Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kubeadm: warn but do not error out on missing CA keys on CP join #94988

Merged
merged 2 commits into from Sep 28, 2020
Merged

kubeadm: warn but do not error out on missing CA keys on CP join #94988

merged 2 commits into from Sep 28, 2020

Conversation

neolit123
Copy link
Member

@neolit123 neolit123 commented Sep 23, 2020
edited

What this PR does / why we need it:

- Modify validateCACertAndKey() to print warnings for missing keys
instead of erroring out.
- Update unit tests.

This allows doing a CP node join in a case where the user has:
- copied shared certificates to the new CP node, but not copied
ca.key files, treating the cluster CAs as external
- signed other required certificates in advance

The kubeconfig phase of "kubeadm init" detects external CA mode
and skips the generation of kubeconfig files. The kubeconfig
handling during control-plane join executes
CreateJoinControlPlaneKubeConfigFiles() which requires the presence
of ca.key when preparing the spec of a kubeconfig file and prevents
usage of external CA mode.

Modify CreateJoinControlPlaneKubeConfigFiles() to skip generating
the kubeconfig files if external CA mode is detected.

Which issue(s) this PR fixes:

xref kubernetes/kubeadm#2296

Special notes for your reviewer:
NONE

Does this PR introduce a user-facing change?:

kubeadm: warn but do not error out on missing "ca.key" files for root CA, front-proxy CA and etcd CA, during "kubeadm join --control-plane" if the user has provided all certificates, keys and kubeconfig files which require signing with the given CA keys.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Sep 23, 2020
@neolit123
Copy link
Member Author

/kind bug
/priority important-soon

@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. area/kubeadm sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. and removed needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Sep 23, 2020
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: neolit123

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 23, 2020
@neolit123 neolit123 mentioned this pull request Sep 23, 2020
Closed
@neolit123
Copy link
Member Author

neolit123 commented Sep 23, 2020
edited

this is ready for a review.
the summary is that CP join is currently broken for external CA mode (no ca.key). we should backport the change to the entire skew. i was able to verify this using a kinder e2e test for external CA that i will send a PR for soon.

/assign @fabriziopandini

@neolit123 neolit123 changed the title WIP: kubeadm: warn but do not error out on missing ca.key on CP join kubeadm: warn but do not error out on missing ca.key on CP join Sep 23, 2020
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 23, 2020
@neolit123 neolit123 force-pushed the 1.20-tollerate-missing-ca-key-on-join branch from f32fccb to 2a86041 Compare September 23, 2020 20:35
@neolit123
Copy link
Member Author

/retest

@neolit123
Copy link
Member Author

/hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 23, 2020
@neolit123 neolit123 mentioned this pull request Sep 24, 2020
Merged
fabriziopandini
fabriziopandini reviewed Sep 24, 2020
View reviewed changes
cmd/kubeadm/app/phases/certs/certs.go Outdated
func SharedCertificateExists(cfg *kubeadmapi.ClusterConfiguration) (bool, error) {

if err := validateCACertAndKey(certKeyLocation{cfg.CertificatesDir, kubeadmconstants.CACertAndKeyBaseName, "", "CA"}); err != nil {
if err := validateCACertAndKeyWarn(certKeyLocation{cfg.CertificatesDir, kubeadmconstants.CACertAndKeyBaseName, "", "CA"}); err != nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm pretty sure we should we apply the same change to FrontProxyCA
Instead, if I remember well, etcd does not support an external EtcdCA mode...

Copy link
Member Author

@neolit123 neolit123 Sep 24, 2020
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i guess we should have warnings instead of errors for the front-proxy's CA key and etcd's CA key too.
if the CA is external, users may choose to generate everything externally and place the above CA certificates only, without the keys. unlike the root singing CA key, these keys are not needed during cluster runtime.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@fabriziopandini i have update the PR.
instead of adding a new function validateCACertAndKey is re-purposed to throw a warning.

