Alpha JWS Discovery API for locating an apiserver securely #32203
@kubernetes/sig-cluster-lifecycle
We found a Contributor License Agreement for you (the sender of this pull request) and all commit authors, but as best as we can tell these commits were authored by someone else. If that's the case, please add them to this pull request and have them confirm that they're okay with these commits being contributed to Google. If we're mistaken and you did author these commits, just reply here to confirm.
@@ -0,0 +1,6 @@ | |||
FROM golang |
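Review bot: FROM golang carries no tag or digest, so every build pulls whatever the default tag points to at that moment and the resulting image is not reproducible. Pin the base image to a specific tag or digest. Since this image serves the signed cluster information, also check whether the full Go toolchain image is needed at runtime or whether a minimal base holding only the compiled binary would do.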
This shouldn't be in the discovery/ dir, but cluster/images/jws-discovery or something like that.
Also, it should be
    FROM busybox
    COPY kube-discovery /usr/local/bin
    ENTRYPOINT ["/usr/local/bin/kube-discovery"]
in order to be consistent with the other server images
Introduced a Makefile, is this on track for building the container for appropriate arches @luxas?
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
# Build the hyperkube image. |
kube-discovery
Please nuke the Makefile and cluster/images/hyperkube/Makefile changes...
Lastly, we should apply
ef8c382 to 96101cc
Boilerplate updated. Hmm, I should be CLA approved, at least I was for this: kubernetes/release#50, via being added to the kubernetes-redhat-contributors group.
Yes, I just think the issue is that the CLA bot doesn't allow two committers
Ping @jbeda @errordeveloper @mikedanese @smarterclayton @mikedanese Should build and push the images as soon as it's LGTM'd (which I hope is today)
all: build | ||
|
||
build: | ||
cp -r ./* ${TEMP_DIR} |
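Review bot: In the build target, cp -r ./* ${TEMP_DIR} uses ${TEMP_DIR} unquoted, and nothing in this hunk shows where it is set. If it expands to an empty string, cp takes the last match of ./* as its destination; if it contains spaces, the shell splits it. Quote it as "${TEMP_DIR}" and fail the target early when it is empty. Note also that ./* skips dotfiles, which matters if the image build ever depends on one.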
@dgoodwin I think you need a line similar to this here:
    cd ${TEMP_DIR} && sed -i.back "s|BASEIMAGE|${BASEIMAGE}|g" Dockerfile
At least that's how it's done in the hyperkube image :)
Added, thanks!
96101cc to baebd7c
GCE e2e build/test passed for commit baebd7c.
LGTM, would be great to get this in as soon as we can!
LGTM to me as well, I hope we can get this in today or tomorrow. Waiting for @mikedanese's and/or @jbeda's review.
Friendly ping @mikedanese :)
@mikedanese I have no preference on how that image gets built so say the word and I can apply https://storage.googleapis.com/mikedanese/patches/0001-build-kube-discovery-image-with-release.patch if you like. It does look simpler.
I still think we should follow the kube-dns approach with tagged Everything for that is done. @mikedanese I vote for merging this now. We can take this discussion again when we start thinking about promoting it to beta.
@k8s-bot test this please github issue: #IGNORE
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]
Automatic merge from submit-queue
@mikedanese Please push these images for all architectures today!
Amazing to see this merged! Please ping me whenever we have images on GCR, and I'll update #33262 accordingly.
@mikedanese do we have images on GCR for this?
Yes
This PR contains an early alpha prototype of the JWS discovery API outlined in proposal #30707.
CA certificate, API endpoints, and the token to be used to authenticate to this discovery API are currently passed in as secrets. If the caller provides a valid token ID, a JWS signed blob of ClusterInfo containing the API endpoints and the CA cert to use will be returned to the caller. This is used by the alpha kubeadm to allow seamless, very quick cluster setup with simple commands well suited for copy paste.
Current TODO list:
There is additional pending work to return a kubeconfig rather than ClusterInfo, however I believe this is slated for post-alpha.
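The client-side check that the description above implies, as an added example that is not code from this PR. It assumes a compact JWS using HS256 keyed by the discovery token's secret; the `endpoints`/`caCert` field names, the secret and the endpoint are constructed for illustration, since the page does not show the wire format.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS segments are unpadded base64url
// ClusterInfo field names are assumed; the PR only says it carries endpoints and a CA cert.
type ClusterInfo struct {
	Endpoints []string `json:"endpoints"`
	CACert    string   `json:"caCert"`
}

// sign appends an HMAC-SHA256 tag to a "header.payload" signing input (server side).
func sign(input string, key []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(input))
	return input + "." + b64.EncodeToString(m.Sum(nil))
}

// verifyClusterInfo is the client side: the payload is parsed only after the MAC checks out.
func verifyClusterInfo(jws string, key []byte) (*ClusterInfo, error) {
	p := strings.Split(jws, ".")
	if len(p) != 3 {
		return nil, fmt.Errorf("not a compact JWS")
	}
	hdr, e1 := b64.DecodeString(p[0])
	body, e2 := b64.DecodeString(p[1])
	var h struct{ Alg string `json:"alg"` }
	if e1 != nil || e2 != nil || json.Unmarshal(hdr, &h) != nil || h.Alg != "HS256" {
		return nil, fmt.Errorf("bad encoding or alg is not HS256") // pinning alg rejects "none"
	}
	if !hmac.Equal([]byte(jws), []byte(sign(p[0]+"."+p[1], key))) { // constant-time compare
		return nil, fmt.Errorf("signature mismatch: wrong token or tampered ClusterInfo")
	}
	ci := &ClusterInfo{}
	return ci, json.Unmarshal(body, ci)
}

func main() {
	in := b64.EncodeToString([]byte(`{"alg":"HS256"}`)) + "." + b64.EncodeToString([]byte(`{"endpoints":["https://192.0.2.10:6443"],"caCert":"PEM-PLACEHOLDER"}`))
	jws := sign(in, []byte("constructed-token-secret")) // constructed sample values
	fmt.Println(verifyClusterInfo(jws, []byte("constructed-token-secret")))
	fmt.Println(verifyClusterInfo(jws, []byte("wrong-secret")))
}
```

The joining node should take the CA certificate and endpoints from the returned struct only when the error is nil, because those values decide which API server it will trust afterwards.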