Bump certificates.k8s.io to v1 (#25)

* Bump to certificates.k8s.io/v1
* Add get permission for coordination.k8s.io/leases
* Change scheme registration
* Add discovery API to support multiple group versions
* Change duplicate package imports
* Bump min Go version 1.16
* Remove Makefile dependency on test on docker-build
* Enable kubelet CSR controller in E2E test

#23

Signed-off-by: JenTing Hsiao <[email protected]>

.github/workflows/ci.yml

@@ -11,9 +11,6 @@ jobs:
     strategy:
       matrix:
         go:
-          - '1.13'
-          - '1.14'
-          - '1.15'
           - '1.16'
           - '1.17'
     runs-on: ubuntu-latest

Makefile

@@ -49,7 +49,7 @@ vet:
 	go vet ./...
 
 # Build the docker image
-docker-build: test
+docker-build:
 	docker build --build-arg VERSION=${VERSION} -t ${IMG} .
 
 # Push the docker image

README.md

@@ -22,7 +22,7 @@ By default, kucero enables kubelet client `rotateCertificates: true` and server
 
 ## Build Requirements
 
-- Golang >= 1.13
+- Golang >= 1.16
 - Docker
 - Kustomize
 

cmd/kucero/lock.go

@@ -17,6 +17,8 @@ limitations under the License.
 package main
 
 import (
+	"time"
+
 	"github.com/sirupsen/logrus"
 	"github.com/weaveworks/kured/pkg/daemonsetlock"
 )
@@ -33,7 +35,7 @@ func holding(lock *daemonsetlock.DaemonSetLock, metadata interface{}) bool {
 }
 
 func acquire(lock *daemonsetlock.DaemonSetLock, metadata interface{}) bool {
-	holding, holder, err := lock.Acquire(metadata)
+	holding, holder, err := lock.Acquire(metadata, time.Minute)
 	switch {
 	case err != nil:
 		logrus.Errorf("Error acquiring lock: %v", err)

cmd/kucero/main.go

@@ -17,18 +17,19 @@ limitations under the License.
 package main
 
 import (
+	"context"
 	"math/rand"
 	"os"
 	"os/signal"
 	"syscall"
 	"time"
 
-	capi "k8s.io/api/certificates/v1beta1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/client-go/kubernetes"
-	k8sclient "k8s.io/client-go/kubernetes"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/client-go/tools/clientcmd"
 	ctrl "sigs.k8s.io/controller-runtime"
 
@@ -40,6 +41,7 @@ import (
 	"github.com/jenting/kucero/pkg/host"
 	"github.com/jenting/kucero/pkg/pki/node"
 	"github.com/jenting/kucero/pkg/pki/signer"
+	//+kubebuilder:scaffold:imports
 )
 
 var (
@@ -60,9 +62,8 @@ var (
 )
 
 func init() {
-	_ = capi.AddToScheme(scheme)
-	_ = corev1.AddToScheme(scheme)
-	// +kubebuilder:scaffold:scheme
+	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
+	//+kubebuilder:scaffold:scheme
 }
 
 func main() {
@@ -139,7 +140,7 @@ func root(cmd *cobra.Command, args []string) {
 		logrus.Fatal(err)
 	}
 
-	corev1Node, err := client.CoreV1().Nodes().Get(nodeName, metav1.GetOptions{})
+	corev1Node, err := client.CoreV1().Nodes().Get(context.TODO(), nodeName, metav1.GetOptions{})
 	if err != nil {
 		logrus.Fatal(err)
 	}
@@ -202,14 +203,14 @@ func rotateCertificateWhenNeeded(corev1Node *corev1.Node, isControlPlaneNode boo
 
 			if err := (&controllers.CertificateSigningRequestSigningReconciler{
 				Client:        mgr.GetClient(),
-				ClientSet:     k8sclient.NewForConfigOrDie(mgr.GetConfig()),
+				ClientSet:     kubernetes.NewForConfigOrDie(mgr.GetConfig()),
 				Scheme:        mgr.GetScheme(),
 				Signer:        signer,
 				EventRecorder: mgr.GetEventRecorderFor("CSRSigningReconciler"),
 			}).SetupWithManager(mgr); err != nil {
 				logrus.Fatal(err)
 			}
-			// +kubebuilder:scaffold:builder
+			//+kubebuilder:scaffold:builder
 
 			logrus.Info("Starting manager")
 			if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {

controllers/certificatesigningrequest_controller.go

@@ -22,24 +22,27 @@ import (
 	"fmt"
 
 	authorization "k8s.io/api/authorization/v1beta1"
-	capi "k8s.io/api/certificates/v1beta1"
-	v1 "k8s.io/api/core/v1"
+	capi "k8s.io/api/certificates/v1"
+	capiv1beta1 "k8s.io/api/certificates/v1beta1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	k8sclient "k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/record"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/sirupsen/logrus"
+	velerodiscovery "github.com/vmware-tanzu/velero/pkg/discovery"
 
 	"github.com/jenting/kucero/pkg/pki/cert"
 	"github.com/jenting/kucero/pkg/pki/signer"
 )
 
 // CertificateSigningRequestSigningReconciler reconciles a CertificateSigningRequest object
 type CertificateSigningRequestSigningReconciler struct {
-	Client        ctrlclient.Client
+	Client        client.Client
 	ClientSet     k8sclient.Interface
 	Scheme        *runtime.Scheme
 	Signer        *signer.Signer
@@ -68,8 +71,7 @@ func recognizers() []csrRecognizer {
 // +kubebuilder:rbac:groups=certificates.k8s.io,resources=certificatesigningrequests/status,verbs=patch
 // +kubebuilder:rbac:groups=core,resources=events,verbs=create;patch
 
-func (r *CertificateSigningRequestSigningReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
-	ctx := context.Background()
+func (r *CertificateSigningRequestSigningReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	var csr capi.CertificateSigningRequest
 	if err := r.Client.Get(ctx, req.NamespacedName, &csr); client.IgnoreNotFound(err) != nil {
 		return ctrl.Result{}, fmt.Errorf("error %q getting CSR", err)
@@ -84,7 +86,7 @@ func (r *CertificateSigningRequestSigningReconciler) Reconcile(req ctrl.Request)
 		x509cr, err := cert.ParseCSR(csr.Spec.Request)
 		if err != nil {
 			logrus.Errorf("Unable to parse csr: %v", err)
-			r.EventRecorder.Event(&csr, v1.EventTypeWarning, "SigningFailed", "Unable to parse the CSR request")
+			r.EventRecorder.Event(&csr, corev1.EventTypeWarning, "SigningFailed", "Unable to parse the CSR request")
 			return ctrl.Result{}, nil
 		}
 
@@ -122,12 +124,12 @@ func (r *CertificateSigningRequestSigningReconciler) Reconcile(req ctrl.Request)
 
 				// approve the csr
 				appendApprovalCondition(&csr, recognizer.successMessage)
-				_, err = r.ClientSet.CertificatesV1beta1().CertificateSigningRequests().UpdateApproval(&csr)
+				_, err = r.ClientSet.CertificatesV1().CertificateSigningRequests().UpdateApproval(context.TODO(), csr.Name, &csr, metav1.UpdateOptions{})
 				if err != nil {
 					return ctrl.Result{}, fmt.Errorf("error updating approval for csr: %v", err)
 				}
 
