Run node/etcd over https #1383
Run node/etcd over https #1383
Conversation
|
@rajatchopra can you look at the commit with the vagrant sdn changes to pass in etcd certs? |
|
vagrant sdn changes look good. |
|
@deads2k review config/create-node-config bits |
|
For the name |
|
done |
|
@liggitt One of the issues I had with previous method was that once I submitted a build, I had to wait like ~30 seconds for kubelet to orchestrate the build pod (otherwise I got 500: https://github.com/DBuildService/osbs/blob/master/osbs/core.py#L137). Will that work the same way? |
|
continuous-integration/openshift-jenkins/test Running (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_openshift3/1567/) |
|
@TomasTomecek build logs would be retrieved the same way pod logs are, by proxying through the API server to the node. This doesn't change anything with that, except that you have to go through the API rather than directly to the node. |
|
In your code, you would stream from this URL rather than redirecting and contacting the node yourself: |
|
The direction we're moving for things like build logs is a subresource of the build itself, so you could stream this URL directly: |
Thanks. Will try.
That would be awesome! Is there a trello card/PR/issue for that? |
pkg/cmd/server/start/master_args.go
Outdated
There was a problem hiding this comment.
This should be based on whether etcd's bind address scheme is https.
There was a problem hiding this comment.
GetEtcdBindAddress derives from ListenArg...
There was a problem hiding this comment.
GetEtcdBindAddress derives from ListenArg...
So.... I need to make sure that etcdAddr matches what will be produced by twisting up the listenAddr for my master? I really want to be free of this, but do we need to try to figure out which configurations we want to support from the command line and then come up with some sane arguments to describe them?
There was a problem hiding this comment.
from args, you get no options for etcd server addresses... it uses the scheme and host from --listen and port 4001. I'll add a follow up item to split listen args for etcd and node if we think it's important
|
rebased, tweaked param name for client ca in create-node-config |
There was a problem hiding this comment.
Shouldn't (probably can't here) use a cert without a CA.
There was a problem hiding this comment.
If the etcd server is using a cert signed by a recognized authority, you don't need a custom CA
|
Nothing significant. A few questions, not all of them directly related to this pull. Otherwise, lgtm |
|
Rebased, tests updated, comments addressed |
|
[merge] |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_openshift3/1374/) (Image: devenv-fedora_1182) |
|
Evaluated for origin up to e0e1955 |
…service-catalog/' changes from 3aacfedec6..aa27078754 aa27078754 origin build: add origin tooling bcf37fd 0.1.0-rc2 chart updates (openshift#1410) 4ab0a0a add back 'Processing' message for instance deletion (openshift#1332) 0ecbcb1 Update logs for Cluster service plans. (openshift#1389) 8b491ef Fix a quoting nit (openshift#1400) 63685e4 add orphan mitigation-specific conditions for instances (openshift#1378) adee662 Updated missed fields in service and plan specs (openshift#1406) 2095919 Handle default plan setting when using k8s names (openshift#1405) 607ba66 Document rbacEnable. (openshift#1404) 268294e Adding rbac definition for v1 api endpoint. (openshift#1284) 103288d differentiate between failed updates and provisions during deletion (openshift#1383) eba8ba4 enable API aggregation and Service Catalog RBAC on Jenkins (openshift#1333) 5a93315 Validate relistDuration is non-negative (openshift#1395) e279d21 Fix log messages for secrets (openshift#1385) 87fa8c9 fix status update when starting orphan mitigation (openshift#1372) 11f18f3 Switch to wget for integration apiserver checks (openshift#1384) 8c44a7d update OSB client to 2.13 (openshift#1392) e64bbd1 default plan admission controller: filter list of service plans/service classes by the class name (openshift#1351) 6648c0e Check field names. Fix issue 1291 (openshift#1379) 5319841 update comment for instance generation check (openshift#1382) 7d5823f remove internal poll method (openshift#1381) 07d3068 Rework the logging for controller_instance. (openshift#1371) 5f4ca01 address PR comment as a followup (openshift#1380) 485d5e6 Add support for specifying plan using K8S names. (openshift#1377) 662bba8 Log number of secret keys created for binding credential (openshift#1375) 8ad6a31 Move controller constants into correct files (openshift#1373) 7bd66dd Adding type to log. (openshift#1339) 1ce5c4d Remove k8s/k8s dependency (openshift#1355) b458323 Adding log formatting for BindingController. (openshift#1352) 275eb11 rename test variables to be consistent (openshift#1315) ffd6b8b travis: skip cleanup before deploy (openshift#1368) d5ecc04 fix travis tag checker (openshift#1365) 2cae0ee Minor updates to README (openshift#1360) REVERT: 3aacfedec6 carry: Set external plan name for service-catalog walkthrough REVERT: 3ec9e5b07a origin build: add origin tooling git-subtree-dir: cmd/service-catalog/go/src/github.com/kubernetes-incubator/service-catalog git-subtree-split: aa2707875461dd51be3731b1d94b5cfc3b9a3976
6 participants
Follow-ups: