Merge pull request #167 from gyliu513/agg-api

✨ Enabled Aggregate API for Virtual Cluster

Author: k8s-ci-robot

virtualcluster/config/sampleswithspec/clusterversion_v1_loadbalancer.yaml

@@ -159,6 +159,14 @@ spec:
               - --enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
               - --apiserver-count=1
               - --endpoint-reconciler-type=master-count
+              - --enable-aggregator-routing=true
+              - --requestheader-client-ca-file=/etc/kubernetes/pki/root/tls.crt
+              - --requestheader-allowed-names=""
+              - --requestheader-username-headers=X-Remote-User
+              - --requestheader-group-headers=X-Remote-Group
+              - --requestheader-extra-headers-prefix=X-Remote-Extra-
+              - --proxy-client-key-file=/etc/kubernetes/pki/frontproxy/tls.key
+              - --proxy-client-cert-file=/etc/kubernetes/pki/frontproxy/tls.crt
               - --v=2
               ports:
               - containerPort: 6443
@@ -185,6 +193,9 @@ spec:
               - mountPath: /etc/kubernetes/pki/apiserver
                 name: apiserver-ca
                 readOnly: true
+              - mountPath: /etc/kubernetes/pki/frontproxy
+                name: front-proxy-ca
+                readOnly: true
               - mountPath: /etc/kubernetes/pki/root
                 name: root-ca
                 readOnly: true
@@ -205,6 +216,10 @@ spec:
               secret:
                 defaultMode: 420
                 secretName: root-ca
+            - name: front-proxy-ca
+              secret:
+                defaultMode: 420
+                secretName: front-proxy-ca
             - name: serviceaccount-rsa
               secret:
                 defaultMode: 420

virtualcluster/config/sampleswithspec/clusterversion_v1_nodeport.yaml

@@ -165,6 +165,14 @@ spec:
               - --enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
               - --apiserver-count=1
               - --endpoint-reconciler-type=master-count
+              - --enable-aggregator-routing=true
+              - --requestheader-client-ca-file=/etc/kubernetes/pki/root/tls.crt
+              - --requestheader-allowed-names=""
+              - --requestheader-username-headers=X-Remote-User
+              - --requestheader-group-headers=X-Remote-Group
+              - --requestheader-extra-headers-prefix=X-Remote-Extra-
+              - --proxy-client-key-file=/etc/kubernetes/pki/frontproxy/tls.key
+              - --proxy-client-cert-file=/etc/kubernetes/pki/frontproxy/tls.crt
               - --v=2
               ports:
               - containerPort: 6443
@@ -191,6 +199,9 @@ spec:
               - mountPath: /etc/kubernetes/pki/apiserver
                 name: apiserver-ca
                 readOnly: true
+              - mountPath: /etc/kubernetes/pki/frontproxy
+                name: front-proxy-ca
+                readOnly: true
               - mountPath: /etc/kubernetes/pki/root
                 name: root-ca
                 readOnly: true
@@ -211,6 +222,10 @@ spec:
               secret:
                 defaultMode: 420
                 secretName: root-ca
+            - name: front-proxy-ca
+              secret:
+                defaultMode: 420
+                secretName: front-proxy-ca
             - name: serviceaccount-rsa
               secret:
                 defaultMode: 420

virtualcluster/pkg/controller/controllers/provisioner/provisioner_native.go

@@ -218,6 +218,9 @@ func (mpn *ProvisionerNative) createPKISecrets(caGroup *vcpki.ClusterCAGroup, na
 	// create secret for etcd crt/key pair
 	etcdSrt := secret.CrtKeyPairToSecret(secret.ETCDCASecretName,
 		namespace, caGroup.ETCD)
+	// create secret for front proxy crt/key pair
+	frontProxySrt := secret.CrtKeyPairToSecret(secret.FrontProxyCASecretName,
+		namespace, caGroup.FrontProxy)
 	// create secret for controller manager kubeconfig
 	ctrlMgrSrt := secret.KubeconfigToSecret(secret.ControllerManagerSecretName,
 		namespace, caGroup.CtrlMgrKbCfg)
@@ -230,7 +233,7 @@ func (mpn *ProvisionerNative) createPKISecrets(caGroup *vcpki.ClusterCAGroup, na
 	if err != nil {
 		return err
 	}
-	secrets := []*v1.Secret{rootSrt, apiserverSrt, etcdSrt,
+	secrets := []*v1.Secret{rootSrt, apiserverSrt, etcdSrt, frontProxySrt,
 		ctrlMgrSrt, adminSrt, svcActSrt}
 
 	// create all secrets on metacluster
@@ -287,6 +290,13 @@ func (mpn *ProvisionerNative) createPKI(vc *tenancyv1alpha1.VirtualCluster, cv *
 	}
 	caGroup.ETCD = etcdCAPair
 
+	// create crt, key for frontendproxy
+	frontProxyCAPair, frontProxyCrtErr := vcpki.NewFrontProxyClientCertAndKey(rootCAPair)
+	if frontProxyCrtErr != nil {
+		return frontProxyCrtErr
+	}
+	caGroup.FrontProxy = frontProxyCAPair
+
 	clusterIP := ""
 	if isClusterIP {
 		var err error

virtualcluster/pkg/controller/pki/pki.go

@@ -44,6 +44,7 @@ type ClusterCAGroup struct {
 	RootCA                   *CrtKeyPair
 	APIServer                *CrtKeyPair
 	ETCD                     *CrtKeyPair
+	FrontProxy               *CrtKeyPair
 	CtrlMgrKbCfg             string // the kubeconfig used by controller-manager
 	AdminKbCfg               string // the kubeconfig used by admin user
 	ServiceAccountPrivateKey *rsa.PrivateKey

virtualcluster/pkg/controller/secret/secret.go

@@ -30,6 +30,7 @@ const (
 	RootCASecretName            = "root-ca"
 	APIServerCASecretName       = "apiserver-ca"
 	ETCDCASecretName            = "etcd-ca"
+	FrontProxyCASecretName      = "front-proxy-ca"
 	ControllerManagerSecretName = "controller-manager-kubeconfig"
 	AdminSecretName             = "admin-kubeconfig"
 	ServiceAccountSecretName    = "serviceaccount-rsa"