kubernetes · k8s-ci-robot · Jul 16, 2023 · Jul 16, 2023
diff --git a/cmd/kops/integration_test.go b/cmd/kops/integration_test.go
@@ -35,7 +35,6 @@ import (
 
 	"golang.org/x/crypto/ssh"
 	"k8s.io/kops/cmd/kops/util"
-	"k8s.io/kops/pkg/apis/kops/model"
 	"k8s.io/kops/pkg/diff"
 	"k8s.io/kops/pkg/featureflag"
 	"k8s.io/kops/pkg/model/iam"
@@ -1503,20 +1502,6 @@ func (i *integrationTest) setupCluster(t *testing.T, ctx context.Context, inputY
 			secondaryCertificate: "-----BEGIN CERTIFICATE-----\nMIIBfDCCASagAwIBAgIMFo+b23acX0hZEkbkMA0GCSqGSIb3DQEBCwUAMB8xHTAb\nBgNVBAMTFGV0Y2QtcGVlcnMtY2EtY2lsaXVtMB4XDTIxMDcwNTIwMjIzN1oXDTMx\nMDcwNTIwMjIzN1owHzEdMBsGA1UEAxMUZXRjZC1wZWVycy1jYS1jaWxpdW0wXDAN\nBgkqhkiG9w0BAQEFAANLADBIAkEAw3T2pyEOgBPBKwofuILLokPxAFplVzdu540f\noREJ4iVqiroUlsz1G90mEwmqR+B7/0kt70ve9i5Z6E7Qz2nQaQIDAQABo0IwQDAO\nBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU0hyEvGir\n2ucsJrojyZaDBIb8JLAwDQYJKoZIhvcNAQELBQADQQA9vQylgkvgROIMspzOlbZr\nZwsTAzp9J2ZxZL06AQ9iWzpvIw/H3oClV63q6zN2aHtpBTkhUOSX3Q4L/X/0MOkj\n-----END CERTIFICATE-----",
 		})
 	}
-	if !model.UseKopsControllerForNodeBootstrap(cluster.Spec.GetCloudProvider()) {
-		storeKeyset(t, ctx, keyStore, "kubelet", &testingKeyset{
-			primaryKey:           "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAM6BUO6Gjjskn8s87GdJB8QPpNTx949t5Z/GgQpLVCapj741c1//\nvyH6JPsyqFUVy+lsBXQHSdCz2awMhKd9x5kCAwEAAQJARozbj4Ic2Yvbo92+jlLe\n+la146J/B1tuVbXFpDS0HTi3W94fVfu6R7FR9um1te1hzBAr6I4RqXxBAvipzG9P\n4QIhAPUg1AV/uyzKxELhVNKysAqvz1oLx2NeAh3DewRQn2MNAiEA16n2q69vFDvd\nnoCi2jwfR9/VyuMjloJElRyG1hoqg70CIQDkH/QRVgkcq2uxDkFBgLgiifF/zJx3\n1mJDzsuqfVmH9QIgEP/2z8W+bcviRlJBhA5lMNc2FQ4eigiuu0pKXqolW8kCIBy/\n27C5grBlEqjw1taSKqoSnylUW6SL8N8UR0MJU5up\n-----END RSA PRIVATE KEY-----",
-			primaryCertificate:   "-----BEGIN CERTIFICATE-----\nMIIBkzCCAT2gAwIBAgIMFpL6CzllQiBcgTbiMA0GCSqGSIb3DQEBCwUAMBgxFjAU\nBgNVBAMTDWt1YmVybmV0ZXMtY2EwHhcNMjEwNzE2MTk0MjIxWhcNMzEwNzE2MTk0\nMjIxWjApMRUwEwYDVQQKEwxzeXN0ZW06bm9kZXMxEDAOBgNVBAMTB2t1YmVsZXQw\nXDANBgkqhkiG9w0BAQEFAANLADBIAkEAzoFQ7oaOOySfyzzsZ0kHxA+k1PH3j23l\nn8aBCktUJqmPvjVzX/+/Ifok+zKoVRXL6WwFdAdJ0LPZrAyEp33HmQIDAQABo1Yw\nVDAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDAYDVR0TAQH/\nBAIwADAfBgNVHSMEGDAWgBTRt81Y03C5ScA7CePyvQ1eyqIVADANBgkqhkiG9w0B\nAQsFAANBAGOPYAM8wEDpRs4Sa+UxSRNM5xt2a0ctNqLxYbN0gsoTXY3vEFb06qLH\npgBJgBLXG8siOEhyEhsFiXSw4klQ/y8=\n-----END CERTIFICATE-----",
-			secondaryKey:         "",
-			secondaryCertificate: "",
-		})
-		storeKeyset(t, ctx, keyStore, "kube-proxy", &testingKeyset{
-			primaryKey:           "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAM7f0Zt5vDchamMg9TABxyAWGRVhWVmLqmfKr1rGvohWB/eVJmxZ\nCSNg6ShIDnDT2qJx5Aw05jjfDRJsrlCcAkMCAwEAAQJAeeRo5boBy14WCFiH/4Rc\npqw+lVlpwxhHDKbhUZRe+YbfobR7M35GoKJ5Zjtvh5V1eC1irGzSvUQg96snVCIv\nqQIhAPWGxfFedkYvddBHpp6pg/55AshVp8NPeYfV1olKc10FAiEA17Lzn7yyekzY\nr8tgm5zt6Hf9DfOPS+iCUwTpJzkhRKcCIAJUiyBlUx4LaUTWyUAMP9J0d5BLL9Js\nuKyPXP/kkv+5AiEApTYO/jmU5rH3gmafP3Gqk9VbwRTdnAGh2J65Sm6quZ8CIC4v\nqwjRQtwPYB4PPym2gTL4hjgWTj7bQEspm3A9eEs5\n-----END RSA PRIVATE KEY-----",
-			primaryCertificate:   "-----BEGIN CERTIFICATE-----\nMIIBhjCCATCgAwIBAgIMFpL6CzlkDYhRlgqCMA0GCSqGSIb3DQEBCwUAMBgxFjAU\nBgNVBAMTDWt1YmVybmV0ZXMtY2EwHhcNMjEwNzE2MTk0MjIxWhcNMzEwNzE2MTk0\nMjIxWjAcMRowGAYDVQQDExFzeXN0ZW06a3ViZS1wcm94eTBcMA0GCSqGSIb3DQEB\nAQUAA0sAMEgCQQDO39Gbebw3IWpjIPUwAccgFhkVYVlZi6pnyq9axr6IVgf3lSZs\nWQkjYOkoSA5w09qiceQMNOY43w0SbK5QnAJDAgMBAAGjVjBUMA4GA1UdDwEB/wQE\nAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQY\nMBaAFNG3zVjTcLlJwDsJ4/K9DV7KohUAMA0GCSqGSIb3DQEBCwUAA0EANRng3dTL\nZYQLfeRolSiKFHrsDxfNL5sXbsNcJNkP9VNmxTGs3RyvNlzsaVQkXaBnlHYx0+nk\nGWXMq4Kke2ukxQ==\n-----END CERTIFICATE-----",
-			secondaryKey:         "",
-			secondaryCertificate: "",
-		})
-	}
 
