Support user provided service-account-signing-key and issuer #1012
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…user-provided-sa-signing-key"" This reverts commit 2e34ad9.
…d to bound-sa-token-signing-certs in case the next-bound-service-account-signing-key has empty contents, for example - when user want to rotate the keys and emptied the keys of the secret for operator to recreate them. - when on bootstrap the render creates an empty secret as no user-provided keys exist, prompting the operator to create then in-cluster. the bound-sa-token-signing-certs must wait for the public key to exist/non-empty before adding it to the ConfigMap, otherwise there is failure starting kube-apiserver, ``` Error: error reading public key file /etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs/service-account-001.pub: data does not contain any valid RSA or ECDSA public keys ``` because the ConfigMap has a key with empty data like, > https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/pr-logs/pull/openshift_cluster-monitoring-operator/981/pull-ci-openshift-cluster-monitoring-operator-master-e2e-agnostic/1330864689164324864/artifacts/e2e-agnostic/gather-extra/configmaps.json ``` { "apiVersion": "v1", "data": { "service-account-001.pub": "", "service-account-002.pub": "-----BEGIN RSA PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqlOait7Q4okCBEZJ1NNn\nHtNQTC/i2bL9p7cTwbfDNbUJ/5rfYGPSCpyREckIfQb5qlMQa9vc8XI0tC5LGjAK\nTwUEfC/Z3I0kxcx71sDDt/qmtmuDtsauaOtFAyuNG28lULI58Jou6MsYAtADtoia\n9h+rpyQhCBIwmsNvAQBrijwv+eIRQXPEhnCFpVbB4sh2TpH7P0LjcRIDD6ZD2HmV\nRKAuKsWqwR2tRXbLqSvdMRGgOzGmqbA1IkG2xaOQmHuYg5GUkec6lRcYErE4I8MG\nYxFbtbGI/r6eNn+mkktNPk6od4Cz83zd+Z2+tSbvxBzkpnIOxd413FwGNgAOc1WO\nIwIDAQAB\n-----END RSA PUBLIC KEY-----\n" }, "kind": "ConfigMap", "metadata": { "name": "bound-sa-token-signing-certs", "namespace": "openshift-config-managed", "resourceVersion": "7023", "selfLink": "/api/v1/namespaces/openshift-config-managed/configmaps/bound-sa-token-signing-certs", "uid": "0f34f86e-3b3a-4a9c-8ed2-1eaae3dcd243" } }, ```
abhinavdahiya
changed the title
|
/retest |
|
/lgtm |
|
/retest |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: abhinavdahiya, marun, sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
|
/retest Please review the full test history for this PR and help us cut down flakes. |
1 similar comment
|
/retest Please review the full test history for this PR and help us cut down flakes. |
tnozicka
reviewed
Nov 25, 2020
| @@ -162,6 +169,22 @@ func (r *renderOpts) Run() error { | |||
| return fmt.Errorf("unable to parse restricted CIDRs from config %q: %v", r.clusterConfigFile, err) | |||
| } | |||
| } | |||
| if len(r.clusterAuthFile) > 0 { | |||
| clusterAuthFileData, err := ioutil.ReadFile(r.clusterAuthFile) | |||
| if err != nil && !os.IsNotExist(err) { | |||
There was a problem hiding this comment.
ignoring a not found error for a flag that is explicitly set should at least log what happened
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Revert the revert #1011 therefore re-adding the changes from #1006
And to fix the cause of the revert:
boundsatokensignercontroller: enure that empty public key is not syned to bound-sa-token-signing-certs
in case the next-bound-service-account-signing-key has empty contents, for example
then in-cluster.
the bound-sa-token-signing-certs must wait for the public key to exist/non-empty before adding it to the ConfigMap, otherwise
there is failure starting kube-apiserver,
because the ConfigMap has a key with empty data like,
xref: https://issues.redhat.com/browse/CO-1266