Skip to content

Inject kube-apiserver pods trust stores with trusted ca bundle#552

Merged
openshift-merge-robot merged 1 commit intoopenshift:masterfrom
stlaz:add_trusted_ca_bundle
Aug 26, 2019
Merged

Inject kube-apiserver pods trust stores with trusted ca bundle#552
openshift-merge-robot merged 1 commit intoopenshift:masterfrom
stlaz:add_trusted_ca_bundle

Conversation

@stlaz
Copy link
Contributor

@stlaz stlaz commented Aug 19, 2019

Adds the trusted store injection and a watchdog that will restart
the kube-apiserver process on the trusted CA bundle change.

@openshift-ci-robot openshift-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Aug 19, 2019
@stlaz
Copy link
Contributor Author

stlaz commented Aug 20, 2019

/retest

@stlaz stlaz force-pushed the add_trusted_ca_bundle branch from 16308a2 to e65e1a5 Compare August 20, 2019 12:48
@stlaz
Copy link
Contributor Author

stlaz commented Aug 20, 2019

In order for this to work correctly, we'll have to add the injected cm somewhere into https://github.com/openshift/cluster-kube-apiserver-operator/blob/master/pkg/operator/starter.go#L180.

We'll need to get a CM with the proper key there somewhere, possibly adding a CM apply from the targetconfigcontroller that'll read it from the CM that's being injected 🤔

@stlaz stlaz force-pushed the add_trusted_ca_bundle branch from e65e1a5 to 75b7a0c Compare August 21, 2019 08:57
@openshift-ci-robot openshift-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Aug 21, 2019
@stlaz stlaz force-pushed the add_trusted_ca_bundle branch 2 times, most recently from 3f78b39 to bb80690 Compare August 21, 2019 11:00
mfojtik
mfojtik reviewed Aug 21, 2019
View reviewed changes
@mfojtik
Copy link
Contributor

mfojtik commented Aug 21, 2019

This need e2e test.

@stlaz stlaz force-pushed the add_trusted_ca_bundle branch from bb80690 to 1cccaa2 Compare August 21, 2019 13:47
@mfojtik
Copy link
Contributor

mfojtik commented Aug 22, 2019
edited
Loading

You can't wire file watchdog to kube api server pod, because when the configmap change, the watchdog will deliberately kill all 3 api servers immediately (to restart them).

I think we need to roll new revision when the config map change. To do that you need to add the configmap with proxy CA into RevisionConfigMaps and then create optional volume mount in kube apiserver pod.

@sttts @deads2k correct?

@stlaz stlaz force-pushed the add_trusted_ca_bundle branch from 1cccaa2 to eeadf44 Compare August 22, 2019 08:31
@openshift-ci-robot openshift-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 22, 2019
@stlaz
Copy link
Contributor Author

stlaz commented Aug 22, 2019

@mfojtik: seeing the issue I was mentioning earlier that prevents kube-apiserver pods from running:

'MountVolume.SetUp failed for volume "trusted-ca-bundle" : configmaps "trusted-ca-bundle-2"
    is forbidden: User "system:node:ip-10-0-149-86.ec2.internal" cannot get resource
    "configmaps" in API group "" in the namespace "openshift-kube-apiserver": no relationship
    found between node "ip-10-0-149-86.ec2.internal" and this object'

@stlaz stlaz force-pushed the add_trusted_ca_bundle branch from eeadf44 to 9a4c590 Compare August 22, 2019 10:50
mfojtik
mfojtik reviewed Aug 22, 2019
View reviewed changes
mfojtik
mfojtik reviewed Aug 22, 2019
View reviewed changes
pkg/operator/starter.go Outdated
{Name: "sa-token-signing-certs"},

// this is a copy of trusted-ca-bundle CM but with key modified to "tls-ca-bundle.pem" so that we can mount it the way we need
{Name: "trusted-ca-bundle"},
Copy link
Contributor

@mfojtik mfojtik Aug 22, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you need this in CertConfigMaps /cc @deads2k

Copy link
Contributor Author

@stlaz stlaz Aug 23, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess you're right, in the logs, I can see that the dirs created are:

"/etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/client-ca"

but on the other hand also

"/etc/kubernetes/static-pod-resources/kube-apiserver-pod-2/configmaps/trusted-ca-bundle"

which would explain why the Directory hostMount assumption fails, I'll move this to the CertConfigMaps then.

mfojtik
mfojtik reviewed Aug 22, 2019
View reviewed changes
bindata/v4.1.0/kube-apiserver/pod.yaml Outdated
name: cert-dir
- mountPath: /var/log/kube-apiserver
name: audit-dir
- mountPath: /etc/pki/ca-trust/extracted/pem/
Copy link
Contributor

@mfojtik mfojtik Aug 22, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this overriding existing directory? in case there is no trusted-ca-bundle config map, we erase that dir?

Copy link
Contributor

@mfojtik mfojtik Aug 22, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(i wonder if this should be handled in the installer pod controller)

Copy link
Contributor Author

@stlaz stlaz Aug 22, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a good point, I think the hostPath directory will only appear once the appropriate CM exists. I guess setting type: Directory for the matching volume might solve the problem of the hostPath directory not existing.

