Kubelet tls bootstrap #2809
Kubelet tls bootstrap #2809
Conversation
|
Can one of the admins verify this patch? |
config.tf
Outdated
| bootkube = "quay.io/coreos/bootkube:v0.8.1" | ||
| etcd = "quay.io/coreos/etcd:v3.2.14" | ||
| bootkube = "quay.io/coreos/bootkube:v0.10.0" | ||
| etcd = "quay.io/coreos/etcd:v3.1.8" |
There was a problem hiding this comment.
oh, fixed that.
| @@ -0,0 +1,43 @@ | |||
| # admin | |||
| # Admin (generated/tls/{admin.key,admin.crt}) | |||
| # Used to create kubeconfig (generated/auth/kubeconfig) with admin level priviledges. | |||
| # Kubelet | ||
| resource "tls_private_key" "kubelet" { | ||
| # Admin (generated/tls/{admin.key,admin.crt}) | ||
| # Used to create kubeconfig (generated/auth/kubeconfig) with admin level priviledges. |
| @@ -45,11 +61,31 @@ resource "local_file" "kubeconfig" { | |||
| filename = "./generated/auth/kubeconfig" | |||
There was a problem hiding this comment.
I would consider renaming this one too (to kubeconfig-admin) to make it really clear that you shouldn't use it for anything in the cluster. Others might have different feelings though.
There was a problem hiding this comment.
bootkube start expects the admin kubeconfig to exist at this path.
https://github.com/kubernetes-incubator/bootkube/blob/master/pkg/bootkube/bootstrap.go#L38-L41
There was a problem hiding this comment.
Heh, look at the fool who left that TODO there :-/
There was a problem hiding this comment.
may be just add a comment on the kubeconfig file if that does not break any consumer?
|
cc @ericchiang |
abhinavdahiya
force-pushed
the
kubelet-tls-bootstrap
branch
from
ef28504 to
74190e9
Compare
|
Can one of the admins verify this patch? |
|
Can one of the admins verify this patch? |
|
ok to test |
|
closed and reopened to trigger smoke tests. |
| --cni-bin-dir=/var/lib/cni/bin \ | ||
| --cni-conf-dir=/etc/kubernetes/cni/net.d \ | ||
| --exit-on-lock-contention \ | ||
| --kubeconfig=/etc/kubernetes/kubeconfig \ |
There was a problem hiding this comment.
Why not?:
--kubeconfig=/path/to/to-be-generated-kubeconfig
--require-kubeconfig
--bootstrap-kubeconfig="/path/to/bootstrap/kubeconfig"
There was a problem hiding this comment.
I believe he alphabetized them.
There was a problem hiding this comment.
I meant what's the reasoning to not use the --bootstrap-kubeconfig flag and then letting the kubelet write the new config on approval in the path pointed by --kubeconfig as suggested here https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#kubelet-configuration.
There was a problem hiding this comment.
|
Hey @abhinavdahiya After a quick run, secrets check-pointing seems to be failing: Sound like the checkpointer using the kubelet bootstrapping kubeconfig? |
| @@ -33,8 +33,8 @@ output "id" { | |||
| local_file.apiserver_crt.id, | |||
| local_file.kube_ca_key.id, | |||
| local_file.kube_ca_crt.id, | |||
| local_file.kubelet_key.id, | |||
There was a problem hiding this comment.
This needs (along with everything else) to be kept in sync within contrib/user-provided-certs.
@abhinavdahiya We are in the process of decoupling the tls generation from the installer. Eventually we'll rely on modules/tls/user-provided to just wire the previously generated certificates into the installer.
As a transitional step for automation purposes we plan to rely on contrib/user-provided-certs to pre-generate the certificates before moving to a more suitable tool.
There was a problem hiding this comment.
@enxebre I think i have synced all these changes to contrib/user-provided-certs in this PR iteself .
(771525b#diff-1e46a06517303b3aa2caeddc2865efb5)
(771525b#diff-266340c2b198d2324636d1e007ce3a66)
(771525b#diff-a870b0054dd4ceba57305ced8ff8b116)
Is anything else required?
abhinavdahiya
force-pushed
the
kubelet-tls-bootstrap
branch
4 times, most recently
from
a76dc9b to
004fef4
Compare
|
Can one of the admins verify this patch? |
|
retest this please. govcloud only |
|
retest this please. aws only |
|
retest this please. metal only |
|
all tests are green. aws/azure/metal/govcloud. |
abhinavdahiya
force-pushed
the
kubelet-tls-bootstrap
branch
from
500a60c to
d08c244
Compare
config.tf
Outdated
| etcd = "quay.io/coreos/etcd:v3.2.14" | ||
| etcd_operator = "quay.io/coreos/etcd-operator:v0.5.0" | ||
| hyperkube = "quay.io/coreos/hyperkube:v1.9.1_coreos.0" | ||
| kube_core_renderer = "quay.io/coreos/kube-core-renderer:beryllium-m1" | ||
| kube_core_renderer = "quay.io/coreos/kube-core-renderer-dev:6c49ce4da9fc36966812381891b4f558aa53097b" |
There was a problem hiding this comment.
I guess there will be a release of kube-core-renderer before this change needs to merge, so that we don't have to carry the dev tag into installer's master?
There was a problem hiding this comment.
Is there a serious problem with using dev images on master? Then we cut over to release images for release branches?
There was a problem hiding this comment.
I don't have any concerns myself as long as we track the follow-up to catch up with the future release.
There was a problem hiding this comment.
Let's go forward with that for now then.
|
friendly ping :) |
|
@abhinavdahiya can you please rebase? then I can check the tests. thanks! |
|
retest this please |
abhinavdahiya
force-pushed
the
kubelet-tls-bootstrap
branch
from
d08c244 to
bf78ad0
Compare
|
@cpanato rebased against master |
abhinavdahiya
force-pushed
the
kubelet-tls-bootstrap
branch
2 times, most recently
from
0190675 to
f4c51c6
Compare
abhinavdahiya
force-pushed
the
kubelet-tls-bootstrap
branch
from
f4c51c6 to
6d2c21a
Compare
|
any updates on this. :) |
|
retest this please. Needs to re-run after rebase with all platforms. |
|
@diegs all green |
Enable kubelet auto TLS bootstrapping.
kubeconfig-kubletfrom a bootstrapping token for kubelet to generate CSRs.auto-approveall nodes.(kubernetes-retired/bootkube#663)
(https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/)
cc @aaronlevy @diegs