Fix egress interfaces script to work on IPI clusters

We adjust the script to use the external API DNS record (api.<cluster-domain>) instead of api-int, so that it works without any problems on IPI clusters which provide the api-int record via in-cluster CoreDNS which isn't running yet before the kubelet is started.
appuio · Sep 2, 2024 · 0425f8a · 0425f8a
1 parent 9511c13
commit 0425f8a
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 5 deletions.
diff --git a/component/scripts/create-egress-interfaces.sh b/component/scripts/create-egress-interfaces.sh
@@ -2,9 +2,18 @@
 
 set -eo pipefail
 
-export KUBECONFIG="%(kubelet_kubeconfig)s"
+readonly patched_kubeconfig="/tmp/kubeconfig"
 
-readonly shadow_data=$(kubectl -n "%(cm_namespace)s" get configmap "%(cm_name)s" -ojsonpath="{.data.${HOSTNAME}}")
+# Patch node kubeconfig to use api.<cluster-domain> instead of
+# `api-int.<cluster-domain>` so that the script works on clusters which
+# provide the api-int record via in-cluster CoreDNS. This assumes that the
+# public API endpoint has a certificate that's issued by a public CA that's
+# part of the node's trusted CA certs.
+sed -e 's/api-int/api/;/certificate-authority-data/d' "%(kubelet_kubeconfig)s" > "$patched_kubeconfig"
+export KUBECONFIG="${patched_kubeconfig}"
+
+shadow_data=$(kubectl -n "%(cm_namespace)s" get configmap "%(cm_name)s" -ojsonpath="{.data.${HOSTNAME}}")
+readonly shadow_data
 
 for prefix in $(echo "$shadow_data" | jq -r '.|keys[]'); do
   base=$(echo "$shadow_data" | jq -r ".${prefix}.base")
@@ -20,4 +29,6 @@ for prefix in $(echo "$shadow_data" | jq -r '.|keys[]'); do
   done
 done
 
+rm "${patched_kubeconfig}"
+
 exit 0
diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc
@@ -470,6 +470,16 @@ The script uses the file indicated in field `nodeKubeconfig` to fetch the Config
 If the default value is used, the script will use the node's Kubelet kubeconfig to access the cluster.
 To ensure the Kubelet can access the configmap, users should ensure that a pod which mounts the ConfigMap is running on the node.
 
+[NOTE]
+====
+The script will apply the following changes to the provided kubeconfig:
+
+* Occurrences of `api-int` will be replaced with `api` (once per line)
+* Lines containing the string `certificate-authority-data` will be deleted
+
+This is done to ensure that the script works correctly on IPI clusters which only provide the `api-int` DNS record via the in-cluster CoreDNS which isn't running before the kubelet is started.
+====
+
 [TIP]
 ====
 Component cilium can deploy a suitable ConfigMap and DaemonSets which ensure that the Kubelets on all nodes that need to create egress dummy interfaces can access the ConfigMap.

diff --git a/tests/golden/machineconfig/openshift4-nodes/openshift4-nodes/30_egress_interfaces.yaml b/tests/golden/machineconfig/openshift4-nodes/openshift4-nodes/30_egress_interfaces.yaml
@@ -7,9 +7,18 @@ metadata:
 
       set -eo pipefail
 
-      export KUBECONFIG="/var/lib/kubelet/kubeconfig"
+      readonly patched_kubeconfig="/tmp/kubeconfig"
 
-      readonly shadow_data=$(kubectl -n "cilium" get configmap "eip-shadow-ranges" -ojsonpath="{.data.${HOSTNAME}}")
+      # Patch node kubeconfig to use api.<cluster-domain> instead of
+      # `api-int.<cluster-domain>` so that the script works on clusters which
+      # provide the api-int record via in-cluster CoreDNS. This assumes that the
+      # public API endpoint has a certificate that's issued by a public CA that's
+      # part of the node's trusted CA certs.
+      sed -e 's/api-int/api/;/certificate-authority-data/d' "/var/lib/kubelet/kubeconfig" > "$patched_kubeconfig"
+      export KUBECONFIG="${patched_kubeconfig}"
+
+      shadow_data=$(kubectl -n "cilium" get configmap "eip-shadow-ranges" -ojsonpath="{.data.${HOSTNAME}}")
+      readonly shadow_data
 
       for prefix in $(echo "$shadow_data" | jq -r '.|keys[]'); do
         base=$(echo "$shadow_data" | jq -r ".${prefix}.base")
@@ -25,6 +34,8 @@ metadata:
         done
       done
 
