Add warning when --certificate-key is set and --control-plane is not. #83661

Merged
merged 1 commit into from Oct 13, 2019

@jfbai
Contributor

commented Oct 9, 2019

What type of PR is this?

/kind feature

What this PR does / why we need it:

Print warning when --certificate-key is set and --control-plane is not to notify users what happens.

For example, when users try to download certs via kubeadm join phase control-plane-prepare download-certs <ip>:<port> --certificate-key <key> --discovery-token <token> --discovery-token-unsafe-skip-ca-verification, this command exits with no error and the certs will not be downloaded successfully, because --control-plane is not set. I was confused for hours and got to know the cause via reading source code. So, it would be helpful for users to print a warning.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

None

Does this PR introduce a user-facing change?:

None

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

None

/sig cluster-lifecycle
/assign @rosti
/assign @neolit123

@k8s-ci-robot

Contributor

commented Oct 9, 2019

Hi @jfbai. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Member

left a comment

Thanks @jfbai!
Indeed this is a known UX problem. Unfortunately, I don't think that this is the correct way of solving it.
The best way, in my opinion, is to just force JoinConfiguration.ControlPlane to be non-nil in case some of the control plane phases of join are invoked manually (as is the case here).
@fabriziopandini @neolit123 @ereslibre WDYT?

@@ -342,6 +342,9 @@ func newJoinData(cmd *cobra.Command, args []string, opt *joinOptions, out io.Wri

// if not joining a control plane, unset the ControlPlane object
if !opt.controlPlane {
if len(opt.externalcfg.ControlPlane.CertificateKey) > 0 {
klog.Warningf("[preflight] WARNING: %s will be ignored when %s is not set.", options.CertificateKey, options.ControlPlane)
}
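
Review bot: the new `len(opt.externalcfg.ControlPlane.CertificateKey) > 0` condition warns about one field only, while the comment at the top of this branch says the whole ControlPlane object is unset when the control-plane option is off. Any other setting carried by that object is then dropped with no message. Consider warning whenever the object holds user-supplied settings, and wording the message around the object rather than the single flag.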

@neolit123

neolit123 Oct 9, 2019

Member

long term, we should not bind more logic related to flags and flags mixtures.
some day, ideally, we should move all flags to configuration-only and configuration patching.

@@ -342,6 +342,9 @@ func newJoinData(cmd *cobra.Command, args []string, opt *joinOptions, out io.Wri

// if not joining a control plane, unset the ControlPlane object
if !opt.controlPlane {
if len(opt.externalcfg.ControlPlane.CertificateKey) > 0 {
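
Review bot: `opt.externalcfg.ControlPlane.CertificateKey` is read on the added `if len(...)` line with no nil check on `ControlPlane`. The branch comment describes this object as something that gets unset, so if the field is a pointer and arrives nil, the added line panics instead of warning. Put `opt.externalcfg.ControlPlane != nil &&` in front of the length check.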

@neolit123

neolit123 Oct 9, 2019

Member

i think ControlPlane can be nil here?

@yastij

yastij Oct 9, 2019

Member

Yes it can.

@fabriziopandini

fabriziopandini Oct 13, 2019

Member

If --control-plane is false, we are ignoring all the configurations under opt.externalcfg.ControlPlane (both certificateKey and localAPIEndpoint)

So IMO the check and the message should be made more generic e.g

if !opt.controlPlane {
  if opt.externalcfg.ControlPlane != nil {
     klog.Warningf("[preflight] WARNING: JoinControlPlane.controlPlane settings will be ignored when %s flag is not set.", options.ControlPlane)
  }
}
@neolit123

Member

commented Oct 9, 2019

@rosti

The best way, in my opinion, is to just force JoinConfiguration.ControlPlane to be non-nil in case some of the control plane phases of join are invoked manually (as is the case here).

i would prefer a different solution instead of the flag mixture warning.
by forcing ControlPlane to non-nil are you suggesting that if certificate key is passed we should:

  • create a JoinControlPlane object and assign it to JoinConfiguration.ControlPlane
  • populate JoinConfiguration.ControlPlane.CertificateKey
  • populate JoinConfiguration.ControlPlane.LocalAPIEndpoint from the default net interface

this would make the --control-plane flag redundant if --certificate-key is provided?

@@ -342,6 +342,9 @@ func newJoinData(cmd *cobra.Command, args []string, opt *joinOptions, out io.Wri

// if not joining a control plane, unset the ControlPlane object
if !opt.controlPlane {
if len(opt.externalcfg.ControlPlane.CertificateKey) > 0 {
klog.Warningf("[preflight] WARNING: %s will be ignored when %s is not set.", options.CertificateKey, options.ControlPlane)
}
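
Review bot: the `klog.Warningf` call is the only statement in the new inner `if`, with no `return`, so a join that passes a certificate key without the control-plane option carries on with the key dropped and can still exit successfully. If that combination is never intended, return an error from this branch rather than logging. If the warning stays, keep passing only the `options.CertificateKey` and `options.ControlPlane` names to the format string as done here, so the key value itself never reaches the log.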

@yastij

yastij Oct 9, 2019

Member

If we think that we should force --control-plane when providing cert. key, I think we should error here.

@jfbai

jfbai Oct 9, 2019

Author Contributor

Sorry, I am a bit confused. Do we prefer to force ControlPlane to non-nil or error and exit?

@neolit123

neolit123 Oct 9, 2019

Member

i will add this for a discussion for our next kubeadm meeting and we will hopefully have a good answer in the next couple of days.

@jfbai

jfbai Oct 10, 2019

Author Contributor

Thanks a lot. :)
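
The three behaviours raised in this thread for control-plane settings supplied without --control-plane (generic warning, error, keep the object), modelled side by side as an added example; it is not kubeadm code. The `JoinConfiguration` and `JoinControlPlane` structs are reduced, constructed stand-ins, and `resolve`, `policy` and its values are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-ins for the kubeadm types named in the thread (reduced field sets).
type JoinControlPlane struct {
	CertificateKey   string
	LocalAPIEndpoint string
}

type JoinConfiguration struct {
	ControlPlane *JoinControlPlane // nil when no control-plane settings were given
}

type policy int // hypothetical: which of the discussed behaviours to apply

const (
	warnAndDrop policy = iota // generic warning, then unset the object
	rejectMix                 // refuse the combination with an error
	forceNonNil               // a certificate key keeps the object in place
)

// resolve handles the case where the control-plane flag is unset.
// cfg.ControlPlane is never dereferenced before the nil check.
func resolve(cfg *JoinConfiguration, controlPlaneFlag bool, p policy) (warning string, err error) {
	if controlPlaneFlag || cfg.ControlPlane == nil {
		return "", nil // nothing would be ignored
	}
	switch p {
	case rejectMix:
		return "", errors.New("control-plane settings given without --control-plane")
	case forceNonNil:
		if cfg.ControlPlane.CertificateKey != "" {
			return "", nil // treat the key as intent to join as control plane
		}
	}
	cfg.ControlPlane = nil
	// The message names the flag only; the key value is never formatted into it.
	return "control-plane settings will be ignored when --control-plane is not set", nil
}

func main() {
	cfg := &JoinConfiguration{ControlPlane: &JoinControlPlane{CertificateKey: "constructed-key"}}
	w, err := resolve(cfg, false, warnAndDrop)
	fmt.Println(w, err, cfg.ControlPlane == nil)
}
```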

Member

left a comment

@jfbai thanks for this contribution
I think that while we get agreement on a more generalized solution (see issue kubernetes/kubeadm#1442 for a similar use case), I think that giving a warning to users is a good idea.

I only added a suggestion to make the check/the warning more generic, then lgtm from my side

@jfbai jfbai force-pushed the jfbai:fix-kubeadm-join branch from 62c9765 to 0aa88af Oct 13, 2019
@jfbai

Contributor Author

commented Oct 13, 2019

@jfbai thanks for this contribution
I think that while we get agreement on a more generalized solution (see issue kubernetes/kubeadm#1442 for a similar use case), I think that giving a warning to users is a good idea.

I only added a suggestion to make the check/the warning more generic, then lgtm from my side

@fabriziopandini Thanks a lot and your comment has been fixed. :)

@fabriziopandini

Member

commented Oct 13, 2019

Great!
/approve
I'll wait one or two days for letting everyone in this loop take a look at the last commit

@k8s-ci-robot

Contributor

commented Oct 13, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fabriziopandini, jfbai

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@fabriziopandini

Member

commented Oct 13, 2019

/ok-to-test

@fabriziopandini

Member

commented Oct 13, 2019

/priority important-soon

@jfbai

Contributor Author

commented Oct 13, 2019

/test pull-kubernetes-kubemark-e2e-gce-big

@neolit123

Member

commented Oct 13, 2019

/lgtm
/retest

@k8s-ci-robot k8s-ci-robot added the lgtm label Oct 13, 2019
@jfbai jfbai force-pushed the jfbai:fix-kubeadm-join branch from 0aa88af to 6dbf154 Oct 13, 2019
@k8s-ci-robot k8s-ci-robot removed the lgtm label Oct 13, 2019
@jfbai

Contributor Author

commented Oct 13, 2019

@neolit123 I fixed the gofmt, could you please help add LGTM again? thanks a lot. :)

@neolit123

Member

commented Oct 13, 2019

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm label Oct 13, 2019
@jfbai

Contributor Author

commented Oct 13, 2019

/test pull-kubernetes-integration

@k8s-ci-robot k8s-ci-robot merged commit f0e1d39 into kubernetes:master Oct 13, 2019
15 checks passed
cla/linuxfoundation jfbai authorized
pull-kubernetes-bazel-build Job succeeded.
pull-kubernetes-bazel-test Job succeeded.
pull-kubernetes-dependencies Job succeeded.
pull-kubernetes-e2e-gce Job succeeded.
pull-kubernetes-e2e-gce-100-performance Job succeeded.
pull-kubernetes-e2e-gce-device-plugin-gpu Job succeeded.
pull-kubernetes-e2e-kind Job succeeded.
pull-kubernetes-integration Job succeeded.
pull-kubernetes-kubemark-e2e-gce-big Job succeeded.
pull-kubernetes-node-e2e Job succeeded.
pull-kubernetes-node-e2e-containerd Job succeeded.
pull-kubernetes-typecheck Job succeeded.
pull-kubernetes-verify Job succeeded.
tide In merge pool.
@k8s-ci-robot k8s-ci-robot added this to the v1.17 milestone Oct 13, 2019
@jfbai jfbai deleted the jfbai:fix-kubeadm-join branch Oct 14, 2019
ohsewon added a commit to ohsewon/kubernetes that referenced this pull request Oct 16, 2019
Add warning when --certificate-key is set and --control-plane is not.