Move mutable configmaps out of deployment manifest

Moving "antrea-ca", "antrea-cluster-identity" and "flow-aggregator-ca"
out of deployment manifest. Instead creating them in the code.

Fixes #1945

build/yamls/antrea-aks.yml

@@ -1185,6 +1185,12 @@ rules:
   verbs:
   - get
   - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
 - apiGroups:
   - apiregistration.k8s.io
   resourceNames:
@@ -1312,22 +1318,6 @@ subjects:
   namespace: kube-system
 ---
 apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: antrea
-  name: antrea-ca
-  namespace: kube-system
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: antrea
-  name: antrea-cluster-identity
-  namespace: kube-system
----
-apiVersion: v1
 data:
   antrea-agent.conf: |
     # FeatureGates is a map of feature names to bools that enable or disable experimental features.

build/yamls/antrea-eks.yml

@@ -1185,6 +1185,12 @@ rules:
   verbs:
   - get
   - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
 - apiGroups:
   - apiregistration.k8s.io
   resourceNames:
@@ -1312,22 +1318,6 @@ subjects:
   namespace: kube-system
 ---
 apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: antrea
-  name: antrea-ca
-  namespace: kube-system
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: antrea
-  name: antrea-cluster-identity
-  namespace: kube-system
----
-apiVersion: v1
 data:
   antrea-agent.conf: |
     # FeatureGates is a map of feature names to bools that enable or disable experimental features.

build/yamls/antrea-gke.yml

@@ -1185,6 +1185,12 @@ rules:
   verbs:
   - get
   - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
 - apiGroups:
   - apiregistration.k8s.io
   resourceNames:
@@ -1312,22 +1318,6 @@ subjects:
   namespace: kube-system
 ---
 apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: antrea
-  name: antrea-ca
-  namespace: kube-system
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: antrea
-  name: antrea-cluster-identity
-  namespace: kube-system
----
-apiVersion: v1
 data:
   antrea-agent.conf: |
     # FeatureGates is a map of feature names to bools that enable or disable experimental features.

build/yamls/antrea-ipsec.yml

@@ -1185,6 +1185,12 @@ rules:
   verbs:
   - get
   - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
 - apiGroups:
   - apiregistration.k8s.io
   resourceNames:
@@ -1312,22 +1318,6 @@ subjects:
   namespace: kube-system
 ---
 apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: antrea
-  name: antrea-ca
-  namespace: kube-system
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: antrea
-  name: antrea-cluster-identity
-  namespace: kube-system
----
-apiVersion: v1
 data:
   antrea-agent.conf: |
     # FeatureGates is a map of feature names to bools that enable or disable experimental features.

build/yamls/antrea.yml

@@ -1185,6 +1185,12 @@ rules:
   verbs:
   - get
   - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
 - apiGroups:
   - apiregistration.k8s.io
   resourceNames:
@@ -1312,22 +1318,6 @@ subjects:
   namespace: kube-system
 ---
 apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: antrea
-  name: antrea-ca
-  namespace: kube-system
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: antrea
-  name: antrea-cluster-identity
-  namespace: kube-system
----
-apiVersion: v1
 data:
   antrea-agent.conf: |
     # FeatureGates is a map of feature names to bools that enable or disable experimental features.

build/yamls/base/controller-rbac.yml

@@ -83,6 +83,12 @@ rules:
     verbs:
       - get
       - update
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - create
   - apiGroups:
       - apiregistration.k8s.io
     resources:

build/yamls/base/controller.yml

@@ -11,16 +11,6 @@ spec:
   selector:
     component: antrea-controller
 ---
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: antrea-ca
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: antrea-cluster-identity
----
 apiVersion: apiregistration.k8s.io/v1
 kind: APIService
 metadata:

build/yamls/flow-aggregator.yml

@@ -30,6 +30,12 @@ rules:
   verbs:
   - get
   - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
 - apiGroups:
   - ""
   resourceNames:
@@ -119,14 +125,6 @@ subjects:
   namespace: flow-aggregator
 ---
 apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: flow-aggregator
-  name: flow-aggregator-ca
-  namespace: flow-aggregator
----
-apiVersion: v1
 data:
   flow-aggregator.conf: |
     # Provide the flow collector address as string with format <IP>:<port>[:<proto>], where proto is tcp or udp.

build/yamls/flow-aggregator/base/flow-aggregator.yml

@@ -5,12 +5,6 @@ metadata:
   name: flow-aggregator
 ---
 apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: flow-aggregator-ca
-  namespace: flow-aggregator
----
-apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: flow-aggregator
@@ -26,6 +20,9 @@ rules:
     resources: ["configmaps"]
     resourceNames: ["flow-aggregator-ca"]
     verbs: ["get", "update"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create"]
   - apiGroups: [""]
     resources: ["secrets"]
     resourceNames: ["flow-aggregator-client-tls"]

pkg/apiserver/certificate/cacert_controller.go

@@ -22,6 +22,7 @@ import (
 	"time"
 
