Make bootstrap client cert loading part of rotation

[smarterclayton]

Ensure that bootstrap+client-cert rotation in the Kubelet can:

1. happen in the background so that static pods are launched immediately
2. collapse down to a single CSR request codepath
3. reorganize the code to allow future improvements to fetching bootstrap creds

Reorganize how the kubelet client config is determined. If rotation is
off, simplify the code path. If rotation is on, load the config
from disk, and then pass that into the cert manager. The cert manager
creates a client each time it tries to request a new cert.

Preserves existing behavior where:

1. bootstrap kubeconfig is used if the current kubeconfig is invalid/expired
2. we create the kubeconfig file based on the bootstrap kubeconfig, pointing to
   the location that new client certs will be placed
3. the newest client cert is used once it has been loaded

reverted in #71173, original release note was:

When a kubelet is using --bootstrap-kubeconfig and certificate rotation, it no longer waits for bootstrap to succeed before launching static pods.

NONE

Fixes #68686

[smarterclayton]

/assign @awly

@mikedanese @liggitt as discussed, @aaronlevy will allow bootkube and other self-hosting mechanisms to rely on bootstrapped master nodes and use static pods.

[smarterclayton]

I reverted #66056 in this - perhaps we could instead do a more aggressive dial timeout for bootstrap credentials (now that we always do both in the background)?

[smarterclayton]

Testing this here and in openshift/origin#21274 so I have a better baseline across different environments

[smarterclayton]

There are four core scenarios to test:

1. rotation on, bootstrap on
   1. no client certs, --kubeconfig file doesn't exist -> kubeconfig is created pointed at destination of client certs, cert is refreshed
   2. client certs exist, --kubeconfig file doesn't exist -> kubeconfig is created pointing at client certs, cert is not refreshed
   3. client certs exist, --kubeconfig exists, certs are valid -> cert is not refreshed until next interval
   4. client certs exist, --kubeconfig exists, certs are expired -> static pod starts and cert is refreshed
2. rotation off, bootstrap on
   1. bootstrap cert is expired -> rebootstrap
   2. bootstrap file doesn't exist -> exit with error
   3. regular kubeconfig exists but is invalid -> exit with error
3. rotation off, bootstrap off
   1. kubeconfig doesn't exist -> exit with error
   2. kubeconfig exists but is invalid/expired -> static pods start, errors are logged
4. rotation on, bootstrap off

[awly]

Re #66056: it should be fine to remove if we add aggressive timeout and fast retries for initial bootstrap.

For context: it was needed on GCE because network programming can lag behind and bootstrapping would get trapped in a very long timeout, even after master IP becomes reachable from Node. cc @mikedanese

[awly]

IIUC, if certificate manager has an expired cert and fails to rotate it, Current() will return that expired cert.
Can we check that current is still valid here and fall back to certConfig if it's not?

[smarterclayton]

Current() returns nil if the cert is expired.

[smarterclayton]

Or at least it should, that was the intended behavior a while back. The transport rotation loop checks for the transition from valid -> invalid and uses that as the "die if this persists"

[awly]

The cached cert is only updated on successful rotation: http://go/gh/kubernetes/kubernetes/blob/3c493bc95a825f0f6eb38ef78a19811f204053ec/staging/src/k8s.io/client-go/util/certificate/certificate_manager.go#L396
And Current() just returns the cached cert without checking expiry http://go/gh/kubernetes/kubernetes/blob/3c493bc95a825f0f6eb38ef78a19811f204053ec/staging/src/k8s.io/client-go/util/certificate/certificate_manager.go#L204-L208

[smarterclayton]

Ah, I added the filtering to getCurrentCertificateOrBootstrap. There's very little point in the cert manager handing me back an expired cert - can you think of a case where that makes sense? If not, we may want to change the signature and verify callers get the right thing (callers should have to deal with nil in general). Alternatively, we make every caller filter for a valid cert.

[awly]

I think manager.Current() should always check expiration and return nil when cert is expired.

Specifically, scenario I'm concerned about is:

1. kubelet has valid bootstrap creds
2. kubelet bootstraps new client cert with short expiration
3. manager.Current() starts returning this cert
4. later, rotation using bootstrapped client cert fails
5. even later, client cert expires
6. rotation flow still gets it from manager.Current(), but fails trying to rotate because it's expired

I'd expect rotation to switch back to using bootstrap cert again when active client cert expires.

[smarterclayton]

ok, I agree. I'll make that change and add tests

[awly]

Is this only used to generate pemPath?
moveit down to where it's used.

[smarterclayton]

it's high in the function to fail earlier on local config

[awly]

bootstrapPath, certDir string

[awly]

Should this get called before starting the cert managed above?

[smarterclayton]

this is in the unmanaged path. In the managed path bootstrap is managed by the manager.

[fedebongio]

/assign @caesarxuchao

[smarterclayton]

/assign @awly

[smarterclayton]

still looking at making the waitForServer path able to have a more aggressive timeout and dial.

[smarterclayton]

Since the timeouts seemed prone to follow up, split all that out. This is just pulling bootstrap into rotation, and having m.Current() return nil when the cert is expired.

[smarterclayton]

/retest

[smarterclayton]

@awly this is back to effectively the original PR you reviewed. Was your previous review sufficient or were you looking for more?

[mikedanese]

I'm +1 on getting this in to CI and seeing how it goes.

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mikedanese, smarterclayton

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• cmd/kubelet/OWNERS [mikedanese,smarterclayton]
• pkg/kubelet/certificate/OWNERS [mikedanese,smarterclayton]
• staging/src/k8s.io/client-go/util/certificate/OWNERS [mikedanese,smarterclayton]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[liggitt]

/hold
for the csiClient question

[k8s-ci-robot]

New changes are detected. LGTM label has been removed.

[smarterclayton]

Comments addressed

[liggitt]

/hold cancel

[smarterclayton]

/retest

[k8s-ci-robot]

@smarterclayton: The following tests failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
pull-kubernetes-integration	de293b2	link	/test pull-kubernetes-integration
pull-kubernetes-kubemark-e2e-gce-big	de293b2	link	/test pull-kubernetes-kubemark-e2e-gce-big

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[smarterclayton]

This was reverted in #71173 due to breaking kubeadm's requirement that --kubeconfig be provided on masters as a high powered credential and cause a rotation of the cert. Restored in #71174 with coverage for kubeadm's flow.