From 8daea70b624bfe802119c8eb4c6d8b343218836f Mon Sep 17 00:00:00 2001
From: Pablo Acevedo Montserrat
Date: Fri, 3 Mar 2023 18:43:50 +0100
Subject: [PATCH 1/2] OCPBUGS-8301: Use correct CAs in kubeconfig files

---
 pkg/cmd/init.go | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/pkg/cmd/init.go b/pkg/cmd/init.go
index 01db0bd4f95..04c268d9c84 100644
--- a/pkg/cmd/init.go
+++ b/pkg/cmd/init.go
@@ -341,7 +341,6 @@ func certSetup(cfg *config.MicroshiftConfig) (*certchains.CertificateChains, err
 []string{"kubelet-signer", "kube-csr-signer"},
 ).WithCABundle(
 cryptomaterial.ServiceAccountTokenCABundlePath(certsDir),
- []string{"kube-apiserver-external-signer"},
 []string{"kube-apiserver-localhost-signer"},
 []string{"kube-apiserver-service-network-signer"},
 ).Complete()
@@ -370,9 +369,13 @@ func initKubeconfigs(
 cfg *config.MicroshiftConfig,
 certChains *certchains.CertificateChains,
 ) error {
- inClusterTrustBundlePEM, err := os.ReadFile(cryptomaterial.ServiceAccountTokenCABundlePath(cryptomaterial.CertsDirectory(microshiftDataDir)))
+ externalTrustPEM, err := os.ReadFile(cryptomaterial.CACertPath(cryptomaterial.KubeAPIServerExternalSigner(cryptomaterial.CertsDirectory(microshiftDataDir))))
 if err != nil {
- return fmt.Errorf("failed to load the in-cluster trust bundle: %v", err)
+ return fmt.Errorf("failed to load the external trust signer: %v", err)
+ }
+ internalTrustPEM, err := os.ReadFile(cryptomaterial.CACertPath(cryptomaterial.KubeAPIServerLocalhostSigner(cryptomaterial.CertsDirectory(microshiftDataDir))))
+ if err != nil {
+ return fmt.Errorf("failed to load the internal trust signer: %v", err)
 }
 
 adminKubeconfigCertPEM, adminKubeconfigKeyPEM, err := certChains.GetCertKey("admin-kubeconfig-signer", "admin-kubeconfig-client")
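Review bot: internalTrustPEM is now the kube-apiserver-localhost-signer CA alone, yet it becomes the sole trust anchor for every kubeconfig written against cfg.Cluster.URL in the later hunks (@@ -406 through @@ -472), whereas the removed bundle covered the external, localhost and service-network signers together. If cfg.Cluster.URL can be configured to anything the localhost signer does not certify, those kubeconfigs will fail TLS verification of the API server; this looks intended given the URL defaults to localhost, but the init path should then reject or at least document a non-localhost URL — hedged, since any such validation may live outside this hunk. Separately, the two new error returns use `%v`, which drops the underlying `*os.PathError` from the chain; `return fmt.Errorf("failed to load the external trust signer: %w", err)` (and the same for the internal signer) keeps `errors.Is(err, fs.ErrNotExist)` usable by callers. initKubeconfigs continues past the end of this hunk.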
@@ -390,12 +393,12 @@ func initKubeconfigs(
 }
 
 // Generate one kubeconfigs per name
- for _, name := range append(cfg.SubjectAltNames, cfg.NodeName, "localhost") {
+ for _, name := range append(cfg.SubjectAltNames, cfg.NodeName) {
 u.Host = fmt.Sprintf("%s:%d", name, apiServerPort)
 if err := util.KubeConfigWithClientCerts(
 cfg.KubeConfigAdminPath(name),
 u.String(),
- inClusterTrustBundlePEM,
+ externalTrustPEM,
 adminKubeconfigCertPEM,
 adminKubeconfigKeyPEM,
 ); err != nil {
@@ -406,7 +409,7 @@ func initKubeconfigs(
 if err := util.KubeConfigWithClientCerts(
 cfg.KubeConfigPath(config.KubeAdmin),
 cfg.Cluster.URL,
- inClusterTrustBundlePEM,
+ internalTrustPEM,
 adminKubeconfigCertPEM,
 adminKubeconfigKeyPEM,
 ); err != nil {
@@ -420,7 +423,7 @@ func initKubeconfigs(
 if err := util.KubeConfigWithClientCerts(
 cfg.KubeConfigPath(config.KubeControllerManager),
 cfg.Cluster.URL,
- inClusterTrustBundlePEM,
+ internalTrustPEM,
 kcmCertPEM,
 kcmKeyPEM,
 ); err != nil {
@@ -434,7 +437,7 @@ func initKubeconfigs(
 if err := util.KubeConfigWithClientCerts(
 cfg.KubeConfigPath(config.KubeScheduler),
 cfg.Cluster.URL,
- inClusterTrustBundlePEM,
+ internalTrustPEM,
 schedulerCertPEM, schedulerKeyPEM,
 ); err != nil {
 return err
@@ -447,7 +450,7 @@ func initKubeconfigs(
 if err := util.KubeConfigWithClientCerts(
 cfg.KubeConfigPath(config.Kubelet),
 cfg.Cluster.URL,
- inClusterTrustBundlePEM,
+ internalTrustPEM,
 kubeletCertPEM, kubeletKeyPEM,
 ); err != nil {
 return err
@@ -459,7 +462,7 @@ func initKubeconfigs(
 if err := util.KubeConfigWithClientCerts(
 cfg.KubeConfigPath(config.ClusterPolicyController),
 cfg.Cluster.URL,
- inClusterTrustBundlePEM,
+ internalTrustPEM,
 clusterPolicyControllerCertPEM, clusterPolicyControllerKeyPEM,
 ); err != nil {
 return err
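Review bot: The new `for _, name := range append(cfg.SubjectAltNames, cfg.NodeName)` line appends directly onto the config's slice, so when cfg.SubjectAltNames has spare capacity the node name is written into its backing array, and any later append by another holder of that slice aliases or overwrites it. Building the name list on a fresh slice removes the aliasing without changing which kubeconfigs are produced: `names := append(append([]string(nil), cfg.SubjectAltNames...), cfg.NodeName)` followed by `for _, name := range names {`. The loop body and the enclosing initKubeconfigs both extend beyond this hunk.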
@@ -472,7 +475,7 @@ func initKubeconfigs(
 if err := util.KubeConfigWithClientCerts(
 cfg.KubeConfigPath(config.RouteControllerManager),
 cfg.Cluster.URL,
- inClusterTrustBundlePEM,
+ internalTrustPEM,
 routeControllerManagerCertPEM, routeControllerManagerKeyPEM,
 ); err != nil {
 return err
From 6bc9b7980a9de48836dae3447689c41265dddbdf Mon Sep 17 00:00:00 2001
From: Pablo Acevedo Montserrat
Date: Mon, 6 Mar 2023 10:59:01 +0100
Subject: [PATCH 2/2] OCPBUGS-8301: Update docs

---
 docs/openshift_ci.md | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/docs/openshift_ci.md b/docs/openshift_ci.md
index 89db4b72ab5..c348a73c958 100644
--- a/docs/openshift_ci.md
+++ b/docs/openshift_ci.md
@@ -31,8 +31,6 @@ MicroShift generates a set of kubeconfig files in default configuration:
 # tree /var/lib/microshift/resources/kubeadmin/
 /var/lib/microshift/resources/kubeadmin/
 ├── kubeconfig
-├── localhost
-│ └── kubeconfig
 ├── microshift-dev
 │ └── kubeconfig
 └── microshift-dev.localdomain
@@ -40,7 +38,7 @@ MicroShift generates a set of kubeconfig files in default configuration:
 3 directories, 4 files
 ```
-Using default configuration there is a kubeconfig for each of the subject alternative names, localhost, and the one at the root directory which is using the cluster URL. If cluster URL is not using localhost then all these files are not generated.
+Using default configuration there is a kubeconfig for each of the subject alternative names and the one at the root directory which is using the cluster URL, which defaults to localhost.
 Having a DNS (or simply changing `/etc/hosts`) we have to select which of the kubeconfig files we need to use according to it. In this case we may copy the `microshift-dev` kubeconfig to our local environment and we will be able to use `oc`:
 ```