Controller changes

Author: Karthik-K-N

controllers/clustercache/cluster_accessor.go

@@ -18,7 +18,7 @@ package clustercache
 
 import (
 	"context"
-	"crypto/rsa"
+	"crypto"
 	"fmt"
 	"sync"
 	"time"
@@ -165,7 +165,7 @@ type clusterAccessorLockedState struct {
 	// cert to communicate with etcd.
 	// This private key is stored and cached in the ClusterCache because it's expensive to generate a new
 	// private key in every single Reconcile.
-	clientCertificatePrivateKey *rsa.PrivateKey
+	clientCertificatePrivateKey crypto.Signer
 
 	// healthChecking holds the health checking state (e.g. lastProbeSuccessTime, consecutiveFailures)
 	// of the clusterAccessor.
@@ -286,7 +286,7 @@ func (ca *clusterAccessor) Connect(ctx context.Context) (retErr error) {
 	// private key generation fails because we check Connected above.
 	if ca.lockedState.clientCertificatePrivateKey == nil {
 		log.V(6).Info("Generating client certificate private key")
-		clientCertificatePrivateKey, err := certs.NewPrivateKey()
+		clientCertificatePrivateKey, err := certs.NewPrivateKey("")
 		if err != nil {
 			return errors.Wrapf(err, "error creating client certificate private key")
 		}
@@ -435,7 +435,7 @@ func (ca *clusterAccessor) GetRESTConfig(ctx context.Context) (*rest.Config, err
 	return ca.lockedState.connection.restConfig, nil
 }
 
-func (ca *clusterAccessor) GetClientCertificatePrivateKey(ctx context.Context) *rsa.PrivateKey {
+func (ca *clusterAccessor) GetClientCertificatePrivateKey(ctx context.Context) crypto.Signer {
 	ca.rLock(ctx)
 	defer ca.rUnlock(ctx)
 

controllers/clustercache/cluster_cache.go

@@ -18,7 +18,7 @@ package clustercache
 
 import (
 	"context"
-	"crypto/rsa"
+	"crypto"
 	"fmt"
 	"os"
 	"strings"
@@ -150,7 +150,7 @@ type ClusterCache interface {
 	//
 	// Deprecated: This method is deprecated and will be removed in a future release as caching a rsa.PrivateKey
 	// is outside the scope of the ClusterCache.
-	GetClientCertificatePrivateKey(ctx context.Context, cluster client.ObjectKey) (*rsa.PrivateKey, error)
+	GetClientCertificatePrivateKey(ctx context.Context, cluster client.ObjectKey) (crypto.Signer, error)
 
 	// Watch watches a workload cluster for events.
 	// Each unique watch (by input.Name) is only added once after a Connect (otherwise we return early).
@@ -417,7 +417,7 @@ func (cc *clusterCache) GetRESTConfig(ctx context.Context, cluster client.Object
 	return accessor.GetRESTConfig(ctx)
 }
 
-func (cc *clusterCache) GetClientCertificatePrivateKey(ctx context.Context, cluster client.ObjectKey) (*rsa.PrivateKey, error) {
+func (cc *clusterCache) GetClientCertificatePrivateKey(ctx context.Context, cluster client.ObjectKey) (crypto.Signer, error) {
 	accessor := cc.getClusterAccessor(cluster)
 	if accessor == nil {
 		return nil, errors.New("error getting client certificate private key: private key was not generated yet")

controlplane/kubeadm/internal/cluster.go

@@ -30,6 +30,7 @@ import (
 	"k8s.io/client-go/rest"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
+	bootstrapv1 "sigs.k8s.io/cluster-api/api/bootstrap/kubeadm/v1beta2"
 	clusterv1 "sigs.k8s.io/cluster-api/api/core/v1beta2"
 	"sigs.k8s.io/cluster-api/controllers/clustercache"
 	"sigs.k8s.io/cluster-api/util/cache"
@@ -43,7 +44,7 @@ type ManagementCluster interface {
 
 	GetMachinesForCluster(ctx context.Context, cluster *clusterv1.Cluster, filters ...collections.Func) (collections.Machines, error)
 	GetMachinePoolsForCluster(ctx context.Context, cluster *clusterv1.Cluster) (*clusterv1.MachinePoolList, error)
-	GetWorkloadCluster(ctx context.Context, clusterKey client.ObjectKey) (WorkloadCluster, error)
+	GetWorkloadCluster(ctx context.Context, clusterKey client.ObjectKey, keyEncryptionAlgorithm bootstrapv1.EncryptionAlgorithmType) (WorkloadCluster, error)
 }
 
