fixup! refactor: Rely on skip-kube-proxy annotation

Author: jimmidyson

api/v1alpha1/clusterconfig_types.go

@@ -335,8 +335,6 @@ type CoreDNS struct {
 type KubeProxyMode string
 
 const (
-	// KubeProxyModeDisabled indicates that kube-proxy should not be installed.
-	KubeProxyModeDisabled KubeProxyMode = "Disabled"
 	// KubeProxyModeIPTables indicates that kube-proxy should be installed in iptables
 	// mode.
 	KubeProxyModeIPTables KubeProxyMode = "iptables"
@@ -348,12 +346,10 @@ const (
 type KubeProxy struct {
 	// Mode specifies the mode for kube-proxy:
 	//
-	// - Disabled means that kube-proxy is not installed.
 	// - iptables means that kube-proxy is installed in iptables mode.
 	// - nftables means that kube-proxy is installed in nftables mode.
 	// +kubebuilder:validation:Optional
-	// +kubebuilder:validation:Enum=Disabled;iptables;nftables
-	// +kubebuilder:default=iptables
+	// +kubebuilder:validation:Enum=iptables;nftables
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value cannot be changed after cluster creation"
 	Mode KubeProxyMode `json:"mode,omitempty"`
 }

api/v1alpha1/crds/caren.nutanix.com_awsclusterconfigs.yaml

@@ -564,15 +564,12 @@ spec:
                   description: KubeProxy defines the configuration for kube-proxy.
                   properties:
                     mode:
-                      default: iptables
                       description: |-
                         Mode specifies the mode for kube-proxy:
 
-                        - Disabled means that kube-proxy is not installed.
                         - iptables means that kube-proxy is installed in iptables mode.
                         - nftables means that kube-proxy is installed in nftables mode.
                       enum:
-                        - Disabled
                         - iptables
                         - nftables
                       type: string

api/v1alpha1/crds/caren.nutanix.com_dockerclusterconfigs.yaml

@@ -501,15 +501,12 @@ spec:
                   description: KubeProxy defines the configuration for kube-proxy.
                   properties:
                     mode:
-                      default: iptables
                       description: |-
                         Mode specifies the mode for kube-proxy:
 
-                        - Disabled means that kube-proxy is not installed.
                         - iptables means that kube-proxy is installed in iptables mode.
                         - nftables means that kube-proxy is installed in nftables mode.
                       enum:
-                        - Disabled
                         - iptables
                         - nftables
                       type: string

api/v1alpha1/crds/caren.nutanix.com_genericclusterconfigs.yaml

@@ -179,15 +179,12 @@ spec:
                 description: KubeProxy defines the configuration for kube-proxy.
                 properties:
                   mode:
-                    default: iptables
                     description: |-
                       Mode specifies the mode for kube-proxy:
 
-                      - Disabled means that kube-proxy is not installed.
                       - iptables means that kube-proxy is installed in iptables mode.
                       - nftables means that kube-proxy is installed in nftables mode.
                     enum:
-                    - Disabled
                     - iptables
                     - nftables
                     type: string

api/v1alpha1/crds/caren.nutanix.com_nutanixclusterconfigs.yaml

@@ -680,15 +680,12 @@ spec:
                   description: KubeProxy defines the configuration for kube-proxy.
                   properties:
                     mode:
-                      default: iptables
                       description: |-
                         Mode specifies the mode for kube-proxy:
 
-                        - Disabled means that kube-proxy is not installed.
                         - iptables means that kube-proxy is installed in iptables mode.
                         - nftables means that kube-proxy is installed in nftables mode.
                       enum:
-                        - Disabled
                         - iptables
                         - nftables
                       type: string

docs/content/customization/generic/kube-proxy-mode.md

@@ -2,9 +2,8 @@
 title = "kube-proxy mode"
 +++
 
-This customization allows configuration of the `kube-proxy` proxy mode. Currently, only `iptables`, `nftables` or
-`Disabled` modes are supported. `Disabled` is useful when deploying a CNI implementation that can replace `kube-proxy`
-to avoid potential conflicts. By default, `kube-proxy` is enabled in `iptables` mode.
+This customization allows configuration of the `kube-proxy` proxy mode. Currently, only `iptables` and `nftables`
+modes are supported. By default, `kube-proxy` is enabled in `iptables` mode by `kubeadm`.
 
 ## Examples
 
@@ -52,7 +51,7 @@ is executed:
 
 ### Skipping kube-proxy installation
 
-To disable the deployment of `kube-proxy`, specify the following configuration:
+To disable the deployment and upgrade of `kube-proxy`, specify the following configuration:
 
 ```yaml
 apiVersion: cluster.x-k8s.io/v1beta1
@@ -61,11 +60,10 @@ metadata:
   name: <NAME>
 spec:
   topology:
-    variables:
-      - name: clusterConfig
-        value:
-          kubeProxy:
-            mode: Disabled
+    controlPlane:
+      metadata:
+        annotations:
+          controlplane.cluster.x-k8s.io/skip-kube-proxy: ""
 ```
 
