WINC-687: Windows instances react to kubelet CA rotation

[jrvaldes]

• Introduces the certificates package with common operations and constants
• Adds a new watcher to the ConfigMap controller to react on changes in the
  serving CA ConfigMap from the Kube API Server
• Extends the instanceReconciler with a new capability to reconcile the
  kubelet CA rotation
• Adds a function to update the kubelet CA file in a Windows instance. The
  location and name of the file is fixed to C:\k\kubelet-ca.crt by WMCB while
  setting the kubelet configuration.

The initial Kubelet CA certificate is valid for 1 year, from the date of the
cluster installation. Usually, the first rotation of the kubelet CA certificate
is generated by the API Server Operator
at 80% for the CA certificate lifecycle (1 year), which is 292 days, and removes
the previous CA certificate after 365 days.

Alternatively, a cluster administrator can trigger the kubelet CA rotation
on-demand at any time with the following command:

oc patch secret kube-apiserver-to-kubelet-signer \
-n openshift-kube-apiserver-operator \
-p='{"metadata": {"annotations": {"auth.openshift.io/certificate-not-after": null}}}'

The proposed implementation covers both of the above scenarios and does not require
node drain or node reboot. When the new CA bundle (kubelet-ca.crt) is updated
in the worker node, kubelet detects the change in the file system, reads the
certificates from the file, and updates the client configuration.

Related MCO PRs:

• try to make MCD render more self-contained machine-config-operator#626
• Bug 1721586: mco: add kubelet CA rotation support machine-config-operator#965

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[jrvaldes]

/test ?

[openshift-ci]

@jrvaldes: The following commands are available to trigger required jobs:

• /test aws-e2e-ccm-install
• /test aws-e2e-operator
• /test aws-e2e-upgrade
• /test azure-e2e-operator
• /test build
• /test ci-index
• /test images
• /test lint
• /test platform-none-vsphere-e2e-operator
• /test unit
• /test vsphere-e2e-operator

The following commands are available to trigger optional jobs:

• /test azure-e2e-ccm-install

Use /test all to run the following jobs that were automatically triggered:

• pull-ci-openshift-windows-machine-config-operator-master-aws-e2e-ccm-install
• pull-ci-openshift-windows-machine-config-operator-master-aws-e2e-operator
• pull-ci-openshift-windows-machine-config-operator-master-aws-e2e-upgrade
• pull-ci-openshift-windows-machine-config-operator-master-azure-e2e-operator
• pull-ci-openshift-windows-machine-config-operator-master-build
• pull-ci-openshift-windows-machine-config-operator-master-ci-index
• pull-ci-openshift-windows-machine-config-operator-master-images
• pull-ci-openshift-windows-machine-config-operator-master-lint
• pull-ci-openshift-windows-machine-config-operator-master-platform-none-vsphere-e2e-operator
• pull-ci-openshift-windows-machine-config-operator-master-unit
• pull-ci-openshift-windows-machine-config-operator-master-vsphere-e2e-operator

In response to this:

/test ?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[jrvaldes]

/test azure-e2e-operator

[jrvaldes]

WMCO log after triggering the kubelet CA rotation with two (2) Windows nodes.

