Further refactoring

Author: patrickdillon

…pt/openshift/egress-selector-config.yaml …ift/egress-selector-config.yaml.templatedata/data/bootstrap/files/opt/openshift/egress-selector-config.yaml renamed to data/data/bootstrap/files/opt/openshift/egress-selector-config.yaml.template data/data/bootstrap/files/opt/openshift/egress-selector-config.yaml renamed to data/data/bootstrap/files/opt/openshift/egress-selector-config.yaml.template

@@ -1,3 +1,4 @@
+{{- if .KonnectivityEnabled }}
 apiVersion: apiserver.k8s.io/v1beta1
 kind: EgressSelectorConfiguration
 egressSelections:
@@ -13,3 +14,4 @@ egressSelections:
 - name: "etcd"
   connection:
     proxyProtocol: "Direct"
+{{- end }}

…nshift/konnectivity-config-override.yaml …nnectivity-config-override.yaml.templatedata/data/bootstrap/files/opt/openshift/konnectivity-config-override.yaml renamed to data/data/bootstrap/files/opt/openshift/konnectivity-config-override.yaml.template data/data/bootstrap/files/opt/openshift/konnectivity-config-override.yaml renamed to data/data/bootstrap/files/opt/openshift/konnectivity-config-override.yaml.template

@@ -1,5 +1,7 @@
+{{- if .KonnectivityEnabled }}
 apiVersion: kubecontrolplane.config.openshift.io/v1
 kind: KubeAPIServerConfig
 apiServerArguments:
   egress-selector-config-file:
   - "/etc/kubernetes/config/egress-selector-config.yaml"
+{{- end }}

data/data/bootstrap/files/usr/local/bin/bootkube.sh.template

@@ -10,6 +10,8 @@ set -euoE pipefail ## -E option will cause functions to inherit trap
 . /usr/local/bin/bootstrap-cluster-gather.sh
 # shellcheck source=bootstrap-verify-api-server-urls.sh
 . /usr/local/bin/bootstrap-verify-api-server-urls.sh
+# shellcheck source=konnectivity.sh.template
+. /usr/local/bin/konnectivity.sh
 
 mkdir --parents /etc/kubernetes/{manifests,bootstrap-configs,bootstrap-manifests}
 
@@ -19,6 +21,12 @@ BOOTSTRAP_INPLACE=true
 BOOTSTRAP_INPLACE=false
 {{ end -}}
 
+{{- if .KonnectivityEnabled }}
+KONNECTIVITY_ENABLED=true
+{{- else }}
+KONNECTIVITY_ENABLED=false
+{{- end }}
+
 ETCD_ENDPOINTS=
 
 bootkube_podman_run() {
@@ -66,7 +74,6 @@ OPENSHIFT_HYPERKUBE_IMAGE=$(image_for hyperkube)
 OPENSHIFT_CLUSTER_POLICY_IMAGE=$(image_for cluster-policy-controller)
 
 CLUSTER_BOOTSTRAP_IMAGE=$(image_for cluster-bootstrap)
-KONNECTIVITY_IMAGE=$(image_for apiserver-network-proxy)
 
