-
Notifications
You must be signed in to change notification settings - Fork 157
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug 1710766: Add kubeconfigs to masters #858
Bug 1710766: Add kubeconfigs to masters #858
Conversation
@tnozicka: This pull request references Bugzilla bug 1710766, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
6c5b833
to
2f59da6
Compare
/retest |
Namespace: operatorclient.OperatorNamespace, | ||
Name: "machine-system-admin-client", | ||
// This needs to be long lived so users can download it as backup kubeconfig if the initial one would be lost | ||
Validity: 10 * 365 * defaultRotationDay, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
30 days and 15 days is reasonable I think.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same reasons for the client
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I made it 120 and 30 so it always lives at least 30 days longer then kube-control-plane-signer. Does that work for you?
2f59da6
to
42cb6bc
Compare
42cb6bc
to
b65d847
Compare
@tnozicka: This pull request references Bugzilla bug 1710766, which is valid. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
b65d847
to
a2b6e4a
Compare
a2b6e4a
to
fa5daf4
Compare
fa5daf4
to
71dc7ce
Compare
@tnozicka: This pull request references Bugzilla bug 1710766, which is valid. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/retest |
3 similar comments
/retest |
/retest |
/retest |
kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Informer(), | ||
kubeInformersForNamespaces.InformersFor(operatorclient.TargetNamespace).Core().V1().Secrets().Informer(), | ||
infrastuctureInformer.Informer(), | ||
).WithSync(c.sync).ResyncEvery(time.Second).ToController("NodeKubeconfigController", eventRecorder.WithComponentSuffix("node-kubeconfig-controller")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
resync is too tight. Every few minutes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was wondering why I'd not write any number there, as I always prefer explicit 1 * time.Second
and it is the same in targetconfigcontroller so it comes from the copy paste. We should likely fix it there too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Informer(), | ||
kubeInformersForNamespaces.InformersFor(operatorclient.TargetNamespace).Core().V1().Secrets().Informer(), | ||
infrastuctureInformer.Informer(), | ||
).WithSync(c.sync).ResyncEvery(time.Second).ToController("NodeKubeconfigController", eventRecorder.WithComponentSuffix("node-kubeconfig-controller")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
use the withdegraded option so you can just return an error and get degraded automatically.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
/approve the time span is long but acceptable to start. If we need a way to mint a new admin.kubeconfig this should not be it and this is short enough to prevent that. |
10f7268
to
f59f445
Compare
comments addressed, @marun ptal |
/retest |
/refresh |
/retest |
3 similar comments
/retest |
/retest |
/retest |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, marun, tnozicka The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/hold cancel |
/retest |
/retest Please review the full test history for this PR and help us cut down flakes. |
2 similar comments
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
@tnozicka: Some pull requests linked via external trackers have merged: The following pull requests linked via external trackers have not merged:
These pull request must merge or be unlinked from the Bugzilla bug in order for it to move to the next state. Bugzilla bug 1710766 has not been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
When we ssh to a master there is currently no kubeconfig to use to talk to the apiserver. When we are debugging clusters and have only ssh access, building the kubeconfig manually and creating client certs is extremely painful and time consuming. Also when admin has an accident and looses system:admin kubeconfig, this can be used as temporary replacement. (He should still own the user client CA to sign new certs.) The kubeconfigs have intentionally inlined certificates for easy transfer.
The kubeconfigs being placed into
/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs
arelocalhost.kubeconfig
lb-ext.kubeconfig
lb-int.kubeconfig
localhost-recovery.kubeconfig
Currently none of them is linked as default to oc. That would probably need MCO to copy it over and somehow handle updates otherwise the
oc
writing (e.g. current context) would fight with cert-syncer.Requires:
/cc @deads2k @sttts
@openshift/sig-master fyi, you'll need it at some point if you haven't already