Add certificate-key to kubeadm upload-certs phase, and improve init output #74671
Conversation
k8s-ci-robot
added
release-note-none
|
/remote-priority important-longterm |
k8s-ci-robot
added
priority/important-soon
|
/remove-priority important-longterm |
k8s-ci-robot
removed
the
priority/important-longterm
@fabriziopandini should we add a release note here as well? i'm sort of +1 as the PR is extending the upload certs feature that has a separate release note. |
There was a problem hiding this comment.
@yagonobre thanks for the PR!
Everything seems ok, pending some refinements to the final init message. I'm looping in more people to gather feedback
/approve
cmd/kubeadm/app/cmd/util/join.go
Outdated
| @@ -30,12 +30,16 @@ import ( | |||
| ) | |||
|
|
|||
| var joinCommandTemplate = template.Must(template.New("join").Parse(`` + | |||
| `kubeadm join {{.ControlPlaneHostPort}} --token {{.Token}}{{range $h := .CAPubKeyPins}} --discovery-token-ca-cert-hash {{$h}}{{end}}{{if .UploadCerts}} --certificate-key {{.CertificateKey}}{{end}}`, | |||
| `{{if .UploadCerts}}To join a node: | |||
There was a problem hiding this comment.
That's the tricky part of this PR.
These are the case that should be managed IMO
- without controlPlaneEndpoint --> you can only join worker nodes
- with controlPlaneEndpoint --> you can join both control-plane and worker nodes
- without certificate key -> you have to copy certs manually
- with certificate key -> you can copy certs manually or download certs
A proposal for converting all the above cases into a short and concise command output:
- only join worker nodes
You can now join any number of worker nodes by running the following on each as root:
kubeadm join <master-ip>:<master-port> --token <token> --discovery-token-ca-cert-hash sha256:<hash>
- i. both control-plane (with manual copy) and worker nodes
You can now join any number of control-plane node by copying the required certificate authorities on each node and then running the following as root:
To join a control-plane node you should copy required certificates to the node and then run the following command as a root:
kubeadm join <master-ip>:<master-port> --experimental-control-plane --token <token> --discovery-token-ca-cert-hash sha256:<hash>
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join <master-ip>:<master-port> --token <token> --discovery-token-ca-cert-hash sha256:<hash>
- ii. both control-plane (with automatic/manual) and worker nodes
To join a control-plane node run the following command on each as a root:
kubeadm join <master-ip>:<master-port> --experimental-control-plane --certificate-key <key> --token <token> --discovery-token-ca-cert-hash sha256:<hash>
Please note that the certificate-key gives access to cluster sensitive data, keep it secret!
As a safeguard, uploaded-certs will be deleted in two hours; If necessary, you can use `kubeadm init phase upload-certs` to reload certs afterward.
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join <master-ip>:<master-port> --token <token> --discovery-token-ca-cert-hash sha256:<hash>
Possible further improvements:
- detail required certificates in case 2.i
- break join commands on multiple lines using \ and move the common (
--token <token> ...) part on a second line
@timothysc @neolit123 @rosti opinions?
There was a problem hiding this comment.
@fabriziopandini I like your ideas. We can extend the security warning to cover tokens too.
@yagonobre I have a particular distaste for having flow control structures (like if statements) in templates. Please, avoid their use. I am OK with for loops though.
There was a problem hiding this comment.
the new messages SGTM. i forgot that we now have to handle them.
There was a problem hiding this comment.
2.i looks weird repeating the two first sentences in different ways, apart from that messages look fine and clear.
There was a problem hiding this comment.
@rosti what do you recommend to avoid ifs on this template?
There was a problem hiding this comment.
@yagonobre I may be misunderstanding your question. Correct me if I am wrong.
You can use different templates for the different use cases in the above example.
Something along the lines of:
var templateToUse *template.Template
if uploadCerts {
templateToUse = uploadCertsJoinTemplate
} else {
templateToUse = controlPlaneJoinTemplate
}
...
err = templateToUse.Execute(&out, ctx)
There was a problem hiding this comment.
Yes, but I'll need to duplicate some text, I'm not sure if it;s better than have a if in the template.
k8s-ci-robot
added
the
approved
cmd/kubeadm/app/cmd/util/join.go
Outdated
| @@ -30,12 +30,16 @@ import ( | |||
| ) | |||
|
|
|||
| var joinCommandTemplate = template.Must(template.New("join").Parse(`` + | |||
| `kubeadm join {{.ControlPlaneHostPort}} --token {{.Token}}{{range $h := .CAPubKeyPins}} --discovery-token-ca-cert-hash {{$h}}{{end}}{{if .UploadCerts}} --certificate-key {{.CertificateKey}}{{end}}`, | |||
| `{{if .UploadCerts}}To join a node: | |||
There was a problem hiding this comment.
@fabriziopandini I like your ideas. We can extend the security warning to cover tokens too.
@yagonobre I have a particular distaste for having flow control structures (like if statements) in templates. Please, avoid their use. I am OK with for loops though.
| @@ -81,6 +85,9 @@ func GetJoinCommand(kubeConfigFile, token, key string, skipTokenPrint, uploadCer | |||
| if skipTokenPrint { | |||
| ctx["Token"] = template.HTML("<value withheld>") | |||
| } | |||
| if skipCertificateKeyPrint { | |||
| ctx["CertificateKey"] = template.HTML("<value withheld>") | |||
There was a problem hiding this comment.
Oddly enough, we use html/template here. This might cause problems when we try to feed a template with non-alphanumeric characters (< is turned into <, etc.).
But anyway, this again is out of the scope of this PR.
|
@yagonobre please let me know if you don't have the time for this. |
k8s-ci-robot
added
the
needs-rebase
yagonobre
force-pushed
the
certificate-key
branch
from
b163184
to
205efc0
Compare
k8s-ci-robot
removed
the
needs-rebase
yagonobre
force-pushed
the
certificate-key
branch
from
205efc0
to
b193685
Compare
|
@neolit123 should I add a release note? |
@yagonobre |
k8s-ci-robot
added
release-note
|
@yagonobre this looks great! |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: fabriziopandini, yagonobre The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
lgtm
|
tide is currently borked, so let's see if this will merge.. |
|
We need to draw a cut-line on anything non-bug related. |
|
/test pull-kubernetes-e2e-gce |
What type of PR is this?
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes kubernetes/kubeadm#1408
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
/priority important-longterm
@kubernetes/sig-cluster-lifecycle-pr-reviews