Don't try to build etcd-manager secrets for cilium twice #11764
I would rather you remove the code for the manager, peers, and clients certs from CiliumBuilder. It would result in less code overall and less risk of divergence between the two cases.
nodeup/pkg/model/etcd_manager_tls.go
@@ -43,6 +43,12 @@ func (b *EtcdManagerTLSBuilder) Build(ctx *fi.ModelBuilderContext) error { | |||
|
|||
for _, etcdCluster := range b.Cluster.Spec.EtcdClusters { | |||
k := etcdCluster.Name | |||
|
|||
// The certs for cilium etcd is managed by CiliumBuilder |
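Review bot: the new comment "The certs for cilium etcd is managed by CiliumBuilder" has a subject/verb disagreement; write "are managed". The hunk header announces six added lines but only this comment line is visible here, so the condition that actually skips the Cilium cluster (presumably keyed on `k := etcdCluster.Name`) cannot be checked from this view; when reviewing the full diff, confirm that the name the skip compares against is the same identifier CiliumBuilder uses for its cluster, since a mismatch would either reproduce the double build this PR fixes or leave the Cilium cluster with no certificates at all.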
Suggested change:
- // The certs for cilium etcd is managed by CiliumBuilder
+ // The certs for cilium etcd are managed by CiliumBuilder
I agree that things can be consolidated here. But I am not convinced putting it in etcd_manager_tls is the best option. There will be some "if cilium do this, and if not, apiserver do that" logic in there. I will follow up on refactoring this in a later PR. It is not that important to resolve this regression.
What different logic would that be? The only difference I see is a nil check that is absent from the Cilium version.
Client CA is installed not only on apiservers, but on all nodes. I think this should go into 1.21 and therefore would like to make as small a change as possible right now.
So the difference is that the "cilium" etcd has a different client CA "etcd-clients-ca-cilium", whereas the others share a client CA "etcd-clients-ca". A simple fix that would reduce code duplication would be
That the etcd-clients-ca-cilium private key is exposed to all the nodes and the nodes issue their own client certs is inexplicable. It squanders the security benefit of using kops-controller for bootstrap, at least with respect to Cilium etcd. But that's a different ticket.
I still suggest merging this one, cherry-picking to 1.21, and fixing all the other issues in a follow-up.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: johngmyers. The full list of commands accepted by this bot can be found here. The pull request process is described here.
…764-origin-release-1.21 Automated cherry pick of #11764: Don't try to build etcd-manager secrets for cilium twice
Cilium etcd mode is broken at the moment as both the etcd TLS builder and the Cilium builder try to create certificates. As the logic for the Cilium certs is slightly different, I am keeping the older logic and skipping Cilium in the etcd TLS builder.
/kind bug
@johngmyers @justinsb it may be that you want to cherry-pick this one before the 1.21.0 release.