Ensure openshift start network can run in a pod

Need to be able to take node-config from bootstrap node. For
openshift start network the --kubeconfig flag from the CLI overrides the
value of masterKubeConfig in the provided node config. If the value is
empty (like it is by default) the in-cluster-config is used.

Reorganize the node startup slightly so there is even less overlap
between kubelet and network. A future change will completely separate
these two initialization paths.

Author: smarterclayton

contrib/completions/bash/openshift

@@ -33708,6 +33708,8 @@ _openshift_start_network()
     local_nonpersistent_flags+=("--kubernetes=")
     flags+=("--latest-images")
     local_nonpersistent_flags+=("--latest-images")
+    flags+=("--listen=")
+    local_nonpersistent_flags+=("--listen=")
     flags+=("--network-plugin=")
     local_nonpersistent_flags+=("--network-plugin=")
     flags+=("--recursive-resolv-conf=")

contrib/completions/zsh/openshift

@@ -33857,6 +33857,8 @@ _openshift_start_network()
     local_nonpersistent_flags+=("--kubernetes=")
     flags+=("--latest-images")
     local_nonpersistent_flags+=("--latest-images")
+    flags+=("--listen=")
+    local_nonpersistent_flags+=("--listen=")
     flags+=("--network-plugin=")
     local_nonpersistent_flags+=("--network-plugin=")
     flags+=("--recursive-resolv-conf=")

pkg/cmd/server/api/helpers.go

@@ -334,6 +334,27 @@ func SetProtobufClientDefaults(overrides *ClientConnectionOverrides) {
 	overrides.Burst *= 2
 }
 
+// GetKubeConfigOrInClusterConfig loads in-cluster config if kubeConfigFile is empty or the file if not,
+// then applies overrides.
+func GetKubeConfigOrInClusterConfig(kubeConfigFile string, overrides *ClientConnectionOverrides) (*restclient.Config, error) {
+	var kubeConfig *restclient.Config
+	var err error
+	if len(kubeConfigFile) == 0 {
+		kubeConfig, err = restclient.InClusterConfig()
+	} else {
+		loadingRules := &clientcmd.ClientConfigLoadingRules{}
+		loadingRules.ExplicitPath = kubeConfigFile
+		loader := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loadingRules, &clientcmd.ConfigOverrides{})
+
+		kubeConfig, err = loader.ClientConfig()
+	}
+	if err != nil {
+		return nil, err
+	}
+	applyClientConnectionOverrides(overrides, kubeConfig)
+	return kubeConfig, nil
+}
+
 // TODO: clients should be copied and instantiated from a common client config, tweaked, then
 // given to individual controllers and other infrastructure components.
 func GetInternalKubeClient(kubeConfigFile string, overrides *ClientConnectionOverrides) (kclientsetinternal.Interface, *restclient.Config, error) {

pkg/cmd/server/api/validation/validation.go

@@ -128,7 +128,7 @@ func ValidateServingInfo(info api.ServingInfo, certificatesRequired bool, fldPat
 			validationResults.AddErrors(ValidateFile(info.ClientCA, fldPath.Child("clientCA"))...)
 		}
 	} else {
-		if len(info.ClientCA) > 0 {
+		if certificatesRequired && len(info.ClientCA) > 0 {
 			validationResults.AddErrors(field.Invalid(fldPath.Child("clientCA"), info.ClientCA, "cannot specify a clientCA without a certFile"))
 		}
 	}

pkg/cmd/server/kubernetes/network/network_config.go

@@ -14,6 +14,7 @@ import (
 	kclientset "k8s.io/client-go/kubernetes"
 	"k8s.io/kubernetes/pkg/apis/componentconfig"
 	kclientsetexternal "k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
+	kclientsetinternal "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
 	kinternalinformers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
 
 	configapi "github.com/openshift/origin/pkg/cmd/server/api"
@@ -49,11 +50,15 @@ type NetworkConfig struct {
 
