Move mutable configmaps out of deployment manifest

Moving "antrea-ca" and "antrea-cluster-identity" out of deployment manifest.
Instead creating them in the code.

Fixes #1945

build/yamls/antrea-aks.yml

@@ -1185,6 +1185,12 @@ rules:
   verbs:
   - get
   - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
 - apiGroups:
   - apiregistration.k8s.io
   resourceNames:
@@ -1312,22 +1318,6 @@ subjects:
   namespace: kube-system
 ---
 apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: antrea
-  name: antrea-ca
-  namespace: kube-system
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: antrea
-  name: antrea-cluster-identity
-  namespace: kube-system
----
-apiVersion: v1
 data:
   antrea-agent.conf: |
     # FeatureGates is a map of feature names to bools that enable or disable experimental features.

build/yamls/antrea-eks.yml

@@ -1185,6 +1185,12 @@ rules:
   verbs:
   - get
   - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
 - apiGroups:
   - apiregistration.k8s.io
   resourceNames:
@@ -1312,22 +1318,6 @@ subjects:
   namespace: kube-system
 ---
 apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: antrea
-  name: antrea-ca
-  namespace: kube-system
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: antrea
-  name: antrea-cluster-identity
-  namespace: kube-system
----
-apiVersion: v1
 data:
   antrea-agent.conf: |
     # FeatureGates is a map of feature names to bools that enable or disable experimental features.

build/yamls/antrea-gke.yml

@@ -1185,6 +1185,12 @@ rules:
   verbs:
   - get
   - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
 - apiGroups:
   - apiregistration.k8s.io
   resourceNames:
@@ -1312,22 +1318,6 @@ subjects:
   namespace: kube-system
 ---
 apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: antrea
-  name: antrea-ca
-  namespace: kube-system
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: antrea
-  name: antrea-cluster-identity
-  namespace: kube-system
----
-apiVersion: v1
 data:
   antrea-agent.conf: |
     # FeatureGates is a map of feature names to bools that enable or disable experimental features.

build/yamls/antrea-ipsec.yml

@@ -1185,6 +1185,12 @@ rules:
   verbs:
   - get
   - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
 - apiGroups:
   - apiregistration.k8s.io
   resourceNames:
@@ -1312,22 +1318,6 @@ subjects:
   namespace: kube-system
 ---
 apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: antrea
-  name: antrea-ca
-  namespace: kube-system
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: antrea
-  name: antrea-cluster-identity
-  namespace: kube-system
----
-apiVersion: v1
 data:
   antrea-agent.conf: |
     # FeatureGates is a map of feature names to bools that enable or disable experimental features.

build/yamls/antrea.yml

@@ -1185,6 +1185,12 @@ rules:
   verbs:
   - get
   - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
 - apiGroups:
   - apiregistration.k8s.io
   resourceNames:
@@ -1312,22 +1318,6 @@ subjects:
   namespace: kube-system
 ---
 apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: antrea
-  name: antrea-ca
-  namespace: kube-system
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app: antrea
-  name: antrea-cluster-identity
-  namespace: kube-system
----
-apiVersion: v1
 data:
   antrea-agent.conf: |
     # FeatureGates is a map of feature names to bools that enable or disable experimental features.

build/yamls/base/controller-rbac.yml

@@ -83,6 +83,12 @@ rules:
     verbs:
       - get
       - update
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - create
   - apiGroups:
       - apiregistration.k8s.io
     resources:

build/yamls/base/controller.yml

@@ -11,16 +11,6 @@ spec:
   selector:
     component: antrea-controller
 ---
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: antrea-ca
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: antrea-cluster-identity
----
 apiVersion: apiregistration.k8s.io/v1
 kind: APIService
 metadata:

pkg/apiserver/certificate/cacert_controller.go

@@ -22,6 +22,7 @@ import (
 	"time"
 
 	v1 "k8s.io/api/admissionregistration/v1"
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -246,7 +247,13 @@ func (c *CACertController) syncConfigMap(caCert []byte) error {
 	caConfigMapNamespace := GetCAConfigMapNamespace()
 	caConfigMap, err := c.client.CoreV1().ConfigMaps(caConfigMapNamespace).Get(context.TODO(), CAConfigMapName, metav1.GetOptions{})
 	if err != nil {
-		return fmt.Errorf("error getting ConfigMap %s: %v", CAConfigMapName, err)
+		if !errors.IsNotFound(err) {
+			return fmt.Errorf("error getting ConfigMap %s: %v", CAConfigMapName, err)
+		}
+		caConfigMap, err = c.client.CoreV1().ConfigMaps(caConfigMapNamespace).Create(context.TODO(), c.createConfigMap(caConfigMapNamespace), metav1.CreateOptions{})
+		if err != nil {
+			return fmt.Errorf("error creating ConfigMap %s: %v", CAConfigMapName, err)
+		}
 	}
 	if caConfigMap.Data != nil && caConfigMap.Data[CAConfigMapKey] == string(caCert) {
 		return nil
@@ -316,3 +323,15 @@ func (c *CACertController) processNextWorkItem() bool {
 
 	return true
 }
+
+func (c *CACertController) createConfigMap(caConfigMapNamespace string) *corev1.ConfigMap {
+	caConfigMap := &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      CAConfigMapName,
+			Namespace: caConfigMapNamespace,
+		},
+		Data:       map[string]string{},
+		BinaryData: map[string][]byte{},
+	}
+	return caConfigMap
+}

pkg/clusteridentity/clusteridentity.go

@@ -20,6 +20,8 @@ import (
 	"time"
 
 	"github.com/google/uuid"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
 	clientset "k8s.io/client-go/kubernetes"
@@ -55,7 +57,13 @@ func NewClusterIdentityAllocator(
 func (a *ClusterIdentityAllocator) updateConfigMapIfNeeded() error {
 	configMap, err := a.k8sClient.CoreV1().ConfigMaps(a.clusterIdentityConfigMapNamespace).Get(context.TODO(), a.clusterIdentityConfigMapName, metav1.GetOptions{})
 	if err != nil {
-		return fmt.Errorf("error when getting '%s/%s' ConfigMap: %v", a.clusterIdentityConfigMapNamespace, a.clusterIdentityConfigMapName, err)
+		if !errors.IsNotFound(err) {
+			return fmt.Errorf("error when getting '%s/%s' ConfigMap: %v", a.clusterIdentityConfigMapNamespace, a.clusterIdentityConfigMapName, err)
+		}
+		configMap, err = a.k8sClient.CoreV1().ConfigMaps(a.clusterIdentityConfigMapNamespace).Create(context.TODO(), a.createConfigMap(), metav1.CreateOptions{})
+		if err != nil {
+			return fmt.Errorf("error when creating '%s/%s' ConfigMap: %v", a.clusterIdentityConfigMapNamespace, a.clusterIdentityConfigMapName, err)
+		}
 	}
 
 	// returns a triplet consisting of the cluster UUID, a boolean indicating if the UUID needs
@@ -189,3 +197,15 @@ func (p *clusterIdentityProvider) Get() (ClusterIdentity, time.Time, error) {
 
 	return identity, creationTime, nil
 }
+
+func (a *ClusterIdentityAllocator) createConfigMap() *corev1.ConfigMap {
+	configMap := &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      a.clusterIdentityConfigMapName,
+			Namespace: a.clusterIdentityConfigMapNamespace,
+		},
+		Data:       map[string]string{},
+		BinaryData: map[string][]byte{},
+	}
+	return configMap
+}