feat: AWS CCM for Kubernetes v1.29 (#564)

dkoshkin · web-flow · commit 64e269f52ece · 2024-04-26T14:54:21.000-07:00
**What problem does this PR solve?**: Adds AWS CCM support for Kubernetes v1.29. While testing I also found an upstream change kubernetes/kubernetes#121028 and to fix that added `hostNetwork: true` to the CCM pods. Upstream CAPA templates and the Nutanix CCM already use `hostNetwork: true`, so it made sense to go with that approach here too. **Which issue(s) this PR fixes**: Fixes # **How Has This Been Tested?**:  Created an AWS v1.29.4 cluster with the following lookup envs: ``` AMI_LOOKUP_BASEOS=rocky-9.1 AMI_LOOKUP_FORMAT=konvoy-ami-{{.BaseOS}}-release-?{{.K8sVersion}}-* AMI_LOOKUP_ORG=999867407951 ``` **Special notes for your reviewer**:
diff --git a/charts/cluster-api-runtime-extensions-nutanix/templates/ccm/aws/manifests/aws-ccm-v1.27.1-configmap.yaml b/charts/cluster-api-runtime-extensions-nutanix/templates/ccm/aws/manifests/aws-ccm-v1.27.1-configmap.yaml
@@ -167,6 +167,7 @@ data:
                 cpu: 200m
             securityContext: {}
           dnsPolicy: Default
+          hostNetwork: true
           nodeSelector:
             node-role.kubernetes.io/control-plane: ""
           priorityClassName: system-node-critical
diff --git a/charts/cluster-api-runtime-extensions-nutanix/templates/ccm/aws/manifests/aws-ccm-v1.28.1-configmap.yaml b/charts/cluster-api-runtime-extensions-nutanix/templates/ccm/aws/manifests/aws-ccm-v1.28.1-configmap.yaml
@@ -167,6 +167,7 @@ data:
                 cpu: 200m
             securityContext: {}
           dnsPolicy: Default
+          hostNetwork: true
           nodeSelector:
             node-role.kubernetes.io/control-plane: ""
           priorityClassName: system-node-critical
diff --git a/charts/cluster-api-runtime-extensions-nutanix/templates/ccm/aws/manifests/aws-ccm-v1.29.2-configmap.yaml b/charts/cluster-api-runtime-extensions-nutanix/templates/ccm/aws/manifests/aws-ccm-v1.29.2-configmap.yaml
@@ -0,0 +1,189 @@
+# Copyright 2023 D2iQ, Inc. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+#=================================================================
+#                 DO NOT EDIT THIS FILE
+#  IT HAS BEEN GENERATED BY /hack/addons/update-aws-ccm.sh
+#=================================================================
+apiVersion: v1
+data:
+  aws-ccm-v1.29.2.yaml: |
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      labels:
+        helm.sh/chart: aws-cloud-controller-manager-0.0.8
+      name: cloud-controller-manager
+      namespace: kube-system
+    ---
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRole
+    metadata:
+      labels:
+        helm.sh/chart: aws-cloud-controller-manager-0.0.8
+      name: system:cloud-controller-manager
+    rules:
+    - apiGroups:
+      - ""
+      resources:
+      - events
+      verbs:
+      - create
+      - patch
+      - update
+    - apiGroups:
+      - ""
+      resources:
+      - nodes
+      verbs:
+      - '*'
+    - apiGroups:
+      - ""
+      resources:
+      - nodes/status
+      verbs:
+      - patch
+    - apiGroups:
+      - ""
+      resources:
+      - services
+      verbs:
+      - list
+      - patch
+      - update
+      - watch
+    - apiGroups:
+      - ""
+      resources:
+      - services/status
+      verbs:
+      - list
+      - patch
+      - update
+      - watch
+    - apiGroups:
+      - ""
+      resources:
+      - serviceaccounts
+      verbs:
+      - create
+    - apiGroups:
+      - ""
+      resources:
+      - persistentvolumes
+      verbs:
+      - get
+      - list
+      - update
+      - watch
+    - apiGroups:
+      - ""
+      resources:
+      - endpoints
+      verbs:
+      - create
+      - get
+      - list
+      - watch
+      - update
+    - apiGroups:
+      - coordination.k8s.io
+      resources:
+      - leases
+      verbs:
+      - create
+      - get
+      - list
+      - watch
+      - update
+    - apiGroups:
+      - ""
+      resources:
+      - serviceaccounts/token
+      verbs:
+      - create
+    ---
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+      labels:
+        helm.sh/chart: aws-cloud-controller-manager-0.0.8
+      name: cloud-controller-manager:apiserver-authentication-reader
+      namespace: kube-system
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: Role
+      name: extension-apiserver-authentication-reader
+    subjects:
+    - apiGroup: ""
+      kind: ServiceAccount
+      name: cloud-controller-manager
+      namespace: kube-system
+    ---
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+      labels:
+        helm.sh/chart: aws-cloud-controller-manager-0.0.8
+      name: system:cloud-controller-manager
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: ClusterRole
+      name: system:cloud-controller-manager
+    subjects:
+    - apiGroup: ""
+      kind: ServiceAccount
+      name: cloud-controller-manager
+      namespace: kube-system
+    ---
+    apiVersion: apps/v1
+    kind: DaemonSet
+    metadata:
+      labels:
+        helm.sh/chart: aws-cloud-controller-manager-0.0.8
+        k8s-app: aws-cloud-controller-manager
+      name: aws-cloud-controller-manager
+      namespace: kube-system
+    spec:
+      selector:
+        matchLabels:
+          k8s-app: aws-cloud-controller-manager
+      template:
+        metadata:
+          labels:
+            k8s-app: aws-cloud-controller-manager
+          name: aws-cloud-controller-manager
+        spec:
+          containers:
+          - args:
+            - --v=2
+            - --cloud-provider=aws
+            - --configure-cloud-routes=false
+            env: []
+            image: registry.k8s.io/provider-aws/cloud-controller-manager:v1.29.2
+            name: aws-cloud-controller-manager
+            resources:
+              requests:
+                cpu: 200m
+            securityContext: {}
+          dnsPolicy: Default
+          hostNetwork: true
+          nodeSelector:
+            node-role.kubernetes.io/control-plane: ""
+          priorityClassName: system-node-critical
+          securityContext: {}
+          serviceAccountName: cloud-controller-manager
+          tolerations:
+          - effect: NoSchedule
+            key: node.cloudprovider.kubernetes.io/uninitialized
+            value: "true"
+          - effect: NoSchedule
+            key: node-role.kubernetes.io/master
+          - effect: NoSchedule
+            key: node-role.kubernetes.io/control-plane
+      updateStrategy:
+        type: RollingUpdate
+kind: ConfigMap
+metadata:
+  creationTimestamp: null
+  name: aws-ccm-v1.29.2
diff --git a/hack/addons/kustomize/aws-ccm/helm-values.yaml b/hack/addons/kustomize/aws-ccm/helm-values.yaml
@@ -0,0 +1,12 @@
+# Copyright 2024 D2iQ, Inc. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+---
+# Starting in Kubernetes v1.29 the Kubelet no longer adds temporary addresses to the Node.
+# See https://github.com/kubernetes/kubernetes/pull/121028
+# This causes a deadlock with the AWS CCM and some CNI providers including Calico.
+# The Calico Pods won't start until some addresses are assigned,
+# but the AWS CCM that adds the addresses can't start until the Calico Pods are running.
+# Using hostNetworking allows the AWS CCM to start before the Calico Pods.
+# The upstream CAPA templates are also already using hostNetworking for the CCM Pods.
+hostNetworking: true
diff --git a/hack/addons/kustomize/aws-ccm/kustomization.yaml.tmpl b/hack/addons/kustomize/aws-ccm/kustomization.yaml.tmpl
@@ -12,6 +12,7 @@ helmCharts:
   repo: https://kubernetes.github.io/cloud-provider-aws
   releaseName: aws-cloud-controller-manager
   version: ${AWS_CCM_CHART_VERSION}
+  valuesFile: helm-values.yaml
   includeCRDs: true
   skipTests: true
 
