New command for stand-alone GKE certificates controller #41160
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
k8s-github-robot
added
kind/api-change
|
This change is |
pipejakob
force-pushed
the
webhooksigner-pr
branch
from
3008d13
to
e6a53da
Compare
|
/approve |
|
Hey @lavalamp -- can you approve my hack/verify-flags/known-flags.txt change? Thanks! |
| useDefault = time.Duration(0) // missing/zero value indicates to use default | ||
| ) | ||
|
|
||
| type webhookSignerConfig struct { |
There was a problem hiding this comment.
config files need versioning. rather than a new config file format, I'd suggest taking a kubeconfig file and a backoff flag set to a reasonable default
There was a problem hiding this comment.
Sounds like a reasonable alternative. In my defense, I was following the example of the ImagePolicyWebhook, which uses an unversioned config file:
There was a problem hiding this comment.
Right, which now has tech debt to switch to versioned config :)
There was a problem hiding this comment.
D'oh. My biggest weakness: TODO comments mere lines away from where I stopped reading :-P.
I like the idea of removing the need for yet another config file anyway, especially since I doubt many users will care enough to override the retryBackoff. Will do.
|
it seems weird to have a controller call a webhook... why wouldn't we make the existing signing controller individually runnable and you could run it from wherever you felt safe keeping the private signing key? |
|
Reasons were discussed here #39761 (comment) |
heh, glad to know I agree with myself. I didn't expect webhook capabilities to be added to the controller-manager. I envisioned a standalone controller you could run in your network that could call out to a webhook. |
|
FWIW we were planning on creating a webhook approver as well for 1.7. I agree that the controller-manager is bloated but breaking out the certificate controller seems orthogonal to this feature and should be tackled separately. Do you think these webhooks are generally useful features? What is your concerns with adding to the "bloat"? Do you think adding these features will make it significantly harder to break out the certificates controller later on? |
k8s-github-robot
added
the
needs-rebase
|
I think adding webhook call-outs from the controller manager crosses the line. The point of the API is to allow coordination by external controllers. A signer that wants to closely hold their signing cert/key makes sense to me, but I'd expect that to be handled by the signer running a signing controller themselves, pointed at the kube API: If there is no network visibility from the CA to the kube API, and/or the CA wants to expose an API for signing certs, a signing controller that reads from the kube API, calls out to the CA, and updates the kube API with the results could work as well: But if network visibility is a concern, it is equally likely the kubernetes installation would not have visibility to the CA, so lumping a glue controller (k8s <-> controller <-> ca) into the controller manager monolith seems like a bad idea. |
|
The whole design of kube APIs is predicated that multiple controllers can coexist by talking to fundamental API resources on a dumb server. I don't know what @bgrant0607's opinion is but I am very strongly against this sort of extension model (we have admission, or controllers, but not both together) |
|
Ok, talked to liggit on slack. We are going to explore some other options. I think I misunderstood his comment on the original issue. |
pipejakob
force-pushed
the
webhooksigner-pr
branch
from
e6a53da
to
453c402
Compare
k8s-github-robot
removed
needs-rebase
|
I'll update the PR description and release notes, but I've pushed a new commit that:
Care to take another look, @liggitt? |
pipejakob
changed the title
cmd/certificates-controller/OWNERS
Outdated
| @@ -0,0 +1,67 @@ | |||
| approvers: | |||
There was a problem hiding this comment.
Copied verbatim from cmd/kube-controller-manager/OWNERS, since the code and responsibility has a lot in common with kube-controller-manager. I could also bootstrap it from pkg/controller/certificates/OWNERS instead, or omit it entirely and fall back on cmd/OWNERS. I'm definitely open to suggestions on the best route to bootstrap this.
There was a problem hiding this comment.
With the pending rename, please just put you, me, and mike as owners/approvers of this directory. Other folks can send PRs if they want to be added to the list.
pipejakob
force-pushed
the
webhooksigner-pr
branch
2 times, most recently
from
2f909d9
to
b11d601
Compare
pipejakob
force-pushed
the
webhooksigner-pr
branch
from
6b5a4a9
to
1430f63
Compare
pipejakob
force-pushed
the
webhooksigner-pr
branch
from
1430f63
to
7f4eb53
Compare
|
I've proactively rebased again to make sure this wasn't broken by upstream commits. I have more changes after this, but I've broken them apart into two follow-on PRs to keep from too much scope creep here (#42011 and #42030). Will you have time to take a look before the weekend, @liggitt? I'd love to beat the code freeze if I can. Thanks! |
|
I don't fully understand what this is doing, but I'm a little worried about adding something that appears to be GKE-specific to the kubernetes-server tarball. Is there a reason we need to sideload this instead of treating it more like an addon and pulling from a container registry? |
At a glance it looks like my comments were addressed. @mikedanese can have final lgtm on the controller.