 // Management holds operations on the management cluster.
@@ -59,13 +60,14 @@ type Management struct {
 
 // ClientCertEntry is an Entry for the Cache that stores the client cert.
 type ClientCertEntry struct {
-	Cluster    client.ObjectKey
-	ClientCert *tls.Certificate
+	Cluster             client.ObjectKey
+	ClientCert          *tls.Certificate
+	EncryptionAlgorithm bootstrapv1.EncryptionAlgorithmType
 }
 
 // Key returns the cache key of a ClientCertEntry.
 func (r ClientCertEntry) Key() string {
-	return r.Cluster.String()
+	return fmt.Sprintf("%s/%s", r.Cluster.String(), r.EncryptionAlgorithm)
 }
 
 // RemoteClusterConnectionError represents a failure to connect to a remote cluster.
@@ -77,7 +79,7 @@ type RemoteClusterConnectionError struct {
 // Error satisfies the error interface.
 func (e *RemoteClusterConnectionError) Error() string { return e.Name + ": " + e.Err.Error() }
 
-// Unwrap satisfies the unwrap error inteface.
+// Unwrap satisfies the unwrap error interface.
 func (e *RemoteClusterConnectionError) Unwrap() error { return e.Err }
 
 // Get implements client.Reader.
@@ -111,7 +113,7 @@ func (m *Management) GetMachinePoolsForCluster(ctx context.Context, cluster *clu
 
 // GetWorkloadCluster builds a cluster object.
 // The cluster comes with an etcd client generator to connect to any etcd pod living on a managed machine.
-func (m *Management) GetWorkloadCluster(ctx context.Context, clusterKey client.ObjectKey) (WorkloadCluster, error) {
+func (m *Management) GetWorkloadCluster(ctx context.Context, clusterKey client.ObjectKey, keyEncryptionAlgorithm bootstrapv1.EncryptionAlgorithmType) (WorkloadCluster, error) {
 	// TODO(chuckha): Inject this dependency.
 	// TODO(chuckha): memoize this function. The workload client only exists as long as a reconciliation loop.
 	restConfig, err := m.ClusterCache.GetRESTConfig(ctx, clusterKey)
@@ -142,15 +144,15 @@ func (m *Management) GetWorkloadCluster(ctx context.Context, clusterKey client.O
 		// Get client cert from cache if possible, otherwise generate it and add it to the cache.
 		// TODO: When we implement ClusterConfiguration.EncryptionAlgorithm we should add it to
 		//       the ClientCertEntries and make it part of the key.
-		if entry, ok := m.ClientCertCache.Has(ClientCertEntry{Cluster: clusterKey}.Key()); ok {
+		if entry, ok := m.ClientCertCache.Has(ClientCertEntry{Cluster: clusterKey, EncryptionAlgorithm: keyEncryptionAlgorithm}.Key()); ok {
 			clientCert = *entry.ClientCert
 		} else {
 			// The client cert expires after 10 years, but that's okay as the cache has a TTL of 1 day.
-			clientCert, err = generateClientCert(crtData, keyData)
+			clientCert, err = generateClientCert(crtData, keyData, keyEncryptionAlgorithm)
 			if err != nil {
 				return nil, err
 			}
-			m.ClientCertCache.Add(ClientCertEntry{Cluster: clusterKey, ClientCert: &clientCert})
+			m.ClientCertCache.Add(ClientCertEntry{Cluster: clusterKey, ClientCert: &clientCert, EncryptionAlgorithm: keyEncryptionAlgorithm})
 		}
 	} else {
 		clientCert, err = m.getAPIServerEtcdClientCert(ctx, clusterKey)

controlplane/kubeadm/internal/control_plane.go

@@ -372,7 +372,7 @@ func (c *ControlPlane) GetWorkloadCluster(ctx context.Context) (WorkloadCluster,
 		return c.workloadCluster, nil
 	}
 
-	workloadCluster, err := c.managementCluster.GetWorkloadCluster(ctx, client.ObjectKeyFromObject(c.Cluster))
+	workloadCluster, err := c.managementCluster.GetWorkloadCluster(ctx, client.ObjectKeyFromObject(c.Cluster), c.GetKeyEncryptionAlgorithm())
 	if err != nil {
 		return nil, err
 	}
@@ -467,3 +467,8 @@ func (c *ControlPlane) StatusToLogKeyAndValues(newMachine, deletedMachine *clust
 		"etcdMembers", strings.Join(etcdMembers, ", "),
 	}
 }
+
+// GetKeyEncryptionAlgorithm returns the control plane EncryptionAlgorithm.
+func (c *ControlPlane) GetKeyEncryptionAlgorithm() bootstrapv1.EncryptionAlgorithmType {
+	return c.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.EncryptionAlgorithm
+}

controlplane/kubeadm/internal/controllers/controller.go

@@ -442,7 +442,7 @@ func (r *KubeadmControlPlaneReconciler) reconcile(ctx context.Context, controlPl
 	}
 
