Fix client-ca dynamic reload in apiserver #90360
/priority important-soon
staging/src/k8s.io/apiserver/pkg/server/options/authentication.go
if err != nil {
return nil, err
}
go clientCAProvider.Run(1, context.TODO().Done())
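Review bot: `context.TODO().Done()` returns a nil channel, so the stop channel handed to `clientCAProvider.Run(1, ...)` on this line can never close and the reload goroutine has no shutdown path; it also starts the controller while options are being applied rather than as part of the server's lifecycle. Start it where the server starts its other controllers (for example from a post-start hook that receives a real stop channel), so that each provider instance the authenticator actually consults is started exactly once and can be stopped cleanly in tests.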
I think the test demonstrated that the server properly updated the requested certificates. Was the test flawed? If so, it would be great to see a fix to the flawed test first without your changes so we can see it fail.
The test wasn't testing that the certificates are actually in use, just that they report to be. The new test adds a client call actually testing the authentication.
3 instances of the client-ca were created, only 2 were started:
I0423 08:29:39.620652 967521 dynamic_cafile_content.go:102] === NewDynamicCAContentFromFile client-ca-bundle::/tmp/test-integration-TestClientCA158575615/client-ca.crt180811401(0xc0000b0e40)
goroutine 57 [running]:
runtime/debug.Stack(0xc0000b0e40, 0x0, 0x0)
/home/tnozicka/lib/go1.14.2/src/runtime/debug/stack.go:24 +0xab
k8s.io/apiserver/pkg/server/dynamiccertificates.NewDynamicCAContentFromFile(0x5eccff8, 0x10, 0xc000a207d0, 0x42, 0x1, 0x1, 0x71f7240)
/home/tnozicka/go/src/k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/server/dynamiccertificates/dynamic_cafile_content.go:102 +0x6d2
k8s.io/apiserver/pkg/server/options.(*ClientCertAuthenticationOptions).GetClientCAContentProvider(0xc00000f100, 0x11, 0x5eb030a, 0x0, 0x71f7240)
/home/tnozicka/go/src/k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/server/options/authentication.go:151 +0xa9
k8s.io/kubernetes/pkg/kubeapiserver/options.(*BuiltInAuthenticationOptions).ApplyTo(0xc000ae2150, 0xc000908480, 0xc0009084c0, 0x0)
/home/tnozicka/go/src/k8s.io/kubernetes/pkg/kubeapiserver/options/authentication.go:408 +0x6e0
k8s.io/kubernetes/cmd/kube-apiserver/app.buildGenericConfig(0xc00055c000, 0xc0008a43c0, 0x0, 0x0, 0xc000a23520, 0x0, 0x0, 0xd0, 0xd0, 0xc000a23520, ...)
/home/tnozicka/go/src/k8s.io/kubernetes/cmd/kube-apiserver/app/server.go:446 +0x721
k8s.io/kubernetes/cmd/kube-apiserver/app.CreateKubeAPIServerConfig(0xc00055c000, 0x0, 0x0, 0xc0008a43c0, 0x0, 0x0, 0x71f8780, 0xc00000ed20, 0x989b, 0x0, ...)
/home/tnozicka/go/src/k8s.io/kubernetes/cmd/kube-apiserver/app/server.go:287 +0x61
k8s.io/kubernetes/test/integration/framework.StartTestServer(0xc0002899e0, 0xc000116660, 0xc0007073f0, 0x0, 0x0, 0x0, 0x0)
/home/tnozicka/go/src/k8s.io/kubernetes/test/integration/framework/test_server.go:117 +0x152d
k8s.io/kubernetes/test/integration/apiserver/certreload.TestClientCA(0xc0002899e0)
/home/tnozicka/go/src/k8s.io/kubernetes/test/integration/apiserver/certreload/certreload_test.go:169 +0x630
testing.tRunner(0xc0002899e0, 0x6052bf0)
/home/tnozicka/lib/go1.14.2/src/testing/testing.go:991 +0x1ec
created by testing.(*T).Run
/home/tnozicka/lib/go1.14.2/src/testing/testing.go:1042 +0x661
I0423 08:29:39.630980 967521 dynamic_cafile_content.go:102] === NewDynamicCAContentFromFile client-ca-bundle::/tmp/test-integration-TestClientCA158575615/client-ca.crt180811401(0xc0004bd380)
goroutine 57 [running]:
runtime/debug.Stack(0xc0004bd380, 0x0, 0x0)
/home/tnozicka/lib/go1.14.2/src/runtime/debug/stack.go:24 +0xab
k8s.io/apiserver/pkg/server/dynamiccertificates.NewDynamicCAContentFromFile(0x5eccff8, 0x10, 0xc000a207d0, 0x42, 0x0, 0x0, 0x5f243e5)
/home/tnozicka/go/src/k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/server/dynamiccertificates/dynamic_cafile_content.go:102 +0x6d2
k8s.io/apiserver/pkg/server/options.(*ClientCertAuthenticationOptions).GetClientCAContentProvider(0xc00000f100, 0x24, 0x0, 0x0, 0x0)
/home/tnozicka/go/src/k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/server/options/authentication.go:151 +0xa9
k8s.io/kubernetes/pkg/kubeapiserver/options.(*BuiltInAuthenticationOptions).ToAuthenticationConfig(0xc000ae2150, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
/home/tnozicka/go/src/k8s.io/kubernetes/pkg/kubeapiserver/options/authentication.go:344 +0xe10
k8s.io/kubernetes/cmd/kube-apiserver/app.BuildAuthenticator(0xc00055c000, 0x0, 0x72a18e0, 0xc0002caf20, 0x7289cc0, 0xc00004fea0, 0x7289cc0, 0xc00004fea0, 0x0, 0x0, ...)
/home/tnozicka/go/src/k8s.io/kubernetes/cmd/kube-apiserver/app/server.go:567 +0x77
k8s.io/kubernetes/cmd/kube-apiserver/app.buildGenericConfig(0xc00055c000, 0xc0008a43c0, 0x0, 0x0, 0xc000a23520, 0x0, 0x0, 0xd0, 0xd0, 0xc000a23520, ...)
/home/tnozicka/go/src/k8s.io/kubernetes/cmd/kube-apiserver/app/server.go:504 +0x12fa
k8s.io/kubernetes/cmd/kube-apiserver/app.CreateKubeAPIServerConfig(0xc00055c000, 0x0, 0x0, 0xc0008a43c0, 0x0, 0x0, 0x71f8780, 0xc00000ed20, 0x989b, 0x0, ...)
/home/tnozicka/go/src/k8s.io/kubernetes/cmd/kube-apiserver/app/server.go:287 +0x61
k8s.io/kubernetes/test/integration/framework.StartTestServer(0xc0002899e0, 0xc000116660, 0xc0007073f0, 0x0, 0x0, 0x0, 0x0)
/home/tnozicka/go/src/k8s.io/kubernetes/test/integration/framework/test_server.go:117 +0x152d
k8s.io/kubernetes/test/integration/apiserver/certreload.TestClientCA(0xc0002899e0)
/home/tnozicka/go/src/k8s.io/kubernetes/test/integration/apiserver/certreload/certreload_test.go:169 +0x630
testing.tRunner(0xc0002899e0, 0x6052bf0)
/home/tnozicka/lib/go1.14.2/src/testing/testing.go:991 +0x1ec
created by testing.(*T).Run
/home/tnozicka/lib/go1.14.2/src/testing/testing.go:1042 +0x661
I0423 08:29:39.637074 967521 dynamic_cafile_content.go:102] === NewDynamicCAContentFromFile client-ca-bundle::/tmp/test-integration-TestClientCA158575615/client-ca.crt180811401(0xc000112fc0)
goroutine 57 [running]:
runtime/debug.Stack(0xc000112fc0, 0x0, 0x0)
/home/tnozicka/lib/go1.14.2/src/runtime/debug/stack.go:24 +0xab
k8s.io/apiserver/pkg/server/dynamiccertificates.NewDynamicCAContentFromFile(0x5eccff8, 0x10, 0xc000a207d0, 0x42, 0xc000a2fd66, 0xc000706630, 0xc000caec00)
/home/tnozicka/go/src/k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/server/dynamiccertificates/dynamic_cafile_content.go:102 +0x6d2
k8s.io/apiserver/pkg/server/options.(*ClientCertAuthenticationOptions).GetClientCAContentProvider(0xc00000f100, 0x10, 0x4, 0xc0000e0280, 0x4)
/home/tnozicka/go/src/k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/server/options/authentication.go:151 +0xa9
k8s.io/kubernetes/cmd/kube-apiserver/app.CreateKubeAPIServerConfig(0xc00055c000, 0x0, 0x0, 0xc0008a43c0, 0x0, 0x0, 0x71f8780, 0xc00000ed20, 0x989b, 0x0, ...)
/home/tnozicka/go/src/k8s.io/kubernetes/cmd/kube-apiserver/app/server.go:359 +0xb48
k8s.io/kubernetes/test/integration/framework.StartTestServer(0xc0002899e0, 0xc000116660, 0xc0007073f0, 0x0, 0x0, 0x0, 0x0)
/home/tnozicka/go/src/k8s.io/kubernetes/test/integration/framework/test_server.go:117 +0x152d
k8s.io/kubernetes/test/integration/apiserver/certreload.TestClientCA(0xc0002899e0)
/home/tnozicka/go/src/k8s.io/kubernetes/test/integration/apiserver/certreload/certreload_test.go:169 +0x630
testing.tRunner(0xc0002899e0, 0x6052bf0)
/home/tnozicka/lib/go1.14.2/src/testing/testing.go:991 +0x1ec
created by testing.(*T).Run
/home/tnozicka/lib/go1.14.2/src/testing/testing.go:1042 +0x661
I0423 08:29:45.215943 967521 dynamic_cafile_content.go:167] === DynamicFileCAContent.Run client-ca-bundle::/tmp/test-integration-TestClientCA158575615/client-ca.crt180811401(0xc0000b0e40)
goroutine 1516 [running]:
runtime/debug.Stack(0xc0000b0e40, 0x0, 0xc000000001)
/home/tnozicka/lib/go1.14.2/src/runtime/debug/stack.go:24 +0xab
k8s.io/apiserver/pkg/server/dynamiccertificates.(*DynamicFileCAContent).Run(0xc0000b0e40, 0x1, 0xc000becf60)
/home/tnozicka/go/src/k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/server/dynamiccertificates/dynamic_cafile_content.go:167 +0x77
created by k8s.io/apiserver/pkg/server/dynamiccertificates.unionCAContent.Run
/home/tnozicka/go/src/k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/server/dynamiccertificates/union_content.go:104 +0xec
I0423 08:29:45.225615 967521 dynamic_cafile_content.go:167] === DynamicFileCAContent.Run client-ca-bundle::/tmp/test-integration-TestClientCA158575615/client-ca.crt180811401(0xc000112fc0)
goroutine 1558 [running]:
runtime/debug.Stack(0xc000112fc0, 0x461e96, 0x203000)
/home/tnozicka/lib/go1.14.2/src/runtime/debug/stack.go:24 +0xab
k8s.io/apiserver/pkg/server/dynamiccertificates.(*DynamicFileCAContent).Run(0xc000112fc0, 0x1, 0xc000becea0)
/home/tnozicka/go/src/k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/server/dynamiccertificates/dynamic_cafile_content.go:167 +0x77
created by k8s.io/kubernetes/pkg/master.completedConfig.New.func1
/home/tnozicka/go/src/k8s.io/kubernetes/pkg/master/master.go:464 +0x42b
I suppose the one that isn't started (from BuildAuthenticator) would explain why you get
E0423 08:29:51.872852 967521 authentication.go:53] Unable to authenticate the request due to an error: x509: certificate signed by unknown authority
TestClientCA: certreload_test.go:292: Unauthorized
if you run the new test against the code from master. It also shows that the test wasn't actually executing the authentication flow.
For the record, same 2 of 3 for request-header auth:
I0423 10:55:51.364805 990025 dynamic_cafile_content.go:102] === NewDynamicCAContentFromFile request-header::/tmp/test-integration-TestClientCA126115273/proxy-ca.crt051635860(0xc000388c60)
goroutine 135 [running]:
runtime/debug.Stack(0xc000388c60, 0x0, 0x0)
/home/tnozicka/lib/go1.14.2/src/runtime/debug/stack.go:24 +0xab
k8s.io/apiserver/pkg/server/dynamiccertificates.NewDynamicCAContentFromFile(0x5ec7123, 0xe, 0xc0004005f0, 0x41, 0x0, 0x0, 0xc000388840)
/home/tnozicka/go/src/k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/server/dynamiccertificates/dynamic_cafile_content.go:102 +0x6d2
k8s.io/apiserver/pkg/server/options.(*RequestHeaderAuthenticationOptions).ToAuthenticationRequestHeaderConfig(0xc000572150, 0x71f7500, 0xc000388a20, 0x0)
/home/tnozicka/go/src/k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/server/options/authentication.go:114 +0x87
k8s.io/kubernetes/pkg/kubeapiserver/options.(*BuiltInAuthenticationOptions).ApplyTo(0xc0005720e0, 0xc000944900, 0xc000944940, 0x0)
/home/tnozicka/go/src/k8s.io/kubernetes/pkg/kubeapiserver/options/authentication.go:417 +0x343
k8s.io/kubernetes/cmd/kube-apiserver/app.buildGenericConfig(0xc00071a580, 0xc0008e2500, 0x0, 0x0, 0xc0009188f0, 0x0, 0x0, 0xd0, 0xd0, 0xc0009188f0, ...)
/home/tnozicka/go/src/k8s.io/kubernetes/cmd/kube-apiserver/app/server.go:447 +0x721
k8s.io/kubernetes/cmd/kube-apiserver/app.CreateKubeAPIServerConfig(0xc00071a580, 0x0, 0x0, 0xc0008e2500, 0x0, 0x0, 0x71f8b00, 0xc0000d6a20, 0xa45f, 0x0, ...)
/home/tnozicka/go/src/k8s.io/kubernetes/cmd/kube-apiserver/app/server.go:288 +0x61
k8s.io/kubernetes/test/integration/framework.StartTestServer(0xc0002b8a20, 0xc0009bc2a0, 0xc000a1f3f0, 0x0, 0x0, 0x0, 0x0)
/home/tnozicka/go/src/k8s.io/kubernetes/test/integration/framework/test_server.go:117 +0x152d
k8s.io/kubernetes/test/integration/apiserver/certreload.TestClientCA(0xc0002b8a20)
/home/tnozicka/go/src/k8s.io/kubernetes/test/integration/apiserver/certreload/certreload_test.go:169 +0x630
testing.tRunner(0xc0002b8a20, 0x6052dd8)
/home/tnozicka/lib/go1.14.2/src/testing/testing.go:991 +0x1ec
created by testing.(*T).Run
/home/tnozicka/lib/go1.14.2/src/testing/testing.go:1042 +0x661
I0423 10:55:51.375374 990025 dynamic_cafile_content.go:102] === NewDynamicCAContentFromFile request-header::/tmp/test-integration-TestClientCA126115273/proxy-ca.crt051635860(0xc00042bec0)
goroutine 135 [running]:
runtime/debug.Stack(0xc00042bec0, 0x0, 0x0)
/home/tnozicka/lib/go1.14.2/src/runtime/debug/stack.go:24 +0xab
k8s.io/apiserver/pkg/server/dynamiccertificates.NewDynamicCAContentFromFile(0x5ec7123, 0xe, 0xc0004005f0, 0x41, 0x0, 0x0, 0xc000a1da40)
/home/tnozicka/go/src/k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/server/dynamiccertificates/dynamic_cafile_content.go:102 +0x6d2
k8s.io/apiserver/pkg/server/options.(*RequestHeaderAuthenticationOptions).ToAuthenticationRequestHeaderConfig(0xc000572150, 0x71f7500, 0xc00042bc80, 0x0)
/home/tnozicka/go/src/k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/server/options/authentication.go:114 +0x87
k8s.io/kubernetes/pkg/kubeapiserver/options.(*BuiltInAuthenticationOptions).ToAuthenticationConfig(0xc0005720e0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
/home/tnozicka/go/src/k8s.io/kubernetes/pkg/kubeapiserver/options/authentication.go:364 +0xa88
k8s.io/kubernetes/cmd/kube-apiserver/app.BuildAuthenticator(0xc00071a580, 0x0, 0x72a1c60, 0xc00042c840, 0x728a040, 0xc000432aa0, 0x728a040, 0xc000432aa0, 0x0, 0x0, ...)
/home/tnozicka/go/src/k8s.io/kubernetes/cmd/kube-apiserver/app/server.go:575 +0xc2
k8s.io/kubernetes/cmd/kube-apiserver/app.buildGenericConfig(0xc00071a580, 0xc0008e2500, 0x0, 0x0, 0xc0009188f0, 0x0, 0x0, 0xd0, 0xd0, 0xc0009188f0, ...)
/home/tnozicka/go/src/k8s.io/kubernetes/cmd/kube-apiserver/app/server.go:506 +0x12fa
k8s.io/kubernetes/cmd/kube-apiserver/app.CreateKubeAPIServerConfig(0xc00071a580, 0x0, 0x0, 0xc0008e2500, 0x0, 0x0, 0x71f8b00, 0xc0000d6a20, 0xa45f, 0x0, ...)
/home/tnozicka/go/src/k8s.io/kubernetes/cmd/kube-apiserver/app/server.go:288 +0x61
k8s.io/kubernetes/test/integration/framework.StartTestServer(0xc0002b8a20, 0xc0009bc2a0, 0xc000a1f3f0, 0x0, 0x0, 0x0, 0x0)
/home/tnozicka/go/src/k8s.io/kubernetes/test/integration/framework/test_server.go:117 +0x152d
k8s.io/kubernetes/test/integration/apiserver/certreload.TestClientCA(0xc0002b8a20)
/home/tnozicka/go/src/k8s.io/kubernetes/test/integration/apiserver/certreload/certreload_test.go:169 +0x630
testing.tRunner(0xc0002b8a20, 0x6052dd8)
/home/tnozicka/lib/go1.14.2/src/testing/testing.go:991 +0x1ec
created by testing.(*T).Run
/home/tnozicka/lib/go1.14.2/src/testing/testing.go:1042 +0x661
I0423 10:55:51.382574 990025 dynamic_cafile_content.go:102] === NewDynamicCAContentFromFile request-header::/tmp/test-integration-TestClientCA126115273/proxy-ca.crt051635860(0xc0000aba40)
goroutine 135 [running]:
runtime/debug.Stack(0xc0000aba40, 0x0, 0x0)
/home/tnozicka/lib/go1.14.2/src/runtime/debug/stack.go:24 +0xab
k8s.io/apiserver/pkg/server/dynamiccertificates.NewDynamicCAContentFromFile(0x5ec7123, 0xe, 0xc0004005f0, 0x41, 0x0, 0x0, 0xc000a1e630)
/home/tnozicka/go/src/k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/server/dynamiccertificates/dynamic_cafile_content.go:102 +0x6d2
k8s.io/apiserver/pkg/server/options.(*RequestHeaderAuthenticationOptions).ToAuthenticationRequestHeaderConfig(0xc000572150, 0x71f7500, 0xc0000ab740, 0x0)
/home/tnozicka/go/src/k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/server/options/authentication.go:114 +0x87
k8s.io/kubernetes/cmd/kube-apiserver/app.CreateKubeAPIServerConfig(0xc00071a580, 0x0, 0x0, 0xc0008e2500, 0x0, 0x0, 0x71f8b00, 0xc0000d6a20, 0xa45f, 0x0, ...)
/home/tnozicka/go/src/k8s.io/kubernetes/cmd/kube-apiserver/app/server.go:366 +0xc00
k8s.io/kubernetes/test/integration/framework.StartTestServer(0xc0002b8a20, 0xc0009bc2a0, 0xc000a1f3f0, 0x0, 0x0, 0x0, 0x0)
/home/tnozicka/go/src/k8s.io/kubernetes/test/integration/framework/test_server.go:117 +0x152d
k8s.io/kubernetes/test/integration/apiserver/certreload.TestClientCA(0xc0002b8a20)
/home/tnozicka/go/src/k8s.io/kubernetes/test/integration/apiserver/certreload/certreload_test.go:169 +0x630
testing.tRunner(0xc0002b8a20, 0x6052dd8)
/home/tnozicka/lib/go1.14.2/src/testing/testing.go:991 +0x1ec
created by testing.(*T).Run
/home/tnozicka/lib/go1.14.2/src/testing/testing.go:1042 +0x661
I0423 10:55:56.955038 990025 dynamic_cafile_content.go:167] === DynamicFileCAContent.Run request-header::/tmp/test-integration-TestClientCA126115273/proxy-ca.crt051635860(0xc000388c60)
goroutine 1498 [running]:
runtime/debug.Stack(0xc000388c60, 0x0, 0x0)
/home/tnozicka/lib/go1.14.2/src/runtime/debug/stack.go:24 +0xab
k8s.io/apiserver/pkg/server/dynamiccertificates.(*DynamicFileCAContent).Run(0xc000388c60, 0x1, 0xc00b1d4600)
/home/tnozicka/go/src/k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/server/dynamiccertificates/dynamic_cafile_content.go:167 +0x77
created by k8s.io/apiserver/pkg/server/dynamiccertificates.unionCAContent.Run
/home/tnozicka/go/src/k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/server/dynamiccertificates/union_content.go:104 +0xec
I0423 10:55:56.976483 990025 dynamic_cafile_content.go:167] === DynamicFileCAContent.Run request-header::/tmp/test-integration-TestClientCA126115273/proxy-ca.crt051635860(0xc0000aba40)
goroutine 1534 [running]:
runtime/debug.Stack(0xc0000aba40, 0x0, 0x0)
/home/tnozicka/lib/go1.14.2/src/runtime/debug/stack.go:24 +0xab
k8s.io/apiserver/pkg/server/dynamiccertificates.(*DynamicFileCAContent).Run(0xc0000aba40, 0x1, 0xc00b1d4300)
/home/tnozicka/go/src/k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/server/dynamiccertificates/dynamic_cafile_content.go:167 +0x77
created by k8s.io/kubernetes/pkg/master.completedConfig.New.func1
/home/tnozicka/go/src/k8s.io/kubernetes/pkg/master/master.go:476 +0x2dc
3 instances of the client-ca were created, only 2 were started
This is an interesting result, seems like it may be the actual bug.
verify got stuck
/test pull-kubernetes-verify
/approve
This lgtm, but I'd appreciate another set of eyes.
/assign @sttts
/lgtm
kubelet changes look good.
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: deads2k, derekwaynecarr, tnozicka
What type of PR is this?
/kind bug
What this PR does / why we need it:
kube-apiserver fails to live reload changed client CA and front proxy CA and refuses clients signed by the new CA with 401:
Unable to authenticate the request due to an error: x509: certificate signed by unknown authority
Which issue(s) this PR fixes:
Special notes for your reviewer:
The dynamic reload code is already there; some instances of those controllers were never started, though. (See #90360 (comment) and #90360 (comment).) Starting the auto-reload only for some instances of those controllers explains why the current test, which only checks the published CAs, was succeeding. This PR extends the test to actually test the authentication flow for both CAs.
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
/cc @deads2k
@kubernetes/sig-api-machinery-pr-reviews
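The failure mode the PR description and the "2 of 3 started" observation in the review describe, reduced to a self-contained Go program: a file-backed CA provider only refreshes its pool while its Run loop is running, so an instance that was constructed but never started keeps verifying against the CA it loaded at startup and rejects a client certificate signed by the rotated CA with "certificate signed by unknown authority". This is an added example written for this page, not code from the PR or from k8s.io/apiserver: keyCert, newCert, fileCAProvider, authenticate and RotateAndAuthenticate are hypothetical stand-ins for the apiserver's DynamicFileCAContent and its client-certificate authenticator, and the two CAs, the "admin" client certificate and the temporary CA file are all generated by the program itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"sync/atomic"
	"time"
)

type keyCert struct { // throwaway certificate, key and PEM encoding, generated only for this example
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
	pem  []byte
}

// newCert issues a self-signed CA when signer is nil, otherwise a client-auth leaf signed by signer.
func newCert(cn string, signer *keyCert) (*keyCert, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	parent, parentKey := tmpl, key
	if signer == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		parent, parentKey = signer.cert, signer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { return nil, err }
	c, err := x509.ParseCertificate(der)
	return &keyCert{c, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})}, err
}

// fileCAProvider is a hypothetical stand-in (not the apiserver's DynamicFileCAContent) for a file-backed CA provider.
type fileCAProvider struct {
	path string
	pool atomic.Value // holds *x509.CertPool; loaded by reload, refreshed only while Run is running
}

func (p *fileCAProvider) reload() error {
	b, err := os.ReadFile(p.path)
	if err != nil { return err }
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(b) { return fmt.Errorf("no certificates in %s", p.path) }
	p.pool.Store(pool)
	return nil
}

// Run re-reads the file every interval until stopCh is closed; a failed read keeps the last good pool.
func (p *fileCAProvider) Run(interval time.Duration, stopCh <-chan struct{}) {
	for {
		select {
		case <-stopCh:
			return
		case <-time.After(interval):
			_ = p.reload()
		}
	}
}

// authenticate verifies a client certificate against the provider's current pool; with a stale pool
// it returns x509.UnknownAuthorityError, the "certificate signed by unknown authority" seen in the PR.
func authenticate(p *fileCAProvider, c *x509.Certificate) error {
	_, err := c.Verify(x509.VerifyOptions{Roots: p.pool.Load().(*x509.CertPool),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// RotateAndAuthenticate loads CA A into two providers but starts only one, rotates the file to CA B and
// verifies a client cert issued by B against both, returning each provider's verification error.
func RotateAndAuthenticate() (startedErr, unstartedErr, err error) {
	dir, err := os.MkdirTemp("", "client-ca-reload")
	if err != nil { return }
	defer os.RemoveAll(dir)
	path := dir + "/client-ca.crt"
	var oldCA, newCA, client *keyCert
	if oldCA, err = newCert("old-client-ca", nil); err != nil { return }
	if err = os.WriteFile(path, oldCA.pem, 0o600); err != nil { return }
	started, unstarted := &fileCAProvider{path: path}, &fileCAProvider{path: path}
	if err = started.reload(); err != nil { return }
	if err = unstarted.reload(); err != nil { return }
	stop := make(chan struct{})
	defer close(stop)
	go started.Run(10*time.Millisecond, stop) // unstarted never gets a Run call, as in the PR's bug
	if newCA, err = newCert("new-client-ca", nil); err != nil { return }
	if err = os.WriteFile(path, newCA.pem, 0o600); err != nil { return }
	if client, err = newCert("admin", newCA); err != nil { return }
	for i := 0; i < 500 && authenticate(started, client.cert) != nil; i++ { time.Sleep(10 * time.Millisecond) }
	return authenticate(started, client.cert), authenticate(unstarted, client.cert), nil
}
```

Run it with go test (a test that calls RotateAndAuthenticate) or from a small main: the started provider returns nil for the new client certificate and the never-started one returns x509.UnknownAuthorityError, even though both instances were built from the same file and would report the same path. That is why a test that only inspects what a provider publishes as its current bundle stays green while real clients get 401; the authentication round trip against the instance the authenticator actually holds is the check that matters, which is what the PR's extended test adds.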