Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't try to build etcd-manager secrets for cilium twice #11764

Merged
merged 2 commits into from
Jun 17, 2021
Merged

Don't try to build etcd-manager secrets for cilium twice #11764

merged 2 commits into from
Jun 17, 2021

Conversation

olemarkus
Copy link
Member

Ciliium etcd mode is broken at the moment as both etcd TLS builder and cilium builder tries to create certificates. As the logic for cilium certs is slightly different, I am keeping the older logic and skipping cilium in the etcd TLS builder.

/kind bug

@johngmyers @justinsb it may be that you want to cherry-pick this one before the 1.21.0 release.

@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jun 15, 2021
@olemarkus
Copy link
Member Author

/retest

@olemarkus
Copy link
Member Author

/retest

@johngmyers
Copy link
Member

/assign

johngmyers
johngmyers requested changes Jun 16, 2021
View reviewed changes
Copy link
Member

@johngmyers johngmyers left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would rather you remove the code for the manager, peers, and clients certs from CiliumBuilder. It would result in less code overall and less risk of divergence between the two cases.

nodeup/pkg/model/etcd_manager_tls.go Outdated
@@ -43,6 +43,12 @@ func (b *EtcdManagerTLSBuilder) Build(ctx *fi.ModelBuilderContext) error {

for _, etcdCluster := range b.Cluster.Spec.EtcdClusters {
k := etcdCluster.Name

// The certs for cilium etcd is managed by CiliumBuilder
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// The certs for cilium etcd is managed by CiliumBuilder
// The certs for cilium etcd are managed by CiliumBuilder

@olemarkus
Copy link
Member Author

I agree that things can be consolidated here. But I am not convinced putting it in etcd_manager_tls is the best option. There will be some if cilium do this and if not apiserver do that in that logic in there.

I will follow up on refactoring this in a later PR. It is not that important to resolve this regression.

@johngmyers
Copy link
Member

What different logic would that be? The only difference I see is a nil check that is absent from the Cilium version.

@olemarkus
Copy link
Member Author

olemarkus commented Jun 16, 2021
edited
Loading

Client ca is installed not only on apiservers, but on all nodes.

I think this should go into 1.21 and therefore would like to make a small change as possible right now.

@johngmyers
Copy link
Member

So the difference is that the "cilium" etcd has a different client CA "etcd-clients-ca-cilium", whereas the others share a client CA "etcd-clients-ca".

A simple fix that would reduce code duplication would be

		// Because API server can only have a single client certificate for etcd, we need to share a client CA
  		keys["etcd-clients-ca"] = "etcd-clients-ca"
                // ...except for Cilium
                if k == "cilium" {
  		    keys["etcd-clients-ca"] = "etcd-clients-ca-cilium"
                }

That the etcd-clients-ca-cilium private key is exposed to all the nodes and the nodes issue their own client certs is inexplicable. It squanders the security benefit of using kops-controller for bootstrap, at least with respect to Cilium etcd. But that's a different ticket.

@olemarkus
Copy link
Member Author

I still suggest merging this one and cherry-pick to 1.21 and fixing all the other issues in a follow-up.

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 17, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: johngmyers

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 17, 2021
@k8s-ci-robot k8s-ci-robot merged commit d35bce0 into kubernetes:master Jun 17, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.22 milestone Jun 17, 2021
@olemarkus olemarkus mentioned this pull request Jun 17, 2021
Merged
k8s-ci-robot added a commit that referenced this pull request Jun 17, 2021
@k8s-ci-robot
Merge pull request #11792 from olemarkus/automated-cherry-pick-of-#11…
c8a0e24 
…764-origin-release-1.21

Automated cherry pick of #11764: Don't try to build etcd-manager secrets for cilium twice
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@johngmyers johngmyers johngmyers approved these changes

@KashifSaadat KashifSaadat Awaiting requested review from KashifSaadat

@zetaab zetaab Awaiting requested review from zetaab

Assignees

@johngmyers johngmyers

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/nodeup cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
v1.22
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@olemarkus @johngmyers @k8s-ci-robot