Merge pull request #1336 from FabianKramm/main

refactor: remove enableHA for k3s
loft-sh · Oct 31, 2023 · f2d32df · f2d32df
2 parents 63f6ff6 + 1a22c75
commit f2d32df
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 31 deletions.
diff --git a/charts/k3s/templates/rbac/role.yaml b/charts/k3s/templates/rbac/role.yaml
@@ -50,7 +50,7 @@ rules:
     resources: ["endpoints"]
     verbs: ["create", "delete", "patch", "update"]
   {{- end }}
-  {{- if or .Values.enableHA .Values.rbac.role.extended }}
+  {{- if or (gt (int .Values.replicas) 1) .Values.rbac.role.extended }}
   - apiGroups: ["coordination.k8s.io"]
     resources: ["leases"]
     verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]

diff --git a/charts/k3s/templates/statefulset.yaml b/charts/k3s/templates/statefulset.yaml
@@ -66,7 +66,7 @@ spec:
       {{- if .Values.affinity }}
       affinity:
 {{ toYaml .Values.affinity | indent 8 }}
-      {{- else if .Values.enableHA }}
+      {{- else if (gt (int .Values.replicas) 1) }}
       affinity:
         podAntiAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:
@@ -220,7 +220,7 @@ spec:
           {{- if .Values.syncer.kubeConfigContextName }}
           - --kube-config-context-name={{ .Values.syncer.kubeConfigContextName }}
           {{- end }}
-          {{- if .Values.enableHA }}
+          {{- if (gt (int .Values.replicas) 1) }}
           - --leader-elect=true
           {{- else }}
           - --leader-elect=false

diff --git a/charts/k3s/values.yaml b/charts/k3s/values.yaml
@@ -4,10 +4,6 @@ globalAnnotations: {}
 # If vCluster.Pro is enabled
 pro: false
 
-# If the control plane is deployed in high availability mode
-# Make sure to scale up the replicas and use an external datastore
-enableHA: false
-
 # If true, will deploy vcluster in headless mode, which means no deployment
 # or statefulset is created.
 headless: false

diff --git a/pkg/certs/ensure.go b/pkg/certs/ensure.go
@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
-	"strconv"
 
 	corev1 "k8s.io/api/core/v1"
 	kerrors "k8s.io/apimachinery/pkg/api/errors"
@@ -22,11 +21,11 @@ func EnsureCerts(
 	vClusterName string,
 	certificateDir string,
 	clusterDomain string,
+	etcdSans []string,
 ) error {
 	// we create a certificate for up to 20 etcd replicas, this should be sufficient for most use cases. Eventually we probably
 	// want to update this to the actual etcd number, but for now this is the easiest way to allow up and downscaling without
 	// regenerating certificates.
-	etcdReplicas := 20
 	secretName := vClusterName + "-certs"
 	secret, err := currentNamespaceClient.CoreV1().Secrets(currentNamespace).Get(ctx, secretName, metav1.GetOptions{})
 	if err == nil {
@@ -39,23 +38,11 @@ func EnsureCerts(
 		return err
 	}
 
-	// generate etcd server and peer sans
-	etcdService := vClusterName + "-etcd"
-	serverSans := []string{"localhost", etcdService, etcdService + "." + currentNamespace, etcdService + "." + currentNamespace + ".svc"}
-	for i := 0; i < etcdReplicas; i++ {
-		// this is for embedded etcd
-		hostname := vClusterName + "-" + strconv.Itoa(i)
-		serverSans = append(serverSans, hostname, hostname+"."+vClusterName+"-headless", hostname+"."+vClusterName+"-headless"+"."+currentNamespace)
-		// this is for external etcd
-		etcdHostname := etcdService + "-" + strconv.Itoa(i)
-		serverSans = append(serverSans, etcdHostname, etcdHostname+"."+etcdService+"-headless", etcdHostname+"."+etcdService+"-headless"+"."+currentNamespace)
-	}
-
 	cfg.ClusterName = "kubernetes"
 	cfg.NodeRegistration.Name = vClusterName + "-api"
 	cfg.Etcd.Local = &LocalEtcd{
-		ServerCertSANs: serverSans,
-		PeerCertSANs:   serverSans,
+		ServerCertSANs: etcdSans,
+		PeerCertSANs:   etcdSans,
 	}
 	cfg.Networking.ServiceSubnet = serviceCIDR
 	cfg.Networking.DNSDomain = clusterDomain

diff --git a/pkg/setup/initialize.go b/pkg/setup/initialize.go
@@ -95,14 +95,6 @@ func initialize(
 		}
 	}
 
-	// check if we need to create certs
-	if certificatesDir != "" {
-		err = certs.EnsureCerts(ctx, serviceCIDR, currentNamespace, currentNamespaceClient, vClusterName, certificatesDir, options.ClusterDomain)
-		if err != nil {
-			return fmt.Errorf("ensure certs: %w", err)
-		}
-	}
-
 	// check if k3s
 	if !isK0s && certificatesDir != "/pki" {
 		// its k3s, let's create the token secret
@@ -120,6 +112,32 @@ func initialize(
 				klog.Fatalf("Error running k3s: %v", err)
 			}
 		}()
+	} else if certificatesDir != "" {
+		err = GenerateK8sCerts(ctx, currentNamespaceClient, vClusterName, currentNamespace, serviceCIDR, certificatesDir, options.ClusterDomain)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func GenerateK8sCerts(ctx context.Context, currentNamespaceClient kubernetes.Interface, vClusterName, currentNamespace, serviceCIDR, certificatesDir, clusterDomain string) error {
+	// generate etcd server and peer sans
+	etcdService := vClusterName + "-etcd"
+	etcdSans := []string{
+		"localhost",
+		etcdService,
+		etcdService + "." + currentNamespace,
+		etcdService + "." + currentNamespace + ".svc",
+		"*." + etcdService + "-headless",
+		"*." + etcdService + "-headless" + "." + currentNamespace,
+	}
+
+	// generate certificates
+	err := certs.EnsureCerts(ctx, serviceCIDR, currentNamespace, currentNamespaceClient, vClusterName, certificatesDir, clusterDomain, etcdSans)
+	if err != nil {
+		return fmt.Errorf("ensure certs: %w", err)
 	}
 
 	return nil