New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kubeadm: warn but do not error out on missing CA keys on CP join #94988
kubeadm: warn but do not error out on missing CA keys on CP join #94988
Conversation
/kind bug |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: neolit123 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
this is ready for a review. /assign @fabriziopandini |
f32fccb
to
2a86041
Compare
/retest |
/hold |
func SharedCertificateExists(cfg *kubeadmapi.ClusterConfiguration) (bool, error) { | ||
|
||
if err := validateCACertAndKey(certKeyLocation{cfg.CertificatesDir, kubeadmconstants.CACertAndKeyBaseName, "", "CA"}); err != nil { | ||
if err := validateCACertAndKeyWarn(certKeyLocation{cfg.CertificatesDir, kubeadmconstants.CACertAndKeyBaseName, "", "CA"}); err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm pretty sure we should we apply the same change to FrontProxyCA
Instead, if I remember well, etcd does not support an external EtcdCA mode...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i guess we should have warnings instead of errors for the front-proxy's CA key and etcd's CA key too.
if the CA is external, users may choose to generate everything externally and place the above CA certificates only, without the keys. unlike the root singing CA key, these keys are not needed during cluster runtime.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@fabriziopandini i have update the PR.
instead of adding a new function validateCACertAndKey is re-purposed to throw a warning.
- Modify validateCACertAndKey() to print warnings for missing keys instead of erroring out. - Update unit tests. This allows doing a CP node join in a case where the user has: - copied shared certificates to the new CP node, but not copied ca.key files, treating the cluster CAs as external - signed other required certificates in advance
The kubeconfig phase of "kubeadm init" detects external CA mode and skips the generation of kubeconfig files. The kubeconfig handling during control-plane join executes CreateJoinControlPlaneKubeConfigFiles() which requires the presence of ca.key when preparing the spec of a kubeconfig file and prevents usage of external CA mode. Modify CreateJoinControlPlaneKubeConfigFiles() to skip generating the kubeconfig files if external CA mode is detected.
2a86041
to
7c783fa
Compare
var externaCA bool | ||
caKeyPath := filepath.Join(cfg.CertificatesDir, kubeadmconstants.CAKeyName) | ||
if _, err := os.Stat(caKeyPath); os.IsNotExist(err) { | ||
externaCA = true | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we use certs.UsingExternalCA for determining if we are in external CA mode?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i think UsingExternalCA and UsingExternalFrontProxyCA should only check existence of .key files.
.key files missing would indicate to kubeadm about the general assumption of "external CA", but the validation of certificate signatures should be a separate step based on the .crt.
/lgtm I think that in the future we should make the external CA mode something explicit, e.g. with a flag in the config, instead of guessing user intentions from the file existing on disk |
/hold cancel this must be backported to the support skew. will send the cherry picks later today. |
…988-origin-release-1.17 Automated cherry pick of #94988: kubeadm: warn but do not error out on missing CA keys on
…988-origin-release-1.18 Automated cherry pick of #94988: kubeadm: warn but do not error out on missing CA keys on
…988-origin-release-1.19 Automated cherry pick of #94988: kubeadm: warn but do not error out on missing CA keys on
What this PR does / why we need it:
Which issue(s) this PR fixes:
xref kubernetes/kubeadm#2296
Special notes for your reviewer:
NONE
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: