Support post-bootstrap config of kube-apiserver parameters

Add a script and puppet class to update the kube-apiserver parameters
through "kubeadm init phase" after bootstrap.
Update tox to include pep8, copied from the ansible repo

Story: 2006711
Task: 38944

Change-Id: If1ee452273887d652d1246f761a547ffb0d45269
Signed-off-by: Jerry Sun <jerry.sun@windriver.com>

.zuul.yaml

@@ -3,9 +3,13 @@
     check:
       jobs:
         - stx-puppet-linters
+        - openstack-tox-pep8
+        - openstack-tox-pylint
     gate:
       jobs:
         - stx-puppet-linters
+        - openstack-tox-pep8
+        - openstack-tox-pylint
     post:
       jobs:
         - stx-stx-puppet-upload-git-mirror

puppet-manifests/centos/puppet-manifests.spec

@@ -60,6 +60,9 @@ Requires: puppet-puppi
 Requires: puppet-vlan
 Requires: puppet-collectd
 
+# python scripts
+Requires: python2-ruamel-yaml
+
 %description
 Platform puppet configuration files and manifests
 

puppet-manifests/src/modules/platform/files/change_kube_apiserver_params.py

@@ -0,0 +1,71 @@
+#
+# Copyright (c) 2020 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# This script edits a file containing a kubernetes cluster configmap.
+# It currently adds/removes certain kube-apiserver startup parameters.
+# If the script is run without a particular kube-apiserver parameter
+# passed in as an argument, the existing kube-apiserver parameter will
+# be removed.
+
+import argparse
+import ruamel.yaml as yaml
+
+configmap_file = '/tmp/cluster_configmap.yaml'
+parser = argparse.ArgumentParser()
+parser.add_argument("--configmap_file")
+parser.add_argument("--oidc_issuer_url")
+parser.add_argument("--oidc_client_id")
+parser.add_argument("--oidc_username_claim")
+parser.add_argument("--oidc_groups_claim")
+args = parser.parse_args()
+
+if args.configmap_file:
+    configmap_file = args.configmap_file
+
+with open(configmap_file, 'r') as dest:
+    configmap = yaml.load(dest, Loader=yaml.RoundTripLoader)
+    # cluster config is a single string, so we need to parse the string
+    # in order to modify it correctly
+    cluster_config = yaml.load(configmap['data']['ClusterConfiguration'],
+                               Loader=yaml.RoundTripLoader)
+
+if args.oidc_issuer_url:
+    cluster_config['apiServer']['extraArgs']['oidc-issuer-url'] = \
+        args.oidc_issuer_url
+else:
+    if 'oidc-issuer-url' in cluster_config['apiServer']['extraArgs']:
+        del cluster_config['apiServer']['extraArgs']['oidc-issuer-url']
+
+if args.oidc_client_id:
+    cluster_config['apiServer']['extraArgs']['oidc-client-id'] = \
+        args.oidc_client_id
+else:
+    if 'oidc-client-id' in cluster_config['apiServer']['extraArgs']:
+        del cluster_config['apiServer']['extraArgs']['oidc-client-id']
+
+if args.oidc_username_claim:
+    cluster_config['apiServer']['extraArgs']['oidc-username-claim'] = \
+        args.oidc_username_claim
+else:
+    if 'oidc-username-claim' in cluster_config['apiServer']['extraArgs']:
+        del cluster_config['apiServer']['extraArgs']['oidc-username-claim']
+
+if args.oidc_groups_claim:
+    cluster_config['apiServer']['extraArgs']['oidc-groups-claim'] = \
+        args.oidc_groups_claim
+else:
+    if 'oidc-groups-claim' in cluster_config['apiServer']['extraArgs']:
+        del cluster_config['apiServer']['extraArgs']['oidc-groups-claim']
+
+cluster_config_string = yaml.dump(cluster_config, Dumper=yaml.RoundTripDumper,
+                                  default_flow_style=False)
+# use yaml.scalarstring.PreservedScalarString to make sure the yaml is
+# constructed with proper formatting and tabbing
+cluster_config_string = yaml.scalarstring.PreservedScalarString(
+    cluster_config_string)
+configmap['data']['ClusterConfiguration'] = cluster_config_string
+with open(configmap_file, 'w') as dest:
+    yaml.dump(configmap, dest, Dumper=yaml.RoundTripDumper,
+              default_flow_style=False)

