Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixup kubelet.conf to point to kubelet-client-current.pem #7347

Merged
merged 1 commit into from
Mar 9, 2021
Merged

Fixup kubelet.conf to point to kubelet-client-current.pem #7347

merged 1 commit into from
Mar 9, 2021

Conversation

champtar
Copy link
Contributor

@champtar champtar commented Mar 4, 2021

c9c0c01 only fix the problem for new clusters

What type of PR is this?
/kind bug

What this PR does / why we need it:

Which issue(s) this PR fixes:
Fixes #7338

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

Fix kubelet client certificate rotation

@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Mar 4, 2021
@k8s-ci-robot k8s-ci-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Mar 4, 2021
oomichi
oomichi reviewed Mar 8, 2021
View reviewed changes
Copy link
Contributor

@oomichi oomichi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/cc @oomichi

roles/kubernetes/control-plane/tasks/kubelet-fix-client-cert-rotation.yml Outdated Show resolved Hide resolved
roles/kubernetes/control-plane/tasks/kubelet-fix-client-cert-rotation.yml Outdated Show resolved Hide resolved
@champtar champtar force-pushed the fix_kubelet_conf branch 2 times, most recently from 3d778c4 to 08cf679 Compare March 8, 2021 23:06
@champtar
Fixup kubelet.conf to point to kubelet-client-current.pem
9722e22 
c9c0c01 only fix the problem for new clusters

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
oomichi
oomichi reviewed Mar 9, 2021
View reviewed changes
Copy link
Contributor

@oomichi oomichi left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this change is for https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/

On nodes created with kubeadm init, prior to kubeadm version 1.17, there is a bug where you manually have to modify the contents of kubelet.conf.
After kubeadm init finishes, you should update kubelet.conf to point to the rotated kubelet client certificates,
by replacing client-certificate-data and client-key-data with:

client-certificate: /var/lib/kubelet/pki/kubelet-client-current.pem
client-key: /var/lib/kubelet/pki/kubelet-client-current.pem

The change seems valid for the above note.

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 9, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: champtar, floryut

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 9, 2021
@k8s-ci-robot k8s-ci-robot merged commit 14b63ed into kubernetes-sigs:master Mar 9, 2021
@champtar champtar deleted the fix_kubelet_conf branch March 9, 2021 12:39
@champtar
Copy link
Contributor Author

champtar commented Mar 9, 2021

Responded on slack, in kubespray case we were regenerating the kubeconfigs thus undoing the kubeadm fix, so for kubespray user all clusters have broken kubelet client cert rotation before this commit

champtar added a commit to champtar/kubespray that referenced this pull request Mar 11, 2021
@champtar
Fixup kubelet.conf to point to kubelet-client-current.pem (kubernetes…
e490de9 
…-sigs#7347)

c9c0c01 only fix the problem for new clusters

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit 14b63ed)

Conflicts:
	roles/kubernetes/master/tasks/kubelet-fix-client-cert-rotation.yml
k8s-ci-robot pushed a commit that referenced this pull request Mar 15, 2021
@champtar @k8s-ci-robot
Fixup kubelet.conf to point to kubelet-client-current.pem (#7347)
c22915a 
c9c0c01 only fix the problem for new clusters

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit 14b63ed)

Conflicts:
	roles/kubernetes/master/tasks/kubelet-fix-client-cert-rotation.yml
LuckySB pushed a commit to southbridgeio/kubespray that referenced this pull request Apr 6, 2021
@champtar @LuckySB
Fixup kubelet.conf to point to kubelet-client-current.pem (kubernetes…
dbdde9c 
…-sigs#7347)

c9c0c01 only fix the problem for new clusters

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
r3dsm0k3 added a commit to reynencourt/kubespray that referenced this pull request May 3, 2021
@r3dsm0k3 @champtar
@dujiulun @electrocucaracha @maciejaszek @floryut @mirwan @oomichi @belak @anthr76 @dlouks @bleech1 @liupeng0518 @Xartos @hjanuschka @lodow @orange-llajeanne @LuckySB @krystianmlynek
Release 2.15 (#35)
2559809 
* Only use stat get_checksum: yes when needed (kubernetes-sigs#7270)

By default Ansible stat module compute checksum, list extended attributes and find mime type
To find all stat invocations that really use one of those:
git grep -F stat. | grep -vE 'stat.(islnk|exists|lnk_source|writeable)'

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit de1d9df)

Conflicts:
	roles/etcd/tasks/check_certs.yml

* Add kube-ipvs0/nodelocaldns to NetworkManager unmanaged-devices (kubernetes-sigs#7315)

On CentOS 8 they seem to be ignored by default, but better be extra safe
This also make it easy to exclude other network plugin interfaces

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit e442b1d)

* Stop using kubeadm to update server in kubeconfigs (kubernetes-sigs#7338)

Using `kubeadm init phase kubeconfig all` breaks kubelet client certificate rotation
as we are missing `kubeadm init phase kubelet-finalize all` to point to `kubelet-client-current.pem`

kubeconfig format is stable so let's just use lineinfile,
this will avoid other future breakage

This revert to the logic before 6fe2248

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit c9c0c01)

* kubeadm-config.v1beta2.yaml.j2: etcd log level arg (kubernetes-sigs#7339)

According to [etcd's docs](https://etcd.io/docs/v3.4.0/op-guide/configuration/#--log-package-levels), argument 'log-package-levels' should not contain underscores.

(cherry picked from commit b7c2265)

* Remove pre kubeadm cert migration tasks

apiserver.pem is not used since ddffdb6

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit fedd671)

Conflicts:
	roles/kubernetes/master/tasks/kubeadm-cleanup-old-certs.yml
	roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml

* Remove useless call to 'kubeadm version'

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit a6e1f5e)

* Remove admin.conf removal

kubeadm is the default for a long time now,
and admin.conf is created by it, so let kubeadm handle it

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit 280036f)

* Remove rotate_tokens logic

kubeadm never rotates sa.key/sa.pub, so there is no need to delete tokens/restart pods

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit 8800b5c)

* Always backup both certs and kubeconfig

There are no reasons not to backup during upgrade

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit 53e5ef6)

Conflicts:
	roles/kubernetes/master/tasks/kubeadm-backup.yml
	roles/kubernetes/master/tasks/kubeadm-certificate.yml

* Delete misnammed kubeadm-version.yml

The important action in kubeadm-version.yml is the templating of the configuration,
not finding / setting the version

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit a9c97e5)

Conflicts:
	roles/kubernetes/master/tasks/kubeadm-version.yml

* Add privileged_without_host_devices support (kubernetes-sigs#7343)

When privileged is enabled for a container, all the `/dev/*` block
devices from the host are mounted into the guest. The
`privileged_without_host_devices` flag prevents host devices from
being passed to privileged containers.

More information:
* containerd/cri#1225
* cri-o/cri-o@1d0f681

(cherry picked from commit dc5df57)

* ansible and jinja2 updates (kubernetes-sigs#7357)

* Update ansible to v2.9.18

Signed-off-by: Maciej Wereski <m.wereski@partner.samsung.com>

* Update jinja2 to v2.11.3

Signed-off-by: Maciej Wereski <m.wereski@partner.samsung.com>
(cherry picked from commit b07c596)

* Fixup kubelet.conf to point to kubelet-client-current.pem (kubernetes-sigs#7347)

c9c0c01 only fix the problem for new clusters

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit 14b63ed)

Conflicts:
	roles/kubernetes/master/tasks/kubelet-fix-client-cert-rotation.yml

* Check for dummy kernel module (kubernetes-sigs#7348)

The dummy module is needed for nodelocaldns.

(cherry picked from commit 5a54db2)

* Fixup one more missing kubespray-defaults (kubernetes-sigs#7375)

"The error was: 'proxy_disable_env' is undefined\n\nThe error appears to
be in '<censored>scale.yml': line 72, column 7"

Fixes 067db68

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit 057e8b4)

* Upgrade openSUSE Leap to 15.2 (kubernetes-sigs#7331)

15.1 has reached EOL on 2021-02-02.

Signed-off-by: Maciej Wereski <m.wereski@partner.samsung.com>
(cherry picked from commit 69d11da)

* Update kube-ovn to 1.6.0 (kubernetes-sigs#7240)

(cherry picked from commit edc4bb4)

* Minor update to cilium and calico

(cherry picked from commit de46f86)

* Update nodelocaldns to 1.17.1

(cherry picked from commit 5f2c8ac)

* Download Calico KDD CRDs (kubernetes-sigs#7372)

* Download Calico KDD CRDs

* Replace kustomize with lineinfile and use ansible assemble module

* Replace find+lineinfile by sed in shell module to avoid nested loop

* add condition on sed

* use block for kdd tasks + remove supernumerary kdd manifest apply in start "Start Calico resources"

(cherry picked from commit 1c62af0)

Conflicts:
        roles/network_plugin/calico/tasks/install.yml

* Update CNI (calico, kubeovn, multus) and Helm

(cherry picked from commit 05f132c)

* Fix calico crds missing 3.16.9 (kubernetes-sigs#7386)

(cherry picked from commit ead8a4e)

* Update hashes for 1.20.5/1.19.9/1.18.17

(cherry picked from commit 6d3dbb4)

* Set K8S default to v1.19.9

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

* Auto renew control plane certificates (kubernetes-sigs#7358)

While at it remove force_certificate_regeneration
This boolean only forced the renewal of the apiserver certs
Either manually use k8s-certs-renew.sh or set auto_renew_certificates

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit efa1803)

Conflicts:
	roles/kubernetes/master/templates/k8s-certs-renew.service.j2
	roles/kubernetes/master/templates/k8s-certs-renew.sh.j2
	roles/kubernetes/master/templates/k8s-certs-renew.timer.j2

* Add cryptography installation (kubernetes-sigs#7404)

To avoid ModuleNotFoundError due to no module named 'setuptools_rust',
this adds cryptography installation to requirements.txt.

Created by jfc-evs originally as kubernetes-sigs#7264

(cherry picked from commit 49abf60)

* Allow connecting to bastion via non-standard SSH port (kubernetes-sigs#7396)

* Allow connecting to bastion via non-standard port

* Fix bastion connection when ansible_port is not provided

(cherry picked from commit 6fa3565)

* Correct Jinja Syntax for etcd-unsupported-arch (kubernetes-sigs#6919)

`-%` causes `etcd-unsupported-arch: arm64` to print on COL 1 instead of
COL 6.

Signed-off-by: anthr76 <hello@anthonyrabbito.com>
(cherry picked from commit edfa3e9)

* Fix k8s-certs-renew for k8s < 1.20 (kubernetes-sigs#7410)

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit 2d1597b)

* Remove ignore_errors from drain tasks and enable retires (kubernetes-sigs#7151)

* Remove ignore_errors from drain tasks and enable retires

* Fix lint error by checking if stdout length is not 0, ie string is not empty.

(cherry picked from commit ccd3aee)

* Fix remove-node by removing jq usage (kubernetes-sigs#7405)

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit 36a3a78)

* Remove left over nodes_to_drain

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

* remove local lb privileged (kubernetes-sigs#7437) (kubernetes-sigs#7454)

Co-authored-by: Samuel Liu <liupeng0518@gmail.com>

* Add new kubernetes hashes (1.19.10, 1.20.6)

* Default to latest kubernetes patch version (1.19.10)

* Update k8s-certs-renew.sh.j2 (kubernetes-sigs#7422)

fix undefinedElse

(cherry picked from commit cce9d31)

* reset roles need flush iptables:raw (kubernetes-sigs#7426)

(cherry picked from commit 7f52c1d)

* Remove calico-rr from local inventory hosts file (kubernetes-sigs#7439)

(cherry picked from commit 596d028)

Conflicts:
	inventory/local/hosts.ini

* Replace deprecated 'with_dict' with 'loop' (kubernetes-sigs#7442)

(cherry picked from commit 6479e26)

* local provisioner 'useNodeNameOnly' option can be configured (kubernetes-sigs#7421)

(cherry picked from commit 7e75d48)

* fix scale (kubernetes-sigs#7449)

(cherry picked from commit 7340a16)

* remove-node roles: fix kubectl absolute path (kubernetes-sigs#7469)

* kubelet absolute path

* kubelet absolute path

(cherry picked from commit e2a7f3e)

* add CI test for auto_renew_certificates (kubernetes-sigs#7472)

* add CI test for auto_renew_certificates

* change timer value

fix typo error in rotate cert script

(cherry picked from commit cce0940)

Conflicts:
	roles/kubernetes/master/templates/k8s-certs-renew.timer.j2

* Remove dead code from kubeadm-etcd (kubernetes-sigs#7470)

(cherry picked from commit aa086e5)

* format ansible output (kubernetes-sigs#7482)

(cherry picked from commit 90c643f)

* Regenerate apiserver.crt on all control-plane nodes (kubernetes-sigs#7463)

We were regenerating only the cert of the first node
While at it speed up the check step

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit e444b3c)

Conflicts:
	roles/kubernetes/master/tasks/kubeadm-setup.yml

* Add auto_renew_certificates_systemd_calendar (kubernetes-sigs#7490)

This allow to configure when K8S certificates renewal runs

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit bf6a39e)

Conflicts:
        inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
        roles/kubernetes/master/defaults/main/main.yml
        roles/kubernetes/master/templates/k8s-certs-renew.timer.j2

* Check if python netaddr and recent enough jinja are installed (kubernetes-sigs#7486)

CentOS 7 provides up to date Ansible with really old jinja version

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit 332cc1c)

* Add missing proxy environment in crio_repo.yml (kubernetes-sigs#7492)

(cherry picked from commit 2a2fb68)

Co-authored-by: Etienne Champetier <e.champetier@ateme.com>
Co-authored-by: Du9L.com <dujiulun@users.noreply.github.com>
Co-authored-by: Victor Morales <chipahuac@hotmail.com>
Co-authored-by: Maciej <m.wereski@partner.samsung.com>
Co-authored-by: Lennart Jern <lennart.jern@elastisys.com>
Co-authored-by: Florian Ruynat <16313165+floryut@users.noreply.github.com>
Co-authored-by: Erwan Miran <mirwan@users.noreply.github.com>
Co-authored-by: Kenichi Omichi <ken1ohmichi@gmail.com>
Co-authored-by: Kaleb Elwert <kaleb@coded.io>
Co-authored-by: Anthony Rabbito <hello@anthonyrabbito.com>
Co-authored-by: David Louks <2402775+dlouks@users.noreply.github.com>
Co-authored-by: bleech1 <15leechb@gmail.com>
Co-authored-by: Samuel Liu <liupeng0518@gmail.com>
Co-authored-by: Fredrik Liv <fredrik.liv@elastisys.com>
Co-authored-by: Helmut Januschka <helmut@januschka.com>
Co-authored-by: Maxime Lavandier <maxime.l@live.fr>
Co-authored-by: orange-llajeanne <71634751+orange-llajeanne@users.noreply.github.com>
Co-authored-by: Sergey <s.bondarev@southbridge.ru>
Co-authored-by: Krystian Młynek <75165213+krystianmlynek@users.noreply.github.com>
@floryut floryut mentioned this pull request May 11, 2021
Closed
@timgriffiths timgriffiths mentioned this pull request May 30, 2022
Closed
zexi pushed a commit to zexi/kubespray that referenced this pull request Nov 9, 2022
@champtar @zexi
Fixup kubelet.conf to point to kubelet-client-current.pem (kubernetes…
57d9df0 
…-sigs#7347)

c9c0c01 only fix the problem for new clusters

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@oomichi oomichi oomichi left review comments

@floryut floryut floryut approved these changes

@holmsten holmsten Awaiting requested review from holmsten

Assignees

@oomichi oomichi

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@champtar @k8s-ci-robot @oomichi @floryut