The Wayback Machine - https://web.archive.org/web/20250210101631/https://github.com/kubernetes/kubernetes/pull/90822
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

allow setting different certificates for kube-controller-managed CSR signers #90822

Merged
merged 2 commits into from
Jul 18, 2020
Merged

allow setting different certificates for kube-controller-managed CSR signers #90822

merged 2 commits into from
Jul 18, 2020

Conversation

deads2k
Copy link
Contributor

@deads2k deads2k commented May 6, 2020

builds on #90731

The kube-controller-manager managed signers can now have distinct signing certificates and keys. See the help about --cluster-signing-[signer-name]-{cert,key}-file. --cluster-signing-{cert,key}-file is still the default.

/kind feature
/priority important-soon
@kubernetes/sig-auth-pr-reviews

The kube-controller-manager managed signers can now have distinct signing certificates and keys.  See the help about `--cluster-signing-[signer-name]-{cert,key}-file`.  `--cluster-signing-{cert,key}-file` is still the default.

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/apps Categorizes an issue or PR as relevant to SIG Apps. labels May 6, 2020
@fejta-bot
Copy link

This PR may require API review.

If so, when the changes are ready, complete the pre-review checklist and request an API review.

Status of requested reviews is tracked in the API Review project.

@deads2k deads2k force-pushed the csr-separate-signer-flags-02 branch 2 times, most recently from 77857ca to 4a889bc Compare May 11, 2020 13:32
@deads2k
Copy link
Contributor Author

deads2k commented May 11, 2020

/retest

@deads2k deads2k force-pushed the csr-separate-signer-flags-02 branch from 4a889bc to 950bedd Compare May 11, 2020 18:15
@deads2k
Copy link
Contributor Author

deads2k commented May 12, 2020

/retest

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 5, 2020
@deads2k deads2k force-pushed the csr-separate-signer-flags-02 branch from 950bedd to d60a117 Compare June 8, 2020 14:41
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 8, 2020
@micahhausler
Copy link
Member

Maybe a dumb question, but could I use this to turn off specific signers? If I only wanted to sign node-serving-cert but not node-client cert, could I do that with this change?

@enj
Copy link
Member

enj commented Jun 11, 2020

Maybe a dumb question, but could I use this to turn off specific signers? If I only wanted to sign node-serving-cert but not node-client cert, could I do that with this change?

No, but you could set the node-client-cert to point to a private key that is not trusted anywhere, which would make it inert. Not really a solution though ...

enj
enj reviewed Jun 11, 2020
View reviewed changes
Copy link
Member

@enj enj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall LGTM.

I feel like we should add something like a --cluster-signing-explicit-signers flag which is a bool (default false) that, when set to true, prevents KCM from starting when each signer does not have an explicit key/cert specified. This would allow you to know that a new signer has been added and that you need to address that in some way. Otherwise a new signer addition would implicitly use the default cert/key file, which may not be desired.

cmd/kube-controller-manager/app/certificates.go Outdated
Comment on lines 47 to 52
if ctx.ComponentConfig.CSRSigningController.ClusterSigningCertFile == "" || ctx.ComponentConfig.CSRSigningController.ClusterSigningKeyFile == "" {
hasSingleSigningFile := ctx.ComponentConfig.CSRSigningController.ClusterSigningCertFile == "" || ctx.ComponentConfig.CSRSigningController.ClusterSigningKeyFile == ""
hasKubeletServingFile := ctx.ComponentConfig.CSRSigningController.KubeletServingSignerConfiguration.CertFile == "" || ctx.ComponentConfig.CSRSigningController.KubeletServingSignerConfiguration.KeyFile == ""
hasKubeletClientFile := ctx.ComponentConfig.CSRSigningController.KubeletClientSignerConfiguration.CertFile == "" || ctx.ComponentConfig.CSRSigningController.KubeletClientSignerConfiguration.KeyFile == ""
hasKubeAPIServerClientFile := ctx.ComponentConfig.CSRSigningController.KubeAPIServerClientSignerConfiguration.CertFile == "" || ctx.ComponentConfig.CSRSigningController.KubeAPIServerClientSignerConfiguration.KeyFile == ""
hasLegacyUnknownFile := ctx.ComponentConfig.CSRSigningController.LegacyUnknownSignerConfiguration.CertFile == "" || ctx.ComponentConfig.CSRSigningController.LegacyUnknownSignerConfiguration.KeyFile == ""
if !hasSingleSigningFile && !hasKubeletServingFile && !hasKubeletClientFile && !hasKubeAPIServerClientFile && !hasLegacyUnknownFile {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Er, what happens if you specify one of the signers but not the default signing file?

Can we add some tests to exercise this wiring?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Er, what happens if you specify one of the signers but not the default signing file?

You'll get an error about an unspecified file. Comes from the code doing the initial load. What is your preferred behavior?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we add some tests to exercise this wiring?

Do you have an example of flag wiring behavior tests you like? I don't object, I just haven't seen many.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You'll get an error about an unspecified file. Comes from the code doing the initial load. What is your preferred behavior?

That seems fine to me.

Do you have an example of flag wiring behavior tests you like?

There are some tests in kube-controller-manager/app/options/options_test.go that test the input flags to CSRSigningControllerOptions bits. Maybe combine that with startCSRSigningController and some permutations of the flags?

@deads2k deads2k force-pushed the csr-separate-signer-flags-02 branch 2 times, most recently from 5fa1580 to e89bd83 Compare July 2, 2020 19:00
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jul 2, 2020
@deads2k deads2k force-pushed the csr-separate-signer-flags-02 branch from e89bd83 to 94f2ac5 Compare July 6, 2020 18:08
@deads2k
Copy link
Contributor Author

deads2k commented Jul 13, 2020

/retest

@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@deads2k
Copy link
Contributor Author

deads2k commented Jul 13, 2020

/retest

@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

8 similar comments
@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@deads2k
Copy link
Contributor Author

deads2k commented Jul 15, 2020

/retest

1 similar comment
@deads2k
Copy link
Contributor Author

deads2k commented Jul 15, 2020

/retest

@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

3 similar comments
@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@deads2k
Copy link
Contributor Author

deads2k commented Jul 16, 2020

/retest

@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

3 similar comments
@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@liggitt
Copy link
Member

liggitt commented Jul 17, 2020

/retest

@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Jul 18, 2020
edited
Loading

@deads2k: The following test failed, say /retest to rerun all failed tests:

Test name Commit Details Rerun command
pull-kubernetes-e2e-kind-ipv6 5fa1580efb9a1bb3dc68efc40dfc2518950d536a link /test pull-kubernetes-e2e-kind-ipv6

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@k8s-ci-robot k8s-ci-robot merged commit 05f6812 into kubernetes:master Jul 18, 2020
@github-actions github-actions bot mentioned this pull request Jul 22, 2020
Open
@ialidzhikov ialidzhikov mentioned this pull request Oct 27, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@munnerz munnerz munnerz left review comments

@liggitt liggitt liggitt left review comments

@enj enj enj requested changes

@jayunit100 jayunit100 Awaiting requested review from jayunit100

@tallclair tallclair Awaiting requested review from tallclair

Assignees

@liggitt liggitt

@enj enj

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/apps Categorizes an issue or PR as relevant to SIG Apps. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Milestone
v1.19
Development

Successfully merging this pull request may close these issues.
7 participants
@deads2k @fejta-bot @micahhausler @enj @liggitt @k8s-ci-robot @munnerz