New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kube-apiserver-cert-syncer-kubeconfig: point to serving cert #905
kube-apiserver-cert-syncer-kubeconfig: point to serving cert #905
Conversation
The service account gets the service-account CA that is valid at the point of creation. So if the localhost-recovery CA is not yet part of the kube-apiserver serving CA (which is the case during bootstrapping), this service-account won't work with the localhost-recovery endpoints. The serving CA bundle though is always correct as it changes with time. Fixes openshift@2a44f96#r456357777
Flake. /retest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@tnozicka fyi, you need to check this on Monday, for now we want to unblock the work switching from origin to o/k repo
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: soltysh, sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/hold @p0lyn0mial noticed something that might be the root cause. Though my theory here stands. |
/hold cancel Seems to be different. |
Unrelated failure, and we'd like to see if this unblocks us |
@soltysh: soltysh unauthorized: /override is restricted to Repo administrators, approvers in top level OWNERS file. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/override ci/prow/e2e-aws-serial |
@sttts: Overrode contexts on behalf of sttts: ci/prow/e2e-aws-serial In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
The service account gets the service-account CA that is valid at the point of creation. So if the localhost-recovery CA is not yet part of the kube-apiserver serving CA (which is the case during bootstrapping), this service-account won't work with the localhost-recovery endpoints.
The serving CA bundle though is always correct as it changes with time.
Fixes 2a44f96#r456357777
Partly reverts #663.