fix: honor the extraArgs option for the kubelet

This allows users to supply extra arguments for the kubelet.

Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>

internal/app/machined/pkg/system/services/etcd.go

@@ -92,7 +92,7 @@ func (e *Etcd) DependsOn(config runtime.Configurator) []string {
 
 // Runner implements the Service interface.
 func (e *Etcd) Runner(config runtime.Configurator) (runner.Runner, error) {
-	a, err := args(config)
+	a, err := e.args(config)
 	if err != nil {
 		return nil, err
 	}
@@ -318,12 +318,8 @@ func buildInitialCluster(config runtime.Configurator, name, ip string) (initial
 	return initial, nil
 }
 
-func blacklistError(s string) error {
-	return fmt.Errorf("extra etcd arg %q is not allowed", s)
-}
-
 // nolint: gocyclo
-func args(config runtime.Configurator) ([]string, error) {
+func (e *Etcd) args(config runtime.Configurator) ([]string, error) {
 	hostname, err := os.Hostname()
 	if err != nil {
 		return nil, err
@@ -362,7 +358,7 @@ func args(config runtime.Configurator) ([]string, error) {
 
 	for k := range blackListArgs {
 		if extraArgs.Contains(k) {
-			return nil, blacklistError(k)
+			return nil, argsbuilder.NewBlacklistError(k)
 		}
 	}
 

internal/app/machined/pkg/system/services/kubelet.go

@@ -30,6 +30,7 @@ import (
 	"github.com/talos-systems/talos/internal/app/machined/pkg/system/runner/containerd"
 	"github.com/talos-systems/talos/internal/app/machined/pkg/system/runner/restart"
 	"github.com/talos-systems/talos/internal/pkg/runtime"
+	"github.com/talos-systems/talos/pkg/argsbuilder"
 	"github.com/talos-systems/talos/pkg/constants"
 	tnet "github.com/talos-systems/talos/pkg/net"
 )
@@ -131,12 +132,7 @@ func (k *Kubelet) DependsOn(config runtime.Configurator) []string {
 func (k *Kubelet) Runner(config runtime.Configurator) (runner.Runner, error) {
 	image := fmt.Sprintf("%s:v%s", constants.KubernetesImage, config.Cluster().Version())
 
-	_, serviceCIDR, err := net.ParseCIDR(config.Cluster().Network().ServiceCIDR())
+	a, err := k.args(config)
-	if err != nil {
-		return nil, err
-	}
-
-	dnsServiceIP, err := tnet.NthIPInNetwork(serviceCIDR, 10)
 	if err != nil {
 		return nil, err
 	}
@@ -144,24 +140,7 @@ func (k *Kubelet) Runner(config runtime.Configurator) (runner.Runner, error) {
 	// Set the process arguments.
 	args := runner.Args{
 		ID:          k.ID(config),
-		ProcessArgs: []string{
+		ProcessArgs: append([]string{"/hyperkube", "kubelet"}, a...),
-			"/hyperkube",
-			"kubelet",
-			"--bootstrap-kubeconfig=" + constants.KubeletBootstrapKubeconfig,
-			"--kubeconfig=" + constants.KubeletKubeconfig,
-			"--container-runtime=remote",
-			"--container-runtime-endpoint=unix://" + constants.ContainerdAddress,
-			"--anonymous-auth=false",
-			"--cert-dir=/var/lib/kubelet/pki",
-			"--client-ca-file=" + constants.KubernetesCACert,
-			"--cni-conf-dir=/etc/cni/net.d",
-			"--cluster-domain=cluster.local",
-			"--pod-manifest-path=/etc/kubernetes/manifests",
-			"--rotate-certificates",
-			"--cluster-dns=" + dnsServiceIP.String(),
-			// TODO(andrewrynhard): Only set this in the case of container run mode.
-			"--fail-swap-on=false",
-		},
 	}
 	// Set the required kubelet mounts.
 	mounts := []specs.Mount{
@@ -247,3 +226,46 @@ func (k *Kubelet) HealthSettings(runtime.Configurator) *health.Settings {
 