@neolit123
kubeadm: warn but do not error out on missing CA keys on CP join
05b77fe 
- Modify validateCACertAndKey() to print warnings for missing keys
instead of erroring out.
- Update unit tests.

This allows doing a CP node join in a case where the user has:
- copied shared certificates to the new CP node, but not copied
ca.key files, treating the cluster CAs as external
- signed other required certificates in advance
@neolit123
kubeadm: make the CP join handling of kubeconfig similar to "init"
7c783fa 
The kubeconfig phase of "kubeadm init" detects external CA mode
and skips the generation of kubeconfig files. The kubeconfig
handling during control-plane join executes
CreateJoinControlPlaneKubeConfigFiles() which requires the presence
of ca.key when preparing the spec of a kubeconfig file and prevents
usage of external CA mode.

Modify CreateJoinControlPlaneKubeConfigFiles() to skip generating
the kubeconfig files if external CA mode is detected.
@neolit123 neolit123 force-pushed the 1.20-tollerate-missing-ca-key-on-join branch from 2a86041 to 7c783fa Compare September 24, 2020 15:12
@neolit123 neolit123 changed the title kubeadm: warn but do not error out on missing ca.key on CP join kubeadm: warn but do not error out on missing CA keys on CP join Sep 24, 2020
fabriziopandini
fabriziopandini reviewed Sep 25, 2020
View reviewed changes
cmd/kubeadm/app/phases/kubeconfig/kubeconfig.go
Comment on lines +73 to +77
var externaCA bool
caKeyPath := filepath.Join(cfg.CertificatesDir, kubeadmconstants.CAKeyName)
if _, err := os.Stat(caKeyPath); os.IsNotExist(err) {
externaCA = true
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we use certs.UsingExternalCA for determining if we are in external CA mode?

Copy link
Member Author

@neolit123 neolit123 Sep 26, 2020
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i think UsingExternalCA and UsingExternalFrontProxyCA should only check existence of .key files.

.key files missing would indicate to kubeadm about the general assumption of "external CA", but the validation of certificate signatures should be a separate step based on the .crt.

@fabriziopandini
Copy link
Member

/lgtm

I think that in the future we should make the external CA mode something explicit, e.g. with a flag in the config, instead of guessing user intentions from the file existing on disk

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 28, 2020
@neolit123
Copy link
Member Author

/hold cancel

this must be backported to the support skew. will send the cherry picks later today.

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 28, 2020
@neolit123 neolit123 mentioned this pull request Sep 28, 2020
Merged
@k8s-ci-robot k8s-ci-robot merged commit db9f1e9 into kubernetes:master Sep 28, 2020
@k8s-ci-robot k8s-ci-robot added this to the v1.20 milestone Sep 28, 2020
This was referenced Sep 28, 2020
Merged
Merged
Merged
k8s-ci-robot added a commit that referenced this pull request Sep 28, 2020
@k8s-ci-robot
Merge pull request #95118 from neolit123/automated-cherry-pick-of-#94…
222082f 
…988-origin-release-1.17

Automated cherry pick of #94988: kubeadm: warn but do not error out on missing CA keys on
k8s-ci-robot added a commit that referenced this pull request Sep 28, 2020
@k8s-ci-robot
Merge pull request #95119 from neolit123/automated-cherry-pick-of-#94…
32fd318 
…988-origin-release-1.18

Automated cherry pick of #94988: kubeadm: warn but do not error out on missing CA keys on
k8s-ci-robot added a commit that referenced this pull request Sep 28, 2020
@k8s-ci-robot
Merge pull request #95120 from neolit123/automated-cherry-pick-of-#94…
e97a0c2 
…988-origin-release-1.19

Automated cherry pick of #94988: kubeadm: warn but do not error out on missing CA keys on
@github-actions github-actions bot mentioned this pull request Oct 6, 2020
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fabriziopandini fabriziopandini fabriziopandini left review comments

@yastij yastij Awaiting requested review from yastij

Assignees

@fabriziopandini fabriziopandini

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/kubeadm cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
v1.20
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@neolit123 @k8s-ci-robot @fabriziopandini