Add support for token authentication with network proxy #88419
@Jefftree: GitHub didn't allow me to request PR reviews from the following users: dberkov. Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
3d8e31b to 18df560
42965ed to 0d0eb69
0d0eb69 to 7a69acf
/retest
The configuration changes are consistent with kubernetes-sigs/apiserver-network-proxy#51. /lgtm
/assign @liggitt (for approval)
@@ -652,8 +652,13 @@ function create-master-auth { | |||
append_or_replace_prefixed_line "${known_tokens_csv}" "${GCE_GLBC_TOKEN}," "system:controller:glbc,uid:system:controller:glbc" | |||
fi | |||
if [[ -n "${ADDON_MANAGER_TOKEN:-}" ]]; then | |||
append_or_replace_prefixed_line "${known_tokens_csv}" "${ADDON_MANAGER_TOKEN}," "system:addon-manager,uid:system:addon-manager,system:masters" | |||
append_or_replace_prefixed_line "${known_tokens_csv}" "${ADDON_MANAGER_TOKEN}," "system:addon-manager,uid:system:addon-manager,system:masters" |
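Review bot: The ADDON_MANAGER_TOKEN line in create-master-auth appears twice with only its whitespace differing, so that part of the change is a re-indentation rather than a functional edit; say so in the description or split it into its own commit so it does not read as a change to the addon-manager credentials. The hunk header (-652,8 +652,13) shows five more lines on the new side than on the old; if those lines write another entry to known_tokens_csv, follow the neighbouring pattern by guarding it with an [[ -n "${...:-}" ]] check and giving it a dedicated user and uid, without a group such as system:masters, which the addon-manager entry carries.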
s/ / /
(there should be 1 space instead of a bunch of spaces and a tab there)
actually just revert this change?
This fixes the alignment with the previous lines. Would you still like me to revert?
ack, sorry, the diff obscured this.
type: DirectoryOrCreate | ||
--- |
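Review bot: type: DirectoryOrCreate on a hostPath volume makes the kubelet create a missing directory with mode 0755, so if this path is where token or other credential material ends up, confirm that those directory permissions are acceptable or have the directory created ahead of time with tighter ones. The --- that follows starts a second object in the same file; a one-line comment above it naming that object would help the next reader.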
it's weird to have a second blob in this .yaml, when you made a separate file above?
Each cluster addon has its own directory but all the manifests share the same directory (at least in gce). Didn't want to pollute the manifests directory.
I see, ok.
/approve /hold for nit fixes
7a69acf to 964deef
964deef to 0cd61e9
/lgtm
/hold cancel
/retest
/retest Review the full test history for this PR. Silence the bot with an
0cd61e9 to 0989770
/lgtm
/retest Review the full test history for this PR. Silence the bot with an
/test pull-kubernetes-e2e-gce
/lgtm
/test pull-kubernetes-e2e-gce-100-performance
@Jefftree: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
/test pull-kubernetes-e2e-gce-100-performance
What type of PR is this?
/kind feature
What this PR does / why we need it:
Add support for token based authentication for konnectivity server to authenticate konnectivity agent.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
KUBE_ENABLE_EGRESS_VIA_KONNECTIVITY_SERVICE=true ./cluster/kube-up.sh
to set up
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
/assign @caesarxuchao
/cc @cheftako
/cc @dberkov
/sig api-machinery