 	return factory
 }

diff --git a/nodeup/pkg/model/bootstrap_client.go b/nodeup/pkg/model/bootstrap_client.go
@@ -45,7 +45,7 @@ type BootstrapClientBuilder struct {
 }
 
 func (b BootstrapClientBuilder) Build(c *fi.NodeupModelBuilderContext) error {
-	if b.IsMaster || !b.UseKopsControllerForNodeBootstrap() {
+	if b.IsMaster {
 		return nil
 	}
 

diff --git a/nodeup/pkg/model/context.go b/nodeup/pkg/model/context.go
@@ -284,82 +284,27 @@ func (c *NodeupModelContext) GetBootstrapCert(name string, signer string) (cert,
 
 // BuildBootstrapKubeconfig generates a kubeconfig with a client certificate from either kops-controller or the state store.
 func (c *NodeupModelContext) BuildBootstrapKubeconfig(name string, ctx *fi.NodeupModelBuilderContext) (fi.Resource, error) {
-	if c.UseKopsControllerForNodeBootstrap() {
-		cert, key, err := c.GetBootstrapCert(name, fi.CertificateIDCA)
-		if err != nil {
-			return nil, err
-		}
-
-		kubeConfig := &nodetasks.KubeConfig{
-			Name: name,
-			Cert: cert,
-			Key:  key,
-			CA:   fi.NewStringResource(c.NodeupConfig.CAs[fi.CertificateIDCA]),
-		}
-		if c.HasAPIServer {
-			// @note: use https even for local connections, so we can turn off the insecure port
-			kubeConfig.ServerURL = "https://127.0.0.1"
-		} else {
-			kubeConfig.ServerURL = "https://" + c.APIInternalName()
-		}
-
-		ctx.EnsureTask(kubeConfig)
+	cert, key, err := c.GetBootstrapCert(name, fi.CertificateIDCA)
+	if err != nil {
+		return nil, err
+	}
 
-		return kubeConfig.GetConfig(), nil
+	kubeConfig := &nodetasks.KubeConfig{
+		Name: name,
+		Cert: cert,
+		Key:  key,
+		CA:   fi.NewStringResource(c.NodeupConfig.CAs[fi.CertificateIDCA]),
+	}
+	if c.HasAPIServer {
+		// @note: use https even for local connections, so we can turn off the insecure port
+		kubeConfig.ServerURL = "https://127.0.0.1"
 	} else {
-		keyset, err := c.KeyStore.FindKeyset(ctx.Context(), name)
-		if err != nil {
-			return nil, fmt.Errorf("error fetching keyset %q from keystore: %w", name, err)
-		}
-		if keyset == nil {
-			return nil, fmt.Errorf("keyset %q not found", name)
-		}
-
-		keypairID := c.NodeupConfig.KeypairIDs[name]
-		if keypairID == "" {
-			return nil, fmt.Errorf("keypairID for %s missing from NodeupConfig", name)
-		}
-		item := keyset.Items[keypairID]
-		if item == nil {
-			return nil, fmt.Errorf("keypairID %s missing from %s keyset", keypairID, name)
-		}
-
-		cert, err := item.Certificate.AsBytes()
-		if err != nil {
-			return nil, err
-		}
-
-		key, err := item.PrivateKey.AsBytes()
-		if err != nil {
-			return nil, err
-		}
-
-		kubeConfig := &nodetasks.KubeConfig{
-			Name: name,
-			Cert: fi.NewBytesResource(cert),
-			Key:  fi.NewBytesResource(key),
-			CA:   fi.NewStringResource(c.NodeupConfig.CAs[fi.CertificateIDCA]),
-		}
-		if c.HasAPIServer {
-			// @note: use https even for local connections, so we can turn off the insecure port
-			// This code path is used for the kubelet cert in Kubernetes 1.18 and earlier.
-			kubeConfig.ServerURL = "https://127.0.0.1"
-		} else {
-			kubeConfig.ServerURL = "https://" + c.APIInternalName()
-		}
-
-		err = kubeConfig.Run(nil)
-		if err != nil {
-			return nil, err
-		}
+		kubeConfig.ServerURL = "https://" + c.APIInternalName()
+	}
 
-		config, err := fi.ResourceAsBytes(kubeConfig.GetConfig())
-		if err != nil {
-			return nil, err
-		}
+	ctx.EnsureTask(kubeConfig)
 
-		return fi.NewBytesResource(config), nil
-	}
+	return kubeConfig.GetConfig(), nil
 }
 