 // New creates a new network config object for running the networking components of the OpenShift node.
 func New(options configapi.NodeConfig, clusterDomain string, proxyConfig *componentconfig.KubeProxyConfiguration, enableProxy, enableDNS bool) (*NetworkConfig, error) {
-	internalKubeClient, kubeConfig, err := configapi.GetInternalKubeClient(options.MasterKubeConfig, options.MasterClientConnectionOverrides)
+	kubeConfig, err := configapi.GetKubeConfigOrInClusterConfig(options.MasterKubeConfig, options.MasterClientConnectionOverrides)
 	if err != nil {
 		return nil, err
 	}
-	externalKubeClient, _, err := configapi.GetExternalKubeClient(options.MasterKubeConfig, options.MasterClientConnectionOverrides)
+	internalKubeClient, err := kclientsetinternal.NewForConfig(kubeConfig)
+	if err != nil {
+		return nil, err
+	}
+	externalKubeClient, err := kclientsetexternal.NewForConfig(kubeConfig)
 	if err != nil {
 		return nil, err
 	}
@@ -135,7 +140,6 @@ func New(options configapi.NodeConfig, clusterDomain string, proxyConfig *compon
 
 		// TODO: use kubeletConfig.ResolverConfig as an argument to etcd in the event the
 		//   user sets it, instead of passing it to the kubelet.
-		glog.Infof("DNS Bind to %s", options.DNSBindAddress)
 		config.DNSServer = dns.NewServer(
 			dnsConfig,
 			services,

pkg/cmd/server/kubernetes/network/options/options.go

@@ -0,0 +1,89 @@
+package node
+
+import (
+	"fmt"
+	"net"
+	"time"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	kerrors "k8s.io/apimachinery/pkg/util/errors"
+	kubeproxyoptions "k8s.io/kubernetes/cmd/kube-proxy/app"
+	"k8s.io/kubernetes/pkg/apis/componentconfig"
+
+	configapi "github.com/openshift/origin/pkg/cmd/server/api"
+	cmdflags "github.com/openshift/origin/pkg/cmd/util/flags"
+)
+
+// Build creates the network Kubernetes component configs for a given NodeConfig, or returns
+// an error
+func Build(options configapi.NodeConfig) (*componentconfig.KubeProxyConfiguration, error) {
+	proxyOptions, err := kubeproxyoptions.NewOptions()
+	if err != nil {
+		return nil, err
+	}
+	// get default config
+	proxyconfig := proxyOptions.GetConfig()
+
+	proxyconfig.HostnameOverride = options.NodeName
+
+	// BindAddress - Override default bind address from our config
+	addr := options.ServingInfo.BindAddress
+	host, _, err := net.SplitHostPort(addr)
+	if err != nil {
+		return nil, fmt.Errorf("The provided value to bind to must be an ip:port %q", addr)
+	}
+	ip := net.ParseIP(host)
+	if ip == nil {
+		return nil, fmt.Errorf("The provided value to bind to must be an ip:port: %q", addr)
+	}
+	proxyconfig.BindAddress = ip.String()
+	// MetricsBindAddress - disable by default but allow enablement until we switch to
+	// reading proxy config directly
+	proxyconfig.MetricsBindAddress = ""
+	if arg := options.ProxyArguments["metrics-bind-address"]; len(arg) > 0 {
+		proxyconfig.MetricsBindAddress = arg[0]
+	}
+	delete(options.ProxyArguments, "metrics-bind-address")
+
+	// OOMScoreAdj, ResourceContainer - clear, we don't run in a container
+	oomScoreAdj := int32(0)
+	proxyconfig.OOMScoreAdj = &oomScoreAdj
+	proxyconfig.ResourceContainer = ""
+
+	// use the same client as the node
+	proxyconfig.ClientConnection.KubeConfigFile = options.MasterKubeConfig
+
+	// ProxyMode, set to iptables
+	proxyconfig.Mode = "iptables"
+
+	// IptablesSyncPeriod, set to our config value
+	syncPeriod, err := time.ParseDuration(options.IPTablesSyncPeriod)
+	if err != nil {
+		return nil, fmt.Errorf("Cannot parse the provided ip-tables sync period (%s) : %v", options.IPTablesSyncPeriod, err)
+	}
+	proxyconfig.IPTables.SyncPeriod = metav1.Duration{
+		Duration: syncPeriod,
+	}
+	masqueradeBit := int32(0)
+	proxyconfig.IPTables.MasqueradeBit = &masqueradeBit
+
+	// PortRange, use default
+	// HostnameOverride, use default
+	// ConfigSyncPeriod, use default
+	// MasqueradeAll, use default
+	// CleanupAndExit, use default
+	// KubeAPIQPS, use default, doesn't apply until we build a separate client
+	// KubeAPIBurst, use default, doesn't apply until we build a separate client
+	// UDPIdleTimeout, use default
+
+	// Resolve cmd flags to add any user overrides
+	if err := cmdflags.Resolve(options.ProxyArguments, proxyOptions.AddFlags); len(err) > 0 {
+		return nil, kerrors.NewAggregate(err)
+	}
+
+	if err := proxyOptions.Complete(); err != nil {
+		return nil, err
+	}
+
+	return proxyconfig, nil
+}

pkg/cmd/server/kubernetes/node/node_config.go

@@ -12,6 +12,7 @@ import (
 	kubeletapp "k8s.io/kubernetes/cmd/kubelet/app"
 	kubeletoptions "k8s.io/kubernetes/cmd/kubelet/app/options"
 	"k8s.io/kubernetes/pkg/apis/componentconfig/v1alpha1"
+	kclientsetexternal "k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
 	"k8s.io/kubernetes/pkg/cloudprovider"
 	"k8s.io/kubernetes/pkg/kubelet"
 	dockertools "k8s.io/kubernetes/pkg/kubelet/dockershim/libdocker"
@@ -57,7 +58,7 @@ func New(options configapi.NodeConfig, server *kubeletoptions.KubeletServer) (*N
 		return nil, err
 	}
 	// Make a separate client for event reporting, to avoid event QPS blocking node calls
-	eventClient, _, err := configapi.GetExternalKubeClient(options.MasterKubeConfig, options.MasterClientConnectionOverrides)
+	eventClient, err := kclientsetexternal.NewForConfig(kubeConfig)
 	if err != nil {
 		return nil, err
 	}

pkg/cmd/server/kubernetes/node/options/options.go

@@ -9,7 +9,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	kerrors "k8s.io/apimachinery/pkg/util/errors"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
-	kubeproxyoptions "k8s.io/kubernetes/cmd/kube-proxy/app"
 	kubeletoptions "k8s.io/kubernetes/cmd/kubelet/app/options"
 	"k8s.io/kubernetes/pkg/apis/componentconfig"
 	"k8s.io/kubernetes/pkg/features"
@@ -25,7 +24,7 @@ import (
 
 // Build creates the core Kubernetes component configs for a given NodeConfig, or returns
 // an error
-func Build(options configapi.NodeConfig) (*kubeletoptions.KubeletServer, *componentconfig.KubeProxyConfiguration, error) {
+func Build(options configapi.NodeConfig) (*kubeletoptions.KubeletServer, error) {
 	imageTemplate := variable.NewDefaultImageTemplate()
 	imageTemplate.Format = options.ImageConfig.Format
 	imageTemplate.Latest = options.ImageConfig.Latest
@@ -39,11 +38,11 @@ func Build(options configapi.NodeConfig) (*kubeletoptions.KubeletServer, *compon
 
 	kubeAddressStr, kubePortStr, err := net.SplitHostPort(options.ServingInfo.BindAddress)
 	if err != nil {
-		return nil, nil, fmt.Errorf("cannot parse node address: %v", err)
+		return nil, fmt.Errorf("cannot parse node address: %v", err)
 	}
 	kubePort, err := strconv.Atoi(kubePortStr)
 	if err != nil {
-		return nil, nil, fmt.Errorf("cannot parse node port: %v", err)
+		return nil, fmt.Errorf("cannot parse node port: %v", err)
 	}
 
 	// Defaults are tested in TestKubeletDefaults
@@ -91,7 +90,7 @@ func Build(options configapi.NodeConfig) (*kubeletoptions.KubeletServer, *compon
 	// Setup auth
 	authnTTL, err := time.ParseDuration(options.AuthConfig.AuthenticationCacheTTL)
 	if err != nil {
-		return nil, nil, err
+		return nil, err
 	}
 	server.Authentication = componentconfig.KubeletAuthentication{
 		X509: componentconfig.KubeletX509Authentication{
@@ -107,7 +106,7 @@ func Build(options configapi.NodeConfig) (*kubeletoptions.KubeletServer, *compon
 	}
 	authzTTL, err := time.ParseDuration(options.AuthConfig.AuthorizationCacheTTL)
 	if err != nil {
-		return nil, nil, err
+		return nil, err
 	}
 	server.Authorization = componentconfig.KubeletAuthorization{
 		Mode: componentconfig.KubeletAuthorizationModeWebhook,
@@ -121,13 +120,13 @@ func Build(options configapi.NodeConfig) (*kubeletoptions.KubeletServer, *compon
 	// TODO: this should be done in config validation (along with the above) so we can provide
 	// proper errors
 	if err := cmdflags.Resolve(options.KubeletArguments, server.AddFlags); len(err) > 0 {
-		return nil, nil, kerrors.NewAggregate(err)
+		return nil, kerrors.NewAggregate(err)
 	}
 
