kubeadm: Mount additional paths inside apiserver/controller-manager for working CA root #59122
Conversation
/assign @krousey
/area kubeadm
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
In your case, you can try to use config file to add extra volumes. Please refer to Using kubeadm init with a configuration file.
// caCertsExtraVolumePath specifies the paths that can be conditionally mounted into the apiserver and controller-manager containers
// as /etc/ssl/certs might be or contain a symlink to them. It's a variable since it may be changed in unit testing. This var MUST
// NOT be changed in normal codepaths during runtime.
var caCertsExtraVolumePaths = []string{"/etc/pki", "/usr/share/ca-certificates"}
I don't think we should include this.
Dunno, it is required at least on Container Linux if you want a working CA root. Maybe we should just mention it on the Install kubeadm page?
I don't see any issue with adding this as a stopgap for now, since we are already special casing /etc/pki.
/ok-to-test
/retest
I think the failed test is unrelated to this PR.
The test was fixed in master ~ 22 hours ago (#60730). I have just rebased the PR and force pushed.
/cc @detiber @stealthybox - want to quick review.
// as /etc/ssl/certs might be a symlink to it. It's a variable since it may be changed in unit testing. This var MUST NOT be changed
// in normal codepaths during runtime.
var caCertsPkiVolumePath = "/etc/pki"
// caCertsExtraVolumePath specifies the paths that can be conditionally mounted into the apiserver and controller-manager containers
Comment needs to be updated to caCertsExtraVolumePaths
Outside of the minor comments, this looks okay to me as a bandaid fix.
@detiber Good catch :) I have fixed the comments, rebased and squashed the commits.
/test pull-kubernetes-e2e-kops-aws
/lgtm
// caCertsExtraVolumePaths specifies the paths that can be conditionally mounted into the apiserver and controller-manager containers
// as /etc/ssl/certs might be or contain a symlink to them. It's a variable since it may be changed in unit testing. This var MUST
// NOT be changed in normal codepaths during runtime.
var caCertsExtraVolumePaths = []string{"/etc/pki", "/usr/share/ca-certificates"}
Do we want to address the other paths for OS's mentioned in kubernetes/kubeadm#671 (comment) ?
Cc @klausenbusk
Sorry about the late response, I will add the extra paths when I get home. :)
Done..
/approve
@stealthybox feel free to lgtm when you think the changes are ready.
…or working CA root
This is required for a working CA root, as /etc/ssl/certs on a few Linux distributions just contains a bunch of symlinks. Container Linux and Debian have symlinks pointing to /usr/share/ca-certificates, ArchLinux has symlinks pointing to /etc/ca-certificates. On Debian /etc/ssl/certs can also include symlinks pointing to /usr/local/share/ca-certificates for local CA certificates.
Fix: kubeadm/#671
@stealthybox @detiber - requires re-eval b/c of PR change.
@stealthybox I do not believe that this will conflict with the other changes in flight, lgtm
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: detiber, klausenbusk, timothysc The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/test pull-kubernetes-node-e2e Looks unrelated:
Automatic merge from submit-queue (batch tested with PRs 62655, 61711, 59122, 62853, 62390). If you want to cherry-pick this change to another branch, please follow the instructions here.
This is required for a working CA root, as /etc/ssl/certs on a few
Linux distributions just contains a bunch of symlinks.
Container Linux and Debian have symlinks pointing to
/usr/share/ca-certificates, ArchLinux has symlinks pointing
to /etc/ca-certificates.
On Debian /etc/ssl/certs can also include symlinks pointing
to /usr/local/share/ca-certificates for local CA certificates.
Fix: kubeadm/#671
What this PR does / why we need it:
Without this PR, controller-manager and apiserver would lack a CA root on some Linux distros (ex: Container Linux), which, for example, breaks flexplugins that require a CA root [1].
Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes kubernetes/kubeadm#671
Special notes for your reviewer:
Release note:
/sig sig-kubeadm
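The mechanism the commit message and the review thread rely on, shown as an added example written for this page rather than code from kubeadm or the PR: the PR mounts a fixed candidate list (/etc/pki, /usr/share/ca-certificates, and so on) when those directories exist; this example instead walks the certificate directory, resolves every symlink (relative or absolute, including the case where the directory itself is a symlink), and collects the directories outside it that would have to be mounted read-only into the static pods for the links to resolve. The names symlinkTargetDirs, extraVolumeMounts and HostPathMount are assumptions for illustration, not kubeadm identifiers; HostPathMount only mirrors the name/hostPath/mountPath shape of a hostPath mount.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// HostPathMount is an illustrative struct (assumed for this example, not a
// kubeadm type) holding what a static-pod hostPath mount needs: a volume
// name and the host directory, mounted read-only at the same path inside the
// container so that symlinks under /etc/ssl/certs resolve identically on the
// host and in the pod.
type HostPathMount struct {
	Name      string
	HostPath  string
	MountPath string
	ReadOnly  bool
}

// symlinkTargetDirs walks certsDir (normally /etc/ssl/certs) and returns,
// sorted, every directory outside certsDir that a symlink in it points to.
// filepath.Walk uses Lstat, so symlinks are reported rather than followed;
// relative link targets are resolved against the link's own directory.
// Links that stay inside certsDir (Debian's hash links to sibling files) add
// nothing, and dangling links are ignored because there is nothing to mount.
// If certsDir is itself a symlink, Walk reports it as a single entry and its
// target directory is returned.
func symlinkTargetDirs(certsDir string) ([]string, error) {
	absCerts, err := filepath.Abs(certsDir)
	if err != nil {
		return nil, err
	}
	seen := map[string]bool{}
	walk := func(path string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		if info.Mode()&os.ModeSymlink == 0 {
			return nil
		}
		target, err := os.Readlink(path)
		if err != nil {
			return err
		}
		if !filepath.IsAbs(target) {
			target = filepath.Join(filepath.Dir(path), target)
		}
		fi, err := os.Stat(target) // follows the whole chain
		if err != nil {
			return nil // dangling link: nothing to mount
		}
		dir := filepath.Clean(target)
		if !fi.IsDir() {
			dir = filepath.Dir(dir)
		}
		if dir == absCerts || strings.HasPrefix(dir, absCerts+string(os.PathSeparator)) {
			return nil // stays inside the certs dir, already visible
		}
		seen[dir] = true
		return nil
	}
	if err := filepath.Walk(absCerts, walk); err != nil {
		return nil, err
	}
	dirs := make([]string, 0, len(seen))
	for d := range seen {
		dirs = append(dirs, d)
	}
	sort.Strings(dirs)
	return dirs, nil
}

// extraVolumeMounts turns discovered directories into read-only hostPath
// mounts. The volume name is derived from the path (lowercased, with
// slashes, dots and underscores turned into dashes) so it is a stable,
// label-safe name.
func extraVolumeMounts(dirs []string) []HostPathMount {
	replacer := strings.NewReplacer("/", "-", ".", "-", "_", "-")
	mounts := make([]HostPathMount, 0, len(dirs))
	for _, d := range dirs {
		name := strings.Trim(replacer.Replace(strings.ToLower(d)), "-")
		mounts = append(mounts, HostPathMount{Name: name, HostPath: d, MountPath: d, ReadOnly: true})
	}
	return mounts
}

func main() {
	dirs, err := symlinkTargetDirs("/etc/ssl/certs")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, m := range extraVolumeMounts(dirs) {
		fmt.Printf("%s: hostPath=%s mountPath=%s readOnly=%v\n", m.Name, m.HostPath, m.MountPath, m.ReadOnly)
	}
}
```

Run on a Debian host this reports /usr/share/ca-certificates/mozilla (and /usr/local/share/ca-certificates if local CAs are installed); on Arch it reports /etc/ca-certificates/... paths. Only the immediate link target is inspected, so a link that points to another link elsewhere is covered only as far as the first hop; mounting the directory read-only keeps the pod from altering the host's trust store.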