 	// Generate Cluster Kubeconfig if needed
-	if result, err := r.reconcileKubeconfig(ctx, controlPlane); !result.IsZero() || err != nil {
+	if result, err := r.reconcileKubeconfig(ctx, controlPlane); err != nil || !result.IsZero() {
 		if err != nil {
 			log.Error(err, "Failed to reconcile Kubeconfig")
 		}

controlplane/kubeadm/internal/controllers/helpers.go

@@ -52,7 +52,6 @@ func (r *KubeadmControlPlaneReconciler) reconcileKubeconfig(ctx context.Context,
 	if endpoint.IsZero() {
 		return ctrl.Result{}, nil
 	}
-
 	controllerOwnerRef := *metav1.NewControllerRef(controlPlane.KCP, controlplanev1.GroupVersion.WithKind(kubeadmControlPlaneKind))
 	clusterName := util.ObjectKey(controlPlane.Cluster)
 	configSecret, err := secret.GetFromNamespacedName(ctx, r.SecretCachingClient, clusterName, secret.Kubeconfig)
@@ -64,6 +63,7 @@ func (r *KubeadmControlPlaneReconciler) reconcileKubeconfig(ctx context.Context,
 			clusterName,
 			endpoint.String(),
 			controllerOwnerRef,
+			controlPlane.GetKeyEncryptionAlgorithm(),
 		)
 		if errors.Is(createErr, kubeconfig.ErrDependentCertificateNotFound) {
 			return ctrl.Result{RequeueAfter: dependentCertRequeueAfter}, nil
@@ -90,7 +90,7 @@ func (r *KubeadmControlPlaneReconciler) reconcileKubeconfig(ctx context.Context,
 
 	if needsRotation {
 		log.Info("Rotating kubeconfig secret")
-		if err := kubeconfig.RegenerateSecret(ctx, r.Client, configSecret); err != nil {
+		if err := kubeconfig.RegenerateSecret(ctx, r.Client, configSecret, controlPlane.GetKeyEncryptionAlgorithm()); err != nil {
 			return ctrl.Result{}, errors.Wrap(err, "failed to regenerate kubeconfig")
 		}
 	}

controlplane/kubeadm/internal/controllers/update.go

@@ -69,7 +69,8 @@ func (r *KubeadmControlPlaneReconciler) updateControlPlane(
 			workloadCluster.UpdateAPIServerInKubeadmConfigMap(controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.APIServer),
 			workloadCluster.UpdateControllerManagerInKubeadmConfigMap(controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.ControllerManager),
 			workloadCluster.UpdateSchedulerInKubeadmConfigMap(controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.Scheduler),
-			workloadCluster.UpdateCertificateValidityPeriodDays(controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.CertificateValidityPeriodDays))
+			workloadCluster.UpdateCertificateValidityPeriodDays(controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.CertificateValidityPeriodDays),
+			workloadCluster.UpdateEncryptionAlgorithm(controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.EncryptionAlgorithm))
 
 		// Etcd local and external are mutually exclusive and they cannot be switched, once set.
 		if controlPlane.IsEtcdManaged() {

