSA PRIVATE KEY"
+	rsaKeySize             = 2048
+	duration365d           = time.Hour * 24 * 365
+)
+
+// EncodeCertPEM returns PEM-endcoded certificate data
+func EncodeCertPEM(cert *x509.Certificate) []byte {
+	block := pem.Block{
+		Type:  CertificateBlockType,
+		Bytes: cert.Raw,
+	}
+	return pem.EncodeToMemory(&block)
+}
+
+// EncodePublicKeyPEM returns PEM-encoded public data
+func EncodePublicKeyPEM(key *rsa.PublicKey) ([]byte, error) {
+	der, err := x509.MarshalPKIXPublicKey(key)
+	if err != nil {
+		return []byte{}, err
+	}
+	block := pem.Block{
+		Type:  PublicKeyBlockType,
+		Bytes: der,
+	}
+	return pem.EncodeToMemory(&block), nil
+}
+
+// EncodePrivateKeyPEM returns PEM-encoded private key data
+func EncodePrivateKeyPEM(key *rsa.PrivateKey) []byte {
+	block := pem.Block{
+		Type:  RSAPrivateKeyBlockType,
+		Bytes: x509.MarshalPKCS1PrivateKey(key),
+	}
+	return pem.EncodeToMemory(&block)
+}
+
+// NewPrivateKey creates an RSA private key
+func NewPrivateKey() (*rsa.PrivateKey, error) {
+	return rsa.GenerateKey(rand.Reader, rsaKeySize)
+}
+
+// NewSignedCert creates a signed certificate using the given CA certificate and key
+func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
+	serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))
+	if err != nil {
+		return nil, err
+	}
+	if len(cfg.CommonName) == 0 {
+		return nil, errors.New("must specify a CommonName")
+	}
+	if len(cfg.Usages) == 0 {
+		return nil, errors.New("must specify at least one ExtKeyUsage")
+	}
+
+	certTmpl := x509.Certificate{
+		Subject: pkix.Name{
+			CommonName:   cfg.CommonName,
+			Organization: cfg.Organization,
+		},
+		DNSNames:     cfg.AltNames.DNSNames,
+		IPAddresses:  cfg.AltNames.IPs,
+		SerialNumber: serial,
+		NotBefore:    caCert.NotBefore,
+		NotAfter:     time.Now().Add(duration365d).UTC(),
+		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:  cfg.Usages,
+	}
+	certDERBytes, err := x509.CreateCertificate(rand.Reader, &certTmpl, caCert, key.Public(), caKey)
+	if err != nil {
+		return nil, err
+	}
+	return x509.ParseCertificate(certDERBytes)
+}

pkg/installer/installation/install.go

@@ -45,8 +45,8 @@ func Install(s *state.State) error {
 		{Fn: copyKubeconfig, ErrMsg: "unable to copy kubeconfig to home directory", Retries: 3},
 		{Fn: saveKubeconfig, ErrMsg: "unable to save kubeconfig to the local machine", Retries: 3},
 		{Fn: kubeconfig.BuildKubernetesClientset, ErrMsg: "unable to build kubernetes clientset", Retries: 3},
-		{Fn: features.Activate, ErrMsg: "unable to activate features", Retries: 3},
 		{Fn: nodelocaldns.Deploy, ErrMsg: "unable to deploy nodelocaldns"},
+		{Fn: features.Activate, ErrMsg: "unable to activate features", Retries: 3},
 		{Fn: ensureCNI, ErrMsg: "failed to install cni plugin", Retries: 3},
 		{Fn: patchCoreDNS, ErrMsg: "failed to patch CoreDNS", Retries: 3},
 		{Fn: credentials.Ensure, ErrMsg: "unable to ensure credentials secret", Retries: 3},

pkg/kubeconfig/kubeconfig.go

@@ -18,13 +18,13 @@ package kubeconfig
 
 import (
 	"github.com/pkg/errors"
-	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	kubeoneapi "github.com/kubermatic/kubeone/pkg/apis/kubeone"
 	"github.com/kubermatic/kubeone/pkg/ssh"
 	"github.com/kubermatic/kubeone/pkg/state"
 
