Alpha JWS Discovery API for locating an apiserver securely #32203
Conversation
|
@kubernetes/sig-cluster-lifecycle |
luxas
added
sig/cluster-lifecycle
k8s-github-robot
added
size/XL
|
We found a Contributor License Agreement for you (the sender of this pull request) and all commit authors, but as best as we can tell these commits were authored by someone else. If that's the case, please add them to this pull request and have them confirm that they're okay with these commits being contributed to Google. If we're mistaken and you did author these commits, just reply here to confirm. |
| @@ -0,0 +1,6 @@ | |||
| FROM golang | |||
There was a problem hiding this comment.
This shouldn't be in the discovery/ dir, but cluster/images/jws-discovery or something like that.
Also, it should be
FROM busybox
COPY kube-discovery /usr/local/bin
ENTRYPOINT ["/usr/local/bin/kube-discovery"]
in order to be consistent with the other server images
|
Introduced a Makefile, is this on track for building the container for appropriate arches @luxas ? |
| # See the License for the specific language governing permissions and | ||
| # limitations under the License. | ||
|
|
||
| # Build the hyperkube image. |
|
Please nuke the Makefile and cluster/images/hyperkube/Makefile changes... |
|
Lastly, we should apply |
dgoodwin
force-pushed
the
kubediscovery
branch
from
ef8c382
to
96101cc
Compare
|
Boilerplate updated. Hmm, I should be CLA approved, at least I was for this: kubernetes/release#50, via being added to the kubernetes-redhat-contributors group. |
|
Yes, I just think the issue is that the CLA bot doesn't allow two committers |
|
Ping @jbeda @errordeveloper @mikedanese @smarterclayton @mikedanese Should build and push the images as soon as it's LGTM'd (which I hope is today) |
| all: build | ||
|
|
||
| build: | ||
| cp -r ./* ${TEMP_DIR} |
There was a problem hiding this comment.
@dgoodwin I think you need a line similar to this here:
cd ${TEMP_DIR} && sed -i.back "s|BASEIMAGE|${BASEIMAGE}|g" DockerfileAt least that's how it's done in the hyperkube image :)
dgoodwin
force-pushed
the
kubediscovery
branch
from
96101cc
to
baebd7c
Compare
|
GCE e2e build/test passed for commit baebd7c. |
|
LGTM, would be great to get this in as soon as we can! |
|
LGTM to me as well, I hope we can get this in today or tomorrow. Waiting for @mikedanese's and/or @jbeda's review. |
|
Friendly ping @mikedanese :) |
|
@mikedanese I have no preference on how that image gets built so say the word and I can apply https://storage.googleapis.com/mikedanese/patches/0001-build-kube-discovery-image-with-release.patch if you like. It does look simpler. |
|
I still think we should follow the kube-dns approach with tagged Everything for that is done. @mikedanese I vote for merging this now. We can take this discussion again when we start thinking about promoting it to beta. |
mikedanese
added
lgtm
luxas
added
the
priority/backlog
|
@k8s-bot test this please github issue: #IGNORE |
|
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue |
|
@mikedanese Please push these images for all architectures today! |
|
Amazing to see this merged! Please ping me whenever we have images on GCR, and I'll update #33262 accordingly. |
|
@mikedanese do we have images on GCR for this? |
|
Yes |
This PR contains an early alpha prototype of the JWS discovery API outlined in proposal #30707.
CA certificate, API endpoints, and the token to be used to authenticate to this discovery API are currently passed in as secrets. If the caller provides a valid token ID, a JWS signed blob of ClusterInfo containing the API endpoints and the CA cert to use will be returned to the caller. This is used by the alpha kubeadm to allow seamless, very quick cluster setup with simple commands well suited for copy paste.
Current TODO list:
There is additional pending work to return a kubeconfig rather than ClusterInfo, however I believe this is slated for post-alpha.
This change is