Added function to create kubeconfig for addon-manager #75675
@mwwolters: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Hi @mwwolters. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
k8s-ci-robot added the needs-ok-to-test label Mar 25, 2019
k8s-ci-robot requested review from jingax10 and jszczepkowski Mar 25, 2019
k8s-ci-robot added sig/cluster-lifecycle and removed needs-sig labels Mar 25, 2019
/assign dekkagaijin
k8s-ci-robot added the sig/gcp label Mar 25, 2019
@mwwolters: GitHub didn't allow me to assign the following users: dekkagaijin. Note that only kubernetes members and repo collaborators can be assigned and that issues/PRs can only have 10 assignees at the same time. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
cc @dekkagaijin
dekkagaijin reviewed Mar 26, 2019
k8s-ci-robot added size/M and removed size/S labels Mar 27, 2019
dekkagaijin reviewed Mar 27, 2019
cluster/gce/gci/configure-helper.sh Outdated
/assign @jszczepkowski
k8s-ci-robot assigned jszczepkowski Apr 10, 2019
/assign MaciekPytel
k8s-ci-robot assigned MaciekPytel Apr 15, 2019
/ok-to-test
k8s-ci-robot assigned MrHohn Apr 18, 2019
k8s-ci-robot added ok-to-test and removed needs-ok-to-test labels Apr 18, 2019
| @@ -1096,6 +1097,30 @@ current-context: cluster-autoscaler | |||
| EOF | |||
| } | |||
|
|
|||
| function create-addonmanager-kubeconfig { | |||
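Review bot: create-addonmanager-kubeconfig is declared with no descriptive comment above it, unlike helpers such as update-legacy-addon-node-labels, which carries a one-line description. Add a short header saying which file the function writes, since the addon-manager manifest has to reference the same kubeconfig path.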
MrHohn (Member), Apr 18, 2019
It feels like these create-*-kubeconfig funcs are mostly the same. Though not sure if it's worth it for refactoring.
mwwolters (Author, Contributor), Apr 22, 2019
Added the function and changed in most places a kubeconfig is made.
| env: | ||
| - name: KUBECTL_EXTRA_PRUNE_WHITELIST | ||
| value: {{kubectl_extra_prune_whitelist}} | ||
| - name: KUBECTL_OPTS | ||
| value: '--kubeconfig=/etc/srv/kubernetes/addon-manager/kubeconfig' |
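Review bot: the KUBECTL_OPTS value hard-codes /etc/srv/kubernetes/addon-manager/kubeconfig, and nothing in these lines shows that path being made available inside the container. Please confirm the manifest also mounts that directory read-only and that the helper which writes the file uses exactly this path, because a mismatch would make kubectl fail to load the intended credentials.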
MrHohn (Member), Apr 18, 2019
Do these apply to https://github.com/kubernetes/kubernetes/blob/master/test/kubemark/resources/manifests/kube-addon-manager.yaml as well?
| @@ -594,6 +594,7 @@ function create-master-auth { | |||
| if [[ -n "${NODE_PROBLEM_DETECTOR_TOKEN:-}" ]]; then | |||
| append_or_replace_prefixed_line "${known_tokens_csv}" "${NODE_PROBLEM_DETECTOR_TOKEN}," "system:node-problem-detector,uid:node-problem-detector" | |||
| fi | |||
| append_or_replace_prefixed_line "${known_tokens_csv}" "${ADDON_MANAGER_TOKEN}," "system:addon-manager,uid:addon-manager" | |||
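Review bot: the ADDON_MANAGER_TOKEN row is appended unconditionally, while the NODE_PROBLEM_DETECTOR_TOKEN row just above it is wrapped in if [[ -n "${NODE_PROBLEM_DETECTOR_TOKEN:-}" ]]. With the variable unset or empty this would either abort under nounset or write a known-tokens row whose token column is empty for system:addon-manager; guard it the same way, using the :- default.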
MrHohn (Member), Apr 18, 2019
Does this need to match the system:addon-manager-role role we create in create-apply-addon-manager-rbac()?
mwwolters (Author, Contributor), Apr 22, 2019
- Added the check.
- In this case it needs to be the user which is bound to that role.
| @@ -2502,6 +2527,13 @@ function start-kube-addons { | |||
| local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty" | |||
| local -r dst_dir="/etc/kubernetes/addons" | |||
|
|
|||
| # need kube-apiserver to be ready | |||
| until kubectl get nodes; do | |||
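Review bot: until kubectl get nodes runs with no --kubeconfig and, in the lines shown, no retry limit. Since this change exists to give the addon manager its own kubeconfig, the readiness probe should state explicitly which credentials and endpoint it uses, and the loop should stop with a logged error after a bounded number of attempts.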
MrHohn (Member), Apr 18, 2019
We already have two places (e.g. update-legacy-addon-node-labels()) that do this check. Maybe make a wait-til-apiserver-ready() func and put that under main?
MrHohn (Member), Apr 23, 2019
Thanks! Can we run wait-till-apiserver-ready just once so individual steps won't need to check explicitly?
start-kube-scheduler
wait-till-apiserver-ready
start-kube-addons
k8s-ci-robot added release-note-none and removed do-not-merge/release-note-label-needed labels May 3, 2019
/priority important-soon
k8s-ci-robot added priority/important-soon and removed needs-priority labels May 3, 2019
Thanks for making this work :) (I can't approve though.)
/test pull-kubernetes-e2e-gce
Need approval from cluster/gce/OWNERS
k8s-ci-robot assigned cjcullen May 3, 2019
/test pull-kubernetes-kubemark-e2e-gce-big
dekkagaijin reviewed May 3, 2019
| @@ -2765,6 +2700,7 @@ function start-lb-controller { | |||
| prepare-log-file /var/log/glbc.log | |||
| setup-addon-manifests "addons" "cluster-loadbalancing/glbc" | |||
| setup-addon-manifests "addons" "rbac/cluster-loadbalancing/glbc" | |||
| create-kubeconfig "l7-lb-controller" ${GCE_GLBC_TOKEN} | |||
| create-l7-lb-controller-kubeconfig | |||
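Review bot: ${GCE_GLBC_TOKEN} is passed to create-kubeconfig unquoted; write "${GCE_GLBC_TOKEN}" so an empty or unusual value cannot drop or split the argument. The rendering here has lost the +/- markers, so also check that only one of create-kubeconfig "l7-lb-controller" and create-l7-lb-controller-kubeconfig remains in the final function.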
mwwolters force-pushed the mwwolters:addon-manager-kubeconfig branch from c75a9d7 to f584954 May 3, 2019
k8s-ci-robot removed the lgtm label May 3, 2019
dekkagaijin approved these changes May 3, 2019
/lgtm
k8s-ci-robot added the lgtm label May 3, 2019
/test pull-kubernetes-kubemark-e2e-gce-big
cjcullen reviewed May 3, 2019
| @@ -1987,7 +1920,7 @@ function setup-etcd-encryption { | |||
|
|
|||
| # Updates node labels used by addons. | |||
| function update-legacy-addon-node-labels() { | |||
| # need kube-apiserver to be ready | |||
| # need kube-api-server to be ready | |||
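Review bot: the comment inside update-legacy-addon-node-labels appears in two spellings, kube-apiserver and kube-api-server, and the component is named kube-apiserver. If the hyphenated form is the new one, this is churn that makes the comment harder to grep for; keep the original spelling or drop the change from this PR.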
| @@ -597,6 +597,9 @@ function create-master-auth { | |||
| if [[ -n "${GCE_GLBC_TOKEN:-}" ]]; then | |||
| append_or_replace_prefixed_line "${known_tokens_csv}" "${GCE_GLBC_TOKEN}," "system:controller:glbc,uid:system:controller:glbc" | |||
| fi | |||
| if [[ -n "${ADDON_MANAGER_TOKEN:-}" ]]; then | |||
| append_or_replace_prefixed_line "${known_tokens_csv}" "${ADDON_MANAGER_TOKEN}," "system:addon-manager,admin,system:masters" | |||
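Review bot: the last column of the new ADDON_MANAGER_TOKEN row is system:masters, which gives this static token unrestricted cluster access rather than the permissions of a dedicated addon-manager role. Unless the addon manager really needs that, leave the group out and bind the system:addon-manager user to a scoped role through RBAC.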
cjcullen (Member), May 3, 2019
The entry after the "Name" is the "UID." It's mostly not used, but setting it to "admin" is confusing. Make it uid:system:addon-manager.
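The rows discussed in this review follow the Kubernetes static token file layout token,user,uid[,groups]. As an added example (not code from this PR or from Kubernetes), the script below audits such a file without printing the token column; the function names and sample rows are constructed, and the uid: prefix check reflects the convention seen in this PR's rows, which is an assumption rather than a Kubernetes requirement.

```bash
#!/usr/bin/env bash
# Audit a Kubernetes static token file (columns: token,user,uid[,groups]).
# The token column is read but never printed.

# Constructed sample rows; the token values are placeholders.
write_sample_tokens() {
  cat > "$1" <<'EOF'
PLACEHOLDER_TOKEN_A,system:node-problem-detector,uid:node-problem-detector
PLACEHOLDER_TOKEN_B,system:controller:glbc,uid:system:controller:glbc
PLACEHOLDER_TOKEN_C,system:addon-manager,admin,system:masters
EOF
}

# Body runs in a subshell "( ... )" so the token never lingers in the
# caller's variables.
audit_known_tokens() (
  while IFS=, read -r token user uid groups || [ -n "${token}" ]; do
    [ -n "${token}" ] || continue                  # skip blank lines
    groups=$(printf '%s' "${groups}" | tr -d '"')  # multi-group column is quoted
    notes=""
    # Assumption: UIDs follow the "uid:<name>" convention used in this PR.
    case "${uid}" in
      uid:*) ;;
      *) notes="${notes} uid-not-prefixed" ;;
    esac
    # system:masters membership means unrestricted access for this token.
    case ",${groups}," in
      *,system:masters,*) notes="${notes} cluster-admin-group" ;;
    esac
    printf '%s uid=%s groups=%s%s\n' "${user}" "${uid}" "${groups:-none}" \
      "${notes:+ FLAGS:${notes}}"
  done < "$1"
)

sample="$(mktemp)"
write_sample_tokens "${sample}"
audit_known_tokens "${sample}"
rm -f "${sample}"
```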
mwwolters force-pushed the mwwolters:addon-manager-kubeconfig branch from f584954 to 1456979 May 3, 2019
k8s-ci-robot removed the lgtm label May 3, 2019
/lgtm
k8s-ci-robot added the lgtm label May 3, 2019
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cjcullen, MrHohn, mwwolters The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
k8s-ci-robot added the approved label May 4, 2019
/test pull-kubernetes-e2e-gce
mwwolters commented Mar 25, 2019
/kind cleanup
This is the first step toward migrating the addon manager off of the master insecure port.