New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add command to create new bootstrap kubeconfig for kubelet #1458
add command to create new bootstrap kubeconfig for kubelet #1458
Conversation
return fmt.Errorf("unable to get the CA bundle from the cluster: %w", err) | ||
} | ||
|
||
newConfig := clientcmdapi.Config{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably worth adding a comment here like
// keep in sync with https://github.com/openshift/machine-config-operator/blob/3d84f653e08d760d446442ddc80c3da21d8d7e59/pkg/server/cluster_server.go#L167
return fmt.Errorf("unable to serialize new kubeconfig: %w", err) | ||
} | ||
|
||
fmt.Fprintln(r.Out, string(newKubeletBootstrapConfig)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Under what scenario does the admin need to see this directly instead of having us directly rotate the file on the node?
I'm OK creating two separate primitives here to be clear, I just don't quite understand why we are instead of having a more opinionated wired-together flow.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Under what scenario does the admin need to see this directly instead of having us directly rotate the file on the node?
I'm OK creating two separate primitives here to be clear, I just don't quite understand why we are instead of having a more opinionated wired-together flow.
if our rotation command fails, having this available allows us to do the hard part (content of the file), while allowing any distribution method. Perhaps our "put it on the nodes" fails and we need to re-run it. Or perhaps its doomed in some scenario and they need to SSH it. This gives us those options.
) | ||
|
||
const ( | ||
adminKubeconfigClientCAConfigMap = "admin-kubeconfig-client-ca" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Worth a comment like
// adminKubeconfigClientCAConfigMap is described in https://github.com/openshift/api/blob/master/tls/docs/kube-apiserver%20Client%20Certificates/README.md#kube-apiserver-admin-kubeconfig-client-ca
perhaps?
const ( | ||
adminKubeconfigClientCAConfigMap = "admin-kubeconfig-client-ca" | ||
|
||
tenYears = 24 * time.Hour * 365 * 10 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
At some point we'll want to centralize our many "tenYears" constants...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
At some point we'll want to centralize our many "tenYears" constants...
Just in case 10 years changes in duration some day? ;)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I mean more that I can imagine us wanting to have a more consistent policy for certs, e.g. something much closer to Let's Encrypt expiry at e.g. 3 months to ensure that rotation really works. To do that we'd want to centralize these currently disparate constants.
Just a side comment, not saying we need to change anything now.
} else if err != nil { | ||
return fmt.Errorf("unable to read configmap %w", err) | ||
} | ||
caBundle, err := combineCABundles(existingConfigMap.Data["ca-bundle.crt"], string(signerCertBytes)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is ensuring we continue trust the old keys for now? Worth a comment if so.
None of my comments are blocking to be clear. |
49ed665
to
83d4101
Compare
Comments fixed, though I decline to be worried about 10y changing durations on us over time :) |
@deads2k: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, stlaz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
bringing in for a complete set to match directions. |
builds on #1452
oc config new-kubelet-bootstrap-kubeconfig > ~/Downloads/bootstrap.kubeconfig
/assign @rphillips