Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Kubernetes CAs managed externally #8620

Merged
merged 1 commit into from
Apr 12, 2022
Merged

Kubernetes CAs managed externally #8620

merged 1 commit into from
Apr 12, 2022

Conversation

julienlefur
Copy link
Contributor

@julienlefur julienlefur commented Mar 11, 2022
edited by floryut
Loading

What type of PR is this?
/kind feature

What this PR does / why we need it:
Using kubespray to deploy a kubernetes cluster with custom CAs seems to be broken.
Some particular tasks must be disabled when running the playbook to allow a successful installation of a cluster using external CAs (kubernetes-ca, etcd-ca, kubernetes-front-proxy-ca)

To address this issue, this PR introduces a variable designed to disable some problematic tasks.

Special notes for your reviewer:

Does this PR introduce a user-facing change?:
3 initial commits in the PR:

  • the first one disables the certificate validation for the checkhealth on the apiserver. Wich doesn't work when using external CAs
  • the second one is introducing the new variable "kube_external_ca_mode" in order to disable tasks being incompatible with an external management of the kubernetes CAs .
Allow installation of a cluster using external CAs (kubernetes-ca, etcd-ca, kubernetes-front-proxy-ca)

@k8s-ci-robot k8s-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Mar 11, 2022
@linux-foundation-easycla
Copy link

linux-foundation-easycla bot commented Mar 11, 2022
edited
Loading

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: julienlefur / name: Julien Le Fur (c496e38)

@k8s-ci-robot k8s-ci-robot added the cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. label Mar 11, 2022
@k8s-ci-robot
Copy link
Contributor

Welcome @julienlefur!

It looks like this is your first PR to kubernetes-sigs/kubespray 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/kubespray has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot
Copy link
Contributor

Hi @julienlefur. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Mar 11, 2022
@k8s-ci-robot k8s-ci-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Mar 11, 2022
@WillsonHG
Copy link

/easycla

@cristicalin
Copy link
Contributor

@julienlefur I think you need to place your custom certs in the same locations advertised by kubespray instead of removing the certificate validation. You can make the certificate generation then optional or skip-able via ansible --skip-tags.

@cristicalin cristicalin reopened this Mar 13, 2022
@julienlefur
Copy link
Contributor Author

@cristicalin thanks for your response. Do you mean that, in your opinion, we should rather implement a new tag for ansible instead of the variable we are proposing "kube_external_ca_mode" and update the PR? because I don't see any existing tags that we could use in kubespray today.
Moreover, while we were trying to implement the solution, it was more obvious for us to use a variable instead of a tag because the purpose is not to be able to play or not some tasks in certain conditions but to implement kubespray in a specific context where the PKIs are managed externally. In all kubespray runs we must disable these tasks and not only in some particular cases. It sounded more appropriate for us to implement a variable that could be place in the inventory files to describe the environnement in which kubespray would run.

@cristicalin
Copy link
Contributor

@julienlefur Ok, I see your point about the tags creating more overhead since this affects a rather minor part of a role so I agree on using a variable instead of the tags mechanism.

However please don't remove sanity checks and instead try to condition the execution of commands or parameters based on the variable you propose.

cristicalin
cristicalin previously requested changes Mar 17, 2022
View reviewed changes
@cristicalin cristicalin mentioned this pull request Mar 19, 2022
Closed
@julienlefur julienlefur force-pushed the feat-kubeadm-external-ca branch from 882c522 to 7ed9937 Compare March 23, 2022 15:59
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Mar 25, 2022
@julienlefur julienlefur force-pushed the feat-kubeadm-external-ca branch 2 times, most recently from 24387eb to 8e9f2de Compare March 29, 2022 12:12
@cristicalin
Copy link
Contributor

/check-cla

@julienlefur julienlefur force-pushed the feat-kubeadm-external-ca branch 6 times, most recently from 9c4d549 to 66aff37 Compare April 4, 2022 12:03
@julienlefur julienlefur force-pushed the feat-kubeadm-external-ca branch from 66aff37 to c496e38 Compare April 5, 2022 08:49
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Apr 5, 2022
@cristicalin
Copy link
Contributor

Thanks for this work @julienlefur !

