-
Notifications
You must be signed in to change notification settings - Fork 39.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Derive kubelet serving certificate CSR template from node status addresses #65594
Derive kubelet serving certificate CSR template from node status addresses #65594
Conversation
f6337f8
to
fb44c6a
Compare
@kubernetes/sig-node-pr-reviews @kubernetes/sig-auth-pr-reviews |
pkg/kubelet/certificate/kubelet.go
Outdated
} | ||
} | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@liggitt since we are using reflect to verify a deep equal later in the code, we should sort the dns and IP addresses just in case they get returned in a different order at some point.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
good point, done
/test pull-kubernetes-e2e-gke |
/retest |
bf9603c
to
2595403
Compare
/lgtm |
/test pull-kubernetes-e2e-gke |
2595403
to
d4fe5b5
Compare
d4fe5b5
to
85298b5
Compare
|
||
switch address.Type { | ||
case v1.NodeHostName: | ||
if ip := net.ParseIP(address.Address); ip != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hrm. Is there any scenario where the node hostname can like an IP, but is not actually an IP and would not be appropriate to interpret as an IP?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there any scenario where the node hostname can like an IP, but is not actually an IP and would not be appropriate to interpret as an IP?
No? A hostname that parses as an IP is an IP... SNI wouldn't treat it as a DNS name, cert verification would require an IP SAN (c.f. https://golang.org/src/crypto/x509/verify.go?s=28297:28349#L914)
wait.PollImmediateInfinite(time.Second, func() (bool, error) { | ||
lastTemplate = m.getTemplate() | ||
if lastTemplate == nil { | ||
glog.Infof("Waiting for certificate template") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not v(2)? Because it hangs? If so, might want a slightly longer message.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, wanted visibility
/retest |
2 similar comments
/retest |
/retest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, but @mikedanese should take another look
m := manager{ | ||
certSigningRequestClient: config.CertificateSigningRequestClient, | ||
template: config.Template, | ||
getTemplate: getTemplate, | ||
dynamicTemplate: dynamicTemplate, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This can be config.GetTemplate != nil
and local dynamicTemplate
var can be removed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
config.GetTemplate and config.Template are mutually exclusive. dynamicTemplate
is used to determine whether we need to monitor getTemplate() for changes
edit: misread, can update
This fixed GKE alpha cluster creation. /lgtm |
b9ff9a9
to
7af8c6a
Compare
New changes are detected. LGTM label has been removed. |
fixed #65594 (comment), rebased, no other changes, relabeling |
/retest |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: liggitt, mikedanese, rphillips, smarterclayton The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Automatic merge from submit-queue (batch tested with PRs 65052, 65594). If you want to cherry-pick this change to another branch, please follow the instructions here. |
xref kubernetes/enhancements#267
fixes #55633
Builds on #65587
test procedure: