Bug 1710766: Add kubeconfigs to masters #858
Conversation
openshift-ci-robot
added
do-not-merge/work-in-progress
|
@tnozicka: This pull request references Bugzilla bug 1710766, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
added
needs-rebase
tnozicka
force-pushed
the
local-kubeconfig
branch
from
6c5b833
to
2f59da6
Compare
openshift-ci-robot
removed
the
needs-rebase
|
/retest |
openshift-ci-robot
added
the
needs-rebase
| Namespace: operatorclient.OperatorNamespace, | ||
| Name: "machine-system-admin-client", | ||
| // This needs to be long lived so users can download it as backup kubeconfig if the initial one would be lost | ||
| Validity: 10 * 365 * defaultRotationDay, |
There was a problem hiding this comment.
30 days and 15 days is reasonable I think.
There was a problem hiding this comment.
same reasons for the client
There was a problem hiding this comment.
I made it 120 and 30 so it always lives at least 30 days longer then kube-control-plane-signer. Does that work for you?
tnozicka
force-pushed
the
local-kubeconfig
branch
from
2f59da6
to
42cb6bc
Compare
openshift-ci-robot
removed
the
needs-rebase
tnozicka
force-pushed
the
local-kubeconfig
branch
from
42cb6bc
to
b65d847
Compare
|
@tnozicka: This pull request references Bugzilla bug 1710766, which is valid. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
tnozicka
force-pushed
the
local-kubeconfig
branch
from
b65d847
to
a2b6e4a
Compare
openshift-ci-robot
added
the
needs-rebase
tnozicka
force-pushed
the
local-kubeconfig
branch
from
a2b6e4a
to
fa5daf4
Compare
openshift-ci-robot
removed
the
needs-rebase
tnozicka
force-pushed
the
local-kubeconfig
branch
from
fa5daf4
to
71dc7ce
Compare
tnozicka
changed the title
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
|
@tnozicka: This pull request references Bugzilla bug 1710766, which is valid. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/retest |
3 similar comments
|
/retest |
|
/retest |
|
/retest |
| kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Informer(), | ||
| kubeInformersForNamespaces.InformersFor(operatorclient.TargetNamespace).Core().V1().Secrets().Informer(), | ||
| infrastuctureInformer.Informer(), | ||
| ).WithSync(c.sync).ResyncEvery(time.Second).ToController("NodeKubeconfigController", eventRecorder.WithComponentSuffix("node-kubeconfig-controller")) |
There was a problem hiding this comment.
resync is too tight. Every few minutes.
There was a problem hiding this comment.
I was wondering why I'd not write any number there, as I always prefer explicit 1 * time.Second and it is the same in targetconfigcontroller so it comes from the copy paste. We should likely fix it there too.
There was a problem hiding this comment.
| kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Informer(), | ||
| kubeInformersForNamespaces.InformersFor(operatorclient.TargetNamespace).Core().V1().Secrets().Informer(), | ||
| infrastuctureInformer.Informer(), | ||
| ).WithSync(c.sync).ResyncEvery(time.Second).ToController("NodeKubeconfigController", eventRecorder.WithComponentSuffix("node-kubeconfig-controller")) |
There was a problem hiding this comment.
use the withdegraded option so you can just return an error and get degraded automatically.
|
/approve the time span is long but acceptable to start. If we need a way to mint a new admin.kubeconfig this should not be it and this is short enough to prevent that. |
tnozicka
force-pushed
the
local-kubeconfig
branch
from
10f7268
to
f59f445
Compare
|
comments addressed, @marun ptal |
|
/retest |
|
/refresh |
|
/retest |
3 similar comments
|
/retest |
|
/retest |
|
/retest |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, marun, tnozicka The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/hold cancel |
openshift-ci-robot
removed
the
do-not-merge/hold
|
/retest |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
2 similar comments
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
@tnozicka: Some pull requests linked via external trackers have merged: The following pull requests linked via external trackers have not merged:
These pull request must merge or be unlinked from the Bugzilla bug in order for it to move to the next state. Bugzilla bug 1710766 has not been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
When we ssh to a master there is currently no kubeconfig to use to talk to the apiserver. When we are debugging clusters and have only ssh access, building the kubeconfig manually and creating client certs is extremely painful and time consuming. Also when admin has an accident and looses system:admin kubeconfig, this can be used as temporary replacement. (He should still own the user client CA to sign new certs.) The kubeconfigs have intentionally inlined certificates for easy transfer.
The kubeconfigs being placed into
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigsarelocalhost.kubeconfiglb-ext.kubeconfiglb-int.kubeconfiglocalhost-recovery.kubeconfigCurrently none of them is linked as default to oc. That would probably need MCO to copy it over and somehow handle updates otherwise the
ocwriting (e.g. current context) would fight with cert-syncer.Requires:
/cc @deads2k @sttts
@openshift/sig-master fyi, you'll need it at some point if you haven't already