 // RemapImage applies any needed remapping to an image reference.
@@ -392,11 +337,6 @@ func (c *NodeupModelContext) UseVolumeMounts() bool {
 	return len(c.NodeupConfig.VolumeMounts) > 0
 }
 
-// UseKopsControllerForNodeBootstrap checks if nodeup should use kops-controller to bootstrap.
-func (c *NodeupModelContext) UseKopsControllerForNodeBootstrap() bool {
-	return model.UseKopsControllerForNodeBootstrap(c.CloudProvider())
-}
-
 // UseChallengeCallback is true if we should use a callback challenge during node provisioning with kops-controller.
 func (c *NodeupModelContext) UseChallengeCallback(cloudProvider kops.CloudProviderID) bool {
 	return model.UseChallengeCallback(cloudProvider)

diff --git a/nodeup/pkg/model/etc_hosts.go b/nodeup/pkg/model/etc_hosts.go
@@ -51,12 +51,10 @@ func (b *EtcHostsBuilder) Build(c *fi.NodeupModelBuilderContext) error {
 			Hostname:  b.APIInternalName(),
 			Addresses: b.BootConfig.APIServerIPs,
 		})
-		if b.UseKopsControllerForNodeBootstrap() {
-			task.Records = append(task.Records, nodetasks.HostRecord{
-				Hostname:  "kops-controller.internal." + b.NodeupConfig.ClusterName,
-				Addresses: b.BootConfig.APIServerIPs,
-			})
-		}
+		task.Records = append(task.Records, nodetasks.HostRecord{
+			Hostname:  "kops-controller.internal." + b.NodeupConfig.ClusterName,
+			Addresses: b.BootConfig.APIServerIPs,
+		})
 	}
 
 	if len(task.Records) != 0 {

diff --git a/nodeup/pkg/model/kubelet.go b/nodeup/pkg/model/kubelet.go
@@ -336,10 +336,8 @@ func (b *KubeletBuilder) buildSystemdEnvironmentFile(kubeletConfig *kops.Kubelet
 		}
 	}
 
-	if b.UseKopsControllerForNodeBootstrap() {
-		flags += " --tls-cert-file=" + b.PathSrvKubernetes() + "/kubelet-server.crt"
-		flags += " --tls-private-key-file=" + b.PathSrvKubernetes() + "/kubelet-server.key"
-	}
+	flags += " --tls-cert-file=" + b.PathSrvKubernetes() + "/kubelet-server.crt"
+	flags += " --tls-private-key-file=" + b.PathSrvKubernetes() + "/kubelet-server.key"
 
 	if b.IsIPv6Only() {
 		flags += " --node-ip=::"
@@ -688,51 +686,49 @@ func (b *KubeletBuilder) buildControlPlaneKubeletKubeconfig(c *fi.NodeupModelBui
 }
 
 func (b *KubeletBuilder) buildKubeletServingCertificate(c *fi.NodeupModelBuilderContext) error {
-	if b.UseKopsControllerForNodeBootstrap() {
-		name := "kubelet-server"
-		dir := b.PathSrvKubernetes()
+	name := "kubelet-server"
+	dir := b.PathSrvKubernetes()
+
+	names, err := b.kubeletNames()
+	if err != nil {
+		return err
+	}
 
-		names, err := b.kubeletNames()
+	if !b.HasAPIServer {
+		cert, key, err := b.GetBootstrapCert(name, fi.CertificateIDCA)
 		if err != nil {
 			return err
 		}
 
-		if !b.HasAPIServer {
-			cert, key, err := b.GetBootstrapCert(name, fi.CertificateIDCA)
-			if err != nil {
-				return err
-			}
-
-			c.AddTask(&nodetasks.File{
-				Path:           filepath.Join(dir, name+".crt"),
-				Contents:       cert,
-				Type:           nodetasks.FileType_File,
-				Mode:           fi.PtrTo("0644"),
-				BeforeServices: []string{"kubelet.service"},
-			})
+		c.AddTask(&nodetasks.File{
+			Path:           filepath.Join(dir, name+".crt"),
+			Contents:       cert,
+			Type:           nodetasks.FileType_File,
+			Mode:           fi.PtrTo("0644"),
+			BeforeServices: []string{"kubelet.service"},
+		})
 
