kubeadm: Implementing the kubeconfig phase fully #49419
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
Hi @fabriziopandini. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
the
needs-ok-to-test
k8s-github-robot
added
size/XXL
|
This PR will fix also kubernetes/kubeadm#350; edited command for easier reference |
|
/ok-to-test |
k8s-ci-robot
added
release-note
timothysc
added
the
sig/cluster-lifecycle
timothysc
added
the
kind/cleanup
luxas
left a comment
luxas
left a comment
There was a problem hiding this comment.
On a high level:
- Please don't move useful pkg functions like writing a kubeconfig file if not exists. That's useful generally
- Enhance the struct that describes the generation
- Move over the
map[string]buildStructto cmd and call the generic fn from there
I'd like this PR to touch way less code. It can be done ;)
There was a problem hiding this comment.
I think this will make the tempdir to be deleted immediately after this function exits, which is not what we want
There was a problem hiding this comment.
In any case, I'd explicitely call defer os.RemoveAll after the createTmpDir call
There was a problem hiding this comment.
what about getKubeConfigSubCommands?
There was a problem hiding this comment.
Please add a note: Please note that this should *only* be used for bootstrapping purposes. After your control plane is up, you should request all kubelet credentials from the CSR API
There was a problem hiding this comment.
with an alias controller-manager possibly?
There was a problem hiding this comment.
Please make a ClientCertAuth struct with the unique fields there: Organization and CAKey
There was a problem hiding this comment.
Use structs as pointers instead to detect auth method
There was a problem hiding this comment.
I'd propose to just move this map to cmd and consume it there.
Also keep most of the code as-is here in this pkg.
The only thing that has to change is that and the BuildConfigProperties struct organization
There was a problem hiding this comment.
I think making a new function for all special cases is not necessary. We have the pattern, let's express what we want with a struct instead and pass it to a generic function GetKubeConfigBytesFromSpec or similar
Then just move the default generation profiles into cmd
There was a problem hiding this comment.
Can you make this a wrapped function so that you can set this as cmdFunc: createDefaultKubeConfigFiles("all|api-server|etc.")?
k8s-github-robot
added
the
needs-rebase
fabriziopandini
force-pushed
the
kubeadm-phase-kubeconfig2
branch
from
cf0bbdb to
f9f91bf
Compare
k8s-github-robot
removed
the
needs-rebase
luxas
left a comment
luxas
left a comment
There was a problem hiding this comment.
Thank you a bunch @fabriziopandini!
I left a couple of nits here, but none of them block this PR
It's better to merge this now and reiterate on small one-line changes than to hold this and its dependencies up for such trivial things.
I downloaded this and tested it out manually and it works well. Thank you for improving our test coverage as part of this btw ;)
/lgtm
| MakeClientCerts bool | ||
| // clientCertAuth struct holds info required to build a client certificate to provide authentication info in a kubeconfig object | ||
| type clientCertAuth struct { | ||
| CaKey *rsa.PrivateKey |
| // /etc/kubernetes/{admin,kubelet}.conf exist but not certs => certs will be generated and conflict with the kubeconfig files => error | ||
| // kubeConfigSpec struct holds info required to build a KubeConfig object | ||
| type kubeConfigSpec struct { | ||
| CaCert *x509.Certificate |
| kubeConfigFilePath := filepath.Join(outDir, filename) | ||
| err = writeKubeconfigToDiskIfNotExists(kubeConfigFilePath, kubeconfig) | ||
| // writes the KubeConfig to disk if it not exists | ||
| err = createKubeConfigFileIfNotExists(outDir, kubeConfigFileName, config) |
There was a problem hiding this comment.
nit: inline this in the if clause: if err := foo(); err != nil {. Reduces scope, which is good
| kubeadmconstants.KubeletKubeConfigFileName: { | ||
| CaCert: caCert, | ||
| APIServer: cfg.GetMasterEndpoint(), | ||
| ClientName: fmt.Sprintf("system:node:%s", cfg.NodeName), |
There was a problem hiding this comment.
I'd love to find a helper func in an auth pkg for this some day.
| } | ||
| return kubeconfigutil.CreateWithCerts( | ||
| config.APIServer, | ||
| // If this kubeconfing should use token |
| } | ||
| cmd.Flags().StringVar(&cfg.CertificatesDir, "cert-dir", cfg.CertificatesDir, "The path where to save and store the certificates") | ||
| cmd.Flags().StringVar(&cfg.API.AdvertiseAddress, "apiserver-advertise-address", cfg.API.AdvertiseAddress, "The IP address the API Server will advertise it's listening on. 0.0.0.0 means the default network interface's address.") | ||
| cmd.Flags().Int32Var(&cfg.API.BindPort, "apiserver-bind-port", cfg.API.BindPort, "Port for the API Server to bind to") |
There was a problem hiding this comment.
nit: apiserver-port
nit: The port the API server is accessible on
| cmd.Flags().StringVar(&cfg.API.AdvertiseAddress, "apiserver-advertise-address", cfg.API.AdvertiseAddress, "The IP address the API Server will advertise it's listening on. 0.0.0.0 means the default network interface's address.") | ||
| cmd.Flags().Int32Var(&cfg.API.BindPort, "apiserver-bind-port", cfg.API.BindPort, "Port for the API Server to bind to") | ||
| if properties.use == "all" || properties.use == "kubelet" { | ||
| cmd.Flags().StringVar(&cfg.NodeName, "node-name", cfg.NodeName, `Specify the node name`) |
There was a problem hiding this comment.
nit: The node name that the kubelet client cert should use
| cmd.Flags().StringVar(&cfg.NodeName, "node-name", cfg.NodeName, `Specify the node name`) | ||
| } | ||
| if properties.use == "user" { | ||
| cmd.Flags().StringVar(&token, "token", token, "The path to the directory where the certificates are.") |
There was a problem hiding this comment.
nit: The token that should be used as the authentication mechanism for this kubeconfig
| } | ||
| if properties.use == "user" { | ||
| cmd.Flags().StringVar(&token, "token", token, "The path to the directory where the certificates are.") | ||
| cmd.Flags().StringVar(&clientName, "client-name", clientName, "The name of the client for which the KubeConfig file will be generated.") |
There was a problem hiding this comment.
nit: The name of the KubeConfig user that will be created. Will also be used as the CN if client certs are created.
| kubeconfigtestutil "k8s.io/kubernetes/cmd/kubeadm/test/kubeconfig" | ||
| ) | ||
|
|
||
| func TestKubeConfigCSubCommandsHasFlags(t *testing.T) { |
There was a problem hiding this comment.
nit: TestKubeConfigSubCommandsHasFlags?
k8s-ci-robot
added
the
lgtm
|
/retest |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: fabriziopandini, luxas Associated issue: 267 The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
added
the
approved
|
/retest |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue |
|
Thanks @luxas! 🎉 As agreed I move to phase "controlplane" and then I will come back on this comments and on refactoring phase cert! |
…plane2 Automatic merge from submit-queue kubeadm: Implementing the controlplane phase **What this PR does / why we need it:** This contains implementation of controlplane phases in kubeadm, which is part of the wider effort of implementing phases in kubeadm, previously in alpha stage. The original proposal for this activity can be found [here](https://github.com/kubernetes/kubeadm/pull/156/files) and related comments. Kubeadm phase implementation checklist is defined [here](kubernetes/kubeadm#267) Common implementation guidelines and principles for all phases are defined [here](https://docs.google.com/document/d/1VQMyFIVMfRGQPP3oCUpfjiWtOr3pLxp4g7cP-hXQFXc/edit?usp=sharing) This PR implements: - [x] kubeadm phase controlplane: wip by @fabriziopandini - [x] kubeadm phase controlplane all - [x] kubeadm phase controlplane etcd - [x] kubeadm phase controlplane apiserver - [x] kubeadm phase controlplane scheduler - [x] kubeadm phase controlplane controller-manager **Which issue this PR fixes:** kubernetes/kubeadm#349 **Special notes for your reviewer:** This PR implements the same approach of #49419, thus minimising rework/impacts on existing codebase.
…leanups Automatic merge from submit-queue (batch tested with PRs 50692, 50727) kubeadm: Small cleanups from the phases refactoring **What this PR does / why we need it**: Small cleanups on kubeadm phases **Which issue this PR fixes**: fixes pending comments in [#49419](#49419) fixes [#376](kubernetes/kubeadm#376) **Special notes for your reviewer**: cc @luxas
Automatic merge from submit-queue (batch tested with PRs 50904, 50691) Make Kubeadm phase certs codebase consistent with other phases **What this PR does / why we need it:** This PR is a refactoring of [#48196](#48196), that makes this part of kubeadm more consistent with other parts of kubeadm recently changed, e.g. [controlplane & etcd phase #50302](#50302) and [kubeconfig phase #49419](#49419) **Which issue this PR fixes:** none **Special notes for your reviewer:** cc @luxas
6 participants
What this PR does / why we need it:
This contains implementation of kubeconfig phases in kubeadm, which is part of the wider effort of implementing phases in kubeadm, previously in alpha stage.
The original proposal for this activity can be found here and related comments.
Kubeadm phase implementation checklist is defined here
Common implementation guidelines and principles for all phases are defined here
This PR implements:
Which issue this PR fixes:
kubernetes/kubeadm#350
Special notes for your reviewer:
This PR implements the second phases of kubeadm init; implementation of this PR follow the same approach already used for #48196 (cert phases).
Please note that:
initphase #48594 and few minor code changes in phase certs introduced to avoid code duplication between the two phases.