explicit kubelet config key in Node.Spec.ConfigSource.ConfigMap

[mtaufen]

This makes the Kubelet config key in the ConfigMap an explicit part of
the API, so we can stop using magic key names.

As part of this change, we are retiring ConfigMapRef for ConfigMap.

You must now specify Node.Spec.ConfigSource.ConfigMap.KubeletConfigKey when using dynamic Kubelet config to tell the Kubelet which key of the ConfigMap identifies its config file.

[mtaufen]

TODO: Sanitize/validate this against the same rules for ConfigMap keys. Wouldn't want it to be possible to put ../x in here...

[mtaufen]

done via API server validation

[liggitt]

remove omitempty, this is required

[mtaufen]

done

[liggitt]

add +optional comment

[mtaufen]

done

[liggitt]

add +optional comment

[mtaufen]

done

[liggitt]

for posterity, this is what's going on here:

1. kind/apiVersion were used by the kubelet to persist this struct to disk (they had no protobuf tags)
2. configMapRef and proto tag 1 were used by the API to refer to a configmap, but used a generic ObjectReference type that didn't really have the fields we needed

all uses/persistence of the NodeConfigSource struct prior to 1.11 were gated by alpha feature flags, so there is no persisted data for these fields that needs to be migrated/handled.

[mtaufen]

Added this as a comment in the file, so it doesn't just live on GitHub.

[liggitt]

same comment, this doesn't really belong in the v1 API, it belongs to the kubelet

[liggitt]

needs godoc

[mtaufen]

done

[liggitt]

the ConfigMapNodeConfigSource looks much better to me, thanks

cc @kubernetes/sig-node-api-reviews

[mtaufen]

/retest

[mtaufen]

@dchen1107 @liggitt @derekwaynecarr

this should be able to be internal to the kubelet, right? not defined/registered for the entire v1 API group

Whether to move SerializedNodeConfigSource from core API group (current state of this PR) to kubeletconfig isn't an easy question to answer.

On one hand, the Kubelet is the only component that uses the serializable wrapper type right now (for locally tracking assigned and last-known-good config), which was the reason behind @liggitt's recommendation to move it.

On the other hand, the feature the type pertains to (dynamic Kubelet config) is part of the core API group (NodeConfigSource). The kubeletconfig API group is concerned with the structure of the Kubelet's configuration, and I'm not sure it should also include delivery mechanisms for that API (nobody would even think of embedding ConfigMapVolumeSource in the componentconfig API group of a component that runs in a Pod; they'd just use ConfigMapVolumeSource to deliver the config).

I was initially comfortable moving it, but these points are making me think twice.

[mtaufen]

I thought SerializedObjectReference in core would be a good argument for SerializedNodeConfigSource in core, but the history of that field (#7322) suggests it instead fits the core purpose of "serving REST APIs," which SerializedNodeConfigSource would not.

The kubeletconfig API group can assume the purpose of managing "versioned inputs to the Kubelet," and SerializedNodeConfigSource fits this description.

[mtaufen]

updated the location of the serialized reference; still need to regenerate some files

[dchen1107]

/approve

I approved the pr now so that I won't become the bottom-neck on promoting dynamic Kubelet Config to beta. Will take a deep review on the implementation later.

[dchen1107]

can we have more test cases here, for example, empty name? empty namespace? or UID?

[mtaufen]

Those cases (empty ConfigMapNodeConfigSource fields) should already be covered by API server validation. I don't see a reason to duplicate that validation here.

[dchen1107]

The comment here is very hard to understand, could you please add more clarification here?

[mtaufen]

I updated the comment to provide additional context.

[mtaufen]

New comment text:

// UID is the metadata.UID of the referenced ConfigMap.
// This field is currently reqired in Node.Spec.
// TODO(#61643): This field will be forbidden in Node.Spec when #61643 is resolved.
//               #61643 changes the behavior of dynamic Kubelet config to respect
//               ConfigMap updates, and thus removes the ability to pin the Spec to a given UID.
// TODO(#56896): This field will be required in Node.Status when #56896 is resolved.
//               #63314 (the PR that resolves #56896) adds a structured status to the Node
//               object for reporting information about the config. This status requires UID
//               and ResourceVersion, so that it represents a fully-explicit description of
//               the configuration in use, while (see previous TODO) the Spec will be
//               restricted to namespace/name in #61643.

[dchen1107]

Thanks.

[dchen1107]

Is there any reason separating this validation of a single object into two separate methods here since both are same spec related?

[mtaufen]

1. You're right, it would be cleaner to remove the Spec suffix here, but it'll just get added back in Move to a structured status for dynamic kubelet config #63314, when NodeConfigSource starts being used as part of the structured status.
2. The split between validateNodeConfigSourceSpec and validateConfigMapNodeConfigSourceSpec recognizes that the former's target (NodeConfigSource) acts as a disjoint union type, and the latter's target (ConfigMapNodeConfigSource) is one of the possible subtypes (there is only one subtype today - a ConfigMap source, but it's open to extension in the future).

[dchen1107]

Ok. I can live with it. :-)

[dashpole]

couple nits, otherwise looks good.

[dashpole]

should this be kubeletconfiginternal.SerializedNodeConfigSource?

[mtaufen]

No. The external version is what we load; the decoder automatically converts it to the internal version as part of the decoding process.

[dashpole]

Is there a reason why we dont use kubeadmconstants.KubeletBaseConfigurationConfigMapKey here? Using "key" or something other than the actual key would make it clearer that we aren't relying on the actual key. Or we should use the constant for the key if we are relying on that.

[mtaufen]

1. Kubelet should never depend on kubeadm
2. I'm not sure I understand your question? Whatever kubeletConfigKey is set to determines where the Kubelet looks for the Kubelet config. There is no "actual key" - the choice of where to put the config in the ConfigMap is up to the user.

[dashpole]

I see, thanks for clarifying.

[dashpole]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dashpole, dchen1107, mtaufen

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• api/OWNERS [dchen1107]
• cmd/kubeadm/OWNERS [dchen1107]
• docs/api-reference/OWNERS [dchen1107]
• pkg/apis/core/OWNERS [dchen1107]
• pkg/kubelet/apis/kubeletconfig/OWNERS [dchen1107,mtaufen]
• pkg/kubelet/kubeletconfig/OWNERS [dchen1107,mtaufen]
• plugin/pkg/admission/noderestriction/OWNERS [dchen1107]
• plugin/pkg/auth/authorizer/node/OWNERS [dchen1107]
• staging/src/k8s.io/api/OWNERS [dchen1107]
• test/OWNERS [dchen1107]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 63624, 59847). If you want to cherry-pick this change to another branch, please follow the instructions here.