-			c.AddTask(&nodetasks.File{
-				Path:           filepath.Join(dir, name+".key"),
-				Contents:       key,
-				Type:           nodetasks.FileType_File,
-				Mode:           fi.PtrTo("0400"),
-				BeforeServices: []string{"kubelet.service"},
-			})
+		c.AddTask(&nodetasks.File{
+			Path:           filepath.Join(dir, name+".key"),
+			Contents:       key,
+			Type:           nodetasks.FileType_File,
+			Mode:           fi.PtrTo("0400"),
+			BeforeServices: []string{"kubelet.service"},
+		})
 
-		} else {
-			issueCert := &nodetasks.IssueCert{
-				Name:      name,
-				Signer:    fi.CertificateIDCA,
-				KeypairID: b.NodeupConfig.KeypairIDs[fi.CertificateIDCA],
-				Type:      "server",
-				Subject: nodetasks.PKIXName{
-					CommonName: names[0],
-				},
-				AlternateNames: names,
-			}
-			c.AddTask(issueCert)
-			return issueCert.AddFileTasks(c, dir, name, "", nil)
-		}
+	} else {
+		issueCert := &nodetasks.IssueCert{
+			Name:      name,
+			Signer:    fi.CertificateIDCA,
+			KeypairID: b.NodeupConfig.KeypairIDs[fi.CertificateIDCA],
+			Type:      "server",
+			Subject: nodetasks.PKIXName{
+				CommonName: names[0],
+			},
+			AlternateNames: names,
+		}
+		c.AddTask(issueCert)
+		return issueCert.AddFileTasks(c, dir, name, "", nil)
 	}
 	return nil
 }

diff --git a/nodeup/pkg/model/networking/cilium.go b/nodeup/pkg/model/networking/cilium.go
@@ -168,31 +168,27 @@ func (b *CiliumBuilder) buildCiliumEtcdSecrets(c *fi.NodeupModelBuilderContext)
 		c.AddTask(issueCert)
 		return issueCert.AddFileTasks(c, dir, name, "", nil)
 	} else {
-		if b.UseKopsControllerForNodeBootstrap() {
-			cert, key, err := b.GetBootstrapCert(name, signer)
-			if err != nil {
-				return err
-			}
-
-			c.AddTask(&nodetasks.File{
-				Path:           filepath.Join(dir, name+".crt"),
-				Contents:       cert,
-				Type:           nodetasks.FileType_File,
-				Mode:           fi.PtrTo("0644"),
-				BeforeServices: []string{"kubelet.service"},
-			})
-
-			c.AddTask(&nodetasks.File{
-				Path:           filepath.Join(dir, name+".key"),
-				Contents:       key,
-				Type:           nodetasks.FileType_File,
-				Mode:           fi.PtrTo("0400"),
-				BeforeServices: []string{"kubelet.service"},
-			})
-
-			return nil
-		} else {
-			return b.BuildCertificatePairTask(c, name, dir, name, nil, []string{"kubelet.service"})
+		cert, key, err := b.GetBootstrapCert(name, signer)
+		if err != nil {
+			return err
 		}
+
+		c.AddTask(&nodetasks.File{
+			Path:           filepath.Join(dir, name+".crt"),
+			Contents:       cert,
+			Type:           nodetasks.FileType_File,
+			Mode:           fi.PtrTo("0644"),
+			BeforeServices: []string{"kubelet.service"},
+		})
+
+		c.AddTask(&nodetasks.File{
+			Path:           filepath.Join(dir, name+".key"),
+			Contents:       key,
+			Type:           nodetasks.FileType_File,
+			Mode:           fi.PtrTo("0400"),
+			BeforeServices: []string{"kubelet.service"},
+		})
+
+		return nil
 	}
 }
diff --git a/pkg/apis/kops/model/features.go b/pkg/apis/kops/model/features.go
@@ -22,11 +22,6 @@ import (
 	"k8s.io/kops/pkg/apis/kops/util"
 )
 