The code is intended to be moved out of tree asap. I agree that the packaging is odd. Is there any way to just let GKE package this? |
|
I don't see any reason we can't package it separately as long as the code can live in the main repo for a short while longer. |
|
@ixdy My original intent was to reuse this mechanism because it lets us thoroughly e2e test new changes (even against GKE clusters) in order to prevent regressions before they happen. But given these comments, I agree that the right thing to do is remove the packaging from OSS and have it live outside of this repo. I'll update the PR again to only include the code and Makefile changes necessary to build the single static binary, and worry about building the image (and other cluster configuration behavior) elsewhere. This should also make my other two chained PRs superfluous. |
pipejakob
force-pushed
the
webhooksigner-pr
branch
from
7f4eb53
to
38abf2f
Compare
|
Done. My updated commit is just the |
pipejakob
force-pushed
the
webhooksigner-pr
branch
from
38abf2f
to
6fb784d
Compare
mikedanese
added
the
lgtm
|
/approve |
k8s-github-robot
added
the
approved
hack/lib/golang.sh
Outdated
| @@ -24,6 +24,7 @@ readonly KUBE_GOPATH="${KUBE_OUTPUT}/go" | |||
| # If you update this list, please also update build/release-tars/BUILD. | |||
| kube::golang::server_targets() { | |||
| local targets=( | |||
| cmd/gke-certificates-controller | |||
There was a problem hiding this comment.
this still ends up in kubernetes-server.tar.gz. :( but at least there's not a docker tarfile, too.
There was a problem hiding this comment.
Ah. Is it more appropriate to add the target to KUBE_ALL_TARGETS instead? I don't actually need it in the tar, I just want to make sure that it gets built by default when anyone runs make so we'll prevent anyone from breaking the code.
There was a problem hiding this comment.
that would probably work! I'm not sure whether we want to make another grouping for this (I don't know what to call it) or just add to the list directly.
| @@ -24,6 +24,7 @@ readonly KUBE_GOPATH="${KUBE_OUTPUT}/go" | |||
| # If you update this list, please also update build/release-tars/BUILD. | |||
There was a problem hiding this comment.
To be completely honest, I read the comment immediately before it that said:
# Note: if you are adding something here, you might need to add it to
# kube::build::source_targets in build/common.sh as well.
and must have stopped reading because source_targets doesn't exist in build/common.sh (or anywhere else in the codebase, says grep -r). :-)
Given that we don't actually want this in the tar, and I just want to ensure that the binary gets built when users run make (or make bazel-build), I'll just leave this alone and move the target to KUBE_ALL_TARGETS.
There was a problem hiding this comment.
that's only been gone for 4.5 months (#30787). :)
mind removing that part of the comment while you're here?
There was a problem hiding this comment.
Done and done. I could create a new target group like KUBE_EXTRA_TARGETS just for this binary, but it seemed overkill for something that's meant to be temporary. Plus, the fact that this target sticks out like a sore thumb in KUBE_ALL_TARGETS is a good reminder that we should remove it.
This adds a new stand-alone certificates controller for use on GKE. It allows calling GKE to sign certificates instead of requiring the CA private key locally. It does not aim for 100% feature parity with kube-controller-manager yet, so for instance, leader election support is omitted.
pipejakob
force-pushed
the
webhooksigner-pr
branch
from
6fb784d
to
0d7a6eb
Compare
k8s-github-robot
removed
the
lgtm
mikedanese
added
the
lgtm
|
/lgtm Thanks! |
|
@ixdy: you can't LGTM a PR unless you are an assignee. In response to this comment:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
[APPROVALNOTIFIER] This PR is APPROVED The following people have approved this PR: ixdy, mikedanese, pipejakob, spxtr Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
|
@k8s-bot unit test this |
|
Automatic merge from submit-queue (batch tested with PRs 42058, 41160, 42065, 42076, 39338) |
New stand-alone certificates controller for GKE. Rather than requiring the CA's private key on disk, this allows making external calls to GKE in order to sign cluster certificates.
Which issue this PR fixes: fixes #39761
Release note:
CC @mikedanese @jcbsmpsn