Fix kube-addon-manager overwriting resources with EnsureExists

The addon manager readme states

> - Addons with label `addonmanager.kubernetes.io/mode=EnsureExists` will be checked for
> existence only. Users can edit these addons as they want.

However, the start_addon function was using `kubectl apply` to create
resources regardless of mode. This change switches between `kubectl
create` and `kubectl apply` depending on mode.

Additionally implemented tests for create_resource fn

 - Refactor functions and main executable
 - Quick tests in bash
 - Tests for Reconcile, EnsureExists behavior
 - Check for completeness with multi resource configs

Author: spencer-p

cluster/addons/addon-manager/CHANGELOG.md

@@ -1,7 +1,10 @@
-## Version 9.1.1 (Wed May 19 2020 Antoni Zawodny <[email protected]>)
+### Version 9.1.2 (Thu August 6 2020 Spencer Peterson <[email protected]>)
+ - Fix `start_addon` overwriting resources with `addonmanager.kubernetes.io/mode=EnsureExists`.
+
+### Version 9.1.1 (Wed May 19 2020 Antoni Zawodny <[email protected]>)
  - Fix kube-addons.sh and kubectl permissions
 
-## Version 9.1.0 (Wed May 13 2020 Antoni Zawodny <[email protected]>)
+### Version 9.1.0 (Wed May 13 2020 Antoni Zawodny <[email protected]>)
  - Enable overriding the default list of whitelisted resources
 
 ### Version 9.0.2  (Thu August 1 2019 Maciej Borsz <[email protected]>

cluster/addons/addon-manager/Dockerfile

@@ -17,6 +17,7 @@ FROM BASEIMAGE
 RUN clean-install bash
 
 ADD kube-addons.sh /opt/
+ADD kube-addons-main.sh /opt/
 ADD kubectl /usr/local/bin/
 
-CMD ["/opt/kube-addons.sh"]
+CMD ["/opt/kube-addons-main.sh"]

cluster/addons/addon-manager/Makefile

@@ -15,7 +15,7 @@
 IMAGE=staging-k8s.gcr.io/kube-addon-manager
 ARCH?=amd64
 TEMP_DIR:=$(shell mktemp -d)
-VERSION=v9.1.1
+VERSION=v9.1.2
 KUBECTL_VERSION?=v1.13.2
 
 BASEIMAGE=k8s.gcr.io/debian-base-$(ARCH):v1.0.0
@@ -29,7 +29,7 @@ all: build
 build:
 	cp ./* $(TEMP_DIR)
 	curl -sSL --retry 5 https://dl.k8s.io/release/$(KUBECTL_VERSION)/bin/linux/$(ARCH)/kubectl > $(TEMP_DIR)/kubectl
-	chmod a+rx $(TEMP_DIR)/kube-addons.sh $(TEMP_DIR)/kubectl
+	chmod a+rx $(TEMP_DIR)/kube-addons.sh $(TEMP_DIR)/kube-addons-main.sh $(TEMP_DIR)/kubectl
 	cd $(TEMP_DIR) && sed -i.back "s|BASEIMAGE|$(BASEIMAGE)|g" Dockerfile
 
 ifneq ($(ARCH),amd64)
@@ -48,5 +48,11 @@ ifeq ($(ARCH),amd64)
 	docker push $(IMAGE):$(VERSION)
 endif
 
+test:
+	cp ./* $(TEMP_DIR)
+	curl -sSL --retry 5 https://dl.k8s.io/release/$(KUBECTL_VERSION)/bin/linux/$(ARCH)/kubectl > $(TEMP_DIR)/kubectl
+	chmod a+rx $(TEMP_DIR)/kube-addons.sh $(TEMP_DIR)/kube-addons-test.sh $(TEMP_DIR)/kubectl
+	cd $(TEMP_DIR) && KUBECTL_BIN=$(TEMP_DIR)/kubectl ./kube-addons-test.sh
+
 clean:
 	docker rmi -f $(IMAGE)-$(ARCH):$(VERSION)

cluster/addons/addon-manager/kube-addons-main.sh

@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+
+# Copyright 2020 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Import required functions. The addon manager is installed to /opt in
+# production use (see the Dockerfile)
+# Disabling shellcheck following files as the full path would be required.
+if [ -f "kube-addons.sh" ]; then
+  # shellcheck disable=SC1091
+  source "kube-addons.sh"
+elif [ -f "/opt/kube-addons.sh" ]; then
+  # shellcheck disable=SC1091
+  source "/opt/kube-addons.sh"
+else
+  # If the required source is missing, we have to fail.
+  log ERR "== Could not find kube-addons.sh (not in working directory or /opt) at $(date -Is) =="
+  exit 1
+fi
+
+# The business logic for whether a given object should be created
+# was already enforced by salt, and /etc/kubernetes/addons is the
+# managed result of that. Start everything below that directory.
+log INFO "== Kubernetes addon manager started at $(date -Is) with ADDON_CHECK_INTERVAL_SEC=${ADDON_CHECK_INTERVAL_SEC} =="
+
+# Wait for the default service account to be created in the kube-system namespace.
+token_found=""
+while [ -z "${token_found}" ]; do
+  sleep .5
+  # shellcheck disable=SC2086
+  # Disabling because "${KUBECTL_OPTS}" needs to allow for expansion here
+  if ! token_found=$(${KUBECTL} ${KUBECTL_OPTS} get --namespace="${SYSTEM_NAMESPACE}" serviceaccount default -o go-template="{{with index .secrets 0}}{{.name}}{{end}}"); then
+    token_found="";
+    log WRN "== Error getting default service account, retry in 0.5 second =="
+  fi
+done
+
+log INFO "== Default service account in the ${SYSTEM_NAMESPACE} namespace has token ${token_found} =="
+
+# Create admission_control objects if defined before any other addon services. If the limits
+# are defined in a namespace other than default, we should still create the limits for the
+# default namespace.
+while IFS=$'\n' read -r obj; do
+  start_addon "${obj}" 100 10 default &
+  log INFO "++ obj ${obj} is created ++"
+done < <(find /etc/kubernetes/admission-controls \( -name \*.yaml -o -name \*.json \))
+
+# Start the apply loop.
+# Check if the configuration has changed recently - in case the user
+# created/updated/deleted the files on the master.
+log INFO "== Entering periodical apply loop at $(date -Is) =="
+while true; do
+  start_sec=$(date +"%s")
+  if is_leader; then
+    ensure_addons
+    reconcile_addons
+  else
+    log INFO "Not elected leader, going back to sleep."
+  fi
+  end_sec=$(date +"%s")
+  len_sec=$((end_sec-start_sec))
+  # subtract the time passed from the sleep time
+  if [[ ${len_sec} -lt ${ADDON_CHECK_INTERVAL_SEC} ]]; then
+    sleep_time=$((ADDON_CHECK_INTERVAL_SEC-len_sec))
+    sleep ${sleep_time}
+  fi
+done