Kubelet talks securely to apiserver #2387
Conversation
erictune
commented
Nov 15, 2014
erictune
commented
erictune
force-pushed
the
secure_port_on
branch
from
166e3f6
to
b314120
Compare
|
@jbeda looking for confirmation that this is the right approach. If so, I will add to aws, and try to add to other cloud providers. Also, working on an e2e test that will be part of the final PR. |
| @@ -28,3 +28,19 @@ EOF | |||
|
|
|||
| mkdir -p /srv/salt-overlay/salt/nginx | |||
| echo $MASTER_HTPASSWD > /srv/salt-overlay/salt/nginx/htpasswd | |||
|
|
|||
| # TODO: do aws. | |||
There was a problem hiding this comment.
We have more than AWS -- we need to get vSphere, rackspace and vagrant too.
|
Approach looks good to me! To be honest, this doesn't give us much -- we auto-accept minions to the master now... |
|
I don't get your comment about this not buying much. |
|
Eric, --brendan On Fri, Nov 14, 2014 at 5:03 PM, Eric Tune notifications@github.com wrote:
|
|
by startup-script you mean the gce startup script? |
|
No, the scripts that actually build the release. We should have the Although, to be honest, this may all be a little bit moot, as I think we're --brendan On Fri, Nov 14, 2014 at 5:26 PM, Eric Tune notifications@github.com wrote:
|
|
@erictune Let me know when you are ready for me to take another pass. We need to be somewhat careful that we don't break other cloud/deployments. |
|
Would you be okay with a PR which only adds the new functionality on GCE, and which make no change on other platforms (e.g. using Also, shall I go ahead and file an issue for the salt credential distribution? |
erictune
force-pushed
the
secure_port_on
branch
from
6b23d02
to
a298074
Compare
|
@erictune That seems reasonable. Or you can take your best guess at making this happen for the other platforms and we can contact owners to verify. I like the idea of making the kubelet->master communication optional for now and revert to logging events locally. It isn't idea but it gives us a way forward. |
erictune
force-pushed
the
secure_port_on
branch
from
a298074
to
b534a0b
Compare
|
I'm still worried that we are going to break other clouds. In I'd test this with vagrant and make sure things still come up. |
|
yep, will do. Just debugging issues on GCP at the moment, but planning to On Mon, Nov 17, 2014 at 5:05 PM, Joe Beda notifications@github.com wrote:
|
erictune
force-pushed
the
secure_port_on
branch
from
861b8bb
to
bf655dd
Compare
Configure apiserver to serve Securely on port 6443. Generate token for kubelets during master VM startup. Put token into file apiserver can get and another file the kubelets can get. Added e2e test.
erictune
force-pushed
the
secure_port_on
branch
from
8d73974
to
4dbdfd7
Compare
|
Okay, I added checks to the salt to only expect the known_tokens.csv on GCE and a check to the e2e test to only expect events on GCE. I'm running the e2e on vagrant now (wow that is slow.) |
|
I'll file bugs for other providers after this merges. |
|
Vagrant sets up correctly with the apiserver not crashing. I can't get the e2e test to run for reasons that I think are unrelated to this PR. So, I think this is safe to merge. |
|
This lgtm. I'm merging, we'll see if Jenkins is OK with it... |
Kubelet talks securely to apiserver
|
thanks. |
|
@brendanburns where is jenkins? |
|
Okay, events are done for GCE. Yay. @dchen1107 @lavalamp |
|
Cool! I will get this cherry picked into the 0.5 release. Thanks!
|
|
Great, thanks! |
|
@erictune - so this is what caused the e2e tests to not pass because even though the apiserver is up, it broke the kubelet from starting on the minions. I had been looking at other things so had missed this PR, but if you need help in future, please feel free to just mention me and I would be more than happy to test out the change prior to merging. |
|
Sorry for the trouble. Will ask for help next time with vagrant. On Wed, Nov 19, 2014 at 6:00 PM, Derek Carr notifications@github.com
|
…ssion Add more detailed plan for admission controller and webhook support to dry-run kep
