[release/v1.9] Cherry-pick the required fixes for the release/v1.9 branch (#3547)

* feat: add flag to skip TLS verification (#3522)

* feat: add flag to skip TLS verification

Signed-off-by: Stephan <[email protected]>

* Update addons/backups-restic/backups-restic.yaml

Co-authored-by: Artiom Diomin <[email protected]>
Signed-off-by: Stephan <[email protected]>

---------

Signed-off-by: Stephan <[email protected]>
Co-authored-by: Artiom Diomin <[email protected]>

* fix cloud config defaulting before terraform config apply (#3534)

* Make sure no slash at the end of vcenterPrefix (#3537)

Signed-off-by: Artiom Diomin <[email protected]>

* Fix kubevirt csi addon template (#3529)

* fix kubevirt csi addon template

* update internal images in template

* update internal images in template

* fix labels

* update addons

* update addons sa

* fix toleration (#3545)

* update Machine controller image (#3546)

* update Machine controller image

Signed-off-by: Mohamed Rafraf <[email protected]>

* update go.mod

---------

Signed-off-by: Mohamed Rafraf <[email protected]>

* labeling control-plane before (#3544)

---------

Signed-off-by: Stephan <[email protected]>
Signed-off-by: Artiom Diomin <[email protected]>
Signed-off-by: Mohamed Rafraf <[email protected]>
Co-authored-by: Stephan <[email protected]>
Co-authored-by: Artiom Diomin <[email protected]>
Co-authored-by: Mohamed Rafraf <[email protected]>
Co-authored-by: Artiom Diomin <[email protected]>

Author: 4 people

addons/backups-restic/backups-restic.yaml

@@ -100,9 +100,9 @@ spec:
               cp -a /etc/kubernetes/pki/front-proxy-ca.key /backup/pki/kubernetes
               cp -a /etc/kubernetes/pki/sa.key /backup/pki/kubernetes
               cp -a /etc/kubernetes/pki/sa.pub /backup/pki/kubernetes
-              restic snapshots -q || restic init -q
-              restic backup --tag=etcd --host=${ETCD_HOSTNAME} /backup
-              restic forget --prune --keep-last 48
+              restic snapshots {{- with .Params.commonFlags }} {{.}}{{ end }} -q || restic init {{- with .Params.commonFlags }} {{.}}{{ end }} -q
+              restic backup {{- with .Params.commonFlags }} {{.}}{{ end }} --tag=etcd --host=${ETCD_HOSTNAME} /backup
+              restic forget {{- with .Params.commonFlags }} {{.}}{{ end }} --prune --keep-last 48
             env:
             - name: ETCD_HOSTNAME
               valueFrom:

addons/csi-kubevirt/1-kubevirt-csi-driver.yaml

@@ -61,7 +61,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: driver-config
-  namespace: kubevirt-csi-driver
+  namespace: kube-system
 data:
 {{ with .Config.CloudProvider.Kubevirt -}}
 {{ with .InfraNamespace }}
@@ -96,7 +96,7 @@ spec:
             privileged: true
             allowPrivilegeEscalation: true
           imagePullPolicy: Always
-          image: '{{ .InternalImages.Get "KubeVirtCSIDriver" }}'
+          image: '{{ .InternalImages.Get "KubeVirtCSI" }}'
           args:
             - "--endpoint=unix:/csi/csi.sock"
             - "--node-name=$(KUBE_NODE_NAME)"
@@ -159,7 +159,7 @@ spec:
               memory: 20Mi
               cpu: 5m
         - name: csi-liveness-probe
-          image: '{{ .InternalImages.Get "KubeVirtCSILivenessprobe" }}'
+          image: '{{ .InternalImages.Get "KubeVirtCSILivenessProbe" }}'
           args:
             - "--csi-address=/csi/csi.sock"
             - "--probe-timeout=3s"

