Deploy external CCMs

.golangci.yml

@@ -26,3 +26,4 @@ issues:
     - "don't use underscores in Go names; func SetDefaults_ClusterNetwork should be SetDefaultsClusterNetwork"
     - "don't use underscores in Go names; func SetDefaults_Features should be SetDefaultsFeatures"
     - "don't use underscores in Go names; func SetDefaults_MachineController should be SetDefaultsMachineController"
+    - "G101: Potential hardcoded credentials"

pkg/config/cluster.go

@@ -27,6 +27,23 @@ import (
 	"github.com/pkg/errors"
 )
 
+// ENV variable names with credential in them that machine-controller expects to see
+const (
+	AWSAccessKeyID          = "AWS_ACCESS_KEY_ID"
+	AWSSecretAccessKey      = "AWS_SECRET_ACCESS_KEY"
+	DigitalOceanTokenKey    = "DO_TOKEN"
+	GoogleServiceAccountKey = "GOOGLE_SERVICE_ACCOUNT"
+	HetznerTokenKey         = "HZ_TOKEN"
+	OpenStackAuthURL        = "OS_AUTH_URL"
+	OpenStackDomainName     = "OS_DOMAIN_NAME"
+	OpenStackPassword       = "OS_PASSWORD"
+	OpenStackTenantName     = "OS_TENANT_NAME"
+	OpenStackUserName       = "OS_USER_NAME"
+	VSphereAddress          = "VSPHERE_ADDRESS"
+	VSpherePasswords        = "VSPHERE_PASSWORD"
+	VSphereUsername         = "VSPHERE_USERNAME"
+)
+
 // Cluster describes our entire configuration.
 type Cluster struct {
 	Name              string                  `json:"name"`
@@ -462,8 +479,8 @@ func (p ProviderName) ProviderCredentials() (map[string]string, error) {
 			return nil, err
 		}
 		if envCreds.AccessKeyID != "" && envCreds.SecretAccessKey != "" {
-			creds["AWS_ACCESS_KEY_ID"] = envCreds.AccessKeyID
-			creds["AWS_SECRET_ACCESS_KEY"] = envCreds.SecretAccessKey
+			creds[AWSAccessKeyID] = envCreds.AccessKeyID
+			creds[AWSSecretAccessKey] = envCreds.SecretAccessKey
 			return creds, nil
 		}
 
@@ -474,44 +491,44 @@ func (p ProviderName) ProviderCredentials() (map[string]string, error) {
 			return nil, err
 		}
 		if configCreds.AccessKeyID != "" && configCreds.SecretAccessKey != "" {
-			creds["AWS_ACCESS_KEY_ID"] = configCreds.AccessKeyID
-			creds["AWS_SECRET_ACCESS_KEY"] = configCreds.SecretAccessKey
+			creds[AWSAccessKeyID] = configCreds.AccessKeyID
+			creds[AWSSecretAccessKey] = configCreds.SecretAccessKey
 			return creds, nil
 		}
 
 		return nil, errors.New("error parsing aws credentials")
 	case ProviderNameOpenStack:
 		return parseCredentialVariables([]ProviderEnvironmentVariable{
-			{Name: "OS_AUTH_URL"},
-			{Name: "OS_USERNAME", MachineControllerName: "OS_USER_NAME"},
-			{Name: "OS_PASSWORD"},
-			{Name: "OS_DOMAIN_NAME"},
-			{Name: "OS_TENANT_NAME"},
+			{Name: OpenStackAuthURL},
+			{Name: "OS_USERNAME", MachineControllerName: OpenStackUserName},
+			{Name: OpenStackPassword},
+			{Name: OpenStackDomainName},
+			{Name: OpenStackTenantName},
 		})
 	case ProviderNameHetzner:
 		return parseCredentialVariables([]ProviderEnvironmentVariable{
-			{Name: "HCLOUD_TOKEN", MachineControllerName: "HZ_TOKEN"},
+			{Name: "HCLOUD_TOKEN", MachineControllerName: HetznerTokenKey},
 		})
 	case ProviderNameDigitalOcean:
 		return parseCredentialVariables([]ProviderEnvironmentVariable{
-			{Name: "DIGITALOCEAN_TOKEN", MachineControllerName: "DO_TOKEN"},
+			{Name: "DIGITALOCEAN_TOKEN", MachineControllerName: DigitalOceanTokenKey},
 		})
 	case ProviderNameGCE:
 		gsa, err := parseCredentialVariables([]ProviderEnvironmentVariable{
-			{Name: "GOOGLE_CREDENTIALS", MachineControllerName: "GOOGLE_SERVICE_ACCOUNT"},
+			{Name: "GOOGLE_CREDENTIALS", MachineControllerName: GoogleServiceAccountKey},
 		})
 		if err != nil {
 			return nil, errors.WithStack(err)
 		}
 		// encode it before sending to secret to be consumed by
 		// machine-controller, as machine-controller assumes it will be double encoded
-		gsa["GOOGLE_SERVICE_ACCOUNT"] = base64.StdEncoding.EncodeToString([]byte(gsa["GOOGLE_SERVICE_ACCOUNT"]))
+		gsa[GoogleServiceAccountKey] = base64.StdEncoding.EncodeToString([]byte(gsa[GoogleServiceAccountKey]))
 		return gsa, nil
 	case ProviderNameVSphere:
 		return parseCredentialVariables([]ProviderEnvironmentVariable{
-			{Name: "VSPHERE_ADDRESS"},
-			{Name: "VSPHERE_USERNAME"},
-			{Name: "VSPHERE_PASSWORD"},
+			{Name: VSphereAddress},
+			{Name: VSphereUsername},
+			{Name: VSpherePasswords},
 		})
 	}
 

