kubelet: migrate pkg/kubelet/certificate to structured logging #98993
Original file line number | Diff line number | Diff line change | ||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
@@ -21,6 +21,7 @@ import ( | |||||||||||||||
"fmt" | ||||||||||||||||
"net" | ||||||||||||||||
"net/http" | ||||||||||||||||
"os" | ||||||||||||||||
"time" | ||||||||||||||||
|
||||||||||||||||
"k8s.io/klog/v2" | ||||||||||||||||
|
@@ -105,18 +106,20 @@ func addCertRotation(stopCh <-chan struct{}, period time.Duration, clientConfig | |||||||||||||||
// the certificate has been deleted from disk or is otherwise corrupt | ||||||||||||||||
if now.After(lastCertAvailable.Add(exitAfter)) { | ||||||||||||||||
if clientCertificateManager.ServerHealthy() { | ||||||||||||||||
klog.Fatalf("It has been %s since a valid client cert was found and the server is responsive, exiting.", exitAfter) | ||||||||||||||||
klog.ErrorS(nil, "No valid client certificate is found and the server is responsive, exiting.", "lastCertificateAvailabilityTime", lastCertAvailable, "shutdownThreshold", exitAfter) | ||||||||||||||||
os.Exit(1) | ||||||||||||||||
} else { | ||||||||||||||||
klog.Errorf("It has been %s since a valid client cert was found, but the server is not responsive. A restart may be necessary to retrieve new initial credentials.", exitAfter) | ||||||||||||||||
klog.ErrorS(nil, "No valid client certificate is found but the server is not responsive. A restart may be necessary to retrieve new initial credentials.", "lastCertificateAvailabilityTime", lastCertAvailable, "shutdownThreshold", exitAfter) | ||||||||||||||||
} | ||||||||||||||||
} | ||||||||||||||||
} else { | ||||||||||||||||
// the certificate is expired | ||||||||||||||||
if now.After(curr.Leaf.NotAfter) { | ||||||||||||||||
if clientCertificateManager.ServerHealthy() { | ||||||||||||||||
klog.Fatalf("The currently active client certificate has expired and the server is responsive, exiting.") | ||||||||||||||||
klog.ErrorS(nil, "The currently active client certificate has expired and the server is responsive, exiting.") | ||||||||||||||||
os.Exit(1) | ||||||||||||||||
} else { | ||||||||||||||||
klog.Errorf("The currently active client certificate has expired, but the server is not responsive. A restart may be necessary to retrieve new initial credentials.") | ||||||||||||||||
klog.ErrorS(nil, "The currently active client certificate has expired, but the server is not responsive. A restart may be necessary to retrieve new initial credentials.") | ||||||||||||||||

passing a nil error to ErrorS seems strange... should this do something like

Docs on calling
I think this is an unexpected error so this is ok?

it looks like the klog implementation gracefully omits the err=nil from the output: kubernetes/vendor/k8s.io/klog/v2/klog.go Lines 803 to 806 in c8fe1d9
but the structured logger always includes an err param, even if nil: kubernetes/staging/src/k8s.io/component-base/logs/json/json.go Lines 171 to 173 in c8fe1d9
is that expected by structured log consumers?

Yes, that's right. We just get the log message with no named error, so it's equivalent to the current behaviour.

||||||||||||||||
} | ||||||||||||||||
} | ||||||||||||||||
lastCertAvailable = now | ||||||||||||||||
|
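Review bot: The two exit paths now call klog.ErrorS followed by os.Exit(1), and os.Exit terminates the process immediately without running deferred functions, so nothing on these paths flushes klog's buffers the way klog.Fatalf did before exiting. Add klog.Flush() before each os.Exit(1) so the final error line is not lost when the kubelet logs to a file. The exit status also changes, since klog.Fatalf exits with 255 and these paths now exit with 1; that is worth stating in the release note for anyone whose supervisor or alerting keys on the exit code.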
@@ -129,7 +132,7 @@ func addCertRotation(stopCh <-chan struct{}, period time.Duration, clientConfig | |||||||||||||||
} | ||||||||||||||||
lastCert = curr | ||||||||||||||||
|
||||||||||||||||
klog.Infof("certificate rotation detected, shutting down client connections to start using new credentials") | ||||||||||||||||
klog.InfoS("Certificate rotation detected, shutting down client connections to start using new credentials") | ||||||||||||||||
// The cert has been rotated. Close all existing connections to force the client | ||||||||||||||||
// to reperform its TLS handshake with new cert. | ||||||||||||||||
// | ||||||||||||||||
|
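Review bot: The new klog.InfoS call carries only a message and no key/value pairs, so a consumer can detect a rotation only by matching the message string, which this change has just altered by capitalising it. Consider attaching a key for the new certificate, for example its expiry from curr.Leaf.NotAfter, so that monitoring can key on structured data rather than on wording.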
are the keys selected for messages like these considered a stable API log consumers can write extraction/monitoring around?

Not as of beta but we're moving in that direction for GA. Right now we're trying to figure out a good (loose, non-enforced) schema that we can later enforce.