addons/csi-kubevirt/2-kubevirt-csi-controller.yaml

@@ -79,7 +79,7 @@ data:
     value: "{{ . }}"
 kind: Secret
 metadata:
-    labels:
+  labels:
     app: kubevirt-csi-driver
   name: infra-kubeconfig
   namespace: kube-system
@@ -104,11 +104,14 @@ spec:
       labels:
         app: kubevirt-csi-driver
     spec:
-      serviceAccount: kubevirt-csi
+      serviceAccount: kubevirt-csi-controller-sa
       priorityClassName: system-cluster-critical
       nodeSelector:
         node-role.kubernetes.io/control-plane: ""
       tolerations:
+        - key: "node-role.kubernetes.io/control-plane"
+          operator: Exists
+          effect: NoSchedule
         - key: CriticalAddonsOnly
           operator: Exists
         - key: node-role.kubernetes.io/master
@@ -117,7 +120,7 @@ spec:
       containers:
         - name: csi-driver
           imagePullPolicy: Always
-          image: '{{ .InternalImages.Get "KubeVirtCSIDriver" }}'
+          image: '{{ .InternalImages.Get "KubeVirtCSI" }}'
           args:
             - "--endpoint=$(CSI_ENDPOINT)"
             - "--infra-cluster-namespace=$(INFRACLUSTER_NAMESPACE)"
@@ -163,7 +166,7 @@ spec:
               memory: 50Mi
               cpu: 10m
         - name: csi-provisioner
-          image: '{{ .InternalImages.Get "KubeVirtCSIExternalProvisioner" }}'
+          image: '{{ .InternalImages.Get "KubeVirtCSIProvisioner" }}'
           args:
             - "--csi-address=$(ADDRESS)"
             - "--default-fstype=ext4"
@@ -177,7 +180,7 @@ spec:
             - name: socket-dir
               mountPath: /var/lib/csi/sockets/pluginproxy/
         - name: csi-attacher
-          image:  '{{ .InternalImages.Get "KubeVirtCSIExternalAttacher" }}'
+          image:  '{{ .InternalImages.Get "KubeVirtCSIAttacher" }}'
           args:
             - "--csi-address=$(ADDRESS)"
             - "--v=5"
@@ -194,7 +197,7 @@ spec:
               memory: 50Mi
               cpu: 10m
         - name: csi-liveness-probe
-          image: '{{ .InternalImages.Get "KubeVirtCSILivenessprobe" }}'
+          image: '{{ .InternalImages.Get "KubeVirtCSILivenessProbe" }}'
           args:
             - "--csi-address=/csi/csi.sock"
             - "--probe-timeout=3s"

go.mod

@@ -35,7 +35,7 @@ require (
 	google.golang.org/grpc v1.67.0
 	gopkg.in/yaml.v2 v2.4.0
 	helm.sh/helm/v3 v3.16.1
-	k8c.io/machine-controller v1.60.0
+	k8c.io/machine-controller v1.61.0
 	k8s.io/api v0.31.1
 	k8s.io/apiextensions-apiserver v0.31.1
 	k8s.io/apimachinery v0.31.1

go.sum

@@ -456,8 +456,6 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo=
-golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0=
 golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -565,8 +563,8 @@ helm.sh/helm/v3 v3.16.1 h1:cER6tI/8PgUAsaJaQCVBUg3VI9KN4oVaZJgY60RIc0c=
 helm.sh/helm/v3 v3.16.1/go.mod h1:r+xBHHP20qJeEqtvBXMf7W35QDJnzY/eiEBzt+TfHps=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8c.io/machine-controller v1.60.0 h1:0ShjXyAnv0hpo59UsV9VFjEfgyG/2XrljBaEUV6JzwM=
-k8c.io/machine-controller v1.60.0/go.mod h1:j9SHRLpzFj5wOMlhdPJL+ub08P8rvVvQOFtg7JaLYb4=
+k8c.io/machine-controller v1.61.0 h1:d7KVD2CDG2K76ujSt5RPLUP3BCNDcioObdM1N0BUNlc=
+k8c.io/machine-controller v1.61.0/go.mod h1:ZGDFyUeEp66RHcNB5Ki/OJyFdZFgo9dkHJ9s6YJWPcg=
 k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU=
 k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI=
 k8s.io/apiextensions-apiserver v0.31.1 h1:L+hwULvXx+nvTYX/MKM3kKMZyei+UiSXQWciX/N6E40=

pkg/apis/kubeone/config/config.go

@@ -22,6 +22,7 @@ import (
 	"os"
 	"os/exec"
 	"reflect"
+	"strings"
 
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -231,6 +232,8 @@ func DefaultedV1Beta3KubeOneCluster(versionedCluster *kubeonev1beta3.KubeOneClus
 
 // SetKubeOneClusterDynamicDefaults sets the dynamic defaults for a given KubeOneCluster object
 func SetKubeOneClusterDynamicDefaults(cluster *kubeoneapi.KubeOneCluster, credentialsFile []byte) error {
+	// Set the default cloud config
+	SetDefaultsCloudConfig(cluster)
 	// Parse the credentials file
 	credentials := make(map[string]string)
 
@@ -289,6 +292,42 @@ func SetKubeOneClusterDynamicDefaults(cluster *kubeoneapi.KubeOneCluster, creden
 	return nil
 }
 
