kubeadm-init: add --copy-credentials-for-user #55901
/area kubeadm
/ok-to-test
71139ff to 2956298
cb8da28 to f0f8d7f
@timothysc i was trying to speak about this during the SIG meeting today, but looks like my MIC decided to not work for some reason. :(
I'm generally ok with it, but we should talk with @luxas about what he thinks because it's so late in the cycle.
cmd/kubeadm/app/cmd/init.go
Outdated
} else { | ||
ctx["KubeConfigInfo"] = "" | ||
if err := copyConfigForDefaultUser(i.defaultUser, adminKubeConfigPath); err != nil { | ||
return fmt.Errorf("error copying configuration for user %q: %v", i.defaultUser, err) |
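Review bot: In the `else` branch, `ctx["KubeConfigInfo"]` is set to the empty string before `copyConfigForDefaultUser` has run, and the failure path returns immediately, so a failed copy leaves the operator with an error and no manual copy instructions. Consider clearing `KubeConfigInfo` only after the copy has succeeded and keeping the existing instructions as the fallback when it fails.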
Shouldn't we still have the previous instructions for a failure?
seems like the correct thing to do. i will amend the commit.
3369144 to d3d0843
@timothysc @luxas
/lgtm - to get you in before the freeze, but definitely redux the logic per-comments b4 approve.
cmd/kubeadm/app/cmd/init.go
Outdated
|
||
if _, err := os.Stat(kubeDir); err != nil { | ||
if os.IsNotExist(err) { | ||
err = os.Mkdir(kubeDir, 0700) |
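Review bot: The `os.Stat(kubeDir)` check followed by `os.Mkdir(kubeDir, 0700)` is a check-then-create sequence, so the path can change between the two calls, and `os.Stat` follows symlinks, so an existing link at that path passes as "exists". Calling `os.Mkdir` directly and treating `os.IsExist(err)` as success removes the window; when the path already exists, an `os.Lstat` confirming it is a real directory before anything is written into it would be a useful addition. The handling of a `Stat` error other than not-exist is not visible in these lines, so confirm that it is returned.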
You could probably just make the dir and check ignore the error if it exists.
ok, makes sense.
cmd/kubeadm/app/cmd/init.go
Outdated
} | ||
defer dest.Close() | ||
|
||
_, err = io.Copy(src, dest) |
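Review bot: `io.Copy(src, dest)` has its arguments reversed: the signature is `io.Copy(dst Writer, src Reader)`, so as written this reads from the destination and writes to the source, and it should be `io.Copy(dest, src)`. Separately, `defer dest.Close()` discards the error from closing the file that was just written; close it explicitly after the copy and return that error. The call that opens `dest` is outside these lines, so check there that the file is created with owner-only permissions.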
I don't see why you couldn't just copy vs. open.
could you please clarify this comment.
@timothysc TMK, golang does not provide means to copy files on os level with a single command. thus, one has to `os.Open()` and use `io.Copy()`.
issue: reversed `src` / `dest` in the recent amend!
@timothysc ok, done.
/retest
@neolit123, if we are extending how kubeconfig files are created in `kubeadm init`, IMO it is necessary to ensure a consistent behaviour also in `kubeadm alpha phase kubeconfig`. WDYT?
@fabianofranz hi, perhaps you mean to allow
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: neolit123, timothysc The full list of commands accepted by this bot can be found here. The pull request process is described here
got the bazel tests to pass but the unit test now spills a pile of warnings / errors that seem unrelated.
/test pull-kubernetes-unit
[MILESTONENOTIFIER] Milestone Pull Request Labels Incomplete Action required: This pull request requires label changes. If the required changes are not made within 3 days, the pull request will be moved out of the v1.10 milestone. priority: Must specify exactly one of
73921ce to b6d6dc5
|
||
usr, err = user.Lookup(copyCredentialsForUser) | ||
if err != nil { | ||
return fmt.Errorf(InitErrorNoSuchUser) |
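Review bot: On the `user.Lookup` failure path, `err` is dropped and `InitErrorNoSuchUser` is passed as the format string of `fmt.Errorf`, so the caller never learns which user was looked up or why the lookup failed, and any `%` in that constant would be read as a formatting verb. Use a literal format and carry the details, for example `fmt.Errorf("%s %q: %v", InitErrorNoSuchUser, copyCredentialsForUser, err)`.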
I'm not a fan of recasting the errors here. Could you use the errors.Wrap utility if you want to put your output change on it.
ok, i can rebase this next Monday (AFK this week).
updated to always include the relevant error in the `Errorf()` format.
) | ||
|
||
// InitCopyCredentialsForUser will copy the cluster admin credentials to the home path of a non-root user | ||
func InitCopyCredentialsForUser(copyCredentialsForUser string, adminKubeConfigPath string) error { |
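Review bot: The doc comment on `InitCopyCredentialsForUser` does not say whether an existing file at the destination is overwritten, or what owner and permissions the copied file ends up with, and both matter for a function that places cluster admin credentials in another user's home path. State them in the comment so callers on each platform know what to expect. As a style point, the two parameters can share one type: `copyCredentialsForUser, adminKubeConfigPath string`.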
Why can you use ENV-var's or some other platform agnostic library to determine $HOMEDIR.
/cc @kubernetes/sig-windows-misc
this targets any Windows user. the env. variable `%HOME%` can only be used for the current user. also some user might have decided to move his home dir outside of default user path on Windows - e.g. `/users/`.
cc @luxas
some related changes of mine got accepted in the `user` package of the Go standard library...
https://github.com/golang/go/commits?author=neolit123
^ these are going to make it in go 1.11 in August i would guess.
I'm generally not ok with this change to do the last step which folks automate to add this platform specific code which can/will be obviated.
even with my contribs to the `user` package in the go std lib that can eventually replace the above code, this change would still need the `_unix`, `_windows` files, because:
- there is no `chown` on windows
- the way to check if a user is root/admin differs between platforms
Using this new parameter the administrator's credentials for the cluster will be copied to the specified user's home directory.
WARNING: existing files will be overwritten.
Usage: kubeadm init --copy-credentials-for-user=<someuser>
Windows requires a different approach for copying the credentials than Unix, thus a new package is added - `platform` in `kubeadm/app/cmd`. It contains `init_unix.go` and `init_windows.go` that define the exported function - InitCopyCredentialsForUser(). The function works differently on Unix and Windows. The same package can be re-used for other multiplatform code.
@neolit123: The following test failed, say
/test pull-kubernetes-verify
I'm going to close this one per comment kubernetes/kubeadm#416 (comment). Also, due to the other dependencies that we would drag in. If you feel like we can do this and trim it down feel free to ping me on slack.
i'm perfectly fine with the close in the aspect of this not being a cmd flag. having this in the configuration is better.
What this PR does / why we need it:
Using this new parameter the administrator's credentials
for the cluster will be copied to the specified
user's home directory.
WARNING: existing files will be overwritten.
Usage:
kubeadm init --copy-credentials-for-user=<someuser>
It automates a step that the user needs to perform either manually each time or by scripting. If the flag is not set the old behavior is preserved - i.e. show info how / where to copy the config.
Which issue(s) this PR fixes (optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged):
Related to #235
Fixes kubernetes/kubeadm#416
Special notes for your reviewer:
Release note:
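
The copy step discussed in this thread, written out as an added Unix-only example; it is not code from this PR or from kubeadm. The helper name `copyAdminConfig`, its reader-based signature and the temp-file-plus-rename approach are assumptions made here. It creates `.kube` without a prior stat, refuses a symlink in its place, and calls `io.Copy` in (dst, src) order.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// copyAdminConfig (hypothetical helper, not kubeadm code) writes the kubeconfig
// read from in to <home>/.kube/config, mode 0600, owned by uid/gid. Unix only.
func copyAdminConfig(in io.Reader, home string, uid, gid int) (string, error) {
	kubeDir := filepath.Join(home, ".kube")
	// Create first and tolerate "exists": no stat-then-mkdir window.
	if err := os.Mkdir(kubeDir, 0700); err != nil && !os.IsExist(err) {
		return "", fmt.Errorf("creating %q: %v", kubeDir, err)
	}
	// Lstat does not follow links, so a symlink already sitting at .kube is rejected.
	if fi, err := os.Lstat(kubeDir); err != nil || !fi.IsDir() {
		return "", fmt.Errorf("%q is not a usable directory (err: %v)", kubeDir, err)
	}
	// New 0600 temp file; Rename then replaces config without writing through a link.
	tmp, err := os.CreateTemp(kubeDir, ".config-*")
	if err != nil {
		return "", fmt.Errorf("creating temp file in %q: %v", kubeDir, err)
	}
	defer os.Remove(tmp.Name()) // fails harmlessly once the rename has succeeded
	_, err = io.Copy(tmp, in)   // io.Copy(dst, src)
	if cerr := tmp.Close(); err == nil {
		err = cerr // a failed Close can mean the data never reached disk
	}
	dest := filepath.Join(kubeDir, "config")
	for _, p := range []string{tmp.Name(), kubeDir} { // hand file and dir to the user
		if err == nil {
			err = os.Lchown(p, uid, gid)
		}
	}
	if err == nil {
		err = os.Rename(tmp.Name(), dest)
	}
	return dest, err
}

func main() { // constructed demo: a temp dir stands in for the user's home
	home, _ := os.MkdirTemp("", "home")
	in := strings.NewReader("constructed kubeconfig\n")
	fmt.Println(copyAdminConfig(in, home, os.Getuid(), os.Getgid()))
}
```

The directory check and the later file creation are still separate steps, so this narrows the race in a user-writable home but does not fully close it.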