 Applying this configuration will result in the following configuration being applied:
@@ -81,17 +79,3 @@ Applying this configuration will result in the following configuration being app
               skipPhases:
                 - addon/kube-proxy
     ```
-
-**IMPORTANT**: If you are disabling kube-proxy in this way to manage kube-proxy yourself, then you will also need
-to add the following control plane annotation to your `Cluster` definition:
-
-```yaml
-spec:
-  topology:
-    controlPlane:
-      metadata:
-        annotations:
-          controlplane.cluster.x-k8s.io/skip-kube-proxy: ""
-```
-
-Without this, CAPI will attempt to upgrade kube-proxy when the cluster is upgraded.

pkg/handlers/generic/mutation/kubeproxymode/inject.go

@@ -9,6 +9,7 @@ import (
 
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	bootstrapv1 "sigs.k8s.io/cluster-api/bootstrap/kubeadm/api/v1beta1"
 	controlplanev1 "sigs.k8s.io/cluster-api/controlplane/kubeadm/api/v1beta1"
 	runtimehooksv1 "sigs.k8s.io/cluster-api/exp/runtime/hooks/api/v1alpha1"
@@ -76,17 +77,23 @@ func (h *kubeProxyMode) Mutate(
 		"holderRef", holderRef,
 	)
 
+	cluster, err := clusterGetter(ctx)
+	if err != nil {
+		log.Error(err, "failed to get cluster for kube proxy mode mutation")
+		return fmt.Errorf("failed to get cluster for kube proxy mode mutation: %w", err)
+	}
+
+	isSkipProxy := false
+	if cluster.Spec.Topology != nil {
+		_, isSkipProxy = cluster.Spec.Topology.ControlPlane.Metadata.Annotations[controlplanev1.SkipKubeProxyAnnotation]
+	}
+
 	kubeProxyMode, err := variables.Get[v1alpha1.KubeProxyMode](
 		vars,
 		h.variableName,
 		h.variableFieldPath...,
 	)
-	if err != nil {
-		if variables.IsNotFoundError(err) {
-			log.V(5).Info("kubeProxy mode variable not defined")
-			return nil
-		}
-
+	if err != nil && !variables.IsNotFoundError(err) {
 		return err
 	}
 
@@ -99,8 +106,8 @@ func (h *kubeProxyMode) Mutate(
 		kubeProxyMode,
 	)
 
-	if kubeProxyMode == "" {
-		log.V(5).Info("kube proxy mode is not set, skipping mutation")
+	if kubeProxyMode == "" && !isSkipProxy {
+		log.V(5).Info("kube proxy mode is not set or skipped, skipping mutation")
 		return nil
 	}
 
@@ -116,9 +123,11 @@ func (h *kubeProxyMode) Mutate(
 				"patchedObjectName", client.ObjectKeyFromObject(obj),
 			).Info("adding kube proxy mode to control plane kubeadm config spec")
 
-			switch kubeProxyMode {
-			case v1alpha1.KubeProxyModeDisabled:
-				log.Info("kube proxy mode is set to disabled, skipping kube-proxy addon")
+			if isSkipProxy {
+				log.Info(
+					"cluster controlplane contains controlplane.cluster.x-k8s.io/skip-kube-proxy annotation, " +
+						"skipping kube-proxy addon",
+				)
 				if obj.Spec.Template.Spec.KubeadmConfigSpec.InitConfiguration == nil {
 					obj.Spec.Template.Spec.KubeadmConfigSpec.InitConfiguration = &bootstrapv1.InitConfiguration{}
 				}
@@ -127,15 +136,13 @@ func (h *kubeProxyMode) Mutate(
 					initConfiguration.SkipPhases,
 					"addon/kube-proxy",
 				)
+
+				return nil
+			}
+
+			switch kubeProxyMode {
 			case v1alpha1.KubeProxyModeIPTables, v1alpha1.KubeProxyModeNFTables:
-				kubeProxyConfigProviderTemplate, err := templateForClusterProvider(ctx, clusterGetter)
-				if err != nil {
-					log.Error(
-						err,
-						"failed to get kube proxy config template for cluster provider",
-					)
-					return fmt.Errorf("failed to get cluster for kube proxy mode mutation: %w", err)
-				}
+				kubeProxyConfigProviderTemplate := templateForClusterProvider(cluster)
 
 				kubeProxyConfig := bootstrapv1.File{
 					Path:        "/etc/kubernetes/kubeproxy-config.yaml",
@@ -162,16 +169,11 @@ func (h *kubeProxyMode) Mutate(
 }
 
 // templateForClusterProvider returns the kube-proxy config template based on the cluster provider.
-func templateForClusterProvider(ctx context.Context, clusterGetter mutation.ClusterGetter) (string, error) {
-	cluster, err := clusterGetter(ctx)
-	if err != nil {
-		return "", err
-	}
-
+func templateForClusterProvider(cluster *clusterv1.Cluster) string {
 	switch utils.GetProvider(cluster) {
 	case "docker":
-		return kubeProxyConfigYAMLTemplateForDockerProvider, nil
+		return kubeProxyConfigYAMLTemplateForDockerProvider
 	default:
-		return kubeProxyConfigYAMLTemplate, nil
+		return kubeProxyConfigYAMLTemplate
 	}
 }

pkg/handlers/generic/mutation/kubeproxymode/inject_test.go

@@ -14,6 +14,7 @@ import (
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
+	controlplanev1 "sigs.k8s.io/cluster-api/controlplane/kubeadm/api/v1beta1"
 	runtimehooksv1 "sigs.k8s.io/cluster-api/exp/runtime/hooks/api/v1alpha1"
 
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/api/v1alpha1"
@@ -49,13 +50,7 @@ var _ = Describe("Generate kube proxy mode patches", func() {
 			Vars: []runtimehooksv1.Variable{
 				capitest.VariableWithValue(
 					v1alpha1.ClusterConfigVariableName,
-					v1alpha1.AWSClusterConfigSpec{
-						GenericClusterConfigSpec: v1alpha1.GenericClusterConfigSpec{
-							KubeProxy: &v1alpha1.KubeProxy{
-								Mode: v1alpha1.KubeProxyModeDisabled,
-							},
-						},
-					},
+					v1alpha1.AWSClusterConfigSpec{},
 				),
 			},
 			RequestItem: request.NewKubeadmControlPlaneTemplateRequestItem(""),
@@ -65,19 +60,35 @@ var _ = Describe("Generate kube proxy mode patches", func() {
 				ValueMatcher: gomega.ConsistOf("addon/kube-proxy"),
 			}},
 		},
+		cluster: &clusterv1.Cluster{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "test-cluster",
+				Namespace: request.Namespace,
+				Labels: map[string]string{
+					clusterv1.ProviderNameLabel: "aws",
+				},
+			},
+			Spec: clusterv1.ClusterSpec{
+				Topology: &clusterv1.Topology{
+					Version: "dummy-version",
+					Class:   "dummy-class",
+					ControlPlane: clusterv1.ControlPlaneTopology{
+						Metadata: clusterv1.ObjectMeta{
+							Annotations: map[string]string{
+								controlplanev1.SkipKubeProxyAnnotation: "",
+							},
+						},
+					},
+				},
+			},
+		},
 	}, {
 		patchTest: capitest.PatchTestDef{
 			Name: "disable kube proxy with Docker",
 			Vars: []runtimehooksv1.Variable{
 				capitest.VariableWithValue(
 					v1alpha1.ClusterConfigVariableName,
-					v1alpha1.DockerClusterConfigSpec{
-						GenericClusterConfigSpec: v1alpha1.GenericClusterConfigSpec{
-							KubeProxy: &v1alpha1.KubeProxy{
-								Mode: v1alpha1.KubeProxyModeDisabled,
-							},
-						},
-					},
+					v1alpha1.DockerClusterConfigSpec{},
 				),
 			},
 			RequestItem: request.NewKubeadmControlPlaneTemplateRequestItem(""),
@@ -87,19 +98,35 @@ var _ = Describe("Generate kube proxy mode patches", func() {
 				ValueMatcher: gomega.ConsistOf("addon/kube-proxy"),
 			}},
 		},
+		cluster: &clusterv1.Cluster{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "test-cluster",
+				Namespace: request.Namespace,
+				Labels: map[string]string{
+					clusterv1.ProviderNameLabel: "docker",
+				},
+			},
+			Spec: clusterv1.ClusterSpec{
+				Topology: &clusterv1.Topology{
+					Version: "dummy-version",
+					Class:   "dummy-class",
+					ControlPlane: clusterv1.ControlPlaneTopology{
+						Metadata: clusterv1.ObjectMeta{
+							Annotations: map[string]string{
+								controlplanev1.SkipKubeProxyAnnotation: "",
+							},
+						},
+					},
+				},
+			},
+		},
 	}, {
 		patchTest: capitest.PatchTestDef{
 			Name: "disable kube proxy with Nutanix",
 			Vars: []runtimehooksv1.Variable{
 				capitest.VariableWithValue(
 					v1alpha1.ClusterConfigVariableName,
-					v1alpha1.NutanixClusterConfigSpec{
-						GenericClusterConfigSpec: v1alpha1.GenericClusterConfigSpec{
-							KubeProxy: &v1alpha1.KubeProxy{
-								Mode: v1alpha1.KubeProxyModeDisabled,
-							},
-						},
-					},
+					v1alpha1.NutanixClusterConfigSpec{},
 				),
 			},
 			RequestItem: request.NewKubeadmControlPlaneTemplateRequestItem(""),
@@ -117,6 +144,19 @@ var _ = Describe("Generate kube proxy mode patches", func() {
 					clusterv1.ProviderNameLabel: "nutanix",
 				},
 			},
+			Spec: clusterv1.ClusterSpec{
+				Topology: &clusterv1.Topology{
+					Version: "dummy-version",
+					Class:   "dummy-class",
+					ControlPlane: clusterv1.ControlPlaneTopology{
+						Metadata: clusterv1.ObjectMeta{
+							Annotations: map[string]string{
+								controlplanev1.SkipKubeProxyAnnotation: "",
+							},
+						},
+					},
+				},
+			},
 		},
 	}, {
 		patchTest: capitest.PatchTestDef{