add konnectivity component

Author: kvaps

deploy/helm/kubernetes/manifests/konnectivity-agent-deployment.yaml

@@ -0,0 +1,101 @@
+{{- $fullName := include "kubernetes.fullname" . -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+    k8s-app: konnectivity-agent
+    {{- with .Values.konnectivityAgent.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.konnectivityAgent.annotations }}
+    annotations:
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  namespace: kube-system
+  name: konnectivity-agent
+spec:
+  replicas: {{ .Values.konnectivityAgent.replicaCount }}
+  selector:
+    matchLabels:
+      k8s-app: konnectivity-agent
+  template:
+    metadata:
+      labels:
+        k8s-app: konnectivity-agent
+        {{- with .Values.konnectivityAgent.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- with .Values.konnectivityAgent.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- with .Values.konnectivityAgent.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      hostNetwork: {{ .Values.konnectivityAgent.hostNetwork }}
+      priorityClassName: system-cluster-critical
+      tolerations:
+      - key: "CriticalAddonsOnly"
+        operator: "Exists"
+      {{- with .Values.konnectivityAgent.tolerations }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
+      containers:
+      - image: {{ .Values.konnectivityAgent.image.repository }}:{{ .Values.konnectivityAgent.image.tag }}
+        name: konnectivity-agent
+        command: ["/proxy-agent"]
+        args:
+        - --logtostderr=true
+        - --ca-cert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+        - --service-account-token-path=/var/run/secrets/tokens/konnectivity-agent-token
+
+        {{- if not (hasKey .Values.konnectivityAgent.extraArgs "proxy-server-host") }}
+        {{- if .Values.konnectivityServer.service.loadBalancerIP }}
+        - --proxy-server-host={{ .Values.konnectivityServer.service.loadBalancerIP }}
+        {{- else }}
+        {{- fail ".konnectivityAgent.extraArgs.proxy-server-host must be specified!" }}
+        {{- end }}
+        {{- end }}
+
+        {{- if not (hasKey .Values.konnectivityAgent.extraArgs "roxy-server-port") }}
+        {{- if eq .Values.konnectivityServer.service.type "LoadBalancer" }}
+        - --proxy-server-port={{ .Values.konnectivityServer.service.ports.agent }}
+        {{- else if .Values.konnectivityServer.service.NodePort }}
+        - --proxy-server-port={{ .Values.konnectivityServer.service.nodePorts.agent }}
+        {{- else }}
+        {{- fail ".konnectivityAgent.extraArgs.proxy-server-port must be specified!" }}
+        {{- end }}
+        {{- end }}
+
+        {{- range $key, $value := .Values.konnectivityAgent.extraArgs }}
+        - --{{ $key }}={{ $value }}
+        {{- end }}
+        volumeMounts:
+        - mountPath: /var/run/secrets/tokens
+          name: konnectivity-agent-token
+        {{- with .Values.konnectivityAgent.extraVolumeMounts }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        livenessProbe:
+          httpGet:
+            port: 8093
+            path: /healthz
+          initialDelaySeconds: 15
+          timeoutSeconds: 15
+      {{- with .Values.konnectivityAgent.sidecars }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
+      serviceAccountName: konnectivity-agent
+      volumes:
+      - name: konnectivity-agent-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              path: konnectivity-agent-token
+              audience: system:konnectivity-server
+      {{- with .Values.konnectivityAgent.extraVolumes }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}

deploy/helm/kubernetes/manifests/konnectivity-agent-rbac.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: konnectivity-agent
+  namespace: kube-system
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile

deploy/helm/kubernetes/manifests/konnectivity-server-rbac.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:konnectivity-server
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: User
+    name: system:konnectivity-server

deploy/helm/kubernetes/scripts/configure-cluster.sh

@@ -42,25 +42,36 @@ fi
 # generate cluster-admin kubeconfig
 rm -f /etc/kubernetes/admin.conf
 kubeadm init phase kubeconfig admin --config kubeadmcfg.yaml
-kubectl --kubeconfig=/etc/kubernetes/admin.conf config set clusters.kubernetes.server "https://${FULL_NAME}-apiserver:6443"
+kubectl --kubeconfig=/etc/kubernetes/admin.conf config set-cluster kubernetes --server "https://${FULL_NAME}-apiserver:6443"
 kubectl create secret generic "${FULL_NAME}-admin-conf" --from-file=/etc/kubernetes/admin.conf --dry-run=client -o yaml | kubectl apply -f -
 