 	v1 "k8s.io/api/admissionregistration/v1"
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -245,17 +246,35 @@ func (c *CACertController) syncConfigMap(caCert []byte) error {
 	// Use the Antrea Pod Namespace for the CA cert ConfigMap.
 	caConfigMapNamespace := GetCAConfigMapNamespace()
 	caConfigMap, err := c.client.CoreV1().ConfigMaps(caConfigMapNamespace).Get(context.TODO(), CAConfigMapName, metav1.GetOptions{})
+	exists := true
 	if err != nil {
-		return fmt.Errorf("error getting ConfigMap %s: %v", CAConfigMapName, err)
+		if !errors.IsNotFound(err) {
+			return fmt.Errorf("error getting ConfigMap %s: %v", CAConfigMapName, err)
+		}
+		exists = false
+		caConfigMap = &corev1.ConfigMap{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      CAConfigMapName,
+				Namespace: caConfigMapNamespace,
+			},
+			Data:       map[string]string{},
+			BinaryData: map[string][]byte{},
+		}
 	}
 	if caConfigMap.Data != nil && caConfigMap.Data[CAConfigMapKey] == string(caCert) {
 		return nil
 	}
 	caConfigMap.Data = map[string]string{
 		CAConfigMapKey: string(caCert),
 	}
-	if _, err := c.client.CoreV1().ConfigMaps(caConfigMapNamespace).Update(context.TODO(), caConfigMap, metav1.UpdateOptions{}); err != nil {
-		return fmt.Errorf("error updating ConfigMap %s: %v", CAConfigMapName, err)
+	if exists {
+		if _, err := c.client.CoreV1().ConfigMaps(caConfigMapNamespace).Update(context.TODO(), caConfigMap, metav1.UpdateOptions{}); err != nil {
+			return fmt.Errorf("error updating ConfigMap %s: %v", CAConfigMapName, err)
+		}
+	} else {
+		if _, err := c.client.CoreV1().ConfigMaps(caConfigMapNamespace).Create(context.TODO(), caConfigMap, metav1.CreateOptions{}); err != nil {
+			return fmt.Errorf("error creating ConfigMap %s: %v", CAConfigMapName, err)
+		}
 	}
 	return nil
 }

pkg/clusteridentity/clusteridentity.go

@@ -20,6 +20,8 @@ import (
 	"time"
 
 	"github.com/google/uuid"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
 	clientset "k8s.io/client-go/kubernetes"
@@ -54,8 +56,20 @@ func NewClusterIdentityAllocator(
 
 func (a *ClusterIdentityAllocator) updateConfigMapIfNeeded() error {
 	configMap, err := a.k8sClient.CoreV1().ConfigMaps(a.clusterIdentityConfigMapNamespace).Get(context.TODO(), a.clusterIdentityConfigMapName, metav1.GetOptions{})
+	exists := true
 	if err != nil {
-		return fmt.Errorf("error when getting '%s/%s' ConfigMap: %v", a.clusterIdentityConfigMapNamespace, a.clusterIdentityConfigMapName, err)
+		if !errors.IsNotFound(err) {
+			return fmt.Errorf("error when getting '%s/%s' ConfigMap: %v", a.clusterIdentityConfigMapNamespace, a.clusterIdentityConfigMapName, err)
+		}
+		exists = false
+		configMap = &corev1.ConfigMap{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      a.clusterIdentityConfigMapName,
+				Namespace: a.clusterIdentityConfigMapNamespace,
+			},
+			Data:       map[string]string{},
+			BinaryData: map[string][]byte{},
+		}
 	}
 
 	// returns a triplet consisting of the cluster UUID, a boolean indicating if the UUID needs
@@ -88,8 +102,14 @@ func (a *ClusterIdentityAllocator) updateConfigMapIfNeeded() error {
 	configMap.Data = map[string]string{
 		uuidConfigMapKey: clusterUUID.String(),
 	}
-	if _, err := a.k8sClient.CoreV1().ConfigMaps(a.clusterIdentityConfigMapNamespace).Update(context.TODO(), configMap, metav1.UpdateOptions{}); err != nil {
-		return fmt.Errorf("error when updating '%s/%s' ConfigMap with new cluster identity: %v", a.clusterIdentityConfigMapNamespace, a.clusterIdentityConfigMapName, err)
+	if exists {
+		if _, err := a.k8sClient.CoreV1().ConfigMaps(a.clusterIdentityConfigMapNamespace).Update(context.TODO(), configMap, metav1.UpdateOptions{}); err != nil {
+			return fmt.Errorf("error when updating '%s/%s' ConfigMap with new cluster identity: %v", a.clusterIdentityConfigMapNamespace, a.clusterIdentityConfigMapName, err)
+		}
+	} else {
+		if _, err := a.k8sClient.CoreV1().ConfigMaps(a.clusterIdentityConfigMapNamespace).Create(context.TODO(), configMap, metav1.CreateOptions{}); err != nil {
+			return fmt.Errorf("error when creating '%s/%s' ConfigMap with new cluster identity: %v", a.clusterIdentityConfigMapNamespace, a.clusterIdentityConfigMapName, err)
+		}
 	}
 	klog.Infof("New cluster UUID: %v", clusterUUID)
 	return nil