-				r.EventRecorder.Event(&csr, v1.EventTypeNormal, "Signed", "The CSR has been signed")
+				r.EventRecorder.Event(&csr, corev1.EventTypeNormal, "Signed", "The CSR has been signed")
 			} else {
 				return ctrl.Result{}, fmt.Errorf("SubjectAccessReview failed")
 			}
@@ -152,7 +154,7 @@ func (r *CertificateSigningRequestSigningReconciler) authorize(csr *capi.Certifi
 			ResourceAttributes: &rattrs,
 		},
 	}
-	sar, err := r.ClientSet.AuthorizationV1beta1().SubjectAccessReviews().Create(sar)
+	sar, err := r.ClientSet.AuthorizationV1beta1().SubjectAccessReviews().Create(context.TODO(), sar, metav1.CreateOptions{})
 	if err != nil {
 		return false, err
 	}
@@ -168,7 +170,28 @@ func appendApprovalCondition(csr *capi.CertificateSigningRequest, message string
 }
 
 func (r *CertificateSigningRequestSigningReconciler) SetupWithManager(mgr ctrl.Manager) error {
-	return ctrl.NewControllerManagedBy(mgr).
-		For(&capi.CertificateSigningRequest{}).
-		Complete(r)
+	discoveryHelper, err := velerodiscovery.NewHelper(r.ClientSet.Discovery(), &logrus.Logger{})
+	if err != nil {
+		return err
+	}
+	gvr, _, err := discoveryHelper.ResourceFor(schema.GroupVersionResource{
+		Group:    "certificates.k8s.io",
+		Resource: "CertificateSigningRequest",
+	})
+	if err != nil {
+		return err
+	}
+
+	switch gvr.Version {
+	case "v1beta1":
+		return ctrl.NewControllerManagedBy(mgr).
+			For(&capiv1beta1.CertificateSigningRequest{}).
+			Complete(r)
+	case "v1":
+		return ctrl.NewControllerManagedBy(mgr).
+			For(&capi.CertificateSigningRequest{}).
+			Complete(r)
+	default:
+		return fmt.Errorf("unsupported certificates.k8s.io/%s", gvr.Version)
+	}
 }

controllers/helper.go

@@ -21,7 +21,7 @@ import (
 	"reflect"
 	"strings"
 
-	capi "k8s.io/api/certificates/v1beta1"
+	capi "k8s.io/api/certificates/v1"
 
 	"github.com/sirupsen/logrus"
 )

controllers/helper_test.go

@@ -22,7 +22,7 @@ import (
 	"net"
 	"testing"
 
-	capi "k8s.io/api/certificates/v1beta1"
+	capi "k8s.io/api/certificates/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 

go.mod

@@ -1,24 +1,17 @@
 module github.com/jenting/kucero
 
-go 1.13
+go 1.16
 
 require (
-	github.com/gogo/protobuf v1.3.1 // indirect
-	github.com/google/gofuzz v1.1.0 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
-	github.com/prometheus/client_model v0.2.0 // indirect
-	github.com/sirupsen/logrus v1.6.0
-	github.com/spf13/cobra v1.0.0
-	github.com/weaveworks/kured v0.0.0-20200430160730-f2a0f8e20dbe
-	golang.org/x/net v0.0.0-20200202094626-16171245cfb2 // indirect
-	golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7 // indirect
-	k8s.io/api v0.17.4
-	k8s.io/apimachinery v0.17.4
-	k8s.io/apiserver v0.17.4
-	k8s.io/client-go v0.17.4
-	k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6 // indirect
-	k8s.io/kubectl v0.17.4
-	k8s.io/utils v0.0.0-20200414100711-2df71ebbae66 // indirect
-	sigs.k8s.io/controller-runtime v0.5.0
-	sigs.k8s.io/yaml v1.2.0
+	github.com/sirupsen/logrus v1.8.1
+	github.com/spf13/cobra v1.2.1
+	github.com/vmware-tanzu/velero v1.7.0
+	github.com/weaveworks/kured v0.0.0-20211008084731-7c33ad8b6e60
+	k8s.io/api v0.22.2
+	k8s.io/apimachinery v0.22.2
+	k8s.io/apiserver v0.22.2
+	k8s.io/client-go v0.22.2
+	k8s.io/kubectl v0.22.2
+	sigs.k8s.io/controller-runtime v0.10.2
+	sigs.k8s.io/yaml v1.3.0
 )