Replace the NodeLocalDNS template with an addon

addons/nodelocaldns/nodelocaldns.yaml

@@ -0,0 +1,196 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: node-local-dns
+  namespace: kube-system
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+    kubeone.io/component: nodelocaldns
+data:
+  Corefile: |
+    {{ .Config.ClusterNetwork.ServiceDomainName }}:53 {
+      errors
+      cache {
+        success 9984 30
+        denial 9984 5
+      }
+      reload
+      loop
+      bind __PILLAR__LOCAL__DNS__
+      forward . __PILLAR__CLUSTER__DNS__ {
+        force_tcp
+      }
+      prometheus :9253
+      health __PILLAR__LOCAL__DNS__:8080
+    }
+    in-addr.arpa:53 {
+      errors
+      cache 30
+      reload
+      loop
+      bind __PILLAR__LOCAL__DNS__
+      forward . __PILLAR__CLUSTER__DNS__ {
+        force_tcp
+      }
+      prometheus :9253
+    }
+    ip6.arpa:53 {
+      errors
+      cache 30
+      reload
+      loop
+      bind __PILLAR__LOCAL__DNS__
+      forward . __PILLAR__CLUSTER__DNS__ {
+        force_tcp
+      }
+      prometheus :9253
+    }
+    .:53 {
+      errors
+      cache 30
+      reload
+      loop
+      bind __PILLAR__LOCAL__DNS__
+      forward . __PILLAR__UPSTREAM__SERVERS__ {
+        force_tcp
+      }
+      prometheus :9253
+    }
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: node-local-dns
+  namespace: kube-system
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+    kubeone.io/component: nodelocaldns
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: kube-dns-upstream
+  namespace: kube-system
+  labels:
+    k8s-app: kube-dns
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+    kubernetes.io/name: "KubeDNSUpstream"
+    kubeone.io/component: nodelocaldns
+spec:
+  ports:
+  - name: dns
+    port: 53
+    protocol: UDP
+    targetPort: 53
+  - name: dns-tcp
+    port: 53
+    protocol: TCP
+    targetPort: 53
+  selector:
+    k8s-app: kube-dns
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: node-local-dns
+  namespace: kube-system
+  labels:
+    k8s-app: node-local-dns
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+    kubeone.io/component: nodelocaldns
+spec:
+  updateStrategy:
+    rollingUpdate:
+      maxUnavailable: 10%
+  selector:
+    matchLabels:
+      k8s-app: node-local-dns
+  template:
+    metadata:
+      labels:
+        k8s-app: node-local-dns
+    spec:
+      priorityClassName: system-node-critical
+      serviceAccountName: node-local-dns
+      hostNetwork: true
+      dnsPolicy: Default  # Don't use cluster DNS.
+      tolerations:
+      - operator: "Exists"
+      containers:
+      - name: node-cache
+        image: {{ Registry "k8s.gcr.io" }}/k8s-dns-node-cache:1.15.13
+        command:
+        - /bin/sh
+        - -c
+        - |-
+          sleep 10;
+          exec /node-cache -localip {{ .Resources.NodeLocalDNSVirtualIP }} -conf /etc/Corefile -upstreamsvc kube-dns-upstream
+        resources:
+          requests:
+            cpu: 25m
+            memory: 5Mi
+        securityContext:
+          privileged: true
+        ports:
+        - containerPort: 53
+          name: dns
+          protocol: UDP
+        - containerPort: 53
+          name: dns-tcp
+          protocol: TCP
+        - containerPort: 9253
+          name: metrics
+          protocol: TCP
+        livenessProbe:
+          httpGet:
+            host: "{{ .Resources.NodeLocalDNSVirtualIP }}"
+            path: /health
+            port: 8080
+          initialDelaySeconds: 60
+          timeoutSeconds: 5
+        volumeMounts:
+        - mountPath: /run/xtables.lock
+          name: xtables-lock
+          readOnly: false
+        - name: config-volume
+          mountPath: /etc/coredns
+        - name: kube-dns-config
+          mountPath: /etc/kube-dns
+      volumes:
+      - name: xtables-lock
+        hostPath:
+          path: /run/xtables.lock
+          type: FileOrCreate
+      - name: kube-dns-config
+        configMap:
+          name: kube-dns
+          optional: true
+      - name: config-volume
+        configMap:
+          name: node-local-dns
+          items:
+            - key: Corefile
+              path: Corefile.base
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    prometheus.io/port: "9253"
+    prometheus.io/scrape: "true"
+  labels:
+    k8s-app: node-local-dns
+    kubeone.io/component: nodelocaldns
+  name: node-local-dns
+  namespace: kube-system
+spec:
+  clusterIP: None
+  ports:
+    - name: metrics
+      port: 9253
+      targetPort: 9253
+  selector:
+    k8s-app: node-local-dns

pkg/addons/applier.go

@@ -29,6 +29,7 @@ import (
 	kubeoneapi "k8c.io/kubeone/pkg/apis/kubeone"
 	"k8c.io/kubeone/pkg/credentials"
 	"k8c.io/kubeone/pkg/state"
+	"k8c.io/kubeone/pkg/templates/resources"
 )
 
 var (
@@ -49,6 +50,7 @@ type applier struct {
 type templateData struct {
 	Config      *kubeoneapi.KubeOneCluster
 	Credentials map[string]string
+	Resources   map[string]string
 }
 
 func newAddonsApplier(s *state.State) (*applier, error) {
@@ -74,6 +76,7 @@ func newAddonsApplier(s *state.State) (*applier, error) {
 	td := templateData{
 		Config:      s.Cluster,
 		Credentials: creds,
+		Resources:   resources.All(),
 	}
 
 	return &applier{

pkg/addons/ensure.go

@@ -83,10 +83,10 @@ func EnsureUserAddons(s *state.State) error {
 	return nil
 }
 
