New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug 1769879: allow CA Cert bundles to be trusted #78
Bug 1769879: allow CA Cert bundles to be trusted #78
Conversation
@iamemilio: This pull request references Bugzilla bug 1788072, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@iamemilio: This pull request references Bugzilla bug 1769879, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/retest |
Was able to deploy workers on a test cluster with self signed certificates, and was able to scale the workers as well. Ready to review and merge. |
if err != nil { | ||
return nil, err | ||
return nil, fmt.Errorf("Create new provider client failed (clients/machienservice.go 197): %v", err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We don't need the extra debugging messages with the line numbers - leftover from testing ?
@@ -209,6 +212,9 @@ type OpenstackClusterProviderSpec struct { | |||
|
|||
// Default: True. In case of server tag errors, set to False | |||
DisableServerTags bool `json:"disableServerTags,omitempty"` | |||
|
|||
// CertBundle gets populated from the value in Machines | |||
// CertBundle string `json:"certBundle,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If this is commented out, does it mean it's not needed? In that case can we remove it from the patch?
@@ -82,6 +82,9 @@ type OpenstackProviderSpec struct { | |||
|
|||
// The volume metadata to boot from | |||
RootVolume *RootVolume `json:"rootVolume,omitempty"` | |||
|
|||
// A plaintext string of PEM(s) | |||
CertBundle string `json:"caCert,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you possibly move this up to the top of the struct, together with the other cloud parameters CloudsSecret and CloudName?
} | ||
|
||
opts.AllowReauth = true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any reason to drop this option?
According to the documentation:
// AllowReauth should be set to true if you grant permission for Gophercloud to
// cache your credentials in memory, and to allow Gophercloud to attempt to
// re-authenticate automatically if/when your token expires. If you set it to
// false, it will not cache these settings, but re-authentication will not be
// possible. This setting defaults to false.
//
// NOTE: The reauth function will try to re-authenticate endlessly if left
// unchecked. The way to limit the number of attempts is to provide a custom
// HTTP client to the provider client and provide a transport that implements
// the RoundTripper interface and stores the number of failed retries. For an
// example of this, see here:
// https://github.com/rackspace/rack/blob/1.0.0/auth/clients.go#L311
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oops, that was an oversight
eda87fd
to
17be769
Compare
LGTM @mandre it's all yours |
/retest |
2 similar comments
/retest |
/retest |
/test e2e-openstack |
/test e2e-openstack Infra flakyness. |
CIRO won't start because the spec isn't valid after openshift/api#560:
|
Should be fixed with openshift/api#563 |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: iamemilio, mandre The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
* Implemented bootstrap tokens via cluster-bootstrap Therefore, I added new dependency to k8s.io/cluster-bootstrap. Shelling out to kubeadm from token generation is now removed from machineactuator.go. I used the tools of cluster-bootstrap to generate a kubeadm compliant token name and create a secret out of it. This implementation does not use the ways kubeadm currently uses, because it would pull a hole bunch of other dependencies in, which are IMHO not needed at that point. Fixes openshift#78 * Renamed TokenExpiration to TokenTTL * Increased TokenTTL to 60 minutes * Added link to inspiration of bootstrap/token.go * Changed error handling to panic and removed needless lines
…t#95) * Added Role to kube-system to allow CAP-OS to create secrets When CAP-OS is deployed to the resulted cluster, it runs in the namespace openstack-provider-system, and gets the default ServiceAccount mounted in. Because of openshift#78, CAP-OS needs to create secrets (bootstrap tokens essentially are secrets) in namespace kube-system. Created a Role and RoleBinding to allow this. Using yaml files in config/rbac in favor of kubebuilder auto generation, because this only works for ClusterRoles so far. See kubernetes-sigs/kubebuilder#401 How to test: ``` generate-yaml.sh -c ... -p ubuntu configure machines.yaml and provider-components.yaml clusterctl create cluster \ --minikube kubernetes-version=v1.12.2 \ --vm-driver hyperkit \ --provider openstack \ -c examples/openstack/ubuntu/out/cluster.yaml \ -m examples/openstack/ubuntu/out/machines.yaml \ -p examples/openstack/ubuntu/out/provider-components.yaml wait until master and the one node appear. create a new machine manually by hand. It should be created, come up and join the cluster. e.g. apiVersion: cluster.k8s.io/v1alpha1 kind: Machine metadata: generateName: openstack-node- labels: set: node name: openstack-node-manual namespace: default spec: providerConfig: value: apiVersion: openstackproviderconfig/v1alpha1 availabilityZone: es1 flavor: m1.medium image: Ubuntu 16.04 Xenial Xerus - Latest kind: OpenstackProviderConfig networks: - uuid: e21aeb04-f98a-4c05-bc84-69441dbb304c securityGroups: - default - secgrp_docs sshUserName: ubuntu versions: kubelet: 1.12.1 ``` Fixes openshift#93 * Removed redundant role and rolebinding
What this PR does / why we need it: Adds ability to trust CA bundle to CAPO