Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add certificate-key to kubeadm upload-certs phase, and improve init output #74671

Merged
merged 1 commit into from
Mar 6, 2019

Conversation

yagonobre
Copy link
Member

@yagonobre yagonobre commented Feb 27, 2019

What type of PR is this?

Uncomment only one /kind <> line, hit enter to put that in a new line, and remove leading whitespaces from that line:
/kind feature

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes kubernetes/kubeadm#1408

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

kubeadm: add certificate-key and skip-certificate-key-print flags to kubeadm init

/priority important-longterm
@kubernetes/sig-cluster-lifecycle-pr-reviews

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. kind/feature Categorizes issue or PR as related to a new feature. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Feb 27, 2019
@yagonobre
Copy link
Member Author

/remote-priority important-longterm
/priority important-soon

@k8s-ci-robot k8s-ci-robot added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. area/kubeadm labels Feb 27, 2019
@yagonobre
Copy link
Member Author

/remove-priority important-longterm

@k8s-ci-robot k8s-ci-robot removed the priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. label Feb 27, 2019
Copy link
Member

@neolit123 neolit123 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks @yagonobre !

i've added a coupe of comments.

cmd/kubeadm/app/cmd/init.go Outdated Show resolved Hide resolved
cmd/kubeadm/app/cmd/init.go Outdated Show resolved Hide resolved
cmd/kubeadm/app/cmd/init.go Outdated Show resolved Hide resolved
@neolit123
Copy link
Member

Does this PR introduce a user-facing change?:

@fabriziopandini should we add a release note here as well? i'm sort of +1 as the PR is extending the upload certs feature that has a separate release note.

Copy link
Member

@fabriziopandini fabriziopandini left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@yagonobre thanks for the PR!
Everything seems ok, pending some refinements to the final init message. I'm looping in more people to gather feedback
/approve

@@ -30,12 +30,16 @@ import (
)

var joinCommandTemplate = template.Must(template.New("join").Parse(`` +
`kubeadm join {{.ControlPlaneHostPort}} --token {{.Token}}{{range $h := .CAPubKeyPins}} --discovery-token-ca-cert-hash {{$h}}{{end}}{{if .UploadCerts}} --certificate-key {{.CertificateKey}}{{end}}`,
`{{if .UploadCerts}}To join a node:
Copy link
Member

@fabriziopandini fabriziopandini Feb 28, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's the tricky part of this PR.
These are the case that should be managed IMO

  1. without controlPlaneEndpoint --> you can only join worker nodes
  2. with controlPlaneEndpoint --> you can join both control-plane and worker nodes
    1. without certificate key -> you have to copy certs manually
    2. with certificate key -> you can copy certs manually or download certs

A proposal for converting all the above cases into a short and concise command output:

  1. only join worker nodes
You can now join any number of worker nodes by running the following on each as root:

  kubeadm join <master-ip>:<master-port> --token <token> --discovery-token-ca-cert-hash sha256:<hash>
  1. i. both control-plane (with manual copy) and worker nodes
You can now join any number of control-plane node by copying the required certificate authorities on each node and then running the following as root:

To join a control-plane node you should copy required certificates to the node and then run the following command as a root: 

  kubeadm join <master-ip>:<master-port> --experimental-control-plane --token <token> --discovery-token-ca-cert-hash sha256:<hash>

Then you can join any number of worker nodes by running the following on each as root:

  kubeadm join <master-ip>:<master-port> --token <token> --discovery-token-ca-cert-hash sha256:<hash>
  1. ii. both control-plane (with automatic/manual) and worker nodes
To join a control-plane node run the following command on each as a root: 

  kubeadm join <master-ip>:<master-port> --experimental-control-plane --certificate-key <key> --token <token> --discovery-token-ca-cert-hash sha256:<hash>

Please note that the certificate-key gives access to cluster sensitive data, keep it secret!
As a safeguard, uploaded-certs will be deleted in two hours; If necessary, you can use `kubeadm init phase upload-certs` to reload certs afterward.