diff --git a/hack/addons/update-aws-ccm.sh b/hack/addons/update-aws-ccm.sh
@@ -24,6 +24,7 @@ trap_add "rm -rf ${ASSETS_DIR}" EXIT
 
 readonly KUSTOMIZE_BASE_DIR="${SCRIPT_DIR}/kustomize/aws-ccm/"
 envsubst -no-unset <"${KUSTOMIZE_BASE_DIR}/kustomization.yaml.tmpl" >"${ASSETS_DIR}/kustomization.yaml"
+cp "${KUSTOMIZE_BASE_DIR}"/*.yaml "${ASSETS_DIR}"
 
 readonly FILE_NAME="aws-ccm-${AWS_CCM_VERSION}.yaml"
 kustomize build --enable-helm "${ASSETS_DIR}" >"${ASSETS_DIR}/${FILE_NAME}"
diff --git a/make/addons.mk b/make/addons.mk
@@ -14,13 +14,15 @@ export AWS_CCM_VERSION_127 := v1.27.1
 export AWS_CCM_CHART_VERSION_127 := 0.0.8
 export AWS_CCM_VERSION_128 := v1.28.1
 export AWS_CCM_CHART_VERSION_128 := 0.0.8
+export AWS_CCM_VERSION_129 := v1.29.2
+export AWS_CCM_CHART_VERSION_129 := 0.0.8
 
 export NUTANIX_CCM_CHART_VERSION := 0.3.3
 
 export KUBE_VIP_VERSION := v0.8.0
 
 .PHONY: addons.sync
-addons.sync: $(addprefix update-addon.,calico cilium nfd cluster-autoscaler aws-ebs-csi aws-ccm.127 aws-ccm.128 kube-vip)
+addons.sync: $(addprefix update-addon.,calico cilium nfd cluster-autoscaler aws-ebs-csi aws-ccm.127 aws-ccm.128 aws-ccm.129 kube-vip)
 
 .PHONY: update-addon.calico
 update-addon.calico: ; $(info $(M) updating calico manifests)
diff --git a/pkg/handlers/generic/lifecycle/ccm/aws/handler.go b/pkg/handlers/generic/lifecycle/ccm/aws/handler.go
@@ -34,6 +34,7 @@ func (a *AWSCCMConfig) AddFlags(prefix string, flags *pflag.FlagSet) {
 		map[string]string{
 			"1.27": "aws-ccm-v1.27.1",
 			"1.28": "aws-ccm-v1.28.1",
+			"1.29": "aws-ccm-v1.29.2",
 		},
 		"map of provider cluster implementation type to default installation ConfigMap name",
 	)

Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,7 @@ func (a AWSCCMConfig) AddFlags(prefix string, flags pflag.FlagSet) {`
`34`	`34`	`map[string]string{`
`35`	`35`	`"1.27": "aws-ccm-v1.27.1",`
`36`	`36`	`"1.28": "aws-ccm-v1.28.1",`
	`37`	`+ "1.29": "aws-ccm-v1.29.2",`
`37`	`38`	`},`
`38`	`39`	`"map of provider cluster implementation type to default installation ConfigMap name",`
`39`	`40`	`)`