 {{- if .Values.controllerManager.enabled }}{{"\n"}}
 # generate controller-manager kubeconfig
 rm -f /etc/kubernetes/controller-manager.conf
 kubeadm init phase kubeconfig controller-manager --config kubeadmcfg.yaml
-kubectl --kubeconfig=/etc/kubernetes/controller-manager.conf config set clusters.kubernetes.server "https://${FULL_NAME}-apiserver:6443"
+kubectl --kubeconfig=/etc/kubernetes/controller-manager.conf config set-cluster kubernetes --server "https://${FULL_NAME}-apiserver:6443"
 kubectl create secret generic "${FULL_NAME}-controller-manager-conf" --from-file=/etc/kubernetes/controller-manager.conf --dry-run=client -o yaml | kubectl apply -f -
 {{- end }}
 
 {{- if .Values.scheduler.enabled }}{{"\n"}}
 # generate scheduler kubeconfig
 rm -f /etc/kubernetes/scheduler.conf
 kubeadm init phase kubeconfig scheduler --config kubeadmcfg.yaml
-kubectl --kubeconfig=/etc/kubernetes/scheduler.conf config set clusters.kubernetes.server "https://${FULL_NAME}-apiserver:6443"
+kubectl --kubeconfig=/etc/kubernetes/scheduler.conf config set-cluster kubernetes --server "https://${FULL_NAME}-apiserver:6443"
 kubectl create secret generic "${FULL_NAME}-scheduler-conf" --from-file=/etc/kubernetes/scheduler.conf --dry-run=client -o yaml | kubectl apply -f -
 {{- end }}
 
+{{- if .Values.konnectivityServer.enabled }}{{"\n"}}
+# generate konnectivity-server kubeconfig
+openssl req -subj "/CN=system:konnectivity-server" -new -newkey rsa:2048 -nodes -out konnectivity.csr -keyout konnectivity.key -out konnectivity.csr
+openssl x509 -req -in konnectivity.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out konnectivity.crt -days 375 -sha256
+kubectl --kubeconfig /etc/kubernetes/konnectivity-server.conf config set-credentials system:konnectivity-server --client-certificate konnectivity.crt --client-key konnectivity.key --embed-certs=true
+kubectl --kubeconfig /etc/kubernetes/konnectivity-server.conf config set-cluster kubernetes --server "https://${FULL_NAME}-apiserver:6443" --certificate-authority /etc/kubernetes/pki/ca.crt --embed-certs=true
+kubectl --kubeconfig /etc/kubernetes/konnectivity-server.conf config set-context system:konnectivity-server@kubernetes --cluster kubernetes --user system:konnectivity-server
+kubectl --kubeconfig /etc/kubernetes/konnectivity-server.conf config use-context system:konnectivity-server@kubernetes
+kubectl create secret generic "${FULL_NAME}-konnectivity-server-conf" --from-file=/etc/kubernetes/konnectivity-server.conf --dry-run=client -o yaml | kubectl apply -f -
+{{- end }}
+
 # wait for cluster
 echo "Waiting for api-server endpoint ${FULL_NAME}-apiserver:6443..."
 until kubectl --kubeconfig /etc/kubernetes/admin.conf cluster-info >/dev/null 2>/dev/null; do
@@ -91,6 +102,21 @@ kubectl --kubeconfig "$tmp/kubeconfig" config set clusters..certificate-authorit
 kubectl create configmap cluster-info --from-file="$tmp/kubeconfig" --dry-run=client -o yaml | kubectl --kubeconfig /etc/kubernetes/admin.conf apply -n kube-public -f -
 rm -rf "$tmp"
 
