New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support user provided service-account-signing-key and issuer #1012
Support user provided service-account-signing-key and issuer #1012
Conversation
…user-provided-sa-signing-key"" This reverts commit 2e34ad9.
…d to bound-sa-token-signing-certs in case the next-bound-service-account-signing-key has empty contents, for example - when user want to rotate the keys and emptied the keys of the secret for operator to recreate them. - when on bootstrap the render creates an empty secret as no user-provided keys exist, prompting the operator to create then in-cluster. the bound-sa-token-signing-certs must wait for the public key to exist/non-empty before adding it to the ConfigMap, otherwise there is failure starting kube-apiserver, ``` Error: error reading public key file /etc/kubernetes/static-pod-resources/configmaps/bound-sa-token-signing-certs/service-account-001.pub: data does not contain any valid RSA or ECDSA public keys ``` because the ConfigMap has a key with empty data like, > https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/pr-logs/pull/openshift_cluster-monitoring-operator/981/pull-ci-openshift-cluster-monitoring-operator-master-e2e-agnostic/1330864689164324864/artifacts/e2e-agnostic/gather-extra/configmaps.json ``` { "apiVersion": "v1", "data": { "service-account-001.pub": "", "service-account-002.pub": "-----BEGIN RSA PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqlOait7Q4okCBEZJ1NNn\nHtNQTC/i2bL9p7cTwbfDNbUJ/5rfYGPSCpyREckIfQb5qlMQa9vc8XI0tC5LGjAK\nTwUEfC/Z3I0kxcx71sDDt/qmtmuDtsauaOtFAyuNG28lULI58Jou6MsYAtADtoia\n9h+rpyQhCBIwmsNvAQBrijwv+eIRQXPEhnCFpVbB4sh2TpH7P0LjcRIDD6ZD2HmV\nRKAuKsWqwR2tRXbLqSvdMRGgOzGmqbA1IkG2xaOQmHuYg5GUkec6lRcYErE4I8MG\nYxFbtbGI/r6eNn+mkktNPk6od4Cz83zd+Z2+tSbvxBzkpnIOxd413FwGNgAOc1WO\nIwIDAQAB\n-----END RSA PUBLIC KEY-----\n" }, "kind": "ConfigMap", "metadata": { "name": "bound-sa-token-signing-certs", "namespace": "openshift-config-managed", "resourceVersion": "7023", "selfLink": "/api/v1/namespaces/openshift-config-managed/configmaps/bound-sa-token-signing-certs", "uid": "0f34f86e-3b3a-4a9c-8ed2-1eaae3dcd243" } }, ```
/retest |
/lgtm |
/retest |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: abhinavdahiya, marun, sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest Please review the full test history for this PR and help us cut down flakes. |
1 similar comment
/retest Please review the full test history for this PR and help us cut down flakes. |
@@ -162,6 +169,22 @@ func (r *renderOpts) Run() error { | |||
return fmt.Errorf("unable to parse restricted CIDRs from config %q: %v", r.clusterConfigFile, err) | |||
} | |||
} | |||
if len(r.clusterAuthFile) > 0 { | |||
clusterAuthFileData, err := ioutil.ReadFile(r.clusterAuthFile) | |||
if err != nil && !os.IsNotExist(err) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ignoring a not found error for a flag that is explicitly set should at least log what happened
Revert the revert #1011 therefore re-adding the changes from #1006
And to fix the cause of the revert:
boundsatokensignercontroller: enure that empty public key is not syned to bound-sa-token-signing-certs
in case the next-bound-service-account-signing-key has empty contents, for example
then in-cluster.
the bound-sa-token-signing-certs must wait for the public key to exist/non-empty before adding it to the ConfigMap, otherwise
there is failure starting kube-apiserver,
because the ConfigMap has a key with empty data like,
xref: https://issues.redhat.com/browse/CO-1266