-
Notifications
You must be signed in to change notification settings - Fork 39k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kubeadm: Split discovery from JoinConfiguration #67763
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For current v1alpha3
, I'd prefer not to update the json structure. Use inline
instead.
We could update that in next coming v1beta1
.
cmd/kubeadm/app/cmd/join.go
Outdated
|
||
if len(fd.KubeConfigPath) != 0 { | ||
cfg.Discovery.File = fd | ||
cfg.Discovery.BootstrapToken = nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Default will be nil.
Remove it.
cmd/kubeadm/app/cmd/join.go
Outdated
cfg.Discovery.BootstrapToken = nil | ||
} else { | ||
cfg.Discovery.BootstrapToken = btd | ||
cfg.Discovery.File = nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ditto.
nodeRegistration: | ||
criSocket: relativepath | ||
name: NODE-1 | ||
token: invalidtoken | ||
name: NODE-1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Missing newline?
- kube-apiserver:6443 | ||
DiscoveryTokenCACertHashes: null | ||
DiscoveryTokenUnsafeSkipCAVerification: true | ||
Discovery: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This will break old configurations.
For coming v1beta1
, we cound use a new section like this.
But for current v1alpha3
, shall we use below instead in types.go
,
Discovery Discovery `json:",inline"`
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, it won't, since v1alpha3
is also unreleased and is massively different than v1alpha2
of 1.11.
I am also not a fan of inlining it, because that way the context of the options in Discovery
is gone.
discoveryTokenAPIServers: | ||
- kube-apiserver:6443 | ||
discoveryTokenUnsafeSkipCAVerification: true | ||
discovery: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ditto for those following yaml files.
Better not change the struction of current released v1alpha3. We could do this in coming v1beta1 instead.
This looks like a double work for me and I am willing to actually hold of this PR for |
7160887
to
15a5136
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/hold
please coordinate this with @fabriziopandini there are overlapping issues right now.
15a5136
to
46777a2
Compare
46777a2
to
7287c86
Compare
7287c86
to
99aa771
Compare
Rebased the PR on v1beta1 |
@rosti bot says it still needs a rebase. |
99aa771
to
58754a6
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Given that you and @fabriziopandini have been working on this one I'll defer to him on lgtm
/approve
/assign @fabriziopandini
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@rosti thank you for this PR and +100 for keeping this going across two cycles!
Overall this PR looks fine, but the things that confused a little bit me is the move from tree token fields (discoveryToken
, tlsBootstrapToken
and token
to override the former two) to two token fields. Some other minors inline
// TLSBootstrapToken is a token used for TLS bootstrapping. | ||
// Defaults to Token. | ||
// If .BootstrapToken is set, this field is defaulted to .BootstrapToken.Token, but can be overridden. | ||
// If .File is set, this field **must be set** in case the KubeConfigFile does not contain any other authentication information |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wandering if it makes more sense to have two TLS bootstrap tokens, one inside BootstrapToken and one inside File.