 mkdir --parents ./{bootstrap-manifests,manifests}
 
@@ -246,36 +253,7 @@ then
     record_service_stage_success
 fi
 
-# Detect bootstrap node IP at runtime using the default route source address
-# This is needed for Konnectivity agents to connect back to the bootstrap server.
-{{- if .UseIPv6ForNodeIP }}
-BOOTSTRAP_NODE_IP=$(ip -6 -j route get 2001:4860:4860::8888 | jq -r '.[0].prefsrc')
-{{- else }}
-BOOTSTRAP_NODE_IP=$(ip -j route get 1.1.1.1 | jq -r '.[0].prefsrc')
-{{- end }}
-echo "Detected bootstrap node IP: ${BOOTSTRAP_NODE_IP}"
-
-# Generate Konnectivity certificates (self-signed CA, server cert, agent cert)
-if [ ! -f konnectivity-certs.done ]
-then
-    record_service_stage_start "konnectivity-certs"
-    /usr/local/bin/konnectivity-certs.sh "${BOOTSTRAP_NODE_IP}"
-    touch konnectivity-certs.done
-    record_service_stage_success
-fi
-
-# Create Konnectivity server static pod manifest.
-# This runs on the bootstrap node and provides a proxy for the bootstrap KAS
-# to reach webhooks in the cluster's pod network.
-if [ ! -f konnectivity-server-bootstrap.done ]
-then
-    record_service_stage_start "konnectivity-server-bootstrap"
-    echo "Creating Konnectivity server static pod manifest..."
-    export KONNECTIVITY_IMAGE
-    envsubst < /opt/openshift/konnectivity-server-pod.yaml > /etc/kubernetes/manifests/konnectivity-server-pod.yaml
-    touch konnectivity-server-bootstrap.done
-    record_service_stage_success
-fi
+konnectivity_setup
 
 if [ ! -f kube-apiserver-bootstrap.done ]
 then
@@ -305,8 +283,9 @@ then
 		--config-override-files=/assets/konnectivity-config-override.yaml
 
 	cp kube-apiserver-bootstrap/config /etc/kubernetes/bootstrap-configs/kube-apiserver-config.yaml
-	# Copy egress selector config to bootstrap-configs where KAS can read it
-	cp /opt/openshift/egress-selector-config.yaml /etc/kubernetes/bootstrap-configs/egress-selector-config.yaml
+	if [ "${KONNECTIVITY_ENABLED}" = "true" ]; then
+		cp /opt/openshift/egress-selector-config.yaml /etc/kubernetes/bootstrap-configs/egress-selector-config.yaml
+	fi
 	cp kube-apiserver-bootstrap/bootstrap-manifests/* bootstrap-manifests/
 	cp kube-apiserver-bootstrap/manifests/* manifests/
 
@@ -601,31 +580,7 @@ then
     record_service_stage_success
 fi
 
-# Create Konnectivity agent manifests for cluster deployment.
-# The namespace, secret, and daemonset templates live as separate files
-# under /opt/openshift/ and are populated with runtime values here.
-if [ ! -f konnectivity-agent-manifest.done ]
-then
-    record_service_stage_start "konnectivity-agent-manifest"
-    echo "Creating Konnectivity agent manifests..."
-
-    KONNECTIVITY_CERT_DIR=/opt/openshift/tls/konnectivity
-
-    # Namespace
-    cp /opt/openshift/konnectivity-namespace.yaml manifests/konnectivity-namespace.yaml
-
-    # Agent certs secret (export base64-encoded cert data for envsubst)
-    export KONNECTIVITY_AGENT_CERT_BASE64=$(base64 -w0 "${KONNECTIVITY_CERT_DIR}/agent.crt")
-    export KONNECTIVITY_AGENT_KEY_BASE64=$(base64 -w0 "${KONNECTIVITY_CERT_DIR}/agent.key")
-    export KONNECTIVITY_CA_CERT_BASE64=$(base64 -w0 "${KONNECTIVITY_CERT_DIR}/ca.crt")
-    envsubst < /opt/openshift/konnectivity-agent-certs-secret.yaml > manifests/konnectivity-agent-certs.yaml
-
-    export BOOTSTRAP_NODE_IP
-    envsubst < /opt/openshift/konnectivity-agent-daemonset.yaml > manifests/konnectivity-agent-daemonset.yaml
-
-    touch konnectivity-agent-manifest.done
-    record_service_stage_success
-fi
+konnectivity_manifests
 
 REQUIRED_PODS="openshift-kube-apiserver/kube-apiserver,openshift-kube-scheduler/openshift-kube-scheduler,openshift-kube-controller-manager/kube-controller-manager,openshift-cluster-version/cluster-version-operator"
 if [ "$BOOTSTRAP_INPLACE" = true ]
@@ -712,18 +667,7 @@ if [ ! -f api-int-dns-check.done ]; then
   fi
 fi
 
