From 1a22c75b0917907ef4ddf742223bc3460e7afc32 Mon Sep 17 00:00:00 2001
From: Fabian Kramm
Date: Tue, 31 Oct 2023 10:25:38 +0100
Subject: [PATCH] refactor: remove enableHA for k3s
---
 charts/k3s/templates/rbac/role.yaml | 2 +-
 charts/k3s/templates/statefulset.yaml | 4 ++--
 charts/k3s/values.yaml | 4 ----
 pkg/certs/ensure.go | 19 +++------------
 pkg/setup/initialize.go | 34 ++++++++++++++++++++-------
 5 files changed, 32 insertions(+), 31 deletions(-)
diff --git a/charts/k3s/templates/rbac/role.yaml b/charts/k3s/templates/rbac/role.yaml
index eb837e640..630ce445f 100644
--- a/charts/k3s/templates/rbac/role.yaml
+++ b/charts/k3s/templates/rbac/role.yaml
@@ -50,7 +50,7 @@ rules:
 resources: ["endpoints"]
 verbs: ["create", "delete", "patch", "update"]
 {{- end }}
- {{- if or .Values.enableHA .Values.rbac.role.extended }}
+ {{- if or (gt (int .Values.replicas) 1) .Values.rbac.role.extended }}
 - apiGroups: ["coordination.k8s.io"]
 resources: ["leases"]
 verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
diff --git a/charts/k3s/templates/statefulset.yaml b/charts/k3s/templates/statefulset.yaml
index 641fca82f..5d3e13816 100644
--- a/charts/k3s/templates/statefulset.yaml
+++ b/charts/k3s/templates/statefulset.yaml
@@ -66,7 +66,7 @@ spec:
 {{- if .Values.affinity }}
 affinity:
 {{ toYaml .Values.affinity | indent 8 }}
- {{- else if .Values.enableHA }}
+ {{- else if (gt (int .Values.replicas) 1) }}
 affinity:
 podAntiAffinity:
 preferredDuringSchedulingIgnoredDuringExecution:
@@ -220,7 +220,7 @@ spec:
 {{- if .Values.syncer.kubeConfigContextName }}
 - --kube-config-context-name={{ .Values.syncer.kubeConfigContextName }}
 {{- end }}
- {{- if .Values.enableHA }}
+ {{- if (gt (int .Values.replicas) 1) }}
 - --leader-elect=true
 {{- else }}
 - --leader-elect=false
diff --git a/charts/k3s/values.yaml b/charts/k3s/values.yaml
index f9726357f..b16b8ce5b 100644
--- a/charts/k3s/values.yaml
+++ b/charts/k3s/values.yaml
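Review bot: The expression `(gt (int .Values.replicas) 1)` is now written out three times, once in the role.yaml hunk and once in each statefulset.yaml hunk; a named template (a `define` that evaluates `gt (int .Values.replicas) 1`, referenced from all three places) would keep the lease RBAC, the anti-affinity and the `--leader-elect` flag from drifting apart. Dropping `enableHA` also changes behaviour for existing releases: a release with `replicas` above 1 that never set `enableHA` now gets leader election and the leases permissions automatically, while a release that still sets `enableHA: true` gets no error, because Helm ignores values keys that no template reads. If the chart ships a values.schema.json, rejecting the removed key there would surface the migration; otherwise a changelog or NOTES entry saying that HA now follows `replicas` is warranted, since the commit message only says the key was removed.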
@@ -4,10 +4,6 @@ globalAnnotations: {}
 # If vCluster.Pro is enabled
 pro: false
-# If the control plane is deployed in high availability mode
-# Make sure to scale up the replicas and use an external datastore
-enableHA: false
-
 # If true, will deploy vcluster in headless mode, which means no deployment
 # or statefulset is created.
 headless: false
diff --git a/pkg/certs/ensure.go b/pkg/certs/ensure.go
index 7606e9768..35febf2ff 100644
--- a/pkg/certs/ensure.go
+++ b/pkg/certs/ensure.go
@@ -5,7 +5,6 @@ import (
 "fmt"
 "os"
 "path/filepath"
- "strconv"
 corev1 "k8s.io/api/core/v1"
 kerrors "k8s.io/apimachinery/pkg/api/errors"
@@ -22,11 +21,11 @@ func EnsureCerts(
 vClusterName string,
 certificateDir string,
 clusterDomain string,
+ etcdSans []string,
 ) error {
 // we create a certificate for up to 20 etcd replicas, this should be sufficient for most use cases. Eventually we probably
 // want to update this to the actual etcd number, but for now this is the easiest way to allow up and downscaling without
 // regenerating certificates.
- etcdReplicas := 20
 secretName := vClusterName + "-certs"
 secret, err := currentNamespaceClient.CoreV1().Secrets(currentNamespace).Get(ctx, secretName, metav1.GetOptions{})
 if err == nil {
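Review bot: The three-line comment kept above the removed `etcdReplicas := 20` still explains that a certificate is generated for up to 20 etcd replicas, but after this hunk EnsureCerts computes no SANs at all — it receives them through the new `etcdSans` parameter — so the comment is stale and will mislead the next reader. Replace it with a description of the parameter, e.g. `// etcdSans are the server and peer certificate SANs used for etcd; the caller decides how many names (or wildcards) they cover.`. EnsureCerts' signature starts before this hunk and its body continues past it; if the exported function carries a doc comment above the signature, that comment should list the new parameter as well.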
@@ -39,23 +38,11 @@ func EnsureCerts(
 return err
 }
- // generate etcd server and peer sans
- etcdService := vClusterName + "-etcd"
- serverSans := []string{"localhost", etcdService, etcdService + "." + currentNamespace, etcdService + "." + currentNamespace + ".svc"}
- for i := 0; i < etcdReplicas; i++ {
- // this is for embedded etcd
- hostname := vClusterName + "-" + strconv.Itoa(i)
- serverSans = append(serverSans, hostname, hostname+"."+vClusterName+"-headless", hostname+"."+vClusterName+"-headless"+"."+currentNamespace)
- // this is for external etcd
- etcdHostname := etcdService + "-" + strconv.Itoa(i)
- serverSans = append(serverSans, etcdHostname, etcdHostname+"."+etcdService+"-headless", etcdHostname+"."+etcdService+"-headless"+"."+currentNamespace)
- }
-
 cfg.ClusterName = "kubernetes"
 cfg.NodeRegistration.Name = vClusterName + "-api"
 cfg.Etcd.Local = &LocalEtcd{
- ServerCertSANs: serverSans,
- PeerCertSANs: serverSans,
+ ServerCertSANs: etcdSans,
+ PeerCertSANs: etcdSans,
 }
 cfg.Networking.ServiceSubnet = serviceCIDR
 cfg.Networking.DNSDomain = clusterDomain
diff --git a/pkg/setup/initialize.go b/pkg/setup/initialize.go
index ce291a8f3..63c69284a 100644
--- a/pkg/setup/initialize.go
+++ b/pkg/setup/initialize.go
@@ -95,14 +95,6 @@ func initialize(
 }
 }
- // check if we need to create certs
- if certificatesDir != "" {
- err = certs.EnsureCerts(ctx, serviceCIDR, currentNamespace, currentNamespaceClient, vClusterName, certificatesDir, options.ClusterDomain)
- if err != nil {
- return fmt.Errorf("ensure certs: %w", err)
- }
- }
-
 // check if k3s
 if !isK0s && certificatesDir != "/pki" {
 // its k3s, let's create the token secret
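Review bot: `cfg.Etcd.Local` now takes `etcdSans` straight from the caller with no validation, so a nil or empty slice silently yields an etcd server/peer certificate whose SANs are only whatever the generator adds on its own (not visible in this hunk), and a wrong list is discovered only later when etcd peers fail TLS verification rather than at the call site. A guard before the assignment keeps the failure at the boundary where the certificate is written: `if len(etcdSans) == 0 { return fmt.Errorf("etcd certificate SANs must not be empty") }` (fmt is already imported by this file). The rest of EnsureCerts, including the code that consumes `cfg`, lies outside this hunk.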
@@ -120,6 +112,32 @@ func initialize(
 klog.Fatalf("Error running k3s: %v", err)
 }
 }()
+ } else if certificatesDir != "" {
+ err = GenerateK8sCerts(ctx, currentNamespaceClient, vClusterName, currentNamespace, serviceCIDR, certificatesDir, options.ClusterDomain)
+ if err != nil {
+ return err
+ }
+ }
+
+ return nil
+}
+
+func GenerateK8sCerts(ctx context.Context, currentNamespaceClient kubernetes.Interface, vClusterName, currentNamespace, serviceCIDR, certificatesDir, clusterDomain string) error {
+ // generate etcd server and peer sans
+ etcdService := vClusterName + "-etcd"
+ etcdSans := []string{
+ "localhost",
+ etcdService,
+ etcdService + "." + currentNamespace,
+ etcdService + "." + currentNamespace + ".svc",
+ "*." + etcdService + "-headless",
+ "*." + etcdService + "-headless" + "." + currentNamespace,
+ }
+
+ // generate certificates
+ err := certs.EnsureCerts(ctx, serviceCIDR, currentNamespace, currentNamespaceClient, vClusterName, certificatesDir, clusterDomain, etcdSans)
+ if err != nil {
+ return fmt.Errorf("ensure certs: %w", err)
 }
 return nil
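Review bot: The new `etcdSans` list covers `<name>-etcd`, its namespaced forms and the wildcards `*.<name>-etcd-headless[.<ns>]`, but not the bare pod hostnames `<name>-etcd-N` that the loop removed from pkg/certs/ensure.go enumerated explicitly, and a `*.` wildcard does not match a name with no label in front of it; if any etcd client or peer dials the bare hostname, TLS verification now fails, so either confirm nothing does or add a comment stating why the bare names were dropped. The comment `// generate etcd server and peer sans` would be more useful if it carried the design reason the old code documented, e.g. `// wildcard SANs cover any number of external etcd pods, so scaling no longer requires regenerating certificates`. GenerateK8sCerts is exported and has no doc comment; Go convention wants one starting with its name, e.g. `// GenerateK8sCerts builds the etcd certificate SANs for the k8s distro and ensures the cluster certificates exist in certificatesDir.`. Separately, the certificate step is now reached only through the `else if` branch, so the k3s path taken by the first branch no longer calls EnsureCerts at all, which the commit message (about removing enableHA) does not mention; if that is intentional it deserves a sentence there. The closing brace of initialize is outside this hunk.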