WDYT?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok according to original Lucas design
// FileDiscovery is used to specify a file or URL to a kubeconfig file from which to load cluster information | ||
type FileDiscovery struct { | ||
// KubeConfigPath is used to specify the actual file path or URL to the kubeconfig file from which to load cluster information | ||
KubeConfigPath string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not fully convinced by calling this path, but I don't have better suggestion ATM...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How about KubeConfigFile
? Yet it sounds kind of the same to me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Leave as it is ATM
} | ||
|
||
// BootstrapTokenDiscovery is used to set the options for bootstrap token based discovery | ||
type BootstrapTokenDiscovery struct { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I'm not wrong we are missing DiscoveryToken (unless it is intentional to conflate Token and DiscoveryToken)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok according to original Lucas design
return nil | ||
} | ||
|
||
func Convert_kubeadm_JoinConfiguration_To_v1alpha3_JoinConfiguration(in *kubeadm.JoinConfiguration, out *JoinConfiguration, s conversion.Scope) error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if I'm not wrong out.token is missing...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok according to original Lucas design/the semantic of --token acting as a proxy for TLSBootstrapToken/DiscoveryToken
@@ -152,6 +136,34 @@ func SetDefaults_NodeRegistrationOptions(obj *NodeRegistrationOptions) { | |||
} | |||
} | |||
|
|||
// SetDefaults_Discovery assigns default values for the discovery process | |||
func SetDefaults_Discovery(obj *Discovery) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
DiscoveryToken is missing also here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok according to original Lucas design
// APIServers is a set of IPs to API servers from which info | ||
// will be fetched. Currently we only pay attention to one API server but | ||
// hope to support >1 in the future. | ||
APIServerEndpoints []string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wandering if we should make this string
instead of accepting array of string and throwing an error in validation if more than one string is passed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please make this string; we are not accepting more than one value ATM and there is no plan for supporting >1 API Endpoints as far as I know
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This will come in as a followup PR as the change is not trivial (currently there is a lot of code in kubeadm, that looks upon this as a []string
and doing correct handling of multiple API Servers).
} | ||
|
||
// ValidateFileDiscovery validates file discovery configuration | ||
func ValidateFileDiscovery(f *kubeadm.FileDiscovery, fldPath *field.Path) field.ErrorList { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
might be ValidateDiscoveryFile
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please rename to ValidateDiscoveryFile
} | ||
|
||
allErrs = append(allErrs, ValidateToken(b.Token, fldPath.Child("token"))...) | ||
allErrs = append(allErrs, ValidateJoinDiscoveryTokenAPIServer(b.APIServerEndpoints, fldPath.Child("apiServerEndpoints"))...) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is out of the scope of this PR, but it would be great to rename also ValidateJoinDiscoveryTokenAPIServer
into ValidateDiscoveryTokenAPIServer
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
kindly rename ValidateJoinDiscoveryTokenAPIServer
into ValidateDiscoveryTokenAPIServer
for consistency
@@ -159,6 +159,10 @@ func NewCmdJoin(out io.Writer) *cobra.Command { | |||
cfg := &kubeadmapiv1beta1.JoinConfiguration{} | |||
kubeadmscheme.Scheme.Default(cfg) | |||
|
|||
fd := &kubeadmapiv1beta1.FileDiscovery{} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think to understand why you are creating separated object instead of working on cfg, but I'm wondering if we can do the the other way around: use cfg and then clean up cfg.Discovery.File or cfg.Discovery.BootstrapToken if corresponding flags/args are not set
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not a fan of this solution but we can leave with it ATM
"For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning.") | ||
flagSet.StringVar( | ||
&cfg.Token, "token", "", | ||
token, "token", "", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a little bit confusing.
