BUG 1685704: assets: use internal apiserver name for all internal clients

[sjenning]

BZ1685704 requires that all internal client ie openshift cluster-infra clients inside the cluster that talk to the apiserver on LB needs to move to using api-int.$cluster_domain so that customers can modify the external LB URL for apiserver without affecting the internal clients.

• data/data/bootstrap/files/usr/local/bin/bootkube.sh.template

All the internal clients which includes the etcd cert agent moved to contacting the apiserver on api-int.$cluster_domain therefore the etcd signer on the bootstrap node needs to use the serving cert for the api-int

• pkg/asset/kubeconfig/

The admin kubeconfig that installer provides its users needs to continue the apiserver on api.$cluster_domain

The kubelet kubeconfig is moved to use api-int.$cluster_domain as kubelets are internal clients to apiserver as kubelets are internal clients to apiserver.

• pkg/asset/manifests

This change changes the .status.apiServerURL for cluster infrastructures.config.openshift.io 1 to point all internal client to use api-int.$cluster_domain for contacting apiserver.

@deads2k @abhinavdahiya @wking

see if this works now that the groundwork is laid
xref https://bugzilla.redhat.com/show_bug.cgi?id=1685704

[wking]

/hold

We don't want to land this until we have everyone on board (which may already be the case, but I want to be sure ;)

[sjenning]

also @deads2k @eparis

[abhinavdahiya]

you need to change the kubeconfig for kubelet to use api-int

$ rg 'https://api' ./pkg/asset
pkg/asset/kubeconfig/kubeconfig.go
34:                                     Server: fmt.Sprintf("https://api.%s:6443", installConfig.ClusterDomain()),

pkg/asset/kubeconfig/kubeconfig_test.go
65:    server: https://api.test-cluster-name.test.example.com:6443
89:    server: https://api.test-cluster-name.test.example.com:6443

pkg/asset/manifests/utils.go
37:     return fmt.Sprintf("https://api.%s:6443", ic.ClusterDomain())

[abhinavdahiya]

/test e2e-metal

[sjenning]

Interesting. All the worker kubelets are Ready but the master kubelets are Unknown

https://storage.googleapis.com/origin-ci-test/pr-logs/pull/openshift_installer/1633/pull-ci-openshift-installer-master-e2e-aws/5392/artifacts/e2e-aws/nodes.json

[sjenning]

Unfortunately the kubelet logs were not captured from the masters so it is hard to tell what happened. I'll try to recreate manually and see what is going on.

[sjenning]

I spent most of the day trying to figure this out to no avail. There must be some side effect I'm not intending. The only effect I intend is that the /etc/kubernetes/kubeconfig created for the nodes and an API URL that point to api-int.

Any help would be appreciated! 🙏

[sjenning]

making the changes @abhinavdahiya suggested and now my etcd-members won't come up, stuck in the certs init container with

agent.go:116] error sending CSR to signer: Post https://api-int.lab.variantweb.net:6443/apis/certificates.k8s.io/v1beta1/certificatesigningrequests: x509: certificate is valid for api.lab.variantweb.net, kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, localhost, not api-int.lab.variantweb.net

sounds like the bootstrap apiserver is not configured with the cert for api-int. fyi @deads2k

[sjenning]

from /opt/openshift/kube-apiserver-bootstrap/config on the bootstrap node

  namedCertificates:
  - certFile: /etc/kubernetes/secrets/kube-apiserver-service-network-server.crt
    keyFile: /etc/kubernetes/secrets/kube-apiserver-service-network-server.key
    names:
    - kubernetes
    - kubernetes.default
    - kubernetes.default.svc
    - kubernetes.default.svc.cluster.local
  - certFile: /etc/kubernetes/secrets/kube-apiserver-localhost-server.crt
    keyFile: /etc/kubernetes/secrets/kube-apiserver-localhost-server.key
    names:
    - localhost
    - 127.0.0.1
    - ::1
  - certFile: /etc/kubernetes/secrets/kube-apiserver-lb-server.crt
    keyFile: /etc/kubernetes/secrets/kube-apiserver-lb-server.key
  - certFile: /etc/kubernetes/secrets/kube-apiserver-internal-lb-server.crt
    keyFile: /etc/kubernetes/secrets/kube-apiserver-internal-lb-server.key

[sjenning]

gah, this isn't the real apiserver (since there is no etcd yet). it is the kube-etcd-signer-server.

# openssl x509 -in /opt/openshift/tls/apiserver.crt -noout -text
Certificate:
    Data:
...
        Issuer: OU = bootkube, CN = kube-ca
...
        Subject: O = kube-master, CN = system:kube-apiserver
...
            X509v3 Subject Alternative Name: 
                DNS:api.lab.variantweb.net, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:localhost, IP Address:172.30.0.1, IP Address:127.0.0.1
...

[sjenning]

rebased due to collision with #1640

[sjenning]

/retest

[sjenning]

i'm seeing this locally now

Apr 18 16:30:56 bootstrap bootkube.sh[1410]: All self-hosted control plane components successfully started
Apr 18 16:30:56 bootstrap bootkube.sh[1410]: Sending bootstrap-success event.Tearing down temporary bootstrap control plane...
Apr 18 16:30:56 bootstrap bootkube.sh[1410]: Waiting for remaining assets to be created.
Apr 18 16:31:56 bootstrap bootkube.sh[1410]: Failed to create /v1, Resource=namespaces: Post https://api.lab.variantweb.net:6443/api/v1/namespaces: x509: certificate is valid for kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, 172.30.0.1, not api.lab.variantweb.net
Apr 18 16:31:56 bootstrap bootkube.sh[1410]: Failed to create apiextensions.k8s.io/v1beta1, Resource=customresourcedefinitions: Post https://api.lab.variantweb.net:6443/apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions: x509: certificate is valid for kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, 172.30.0.1, not api.lab.variantweb.net
Apr 18 16:31:56 bootstrap bootkube.sh[1410]: Failed to create apiextensions.k8s.io/v1beta1, Resource=customresourcedefinitions: Post https://api.lab.variantweb.net:6443/apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions: x509: certificate is valid for kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, 172.30.0.1, not api.lab.variantweb.net

self-hosted apiserver doesn't have a cert for api. external LB name
@abhinavdahiya @deads2k ?

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abhinavdahiya, sjenning

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [abhinavdahiya]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[abhinavdahiya]

/hold cancel

[abhinavdahiya]

/hold

Looks like we want to merge this after beta4 ships ie after monday

[abhinavdahiya]

/hold

Looks like we want to merge this after beta4 ships ie after monday

/hold cancel

we are ready to merge this.

[openshift-ci-robot]

@sjenning: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
ci/prow/e2e-metal	371283200c584b13fd101f6ed3d0bcc721f86a78	link	/test e2e-metal

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.