Generate and approve CSRs for conntrol-plane and static workers nodes #1750

kron4eg · 2022-01-23T14:55:35Z

What this PR does / why we need it:
Fixes the issue that kubelets on control-plane and static workers nodes are service requests under self-signed certificates.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #1093

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

Generate and approve CSRs for conntrol-plane and static workers nodes

kubermatic-bot · 2022-01-23T14:55:39Z

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

Signed-off-by: Artiom Diomin <kron82@gmail.com>

kron4eg · 2022-01-26T08:50:33Z

/assign @xmudrii

ahmedwaleedmalik

Great work

/lgtm
/approve

kubermatic-bot · 2022-01-26T09:58:41Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ahmedwaleedmalik, kron4eg

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [kron4eg]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

kubermatic-bot · 2022-01-26T09:58:41Z

LGTM label has been added.

Git tree hash: f75eb598de77f6ea6107ce63d37516893d313453

xmudrii

Retroactive reveiw.

xmudrii · 2022-01-27T07:45:45Z

pkg/tasks/certs.go

+	// Need to wait for the second CSR to appear
+	time.Sleep(20 * time.Second)


I think we should leave a log message that KubeOne is waiting 20 seconds for CSRs to appear. We already do that when we wait for other tasks (e.g. for the control plane instance to come up).

xmudrii · 2022-01-27T07:52:28Z

pkg/tasks/certs.go

+	if fmt.Sprintf("%s:%s", nodeUser, node.Hostname) != spec.Username {
+		return errors.New("")
+	}
+
+	if !sets.NewString(spec.Groups...).HasAll(groupNodes, groupAuthenticated) {
+		return errors.New("")
+	}
+
+	for _, usage := range spec.Usages {
+		if !isUsageInUsageList(usage, allowedUsages) {
+			return errors.New("")
+		}
+	}


Why is this returning empty errors?

xmudrii · 2022-01-27T07:52:55Z

pkg/tasks/certs.go

+	csrBlock, rest := pem.Decode(spec.Request)
+	if csrBlock == nil {
+		return fmt.Errorf("no certificate request found for the given CSR")
+	}
+
+	if len(rest) != 0 {
+		return fmt.Errorf("found more than one PEM encoded block in the result")
+	}


Why don't we use errors.New() here?

kubermatic-bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jan 23, 2022

kron4eg force-pushed the cp-csrs branch 4 times, most recently from 2110551 to 2a0e7ca Compare January 25, 2022 16:33

kubermatic-bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jan 25, 2022

kron4eg marked this pull request as ready for review January 25, 2022 16:47

kubermatic-bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 25, 2022

kron4eg added 2 commits January 25, 2022 23:34

Generate and approve CSRs for conntrol-plane and static workers nodes

2fc80cf

Signed-off-by: Artiom Diomin <kron82@gmail.com>

Pre-pull images

68b32cb

Signed-off-by: Artiom Diomin <kron82@gmail.com>

kron4eg force-pushed the cp-csrs branch from 2a0e7ca to 68b32cb Compare January 25, 2022 22:09

kron4eg requested a review from xmudrii January 26, 2022 08:50

kubermatic-bot assigned xmudrii Jan 26, 2022

embik requested a review from ahmedwaleedmalik January 26, 2022 09:03

ahmedwaleedmalik approved these changes Jan 26, 2022

View reviewed changes

kubermatic-bot assigned ahmedwaleedmalik Jan 26, 2022

kubermatic-bot added the lgtm Indicates that a PR is ready to be merged. label Jan 26, 2022

kubermatic-bot merged commit d55cc58 into kubermatic:master Jan 26, 2022

kubermatic-bot added this to the KubeOne 1.4 milestone Jan 26, 2022

kron4eg deleted the cp-csrs branch January 26, 2022 10:09

xmudrii reviewed Jan 27, 2022

View reviewed changes

kron4eg mentioned this pull request Jan 27, 2022

Small CSR tweaks #1758

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Generate and approve CSRs for conntrol-plane and static workers nodes #1750

Generate and approve CSRs for conntrol-plane and static workers nodes #1750

kron4eg commented Jan 23, 2022

kubermatic-bot commented Jan 23, 2022

kron4eg commented Jan 26, 2022

ahmedwaleedmalik left a comment

kubermatic-bot commented Jan 26, 2022

kubermatic-bot commented Jan 26, 2022

xmudrii left a comment

xmudrii Jan 27, 2022

xmudrii Jan 27, 2022

xmudrii Jan 27, 2022

		// Need to wait for the second CSR to appear
		time.Sleep(20 * time.Second)

Generate and approve CSRs for conntrol-plane and static workers nodes #1750

Generate and approve CSRs for conntrol-plane and static workers nodes #1750

Conversation

kron4eg commented Jan 23, 2022

kubermatic-bot commented Jan 23, 2022

kron4eg commented Jan 26, 2022

ahmedwaleedmalik left a comment

Choose a reason for hiding this comment

kubermatic-bot commented Jan 26, 2022

kubermatic-bot commented Jan 26, 2022

xmudrii left a comment

Choose a reason for hiding this comment

xmudrii Jan 27, 2022

Choose a reason for hiding this comment

xmudrii Jan 27, 2022

Choose a reason for hiding this comment

xmudrii Jan 27, 2022

Choose a reason for hiding this comment