+      rm "${patched_kubeconfig}"
+
       exit 0
   labels:
     app.kubernetes.io/component: openshift4-nodes
@@ -40,7 +51,7 @@ spec:
     storage:
       files:
         - contents:
-            source: data:text/plain;charset=utf-8;base64,IyEvYmluL2Jhc2gKCnNldCAtZW8gcGlwZWZhaWwKCmV4cG9ydCBLVUJFQ09ORklHPSIvdmFyL2xpYi9rdWJlbGV0L2t1YmVjb25maWciCgpyZWFkb25seSBzaGFkb3dfZGF0YT0kKGt1YmVjdGwgLW4gImNpbGl1bSIgZ2V0IGNvbmZpZ21hcCAiZWlwLXNoYWRvdy1yYW5nZXMiIC1vanNvbnBhdGg9InsuZGF0YS4ke0hPU1ROQU1FfX0iKQoKZm9yIHByZWZpeCBpbiAkKGVjaG8gIiRzaGFkb3dfZGF0YSIgfCBqcSAtciAnLnxrZXlzW10nKTsgZG8KICBiYXNlPSQoZWNobyAiJHNoYWRvd19kYXRhIiB8IGpxIC1yICIuJHtwcmVmaXh9LmJhc2UiKQogIGZyb209JChlY2hvICIkc2hhZG93X2RhdGEiIHwganEgLXIgIi4ke3ByZWZpeH0uZnJvbSIpCiAgdG89JChlY2hvICIkc2hhZG93X2RhdGEiIHwganEgLXIgIi4ke3ByZWZpeH0udG8iKQogIGVjaG8gIkNvbmZpZ3VyaW5nIGR1bW15IGludGVyZmFjZXMgZm9yIGVncmVzcyByYW5nZSAke3ByZWZpeH06IGJhc2U9JHtiYXNlfSwgZnJvbT0ke2Zyb219LCB0bz0ke3RvfSIKICBmb3Igc3VmZml4IGluICQoc2VxICIkZnJvbSIgIiR0byIpOyBkbwogICAgaWR4PSQoKCIkc3VmZml4IiAtICIkZnJvbSIpKQogICAgaWZhY2U9IiR7cHJlZml4fV8ke2lkeH0iCiAgICBpcCBsIGRlbCAiJGlmYWNlIiAyPi9kZXYvbnVsbCB8fCB0cnVlCiAgICBpcCBsIGFkZCAiJGlmYWNlIiB0eXBlIGR1bW15CiAgICBpcCBhIGFkZCAiJHtiYXNlfS4ke3N1ZmZpeH0iIGRldiAiJGlmYWNlIgogIGRvbmUKZG9uZQoKZXhpdCAwCg==
+            source: data:text/plain;charset=utf-8;base64,IyEvYmluL2Jhc2gKCnNldCAtZW8gcGlwZWZhaWwKCnJlYWRvbmx5IHBhdGNoZWRfa3ViZWNvbmZpZz0iL3RtcC9rdWJlY29uZmlnIgoKIyBQYXRjaCBub2RlIGt1YmVjb25maWcgdG8gdXNlIGFwaS48Y2x1c3Rlci1kb21haW4+IGluc3RlYWQgb2YKIyBgYXBpLWludC48Y2x1c3Rlci1kb21haW4+YCBzbyB0aGF0IHRoZSBzY3JpcHQgd29ya3Mgb24gY2x1c3RlcnMgd2hpY2gKIyBwcm92aWRlIHRoZSBhcGktaW50IHJlY29yZCB2aWEgaW4tY2x1c3RlciBDb3JlRE5TLiBUaGlzIGFzc3VtZXMgdGhhdCB0aGUKIyBwdWJsaWMgQVBJIGVuZHBvaW50IGhhcyBhIGNlcnRpZmljYXRlIHRoYXQncyBpc3N1ZWQgYnkgYSBwdWJsaWMgQ0EgdGhhdCdzCiMgcGFydCBvZiB0aGUgbm9kZSdzIHRydXN0ZWQgQ0EgY2VydHMuCnNlZCAtZSAncy9hcGktaW50L2FwaS87L2NlcnRpZmljYXRlLWF1dGhvcml0eS1kYXRhL2QnICIvdmFyL2xpYi9rdWJlbGV0L2t1YmVjb25maWciID4gIiRwYXRjaGVkX2t1YmVjb25maWciCmV4cG9ydCBLVUJFQ09ORklHPSIke3BhdGNoZWRfa3ViZWNvbmZpZ30iCgpzaGFkb3dfZGF0YT0kKGt1YmVjdGwgLW4gImNpbGl1bSIgZ2V0IGNvbmZpZ21hcCAiZWlwLXNoYWRvdy1yYW5nZXMiIC1vanNvbnBhdGg9InsuZGF0YS4ke0hPU1ROQU1FfX0iKQpyZWFkb25seSBzaGFkb3dfZGF0YQoKZm9yIHByZWZpeCBpbiAkKGVjaG8gIiRzaGFkb3dfZGF0YSIgfCBqcSAtciAnLnxrZXlzW10nKTsgZG8KICBiYXNlPSQoZWNobyAiJHNoYWRvd19kYXRhIiB8IGpxIC1yICIuJHtwcmVmaXh9LmJhc2UiKQogIGZyb209JChlY2hvICIkc2hhZG93X2RhdGEiIHwganEgLXIgIi4ke3ByZWZpeH0uZnJvbSIpCiAgdG89JChlY2hvICIkc2hhZG93X2RhdGEiIHwganEgLXIgIi4ke3ByZWZpeH0udG8iKQogIGVjaG8gIkNvbmZpZ3VyaW5nIGR1bW15IGludGVyZmFjZXMgZm9yIGVncmVzcyByYW5nZSAke3ByZWZpeH06IGJhc2U9JHtiYXNlfSwgZnJvbT0ke2Zyb219LCB0bz0ke3RvfSIKICBmb3Igc3VmZml4IGluICQoc2VxICIkZnJvbSIgIiR0byIpOyBkbwogICAgaWR4PSQoKCIkc3VmZml4IiAtICIkZnJvbSIpKQogICAgaWZhY2U9IiR7cHJlZml4fV8ke2lkeH0iCiAgICBpcCBsIGRlbCAiJGlmYWNlIiAyPi9kZXYvbnVsbCB8fCB0cnVlCiAgICBpcCBsIGFkZCAiJGlmYWNlIiB0eXBlIGR1bW15CiAgICBpcCBhIGFkZCAiJHtiYXNlfS4ke3N1ZmZpeH0iIGRldiAiJGlmYWNlIgogIGRvbmUKZG9uZQoKcm0gIiR7cGF0Y2hlZF9rdWJlY29uZmlnfSIKCmV4aXQgMAo=
           mode: 493
           path: /usr/local/bin/appuio-create-egress-interfaces.sh
     systemd: