Merge pull request #18147 from rifelpet/gce-apiserver

gce: support for role=apiserver

Author: k8s-ci-robot

cmd/kops/integration_test.go

@@ -77,6 +77,13 @@ type integrationTest struct {
 	startupScript bool
 	// verify "kops get assets" functionality
 	testGetAssets bool
+	// gceAPIServerIGs is a list of APIServer instance group names and their zones for GCE
+	gceAPIServerIGs []gceAPIServerIG
+}
+
+type gceAPIServerIG struct {
+	name string
+	zone string
 }
 
 func newIntegrationTest(clusterName, srcDir string) *integrationTest {
@@ -151,6 +158,11 @@ func (i *integrationTest) withCiliumEtcd() *integrationTest {
 	return i
 }
 
+func (i *integrationTest) withGCEDedicatedAPIServer(name, zone string) *integrationTest {
+	i.gceAPIServerIGs = append(i.gceAPIServerIGs, gceAPIServerIG{name: name, zone: zone})
+	return i
+}
+
 func (i *integrationTest) withDedicatedAPIServer() *integrationTest {
 	i.expectTerraformFilenames = append(i.expectTerraformFilenames,
 		"aws_iam_role_apiservers."+i.clusterName+"_policy",
@@ -408,6 +420,21 @@ func TestMinimalGCEPublicLoadBalancer(t *testing.T) {
 		runTestTerraformGCE(t)
 }
 
+// TestMinimalGCEPublicLoadBalancerAPIServer runs tests on a minimal GCE configuration with a public load balancer and an APIServer instance group.
+func TestMinimalGCEPublicLoadBalancerAPIServer(t *testing.T) {
+	featureflag.ParseFlags("+APIServerNodes")
+	defer featureflag.ParseFlags("-APIServerNodes")
+
+	newIntegrationTest("minimal-gce-plb-apiserver.example.com", "minimal_gce_plb_apiserver").
+		withAddons(
+			dnsControllerAddon,
+			gcpCCMAddon,
+			gcpPDCSIAddon,
+		).
+		withGCEDedicatedAPIServer("apiserver-us-test1-a", "us-test1-a").
+		runTestTerraformGCE(t)
+}
+
 // TestMinimalGCELongClusterName runs tests on a minimal GCE configuration with a very long cluster name
 func TestMinimalGCELongClusterName(t *testing.T) {
 	newIntegrationTest("minimal-gce-with-a-very-very-very-very-very-long-name.example.com", "minimal_gce_longclustername").
@@ -1681,6 +1708,17 @@ func (i *integrationTest) runTestTerraformGCE(t *testing.T) {
 		}
 	}
 
+	for _, ig := range i.gceAPIServerIGs {
+		expectedFilenames = append(expectedFilenames, "aws_s3_object_nodeupconfig-"+ig.name+"_content")
+
+		prefix := "google_compute_instance_template_" + ig.name + "-" + gce.SafeClusterName(i.clusterName) + "_metadata_"
+		if !i.startupScript {
+			expectedFilenames = append(expectedFilenames, prefix+"user-data")
+		} else {
+			expectedFilenames = append(expectedFilenames, prefix+"startup-script")
+		}
+	}
+
 	i.runTest(t, ctx, h, expectedFilenames, "", "", nil)
 }
 

pkg/apis/kops/validation/instancegroup.go

@@ -239,8 +239,8 @@ func CrossValidateInstanceGroup(g *kops.InstanceGroup, cluster *kops.Cluster, cl
 	}
 
 	if g.Spec.Role == kops.InstanceGroupRoleAPIServer {
-		if cluster.GetCloudProvider() != kops.CloudProviderAWS {
-			allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "role"), "APIServer role only supported on AWS"))
+		if cluster.GetCloudProvider() != kops.CloudProviderAWS && cluster.GetCloudProvider() != kops.CloudProviderGCE {
+			allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "role"), "APIServer role only supported on AWS and GCE"))
 		}
 		if cluster.UsesNoneDNS() {
 			allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "role"), "APIServer cannot be used with topology.dns.type=None"))