+// SetDefaultsCloudConfig sets default values for the CloudConfig field in the KubeOneCluster object.
+// this function assigns a default cloud configuration.
+func SetDefaultsCloudConfig(obj *kubeoneapi.KubeOneCluster) {
+	if obj.CloudProvider.AWS != nil && obj.CloudProvider.External {
+		if obj.CloudProvider.CloudConfig == "" {
+			obj.CloudProvider.CloudConfig = defaultAWSCCMCloudConfig(obj.Name, obj.ClusterNetwork.IPFamily)
+		}
+	}
+}
+
+// defaultAWSCCMCloudConfig generates a default cloud configuration for AWS when using the Cloud Controller Manager (CCM).
+// The configuration includes the Kubernetes cluster ID and optionally sets NodeIPFamilies based on the IPFamily setting.
+func defaultAWSCCMCloudConfig(name string, ipFamily kubeoneapi.IPFamily) string {
+	// Initialize the configuration with the global section and cluster ID.
+	lines := []string{
+		"[global]",
+		fmt.Sprintf("KubernetesClusterID=%q", name),
+	}
+
+	// Set NodeIPFamilies based on the IP family configuration.
+	switch ipFamily {
+	case kubeoneapi.IPFamilyIPv4:
+		lines = append(lines, fmt.Sprintf("NodeIPFamilies=%q", "ipv4"))
+	case kubeoneapi.IPFamilyIPv6:
+		lines = append(lines, fmt.Sprintf("NodeIPFamilies=%q", "ipv6"))
+	case kubeoneapi.IPFamilyIPv4IPv6:
+		lines = append(lines, fmt.Sprintf("NodeIPFamilies=%q", "ipv4"))
+		lines = append(lines, fmt.Sprintf("NodeIPFamilies=%q", "ipv6"))
+	case kubeoneapi.IPFamilyIPv6IPv4:
+		lines = append(lines, fmt.Sprintf("NodeIPFamilies=%q", "ipv6"))
+		lines = append(lines, fmt.Sprintf("NodeIPFamilies=%q", "ipv4"))
+	}
+
+	return strings.Join(lines, "\n")
+}
+
 func setRegistriesAuth(cluster *kubeoneapi.KubeOneCluster, buf string) error {
 	var registriesAuth struct {
 		runtime.TypeMeta                          `json:",inline"`

pkg/apis/kubeone/v1beta2/defaults.go

@@ -18,7 +18,6 @@ package v1beta2
 
 import (
 	"crypto/tls"
-	"fmt"
 	"strings"
 	"time"
 
@@ -74,7 +73,6 @@ func SetDefaults_KubeOneCluster(obj *KubeOneCluster) {
 	SetDefaults_HelmReleases(obj)
 	SetDefaults_SystemPackages(obj)
 	SetDefaults_Features(obj)
-	SetDefaults_CloudConfig(obj)
 	SetDefaults_TLSCipherSuites(obj)
 }
 
@@ -97,14 +95,6 @@ func SetDefaults_CloudProvider(obj *KubeOneCluster) {
 	}
 }
 
-func SetDefaults_CloudConfig(obj *KubeOneCluster) {
-	if obj.CloudProvider.AWS != nil && obj.CloudProvider.External {
-		if obj.CloudProvider.CloudConfig == "" {
-			obj.CloudProvider.CloudConfig = defaultAWSCCMCloudConfig(obj.Name, obj.ClusterNetwork.IPFamily)
-		}
-	}
-}
-
 func SetDefaults_Hosts(obj *KubeOneCluster) {
 	// No hosts, so skip defaulting
 	if len(obj.ControlPlane.Hosts) == 0 {
@@ -349,28 +339,6 @@ func defaultHostConfig(obj *HostConfig) {
 	obj.BastionUser = defaults(obj.BastionUser, obj.SSHUsername)
 }
 
-func defaultAWSCCMCloudConfig(name string, ipFamily IPFamily) string {
-	lines := []string{
-		"[global]",
-		fmt.Sprintf("KubernetesClusterID=%q", name),
-	}
-
-	switch ipFamily {
-	case IPFamilyIPv4:
-		lines = append(lines, fmt.Sprintf("NodeIPFamilies=%q", "ipv4"))
-	case IPFamilyIPv6:
-		lines = append(lines, fmt.Sprintf("NodeIPFamilies=%q", "ipv6"))
-	case IPFamilyIPv4IPv6:
-		lines = append(lines, fmt.Sprintf("NodeIPFamilies=%q", "ipv4"))
-		lines = append(lines, fmt.Sprintf("NodeIPFamilies=%q", "ipv6"))
-	case IPFamilyIPv6IPv4:
-		lines = append(lines, fmt.Sprintf("NodeIPFamilies=%q", "ipv6"))
-		lines = append(lines, fmt.Sprintf("NodeIPFamilies=%q", "ipv4"))
-	}
-
-	return strings.Join(lines, "\n")
-}
-
 func defaults[T comparable](input, defaultValue T) T {
 	var zero T
 

pkg/apis/kubeone/v1beta3/defaults.go

@@ -18,7 +18,6 @@ package v1beta3
 
 import (
 	"crypto/tls"
-	"fmt"
 	"strings"
 	"time"
 