-# Clean up bootstrap konnectivity resources by deleting the namespace.
-# This cascades to all resources (DaemonSet, Secret) within it.
-if [ ! -f konnectivity-cleanup.done ]; then
-    record_service_stage_start "konnectivity-cleanup"
-    echo "Cleaning up bootstrap konnectivity resources..."
-    oc delete namespace openshift-bootstrap-konnectivity \
-        --kubeconfig=/opt/openshift/auth/kubeconfig \
-        --ignore-not-found=true || true
-    rm -f /etc/kubernetes/manifests/konnectivity-server-pod.yaml
-    touch konnectivity-cleanup.done
-    record_service_stage_success
-fi
+konnectivity_cleanup
 
 # Workaround for https://github.com/opencontainers/runc/pull/1807
 touch /opt/openshift/.bootkube.done

data/data/bootstrap/files/usr/local/bin/konnectivity.sh.template

@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+# Konnectivity bootstrap functions.
+# Sourced by bootkube.sh — do not execute directly.
+
+# konnectivity_setup detects the bootstrap node IP, generates certificates,
+# and creates the konnectivity server static pod manifest.
+konnectivity_setup() {
+    if [ "${KONNECTIVITY_ENABLED}" != "true" ]; then
+        return 0
+    fi
+
+    # Detect bootstrap node IP at runtime using the default route source address.
+    # Konnectivity agents use this to connect back to the bootstrap server.
+{{- if .UseIPv6ForNodeIP }}
+    BOOTSTRAP_NODE_IP=$(ip -6 -j route get 2001:4860:4860::8888 | jq -r '.[0].prefsrc')
+{{- else }}
+    BOOTSTRAP_NODE_IP=$(ip -j route get 1.1.1.1 | jq -r '.[0].prefsrc')
+{{- end }}
+    echo "Detected bootstrap node IP: ${BOOTSTRAP_NODE_IP}"
+
+    if [ ! -f konnectivity-certs.done ]; then
+        record_service_stage_start "konnectivity-certs"
+        /usr/local/bin/konnectivity-certs.sh "${BOOTSTRAP_NODE_IP}"
+        touch konnectivity-certs.done
+        record_service_stage_success
+    fi
+
+    if [ ! -f konnectivity-server-bootstrap.done ]; then
+        record_service_stage_start "konnectivity-server-bootstrap"
+        echo "Creating Konnectivity server static pod manifest..."
+        export KONNECTIVITY_IMAGE=$(image_for apiserver-network-proxy)
+        envsubst < /opt/openshift/konnectivity-server-pod.yaml > /etc/kubernetes/manifests/konnectivity-server-pod.yaml
+        touch konnectivity-server-bootstrap.done
+        record_service_stage_success
+    fi
+}
+
+# konnectivity_manifests creates the agent namespace, secret, and daemonset
+# manifests for cluster deployment.
+konnectivity_manifests() {
+    if [ "${KONNECTIVITY_ENABLED}" != "true" ]; then
+        return 0
+    fi
+
+    if [ ! -f konnectivity-agent-manifest.done ]; then
+        record_service_stage_start "konnectivity-agent-manifest"
+        echo "Creating Konnectivity agent manifests..."
+
+        KONNECTIVITY_CERT_DIR=/opt/openshift/tls/konnectivity
+
+        cp /opt/openshift/konnectivity-namespace.yaml manifests/konnectivity-namespace.yaml
+
+        export KONNECTIVITY_AGENT_CERT_BASE64=$(base64 -w0 "${KONNECTIVITY_CERT_DIR}/agent.crt")
+        export KONNECTIVITY_AGENT_KEY_BASE64=$(base64 -w0 "${KONNECTIVITY_CERT_DIR}/agent.key")
+        export KONNECTIVITY_CA_CERT_BASE64=$(base64 -w0 "${KONNECTIVITY_CERT_DIR}/ca.crt")
+        envsubst < /opt/openshift/konnectivity-agent-certs-secret.yaml > manifests/konnectivity-agent-certs.yaml
+
+        export BOOTSTRAP_NODE_IP
+        envsubst < /opt/openshift/konnectivity-agent-daemonset.yaml > manifests/konnectivity-agent-daemonset.yaml
+
+        touch konnectivity-agent-manifest.done
+        record_service_stage_success
+    fi
+}
+
+# konnectivity_cleanup removes bootstrap konnectivity resources by deleting
+# the namespace (cascading to DaemonSet and Secret) and the server static pod.
+konnectivity_cleanup() {
+    if [ "${KONNECTIVITY_ENABLED}" != "true" ]; then
+        return 0
+    fi
+
+    if [ ! -f konnectivity-cleanup.done ]; then
+        record_service_stage_start "konnectivity-cleanup"
+        echo "Cleaning up bootstrap konnectivity resources..."
+        oc delete namespace openshift-bootstrap-konnectivity \
+            --kubeconfig=/opt/openshift/auth/kubeconfig \
+            --ignore-not-found=true || true
+        rm -f /etc/kubernetes/manifests/konnectivity-server-pod.yaml
+        touch konnectivity-cleanup.done
+        record_service_stage_success
+    fi
+}