-// UseKopsControllerForNodeBootstrap is true if nodeup should use kops-controller for bootstrapping.
-func UseKopsControllerForNodeBootstrap(cloudProvider kops.CloudProviderID) bool {
-	return true
-}
-
 // UseChallengeCallback is true if we should use a callback challenge during node provisioning with kops-controller.
 func UseChallengeCallback(cloudProvider kops.CloudProviderID) bool {
 	switch cloudProvider {
@@ -54,7 +49,7 @@ func UseKopsControllerForNodeConfig(cluster *kops.Cluster) bool {
 			return false
 		}
 	}
-	return UseKopsControllerForNodeBootstrap(cluster.Spec.GetCloudProvider())
+	return true
 }
 
 // UseCiliumEtcd is true if we are using the Cilium etcd cluster.

diff --git a/pkg/model/bootstrapscript.go b/pkg/model/bootstrapscript.go
@@ -27,7 +27,6 @@ import (
 	"strings"
 
 	"k8s.io/klog/v2"
-	"k8s.io/kops/pkg/apis/kops/model"
 	"k8s.io/kops/upup/pkg/fi/cloudup/scaleway"
 	"k8s.io/kops/upup/pkg/fi/utils"
 	"sigs.k8s.io/yaml"
@@ -134,12 +133,7 @@ func (b *BootstrapScript) buildEnvironmentVariables() (map[string]string, error)
 	}
 
 	if os.Getenv("S3_ENDPOINT") != "" {
-		passEnvs := false
-		if b.ig.IsControlPlane() || !b.builder.UseKopsControllerForNodeBootstrap() {
-			passEnvs = true
-		}
-
-		if passEnvs {
+		if b.ig.IsControlPlane() {
 			env["S3_ENDPOINT"] = os.Getenv("S3_ENDPOINT")
 			env["S3_REGION"] = os.Getenv("S3_REGION")
 			env["S3_ACCESS_KEY_ID"] = os.Getenv("S3_ACCESS_KEY_ID")
@@ -190,12 +184,7 @@ func (b *BootstrapScript) buildEnvironmentVariables() (map[string]string, error)
 	}
 
 	if cluster.Spec.GetCloudProvider() == kops.CloudProviderDO {
-		passEnvs := false
-		if b.ig.IsControlPlane() || !b.builder.UseKopsControllerForNodeBootstrap() {
-			passEnvs = true
-		}
-
-		if passEnvs {
+		if b.ig.IsControlPlane() {
 			doToken := os.Getenv("DIGITALOCEAN_ACCESS_TOKEN")
 			if doToken != "" {
 				env["DIGITALOCEAN_ACCESS_TOKEN"] = doToken
@@ -255,16 +244,8 @@ func (b *BootstrapScriptBuilder) ResourceNodeUp(c *fi.CloudupModelBuilderContext
 		}
 	}
 
-	if model.UseCiliumEtcd(b.Cluster) && !model.UseKopsControllerForNodeBootstrap(b.Cluster.Spec.GetCloudProvider()) {
-		keypairs = append(keypairs, "etcd-client-cilium")
-	}
 	if ig.HasAPIServer() {
 		keypairs = append(keypairs, "apiserver-aggregator-ca", "service-account", "etcd-clients-ca")
-	} else if !model.UseKopsControllerForNodeBootstrap(b.Cluster.Spec.GetCloudProvider()) {
-		keypairs = append(keypairs, "kubelet", "kube-proxy")
-		if b.Cluster.Spec.Networking.KubeRouter != nil {
-			keypairs = append(keypairs, "kube-router")
-		}
 	}
 
 	if ig.IsBastion() {