 	"k8s.io/client-go/tools/clientcmd"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 // Download downloads Kubeconfig over SSH
@@ -72,11 +72,11 @@ func BuildKubernetesClientset(s *state.State) error {
 // HackIssue321InitDynamicClient initialize controller-runtime/client
 // name comes from: https://github.com/kubernetes-sigs/controller-runtime/issues/321
 func HackIssue321InitDynamicClient(s *state.State) error {
+	var err error
 	if s.RESTConfig == nil {
 		return errors.New("rest config is not initialized")
 	}
 
-	var err error
 	s.DynamicClient, err = client.New(s.RESTConfig, client.Options{})
 	return errors.Wrap(err, "unable to build dynamic client")
 }

pkg/templates/canal/canal.go

@@ -129,9 +129,5 @@ func Deploy(s *state.State) error {
 
 	// HACK: re-init dynamic client in order to re-init RestMapper, to drop caches
 	err = kubeconfig.HackIssue321InitDynamicClient(s)
-	if err != nil {
-		return errors.Wrap(err, "failed to re-init dynamic client")
-	}
-
-	return nil
+	return errors.Wrap(err, "failed to re-init dynamic client")
 }

pkg/templates/externalccm/ccm.go

@@ -18,20 +18,15 @@ package externalccm
 
 import (
 	"context"
-	"strings"
 	"time"
 
-	"github.com/Masterminds/semver"
 	"github.com/pkg/errors"
 
 	kubeoneapi "github.com/kubermatic/kubeone/pkg/apis/kubeone"
 	"github.com/kubermatic/kubeone/pkg/state"
 
-	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/wait"
-	dynclient "sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 const (
@@ -76,9 +71,8 @@ func waitForInitializedNodes(s *state.State) error {
 
 	return wait.Poll(5*time.Second, 60*time.Second, func() (bool, error) {
 		nodes := corev1.NodeList{}
-		nodeListOpts := dynclient.ListOptions{}
 
-		if err := s.DynamicClient.List(ctx, &nodeListOpts, &nodes); err != nil {
+		if err := s.DynamicClient.List(ctx, &nodes); err != nil {
 			return false, err
 		}
 
@@ -93,38 +87,3 @@ func waitForInitializedNodes(s *state.State) error {
 		return true, nil
 	})
 }
-
-func mutateDeploymentWithVersionCheck(want *semver.Constraints) func(obj runtime.Object) error {
-	return func(obj runtime.Object) error {
-		dep, ok := obj.(*appsv1.Deployment)
-		if !ok {
-			return errors.Errorf("unknown object type %T passed", obj)
-		}
-
-		if dep.ObjectMeta.CreationTimestamp.IsZero() {
-			// let it create deployment
-			return nil
-		}
-
-		if len(dep.Spec.Template.Spec.Containers) != 1 {
-			return errors.New("unable to choose a CCM container, as number of containers > 1")
-		}
-
-		imageSpec := strings.SplitN(dep.Spec.Template.Spec.Containers[0].Image, ":", 2)
-		if len(imageSpec) != 2 {
-			return errors.New("unable to grab CCM image version")
-		}
-
-		existing, err := semver.NewVersion(imageSpec[1])
-		if err != nil {
-			return errors.Wrap(err, "failed to parse deployed CCM version")
-		}
-
-		if !want.Check(existing) {
-			return errors.New("newer version deployed, skipping")
-		}
-
-		// OK to update the deployment
-		return nil
-	}
-}

pkg/templates/externalccm/digitalocean.go

@@ -19,7 +19,6 @@ package externalccm
 import (
 	"context"
 
-	"github.com/Masterminds/semver"
 	"github.com/pkg/errors"
 
 	"github.com/kubermatic/kubeone/pkg/clientutil"
@@ -32,7 +31,6 @@ import (
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
-	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 )
 
 const (
@@ -59,20 +57,7 @@ func ensureDigitalOcean(s *state.State) error {
 		}
 	}
 
-	dep := doDeployment()
-	want, err := semver.NewConstraint("<= " + digitaloceanCCMVersion)
-	if err != nil {
-		return errors.Wrap(err, "failed to parse digitalocean CCM version constraint")
-	}
-
-	_, err = controllerutil.CreateOrUpdate(ctx,
-		s.DynamicClient,
-		dep,
-		mutateDeploymentWithVersionCheck(want))
-	if err != nil {
-		s.Logger.Warnf("unable to ensure digitalocean CCM Deployment: %v, skipping", err)
-	}
-	return nil
+	return clientutil.CreateOrUpdate(ctx, s.DynamicClient, doDeployment())
 }
 
 func doServiceAccount() *corev1.ServiceAccount {