puppet-manifests/src/modules/platform/manifests/kubernetes.pp

@@ -16,7 +16,11 @@ class platform::kubernetes::params (
   $k8s_cpu_mgr_policy = 'none',
   $k8s_topology_mgr_policy = 'best-effort',
   $k8s_cni_bin_dir = '/usr/libexec/cni',
-  $join_cmd = undef
+  $join_cmd = undef,
+  $oidc_issuer_url = undef,
+  $oidc_client_id = undef,
+  $oidc_username_claim = undef,
+  $oidc_groups_claim = undef
 ) { }
 
 class platform::kubernetes::cgroup::params (
@@ -615,3 +619,59 @@ class platform::kubernetes::worker::upgrade_kubelet
       command => '/usr/local/sbin/pmon-restart kubelet'
   }
 }
+
+class platform::kubernetes::master::change_apiserver_parameters
+  inherits ::platform::kubernetes::params {
+
+  $configmap_temp_file = '/tmp/cluster_configmap.yaml'
+  $configview_temp_file = '/tmp/kubeadm_config_view.yaml'
+
+  file { $configmap_temp_file:
+    ensure => present,
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0600',
+  }
+
+  -> file { $configview_temp_file:
+    ensure => present,
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0600',
+  }
+
+  # Kubeadm stores the cluster configuration as a configmap in the cluster.
+  # We will change that configmap to include/remove kube-apiserver parameters.
+  # In order to restart kube-apiserver, we will use the "kubeadm init phase"
+  # command and feed it the output of "kubeadm config view".
+  # This keeps the configmap consistent and keeps kube-apiserver managed by kubeadm.
+
+  -> exec { 'read kubeadm config map':
+    command => "kubectl --kubeconfig=/etc/kubernetes/admin.conf get configmap kubeadm-config -o yaml -n kube-system > ${configmap_temp_file}" # lint:ignore:140chars
+  }
+
+  -> exec { 'update kube-apiserver params':
+    command => template('platform/kube-apiserver-change-params.erb')
+  }
+
+  -> exec { 'patch kubeadm config map':
+    command => "kubectl --kubeconfig=/etc/kubernetes/admin.conf -n kube-system patch configmap kubeadm-config -p \"$(cat ${configmap_temp_file})\"" # lint:ignore:140chars
+  }
+
+  -> exec { 'get patched configmap':
+    command => "kubeadm config view > ${configview_temp_file}"
+  }
+
+  -> exec { 'update kube-apiserver parameters':
+    command => "kubeadm init phase control-plane apiserver --config ${configview_temp_file}"
+  }
+
+  -> exec { 'remove temp configmap':
+    command => "rm ${configmap_temp_file}",
+  }
+
+  -> exec { 'remove temp configview':
+    command => "rm ${configview_temp_file}",
+  }
+
+}

puppet-manifests/src/modules/platform/templates/kube-apiserver-change-params.erb

@@ -0,0 +1,14 @@
+python /usr/share/puppet/modules/platform/files/change_kube_apiserver_params.py \
+--configmap_file <%= @configmap_temp_file %> \
+<%- if @oidc_issuer_url -%>
+--oidc_issuer_url <%= @oidc_issuer_url %> \
+<%- end -%>
+<%- if @oidc_client_id -%>
+--oidc_client_id <%= @oidc_client_id %> \
+<%- end -%>
+<%- if @oidc_username_claim -%>
+--oidc_username_claim <%= @oidc_username_claim %> \
+<%- end -%>
+<%- if @oidc_groups_claim -%>
+--oidc_groups_claim <%= @oidc_groups_claim %> \
+<%- end -%>