 	return &settings
 }
+
+// nolint: gocyclo
+func (k *Kubelet) args(config runtime.Configurator) ([]string, error) {
+	_, serviceCIDR, err := net.ParseCIDR(config.Cluster().Network().ServiceCIDR())
+	if err != nil {
+		return nil, err
+	}
+
+	dnsServiceIP, err := tnet.NthIPInNetwork(serviceCIDR, 10)
+	if err != nil {
+		return nil, err
+	}
+
+	blackListArgs := argsbuilder.Args{
+		"bootstrap-kubeconfig":       constants.KubeletBootstrapKubeconfig,
+		"kubeconfig":                 constants.KubeletKubeconfig,
+		"container-runtime":          "remote",
+		"container-runtime-endpoint": "unix://" + constants.ContainerdAddress,
+		"anonymous-auth":             "false",
+		"cert-dir":                   "/var/lib/kubelet/pki",
+		"client-ca-file":             constants.KubernetesCACert,
+		"cni-conf-dir":               "/etc/cni/net.d",
+		"pod-manifest-path":          "/etc/kubernetes/manifests",
+		"rotate-certificates":        "true",
+		"cluster-dns":                dnsServiceIP.String(),
+		// TODO(andrewrynhard): Only set this in the case of container run mode.
+		"fail-swap-on": "false",
+	}
+
+	extraArgs := argsbuilder.Args(config.Machine().Kubelet().ExtraArgs())
+
+	for k := range blackListArgs {
+		if extraArgs.Contains(k) {
+			return nil, argsbuilder.NewBlacklistError(k)
+		}
+	}
+
+	if !extraArgs.Contains("cluster-domain") {
+		extraArgs.Set("cluster-domain", "cluster.local")
+	}
+
+	return blackListArgs.Merge(extraArgs).Args(), nil
+}

pkg/argsbuilder/argsbuilder_args.go

@@ -53,3 +53,19 @@ func (a Args) Contains(k Key) bool {
 
 	return ok
 }
+
+// BlackListError represents an error indicating that an argument was supplied
+// that is not allowed.
+type BlackListError struct {
+	s string
+}
+
+// NewBlacklistError returns a BlackListError.
+func NewBlacklistError(s string) error {
+	return &BlackListError{s}
+}
+
+// Error implements the Error interface.
+func (b *BlackListError) Error() string {
+	return fmt.Sprintf("extra arg %q is not allowed", b.s)
+}

pkg/config/machine/machine.go

@@ -125,5 +125,6 @@ type Time interface {
 // Kubelet defines the requirements for a config that pertains to kubelet
 // related options.
 type Kubelet interface {
+	ExtraArgs() map[string]string
 	ExtraMounts() []specs.Mount
 }

pkg/config/types/v1alpha1/v1alpha1_configurator.go

@@ -118,7 +118,7 @@ func (m *MachineConfig) Time() machine.Time {
 
 // Kubelet implements the Configurator interface.
 func (m *MachineConfig) Kubelet() machine.Kubelet {
-	return m
+	return m.MachineKubelet
 }
 
 // Env implements the Configurator interface.
@@ -168,8 +168,17 @@ func (m *MachineConfig) SetCertSANs(sans []string) {
 	m.MachineCertSANs = append(m.MachineCertSANs, sans...)
 }
 
+// ExtraArgs implements the Configurator interface.
+func (k *KubeletConfig) ExtraArgs() map[string]string {
+	if k.KubeletExtraArgs == nil {
+		k.KubeletExtraArgs = make(map[string]string)
+	}
+
+	return k.KubeletExtraArgs
+}
+
 // ExtraMounts implements the Configurator interface.
-func (m *MachineConfig) ExtraMounts() []specs.Mount {
+func (k *KubeletConfig) ExtraMounts() []specs.Mount {
 	return nil
 }
 
@@ -239,7 +248,7 @@ func (e *EtcdConfig) CA() *x509.PEMEncodedCertificateAndKey {
 // ExtraArgs implements the Configurator interface.
 func (e *EtcdConfig) ExtraArgs() map[string]string {
 	if e.EtcdExtraArgs == nil {
-		return make(map[string]string)
+		e.EtcdExtraArgs = make(map[string]string)
 	}
 
 	return e.EtcdExtraArgs

pkg/config/types/v1alpha1/v1alpha1_types.go

@@ -266,7 +266,7 @@ type KubeletConfig struct {
 	//     - |
 	//       extraArgs:
 	//         key: value
-	ExtraArgs map[string]string `yaml:"extraArgs,omitempty"`
+	KubeletExtraArgs map[string]string `yaml:"extraArgs,omitempty"`
 }
 
 // NetworkConfig reperesents the machine's networking config values.