pkg/installer/installation/install.go

@@ -22,6 +22,7 @@ import (
 	"github.com/kubermatic/kubeone/pkg/certificate"
 	"github.com/kubermatic/kubeone/pkg/features"
 	"github.com/kubermatic/kubeone/pkg/task"
+	"github.com/kubermatic/kubeone/pkg/templates/externalccm"
 	"github.com/kubermatic/kubeone/pkg/templates/machinecontroller"
 	"github.com/kubermatic/kubeone/pkg/util"
 )
@@ -42,9 +43,10 @@ func Install(ctx *util.Context) error {
 		{Fn: saveKubeconfig, ErrMsg: "unable to save kubeconfig to the local machine", Retries: 3},
 		{Fn: util.BuildKubernetesClientset, ErrMsg: "unable to build kubernetes clientset", Retries: 3},
 		{Fn: features.Activate, ErrMsg: "unable to activate features"},
-		{Fn: applyCanalCNI, ErrMsg: "failed to install cni plugin canal", Retries: 3},
+		{Fn: externalccm.Ensure, ErrMsg: "failed to install external CCM"},
 		{Fn: patchCoreDNS, ErrMsg: "failed to patch CoreDNS", Retries: 3},
-		{Fn: machinecontroller.EnsureMachineController, ErrMsg: "failed to install machine-controller", Retries: 3},
+		{Fn: applyCanalCNI, ErrMsg: "failed to install cni plugin canal", Retries: 3},
+		{Fn: machinecontroller.Ensure, ErrMsg: "failed to install machine-controller", Retries: 3},
 		{Fn: machinecontroller.WaitReady, ErrMsg: "failed to wait for machine-controller", Retries: 3},
 		{Fn: createWorkerMachines, ErrMsg: "failed to create worker machines", Retries: 3},
 	}

pkg/templates/externalccm/ccm.go

@@ -0,0 +1,93 @@
+/*
+Copyright 2019 The KubeOne Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package externalccm
+
+import (
+	"context"
+	"strings"
+
+	"github.com/Masterminds/semver"
+	"github.com/pkg/errors"
+
+	"github.com/kubermatic/kubeone/pkg/config"
+	"github.com/kubermatic/kubeone/pkg/util"
+
+	appsv1 "k8s.io/api/apps/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	dynclient "sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+)
+
+// Ensure external CCM deployen if Provider.External
+func Ensure(ctx *util.Context) error {
+	if !ctx.Cluster.Provider.External {
+		return nil
+	}
+
+	ctx.Logger.Info("Ensure external CCM is up to date")
+
+	switch ctx.Cluster.Provider.Name {
+	case config.ProviderNameHetzner:
+		return ensureHetzner(ctx)
+	case config.ProviderNameDigitalOcean:
+		return ensureDigitalOcean(ctx)
+	default:
+		ctx.Logger.Infof("External CCM for %q not yet supported, skipping", ctx.Cluster.Provider.Name)
+		return nil
+	}
+}
+
+func simpleCreateOrUpdate(ctx context.Context, client dynclient.Client, obj runtime.Object) error {
+	okFunc := func(runtime.Object) error { return nil }
+	_, err := controllerutil.CreateOrUpdate(ctx, client, obj, okFunc)
+	return err
+}
+
+func mutateDeploymentWithVersionCheck(want *semver.Constraints) func(obj runtime.Object) error {
+	return func(obj runtime.Object) error {
+		dep, ok := obj.(*appsv1.Deployment)
+		if !ok {
+			return errors.Errorf("unknown object type %T passed", obj)
+		}
+
+		if dep.ObjectMeta.CreationTimestamp.IsZero() {
+			// let it create deployment
+			return nil
+		}
+
+		if len(dep.Spec.Template.Spec.Containers) != 1 {
+			return errors.New("unable to choose a CCM container, as number of containers > 1")
+		}
+
+		imageSpec := strings.SplitN(dep.Spec.Template.Spec.Containers[0].Image, ":", 2)
+		if len(imageSpec) != 2 {
+			return errors.New("unable to grab CCM image version")
+		}
+
+		existing, err := semver.NewVersion(imageSpec[1])
+		if err != nil {
+			return errors.Wrap(err, "failed to parse deployed CCM version")
+		}
+
+		if !want.Check(existing) {
+			return errors.New("newer version deployed, skipping")
+		}
+
+		// OK to update the deployment
+		return nil
+	}
+}