Bug 1769879: allow CA Cert bundles to be trusted #78
Conversation
openshift-ci-robot
added
do-not-merge/work-in-progress
|
@iamemilio: This pull request references Bugzilla bug 1788072, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
added
the
size/M
openshift-ci-robot
added
the
approved
iamemilio
changed the title
openshift-ci-robot
added
the
bugzilla/valid-bug
|
@iamemilio: This pull request references Bugzilla bug 1769879, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
removed
the
bugzilla/invalid-bug
|
/retest |
iamemilio
changed the title
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
|
Was able to deploy workers on a test cluster with self signed certificates, and was able to scale the workers as well. Ready to review and merge. |
| if err != nil { | ||
| return nil, err | ||
| return nil, fmt.Errorf("Create new provider client failed (clients/machienservice.go 197): %v", err) |
There was a problem hiding this comment.
We don't need the extra debugging messages with the line numbers - leftover from testing ?
| @@ -209,6 +212,9 @@ type OpenstackClusterProviderSpec struct { | |||
|
|
|||
| // Default: True. In case of server tag errors, set to False | |||
| DisableServerTags bool `json:"disableServerTags,omitempty"` | |||
|
|
|||
| // CertBundle gets populated from the value in Machines | |||
| // CertBundle string `json:"certBundle,omitempty"` | |||
There was a problem hiding this comment.
If this is commented out, does it mean it's not needed? In that case can we remove it from the patch?
| @@ -82,6 +82,9 @@ type OpenstackProviderSpec struct { | |||
|
|
|||
| // The volume metadata to boot from | |||
| RootVolume *RootVolume `json:"rootVolume,omitempty"` | |||
|
|
|||
| // A plaintext string of PEM(s) | |||
| CertBundle string `json:"caCert,omitempty"` | |||
There was a problem hiding this comment.
Could you possibly move this up to the top of the struct, together with the other cloud parameters CloudsSecret and CloudName?
| } | ||
|
|
||
| opts.AllowReauth = true |
There was a problem hiding this comment.
Any reason to drop this option?
According to the documentation:
// AllowReauth should be set to true if you grant permission for Gophercloud to
// cache your credentials in memory, and to allow Gophercloud to attempt to
// re-authenticate automatically if/when your token expires. If you set it to
// false, it will not cache these settings, but re-authentication will not be
// possible. This setting defaults to false.
//
// NOTE: The reauth function will try to re-authenticate endlessly if left
// unchecked. The way to limit the number of attempts is to provide a custom
// HTTP client to the provider client and provide a transport that implements
// the RoundTripper interface and stores the number of failed retries. For an
// example of this, see here:
// https://github.com/rackspace/rack/blob/1.0.0/auth/clients.go#L311
iamemilio
force-pushed
the
machine-api-CAcerts
branch
from
eda87fd
to
17be769
Compare
|
LGTM @mandre it's all yours |
|
/retest |
2 similar comments
|
/retest |
|
/retest |
|
/test e2e-openstack |
|
/test e2e-openstack Infra flakyness. |
|
CIRO won't start because the spec isn't valid after openshift/api#560: |
|
Should be fixed with openshift/api#563 |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: iamemilio, mandre The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
* Implemented bootstrap tokens via cluster-bootstrap Therefore, I added new dependency to k8s.io/cluster-bootstrap. Shelling out to kubeadm from token generation is now removed from machineactuator.go. I used the tools of cluster-bootstrap to generate a kubeadm compliant token name and create a secret out of it. This implementation does not use the ways kubeadm currently uses, because it would pull a hole bunch of other dependencies in, which are IMHO not needed at that point. Fixes openshift#78 * Renamed TokenExpiration to TokenTTL * Increased TokenTTL to 60 minutes * Added link to inspiration of bootstrap/token.go * Changed error handling to panic and removed needless lines
…t#95) * Added Role to kube-system to allow CAP-OS to create secrets When CAP-OS is deployed to the resulted cluster, it runs in the namespace openstack-provider-system, and gets the default ServiceAccount mounted in. Because of openshift#78, CAP-OS needs to create secrets (bootstrap tokens essentially are secrets) in namespace kube-system. Created a Role and RoleBinding to allow this. Using yaml files in config/rbac in favor of kubebuilder auto generation, because this only works for ClusterRoles so far. See kubernetes-sigs/kubebuilder#401 How to test: ``` generate-yaml.sh -c ... -p ubuntu configure machines.yaml and provider-components.yaml clusterctl create cluster \ --minikube kubernetes-version=v1.12.2 \ --vm-driver hyperkit \ --provider openstack \ -c examples/openstack/ubuntu/out/cluster.yaml \ -m examples/openstack/ubuntu/out/machines.yaml \ -p examples/openstack/ubuntu/out/provider-components.yaml wait until master and the one node appear. create a new machine manually by hand. It should be created, come up and join the cluster. e.g. apiVersion: cluster.k8s.io/v1alpha1 kind: Machine metadata: generateName: openstack-node- labels: set: node name: openstack-node-manual namespace: default spec: providerConfig: value: apiVersion: openstackproviderconfig/v1alpha1 availabilityZone: es1 flavor: m1.medium image: Ubuntu 16.04 Xenial Xerus - Latest kind: OpenstackProviderConfig networks: - uuid: e21aeb04-f98a-4c05-bc84-69441dbb304c securityGroups: - default - secgrp_docs sshUserName: ubuntu versions: kubelet: 1.12.1 ``` Fixes openshift#93 * Removed redundant role and rolebinding
What this PR does / why we need it: Adds ability to trust CA bundle to CAPO