 	// terminate early if feature gate is incorrect on the node
 	if len(server.FeatureGates) > 0 {
 		if err := utilfeature.DefaultFeatureGate.Set(server.FeatureGates); err != nil {
-			return nil, nil, err
+			return nil, err
 		}
 	}
 	if utilfeature.DefaultFeatureGate.Enabled(features.RotateKubeletServerCertificate) {
@@ -138,11 +137,6 @@ func Build(options configapi.NodeConfig) (*kubeletoptions.KubeletServer, *compon
 		}
 	}
 
-	proxyconfig, err := buildKubeProxyConfig(options)
-	if err != nil {
-		return nil, nil, err
-	}
-
 	if network.IsOpenShiftNetworkPlugin(options.NetworkConfig.NetworkPluginName) {
 		// SDN plugin pod setup/teardown is implemented as a CNI plugin
 		server.NetworkPluginName = kubeletcni.CNIPluginName
@@ -152,72 +146,7 @@ func Build(options configapi.NodeConfig) (*kubeletoptions.KubeletServer, *compon
 		server.HairpinMode = componentconfig.HairpinNone
 	}
 
-	return server, proxyconfig, nil
-}
-
-func buildKubeProxyConfig(options configapi.NodeConfig) (*componentconfig.KubeProxyConfiguration, error) {
-	proxyOptions, err := kubeproxyoptions.NewOptions()
-	if err != nil {
-		return nil, err
-	}
-	// get default config
-	proxyconfig := proxyOptions.GetConfig()
-
-	// BindAddress - Override default bind address from our config
-	addr := options.ServingInfo.BindAddress
-	host, _, err := net.SplitHostPort(addr)
-	if err != nil {
-		return nil, fmt.Errorf("The provided value to bind to must be an ip:port %q", addr)
-	}
-	ip := net.ParseIP(host)
-	if ip == nil {
-		return nil, fmt.Errorf("The provided value to bind to must be an ip:port: %q", addr)
-	}
-	proxyconfig.BindAddress = ip.String()
-	// MetricsBindAddress - disable
-	proxyconfig.MetricsBindAddress = ""
-
-	// OOMScoreAdj, ResourceContainer - clear, we don't run in a container
-	oomScoreAdj := int32(0)
-	proxyconfig.OOMScoreAdj = &oomScoreAdj
-	proxyconfig.ResourceContainer = ""
-
-	// use the same client as the node
-	proxyconfig.ClientConnection.KubeConfigFile = options.MasterKubeConfig
-
-	// ProxyMode, set to iptables
-	proxyconfig.Mode = "iptables"
-
-	// IptablesSyncPeriod, set to our config value
-	syncPeriod, err := time.ParseDuration(options.IPTablesSyncPeriod)
-	if err != nil {
-		return nil, fmt.Errorf("Cannot parse the provided ip-tables sync period (%s) : %v", options.IPTablesSyncPeriod, err)
-	}
-	proxyconfig.IPTables.SyncPeriod = metav1.Duration{
-		Duration: syncPeriod,
-	}
-	masqueradeBit := int32(0)
-	proxyconfig.IPTables.MasqueradeBit = &masqueradeBit
-
-	// PortRange, use default
-	// HostnameOverride, use default
-	// ConfigSyncPeriod, use default
-	// MasqueradeAll, use default
-	// CleanupAndExit, use default
-	// KubeAPIQPS, use default, doesn't apply until we build a separate client
-	// KubeAPIBurst, use default, doesn't apply until we build a separate client
-	// UDPIdleTimeout, use default
-
-	// Resolve cmd flags to add any user overrides
-	if err := cmdflags.Resolve(options.ProxyArguments, proxyOptions.AddFlags); len(err) > 0 {
-		return nil, kerrors.NewAggregate(err)
-	}
-
-	if err := proxyOptions.Complete(); err != nil {
-		return nil, err
-	}
-
-	return proxyconfig, nil
+	return server, nil
 }
 
 func ToFlags(config *kubeletoptions.KubeletServer) []string {