pkg/asset/ignition/bootstrap/common.go

@@ -25,6 +25,7 @@ import (
 	"k8s.io/utils/ptr"
 
 	configv1 "github.com/openshift/api/config/v1"
+	"github.com/openshift/api/features"
 	"github.com/openshift/installer/data"
 	"github.com/openshift/installer/pkg/asset"
 	"github.com/openshift/installer/pkg/asset/ignition"
@@ -97,6 +98,7 @@ type bootstrapTemplateData struct {
 	FeatureSet            configv1.FeatureSet
 	Invoker               string
 	ClusterDomain         string
+	KonnectivityEnabled   bool
 }
 
 // platformTemplateData is the data to use to replace values in bootstrap
@@ -401,6 +403,7 @@ func (a *Common) getTemplateData(dependencies asset.Parents, bootstrapInPlace bo
 		FeatureSet:            installConfig.Config.FeatureSet,
 		Invoker:               openshiftInstallInvoker,
 		ClusterDomain:         installConfig.Config.ClusterDomain(),
+		KonnectivityEnabled:   !bootstrapInPlace && installConfig.Config.EnabledFeatureGates().Enabled(features.FeatureGateMachineAPIMigrationAWS),
 	}
 }
 

pkg/gather/service/analyze.go

@@ -114,18 +114,20 @@ func checkReleaseImageDownload(a analysis) bool {
 	return false
 }
 
-// bootstrap-verify-api-servel-urls.sh is currently running as part of the bootkube service.
-// And the verification of the API and API-Int URLs are the only stage where a failure is
-// currently reported. So, here we are able to conclude that a failure corresponds to a
-// failure to resolve either the API URL or API-Int URL or both. If that changes and if
-// any other stage in the bootkube service starts reporting a failure, we need to revisit
-// this. At that point verification of the URLs could be moved to its own service.
 func checkBootkubeService(a analysis) bool {
 	if a.successful {
 		return true
 	}
-	// Note: Even when there is a stage failure, we are not returning false here. That is
-	// intentional because we donot want to report this as an error in the "analyze" output.
+	switch a.failingStage {
+	case "konnectivity-certs":
+		logrus.Error("The bootstrap machine failed to generate konnectivity certificates")
+	case "konnectivity-server-bootstrap":
+		logrus.Error("The bootstrap machine failed to start the konnectivity server")
+	case "konnectivity-agent-manifest":
+		logrus.Error("The bootstrap machine failed to create konnectivity agent manifests")
+	case "konnectivity-cleanup":
+		logrus.Error("The bootstrap machine failed to clean up konnectivity resources")
+	}
 	a.logLastError()
 	return true
 }