+{{- if .Values.konnectivityServer.enabled }}{{"\n"}}
+# install konnectivity server
+kubectl --kubeconfig /etc/kubernetes/admin.conf apply -f /manifests/konnectivity-server-rbac.yaml
+{{- else }}{{"\n"}}
+kubectl --kubeconfig /etc/kubernetes/admin.conf delete clusterrolebinding/system:konnectivity-server 2>/dev/null || true
+{{- end }}
+
+{{- if .Values.konnectivityAgent.enabled }}{{"\n"}}
+# install konnectivity agent
+kubectl --kubeconfig /etc/kubernetes/admin.conf apply -f /manifests/konnectivity-agent-deployment.yaml -f /manifests/konnectivity-agent-rbac.yaml
+{{- else }}{{"\n"}}
+# uninstall konnectivity agent
+kubectl --kubeconfig /etc/kubernetes/admin.conf -n kube-system delete deployment/konnectivity-agent serviceaccount/konnectivity-agent 2>/dev/null || true
+{{- end }}
+
 {{- if .Values.coredns.enabled }}{{"\n"}}
 # install coredns addon
 kubeadm init phase addon coredns --config /config/kubeadmcfg.yaml

deploy/helm/kubernetes/templates/apiserver-config.yaml

@@ -0,0 +1,31 @@
+{{- $fullName := include "kubernetes.fullname" . -}}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ $fullName }}-apiserver-config
+data:
+  egress-selector-configuration.yaml: |
+    apiVersion: apiserver.k8s.io/v1beta1
+    kind: EgressSelectorConfiguration
+    egressSelections:
+    - name: cluster
+      connection:
+        {{- if and .Values.konnectivityServer.enabled }}
+        proxyProtocol: HTTPConnect
+        transport:
+          tcp:
+            url: "https://{{ $fullName }}-konnectivity-server:8131"
+            TLSConfig:
+              caBundle: /pki/konnectivity-client/ca.crt
+              clientKey: /pki/konnectivity-client/tls.key
+              clientCert: /pki/konnectivity-client/tls.crt
+        {{- else }}
+        proxyProtocol: Direct
+        {{- end }}
+    - name: master
+      connection:
+        proxyProtocol: Direct
+    - name: etcd
+      connection:
+        proxyProtocol: Direct

deploy/helm/kubernetes/templates/apiserver-deployment.yaml

@@ -26,10 +26,11 @@ spec:
         {{- with .Values.apiServer.podLabels }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
-      {{- with .Values.apiServer.podAnnotations }}
       annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/apiserver-config.yaml") . | sha256sum }}
+        {{- with .Values.apiServer.podAnnotations }}
         {{- toYaml . | nindent 8 }}
-      {{- end }}
+        {{- end }}
     spec:
       {{- with .Values.apiServer.nodeSelector }}
       nodeSelector:
@@ -77,6 +78,12 @@ spec:
         - --service-cluster-ip-range={{ .Values.apiServer.serviceClusterIPRange }}
         - --tls-cert-file=/pki/apiserver/tls.crt
         - --tls-private-key-file=/pki/apiserver/tls.key
+        - --egress-selector-config-file=/etc/kubernetes/egress-selector-configuration.yaml
+        {{- if .Values.konnectivityAgent.enabled }}{{"\n"}}
+        - --service-account-issuer=api
+        - --service-account-signing-key-file=/pki/sa/sa.key
+        - --api-audiences=system:konnectivity-server
+        {{- end }}
         {{- if not (hasKey .Values.apiServer.extraArgs "advertise-address") }}
         {{- with .Values.apiServer.service.loadBalancerIP }}
         - --advertise-address={{ . }}
@@ -106,6 +113,8 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
         volumeMounts:
+        - mountPath: /etc/kubernetes
+          name: apiserver-config
         - mountPath: /pki/front-proxy-client
           name: pki-front-proxy-client
         - mountPath: /pki/apiserver
@@ -116,13 +125,20 @@ spec:
           name: pki-apiserver-kubelet-client
         - mountPath: /pki/sa
           name: pki-sa
+        {{- if .Values.konnectivityServer.enabled }}{{"\n"}}
+        - mountPath: /pki/konnectivity-client
+          name: pki-konnectivity-client
+        {{- end }}
         {{- with .Values.apiServer.extraVolumeMounts }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
       {{- with .Values.apiServer.sidecars }}
       {{- toYaml . | nindent 6 }}
       {{- end }}
       volumes:
+      - configMap:
+          name: "{{ $fullName }}-apiserver-config"
+        name: apiserver-config
       - secret:
           secretName: "{{ $fullName }}-pki-front-proxy-client"
         name: pki-front-proxy-client
@@ -141,6 +157,11 @@ spec:
       - secret:
           secretName: "{{ $fullName }}-pki-sa"
         name: pki-sa
+      {{- if .Values.konnectivityServer.enabled }}{{"\n"}}
+      - secret:
+          secretName: "{{ $fullName }}-pki-konnectivity-client"
+        name: pki-konnectivity-client
+      {{- end }}
       {{- with .Values.apiServer.extraVolumes }}
       {{- toYaml . | nindent 6 }}
       {{- end }}