In the config we now there is BootstrapToken.Token
and TLSBootstrapToken
but not Token
here there is Token
, TLSBootstrapToken
but not discovery-token
anymore
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please fix the flag documentation explaining the semantics of this flag
@fabriziopandini the change is along the lines of the original proposal by Lucas, which I find the most sensible solution here. P.S.: On second though, I got the semantics for |
58754a6
to
3ecb446
Compare
Fixed the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@rosti
/approve
Please fix minors still pending and then ready for lgtm
After your explanation I added a note on all my previous comments that does not apply anymore, and make it clear where IMO you should fix minors
// APIServers is a set of IPs to API servers from which info | ||
// will be fetched. Currently we only pay attention to one API server but | ||
// hope to support >1 in the future. | ||
APIServerEndpoints []string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please make this string; we are not accepting more than one value ATM and there is no plan for supporting >1 API Endpoints as far as I know
// ValidateArgSelection validates discovery related configuration and collects all encountered errors | ||
func ValidateArgSelection(cfg *kubeadm.JoinConfiguration, fldPath *field.Path) field.ErrorList { | ||
// ValidateBootstrapTokenDiscovery validates bootstrap token discovery configuration | ||
func ValidateBootstrapTokenDiscovery(b *kubeadm.BootstrapTokenDiscovery, fldPath *field.Path) field.ErrorList { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please rename to ValidateDiscoveryBootstrapToken
} | ||
|
||
// TODO remove once we support multiple api servers | ||
if len(cfg.DiscoveryTokenAPIServers) > 1 { | ||
if len(b.APIServerEndpoints) > 1 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should go away when APIServerEndpoints
changes from []string
to string
} | ||
|
||
allErrs = append(allErrs, ValidateToken(b.Token, fldPath.Child("token"))...) | ||
allErrs = append(allErrs, ValidateJoinDiscoveryTokenAPIServer(b.APIServerEndpoints, fldPath.Child("apiServerEndpoints"))...) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
kindly rename ValidateJoinDiscoveryTokenAPIServer
into ValidateDiscoveryTokenAPIServer
for consistency
} | ||
|
||
// ValidateFileDiscovery validates file discovery configuration | ||
func ValidateFileDiscovery(f *kubeadm.FileDiscovery, fldPath *field.Path) field.ErrorList { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please rename to ValidateDiscoveryFile
"For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning.") | ||
flagSet.StringVar( | ||
&cfg.Token, "token", "", | ||
token, "token", "", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please fix the flag documentation explaining the semantics of this flag
3ecb446
to
f41d131
Compare
/approve /test pull-kubernetes-e2e-gce |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: fabriziopandini, rosti, timothysc The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
A few minor details to address in a couple of hours and this will be ready to go. /hold |
f41d131
to
80971c9
Compare
This change splits out discovery fields from JoinConfiguration by performing the following changes: - Introduce a BootstrapTokenDiscovery structure, that houses configuration options needed for bootstrap token based discovery. - Introduce a FileDiscovery structure, that houses configuration options (currently only a single option) needed for KubeConfig based discovery. - Introduce a Discovery structure, that houses common options (such as discovery timeout and TLS bootstrap token) as well as pointer to an instance of either BootstrapTokenDiscovery or FileDiscovery structures. - Replace the old discovery related JoinConfiguration members with a single Discovery member. This change is required in order to cleanup the code of unnecessary logic and make the serialized JoinConfiguration more structured (and therefore, more intuitive). Signed-off-by: Rostislav M. Georgiev <rostislavg@vmware.com>
80971c9
to
576b8d3
Compare
@fabriziopandini should be ready now for re-lgtm. /hold cancel |
/lgtm |
/test pull-kubernetes-kubemark-e2e-gce-big |
/retest Review the full test history for this PR. Silence the bot with an |
1 similar comment
/retest Review the full test history for this PR. Silence the bot with an |
What this PR does / why we need it:
This change splits out discovery fields from JoinConfiguration by performing
the following changes:
Introduce a BootstrapTokenDiscovery structure, that houses configuration
options needed for bootstrap token based discovery.
Introduce a FileDiscovery structure, that houses configuration options
(currently only a single option) needed for KubeConfig based discovery.
Introduce a Discovery structure, that houses common options (such as
discovery timeout and TLS bootstrap token) as well as pointer to an instance
of either BootstrapTokenDiscovery or FileDiscovery structures.
Replace the old discovery related JoinConfiguration members with a single
Discovery member.
This change is required in order to cleanup the code of unnecessary logic and
make the serialized JoinConfiguration more structured (and therefore, more
intuitive).
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close the issue(s) when PR gets merged):refs kubernetes/kubeadm#911, refs kubernetes/kubeadm#963
Special notes for your reviewer:
This is another one of those big and somewhat hard to review PRs, that are the stepping stones in the path to
v1beta1
./cc @kubernetes/sig-cluster-lifecycle-pr-reviews
/area kubeadm
/kind api-change
/kind enhancement
/assign @luxas
/assign @timothysc
/assign @fabriziopandini
Release note: