kubelet should resume csr bootstrap #47856
Branch force-pushed from c1a98cf to b554063.
pkg/kubelet/util/csr/csr.go (Outdated)
certificates.UsageDigitalSignature, | ||
certificates.UsageKeyEncipherment, | ||
certificates.UsageClientAuth, | ||
}) | ||
} | ||
|
||
// RequestCertificate will create a certificate signing request using the PEM | ||
// requestCertificate will create a certificate signing request using the PEM |
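Review bot: the doc comment on the renamed requestCertificate still says nothing about the name argument, and that is the one parameter whose semantics changed: it is the stable digested name under which an existing CSR is looked up and reused, so a caller passing a non-stable name silently loses the resume behaviour this PR adds. Suggest a sentence along the lines of "name is the stable CSR name; if a request with this name already exists it is fetched and reused instead of creating a new one".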
Update to include the purpose of the name argument, that existing requests matching the name will be re-used.
pkg/kubelet/util/csr/csr.go (Outdated)
hash.Write([]byte(subject.CommonName)) | ||
for _, org := range subject.Organization { | ||
hash.Write([]byte(org)) | ||
} |
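Review bot: the values written to the hash have no separators, so different subjects digest to the same name: CommonName "ab" with Organization "c" and CommonName "a" with Organization "bc" both feed the bytes "abc" to hash.Write. Length-prefix each value and count-prefix the Organization list before writing, and include the usages as well, since the name is meant to identify one specific request and two requests that differ only in usages would otherwise collide.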
include usages
And a comment about how this hash should be kept up to date to include everything in the CSR, but can't be a hash of the csrData because of the random elements.
case err == nil: | ||
case errors.IsAlreadyExists(err): | ||
glog.Infof("csr for this node already exists, reusing") | ||
req, err = client.Get(name, metav1.GetOptions{}) |
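Review bot: in the IsAlreadyExists branch the err from client.Get replaces the original error and the fetched req is reused with no check that its subject, usages and public key match what this kubelet would have requested; a name match alone does not prove that. Compare the existing object against the intended request before reusing it, and fail the bootstrap if it differs, so the kubelet does not sit waiting on a CSR that was not generated for its private key.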
also need to make sure the existing csr object actually matches (subject, usages, and private key), and if it doesn't match, I'm not really sure what the kubelet would do... hard fail, I guess
Done.
/retest
unit tests are actually broken.
Branch force-pushed from b406eed to 4f77a5f.
Branch force-pushed from f35f1ae to 46c8085.
/retest
@dchen1107 - this is a release blocker from a scalability perspective. Without it, it's impossible to start clusters noticeably bigger than 300 Nodes.
I was able to bring up a 1000-node cluster without a problem with this patch.
pkg/kubelet/util/csr/csr.go (Outdated)
// certificates and with ensureCompatible. | ||
func digestedName(privateKeyData []byte, subject *pkix.Name, usages []certificates.KeyUsage) string { | ||
hash := sha512.New512_256() | ||
hash.Write(privateKeyData) |
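Review bot: digestedName writes privateKeyData straight into the hash with nothing marking where it ends, and the comment ties this name to ensureCompatible, so the digest and that check must cover exactly the same inputs (key, subject, usages) or a name collision could select a CSR that ensureCompatible then has to reject. Write each field with a length prefix so field boundaries are unambiguous, and keep the maintenance note in the comment explicit: every field that goes into the CSR must also go into this digest.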
Need separators between fields written to the hash
Done.
Branch force-pushed from 4078517 to ea1ba0b.
actually, looks like we have code that cleans up the generated key file if the CSR bootstrap fails. if we want to reuse the existing private key on the next bootstrap, we need to leave that. can you test the following to make sure this works as expected:
Branch force-pushed from ea1ba0b to 44ba662.
ok. I had not tested with (semi) graceful exit, just sigterms.
Branch force-pushed from 44ba662 to 33635a3.
Right now the kubelet creates a new csr object with the same key every time it restarts during the bootstrap process. It should resume with the old csr object if it exists. To do this the name of the csr object must be stable. Also using a list watch here eliminates a race condition where a watch event is missed and the kubelet stalls.
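The stable CSR name the description above depends on, as an added example that is not the PR's code: it contrasts the back-to-back hashing from the original hunk with a length- and count-prefixed form, assuming a string-typed KeyUsage and a constructed "node-csr-" prefix.

```go
package main

import (
	"crypto/sha512"
	"crypto/x509/pkix"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// KeyUsage stands in for certificates.KeyUsage; assumed here to be a string type.
type KeyUsage string

// csrName derives a CSR name from everything the kubelet puts in the request:
// private key, subject and usages. delimited=false writes the fields back to
// back as the original hunk did; delimited=true length-prefixes each field and
// count-prefixes each list so boundaries are unambiguous. Prefix is assumed.
func csrName(privateKeyData []byte, subject *pkix.Name, usages []KeyUsage, delimited bool) string {
	h := sha512.New512_256()
	put := func(b []byte) {
		if delimited { // the length makes the field boundary part of the hashed stream
			binary.Write(h, binary.BigEndian, uint64(len(b)))
		}
		h.Write(b)
	}
	put(privateKeyData)
	put([]byte(subject.CommonName))
	if delimited { // count prefix: orgs and usages cannot be re-split into each other
		binary.Write(h, binary.BigEndian, uint64(len(subject.Organization)))
	}
	for _, org := range subject.Organization {
		put([]byte(org))
	}
	if delimited {
		binary.Write(h, binary.BigEndian, uint64(len(usages)))
	}
	for _, u := range usages {
		put([]byte(u))
	}
	return "node-csr-" + hex.EncodeToString(h.Sum(nil))
}

func main() {
	key := []byte("constructed private key bytes, not a real key")
	a := pkix.Name{CommonName: "system:node:ab", Organization: []string{"c"}}
	b := pkix.Name{CommonName: "system:node:a", Organization: []string{"bc"}}
	fmt.Println(csrName(key, &a, nil, false) == csrName(key, &b, nil, false)) // true: collision
	fmt.Println(csrName(key, &a, nil, true) == csrName(key, &b, nil, true))   // false
}
```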
Branch force-pushed from 33635a3 to 627c414.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dchen1107, jcbsmpsn, mikedanese Associated issue: 47855 The full list of commands accepted by this bot can be found here.
/test pull-kubernetes-e2e-gce-etcd3
These look like flakes
/retest
Automatic merge from submit-queue (batch tested with PRs 47915, 47856, 44086, 47575, 47475)
@mikedanese can you try to manually cherrypick this one? It causes conflicts. I'll batch cherry-pick others first.
I'll do a manual cherrypick.
…#47856-upstream-release-1.7 Automated cherry pick of #47856
It's cherrypicked to release-1.7 already. The cherrypick bot should have removed the cherrypick-approved label. I'll manually remove the label.
Commit found in the "release-1.7" branch appears to be this PR. Removing the "cherrypick-candidate" label. If this is an error find help to get your PR picked.
Right now the kubelet creates a new csr object with the same key every
time it restarts during the bootstrap process. It should resume with the
old csr object if it exists. To do this the name of the csr object must
be stable.
Issue #47855