1.648497188796151e+09 INFO controllers.configmap reconciling kubelet CA client certificates with {"ConfigMap": "kube-apiserver-to-kubelet-client-ca"}
1.6484971887963562e+09 DEBUG controllers.configmap creating auxiliary kubelet CA certificate {"file": "/tmp/kubelet-ca.crt"}
1.6484971887966876e+09 DEBUG controllers.configmap processing {"node count": 2}
1.6484971887967196e+09 DEBUG wc 172.31.251.210 initializing SSH connection
1.6484971890362916e+09 INFO controllers.configmap updating kubelet CA client certificates in {"node": "winworker-f2n8m"}
1.6484971894075413e+09 DEBUG wc 172.31.251.210 run {"cmd": "powershell.exe -NonInteractive -ExecutionPolicy Bypass \"Test-Path C:\\k\\\\kubelet-ca.crt\"", "out": "True\r\n"}
1.6484971897684174e+09 DEBUG wc 172.31.251.210 run {"cmd": "powershell.exe -NonInteractive -ExecutionPolicy Bypass \"$out = Get-FileHash C:\\k\\\\kubelet-ca.crt -Algorithm SHA256; $out.Hash\"", "out": "6C4A61CB99D4C329E67E303DE77EDFF54E9193A2B108A13AC4FAA1BE2F0199AF\r\n"}
1.648497189768449e+09 DEBUG wc 172.31.251.210 copy {"local file": "/tmp/kubelet-ca.crt", "remote dir": "C:\\k\\"}
1.6484971898165677e+09 DEBUG wc 172.31.251.88 initializing SSH connection
1.6484971900478635e+09 INFO controllers.configmap updating kubelet CA client certificates in {"node": "winworker-9j74z"}
1.6484971904268918e+09 DEBUG wc 172.31.251.88 run {"cmd": "powershell.exe -NonInteractive -ExecutionPolicy Bypass \"Test-Path C:\\k\\\\kubelet-ca.crt\"", "out": "True\r\n"}
1.6484971908091497e+09 DEBUG wc 172.31.251.88 run {"cmd": "powershell.exe -NonInteractive -ExecutionPolicy Bypass \"$out = Get-FileHash C:\\k\\\\kubelet-ca.crt -Algorithm SHA256; $out.Hash\"", "out": "6C4A61CB99D4C329E67E303DE77EDFF54E9193A2B108A13AC4FAA1BE2F0199AF\r\n"}
1.6484971908091886e+09 DEBUG wc 172.31.251.88 copy {"local file": "/tmp/kubelet-ca.crt", "remote dir": "C:\\k\\"}
1.648497190859712e+09 DEBUG controllers.configmap deleting kubelet CA certificate {"file": "/tmp/kubelet-ca.crt"}

[jrvaldes]

/hold

Depends on submodule update with openshift/windows-machine-config-bootstrapper#344

[saifshaikh48]

I am not familiar with the initial CA configmap -- my main concern (might be a stupid one) can be summarized as follows: if the initial kubelet CA is only valid for one year, then do we have a code path here that breaks after a year?

[saifshaikh48]

move to next import grouping

[saifshaikh48]

nit: IMO the commit message should be trimmed. The middle two paragraphs describing the different scenarios that could trigger CA bundle updates can be dropped.

[jrvaldes]

Agree.

[saifshaikh48]

only and only if --> if and only if

[saifshaikh48]

Doc for this method

[saifshaikh48]

Consider making "ca-bundle.crt" a constant with a doc explaining where this value comes from

[saifshaikh48]

Would appreciate the creation of a tech debt story around this. And linking the story in this TODO comment

[selansen]

This is going to happen once a year or once in 6 months. I don't think people are going to keep rotating it. I do understand IO operation is expensive but we don't need to worry about it in this situation.

[selansen]

But interesting to know data is read from file and is the only way available now

[jrvaldes]

Right, that is my take too. I don't feel we should track it in the backlog (for now).

[jrvaldes]

I am not familiar with the initial CA configmap -- my main concern (might be a stupid one) can be summarized as follows: if the initial kubelet CA is only valid for one year, then do we have a code path here that breaks after a year?

Correct, it is a time bomb^[1]

^[1] openshift/machine-config-operator#965 (comment)

[selansen]

when you name the previous one initialKubeAPI.., you can name this new or current-kubeAPIser...

[jrvaldes]

No prefix means current.

[selansen]

because it is

[selansen]

This is going to happen once a year or once in 6 months. I don't think people are going to keep rotating it. I do understand IO operation is expensive but we don't need to worry about it in this situation.

[selansen]

But interesting to know data is read from file and is the only way available now

[selansen]

Assume if we have 3 Windows nodes and the second one fails due to some error condition, aren't we going to try the 3rd node?

[jrvaldes]

Good question. In case the 3rd node fails, the reconciler will reconcile the failed event where nodes 1 and 2 are up to date, and only the 3rd node will get the file update.

[selansen]

namespace of the ConfigMap - ConfigMap's namespace

[selansen]

namespace of the ConfigMap - ConfigMap's namespace

[selansen]

if we keep hitting in this part, can this become an infinite loop?. The for loop is running as long as len(initialBundle) > 0

[jrvaldes]

Correct, sounds like a good case for unit testing.

[sebsoto]

I would like to see unit tests around this functionality

[jrvaldes]

Added in 6498dc0

[selansen]

Is there going to be a different ticket to track this one?

[jrvaldes]

Included in e163351

[sebsoto]

The instanceReconciler struct is a way for us to handle Nodes and Windows Instances in a generic way. By introducing more specific casing like this, we are moving away from that design. I'd prefer that the username annotation is applied to all Windows nodes, including Machine based Nodes.

That would involve passing in the annotation in this call, like is done with the ConfigMap reconciler

[jrvaldes]

Agree. I thought about that too. It's more nosy (and complex) so I went this route instead.

Happy to chat more about this.

[saifshaikh48]

I am leaning towards including the Windows annotation on all nodes too, but I understand that may be out of scope of this story. Another alternative seems to be splitting this into 2 functions upon the respective Reconciler structs, one for machine nodes and one for BYOH?

[selansen]

how complex is adding Windows annotation on all nodes? I understand it is out of the scope of this PR. But the change that we are making has a direct impact on the current design. So curious to know the complexity level for this change.

[saifshaikh48]

Not that involved from what I can tell:

• call crypto.EncryptToJSONString to get encrypted value of Machine username
• pass in encrypted username annotation to r.ensureInstanceIsUpToDate call in wm_controller
• remove this if/else block in secret_controller, leaving only the code from within the if
• for e2e tests, add UsernameAnnotation to annotations and remove the if BYOH check here
• remove the isBYOH condition from this if statement in create_test

[jrvaldes]

@saifshaikh48 thanks for highlighting the implementation details.

Dropped 804520f in favor of

• WINC-687: Add Username annotation for all Windows nodes #1021

[jrvaldes]

remove this if/else block in secret_controller, leaving only the code from within the if

It makes sense, but that is a change of behavior. I don't think we should introduce it as part of this effort. So, far Windows instances configured by MachineController reconcile the annotation by "deletion".

[saifshaikh48]

/lgtm

[sebsoto]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jrvaldes, sebsoto

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [sebsoto]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[selansen]

/lgtm

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-ci]

@jrvaldes: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[jrvaldes]

/cherry-pick release-4.10

[jrvaldes]

/cherry-pick community-4.10

[openshift-cherrypick-robot]

@jrvaldes: #1013 failed to apply on top of branch "release-4.10":

Applying: Pass reader to connectivity transfer
Applying: Move checksum validation to FileExist
Applying: Windows nodes react to kubelet CA rotation
Using index info to reconstruct a base tree...
M	controllers/configmap_controller.go
Falling back to patching base and 3-way merge...
Auto-merging controllers/configmap_controller.go
CONFLICT (content): Merge conflict in controllers/configmap_controller.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0003 Windows nodes react to kubelet CA rotation
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-4.10

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-cherrypick-robot]

@jrvaldes: #1013 failed to apply on top of branch "community-4.10":

Applying: Pass reader to connectivity transfer
Applying: Move checksum validation to FileExist
Applying: Windows nodes react to kubelet CA rotation
Using index info to reconstruct a base tree...
M	controllers/configmap_controller.go
Falling back to patching base and 3-way merge...
Auto-merging controllers/configmap_controller.go
CONFLICT (content): Merge conflict in controllers/configmap_controller.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0003 Windows nodes react to kubelet CA rotation
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick community-4.10

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.