Copy link

@danehans danehans Aug 22, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@stlaz the mount should be optional.

Copy link
Contributor Author

@stlaz stlaz Aug 23, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@danehans I don't think there is a way how that could work here

Copy link
Contributor Author

@stlaz stlaz Aug 23, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nvm, we found a way around it to make it optional

mfojtik
mfojtik reviewed Aug 22, 2019
View reviewed changes
mfojtik
mfojtik reviewed Aug 22, 2019
View reviewed changes
@stlaz stlaz force-pushed the add_trusted_ca_bundle branch from 9a4c590 to f8bac6d Compare August 22, 2019 12:49
@stlaz
Copy link
Contributor Author

stlaz commented Aug 22, 2019

/test e2e-aws
Looks like installer bug:

level=error msg="Error: Provider produced inconsistent result after apply"
level=error
level=error msg="When applying changes to module.bootstrap.aws_s3_bucket.ignition, provider"
level=error msg="\"aws\" produced an unexpected new value for was present, but now absent."
level=error
level=error msg="This is a bug in the provider, which should be reported in the provider's own"
level=error msg="issue tracker."

@wking

@wking
Copy link
Member

wking commented Aug 22, 2019

Shared upstream.

@stlaz
Copy link
Contributor Author

stlaz commented Aug 22, 2019

/hold
I was suggested to use bash wrapper to wait for the file mount location to exist and then just copy to proper path, probably a better solution

@stlaz stlaz force-pushed the add_trusted_ca_bundle branch from f8bac6d to c104bee Compare August 22, 2019 15:02
@stlaz
Copy link
Contributor Author

stlaz commented Aug 22, 2019

The dir check in hostPath seemed to have failed, I wonder if removing revision from the path will help

@stlaz
Copy link
Contributor Author

stlaz commented Aug 22, 2019

/retest

@stlaz stlaz force-pushed the add_trusted_ca_bundle branch from c104bee to 8dba95a Compare August 22, 2019 18:33
@stlaz
Copy link
Contributor Author

stlaz commented Aug 22, 2019

Pods are still getting stuck in unitialized on the mount, it would appear the directory just does not appear...

@stlaz stlaz force-pushed the add_trusted_ca_bundle branch 2 times, most recently from 3087341 to 5c67756 Compare August 23, 2019 07:23
@stlaz stlaz changed the title WIP: Inject kube-apiserver pods trust stores with trusted ca bundle Inject kube-apiserver pods trust stores with trusted ca bundle Aug 23, 2019
@openshift-ci-robot openshift-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 23, 2019
@stlaz stlaz force-pushed the add_trusted_ca_bundle branch 6 times, most recently from ce6cd93 to 86b7dc9 Compare August 23, 2019 14:36
@stlaz
Copy link
Contributor Author

stlaz commented Aug 23, 2019

/retest
The failures don’t seem to be related to this PR

@stlaz
Copy link
Contributor Author

stlaz commented Aug 24, 2019

/retest

@sttts sttts force-pushed the add_trusted_ca_bundle branch from ce683a2 to 2b4ad94 Compare August 26, 2019 09:42
@stlaz @sttts
Inject kube-apiserver pods trust stores with trusted ca bundle
afc2bbe 
Adds the trusted store injection and a watchdog that will restart
the kube-apiserver process on the trusted CA bundle change.
@sttts sttts force-pushed the add_trusted_ca_bundle branch from 2b4ad94 to afc2bbe Compare August 26, 2019 09:42
mfojtik
mfojtik reviewed Aug 26, 2019
View reviewed changes
pkg/operator/targetconfigcontroller/targetconfigcontroller.go
return resourceapply.ApplyConfigMap(client, recorder, requiredConfigMap)
}

func ensureKubeAPIServerTrustedCA(client coreclientv1.CoreV1Interface, recorder events.Recorder) error {
Copy link
Contributor

@mfojtik mfojtik Aug 26, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do believe these should have comments describing their purpose.

@mfojtik
Copy link
Contributor

mfojtik commented Aug 26, 2019

/lgtm

I don't like the bash in the pod spec, but for can't think of simpler solution for now (we can improve this in future).

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Aug 26, 2019
@openshift-ci-robot
Copy link

openshift-ci-robot commented Aug 26, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mfojtik, stlaz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 26, 2019
@openshift-bot
Copy link
Contributor

openshift-bot commented Aug 26, 2019

/retest

Please review the full test history for this PR and help us cut down flakes.

@cuppett
Copy link
Member

cuppett commented Aug 26, 2019

/test e2e-aws-upgrade

@openshift-merge-robot openshift-merge-robot merged commit 189121a into openshift:master Aug 26, 2019
@soltysh soltysh mentioned this pull request Dec 12, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sttts sttts Awaiting requested review from sttts

2 more reviewers

@mfojtik mfojtik mfojtik left review comments

@danehans danehans danehans left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@mfojtik mfojtik

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

9 participants

@stlaz @mfojtik @wking @openshift-ci-robot @openshift-bot @cuppett @sttts @danehans @openshift-merge-robot