@@ -74,7 +73,6 @@ func SetDefaults_KubeOneCluster(obj *KubeOneCluster) {
 	SetDefaults_Addons(obj)
 	SetDefaults_SystemPackages(obj)
 	SetDefaults_Features(obj)
-	SetDefaults_CloudConfig(obj)
 	SetDefaults_TLSCipherSuites(obj)
 }
 
@@ -97,14 +95,6 @@ func SetDefaults_CloudProvider(obj *KubeOneCluster) {
 	}
 }
 
-func SetDefaults_CloudConfig(obj *KubeOneCluster) {
-	if obj.CloudProvider.AWS != nil && obj.CloudProvider.External {
-		if obj.CloudProvider.CloudConfig == "" {
-			obj.CloudProvider.CloudConfig = defaultAWSCCMCloudConfig(obj.Name, obj.ClusterNetwork.IPFamily)
-		}
-	}
-}
-
 func SetDefaults_Hosts(obj *KubeOneCluster) {
 	// No hosts, so skip defaulting
 	if len(obj.ControlPlane.Hosts) == 0 {
@@ -347,28 +337,6 @@ func defaultHostConfig(obj *HostConfig) {
 	obj.BastionUser = defaults(obj.BastionUser, obj.SSHUsername)
 }
 
-func defaultAWSCCMCloudConfig(name string, ipFamily IPFamily) string {
-	lines := []string{
-		"[global]",
-		fmt.Sprintf("KubernetesClusterID=%q", name),
-	}
-
-	switch ipFamily {
-	case IPFamilyIPv4:
-		lines = append(lines, fmt.Sprintf("NodeIPFamilies=%q", "ipv4"))
-	case IPFamilyIPv6:
-		lines = append(lines, fmt.Sprintf("NodeIPFamilies=%q", "ipv6"))
-	case IPFamilyIPv4IPv6:
-		lines = append(lines, fmt.Sprintf("NodeIPFamilies=%q", "ipv4"))
-		lines = append(lines, fmt.Sprintf("NodeIPFamilies=%q", "ipv6"))
-	case IPFamilyIPv6IPv4:
-		lines = append(lines, fmt.Sprintf("NodeIPFamilies=%q", "ipv6"))
-		lines = append(lines, fmt.Sprintf("NodeIPFamilies=%q", "ipv4"))
-	}
-
-	return strings.Join(lines, "\n")
-}
-
 func defaults[T comparable](input, defaultValue T) T {
 	var zero T
 

pkg/credentials/secret.go

@@ -211,6 +211,7 @@ func vsphereSecret(credentials map[string]string) *corev1.Secret {
 	vscreds := map[string]string{}
 
 	vcenterPrefix := strings.ReplaceAll(credentials[VSphereAddressMC], "https://", "")
+	vcenterPrefix, _ = strings.CutSuffix(vcenterPrefix, "/")
 	// Save credentials in Secret and configure vSphere cloud controller
 	// manager to read it, in replace of storing those in /etc/kubernates/cloud-config
 	// see more: https://vmware.github.io/vsphere-storage-for-kubernetes/documentation/k8s-secret.html

pkg/tasks/tasks.go

@@ -276,6 +276,11 @@ func WithResources(t Tasks) Tasks {
 				Description: "ensure caBundle configMap",
 				Predicate:   func(s *state.State) bool { return s.Cluster.CABundle != "" },
 			},
+			{
+				Fn:          labelNodes,
+				Operation:   "labeling control-plane nodes",
+				Description: "labeling control-plane nodes",
+			},
 			{
 				Fn:          addons.Ensure,
 				Operation:   "applying addons",
@@ -310,8 +315,9 @@ func WithResources(t Tasks) Tasks {
 				Operation: "joining static worker nodes to the cluster",
 			},
 			{
-				Fn:        labelNodes,
-				Operation: "labeling nodes",
+				Fn:          labelNodes,
+				Operation:   "labeling nodes",
+				Description: "labeling nodes",
 			},
 			{
 				Fn:        fixFilePermissions,