kubeadm: Make it possible to configure volume mounts via the config file #49840
Conversation
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://github.com/kubernetes/kubernetes/wiki/CLA-FAQ to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
Hi @andrewrynhard. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Manifests are generated correctly
I talked to @andrewrynhard about this on Slack and we decided that a generic variant of this is much better. Something like this:

```go
type HostPathMount struct {
	Name      string
	HostPath  string
	MountPath string
}

type MasterConfiguration struct {
	...
	APIServerExtraVolumes         []HostPathMount
	ControllerManagerExtraVolumes []HostPathMount
	SchedulerExtraVolumes         []HostPathMount
}
```

/release-note
I had a couple of style questions. Other than picking the right name and fixing some tests, I don't see a reason not to make this configurable.
Distros are pretty inconsistent about where they keep "system" trust stores (/etc/pki/ vs. /usr/share/ca-certificates vs. /etc/ssl/).
@@ -51,6 +51,8 @@ type MasterConfiguration struct { | |||
APIServerCertSANs []string | |||
// CertificatesDir specifies where to store or look for all required certificates | |||
CertificatesDir string | |||
// CACertificatesPkiDir specifies where to mount host CA certficates | |||
CACertificatesPkiDir string |
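Review bot: the comment on the new CACertificatesPkiDir field has a typo ("certficates" should read "certificates") and does not say what happens when the field is left empty; the PR description states that /etc/pki is the default, so the comment should say so. The name and comment should also make clear that this is the host's system trust store that gets mounted into the control-plane containers, not the kubeadm-generated PKI that CertificatesDir refers to, and that the mount is read-only.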
Just a style nit but this should be CACertificatesPKIDir (per this guide).
I think the name is a little confusing too, since this doesn't have to do with the kubeadm-generated cluster CA like CertificatesDir does. Maybe SystemCACertificatesDir, HostCACertificatesDir, or ExternalCACertificatesDir?
@@ -51,6 +51,8 @@ type MasterConfiguration struct { | |||
APIServerCertSANs []string `json:"apiServerCertSANs"` | |||
// CertificatesDir specifies where to store or look for all required certificates | |||
CertificatesDir string `json:"certificatesDir"` | |||
// CACertificatesPkiDir specifies where to mount host CA certficates | |||
CACertificatesPkiDir string `json:"caCertificatesPkiDir"` |
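Review bot: the same "certficates" typo is in this comment, and the json tag caCertificatesPkiDir becomes serialized API surface in v1alpha1 once merged; with a rename under discussion (and a generic per-component extra-volumes list being proposed), the name should be settled before this tag ships, since renaming a serialized field afterwards needs a conversion path for existing config files.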
Same style nit here (s/Pki/PKI/).
@@ -135,7 +130,7 @@ func newVolumeMount(name, path string, readOnly bool) v1.VolumeMount { | |||
} | |||
|
|||
// getEtcdCertVolumes returns the volumes/volumemounts needed for talking to an external etcd cluster | |||
func getEtcdCertVolumes(etcdCfg kubeadmapi.Etcd) ([]v1.Volume, []v1.VolumeMount) { | |||
func getEtcdCertVolumes(etcdCfg kubeadmapi.Etcd, caCertsPkiVolumePath string) ([]v1.Volume, []v1.VolumeMount) { |
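Review bot: adding the caCertsPkiVolumePath parameter changes the signature of getEtcdCertVolumes, so every caller must be updated; the unit-test log later in this thread shows volumes_test.go:276 still calling it with a single argument. The doc comment above the function should mention the new parameter, and the value should be checked to be a non-empty absolute path before it is turned into a hostPath volume, since it now comes from user configuration rather than a fixed constant.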
Same style nit here also (s/Pki/PKI/).
@@ -175,7 +170,7 @@ func getEtcdCertVolumes(etcdCfg kubeadmapi.Etcd) ([]v1.Volume, []v1.VolumeMount) | |||
// isPkiVolumeMountNeeded specifies whether /etc/pki should be host-mounted into the containers | |||
// On some systems were we host-mount /etc/ssl/certs, it is also required to mount /etc/pki. This is needed | |||
// due to symlinks pointing from files in /etc/ssl/certs into /etc/pki/ | |||
func isPkiVolumeMountNeeded() bool { | |||
func isPkiVolumeMountNeeded(caCertsPkiVolumePath string) bool { |
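Review bot: the doc comment still names /etc/pki as the directory that is host-mounted, but the function now receives that directory as caCertsPkiVolumePath; update the comment (and the function name, which carries the same Pki spelling nit) so it describes the configured path rather than a fixed one, otherwise the comment is wrong as soon as a user sets a different directory.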
Same style nit here also (s/Pki/PKI/).
// caCertsPkiVolumePath specifies the path that can be conditionally mounted into the apiserver and controller-manager containers | ||
// as /etc/ssl/certs might be a symlink to it. It's a variable since it may be changed in unit testing. This var MUST NOT be changed | ||
// in normal codepaths during runtime. | ||
var caCertsPkiVolumePath = "/etc/pki" |
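Review bot: dropping the package-level caCertsPkiVolumePath variable breaks the unit tests that overrode it (the test log in this thread reports it as undefined at volumes_test.go:514 and :515); those tests should pass the path through the new function parameters instead, which also retires the mutable package variable that the old comment warned must not be changed at runtime.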
It looks like the unit tests that used this variable need a fix (test log):
[...]
W0804 00:30:36.473] # k8s.io/kubernetes/cmd/kubeadm/app/phases/controlplane
W0804 00:30:36.474] cmd/kubeadm/app/phases/controlplane/volumes_test.go:276: not enough arguments in call to getEtcdCertVolumes
W0804 00:30:36.474] have (kubeadm.Etcd)
W0804 00:30:36.475] want (kubeadm.Etcd, string)
W0804 00:30:36.475] cmd/kubeadm/app/phases/controlplane/volumes_test.go:514: undefined: caCertsPkiVolumePath
W0804 00:30:36.475] cmd/kubeadm/app/phases/controlplane/volumes_test.go:515: undefined: caCertsPkiVolumePath
[...]
I'm also +1 on the idea of a generic
ping @andrewrynhard You're gonna take a look at this soon, right?
/retest
/test pull-kubernetes-unit
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: andrewrynhard, luxas Associated issue: 484 The full list of commands accepted by this bot can be found here.
/release-note-none
/retest Review the full test history for this PR.
/test all [submit-queue is verifying that this PR is safe to merge]
@andrewrynhard: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.
/test pull-kubernetes-unit
Automatic merge from submit-queue (batch tested with PRs 49840, 54937, 54543). If you want to cherry-pick this change to another branch, please follow the instructions here.
Hi, does this PR allows to use volume type ? I'm trying with kubeadm config file to mount the cloud_config file for an OpenStack provider but all the extra volumes are of type
@ArchiFleKs Not right now, please file an issue with more details if that's something you'd like to see
Is the feature of volume mounts via the config file been released on the current kubeadm? I need to mount the cloud_config to add the AWS support :) using this approach apiServerExtraArgs: root@ip-10-1-18-136:~# kubeadm version
@usernkey it is, see https://github.com/kubernetes/kubernetes/blob/master/cmd/kubeadm/app/apis/kubeadm/v1alpha1/types.go#L93-L99. Has been available since 1.8 I believe.
cool thanks I'll try it
What this PR does / why we need it:
Kubeadm mounts host CA certs into api server and controller manager. It uses /etc/pki and does not allow for the path to be configurable. This PR adds a default to /etc/pki but also allows a user to configure the path in the config file. In the case of using Container Linux, the CAs are located at /usr/share/ca-certificates, so without this PR the hardcoded /etc/pki path is used and will break, for example, the --cloud-provider flag because of missing CAs.
Fixes kubernetes/kubeadm#484
Fixes kubernetes/kubeadm#476
Fixes kubernetes/kubeadm#441
/cc @luxas
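As an added example (not code from this PR or from kubeadm), the following Go program generalises the /etc/ssl/certs -> /etc/pki symlink problem described in the PR into entries of the generic HostPathMount shape proposed in the review: it resolves the symlinks in the configured CA directory and lists every host directory that has to be mounted, read-only at the same path, for the bundle to work inside the control-plane container, so only the directories actually needed get mounted rather than all of /etc/pki. The ReadOnly field, the function names and the constructed sample tree under a temp dir are assumptions of this example.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// HostPathMount mirrors the generic type proposed in the review; ReadOnly is an assumption added here.
type HostPathMount struct{ Name, HostPath, MountPath string; ReadOnly bool }

// ExtraCAMounts lists the host directories to mount read-only at the same path so the CA bundle in
// caCertsDir works inside a container: the dir itself plus any dir a symlink in it resolves into.
func ExtraCAMounts(caCertsDir string) ([]HostPathMount, error) {
	base, err := filepath.EvalSymlinks(caCertsDir)
	entries, err2 := os.ReadDir(base) // os.ReadDir sorts entries by name, so the output is deterministic
	if err != nil || err2 != nil {
		return nil, errors.Join(err, err2)
	}
	seen, dirs := map[string]bool{base: true}, []string{}
	for _, e := range entries {
		target, err := filepath.EvalSymlinks(filepath.Join(base, e.Name()))
		dir := filepath.Dir(target)
		if err != nil || seen[dir] || strings.HasPrefix(dir, base+"/") {
			continue // dangling link, directory already listed, or a file/link that stays inside the CA dir
		}
		seen[dir], dirs = true, append(dirs, dir)
	}
	name := func(p string) string { return strings.Trim(strings.ReplaceAll(p, "/", "-"), "-") }
	mounts := []HostPathMount{{name(caCertsDir), caCertsDir, caCertsDir, true}}
	for _, d := range dirs {
		mounts = append(mounts, HostPathMount{name(d), d, d, true})
	}
	return mounts, nil
}

// BuildSampleTree writes a constructed RHEL-style layout under a temp dir and returns its certs
// directory: certs/ca-bundle.crt -> ../pki/tls/certs/ca-bundle.crt plus a dangling link.
func BuildSampleTree() (string, error) {
	root, err := os.MkdirTemp("", "cacerts")
	certs, pki := filepath.Join(root, "certs"), filepath.Join(root, "pki", "tls", "certs")
	if err == nil { // arguments to errors.Join are evaluated left to right, so the order below holds
		err = errors.Join(os.MkdirAll(pki, 0o755), os.Mkdir(certs, 0o755),
			os.WriteFile(filepath.Join(pki, "ca-bundle.crt"), []byte("constructed"), 0o644),
			os.Symlink("../pki/tls/certs/ca-bundle.crt", filepath.Join(certs, "ca-bundle.crt")),
			os.Symlink("missing.pem", filepath.Join(certs, "dangling.pem")))
	}
	return certs, err
}
```

On a Container Linux host the same function run against /usr/share/ca-certificates yields just that one directory, which is the case the PR makes configurable.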