/ok-to-test
/lgtm

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Apr 6, 2022
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 6, 2022
@jayonlau
Copy link
Contributor

jayonlau commented Apr 8, 2022

/lgtm

@liupeng0518
Copy link
Member

/cc @liupeng0518

floryut
floryut approved these changes Apr 12, 2022
View reviewed changes
Copy link
Member

@floryut floryut left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@julienlefur Thank you for the feature.

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: floryut, julienlefur

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 12, 2022
@k8s-ci-robot k8s-ci-robot merged commit 30306d6 into kubernetes-sigs:master Apr 12, 2022
Quehenr pushed a commit to Quehenr/unstable-laboratory-infrastructure-kubespray that referenced this pull request Apr 14, 2022
Merge branch 'master' into feature/virtualbox
da2c785 
* master: (21 commits)
  Add tz to kubespray image
  Add tag to AWS VPC subnets for automatic subnet discovery by load balancers or ingress controllers (kubernetes-sigs#8705)
  Enable external CA mode for control-plane deployment (kubernetes-sigs#8620)
  UpCloud integration (kubernetes-sigs#8653)
  Fixes for Hetzner terraform and Hetzner Cloud  (kubernetes-sigs#8702)
  Add VAGRANT_ANSIBLE_TAGS for normal deployment (kubernetes-sigs#8697)
  Removed quotation of nerdctl_extra_flags. (kubernetes-sigs#8695)
  [calico] add calico apiserver (kubernetes-sigs#8690)
  Add support for kube-vip (kubernetes-sigs#8669)
  Ensure all Kubelet required kernel values are configured when enabling protectKernelDefaults (kubernetes-sigs#8692)
  [cert-manager] Upgrade to v1.8.0 (kubernetes-sigs#8688)
  fix: reset docker was not removing docker properly (kubernetes-sigs#8680)
  Single quotes are missing in jsonpath argument of kubectl get node (kubernetes-sigs#8683)
  split kube_feature_gates variable for different kubernetes components (kubernetes-sigs#8677)
  [crun] upgrade to 1.4.4 (kubernetes-sigs#8675)
  [validate-container-engine] check if kubelet is present was not working (kubernetes-sigs#8679)
  [containerd] upgrade versions to address CVE-2022-24769 (kubernetes-sigs#8671)
  [vsphere_csi] update to 2.5.1 and make external_vsphere_version 7.0u1 by default (kubernetes-sigs#8676)
  [runc] upgrade to 1.1.1 (kubernetes-sigs#8674)
  [nerdctl] upgrade to 0.18.0 (kubernetes-sigs#8672)
  ...
sakuraiyuta pushed a commit to sakuraiyuta/kubespray that referenced this pull request Apr 16, 2022
@julienlefur @sakuraiyuta
Enable external CA mode for control-plane deployment (kubernetes-sigs…
cfa813d 
…#8620)
@oomichi oomichi mentioned this pull request May 28, 2022
Closed
LuckySB pushed a commit to southbridgeio/kubespray that referenced this pull request Jun 30, 2023
@julienlefur @LuckySB
Enable external CA mode for control-plane deployment (kubernetes-sigs…
7a11e24 
…#8620)
LuckySB pushed a commit to southbridgeio/kubespray that referenced this pull request Oct 23, 2023
@julienlefur @LuckySB
Enable external CA mode for control-plane deployment (kubernetes-sigs…
037fda9 
…#8620)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cristicalin cristicalin cristicalin left review comments

@floryut floryut floryut approved these changes

@jayonlau jayonlau Awaiting requested review from jayonlau

@liupeng0518 liupeng0518 Awaiting requested review from liupeng0518

Assignees

@cristicalin cristicalin

@jayonlau jayonlau

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@julienlefur @k8s-ci-robot @WillsonHG @cristicalin @jayonlau @liupeng0518 @floryut