controlplane/kubeadm/internal/controllers/upgrade.go

@@ -0,0 +1,102 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controllers
+
+import (
+	"context"
+
+	"github.com/blang/semver/v4"
+	"github.com/pkg/errors"
+	"k8s.io/klog/v2"
+	ctrl "sigs.k8s.io/controller-runtime"
+
+	bootstrapv1 "sigs.k8s.io/cluster-api/api/bootstrap/kubeadm/v1beta2"
+	controlplanev1 "sigs.k8s.io/cluster-api/api/controlplane/kubeadm/v1beta2"
+	"sigs.k8s.io/cluster-api/controlplane/kubeadm/internal"
+	"sigs.k8s.io/cluster-api/util/collections"
+)
+
+func (r *KubeadmControlPlaneReconciler) upgradeControlPlane(
+	ctx context.Context,
+	controlPlane *internal.ControlPlane,
+	machinesRequireUpgrade collections.Machines,
+) (ctrl.Result, error) {
+	log := ctrl.LoggerFrom(ctx)
+
+	// TODO: handle reconciliation of etcd members and kubeadm config in case they get out of sync with cluster
+
+	workloadCluster, err := controlPlane.GetWorkloadCluster(ctx)
+	if err != nil {
+		log.Error(err, "failed to get remote client for workload cluster", "Cluster", klog.KObj(controlPlane.Cluster))
+		return ctrl.Result{}, err
+	}
+
+	parsedVersion, err := semver.ParseTolerant(controlPlane.KCP.Spec.Version)
+	if err != nil {
+		return ctrl.Result{}, errors.Wrapf(err, "failed to parse kubernetes version %q", controlPlane.KCP.Spec.Version)
+	}
+
+	// Ensure kubeadm clusterRoleBinding for v1.29+ as per https://github.com/kubernetes/kubernetes/pull/121305
+	if err := workloadCluster.AllowClusterAdminPermissions(ctx, parsedVersion); err != nil {
+		return ctrl.Result{}, errors.Wrap(err, "failed to set cluster-admin ClusterRoleBinding for kubeadm")
+	}
+
+	kubeadmCMMutators := make([]func(*bootstrapv1.ClusterConfiguration), 0)
+
+	if controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.IsDefined() {
+		// Get the imageRepository or the correct value if nothing is set and a migration is necessary.
+		imageRepository := internal.ImageRepositoryFromClusterConfig(controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration)
+
+		kubeadmCMMutators = append(kubeadmCMMutators,
+			workloadCluster.UpdateImageRepositoryInKubeadmConfigMap(imageRepository),
+			workloadCluster.UpdateFeatureGatesInKubeadmConfigMap(controlPlane.KCP.Spec.KubeadmConfigSpec, parsedVersion),
+			workloadCluster.UpdateAPIServerInKubeadmConfigMap(controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.APIServer),
+			workloadCluster.UpdateControllerManagerInKubeadmConfigMap(controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.ControllerManager),
+			workloadCluster.UpdateSchedulerInKubeadmConfigMap(controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.Scheduler),
+			workloadCluster.UpdateCertificateValidityPeriodDays(controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.CertificateValidityPeriodDays),
+			workloadCluster.UpdateEncryptionAlgorithm(controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.EncryptionAlgorithm))
+
+		// Etcd local and external are mutually exclusive and they cannot be switched, once set.
+		if controlPlane.IsEtcdManaged() {
+			kubeadmCMMutators = append(kubeadmCMMutators,
+				workloadCluster.UpdateEtcdLocalInKubeadmConfigMap(controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.Etcd.Local))
+		} else {
+			kubeadmCMMutators = append(kubeadmCMMutators,
+				workloadCluster.UpdateEtcdExternalInKubeadmConfigMap(controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.Etcd.External))
+		}
+	}
+
+	// collectively update Kubeadm config map
+	if err = workloadCluster.UpdateClusterConfiguration(ctx, parsedVersion, kubeadmCMMutators...); err != nil {
+		return ctrl.Result{}, err
+	}
+
+	switch controlPlane.KCP.Spec.Rollout.Strategy.Type {
+	case controlplanev1.RollingUpdateStrategyType:
+		// RolloutStrategy is currently defaulted and validated to be RollingUpdate
+		// We can ignore MaxUnavailable because we are enforcing health checks before we get here.
+		maxNodes := *controlPlane.KCP.Spec.Replicas + int32(controlPlane.KCP.Spec.Rollout.Strategy.RollingUpdate.MaxSurge.IntValue())
+		if int32(controlPlane.Machines.Len()) < maxNodes {
+			// scaleUp ensures that we don't continue scaling up while waiting for Machines to have NodeRefs
+			return r.scaleUpControlPlane(ctx, controlPlane)
+		}
+		return r.scaleDownControlPlane(ctx, controlPlane, machinesRequireUpgrade)
+	default:
+		log.Info("RolloutStrategy type is not set to RollingUpdate, unable to determine the strategy for rolling out machines")
+		return ctrl.Result{}, nil
+	}
+}