pylint.rc

@@ -0,0 +1,237 @@
+[MASTER]
+# Specify a configuration file.
+rcfile=pylint.rc
+
+# Python code to execute, usually for sys.path manipulation such as
+# pygtk.require().
+#init-hook=
+
+# Add files or directories to the blacklist. Should be base names, not paths.
+ignore=
+
+# Pickle collected data for later comparisons.
+persistent=yes
+
+# List of plugins (as comma separated values of python modules names) to load,
+# usually to register additional checkers.
+load-plugins=
+
+# Use multiple processes to speed up Pylint.
+jobs=4
+
+# Allow loading of arbitrary C extensions. Extensions are imported into the
+# active Python interpreter and may run arbitrary code.
+unsafe-load-any-extension=no
+
+# A comma-separated list of package or module names from where C extensions may
+# be loaded. Extensions are loading into the active Python interpreter and may
+# run arbitrary code
+extension-pkg-whitelist=lxml.etree,greenlet
+
+
+
+[MESSAGES CONTROL]
+# Enable the message, report, category or checker with the given id(s). You can
+# either give multiple identifier separated by comma (,) or put this option
+# multiple time.
+#enable=
+
+# Disable the message, report, category or checker with the given id(s). You
+# can either give multiple identifier separated by comma (,) or put this option
+# multiple time (only on the command line, not in the configuration file where
+# it should appear only once).
+# See "Messages Control" section of
+# https://pylint.readthedocs.io/en/latest/user_guide
+# We are disabling (C)onvention
+disable=C,
+
+[REPORTS]
+# Set the output format. Available formats are text, parseable, colorized, msvs
+# (visual studio) and html
+output-format=text
+
+# Put messages in a separate file for each module / package specified on the
+# command line instead of printing them on stdout. Reports (if any) will be
+# written in a file name "pylint_global.[txt|html]".
+files-output=no
+
+# Tells whether to display a full report or only the messages
+reports=yes
+
+# Python expression which should return a note less than 10 (10 is the highest
+# note). You have access to the variables errors warning, statement which
+# respectively contain the number of errors / warnings messages and the total
+# number of statements analyzed. This is used by the global evaluation report
+# (RP0004).
+evaluation=10.0 - ((float(5 * error + warning + refactor + convention) / statement) * 10)
+
+
+[SIMILARITIES]
+# Minimum lines number of a similarity.
+min-similarity-lines=4
+
+# Ignore comments when computing similarities.
+ignore-comments=yes
+
+# Ignore docstrings when computing similarities.
+ignore-docstrings=yes
+
+
+[FORMAT]
+# Maximum number of characters on a single line.
+max-line-length=85
+
+# Maximum number of lines in a module
+max-module-lines=1000
+
+# String used as indentation unit. This is usually 4 spaces or "\t" (1 tab).
+indent-string='    '
+
+
+[TYPECHECK]
+# Tells whether missing members accessed in mixin class should be ignored. A
+# mixin class is detected if its name ends with "mixin" (case insensitive).
+ignore-mixin-members=yes
+
+# List of module names for which member attributes should not be checked
+# (useful for modules/projects where namespaces are manipulated during runtime
+# and thus existing member attributes cannot be deduced by static analysis
+ignored-modules=distutils,eventlet.green.subprocess,six,six.moves
+
+# List of classes names for which member attributes should not be checked
+# (useful for classes with attributes dynamically set).
+# pylint is confused by sqlalchemy Table, as well as sqlalchemy Enum types
+# ie: (unprovisioned, identity)
+# LookupDict in requests library confuses pylint
+ignored-classes=SQLObject, optparse.Values, thread._local, _thread._local,
+                Table, unprovisioned, identity, LookupDict
+
+# List of members which are set dynamically and missed by pylint inference
+# system, and so shouldn't trigger E0201 when accessed. Python regular
+# expressions are accepted.
+generated-members=REQUEST,acl_users,aq_parent
+
+
+[BASIC]
+# List of builtins function names that should not be used, separated by a comma
+bad-functions=map,filter,apply,input
+
+# Regular expression which should only match correct module names
+module-rgx=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$
+
+# Regular expression which should only match correct module level names
+const-rgx=(([A-Z_][A-Z0-9_]*)|(__.*__))$