deploy/helm/kubernetes/templates/apiserver-service.yaml

@@ -10,10 +10,13 @@ metadata:
     {{- with .Values.apiServer.service.labels }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
-  {{- with .Values.apiServer.service.annotations }}
   annotations:
+    {{- if not (index .Values.apiServer.service.annotations "metallb.universe.tf/allow-shared-ip") }}
+    metallb.universe.tf/allow-shared-ip: {{ $fullName }}
+    {{- end }}
+    {{- with .Values.apiServer.service.annotations }}
     {{- toYaml . | nindent 4 }}
-  {{- end }}
+    {{- end }}
 spec:
   type: {{ .Values.apiServer.service.type }}
   {{- with .Values.apiServer.service.loadBalancerIP }}

deploy/helm/kubernetes/templates/konnectivity-certs.yaml

@@ -0,0 +1,88 @@
+{{- if and .Values.konnectivityServer.enabled }}
+{{- $fullName := include "kubernetes.fullname" . -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: "{{ $fullName }}-pki-konnectivity-ca"
+spec:
+  commonName: "{{ $fullName }}-pki-konnectivity-ca"
+  secretName: "{{ $fullName }}-pki-konnectivity-ca"
+  duration: 87600h # 3650d
+  renewBefore: 8760h # 365d
+  subject:
+    organizations:
+    - "{{ $fullName }}"
+  usages:
+  - "signing"
+  - "key encipherment"
+  - "cert sign"
+  isCA: true
+  issuerRef:
+    name: "{{ $fullName }}-selfsigning-issuer"
+    kind: Issuer
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: "{{ $fullName }}-konnectivity-issuer"
+spec:
+  ca:
+    secretName: "{{ $fullName }}-pki-konnectivity-ca"
+---
+{{- $svcName1 := printf "%s-konnectivity-server" $fullName }}
+{{- $svcName2 := printf "%s-konnectivity-server.%s" $fullName .Release.Namespace }}
+{{- $svcName3 := printf "%s-konnectivity-server.%s.svc" $fullName .Release.Namespace }}
+{{- $podName1 := printf "*.%s-konnectivity-server" $fullName }}
+{{- $podName2 := printf "*.%s-konnectivity-server.%s" $fullName .Release.Namespace }}
+{{- $podName3 := printf "*.%s-konnectivity-server.%s.svc" $fullName .Release.Namespace }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: "{{ $fullName }}-pki-konnectivity-server"
+spec:
+  commonName: "{{ $fullName }}-pki-konnectivity-server"
+  secretName: "{{ $fullName }}-pki-konnectivity-server"
+  duration: 8760h # 365d
+  renewBefore: 4380h # 178d
+  subject:
+    organizations:
+    - "{{ $fullName }}"
+  usages:
+  - "signing"
+  - "key encipherment"
+  - "server auth"
+  dnsNames:
+  - "{{ $svcName1 }}"
+  - "{{ $svcName2 }}"
+  - "{{ $svcName3 }}"
+  - "{{ $podName1 }}"
+  - "{{ $podName2 }}"
+  - "{{ $podName3 }}"
+  - "localhost"
+  ipAddresses:
+  - "127.0.0.1"
+  issuerRef:
+    name: "{{ $fullName }}-konnectivity-issuer"
+    kind: Issuer
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: "{{ $fullName }}-pki-konnectivity-client"
+spec:
+  commonName: "{{ $fullName }}-pki-konnectivity-client"
+  secretName: "{{ $fullName }}-pki-konnectivity-client"
+  duration: 8760h # 365d
+  renewBefore: 4380h # 178d
+  subject:
+    organizations:
+    - "system:masters"
+  usages:
+  - "signing"
+  - "key encipherment"
+  - "client auth"
+  issuerRef:
+    name: "{{ $fullName }}-konnectivity-issuer"
+    kind: Issuer
+{{- end }}