-// ensureAddonByName deploys an addon by its name. If the addon is not found
+// EnsureAddonByName deploys an addon by its name. If the addon is not found
 // in the addons directory, or if the addons or not enabled, it will search
 // for the embedded addons.
-func ensureAddonByName(s *state.State, addonName string) error { //nolint:deadcode,unused
+func EnsureAddonByName(s *state.State, addonName string) error {
 	applier, err := newAddonsApplier(s)
 	if err != nil {
 		return err

pkg/tasks/tasks.go

@@ -28,7 +28,6 @@ import (
 	"k8c.io/kubeone/pkg/state"
 	"k8c.io/kubeone/pkg/templates/externalccm"
 	"k8c.io/kubeone/pkg/templates/machinecontroller"
-	"k8c.io/kubeone/pkg/templates/nodelocaldns"
 )
 
 type Tasks []Task
@@ -175,7 +174,10 @@ func WithResources(t Tasks) Tasks {
 				ErrMsg: "failed to save kubeconfig to the local machine",
 			},
 			{
-				Fn:          nodelocaldns.Deploy,
+				Fn: func(s *state.State) error {
+					s.Logger.Infoln("Ensure node local DNS cache...")
+					return addons.EnsureAddonByName(s, "nodelocaldns")
+				},
 				ErrMsg:      "failed to deploy nodelocaldns",
 				Description: "ensure nodelocaldns",
 			},

pkg/templates/kubeadm/v1beta1/kubeadm.go

@@ -31,7 +31,7 @@ import (
 	"k8c.io/kubeone/pkg/kubeflags"
 	"k8c.io/kubeone/pkg/state"
 	"k8c.io/kubeone/pkg/templates/kubeadm/kubeadmargs"
-	"k8c.io/kubeone/pkg/templates/nodelocaldns"
+	"k8c.io/kubeone/pkg/templates/resources"
 
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -160,7 +160,7 @@ func NewConfig(s *state.State, host kubeoneapi.HostConfig) ([]runtime.Object, er
 		CgroupDriver:       "systemd",
 		ReadOnlyPort:       0,
 		RotateCertificates: true,
-		ClusterDNS:         []string{nodelocaldns.VirtualIP},
+		ClusterDNS:         []string{resources.NodeLocalDNSVirtualIP},
 		Authentication: kubeletconfigv1beta1.KubeletAuthentication{
 			Anonymous: kubeletconfigv1beta1.KubeletAnonymousAuthentication{
 				Enabled: &bfalse,
@@ -310,7 +310,7 @@ func NewConfigWorker(s *state.State, host kubeoneapi.HostConfig) ([]runtime.Obje
 		CgroupDriver:       "systemd",
 		ReadOnlyPort:       0,
 		RotateCertificates: true,
-		ClusterDNS:         []string{nodelocaldns.VirtualIP},
+		ClusterDNS:         []string{resources.NodeLocalDNSVirtualIP},
 		Authentication: kubeletconfigv1beta1.KubeletAuthentication{
 			Anonymous: kubeletconfigv1beta1.KubeletAnonymousAuthentication{
 				Enabled: &bfalse,

pkg/templates/kubeadm/v1beta2/kubeadm.go

@@ -31,7 +31,7 @@ import (
 	"k8c.io/kubeone/pkg/kubeflags"
 	"k8c.io/kubeone/pkg/state"
 	"k8c.io/kubeone/pkg/templates/kubeadm/kubeadmargs"
-	"k8c.io/kubeone/pkg/templates/nodelocaldns"
+	"k8c.io/kubeone/pkg/templates/resources"
 
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -165,7 +165,7 @@ func NewConfig(s *state.State, host kubeoneapi.HostConfig) ([]runtime.Object, er
 		CgroupDriver:       "systemd",
 		ReadOnlyPort:       0,
 		RotateCertificates: true,
-		ClusterDNS:         []string{nodelocaldns.VirtualIP},
+		ClusterDNS:         []string{resources.NodeLocalDNSVirtualIP},
 		Authentication: kubeletconfigv1beta1.KubeletAuthentication{
 			Anonymous: kubeletconfigv1beta1.KubeletAnonymousAuthentication{
 				Enabled: &bfalse,
@@ -319,7 +319,7 @@ func NewConfigWorker(s *state.State, host kubeoneapi.HostConfig) ([]runtime.Obje
 		CgroupDriver:       "systemd",
 		ReadOnlyPort:       0,
 		RotateCertificates: true,
-		ClusterDNS:         []string{nodelocaldns.VirtualIP},
+		ClusterDNS:         []string{resources.NodeLocalDNSVirtualIP},
 		Authentication: kubeletconfigv1beta1.KubeletAuthentication{
 			Anonymous: kubeletconfigv1beta1.KubeletAnonymousAuthentication{
 				Enabled: &bfalse,

pkg/templates/machinecontroller/deployment.go

@@ -29,7 +29,7 @@ import (
 	"k8c.io/kubeone/pkg/kubeconfig"
 	"k8c.io/kubeone/pkg/state"
 	"k8c.io/kubeone/pkg/templates/images"
-	"k8c.io/kubeone/pkg/templates/nodelocaldns"
+	"k8c.io/kubeone/pkg/templates/resources"
 
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -765,7 +765,7 @@ func machineControllerDeployment(cluster *kubeoneapi.KubeOneCluster, credentials
 		"-v", "4",
 		"-health-probe-address", "0.0.0.0:8085",
 		"-metrics-address", "0.0.0.0:8080",
-		"-cluster-dns", nodelocaldns.VirtualIP,
+		"-cluster-dns", resources.NodeLocalDNSVirtualIP,
 		"-node-csr-approver",
 	}