Merge pull request #77 from FabianKramm/main
feat: issue real service account tokens for projected volumes
FabianKramm authored Jul 6, 2021
2 parents e86fd20 + 8bc534a commit 9f06d98
Showing 60 changed files with 13,903 additions and 289 deletions.
1 change: 1 addition & 0 deletions cmd/vcluster/context/context.go
@@ -11,6 +11,7 @@ import (

// VirtualCluster holds the cmd flags
type VirtualClusterOptions struct {
ServiceAccountKey string
ServerCaCert string
ServerCaKey string
TlsSANs []string
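Review bot: The `ServiceAccountKey` field, which appears to be the line this section adds, has no comment, and the existing type comment starts with `VirtualCluster` although the type is `VirtualClusterOptions`, so it does not follow the Go doc-comment convention. Since the field presumably names the key that signs service account tokens, I would say so at the declaration, e.g. `// ServiceAccountKey is the path to the key used to sign service account tokens.`, and reword the type comment to `// VirtualClusterOptions holds the cmd flags`. The struct continues outside the hunk.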
5 changes: 3 additions & 2 deletions cmd/vcluster/main.go
@@ -5,6 +5,7 @@ import (
"github.com/loft-sh/vcluster/pkg/apis"
"github.com/loft-sh/vcluster/pkg/controllers/resources/nodes"
"github.com/loft-sh/vcluster/pkg/controllers/resources/nodes/nodeservice"
translatepods "github.com/loft-sh/vcluster/pkg/controllers/resources/pods/translate"
"github.com/loft-sh/vcluster/pkg/leaderelection"
"io/ioutil"
"k8s.io/client-go/discovery"
@@ -16,7 +17,6 @@ import (
"github.com/loft-sh/vcluster/cmd/vcluster/context"
"github.com/loft-sh/vcluster/pkg/controllers"
"github.com/loft-sh/vcluster/pkg/controllers/resources/endpoints"
"github.com/loft-sh/vcluster/pkg/controllers/resources/pods"
"github.com/loft-sh/vcluster/pkg/controllers/resources/services"
"github.com/loft-sh/vcluster/pkg/server"
"github.com/loft-sh/vcluster/pkg/util/clienthelper"
@@ -88,6 +88,7 @@ func NewCommand() *cobra.Command {
cmd.Flags().StringVar(&options.ClientCaCert, "client-ca-cert", "/data/server/tls/client-ca.crt", "The path to the client ca certificate")
cmd.Flags().StringVar(&options.ServerCaCert, "server-ca-cert", "/data/server/tls/server-ca.crt", "The path to the server ca certificate")
cmd.Flags().StringVar(&options.ServerCaKey, "server-ca-key", "/data/server/tls/server-ca.key", "The path to the server ca key")
cmd.Flags().StringVar(&options.ServiceAccountKey, "service-account-key", "/data/server/tls/service.key", "The path to the service account token key")
cmd.Flags().StringSliceVar(&options.TlsSANs, "tls-san", []string{}, "Add additional hostname or IP as a Subject Alternative Name in the TLS cert")
cmd.Flags().StringVar(&options.KubeConfig, "kube-config", "/data/server/cred/admin.kubeconfig", "The path to the virtual cluster admin kube config")
cmd.Flags().StringVar(&options.KubeConfigSecret, "out-kube-config-secret", "kubeconfig", "If specified, the virtual cluster will write the generated kube config to the given secret")
@@ -115,7 +116,7 @@ func NewCommand() *cobra.Command {
cmd.Flags().StringVar(&options.ServiceAccount, "service-account", "", "If set, will set this host service account on the synced pods")

cmd.Flags().BoolVar(&options.OverrideHosts, "override-hosts", true, "If enabled, vcluster will override a containers /etc/hosts file if there is a subdomain specified for the pod (spec.subdomain).")
cmd.Flags().StringVar(&options.OverrideHostsContainerImage, "override-hosts-container-image", pods.HostsRewriteImage, "The image for the init container that is used for creating the override hosts file.")
cmd.Flags().StringVar(&options.OverrideHostsContainerImage, "override-hosts-container-image", translatepods.HostsRewriteImage, "The image for the init container that is used for creating the override hosts file.")

cmd.Flags().StringVar(&options.ClusterDomain, "cluster-domain", "cluster.local", "The cluster domain ending that should be used for the virtual cluster")
cmd.Flags().Int64Var(&options.LeaseDuration, "lease-duration", 60, "Lease duration of the leader election in seconds")
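Review bot: The help text of the new `--service-account-key` flag, `"The path to the service account token key"`, does not say that this is (presumably) the private signing key, so a reader cannot tell that anyone able to read the default `/data/server/tls/service.key` could mint tokens for any service account in the virtual cluster. I would word it as `"The path to the private key used to sign service account tokens"` and add a comment next to the flag that the file should be readable only by the syncer and the virtual API server. The code that loads the key is not visible on this page, so it is worth confirming that startup fails with a clear error when the file is missing or unreadable rather than continuing without signed tokens. `NewCommand` starts and ends outside these hunks.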
76 changes: 76 additions & 0 deletions conformance/v1.21/README.md
@@ -0,0 +1,76 @@
### Run Conformance Tests

We recommend to use GKE as host cluster for conformance tests, as you will need a cluster with at least 2 nodes.


### 1. Create GKE cluster

```
export PROJECT_NAME=my-google-cloud-project
export CLUSTER_NAME=conformance-test
export CLUSTER_ZONE=europe-west3-a
# At the time of writing 1.21.1 was newest in
# rapid channel
export CLUSTER_VERSION=1.21.1-gke.1800
export CLUSTER_CHANNEL=rapid
# Create the cluster
gcloud beta container --project $PROJECT_NAME clusters create $CLUSTER_NAME \
--zone $CLUSTER_ZONE --no-enable-basic-auth --cluster-version $CLUSTER_VERSION \
--release-channel $CLUSTER_CHANNEL --enable-ip-alias --no-enable-master-authorized-networks \
--addons GcePersistentDiskCsiDriver --node-locations $CLUSTER_ZONE
# Make sure you have a firewall rule that allows incoming connections or the NodePort
# tests will fail
gcloud compute firewall-rules --project $PROJECT_NAME create conformance-firewall-rules --direction=INGRESS --network=default --action=ALLOW --rules=tcp --source-ranges=0.0.0.0/0 --description="vcluster conformance test firewall rule"
```

### 2. Create the vcluster

Create a file called `values.yaml` with the following content:
```yaml
vcluster:
image: rancher/k3s:v1.21.1-k3s1
# Tolerate everything as the test will taint some nodes
tolerations:
- operator: "Exists"
rbac:
clusterRole:
create: true
syncer:
extraArgs:
- --sync-all-nodes
- --sync-node-changes
- --fake-nodes=false
- --fake-kubelets=false
- --enable-priority-classes
- --disable-sync-resources=ingresses
```
Now create the vcluster with the [vcluster cli](https://github.com/loft-sh/vcluster/releases) (at least version v0.3.2 or newer):
```
# Create the vcluster
vcluster create vcluster -n vcluster -f values.yaml

# Connect to the vcluster
vcluster connect vcluster -n vcluster
```

### 3. Run Tests

Install [sonobuoy](https://github.com/vmware-tanzu/sonobuoy) and run this in a different shell:
```
export KUBECONFIG=./kubeconfig.yaml
export CONFORMANCE_VERSION=v1.21.1
export SONOBUOY_IMAGE_VERSION=v0.52.0
export SONOBUOY_LOGS_IMAGE_VERSION=v0.3
sonobuoy run \
--mode=certified-conformance \
--kube-conformance-image-version=$CONFORMANCE_VERSION \
--sonobuoy-image=sonobuoy/sonobuoy:$SONOBUOY_IMAGE_VERSION \
--systemd-logs-image=sonobuoy/systemd-logs:$SONOBUOY_LOGS_IMAGE_VERSION \
--wait
```

2 changes: 1 addition & 1 deletion devspace.yaml
@@ -3,7 +3,7 @@ vars:
- name: SYNCER_IMAGE
value: ghcr.io/loft-sh/loft-enterprise/dev-vcluster
- name: K3S_IMAGE
value: rancher/k3s:v1.20.5-k3s1
value: rancher/k3s:v1.21.2-k3s1
# Replace this with your clusters service CIDR, you can find it out via
# kubectl apply -f hack/wrong-cluster-ip-service.yaml
- name: SERVICE_CIDR
4 changes: 3 additions & 1 deletion go.mod
@@ -20,13 +20,15 @@ require (
github.com/spf13/cobra v1.1.3
github.com/spf13/pflag v1.0.5
gopkg.in/AlecAivazis/survey.v1 v1.8.8
gopkg.in/square/go-jose.v2 v2.2.2
gotest.tools v2.2.0+incompatible
k8s.io/api v0.21.1
k8s.io/apiextensions-apiserver v0.21.1
k8s.io/apimachinery v0.21.1
k8s.io/apiserver v0.21.1
k8s.io/client-go v0.21.1
k8s.io/klog v1.0.0
k8s.io/klog/v2 v2.9.0
k8s.io/kube-aggregator v0.21.1
k8s.io/kubectl v0.21.1
k8s.io/kubelet v0.21.1
@@ -35,8 +37,8 @@ require (
)

replace (
k8s.io/kube-openapi => k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7
github.com/googleapis/gnostic => github.com/googleapis/gnostic v0.4.1
github.com/kubernetes-incubator/reference-docs => github.com/kubernetes-sigs/reference-docs v0.0.0-20170929004150-fcf65347b256
github.com/markbates/inflect => github.com/markbates/inflect v1.0.4
k8s.io/kube-openapi => k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7
)
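Review bot: `gopkg.in/square/go-jose.v2 v2.2.2` is listed as a direct requirement in the first hunk, and given the commit's purpose it is presumably the library that signs the service account tokens, yet nothing records why this particular release was chosen. If the pin is deliberate, for instance to stay in step with the `k8s.io/apiserver v0.21.1` dependency tree, a comment such as `// keep in sync with k8s.io/apiserver` above the line would tell the next maintainer not to let it drift. If it is not deliberate, check whether a newer release of the v2 line can be used, because fixes to a JOSE/JWT library are security-relevant. The same hunk also requires both `k8s.io/klog v1.0.0` and `k8s.io/klog/v2 v2.9.0`; confirm that both are needed.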
1 change: 1 addition & 0 deletions go.sum
@@ -1083,6 +1083,7 @@ gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
gopkg.in/natefinch/lumberjack.v2 v2.0.0 h1:1Lc07Kr7qY4U2YPouBjpCLxpiyxIVoxqXgkXLknAOE8=
gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
gopkg.in/square/go-jose.v2 v2.2.2 h1:orlkJ3myw8CN1nVQHBFfloD+L3egixIa4FvUP6RosSA=
gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
132 changes: 0 additions & 132 deletions pkg/controllers/resources/pods/diff.go

This file was deleted.