pkg/apis/kops/validation/instancegroup_test.go

@@ -510,3 +510,69 @@ func createMinimalInstanceGroup() *kops.InstanceGroup {
 	}
 	return ig
 }
+
+func TestCrossValidateAPIServerRole(t *testing.T) {
+	grid := []struct {
+		Description    string
+		Cluster        *kops.Cluster
+		ExpectedErrors int
+	}{
+		{
+			Description: "APIServer role allowed on AWS",
+			Cluster: &kops.Cluster{
+				Spec: kops.ClusterSpec{
+					CloudProvider: kops.CloudProviderSpec{
+						AWS: &kops.AWSSpec{},
+					},
+				},
+			},
+			ExpectedErrors: 0,
+		},
+		{
+			Description: "APIServer role allowed on GCE",
+			Cluster: &kops.Cluster{
+				Spec: kops.ClusterSpec{
+					CloudProvider: kops.CloudProviderSpec{
+						GCE: &kops.GCESpec{},
+					},
+				},
+			},
+			ExpectedErrors: 0,
+		},
+		{
+			Description: "APIServer role forbidden on DO",
+			Cluster: &kops.Cluster{
+				Spec: kops.ClusterSpec{
+					CloudProvider: kops.CloudProviderSpec{
+						DO: &kops.DOSpec{},
+					},
+				},
+			},
+			ExpectedErrors: 1,
+		},
+	}
+
+	for _, g := range grid {
+		t.Run(g.Description, func(t *testing.T) {
+			ig := &kops.InstanceGroup{
+				ObjectMeta: v1.ObjectMeta{
+					Name: "apiserver",
+				},
+				Spec: kops.InstanceGroupSpec{
+					Role:    kops.InstanceGroupRoleAPIServer,
+					Subnets: []string{"eu-central-1a"},
+					MaxSize: fi.PtrTo(int32(1)),
+					MinSize: fi.PtrTo(int32(1)),
+					Image:   "my-image",
+				},
+			}
+			g.Cluster.Spec.Networking.Subnets = []kops.ClusterSubnetSpec{
+				{Name: "eu-central-1a", Region: "eu-central-1"},
+			}
+			errs := CrossValidateInstanceGroup(ig, g.Cluster, nil, true)
+			if len(errs) != g.ExpectedErrors {
+				t.Errorf("expected %d errors, got %d: %v", g.ExpectedErrors, len(errs), errs)
+			}
+		})
+	}
+}

pkg/model/gcemodel/api_loadbalancer.go

@@ -146,7 +146,7 @@ func (b *APILoadBalancerBuilder) createInternalLB(c *fi.CloudupModelBuilderConte
 	c.AddTask(hc)
 	var igms []*gcetasks.InstanceGroupManager
 	for _, ig := range b.InstanceGroups {
-		if ig.Spec.Role != kops.InstanceGroupRoleControlPlane {
+		if !ig.HasAPIServer() {
 			continue
 		}
 		if len(ig.Spec.Zones) > 1 {

pkg/model/gcemodel/autoscalinggroup.go

@@ -214,6 +214,10 @@ func (b *AutoscalingGroupModelBuilder) buildInstanceTemplate(c *fi.CloudupModelB
 			t.Tags = append(t.Tags, b.GCETagForRole(kops.InstanceGroupRoleControlPlane))
 			t.Tags = append(t.Tags, b.GCETagForRole("master"))
 
+		case kops.InstanceGroupRoleAPIServer:
+			t.Scopes = append(t.Scopes, "https://www.googleapis.com/auth/ndev.clouddns.readwrite")
+			t.Tags = append(t.Tags, b.GCETagForRole(kops.InstanceGroupRoleControlPlane))
+
 		case kops.InstanceGroupRoleNode:
 			t.Tags = append(t.Tags, b.GCETagForRole(kops.InstanceGroupRoleNode))
 
@@ -349,8 +353,8 @@ func (b *AutoscalingGroupModelBuilder) Build(c *fi.CloudupModelBuilderContext) e
 				ListManagedInstancesResults: "PAGINATED",
 			}
 
-			// Attach masters to load balancer if we're using one
-			if ig.Spec.Role == kops.InstanceGroupRoleControlPlane {
+			// Attach API server instances to load balancer if we're using one
+			if ig.HasAPIServer() {
 				if b.UseLoadBalancerForAPI() {
 					lbSpec := b.Cluster.Spec.API.LoadBalancer
 					if lbSpec != nil {

tests/e2e/templates/apiserver-gce.yaml.tmpl

@@ -0,0 +1,122 @@
+{{$zone := index .zones 0}}
+apiVersion: kops.k8s.io/v1alpha2
+kind: Cluster
+metadata:
+  name: {{.clusterName}}
+spec:
+  kubernetesApiAccess:
+  - {{.publicIP}}
+  api:
+    loadBalancer:
+      type: Public
+  authorization:
+    rbac: {}
+  channel: stable
+  cloudConfig:
+    gceServiceAccount: default
+  cloudProvider: {{.cloudProvider}}
+  configBase: "{{.stateStore}}/{{.clusterName}}"
+  containerd:
+    configAdditions:
+      plugins."io.containerd.grpc.v1.cri".containerd.runtimes.test-handler.runtime_type: io.containerd.runc.v2
+  etcdClusters:
+  - etcdMembers:
+    - instanceGroup: control-plane-{{$zone}}
+      name: {{$zone}}
+    name: main
+  - etcdMembers:
+    - instanceGroup: control-plane-{{$zone}}
+      name: {{$zone}}
+    name: events
+  iam:
+    allowContainerRegistry: true
+    legacy: false
+  kubelet:
+    anonymousAuth: false
+  kubernetesVersion: {{.kubernetesVersion}}
+  networking:
+    kubenet: {}
+  nodePortAccess:
+    - 0.0.0.0/0
+  nonMasqueradeCIDR: 100.64.0.0/10
+  sshAccess:
+    - {{.publicIP}}
+  subnets:
+  - cidr: 10.0.16.0/20
+    name: {{$zone}}
+    region: {{$zone}}
+    type: Public
+  topology:
+    dns:
+      type: Public
+
+---
+
+apiVersion: kops.k8s.io/v1alpha2
+kind: SSHCredential
+metadata:
+  name: admin
+  labels:
+    kops.k8s.io/cluster: {{.clusterName}}
+spec:
+  publicKey: {{.sshPublicKey}}
+
+---
+
+apiVersion: kops.k8s.io/v1alpha2
+kind: InstanceGroup
+metadata:
+  name: nodes-{{$zone}}
+  labels:
+    kops.k8s.io/cluster: {{.clusterName}}
+spec:
+  image: ubuntu-os-cloud/ubuntu-2404-noble-amd64-v20250606
+  machineType: e2-standard-2
+  maxSize: 4
+  minSize: 4
+  role: Node
+  rootVolumeSize: 100
+  subnets:
+  - {{$zone}}
+  zones:
+  - {{$zone}}
+
+---
+
+apiVersion: kops.k8s.io/v1alpha2
+kind: InstanceGroup
+metadata:
+  name: control-plane-{{$zone}}
+  labels:
+    kops.k8s.io/cluster: {{.clusterName}}
+spec:
+  image: ubuntu-os-cloud/ubuntu-2404-noble-amd64-v20250606
+  machineType: e2-standard-2
+  maxSize: 1
+  minSize: 1
+  role: Master
+  rootVolumeSize: 48
+  subnets:
+  - {{$zone}}
+  zones:
+  - {{$zone}}
+
+---
+
+apiVersion: kops.k8s.io/v1alpha2
+kind: InstanceGroup
+metadata:
+  name: apiserver-{{$zone}}
+  labels:
+    kops.k8s.io/cluster: {{.clusterName}}
+spec:
+  image: ubuntu-os-cloud/ubuntu-2404-noble-amd64-v20250606
+  machineType: e2-standard-2
+  maxSize: 1
+  minSize: 1
+  role: APIServer
+  rootVolumeSize: 48
+  subnets:
+  - {{$zone}}
+  zones:
+  - {{$zone}}