controlplane/kubeadm/internal/workload_cluster.go

@@ -20,7 +20,6 @@ import (
 	"context"
 	"crypto"
 	"crypto/rand"
-	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
@@ -88,6 +87,7 @@ type WorkloadCluster interface {
 	UpdateControllerManagerInKubeadmConfigMap(controllerManager bootstrapv1.ControllerManager) func(*bootstrapv1.ClusterConfiguration)
 	UpdateSchedulerInKubeadmConfigMap(scheduler bootstrapv1.Scheduler) func(*bootstrapv1.ClusterConfiguration)
 	UpdateCertificateValidityPeriodDays(certificateValidityPeriodDays int32) func(*bootstrapv1.ClusterConfiguration)
+	UpdateEncryptionAlgorithm(encryptionAlgorithm bootstrapv1.EncryptionAlgorithmType) func(*bootstrapv1.ClusterConfiguration)
 	UpdateKubeProxyImageInfo(ctx context.Context, kcp *controlplanev1.KubeadmControlPlane) error
 	UpdateCoreDNS(ctx context.Context, kcp *controlplanev1.KubeadmControlPlane) error
 	RemoveEtcdMemberForMachine(ctx context.Context, machine *clusterv1.Machine) error
@@ -195,6 +195,13 @@ func (w *Workload) UpdateCertificateValidityPeriodDays(certificateValidityPeriod
 	}
 }
 
+// UpdateEncryptionAlgorithm updates EncryptionAlgorithmType in kubeadm config map.
+func (w *Workload) UpdateEncryptionAlgorithm(encryptionAlgorithm bootstrapv1.EncryptionAlgorithmType) func(*bootstrapv1.ClusterConfiguration) {
+	return func(c *bootstrapv1.ClusterConfiguration) {
+		c.EncryptionAlgorithm = encryptionAlgorithm
+	}
+}
+
 // UpdateClusterConfiguration gets the ClusterConfiguration kubeadm-config ConfigMap, converts it to the
 // Cluster API representation, and then applies a mutation func; if changes are detected, the
 // data are converted back into the Kubeadm API version in use for the target Kubernetes version and the
@@ -347,7 +354,7 @@ func calculateAPIServerPort(config *bootstrapv1.KubeadmConfig) int32 {
 	return 6443
 }
 
-func generateClientCert(caCertEncoded, caKeyEncoded []byte) (tls.Certificate, error) {
+func generateClientCert(caCertEncoded, caKeyEncoded []byte, keyEncryptionAlgorithm bootstrapv1.EncryptionAlgorithmType) (tls.Certificate, error) {
 	caCert, err := certs.DecodeCertPEM(caCertEncoded)
 	if err != nil {
 		return tls.Certificate{}, err
@@ -356,18 +363,22 @@ func generateClientCert(caCertEncoded, caKeyEncoded []byte) (tls.Certificate, er
 	if err != nil {
 		return tls.Certificate{}, err
 	}
-	clientKey, err := certs.NewPrivateKey()
+	clientKey, err := certs.NewPrivateKey(keyEncryptionAlgorithm)
 	if err != nil {
 		return tls.Certificate{}, err
 	}
 	x509Cert, err := newClientCert(caCert, clientKey, caKey)
 	if err != nil {
 		return tls.Certificate{}, err
 	}
-	return tls.X509KeyPair(certs.EncodeCertPEM(x509Cert), certs.EncodePrivateKeyPEM(clientKey))
+	encodedClientKey, err := certs.EncodePrivateKeyPEM(clientKey)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+	return tls.X509KeyPair(certs.EncodeCertPEM(x509Cert), encodedClientKey)
 }
 
-func newClientCert(caCert *x509.Certificate, key *rsa.PrivateKey, caKey crypto.Signer) (*x509.Certificate, error) {
+func newClientCert(caCert *x509.Certificate, key crypto.Signer, caKey crypto.Signer) (*x509.Certificate, error) {
 	cfg := certs.Config{
 		CommonName: "cluster-api.x-k8s.io",
 	}

internal/controllers/cluster/cluster_controller_phases.go

@@ -360,7 +360,7 @@ func (r *Reconciler) reconcileKubeconfig(ctx context.Context, s *scope) (ctrl.Re
 	_, err := secret.Get(ctx, r.Client, util.ObjectKey(cluster), secret.Kubeconfig)
 	switch {
 	case apierrors.IsNotFound(err):
-		if err := kubeconfig.CreateSecret(ctx, r.Client, cluster); err != nil {
+		if err := kubeconfig.CreateSecret(ctx, r.Client, cluster, ""); err != nil { // TODO(Karthik): Discuss on how to pass the keyEncryptionAlgorithm
 			if errors.Is(err, kubeconfig.ErrDependentCertificateNotFound) {
 				log.Info("Could not find secret for cluster, requeuing", "Secret", secret.ClusterCA)
 				return ctrl.Result{RequeueAfter: 30 * time.Second}, nil