+
+# Regular expression which should only match correct class names
+class-rgx=[A-Z_][a-zA-Z0-9]+$
+
+# Regular expression which should only match correct function names
+function-rgx=[a-z_][a-z0-9_]{2,30}$
+
+# Regular expression which should only match correct method names
+method-rgx=[a-z_][a-z0-9_]{2,30}$
+
+# Regular expression which should only match correct instance attribute names
+attr-rgx=[a-z_][a-z0-9_]{2,30}$
+
+# Regular expression which should only match correct argument names
+argument-rgx=[a-z_][a-z0-9_]{2,30}$
+
+# Regular expression which should only match correct variable names
+variable-rgx=[a-z_][a-z0-9_]{2,30}$
+
+# Regular expression which should only match correct list comprehension /
+# generator expression variable names
+inlinevar-rgx=[A-Za-z_][A-Za-z0-9_]*$
+
+# Good variable names which should always be accepted, separated by a comma
+good-names=i,j,k,ex,Run,_
+
+# Bad variable names which should always be refused, separated by a comma
+bad-names=foo,bar,baz,toto,tutu,tata
+
+# Regular expression which should only match functions or classes name which do
+# not require a docstring
+no-docstring-rgx=__.*__
+
+
+[MISCELLANEOUS]
+# List of note tags to take in consideration, separated by a comma.
+notes=FIXME,XXX,TODO
+
+
+[VARIABLES]
+# Tells whether we should check for unused import in __init__ files.
+init-import=no
+
+# A regular expression matching the beginning of the name of dummy variables
+# (i.e. not used).
+dummy-variables-rgx=_|dummy
+
+# List of additional names supposed to be defined in builtins. Remember that
+# you should avoid to define new builtins when possible.
+additional-builtins=
+
+
+[IMPORTS]
+# Deprecated modules which should not be used, separated by a comma
+deprecated-modules=regsub,string,TERMIOS,Bastion,rexec
+
+# Create a graph of every (i.e. internal and external) dependencies in the
+# given file (report RP0402 must not be disabled)
+import-graph=
+
+# Create a graph of external dependencies in the given file (report RP0402 must
+# not be disabled)
+ext-import-graph=
+
+# Create a graph of internal dependencies in the given file (report RP0402 must
+# not be disabled)
+int-import-graph=
+
+
+[DESIGN]
+# Maximum number of arguments for function / method
+max-args=5
+
+# Argument names that match this expression will be ignored. Default to name
+# with leading underscore
+ignored-argument-names=_.*
+
+# Maximum number of locals for function / method body
+max-locals=15
+
+# Maximum number of return / yield for function / method body
+max-returns=6
+
+# Maximum number of branch for function / method body
+max-branchs=12
+
+# Maximum number of statements in function / method body
+max-statements=50
+
+# Maximum number of parents for a class (see R0901).
+max-parents=7
+
+# Maximum number of attributes for a class (see R0902).
+max-attributes=7
+
+# Minimum number of public methods for a class (see R0903).
+min-public-methods=2
+
+# Maximum number of public methods for a class (see R0904).
+max-public-methods=20
+
+
+[CLASSES]
+# List of method names used to declare (i.e. assign) instance attributes.
+defining-attr-methods=__init__,__new__,setUp
+
+# List of valid names for the first argument in a class method.
+valid-classmethod-first-arg=cls
+
+
+[EXCEPTIONS]
+# Exceptions that will emit a warning when being caught. Defaults to
+# "Exception"
+overgeneral-exceptions=Exception

tox.ini

@@ -1,5 +1,5 @@
 [tox]
-envlist = linters
+envlist = linters,pep8,pylint
 minversion = 2.3
 skipsdist = True
 sitepackages=False
@@ -52,3 +52,32 @@ commands =
                 | xargs -0 puppet-lint --fail-on-warnings {[testenv:linters]skip_tests}"
     {[testenv:bashate]commands}
 
+[testenv:pep8]
+basepython = python3
+usedevelop = False
+description =
+    Run style checks.
+
+
+commands =
+    flake8 puppet-manifests/src/modules/platform/files
+
+[testenv:pylint]
+basepython = python3
+sitepackages = False
+
+deps = {[testenv]deps}
+       ruamel.yaml
+       pylint
+commands =
+     pylint {posargs} --rcfile=./pylint.rc puppet-manifests
+
+[flake8]
+# E123, E125 skipped as they are invalid PEP-8.
+# E501 skipped because some of the code files include templates
+#      that end up quite wide
+# H405: multi line docstring summary not separated with an empty line
+show-source = True
+ignore = E123,E125,E501,H405,W504
+exclude = .venv,.git,.tox,dist,doc,*lib/python*,*egg,build,release-tag-*
+