Then you can join any number of worker nodes by running the following on each as root:

  kubeadm join <master-ip>:<master-port> --token <token> --discovery-token-ca-cert-hash sha256:<hash>

Possible further improvements:

  • detail required certificates in case 2.i
  • break join commands on multiple lines using \ and move the common (--token <token> ...) part on a second line

@timothysc @neolit123 @rosti opinions?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@fabriziopandini I like your ideas. We can extend the security warning to cover tokens too.
@yagonobre I have a particular distaste for having flow control structures (like if statements) in templates. Please, avoid their use. I am OK with for loops though.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the new messages SGTM. i forgot that we now have to handle them.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2.i looks weird repeating the two first sentences in different ways, apart from that messages look fine and clear.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rosti what do you recommend to avoid ifs on this template?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@yagonobre I may be misunderstanding your question. Correct me if I am wrong.
You can use different templates for the different use cases in the above example.
Something along the lines of:

var templateToUse *template.Template
if uploadCerts {
  templateToUse = uploadCertsJoinTemplate
} else {
  templateToUse = controlPlaneJoinTemplate
}
...
err = templateToUse.Execute(&out, ctx)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, but I'll need to duplicate some text, I'm not sure if it;s better than have a if in the template.

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 28, 2019
Copy link
Contributor

@rosti rosti left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @yagonobre !

cmd/kubeadm/app/cmd/init.go Outdated Show resolved Hide resolved
cmd/kubeadm/app/cmd/init.go Outdated Show resolved Hide resolved
cmd/kubeadm/app/cmd/init.go Outdated Show resolved Hide resolved
@@ -30,12 +30,16 @@ import (
)

var joinCommandTemplate = template.Must(template.New("join").Parse(`` +
`kubeadm join {{.ControlPlaneHostPort}} --token {{.Token}}{{range $h := .CAPubKeyPins}} --discovery-token-ca-cert-hash {{$h}}{{end}}{{if .UploadCerts}} --certificate-key {{.CertificateKey}}{{end}}`,
`{{if .UploadCerts}}To join a node:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@fabriziopandini I like your ideas. We can extend the security warning to cover tokens too.
@yagonobre I have a particular distaste for having flow control structures (like if statements) in templates. Please, avoid their use. I am OK with for loops though.

@@ -81,6 +85,9 @@ func GetJoinCommand(kubeConfigFile, token, key string, skipTokenPrint, uploadCer
if skipTokenPrint {
ctx["Token"] = template.HTML("<value withheld>")
}
if skipCertificateKeyPrint {
ctx["CertificateKey"] = template.HTML("<value withheld>")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oddly enough, we use html/template here. This might cause problems when we try to feed a template with non-alphanumeric characters (< is turned into &lt;, etc.).
But anyway, this again is out of the scope of this PR.

@neolit123
Copy link
Member

@yagonobre please let me know if you don't have the time for this.
i'd be happy to help (create new PR based on this one), because we only have 4 more working days before feature freeze next Thursday. ❄️

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 3, 2019
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 5, 2019
@yagonobre
Copy link
Member Author

@neolit123 should I add a release note?

@neolit123
Copy link
Member

@neolit123 should I add a release note?

@yagonobre
yes, please. only the user facing part e.g. kubeadm: add .... flag ....

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. and removed release-note-none Denotes a PR that doesn't merit a release note. labels Mar 5, 2019
@fabriziopandini
Copy link
Member

@yagonobre this looks great!
/approve
I leave final lgtm to someone else (or I will unblock this myself tomorrow during office hours)

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fabriziopandini, yagonobre

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Copy link
Member

@neolit123 neolit123 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

given feature freeze is soon -> merge this now, send bug fixes later if needed.

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 5, 2019
@neolit123
Copy link
Member

tide is currently borked, so let's see if this will merge..

@timothysc
Copy link
Member

We need to draw a cut-line on anything non-bug related.

@yagonobre
Copy link
Member Author

/test pull-kubernetes-e2e-gce

@k8s-ci-robot k8s-ci-robot merged commit 2b63efc into kubernetes:master Mar 6, 2019
@yagonobre yagonobre deleted the certificate-key branch March 6, 2019 14:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/kubeadm cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Alllow user to provide the certificate key on upload-certs
7 participants