UPSTREAM: 88120: add dynamic certificate reloading for kube aggregator #24607

p0lyn0mial · 2020-02-27T20:47:52Z

not clean, needs review.

based on openshift/kubernetes@adfea73#diff-40fbc204fb430ee43a18f381a4e2182e

p0lyn0mial · 2020-02-27T20:49:00Z

/hold

Do not review it.
I want to test it before. I created this PR to get CI feedback.

p0lyn0mial · 2020-02-28T05:13:53Z

/retest

p0lyn0mial · 2020-02-28T07:36:12Z

alright, CI feedback was positive. What's the best way to test it? Create a cluster and leave it for 24h?

p0lyn0mial · 2020-02-28T07:36:33Z

/assign @deads2k @sttts

p0lyn0mial · 2020-02-28T07:43:32Z

...kubernetes/staging/src/k8s.io/kube-aggregator/pkg/controllers/status/available_controller.go

+	if err != nil {
+		panic(err)
+	}
+	discoveryClient := &http.Client{


I think that I have an idea (check the upstream PR) how to change that code so that we don't have to create a new http client on every sync (every 30s).

p0lyn0mial · 2020-02-28T09:40:13Z

/retest

mfojtik · 2020-03-02T10:32:10Z

/lgtm

@deads2k PTAL

p0lyn0mial · 2020-03-02T15:07:55Z

Alright, so I managed to test it more or less.

Because I failed to create a cluster on GCP I modified the operator to rotate the certificates more quickly and created a cluster on AWS.

I haven't found any suspicious entries in the logs at the time of certificate reloading except:

E0302 14:14:50.341544       1 available_controller.go:415] v1.packages.operators.coreos.com failed with: Operation cannot be fulfilled on apiservices.apiregistration.k8s.io "v1.packages.operators.coreos.com": the object has been modified; please apply your changes to the latest version and try again
E0302 14:14:50.343971       1 available_controller.go:415] v1.packages.operators.coreos.com failed with: failing or missing response from https://10.128.0.107:5443/apis/packages.operators.coreos.com/v1: bad status from https://10.128.0.107:5443/apis/packages.operators.coreos.com/v1: 401
E0302 14:14:54.152041       1 available_controller.go:415] v1.packages.operators.coreos.com failed with: failing or missing response from https://10.129.0.110:5443/apis/packages.operators.coreos.com/v1: bad status from https://10.129.0.110:5443/apis/packages.operators.coreos.com/v1: 401
E0302 14:14:59.129673       1 available_controller.go:415] v1.packages.operators.coreos.com failed with: failing or missing response from https://10.129.0.110:5443/apis/packages.operators.coreos.com/v1: bad status from https://10.129.0.110:5443/apis/packages.operators.coreos.com/v1: 401
E0302 14:15:02.159001       1 available_controller.go:415] v1.packages.operators.coreos.com failed with: Operation cannot be fulfilled on apiservices.apiregistration.k8s.io "v1.packages.operators.coreos.com": the object has been modified; please apply your changes to the latest version and try again
E0302 14:15:12.415322       1 controller.go:114] loading OpenAPI spec for "v1.packages.operators.coreos.com" failed with: failed to retrieve openAPI spec, http error: ResponseCode: 503, Body: Error trying to reach service: 'x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "Red Hat, Inc.")', Header: map[Content-Type:[text/plain; charset=utf-8] X-Content-Type-Options:[nosniff]]
I0302 14:15:12.415362       1 controller.go:127] OpenAPI AggregationController: action for item v1.packages.operators.coreos.com: Rate Limited Requeue.

which seems to be related to #24607 (comment) as the certificate will be reloaded after 30 seconds in the worst case.

Additionally, @sttts suggested to manually update the secret (kubectl edit secrets -n openshift-kube-apiserver aggregator-client) and that was reflected in the logs.

p0lyn0mial · 2020-03-02T15:08:06Z

/hold cancel

p0lyn0mial · 2020-03-03T08:04:40Z

/retest

…CertKeyPairContent controller

sttts · 2020-03-03T08:38:54Z

vendor/k8s.io/kubernetes/staging/src/k8s.io/kube-aggregator/pkg/apiserver/apiserver.go

+		if err := aggregatorProxyCerts.RunOnce(); err != nil {
+			return nil, err
+		}
+		aggregatorProxyCerts.AddListener(apiserviceRegistrationController)


order is correct? Would expect AddListener before the RunOnce()

it does the initial loading? Then it's fine I guess.

that is correct, we use CurrentCertKeyContent function for loading the certificate.

sttts · 2020-03-03T08:44:36Z

/lgtm

p0lyn0mial · 2020-03-03T08:44:48Z

/cherrypick release-4.4

openshift-cherrypick-robot · 2020-03-03T08:44:49Z

@p0lyn0mial: once the present PR merges, I will cherry-pick it on top of release-4.4 in a new PR and assign it to you.

In response to this:

/cherrypick release-4.4

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-ci-robot · 2020-03-03T08:46:06Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mfojtik, p0lyn0mial, sttts

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [mfojtik,sttts]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-bot · 2020-03-03T09:13:08Z

/retest